authorzotlabs <mike@macgirvin.com>2016-10-07 14:11:24 -0700
committerzotlabs <mike@macgirvin.com>2016-10-07 14:11:24 -0700
commit10863a5949cc59771424cb809af5c9f279f78a58 (patch)
tree7a86223b830c1ae784bd4557bbefee9f60169542 /library/oauth2/test/OAuth2/ResponseType
parentbf02e0428347350126abdd1726aa3e58c9ed63bb (diff)
add oauth2/oidc lib
Diffstat (limited to 'library/oauth2/test/OAuth2/ResponseType')
-rw-r--r--library/oauth2/test/OAuth2/ResponseType/AccessTokenTest.php107
-rw-r--r--library/oauth2/test/OAuth2/ResponseType/JwtAccessTokenTest.php160
2 files changed, 267 insertions, 0 deletions
diff --git a/library/oauth2/test/OAuth2/ResponseType/AccessTokenTest.php b/library/oauth2/test/OAuth2/ResponseType/AccessTokenTest.php
new file mode 100644
index 000000000..0ed1c82fc
--- /dev/null
+++ b/library/oauth2/test/OAuth2/ResponseType/AccessTokenTest.php
@@ -0,0 +1,107 @@
+<?php
+
+namespace OAuth2\ResponseType;
+
+use OAuth2\Server;
+use OAuth2\Storage\Memory;
+
+class AccessTokenTest extends \PHPUnit_Framework_TestCase
+{
+ public function testRevokeAccessTokenWithTypeHint()
+ {
+ $tokenStorage = new Memory(array(
+ 'access_tokens' => array(
+ 'revoke' => array('mytoken'),
+ ),
+ ));
+
+ $this->assertEquals(array('mytoken'), $tokenStorage->getAccessToken('revoke'));
+ $accessToken = new AccessToken($tokenStorage);
+ $accessToken->revokeToken('revoke', 'access_token');
+ $this->assertFalse($tokenStorage->getAccessToken('revoke'));
+ }
+
+ public function testRevokeAccessTokenWithoutTypeHint()
+ {
+ $tokenStorage = new Memory(array(
+ 'access_tokens' => array(
+ 'revoke' => array('mytoken'),
+ ),
+ ));
+
+ $this->assertEquals(array('mytoken'), $tokenStorage->getAccessToken('revoke'));
+ $accessToken = new AccessToken($tokenStorage);
+ $accessToken->revokeToken('revoke');
+ $this->assertFalse($tokenStorage->getAccessToken('revoke'));
+ }
+
+ public function testRevokeRefreshTokenWithTypeHint()
+ {
+ $tokenStorage = new Memory(array(
+ 'refresh_tokens' => array(
+ 'revoke' => array('mytoken'),
+ ),
+ ));
+
+ $this->assertEquals(array('mytoken'), $tokenStorage->getRefreshToken('revoke'));
+ $accessToken = new AccessToken(new Memory, $tokenStorage);
+ $accessToken->revokeToken('revoke', 'refresh_token');
+ $this->assertFalse($tokenStorage->getRefreshToken('revoke'));
+ }
+
+ public function testRevokeRefreshTokenWithoutTypeHint()
+ {
+ $tokenStorage = new Memory(array(
+ 'refresh_tokens' => array(
+ 'revoke' => array('mytoken'),
+ ),
+ ));
+
+ $this->assertEquals(array('mytoken'), $tokenStorage->getRefreshToken('revoke'));
+ $accessToken = new AccessToken(new Memory, $tokenStorage);
+ $accessToken->revokeToken('revoke');
+ $this->assertFalse($tokenStorage->getRefreshToken('revoke'));
+ }
+
+ public function testRevokeAccessTokenWithRefreshTokenTypeHint()
+ {
+ $tokenStorage = new Memory(array(
+ 'access_tokens' => array(
+ 'revoke' => array('mytoken'),
+ ),
+ ));
+
+ $this->assertEquals(array('mytoken'), $tokenStorage->getAccessToken('revoke'));
+ $accessToken = new AccessToken($tokenStorage);
+ $accessToken->revokeToken('revoke', 'refresh_token');
+ $this->assertFalse($tokenStorage->getAccessToken('revoke'));
+ }
+
+ public function testRevokeAccessTokenWithBogusTypeHint()
+ {
+ $tokenStorage = new Memory(array(
+ 'access_tokens' => array(
+ 'revoke' => array('mytoken'),
+ ),
+ ));
+
+ $this->assertEquals(array('mytoken'), $tokenStorage->getAccessToken('revoke'));
+ $accessToken = new AccessToken($tokenStorage);
+ $accessToken->revokeToken('revoke', 'foo');
+ $this->assertFalse($tokenStorage->getAccessToken('revoke'));
+ }
+
+ public function testRevokeRefreshTokenWithBogusTypeHint()
+ {
+ $tokenStorage = new Memory(array(
+ 'refresh_tokens' => array(
+ 'revoke' => array('mytoken'),
+ ),
+ ));
+
+ $this->assertEquals(array('mytoken'), $tokenStorage->getRefreshToken('revoke'));
+ $accessToken = new AccessToken(new Memory, $tokenStorage);
+ $accessToken->revokeToken('revoke', 'foo');
+ $this->assertFalse($tokenStorage->getRefreshToken('revoke'));
+ }
+}
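Review bot: In testRevokeAccessTokenWithRefreshTokenTypeHint (and testRevokeAccessTokenWithBogusTypeHint) the `AccessToken` is built with only the access-token storage, so the case where a wrong `token_type_hint` is given while a refresh-token storage is also configured is never exercised for access tokens. RFC 7009 treats the hint as advisory and requires the search to extend across all supported token types when the hinted lookup misses, and that fallback is what keeps a mis-hinted token from surviving revocation. Constructing the object as `$accessToken = new AccessToken($tokenStorage, new Memory);` in those two tests would cover it; the refresh-token tests already pass both storages. None of the tests checks the return value of `revokeToken` or what happens for a token that is not in storage, which would be worth one more case.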
diff --git a/library/oauth2/test/OAuth2/ResponseType/JwtAccessTokenTest.php b/library/oauth2/test/OAuth2/ResponseType/JwtAccessTokenTest.php
new file mode 100644
index 000000000..51b01a927
--- /dev/null
+++ b/library/oauth2/test/OAuth2/ResponseType/JwtAccessTokenTest.php
@@ -0,0 +1,160 @@
+<?php
+
+namespace OAuth2\ResponseType;
+
+use OAuth2\Server;
+use OAuth2\Response;
+use OAuth2\Request\TestRequest;
+use OAuth2\Storage\Bootstrap;
+use OAuth2\Storage\JwtAccessToken as JwtAccessTokenStorage;
+use OAuth2\GrantType\ClientCredentials;
+use OAuth2\GrantType\UserCredentials;
+use OAuth2\GrantType\RefreshToken;
+use OAuth2\Encryption\Jwt;
+
+class JwtAccessTokenTest extends \PHPUnit_Framework_TestCase
+{
+ public function testCreateAccessToken()
+ {
+ $server = $this->getTestServer();
+ $jwtResponseType = $server->getResponseType('token');
+
+ $accessToken = $jwtResponseType->createAccessToken('Test Client ID', 123, 'test', false);
+ $jwt = new Jwt;
+ $decodedAccessToken = $jwt->decode($accessToken['access_token'], null, false);
+
+ $this->assertArrayHasKey('id', $decodedAccessToken);
+ $this->assertArrayHasKey('jti', $decodedAccessToken);
+ $this->assertArrayHasKey('iss', $decodedAccessToken);
+ $this->assertArrayHasKey('aud', $decodedAccessToken);
+ $this->assertArrayHasKey('exp', $decodedAccessToken);
+ $this->assertArrayHasKey('iat', $decodedAccessToken);
+ $this->assertArrayHasKey('token_type', $decodedAccessToken);
+ $this->assertArrayHasKey('scope', $decodedAccessToken);
+
+ $this->assertEquals('https://api.example.com', $decodedAccessToken['iss']);
+ $this->assertEquals('Test Client ID', $decodedAccessToken['aud']);
+ $this->assertEquals(123, $decodedAccessToken['sub']);
+ $delta = $decodedAccessToken['exp'] - $decodedAccessToken['iat'];
+ $this->assertEquals(3600, $delta);
+ $this->assertEquals($decodedAccessToken['id'], $decodedAccessToken['jti']);
+ }
+
+ public function testGrantJwtAccessToken()
+ {
+ // add the test parameters in memory
+ $server = $this->getTestServer();
+ $request = TestRequest::createPost(array(
+ 'grant_type' => 'client_credentials', // valid grant type
+ 'client_id' => 'Test Client ID', // valid client id
+ 'client_secret' => 'TestSecret', // valid client secret
+ ));
+ $server->handleTokenRequest($request, $response = new Response());
+
+ $this->assertNotNull($response->getParameter('access_token'));
+ $this->assertEquals(2, substr_count($response->getParameter('access_token'), '.'));
+ }
+
+ public function testAccessResourceWithJwtAccessToken()
+ {
+ // add the test parameters in memory
+ $server = $this->getTestServer();
+ $request = TestRequest::createPost(array(
+ 'grant_type' => 'client_credentials', // valid grant type
+ 'client_id' => 'Test Client ID', // valid client id
+ 'client_secret' => 'TestSecret', // valid client secret
+ ));
+ $server->handleTokenRequest($request, $response = new Response());
+ $this->assertNotNull($JwtAccessToken = $response->getParameter('access_token'));
+
+ // make a call to the resource server using the crypto token
+ $request = TestRequest::createPost(array(
+ 'access_token' => $JwtAccessToken,
+ ));
+
+ $this->assertTrue($server->verifyResourceRequest($request));
+ }
+
+ public function testAccessResourceWithJwtAccessTokenUsingSecondaryStorage()
+ {
+ // add the test parameters in memory
+ $server = $this->getTestServer();
+ $request = TestRequest::createPost(array(
+ 'grant_type' => 'client_credentials', // valid grant type
+ 'client_id' => 'Test Client ID', // valid client id
+ 'client_secret' => 'TestSecret', // valid client secret
+ ));
+ $server->handleTokenRequest($request, $response = new Response());
+ $this->assertNotNull($JwtAccessToken = $response->getParameter('access_token'));
+
+ // make a call to the resource server using the crypto token
+ $request = TestRequest::createPost(array(
+ 'access_token' => $JwtAccessToken,
+ ));
+
+ // create a resource server with the "memory" storage from the grant server
+ $resourceServer = new Server($server->getStorage('client_credentials'));
+
+ $this->assertTrue($resourceServer->verifyResourceRequest($request));
+ }
+
+ public function testJwtAccessTokenWithRefreshToken()
+ {
+ $server = $this->getTestServer();
+
+ // add "UserCredentials" grant type and "JwtAccessToken" response type
+ // and ensure "JwtAccessToken" response type has "RefreshToken" storage
+ $memoryStorage = Bootstrap::getInstance()->getMemoryStorage();
+ $server->addGrantType(new UserCredentials($memoryStorage));
+ $server->addGrantType(new RefreshToken($memoryStorage));
+ $server->addResponseType(new JwtAccessToken($memoryStorage, $memoryStorage, $memoryStorage), 'token');
+
+ $request = TestRequest::createPost(array(
+ 'grant_type' => 'password', // valid grant type
+ 'client_id' => 'Test Client ID', // valid client id
+ 'client_secret' => 'TestSecret', // valid client secret
+ 'username' => 'test-username', // valid username
+ 'password' => 'testpass', // valid password
+ ));
+
+ // make the call to grant a crypto token
+ $server->handleTokenRequest($request, $response = new Response());
+ $this->assertNotNull($JwtAccessToken = $response->getParameter('access_token'));
+ $this->assertNotNull($refreshToken = $response->getParameter('refresh_token'));
+
+ // decode token and make sure refresh_token isn't set
+ list($header, $payload, $signature) = explode('.', $JwtAccessToken);
+ $decodedToken = json_decode(base64_decode($payload), true);
+ $this->assertFalse(array_key_exists('refresh_token', $decodedToken));
+
+ // use the refresh token to get another access token
+ $request = TestRequest::createPost(array(
+ 'grant_type' => 'refresh_token',
+ 'client_id' => 'Test Client ID', // valid client id
+ 'client_secret' => 'TestSecret', // valid client secret
+ 'refresh_token' => $refreshToken,
+ ));
+
+ $server->handleTokenRequest($request, $response = new Response());
+ $this->assertNotNull($response->getParameter('access_token'));
+ }
+
+ private function getTestServer()
+ {
+ $memoryStorage = Bootstrap::getInstance()->getMemoryStorage();
+
+ $storage = array(
+ 'access_token' => new JwtAccessTokenStorage($memoryStorage),
+ 'client' => $memoryStorage,
+ 'client_credentials' => $memoryStorage,
+ );
+ $server = new Server($storage);
+ $server->addGrantType(new ClientCredentials($memoryStorage));
+
+ // make the "token" response type a JwtAccessToken
+ $config = array('issuer' => 'https://api.example.com');
+ $server->addResponseType(new JwtAccessToken($memoryStorage, $memoryStorage, null, $config));
+
+ return $server;
+ }
+}
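Review bot: No test in this file asserts that a JWT with an altered signature or payload is rejected by `verifyResourceRequest`; every case is a happy path. testCreateAccessToken also decodes with `$jwt->decode($accessToken['access_token'], null, false)`, which passes no key and appears to skip signature verification, so the signing path is only covered indirectly. A negative test along the lines below would pin the rejection behaviour down. Separately, testJwtAccessTokenWithRefreshToken decodes the payload with plain `base64_decode`, while JWT segments are base64url; `json_decode(base64_decode(strtr($payload, '-_', '+/')), true)` avoids a null `$decodedToken` when the segment happens to contain `-` or `_`.

```php
    public function testAccessResourceWithTamperedJwtAccessToken()
    {
        $server = $this->getTestServer();
        $request = TestRequest::createPost(array(
            'grant_type' => 'client_credentials',
            'client_id' => 'Test Client ID',
            'client_secret' => 'TestSecret',
        ));
        $server->handleTokenRequest($request, $response = new Response());
        $this->assertNotNull($JwtAccessToken = $response->getParameter('access_token'));

        // keep header and claims as issued, change only the signature segment
        list($header, $payload, $signature) = explode('.', $JwtAccessToken);
        $tampered = $header . '.' . $payload . '.' . strrev($signature);

        $request = TestRequest::createPost(array(
            'access_token' => $tampered,
        ));

        // expected: the resource request is refused once the signature no longer matches
        $this->assertFalse($server->verifyResourceRequest($request));
    }
```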