/**
 * {@inheritdoc}
 *
 * Appears to implement the Client Credentials grant: only a confidential
 * client may obtain a token this way, the token's resource owner is the
 * client itself and no user account is attached.
 */
public function grantAccessToken(ServerRequestInterface $request, ClientInterface $client, GrantTypeResponseInterface &$grant_type_response)
{
    // A public client cannot authenticate itself, so it is rejected before
    // any field of the response is touched.
    if ($client->isPublic()) {
        throw $this->getExceptionManager()->getBadRequestException(
            ExceptionManagerInterface::ERROR_INVALID_CLIENT,
            'The client is not a confidential client'
        );
    }

    // Whether a refresh token accompanies the access token is a server-wide setting here.
    $withRefreshToken = $this->isRefreshTokenIssuedWithAccessToken();

    $grant_type_response->setResourceOwnerPublicId($client->getPublicId());
    $grant_type_response->setUserAccountPublicId(null);
    $grant_type_response->setRefreshTokenIssued($withRefreshToken);
    // The refresh token carries exactly the scope requested for the access token.
    $grant_type_response->setRefreshTokenScope($grant_type_response->getRequestedScope());
}
/**
 * Decide whether a refresh token may be issued to the given client.
 *
 * Issuance is refused outright when the server has it disabled; a public
 * client additionally needs the dedicated "public clients" switch to be on,
 * while a confidential client is always eligible.
 *
 * @param \OAuth2\Client\ClientInterface $client
 *
 * @return bool
 */
private function issueRefreshToken(ClientInterface $client)
{
    if (!$this->isRefreshTokenIssuanceAllowed()) {
        return false;
    }

    if ($client->isPublic() !== true) {
        // Confidential clients are eligible as soon as issuance is enabled.
        return true;
    }

    // Public clients depend on a separate setting.
    return $this->isRefreshTokenIssuanceForPublicClientsAllowed();
}
/**
 * Reject the implicit ("token") response type for a confidential client.
 *
 * NOTE(review): despite its name, this method does not look at the client's
 * registered redirect URIs itself; the assertion message suggests it is
 * meant to be called only when none is registered — confirm at the call site.
 *
 * @param \OAuth2\Client\ClientInterface $client
 * @param array                          $parameters Authorization request parameters
 *
 * @throws \InvalidArgumentException
 */
private function checkRedirectUriForConfidentialClient(ClientInterface $client, array $parameters)
{
    $isConfidential = !$client->isPublic();
    $requestsTokenResponse = array_key_exists('response_type', $parameters)
        && 'token' === $parameters['response_type'];

    Assertion::false(
        $isConfidential && $requestsTokenResponse,
        'Confidential clients must register at least one redirect URI when using "token" response type.'
    );
}
/**
 * Verify the PKCE proof (RFC 7636) on an authorization-code exchange.
 *
 * The challenge stored alongside the authorization code is checked against
 * the `code_verifier` sent in the token request body. When no challenge was
 * stored, the exchange is refused only for a public client and only if PKCE
 * is enforced for public clients; otherwise it proceeds without a proof.
 *
 * NOTE(review): `code_verifier` is handed to the PKCE method manager even when
 * it is absent from the request body (presumably as null); rejecting that case
 * is left to `checkPKCEInput()` — confirm it does.
 *
 * @param \Psr\Http\Message\ServerRequestInterface $request  Token request carrying `code_verifier`
 * @param \OAuth2\Token\AuthCodeInterface          $authCode Authorization code whose query params hold the challenge
 * @param \OAuth2\Client\ClientInterface           $client
 *
 * @throws \OAuth2\Exception\BaseExceptionInterface
 */
private function checkPKCE(ServerRequestInterface $request, AuthCodeInterface $authCode, ClientInterface $client)
{
    $authParams = $authCode->getQueryParams();

    if (!array_key_exists('code_challenge', $authParams)) {
        $enforcedForPublic = true === $this->isPKCEForPublicClientsEnforced();
        if ($enforcedForPublic && $client->isPublic()) {
            throw $this->getExceptionManager()->getBadRequestException(
                ExceptionManagerInterface::ERROR_INVALID_REQUEST,
                'Non-confidential clients must set a proof key (PKCE) for code exchange.'
            );
        }

        // No challenge was recorded and none is required for this client.
        return;
    }

    // RFC 7636 defaults the transformation to "plain" when the client named none.
    $method = array_key_exists('code_challenge_method', $authParams)
        ? $authParams['code_challenge_method']
        : 'plain';
    $verifier = RequestBody::getParameter($request, 'code_verifier');

    try {
        $this->getPKCEMethodManager()->checkPKCEInput($method, $authParams['code_challenge'], $verifier);
    } catch (\InvalidArgumentException $e) {
        // Surface the validation failure as a standard OAuth2 invalid_request error.
        throw $this->getExceptionManager()->getBadRequestException(
            ExceptionManagerInterface::ERROR_INVALID_REQUEST,
            $e->getMessage()
        );
    }
}