/**
 * Whether this token can still be used.
 *
 * A token is only valid while the application it was issued to (looked up by
 * this token's key) still exists and its lifetime window has not elapsed.
 *
 * @return bool
 */
function isValid()
{
    $issuingApp = \IdnoPlugins\OAuth2\Application::getOne(['key' => $this->key]);
    if (!$issuingApp) {
        return false;
    }

    $expiresAt = $this->created + $this->expires_in;

    return $expiresAt > time();
}
/**
 * Render the "authorise connection" consent page for a client application.
 *
 * Reads client_id, scope and fwd (the page to return to afterwards) from the
 * request, loads the application registered under client_id and draws the
 * oauth2/forms/connect template with those values.
 *
 * @throws \Exception if no application is registered under the given client_id
 */
function getContent()
{
    $this->gatekeeper();

    // NOTE(review): fwd is request-supplied and handed straight to the template;
    // whether the template restricts it to a local path is not visible here — confirm.
    $returnPage = $this->getInput('fwd');
    $clientId = $this->getInput('client_id');
    $requestedScope = $this->getInput('scope');

    $application = \IdnoPlugins\OAuth2\Application::getOne(['key' => $clientId]);
    if (!$application) {
        throw new \Exception("Could not load client associated with {$clientId}");
    }

    $template = \Idno\Core\site()->template();
    $template->body = $template->__([
        'fwd' => $returnPage,
        'client_id' => $clientId,
        'scope' => $requestedScope,
        'client' => $application,
    ])->draw('oauth2/forms/connect');
    $template->title = 'Authorise connection...';
    $template->drawPage();
}
/**
 * Handle the account OAuth2 form: create or delete a registered application.
 *
 * The `action` request parameter selects the operation:
 *  - `create`: registers a new application named after the `name` parameter
 *    and reports success or failure through a session message;
 *  - `delete`: removes the application identified by `app_uuid`, reporting
 *    only on success (a failed or missing lookup is silently ignored).
 * Any other action does nothing. The user is then forwarded back to the
 * account/oauth2/ page.
 */
function postContent()
{
    $this->gatekeeper();

    // NOTE(review): no CSRF token check is visible here; confirm that gatekeeper()
    // or the framework covers state-changing POSTs.
    $site = \Idno\Core\site();
    $session = $site->session();

    switch ($this->getInput('action')) {
        case 'create':
            $application = \IdnoPlugins\OAuth2\Application::newApplication($this->getInput('name'));
            if ($application->save()) {
                $session->addMessage("New application " . $application->getTitle() . " created!");
            } else {
                $session->addErrorMessage("Problem creating new application...");
            }
            break;

        case 'delete':
            $application = \IdnoPlugins\OAuth2\Application::getByUUID($this->getInput('app_uuid'));
            // A failed delete produces no message, as before.
            if ($application && $application->delete()) {
                $session->addMessage($application->getTitle() . " was removed.");
            }
            break;
    }

    $this->forward($site->config()->getURL() . 'account/oauth2/');
}
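/**
 * OAuth2 token endpoint: exchange a grant for an access token.
 *
 * Supported grant_type values are `refresh_token` (rotates an existing token)
 * and `authorization_code` (redeems a code issued by the authorise endpoint).
 * On success the new token is echoed as JSON. An OAuth2Exception is reported
 * with its own http_code and JSON body; any other exception is reported as a
 * 400 `invalid_request` carrying the exception message.
 */
function getContent()
{
    try {
        try {
            $state = $this->getInput('state');
            $grant_type = $this->getInput('grant_type');

            if (!$grant_type) {
                throw new \IdnoPlugins\OAuth2\OAuth2Exception("Required parameter grant_type is missing!", 'invalid_request', $state);
            }

            switch ($grant_type) {
                case 'refresh_token':
                    $token = $this->exchangeRefreshToken($state);
                    break;

                case 'authorization_code':
                    $token = $this->exchangeAuthorizationCode($state);
                    break;

                default:
                    // Any other grant_type used to fall through into the
                    // authorization_code flow; RFC 6749 §5.2 says to reject it.
                    throw new \IdnoPlugins\OAuth2\OAuth2Exception("Unsupported grant_type {$grant_type}", 'unsupported_grant_type', $state);
            }

            echo json_encode($token);
        } catch (\IdnoPlugins\OAuth2\OAuth2Exception $oa2e) {
            $this->setResponse($oa2e->http_code);
            echo json_encode($oa2e->jsonSerialize());
        }
    } catch (\Exception $e) {
        $this->setResponse(400);
        echo json_encode(['error' => 'invalid_request', 'error_description' => $e->getMessage()]);
    }
}

/**
 * Redeem a refresh token: retire the presented token and issue a fresh one
 * carrying the same state, scope, client key and owner.
 *
 * @param mixed $state the request's state parameter, echoed back in errors
 * @return \IdnoPlugins\OAuth2\Token the newly saved token
 * @throws \IdnoPlugins\OAuth2\OAuth2Exception on a missing or unknown refresh
 *         token, a client_id or state that does not match the token, or a
 *         storage failure
 */
private function exchangeRefreshToken($state)
{
    $refresh_token = $this->getInput('refresh_token');
    if (!$refresh_token) {
        throw new \IdnoPlugins\OAuth2\OAuth2Exception("Required parameter refresh_token is missing!", 'invalid_request', $state);
    }

    $token = \IdnoPlugins\OAuth2\Token::getOne(['refresh_token' => $refresh_token]);
    if (!$token) {
        throw new \IdnoPlugins\OAuth2\OAuth2Exception("Sorry, that refresh token appears to be invalid!", 'invalid_grant', $state);
    }

    // The token is bound to one client (its key). A refresh naming a different
    // client_id is rejected; client_id stays optional because the original
    // flow never required it on refreshes.
    // NOTE(review): no client credential check is visible on this endpoint —
    // confirm whether one is enforced elsewhere.
    $client_id = $this->getInput('client_id');
    if ($client_id && (string) $token->key !== (string) $client_id) {
        throw new \IdnoPlugins\OAuth2\OAuth2Exception("Sorry, that refresh token was issued to a different client!", 'invalid_grant', $state);
    }

    // Compare as strings with ===: loose != treats e.g. "1e3" and "1000" as equal.
    if ($token->state && (string) $token->state !== (string) $state) {
        throw new \IdnoPlugins\OAuth2\OAuth2Exception("Invalid state given", 'access_denied', $state);
    }

    $newtoken = new \IdnoPlugins\OAuth2\Token();
    $newtoken->state = $token->state;
    $newtoken->scope = $token->scope;
    $newtoken->key = $token->key;
    $newtoken->setOwner($token->getOwner());

    // Persist the replacement before retiring the old token, so a storage
    // failure cannot leave the client with no usable token at all.
    if (!$newtoken->save()) {
        throw new \IdnoPlugins\OAuth2\OAuth2Exception("Server problem, couldn't refresh token. Try again in a bit...", 'invalid_grant', $state);
    }
    if (!$token->delete()) {
        // Do not leave two live tokens behind: roll the new one back.
        $newtoken->delete();
        throw new \IdnoPlugins\OAuth2\OAuth2Exception("Server problem, couldn't refresh token. Try again in a bit...", 'invalid_grant', $state);
    }

    return $newtoken;
}

/**
 * Redeem an authorisation code issued by the authorise endpoint for a token.
 *
 * The code must have been issued to client_id, be unexpired, and carry the
 * same state and redirect_uri it was issued with. It is deleted before the
 * token is issued so it cannot be redeemed a second time (RFC 6749 §4.1.2).
 *
 * @param mixed $state the request's state parameter, echoed back in errors
 * @return \IdnoPlugins\OAuth2\Token the newly saved token
 * @throws \IdnoPlugins\OAuth2\OAuth2Exception on missing parameters, an
 *         unknown client, an unknown/expired/mismatched code, or a storage failure
 */
private function exchangeAuthorizationCode($state)
{
    $client_id = $this->getInput('client_id');
    $code = $this->getInput('code');
    $redirect_uri = $this->getInput('redirect_uri');

    if (!$client_id) {
        throw new \IdnoPlugins\OAuth2\OAuth2Exception("Required parameter client_id is missing!", 'invalid_request', $state);
    }
    if (!$code) {
        throw new \IdnoPlugins\OAuth2\OAuth2Exception("Required parameter code is missing!", 'invalid_request', $state);
    }

    if (!\IdnoPlugins\OAuth2\Application::getOne(['key' => $client_id])) {
        throw new \IdnoPlugins\OAuth2\OAuth2Exception("I have no knowledge of the application identified by {$client_id}", 'unauthorized_client', $state);
    }

    $code_obj = \IdnoPlugins\OAuth2\Code::getOne(['code' => $code, 'key' => $client_id]);
    if (!$code_obj || $code_obj->expires < time()) {
        throw new \IdnoPlugins\OAuth2\OAuth2Exception("Sorry, unknown or expired code!", 'invalid_grant', $state);
    }

    // Strict string comparisons: loose != treats e.g. "1e3" and "1000" as equal.
    if ($code_obj->state && (string) $code_obj->state !== (string) $state) {
        throw new \IdnoPlugins\OAuth2\OAuth2Exception("Invalid state given", 'access_denied', $state);
    }
    if ($code_obj->redirect_uri && (string) $code_obj->redirect_uri !== (string) $redirect_uri) {
        throw new \IdnoPlugins\OAuth2\OAuth2Exception("Sorry, redirect_uri doesn't match the one given before!", 'access_denied', $state);
    }

    // Retire the code first: a code that cannot be invalidated must not yield
    // a token, otherwise it stays replayable until it expires.
    if (!$code_obj->delete()) {
        throw new \IdnoPlugins\OAuth2\OAuth2Exception("Server problem, couldn't generate new tokens. Try again in a bit...", 'invalid_grant', $state);
    }

    $token = new \IdnoPlugins\OAuth2\Token();
    $token->state = $state;
    $token->scope = $code_obj->scope;
    $token->key = $client_id;
    $token->setOwner($code_obj->getOwner());

    if (!$token->save()) {
        throw new \IdnoPlugins\OAuth2\OAuth2Exception("Server problem, couldn't generate new tokens. Try again in a bit...", 'invalid_grant', $state);
    }

    return $token;
}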
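/**
 * OAuth2 authorise endpoint: issue an authorisation code for a client.
 *
 * Requires response_type=code and a client_id matching a registered
 * application. The current user must be logged in (otherwise they are sent to
 * the login page with this URL as fwd) and must already have granted this
 * client the requested scope (otherwise they are sent to the connect page).
 * A new Code carrying scope, client key, state and redirect_uri is then saved
 * and delivered either by redirect to redirect_uri (as code= and state= query
 * parameters) or, when no redirect_uri was given, as a JSON body.
 *
 * response_type=token (implicit grant) and any other response_type are
 * rejected. Errors are reported the same way as on the token endpoint: an
 * OAuth2Exception with its own http_code and JSON body, anything else as a
 * 400 `invalid_request`.
 */
function getContent()
{
    try {
        try {
            $state = $this->getInput('state');
            $scope = $this->getInput('scope');
            $response_type = $this->getInput('response_type');
            $client_id = $this->getInput('client_id');
            $redirect_uri = $this->getInput('redirect_uri');

            if (!$response_type) {
                throw new \IdnoPlugins\OAuth2\OAuth2Exception("Required parameter response_type is missing!", 'invalid_request', $state);
            }
            if (!$client_id) {
                throw new \IdnoPlugins\OAuth2\OAuth2Exception("Required parameter client_id is missing!", 'invalid_request', $state);
            }

            if ($response_type === 'token') {
                throw new \IdnoPlugins\OAuth2\OAuth2Exception("Sorry, implicit grant is currently not supported.", 'unsupported_response_type', $state);
            }
            if ($response_type !== 'code') {
                // Any other response_type used to fall through into the code
                // flow; RFC 6749 §4.1.2.1 says to reject it.
                throw new \IdnoPlugins\OAuth2\OAuth2Exception("Unsupported response_type {$response_type}", 'unsupported_response_type', $state);
            }

            if (!\IdnoPlugins\OAuth2\Application::getOne(['key' => $client_id])) {
                throw new \IdnoPlugins\OAuth2\OAuth2Exception("I have no knowledge of the application identified by {$client_id}", 'unauthorized_client', $state);
            }

            // NOTE(review): redirect_uri comes from the request and is never
            // compared with anything registered for the application, so the
            // code is delivered wherever the requester asks. Confirm whether
            // Application records a redirect URI that could be checked here.

            $user = \Idno\Core\site()->session()->currentUser();
            if (!$user) {
                $this->forward('/session/login?fwd=' . urlencode($this->currentUrl()));
                // forward() is expected to end the request; never carry on with no user.
                return;
            }

            // Consent previously recorded for this client, if any. Read the
            // property once and index the local copy so a missing entry does
            // not raise an undefined-index warning.
            $consents = $user->oauth2;
            $granted = (is_array($consents) && isset($consents[$client_id])) ? $consents[$client_id] : null;
            $grantedScope = (is_array($granted) && isset($granted['scope'])) ? $granted['scope'] : null;
            if (!$granted || (string) $grantedScope !== (string) $scope) {
                // client_id is URL-encoded like the other parameters; it has
                // already been validated against a registered application.
                $this->forward('/oauth2/connect?client_id=' . urlencode($client_id) . '&scope=' . urlencode($scope) . '&fwd=' . urlencode($this->currentUrl()));
                return;
            }

            $code = new \IdnoPlugins\OAuth2\Code();
            $code->scope = $scope;
            $code->key = $client_id;
            $code->state = $state;
            $code->redirect_uri = $redirect_uri;

            if (\IdnoPlugins\OAuth2\Code::getOne(['code' => $code])) {
                throw new \IdnoPlugins\OAuth2\OAuth2Exception("Sorry, this code has been seen before!", 'access_denied', $state);
            }
            if (!$code->save()) {
                throw new \IdnoPlugins\OAuth2\OAuth2Exception("Bang, code incorrect", 'invalid_request', $state);
            }

            if ($redirect_uri) {
                // Join onto an existing query string instead of clobbering it:
                // previously a URI that already had "?" became "...?foo=1code=...".
                $separator = strpos($redirect_uri, '?') === false ? '?' : '&';
                $redirect_uri .= $separator . 'code=' . urlencode($code) . '&state=' . urlencode((string) $state);
                $this->forward($redirect_uri);
            } else {
                echo json_encode(['code' => $code, 'state' => $state]);
            }
        } catch (\IdnoPlugins\OAuth2\OAuth2Exception $oa2e) {
            $this->setResponse($oa2e->http_code);
            echo json_encode($oa2e->jsonSerialize());
        }
    } catch (\Exception $e) {
        $this->setResponse(400);
        echo json_encode(['error' => 'invalid_request', 'error_description' => $e->getMessage()]);
    }
}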