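/**
 * Validate the bearer token carried in the request's "Authorization" header.
 *
 * The header value is stripped of its "Bearer " prefix, parsed as a JWT,
 * checked against the configured public key with the SHA-256 signer, checked
 * for validity at the current time (expiry etc.), and finally checked against
 * the access token repository's revocation state.
 *
 * @param \Phalcon\Http\RequestInterface $request
 *
 * @return array{oauth_access_token_id: mixed, oauth_client_id: mixed, oauth_user_id: mixed, oauth_scopes: mixed}
 *   the "jti", "aud", "sub" and "scopes" claims copied out of the token
 *
 * @throws OAuthServerException when the header is missing, the token cannot be parsed,
 *   its signature does not verify, it fails validation, a required claim is absent,
 *   or the token has been revoked
 */
public function validateAuthorization(\Phalcon\Http\RequestInterface $request)
{
    // Read the header once; a missing header yields a falsy value.
    $header = $request->getHeader('authorization');
    if (!$header) {
        throw OAuthServerException::accessDenied('Missing "Authorization" header');
    }

    // Strip the "Bearer " scheme prefix (and any leading whitespace) to get the raw JWT.
    $jwt = trim(preg_replace('/^(?:\\s+)?Bearer\\s/', '', $header));

    try {
        // Attempt to parse and validate the JWT
        $token = (new Parser())->parse($jwt);

        // Deny unless the signature verifies against the public key.
        if ($token->verify(new Sha256(), $this->publicKey->getKeyPath()) === false) {
            throw OAuthServerException::accessDenied('Access token could not be verified');
        }

        // Ensure access token hasn't expired
        $data = new ValidationData();
        $data->setCurrentTime(time());

        if ($token->validate($data) === false) {
            throw OAuthServerException::accessDenied('Access token is invalid');
        }

        // Check if token has been revoked
        if ($this->accessTokenRepository->isAccessTokenRevoked($token->getClaim('jti'))) {
            throw OAuthServerException::accessDenied('Access token has been revoked');
        }

        // Return the response with additional attributes
        return [
            'oauth_access_token_id' => $token->getClaim('jti'),
            'oauth_client_id'       => $token->getClaim('aud'),
            'oauth_user_id'         => $token->getClaim('sub'),
            'oauth_scopes'          => $token->getClaim('scopes'),
        ];
    } catch (\InvalidArgumentException $exception) {
        // JWT couldn't be parsed (malformed token structure)
        throw OAuthServerException::accessDenied($exception->getMessage());
    } catch (\RuntimeException $exception) {
        // Covers payload decoding failures in the parser as well as the
        // \OutOfBoundsException raised when a claim the server relies on
        // ("jti", "aud", "sub", "scopes") is absent from the token. Without this
        // catch such a token would surface as a server error instead of a denial.
        throw OAuthServerException::accessDenied($exception->getMessage());
    }
}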
/**
 * Issue an access token.
 *
 * Builds a new access token entity from the repository, fills in the client,
 * user, a freshly generated identifier, the expiry (now + TTL) and the scopes,
 * then persists it through the access token repository.
 *
 * @param \DateInterval $accessTokenTTL
 * @param \League\OAuth2\Server\Entities\ClientEntityInterface $client
 * @param string $userIdentifier
 * @param \League\OAuth2\Server\Entities\ScopeEntityInterface[] $scopes
 *
 * @return \League\OAuth2\Server\Entities\AccessTokenEntityInterface the persisted token
 */
protected function issueAccessToken(\DateInterval $accessTokenTTL, ClientEntityInterface $client, $userIdentifier, array $scopes = [])
{
    $repository = $this->accessTokenRepository;
    $token = $repository->getNewToken($client, $scopes, $userIdentifier);

    $token->setClient($client);
    $token->setUserIdentifier($userIdentifier);
    $token->setIdentifier($this->generateUniqueIdentifier());

    // Expiry is computed from the current time plus the grant's TTL.
    $expiresAt = (new \DateTime())->add($accessTokenTTL);
    $token->setExpiryDateTime($expiresAt);

    array_walk($scopes, function ($scope) use ($token) {
        $token->addScope($scope);
    });

    $repository->persistNewAccessToken($token);

    return $token;
}
/**
 * Issue an access token.
 *
 * Builds a new access token entity from the repository, fills in the client,
 * user, expiry (now + TTL) and scopes, then persists it. If the repository
 * rejects the randomly generated identifier as already in use, a new identifier
 * is generated and persistence is retried, up to
 * MAX_RANDOM_TOKEN_GENERATION_ATTEMPTS times in total.
 *
 * @param \DateInterval $accessTokenTTL
 * @param \League\OAuth2\Server\Entities\ClientEntityInterface $client
 * @param string $userIdentifier
 * @param \League\OAuth2\Server\Entities\ScopeEntityInterface[] $scopes
 *
 * @return \League\OAuth2\Server\Entities\AccessTokenEntityInterface the persisted token
 *
 * @throws UniqueTokenIdentifierConstraintViolationException when the final attempt
 *   still collides with an existing identifier
 */
protected function issueAccessToken(\DateInterval $accessTokenTTL, ClientEntityInterface $client, $userIdentifier, array $scopes = [])
{
    $attemptLimit = self::MAX_RANDOM_TOKEN_GENERATION_ATTEMPTS;
    $repository = $this->accessTokenRepository;

    $token = $repository->getNewToken($client, $scopes, $userIdentifier);
    $token->setClient($client);
    $token->setUserIdentifier($userIdentifier);
    $token->setExpiryDateTime((new \DateTime())->add($accessTokenTTL));

    foreach ($scopes as $grantedScope) {
        $token->addScope($grantedScope);
    }

    // Each attempt draws a fresh identifier; only the very last collision propagates.
    for ($attempt = 1; $attempt <= $attemptLimit; $attempt++) {
        $token->setIdentifier($this->generateUniqueIdentifier());

        try {
            $repository->persistNewAccessToken($token);

            return $token;
        } catch (UniqueTokenIdentifierConstraintViolationException $collision) {
            if ($attempt === $attemptLimit) {
                throw $collision;
            }
        }
    }
}