diff options
Diffstat (limited to 'library/oauth2/src/OAuth2/ResponseType')
6 files changed, 0 insertions, 490 deletions
diff --git a/library/oauth2/src/OAuth2/ResponseType/AccessToken.php b/library/oauth2/src/OAuth2/ResponseType/AccessToken.php deleted file mode 100644 index b235ad0c5..000000000 --- a/library/oauth2/src/OAuth2/ResponseType/AccessToken.php +++ /dev/null @@ -1,194 +0,0 @@ -<?php - -namespace OAuth2\ResponseType; - -use OAuth2\Storage\AccessTokenInterface as AccessTokenStorageInterface; -use OAuth2\Storage\RefreshTokenInterface; - -/** - * - * @author Brent Shaffer <bshafs at gmail dot com> - */ -class AccessToken implements AccessTokenInterface -{ - protected $tokenStorage; - protected $refreshStorage; - protected $config; - - /** - * @param OAuth2\Storage\AccessTokenInterface $tokenStorage REQUIRED Storage class for saving access token information - * @param OAuth2\Storage\RefreshTokenInterface $refreshStorage OPTIONAL Storage class for saving refresh token information - * @param array $config OPTIONAL Configuration options for the server - * <code> - * $config = array( - * 'token_type' => 'bearer', // token type identifier - * 'access_lifetime' => 3600, // time before access token expires - * 'refresh_token_lifetime' => 1209600, // time before refresh token expires - * ); - * </endcode> - */ - public function __construct(AccessTokenStorageInterface $tokenStorage, RefreshTokenInterface $refreshStorage = null, array $config = array()) - { - $this->tokenStorage = $tokenStorage; - $this->refreshStorage = $refreshStorage; - - $this->config = array_merge(array( - 'token_type' => 'bearer', - 'access_lifetime' => 3600, - 'refresh_token_lifetime' => 1209600, - ), $config); - } - - public function getAuthorizeResponse($params, $user_id = null) - { - // build the URL to redirect to - $result = array('query' => array()); - - $params += array('scope' => null, 'state' => null); - - /* - * a refresh token MUST NOT be included in the fragment - * - * @see http://tools.ietf.org/html/rfc6749#section-4.2.2 - */ - $includeRefreshToken = false; - $result["fragment"] = $this->createAccessToken($params['client_id'], $user_id, $params['scope'], $includeRefreshToken); - - if (isset($params['state'])) { - $result["fragment"]["state"] = $params['state']; - } - - return array($params['redirect_uri'], $result); - } - - /** - * Handle the creation of access token, also issue refresh token if supported / desirable. - * - * @param $client_id client identifier related to the access token. - * @param $user_id user ID associated with the access token - * @param $scope OPTIONAL scopes to be stored in space-separated string. - * @param bool $includeRefreshToken if true, a new refresh_token will be added to the response - * - * @see http://tools.ietf.org/html/rfc6749#section-5 - * @ingroup oauth2_section_5 - */ - public function createAccessToken($client_id, $user_id, $scope = null, $includeRefreshToken = true) - { - $token = array( - "access_token" => $this->generateAccessToken(), - "expires_in" => $this->config['access_lifetime'], - "token_type" => $this->config['token_type'], - "scope" => $scope - ); - - $this->tokenStorage->setAccessToken($token["access_token"], $client_id, $user_id, $this->config['access_lifetime'] ? time() + $this->config['access_lifetime'] : null, $scope); - - /* - * Issue a refresh token also, if we support them - * - * Refresh Tokens are considered supported if an instance of OAuth2\Storage\RefreshTokenInterface - * is supplied in the constructor - */ - if ($includeRefreshToken && $this->refreshStorage) { - $token["refresh_token"] = $this->generateRefreshToken(); - $expires = 0; - if ($this->config['refresh_token_lifetime'] > 0) { - $expires = time() + $this->config['refresh_token_lifetime']; - } - $this->refreshStorage->setRefreshToken($token['refresh_token'], $client_id, $user_id, $expires, $scope); - } - - return $token; - } - - /** - * Generates an unique access token. - * - * Implementing classes may want to override this function to implement - * other access token generation schemes. - * - * @return - * An unique access token. - * - * @ingroup oauth2_section_4 - */ - protected function generateAccessToken() - { - if (function_exists('mcrypt_create_iv')) { - $randomData = mcrypt_create_iv(20, MCRYPT_DEV_URANDOM); - if ($randomData !== false && strlen($randomData) === 20) { - return bin2hex($randomData); - } - } - if (function_exists('openssl_random_pseudo_bytes')) { - $randomData = openssl_random_pseudo_bytes(20); - if ($randomData !== false && strlen($randomData) === 20) { - return bin2hex($randomData); - } - } - if (@file_exists('/dev/urandom')) { // Get 100 bytes of random data - $randomData = file_get_contents('/dev/urandom', false, null, 0, 20); - if ($randomData !== false && strlen($randomData) === 20) { - return bin2hex($randomData); - } - } - // Last resort which you probably should just get rid of: - $randomData = mt_rand() . mt_rand() . mt_rand() . mt_rand() . microtime(true) . uniqid(mt_rand(), true); - - return substr(hash('sha512', $randomData), 0, 40); - } - - /** - * Generates an unique refresh token - * - * Implementing classes may want to override this function to implement - * other refresh token generation schemes. - * - * @return - * An unique refresh. - * - * @ingroup oauth2_section_4 - * @see OAuth2::generateAccessToken() - */ - protected function generateRefreshToken() - { - return $this->generateAccessToken(); // let's reuse the same scheme for token generation - } - - /** - * Handle the revoking of refresh tokens, and access tokens if supported / desirable - * RFC7009 specifies that "If the server is unable to locate the token using - * the given hint, it MUST extend its search across all of its supported token types" - * - * @param $token - * @param null $tokenTypeHint - * @return boolean - */ - public function revokeToken($token, $tokenTypeHint = null) - { - if ($tokenTypeHint == 'refresh_token') { - if ($this->refreshStorage && $revoked = $this->refreshStorage->unsetRefreshToken($token)) { - return true; - } - } - - /** @TODO remove in v2 */ - if (!method_exists($this->tokenStorage, 'unsetAccessToken')) { - throw new \RuntimeException( - sprintf('Token storage %s must implement unsetAccessToken method', get_class($this->tokenStorage) - )); - } - - $revoked = $this->tokenStorage->unsetAccessToken($token); - - // if a typehint is supplied and fails, try other storages - // @see https://tools.ietf.org/html/rfc7009#section-2.1 - if (!$revoked && $tokenTypeHint != 'refresh_token') { - if ($this->refreshStorage) { - $revoked = $this->refreshStorage->unsetRefreshToken($token); - } - } - - return $revoked; - } -} diff --git a/library/oauth2/src/OAuth2/ResponseType/AccessTokenInterface.php b/library/oauth2/src/OAuth2/ResponseType/AccessTokenInterface.php deleted file mode 100644 index 4bd3928d8..000000000 --- a/library/oauth2/src/OAuth2/ResponseType/AccessTokenInterface.php +++ /dev/null @@ -1,34 +0,0 @@ -<?php - -namespace OAuth2\ResponseType; - -/** - * - * @author Brent Shaffer <bshafs at gmail dot com> - */ -interface AccessTokenInterface extends ResponseTypeInterface -{ - /** - * Handle the creation of access token, also issue refresh token if supported / desirable. - * - * @param $client_id client identifier related to the access token. - * @param $user_id user ID associated with the access token - * @param $scope OPTONAL scopes to be stored in space-separated string. - * @param bool $includeRefreshToken if true, a new refresh_token will be added to the response - * - * @see http://tools.ietf.org/html/rfc6749#section-5 - * @ingroup oauth2_section_5 - */ - public function createAccessToken($client_id, $user_id, $scope = null, $includeRefreshToken = true); - - /** - * Handle the revoking of refresh tokens, and access tokens if supported / desirable - * - * @param $token - * @param $tokenTypeHint - * @return mixed - * - * @todo v2.0 include this method in interface. Omitted to maintain BC in v1.x - */ - //public function revokeToken($token, $tokenTypeHint); -} diff --git a/library/oauth2/src/OAuth2/ResponseType/AuthorizationCode.php b/library/oauth2/src/OAuth2/ResponseType/AuthorizationCode.php deleted file mode 100644 index 6a305fd75..000000000 --- a/library/oauth2/src/OAuth2/ResponseType/AuthorizationCode.php +++ /dev/null @@ -1,100 +0,0 @@ -<?php - -namespace OAuth2\ResponseType; - -use OAuth2\Storage\AuthorizationCodeInterface as AuthorizationCodeStorageInterface; - -/** - * - * @author Brent Shaffer <bshafs at gmail dot com> - */ -class AuthorizationCode implements AuthorizationCodeInterface -{ - protected $storage; - protected $config; - - public function __construct(AuthorizationCodeStorageInterface $storage, array $config = array()) - { - $this->storage = $storage; - $this->config = array_merge(array( - 'enforce_redirect' => false, - 'auth_code_lifetime' => 30, - ), $config); - } - - public function getAuthorizeResponse($params, $user_id = null) - { - // build the URL to redirect to - $result = array('query' => array()); - - $params += array('scope' => null, 'state' => null); - - $result['query']['code'] = $this->createAuthorizationCode($params['client_id'], $user_id, $params['redirect_uri'], $params['scope']); - - if (isset($params['state'])) { - $result['query']['state'] = $params['state']; - } - - return array($params['redirect_uri'], $result); - } - - /** - * Handle the creation of the authorization code. - * - * @param $client_id - * Client identifier related to the authorization code - * @param $user_id - * User ID associated with the authorization code - * @param $redirect_uri - * An absolute URI to which the authorization server will redirect the - * user-agent to when the end-user authorization step is completed. - * @param $scope - * (optional) Scopes to be stored in space-separated string. - * - * @see http://tools.ietf.org/html/rfc6749#section-4 - * @ingroup oauth2_section_4 - */ - public function createAuthorizationCode($client_id, $user_id, $redirect_uri, $scope = null) - { - $code = $this->generateAuthorizationCode(); - $this->storage->setAuthorizationCode($code, $client_id, $user_id, $redirect_uri, time() + $this->config['auth_code_lifetime'], $scope); - - return $code; - } - - /** - * @return - * TRUE if the grant type requires a redirect_uri, FALSE if not - */ - public function enforceRedirect() - { - return $this->config['enforce_redirect']; - } - - /** - * Generates an unique auth code. - * - * Implementing classes may want to override this function to implement - * other auth code generation schemes. - * - * @return - * An unique auth code. - * - * @ingroup oauth2_section_4 - */ - protected function generateAuthorizationCode() - { - $tokenLen = 40; - if (function_exists('mcrypt_create_iv')) { - $randomData = mcrypt_create_iv(100, MCRYPT_DEV_URANDOM); - } elseif (function_exists('openssl_random_pseudo_bytes')) { - $randomData = openssl_random_pseudo_bytes(100); - } elseif (@file_exists('/dev/urandom')) { // Get 100 bytes of random data - $randomData = file_get_contents('/dev/urandom', false, null, 0, 100) . uniqid(mt_rand(), true); - } else { - $randomData = mt_rand() . mt_rand() . mt_rand() . mt_rand() . microtime(true) . uniqid(mt_rand(), true); - } - - return substr(hash('sha512', $randomData), 0, $tokenLen); - } -} diff --git a/library/oauth2/src/OAuth2/ResponseType/AuthorizationCodeInterface.php b/library/oauth2/src/OAuth2/ResponseType/AuthorizationCodeInterface.php deleted file mode 100644 index df777e221..000000000 --- a/library/oauth2/src/OAuth2/ResponseType/AuthorizationCodeInterface.php +++ /dev/null @@ -1,30 +0,0 @@ -<?php - -namespace OAuth2\ResponseType; - -/** - * - * @author Brent Shaffer <bshafs at gmail dot com> - */ -interface AuthorizationCodeInterface extends ResponseTypeInterface -{ - /** - * @return - * TRUE if the grant type requires a redirect_uri, FALSE if not - */ - public function enforceRedirect(); - - /** - * Handle the creation of the authorization code. - * - * @param $client_id client identifier related to the authorization code - * @param $user_id user id associated with the authorization code - * @param $redirect_uri an absolute URI to which the authorization server will redirect the - * user-agent to when the end-user authorization step is completed. - * @param $scope OPTIONAL scopes to be stored in space-separated string. - * - * @see http://tools.ietf.org/html/rfc6749#section-4 - * @ingroup oauth2_section_4 - */ - public function createAuthorizationCode($client_id, $user_id, $redirect_uri, $scope = null); -} diff --git a/library/oauth2/src/OAuth2/ResponseType/JwtAccessToken.php b/library/oauth2/src/OAuth2/ResponseType/JwtAccessToken.php deleted file mode 100644 index 3942fe41e..000000000 --- a/library/oauth2/src/OAuth2/ResponseType/JwtAccessToken.php +++ /dev/null @@ -1,124 +0,0 @@ -<?php - -namespace OAuth2\ResponseType; - -use OAuth2\Encryption\EncryptionInterface; -use OAuth2\Encryption\Jwt; -use OAuth2\Storage\AccessTokenInterface as AccessTokenStorageInterface; -use OAuth2\Storage\RefreshTokenInterface; -use OAuth2\Storage\PublicKeyInterface; -use OAuth2\Storage\Memory; - -/** - * - * @author Brent Shaffer <bshafs at gmail dot com> - */ -class JwtAccessToken extends AccessToken -{ - protected $publicKeyStorage; - protected $encryptionUtil; - - /** - * @param $config - * - store_encrypted_token_string (bool true) - * whether the entire encrypted string is stored, - * or just the token ID is stored - */ - public function __construct(PublicKeyInterface $publicKeyStorage = null, AccessTokenStorageInterface $tokenStorage = null, RefreshTokenInterface $refreshStorage = null, array $config = array(), EncryptionInterface $encryptionUtil = null) - { - $this->publicKeyStorage = $publicKeyStorage; - $config = array_merge(array( - 'store_encrypted_token_string' => true, - 'issuer' => '' - ), $config); - if (is_null($tokenStorage)) { - // a pass-thru, so we can call the parent constructor - $tokenStorage = new Memory(); - } - if (is_null($encryptionUtil)) { - $encryptionUtil = new Jwt(); - } - $this->encryptionUtil = $encryptionUtil; - parent::__construct($tokenStorage, $refreshStorage, $config); - } - - /** - * Handle the creation of access token, also issue refresh token if supported / desirable. - * - * @param $client_id - * Client identifier related to the access token. - * @param $user_id - * User ID associated with the access token - * @param $scope - * (optional) Scopes to be stored in space-separated string. - * @param bool $includeRefreshToken - * If true, a new refresh_token will be added to the response - * - * @see http://tools.ietf.org/html/rfc6749#section-5 - * @ingroup oauth2_section_5 - */ - public function createAccessToken($client_id, $user_id, $scope = null, $includeRefreshToken = true) - { - // token to encrypt - $expires = time() + $this->config['access_lifetime']; - $id = $this->generateAccessToken(); - $jwtAccessToken = array( - 'id' => $id, // for BC (see #591) - 'jti' => $id, - 'iss' => $this->config['issuer'], - 'aud' => $client_id, - 'sub' => $user_id, - 'exp' => $expires, - 'iat' => time(), - 'token_type' => $this->config['token_type'], - 'scope' => $scope - ); - - /* - * Encode the token data into a single access_token string - */ - $access_token = $this->encodeToken($jwtAccessToken, $client_id); - - /* - * Save the token to a secondary storage. This is implemented on the - * OAuth2\Storage\JwtAccessToken side, and will not actually store anything, - * if no secondary storage has been supplied - */ - $token_to_store = $this->config['store_encrypted_token_string'] ? $access_token : $jwtAccessToken['id']; - $this->tokenStorage->setAccessToken($token_to_store, $client_id, $user_id, $this->config['access_lifetime'] ? time() + $this->config['access_lifetime'] : null, $scope); - - // token to return to the client - $token = array( - 'access_token' => $access_token, - 'expires_in' => $this->config['access_lifetime'], - 'token_type' => $this->config['token_type'], - 'scope' => $scope - ); - - /* - * Issue a refresh token also, if we support them - * - * Refresh Tokens are considered supported if an instance of OAuth2\Storage\RefreshTokenInterface - * is supplied in the constructor - */ - if ($includeRefreshToken && $this->refreshStorage) { - $refresh_token = $this->generateRefreshToken(); - $expires = 0; - if ($this->config['refresh_token_lifetime'] > 0) { - $expires = time() + $this->config['refresh_token_lifetime']; - } - $this->refreshStorage->setRefreshToken($refresh_token, $client_id, $user_id, $expires, $scope); - $token['refresh_token'] = $refresh_token; - } - - return $token; - } - - protected function encodeToken(array $token, $client_id = null) - { - $private_key = $this->publicKeyStorage->getPrivateKey($client_id); - $algorithm = $this->publicKeyStorage->getEncryptionAlgorithm($client_id); - - return $this->encryptionUtil->encode($token, $private_key, $algorithm); - } -} diff --git a/library/oauth2/src/OAuth2/ResponseType/ResponseTypeInterface.php b/library/oauth2/src/OAuth2/ResponseType/ResponseTypeInterface.php deleted file mode 100644 index f8e26a5b0..000000000 --- a/library/oauth2/src/OAuth2/ResponseType/ResponseTypeInterface.php +++ /dev/null @@ -1,8 +0,0 @@ -<?php - -namespace OAuth2\ResponseType; - -interface ResponseTypeInterface -{ - public function getAuthorizeResponse($params, $user_id = null); -} |