blob: 6ccacd6d9cf0708324019d79b7a60036ee816f50 (
plain) (
tree)
|
|
<?php
namespace OAuth2\Storage;
use OAuth2\Encryption\EncryptionInterface;
use OAuth2\Encryption\Jwt;
/**
* @author Brent Shaffer <bshafs at gmail dot com>
*/
class JwtAccessToken implements JwtAccessTokenInterface
{
protected $publicKeyStorage;
protected $tokenStorage;
protected $encryptionUtil;
/**
* @param OAuth2\Encryption\PublicKeyInterface $publicKeyStorage the public key encryption to use
* @param OAuth2\Storage\AccessTokenInterface $tokenStorage OPTIONAL persist the access token to another storage. This is useful if
* you want to retain access token grant information somewhere, but
* is not necessary when using this grant type.
* @param OAuth2\Encryption\EncryptionInterface $encryptionUtil OPTIONAL class to use for "encode" and "decode" functions.
*/
public function __construct(PublicKeyInterface $publicKeyStorage, AccessTokenInterface $tokenStorage = null, EncryptionInterface $encryptionUtil = null)
{
$this->publicKeyStorage = $publicKeyStorage;
$this->tokenStorage = $tokenStorage;
if (is_null($encryptionUtil)) {
$encryptionUtil = new Jwt;
}
$this->encryptionUtil = $encryptionUtil;
}
public function getAccessToken($oauth_token)
{
// just decode the token, don't verify
if (!$tokenData = $this->encryptionUtil->decode($oauth_token, null, false)) {
return false;
}
$client_id = isset($tokenData['aud']) ? $tokenData['aud'] : null;
$public_key = $this->publicKeyStorage->getPublicKey($client_id);
$algorithm = $this->publicKeyStorage->getEncryptionAlgorithm($client_id);
// now that we have the client_id, verify the token
if (false === $this->encryptionUtil->decode($oauth_token, $public_key, array($algorithm))) {
return false;
}
// normalize the JWT claims to the format expected by other components in this library
return $this->convertJwtToOAuth2($tokenData);
}
public function setAccessToken($oauth_token, $client_id, $user_id, $expires, $scope = null)
{
if ($this->tokenStorage) {
return $this->tokenStorage->setAccessToken($oauth_token, $client_id, $user_id, $expires, $scope);
}
}
public function unsetAccessToken($access_token)
{
if ($this->tokenStorage) {
return $this->tokenStorage->unsetAccessToken($access_token);
}
}
// converts a JWT access token into an OAuth2-friendly format
protected function convertJwtToOAuth2($tokenData)
{
$keyMapping = array(
'aud' => 'client_id',
'exp' => 'expires',
'sub' => 'user_id'
);
foreach ($keyMapping as $jwtKey => $oauth2Key) {
if (isset($tokenData[$jwtKey])) {
$tokenData[$oauth2Key] = $tokenData[$jwtKey];
unset($tokenData[$jwtKey]);
}
}
return $tokenData;
}
}
|