/**
 * Render the list of approvals stored for the authenticated resource owner.
 *
 * The lookup is keyed on the id reported by $userInfo, so the page only
 * contains the approvals stored under that id.
 *
 * @param Request           $request  not read by this method
 * @param UserInfoInterface $userInfo source of the resource owner id
 *
 * @return Response response whose body is the rendered 'approvals' template
 */
public function getApprovals(Request $request, UserInfoInterface $userInfo)
 {
     $resourceOwnerId = $userInfo->getUserId();
     $templateVars = array('approvals' => $this->db->getApprovals($resourceOwnerId));

     $response = new Response();
     $html = $this->templateManager->render('approvals', $templateVars);
     $response->setBody($html);

     return $response;
 }
 /**
  * Render the list of all clients returned by the database layer.
  *
  * NOTE(review): this method takes no user information and performs no
  * access check itself; presumably the caller or router restricts who can
  * reach it. Confirm before exposing the route.
  *
  * @return Response response whose body is the rendered 'clients' template
  */
 public function getClients()
 {
     $templateVars = array('clients' => $this->db->getClients());

     $response = new Response();
     $html = $this->templateManager->render('clients', $templateVars);
     $response->setBody($html);

     return $response;
 }
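 /**
  * Handle an OAuth authorization request for an authenticated resource owner.
  *
  * The request is checked in this order: client registration, redirect_uri,
  * response_type, requested scope. After that the method either renders the
  * consent page or, when a sufficient approval exists, issues an access token
  * (response_type "token") or an authorization code (any other type).
  *
  * Unknown clients and non-matching redirect URIs raise an exception instead
  * of producing a ClientResponse, so nothing is sent to a redirect target that
  * has not been verified against the registration.
  *
  * @param Request           $request  the incoming authorization request
  * @param UserInfoInterface $userInfo source of the resource owner id
  *
  * @return Response|ClientResponse consent page, or a response for the client
  *
  * @throws BadRequestException if the client is not registered or the supplied
  *                             redirect_uri fails verification
  */
 public function getAuthorization(Request $request, UserInfoInterface $userInfo)
 {
     $authorizeRequest = new AuthorizeRequest($request);
     $clientId = $authorizeRequest->getClientId();
     $responseType = $authorizeRequest->getResponseType();
     $redirectUri = $authorizeRequest->getRedirectUri();
     $scope = $authorizeRequest->getScope();
     // Not used below. NOTE(review): presumably ClientResponse takes the
     // state value from $request; confirm before removing this call.
     $state = $authorizeRequest->getState();

     $clientData = $this->storage->getClient($clientId);
     if (false === $clientData) {
         throw new BadRequestException('client not registered');
     }

     if (null === $redirectUri) {
         // no redirect_uri in the request: fall back to the registered one
         $redirectUri = $clientData->getRedirectUri();
     } elseif (!$clientData->verifyRedirectUri($redirectUri, $this->allowRegExpRedirectUriMatch)) {
         // NOTE(review): judging by its name, the second argument enables
         // regular-expression matching of the registered URI. If so, the
         // registered pattern decides which targets may receive codes and
         // tokens; confirm such patterns are anchored and narrow.
         throw new BadRequestException('specified redirect_uri not the same as registered redirect_uri');
     }
     // from here on $redirectUri is either the registered or a verified URI

     if ($responseType !== $clientData->getType()) {
         return new ClientResponse(
             $clientData,
             $request,
             $redirectUri,
             array(
                 'error' => 'unsupported_response_type',
                 'error_description' => 'response_type not supported by client profile',
             )
         );
     }

     $scopeObj = new Scope($scope);
     $allowedScopeObj = new Scope($clientData->getAllowedScope());
     if (!$scopeObj->hasOnlyScope($allowedScopeObj)) {
         return new ClientResponse(
             $clientData,
             $request,
             $redirectUri,
             array(
                 'error' => 'invalid_scope',
                 'error_description' => 'not authorized to request this scope',
             )
         );
     }

     // read once so approval lookup and token/code binding use the same id
     $resourceOwnerId = $userInfo->getUserId();

     if ($clientData->getDisableUserConsent()) {
         // we do not require approval by the user, add implicit approval
         // NOTE(review): this grants the requested scope with no user
         // interaction; confirm which clients may have this flag set.
         $this->addApproval($clientData, $resourceOwnerId, $scope);
     }

     $approval = $this->storage->getApprovalByResourceOwnerId($clientId, $resourceOwnerId);

     // Only dereference $approval after the "not found" case is ruled out;
     // indexing false would build the approved scope from a null value.
     $needsConsent = true;
     if (false !== $approval) {
         $approvedScopeObj = new Scope($approval['scope']);
         $needsConsent = (false === $scopeObj->hasOnlyScope($approvedScopeObj));
     }

     if ($needsConsent) {
         // we do not yet have an approval at all, or client wants more
         // permissions, so we ask the user for approval
         // NOTE(review): client name, description and contact e-mail are
         // passed to the template as stored; output escaping is presumably
         // done by the template layer. Confirm.
         $response = new Response();
         $response->setBody(
             $this->templateManager->render(
                 'askAuthorization',
                 array(
                     'resourceOwnerId' => $resourceOwnerId,
                     'sslEnabled' => 'https' === $request->getUrl()->getScheme(),
                     'contactEmail' => $clientData->getContactEmail(),
                     'scopes' => $scopeObj->toArray(),
                     'clientName' => $clientData->getName(),
                     'clientId' => $clientData->getId(),
                     'clientDescription' => $clientData->getDescription(),
                 )
             )
         );

         return $response;
     }

     // we already have approval
     if ('token' === $responseType) {
         // implicit grant
         // FIXME: return existing access token if it exists for this exact client, resource owner and scope?
         // NOTE(review): the value is a bearer credential; this assumes
         // getRandomHex() draws from a cryptographically secure source. Confirm.
         $accessToken = $this->io->getRandomHex();
         $this->storage->storeAccessToken(
             $accessToken,
             $this->io->getTime(),
             $clientId,
             $resourceOwnerId,
             $scope,
             $this->accessTokenExpiry
         );

         return new ClientResponse(
             $clientData,
             $request,
             $redirectUri,
             array(
                 'access_token' => $accessToken,
                 'expires_in' => $this->accessTokenExpiry,
                 'token_type' => 'bearer',
                 'scope' => $scope,
             )
         );
     }

     // authorization code grant
     $authorizationCode = $this->io->getRandomHex();
     // The redirect_uri stored with the code is the one from the request
     // (possibly null), not the resolved $redirectUri. Presumably the token
     // endpoint compares against it when the code is exchanged; confirm.
     $this->storage->storeAuthorizationCode(
         $authorizationCode,
         $resourceOwnerId,
         $this->io->getTime(),
         $clientId,
         $authorizeRequest->getRedirectUri(),
         $scope
     );

     return new ClientResponse($clientData, $request, $redirectUri, array('code' => $authorizationCode));
 }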