aboutsummaryrefslogtreecommitdiffstats
path: root/library/oauth2/src/OAuth2/Storage
diff options
context:
space:
mode:
authorMario Vavti <mario@mariovavti.com>2017-08-16 10:32:35 +0200
committerMario Vavti <mario@mariovavti.com>2017-08-16 10:32:35 +0200
commit4a7384bc0ce1893a432bf4b7d67bca23796fe9db (patch)
tree5623c66a3f66445284529d6207e4ab4a2edb2810 /library/oauth2/src/OAuth2/Storage
parentc664a4bdcd1bd578f5ec3c2884f7c97e9f68d2d7 (diff)
parent90bc21f2d560d879d7eaf05a85af6d6dca53ebac (diff)
downloadvolse-hubzilla-2.6.tar.gz
volse-hubzilla-2.6.tar.bz2
volse-hubzilla-2.6.zip
Merge branch '2.6RC'2.6
Diffstat (limited to 'library/oauth2/src/OAuth2/Storage')
-rw-r--r--library/oauth2/src/OAuth2/Storage/AccessTokenInterface.php64
-rw-r--r--library/oauth2/src/OAuth2/Storage/AuthorizationCodeInterface.php86
-rw-r--r--library/oauth2/src/OAuth2/Storage/Cassandra.php480
-rw-r--r--library/oauth2/src/OAuth2/Storage/ClientCredentialsInterface.php49
-rw-r--r--library/oauth2/src/OAuth2/Storage/ClientInterface.php66
-rwxr-xr-xlibrary/oauth2/src/OAuth2/Storage/CouchbaseDB.php331
-rw-r--r--library/oauth2/src/OAuth2/Storage/DynamoDB.php540
-rw-r--r--library/oauth2/src/OAuth2/Storage/JwtAccessToken.php88
-rw-r--r--library/oauth2/src/OAuth2/Storage/JwtAccessTokenInterface.php14
-rw-r--r--library/oauth2/src/OAuth2/Storage/JwtBearerInterface.php74
-rw-r--r--library/oauth2/src/OAuth2/Storage/Memory.php381
-rw-r--r--library/oauth2/src/OAuth2/Storage/Mongo.php339
-rw-r--r--library/oauth2/src/OAuth2/Storage/Pdo.php553
-rw-r--r--library/oauth2/src/OAuth2/Storage/PublicKeyInterface.php16
-rw-r--r--library/oauth2/src/OAuth2/Storage/Redis.php321
-rw-r--r--library/oauth2/src/OAuth2/Storage/RefreshTokenInterface.php82
-rw-r--r--library/oauth2/src/OAuth2/Storage/ScopeInterface.php46
-rw-r--r--library/oauth2/src/OAuth2/Storage/UserCredentialsInterface.php52
18 files changed, 0 insertions, 3582 deletions
diff --git a/library/oauth2/src/OAuth2/Storage/AccessTokenInterface.php b/library/oauth2/src/OAuth2/Storage/AccessTokenInterface.php
deleted file mode 100644
index 1819158af..000000000
--- a/library/oauth2/src/OAuth2/Storage/AccessTokenInterface.php
+++ /dev/null
@@ -1,64 +0,0 @@
-<?php
-
-namespace OAuth2\Storage;
-
-/**
- * Implement this interface to specify where the OAuth2 Server
- * should get/save access tokens
- *
- * @author Brent Shaffer <bshafs at gmail dot com>
- */
-interface AccessTokenInterface
-{
- /**
- * Look up the supplied oauth_token from storage.
- *
- * We need to retrieve access token data as we create and verify tokens.
- *
- * @param $oauth_token
- * oauth_token to be check with.
- *
- * @return
- * An associative array as below, and return NULL if the supplied oauth_token
- * is invalid:
- * - expires: Stored expiration in unix timestamp.
- * - client_id: (optional) Stored client identifier.
- * - user_id: (optional) Stored user identifier.
- * - scope: (optional) Stored scope values in space-separated string.
- * - id_token: (optional) Stored id_token (if "use_openid_connect" is true).
- *
- * @ingroup oauth2_section_7
- */
- public function getAccessToken($oauth_token);
-
- /**
- * Store the supplied access token values to storage.
- *
- * We need to store access token data as we create and verify tokens.
- *
- * @param $oauth_token oauth_token to be stored.
- * @param $client_id client identifier to be stored.
- * @param $user_id user identifier to be stored.
- * @param int $expires expiration to be stored as a Unix timestamp.
- * @param string $scope OPTIONAL Scopes to be stored in space-separated string.
- *
- * @ingroup oauth2_section_4
- */
- public function setAccessToken($oauth_token, $client_id, $user_id, $expires, $scope = null);
-
- /**
- * Expire an access token.
- *
- * This is not explicitly required in the spec, but if defined in a draft RFC for token
- * revoking (RFC 7009) https://tools.ietf.org/html/rfc7009
- *
- * @param $access_token
- * Access token to be expired.
- *
- * @return BOOL true if an access token was unset, false if not
- * @ingroup oauth2_section_6
- *
- * @todo v2.0 include this method in interface. Omitted to maintain BC in v1.x
- */
- //public function unsetAccessToken($access_token);
-}
diff --git a/library/oauth2/src/OAuth2/Storage/AuthorizationCodeInterface.php b/library/oauth2/src/OAuth2/Storage/AuthorizationCodeInterface.php
deleted file mode 100644
index 3beb0e437..000000000
--- a/library/oauth2/src/OAuth2/Storage/AuthorizationCodeInterface.php
+++ /dev/null
@@ -1,86 +0,0 @@
-<?php
-
-namespace OAuth2\Storage;
-
-/**
- * Implement this interface to specify where the OAuth2 Server
- * should get/save authorization codes for the "Authorization Code"
- * grant type
- *
- * @author Brent Shaffer <bshafs at gmail dot com>
- */
-interface AuthorizationCodeInterface
-{
- /**
- * The Authorization Code grant type supports a response type of "code".
- *
- * @var string
- * @see http://tools.ietf.org/html/rfc6749#section-1.4.1
- * @see http://tools.ietf.org/html/rfc6749#section-4.2
- */
- const RESPONSE_TYPE_CODE = "code";
-
- /**
- * Fetch authorization code data (probably the most common grant type).
- *
- * Retrieve the stored data for the given authorization code.
- *
- * Required for OAuth2::GRANT_TYPE_AUTH_CODE.
- *
- * @param $code
- * Authorization code to be check with.
- *
- * @return
- * An associative array as below, and NULL if the code is invalid
- * @code
- * return array(
- * "client_id" => CLIENT_ID, // REQUIRED Stored client identifier
- * "user_id" => USER_ID, // REQUIRED Stored user identifier
- * "expires" => EXPIRES, // REQUIRED Stored expiration in unix timestamp
- * "redirect_uri" => REDIRECT_URI, // REQUIRED Stored redirect URI
- * "scope" => SCOPE, // OPTIONAL Stored scope values in space-separated string
- * );
- * @endcode
- *
- * @see http://tools.ietf.org/html/rfc6749#section-4.1
- *
- * @ingroup oauth2_section_4
- */
- public function getAuthorizationCode($code);
-
- /**
- * Take the provided authorization code values and store them somewhere.
- *
- * This function should be the storage counterpart to getAuthCode().
- *
- * If storage fails for some reason, we're not currently checking for
- * any sort of success/failure, so you should bail out of the script
- * and provide a descriptive fail message.
- *
- * Required for OAuth2::GRANT_TYPE_AUTH_CODE.
- *
- * @param string $code Authorization code to be stored.
- * @param mixed $client_id Client identifier to be stored.
- * @param mixed $user_id User identifier to be stored.
- * @param string $redirect_uri Redirect URI(s) to be stored in a space-separated string.
- * @param int $expires Expiration to be stored as a Unix timestamp.
- * @param string $scope OPTIONAL Scopes to be stored in space-separated string.
- *
- * @ingroup oauth2_section_4
- */
- public function setAuthorizationCode($code, $client_id, $user_id, $redirect_uri, $expires, $scope = null);
-
- /**
- * once an Authorization Code is used, it must be exipired
- *
- * @see http://tools.ietf.org/html/rfc6749#section-4.1.2
- *
- * The client MUST NOT use the authorization code
- * more than once. If an authorization code is used more than
- * once, the authorization server MUST deny the request and SHOULD
- * revoke (when possible) all tokens previously issued based on
- * that authorization code
- *
- */
- public function expireAuthorizationCode($code);
-}
diff --git a/library/oauth2/src/OAuth2/Storage/Cassandra.php b/library/oauth2/src/OAuth2/Storage/Cassandra.php
deleted file mode 100644
index 602e8a058..000000000
--- a/library/oauth2/src/OAuth2/Storage/Cassandra.php
+++ /dev/null
@@ -1,480 +0,0 @@
-<?php
-
-namespace OAuth2\Storage;
-
-use phpcassa\ColumnFamily;
-use phpcassa\ColumnSlice;
-use phpcassa\Connection\ConnectionPool;
-use OAuth2\OpenID\Storage\UserClaimsInterface;
-use OAuth2\OpenID\Storage\AuthorizationCodeInterface as OpenIDAuthorizationCodeInterface;
-
-/**
- * Cassandra storage for all storage types
- *
- * To use, install "thobbs/phpcassa" via composer
- * <code>
- * composer require thobbs/phpcassa:dev-master
- * </code>
- *
- * Once this is done, instantiate the
- * <code>
- * $cassandra = new \phpcassa\Connection\ConnectionPool('oauth2_server', array('127.0.0.1:9160'));
- * </code>
- *
- * Then, register the storage client:
- * <code>
- * $storage = new OAuth2\Storage\Cassandra($cassandra);
- * $storage->setClientDetails($client_id, $client_secret, $redirect_uri);
- * </code>
- *
- * @see test/lib/OAuth2/Storage/Bootstrap::getCassandraStorage
- */
-class Cassandra implements AuthorizationCodeInterface,
- AccessTokenInterface,
- ClientCredentialsInterface,
- UserCredentialsInterface,
- RefreshTokenInterface,
- JwtBearerInterface,
- ScopeInterface,
- PublicKeyInterface,
- UserClaimsInterface,
- OpenIDAuthorizationCodeInterface
-{
-
- private $cache;
-
- /* The cassandra client */
- protected $cassandra;
-
- /* Configuration array */
- protected $config;
-
- /**
- * Cassandra Storage! uses phpCassa
- *
- * @param \phpcassa\ConnectionPool $cassandra
- * @param array $config
- */
- public function __construct($connection = array(), array $config = array())
- {
- if ($connection instanceof ConnectionPool) {
- $this->cassandra = $connection;
- } else {
- if (!is_array($connection)) {
- throw new \InvalidArgumentException('First argument to OAuth2\Storage\Cassandra must be an instance of phpcassa\Connection\ConnectionPool or a configuration array');
- }
- $connection = array_merge(array(
- 'keyspace' => 'oauth2',
- 'servers' => null,
- ), $connection);
-
- $this->cassandra = new ConnectionPool($connection['keyspace'], $connection['servers']);
- }
-
- $this->config = array_merge(array(
- // cassandra config
- 'column_family' => 'auth',
-
- // key names
- 'client_key' => 'oauth_clients:',
- 'access_token_key' => 'oauth_access_tokens:',
- 'refresh_token_key' => 'oauth_refresh_tokens:',
- 'code_key' => 'oauth_authorization_codes:',
- 'user_key' => 'oauth_users:',
- 'jwt_key' => 'oauth_jwt:',
- 'scope_key' => 'oauth_scopes:',
- 'public_key_key' => 'oauth_public_keys:',
- ), $config);
- }
-
- protected function getValue($key)
- {
- if (isset($this->cache[$key])) {
- return $this->cache[$key];
- }
- $cf = new ColumnFamily($this->cassandra, $this->config['column_family']);
-
- try {
- $value = $cf->get($key, new ColumnSlice("", ""));
- $value = array_shift($value);
- } catch (\cassandra\NotFoundException $e) {
- return false;
- }
-
- return json_decode($value, true);
- }
-
- protected function setValue($key, $value, $expire = 0)
- {
- $this->cache[$key] = $value;
-
- $cf = new ColumnFamily($this->cassandra, $this->config['column_family']);
-
- $str = json_encode($value);
- if ($expire > 0) {
- try {
- $seconds = $expire - time();
- // __data key set as C* requires a field, note: max TTL can only be 630720000 seconds
- $cf->insert($key, array('__data' => $str), null, $seconds);
- } catch (\Exception $e) {
- return false;
- }
- } else {
- try {
- // __data key set as C* requires a field
- $cf->insert($key, array('__data' => $str));
- } catch (\Exception $e) {
- return false;
- }
- }
-
- return true;
- }
-
- protected function expireValue($key)
- {
- unset($this->cache[$key]);
-
- $cf = new ColumnFamily($this->cassandra, $this->config['column_family']);
-
- if ($cf->get_count($key) > 0) {
- try {
- // __data key set as C* requires a field
- $cf->remove($key, array('__data'));
- } catch (\Exception $e) {
- return false;
- }
-
- return true;
- }
-
- return false;
- }
-
- /* AuthorizationCodeInterface */
- public function getAuthorizationCode($code)
- {
- return $this->getValue($this->config['code_key'] . $code);
- }
-
- public function setAuthorizationCode($authorization_code, $client_id, $user_id, $redirect_uri, $expires, $scope = null, $id_token = null)
- {
- return $this->setValue(
- $this->config['code_key'] . $authorization_code,
- compact('authorization_code', 'client_id', 'user_id', 'redirect_uri', 'expires', 'scope', 'id_token'),
- $expires
- );
- }
-
- public function expireAuthorizationCode($code)
- {
- $key = $this->config['code_key'] . $code;
- unset($this->cache[$key]);
-
- return $this->expireValue($key);
- }
-
- /* UserCredentialsInterface */
- public function checkUserCredentials($username, $password)
- {
- if ($user = $this->getUser($username)) {
- return $this->checkPassword($user, $password);
- }
-
- return false;
- }
-
- // plaintext passwords are bad! Override this for your application
- protected function checkPassword($user, $password)
- {
- return $user['password'] == $this->hashPassword($password);
- }
-
- // use a secure hashing algorithm when storing passwords. Override this for your application
- protected function hashPassword($password)
- {
- return sha1($password);
- }
-
- public function getUserDetails($username)
- {
- return $this->getUser($username);
- }
-
- public function getUser($username)
- {
- if (!$userInfo = $this->getValue($this->config['user_key'] . $username)) {
- return false;
- }
-
- // the default behavior is to use "username" as the user_id
- return array_merge(array(
- 'user_id' => $username,
- ), $userInfo);
- }
-
- public function setUser($username, $password, $first_name = null, $last_name = null)
- {
- $password = $this->hashPassword($password);
-
- return $this->setValue(
- $this->config['user_key'] . $username,
- compact('username', 'password', 'first_name', 'last_name')
- );
- }
-
- /* ClientCredentialsInterface */
- public function checkClientCredentials($client_id, $client_secret = null)
- {
- if (!$client = $this->getClientDetails($client_id)) {
- return false;
- }
-
- return isset($client['client_secret'])
- && $client['client_secret'] == $client_secret;
- }
-
- public function isPublicClient($client_id)
- {
- if (!$client = $this->getClientDetails($client_id)) {
- return false;
- }
-
- return empty($client['client_secret']);;
- }
-
- /* ClientInterface */
- public function getClientDetails($client_id)
- {
- return $this->getValue($this->config['client_key'] . $client_id);
- }
-
- public function setClientDetails($client_id, $client_secret = null, $redirect_uri = null, $grant_types = null, $scope = null, $user_id = null)
- {
- return $this->setValue(
- $this->config['client_key'] . $client_id,
- compact('client_id', 'client_secret', 'redirect_uri', 'grant_types', 'scope', 'user_id')
- );
- }
-
- public function checkRestrictedGrantType($client_id, $grant_type)
- {
- $details = $this->getClientDetails($client_id);
- if (isset($details['grant_types'])) {
- $grant_types = explode(' ', $details['grant_types']);
-
- return in_array($grant_type, (array) $grant_types);
- }
-
- // if grant_types are not defined, then none are restricted
- return true;
- }
-
- /* RefreshTokenInterface */
- public function getRefreshToken($refresh_token)
- {
- return $this->getValue($this->config['refresh_token_key'] . $refresh_token);
- }
-
- public function setRefreshToken($refresh_token, $client_id, $user_id, $expires, $scope = null)
- {
- return $this->setValue(
- $this->config['refresh_token_key'] . $refresh_token,
- compact('refresh_token', 'client_id', 'user_id', 'expires', 'scope'),
- $expires
- );
- }
-
- public function unsetRefreshToken($refresh_token)
- {
- return $this->expireValue($this->config['refresh_token_key'] . $refresh_token);
- }
-
- /* AccessTokenInterface */
- public function getAccessToken($access_token)
- {
- return $this->getValue($this->config['access_token_key'].$access_token);
- }
-
- public function setAccessToken($access_token, $client_id, $user_id, $expires, $scope = null)
- {
- return $this->setValue(
- $this->config['access_token_key'].$access_token,
- compact('access_token', 'client_id', 'user_id', 'expires', 'scope'),
- $expires
- );
- }
-
- public function unsetAccessToken($access_token)
- {
- return $this->expireValue($this->config['access_token_key'] . $access_token);
- }
-
- /* ScopeInterface */
- public function scopeExists($scope)
- {
- $scope = explode(' ', $scope);
-
- $result = $this->getValue($this->config['scope_key'].'supported:global');
-
- $supportedScope = explode(' ', (string) $result);
-
- return (count(array_diff($scope, $supportedScope)) == 0);
- }
-
- public function getDefaultScope($client_id = null)
- {
- if (is_null($client_id) || !$result = $this->getValue($this->config['scope_key'].'default:'.$client_id)) {
- $result = $this->getValue($this->config['scope_key'].'default:global');
- }
-
- return $result;
- }
-
- public function setScope($scope, $client_id = null, $type = 'supported')
- {
- if (!in_array($type, array('default', 'supported'))) {
- throw new \InvalidArgumentException('"$type" must be one of "default", "supported"');
- }
-
- if (is_null($client_id)) {
- $key = $this->config['scope_key'].$type.':global';
- } else {
- $key = $this->config['scope_key'].$type.':'.$client_id;
- }
-
- return $this->setValue($key, $scope);
- }
-
- /*JWTBearerInterface */
- public function getClientKey($client_id, $subject)
- {
- if (!$jwt = $this->getValue($this->config['jwt_key'] . $client_id)) {
- return false;
- }
-
- if (isset($jwt['subject']) && $jwt['subject'] == $subject ) {
- return $jwt['key'];
- }
-
- return null;
- }
-
- public function setClientKey($client_id, $key, $subject = null)
- {
- return $this->setValue($this->config['jwt_key'] . $client_id, array(
- 'key' => $key,
- 'subject' => $subject
- ));
- }
-
- /*ScopeInterface */
- public function getClientScope($client_id)
- {
- if (!$clientDetails = $this->getClientDetails($client_id)) {
- return false;
- }
-
- if (isset($clientDetails['scope'])) {
- return $clientDetails['scope'];
- }
-
- return null;
- }
-
- public function getJti($client_id, $subject, $audience, $expiration, $jti)
- {
- //TODO: Needs cassandra implementation.
- throw new \Exception('getJti() for the Cassandra driver is currently unimplemented.');
- }
-
- public function setJti($client_id, $subject, $audience, $expiration, $jti)
- {
- //TODO: Needs cassandra implementation.
- throw new \Exception('setJti() for the Cassandra driver is currently unimplemented.');
- }
-
- /* PublicKeyInterface */
- public function getPublicKey($client_id = '')
- {
- $public_key = $this->getValue($this->config['public_key_key'] . $client_id);
- if (is_array($public_key)) {
- return $public_key['public_key'];
- }
- $public_key = $this->getValue($this->config['public_key_key']);
- if (is_array($public_key)) {
- return $public_key['public_key'];
- }
- }
-
- public function getPrivateKey($client_id = '')
- {
- $public_key = $this->getValue($this->config['public_key_key'] . $client_id);
- if (is_array($public_key)) {
- return $public_key['private_key'];
- }
- $public_key = $this->getValue($this->config['public_key_key']);
- if (is_array($public_key)) {
- return $public_key['private_key'];
- }
- }
-
- public function getEncryptionAlgorithm($client_id = null)
- {
- $public_key = $this->getValue($this->config['public_key_key'] . $client_id);
- if (is_array($public_key)) {
- return $public_key['encryption_algorithm'];
- }
- $public_key = $this->getValue($this->config['public_key_key']);
- if (is_array($public_key)) {
- return $public_key['encryption_algorithm'];
- }
-
- return 'RS256';
- }
-
- /* UserClaimsInterface */
- public function getUserClaims($user_id, $claims)
- {
- $userDetails = $this->getUserDetails($user_id);
- if (!is_array($userDetails)) {
- return false;
- }
-
- $claims = explode(' ', trim($claims));
- $userClaims = array();
-
- // for each requested claim, if the user has the claim, set it in the response
- $validClaims = explode(' ', self::VALID_CLAIMS);
- foreach ($validClaims as $validClaim) {
- if (in_array($validClaim, $claims)) {
- if ($validClaim == 'address') {
- // address is an object with subfields
- $userClaims['address'] = $this->getUserClaim($validClaim, $userDetails['address'] ?: $userDetails);
- } else {
- $userClaims = array_merge($userClaims, $this->getUserClaim($validClaim, $userDetails));
- }
- }
- }
-
- return $userClaims;
- }
-
- protected function getUserClaim($claim, $userDetails)
- {
- $userClaims = array();
- $claimValuesString = constant(sprintf('self::%s_CLAIM_VALUES', strtoupper($claim)));
- $claimValues = explode(' ', $claimValuesString);
-
- foreach ($claimValues as $value) {
- if ($value == 'email_verified') {
- $userClaims[$value] = $userDetails[$value]=='true' ? true : false;
- } else {
- $userClaims[$value] = isset($userDetails[$value]) ? $userDetails[$value] : null;
- }
- }
-
- return $userClaims;
- }
-
-}
diff --git a/library/oauth2/src/OAuth2/Storage/ClientCredentialsInterface.php b/library/oauth2/src/OAuth2/Storage/ClientCredentialsInterface.php
deleted file mode 100644
index 3318c6966..000000000
--- a/library/oauth2/src/OAuth2/Storage/ClientCredentialsInterface.php
+++ /dev/null
@@ -1,49 +0,0 @@
-<?php
-
-namespace OAuth2\Storage;
-
-/**
- * Implement this interface to specify how the OAuth2 Server
- * should verify client credentials
- *
- * @author Brent Shaffer <bshafs at gmail dot com>
- */
-interface ClientCredentialsInterface extends ClientInterface
-{
-
- /**
- * Make sure that the client credentials is valid.
- *
- * @param $client_id
- * Client identifier to be check with.
- * @param $client_secret
- * (optional) If a secret is required, check that they've given the right one.
- *
- * @return
- * TRUE if the client credentials are valid, and MUST return FALSE if it isn't.
- * @endcode
- *
- * @see http://tools.ietf.org/html/rfc6749#section-3.1
- *
- * @ingroup oauth2_section_3
- */
- public function checkClientCredentials($client_id, $client_secret = null);
-
- /**
- * Determine if the client is a "public" client, and therefore
- * does not require passing credentials for certain grant types
- *
- * @param $client_id
- * Client identifier to be check with.
- *
- * @return
- * TRUE if the client is public, and FALSE if it isn't.
- * @endcode
- *
- * @see http://tools.ietf.org/html/rfc6749#section-2.3
- * @see https://github.com/bshaffer/oauth2-server-php/issues/257
- *
- * @ingroup oauth2_section_2
- */
- public function isPublicClient($client_id);
-}
diff --git a/library/oauth2/src/OAuth2/Storage/ClientInterface.php b/library/oauth2/src/OAuth2/Storage/ClientInterface.php
deleted file mode 100644
index 09a5bffc1..000000000
--- a/library/oauth2/src/OAuth2/Storage/ClientInterface.php
+++ /dev/null
@@ -1,66 +0,0 @@
-<?php
-
-namespace OAuth2\Storage;
-
-/**
- * Implement this interface to specify where the OAuth2 Server
- * should retrieve client information
- *
- * @author Brent Shaffer <bshafs at gmail dot com>
- */
-interface ClientInterface
-{
- /**
- * Get client details corresponding client_id.
- *
- * OAuth says we should store request URIs for each registered client.
- * Implement this function to grab the stored URI for a given client id.
- *
- * @param $client_id
- * Client identifier to be check with.
- *
- * @return array
- * Client details. The only mandatory key in the array is "redirect_uri".
- * This function MUST return FALSE if the given client does not exist or is
- * invalid. "redirect_uri" can be space-delimited to allow for multiple valid uris.
- * <code>
- * return array(
- * "redirect_uri" => REDIRECT_URI, // REQUIRED redirect_uri registered for the client
- * "client_id" => CLIENT_ID, // OPTIONAL the client id
- * "grant_types" => GRANT_TYPES, // OPTIONAL an array of restricted grant types
- * "user_id" => USER_ID, // OPTIONAL the user identifier associated with this client
- * "scope" => SCOPE, // OPTIONAL the scopes allowed for this client
- * );
- * </code>
- *
- * @ingroup oauth2_section_4
- */
- public function getClientDetails($client_id);
-
- /**
- * Get the scope associated with this client
- *
- * @return
- * STRING the space-delineated scope list for the specified client_id
- */
- public function getClientScope($client_id);
-
- /**
- * Check restricted grant types of corresponding client identifier.
- *
- * If you want to restrict clients to certain grant types, override this
- * function.
- *
- * @param $client_id
- * Client identifier to be check with.
- * @param $grant_type
- * Grant type to be check with
- *
- * @return
- * TRUE if the grant type is supported by this client identifier, and
- * FALSE if it isn't.
- *
- * @ingroup oauth2_section_4
- */
- public function checkRestrictedGrantType($client_id, $grant_type);
-}
diff --git a/library/oauth2/src/OAuth2/Storage/CouchbaseDB.php b/library/oauth2/src/OAuth2/Storage/CouchbaseDB.php
deleted file mode 100755
index 1eb55f027..000000000
--- a/library/oauth2/src/OAuth2/Storage/CouchbaseDB.php
+++ /dev/null
@@ -1,331 +0,0 @@
-<?php
-
-namespace OAuth2\Storage;
-
-use OAuth2\OpenID\Storage\AuthorizationCodeInterface as OpenIDAuthorizationCodeInterface;
-
-/**
- * Simple Couchbase storage for all storage types
- *
- * This class should be extended or overridden as required
- *
- * NOTE: Passwords are stored in plaintext, which is never
- * a good idea. Be sure to override this for your application
- *
- * @author Tom Park <tom@raucter.com>
- */
-class CouchbaseDB implements AuthorizationCodeInterface,
- AccessTokenInterface,
- ClientCredentialsInterface,
- UserCredentialsInterface,
- RefreshTokenInterface,
- JwtBearerInterface,
- OpenIDAuthorizationCodeInterface
-{
- protected $db;
- protected $config;
-
- public function __construct($connection, $config = array())
- {
- if ($connection instanceof \Couchbase) {
- $this->db = $connection;
- } else {
- if (!is_array($connection) || !is_array($connection['servers'])) {
- throw new \InvalidArgumentException('First argument to OAuth2\Storage\CouchbaseDB must be an instance of Couchbase or a configuration array containing a server array');
- }
-
- $this->db = new \Couchbase($connection['servers'], (!isset($connection['username'])) ? '' : $connection['username'], (!isset($connection['password'])) ? '' : $connection['password'], $connection['bucket'], false);
- }
-
- $this->config = array_merge(array(
- 'client_table' => 'oauth_clients',
- 'access_token_table' => 'oauth_access_tokens',
- 'refresh_token_table' => 'oauth_refresh_tokens',
- 'code_table' => 'oauth_authorization_codes',
- 'user_table' => 'oauth_users',
- 'jwt_table' => 'oauth_jwt',
- ), $config);
- }
-
- // Helper function to access couchbase item by type:
- protected function getObjectByType($name,$id)
- {
- return json_decode($this->db->get($this->config[$name].'-'.$id),true);
- }
-
- // Helper function to set couchbase item by type:
- protected function setObjectByType($name,$id,$array)
- {
- $array['type'] = $name;
-
- return $this->db->set($this->config[$name].'-'.$id,json_encode($array));
- }
-
- // Helper function to delete couchbase item by type, wait for persist to at least 1 node
- protected function deleteObjectByType($name,$id)
- {
- $this->db->delete($this->config[$name].'-'.$id,"",1);
- }
-
- /* ClientCredentialsInterface */
- public function checkClientCredentials($client_id, $client_secret = null)
- {
- if ($result = $this->getObjectByType('client_table',$client_id)) {
- return $result['client_secret'] == $client_secret;
- }
-
- return false;
- }
-
- public function isPublicClient($client_id)
- {
- if (!$result = $this->getObjectByType('client_table',$client_id)) {
- return false;
- }
-
- return empty($result['client_secret']);
- }
-
- /* ClientInterface */
- public function getClientDetails($client_id)
- {
- $result = $this->getObjectByType('client_table',$client_id);
-
- return is_null($result) ? false : $result;
- }
-
- public function setClientDetails($client_id, $client_secret = null, $redirect_uri = null, $grant_types = null, $scope = null, $user_id = null)
- {
- if ($this->getClientDetails($client_id)) {
-
- $this->setObjectByType('client_table',$client_id, array(
- 'client_id' => $client_id,
- 'client_secret' => $client_secret,
- 'redirect_uri' => $redirect_uri,
- 'grant_types' => $grant_types,
- 'scope' => $scope,
- 'user_id' => $user_id,
- ));
- } else {
- $this->setObjectByType('client_table',$client_id, array(
- 'client_id' => $client_id,
- 'client_secret' => $client_secret,
- 'redirect_uri' => $redirect_uri,
- 'grant_types' => $grant_types,
- 'scope' => $scope,
- 'user_id' => $user_id,
- ));
- }
-
- return true;
- }
-
- public function checkRestrictedGrantType($client_id, $grant_type)
- {
- $details = $this->getClientDetails($client_id);
- if (isset($details['grant_types'])) {
- $grant_types = explode(' ', $details['grant_types']);
-
- return in_array($grant_type, $grant_types);
- }
-
- // if grant_types are not defined, then none are restricted
- return true;
- }
-
- /* AccessTokenInterface */
- public function getAccessToken($access_token)
- {
- $token = $this->getObjectByType('access_token_table',$access_token);
-
- return is_null($token) ? false : $token;
- }
-
- public function setAccessToken($access_token, $client_id, $user_id, $expires, $scope = null)
- {
- // if it exists, update it.
- if ($this->getAccessToken($access_token)) {
- $this->setObjectByType('access_token_table',$access_token, array(
- 'access_token' => $access_token,
- 'client_id' => $client_id,
- 'expires' => $expires,
- 'user_id' => $user_id,
- 'scope' => $scope
- ));
- } else {
- $this->setObjectByType('access_token_table',$access_token, array(
- 'access_token' => $access_token,
- 'client_id' => $client_id,
- 'expires' => $expires,
- 'user_id' => $user_id,
- 'scope' => $scope
- ));
- }
-
- return true;
- }
-
- /* AuthorizationCodeInterface */
- public function getAuthorizationCode($code)
- {
- $code = $this->getObjectByType('code_table',$code);
-
- return is_null($code) ? false : $code;
- }
-
- public function setAuthorizationCode($code, $client_id, $user_id, $redirect_uri, $expires, $scope = null, $id_token = null)
- {
- // if it exists, update it.
- if ($this->getAuthorizationCode($code)) {
- $this->setObjectByType('code_table',$code, array(
- 'authorization_code' => $code,
- 'client_id' => $client_id,
- 'user_id' => $user_id,
- 'redirect_uri' => $redirect_uri,
- 'expires' => $expires,
- 'scope' => $scope,
- 'id_token' => $id_token,
- ));
- } else {
- $this->setObjectByType('code_table',$code,array(
- 'authorization_code' => $code,
- 'client_id' => $client_id,
- 'user_id' => $user_id,
- 'redirect_uri' => $redirect_uri,
- 'expires' => $expires,
- 'scope' => $scope,
- 'id_token' => $id_token,
- ));
- }
-
- return true;
- }
-
- public function expireAuthorizationCode($code)
- {
- $this->deleteObjectByType('code_table',$code);
-
- return true;
- }
-
- /* UserCredentialsInterface */
- public function checkUserCredentials($username, $password)
- {
- if ($user = $this->getUser($username)) {
- return $this->checkPassword($user, $password);
- }
-
- return false;
- }
-
- public function getUserDetails($username)
- {
- if ($user = $this->getUser($username)) {
- $user['user_id'] = $user['username'];
- }
-
- return $user;
- }
-
- /* RefreshTokenInterface */
- public function getRefreshToken($refresh_token)
- {
- $token = $this->getObjectByType('refresh_token_table',$refresh_token);
-
- return is_null($token) ? false : $token;
- }
-
- public function setRefreshToken($refresh_token, $client_id, $user_id, $expires, $scope = null)
- {
- $this->setObjectByType('refresh_token_table',$refresh_token, array(
- 'refresh_token' => $refresh_token,
- 'client_id' => $client_id,
- 'user_id' => $user_id,
- 'expires' => $expires,
- 'scope' => $scope
- ));
-
- return true;
- }
-
- public function unsetRefreshToken($refresh_token)
- {
- $this->deleteObjectByType('refresh_token_table',$refresh_token);
-
- return true;
- }
-
- // plaintext passwords are bad! Override this for your application
- protected function checkPassword($user, $password)
- {
- return $user['password'] == $password;
- }
-
- public function getUser($username)
- {
- $result = $this->getObjectByType('user_table',$username);
-
- return is_null($result) ? false : $result;
- }
-
- public function setUser($username, $password, $firstName = null, $lastName = null)
- {
- if ($this->getUser($username)) {
- $this->setObjectByType('user_table',$username, array(
- 'username' => $username,
- 'password' => $password,
- 'first_name' => $firstName,
- 'last_name' => $lastName
- ));
-
- } else {
- $this->setObjectByType('user_table',$username, array(
- 'username' => $username,
- 'password' => $password,
- 'first_name' => $firstName,
- 'last_name' => $lastName
- ));
-
- }
-
- return true;
- }
-
- public function getClientKey($client_id, $subject)
- {
- if (!$jwt = $this->getObjectByType('jwt_table',$client_id)) {
- return false;
- }
-
- if (isset($jwt['subject']) && $jwt['subject'] == $subject) {
- return $jwt['key'];
- }
-
- return false;
- }
-
- public function getClientScope($client_id)
- {
- if (!$clientDetails = $this->getClientDetails($client_id)) {
- return false;
- }
-
- if (isset($clientDetails['scope'])) {
- return $clientDetails['scope'];
- }
-
- return null;
- }
-
- public function getJti($client_id, $subject, $audience, $expiration, $jti)
- {
- //TODO: Needs couchbase implementation.
- throw new \Exception('getJti() for the Couchbase driver is currently unimplemented.');
- }
-
- public function setJti($client_id, $subject, $audience, $expiration, $jti)
- {
- //TODO: Needs couchbase implementation.
- throw new \Exception('setJti() for the Couchbase driver is currently unimplemented.');
- }
-}
diff --git a/library/oauth2/src/OAuth2/Storage/DynamoDB.php b/library/oauth2/src/OAuth2/Storage/DynamoDB.php
deleted file mode 100644
index 8347ab258..000000000
--- a/library/oauth2/src/OAuth2/Storage/DynamoDB.php
+++ /dev/null
@@ -1,540 +0,0 @@
-<?php
-
-namespace OAuth2\Storage;
-
-use Aws\DynamoDb\DynamoDbClient;
-
-use OAuth2\OpenID\Storage\UserClaimsInterface;
-use OAuth2\OpenID\Storage\AuthorizationCodeInterface as OpenIDAuthorizationCodeInterface;
-/**
- * DynamoDB storage for all storage types
- *
- * To use, install "aws/aws-sdk-php" via composer
- * <code>
- * composer require aws/aws-sdk-php:dev-master
- * </code>
- *
- * Once this is done, instantiate the DynamoDB client
- * <code>
- * $storage = new OAuth2\Storage\Dynamodb(array("key" => "YOURKEY", "secret" => "YOURSECRET", "region" => "YOURREGION"));
- * </code>
- *
- * Table :
- * - oauth_access_tokens (primary hash key : access_token)
- * - oauth_authorization_codes (primary hash key : authorization_code)
- * - oauth_clients (primary hash key : client_id)
- * - oauth_jwt (primary hash key : client_id, primary range key : subject)
- * - oauth_public_keys (primary hash key : client_id)
- * - oauth_refresh_tokens (primary hash key : refresh_token)
- * - oauth_scopes (primary hash key : scope, secondary index : is_default-index hash key is_default)
- * - oauth_users (primary hash key : username)
- *
- * @author Frederic AUGUSTE <frederic.auguste at gmail dot com>
- */
-class DynamoDB implements
- AuthorizationCodeInterface,
- AccessTokenInterface,
- ClientCredentialsInterface,
- UserCredentialsInterface,
- RefreshTokenInterface,
- JwtBearerInterface,
- ScopeInterface,
- PublicKeyInterface,
- UserClaimsInterface,
- OpenIDAuthorizationCodeInterface
-{
- protected $client;
- protected $config;
-
- public function __construct($connection, $config = array())
- {
- if (!($connection instanceof DynamoDbClient)) {
- if (!is_array($connection)) {
- throw new \InvalidArgumentException('First argument to OAuth2\Storage\Dynamodb must be an instance a configuration array containt key, secret, region');
- }
- if (!array_key_exists("key",$connection) || !array_key_exists("secret",$connection) || !array_key_exists("region",$connection) ) {
- throw new \InvalidArgumentException('First argument to OAuth2\Storage\Dynamodb must be an instance a configuration array containt key, secret, region');
- }
- $this->client = DynamoDbClient::factory(array(
- 'key' => $connection["key"],
- 'secret' => $connection["secret"],
- 'region' =>$connection["region"]
- ));
- } else {
- $this->client = $connection;
- }
-
- $this->config = array_merge(array(
- 'client_table' => 'oauth_clients',
- 'access_token_table' => 'oauth_access_tokens',
- 'refresh_token_table' => 'oauth_refresh_tokens',
- 'code_table' => 'oauth_authorization_codes',
- 'user_table' => 'oauth_users',
- 'jwt_table' => 'oauth_jwt',
- 'scope_table' => 'oauth_scopes',
- 'public_key_table' => 'oauth_public_keys',
- ), $config);
- }
-
- /* OAuth2\Storage\ClientCredentialsInterface */
- public function checkClientCredentials($client_id, $client_secret = null)
- {
- $result = $this->client->getItem(array(
- "TableName"=> $this->config['client_table'],
- "Key" => array('client_id' => array('S' => $client_id))
- ));
-
- return $result->count()==1 && $result["Item"]["client_secret"]["S"] == $client_secret;
- }
-
- public function isPublicClient($client_id)
- {
- $result = $this->client->getItem(array(
- "TableName"=> $this->config['client_table'],
- "Key" => array('client_id' => array('S' => $client_id))
- ));
-
- if ($result->count()==0) {
- return false ;
- }
-
- return empty($result["Item"]["client_secret"]);
- }
-
- /* OAuth2\Storage\ClientInterface */
- public function getClientDetails($client_id)
- {
- $result = $this->client->getItem(array(
- "TableName"=> $this->config['client_table'],
- "Key" => array('client_id' => array('S' => $client_id))
- ));
- if ($result->count()==0) {
- return false ;
- }
- $result = $this->dynamo2array($result);
- foreach (array('client_id', 'client_secret', 'redirect_uri', 'grant_types', 'scope', 'user_id') as $key => $val) {
- if (!array_key_exists ($val, $result)) {
- $result[$val] = null;
- }
- }
-
- return $result;
- }
-
- public function setClientDetails($client_id, $client_secret = null, $redirect_uri = null, $grant_types = null, $scope = null, $user_id = null)
- {
- $clientData = compact('client_id', 'client_secret', 'redirect_uri', 'grant_types', 'scope', 'user_id');
- $clientData = array_filter($clientData, 'self::isNotEmpty');
-
- $result = $this->client->putItem(array(
- 'TableName' => $this->config['client_table'],
- 'Item' => $this->client->formatAttributes($clientData)
- ));
-
- return true;
- }
-
- public function checkRestrictedGrantType($client_id, $grant_type)
- {
- $details = $this->getClientDetails($client_id);
- if (isset($details['grant_types'])) {
- $grant_types = explode(' ', $details['grant_types']);
-
- return in_array($grant_type, (array) $grant_types);
- }
-
- // if grant_types are not defined, then none are restricted
- return true;
- }
-
- /* OAuth2\Storage\AccessTokenInterface */
- public function getAccessToken($access_token)
- {
- $result = $this->client->getItem(array(
- "TableName"=> $this->config['access_token_table'],
- "Key" => array('access_token' => array('S' => $access_token))
- ));
- if ($result->count()==0) {
- return false ;
- }
- $token = $this->dynamo2array($result);
- if (array_key_exists ('expires', $token)) {
- $token['expires'] = strtotime($token['expires']);
- }
-
- return $token;
- }
-
- public function setAccessToken($access_token, $client_id, $user_id, $expires, $scope = null)
- {
- // convert expires to datestring
- $expires = date('Y-m-d H:i:s', $expires);
-
- $clientData = compact('access_token', 'client_id', 'user_id', 'expires', 'scope');
- $clientData = array_filter($clientData, 'self::isNotEmpty');
-
- $result = $this->client->putItem(array(
- 'TableName' => $this->config['access_token_table'],
- 'Item' => $this->client->formatAttributes($clientData)
- ));
-
- return true;
-
- }
-
- public function unsetAccessToken($access_token)
- {
- $result = $this->client->deleteItem(array(
- 'TableName' => $this->config['access_token_table'],
- 'Key' => $this->client->formatAttributes(array("access_token" => $access_token)),
- 'ReturnValues' => 'ALL_OLD',
- ));
-
- return null !== $result->get('Attributes');
- }
-
- /* OAuth2\Storage\AuthorizationCodeInterface */
- public function getAuthorizationCode($code)
- {
- $result = $this->client->getItem(array(
- "TableName"=> $this->config['code_table'],
- "Key" => array('authorization_code' => array('S' => $code))
- ));
- if ($result->count()==0) {
- return false ;
- }
- $token = $this->dynamo2array($result);
- if (!array_key_exists("id_token", $token )) {
- $token['id_token'] = null;
- }
- $token['expires'] = strtotime($token['expires']);
-
- return $token;
-
- }
-
- public function setAuthorizationCode($authorization_code, $client_id, $user_id, $redirect_uri, $expires, $scope = null, $id_token = null)
- {
- // convert expires to datestring
- $expires = date('Y-m-d H:i:s', $expires);
-
- $clientData = compact('authorization_code', 'client_id', 'user_id', 'redirect_uri', 'expires', 'id_token', 'scope');
- $clientData = array_filter($clientData, 'self::isNotEmpty');
-
- $result = $this->client->putItem(array(
- 'TableName' => $this->config['code_table'],
- 'Item' => $this->client->formatAttributes($clientData)
- ));
-
- return true;
- }
-
- public function expireAuthorizationCode($code)
- {
-
- $result = $this->client->deleteItem(array(
- 'TableName' => $this->config['code_table'],
- 'Key' => $this->client->formatAttributes(array("authorization_code" => $code))
- ));
-
- return true;
- }
-
- /* OAuth2\Storage\UserCredentialsInterface */
- public function checkUserCredentials($username, $password)
- {
- if ($user = $this->getUser($username)) {
- return $this->checkPassword($user, $password);
- }
-
- return false;
- }
-
- public function getUserDetails($username)
- {
- return $this->getUser($username);
- }
-
- /* UserClaimsInterface */
- public function getUserClaims($user_id, $claims)
- {
- if (!$userDetails = $this->getUserDetails($user_id)) {
- return false;
- }
-
- $claims = explode(' ', trim($claims));
- $userClaims = array();
-
- // for each requested claim, if the user has the claim, set it in the response
- $validClaims = explode(' ', self::VALID_CLAIMS);
- foreach ($validClaims as $validClaim) {
- if (in_array($validClaim, $claims)) {
- if ($validClaim == 'address') {
- // address is an object with subfields
- $userClaims['address'] = $this->getUserClaim($validClaim, $userDetails['address'] ?: $userDetails);
- } else {
- $userClaims = array_merge($userClaims, $this->getUserClaim($validClaim, $userDetails));
- }
- }
- }
-
- return $userClaims;
- }
-
- protected function getUserClaim($claim, $userDetails)
- {
- $userClaims = array();
- $claimValuesString = constant(sprintf('self::%s_CLAIM_VALUES', strtoupper($claim)));
- $claimValues = explode(' ', $claimValuesString);
-
- foreach ($claimValues as $value) {
- if ($value == 'email_verified') {
- $userClaims[$value] = $userDetails[$value]=='true' ? true : false;
- } else {
- $userClaims[$value] = isset($userDetails[$value]) ? $userDetails[$value] : null;
- }
- }
-
- return $userClaims;
- }
-
- /* OAuth2\Storage\RefreshTokenInterface */
- public function getRefreshToken($refresh_token)
- {
- $result = $this->client->getItem(array(
- "TableName"=> $this->config['refresh_token_table'],
- "Key" => array('refresh_token' => array('S' => $refresh_token))
- ));
- if ($result->count()==0) {
- return false ;
- }
- $token = $this->dynamo2array($result);
- $token['expires'] = strtotime($token['expires']);
-
- return $token;
- }
-
- public function setRefreshToken($refresh_token, $client_id, $user_id, $expires, $scope = null)
- {
- // convert expires to datestring
- $expires = date('Y-m-d H:i:s', $expires);
-
- $clientData = compact('refresh_token', 'client_id', 'user_id', 'expires', 'scope');
- $clientData = array_filter($clientData, 'self::isNotEmpty');
-
- $result = $this->client->putItem(array(
- 'TableName' => $this->config['refresh_token_table'],
- 'Item' => $this->client->formatAttributes($clientData)
- ));
-
- return true;
- }
-
- public function unsetRefreshToken($refresh_token)
- {
- $result = $this->client->deleteItem(array(
- 'TableName' => $this->config['refresh_token_table'],
- 'Key' => $this->client->formatAttributes(array("refresh_token" => $refresh_token))
- ));
-
- return true;
- }
-
- // plaintext passwords are bad! Override this for your application
- protected function checkPassword($user, $password)
- {
- return $user['password'] == $this->hashPassword($password);
- }
-
- // use a secure hashing algorithm when storing passwords. Override this for your application
- protected function hashPassword($password)
- {
- return sha1($password);
- }
-
- public function getUser($username)
- {
- $result = $this->client->getItem(array(
- "TableName"=> $this->config['user_table'],
- "Key" => array('username' => array('S' => $username))
- ));
- if ($result->count()==0) {
- return false ;
- }
- $token = $this->dynamo2array($result);
- $token['user_id'] = $username;
-
- return $token;
- }
-
- public function setUser($username, $password, $first_name = null, $last_name = null)
- {
- // do not store in plaintext
- $password = $this->hashPassword($password);
-
- $clientData = compact('username', 'password', 'first_name', 'last_name');
- $clientData = array_filter($clientData, 'self::isNotEmpty');
-
- $result = $this->client->putItem(array(
- 'TableName' => $this->config['user_table'],
- 'Item' => $this->client->formatAttributes($clientData)
- ));
-
- return true;
-
- }
-
- /* ScopeInterface */
- public function scopeExists($scope)
- {
- $scope = explode(' ', $scope);
- $scope_query = array();
- $count = 0;
- foreach ($scope as $key => $val) {
- $result = $this->client->query(array(
- 'TableName' => $this->config['scope_table'],
- 'Select' => 'COUNT',
- 'KeyConditions' => array(
- 'scope' => array(
- 'AttributeValueList' => array(array('S' => $val)),
- 'ComparisonOperator' => 'EQ'
- )
- )
- ));
- $count += $result['Count'];
- }
-
- return $count == count($scope);
- }
-
- public function getDefaultScope($client_id = null)
- {
-
- $result = $this->client->query(array(
- 'TableName' => $this->config['scope_table'],
- 'IndexName' => 'is_default-index',
- 'Select' => 'ALL_ATTRIBUTES',
- 'KeyConditions' => array(
- 'is_default' => array(
- 'AttributeValueList' => array(array('S' => 'true')),
- 'ComparisonOperator' => 'EQ',
- ),
- )
- ));
- $defaultScope = array();
- if ($result->count() > 0) {
- $array = $result->toArray();
- foreach ($array["Items"] as $item) {
- $defaultScope[] = $item['scope']['S'];
- }
-
- return empty($defaultScope) ? null : implode(' ', $defaultScope);
- }
-
- return null;
- }
-
- /* JWTBearerInterface */
- public function getClientKey($client_id, $subject)
- {
- $result = $this->client->getItem(array(
- "TableName"=> $this->config['jwt_table'],
- "Key" => array('client_id' => array('S' => $client_id), 'subject' => array('S' => $subject))
- ));
- if ($result->count()==0) {
- return false ;
- }
- $token = $this->dynamo2array($result);
-
- return $token['public_key'];
- }
-
- public function getClientScope($client_id)
- {
- if (!$clientDetails = $this->getClientDetails($client_id)) {
- return false;
- }
-
- if (isset($clientDetails['scope'])) {
- return $clientDetails['scope'];
- }
-
- return null;
- }
-
- public function getJti($client_id, $subject, $audience, $expires, $jti)
- {
- //TODO not use.
- }
-
- public function setJti($client_id, $subject, $audience, $expires, $jti)
- {
- //TODO not use.
- }
-
- /* PublicKeyInterface */
- public function getPublicKey($client_id = '0')
- {
-
- $result = $this->client->getItem(array(
- "TableName"=> $this->config['public_key_table'],
- "Key" => array('client_id' => array('S' => $client_id))
- ));
- if ($result->count()==0) {
- return false ;
- }
- $token = $this->dynamo2array($result);
-
- return $token['public_key'];
-
- }
-
- public function getPrivateKey($client_id = '0')
- {
- $result = $this->client->getItem(array(
- "TableName"=> $this->config['public_key_table'],
- "Key" => array('client_id' => array('S' => $client_id))
- ));
- if ($result->count()==0) {
- return false ;
- }
- $token = $this->dynamo2array($result);
-
- return $token['private_key'];
- }
-
- public function getEncryptionAlgorithm($client_id = null)
- {
- $result = $this->client->getItem(array(
- "TableName"=> $this->config['public_key_table'],
- "Key" => array('client_id' => array('S' => $client_id))
- ));
- if ($result->count()==0) {
- return 'RS256' ;
- }
- $token = $this->dynamo2array($result);
-
- return $token['encryption_algorithm'];
- }
-
- /**
- * Transform dynamodb resultset to an array.
- * @param $dynamodbResult
- * @return $array
- */
- private function dynamo2array($dynamodbResult)
- {
- $result = array();
- foreach ($dynamodbResult["Item"] as $key => $val) {
- $result[$key] = $val["S"];
- $result[] = $val["S"];
- }
-
- return $result;
- }
-
- private static function isNotEmpty($value)
- {
- return null !== $value && '' !== $value;
- }
-}
diff --git a/library/oauth2/src/OAuth2/Storage/JwtAccessToken.php b/library/oauth2/src/OAuth2/Storage/JwtAccessToken.php
deleted file mode 100644
index 75b49d301..000000000
--- a/library/oauth2/src/OAuth2/Storage/JwtAccessToken.php
+++ /dev/null
@@ -1,88 +0,0 @@
-<?php
-
-namespace OAuth2\Storage;
-
-use OAuth2\Encryption\EncryptionInterface;
-use OAuth2\Encryption\Jwt;
-
-/**
- *
- * @author Brent Shaffer <bshafs at gmail dot com>
- */
-class JwtAccessToken implements JwtAccessTokenInterface
-{
- protected $publicKeyStorage;
- protected $tokenStorage;
- protected $encryptionUtil;
-
- /**
- * @param OAuth2\Encryption\PublicKeyInterface $publicKeyStorage the public key encryption to use
- * @param OAuth2\Storage\AccessTokenInterface $tokenStorage OPTIONAL persist the access token to another storage. This is useful if
- * you want to retain access token grant information somewhere, but
- * is not necessary when using this grant type.
- * @param OAuth2\Encryption\EncryptionInterface $encryptionUtil OPTIONAL class to use for "encode" and "decode" functions.
- */
- public function __construct(PublicKeyInterface $publicKeyStorage, AccessTokenInterface $tokenStorage = null, EncryptionInterface $encryptionUtil = null)
- {
- $this->publicKeyStorage = $publicKeyStorage;
- $this->tokenStorage = $tokenStorage;
- if (is_null($encryptionUtil)) {
- $encryptionUtil = new Jwt;
- }
- $this->encryptionUtil = $encryptionUtil;
- }
-
- public function getAccessToken($oauth_token)
- {
- // just decode the token, don't verify
- if (!$tokenData = $this->encryptionUtil->decode($oauth_token, null, false)) {
- return false;
- }
-
- $client_id = isset($tokenData['aud']) ? $tokenData['aud'] : null;
- $public_key = $this->publicKeyStorage->getPublicKey($client_id);
- $algorithm = $this->publicKeyStorage->getEncryptionAlgorithm($client_id);
-
- // now that we have the client_id, verify the token
- if (false === $this->encryptionUtil->decode($oauth_token, $public_key, array($algorithm))) {
- return false;
- }
-
- // normalize the JWT claims to the format expected by other components in this library
- return $this->convertJwtToOAuth2($tokenData);
- }
-
- public function setAccessToken($oauth_token, $client_id, $user_id, $expires, $scope = null)
- {
- if ($this->tokenStorage) {
- return $this->tokenStorage->setAccessToken($oauth_token, $client_id, $user_id, $expires, $scope);
- }
- }
-
- public function unsetAccessToken($access_token)
- {
- if ($this->tokenStorage) {
- return $this->tokenStorage->unsetAccessToken($access_token);
- }
- }
-
-
- // converts a JWT access token into an OAuth2-friendly format
- protected function convertJwtToOAuth2($tokenData)
- {
- $keyMapping = array(
- 'aud' => 'client_id',
- 'exp' => 'expires',
- 'sub' => 'user_id'
- );
-
- foreach ($keyMapping as $jwtKey => $oauth2Key) {
- if (isset($tokenData[$jwtKey])) {
- $tokenData[$oauth2Key] = $tokenData[$jwtKey];
- unset($tokenData[$jwtKey]);
- }
- }
-
- return $tokenData;
- }
-}
diff --git a/library/oauth2/src/OAuth2/Storage/JwtAccessTokenInterface.php b/library/oauth2/src/OAuth2/Storage/JwtAccessTokenInterface.php
deleted file mode 100644
index 3abb2aa2d..000000000
--- a/library/oauth2/src/OAuth2/Storage/JwtAccessTokenInterface.php
+++ /dev/null
@@ -1,14 +0,0 @@
-<?php
-
-namespace OAuth2\Storage;
-
-/**
- * No specific methods, but allows the library to check "instanceof"
- * against interface rather than class
- *
- * @author Brent Shaffer <bshafs at gmail dot com>
- */
-interface JwtAccessTokenInterface extends AccessTokenInterface
-{
-
-}
diff --git a/library/oauth2/src/OAuth2/Storage/JwtBearerInterface.php b/library/oauth2/src/OAuth2/Storage/JwtBearerInterface.php
deleted file mode 100644
index c83aa72ea..000000000
--- a/library/oauth2/src/OAuth2/Storage/JwtBearerInterface.php
+++ /dev/null
@@ -1,74 +0,0 @@
-<?php
-
-namespace OAuth2\Storage;
-
-/**
- * Implement this interface to specify where the OAuth2 Server
- * should get the JWT key for clients
- *
- * @TODO consider extending ClientInterface, as this will almost always
- * be the same storage as retrieving clientData
- *
- * @author F21
- * @author Brent Shaffer <bshafs at gmail dot com>
- */
-interface JwtBearerInterface
-{
- /**
- * Get the public key associated with a client_id
- *
- * @param $client_id
- * Client identifier to be checked with.
- *
- * @return
- * STRING Return the public key for the client_id if it exists, and MUST return FALSE if it doesn't.
- */
- public function getClientKey($client_id, $subject);
-
- /**
- * Get a jti (JSON token identifier) by matching against the client_id, subject, audience and expiration.
- *
- * @param $client_id
- * Client identifier to match.
- *
- * @param $subject
- * The subject to match.
- *
- * @param $audience
- * The audience to match.
- *
- * @param $expiration
- * The expiration of the jti.
- *
- * @param $jti
- * The jti to match.
- *
- * @return
- * An associative array as below, and return NULL if the jti does not exist.
- * - issuer: Stored client identifier.
- * - subject: Stored subject.
- * - audience: Stored audience.
- * - expires: Stored expiration in unix timestamp.
- * - jti: The stored jti.
- */
- public function getJti($client_id, $subject, $audience, $expiration, $jti);
-
- /**
- * Store a used jti so that we can check against it to prevent replay attacks.
- * @param $client_id
- * Client identifier to insert.
- *
- * @param $subject
- * The subject to insert.
- *
- * @param $audience
- * The audience to insert.
- *
- * @param $expiration
- * The expiration of the jti.
- *
- * @param $jti
- * The jti to insert.
- */
- public function setJti($client_id, $subject, $audience, $expiration, $jti);
-}
diff --git a/library/oauth2/src/OAuth2/Storage/Memory.php b/library/oauth2/src/OAuth2/Storage/Memory.php
deleted file mode 100644
index 42d833ccb..000000000
--- a/library/oauth2/src/OAuth2/Storage/Memory.php
+++ /dev/null
@@ -1,381 +0,0 @@
-<?php
-
-namespace OAuth2\Storage;
-
-use OAuth2\OpenID\Storage\UserClaimsInterface;
-use OAuth2\OpenID\Storage\AuthorizationCodeInterface as OpenIDAuthorizationCodeInterface;
-
-/**
- * Simple in-memory storage for all storage types
- *
- * NOTE: This class should never be used in production, and is
- * a stub class for example use only
- *
- * @author Brent Shaffer <bshafs at gmail dot com>
- */
-class Memory implements AuthorizationCodeInterface,
- UserCredentialsInterface,
- UserClaimsInterface,
- AccessTokenInterface,
- ClientCredentialsInterface,
- RefreshTokenInterface,
- JwtBearerInterface,
- ScopeInterface,
- PublicKeyInterface,
- OpenIDAuthorizationCodeInterface
-{
- public $authorizationCodes;
- public $userCredentials;
- public $clientCredentials;
- public $refreshTokens;
- public $accessTokens;
- public $jwt;
- public $jti;
- public $supportedScopes;
- public $defaultScope;
- public $keys;
-
- public function __construct($params = array())
- {
- $params = array_merge(array(
- 'authorization_codes' => array(),
- 'user_credentials' => array(),
- 'client_credentials' => array(),
- 'refresh_tokens' => array(),
- 'access_tokens' => array(),
- 'jwt' => array(),
- 'jti' => array(),
- 'default_scope' => null,
- 'supported_scopes' => array(),
- 'keys' => array(),
- ), $params);
-
- $this->authorizationCodes = $params['authorization_codes'];
- $this->userCredentials = $params['user_credentials'];
- $this->clientCredentials = $params['client_credentials'];
- $this->refreshTokens = $params['refresh_tokens'];
- $this->accessTokens = $params['access_tokens'];
- $this->jwt = $params['jwt'];
- $this->jti = $params['jti'];
- $this->supportedScopes = $params['supported_scopes'];
- $this->defaultScope = $params['default_scope'];
- $this->keys = $params['keys'];
- }
-
- /* AuthorizationCodeInterface */
- public function getAuthorizationCode($code)
- {
- if (!isset($this->authorizationCodes[$code])) {
- return false;
- }
-
- return array_merge(array(
- 'authorization_code' => $code,
- ), $this->authorizationCodes[$code]);
- }
-
- public function setAuthorizationCode($code, $client_id, $user_id, $redirect_uri, $expires, $scope = null, $id_token = null)
- {
- $this->authorizationCodes[$code] = compact('code', 'client_id', 'user_id', 'redirect_uri', 'expires', 'scope', 'id_token');
-
- return true;
- }
-
- public function setAuthorizationCodes($authorization_codes)
- {
- $this->authorizationCodes = $authorization_codes;
- }
-
- public function expireAuthorizationCode($code)
- {
- unset($this->authorizationCodes[$code]);
- }
-
- /* UserCredentialsInterface */
- public function checkUserCredentials($username, $password)
- {
- $userDetails = $this->getUserDetails($username);
-
- return $userDetails && $userDetails['password'] && $userDetails['password'] === $password;
- }
-
- public function setUser($username, $password, $firstName = null, $lastName = null)
- {
- $this->userCredentials[$username] = array(
- 'password' => $password,
- 'first_name' => $firstName,
- 'last_name' => $lastName,
- );
-
- return true;
- }
-
- public function getUserDetails($username)
- {
- if (!isset($this->userCredentials[$username])) {
- return false;
- }
-
- return array_merge(array(
- 'user_id' => $username,
- 'password' => null,
- 'first_name' => null,
- 'last_name' => null,
- ), $this->userCredentials[$username]);
- }
-
- /* UserClaimsInterface */
- public function getUserClaims($user_id, $claims)
- {
- if (!$userDetails = $this->getUserDetails($user_id)) {
- return false;
- }
-
- $claims = explode(' ', trim($claims));
- $userClaims = array();
-
- // for each requested claim, if the user has the claim, set it in the response
- $validClaims = explode(' ', self::VALID_CLAIMS);
- foreach ($validClaims as $validClaim) {
- if (in_array($validClaim, $claims)) {
- if ($validClaim == 'address') {
- // address is an object with subfields
- $userClaims['address'] = $this->getUserClaim($validClaim, $userDetails['address'] ?: $userDetails);
- } else {
- $userClaims = array_merge($userClaims, $this->getUserClaim($validClaim, $userDetails));
- }
- }
- }
-
- return $userClaims;
- }
-
- protected function getUserClaim($claim, $userDetails)
- {
- $userClaims = array();
- $claimValuesString = constant(sprintf('self::%s_CLAIM_VALUES', strtoupper($claim)));
- $claimValues = explode(' ', $claimValuesString);
-
- foreach ($claimValues as $value) {
- $userClaims[$value] = isset($userDetails[$value]) ? $userDetails[$value] : null;
- }
-
- return $userClaims;
- }
-
- /* ClientCredentialsInterface */
- public function checkClientCredentials($client_id, $client_secret = null)
- {
- return isset($this->clientCredentials[$client_id]['client_secret']) && $this->clientCredentials[$client_id]['client_secret'] === $client_secret;
- }
-
- public function isPublicClient($client_id)
- {
- if (!isset($this->clientCredentials[$client_id])) {
- return false;
- }
-
- return empty($this->clientCredentials[$client_id]['client_secret']);
- }
-
- /* ClientInterface */
- public function getClientDetails($client_id)
- {
- if (!isset($this->clientCredentials[$client_id])) {
- return false;
- }
-
- $clientDetails = array_merge(array(
- 'client_id' => $client_id,
- 'client_secret' => null,
- 'redirect_uri' => null,
- 'scope' => null,
- ), $this->clientCredentials[$client_id]);
-
- return $clientDetails;
- }
-
- public function checkRestrictedGrantType($client_id, $grant_type)
- {
- if (isset($this->clientCredentials[$client_id]['grant_types'])) {
- $grant_types = explode(' ', $this->clientCredentials[$client_id]['grant_types']);
-
- return in_array($grant_type, $grant_types);
- }
-
- // if grant_types are not defined, then none are restricted
- return true;
- }
-
- public function setClientDetails($client_id, $client_secret = null, $redirect_uri = null, $grant_types = null, $scope = null, $user_id = null)
- {
- $this->clientCredentials[$client_id] = array(
- 'client_id' => $client_id,
- 'client_secret' => $client_secret,
- 'redirect_uri' => $redirect_uri,
- 'grant_types' => $grant_types,
- 'scope' => $scope,
- 'user_id' => $user_id,
- );
-
- return true;
- }
-
- /* RefreshTokenInterface */
- public function getRefreshToken($refresh_token)
- {
- return isset($this->refreshTokens[$refresh_token]) ? $this->refreshTokens[$refresh_token] : false;
- }
-
- public function setRefreshToken($refresh_token, $client_id, $user_id, $expires, $scope = null)
- {
- $this->refreshTokens[$refresh_token] = compact('refresh_token', 'client_id', 'user_id', 'expires', 'scope');
-
- return true;
- }
-
- public function unsetRefreshToken($refresh_token)
- {
- if (isset($this->refreshTokens[$refresh_token])) {
- unset($this->refreshTokens[$refresh_token]);
-
- return true;
- }
-
- return false;
- }
-
- public function setRefreshTokens($refresh_tokens)
- {
- $this->refreshTokens = $refresh_tokens;
- }
-
- /* AccessTokenInterface */
- public function getAccessToken($access_token)
- {
- return isset($this->accessTokens[$access_token]) ? $this->accessTokens[$access_token] : false;
- }
-
- public function setAccessToken($access_token, $client_id, $user_id, $expires, $scope = null, $id_token = null)
- {
- $this->accessTokens[$access_token] = compact('access_token', 'client_id', 'user_id', 'expires', 'scope', 'id_token');
-
- return true;
- }
-
- public function unsetAccessToken($access_token)
- {
- if (isset($this->accessTokens[$access_token])) {
- unset($this->accessTokens[$access_token]);
-
- return true;
- }
-
- return false;
- }
-
- public function scopeExists($scope)
- {
- $scope = explode(' ', trim($scope));
-
- return (count(array_diff($scope, $this->supportedScopes)) == 0);
- }
-
- public function getDefaultScope($client_id = null)
- {
- return $this->defaultScope;
- }
-
- /*JWTBearerInterface */
- public function getClientKey($client_id, $subject)
- {
- if (isset($this->jwt[$client_id])) {
- $jwt = $this->jwt[$client_id];
- if ($jwt) {
- if ($jwt["subject"] == $subject) {
- return $jwt["key"];
- }
- }
- }
-
- return false;
- }
-
- public function getClientScope($client_id)
- {
- if (!$clientDetails = $this->getClientDetails($client_id)) {
- return false;
- }
-
- if (isset($clientDetails['scope'])) {
- return $clientDetails['scope'];
- }
-
- return null;
- }
-
- public function getJti($client_id, $subject, $audience, $expires, $jti)
- {
- foreach ($this->jti as $storedJti) {
- if ($storedJti['issuer'] == $client_id && $storedJti['subject'] == $subject && $storedJti['audience'] == $audience && $storedJti['expires'] == $expires && $storedJti['jti'] == $jti) {
- return array(
- 'issuer' => $storedJti['issuer'],
- 'subject' => $storedJti['subject'],
- 'audience' => $storedJti['audience'],
- 'expires' => $storedJti['expires'],
- 'jti' => $storedJti['jti']
- );
- }
- }
-
- return null;
- }
-
- public function setJti($client_id, $subject, $audience, $expires, $jti)
- {
- $this->jti[] = array('issuer' => $client_id, 'subject' => $subject, 'audience' => $audience, 'expires' => $expires, 'jti' => $jti);
- }
-
- /*PublicKeyInterface */
- public function getPublicKey($client_id = null)
- {
- if (isset($this->keys[$client_id])) {
- return $this->keys[$client_id]['public_key'];
- }
-
- // use a global encryption pair
- if (isset($this->keys['public_key'])) {
- return $this->keys['public_key'];
- }
-
- return false;
- }
-
- public function getPrivateKey($client_id = null)
- {
- if (isset($this->keys[$client_id])) {
- return $this->keys[$client_id]['private_key'];
- }
-
- // use a global encryption pair
- if (isset($this->keys['private_key'])) {
- return $this->keys['private_key'];
- }
-
- return false;
- }
-
- public function getEncryptionAlgorithm($client_id = null)
- {
- if (isset($this->keys[$client_id]['encryption_algorithm'])) {
- return $this->keys[$client_id]['encryption_algorithm'];
- }
-
- // use a global encryption algorithm
- if (isset($this->keys['encryption_algorithm'])) {
- return $this->keys['encryption_algorithm'];
- }
-
- return 'RS256';
- }
-}
diff --git a/library/oauth2/src/OAuth2/Storage/Mongo.php b/library/oauth2/src/OAuth2/Storage/Mongo.php
deleted file mode 100644
index cef35e5e9..000000000
--- a/library/oauth2/src/OAuth2/Storage/Mongo.php
+++ /dev/null
@@ -1,339 +0,0 @@
-<?php
-
-namespace OAuth2\Storage;
-
-use OAuth2\OpenID\Storage\AuthorizationCodeInterface as OpenIDAuthorizationCodeInterface;
-
-/**
- * Simple MongoDB storage for all storage types
- *
- * NOTE: This class is meant to get users started
- * quickly. If your application requires further
- * customization, extend this class or create your own.
- *
- * NOTE: Passwords are stored in plaintext, which is never
- * a good idea. Be sure to override this for your application
- *
- * @author Julien Chaumond <chaumond@gmail.com>
- */
-class Mongo implements AuthorizationCodeInterface,
- AccessTokenInterface,
- ClientCredentialsInterface,
- UserCredentialsInterface,
- RefreshTokenInterface,
- JwtBearerInterface,
- OpenIDAuthorizationCodeInterface
-{
- protected $db;
- protected $config;
-
- public function __construct($connection, $config = array())
- {
- if ($connection instanceof \MongoDB) {
- $this->db = $connection;
- } else {
- if (!is_array($connection)) {
- throw new \InvalidArgumentException('First argument to OAuth2\Storage\Mongo must be an instance of MongoDB or a configuration array');
- }
- $server = sprintf('mongodb://%s:%d', $connection['host'], $connection['port']);
- $m = new \MongoClient($server);
- $this->db = $m->{$connection['database']};
- }
-
- $this->config = array_merge(array(
- 'client_table' => 'oauth_clients',
- 'access_token_table' => 'oauth_access_tokens',
- 'refresh_token_table' => 'oauth_refresh_tokens',
- 'code_table' => 'oauth_authorization_codes',
- 'user_table' => 'oauth_users',
- 'jwt_table' => 'oauth_jwt',
- ), $config);
- }
-
- // Helper function to access a MongoDB collection by `type`:
- protected function collection($name)
- {
- return $this->db->{$this->config[$name]};
- }
-
- /* ClientCredentialsInterface */
- public function checkClientCredentials($client_id, $client_secret = null)
- {
- if ($result = $this->collection('client_table')->findOne(array('client_id' => $client_id))) {
- return $result['client_secret'] == $client_secret;
- }
-
- return false;
- }
-
- public function isPublicClient($client_id)
- {
- if (!$result = $this->collection('client_table')->findOne(array('client_id' => $client_id))) {
- return false;
- }
-
- return empty($result['client_secret']);
- }
-
- /* ClientInterface */
- public function getClientDetails($client_id)
- {
- $result = $this->collection('client_table')->findOne(array('client_id' => $client_id));
-
- return is_null($result) ? false : $result;
- }
-
- public function setClientDetails($client_id, $client_secret = null, $redirect_uri = null, $grant_types = null, $scope = null, $user_id = null)
- {
- if ($this->getClientDetails($client_id)) {
- $this->collection('client_table')->update(
- array('client_id' => $client_id),
- array('$set' => array(
- 'client_secret' => $client_secret,
- 'redirect_uri' => $redirect_uri,
- 'grant_types' => $grant_types,
- 'scope' => $scope,
- 'user_id' => $user_id,
- ))
- );
- } else {
- $client = array(
- 'client_id' => $client_id,
- 'client_secret' => $client_secret,
- 'redirect_uri' => $redirect_uri,
- 'grant_types' => $grant_types,
- 'scope' => $scope,
- 'user_id' => $user_id,
- );
- $this->collection('client_table')->insert($client);
- }
-
- return true;
- }
-
- public function checkRestrictedGrantType($client_id, $grant_type)
- {
- $details = $this->getClientDetails($client_id);
- if (isset($details['grant_types'])) {
- $grant_types = explode(' ', $details['grant_types']);
-
- return in_array($grant_type, $grant_types);
- }
-
- // if grant_types are not defined, then none are restricted
- return true;
- }
-
- /* AccessTokenInterface */
- public function getAccessToken($access_token)
- {
- $token = $this->collection('access_token_table')->findOne(array('access_token' => $access_token));
-
- return is_null($token) ? false : $token;
- }
-
- public function setAccessToken($access_token, $client_id, $user_id, $expires, $scope = null)
- {
- // if it exists, update it.
- if ($this->getAccessToken($access_token)) {
- $this->collection('access_token_table')->update(
- array('access_token' => $access_token),
- array('$set' => array(
- 'client_id' => $client_id,
- 'expires' => $expires,
- 'user_id' => $user_id,
- 'scope' => $scope
- ))
- );
- } else {
- $token = array(
- 'access_token' => $access_token,
- 'client_id' => $client_id,
- 'expires' => $expires,
- 'user_id' => $user_id,
- 'scope' => $scope
- );
- $this->collection('access_token_table')->insert($token);
- }
-
- return true;
- }
-
- public function unsetAccessToken($access_token)
- {
- $result = $this->collection('access_token_table')->remove(array(
- 'access_token' => $access_token
- ), array('w' => 1));
-
- return $result['n'] > 0;
- }
-
-
- /* AuthorizationCodeInterface */
- public function getAuthorizationCode($code)
- {
- $code = $this->collection('code_table')->findOne(array('authorization_code' => $code));
-
- return is_null($code) ? false : $code;
- }
-
- public function setAuthorizationCode($code, $client_id, $user_id, $redirect_uri, $expires, $scope = null, $id_token = null)
- {
- // if it exists, update it.
- if ($this->getAuthorizationCode($code)) {
- $this->collection('code_table')->update(
- array('authorization_code' => $code),
- array('$set' => array(
- 'client_id' => $client_id,
- 'user_id' => $user_id,
- 'redirect_uri' => $redirect_uri,
- 'expires' => $expires,
- 'scope' => $scope,
- 'id_token' => $id_token,
- ))
- );
- } else {
- $token = array(
- 'authorization_code' => $code,
- 'client_id' => $client_id,
- 'user_id' => $user_id,
- 'redirect_uri' => $redirect_uri,
- 'expires' => $expires,
- 'scope' => $scope,
- 'id_token' => $id_token,
- );
- $this->collection('code_table')->insert($token);
- }
-
- return true;
- }
-
- public function expireAuthorizationCode($code)
- {
- $this->collection('code_table')->remove(array('authorization_code' => $code));
-
- return true;
- }
-
- /* UserCredentialsInterface */
- public function checkUserCredentials($username, $password)
- {
- if ($user = $this->getUser($username)) {
- return $this->checkPassword($user, $password);
- }
-
- return false;
- }
-
- public function getUserDetails($username)
- {
- if ($user = $this->getUser($username)) {
- $user['user_id'] = $user['username'];
- }
-
- return $user;
- }
-
- /* RefreshTokenInterface */
- public function getRefreshToken($refresh_token)
- {
- $token = $this->collection('refresh_token_table')->findOne(array('refresh_token' => $refresh_token));
-
- return is_null($token) ? false : $token;
- }
-
- public function setRefreshToken($refresh_token, $client_id, $user_id, $expires, $scope = null)
- {
- $token = array(
- 'refresh_token' => $refresh_token,
- 'client_id' => $client_id,
- 'user_id' => $user_id,
- 'expires' => $expires,
- 'scope' => $scope
- );
- $this->collection('refresh_token_table')->insert($token);
-
- return true;
- }
-
- public function unsetRefreshToken($refresh_token)
- {
- $result = $this->collection('refresh_token_table')->remove(array(
- 'refresh_token' => $refresh_token
- ), array('w' => 1));
-
- return $result['n'] > 0;
- }
-
- // plaintext passwords are bad! Override this for your application
- protected function checkPassword($user, $password)
- {
- return $user['password'] == $password;
- }
-
- public function getUser($username)
- {
- $result = $this->collection('user_table')->findOne(array('username' => $username));
-
- return is_null($result) ? false : $result;
- }
-
- public function setUser($username, $password, $firstName = null, $lastName = null)
- {
- if ($this->getUser($username)) {
- $this->collection('user_table')->update(
- array('username' => $username),
- array('$set' => array(
- 'password' => $password,
- 'first_name' => $firstName,
- 'last_name' => $lastName
- ))
- );
- } else {
- $user = array(
- 'username' => $username,
- 'password' => $password,
- 'first_name' => $firstName,
- 'last_name' => $lastName
- );
- $this->collection('user_table')->insert($user);
- }
-
- return true;
- }
-
- public function getClientKey($client_id, $subject)
- {
- $result = $this->collection('jwt_table')->findOne(array(
- 'client_id' => $client_id,
- 'subject' => $subject
- ));
-
- return is_null($result) ? false : $result['key'];
- }
-
- public function getClientScope($client_id)
- {
- if (!$clientDetails = $this->getClientDetails($client_id)) {
- return false;
- }
-
- if (isset($clientDetails['scope'])) {
- return $clientDetails['scope'];
- }
-
- return null;
- }
-
- public function getJti($client_id, $subject, $audience, $expiration, $jti)
- {
- //TODO: Needs mongodb implementation.
- throw new \Exception('getJti() for the MongoDB driver is currently unimplemented.');
- }
-
- public function setJti($client_id, $subject, $audience, $expiration, $jti)
- {
- //TODO: Needs mongodb implementation.
- throw new \Exception('setJti() for the MongoDB driver is currently unimplemented.');
- }
-}
diff --git a/library/oauth2/src/OAuth2/Storage/Pdo.php b/library/oauth2/src/OAuth2/Storage/Pdo.php
deleted file mode 100644
index ae5107e29..000000000
--- a/library/oauth2/src/OAuth2/Storage/Pdo.php
+++ /dev/null
@@ -1,553 +0,0 @@
-<?php
-
-namespace OAuth2\Storage;
-
-use OAuth2\OpenID\Storage\UserClaimsInterface;
-use OAuth2\OpenID\Storage\AuthorizationCodeInterface as OpenIDAuthorizationCodeInterface;
-
-/**
- * Simple PDO storage for all storage types
- *
- * NOTE: This class is meant to get users started
- * quickly. If your application requires further
- * customization, extend this class or create your own.
- *
- * NOTE: Passwords are stored in plaintext, which is never
- * a good idea. Be sure to override this for your application
- *
- * @author Brent Shaffer <bshafs at gmail dot com>
- */
-class Pdo implements
- AuthorizationCodeInterface,
- AccessTokenInterface,
- ClientCredentialsInterface,
- UserCredentialsInterface,
- RefreshTokenInterface,
- JwtBearerInterface,
- ScopeInterface,
- PublicKeyInterface,
- UserClaimsInterface,
- OpenIDAuthorizationCodeInterface
-{
- protected $db;
- protected $config;
-
- public function __construct($connection, $config = array())
- {
- if (!$connection instanceof \PDO) {
- if (is_string($connection)) {
- $connection = array('dsn' => $connection);
- }
- if (!is_array($connection)) {
- throw new \InvalidArgumentException('First argument to OAuth2\Storage\Pdo must be an instance of PDO, a DSN string, or a configuration array');
- }
- if (!isset($connection['dsn'])) {
- throw new \InvalidArgumentException('configuration array must contain "dsn"');
- }
- // merge optional parameters
- $connection = array_merge(array(
- 'username' => null,
- 'password' => null,
- 'options' => array(),
- ), $connection);
- $connection = new \PDO($connection['dsn'], $connection['username'], $connection['password'], $connection['options']);
- }
- $this->db = $connection;
-
- // debugging
- $connection->setAttribute(\PDO::ATTR_ERRMODE, \PDO::ERRMODE_EXCEPTION);
-
- $this->config = array_merge(array(
- 'client_table' => 'oauth_clients',
- 'access_token_table' => 'oauth_access_tokens',
- 'refresh_token_table' => 'oauth_refresh_tokens',
- 'code_table' => 'oauth_authorization_codes',
- 'user_table' => 'oauth_users',
- 'jwt_table' => 'oauth_jwt',
- 'jti_table' => 'oauth_jti',
- 'scope_table' => 'oauth_scopes',
- 'public_key_table' => 'oauth_public_keys',
- ), $config);
- }
-
- /* OAuth2\Storage\ClientCredentialsInterface */
- public function checkClientCredentials($client_id, $client_secret = null)
- {
- $stmt = $this->db->prepare(sprintf('SELECT * from %s where client_id = :client_id', $this->config['client_table']));
- $stmt->execute(compact('client_id'));
- $result = $stmt->fetch(\PDO::FETCH_ASSOC);
-
- // make this extensible
- return $result && $result['client_secret'] == $client_secret;
- }
-
- public function isPublicClient($client_id)
- {
- $stmt = $this->db->prepare(sprintf('SELECT * from %s where client_id = :client_id', $this->config['client_table']));
- $stmt->execute(compact('client_id'));
-
- if (!$result = $stmt->fetch(\PDO::FETCH_ASSOC)) {
- return false;
- }
-
- return empty($result['client_secret']);
- }
-
- /* OAuth2\Storage\ClientInterface */
- public function getClientDetails($client_id)
- {
- $stmt = $this->db->prepare(sprintf('SELECT * from %s where client_id = :client_id', $this->config['client_table']));
- $stmt->execute(compact('client_id'));
-
- return $stmt->fetch(\PDO::FETCH_ASSOC);
- }
-
- public function setClientDetails($client_id, $client_secret = null, $redirect_uri = null, $grant_types = null, $scope = null, $user_id = null)
- {
- // if it exists, update it.
- if ($this->getClientDetails($client_id)) {
- $stmt = $this->db->prepare($sql = sprintf('UPDATE %s SET client_secret=:client_secret, redirect_uri=:redirect_uri, grant_types=:grant_types, scope=:scope, user_id=:user_id where client_id=:client_id', $this->config['client_table']));
- } else {
- $stmt = $this->db->prepare(sprintf('INSERT INTO %s (client_id, client_secret, redirect_uri, grant_types, scope, user_id) VALUES (:client_id, :client_secret, :redirect_uri, :grant_types, :scope, :user_id)', $this->config['client_table']));
- }
-
- return $stmt->execute(compact('client_id', 'client_secret', 'redirect_uri', 'grant_types', 'scope', 'user_id'));
- }
-
- public function checkRestrictedGrantType($client_id, $grant_type)
- {
- $details = $this->getClientDetails($client_id);
- if (isset($details['grant_types'])) {
- $grant_types = explode(' ', $details['grant_types']);
-
- return in_array($grant_type, (array) $grant_types);
- }
-
- // if grant_types are not defined, then none are restricted
- return true;
- }
-
- /* OAuth2\Storage\AccessTokenInterface */
- public function getAccessToken($access_token)
- {
- $stmt = $this->db->prepare(sprintf('SELECT * from %s where access_token = :access_token', $this->config['access_token_table']));
-
- $token = $stmt->execute(compact('access_token'));
- if ($token = $stmt->fetch(\PDO::FETCH_ASSOC)) {
- // convert date string back to timestamp
- $token['expires'] = strtotime($token['expires']);
- }
-
- return $token;
- }
-
- public function setAccessToken($access_token, $client_id, $user_id, $expires, $scope = null)
- {
- // convert expires to datestring
- $expires = date('Y-m-d H:i:s', $expires);
-
- // if it exists, update it.
- if ($this->getAccessToken($access_token)) {
- $stmt = $this->db->prepare(sprintf('UPDATE %s SET client_id=:client_id, expires=:expires, user_id=:user_id, scope=:scope where access_token=:access_token', $this->config['access_token_table']));
- } else {
- $stmt = $this->db->prepare(sprintf('INSERT INTO %s (access_token, client_id, expires, user_id, scope) VALUES (:access_token, :client_id, :expires, :user_id, :scope)', $this->config['access_token_table']));
- }
-
- return $stmt->execute(compact('access_token', 'client_id', 'user_id', 'expires', 'scope'));
- }
-
- public function unsetAccessToken($access_token)
- {
- $stmt = $this->db->prepare(sprintf('DELETE FROM %s WHERE access_token = :access_token', $this->config['access_token_table']));
-
- $stmt->execute(compact('access_token'));
-
- return $stmt->rowCount() > 0;
- }
-
- /* OAuth2\Storage\AuthorizationCodeInterface */
- public function getAuthorizationCode($code)
- {
- $stmt = $this->db->prepare(sprintf('SELECT * from %s where authorization_code = :code', $this->config['code_table']));
- $stmt->execute(compact('code'));
-
- if ($code = $stmt->fetch(\PDO::FETCH_ASSOC)) {
- // convert date string back to timestamp
- $code['expires'] = strtotime($code['expires']);
- }
-
- return $code;
- }
-
- public function setAuthorizationCode($code, $client_id, $user_id, $redirect_uri, $expires, $scope = null, $id_token = null)
- {
- if (func_num_args() > 6) {
- // we are calling with an id token
- return call_user_func_array(array($this, 'setAuthorizationCodeWithIdToken'), func_get_args());
- }
-
- // convert expires to datestring
- $expires = date('Y-m-d H:i:s', $expires);
-
- // if it exists, update it.
- if ($this->getAuthorizationCode($code)) {
- $stmt = $this->db->prepare($sql = sprintf('UPDATE %s SET client_id=:client_id, user_id=:user_id, redirect_uri=:redirect_uri, expires=:expires, scope=:scope where authorization_code=:code', $this->config['code_table']));
- } else {
- $stmt = $this->db->prepare(sprintf('INSERT INTO %s (authorization_code, client_id, user_id, redirect_uri, expires, scope) VALUES (:code, :client_id, :user_id, :redirect_uri, :expires, :scope)', $this->config['code_table']));
- }
-
- return $stmt->execute(compact('code', 'client_id', 'user_id', 'redirect_uri', 'expires', 'scope'));
- }
-
- private function setAuthorizationCodeWithIdToken($code, $client_id, $user_id, $redirect_uri, $expires, $scope = null, $id_token = null)
- {
- // convert expires to datestring
- $expires = date('Y-m-d H:i:s', $expires);
-
- // if it exists, update it.
- if ($this->getAuthorizationCode($code)) {
- $stmt = $this->db->prepare($sql = sprintf('UPDATE %s SET client_id=:client_id, user_id=:user_id, redirect_uri=:redirect_uri, expires=:expires, scope=:scope, id_token =:id_token where authorization_code=:code', $this->config['code_table']));
- } else {
- $stmt = $this->db->prepare(sprintf('INSERT INTO %s (authorization_code, client_id, user_id, redirect_uri, expires, scope, id_token) VALUES (:code, :client_id, :user_id, :redirect_uri, :expires, :scope, :id_token)', $this->config['code_table']));
- }
-
- return $stmt->execute(compact('code', 'client_id', 'user_id', 'redirect_uri', 'expires', 'scope', 'id_token'));
- }
-
- public function expireAuthorizationCode($code)
- {
- $stmt = $this->db->prepare(sprintf('DELETE FROM %s WHERE authorization_code = :code', $this->config['code_table']));
-
- return $stmt->execute(compact('code'));
- }
-
- /* OAuth2\Storage\UserCredentialsInterface */
- public function checkUserCredentials($username, $password)
- {
- if ($user = $this->getUser($username)) {
- return $this->checkPassword($user, $password);
- }
-
- return false;
- }
-
- public function getUserDetails($username)
- {
- return $this->getUser($username);
- }
-
- /* UserClaimsInterface */
- public function getUserClaims($user_id, $claims)
- {
- if (!$userDetails = $this->getUserDetails($user_id)) {
- return false;
- }
-
- $claims = explode(' ', trim($claims));
- $userClaims = array();
-
- // for each requested claim, if the user has the claim, set it in the response
- $validClaims = explode(' ', self::VALID_CLAIMS);
- foreach ($validClaims as $validClaim) {
- if (in_array($validClaim, $claims)) {
- if ($validClaim == 'address') {
- // address is an object with subfields
- $userClaims['address'] = $this->getUserClaim($validClaim, $userDetails['address'] ?: $userDetails);
- } else {
- $userClaims = array_merge($userClaims, $this->getUserClaim($validClaim, $userDetails));
- }
- }
- }
-
- return $userClaims;
- }
-
- protected function getUserClaim($claim, $userDetails)
- {
- $userClaims = array();
- $claimValuesString = constant(sprintf('self::%s_CLAIM_VALUES', strtoupper($claim)));
- $claimValues = explode(' ', $claimValuesString);
-
- foreach ($claimValues as $value) {
- $userClaims[$value] = isset($userDetails[$value]) ? $userDetails[$value] : null;
- }
-
- return $userClaims;
- }
-
- /* OAuth2\Storage\RefreshTokenInterface */
- public function getRefreshToken($refresh_token)
- {
- $stmt = $this->db->prepare(sprintf('SELECT * FROM %s WHERE refresh_token = :refresh_token', $this->config['refresh_token_table']));
-
- $token = $stmt->execute(compact('refresh_token'));
- if ($token = $stmt->fetch(\PDO::FETCH_ASSOC)) {
- // convert expires to epoch time
- $token['expires'] = strtotime($token['expires']);
- }
-
- return $token;
- }
-
- public function setRefreshToken($refresh_token, $client_id, $user_id, $expires, $scope = null)
- {
- // convert expires to datestring
- $expires = date('Y-m-d H:i:s', $expires);
-
- $stmt = $this->db->prepare(sprintf('INSERT INTO %s (refresh_token, client_id, user_id, expires, scope) VALUES (:refresh_token, :client_id, :user_id, :expires, :scope)', $this->config['refresh_token_table']));
-
- return $stmt->execute(compact('refresh_token', 'client_id', 'user_id', 'expires', 'scope'));
- }
-
- public function unsetRefreshToken($refresh_token)
- {
- $stmt = $this->db->prepare(sprintf('DELETE FROM %s WHERE refresh_token = :refresh_token', $this->config['refresh_token_table']));
-
- $stmt->execute(compact('refresh_token'));
-
- return $stmt->rowCount() > 0;
- }
-
- // plaintext passwords are bad! Override this for your application
- protected function checkPassword($user, $password)
- {
- return $user['password'] == $this->hashPassword($password);
- }
-
- // use a secure hashing algorithm when storing passwords. Override this for your application
- protected function hashPassword($password)
- {
- return sha1($password);
- }
-
- public function getUser($username)
- {
- $stmt = $this->db->prepare($sql = sprintf('SELECT * from %s where username=:username', $this->config['user_table']));
- $stmt->execute(array('username' => $username));
-
- if (!$userInfo = $stmt->fetch(\PDO::FETCH_ASSOC)) {
- return false;
- }
-
- // the default behavior is to use "username" as the user_id
- return array_merge(array(
- 'user_id' => $username
- ), $userInfo);
- }
-
- public function setUser($username, $password, $firstName = null, $lastName = null)
- {
- // do not store in plaintext
- $password = $this->hashPassword($password);
-
- // if it exists, update it.
- if ($this->getUser($username)) {
- $stmt = $this->db->prepare($sql = sprintf('UPDATE %s SET password=:password, first_name=:firstName, last_name=:lastName where username=:username', $this->config['user_table']));
- } else {
- $stmt = $this->db->prepare(sprintf('INSERT INTO %s (username, password, first_name, last_name) VALUES (:username, :password, :firstName, :lastName)', $this->config['user_table']));
- }
-
- return $stmt->execute(compact('username', 'password', 'firstName', 'lastName'));
- }
-
- /* ScopeInterface */
- public function scopeExists($scope)
- {
- $scope = explode(' ', $scope);
- $whereIn = implode(',', array_fill(0, count($scope), '?'));
- $stmt = $this->db->prepare(sprintf('SELECT count(scope) as count FROM %s WHERE scope IN (%s)', $this->config['scope_table'], $whereIn));
- $stmt->execute($scope);
-
- if ($result = $stmt->fetch(\PDO::FETCH_ASSOC)) {
- return $result['count'] == count($scope);
- }
-
- return false;
- }
-
- public function getDefaultScope($client_id = null)
- {
- $stmt = $this->db->prepare(sprintf('SELECT scope FROM %s WHERE is_default=:is_default', $this->config['scope_table']));
- $stmt->execute(array('is_default' => true));
-
- if ($result = $stmt->fetchAll(\PDO::FETCH_ASSOC)) {
- $defaultScope = array_map(function ($row) {
- return $row['scope'];
- }, $result);
-
- return implode(' ', $defaultScope);
- }
-
- return null;
- }
-
- /* JWTBearerInterface */
- public function getClientKey($client_id, $subject)
- {
- $stmt = $this->db->prepare($sql = sprintf('SELECT public_key from %s where client_id=:client_id AND subject=:subject', $this->config['jwt_table']));
-
- $stmt->execute(array('client_id' => $client_id, 'subject' => $subject));
-
- return $stmt->fetchColumn();
- }
-
- public function getClientScope($client_id)
- {
- if (!$clientDetails = $this->getClientDetails($client_id)) {
- return false;
- }
-
- if (isset($clientDetails['scope'])) {
- return $clientDetails['scope'];
- }
-
- return null;
- }
-
- public function getJti($client_id, $subject, $audience, $expires, $jti)
- {
- $stmt = $this->db->prepare($sql = sprintf('SELECT * FROM %s WHERE issuer=:client_id AND subject=:subject AND audience=:audience AND expires=:expires AND jti=:jti', $this->config['jti_table']));
-
- $stmt->execute(compact('client_id', 'subject', 'audience', 'expires', 'jti'));
-
- if ($result = $stmt->fetch(\PDO::FETCH_ASSOC)) {
- return array(
- 'issuer' => $result['issuer'],
- 'subject' => $result['subject'],
- 'audience' => $result['audience'],
- 'expires' => $result['expires'],
- 'jti' => $result['jti'],
- );
- }
-
- return null;
- }
-
- public function setJti($client_id, $subject, $audience, $expires, $jti)
- {
- $stmt = $this->db->prepare(sprintf('INSERT INTO %s (issuer, subject, audience, expires, jti) VALUES (:client_id, :subject, :audience, :expires, :jti)', $this->config['jti_table']));
-
- return $stmt->execute(compact('client_id', 'subject', 'audience', 'expires', 'jti'));
- }
-
- /* PublicKeyInterface */
- public function getPublicKey($client_id = null)
- {
- $stmt = $this->db->prepare($sql = sprintf('SELECT public_key FROM %s WHERE client_id=:client_id OR client_id IS NULL ORDER BY client_id IS NOT NULL DESC', $this->config['public_key_table']));
-
- $stmt->execute(compact('client_id'));
- if ($result = $stmt->fetch(\PDO::FETCH_ASSOC)) {
- return $result['public_key'];
- }
- }
-
- public function getPrivateKey($client_id = null)
- {
- $stmt = $this->db->prepare($sql = sprintf('SELECT private_key FROM %s WHERE client_id=:client_id OR client_id IS NULL ORDER BY client_id IS NOT NULL DESC', $this->config['public_key_table']));
-
- $stmt->execute(compact('client_id'));
- if ($result = $stmt->fetch(\PDO::FETCH_ASSOC)) {
- return $result['private_key'];
- }
- }
-
- public function getEncryptionAlgorithm($client_id = null)
- {
- $stmt = $this->db->prepare($sql = sprintf('SELECT encryption_algorithm FROM %s WHERE client_id=:client_id OR client_id IS NULL ORDER BY client_id IS NOT NULL DESC', $this->config['public_key_table']));
-
- $stmt->execute(compact('client_id'));
- if ($result = $stmt->fetch(\PDO::FETCH_ASSOC)) {
- return $result['encryption_algorithm'];
- }
-
- return 'RS256';
- }
-
- /**
- * DDL to create OAuth2 database and tables for PDO storage
- *
- * @see https://github.com/dsquier/oauth2-server-php-mysql
- */
- public function getBuildSql($dbName = 'oauth2_server_php')
- {
- $sql = "
- CREATE TABLE {$this->config['client_table']} (
- client_id VARCHAR(80) NOT NULL,
- client_secret VARCHAR(80),
- redirect_uri VARCHAR(2000),
- grant_types VARCHAR(80),
- scope VARCHAR(4000),
- user_id VARCHAR(80),
- PRIMARY KEY (client_id)
- );
-
- CREATE TABLE {$this->config['access_token_table']} (
- access_token VARCHAR(40) NOT NULL,
- client_id VARCHAR(80) NOT NULL,
- user_id VARCHAR(80),
- expires TIMESTAMP NOT NULL,
- scope VARCHAR(4000),
- PRIMARY KEY (access_token)
- );
-
- CREATE TABLE {$this->config['code_table']} (
- authorization_code VARCHAR(40) NOT NULL,
- client_id VARCHAR(80) NOT NULL,
- user_id VARCHAR(80),
- redirect_uri VARCHAR(2000),
- expires TIMESTAMP NOT NULL,
- scope VARCHAR(4000),
- id_token VARCHAR(1000),
- PRIMARY KEY (authorization_code)
- );
-
- CREATE TABLE {$this->config['refresh_token_table']} (
- refresh_token VARCHAR(40) NOT NULL,
- client_id VARCHAR(80) NOT NULL,
- user_id VARCHAR(80),
- expires TIMESTAMP NOT NULL,
- scope VARCHAR(4000),
- PRIMARY KEY (refresh_token)
- );
-
- CREATE TABLE {$this->config['user_table']} (
- username VARCHAR(80),
- password VARCHAR(80),
- first_name VARCHAR(80),
- last_name VARCHAR(80),
- email VARCHAR(80),
- email_verified BOOLEAN,
- scope VARCHAR(4000)
- );
-
- CREATE TABLE {$this->config['scope_table']} (
- scope VARCHAR(80) NOT NULL,
- is_default BOOLEAN,
- PRIMARY KEY (scope)
- );
-
- CREATE TABLE {$this->config['jwt_table']} (
- client_id VARCHAR(80) NOT NULL,
- subject VARCHAR(80),
- public_key VARCHAR(2000) NOT NULL
- );
-
- CREATE TABLE {$this->config['jti_table']} (
- issuer VARCHAR(80) NOT NULL,
- subject VARCHAR(80),
- audience VARCHAR(80),
- expires TIMESTAMP NOT NULL,
- jti VARCHAR(2000) NOT NULL
- );
-
- CREATE TABLE {$this->config['public_key_table']} (
- client_id VARCHAR(80),
- public_key VARCHAR(2000),
- private_key VARCHAR(2000),
- encryption_algorithm VARCHAR(100) DEFAULT 'RS256'
- )
-";
-
- return $sql;
- }
-}
diff --git a/library/oauth2/src/OAuth2/Storage/PublicKeyInterface.php b/library/oauth2/src/OAuth2/Storage/PublicKeyInterface.php
deleted file mode 100644
index 108418d3a..000000000
--- a/library/oauth2/src/OAuth2/Storage/PublicKeyInterface.php
+++ /dev/null
@@ -1,16 +0,0 @@
-<?php
-
-namespace OAuth2\Storage;
-
-/**
- * Implement this interface to specify where the OAuth2 Server
- * should get public/private key information
- *
- * @author Brent Shaffer <bshafs at gmail dot com>
- */
-interface PublicKeyInterface
-{
- public function getPublicKey($client_id = null);
- public function getPrivateKey($client_id = null);
- public function getEncryptionAlgorithm($client_id = null);
-}
diff --git a/library/oauth2/src/OAuth2/Storage/Redis.php b/library/oauth2/src/OAuth2/Storage/Redis.php
deleted file mode 100644
index e6294e22d..000000000
--- a/library/oauth2/src/OAuth2/Storage/Redis.php
+++ /dev/null
@@ -1,321 +0,0 @@
-<?php
-
-namespace OAuth2\Storage;
-
-use OAuth2\OpenID\Storage\AuthorizationCodeInterface as OpenIDAuthorizationCodeInterface;
-
-/**
- * redis storage for all storage types
- *
- * To use, install "predis/predis" via composer
- *
- * Register client:
- * <code>
- * $storage = new OAuth2\Storage\Redis($redis);
- * $storage->setClientDetails($client_id, $client_secret, $redirect_uri);
- * </code>
- */
-class Redis implements AuthorizationCodeInterface,
- AccessTokenInterface,
- ClientCredentialsInterface,
- UserCredentialsInterface,
- RefreshTokenInterface,
- JwtBearerInterface,
- ScopeInterface,
- OpenIDAuthorizationCodeInterface
-{
-
- private $cache;
-
- /* The redis client */
- protected $redis;
-
- /* Configuration array */
- protected $config;
-
- /**
- * Redis Storage!
- *
- * @param \Predis\Client $redis
- * @param array $config
- */
- public function __construct($redis, $config=array())
- {
- $this->redis = $redis;
- $this->config = array_merge(array(
- 'client_key' => 'oauth_clients:',
- 'access_token_key' => 'oauth_access_tokens:',
- 'refresh_token_key' => 'oauth_refresh_tokens:',
- 'code_key' => 'oauth_authorization_codes:',
- 'user_key' => 'oauth_users:',
- 'jwt_key' => 'oauth_jwt:',
- 'scope_key' => 'oauth_scopes:',
- ), $config);
- }
-
- protected function getValue($key)
- {
- if ( isset($this->cache[$key]) ) {
- return $this->cache[$key];
- }
- $value = $this->redis->get($key);
- if ( isset($value) ) {
- return json_decode($value, true);
- } else {
- return false;
- }
- }
-
- protected function setValue($key, $value, $expire=0)
- {
- $this->cache[$key] = $value;
- $str = json_encode($value);
- if ($expire > 0) {
- $seconds = $expire - time();
- $ret = $this->redis->setex($key, $seconds, $str);
- } else {
- $ret = $this->redis->set($key, $str);
- }
-
- // check that the key was set properly
- // if this fails, an exception will usually thrown, so this step isn't strictly necessary
- return is_bool($ret) ? $ret : $ret->getPayload() == 'OK';
- }
-
- protected function expireValue($key)
- {
- unset($this->cache[$key]);
-
- return $this->redis->del($key);
- }
-
- /* AuthorizationCodeInterface */
- public function getAuthorizationCode($code)
- {
- return $this->getValue($this->config['code_key'] . $code);
- }
-
- public function setAuthorizationCode($authorization_code, $client_id, $user_id, $redirect_uri, $expires, $scope = null, $id_token = null)
- {
- return $this->setValue(
- $this->config['code_key'] . $authorization_code,
- compact('authorization_code', 'client_id', 'user_id', 'redirect_uri', 'expires', 'scope', 'id_token'),
- $expires
- );
- }
-
- public function expireAuthorizationCode($code)
- {
- $key = $this->config['code_key'] . $code;
- unset($this->cache[$key]);
-
- return $this->expireValue($key);
- }
-
- /* UserCredentialsInterface */
- public function checkUserCredentials($username, $password)
- {
- $user = $this->getUserDetails($username);
-
- return $user && $user['password'] === $password;
- }
-
- public function getUserDetails($username)
- {
- return $this->getUser($username);
- }
-
- public function getUser($username)
- {
- if (!$userInfo = $this->getValue($this->config['user_key'] . $username)) {
- return false;
- }
-
- // the default behavior is to use "username" as the user_id
- return array_merge(array(
- 'user_id' => $username,
- ), $userInfo);
- }
-
- public function setUser($username, $password, $first_name = null, $last_name = null)
- {
- return $this->setValue(
- $this->config['user_key'] . $username,
- compact('username', 'password', 'first_name', 'last_name')
- );
- }
-
- /* ClientCredentialsInterface */
- public function checkClientCredentials($client_id, $client_secret = null)
- {
- if (!$client = $this->getClientDetails($client_id)) {
- return false;
- }
-
- return isset($client['client_secret'])
- && $client['client_secret'] == $client_secret;
- }
-
- public function isPublicClient($client_id)
- {
- if (!$client = $this->getClientDetails($client_id)) {
- return false;
- }
-
- return empty($client['client_secret']);
- }
-
- /* ClientInterface */
- public function getClientDetails($client_id)
- {
- return $this->getValue($this->config['client_key'] . $client_id);
- }
-
- public function setClientDetails($client_id, $client_secret = null, $redirect_uri = null, $grant_types = null, $scope = null, $user_id = null)
- {
- return $this->setValue(
- $this->config['client_key'] . $client_id,
- compact('client_id', 'client_secret', 'redirect_uri', 'grant_types', 'scope', 'user_id')
- );
- }
-
- public function checkRestrictedGrantType($client_id, $grant_type)
- {
- $details = $this->getClientDetails($client_id);
- if (isset($details['grant_types'])) {
- $grant_types = explode(' ', $details['grant_types']);
-
- return in_array($grant_type, (array) $grant_types);
- }
-
- // if grant_types are not defined, then none are restricted
- return true;
- }
-
- /* RefreshTokenInterface */
- public function getRefreshToken($refresh_token)
- {
- return $this->getValue($this->config['refresh_token_key'] . $refresh_token);
- }
-
- public function setRefreshToken($refresh_token, $client_id, $user_id, $expires, $scope = null)
- {
- return $this->setValue(
- $this->config['refresh_token_key'] . $refresh_token,
- compact('refresh_token', 'client_id', 'user_id', 'expires', 'scope'),
- $expires
- );
- }
-
- public function unsetRefreshToken($refresh_token)
- {
- $result = $this->expireValue($this->config['refresh_token_key'] . $refresh_token);
-
- return $result > 0;
- }
-
- /* AccessTokenInterface */
- public function getAccessToken($access_token)
- {
- return $this->getValue($this->config['access_token_key'].$access_token);
- }
-
- public function setAccessToken($access_token, $client_id, $user_id, $expires, $scope = null)
- {
- return $this->setValue(
- $this->config['access_token_key'].$access_token,
- compact('access_token', 'client_id', 'user_id', 'expires', 'scope'),
- $expires
- );
- }
-
- public function unsetAccessToken($access_token)
- {
- $result = $this->expireValue($this->config['access_token_key'] . $access_token);
-
- return $result > 0;
- }
-
- /* ScopeInterface */
- public function scopeExists($scope)
- {
- $scope = explode(' ', $scope);
-
- $result = $this->getValue($this->config['scope_key'].'supported:global');
-
- $supportedScope = explode(' ', (string) $result);
-
- return (count(array_diff($scope, $supportedScope)) == 0);
- }
-
- public function getDefaultScope($client_id = null)
- {
- if (is_null($client_id) || !$result = $this->getValue($this->config['scope_key'].'default:'.$client_id)) {
- $result = $this->getValue($this->config['scope_key'].'default:global');
- }
-
- return $result;
- }
-
- public function setScope($scope, $client_id = null, $type = 'supported')
- {
- if (!in_array($type, array('default', 'supported'))) {
- throw new \InvalidArgumentException('"$type" must be one of "default", "supported"');
- }
-
- if (is_null($client_id)) {
- $key = $this->config['scope_key'].$type.':global';
- } else {
- $key = $this->config['scope_key'].$type.':'.$client_id;
- }
-
- return $this->setValue($key, $scope);
- }
-
- /*JWTBearerInterface */
- public function getClientKey($client_id, $subject)
- {
- if (!$jwt = $this->getValue($this->config['jwt_key'] . $client_id)) {
- return false;
- }
-
- if (isset($jwt['subject']) && $jwt['subject'] == $subject) {
- return $jwt['key'];
- }
-
- return null;
- }
-
- public function setClientKey($client_id, $key, $subject = null)
- {
- return $this->setValue($this->config['jwt_key'] . $client_id, array(
- 'key' => $key,
- 'subject' => $subject
- ));
- }
-
- public function getClientScope($client_id)
- {
- if (!$clientDetails = $this->getClientDetails($client_id)) {
- return false;
- }
-
- if (isset($clientDetails['scope'])) {
- return $clientDetails['scope'];
- }
-
- return null;
- }
-
- public function getJti($client_id, $subject, $audience, $expiration, $jti)
- {
- //TODO: Needs redis implementation.
- throw new \Exception('getJti() for the Redis driver is currently unimplemented.');
- }
-
- public function setJti($client_id, $subject, $audience, $expiration, $jti)
- {
- //TODO: Needs redis implementation.
- throw new \Exception('setJti() for the Redis driver is currently unimplemented.');
- }
-}
diff --git a/library/oauth2/src/OAuth2/Storage/RefreshTokenInterface.php b/library/oauth2/src/OAuth2/Storage/RefreshTokenInterface.php
deleted file mode 100644
index 0273f2125..000000000
--- a/library/oauth2/src/OAuth2/Storage/RefreshTokenInterface.php
+++ /dev/null
@@ -1,82 +0,0 @@
-<?php
-
-namespace OAuth2\Storage;
-
-/**
- * Implement this interface to specify where the OAuth2 Server
- * should get/save refresh tokens for the "Refresh Token"
- * grant type
- *
- * @author Brent Shaffer <bshafs at gmail dot com>
- */
-interface RefreshTokenInterface
-{
- /**
- * Grant refresh access tokens.
- *
- * Retrieve the stored data for the given refresh token.
- *
- * Required for OAuth2::GRANT_TYPE_REFRESH_TOKEN.
- *
- * @param $refresh_token
- * Refresh token to be check with.
- *
- * @return
- * An associative array as below, and NULL if the refresh_token is
- * invalid:
- * - refresh_token: Refresh token identifier.
- * - client_id: Client identifier.
- * - user_id: User identifier.
- * - expires: Expiration unix timestamp, or 0 if the token doesn't expire.
- * - scope: (optional) Scope values in space-separated string.
- *
- * @see http://tools.ietf.org/html/rfc6749#section-6
- *
- * @ingroup oauth2_section_6
- */
- public function getRefreshToken($refresh_token);
-
- /**
- * Take the provided refresh token values and store them somewhere.
- *
- * This function should be the storage counterpart to getRefreshToken().
- *
- * If storage fails for some reason, we're not currently checking for
- * any sort of success/failure, so you should bail out of the script
- * and provide a descriptive fail message.
- *
- * Required for OAuth2::GRANT_TYPE_REFRESH_TOKEN.
- *
- * @param $refresh_token
- * Refresh token to be stored.
- * @param $client_id
- * Client identifier to be stored.
- * @param $user_id
- * User identifier to be stored.
- * @param $expires
- * Expiration timestamp to be stored. 0 if the token doesn't expire.
- * @param $scope
- * (optional) Scopes to be stored in space-separated string.
- *
- * @ingroup oauth2_section_6
- */
- public function setRefreshToken($refresh_token, $client_id, $user_id, $expires, $scope = null);
-
- /**
- * Expire a used refresh token.
- *
- * This is not explicitly required in the spec, but is almost implied.
- * After granting a new refresh token, the old one is no longer useful and
- * so should be forcibly expired in the data store so it can't be used again.
- *
- * If storage fails for some reason, we're not currently checking for
- * any sort of success/failure, so you should bail out of the script
- * and provide a descriptive fail message.
- *
- * @param $refresh_token
- * Refresh token to be expirse.
- *
- * @ingroup oauth2_section_6
- */
- public function unsetRefreshToken($refresh_token);
-}
diff --git a/library/oauth2/src/OAuth2/Storage/ScopeInterface.php b/library/oauth2/src/OAuth2/Storage/ScopeInterface.php
deleted file mode 100644
index a8292269b..000000000
--- a/library/oauth2/src/OAuth2/Storage/ScopeInterface.php
+++ /dev/null
@@ -1,46 +0,0 @@
-<?php
-
-namespace OAuth2\Storage;
-
-/**
- * Implement this interface to specify where the OAuth2 Server
- * should retrieve data involving the relevent scopes associated
- * with this implementation.
- *
- * @author Brent Shaffer <bshafs at gmail dot com>
- */
-interface ScopeInterface
-{
- /**
- * Check if the provided scope exists.
- *
- * @param $scope
- * A space-separated string of scopes.
- *
- * @return
- * TRUE if it exists, FALSE otherwise.
- */
- public function scopeExists($scope);
-
- /**
- * The default scope to use in the event the client
- * does not request one. By returning "false", a
- * request_error is returned by the server to force a
- * scope request by the client. By returning "null",
- * opt out of requiring scopes
- *
- * @param $client_id
- * An optional client id that can be used to return customized default scopes.
- *
- * @return
- * string representation of default scope, null if
- * scopes are not defined, or false to force scope
- * request by the client
- *
- * ex:
- * 'default'
- * ex:
- * null
- */
- public function getDefaultScope($client_id = null);
-}
diff --git a/library/oauth2/src/OAuth2/Storage/UserCredentialsInterface.php b/library/oauth2/src/OAuth2/Storage/UserCredentialsInterface.php
deleted file mode 100644
index 6e0fd7bad..000000000
--- a/library/oauth2/src/OAuth2/Storage/UserCredentialsInterface.php
+++ /dev/null
@@ -1,52 +0,0 @@
-<?php
-
-namespace OAuth2\Storage;
-
-/**
- * Implement this interface to specify where the OAuth2 Server
- * should retrieve user credentials for the
- * "Resource Owner Password Credentials" grant type
- *
- * @author Brent Shaffer <bshafs at gmail dot com>
- */
-interface UserCredentialsInterface
-{
- /**
- * Grant access tokens for basic user credentials.
- *
- * Check the supplied username and password for validity.
- *
- * You can also use the $client_id param to do any checks required based
- * on a client, if you need that.
- *
- * Required for OAuth2::GRANT_TYPE_USER_CREDENTIALS.
- *
- * @param $username
- * Username to be check with.
- * @param $password
- * Password to be check with.
- *
- * @return
- * TRUE if the username and password are valid, and FALSE if it isn't.
- * Moreover, if the username and password are valid, and you want to
- *
- * @see http://tools.ietf.org/html/rfc6749#section-4.3
- *
- * @ingroup oauth2_section_4
- */
- public function checkUserCredentials($username, $password);
-
- /**
- * @return
- * ARRAY the associated "user_id" and optional "scope" values
- * This function MUST return FALSE if the requested user does not exist or is
- * invalid. "scope" is a space-separated list of restricted scopes.
- * @code
- * return array(
- * "user_id" => USER_ID, // REQUIRED user_id to be stored with the authorization code or access token
- * "scope" => SCOPE // OPTIONAL space-separated list of restricted scopes
- * );
- * @endcode
- */
- public function getUserDetails($username);
-}