|
1
|
|
|
<?php |
|
2
|
|
|
/** |
|
3
|
|
|
* Created by PhpStorm. |
|
4
|
|
|
* User: Alexandre |
|
5
|
|
|
* Date: 10/03/2018 |
|
6
|
|
|
* Time: 15:55 |
|
7
|
|
|
*/ |
|
8
|
|
|
|
|
9
|
|
|
namespace OAuth2\Roles\AuthorizationServer; |
|
10
|
|
|
|
|
11
|
|
|
|
|
12
|
|
|
use OAuth2\ClientAuthentication\ClientAuthenticationMethodManager; |
|
13
|
|
|
use OAuth2\ClientAuthentication\ClientSecretBasicAuthenticationMethod; |
|
14
|
|
|
use OAuth2\ClientAuthentication\ClientSecretPostAuthenticationMethod; |
|
15
|
|
|
use OAuth2\Config; |
|
16
|
|
|
use OAuth2\Endpoints\AuthorizationEndpoint; |
|
17
|
|
|
use OAuth2\Endpoints\AuthorizationRequestBuilder; |
|
18
|
|
|
use OAuth2\Endpoints\EndpointInterface; |
|
19
|
|
|
use OAuth2\Endpoints\TokenEndpoint; |
|
20
|
|
|
use OAuth2\AuthorizationGrantTypes\Flows\AuthorizationCodeFlow; |
|
21
|
|
|
use OAuth2\AuthorizationGrantTypes\Flows\ClientCredentialsFlow; |
|
22
|
|
|
use OAuth2\AuthorizationGrantTypes\Flows\FlowManager; |
|
23
|
|
|
use OAuth2\AuthorizationGrantTypes\Flows\ImplicitFlow; |
|
24
|
|
|
use OAuth2\AuthorizationGrantTypes\Flows\ResourceOwnerPasswordCredentialsFlow; |
|
25
|
|
|
use OAuth2\AuthorizationGrantTypes\GrantTypeManager; |
|
26
|
|
|
use OAuth2\AuthorizationGrantTypes\RefreshTokenGrantType; |
|
27
|
|
|
use OAuth2\Endpoints\TokenRevocationEndpoint; |
|
28
|
|
|
use OAuth2\ResponseModes\FragmentResponseMode; |
|
29
|
|
|
use OAuth2\ResponseModes\QueryResponseMode; |
|
30
|
|
|
use OAuth2\ResponseModes\ResponseModeManager; |
|
31
|
|
|
use OAuth2\AuthorizationEndpointResponseTypes\ResponseTypeManager; |
|
32
|
|
|
use OAuth2\Roles\AuthorizationServerInterface; |
|
33
|
|
|
use OAuth2\ScopePolicy\ScopePolicyManager; |
|
34
|
|
|
use OAuth2\Storages\StorageManager; |
|
35
|
|
|
|
|
36
|
|
|
|
|
37
|
|
|
class AuthorizationServer implements AuthorizationServerInterface |
|
38
|
|
|
{ |
|
39
|
|
|
protected $authorizationEndpoint; |
|
40
|
|
|
protected $tokenEndpoint; |
|
41
|
|
|
protected $responseTypeManager; |
|
42
|
|
|
protected $storageManager; |
|
43
|
|
|
protected $scopePolicyManager; |
|
44
|
|
|
protected $grantTypeManager; |
|
45
|
|
|
protected $clientAuthenticationMethodManager; |
|
46
|
|
|
protected $responseModeManager; |
|
47
|
|
|
protected $flowManager; |
|
48
|
|
|
protected $tokenRevocationEndpoint; |
|
49
|
|
|
|
|
50
|
|
|
public function __construct(Config $config, |
|
51
|
|
|
StorageManager $storageManager, |
|
52
|
|
|
ScopePolicyManager $scopePolicyManager, |
|
53
|
|
|
EndUserInterface $authorizationServerEndUser) |
|
54
|
|
|
{ |
|
55
|
|
|
$this->responseTypeManager = new ResponseTypeManager(); |
|
56
|
|
|
$this->grantTypeManager = new GrantTypeManager(); |
|
57
|
|
|
$this->storageManager = $storageManager; |
|
58
|
|
|
$this->scopePolicyManager = $scopePolicyManager; |
|
59
|
|
|
|
|
60
|
|
|
$this->clientAuthenticationMethodManager = new ClientAuthenticationMethodManager($this->storageManager->getClientStorage()); |
|
61
|
|
|
$this->clientAuthenticationMethodManager->addClientAuthenticationMethod('client_secret_basic', |
|
62
|
|
|
new ClientSecretBasicAuthenticationMethod($this->storageManager->getClientStorage())); |
|
63
|
|
|
$this->clientAuthenticationMethodManager->addClientAuthenticationMethod('client_secret_post', |
|
64
|
|
|
new ClientSecretPostAuthenticationMethod($this->storageManager->getClientStorage())); |
|
65
|
|
|
|
|
66
|
|
|
// $queryResponseMode = new QueryResponseMode(); |
|
|
|
|
|
|
67
|
|
|
$this->responseModeManager = new ResponseModeManager(); |
|
68
|
|
|
$this->responseModeManager->addResponseMode('query', new QueryResponseMode()); |
|
69
|
|
|
$this->responseModeManager->addResponseMode('fragment', new FragmentResponseMode()); |
|
70
|
|
|
|
|
71
|
|
|
// response_type : code |
|
72
|
|
|
// grant_type : authorization_code |
|
73
|
|
|
$authorizationCodeFlow = new AuthorizationCodeFlow( |
|
74
|
|
|
$config, |
|
75
|
|
|
$this->storageManager->getAuthorizationCodeStorage(), |
|
76
|
|
|
$this->storageManager->getAccessTokenStorage(), |
|
77
|
|
|
$this->storageManager->getRefreshTokenStorage() |
|
78
|
|
|
); |
|
79
|
|
|
|
|
80
|
|
|
// response_type : token |
|
81
|
|
|
$implicitFlow = new ImplicitFlow( |
|
82
|
|
|
$this->storageManager->getAccessTokenStorage(), |
|
83
|
|
|
$this->storageManager->getRefreshTokenStorage() |
|
84
|
|
|
); |
|
85
|
|
|
|
|
86
|
|
|
// grant_type : password |
|
87
|
|
|
$resourceOwnerPasswordCredentialsFlow = new ResourceOwnerPasswordCredentialsFlow( |
|
88
|
|
|
$this->scopePolicyManager, |
|
89
|
|
|
$this->storageManager->getResourceOwnerStorage(), |
|
90
|
|
|
$this->storageManager->getAccessTokenStorage(), |
|
91
|
|
|
$this->storageManager->getRefreshTokenStorage()); |
|
92
|
|
|
|
|
93
|
|
|
// grant_type : client_credentials |
|
94
|
|
|
$clientCredentialsFlow = new ClientCredentialsFlow( |
|
95
|
|
|
$this->scopePolicyManager, |
|
96
|
|
|
$this->storageManager->getAccessTokenStorage(), |
|
97
|
|
|
$this->storageManager->getRefreshTokenStorage() |
|
98
|
|
|
); |
|
99
|
|
|
|
|
100
|
|
|
// grant_type : refresh_token |
|
101
|
|
|
$refreshTokenGrantType = new RefreshTokenGrantType( |
|
102
|
|
|
$this->storageManager->getAccessTokenStorage(), |
|
103
|
|
|
$this->storageManager->getRefreshTokenStorage(), |
|
104
|
|
|
$config, |
|
105
|
|
|
$this->scopePolicyManager |
|
106
|
|
|
); |
|
107
|
|
|
|
|
108
|
|
|
$this->flowManager = new FlowManager($this->responseTypeManager, $this->grantTypeManager); |
|
109
|
|
|
$this->flowManager->addFlow($authorizationCodeFlow); |
|
110
|
|
|
$this->flowManager->addFlow($implicitFlow); |
|
111
|
|
|
$this->flowManager->addFlow($resourceOwnerPasswordCredentialsFlow); |
|
112
|
|
|
$this->flowManager->addFlow($clientCredentialsFlow); |
|
113
|
|
|
|
|
114
|
|
|
$this->grantTypeManager->addGrantType('refresh_token', $refreshTokenGrantType); |
|
115
|
|
|
|
|
116
|
|
|
$authorizationRequestBuilder = new AuthorizationRequestBuilder( |
|
117
|
|
|
$this->storageManager->getClientStorage(), |
|
118
|
|
|
$this->responseTypeManager, |
|
119
|
|
|
$this->responseModeManager, |
|
120
|
|
|
$this->scopePolicyManager |
|
121
|
|
|
); |
|
122
|
|
|
$this->authorizationEndpoint = new AuthorizationEndpoint($authorizationRequestBuilder, $authorizationServerEndUser); |
|
123
|
|
|
|
|
124
|
|
|
$this->tokenEndpoint = new TokenEndpoint( |
|
125
|
|
|
$this->grantTypeManager, |
|
126
|
|
|
$this->clientAuthenticationMethodManager); |
|
127
|
|
|
|
|
128
|
|
|
$this->tokenRevocationEndpoint = new TokenRevocationEndpoint( |
|
129
|
|
|
$this->clientAuthenticationMethodManager, |
|
130
|
|
|
$this->storageManager); |
|
131
|
|
|
} |
|
132
|
|
|
|
|
133
|
|
|
/** |
|
134
|
|
|
* @return AuthorizationEndpoint |
|
135
|
|
|
*/ |
|
136
|
|
|
public function getAuthorizationEndpoint(): EndpointInterface |
|
137
|
|
|
{ |
|
138
|
|
|
return $this->authorizationEndpoint; |
|
139
|
|
|
} |
|
140
|
|
|
|
|
141
|
|
|
/** |
|
142
|
|
|
* @return TokenEndpoint |
|
143
|
|
|
*/ |
|
144
|
|
|
public function getTokenEndpoint(): EndpointInterface |
|
145
|
|
|
{ |
|
146
|
|
|
return $this->tokenEndpoint; |
|
147
|
|
|
} |
|
148
|
|
|
|
|
149
|
|
|
/** |
|
150
|
|
|
* @return TokenRevocationEndpoint |
|
151
|
|
|
*/ |
|
152
|
|
|
public function getTokenRevocationEndpoint(): TokenRevocationEndpoint |
|
153
|
|
|
{ |
|
154
|
|
|
return $this->tokenRevocationEndpoint; |
|
155
|
|
|
} |
|
156
|
|
|
|
|
157
|
|
|
/** |
|
158
|
|
|
* @return bool |
|
159
|
|
|
* |
|
160
|
|
|
* @see https://tools.ietf.org/html/rfc6749#section-3.1.2.1 |
|
161
|
|
|
* |
|
162
|
|
|
* Endpoint Request Confidentiality |
|
163
|
|
|
* |
|
164
|
|
|
* The redirection endpoint SHOULD require the use of TLS as described |
|
165
|
|
|
* in Section 1.6 when the requested response type is "code" or "token", |
|
166
|
|
|
* or when the redirection request will result in the transmission of |
|
167
|
|
|
* sensitive credentials over an open network. This specification does |
|
168
|
|
|
* not mandate the use of TLS because at the time of this writing, |
|
169
|
|
|
* requiring clients to deploy TLS is a significant hurdle for many |
|
170
|
|
|
* client developers. If TLS is not available, the authorization server |
|
171
|
|
|
* SHOULD warn the resource owner about the insecure endpoint prior to |
|
172
|
|
|
* redirection (e.g., display a message during the authorization |
|
173
|
|
|
* request). |
|
174
|
|
|
* |
|
175
|
|
|
* Lack of transport-layer security can have a severe impact on the |
|
176
|
|
|
* security of the client and the protected resources it is authorized |
|
177
|
|
|
* to access. The use of transport-layer security is particularly |
|
178
|
|
|
* critical when the authorization process is used as a form of |
|
179
|
|
|
* delegated end-user authentication by the client (e.g., third-party |
|
180
|
|
|
* sign-in service). |
|
181
|
|
|
* @deprecated |
|
182
|
|
|
*/ |
|
183
|
|
|
public function isSecure() |
|
184
|
|
|
{ |
|
185
|
|
|
return (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') || $_SERVER['SERVER_PORT'] == 443; |
|
186
|
|
|
} |
|
187
|
|
|
} |
php-guard /
oauth-server
Sometimes obsolete code just ends up commented out instead of removed. In this case it is better to remove the code once you have checked you do not need it.
The code might also have been commented out for debugging purposes. In this case it is vital that someone uncomments it again or your project may behave in very unexpected ways in production.
This check looks for comments that seem to be mostly valid code and reports them.