/**
* Register a new client and generate a strong secret
*
* Please note that the secret must be really kept secret, as it is used for some grant type to
* authorize the client. It is returned as a result of this method, as it's already encrypted
* in the client object
*
* @param string $name
* @param array $redirectUris
* @return array [$client, $secret]
*/
public function registerClient(string $name, array $redirectUris) : array
{
do {
$client = Client::createNewClient($name, $redirectUris);
} while ($this->clientRepository->idExists($client->getId()));
$secret = $client->generateSecret();
$client = $this->clientRepository->save($client);
return [$client, $secret];
}
/**
* @throws OAuth2Exception (invalid_request) When grant type was not 'code'
*/
public function createAuthorizationResponse(ServerRequestInterface $request, Client $client, TokenOwnerInterface $owner = null) : ResponseInterface
{
$queryParams = $request->getQueryParams();
// We must validate some parameters first
$responseType = $queryParams['response_type'] ?? null;
if ($responseType !== self::GRANT_RESPONSE_TYPE) {
throw OAuth2Exception::invalidRequest(sprintf('The desired grant type must be "code", but "%s" was given', $responseType));
}
// We try to fetch the redirect URI from query param as per spec, and if none found, we just use
// the first redirect URI defined in the client
$redirectUri = $queryParams['redirect_uri'] ?? $client->getRedirectUris()[0];
// If the redirect URI cannot be found in the list, we throw an error as we don't want the user
// to be redirected to an unauthorized URL
if (!$client->hasRedirectUri($redirectUri)) {
throw OAuth2Exception::invalidRequest('Redirect URI does not match the registered one');
}
// Scope and state allow to perform additional validation
$scope = $queryParams['scope'] ?? null;
$state = $queryParams['state'] ?? null;
$authorizationCode = $this->authorizationCodeService->createToken($redirectUri, $owner, $client, $scope);
$uri = http_build_query(array_filter(['code' => $authorizationCode->getToken(), 'state' => $state]));
return new Response\RedirectResponse($redirectUri . '?' . $uri);
}
public function testCanCreateTokenResponse()
{
$request = $this->createMock(ServerRequestInterface::class);
$client = Client::createNewClient('name', 'http://www.example.com');
$owner = $this->createMock(TokenOwnerInterface::class);
$owner->expects($this->once())->method('getTokenOwnerId')->will($this->returnValue(1));
$token = AccessToken::reconstitute(['token' => 'azerty', 'owner' => $owner, 'client' => null, 'expiresAt' => (new \DateTimeImmutable())->add(new DateInterval('PT1H')), 'scopes' => []]);
$this->tokenService->expects($this->once())->method('createToken')->will($this->returnValue($token));
$response = $this->grant->createTokenResponse($request, $client, $owner);
$body = json_decode($response->getBody(), true);
$this->assertEquals('azerty', $body['access_token']);
$this->assertEquals('Bearer', $body['token_type']);
$this->assertEquals(3600, $body['expires_in']);
$this->assertEquals(1, $body['owner_id']);
}
/**
* @dataProvider grantOptions
*/
public function testCanCreateTokenResponse($rotateRefreshToken, $revokeRotatedRefreshToken)
{
$grant = new RefreshTokenGrant($this->accessTokenService, $this->refreshTokenService, ServerOptions::fromArray(['rotate_refresh_tokens' => $rotateRefreshToken, 'revoke_rotated_refresh_tokens' => $revokeRotatedRefreshToken]));
$request = $this->createMock(ServerRequestInterface::class);
$request->expects($this->once())->method('getParsedBody')->willReturn(['refresh_token' => '123', 'scope' => 'read']);
$owner = $this->createMock(TokenOwnerInterface::class);
$owner->expects($this->once())->method('getTokenOwnerId')->will($this->returnValue(1));
$refreshToken = $this->getValidRefreshToken($owner, ['read']);
$this->refreshTokenService->expects($this->once())->method('getToken')->with('123')->will($this->returnValue($refreshToken));
if ($rotateRefreshToken) {
$this->refreshTokenService->expects($revokeRotatedRefreshToken ? $this->once() : $this->never())->method('deleteToken')->with($refreshToken);
$refreshToken = $this->getValidRefreshToken();
$this->refreshTokenService->expects($this->once())->method('createToken')->will($this->returnValue($refreshToken));
}
$accessToken = $this->getValidAccessToken($owner);
$this->accessTokenService->expects($this->once())->method('createToken')->will($this->returnValue($accessToken));
$response = $grant->createTokenResponse($request, Client::createNewClient('name', []));
$body = json_decode($response->getBody(), true);
$this->assertEquals('azerty_access', $body['access_token']);
$this->assertEquals('Bearer', $body['token_type']);
$this->assertEquals(3600, $body['expires_in']);
$this->assertEquals('read', $body['scope']);
$this->assertEquals(1, $body['owner_id']);
$this->assertEquals('azerty_refresh', $body['refresh_token']);
}
public function testCanGetClient()
{
$client = Client::reconstitute(['id' => 'client_id', 'name' => 'name', 'secret' => '', 'redirectUris' => []]);
$this->clientRepository->expects($this->once())->method('findById')->with('client_id')->will($this->returnValue($client));
$this->assertSame($client, $this->clientService->getClient('client_id'));
}
/**
* @dataProvider hasRefreshGrant
*/
public function testCanCreateTokenResponse($hasRefreshGrant)
{
$request = $this->createMock(ServerRequestInterface::class);
$request->expects($this->once())->method('getParsedBody')->willReturn(['username' => 'michael', 'password' => 'azerty', 'scope' => 'read']);
$owner = $this->createMock(TokenOwnerInterface::class);
$owner->expects($this->once())->method('getTokenOwnerId')->will($this->returnValue(1));
$callable = function ($username, $password) use($owner) {
return $owner;
};
$accessToken = $this->getValidAccessToken($owner);
$this->accessTokenService->expects($this->once())->method('createToken')->will($this->returnValue($accessToken));
if ($hasRefreshGrant) {
$refreshToken = $this->getValidRefreshToken();
$this->refreshTokenService->expects($this->once())->method('createToken')->will($this->returnValue($refreshToken));
}
$authorizationServer = $this->createMock(AuthorizationServer::class);
$authorizationServer->expects($this->once())->method('hasGrant')->with(RefreshTokenGrant::GRANT_TYPE)->will($this->returnValue($hasRefreshGrant));
$this->grant = new PasswordGrant($this->accessTokenService, $this->refreshTokenService, $callable);
$this->grant->setAuthorizationServer($authorizationServer);
$response = $this->grant->createTokenResponse($request, Client::createNewClient('id', 'http://www.example.com'));
$body = json_decode($response->getBody(), true);
$this->assertEquals('azerty_access', $body['access_token']);
$this->assertEquals('Bearer', $body['token_type']);
$this->assertEquals(3600, $body['expires_in']);
$this->assertEquals('read', $body['scope']);
$this->assertEquals(1, $body['owner_id']);
if ($hasRefreshGrant) {
$this->assertEquals('azerty_refresh', $body['refresh_token']);
}
}
public function testAuthenticate()
{
$client = Client::reconstitute(['id' => '325e4ffc-ff89-4558-971a-6c6a4c13e718', 'name' => 'name', 'secret' => '$2y$10$LHAy5E0b1Fie9NpV6KeOWeAmVdA6UnaXP82TNoMGiVl0Sy/E6PUs6', 'redirectUris' => []]);
$this->assertFalse($client->authenticate('azerty'));
$this->assertTrue($client->authenticate('17ef7d94a9172d31c6336424651c861fad9c891e'));
$this->assertFalse($client->authenticate($client->getSecret()));
}
/**
* @dataProvider hasRefreshGrant
*/
public function testCanCreateTokenResponse($hasRefreshGrant)
{
$request = $this->createMock(ServerRequestInterface::class);
$request->expects($this->once())->method('getParsedBody')->willReturn(['code' => '123', 'client_id' => 'client_123']);
$client = Client::reconstitute(['id' => 'client_123', 'name' => 'name', 'secret' => '', 'redirectUris' => []]);
$token = $this->getValidAuthorizationCode(null, null, $client);
$this->authorizationCodeService->expects($this->once())->method('getToken')->with('123')->will($this->returnValue($token));
$owner = $this->createMock(TokenOwnerInterface::class);
$owner->expects($this->once())->method('getTokenOwnerId')->will($this->returnValue(1));
$accessToken = $this->getValidAccessToken($owner);
$this->accessTokenService->expects($this->once())->method('createToken')->will($this->returnValue($accessToken));
if ($hasRefreshGrant) {
$refreshToken = $this->getValidRefreshToken();
$this->refreshTokenService->expects($this->once())->method('createToken')->will($this->returnValue($refreshToken));
}
$authorizationServer = $this->createMock(AuthorizationServer::class);
$authorizationServer->expects($this->once())->method('hasGrant')->with(RefreshTokenGrant::GRANT_TYPE)->will($this->returnValue($hasRefreshGrant));
$this->grant = new AuthorizationGrant($this->authorizationCodeService, $this->accessTokenService, $this->refreshTokenService);
$this->grant->setAuthorizationServer($authorizationServer);
$response = $this->grant->createTokenResponse($request, $client, $owner);
$body = json_decode($response->getBody(), true);
$this->assertEquals('azerty_access', $body['access_token']);
$this->assertEquals('Bearer', $body['token_type']);
$this->assertEquals(3600, $body['expires_in']);
$this->assertEquals('read', $body['scope']);
$this->assertEquals(1, $body['owner_id']);
if ($hasRefreshGrant) {
$this->assertEquals('azerty_refresh', $body['refresh_token']);
}
}