/**
* {@inheritDoc}
*/
public function createTokenResponse(Request $request, Client $client = null, TokenOwnerInterface $owner = null)
{
$token = $request->getPost('access_token');
$scope = $request->getPost('scope');
if (null === $token) {
throw OAuth2Exception::invalidRequest('Missing parameter access_token');
}
$owner = $this->getOwner($token);
if (!$owner instanceof TokenOwnerInterface) {
throw OAuth2Exception::accessDenied('Unable to load user from this token');
}
/**
* @var AccessToken $accessToken
* @var null|RefreshToken $refreshToken
* */
$accessToken = new AccessToken();
$refreshToken = null;
// Generate token
$this->populateToken($accessToken, $client, $owner, $scope);
$accessToken = $this->accessTokenService->createToken($accessToken);
// Before generating a refresh token, we must make sure the authorization server supports this grant
if ($this->authorizationServer->hasGrant(RefreshTokenGrant::GRANT_TYPE)) {
$refreshToken = new RefreshToken();
$this->populateToken($refreshToken, $client, $owner, $scope);
$refreshToken = $this->refreshTokenService->createToken($refreshToken);
}
return $this->prepareTokenResponse($accessToken, $refreshToken);
}
/**
* {@inheritDoc}
*/
public function createTokenResponse(ServerRequestInterface $request, Client $client = null, TokenOwnerInterface $owner = null) : ResponseInterface
{
$postParams = $request->getParsedBody();
$refreshToken = $postParams['refresh_token'] ?? null;
if (null === $refreshToken) {
throw OAuth2Exception::invalidRequest('Refresh token is missing');
}
// We can fetch the actual token, and validate it
/** @var RefreshToken $refreshToken */
$refreshToken = $this->refreshTokenService->getToken((string) $refreshToken);
if (null === $refreshToken || $refreshToken->isExpired()) {
throw OAuth2Exception::invalidGrant('Refresh token is expired');
}
// We can now create a new access token! First, we need to make some checks on the asked scopes,
// because according to the spec, a refresh token can create an access token with an equal or lesser
// scope, but not more
$scopes = $postParams['scope'] ?? $refreshToken->getScopes();
if (!$refreshToken->matchScopes($scopes)) {
throw OAuth2Exception::invalidScope('The scope of the new access token exceeds the scope(s) of the refresh token');
}
$owner = $refreshToken->getOwner();
$accessToken = $this->accessTokenService->createToken($owner, $client, $scopes);
// We may want to revoke the old refresh token
if ($this->serverOptions->getRotateRefreshTokens()) {
if ($this->serverOptions->getRevokeRotatedRefreshTokens()) {
$this->refreshTokenService->deleteToken($refreshToken);
}
$refreshToken = $this->refreshTokenService->createToken($owner, $client, $scopes);
}
// We can generate the response!
return $this->prepareTokenResponse($accessToken, $refreshToken, true);
}
/**
* Constructor.
*
* @param array $options
*/
public function __construct($options)
{
$this->createUserCallable = function () {
// By default if a new user tries to sign in, he is not allowed to sign in
throw OAuth2Exception::accessDenied('You are not authorized to log in to the system.');
};
$this->setFromArray($options);
}
/**
* {@inheritdoc}
*/
protected function findProviderUserFromRequest(ServerRequestInterface $request, ProviderInterface $provider)
{
$postParams = $request->getParsedBody();
$tokenIdentifier = isset($postParams['token_identifier']) ? $postParams['token_identifier'] : null;
$tokenSecret = isset($postParams['token_secret']) ? $postParams['token_secret'] : null;
$tokenCredentials = new TokenCredentials();
$tokenCredentials->setIdentifier($tokenIdentifier);
$tokenCredentials->setSecret($tokenSecret);
/** @var \League\OAuth1\Client\Server\Server $providerClient */
$providerClient = $this->providerClients->get($provider->getName());
try {
$user = $providerClient->getUserDetails($tokenCredentials);
} catch (\Exception $e) {
throw OAuth2Exception::invalidRequest('Token identifier and token secret are invalid');
}
return new Oauth1User($user);
}
/**
* {@inheritdoc}
*/
protected function findProviderUserFromRequest(ServerRequestInterface $request, ProviderInterface $provider)
{
$postParams = $request->getParsedBody();
$providerAuthorizationCode = isset($postParams['provider_authorization_code']) ? $postParams['provider_authorization_code'] : null;
$providerAccessToken = isset($postParams['provider_access_token']) ? $postParams['provider_access_token'] : null;
/* @var \League\OAuth2\Client\Provider\ProviderInterface */
$providerClient = $this->providerClients->get($provider->getName());
if ($providerAuthorizationCode) {
// Try to get an access token (using the authorization code grant)
try {
/** @var ProviderAccessToken $providerAccessToken*/
$providerAccessToken = $providerClient->getAccessToken('authorization_code', ['code' => $providerAuthorizationCode]);
} catch (IDPException $e) {
// @todo decide what is the best thing to do here???
throw OAuth2Exception::invalidRequest('Provider authorization code is invalid');
}
} else {
$providerAccessToken = new ProviderAccessToken(['access_token' => $providerAccessToken]);
}
/* @var \League\OAuth2\Client\Entity\User */
$userDetails = $providerClient->getUserDetails($providerAccessToken);
return new Oauth2User($userDetails);
}
public function createTokenResponse(Request $request, Client $client = null, TokenOwnerInterface $owner = null)
{
// TODO: Complete rewrite. This is just a temp method to allow token generation
$owner = $this->userService->get($request->getPost('id'));
$scope = 'foobar';
if (!$owner instanceof TokenOwnerInterface) {
throw OAuth2Exception::accessDenied('access_denied');
}
/**
* @var AccessToken $accessToken
* @var null|RefreshToken $refreshToken
* */
$accessToken = new AccessToken();
$refreshToken = null;
$this->populateToken($accessToken, $client, $owner, $scope);
$accessToken = $this->accessTokenService->createToken($accessToken);
// Before generating a refresh token, we must make sure the authorization server supports this grant
if ($this->authorizationServer->hasGrant(RefreshTokenGrant::GRANT_TYPE)) {
$refreshToken = new RefreshToken();
$this->populateToken($refreshToken, $client, $owner, $scope);
$refreshToken = $this->refreshTokenService->createToken($refreshToken);
}
return $this->prepareTokenResponse($accessToken, $refreshToken);
}
/**
* {@inheritDoc}
*/
public function createTokenResponse(ServerRequestInterface $request, Client $client = null, TokenOwnerInterface $owner = null)
{
$postParams = $request->getParsedBody();
$providerName = isset($postParams['provider']) ? $postParams['provider'] : null;
$scope = isset($postParams['scope']) ? $postParams['scope'] : null;
if ($providerName === null) {
throw OAuth2Exception::invalidRequest('Provider name is missing.');
}
$provider = $this->providerManager->findByName($providerName);
if (!$provider || !$this->providerClients->has($providerName)) {
throw OAuth2Exception::invalidRequest(sprintf('Provider %s is not supported', $providerName));
}
$providerUser = $this->findProviderUserFromRequest($request, $provider);
// access token is valid
$userProvider = $this->userProviderManager->findByProviderUid($providerUser->getId(), $provider);
if (!$userProvider) {
// access token is valid but the user does not exists
$createUserCallable = $this->options->getCreateUserCallable();
// by default, we expect the callable to return instance of "Hrevert\OauthClient\Model\UserProviderInterface"
// because the developer may have extended the default implementation
// Alternatively the callable may return user entity directly
$userProvider = $createUserCallable($providerUser);
if ($userProvider instanceof UserInterface) {
$user = $userProvider;
$userProvider = new UserProvider();
$userProvider->setUser($user);
}
$userProvider->setProviderUid($providerUser->getId());
$userProvider->setProvider($provider);
$this->objectManager->persist($userProvider);
$this->objectManager->flush();
}
/** @var TokenOwnerInterface $owner */
$owner = $userProvider->getUser();
// Everything is okay, we can start tokens generation!
$accessToken = new AccessToken();
$this->populateToken($accessToken, $client, $owner, $scope);
/** @var AccessToken $accessToken */
$accessToken = $this->accessTokenService->createToken($accessToken);
// Before generating a refresh token, we must make sure the authorization server supports this grant
$refreshToken = null;
if ($this->authorizationServer->hasGrant(RefreshTokenGrant::GRANT_TYPE)) {
$refreshToken = new RefreshToken();
$this->populateToken($refreshToken, $client, $owner, $scope);
/** @var RefreshToken $refreshToken */
$refreshToken = $this->refreshTokenService->createToken($refreshToken);
}
return $this->prepareTokenResponse($accessToken, $refreshToken);
}
/**
* Validate the token scopes against the registered scope
*
* @param array $scopes
* @return void
* @throws OAuth2Exception
*/
protected function validateTokenScopes(array $scopes)
{
$registeredScopes = $this->scopeService->getAll();
foreach ($registeredScopes as &$registeredScope) {
$registeredScope = is_string($registeredScope) ? $registeredScope : $registeredScope->getName();
}
$diff = array_diff($scopes, $registeredScopes);
if (count($diff) > 0) {
throw OAuth2Exception::invalidScope(sprintf('Some scope(s) do not exist: %s', implode(', ', $diff)));
}
}
/**
* @throws OAuth2Exception (invalid_request)
*/
public function createAuthorizationResponse(ServerRequestInterface $request, Client $client, TokenOwnerInterface $owner = null) : ResponseInterface
{
throw OAuth2Exception::invalidRequest('Client credentials grant does not support authorization');
}
/**
* Create a response from the exception, using the format of the spec
*
* @link http://tools.ietf.org/html/rfc6749#section-5.2
*/
private function createResponseFromOAuthException(OAuth2Exception $exception) : ResponseInterface
{
$payload = ['error' => $exception->getCode(), 'error_description' => $exception->getMessage()];
return new Response\JsonResponse($payload, 400);
}
/**
* {@inheritDoc}
* @throws OAuth2Exception
*/
public function createTokenResponse(ServerRequestInterface $request, Client $client = null, TokenOwnerInterface $owner = null) : ResponseInterface
{
$postParams = $request->getParsedBody();
$code = $postParams['code'] ?? null;
if (null === $code) {
throw OAuth2Exception::invalidRequest('Could not find the authorization code in the request');
}
/* @var \ZfrOAuth2\Server\Entity\AuthorizationCode $authorizationCode */
$authorizationCode = $this->authorizationCodeService->getToken($code);
if (null === $authorizationCode || $authorizationCode->isExpired()) {
throw OAuth2Exception::invalidGrant('Authorization code cannot be found or is expired');
}
$clientId = $postParams['client_id'] ?? null;
if ($authorizationCode->getClient()->getId() !== $clientId) {
throw OAuth2Exception::invalidRequest('Authorization code\'s client does not match with the one that created the authorization code');
}
// If owner is null, we reuse the same as the authorization code
$owner = $owner ?: $authorizationCode->getOwner();
// Everything is okey, let's start the token generation!
$scopes = $authorizationCode->getScopes();
// reuse the scopes from the authorization code
$accessToken = new AccessToken();
$this->populateToken($accessToken, $client, $owner, $scopes);
$accessToken = $this->accessTokenService->createToken($accessToken);
// Before generating a refresh token, we must make sure the authorization server supports this grant
$refreshToken = null;
if ($this->authorizationServer->hasGrant(RefreshTokenGrant::GRANT_TYPE)) {
$refreshToken = new RefreshToken();
$this->populateToken($refreshToken, $client, $owner, $scopes);
$refreshToken = $this->refreshTokenService->createToken($refreshToken);
}
return $this->prepareTokenResponse($accessToken, $refreshToken);
}
/**
* @throws OAuth2Exception
*/
public function createTokenResponse(ServerRequestInterface $request, Client $client = null, TokenOwnerInterface $owner = null) : ResponseInterface
{
$postParams = $request->getParsedBody();
// Validate the user using its username and password
$username = $postParams['username'] ?? null;
$password = $postParams['password'] ?? null;
$scope = $postParams['scope'] ?? null;
if (null === $username || null == $password) {
throw OAuth2Exception::invalidRequest('Username and/or password is missing');
}
$callback = $this->callback;
$owner = $callback($username, $password);
if (!$owner instanceof TokenOwnerInterface) {
throw OAuth2Exception::accessDenied('Either username or password are incorrect');
}
// Everything is okay, we can start tokens generation!
$accessToken = $this->accessTokenService->createToken($owner, $client, $scope);
// Before generating a refresh token, we must make sure the authorization server supports this grant
$refreshToken = null;
if ($this->authorizationServer->hasGrant(RefreshTokenGrant::GRANT_TYPE)) {
$refreshToken = $this->refreshTokenService->createToken($owner, $client, $scope);
}
return $this->prepareTokenResponse($accessToken, $refreshToken);
}
