/**
* Processes an OAuth refresh token request.
*
* @param Request $request the OAuth token request
* @param Response $response the response
*/
protected function tokenFromRefreshToken($request, $response)
{
$store = StoreManager::instance();
$client = $this->oauth->getClient();
if (!isset($request['refresh_token']) || $request['refresh_token'] == '') {
$this->logger->log(LogLevel::ERROR, 'Token request failed: refresh_token not set');
$response->setError('invalid_request', 'refresh_token not set');
return;
}
$refresh_token = RefreshToken::decode($request['refresh_token']);
if (!$refresh_token->isValid()) {
$this->logger->log(LogLevel::ERROR, 'Token request failed: Refresh token not valid');
$response->setError('invalid_grant', 'Refresh token not valid');
return;
}
$authorization = $refresh_token->getAuthorization();
if ($authorization->getClient()->getStoreID() != $client->getStoreID()) {
$this->logger->log(LogLevel::ERROR, 'Token request failed: this client (' . $client->getStoreID() . ') does not match the client stored in refresh token (' . $authorization->getClient()->getStoreID() . ')');
$response->setError('invalid_grant', 'this client does not match the client stored in refresh token');
$response->renderJSON();
return;
}
$authorization->revokeTokensFromSource($refresh_token);
$scope = $refresh_token->getScope();
// If we issue, we delete the old refresh token so that it can't be used again
$refresh_token->revoke();
$authorization->resetAuthState();
$store->saveAuth($authorization);
$response->loadData($authorization->issueTokens($scope, SIMPLEID_SHORT_TOKEN_EXPIRES_IN, $refresh_token));
// Call modules
$this->mgr->invokeAll('oAuthToken', 'refresh_token', $authorization, $request, $response, $scope);
return $authorization;
}
/**
* Registration endpoint
*/
public function register()
{
$rand = new Random();
$response = new Response();
$this->checkHttps('error');
$this->logger->log(LogLevel::DEBUG, 'SimpleID\\Protocols\\Connect\\ConnectClientRegistrationModule->register');
// Access token OR rate limit
if (!$this->isTokenAuthorized(self::CLIENT_REGISTRATION_INIT_SCOPE)) {
$limiter = new RateLimiter('connect_register');
if (!$limiter->throttle()) {
header('Retry-After: ' . $limiter->getInterval());
// We never display a log for rate limit errors
$response->setError('invalid_request', 'client has been blocked from making further requests')->renderJSON(429);
return;
}
}
if (!$this->f3->exists('BODY')) {
$response->setError('invalid_request')->renderJSON();
return;
}
$request = json_decode($this->f3->get('BODY'), true);
if ($request == null) {
$response->setError('invalid_request', 'unable to parse body')->renderJSON();
return;
}
if (!isset($request['redirect_uris'])) {
$response->setError('invalid_redirect_uri', 'redirect_uris missing')->renderJSON();
return;
}
// Verify redirect_uri based on application_type
$application_type = isset($request['application_type']) ? $request['application_type'] : 'web';
$grant_types = isset($request['grant_types']) ? $request['grant_types'] : array('authorization_code');
foreach ($request['redirect_uris'] as $redirect_uri) {
$parts = parse_url($redirect_uri);
if (isset($parts['fragment'])) {
$response->setError('invalid_redirect_uri', 'redirect_uris cannot contain a fragment')->renderJSON();
return;
}
if ($application_type == 'web' && in_array('implicit', $grant_types)) {
if (strtolower($parts['scheme']) != 'https' || strtolower($parts['host']) == 'localhost' && $parts['host'] == '127.0.0.1') {
$response->setError('invalid_redirect_uri', 'implicit grant type must use https URIs')->renderJSON();
return;
}
} elseif ($application_type == 'native') {
// Native Clients MUST only register redirect_uris using custom URI schemes or URLs using the http: scheme with localhost as the hostname.
// Authorization Servers MAY place additional constraints on Native Clients.
// Authorization Servers MAY reject Redirection URI values using the http scheme, other than the localhost case for Native Clients.
// The Authorization Server MUST verify that all the registered redirect_uris conform to these constraints. This prevents sharing a Client ID across different types of Clients.
if (strtolower($parts['scheme']) == 'http' && (strtolower($parts['host']) != 'localhost' || $parts['host'] != '127.0.0.1') || strtolower($parts['scheme']) == 'https') {
$response->setError('invalid_redirect_uri', 'native clients cannot use https URIs')->renderJSON();
return;
}
}
}
// Verify sector_identifier_url
$subject_type = isset($request['subject_type']) ? $request['subject_type'] : 'public';
if (isset($request['sector_identifier_uri'])) {
if (!$this->verifySectorIdentifier($request['sector_identifier_uri'], $request['redirect_uris'])) {
$response->setError('invalid_client_metadata', 'cannot verify sector_identifier_uri')->renderJSON();
return;
}
}
$client = new ConnectDynamicClient();
$client_id = $client->getStoreID();
// Map data
foreach ($request as $name => $value) {
$parts = explode('#', $name, 2);
$client_path = isset(self::$metadata_map[$parts[0]]) ? self::$metadata_map[$parts[0]] : 'connect.' . $parts[0];
if (isset($parts[1])) {
$client_path .= '#' . $locale;
}
$client->pathSet($client_path, $value);
}
$client->fetchJWKs();
$response->loadData($request);
$response->loadData(array('client_id' => $client->getStoreID(), 'registration_client_uri' => $this->getCanonicalURL('connect/client/' . $client->getStoreID()), 'client_id_issued_at' => time()));
if ($client['oauth']['token_endpoint_auth_method'] != 'none') {
$client->pathSet('oauth.client_secret', $rand->secret());
$response['client_secret'] = $client['oauth']['client_secret'];
$response['client_secret_expires_at'] = 0;
}
$store = StoreManager::instance();
$store->saveClient($client);
$this->logger->log(LogLevel::INFO, 'Created dynamic client: ' . $client_id);
$auth = new Authorization($client, $client, self::CLIENT_REGISTRATION_ACCESS_SCOPE);
$store->saveAuth($auth);
$token = $auth->issueAccessToken(array(self::CLIENT_REGISTRATION_ACCESS_SCOPE));
$response['registration_access_token'] = $token['access_token'];
$this->f3->status(201);
$response->renderJSON();
}
/**
* Displays the OpenID Connect configuration file for this installation.
*
*/
public function openid_configuration()
{
$mgr = ModuleManager::instance();
header('Content-Type: application/json');
header('Content-Disposition: inline; filename=openid-configuration');
$scopes = $mgr->invokeAll('scopes');
$jwt_signing_algs = AlgorithmFactory::getSupportedAlgs(Algorithm::SIGNATURE_ALGORITHM);
$jwt_encryption_algs = AlgorithmFactory::getSupportedAlgs(Algorithm::KEY_ALGORITHM);
$jwt_encryption_enc_algs = AlgorithmFactory::getSupportedAlgs(Algorithm::ENCRYPTION_ALGORITHM);
$claims_supported = array('sub', 'iss', 'auth_time', 'acr');
foreach ($scopes['oauth'] as $scope => $settings) {
if (isset($settings['claims'])) {
$claims_supporteds = array_merge($claims_supported, $settings['claims']);
}
}
$token_endpoint_auth_methods_supported = array('client_secret_basic', 'client_secret_post');
$config = array('issuer' => $this->getCanonicalHost(), 'authorization_endpoint' => $this->getCanonicalURL('@oauth_auth', '', 'https'), 'token_endpoint' => $this->getCanonicalURL('@oauth_token', '', 'https'), 'userinfo_endpoint' => $this->getCanonicalURL('@connect_userinfo', '', 'https'), 'jwks_uri' => $this->getCanonicalURL('@connect_jwks', '', 'https'), 'scopes_supported' => array_keys($scopes['oauth']), 'response_types_supported' => array('code', 'token', 'id_token', 'id_token token', 'code token', 'code id_token', 'code id_token token'), 'response_modes_supported' => Response::getResponseModesSupported(), 'grant_types_supported' => array('authorization_code', 'refresh_token'), 'acr_values_supported' => array(), 'subject_types_supported' => array('public', 'pairwise'), 'userinfo_signing_alg_values_supported' => $jwt_signing_algs, 'userinfo_encryption_alg_values_supported' => $jwt_encryption_algs, 'userinfo_encryption_enc_alg_values_supported' => $jwt_encryption_enc_algs, 'id_token_signing_alg_values_supported' => $jwt_signing_algs, 'id_token_encrpytion_alg_values_supported' => $jwt_encryption_algs, 'id_token_encrpytion_enc_alg_values_supported' => $jwt_encryption_enc_algs, 'request_object_signing_alg_values_supported' => array_merge($jwt_signing_algs, array('none')), 'request_object_encryption_alg_values_supported' => $jwt_encryption_algs, 'request_object_encryption_enc_alg_values_supported' => $jwt_encryption_enc_algs, 'token_endpoint_auth_methods_supported' => $token_endpoint_auth_methods_supported, 'claim_types_supported' => array('normal'), 'claims_supported' => $claims_supported, 'claims_parameter_supported' => true, 'request_parameter_supported' => true, 'request_uri_parameter_supported' => true, 'require_request_uri_registration' => false, 'service_documentation' => 'http://simpleid.koinic.net/docs/');
$config = array_merge($config, $mgr->invokeAll('connectConfiguration'));
print json_encode($config);
}
