diff options
Diffstat (limited to 'library/oauth2/src/OAuth2/GrantType')
6 files changed, 0 insertions, 607 deletions
diff --git a/library/oauth2/src/OAuth2/GrantType/AuthorizationCode.php b/library/oauth2/src/OAuth2/GrantType/AuthorizationCode.php deleted file mode 100644 index e8995204c..000000000 --- a/library/oauth2/src/OAuth2/GrantType/AuthorizationCode.php +++ /dev/null @@ -1,100 +0,0 @@ -<?php - -namespace OAuth2\GrantType; - -use OAuth2\Storage\AuthorizationCodeInterface; -use OAuth2\ResponseType\AccessTokenInterface; -use OAuth2\RequestInterface; -use OAuth2\ResponseInterface; - -/** - * - * @author Brent Shaffer <bshafs at gmail dot com> - */ -class AuthorizationCode implements GrantTypeInterface -{ - protected $storage; - protected $authCode; - - /** - * @param OAuth2\Storage\AuthorizationCodeInterface $storage REQUIRED Storage class for retrieving authorization code information - */ - public function __construct(AuthorizationCodeInterface $storage) - { - $this->storage = $storage; - } - - public function getQuerystringIdentifier() - { - return 'authorization_code'; - } - - public function validateRequest(RequestInterface $request, ResponseInterface $response) - { - if (!$request->request('code')) { - $response->setError(400, 'invalid_request', 'Missing parameter: "code" is required'); - - return false; - } - - $code = $request->request('code'); - if (!$authCode = $this->storage->getAuthorizationCode($code)) { - $response->setError(400, 'invalid_grant', 'Authorization code doesn\'t exist or is invalid for the client'); - - return false; - } - - /* - * 4.1.3 - ensure that the "redirect_uri" parameter is present if the "redirect_uri" parameter was included in the initial authorization request - * @uri - http://tools.ietf.org/html/rfc6749#section-4.1.3 - */ - if (isset($authCode['redirect_uri']) && $authCode['redirect_uri']) { - if (!$request->request('redirect_uri') || urldecode($request->request('redirect_uri')) != $authCode['redirect_uri']) { - $response->setError(400, 'redirect_uri_mismatch', "The redirect URI is missing or do not match", "#section-4.1.3"); - - return false; - } - } - - if (!isset($authCode['expires'])) { - throw new \Exception('Storage must return authcode with a value for "expires"'); - } - - if ($authCode["expires"] < time()) { - $response->setError(400, 'invalid_grant', "The authorization code has expired"); - - return false; - } - - if (!isset($authCode['code'])) { - $authCode['code'] = $code; // used to expire the code after the access token is granted - } - - $this->authCode = $authCode; - - return true; - } - - public function getClientId() - { - return $this->authCode['client_id']; - } - - public function getScope() - { - return isset($this->authCode['scope']) ? $this->authCode['scope'] : null; - } - - public function getUserId() - { - return isset($this->authCode['user_id']) ? $this->authCode['user_id'] : null; - } - - public function createAccessToken(AccessTokenInterface $accessToken, $client_id, $user_id, $scope) - { - $token = $accessToken->createAccessToken($client_id, $user_id, $scope); - $this->storage->expireAuthorizationCode($this->authCode['code']); - - return $token; - } -} diff --git a/library/oauth2/src/OAuth2/GrantType/ClientCredentials.php b/library/oauth2/src/OAuth2/GrantType/ClientCredentials.php deleted file mode 100644 index f953e4e8d..000000000 --- a/library/oauth2/src/OAuth2/GrantType/ClientCredentials.php +++ /dev/null @@ -1,67 +0,0 @@ -<?php - -namespace OAuth2\GrantType; - -use OAuth2\ClientAssertionType\HttpBasic; -use OAuth2\ResponseType\AccessTokenInterface; -use OAuth2\Storage\ClientCredentialsInterface; - -/** - * @author Brent Shaffer <bshafs at gmail dot com> - * - * @see OAuth2\ClientAssertionType_HttpBasic - */ -class ClientCredentials extends HttpBasic implements GrantTypeInterface -{ - private $clientData; - - public function __construct(ClientCredentialsInterface $storage, array $config = array()) - { - /** - * The client credentials grant type MUST only be used by confidential clients - * - * @see http://tools.ietf.org/html/rfc6749#section-4.4 - */ - $config['allow_public_clients'] = false; - - parent::__construct($storage, $config); - } - - public function getQuerystringIdentifier() - { - return 'client_credentials'; - } - - public function getScope() - { - $this->loadClientData(); - - return isset($this->clientData['scope']) ? $this->clientData['scope'] : null; - } - - public function getUserId() - { - $this->loadClientData(); - - return isset($this->clientData['user_id']) ? $this->clientData['user_id'] : null; - } - - public function createAccessToken(AccessTokenInterface $accessToken, $client_id, $user_id, $scope) - { - /** - * Client Credentials Grant does NOT include a refresh token - * - * @see http://tools.ietf.org/html/rfc6749#section-4.4.3 - */ - $includeRefreshToken = false; - - return $accessToken->createAccessToken($client_id, $user_id, $scope, $includeRefreshToken); - } - - private function loadClientData() - { - if (!$this->clientData) { - $this->clientData = $this->storage->getClientDetails($this->getClientId()); - } - } -} diff --git a/library/oauth2/src/OAuth2/GrantType/GrantTypeInterface.php b/library/oauth2/src/OAuth2/GrantType/GrantTypeInterface.php deleted file mode 100644 index 98489e9c1..000000000 --- a/library/oauth2/src/OAuth2/GrantType/GrantTypeInterface.php +++ /dev/null @@ -1,20 +0,0 @@ -<?php - -namespace OAuth2\GrantType; - -use OAuth2\ResponseType\AccessTokenInterface; -use OAuth2\RequestInterface; -use OAuth2\ResponseInterface; - -/** - * Interface for all OAuth2 Grant Types - */ -interface GrantTypeInterface -{ - public function getQuerystringIdentifier(); - public function validateRequest(RequestInterface $request, ResponseInterface $response); - public function getClientId(); - public function getUserId(); - public function getScope(); - public function createAccessToken(AccessTokenInterface $accessToken, $client_id, $user_id, $scope); -} diff --git a/library/oauth2/src/OAuth2/GrantType/JwtBearer.php b/library/oauth2/src/OAuth2/GrantType/JwtBearer.php deleted file mode 100644 index bb11a6954..000000000 --- a/library/oauth2/src/OAuth2/GrantType/JwtBearer.php +++ /dev/null @@ -1,226 +0,0 @@ -<?php - -namespace OAuth2\GrantType; - -use OAuth2\ClientAssertionType\ClientAssertionTypeInterface; -use OAuth2\Storage\JwtBearerInterface; -use OAuth2\Encryption\Jwt; -use OAuth2\Encryption\EncryptionInterface; -use OAuth2\ResponseType\AccessTokenInterface; -use OAuth2\RequestInterface; -use OAuth2\ResponseInterface; - -/** - * The JWT bearer authorization grant implements JWT (JSON Web Tokens) as a grant type per the IETF draft. - * - * @see http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-04#section-4 - * - * @author F21 - * @author Brent Shaffer <bshafs at gmail dot com> - */ -class JwtBearer implements GrantTypeInterface, ClientAssertionTypeInterface -{ - private $jwt; - - protected $storage; - protected $audience; - protected $jwtUtil; - protected $allowedAlgorithms; - - /** - * Creates an instance of the JWT bearer grant type. - * - * @param OAuth2\Storage\JWTBearerInterface|JwtBearerInterface $storage A valid storage interface that implements storage hooks for the JWT bearer grant type. - * @param string $audience The audience to validate the token against. This is usually the full URI of the OAuth token requests endpoint. - * @param EncryptionInterface|OAuth2\Encryption\JWT $jwtUtil OPTONAL The class used to decode, encode and verify JWTs. - * @param array $config - */ - public function __construct(JwtBearerInterface $storage, $audience, EncryptionInterface $jwtUtil = null, array $config = array()) - { - $this->storage = $storage; - $this->audience = $audience; - - if (is_null($jwtUtil)) { - $jwtUtil = new Jwt(); - } - - $this->config = array_merge(array( - 'allowed_algorithms' => array('RS256', 'RS384', 'RS512') - ), $config); - - $this->jwtUtil = $jwtUtil; - - $this->allowedAlgorithms = $this->config['allowed_algorithms']; - } - - /** - * Returns the grant_type get parameter to identify the grant type request as JWT bearer authorization grant. - * - * @return - * The string identifier for grant_type. - * - * @see OAuth2\GrantType\GrantTypeInterface::getQuerystringIdentifier() - */ - public function getQuerystringIdentifier() - { - return 'urn:ietf:params:oauth:grant-type:jwt-bearer'; - } - - /** - * Validates the data from the decoded JWT. - * - * @return - * TRUE if the JWT request is valid and can be decoded. Otherwise, FALSE is returned. - * - * @see OAuth2\GrantType\GrantTypeInterface::getTokenData() - */ - public function validateRequest(RequestInterface $request, ResponseInterface $response) - { - if (!$request->request("assertion")) { - $response->setError(400, 'invalid_request', 'Missing parameters: "assertion" required'); - - return null; - } - - // Store the undecoded JWT for later use - $undecodedJWT = $request->request('assertion'); - - // Decode the JWT - $jwt = $this->jwtUtil->decode($request->request('assertion'), null, false); - - if (!$jwt) { - $response->setError(400, 'invalid_request', "JWT is malformed"); - - return null; - } - - // ensure these properties contain a value - // @todo: throw malformed error for missing properties - $jwt = array_merge(array( - 'scope' => null, - 'iss' => null, - 'sub' => null, - 'aud' => null, - 'exp' => null, - 'nbf' => null, - 'iat' => null, - 'jti' => null, - 'typ' => null, - ), $jwt); - - if (!isset($jwt['iss'])) { - $response->setError(400, 'invalid_grant', "Invalid issuer (iss) provided"); - - return null; - } - - if (!isset($jwt['sub'])) { - $response->setError(400, 'invalid_grant', "Invalid subject (sub) provided"); - - return null; - } - - if (!isset($jwt['exp'])) { - $response->setError(400, 'invalid_grant', "Expiration (exp) time must be present"); - - return null; - } - - // Check expiration - if (ctype_digit($jwt['exp'])) { - if ($jwt['exp'] <= time()) { - $response->setError(400, 'invalid_grant', "JWT has expired"); - - return null; - } - } else { - $response->setError(400, 'invalid_grant', "Expiration (exp) time must be a unix time stamp"); - - return null; - } - - // Check the not before time - if ($notBefore = $jwt['nbf']) { - if (ctype_digit($notBefore)) { - if ($notBefore > time()) { - $response->setError(400, 'invalid_grant', "JWT cannot be used before the Not Before (nbf) time"); - - return null; - } - } else { - $response->setError(400, 'invalid_grant', "Not Before (nbf) time must be a unix time stamp"); - - return null; - } - } - - // Check the audience if required to match - if (!isset($jwt['aud']) || ($jwt['aud'] != $this->audience)) { - $response->setError(400, 'invalid_grant', "Invalid audience (aud)"); - - return null; - } - - // Check the jti (nonce) - // @see http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-13#section-4.1.7 - if (isset($jwt['jti'])) { - $jti = $this->storage->getJti($jwt['iss'], $jwt['sub'], $jwt['aud'], $jwt['exp'], $jwt['jti']); - - //Reject if jti is used and jwt is still valid (exp parameter has not expired). - if ($jti && $jti['expires'] > time()) { - $response->setError(400, 'invalid_grant', "JSON Token Identifier (jti) has already been used"); - - return null; - } else { - $this->storage->setJti($jwt['iss'], $jwt['sub'], $jwt['aud'], $jwt['exp'], $jwt['jti']); - } - } - - // Get the iss's public key - // @see http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-06#section-4.1.1 - if (!$key = $this->storage->getClientKey($jwt['iss'], $jwt['sub'])) { - $response->setError(400, 'invalid_grant', "Invalid issuer (iss) or subject (sub) provided"); - - return null; - } - - // Verify the JWT - if (!$this->jwtUtil->decode($undecodedJWT, $key, $this->allowedAlgorithms)) { - $response->setError(400, 'invalid_grant', "JWT failed signature verification"); - - return null; - } - - $this->jwt = $jwt; - - return true; - } - - public function getClientId() - { - return $this->jwt['iss']; - } - - public function getUserId() - { - return $this->jwt['sub']; - } - - public function getScope() - { - return null; - } - - /** - * Creates an access token that is NOT associated with a refresh token. - * If a subject (sub) the name of the user/account we are accessing data on behalf of. - * - * @see OAuth2\GrantType\GrantTypeInterface::createAccessToken() - */ - public function createAccessToken(AccessTokenInterface $accessToken, $client_id, $user_id, $scope) - { - $includeRefreshToken = false; - - return $accessToken->createAccessToken($client_id, $user_id, $scope, $includeRefreshToken); - } -} diff --git a/library/oauth2/src/OAuth2/GrantType/RefreshToken.php b/library/oauth2/src/OAuth2/GrantType/RefreshToken.php deleted file mode 100644 index e55385222..000000000 --- a/library/oauth2/src/OAuth2/GrantType/RefreshToken.php +++ /dev/null @@ -1,111 +0,0 @@ -<?php - -namespace OAuth2\GrantType; - -use OAuth2\Storage\RefreshTokenInterface; -use OAuth2\ResponseType\AccessTokenInterface; -use OAuth2\RequestInterface; -use OAuth2\ResponseInterface; - -/** - * - * @author Brent Shaffer <bshafs at gmail dot com> - */ -class RefreshToken implements GrantTypeInterface -{ - private $refreshToken; - - protected $storage; - protected $config; - - /** - * @param OAuth2\Storage\RefreshTokenInterface $storage REQUIRED Storage class for retrieving refresh token information - * @param array $config OPTIONAL Configuration options for the server - * <code> - * $config = array( - * 'always_issue_new_refresh_token' => true, // whether to issue a new refresh token upon successful token request - * 'unset_refresh_token_after_use' => true // whether to unset the refresh token after after using - * ); - * </code> - */ - public function __construct(RefreshTokenInterface $storage, $config = array()) - { - $this->config = array_merge(array( - 'always_issue_new_refresh_token' => false, - 'unset_refresh_token_after_use' => true - ), $config); - - // to preserve B.C. with v1.6 - // @see https://github.com/bshaffer/oauth2-server-php/pull/580 - // @todo - remove in v2.0 - if (isset($config['always_issue_new_refresh_token']) && !isset($config['unset_refresh_token_after_use'])) { - $this->config['unset_refresh_token_after_use'] = $config['always_issue_new_refresh_token']; - } - - $this->storage = $storage; - } - - public function getQuerystringIdentifier() - { - return 'refresh_token'; - } - - public function validateRequest(RequestInterface $request, ResponseInterface $response) - { - if (!$request->request("refresh_token")) { - $response->setError(400, 'invalid_request', 'Missing parameter: "refresh_token" is required'); - - return null; - } - - if (!$refreshToken = $this->storage->getRefreshToken($request->request("refresh_token"))) { - $response->setError(400, 'invalid_grant', 'Invalid refresh token'); - - return null; - } - - if ($refreshToken['expires'] > 0 && $refreshToken["expires"] < time()) { - $response->setError(400, 'invalid_grant', 'Refresh token has expired'); - - return null; - } - - // store the refresh token locally so we can delete it when a new refresh token is generated - $this->refreshToken = $refreshToken; - - return true; - } - - public function getClientId() - { - return $this->refreshToken['client_id']; - } - - public function getUserId() - { - return isset($this->refreshToken['user_id']) ? $this->refreshToken['user_id'] : null; - } - - public function getScope() - { - return isset($this->refreshToken['scope']) ? $this->refreshToken['scope'] : null; - } - - public function createAccessToken(AccessTokenInterface $accessToken, $client_id, $user_id, $scope) - { - /* - * It is optional to force a new refresh token when a refresh token is used. - * However, if a new refresh token is issued, the old one MUST be expired - * @see http://tools.ietf.org/html/rfc6749#section-6 - */ - $issueNewRefreshToken = $this->config['always_issue_new_refresh_token']; - $unsetRefreshToken = $this->config['unset_refresh_token_after_use']; - $token = $accessToken->createAccessToken($client_id, $user_id, $scope, $issueNewRefreshToken); - - if ($unsetRefreshToken) { - $this->storage->unsetRefreshToken($this->refreshToken['refresh_token']); - } - - return $token; - } -} diff --git a/library/oauth2/src/OAuth2/GrantType/UserCredentials.php b/library/oauth2/src/OAuth2/GrantType/UserCredentials.php deleted file mode 100644 index f165538ba..000000000 --- a/library/oauth2/src/OAuth2/GrantType/UserCredentials.php +++ /dev/null @@ -1,83 +0,0 @@ -<?php - -namespace OAuth2\GrantType; - -use OAuth2\Storage\UserCredentialsInterface; -use OAuth2\ResponseType\AccessTokenInterface; -use OAuth2\RequestInterface; -use OAuth2\ResponseInterface; - -/** - * - * @author Brent Shaffer <bshafs at gmail dot com> - */ -class UserCredentials implements GrantTypeInterface -{ - private $userInfo; - - protected $storage; - - /** - * @param OAuth2\Storage\UserCredentialsInterface $storage REQUIRED Storage class for retrieving user credentials information - */ - public function __construct(UserCredentialsInterface $storage) - { - $this->storage = $storage; - } - - public function getQuerystringIdentifier() - { - return 'password'; - } - - public function validateRequest(RequestInterface $request, ResponseInterface $response) - { - if (!$request->request("password") || !$request->request("username")) { - $response->setError(400, 'invalid_request', 'Missing parameters: "username" and "password" required'); - - return null; - } - - if (!$this->storage->checkUserCredentials($request->request("username"), $request->request("password"))) { - $response->setError(401, 'invalid_grant', 'Invalid username and password combination'); - - return null; - } - - $userInfo = $this->storage->getUserDetails($request->request("username")); - - if (empty($userInfo)) { - $response->setError(400, 'invalid_grant', 'Unable to retrieve user information'); - - return null; - } - - if (!isset($userInfo['user_id'])) { - throw new \LogicException("you must set the user_id on the array returned by getUserDetails"); - } - - $this->userInfo = $userInfo; - - return true; - } - - public function getClientId() - { - return null; - } - - public function getUserId() - { - return $this->userInfo['user_id']; - } - - public function getScope() - { - return isset($this->userInfo['scope']) ? $this->userInfo['scope'] : null; - } - - public function createAccessToken(AccessTokenInterface $accessToken, $client_id, $user_id, $scope) - { - return $accessToken->createAccessToken($client_id, $user_id, $scope); - } -} |