public function validateRequest(RequestInterface $request, ResponseInterface $response) { if (!$request->request('code')) { $response->setError(400, 'invalid_request', 'Missing parameter: "code" is required'); return false; } $code = $request->request('code'); if (!($authCode = $this->storage->getAuthorizationCode($code))) { $response->setError(400, 'invalid_grant', 'Authorization code doesn\'t exist or is invalid for the client'); return false; } /* * 4.1.3 - ensure that the "redirect_uri" parameter is present if the "redirect_uri" parameter was included in the initial authorization request * @uri - http://tools.ietf.org/html/rfc6749#section-4.1.3 */ if (isset($authCode['redirect_uri']) && $authCode['redirect_uri']) { if (!$request->request('redirect_uri') || urldecode($request->request('redirect_uri')) != $authCode['redirect_uri']) { $response->setError(400, 'redirect_uri_mismatch', "The redirect URI is missing or do not match", "#section-4.1.3"); return false; } } if (!isset($authCode['expires'])) { throw new Exception('Storage must return authcode with a value for "expires"'); } if ($authCode["expires"] < time()) { $response->setError(400, 'invalid_grant', "The authorization code has expired"); return false; } if (!isset($authCode['code'])) { $authCode['code'] = $code; // used to expire the code after the access token is granted } $this->authCode = $authCode; return true; }
/** * Grant or deny a requested access token. * This would be called from the "/token" endpoint as defined in the spec. * You can call your endpoint whatever you want. * * @param $request - RequestInterface * Request object to grant access token * * @throws InvalidArgumentException * @throws LogicException * * @see http://tools.ietf.org/html/rfc6749#section-4 * @see http://tools.ietf.org/html/rfc6749#section-10.6 * @see http://tools.ietf.org/html/rfc6749#section-4.1.3 * * @ingroup oauth2_section_4 */ public function grantAccessToken(RequestInterface $request, ResponseInterface $response) { if (strtolower($request->server('REQUEST_METHOD')) != 'post') { $response->setError(405, 'invalid_request', 'The request method must be POST when requesting an access token', '#section-3.2'); $response->addHttpHeaders(array('Allow' => 'POST')); return null; } /* Determine grant type from request * and validate the request for that grant type */ if (!($grantTypeIdentifier = $request->request('grant_type'))) { $response->setError(400, 'invalid_request', 'The grant type was not specified in the request'); return null; } if (!isset($this->grantTypes[$grantTypeIdentifier])) { /* TODO: If this is an OAuth2 supported grant type that we have chosen not to implement, throw a 501 Not Implemented instead */ $response->setError(400, 'unsupported_grant_type', sprintf('Grant type "%s" not supported', $grantTypeIdentifier)); return null; } $grantType = $this->grantTypes[$grantTypeIdentifier]; if (!$grantType->validateRequest($request, $response)) { return null; } /* Retrieve the client information from the request * ClientAssertionTypes allow for grant types which also assert the client data * in which case ClientAssertion is handled in the validateRequest method * * @see OAuth2\GrantType\JWTBearer * @see OAuth2\GrantType\ClientCredentials */ if ($grantType instanceof ClientAssertionTypeInterface) { $clientId = $grantType->getClientId(); } else { if (!$this->clientAssertionType->validateRequest($request, $response)) { return null; } $clientId = $this->clientAssertionType->getClientId(); // validate the Client ID (if applicable) if (!is_null($storedClientId = $grantType->getClientId()) && $storedClientId != $clientId) { $response->setError(400, 'invalid_grant', sprintf('%s doesn\'t exist or is invalid for the client', $grantTypeIdentifier)); return null; } } /* * Validate the scope of the token * If the grant type returns a value for the scope, * this value must be verified with the scope being requested */ $availableScope = $grantType->getScope(); if (!($requestedScope = $this->scopeUtil->getScopeFromRequest($request))) { $requestedScope = $availableScope ? $availableScope : $this->scopeUtil->getDefaultScope(); } if ($requestedScope && !$this->scopeUtil->scopeExists($requestedScope, $clientId) || $availableScope && !$this->scopeUtil->checkScope($requestedScope, $availableScope)) { $response->setError(400, 'invalid_scope', 'An unsupported scope was requested'); return null; } return $grantType->createAccessToken($this->accessToken, $clientId, $grantType->getUserId(), $requestedScope); }
/** * This is a convenience function that can be used to get the token, which can then * be passed to getAccessTokenData(). The constraints specified by the draft are * attempted to be adheared to in this method. * * As per the Bearer spec (draft 8, section 2) - there are three ways for a client * to specify the bearer token, in order of preference: Authorization Header, * POST and GET. * * NB: Resource servers MUST accept tokens via the Authorization scheme * (http://tools.ietf.org/html/rfc6750#section-2). * * @todo Should we enforce TLS/SSL in this function? * * @see http://tools.ietf.org/html/rfc6750#section-2.1 * @see http://tools.ietf.org/html/rfc6750#section-2.2 * @see http://tools.ietf.org/html/rfc6750#section-2.3 * * Old Android version bug (at least with version 2.2) * @see http://code.google.com/p/android/issues/detail?id=6684 * */ public function getAccessTokenParameter(RequestInterface $request, ResponseInterface $response) { $headers = $request->headers('AUTHORIZATION'); // echo ($headers."bearer"); /** * Ensure more than one method is not used for including an * access token * * @see http://tools.ietf.org/html/rfc6750#section-3.1 */ $methodsUsed = !empty($headers) + (bool) $request->query($this->config['token_param_name']) + (bool) $request->request($this->config['token_param_name']); // echo ($methodsUsed); // echo ("<br>".$this->config['token_param_name']."<br>"); if ($methodsUsed > 1) { $response->setError(400, 'invalid_request', 'Only one method may be used to authenticate at a time (Auth header, GET or POST)'); return null; } /** * If no authentication is provided, set the status code * to 401 and return no other error information * * @see http://tools.ietf.org/html/rfc6750#section-3.1 */ if ($methodsUsed == 0) { $response->setStatusCode(401); // echo ("no auth"); return null; } // HEADER: Get the access token from the header if (!empty($headers)) { if (!preg_match('/' . $this->config['token_bearer_header_name'] . '\\s(\\S+)/i', $headers, $matches)) { $response->setError(400, 'invalid_request', 'Malformed auth header'); return null; } return $matches[1]; } if ($request->request($this->config['token_param_name'])) { // // POST: Get the token from POST data if (!in_array(strtolower($request->server('REQUEST_METHOD')), array('post', 'put'))) { $response->setError(400, 'invalid_request', 'When putting the token in the body, the method must be POST or PUT', '#section-2.2'); return null; } $contentType = $request->server('CONTENT_TYPE'); if (false !== ($pos = strpos($contentType, ';'))) { $contentType = substr($contentType, 0, $pos); } if ($contentType !== null && $contentType != 'application/x-www-form-urlencoded') { // IETF specifies content-type. NB: Not all webservers populate this _SERVER variable // @see http://tools.ietf.org/html/rfc6750#section-2.2 $response->setError(400, 'invalid_request', 'The content type for POST requests must be "application/x-www-form-urlencoded"'); return null; } return $request->request($this->config['token_param_name']); } // GET method return $request->query($this->config['token_param_name']); }
/** * This is a convenience function that can be used to get the token, which can then * be passed to getAccessTokenData(). The constraints specified by the draft are * attempted to be adheared to in this method. * * As per the Bearer spec (draft 8, section 2) - there are three ways for a client * to specify the bearer token, in order of preference: Authorization Header, * POST and GET. * * NB: Resource servers MUST accept tokens via the Authorization scheme * (http://tools.ietf.org/html/rfc6750#section-2). * * @todo Should we enforce TLS/SSL in this function? * * @see http://tools.ietf.org/html/rfc6750#section-2.1 * @see http://tools.ietf.org/html/rfc6750#section-2.2 * @see http://tools.ietf.org/html/rfc6750#section-2.3 * * Old Android version bug (at least with version 2.2) * @see http://code.google.com/p/android/issues/detail?id=6684 * */ public function getAccessTokenParameter(RequestInterface $request, ResponseInterface $response) { $headers = $request->headers('AUTHORIZATION'); // Check that exactly one method was used $methodsUsed = !empty($headers) + !is_null($request->query($this->config['token_param_name'])) + !is_null($request->request($this->config['token_param_name'])); if ($methodsUsed > 1) { $response->setError(400, 'invalid_request', 'Only one method may be used to authenticate at a time (Auth header, GET or POST)'); return null; } if ($methodsUsed == 0) { $response->setStatusCode(401); return null; } // HEADER: Get the access token from the header if (!empty($headers)) { if (!preg_match('/' . $this->config['token_bearer_header_name'] . '\\s(\\S+)/', $headers, $matches)) { $response->setError(400, 'invalid_request', 'Malformed auth header'); return null; } return $matches[1]; } if ($request->request($this->config['token_param_name'])) { // POST: Get the token from POST data if (strtolower($request->server('REQUEST_METHOD')) != 'post') { $response->setError(400, 'invalid_request', 'When putting the token in the body, the method must be POST'); return null; } $contentType = $request->server('CONTENT_TYPE'); if (false !== ($pos = strpos($contentType, ';'))) { $contentType = substr($contentType, 0, $pos); } LogMessage($request->request('upload_image')); LogMessage($contentType); if (!$request->files['Filedata']) { if ($contentType !== null && $contentType != 'application/x-www-form-urlencoded') { // IETF specifies content-type. NB: Not all webservers populate this _SERVER variable // @see http://tools.ietf.org/html/rfc6750#section-2.2 $response->setError(400, 'invalid_request', 'The content type for POST requests must be "application/x-www-form-urlencoded"'); return null; } } return $request->request($this->config['token_param_name']); } // GET method return $request->query($this->config['token_param_name']); }
public function validateRequest(RequestInterface $request, ResponseInterface $response) { if (!$request->request('client_id')) { $response->setError(400, 'invalid_request', 'Missing parameter: "client_id" is required'); return false; } /* * Ensure that the client_id existed */ $client_id = $request->request('client_id'); if (!($client = $this->storage->getClientDetails($client_id))) { $response->setError(400, 'invalid_client', 'The client id supplied is invalid'); return false; } $this->client = $client; return true; }
public function validateRequest(RequestInterface $request, ResponseInterface $response) { if (!$this->_adapter->checkUserCredentials($request->request('identity'), $request->request('token'))) { $response->setError(401, 'invalid_grant', 'Invalid identity and token combination'); return null; } $userInfo = $this->_adapter->getUserDetails($request->request('identity')); if (empty($userInfo)) { $response->setError(400, 'invalid_grant', 'Unable to retrieve user information'); return null; } if (!isset($userInfo['user_id'])) { throw new \LogicException("You must set the user_id on the array returned by getUserDetails"); } $this->_userInfo = $userInfo; return true; }
public function validateRequest(RequestInterface $request, ResponseInterface $response) { if (!$request->request("refresh_token")) { $response->setError(400, 'invalid_request', 'Missing parameter: "refresh_token" is required'); return null; } if (!($refreshToken = $this->storage->getRefreshToken($request->request("refresh_token")))) { $response->setError(400, 'invalid_grant', 'Invalid refresh token'); return null; } if ($refreshToken['expires'] > 0 && $refreshToken["expires"] < time()) { $response->setError(400, 'invalid_grant', 'Refresh token has expired'); return null; } // store the refresh token locally so we can delete it when a new refresh token is generated $this->refreshToken = $refreshToken; return true; }
public function validateRequest(RequestInterface $request, ResponseInterface $response) { $identifier = $this->getQuerystringIdentifier(); if (!$request->request($identifier)) { $response->setError(400, 'invalid_request', 'Missing parameters: "' . $identifier . '" required'); return null; } $fb_app_id = Config::get('api-foundation::fb_app_id'); $fb_app_secret = Config::get('api-foundation::fb_app_secret'); if (empty($fb_app_id)) { throw new \LogicException('Facebook APP ID not set.'); } if (empty($fb_app_secret)) { throw new \LogicException('Facebook APP SECRET not set.'); } FacebookSession::setDefaultApplication($fb_app_id, $fb_app_secret); try { $session = new FacebookSession($request->request($identifier)); } catch (FacebookRequestException $e) { $response->setError(401, 'invalid_grant', $e->getMessage()); return null; } catch (\Exception $e) { $response->setError(401, 'invalid_grant', $e->getMessage()); return null; } if (!empty($session)) { try { $user_profile = (new FacebookRequest($session, 'GET', '/me'))->execute()->getGraphObject(GraphUser::className()); $email = $user_profile->getProperty('email'); if (empty($email)) { $response->setError(400, 'invalid_request', "User's email address not available."); return null; } else { $userInfo = $this->storage->getUserInfoByFacebookId($user_profile->getId()); if (empty($userInfo)) { $this->storage->createFacebookUser($user_profile); $userInfo = $this->storage->getUserInfoByFacebookId($user_profile->getId()); } } } catch (FacebookRequestException $e) { $response->setError(401, 'invalid_grant', $e->getMessage()); return null; } } else { $response->setError(401, 'invalid_grant', 'Facebook session could not be set with supplied access token.'); return null; } if (empty($userInfo)) { $response->setError(400, 'invalid_grant', 'Unable to retrieve user information.'); return null; } if (!isset($userInfo['user_id'])) { throw new \LogicException("You must set the user_id on the array."); } $this->userInfo = $userInfo; return true; }
public function validateRequest(RequestInterface $request, ResponseInterface $response) { $token = $request->request("token"); if (!$token) { $response->setError(400, 'invalid_request', 'Missing parameter: "token" is required'); return null; } $socialUser = $this->getTokenInfo($token); if (!$socialUser) { $response->setError(401, 'invalid_grant', 'Invalid or expired token'); return null; } $user_id = $this->getLocalUser($socialUser); if (!$user_id) { $response->setError(401, 'invalid_grant', 'Unable to identify or create user'); return null; } $this->userInfo = ['user_id' => $user_id]; return true; }
public function validateRequest(RequestInterface $request, ResponseInterface $response) { if (!$request->request("user_id") || !$request->request("provider") || !$request->request("provider_id") || !$request->request("provider_access_token")) { $response->setError(400, 'invalid_request', 'Missing parameters: "username" and "provider" and "provider_id" and "access_token" required'); return null; } if (!$this->storage->getUserProviderAccessToken($request->request("provider"), $request->request("provider_id"), $request->request("user_id"))) { return null; } $userInfo = $this->storage->getUser($request->request("user_id")); if (empty($userInfo)) { $response->setError(400, 'invalid_grant', 'Unable to retrieve user information'); return null; } if (!isset($userInfo['user_id'])) { throw new \LogicException("you must set the user_id on the array returned by getUserDetails"); } $this->userInfo = $userInfo; return true; }
public function validateRequest(\OAuth2\RequestInterface $request, \OAuth2\ResponseInterface $response) { if (!$request->request('authkey') || !$request->request('username')) { $response->setError(400, 'invalid_request', 'Missing parameters: "authkey" and "username" required'); return null; } if (!$this->userStorage->findIdentityByAccessToken($request->request('authkey'))) { $response->setError(401, 'invalid_grant', 'Invalid user authkey'); return null; } $userInfo = $this->userStorage->getUserDetails($request->request('username')); if (empty($userInfo)) { $response->setError(400, 'invalid_grant', 'Unable to retrieve user information'); return null; } if (!isset($userInfo['user_id'])) { throw new \LogicException('you must set the user_id on the array returned by getUserDetails'); } $this->userInfo = $userInfo; return parent::validateRequest($request, $response); }
public function validateRequest(RequestInterface $request, ResponseInterface $response) { if (!$request->request("password") || !$request->request("username")) { $response->setError(400, 'invalid_request', 'Missing parameters: "username" and "password" required'); return null; } if (!$this->storage->checkUserCredentials($request->request("username"), $request->request("password"))) { $response->setError(401, 'invalid_grant', 'Invalid username and password combination'); return null; } $userInfo = $this->storage->getUserDetails($request->request("username")); if (empty($userInfo)) { $response->setError(400, 'invalid_grant', 'Unable to retrieve user information'); return null; } if (!isset($userInfo['user_id'])) { throw new \LogicException("you must set the user_id on the array returned by getUserDetails"); } $this->userInfo = $userInfo; return true; }
public function getAccessTokenParameter(RequestInterface $request, ResponseInterface $response) { $headers = $request->headers('AUTHORIZATION'); $methodsUsed = !empty($headers) + (bool) $request->query($this->config['token_param_name']) + (bool) $request->request($this->config['token_param_name']); if ($methodsUsed > 1) { $response->setError(400, 'invalid_request', 'Only one method may be used to authenticate at a time (Auth header, GET or POST)'); return null; } if ($methodsUsed == 0) { $response->setStatusCode(401); return null; } // HEADER: Get the access token from the header if (!empty($headers)) { if (!preg_match('/' . $this->config['token_bearer_header_name'] . '\\s(\\S+)/i', $headers, $matches)) { $response->setError(400, 'invalid_request', 'Malformed auth header'); return null; } return $matches[1]; } if ($request->request($this->config['token_param_name'])) { // // POST: Get the token from POST data if (!in_array(strtolower($request->server('REQUEST_METHOD')), array('post', 'put'))) { $response->setError(400, 'invalid_request', 'When putting the token in the body, the method must be POST or PUT', '#section-2.2'); return null; } $contentType = $request->server('CONTENT_TYPE'); if (false !== ($pos = strpos($contentType, ';'))) { $contentType = substr($contentType, 0, $pos); } if ($contentType !== null && $contentType != 'application/x-www-form-urlencoded') { $response->setError(400, 'invalid_request', 'The content type for POST requests must be "application/x-www-form-urlencoded"'); return null; } return $request->request($this->config['token_param_name']); } return $request->query($this->config['token_param_name']); }
public function validateRequest(RequestInterface $request, ResponseInterface $response) { if (!$request->request('client_id')) { $response->setError(400, 'invalid_request', 'Missing parameter: "client_id" is required'); return false; } if (!$request->request('code')) { $response->setError(400, 'invalid_request', 'Missing parameter: "code" is required'); return false; } /* * Ensure that the device code exists */ $client_id = $request->request('client_id'); $code = $request->request('code'); if (!($deviceCode = $this->storage->getDeviceCode($code, $client_id))) { $response->setError(400, 'bad_verification_code', 'Bad verification code'); return false; } /* * Verify expiration */ if ($deviceCode["expires"] < time()) { $response->setError(400, 'code_expired', "The authorization code has expired"); return false; } /* * Ensure that the user confirmed this code */ if (!$deviceCode['user_id']) { $response->setError(400, 'authorization_pending', ''); return false; } $this->deviceCode = $deviceCode; return true; }
public function validateRequest(RequestInterface $request, ResponseInterface $response) { $identifier = $this->getQuerystringIdentifier(); if (!$request->request($identifier)) { $response->setError(400, 'invalid_request', 'Missing parameters: "' . $identifier . '" required'); return null; } $gplus_server_code = $request->request($identifier); try { $this->google_client->authenticate($gplus_server_code); $token_data = json_decode($this->google_client->getAccessToken()); $gplus_access_token = $token_data->access_token; $token_service = new Google_Service_Oauth2($this->google_client); $token_info = $token_service->tokeninfo(array('access_token' => $gplus_access_token)); if ($token_info->getAudience() != \Config::get('api-foundation::gplus_client_id')) { $response->setError(400, 'invalid_request', "Google+ access token audience does not match."); return null; } $gplus_id = $token_info->getUserId(); $email = $token_info->getEmail(); if (empty($email)) { $response->setError(400, 'invalid_request', "User's Google+ email addresses are not available."); return null; } if (empty($gplus_id)) { $response->setError(400, 'invalid_request', "User's Google+ id not available."); return null; } $userInfo = $this->storage->getUserInfoByGPlusId($gplus_id); if (empty($userInfo)) { $gplus_user = GPlusUserFromGPlusAccessToken::make($this->google_client, $gplus_access_token); $this->storage->createGPlusUser($gplus_user, $token_info); $userInfo = $this->storage->getUserInfoByGPlusId($gplus_id); } } catch (\Google_Service_Exception $e) { $response->setError($e->getCode(), 'invalid_request', "Google Plus server code is invalid."); return null; } catch (\Google_Auth_Exception $e) { $response->setError($e->getCode(), 'invalid_request', "Google Plus server code is invalid."); return null; } if (empty($userInfo)) { $response->setError(400, 'invalid_grant', 'Unable to retrieve user information.'); return null; } if (!isset($userInfo['user_id'])) { throw new \LogicException("You must set the user_id on the array."); } $this->userInfo = $userInfo; return true; }
public function getClientCredentials(RequestInterface $request, ResponseInterface $response = null) { if (!is_null($request->headers('PHP_AUTH_USER')) && !is_null($request->headers('PHP_AUTH_PW'))) { return array('client_id' => $request->headers('PHP_AUTH_USER'), 'client_secret' => $request->headers('PHP_AUTH_PW')); } if ($this->config['allow_credentials_in_request_body']) { // Using POST for HttpBasic authorization is not recommended, but is supported by specification if (!is_null($request->request('client_id'))) { return array('client_id' => $request->request('client_id'), 'client_secret' => $request->request('client_secret')); } } if ($response) { $message = $this->config['allow_credentials_in_request_body'] ? ' or body' : ''; $response->setError(400, 'invalid_client', 'Client credentials were not found in the headers' . $message); } return null; }
/** * Internal function used to get the client credentials from HTTP basic * auth or POST data. * * According to the spec (draft 20), the client_id can be provided in * the Basic Authorization header (recommended) or via GET/POST. * * @return * A list containing the client identifier and password, for example * @code * return array( * "client_id" => CLIENT_ID, // REQUIRED the client id * "client_secret" => CLIENT_SECRET, // REQUIRED the client secret * ); * @endcode * * @link http://tools.ietf.org/html/rfc6749#section-2.3.1 * * @ingroup oauth2_section_2 */ public function getClientCredentials(RequestInterface $request, ResponseInterface $response = null) { if (!is_null($request->headers('PHP_AUTH_USER')) && !is_null($request->headers('PHP_AUTH_PW'))) { return array('client_id' => $request->headers('PHP_AUTH_USER'), 'client_secret' => $request->headers('PHP_AUTH_PW')); } if ($this->config['allow_credentials_in_request_body']) { // Using POST for HttpBasic authorization is not recommended, but is supported by specification if (!is_null($request->request('client_id'))) { /** * client_secret can be null if the client's password is an empty string * @link http://tools.ietf.org/html/rfc6749#section-2.3.1 */ return array('client_id' => $request->request('client_id'), 'client_secret' => $request->request('client_secret', '')); } } if ($response) { $response->setError(400, 'invalid_client', 'Client credentials were not found in the headers or body'); } return null; }
public function grantAccessToken(RequestInterface $request, ResponseInterface $response) { if (strtolower($request->server('REQUEST_METHOD')) != 'post') { $response->setError(405, 'invalid_request', 'The request method must be POST when requesting an access token', '#section-3.2'); $response->addHttpHeaders(array('Allow' => 'POST')); return null; } if (!($grantTypeIdentifier = $request->request('grant_type'))) { $response->setError(400, 'invalid_request', 'The grant type was not specified in the request'); return null; } if (!isset($this->grantTypes[$grantTypeIdentifier])) { $response->setError(400, 'unsupported_grant_type', sprintf('Grant type "%s" not supported', $grantTypeIdentifier)); return null; } $grantType = $this->grantTypes[$grantTypeIdentifier]; if (!$grantType instanceof ClientAssertionTypeInterface) { if (!$this->clientAssertionType->validateRequest($request, $response)) { return null; } $clientId = $this->clientAssertionType->getClientId(); } if (!$grantType->validateRequest($request, $response)) { return null; } if ($grantType instanceof ClientAssertionTypeInterface) { $clientId = $grantType->getClientId(); } else { // validate the Client ID (if applicable) if (!is_null($storedClientId = $grantType->getClientId()) && $storedClientId != $clientId) { $response->setError(400, 'invalid_grant', sprintf('%s doesn\'t exist or is invalid for the client', $grantTypeIdentifier)); return null; } } /** * Validate the client can use the requested grant type */ if (!$this->clientStorage->checkRestrictedGrantType($clientId, $grantTypeIdentifier)) { $response->setError(400, 'unauthorized_client', 'The grant type is unauthorized for this client_id'); return false; } $requestedScope = $this->scopeUtil->getScopeFromRequest($request); $availableScope = $grantType->getScope(); if ($requestedScope) { // validate the requested scope if ($availableScope) { if (!$this->scopeUtil->checkScope($requestedScope, $availableScope)) { $response->setError(400, 'invalid_scope', 'The scope requested is invalid for this request'); return null; } } else { // validate the client has access to this scope if ($clientScope = $this->clientStorage->getClientScope($clientId)) { if (!$this->scopeUtil->checkScope($requestedScope, $clientScope)) { $response->setError(400, 'invalid_scope', 'The scope requested is invalid for this client'); return false; } } elseif (!$this->scopeUtil->scopeExists($requestedScope)) { $response->setError(400, 'invalid_scope', 'An unsupported scope was requested'); return null; } } } elseif ($availableScope) { // use the scope associated with this grant type $requestedScope = $availableScope; } else { // use a globally-defined default scope $defaultScope = $this->scopeUtil->getDefaultScope($clientId); // "false" means default scopes are not allowed if (false === $defaultScope) { $response->setError(400, 'invalid_scope', 'This application requires you specify a scope parameter'); return null; } $requestedScope = $defaultScope; } return $grantType->createAccessToken($this->accessToken, $clientId, $grantType->getUserId(), $requestedScope); }
/** * Validate request via session data * * This is used for internal requests via ajax * * @param object $request Request object * @param object $response Response object * @return bool Result of auth */ public function validateRequest(RequestInterface $request, ResponseInterface $response) { // ensure we have needed params if (!$request->request("password") || !$request->request("username")) { $response->setError(400, 'invalid_request', 'Missing parameters: "username" and "password" required'); return null; } // check username/password if (!$this->storage->checkUserCredentials($request->request("username"), $request->request("password"))) { $response->setError(401, 'invalid_grant', 'Invalid username and password combination'); return null; } // get user details by username $userInfo = $this->storage->getUserDetails($request->request("username")); // make sure we got an array of user details if (empty($userInfo)) { $response->setError(400, 'invalid_grant', 'Unable to retrieve user information'); return null; } // if not set, something went wrong if (!isset($userInfo['user_id'])) { throw new \LogicException("you must set the user_id on the array returned by getUserDetails"); } // set our userinfo for later use $this->userInfo = $userInfo; // return sucess return true; }
/** * Grant or deny a requested access token. * This would be called from the "/token" endpoint as defined in the spec. * You can call your endpoint whatever you want. * * @param $request - RequestInterface * Request object to grant access token * * @throws InvalidArgumentException * @throws LogicException * * @see http://tools.ietf.org/html/rfc6749#section-4 * @see http://tools.ietf.org/html/rfc6749#section-10.6 * @see http://tools.ietf.org/html/rfc6749#section-4.1.3 * * @ingroup oauth2_section_4 */ public function grantAccessToken(RequestInterface $request, ResponseInterface $response) { if (strtolower($request->server('REQUEST_METHOD')) != 'post') { $response->setError(405, 'invalid_request', 'The request method must be POST when requesting an access token', '#section-3.2'); $response->addHttpHeaders(array('Allow' => 'POST')); return null; } /** * Determine grant type from request * and validate the request for that grant type */ if (!($grantTypeIdentifier = $request->request('grant_type'))) { $response->setError(400, 'invalid_request', 'The grant type was not specified in the request'); return null; } if (!isset($this->grantTypes[$grantTypeIdentifier])) { /* TODO: If this is an OAuth2 supported grant type that we have chosen not to implement, throw a 501 Not Implemented instead */ $response->setError(400, 'unsupported_grant_type', sprintf('Grant type "%s" not supported', $grantTypeIdentifier)); return null; } $grantType = $this->grantTypes[$grantTypeIdentifier]; /** * Retrieve the client information from the request * ClientAssertionTypes allow for grant types which also assert the client data * in which case ClientAssertion is handled in the validateRequest method * * @see OAuth2\GrantType\JWTBearer * @see OAuth2\GrantType\ClientCredentials */ if (!$grantType instanceof ClientAssertionTypeInterface) { if (!$this->clientAssertionType->validateRequest($request, $response)) { return null; } $clientId = $this->clientAssertionType->getClientId(); } /** * Retrieve the grant type information from the request * The GrantTypeInterface object handles all validation * If the object is an instance of ClientAssertionTypeInterface, * That logic is handled here as well */ if (!$grantType->validateRequest($request, $response)) { return null; } if ($grantType instanceof ClientAssertionTypeInterface) { $clientId = $grantType->getClientId(); } else { // validate the Client ID (if applicable) if (!is_null($storedClientId = $grantType->getClientId()) && $storedClientId != $clientId) { $response->setError(400, 'invalid_grant', sprintf('%s doesn\'t exist or is invalid for the client', $grantTypeIdentifier)); return null; } } /** * Validate the client can use the requested grant type */ if (!$this->clientStorage->checkRestrictedGrantType($clientId, $grantTypeIdentifier)) { $response->setError(400, 'unauthorized_client', 'The grant type is unauthorized for this client_id'); return false; } /** * Validate the scope of the token * * requestedScope - the scope specified in the token request * availableScope - the scope associated with the grant type * ex: in the case of the "Authorization Code" grant type, * the scope is specified in the authorize request * * @see http://tools.ietf.org/html/rfc6749#section-3.3 */ $requestedScope = $this->scopeUtil->getScopeFromRequest($request); $availableScope = $grantType->getScope(); if ($requestedScope) { // validate the requested scope if ($availableScope) { if (!$this->scopeUtil->checkScope($requestedScope, $availableScope)) { $response->setError(400, 'invalid_scope', 'The scope requested is invalid for this request'); return null; } } else { // validate the client has access to this scope if ($clientScope = $this->clientStorage->getClientScope($clientId)) { if (!$this->scopeUtil->checkScope($requestedScope, $clientScope)) { $response->setError(400, 'invalid_scope', 'The scope requested is invalid for this client'); return false; } } elseif (!$this->scopeUtil->scopeExists($requestedScope)) { $response->setError(400, 'invalid_scope', 'An unsupported scope was requested'); return null; } } } elseif ($availableScope) { // use the scope associated with this grant type $requestedScope = $availableScope; } else { // use a globally-defined default scope $defaultScope = $this->scopeUtil->getDefaultScope($clientId); // "false" means default scopes are not allowed if (false === $defaultScope) { $response->setError(400, 'invalid_scope', 'This application requires you specify a scope parameter'); return null; } $requestedScope = $defaultScope; } return $grantType->createAccessToken($this->accessToken, $clientId, $grantType->getUserId(), $requestedScope); }
public function validateAuthorizeRequest(RequestInterface $request, ResponseInterface $response) { // Make sure a valid client id was supplied (we can not redirect because we were unable to verify the URI) if (!($client_id = $request->query('client_id', $request->request('client_id')))) { // We don't have a good URI to use $response->setError(400, 'invalid_client', "No client id supplied"); return false; } // Get client details if (!($clientData = $this->clientStorage->getClientDetails($client_id))) { $response->setError(400, 'invalid_client', 'The client id supplied is invalid'); return false; } $registered_redirect_uri = isset($clientData['redirect_uri']) ? $clientData['redirect_uri'] : ''; // Make sure a valid redirect_uri was supplied. If specified, it must match the clientData URI. // @see http://tools.ietf.org/html/rfc6749#section-3.1.2 // @see http://tools.ietf.org/html/rfc6749#section-4.1.2.1 // @see http://tools.ietf.org/html/rfc6749#section-4.2.2.1 if ($supplied_redirect_uri = $request->query('redirect_uri', $request->request('redirect_uri'))) { // validate there is no fragment supplied $parts = parse_url($supplied_redirect_uri); if (isset($parts['fragment']) && $parts['fragment']) { $response->setError(400, 'invalid_uri', 'The redirect URI must not contain a fragment'); return false; } // validate against the registered redirect uri(s) if available if ($registered_redirect_uri && !$this->validateRedirectUri($supplied_redirect_uri, $registered_redirect_uri)) { $response->setError(400, 'redirect_uri_mismatch', 'The redirect URI provided is missing or does not match', '#section-3.1.2'); return false; } $redirect_uri = $supplied_redirect_uri; } else { // use the registered redirect_uri if none has been supplied, if possible if (!$registered_redirect_uri) { $response->setError(400, 'invalid_uri', 'No redirect URI was supplied or stored'); return false; } if (count(explode(' ', $registered_redirect_uri)) > 1) { $response->setError(400, 'invalid_uri', 'A redirect URI must be supplied when multiple redirect URIs are registered', '#section-3.1.2.3'); return false; } $redirect_uri = $registered_redirect_uri; } // Select the redirect URI $response_type = $request->query('response_type', $request->request('response_type')); // for multiple-valued response types - make them alphabetical if (false !== strpos($response_type, ' ')) { $types = explode(' ', $response_type); sort($types); $response_type = ltrim(implode(' ', $types)); } $state = $request->query('state', $request->request('state')); // type and client_id are required if (!$response_type || !in_array($response_type, $this->getValidResponseTypes())) { $response->setRedirect($this->config['redirect_status_code'], $redirect_uri, $state, 'invalid_request', 'Invalid or missing response type', null); return false; } if ($response_type == self::RESPONSE_TYPE_AUTHORIZATION_CODE) { if (!isset($this->responseTypes['code'])) { $response->setRedirect($this->config['redirect_status_code'], $redirect_uri, $state, 'unsupported_response_type', 'authorization code grant type not supported', null); return false; } if (!$this->clientStorage->checkRestrictedGrantType($client_id, 'authorization_code')) { $response->setRedirect($this->config['redirect_status_code'], $redirect_uri, $state, 'unauthorized_client', 'The grant type is unauthorized for this client_id', null); return false; } if ($this->responseTypes['code']->enforceRedirect() && !$redirect_uri) { $response->setError(400, 'redirect_uri_mismatch', 'The redirect URI is mandatory and was not supplied'); return false; } } else { if (!$this->config['allow_implicit']) { $response->setRedirect($this->config['redirect_status_code'], $redirect_uri, $state, 'unsupported_response_type', 'implicit grant type not supported', null); return false; } if (!$this->clientStorage->checkRestrictedGrantType($client_id, 'implicit')) { $response->setRedirect($this->config['redirect_status_code'], $redirect_uri, $state, 'unauthorized_client', 'The grant type is unauthorized for this client_id', null); return false; } } // validate requested scope if it exists $requestedScope = $this->scopeUtil->getScopeFromRequest($request); if ($requestedScope) { // restrict scope by client specific scope if applicable, // otherwise verify the scope exists $clientScope = $this->clientStorage->getClientScope($client_id); if (is_null($clientScope) && !$this->scopeUtil->scopeExists($requestedScope) || $clientScope && !$this->scopeUtil->checkScope($requestedScope, $clientScope)) { $response->setRedirect($this->config['redirect_status_code'], $redirect_uri, $state, 'invalid_scope', 'An unsupported scope was requested', null); return false; } } else { // use a globally-defined default scope $defaultScope = $this->scopeUtil->getDefaultScope($client_id); if (false === $defaultScope) { $response->setRedirect($this->config['redirect_status_code'], $redirect_uri, $state, 'invalid_client', 'This application requires you specify a scope parameter', null); return false; } $requestedScope = $defaultScope; } // Validate state parameter exists (if configured to enforce this) if ($this->config['enforce_state'] && !$state) { $response->setRedirect($this->config['redirect_status_code'], $redirect_uri, null, 'invalid_request', 'The state parameter is required'); return false; } // save the input data and return true $this->scope = $requestedScope; $this->state = $state; $this->client_id = $client_id; // Only save the SUPPLIED redirect URI (@see http://tools.ietf.org/html/rfc6749#section-4.1.3) $this->redirect_uri = $supplied_redirect_uri; $this->response_type = $response_type; return true; }
/** * Validates the data from the decoded JWT. * * @return * TRUE if the JWT request is valid and can be decoded. Otherwise, FALSE is returned. * * @see OAuth2\GrantType\GrantTypeInterface::getTokenData() */ public function validateRequest(RequestInterface $request, ResponseInterface $response) { if (!$request->request("assertion")) { $response->setError(400, 'invalid_request', 'Missing parameters: "assertion" required'); return null; } // Store the undecoded JWT for later use $undecodedJWT = $request->request('assertion'); // Decode the JWT $jwt = $this->jwtUtil->decode($request->request('assertion'), null, false); if (!$jwt) { $response->setError(400, 'invalid_request', "JWT is malformed"); return null; } // ensure these properties contain a value // @todo: throw malformed error for missing properties $jwt = array_merge(array('scope' => null, 'iss' => null, 'sub' => null, 'aud' => null, 'exp' => null, 'nbf' => null, 'iat' => null, 'jti' => null, 'typ' => null), $jwt); if (!isset($jwt['iss'])) { $response->setError(400, 'invalid_grant', "Invalid issuer (iss) provided"); return null; } if (!isset($jwt['sub'])) { $response->setError(400, 'invalid_grant', "Invalid subject (sub) provided"); return null; } if (!isset($jwt['exp'])) { $response->setError(400, 'invalid_grant', "Expiration (exp) time must be present"); return null; } // Check expiration if (ctype_digit($jwt['exp'])) { if ($jwt['exp'] <= time()) { $response->setError(400, 'invalid_grant', "JWT has expired"); return null; } } else { $response->setError(400, 'invalid_grant', "Expiration (exp) time must be a unix time stamp"); return null; } // Check the not before time if ($notBefore = $jwt['nbf']) { if (ctype_digit($notBefore)) { if ($notBefore > time()) { $response->setError(400, 'invalid_grant', "JWT cannot be used before the Not Before (nbf) time"); return null; } } else { $response->setError(400, 'invalid_grant', "Not Before (nbf) time must be a unix time stamp"); return null; } } // Check the audience if required to match if (!isset($jwt['aud']) || $jwt['aud'] != $this->audience) { $response->setError(400, 'invalid_grant', "Invalid audience (aud)"); return null; } // Check the jti (nonce) // @see http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-13#section-4.1.7 if (isset($jwt['jti'])) { $jti = $this->storage->getJti($jwt['iss'], $jwt['sub'], $jwt['aud'], $jwt['exp'], $jwt['jti']); //Reject if jti is used and jwt is still valid (exp parameter has not expired). if ($jti && $jti['expires'] > time()) { $response->setError(400, 'invalid_grant', "JSON Token Identifier (jti) has already been used"); return null; } else { $this->storage->setJti($jwt['iss'], $jwt['sub'], $jwt['aud'], $jwt['exp'], $jwt['jti']); } } // Get the iss's public key // @see http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-06#section-4.1.1 if (!($key = $this->storage->getClientKey($jwt['iss'], $jwt['sub']))) { $response->setError(400, 'invalid_grant', "Invalid issuer (iss) or subject (sub) provided"); return null; } // Verify the JWT if (!$this->jwtUtil->decode($undecodedJWT, $key, true)) { $response->setError(400, 'invalid_grant', "JWT failed signature verification"); return null; } $this->jwt = $jwt; return true; }
/** * Validate request via client * * @param object $request Request object * @param object $response Response object * @return bool Result of auth */ public function validateRequest(RequestInterface $request, ResponseInterface $response) { // check HTTP basic auth headers for client id/secret if (!is_null($request->headers('PHP_AUTH_USER')) && !is_null($request->headers('PHP_AUTH_PW'))) { $clientData = array('client_id' => $request->headers('PHP_AUTH_USER'), 'client_secret' => $request->headers('PHP_AUTH_PW')); } // if we allow credentials via request body look there if ($this->config['allow_credentials_in_request_body']) { // check for client id in request if (!is_null($request->request('client_id'))) { $clientData = array('client_id' => $request->request('client_id'), 'client_secret' => $request->request('client_secret')); } } // must have client id if (!isset($clientData['client_id']) || $clientData['client_id'] == '') { $message = $this->config['allow_credentials_in_request_body'] ? ' or body' : ''; $response->setError(400, 'invalid_client', 'Client credentials were not found in the headers' . $message); return false; } // check to see if we have client secret if (!isset($clientData['client_secret']) || $clientData['client_secret'] == '') { // invalid if we dont have client secret and public clients are off if (!$this->config['allow_public_clients']) { $response->setError(400, 'invalid_client', 'client credentials are required'); return false; } // check storage if client is public client if (!$this->storage->isPublicClient($clientData['client_id'])) { $response->setError(400, 'invalid_client', 'This client is invalid or must authenticate using a client secret'); return false; } } elseif ($this->storage->checkClientCredentials($clientData['client_id'], $clientData['client_secret']) === false) { $response->setError(400, 'invalid_client', 'The client credentials are invalid'); return false; } // store data locally $this->clientData = $clientData; return true; }
/** * @param RequestInterface $request * @param ResponseInterface $response * * @return bool */ public function validateRequest(RequestInterface $request, ResponseInterface $response) { $providerName = $request->request('provider'); $providerUserId = $request->request('provider_user_id'); $providerAccessToken = $request->request('provider_access_token'); if (!$providerName || !$providerUserId || !$providerAccessToken) { $response->setError(400, 'invalid_request', 'One or more missing parameter: "provider", "provider_user_id" and "provider_access_token" are required'); return false; } $provider = isset($this->providers[$providerName]) ? $this->providers[$providerName] : null; if (!$provider instanceof ProviderInterface) { $response->setError(400, 'invalid_request', 'Unknown provider selected'); return false; } try { $errorMessage = ''; if (!$provider->validate($providerUserId, $providerAccessToken, $errorMessage)) { $response->setError(401, 'invalid_grant', 'Invalid third party credentials: ' . $errorMessage); return false; } } catch (ClientException $e) { $response->setError($e->getCode(), 'provider_client_error', $e->getMessage()); return false; } catch (Exception $e) { $response->setError(500, 'provider_error', $e->getMessage()); return false; } $token = $request->request('access_token'); $accessToken = $token ? $this->accessTokenMapper->findByToken($token) : null; if ($accessToken instanceof Entity\AccessToken && $accessToken->isExpired()) { $response->setError(401, 'invalid_grant', 'Access token is expired'); return false; } $thirdPartyUser = $this->thirdPartyMapper->findByProvider($provider); switch (true) { // a known user tries to connect with third party credentials owned by another user? issue an error case $accessToken instanceof Entity\AccessToken && $thirdPartyUser instanceof Entity\ThirdParty && $thirdPartyUser->getUser() !== $accessToken->getUser(): $response->setError(400, 'invalid_request', 'Another user is already registered with same credentials'); return false; // known third party credentials? update the data and grab the user form it // known third party credentials? update the data and grab the user form it case $thirdPartyUser instanceof Entity\ThirdParty: $thirdPartyUser->setData($provider->getUserData()); $user = $thirdPartyUser->getUser(); break; // valid access token? grab the user form it // valid access token? grab the user form it case $accessToken instanceof Entity\AccessToken: $user = $accessToken->getUser(); break; // no third party credentials or access token? it's a new user // no third party credentials or access token? it's a new user default: $userClass = $this->moduleOptions->getUserEntityClassName(); $user = new $userClass(); } // in case 3 and 4 we need to connect the user with new third party credentials if (!$thirdPartyUser instanceof Entity\ThirdParty) { $this->connectUserToThirdParty($user, $provider); } $this->userMapper->save($user); $this->user = $user; return true; }
/** * Validate request via session data * * This is used for internal requests via ajax * * @param object $request Request object * @param object $response Response object * @return bool Result of auth */ public function validateRequest(RequestInterface $request, ResponseInterface $response) { // make sure we have tool session data if (!($toolData = $this->storage->getToolSessionDataFromRequest($request))) { $response->setError(401, 'tool_session_authentication_invalid', 'Unable to find valid tool session data.'); return false; } // validate tool session data if (!($userId = $this->storage->validateToolSessionData($toolData['toolSessionId'], $toolData['toolSessionToken']))) { $response->setError(401, 'tool_session_authentication_invalid', 'Unable to find valid tool session data.'); return false; } // store user info locally $this->userInfo = ['user_id' => $userId, 'scope' => '']; return true; }
/** * Revoke a refresh or access token. Returns true on success and when tokens are invalid * * Note: invalid tokens do not cause an error response since the client * cannot handle such an error in a reasonable way. Moreover, the * purpose of the revocation request, invalidating the particular token, * is already achieved. * * @param RequestInterface $request * @param ResponseInterface $response * @return bool|null */ public function revokeToken(RequestInterface $request, ResponseInterface $response) { if (strtolower($request->server('REQUEST_METHOD')) != 'post') { $response->setError(405, 'invalid_request', 'The request method must be POST when revoking an access token', '#section-3.2'); $response->addHttpHeaders(array('Allow' => 'POST')); return null; } $token_type_hint = $request->request('token_type_hint'); if (!in_array($token_type_hint, array(null, 'access_token', 'refresh_token'), true)) { $response->setError(400, 'invalid_request', 'Token type hint must be either \'access_token\' or \'refresh_token\''); return null; } $token = $request->request('token'); if ($token === null) { $response->setError(400, 'invalid_request', 'Missing token parameter to revoke'); return null; } // @todo remove this check for v2.0 if (!method_exists($this->accessToken, 'revokeToken')) { $class = get_class($this->accessToken); throw new \RuntimeException("AccessToken {$class} does not implement required revokeToken method"); } $this->accessToken->revokeToken($token, $token_type_hint); return true; }
/** * Validate request via client * * @param object $request Request object * @param object $response Response object * @return bool Result of auth */ public function validateRequest(RequestInterface $request, ResponseInterface $response) { // make sure we have a code param if (!($code = $request->request('code'))) { $response->setError(400, 'invalid_request', 'Missing parameter: "code" is required'); return false; } // verify code param if (!($authCode = $this->storage->getAuthorizationCode($code))) { $response->setError(400, 'invalid_grant', 'Authorization code doesn\'t exist or is invalid for the client'); return false; } // make sure "redirect_uri" parameter is present if the "redirect_uri" parameter was included in the initial authorization request if (isset($authCode['redirect_uri']) && $authCode['redirect_uri']) { if (!$request->request('redirect_uri') || urldecode($request->request('redirect_uri')) != $authCode['redirect_uri']) { $response->setError(400, 'redirect_uri_mismatch', "The redirect URI is missing or do not match", "#section-4.1.3"); return false; } } // must have expiration if (!isset($authCode['expires'])) { throw new \Exception('Storage must return authcode with a value for "expires"'); } // checkk code isnt expired if ($authCode["expires"] < time()) { $response->setError(400, 'invalid_grant', "The authorization code has expired"); return false; } // make sure have the actual auth code if (!isset($authCode['code'])) { $authCode['code'] = $code; // used to expire the code after the access token is granted } // store locally $this->authCode = $authCode; return true; }
/** * Validate request via session data * * This is used for internal requests via ajax * * @param object $request Request object * @param object $response Response object * @return bool Result of auth */ public function validateRequest(RequestInterface $request, ResponseInterface $response) { // check for session id if (!($sessionId = $this->storage->getSessionIdFromCookie())) { $response->setError(401, 'session_authentication_invalid', 'Unable to find a valid session id.'); return false; } // get user for session id if (!($userId = $this->storage->getUserIdFromSessionId($sessionId))) { $response->setError(401, 'session_authentication_invalid', 'Unable to authenticate via active session.'); return false; } // store our session & user id $this->userInfo = array('user_id' => $userId, 'session_id' => $sessionId); return true; }
public function validateAuthorizeRequest(RequestInterface $request, ResponseInterface $response) { // Make sure a valid client id was supplied (we can not redirect because we were unable to verify the URI) if (!($client_id = $request->query("client_id"))) { // We don't have a good URI to use $response->setError(400, 'invalid_client', "No client id supplied"); return false; } // Get client details if (!($clientData = $this->clientStorage->getClientDetails($client_id))) { $response->setError(400, 'invalid_client', 'The client id supplied is invalid'); return false; } $registered_redirect_uri = isset($clientData['redirect_uri']) ? $clientData['redirect_uri'] : ''; // Make sure a valid redirect_uri was supplied. If specified, it must match the clientData URI. // @see http://tools.ietf.org/html/rfc6749#section-3.1.2 // @see http://tools.ietf.org/html/rfc6749#section-4.1.2.1 // @see http://tools.ietf.org/html/rfc6749#section-4.2.2.1 if ($redirect_uri = $request->query('redirect_uri')) { // validate there is no fragment supplied $parts = parse_url($redirect_uri); if (isset($parts['fragment']) && $parts['fragment']) { $response->setError(400, 'invalid_uri', 'The redirect URI must not contain a fragment'); return false; } // validate against the registered redirect uri(s) if available if ($registered_redirect_uri && !$this->validateRedirectUri($redirect_uri, $registered_redirect_uri)) { $response->setError(400, 'redirect_uri_mismatch', 'The redirect URI provided is missing or does not match', '#section-3.1.2'); return false; } } else { // use the registered redirect_uri if none has been supplied, if possible if (!$registered_redirect_uri) { $response->setError(400, 'invalid_uri', 'No redirect URI was supplied or stored'); return false; } if (count(explode(' ', $registered_redirect_uri)) > 1) { $response->setError(400, 'invalid_uri', 'A redirect URI must be supplied when multiple redirect URIs are registered', '#section-3.1.2.3'); return false; } $redirect_uri = $registered_redirect_uri; } // Select the redirect URI $response_type = $request->query('response_type'); $state = $request->query('state'); if (!($scope = $this->scopeUtil->getScopeFromRequest($request))) { $scope = $this->scopeUtil->getDefaultScope(); } // type and client_id are required if (!$response_type || !in_array($response_type, array(self::RESPONSE_TYPE_AUTHORIZATION_CODE, self::RESPONSE_TYPE_ACCESS_TOKEN))) { $response->setRedirect(302, $redirect_uri, $state, 'invalid_request', 'Invalid or missing response type', null); return false; } if ($response_type == self::RESPONSE_TYPE_AUTHORIZATION_CODE) { if (!isset($this->responseTypes['code'])) { $response->setRedirect(302, $redirect_uri, $state, 'unsupported_response_type', 'authorization code grant type not supported', null); return false; } if (!$this->clientStorage->checkRestrictedGrantType($client_id, 'authorization_code')) { $response->setRedirect(302, $redirect_uri, $state, 'unauthorized_client', 'The grant type is unauthorized for this client_id', null); return false; } if ($this->responseTypes['code']->enforceRedirect() && !$redirect_uri) { $response->setError(400, 'redirect_uri_mismatch', 'The redirect URI is mandatory and was not supplied'); return false; } } if ($response_type == self::RESPONSE_TYPE_ACCESS_TOKEN) { if (!$this->config['allow_implicit']) { $response->setRedirect(302, $redirect_uri, $state, 'unsupported_response_type', 'implicit grant type not supported', null); return false; } if (!$this->clientStorage->checkRestrictedGrantType($client_id, 'implicit')) { $response->setRedirect(302, $redirect_uri, $state, 'unauthorized_client', 'The grant type is unauthorized for this client_id', null); return false; } } // Validate that the requested scope is supported if (false === $scope) { $response->setRedirect(302, $redirect_uri, $state, 'invalid_client', 'This application requires you specify a scope parameter', null); return false; } if (!is_null($scope) && !$this->scopeUtil->scopeExists($scope, $client_id)) { $response->setRedirect(302, $redirect_uri, $state, 'invalid_scope', 'An unsupported scope was requested', null); return false; } // Validate state parameter exists (if configured to enforce this) if ($this->config['enforce_state'] && !$state) { $response->setRedirect(302, $redirect_uri, null, 'invalid_request', 'The state parameter is required'); return false; } // Return retrieved client details together with input return array_merge(array('scope' => $scope, 'state' => $state), $clientData, $request->getAllQueryParameters(), array('redirect_uri' => $redirect_uri)); }