|
1
|
|
|
<?php |
|
2
|
|
|
/** |
|
3
|
|
|
* @author Alex Bilbie <[email protected]> |
|
4
|
|
|
* @copyright Copyright (c) Alex Bilbie |
|
5
|
|
|
* @license http://mit-license.org/ |
|
6
|
|
|
* |
|
7
|
|
|
* @link https://github.com/thephpleague/oauth2-server |
|
8
|
|
|
*/ |
|
9
|
|
|
|
|
10
|
|
|
namespace League\OAuth2\Server\Grant; |
|
11
|
|
|
|
|
12
|
|
|
use League\OAuth2\Server\Entities\ClientEntityInterface; |
|
13
|
|
|
use League\OAuth2\Server\Entities\ScopeEntityInterface; |
|
14
|
|
|
use League\OAuth2\Server\Entities\UserEntityInterface; |
|
15
|
|
|
use League\OAuth2\Server\Exception\OAuthServerException; |
|
16
|
|
|
use League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface; |
|
17
|
|
|
use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface; |
|
18
|
|
|
use League\OAuth2\Server\RequestEvent; |
|
19
|
|
|
use League\OAuth2\Server\RequestTypes\AuthorizationRequest; |
|
20
|
|
|
use League\OAuth2\Server\ResponseTypes\RedirectResponse; |
|
21
|
|
|
use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface; |
|
22
|
|
|
use Psr\Http\Message\ServerRequestInterface; |
|
23
|
|
|
|
|
24
|
|
|
class AuthCodeGrant extends AbstractAuthorizeGrant |
|
25
|
|
|
{ |
|
26
|
|
|
/** |
|
27
|
|
|
* @var \DateInterval |
|
28
|
|
|
*/ |
|
29
|
|
|
private $authCodeTTL; |
|
30
|
|
|
|
|
31
|
|
|
/** |
|
32
|
|
|
* @var bool |
|
33
|
|
|
*/ |
|
34
|
|
|
private $enableCodeExchangeProof = false; |
|
35
|
|
|
|
|
36
|
|
|
/** |
|
37
|
|
|
* @param AuthCodeRepositoryInterface $authCodeRepository |
|
38
|
|
|
* @param RefreshTokenRepositoryInterface $refreshTokenRepository |
|
39
|
|
|
* @param \DateInterval $authCodeTTL |
|
40
|
|
|
*/ |
|
41
|
41 |
|
public function __construct( |
|
42
|
|
|
AuthCodeRepositoryInterface $authCodeRepository, |
|
43
|
|
|
RefreshTokenRepositoryInterface $refreshTokenRepository, |
|
44
|
|
|
\DateInterval $authCodeTTL |
|
45
|
|
|
) { |
|
46
|
41 |
|
$this->setAuthCodeRepository($authCodeRepository); |
|
47
|
41 |
|
$this->setRefreshTokenRepository($refreshTokenRepository); |
|
48
|
41 |
|
$this->authCodeTTL = $authCodeTTL; |
|
49
|
41 |
|
$this->refreshTokenTTL = new \DateInterval('P1M'); |
|
50
|
41 |
|
} |
|
51
|
|
|
|
|
52
|
13 |
|
public function enableCodeExchangeProof() |
|
53
|
|
|
{ |
|
54
|
13 |
|
$this->enableCodeExchangeProof = true; |
|
55
|
13 |
|
} |
|
56
|
|
|
|
|
57
|
|
|
/** |
|
58
|
|
|
* Respond to an access token request. |
|
59
|
|
|
* |
|
60
|
|
|
* @param ServerRequestInterface $request |
|
61
|
|
|
* @param ResponseTypeInterface $responseType |
|
62
|
|
|
* @param \DateInterval $accessTokenTTL |
|
63
|
|
|
* |
|
64
|
|
|
* @throws OAuthServerException |
|
65
|
|
|
* |
|
66
|
|
|
* @return ResponseTypeInterface |
|
67
|
|
|
*/ |
|
68
|
18 |
|
public function respondToAccessTokenRequest( |
|
69
|
|
|
ServerRequestInterface $request, |
|
70
|
|
|
ResponseTypeInterface $responseType, |
|
71
|
|
|
\DateInterval $accessTokenTTL |
|
72
|
|
|
) { |
|
73
|
|
|
// Validate request |
|
74
|
18 |
|
$client = $this->validateClient($request); |
|
75
|
18 |
|
$encryptedAuthCode = $this->getRequestParameter('code', $request, null); |
|
76
|
|
|
|
|
77
|
18 |
|
if ($encryptedAuthCode === null) { |
|
78
|
1 |
|
throw OAuthServerException::invalidRequest('code'); |
|
79
|
|
|
} |
|
80
|
|
|
|
|
81
|
|
|
// Validate the authorization code |
|
82
|
|
|
try { |
|
83
|
17 |
|
$authCodePayload = json_decode($this->decrypt($encryptedAuthCode)); |
|
84
|
16 |
|
if (time() > $authCodePayload->expire_time) { |
|
85
|
1 |
|
throw OAuthServerException::invalidRequest('code', 'Authorization code has expired'); |
|
86
|
|
|
} |
|
87
|
|
|
|
|
88
|
15 |
|
if ($this->authCodeRepository->isAuthCodeRevoked($authCodePayload->auth_code_id) === true) { |
|
89
|
1 |
|
throw OAuthServerException::invalidRequest('code', 'Authorization code has been revoked'); |
|
90
|
|
|
} |
|
91
|
|
|
|
|
92
|
14 |
|
if ($authCodePayload->client_id !== $client->getIdentifier()) { |
|
93
|
1 |
|
throw OAuthServerException::invalidRequest('code', 'Authorization code was not issued to this client'); |
|
94
|
|
|
} |
|
95
|
|
|
|
|
96
|
|
|
// The redirect URI is required in this request |
|
97
|
13 |
|
$redirectUri = $this->getRequestParameter('redirect_uri', $request, null); |
|
98
|
13 |
|
if (empty($authCodePayload->redirect_uri) === false && $redirectUri === null) { |
|
99
|
1 |
|
throw OAuthServerException::invalidRequest('redirect_uri'); |
|
100
|
|
|
} |
|
101
|
|
|
|
|
102
|
12 |
|
if ($authCodePayload->redirect_uri !== $redirectUri) { |
|
103
|
1 |
|
throw OAuthServerException::invalidRequest('redirect_uri', 'Invalid redirect URI'); |
|
104
|
|
|
} |
|
105
|
|
|
|
|
106
|
11 |
|
$scopes = []; |
|
107
|
11 |
|
foreach ($authCodePayload->scopes as $scopeId) { |
|
108
|
11 |
|
$scope = $this->scopeRepository->getScopeEntityByIdentifier($scopeId); |
|
109
|
|
|
|
|
110
|
11 |
|
if ($scope instanceof ScopeEntityInterface === false) { |
|
111
|
|
|
// @codeCoverageIgnoreStart |
|
112
|
|
|
throw OAuthServerException::invalidScope($scopeId); |
|
113
|
|
|
// @codeCoverageIgnoreEnd |
|
114
|
|
|
} |
|
115
|
|
|
|
|
116
|
11 |
|
$scopes[] = $scope; |
|
117
|
|
|
} |
|
118
|
|
|
|
|
119
|
|
|
// Finalize the requested scopes |
|
120
|
11 |
|
$scopes = $this->scopeRepository->finalizeScopes( |
|
121
|
11 |
|
$scopes, |
|
122
|
11 |
|
$this->getIdentifier(), |
|
123
|
11 |
|
$client, |
|
124
|
11 |
|
$authCodePayload->user_id |
|
125
|
|
|
); |
|
126
|
6 |
|
} catch (\LogicException $e) { |
|
127
|
1 |
|
throw OAuthServerException::invalidRequest('code', 'Cannot decrypt the authorization code'); |
|
128
|
|
|
} |
|
129
|
|
|
|
|
130
|
|
|
// Validate code challenge |
|
131
|
11 |
|
if ($this->enableCodeExchangeProof === true) { |
|
132
|
7 |
|
$codeVerifier = $this->getRequestParameter('code_verifier', $request, null); |
|
133
|
7 |
|
if ($codeVerifier === null) { |
|
134
|
1 |
|
throw OAuthServerException::invalidRequest('code_verifier'); |
|
135
|
|
|
} |
|
136
|
|
|
|
|
137
|
|
|
// Validate code_verifier according to RFC-7636 |
|
138
|
|
|
// @see: https://tools.ietf.org/html/rfc7636#section-4.1 |
|
139
|
6 |
|
if (preg_match('/^[A-Za-z0-9-._~]{43,128}$/', $codeVerifier) !== 1) { |
|
140
|
3 |
|
throw OAuthServerException::invalidRequest( |
|
141
|
3 |
|
'code_verifier', |
|
142
|
3 |
|
'Code Verifier must follow the specifications of RFC-7636.' |
|
143
|
|
|
); |
|
144
|
|
|
} |
|
145
|
|
|
|
|
146
|
3 |
|
switch ($authCodePayload->code_challenge_method) { |
|
147
|
3 |
|
case 'plain': |
|
148
|
2 |
|
if (hash_equals($codeVerifier, $authCodePayload->code_challenge) === false) { |
|
149
|
1 |
|
throw OAuthServerException::invalidGrant('Failed to verify `code_verifier`.'); |
|
150
|
|
|
} |
|
151
|
|
|
|
|
152
|
1 |
|
break; |
|
153
|
1 |
|
case 'S256': |
|
154
|
|
|
if ( |
|
155
|
1 |
|
hash_equals( |
|
156
|
1 |
|
strtr(rtrim(base64_encode(hash('sha256', $codeVerifier, true)), '='), '+/', '-_'), |
|
157
|
1 |
|
$authCodePayload->code_challenge |
|
158
|
1 |
|
) === false |
|
159
|
|
|
) { |
|
160
|
|
|
throw OAuthServerException::invalidGrant('Failed to verify `code_verifier`.'); |
|
161
|
|
|
} |
|
162
|
|
|
// @codeCoverageIgnoreStart |
|
163
|
|
|
break; |
|
164
|
|
|
default: |
|
165
|
|
|
throw OAuthServerException::serverError( |
|
166
|
|
|
sprintf( |
|
167
|
|
|
'Unsupported code challenge method `%s`', |
|
168
|
|
|
$authCodePayload->code_challenge_method |
|
169
|
|
|
) |
|
170
|
|
|
); |
|
171
|
|
|
// @codeCoverageIgnoreEnd |
|
172
|
|
|
} |
|
173
|
|
|
} |
|
174
|
|
|
|
|
175
|
|
|
// Issue and persist access + refresh tokens |
|
176
|
6 |
|
$accessToken = $this->issueAccessToken($accessTokenTTL, $client, $authCodePayload->user_id, $scopes); |
|
177
|
6 |
|
$refreshToken = $this->issueRefreshToken($accessToken); |
|
178
|
|
|
|
|
179
|
|
|
// Send events to emitter |
|
180
|
4 |
|
$this->getEmitter()->emit(new RequestEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request)); |
|
181
|
4 |
|
$this->getEmitter()->emit(new RequestEvent(RequestEvent::REFRESH_TOKEN_ISSUED, $request)); |
|
182
|
|
|
|
|
183
|
|
|
// Inject tokens into response type |
|
184
|
4 |
|
$responseType->setAccessToken($accessToken); |
|
|
|
|
|
|
185
|
4 |
|
$responseType->setRefreshToken($refreshToken); |
|
|
|
|
|
|
186
|
|
|
|
|
187
|
|
|
// Revoke used auth code |
|
188
|
4 |
|
$this->authCodeRepository->revokeAuthCode($authCodePayload->auth_code_id); |
|
189
|
|
|
|
|
190
|
4 |
|
return $responseType; |
|
191
|
|
|
} |
|
192
|
|
|
|
|
193
|
|
|
/** |
|
194
|
|
|
* Return the grant identifier that can be used in matching up requests. |
|
195
|
|
|
* |
|
196
|
|
|
* @return string |
|
197
|
|
|
*/ |
|
198
|
33 |
|
public function getIdentifier() |
|
199
|
|
|
{ |
|
200
|
33 |
|
return 'authorization_code'; |
|
201
|
|
|
} |
|
202
|
|
|
|
|
203
|
|
|
/** |
|
204
|
|
|
* Fetch the client_id parameter from the query string. |
|
205
|
|
|
* |
|
206
|
|
|
* @return string|null |
|
207
|
|
|
* @throws OAuthServerException |
|
208
|
|
|
*/ |
|
209
|
15 |
|
protected function getClientIdFromRequest($request) |
|
210
|
|
|
{ |
|
211
|
15 |
|
$clientId = $this->getQueryStringParameter( |
|
212
|
15 |
|
'client_id', |
|
213
|
15 |
|
$request, |
|
214
|
15 |
|
$this->getServerParameter('PHP_AUTH_USER', $request) |
|
215
|
|
|
); |
|
216
|
|
|
|
|
217
|
15 |
|
if (is_null($clientId)) { |
|
218
|
1 |
|
throw OAuthServerException::invalidRequest('client_id'); |
|
219
|
|
|
} |
|
220
|
|
|
|
|
221
|
14 |
|
return $clientId; |
|
222
|
|
|
} |
|
223
|
|
|
|
|
224
|
|
|
/** |
|
225
|
|
|
* {@inheritdoc} |
|
226
|
|
|
*/ |
|
227
|
4 |
|
public function canRespondToAuthorizationRequest(ServerRequestInterface $request) |
|
228
|
|
|
{ |
|
229
|
|
|
return ( |
|
230
|
4 |
|
array_key_exists('response_type', $request->getQueryParams()) |
|
231
|
4 |
|
&& $request->getQueryParams()['response_type'] === 'code' |
|
232
|
4 |
|
&& $this->getClientIdFromRequest($request) !== null |
|
233
|
|
|
); |
|
234
|
|
|
} |
|
235
|
|
|
|
|
236
|
|
|
/** |
|
237
|
|
|
* {@inheritdoc} |
|
238
|
|
|
*/ |
|
239
|
13 |
|
public function validateAuthorizationRequest(ServerRequestInterface $request) |
|
240
|
|
|
{ |
|
241
|
13 |
|
$clientId = $this->getClientIdFromRequest($request); |
|
242
|
|
|
|
|
243
|
13 |
|
$client = $this->clientRepository->getClientEntity( |
|
244
|
13 |
|
$clientId, |
|
245
|
13 |
|
$this->getIdentifier(), |
|
246
|
13 |
|
null, |
|
247
|
13 |
|
false |
|
248
|
|
|
); |
|
249
|
|
|
|
|
250
|
13 |
|
if ($client instanceof ClientEntityInterface === false) { |
|
251
|
1 |
|
$this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request)); |
|
252
|
1 |
|
throw OAuthServerException::invalidClient(); |
|
253
|
|
|
} |
|
254
|
|
|
|
|
255
|
12 |
|
$redirectUri = $this->getQueryStringParameter('redirect_uri', $request); |
|
256
|
12 |
|
if ($redirectUri !== null) { |
|
257
|
|
|
if ( |
|
258
|
10 |
|
is_string($client->getRedirectUri()) |
|
259
|
10 |
|
&& (strcmp($client->getRedirectUri(), $redirectUri) !== 0) |
|
260
|
|
|
) { |
|
261
|
1 |
|
$this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request)); |
|
262
|
1 |
|
throw OAuthServerException::invalidClient(); |
|
263
|
|
|
} elseif ( |
|
264
|
9 |
|
is_array($client->getRedirectUri()) |
|
265
|
9 |
|
&& in_array($redirectUri, $client->getRedirectUri(), true) === false |
|
266
|
|
|
) { |
|
267
|
1 |
|
$this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request)); |
|
268
|
9 |
|
throw OAuthServerException::invalidClient(); |
|
269
|
|
|
} |
|
270
|
2 |
|
} elseif (is_array($client->getRedirectUri()) && count($client->getRedirectUri()) !== 1 |
|
271
|
2 |
|
|| empty($client->getRedirectUri())) { |
|
272
|
1 |
|
$this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request)); |
|
273
|
1 |
|
throw OAuthServerException::invalidClient(); |
|
274
|
|
|
} else { |
|
275
|
1 |
|
$redirectUri = is_array($client->getRedirectUri()) |
|
276
|
|
|
? $client->getRedirectUri()[0] |
|
277
|
1 |
|
: $client->getRedirectUri(); |
|
278
|
|
|
} |
|
279
|
|
|
|
|
280
|
9 |
|
$scopes = $this->validateScopes( |
|
281
|
9 |
|
$this->getQueryStringParameter('scope', $request, $this->defaultScope), |
|
282
|
9 |
|
$redirectUri |
|
283
|
|
|
); |
|
284
|
|
|
|
|
285
|
9 |
|
$stateParameter = $this->getQueryStringParameter('state', $request); |
|
286
|
|
|
|
|
287
|
9 |
|
$authorizationRequest = new AuthorizationRequest(); |
|
288
|
9 |
|
$authorizationRequest->setGrantTypeId($this->getIdentifier()); |
|
289
|
9 |
|
$authorizationRequest->setClient($client); |
|
290
|
9 |
|
$authorizationRequest->setRedirectUri($redirectUri); |
|
291
|
9 |
|
$authorizationRequest->setState($stateParameter); |
|
292
|
9 |
|
$authorizationRequest->setScopes($scopes); |
|
293
|
|
|
|
|
294
|
9 |
|
if ($this->enableCodeExchangeProof === true) { |
|
295
|
6 |
|
$codeChallenge = $this->getQueryStringParameter('code_challenge', $request); |
|
296
|
6 |
|
if ($codeChallenge === null) { |
|
297
|
1 |
|
throw OAuthServerException::invalidRequest('code_challenge'); |
|
298
|
|
|
} |
|
299
|
|
|
|
|
300
|
5 |
|
$codeChallengeMethod = $this->getQueryStringParameter('code_challenge_method', $request, 'plain'); |
|
301
|
5 |
|
if (in_array($codeChallengeMethod, ['plain', 'S256'], true) === false) { |
|
302
|
1 |
|
throw OAuthServerException::invalidRequest( |
|
303
|
1 |
|
'code_challenge_method', |
|
304
|
1 |
|
'Code challenge method must be `plain` or `S256`' |
|
305
|
|
|
); |
|
306
|
|
|
} |
|
307
|
|
|
|
|
308
|
|
|
// Validate code_challenge according to RFC-7636 |
|
309
|
|
|
// @see: https://tools.ietf.org/html/rfc7636#section-4.2 |
|
310
|
4 |
|
if (preg_match('/^[A-Za-z0-9-._~]{43,128}$/', $codeChallenge) !== 1) { |
|
311
|
3 |
|
throw OAuthServerException::invalidRequest( |
|
312
|
3 |
|
'code_challenged', |
|
313
|
3 |
|
'Code challenge must follow the specifications of RFC-7636.' |
|
314
|
|
|
); |
|
315
|
|
|
} |
|
316
|
|
|
|
|
317
|
1 |
|
$authorizationRequest->setCodeChallenge($codeChallenge); |
|
318
|
1 |
|
$authorizationRequest->setCodeChallengeMethod($codeChallengeMethod); |
|
319
|
|
|
} |
|
320
|
|
|
|
|
321
|
4 |
|
return $authorizationRequest; |
|
322
|
|
|
} |
|
323
|
|
|
|
|
324
|
|
|
/** |
|
325
|
|
|
* {@inheritdoc} |
|
326
|
|
|
*/ |
|
327
|
7 |
|
public function completeAuthorizationRequest(AuthorizationRequest $authorizationRequest) |
|
328
|
|
|
{ |
|
329
|
7 |
|
if ($authorizationRequest->getUser() instanceof UserEntityInterface === false) { |
|
330
|
1 |
|
throw new \LogicException('An instance of UserEntityInterface should be set on the AuthorizationRequest'); |
|
331
|
|
|
} |
|
332
|
|
|
|
|
333
|
6 |
|
$finalRedirectUri = ($authorizationRequest->getRedirectUri() === null) |
|
334
|
6 |
|
? is_array($authorizationRequest->getClient()->getRedirectUri()) |
|
335
|
|
|
? $authorizationRequest->getClient()->getRedirectUri()[0] |
|
336
|
6 |
|
: $authorizationRequest->getClient()->getRedirectUri() |
|
337
|
6 |
|
: $authorizationRequest->getRedirectUri(); |
|
338
|
|
|
|
|
339
|
|
|
// The user approved the client, redirect them back with an auth code |
|
340
|
6 |
|
if ($authorizationRequest->isAuthorizationApproved() === true) { |
|
341
|
5 |
|
$authCode = $this->issueAuthCode( |
|
342
|
5 |
|
$this->authCodeTTL, |
|
343
|
5 |
|
$authorizationRequest->getClient(), |
|
344
|
5 |
|
$authorizationRequest->getUser()->getIdentifier(), |
|
345
|
5 |
|
$authorizationRequest->getRedirectUri(), |
|
346
|
5 |
|
$authorizationRequest->getScopes() |
|
347
|
|
|
); |
|
348
|
|
|
|
|
349
|
|
|
$payload = [ |
|
350
|
3 |
|
'client_id' => $authCode->getClient()->getIdentifier(), |
|
351
|
3 |
|
'redirect_uri' => $authCode->getRedirectUri(), |
|
352
|
3 |
|
'auth_code_id' => $authCode->getIdentifier(), |
|
353
|
3 |
|
'scopes' => $authCode->getScopes(), |
|
354
|
3 |
|
'user_id' => $authCode->getUserIdentifier(), |
|
355
|
3 |
|
'expire_time' => (new \DateTime())->add($this->authCodeTTL)->format('U'), |
|
356
|
3 |
|
'code_challenge' => $authorizationRequest->getCodeChallenge(), |
|
357
|
3 |
|
'code_challenge_method' => $authorizationRequest->getCodeChallengeMethod(), |
|
358
|
|
|
]; |
|
359
|
|
|
|
|
360
|
3 |
|
$response = new RedirectResponse(); |
|
361
|
3 |
|
$response->setRedirectUri( |
|
362
|
3 |
|
$this->makeRedirectUri( |
|
363
|
3 |
|
$finalRedirectUri, |
|
364
|
|
|
[ |
|
365
|
3 |
|
'code' => $this->encrypt( |
|
366
|
3 |
|
json_encode( |
|
367
|
3 |
|
$payload |
|
368
|
|
|
) |
|
369
|
|
|
), |
|
370
|
3 |
|
'state' => $authorizationRequest->getState(), |
|
371
|
|
|
] |
|
372
|
|
|
) |
|
373
|
|
|
); |
|
374
|
|
|
|
|
375
|
3 |
|
return $response; |
|
376
|
|
|
} |
|
377
|
|
|
|
|
378
|
|
|
// The user denied the client, redirect them back with an error |
|
379
|
1 |
|
throw OAuthServerException::accessDenied( |
|
380
|
1 |
|
'The user denied the request', |
|
381
|
1 |
|
$this->makeRedirectUri( |
|
382
|
1 |
|
$finalRedirectUri, |
|
383
|
|
|
[ |
|
384
|
1 |
|
'state' => $authorizationRequest->getState(), |
|
385
|
|
|
] |
|
386
|
|
|
) |
|
387
|
|
|
); |
|
388
|
|
|
} |
|
389
|
|
|
} |
|
390
|
|
|
|
thephpleague /
oauth2-server
Loading history...
Unless you are absolutely sure that the expression can never be null because of other conditions, we strongly recommend to add an additional type check to your code: