1
|
|
|
<?php |
2
|
|
|
|
3
|
|
|
declare(strict_types=1); |
4
|
|
|
|
5
|
|
|
/* |
6
|
|
|
* The MIT License (MIT) |
7
|
|
|
* |
8
|
|
|
* Copyright (c) 2014-2019 Spomky-Labs |
9
|
|
|
* |
10
|
|
|
* This software may be modified and distributed under the terms |
11
|
|
|
* of the MIT license. See the LICENSE file for details. |
12
|
|
|
*/ |
13
|
|
|
|
14
|
|
|
namespace OAuth2Framework\Component\AuthorizationCodeGrant; |
15
|
|
|
|
16
|
|
|
use OAuth2Framework\Component\AuthorizationCodeGrant\PKCEMethod\PKCEMethodManager; |
17
|
|
|
use OAuth2Framework\Component\AuthorizationEndpoint\AuthorizationRequest\AuthorizationRequest; |
18
|
|
|
use OAuth2Framework\Component\AuthorizationEndpoint\ResponseType\ResponseType; |
19
|
|
|
use OAuth2Framework\Component\Core\DataBag\DataBag; |
20
|
|
|
use OAuth2Framework\Component\Core\Message\OAuth2Error; |
21
|
|
|
use OAuth2Framework\Component\Core\TokenType\TokenType; |
22
|
|
|
use function Safe\sprintf; |
23
|
|
|
|
24
|
|
|
final class AuthorizationCodeResponseType implements ResponseType |
25
|
|
|
{ |
26
|
|
|
/** |
27
|
|
|
* @var int |
28
|
|
|
*/ |
29
|
|
|
private $authorizationCodeLifetime; |
30
|
|
|
|
31
|
|
|
/** |
32
|
|
|
* @var bool |
33
|
|
|
*/ |
34
|
|
|
private $pkceForPublicClientsEnforced; |
35
|
|
|
|
36
|
|
|
/** |
37
|
|
|
* @var AuthorizationCodeRepository |
38
|
|
|
*/ |
39
|
|
|
private $authorizationCodeRepository; |
40
|
|
|
|
41
|
|
|
/** |
42
|
|
|
* @var PKCEMethodManager |
43
|
|
|
*/ |
44
|
|
|
private $pkceMethodManager; |
45
|
|
|
|
46
|
|
|
public function __construct(AuthorizationCodeRepository $authorizationCodeRepository, int $authorizationCodeLifetime, PKCEMethodManager $pkceMethodManager, bool $pkceForPublicClientsEnforced) |
47
|
|
|
{ |
48
|
|
|
$this->authorizationCodeRepository = $authorizationCodeRepository; |
49
|
|
|
$this->authorizationCodeLifetime = $authorizationCodeLifetime; |
50
|
|
|
$this->pkceMethodManager = $pkceMethodManager; |
51
|
|
|
$this->pkceForPublicClientsEnforced = $pkceForPublicClientsEnforced; |
52
|
|
|
} |
53
|
|
|
|
54
|
|
|
public function associatedGrantTypes(): array |
55
|
|
|
{ |
56
|
|
|
return ['authorization_code']; |
57
|
|
|
} |
58
|
|
|
|
59
|
|
|
public function name(): string |
60
|
|
|
{ |
61
|
|
|
return 'code'; |
62
|
|
|
} |
63
|
|
|
|
64
|
|
|
public function getResponseMode(): string |
65
|
|
|
{ |
66
|
|
|
return self::RESPONSE_TYPE_MODE_QUERY; |
67
|
|
|
} |
68
|
|
|
|
69
|
|
|
public function preProcess(AuthorizationRequest $authorization): void |
70
|
|
|
{ |
71
|
|
|
$queryParams = $authorization->getQueryParams(); |
72
|
|
|
|
73
|
|
|
if (!\array_key_exists('code_challenge', $queryParams)) { |
74
|
|
|
if (true === $this->pkceForPublicClientsEnforced && $authorization->getClient()->isPublic()) { |
75
|
|
|
throw OAuth2Error::invalidRequest('Non-confidential clients must set a proof key (PKCE) for code exchange.'); |
76
|
|
|
} |
77
|
|
|
} else { |
78
|
|
|
$codeChallengeMethod = \array_key_exists('code_challenge_method', $queryParams) ? $queryParams['code_challenge_method'] : 'plain'; |
79
|
|
|
if (!$this->pkceMethodManager->has($codeChallengeMethod)) { |
80
|
|
|
throw OAuth2Error::invalidRequest(sprintf('The challenge method "%s" is not supported.', $codeChallengeMethod)); |
81
|
|
|
} |
82
|
|
|
} |
83
|
|
|
|
84
|
|
|
$authorizationCode = $this->authorizationCodeRepository->create( |
85
|
|
|
$authorization->getClient()->getClientId(), |
86
|
|
|
$authorization->getUserAccount()->getUserAccountId(), |
87
|
|
|
$authorization->getQueryParams(), |
88
|
|
|
$authorization->getRedirectUri(), |
89
|
|
|
(new \DateTimeImmutable())->setTimestamp(time() + $this->authorizationCodeLifetime), |
|
|
|
|
90
|
|
|
new DataBag([]), |
91
|
|
|
$authorization->getMetadata(), |
92
|
|
|
null !== $authorization->getResourceServer() ? $authorization->getResourceServer()->getResourceServerId() : null |
93
|
|
|
); |
94
|
|
|
$this->authorizationCodeRepository->save($authorizationCode); |
95
|
|
|
$authorization->setResponseParameter('code', $authorizationCode->getId()->getValue()); |
96
|
|
|
} |
97
|
|
|
|
98
|
|
|
public function process(AuthorizationRequest $authorization, TokenType $tokenType): void |
99
|
|
|
{ |
100
|
|
|
//Nothing to do |
101
|
|
|
} |
102
|
|
|
} |
103
|
|
|
|