public function testValidCredentialsInQuerystring()
{
$server = $this->getTestServer();
$request = TestRequest::createPost(array('grant_type' => 'client_credentials', 'client_id' => 'Test Client ID', 'client_secret' => 'TestSecret'));
$token = $server->grantAccessToken($request, new Response());
$this->assertNotNull($token);
$this->assertArrayHasKey('access_token', $token);
$this->assertNotNull($token['access_token']);
}
public function testNoSecretWithConfidentialClient()
{
$server = $this->getTestServer();
$request = TestRequest::createPost(array('grant_type' => 'password', 'client_id' => 'Test Client ID', 'username' => 'test-username', 'password' => 'testpass'));
$token = $server->grantAccessToken($request, $response = new Response());
$this->assertEquals($response->getStatusCode(), 400);
$this->assertEquals($response->getParameter('error'), 'invalid_client');
$this->assertEquals($response->getParameter('error_description'), 'This client is invalid or must authenticate using a client secret');
}
public function testValidCredentialsInvalidScope()
{
$server = $this->getTestServer();
$request = TestRequest::createPost(array('grant_type' => 'password', 'client_id' => 'Test Client ID', 'client_secret' => 'TestSecret', 'username' => 'test-username', 'password' => 'testpass', 'scope' => 'invalid-scope'));
$token = $server->grantAccessToken($request, $response = new Response());
$this->assertEquals($response->getStatusCode(), 400);
$this->assertEquals($response->getParameter('error'), 'invalid_scope');
$this->assertEquals($response->getParameter('error_description'), 'An unsupported scope was requested');
}
public function testOfflineAccess()
{
$server = $this->getTestServer();
$request = TestRequest::createPost(array('grant_type' => 'authorization_code', 'client_id' => 'Test Client ID', 'client_secret' => 'TestSecret', 'code' => 'testcode-openid', 'scope' => 'offline_access'));
$token = $server->grantAccessToken($request, new Response());
$this->assertNotNull($token);
$this->assertArrayHasKey('id_token', $token);
$this->assertEquals('test_id_token', $token['id_token']);
$this->assertTrue(isset($token['refresh_token']));
}
public function testRequestOverride()
{
$request = new TestRequest();
$server = $this->getTestServer();
// Smoke test for override request class
// $server->handleTokenRequest($request, $response = new Response());
// $this->assertInstanceOf('Response', $response);
// $server->handleAuthorizeRequest($request, $response = new Response(), true);
// $this->assertInstanceOf('Response', $response);
// $response = $server->verifyResourceRequest($request, $response = new Response());
// $this->assertTrue(is_bool($response));
/*** make some valid requests ***/
// Valid Token Request
$request->setPost(array('grant_type' => 'authorization_code', 'client_id' => 'Test Client ID', 'client_secret' => 'TestSecret', 'code' => 'testcode'));
$server->handleTokenRequest($request, $response = new Response());
$this->assertEquals($response->getStatusCode(), 200);
$this->assertNull($response->getParameter('error'));
$this->assertNotNUll($response->getParameter('access_token'));
}
public function testInvalidContentType()
{
$bearer = new Bearer();
$request = TestRequest::createPost(array('access_token' => 'ThisIsMyAccessToken'));
$request->server['CONTENT_TYPE'] = 'application/json; charset=UTF-8';
$param = $bearer->getAccessTokenParameter($request, $response = new Response());
$this->assertNull($param);
$this->assertEquals($response->getStatusCode(), 400);
$this->assertEquals($response->getParameter('error'), 'invalid_request');
$this->assertEquals($response->getParameter('error_description'), 'The content type for POST requests must be "application/x-www-form-urlencoded"');
}
public function testAccessResourceWithCryptoTokenUsingSecondaryStorage()
{
// add the test parameters in memory
$server = $this->getTestServer();
$request = TestRequest::createPost(array('grant_type' => 'client_credentials', 'client_id' => 'Test Client ID', 'client_secret' => 'TestSecret'));
$server->handleTokenRequest($request, $response = new Response());
$this->assertNotNull($cryptoToken = $response->getParameter('access_token'));
// make a call to the resource server using the crypto token
$request = TestRequest::createPost(array('access_token' => $cryptoToken));
// create a resource server with the "memory" storage from the grant server
$resourceServer = new Server($server->getStorage('client_credentials'));
$this->assertTrue($resourceServer->verifyResourceRequest($request));
}
public function testCryptoTokenWithRefreshToken()
{
$server = $this->getTestServer();
// add "UserCredentials" grant type and "CryptoToken" response type
// and ensure "CryptoToken" response type has "RefreshToken" storage
$memoryStorage = Bootstrap::getInstance()->getMemoryStorage();
$server->addGrantType(new UserCredentials($memoryStorage));
$server->addGrantType(new RefreshToken($memoryStorage));
$server->addResponseType(new CryptoToken($memoryStorage, $memoryStorage, $memoryStorage), 'token');
$request = TestRequest::createPost(array('grant_type' => 'password', 'client_id' => 'Test Client ID', 'client_secret' => 'TestSecret', 'username' => 'test-username', 'password' => 'testpass'));
// make the call to grant a crypto token
$server->handleTokenRequest($request, $response = new Response());
$this->assertNotNull($cryptoToken = $response->getParameter('access_token'));
$this->assertNotNull($refreshToken = $response->getParameter('refresh_token'));
// decode token and make sure refresh_token isn't set
list($header, $payload, $signature) = explode('.', $cryptoToken);
$decodedToken = json_decode(base64_decode($payload), true);
$this->assertFalse(array_key_exists('refresh_token', $decodedToken));
// use the refresh token to get another access token
$request = TestRequest::createPost(array('grant_type' => 'refresh_token', 'client_id' => 'Test Client ID', 'client_secret' => 'TestSecret', 'refresh_token' => $refreshToken));
$server->handleTokenRequest($request, $response = new Response());
$this->assertNotNull($response->getParameter('access_token'));
}
public function testGrantCodeAccessTokenOnNewCode()
{
$request = TestRequest::createPost(array('grant_type' => 'device_code', 'client_id' => 'test_client_id'));
$this->server->handleDeviceRequest($request, $response = new Response());
$this->assertNotNull($response->getParameter('code'));
$deviceCodeResponse = $response;
// Get access token when user_id is null
$request = TestRequest::createPost(array('grant_type' => 'device_token', 'client_id' => 'test_client_id', 'code' => $deviceCodeResponse->getParameter('code')));
$this->server->handleDeviceRequest($request, $response = new Response());
$this->assertEquals($response->getStatusCode(), 400);
$this->assertArrayHasKey('error', $response->getParameters());
$this->assertEquals('authorization_pending', $response->getParameter('error'));
// Update user_id and verify response
$deviceStorage = $this->server->getStorage('device_code');
$code = $deviceStorage->getDeviceCode($deviceCodeResponse->getParameter('code'), 'test_client_id');
$deviceStorage->setDeviceCode($code['device_code'], $code['user_code'], $code['client_id'], 1, $code['expires'], $code['scope']);
$request = TestRequest::createPost(array('grant_type' => 'device_token', 'client_id' => 'test_client_id', 'code' => $deviceCodeResponse->getParameter('code')));
$this->server->handleDeviceRequest($request, $response = new Response());
$this->assertEquals($response->getStatusCode(), 200);
$this->assertArrayHasKey('access_token', $response->getParameters());
//ensure device code was deleted
$code = $deviceStorage->getDeviceCode($deviceCodeResponse->getParameter('code'), 'test_client_id');
$this->assertFalse($code);
}
public function testCanReceiveAccessTokenUsingPasswordGrantTypeWithoutClientSecret()
{
// add the test parameters in memory
$storage = Bootstrap::getInstance()->getMemoryStorage();
$server = new Server($storage);
$server->addGrantType(new UserCredentials($storage));
$request = TestRequest::createPost(array('grant_type' => 'password', 'client_id' => 'Test Client ID For Password Grant', 'username' => 'johndoe', 'password' => 'password'));
$server->handleTokenRequest($request, $response = new Response());
$this->assertTrue($response instanceof Response);
$this->assertEquals(200, $response->getStatusCode(), var_export($response, 1));
$this->assertNull($response->getParameter('error'));
$this->assertNull($response->getParameter('error_description'));
$this->assertNotNull($response->getParameter('access_token'));
$this->assertNotNull($response->getParameter('expires_in'));
$this->assertNotNull($response->getParameter('token_type'));
}
public function testValidJwtInvalidScope()
{
$server = $this->getTestServer();
$request = TestRequest::createPost(array('grant_type' => 'urn:ietf:params:oauth:grant-type:jwt-bearer', 'assertion' => $this->getJWT(null, null, null, 'Test Client ID', 'invalid-scope')));
$token = $server->grantAccessToken($request, $response = new Response());
$this->assertEquals($response->getStatusCode(), 400);
$this->assertEquals($response->getParameter('error'), 'invalid_scope');
$this->assertEquals($response->getParameter('error_description'), 'An unsupported scope was requested');
}
public function testInvalidRequestMethodForRevoke()
{
$server = $this->getTestServer();
$request = new TestRequest();
$request->setQuery(array('token_type_hint' => 'access_token'));
$server->handleRevokeRequest($request, $response = new Response());
$this->assertTrue($response instanceof Response);
$this->assertEquals(405, $response->getStatusCode(), var_export($response, 1));
$this->assertEquals($response->getParameter('error'), 'invalid_request');
$this->assertEquals($response->getParameter('error_description'), 'The request method must be POST when revoking an access token');
}
public function testJtiReplayAttack()
{
$server = $this->getTestServer();
$request = TestRequest::createPost(array('grant_type' => 'urn:ietf:params:oauth:grant-type:jwt-bearer', 'assertion' => $this->getJWT(99999999900, null, '*****@*****.**', 'Test Client ID', 'totally_new_jti')));
$token = $server->grantAccessToken($request, $response = new Response());
$this->assertNotNull($token);
$this->assertArrayHasKey('access_token', $token);
//Replay the same request
$token = $server->grantAccessToken($request, $response = new Response());
$this->assertEquals($response->getStatusCode(), 400);
$this->assertEquals($response->getParameter('error'), 'invalid_grant');
$this->assertEquals($response->getParameter('error_description'), 'JSON Token Identifier (jti) has already been used');
}
public function testClientUserIdIsSetInAccessToken()
{
$server = $this->getTestServer();
$request = TestRequest::createPost(array('grant_type' => 'client_credentials', 'client_id' => 'Client ID With User ID', 'client_secret' => 'TestSecret'));
$token = $server->grantAccessToken($request, new Response());
$this->assertNotNull($token);
$this->assertArrayHasKey('access_token', $token);
// verify the user_id was associated with the token
$storage = $server->getStorage('client');
$token = $storage->getAccessToken($token['access_token']);
$this->assertNotNull($token);
$this->assertArrayHasKey('user_id', $token);
$this->assertEquals($token['user_id'], '*****@*****.**');
}
public function testCustomClientAssertionType()
{
$request = TestRequest::createPost(array('grant_type' => 'authorization_code', 'client_id' => 'Test Client ID', 'code' => 'testcode'));
// verify the mock clientAssertionType was called as expected
$clientAssertionType = $this->getMock('OAuth2\\ClientAssertionType\\ClientAssertionTypeInterface', array('validateRequest', 'getClientId'));
$clientAssertionType->expects($this->once())->method('validateRequest')->will($this->returnValue(true));
$clientAssertionType->expects($this->once())->method('getClientId')->will($this->returnValue('Test Client ID'));
// create mock storage
$storage = Bootstrap::getInstance()->getMemoryStorage();
$server = new Server(array($storage), array(), array(), array(), null, null, $clientAssertionType);
$server->handleTokenRequest($request, $response = new Response());
}
/**
* @see http://tools.ietf.org/html/rfc6749#section-4.1.3
* @see https://github.com/bshaffer/oauth2-server-php/issues/163
*/
public function testNoRedirectUriSuppliedDoesNotRequireTokenRedirectUri()
{
$server = $this->getTestServer();
$request = new Request(array('client_id' => 'Test Client ID with Redirect Uri', 'response_type' => 'code', 'state' => 'xyz'));
$server->handleAuthorizeRequest($request, $response = new Response(), true);
$this->assertEquals($response->getStatusCode(), 302);
$this->assertContains('state', $response->getHttpHeader('Location'));
$this->assertStringStartsWith('http://brentertainment.com?code=', $response->getHttpHeader('Location'));
$parts = parse_url($response->getHttpHeader('Location'));
parse_str($parts['query'], $query);
// call token endpoint with no redirect_uri supplied
$request = TestRequest::createPost(array('client_id' => 'Test Client ID with Redirect Uri', 'client_secret' => 'TestSecret2', 'grant_type' => 'authorization_code', 'code' => $query['code']));
$server->handleTokenRequest($request, $response = new Response(), true);
$this->assertEquals($response->getStatusCode(), 200);
$this->assertNotNull($response->getParameter('access_token'));
}
public function testEnforceScope()
{
$storage = Bootstrap::getInstance()->getMemoryStorage();
$server = new Server($storage);
$server->addGrantType(new ClientCredentials($storage));
$scope = new Scope(array('default_scope' => false, 'supported_scopes' => array('testscope')));
$server->setScopeUtil($scope);
$request = TestRequest::createPost(array('grant_type' => 'client_credentials', 'client_id' => 'Test Client ID', 'client_secret' => 'TestSecret'));
$response = $server->handleTokenRequest($request);
$this->assertEquals($response->getStatusCode(), 400);
$this->assertEquals($response->getParameter('error'), 'invalid_scope');
$this->assertEquals($response->getParameter('error_description'), 'This application requires you specify a scope parameter');
}
/**
* Test setting "always_issue_new_refresh_token" on a server level
*
* @see test/OAuth2/GrantType/RefreshTokenTest::testValidRefreshTokenWithNewRefreshTokenInResponse
**/
public function testValidRefreshTokenWithNewRefreshTokenInResponse()
{
$storage = Bootstrap::getInstance()->getMemoryStorage();
$server = new Server($storage, array('always_issue_new_refresh_token' => true));
$request = TestRequest::createPost(array('grant_type' => 'refresh_token', 'client_id' => 'Test Client ID', 'client_secret' => 'TestSecret', 'refresh_token' => 'test-refreshtoken'));
$token = $server->grantAccessToken($request, new Response());
$this->assertTrue(isset($token['refresh_token']), 'refresh token should always refresh');
$refresh_token = $storage->getRefreshToken($token['refresh_token']);
$this->assertNotNull($refresh_token);
$this->assertEquals($refresh_token['refresh_token'], $token['refresh_token']);
$this->assertEquals($refresh_token['client_id'], $request->request('client_id'));
$this->assertTrue($token['refresh_token'] != 'test-refreshtoken', 'the refresh token returned is not the one used');
$used_token = $storage->getRefreshToken('test-refreshtoken');
$this->assertFalse($used_token, 'the refresh token used is no longer valid');
}
public function testValidClientDifferentCode()
{
$server = $this->getTestServer();
$request = TestRequest::createPost(array('grant_type' => 'authorization_code', 'client_id' => 'Test Some Other Client', 'client_secret' => 'TestSecret3', 'code' => 'testcode'));
$token = $server->grantAccessToken($request, $response = new Response());
$this->assertEquals($response->getStatusCode(), 400);
$this->assertEquals($response->getParameter('error'), 'invalid_grant');
$this->assertEquals($response->getParameter('error_description'), 'authorization_code doesn\'t exist or is invalid for the client');
}
public function testInvalidClientIdScope()
{
// add the test parameters in memory
$server = $this->getTestServer();
$request = TestRequest::createPost(array('grant_type' => 'authorization_code', 'code' => 'testcode', 'client_id' => 'Test Client ID', 'client_secret' => 'TestSecret', 'scope' => 'clientscope3 scope1'));
$server->handleTokenRequest($request, $response = new Response());
$this->assertEquals($response->getStatusCode(), 400);
$this->assertEquals($response->getParameter('error'), 'invalid_scope');
$this->assertEquals($response->getParameter('error_description'), 'An unsupported scope was requested');
}