/** * @param \Symfony\Component\HttpFoundation\Request $request * @param bool $headerOnly * @throws \Atrauzzi\Oauth2Server\Exception\AccessDenied * @throws \Atrauzzi\Oauth2Server\Exception\InvalidRequest */ public function authorize(Request $request, $headerOnly = true) { if ($authorizationHeader = $request->headers->get('Authorization')) { $accessTokenId = $this->config->getTokenStrategy()->determineAccessTokenInHeader($request); } elseif (!$headerOnly) { $accessTokenId = $request->get($this->config->getTokenKey()); } else { throw new InvalidRequest('access_token'); } $accessToken = $this->accessTokenRepository->find($accessTokenId); if (empty($accessToken)) { throw new AccessDenied(); } if ($accessToken->isExpired()) { throw new AccessDenied(); } }
/** * Conducts the checks and operations necessary for the flow indicated in the request. * * @param \Symfony\Component\HttpFoundation\Request $request * @param int $grantTypeFlow * @param \Atrauzzi\Oauth2Server\Domain\Entity\Oauthable $oauthable * @return array * @throws \Atrauzzi\Oauth2Server\Exception\InvalidClient * @throws \Atrauzzi\Oauth2Server\Exception\InvalidRequest */ public function doFlow(Request $request, $grantTypeFlow, Oauthable $oauthable = null) { if (!($clientId = $request->get('client_id', $request->getUser()))) { throw new InvalidRequest('client_id'); } if (!($clientSecret = $request->get('client_secret', $request->getPassword()))) { throw new InvalidRequest('client_secret'); } if (!($client = $this->clientRepository->find($clientId, $clientSecret, $this->getIdentifier()))) { throw new InvalidClient(); } $scopes = $this->scopeService->findValid($request->get('scope')); // // $accessToken = $this->accessTokenRepository->create(SecureKey::generate(), $this->config->getAccessTokenTtl() + time(), $oauthable->getId(), $oauthable->getType(), $client->getId(), array_keys($scopes)); // ToDo: Do we do refresh tokens for this grant type? $this->accessTokenRepository->persist($accessToken); $tokenStrategy = $this->config->getTokenStrategy(); $tokenStrategy->setParam('access_token', $accessToken->getId()); $tokenStrategy->setParam('expires_in', $this->config->getAccessTokenTtl()); return $tokenStrategy->generateResponse(); }
/** * @param \Symfony\Component\HttpFoundation\Request $request * @param int $grantTypeFlow * @param \Atrauzzi\Oauth2Server\Domain\Entity\Oauthable $oauthable * @return mixed * @throws \Atrauzzi\Oauth2Server\Exception\InvalidClient * @throws \Atrauzzi\Oauth2Server\Exception\InvalidCredentials * @throws \Atrauzzi\Oauth2Server\Exception\InvalidRequest * @throws \Atrauzzi\Oauth2Server\Exception\InvalidScope * @throws \Atrauzzi\Oauth2Server\Exception\ServerError */ public function doFlow(Request $request, $grantTypeFlow, Oauthable $oauthable = null) { if (!$oauthable instanceof Oauthable) { throw new InvalidCredentials(); } if ($clientId = $request->get('client_id', $request->getUser())) { throw new InvalidRequest('client_id'); } if ($clientSecret = $request->get('client_secret', $request->getPassword())) { throw new InvalidRequest('client_secret'); } if (!($client = $this->clientRepository->find($clientId, $clientSecret, $this->getIdentifier()))) { throw new InvalidClient(); } if (!($username = $request->get('username'))) { throw new InvalidRequest('username'); } if ($password = $request->get('password')) { throw new InvalidRequest('password'); } // // $scopes = $this->scopeService->findValid($request->get('scopes'), $this->getIdentifier(), $client->getId()); $accessToken = $this->accessTokenRepository->create(SecureKey::generate(), $this->config->getAccessTokenTtl() + time(), $oauthable->getId(), $oauthable->getType(), $client->getId(), array_keys($scopes)); $tokenStrategy = $this->config->getTokenStrategy(); if ($this->config->hasGrantType('refresh_token')) { $refreshToken = $this->refreshTokenRepository->create(SecureKey::generate(), $this->config->getRefreshTokenTtl() + time(), $oauthable->getId(), $oauthable->getType(), $client->getId(), array_keys($scopes)); $this->refreshTokenRepository->persist($refreshToken); $accessToken->setRefreshTokenId($refreshToken->getId()); $tokenStrategy->setParam('refresh_token', $refreshToken->getId()); } $this->accessTokenRepository->persist($accessToken); $tokenStrategy->setParam('access_token', $accessToken->getId()); $tokenStrategy->setParam('expires_in', $this->config->getAccessTokenTtl()); return $tokenStrategy->generateResponse(); }
/** * @param \Symfony\Component\HttpFoundation\Request $request * @param int $grantTypeFlow * @param \Atrauzzi\Oauth2Server\Domain\Entity\Oauthable $oauthable * @return array * @throws \Atrauzzi\Oauth2Server\Exception\InvalidClient * @throws \Atrauzzi\Oauth2Server\Exception\InvalidCredentials * @throws \Atrauzzi\Oauth2Server\Exception\InvalidRefresh * @throws \Atrauzzi\Oauth2Server\Exception\InvalidRequest * @throws \Atrauzzi\Oauth2Server\Exception\InvalidScope * @throws \Atrauzzi\Oauth2Server\Exception\UnsupportedFlow */ public function doFlow(Request $request, $grantTypeFlow, Oauthable $oauthable = null) { if ($grantTypeFlow != self::FLOW_DEFAULT) { throw new UnsupportedFlow(get_class(), $grantTypeFlow); } if (!($clientId = $request->get('client_id', $request->getUser()))) { throw new InvalidRequest('client_id'); } if (!($clientSecret = $request->get('client_secret', $request->getPassword()))) { throw new InvalidRequest('client_secret'); } if (!($oldRefreshTokenParam = $request->get('refresh_token', null))) { throw new InvalidRequest('refresh_token'); } if (!($client = $this->clientRepository->find($clientId, $clientSecret, $this->getIdentifier()))) { throw new InvalidClient(); } if (!($originalRefreshToken = $this->refreshTokenRepository->find($oldRefreshTokenParam))) { throw new InvalidRefresh(); } if ($originalRefreshToken->isExpired()) { throw new InvalidRefresh(); } // // $originalScopes = $originalRefreshToken->getScopeNames(); $requestedScopes = array_keys($this->scopeService->findValid($request->get('scope'), null, $client->getId(), $this->getIdentifier())); $disallowedScopes = array_diff($requestedScopes, $originalScopes); if (count($disallowedScopes)) { throw new InvalidScope($disallowedScopes); } $scopes = count($requestedScopes) ? $requestedScopes : $originalScopes; $accessToken = $this->accessTokenRepository->create(SecureKey::generate(), $this->config->getAccessTokenTtl() + time(), $originalRefreshToken->getOauthableId(), $originalRefreshToken->getOauthableType(), $client->getId(), $scopes); $tokenStrategy = $this->config->getTokenStrategy(); if ($this->config->shouldRotateRefreshTokens()) { $newRefreshToken = $this->refreshTokenRepository->create(SecureKey::generate(), $this->config->getRefreshTokenTtl() + time(), $originalRefreshToken->getOauthableId(), $originalRefreshToken->getOauthableType(), $client->getId(), $scopes); $this->refreshTokenRepository->delete($originalRefreshToken); unset($originalRefreshToken); $this->refreshTokenRepository->persist($newRefreshToken); $accessToken->setRefreshTokenId($newRefreshToken->getId()); // ToDo: Should we try to convey refresh token expiry? $tokenStrategy->setParam('refresh_token', $newRefreshToken->getId()); } $this->accessTokenRepository->persist($accessToken); $tokenStrategy->setParam('access_token', $accessToken->getId()); $tokenStrategy->setParam('expires_in', $this->config->getAccessTokenTtl()); return $tokenStrategy->generateResponse(); }
/** * Exchange an oauth code for an access and optionally a refresh token. * * @param \Symfony\Component\HttpFoundation\Request $request * @return array * @throws \Atrauzzi\Oauth2Server\Exception\InvalidClient * @throws \Atrauzzi\Oauth2Server\Exception\InvalidRequest */ protected function doExchangeFlow(Request $request) { if (!($clientId = $request->get('client_id', $request->getUser()))) { throw new InvalidRequest('client_id'); } if (!($clientSecret = $request->get('client_secret', $request->getPassword()))) { throw new InvalidRequest('client_secret'); } if (!($redirectUri = $request->request->get('redirect_uri', null))) { throw new InvalidRequest('redirect_uri'); } $client = $this->clientRepository->find($clientId, $clientSecret, $this->getIdentifier(), $redirectUri); if (!$client instanceof Client) { throw new InvalidClient(); } $authCode = $this->authorizationCodeRepository->find($request->get('code')); if (!$authCode instanceof AuthorizationCodeEntity) { throw new InvalidRequest('code'); } if ($authCode->isExpired()) { throw new InvalidRequest('code'); } if ($authCode->getRedirectUri() != $redirectUri) { throw new InvalidRequest('redirect_uri'); } // // $ttl = $this->config->getAccessTokenTtl(); $accessToken = $this->accessTokenRepository->create(SecureKey::generate(), $ttl + time(), $authCode->getOauthableId(), $authCode->getOauthableType(), $authCode->getClientId(), $authCode->getScopeNames()); $this->authorizationCodeRepository->delete($authCode); unset($authCode); $tokenStrategy = $this->config->getTokenStrategy(); if ($this->config->hasGrantType('refresh_token')) { $refreshToken = $this->refreshTokenRepository->create(SecureKey::generate(), $this->config->getRefreshTokenTtl() + time(), $accessToken->getOauthableId(), $accessToken->getOauthableType(), $accessToken->getClientId(), $accessToken->getScopeNames()); $this->refreshTokenRepository->persist($refreshToken); $accessToken->setRefreshTokenId($refreshToken->getId()); $tokenStrategy->setParam('refresh_token', $refreshToken->getId()); } $this->accessTokenRepository->persist($accessToken); $tokenStrategy->setParam('access_token', $accessToken->getId()); $tokenStrategy->setParam('expires_in', $ttl); return $tokenStrategy->generateResponse(); }