/**
 * {@inheritdoc}
 *
 * Validates a refresh token presented by an (already authenticated) client.
 * Two conditions are enforced, in this order:
 *   1. the token was issued to the presenting client (public id equality);
 *   2. the token has not expired.
 * Either failure is raised as an `invalid_grant` error. Because the ownership
 * check runs first, a token belonging to a different client never reaches the
 * expiry check, so the "expired" message is only ever shown for one's own tokens.
 *
 * NOTE(review): the used/revoked state of the token is not consulted here; if
 * the token model tracks that flag, enforcement has to happen in the caller.
 */
public function checkRefreshToken(RefreshTokenInterface $token, ClientInterface $client)
{
    $presenting_client_id = $client->getPublicId();
    $issued_to_client_id = $token->getClientPublicId();

    // Ownership: a refresh token is only usable by the client it was issued to.
    if ($presenting_client_id !== $issued_to_client_id) {
        throw $this->getExceptionManager()->getException(
            ExceptionManagerInterface::BAD_REQUEST,
            ExceptionManagerInterface::INVALID_GRANT,
            'Invalid refresh token'
        );
    }

    // Lifetime: the token itself knows whether its expiry has passed.
    if ($token->hasExpired()) {
        throw $this->getExceptionManager()->getException(
            ExceptionManagerInterface::BAD_REQUEST,
            ExceptionManagerInterface::INVALID_GRANT,
            'Refresh token has expired'
        );
    }
}
/**
 * {@inheritdoc}
 *
 * Builds a fresh access token from its parts, runs the extension hooks
 * (`updateAccessToken`, `populateAccessToken`), persists it and returns it.
 *
 * - Expiry is `time()` plus the lifetime configured for the client.
 * - A user-account owner is recorded with two ids (owner id = user public id,
 *   user-account id = the account's own public id); any other owner only with
 *   its public id.
 * - Only the refresh token's string value is attached, never the object.
 * - `$request_parameters` is accepted for interface compatibility and is not
 *   read in this implementation.
 */
public function createAccessToken(ClientInterface $client, ResourceOwnerInterface $resource_owner, array $token_type_parameters, array $request_parameters, array $scope = [], RefreshTokenInterface $refresh_token = null, ClientInterface $resource_server = null, array $metadatas = [])
{
    $token = $this->createEmptyAccessToken();

    $token->setExpiresAt(time() + $this->getLifetime($client));
    $token->setScope($scope);

    // User accounts carry two identifiers; every other resource owner only one.
    if ($resource_owner instanceof UserAccountInterface) {
        $token->setResourceOwnerPublicId($resource_owner->getUserPublicId());
        $token->setUserAccountPublicId($resource_owner->getPublicId());
    } else {
        $token->setResourceOwnerPublicId($resource_owner->getPublicId());
    }

    $token->setClientPublicId($client->getPublicId());

    $refresh_token_value = null;
    if (null !== $refresh_token) {
        $refresh_token_value = $refresh_token->getToken();
    }
    $token->setRefreshToken($refresh_token_value);
    $token->setMetadatas($metadatas);

    // Token-type specific parameters are copied over one by one.
    foreach ($token_type_parameters as $parameter_name => $parameter_value) {
        $token->setParameter($parameter_name, $parameter_value);
    }

    // Extension hooks first, then persistence.
    $this->updateAccessToken($token);
    $this->populateAccessToken($token, $client, $resource_owner, $refresh_token, $resource_server);
    $this->saveAccessToken($token);

    return $token;
}
/**
 * Creates, persists and returns a simple-string access token entity.
 *
 * A pre-creation event is dispatched before the entity is built and a
 * post-creation event after it has been flushed, but only when an event
 * dispatcher was injected. The entity class comes from `getClass()`.
 *
 * @param string                          $token         the opaque token string to store
 * @param int                             $expiresAt     expiry timestamp
 * @param ClientInterface                 $client        client the token is issued to
 * @param ResourceOwnerInterface          $resourceOwner owner the token acts for (non-nullable
 *                                                       by its type hint, so the null guard
 *                                                       below is only defensive)
 * @param array                           $scope         granted scope
 * @param BaseRefreshTokenInterface|null  $refresh_token refresh token whose string value is recorded
 *
 * @return \SpomkyLabs\OAuth2ServerBundle\Plugin\SimpleStringAccessTokenPlugin\Model\SimpleStringAccessTokenInterface
 */
protected function addAccessToken($token, $expiresAt, ClientInterface $client, ResourceOwnerInterface $resourceOwner, array $scope = [], BaseRefreshTokenInterface $refresh_token = null)
{
    if (null !== $this->event_dispatcher) {
        $this->event_dispatcher->dispatch(
            Events::OAUTH2_PRE_ACCESS_TOKEN_CREATION,
            new PreAccessTokenCreationEvent($client, $scope, $resourceOwner, $refresh_token)
        );
    }

    $token_class = $this->getClass();
    /** @var \SpomkyLabs\OAuth2ServerBundle\Plugin\SimpleStringAccessTokenPlugin\Model\SimpleStringAccessTokenInterface $access_token */
    $access_token = new $token_class();
    $access_token
        ->setToken($token)
        ->setExpiresAt($expiresAt)
        ->setClientPublicId($client->getPublicId())
        ->setScope($scope);

    if (null !== $resourceOwner) {
        $access_token->setResourceOwnerPublicId($resourceOwner->getPublicId());
    }
    if (null !== $refresh_token) {
        // Only the refresh token's string value is kept on the access token.
        $access_token->setRefreshToken($refresh_token->getToken());
    }

    $this->getEntityManager()->persist($access_token);
    $this->getEntityManager()->flush();

    if (null !== $this->event_dispatcher) {
        $this->event_dispatcher->dispatch(
            Events::OAUTH2_POST_ACCESS_TOKEN_CREATION,
            new PostAccessTokenCreationEvent($access_token)
        );
    }

    return $access_token;
}
/**
 * {@inheritdoc}
 *
 * Flags the refresh token as consumed and persists it through `save()`.
 * Returns `$this` so calls can be chained.
 */
public function markRefreshTokenAsUsed(BaseRefreshTokenInterface $refreshToken)
{
    $refreshToken->setUsed(true);

    $this->save($refreshToken);

    return $this;
}
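/**
 * Tells whether the client that owns a token is considered verified for this request.
 *
 * Two cases:
 *  - An authenticated client was supplied: the token is verified only if it was
 *    issued to that very client (public ids compared with `===`).
 *  - No client authenticated: the token's client is looked up by its public id.
 *    Confidential clients must authenticate, so their tokens are rejected here;
 *    public clients are accepted.
 *
 * Fix: when the lookup does not return a client (unknown or deleted client id —
 * assuming `getClient()` returns null/false in that case rather than throwing; confirm),
 * the token is now rejected. The previous `!$client instanceof ConfidentialClientInterface`
 * evaluated to `true` for a null result, so a token with a dangling client id
 * was treated as belonging to a verified public client.
 *
 * @param \OAuth2\Token\AccessTokenInterface|\OAuth2\Token\RefreshTokenInterface $token
 * @param \OAuth2\Client\ClientInterface|null                                     $client
 *
 * @return bool
 */
private function isClientVerified($token, ClientInterface $client = null)
{
    $token_client_id = $token->getClientPublicId();

    if (null !== $client) {
        // The token must have been issued to the client that authenticated.
        return $token_client_id === $client->getPublicId();
    }

    $owner = $this->getClientManagerSupervisor()->getClient($token_client_id);

    // No resolvable client behind the token: never verified.
    if (!$owner instanceof ClientInterface) {
        return false;
    }

    // Confidential clients must authenticate; only public clients pass unauthenticated.
    return !($owner instanceof ConfidentialClientInterface);
}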
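/**
 * Assembles the claim set of a JWT access token.
 *
 * Claims: `iss`/`aud` from configuration (both must be configured as strings,
 * otherwise a server error is raised), `iat`/`nbf` = now, `exp` = now plus the
 * client's lifetime, `sub` = the client's public id, `sco` = the scope, and
 * optionally `r_o` (resource owner public id) and `ref` (refresh token string).
 *
 * Fix: the clock is read once. The previous version called `time()` three times,
 * so `iat`, `nbf` and the base of `exp` could straddle a second boundary and
 * disagree with each other.
 *
 * NOTE(review): `ref` embeds the raw refresh token value in the payload. If the
 * JWT is only signed and not encrypted, anyone holding the access token can read
 * the refresh token — confirm the token is encrypted or drop this claim.
 *
 * @param \OAuth2\Client\ClientInterface                   $client
 * @param array                                            $scope
 * @param \OAuth2\ResourceOwner\ResourceOwnerInterface|null $resource_owner
 * @param \OAuth2\Token\RefreshTokenInterface|null         $refresh_token
 *
 * @throws \OAuth2\Exception\BaseExceptionInterface when audience or issuer is not configured
 *
 * @return array
 */
protected function preparePayload(ClientInterface $client, array $scope = [], ResourceOwnerInterface $resource_owner = null, RefreshTokenInterface $refresh_token = null)
{
    $configuration = $this->getConfiguration();
    $audience = $configuration->get('jwt_access_token_audience', null);
    $issuer = $configuration->get('jwt_access_token_issuer', null);

    if (!is_string($audience)) {
        throw $this->getExceptionManager()->getException(
            ExceptionManagerInterface::INTERNAL_SERVER_ERROR,
            ExceptionManagerInterface::SERVER_ERROR,
            'The configuration option "jwt_access_token_audience" is not set.'
        );
    }
    if (!is_string($issuer)) {
        throw $this->getExceptionManager()->getException(
            ExceptionManagerInterface::INTERNAL_SERVER_ERROR,
            ExceptionManagerInterface::SERVER_ERROR,
            'The configuration option "jwt_access_token_issuer" is not set.'
        );
    }

    // Single clock read so the time-based claims are consistent with each other.
    $now = time();

    $payload = [
        'iss' => $issuer,
        'aud' => $audience,
        'iat' => $now,
        'nbf' => $now,
        'exp' => $now + $this->getLifetime($client),
        'sub' => $client->getPublicId(),
        'sco' => $scope,
    ];

    if (null !== $resource_owner) {
        $payload['r_o'] = $resource_owner->getPublicId();
    }
    if (null !== $refresh_token) {
        $payload['ref'] = $refresh_token->getToken();
    }

    return $payload;
}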