diff options
Diffstat (limited to 'library/oauth2/src/OAuth2/Storage')
18 files changed, 0 insertions, 3582 deletions
diff --git a/library/oauth2/src/OAuth2/Storage/AccessTokenInterface.php b/library/oauth2/src/OAuth2/Storage/AccessTokenInterface.php deleted file mode 100644 index 1819158af..000000000 --- a/library/oauth2/src/OAuth2/Storage/AccessTokenInterface.php +++ /dev/null @@ -1,64 +0,0 @@ -<?php - -namespace OAuth2\Storage; - -/** - * Implement this interface to specify where the OAuth2 Server - * should get/save access tokens - * - * @author Brent Shaffer <bshafs at gmail dot com> - */ -interface AccessTokenInterface -{ - /** - * Look up the supplied oauth_token from storage. - * - * We need to retrieve access token data as we create and verify tokens. - * - * @param $oauth_token - * oauth_token to be check with. - * - * @return - * An associative array as below, and return NULL if the supplied oauth_token - * is invalid: - * - expires: Stored expiration in unix timestamp. - * - client_id: (optional) Stored client identifier. - * - user_id: (optional) Stored user identifier. - * - scope: (optional) Stored scope values in space-separated string. - * - id_token: (optional) Stored id_token (if "use_openid_connect" is true). - * - * @ingroup oauth2_section_7 - */ - public function getAccessToken($oauth_token); - - /** - * Store the supplied access token values to storage. - * - * We need to store access token data as we create and verify tokens. - * - * @param $oauth_token oauth_token to be stored. - * @param $client_id client identifier to be stored. - * @param $user_id user identifier to be stored. - * @param int $expires expiration to be stored as a Unix timestamp. - * @param string $scope OPTIONAL Scopes to be stored in space-separated string. - * - * @ingroup oauth2_section_4 - */ - public function setAccessToken($oauth_token, $client_id, $user_id, $expires, $scope = null); - - /** - * Expire an access token. - * - * This is not explicitly required in the spec, but if defined in a draft RFC for token - * revoking (RFC 7009) https://tools.ietf.org/html/rfc7009 - * - * @param $access_token - * Access token to be expired. - * - * @return BOOL true if an access token was unset, false if not - * @ingroup oauth2_section_6 - * - * @todo v2.0 include this method in interface. Omitted to maintain BC in v1.x - */ - //public function unsetAccessToken($access_token); -} diff --git a/library/oauth2/src/OAuth2/Storage/AuthorizationCodeInterface.php b/library/oauth2/src/OAuth2/Storage/AuthorizationCodeInterface.php deleted file mode 100644 index 3beb0e437..000000000 --- a/library/oauth2/src/OAuth2/Storage/AuthorizationCodeInterface.php +++ /dev/null @@ -1,86 +0,0 @@ -<?php - -namespace OAuth2\Storage; - -/** - * Implement this interface to specify where the OAuth2 Server - * should get/save authorization codes for the "Authorization Code" - * grant type - * - * @author Brent Shaffer <bshafs at gmail dot com> - */ -interface AuthorizationCodeInterface -{ - /** - * The Authorization Code grant type supports a response type of "code". - * - * @var string - * @see http://tools.ietf.org/html/rfc6749#section-1.4.1 - * @see http://tools.ietf.org/html/rfc6749#section-4.2 - */ - const RESPONSE_TYPE_CODE = "code"; - - /** - * Fetch authorization code data (probably the most common grant type). - * - * Retrieve the stored data for the given authorization code. - * - * Required for OAuth2::GRANT_TYPE_AUTH_CODE. - * - * @param $code - * Authorization code to be check with. - * - * @return - * An associative array as below, and NULL if the code is invalid - * @code - * return array( - * "client_id" => CLIENT_ID, // REQUIRED Stored client identifier - * "user_id" => USER_ID, // REQUIRED Stored user identifier - * "expires" => EXPIRES, // REQUIRED Stored expiration in unix timestamp - * "redirect_uri" => REDIRECT_URI, // REQUIRED Stored redirect URI - * "scope" => SCOPE, // OPTIONAL Stored scope values in space-separated string - * ); - * @endcode - * - * @see http://tools.ietf.org/html/rfc6749#section-4.1 - * - * @ingroup oauth2_section_4 - */ - public function getAuthorizationCode($code); - - /** - * Take the provided authorization code values and store them somewhere. - * - * This function should be the storage counterpart to getAuthCode(). - * - * If storage fails for some reason, we're not currently checking for - * any sort of success/failure, so you should bail out of the script - * and provide a descriptive fail message. - * - * Required for OAuth2::GRANT_TYPE_AUTH_CODE. - * - * @param string $code Authorization code to be stored. - * @param mixed $client_id Client identifier to be stored. - * @param mixed $user_id User identifier to be stored. - * @param string $redirect_uri Redirect URI(s) to be stored in a space-separated string. - * @param int $expires Expiration to be stored as a Unix timestamp. - * @param string $scope OPTIONAL Scopes to be stored in space-separated string. - * - * @ingroup oauth2_section_4 - */ - public function setAuthorizationCode($code, $client_id, $user_id, $redirect_uri, $expires, $scope = null); - - /** - * once an Authorization Code is used, it must be exipired - * - * @see http://tools.ietf.org/html/rfc6749#section-4.1.2 - * - * The client MUST NOT use the authorization code - * more than once. If an authorization code is used more than - * once, the authorization server MUST deny the request and SHOULD - * revoke (when possible) all tokens previously issued based on - * that authorization code - * - */ - public function expireAuthorizationCode($code); -} diff --git a/library/oauth2/src/OAuth2/Storage/Cassandra.php b/library/oauth2/src/OAuth2/Storage/Cassandra.php deleted file mode 100644 index 602e8a058..000000000 --- a/library/oauth2/src/OAuth2/Storage/Cassandra.php +++ /dev/null @@ -1,480 +0,0 @@ -<?php - -namespace OAuth2\Storage; - -use phpcassa\ColumnFamily; -use phpcassa\ColumnSlice; -use phpcassa\Connection\ConnectionPool; -use OAuth2\OpenID\Storage\UserClaimsInterface; -use OAuth2\OpenID\Storage\AuthorizationCodeInterface as OpenIDAuthorizationCodeInterface; - -/** - * Cassandra storage for all storage types - * - * To use, install "thobbs/phpcassa" via composer - * <code> - * composer require thobbs/phpcassa:dev-master - * </code> - * - * Once this is done, instantiate the - * <code> - * $cassandra = new \phpcassa\Connection\ConnectionPool('oauth2_server', array('127.0.0.1:9160')); - * </code> - * - * Then, register the storage client: - * <code> - * $storage = new OAuth2\Storage\Cassandra($cassandra); - * $storage->setClientDetails($client_id, $client_secret, $redirect_uri); - * </code> - * - * @see test/lib/OAuth2/Storage/Bootstrap::getCassandraStorage - */ -class Cassandra implements AuthorizationCodeInterface, - AccessTokenInterface, - ClientCredentialsInterface, - UserCredentialsInterface, - RefreshTokenInterface, - JwtBearerInterface, - ScopeInterface, - PublicKeyInterface, - UserClaimsInterface, - OpenIDAuthorizationCodeInterface -{ - - private $cache; - - /* The cassandra client */ - protected $cassandra; - - /* Configuration array */ - protected $config; - - /** - * Cassandra Storage! uses phpCassa - * - * @param \phpcassa\ConnectionPool $cassandra - * @param array $config - */ - public function __construct($connection = array(), array $config = array()) - { - if ($connection instanceof ConnectionPool) { - $this->cassandra = $connection; - } else { - if (!is_array($connection)) { - throw new \InvalidArgumentException('First argument to OAuth2\Storage\Cassandra must be an instance of phpcassa\Connection\ConnectionPool or a configuration array'); - } - $connection = array_merge(array( - 'keyspace' => 'oauth2', - 'servers' => null, - ), $connection); - - $this->cassandra = new ConnectionPool($connection['keyspace'], $connection['servers']); - } - - $this->config = array_merge(array( - // cassandra config - 'column_family' => 'auth', - - // key names - 'client_key' => 'oauth_clients:', - 'access_token_key' => 'oauth_access_tokens:', - 'refresh_token_key' => 'oauth_refresh_tokens:', - 'code_key' => 'oauth_authorization_codes:', - 'user_key' => 'oauth_users:', - 'jwt_key' => 'oauth_jwt:', - 'scope_key' => 'oauth_scopes:', - 'public_key_key' => 'oauth_public_keys:', - ), $config); - } - - protected function getValue($key) - { - if (isset($this->cache[$key])) { - return $this->cache[$key]; - } - $cf = new ColumnFamily($this->cassandra, $this->config['column_family']); - - try { - $value = $cf->get($key, new ColumnSlice("", "")); - $value = array_shift($value); - } catch (\cassandra\NotFoundException $e) { - return false; - } - - return json_decode($value, true); - } - - protected function setValue($key, $value, $expire = 0) - { - $this->cache[$key] = $value; - - $cf = new ColumnFamily($this->cassandra, $this->config['column_family']); - - $str = json_encode($value); - if ($expire > 0) { - try { - $seconds = $expire - time(); - // __data key set as C* requires a field, note: max TTL can only be 630720000 seconds - $cf->insert($key, array('__data' => $str), null, $seconds); - } catch (\Exception $e) { - return false; - } - } else { - try { - // __data key set as C* requires a field - $cf->insert($key, array('__data' => $str)); - } catch (\Exception $e) { - return false; - } - } - - return true; - } - - protected function expireValue($key) - { - unset($this->cache[$key]); - - $cf = new ColumnFamily($this->cassandra, $this->config['column_family']); - - if ($cf->get_count($key) > 0) { - try { - // __data key set as C* requires a field - $cf->remove($key, array('__data')); - } catch (\Exception $e) { - return false; - } - - return true; - } - - return false; - } - - /* AuthorizationCodeInterface */ - public function getAuthorizationCode($code) - { - return $this->getValue($this->config['code_key'] . $code); - } - - public function setAuthorizationCode($authorization_code, $client_id, $user_id, $redirect_uri, $expires, $scope = null, $id_token = null) - { - return $this->setValue( - $this->config['code_key'] . $authorization_code, - compact('authorization_code', 'client_id', 'user_id', 'redirect_uri', 'expires', 'scope', 'id_token'), - $expires - ); - } - - public function expireAuthorizationCode($code) - { - $key = $this->config['code_key'] . $code; - unset($this->cache[$key]); - - return $this->expireValue($key); - } - - /* UserCredentialsInterface */ - public function checkUserCredentials($username, $password) - { - if ($user = $this->getUser($username)) { - return $this->checkPassword($user, $password); - } - - return false; - } - - // plaintext passwords are bad! Override this for your application - protected function checkPassword($user, $password) - { - return $user['password'] == $this->hashPassword($password); - } - - // use a secure hashing algorithm when storing passwords. Override this for your application - protected function hashPassword($password) - { - return sha1($password); - } - - public function getUserDetails($username) - { - return $this->getUser($username); - } - - public function getUser($username) - { - if (!$userInfo = $this->getValue($this->config['user_key'] . $username)) { - return false; - } - - // the default behavior is to use "username" as the user_id - return array_merge(array( - 'user_id' => $username, - ), $userInfo); - } - - public function setUser($username, $password, $first_name = null, $last_name = null) - { - $password = $this->hashPassword($password); - - return $this->setValue( - $this->config['user_key'] . $username, - compact('username', 'password', 'first_name', 'last_name') - ); - } - - /* ClientCredentialsInterface */ - public function checkClientCredentials($client_id, $client_secret = null) - { - if (!$client = $this->getClientDetails($client_id)) { - return false; - } - - return isset($client['client_secret']) - && $client['client_secret'] == $client_secret; - } - - public function isPublicClient($client_id) - { - if (!$client = $this->getClientDetails($client_id)) { - return false; - } - - return empty($client['client_secret']);; - } - - /* ClientInterface */ - public function getClientDetails($client_id) - { - return $this->getValue($this->config['client_key'] . $client_id); - } - - public function setClientDetails($client_id, $client_secret = null, $redirect_uri = null, $grant_types = null, $scope = null, $user_id = null) - { - return $this->setValue( - $this->config['client_key'] . $client_id, - compact('client_id', 'client_secret', 'redirect_uri', 'grant_types', 'scope', 'user_id') - ); - } - - public function checkRestrictedGrantType($client_id, $grant_type) - { - $details = $this->getClientDetails($client_id); - if (isset($details['grant_types'])) { - $grant_types = explode(' ', $details['grant_types']); - - return in_array($grant_type, (array) $grant_types); - } - - // if grant_types are not defined, then none are restricted - return true; - } - - /* RefreshTokenInterface */ - public function getRefreshToken($refresh_token) - { - return $this->getValue($this->config['refresh_token_key'] . $refresh_token); - } - - public function setRefreshToken($refresh_token, $client_id, $user_id, $expires, $scope = null) - { - return $this->setValue( - $this->config['refresh_token_key'] . $refresh_token, - compact('refresh_token', 'client_id', 'user_id', 'expires', 'scope'), - $expires - ); - } - - public function unsetRefreshToken($refresh_token) - { - return $this->expireValue($this->config['refresh_token_key'] . $refresh_token); - } - - /* AccessTokenInterface */ - public function getAccessToken($access_token) - { - return $this->getValue($this->config['access_token_key'].$access_token); - } - - public function setAccessToken($access_token, $client_id, $user_id, $expires, $scope = null) - { - return $this->setValue( - $this->config['access_token_key'].$access_token, - compact('access_token', 'client_id', 'user_id', 'expires', 'scope'), - $expires - ); - } - - public function unsetAccessToken($access_token) - { - return $this->expireValue($this->config['access_token_key'] . $access_token); - } - - /* ScopeInterface */ - public function scopeExists($scope) - { - $scope = explode(' ', $scope); - - $result = $this->getValue($this->config['scope_key'].'supported:global'); - - $supportedScope = explode(' ', (string) $result); - - return (count(array_diff($scope, $supportedScope)) == 0); - } - - public function getDefaultScope($client_id = null) - { - if (is_null($client_id) || !$result = $this->getValue($this->config['scope_key'].'default:'.$client_id)) { - $result = $this->getValue($this->config['scope_key'].'default:global'); - } - - return $result; - } - - public function setScope($scope, $client_id = null, $type = 'supported') - { - if (!in_array($type, array('default', 'supported'))) { - throw new \InvalidArgumentException('"$type" must be one of "default", "supported"'); - } - - if (is_null($client_id)) { - $key = $this->config['scope_key'].$type.':global'; - } else { - $key = $this->config['scope_key'].$type.':'.$client_id; - } - - return $this->setValue($key, $scope); - } - - /*JWTBearerInterface */ - public function getClientKey($client_id, $subject) - { - if (!$jwt = $this->getValue($this->config['jwt_key'] . $client_id)) { - return false; - } - - if (isset($jwt['subject']) && $jwt['subject'] == $subject ) { - return $jwt['key']; - } - - return null; - } - - public function setClientKey($client_id, $key, $subject = null) - { - return $this->setValue($this->config['jwt_key'] . $client_id, array( - 'key' => $key, - 'subject' => $subject - )); - } - - /*ScopeInterface */ - public function getClientScope($client_id) - { - if (!$clientDetails = $this->getClientDetails($client_id)) { - return false; - } - - if (isset($clientDetails['scope'])) { - return $clientDetails['scope']; - } - - return null; - } - - public function getJti($client_id, $subject, $audience, $expiration, $jti) - { - //TODO: Needs cassandra implementation. - throw new \Exception('getJti() for the Cassandra driver is currently unimplemented.'); - } - - public function setJti($client_id, $subject, $audience, $expiration, $jti) - { - //TODO: Needs cassandra implementation. - throw new \Exception('setJti() for the Cassandra driver is currently unimplemented.'); - } - - /* PublicKeyInterface */ - public function getPublicKey($client_id = '') - { - $public_key = $this->getValue($this->config['public_key_key'] . $client_id); - if (is_array($public_key)) { - return $public_key['public_key']; - } - $public_key = $this->getValue($this->config['public_key_key']); - if (is_array($public_key)) { - return $public_key['public_key']; - } - } - - public function getPrivateKey($client_id = '') - { - $public_key = $this->getValue($this->config['public_key_key'] . $client_id); - if (is_array($public_key)) { - return $public_key['private_key']; - } - $public_key = $this->getValue($this->config['public_key_key']); - if (is_array($public_key)) { - return $public_key['private_key']; - } - } - - public function getEncryptionAlgorithm($client_id = null) - { - $public_key = $this->getValue($this->config['public_key_key'] . $client_id); - if (is_array($public_key)) { - return $public_key['encryption_algorithm']; - } - $public_key = $this->getValue($this->config['public_key_key']); - if (is_array($public_key)) { - return $public_key['encryption_algorithm']; - } - - return 'RS256'; - } - - /* UserClaimsInterface */ - public function getUserClaims($user_id, $claims) - { - $userDetails = $this->getUserDetails($user_id); - if (!is_array($userDetails)) { - return false; - } - - $claims = explode(' ', trim($claims)); - $userClaims = array(); - - // for each requested claim, if the user has the claim, set it in the response - $validClaims = explode(' ', self::VALID_CLAIMS); - foreach ($validClaims as $validClaim) { - if (in_array($validClaim, $claims)) { - if ($validClaim == 'address') { - // address is an object with subfields - $userClaims['address'] = $this->getUserClaim($validClaim, $userDetails['address'] ?: $userDetails); - } else { - $userClaims = array_merge($userClaims, $this->getUserClaim($validClaim, $userDetails)); - } - } - } - - return $userClaims; - } - - protected function getUserClaim($claim, $userDetails) - { - $userClaims = array(); - $claimValuesString = constant(sprintf('self::%s_CLAIM_VALUES', strtoupper($claim))); - $claimValues = explode(' ', $claimValuesString); - - foreach ($claimValues as $value) { - if ($value == 'email_verified') { - $userClaims[$value] = $userDetails[$value]=='true' ? true : false; - } else { - $userClaims[$value] = isset($userDetails[$value]) ? $userDetails[$value] : null; - } - } - - return $userClaims; - } - -} diff --git a/library/oauth2/src/OAuth2/Storage/ClientCredentialsInterface.php b/library/oauth2/src/OAuth2/Storage/ClientCredentialsInterface.php deleted file mode 100644 index 3318c6966..000000000 --- a/library/oauth2/src/OAuth2/Storage/ClientCredentialsInterface.php +++ /dev/null @@ -1,49 +0,0 @@ -<?php - -namespace OAuth2\Storage; - -/** - * Implement this interface to specify how the OAuth2 Server - * should verify client credentials - * - * @author Brent Shaffer <bshafs at gmail dot com> - */ -interface ClientCredentialsInterface extends ClientInterface -{ - - /** - * Make sure that the client credentials is valid. - * - * @param $client_id - * Client identifier to be check with. - * @param $client_secret - * (optional) If a secret is required, check that they've given the right one. - * - * @return - * TRUE if the client credentials are valid, and MUST return FALSE if it isn't. - * @endcode - * - * @see http://tools.ietf.org/html/rfc6749#section-3.1 - * - * @ingroup oauth2_section_3 - */ - public function checkClientCredentials($client_id, $client_secret = null); - - /** - * Determine if the client is a "public" client, and therefore - * does not require passing credentials for certain grant types - * - * @param $client_id - * Client identifier to be check with. - * - * @return - * TRUE if the client is public, and FALSE if it isn't. - * @endcode - * - * @see http://tools.ietf.org/html/rfc6749#section-2.3 - * @see https://github.com/bshaffer/oauth2-server-php/issues/257 - * - * @ingroup oauth2_section_2 - */ - public function isPublicClient($client_id); -} diff --git a/library/oauth2/src/OAuth2/Storage/ClientInterface.php b/library/oauth2/src/OAuth2/Storage/ClientInterface.php deleted file mode 100644 index 09a5bffc1..000000000 --- a/library/oauth2/src/OAuth2/Storage/ClientInterface.php +++ /dev/null @@ -1,66 +0,0 @@ -<?php - -namespace OAuth2\Storage; - -/** - * Implement this interface to specify where the OAuth2 Server - * should retrieve client information - * - * @author Brent Shaffer <bshafs at gmail dot com> - */ -interface ClientInterface -{ - /** - * Get client details corresponding client_id. - * - * OAuth says we should store request URIs for each registered client. - * Implement this function to grab the stored URI for a given client id. - * - * @param $client_id - * Client identifier to be check with. - * - * @return array - * Client details. The only mandatory key in the array is "redirect_uri". - * This function MUST return FALSE if the given client does not exist or is - * invalid. "redirect_uri" can be space-delimited to allow for multiple valid uris. - * <code> - * return array( - * "redirect_uri" => REDIRECT_URI, // REQUIRED redirect_uri registered for the client - * "client_id" => CLIENT_ID, // OPTIONAL the client id - * "grant_types" => GRANT_TYPES, // OPTIONAL an array of restricted grant types - * "user_id" => USER_ID, // OPTIONAL the user identifier associated with this client - * "scope" => SCOPE, // OPTIONAL the scopes allowed for this client - * ); - * </code> - * - * @ingroup oauth2_section_4 - */ - public function getClientDetails($client_id); - - /** - * Get the scope associated with this client - * - * @return - * STRING the space-delineated scope list for the specified client_id - */ - public function getClientScope($client_id); - - /** - * Check restricted grant types of corresponding client identifier. - * - * If you want to restrict clients to certain grant types, override this - * function. - * - * @param $client_id - * Client identifier to be check with. - * @param $grant_type - * Grant type to be check with - * - * @return - * TRUE if the grant type is supported by this client identifier, and - * FALSE if it isn't. - * - * @ingroup oauth2_section_4 - */ - public function checkRestrictedGrantType($client_id, $grant_type); -} diff --git a/library/oauth2/src/OAuth2/Storage/CouchbaseDB.php b/library/oauth2/src/OAuth2/Storage/CouchbaseDB.php deleted file mode 100755 index 1eb55f027..000000000 --- a/library/oauth2/src/OAuth2/Storage/CouchbaseDB.php +++ /dev/null @@ -1,331 +0,0 @@ -<?php - -namespace OAuth2\Storage; - -use OAuth2\OpenID\Storage\AuthorizationCodeInterface as OpenIDAuthorizationCodeInterface; - -/** - * Simple Couchbase storage for all storage types - * - * This class should be extended or overridden as required - * - * NOTE: Passwords are stored in plaintext, which is never - * a good idea. Be sure to override this for your application - * - * @author Tom Park <tom@raucter.com> - */ -class CouchbaseDB implements AuthorizationCodeInterface, - AccessTokenInterface, - ClientCredentialsInterface, - UserCredentialsInterface, - RefreshTokenInterface, - JwtBearerInterface, - OpenIDAuthorizationCodeInterface -{ - protected $db; - protected $config; - - public function __construct($connection, $config = array()) - { - if ($connection instanceof \Couchbase) { - $this->db = $connection; - } else { - if (!is_array($connection) || !is_array($connection['servers'])) { - throw new \InvalidArgumentException('First argument to OAuth2\Storage\CouchbaseDB must be an instance of Couchbase or a configuration array containing a server array'); - } - - $this->db = new \Couchbase($connection['servers'], (!isset($connection['username'])) ? '' : $connection['username'], (!isset($connection['password'])) ? '' : $connection['password'], $connection['bucket'], false); - } - - $this->config = array_merge(array( - 'client_table' => 'oauth_clients', - 'access_token_table' => 'oauth_access_tokens', - 'refresh_token_table' => 'oauth_refresh_tokens', - 'code_table' => 'oauth_authorization_codes', - 'user_table' => 'oauth_users', - 'jwt_table' => 'oauth_jwt', - ), $config); - } - - // Helper function to access couchbase item by type: - protected function getObjectByType($name,$id) - { - return json_decode($this->db->get($this->config[$name].'-'.$id),true); - } - - // Helper function to set couchbase item by type: - protected function setObjectByType($name,$id,$array) - { - $array['type'] = $name; - - return $this->db->set($this->config[$name].'-'.$id,json_encode($array)); - } - - // Helper function to delete couchbase item by type, wait for persist to at least 1 node - protected function deleteObjectByType($name,$id) - { - $this->db->delete($this->config[$name].'-'.$id,"",1); - } - - /* ClientCredentialsInterface */ - public function checkClientCredentials($client_id, $client_secret = null) - { - if ($result = $this->getObjectByType('client_table',$client_id)) { - return $result['client_secret'] == $client_secret; - } - - return false; - } - - public function isPublicClient($client_id) - { - if (!$result = $this->getObjectByType('client_table',$client_id)) { - return false; - } - - return empty($result['client_secret']); - } - - /* ClientInterface */ - public function getClientDetails($client_id) - { - $result = $this->getObjectByType('client_table',$client_id); - - return is_null($result) ? false : $result; - } - - public function setClientDetails($client_id, $client_secret = null, $redirect_uri = null, $grant_types = null, $scope = null, $user_id = null) - { - if ($this->getClientDetails($client_id)) { - - $this->setObjectByType('client_table',$client_id, array( - 'client_id' => $client_id, - 'client_secret' => $client_secret, - 'redirect_uri' => $redirect_uri, - 'grant_types' => $grant_types, - 'scope' => $scope, - 'user_id' => $user_id, - )); - } else { - $this->setObjectByType('client_table',$client_id, array( - 'client_id' => $client_id, - 'client_secret' => $client_secret, - 'redirect_uri' => $redirect_uri, - 'grant_types' => $grant_types, - 'scope' => $scope, - 'user_id' => $user_id, - )); - } - - return true; - } - - public function checkRestrictedGrantType($client_id, $grant_type) - { - $details = $this->getClientDetails($client_id); - if (isset($details['grant_types'])) { - $grant_types = explode(' ', $details['grant_types']); - - return in_array($grant_type, $grant_types); - } - - // if grant_types are not defined, then none are restricted - return true; - } - - /* AccessTokenInterface */ - public function getAccessToken($access_token) - { - $token = $this->getObjectByType('access_token_table',$access_token); - - return is_null($token) ? false : $token; - } - - public function setAccessToken($access_token, $client_id, $user_id, $expires, $scope = null) - { - // if it exists, update it. - if ($this->getAccessToken($access_token)) { - $this->setObjectByType('access_token_table',$access_token, array( - 'access_token' => $access_token, - 'client_id' => $client_id, - 'expires' => $expires, - 'user_id' => $user_id, - 'scope' => $scope - )); - } else { - $this->setObjectByType('access_token_table',$access_token, array( - 'access_token' => $access_token, - 'client_id' => $client_id, - 'expires' => $expires, - 'user_id' => $user_id, - 'scope' => $scope - )); - } - - return true; - } - - /* AuthorizationCodeInterface */ - public function getAuthorizationCode($code) - { - $code = $this->getObjectByType('code_table',$code); - - return is_null($code) ? false : $code; - } - - public function setAuthorizationCode($code, $client_id, $user_id, $redirect_uri, $expires, $scope = null, $id_token = null) - { - // if it exists, update it. - if ($this->getAuthorizationCode($code)) { - $this->setObjectByType('code_table',$code, array( - 'authorization_code' => $code, - 'client_id' => $client_id, - 'user_id' => $user_id, - 'redirect_uri' => $redirect_uri, - 'expires' => $expires, - 'scope' => $scope, - 'id_token' => $id_token, - )); - } else { - $this->setObjectByType('code_table',$code,array( - 'authorization_code' => $code, - 'client_id' => $client_id, - 'user_id' => $user_id, - 'redirect_uri' => $redirect_uri, - 'expires' => $expires, - 'scope' => $scope, - 'id_token' => $id_token, - )); - } - - return true; - } - - public function expireAuthorizationCode($code) - { - $this->deleteObjectByType('code_table',$code); - - return true; - } - - /* UserCredentialsInterface */ - public function checkUserCredentials($username, $password) - { - if ($user = $this->getUser($username)) { - return $this->checkPassword($user, $password); - } - - return false; - } - - public function getUserDetails($username) - { - if ($user = $this->getUser($username)) { - $user['user_id'] = $user['username']; - } - - return $user; - } - - /* RefreshTokenInterface */ - public function getRefreshToken($refresh_token) - { - $token = $this->getObjectByType('refresh_token_table',$refresh_token); - - return is_null($token) ? false : $token; - } - - public function setRefreshToken($refresh_token, $client_id, $user_id, $expires, $scope = null) - { - $this->setObjectByType('refresh_token_table',$refresh_token, array( - 'refresh_token' => $refresh_token, - 'client_id' => $client_id, - 'user_id' => $user_id, - 'expires' => $expires, - 'scope' => $scope - )); - - return true; - } - - public function unsetRefreshToken($refresh_token) - { - $this->deleteObjectByType('refresh_token_table',$refresh_token); - - return true; - } - - // plaintext passwords are bad! Override this for your application - protected function checkPassword($user, $password) - { - return $user['password'] == $password; - } - - public function getUser($username) - { - $result = $this->getObjectByType('user_table',$username); - - return is_null($result) ? false : $result; - } - - public function setUser($username, $password, $firstName = null, $lastName = null) - { - if ($this->getUser($username)) { - $this->setObjectByType('user_table',$username, array( - 'username' => $username, - 'password' => $password, - 'first_name' => $firstName, - 'last_name' => $lastName - )); - - } else { - $this->setObjectByType('user_table',$username, array( - 'username' => $username, - 'password' => $password, - 'first_name' => $firstName, - 'last_name' => $lastName - )); - - } - - return true; - } - - public function getClientKey($client_id, $subject) - { - if (!$jwt = $this->getObjectByType('jwt_table',$client_id)) { - return false; - } - - if (isset($jwt['subject']) && $jwt['subject'] == $subject) { - return $jwt['key']; - } - - return false; - } - - public function getClientScope($client_id) - { - if (!$clientDetails = $this->getClientDetails($client_id)) { - return false; - } - - if (isset($clientDetails['scope'])) { - return $clientDetails['scope']; - } - - return null; - } - - public function getJti($client_id, $subject, $audience, $expiration, $jti) - { - //TODO: Needs couchbase implementation. - throw new \Exception('getJti() for the Couchbase driver is currently unimplemented.'); - } - - public function setJti($client_id, $subject, $audience, $expiration, $jti) - { - //TODO: Needs couchbase implementation. - throw new \Exception('setJti() for the Couchbase driver is currently unimplemented.'); - } -} diff --git a/library/oauth2/src/OAuth2/Storage/DynamoDB.php b/library/oauth2/src/OAuth2/Storage/DynamoDB.php deleted file mode 100644 index 8347ab258..000000000 --- a/library/oauth2/src/OAuth2/Storage/DynamoDB.php +++ /dev/null @@ -1,540 +0,0 @@ -<?php - -namespace OAuth2\Storage; - -use Aws\DynamoDb\DynamoDbClient; - -use OAuth2\OpenID\Storage\UserClaimsInterface; -use OAuth2\OpenID\Storage\AuthorizationCodeInterface as OpenIDAuthorizationCodeInterface; -/** - * DynamoDB storage for all storage types - * - * To use, install "aws/aws-sdk-php" via composer - * <code> - * composer require aws/aws-sdk-php:dev-master - * </code> - * - * Once this is done, instantiate the DynamoDB client - * <code> - * $storage = new OAuth2\Storage\Dynamodb(array("key" => "YOURKEY", "secret" => "YOURSECRET", "region" => "YOURREGION")); - * </code> - * - * Table : - * - oauth_access_tokens (primary hash key : access_token) - * - oauth_authorization_codes (primary hash key : authorization_code) - * - oauth_clients (primary hash key : client_id) - * - oauth_jwt (primary hash key : client_id, primary range key : subject) - * - oauth_public_keys (primary hash key : client_id) - * - oauth_refresh_tokens (primary hash key : refresh_token) - * - oauth_scopes (primary hash key : scope, secondary index : is_default-index hash key is_default) - * - oauth_users (primary hash key : username) - * - * @author Frederic AUGUSTE <frederic.auguste at gmail dot com> - */ -class DynamoDB implements - AuthorizationCodeInterface, - AccessTokenInterface, - ClientCredentialsInterface, - UserCredentialsInterface, - RefreshTokenInterface, - JwtBearerInterface, - ScopeInterface, - PublicKeyInterface, - UserClaimsInterface, - OpenIDAuthorizationCodeInterface -{ - protected $client; - protected $config; - - public function __construct($connection, $config = array()) - { - if (!($connection instanceof DynamoDbClient)) { - if (!is_array($connection)) { - throw new \InvalidArgumentException('First argument to OAuth2\Storage\Dynamodb must be an instance a configuration array containt key, secret, region'); - } - if (!array_key_exists("key",$connection) || !array_key_exists("secret",$connection) || !array_key_exists("region",$connection) ) { - throw new \InvalidArgumentException('First argument to OAuth2\Storage\Dynamodb must be an instance a configuration array containt key, secret, region'); - } - $this->client = DynamoDbClient::factory(array( - 'key' => $connection["key"], - 'secret' => $connection["secret"], - 'region' =>$connection["region"] - )); - } else { - $this->client = $connection; - } - - $this->config = array_merge(array( - 'client_table' => 'oauth_clients', - 'access_token_table' => 'oauth_access_tokens', - 'refresh_token_table' => 'oauth_refresh_tokens', - 'code_table' => 'oauth_authorization_codes', - 'user_table' => 'oauth_users', - 'jwt_table' => 'oauth_jwt', - 'scope_table' => 'oauth_scopes', - 'public_key_table' => 'oauth_public_keys', - ), $config); - } - - /* OAuth2\Storage\ClientCredentialsInterface */ - public function checkClientCredentials($client_id, $client_secret = null) - { - $result = $this->client->getItem(array( - "TableName"=> $this->config['client_table'], - "Key" => array('client_id' => array('S' => $client_id)) - )); - - return $result->count()==1 && $result["Item"]["client_secret"]["S"] == $client_secret; - } - - public function isPublicClient($client_id) - { - $result = $this->client->getItem(array( - "TableName"=> $this->config['client_table'], - "Key" => array('client_id' => array('S' => $client_id)) - )); - - if ($result->count()==0) { - return false ; - } - - return empty($result["Item"]["client_secret"]); - } - - /* OAuth2\Storage\ClientInterface */ - public function getClientDetails($client_id) - { - $result = $this->client->getItem(array( - "TableName"=> $this->config['client_table'], - "Key" => array('client_id' => array('S' => $client_id)) - )); - if ($result->count()==0) { - return false ; - } - $result = $this->dynamo2array($result); - foreach (array('client_id', 'client_secret', 'redirect_uri', 'grant_types', 'scope', 'user_id') as $key => $val) { - if (!array_key_exists ($val, $result)) { - $result[$val] = null; - } - } - - return $result; - } - - public function setClientDetails($client_id, $client_secret = null, $redirect_uri = null, $grant_types = null, $scope = null, $user_id = null) - { - $clientData = compact('client_id', 'client_secret', 'redirect_uri', 'grant_types', 'scope', 'user_id'); - $clientData = array_filter($clientData, 'self::isNotEmpty'); - - $result = $this->client->putItem(array( - 'TableName' => $this->config['client_table'], - 'Item' => $this->client->formatAttributes($clientData) - )); - - return true; - } - - public function checkRestrictedGrantType($client_id, $grant_type) - { - $details = $this->getClientDetails($client_id); - if (isset($details['grant_types'])) { - $grant_types = explode(' ', $details['grant_types']); - - return in_array($grant_type, (array) $grant_types); - } - - // if grant_types are not defined, then none are restricted - return true; - } - - /* OAuth2\Storage\AccessTokenInterface */ - public function getAccessToken($access_token) - { - $result = $this->client->getItem(array( - "TableName"=> $this->config['access_token_table'], - "Key" => array('access_token' => array('S' => $access_token)) - )); - if ($result->count()==0) { - return false ; - } - $token = $this->dynamo2array($result); - if (array_key_exists ('expires', $token)) { - $token['expires'] = strtotime($token['expires']); - } - - return $token; - } - - public function setAccessToken($access_token, $client_id, $user_id, $expires, $scope = null) - { - // convert expires to datestring - $expires = date('Y-m-d H:i:s', $expires); - - $clientData = compact('access_token', 'client_id', 'user_id', 'expires', 'scope'); - $clientData = array_filter($clientData, 'self::isNotEmpty'); - - $result = $this->client->putItem(array( - 'TableName' => $this->config['access_token_table'], - 'Item' => $this->client->formatAttributes($clientData) - )); - - return true; - - } - - public function unsetAccessToken($access_token) - { - $result = $this->client->deleteItem(array( - 'TableName' => $this->config['access_token_table'], - 'Key' => $this->client->formatAttributes(array("access_token" => $access_token)), - 'ReturnValues' => 'ALL_OLD', - )); - - return null !== $result->get('Attributes'); - } - - /* OAuth2\Storage\AuthorizationCodeInterface */ - public function getAuthorizationCode($code) - { - $result = $this->client->getItem(array( - "TableName"=> $this->config['code_table'], - "Key" => array('authorization_code' => array('S' => $code)) - )); - if ($result->count()==0) { - return false ; - } - $token = $this->dynamo2array($result); - if (!array_key_exists("id_token", $token )) { - $token['id_token'] = null; - } - $token['expires'] = strtotime($token['expires']); - - return $token; - - } - - public function setAuthorizationCode($authorization_code, $client_id, $user_id, $redirect_uri, $expires, $scope = null, $id_token = null) - { - // convert expires to datestring - $expires = date('Y-m-d H:i:s', $expires); - - $clientData = compact('authorization_code', 'client_id', 'user_id', 'redirect_uri', 'expires', 'id_token', 'scope'); - $clientData = array_filter($clientData, 'self::isNotEmpty'); - - $result = $this->client->putItem(array( - 'TableName' => $this->config['code_table'], - 'Item' => $this->client->formatAttributes($clientData) - )); - - return true; - } - - public function expireAuthorizationCode($code) - { - - $result = $this->client->deleteItem(array( - 'TableName' => $this->config['code_table'], - 'Key' => $this->client->formatAttributes(array("authorization_code" => $code)) - )); - - return true; - } - - /* OAuth2\Storage\UserCredentialsInterface */ - public function checkUserCredentials($username, $password) - { - if ($user = $this->getUser($username)) { - return $this->checkPassword($user, $password); - } - - return false; - } - - public function getUserDetails($username) - { - return $this->getUser($username); - } - - /* UserClaimsInterface */ - public function getUserClaims($user_id, $claims) - { - if (!$userDetails = $this->getUserDetails($user_id)) { - return false; - } - - $claims = explode(' ', trim($claims)); - $userClaims = array(); - - // for each requested claim, if the user has the claim, set it in the response - $validClaims = explode(' ', self::VALID_CLAIMS); - foreach ($validClaims as $validClaim) { - if (in_array($validClaim, $claims)) { - if ($validClaim == 'address') { - // address is an object with subfields - $userClaims['address'] = $this->getUserClaim($validClaim, $userDetails['address'] ?: $userDetails); - } else { - $userClaims = array_merge($userClaims, $this->getUserClaim($validClaim, $userDetails)); - } - } - } - - return $userClaims; - } - - protected function getUserClaim($claim, $userDetails) - { - $userClaims = array(); - $claimValuesString = constant(sprintf('self::%s_CLAIM_VALUES', strtoupper($claim))); - $claimValues = explode(' ', $claimValuesString); - - foreach ($claimValues as $value) { - if ($value == 'email_verified') { - $userClaims[$value] = $userDetails[$value]=='true' ? true : false; - } else { - $userClaims[$value] = isset($userDetails[$value]) ? $userDetails[$value] : null; - } - } - - return $userClaims; - } - - /* OAuth2\Storage\RefreshTokenInterface */ - public function getRefreshToken($refresh_token) - { - $result = $this->client->getItem(array( - "TableName"=> $this->config['refresh_token_table'], - "Key" => array('refresh_token' => array('S' => $refresh_token)) - )); - if ($result->count()==0) { - return false ; - } - $token = $this->dynamo2array($result); - $token['expires'] = strtotime($token['expires']); - - return $token; - } - - public function setRefreshToken($refresh_token, $client_id, $user_id, $expires, $scope = null) - { - // convert expires to datestring - $expires = date('Y-m-d H:i:s', $expires); - - $clientData = compact('refresh_token', 'client_id', 'user_id', 'expires', 'scope'); - $clientData = array_filter($clientData, 'self::isNotEmpty'); - - $result = $this->client->putItem(array( - 'TableName' => $this->config['refresh_token_table'], - 'Item' => $this->client->formatAttributes($clientData) - )); - - return true; - } - - public function unsetRefreshToken($refresh_token) - { - $result = $this->client->deleteItem(array( - 'TableName' => $this->config['refresh_token_table'], - 'Key' => $this->client->formatAttributes(array("refresh_token" => $refresh_token)) - )); - - return true; - } - - // plaintext passwords are bad! Override this for your application - protected function checkPassword($user, $password) - { - return $user['password'] == $this->hashPassword($password); - } - - // use a secure hashing algorithm when storing passwords. Override this for your application - protected function hashPassword($password) - { - return sha1($password); - } - - public function getUser($username) - { - $result = $this->client->getItem(array( - "TableName"=> $this->config['user_table'], - "Key" => array('username' => array('S' => $username)) - )); - if ($result->count()==0) { - return false ; - } - $token = $this->dynamo2array($result); - $token['user_id'] = $username; - - return $token; - } - - public function setUser($username, $password, $first_name = null, $last_name = null) - { - // do not store in plaintext - $password = $this->hashPassword($password); - - $clientData = compact('username', 'password', 'first_name', 'last_name'); - $clientData = array_filter($clientData, 'self::isNotEmpty'); - - $result = $this->client->putItem(array( - 'TableName' => $this->config['user_table'], - 'Item' => $this->client->formatAttributes($clientData) - )); - - return true; - - } - - /* ScopeInterface */ - public function scopeExists($scope) - { - $scope = explode(' ', $scope); - $scope_query = array(); - $count = 0; - foreach ($scope as $key => $val) { - $result = $this->client->query(array( - 'TableName' => $this->config['scope_table'], - 'Select' => 'COUNT', - 'KeyConditions' => array( - 'scope' => array( - 'AttributeValueList' => array(array('S' => $val)), - 'ComparisonOperator' => 'EQ' - ) - ) - )); - $count += $result['Count']; - } - - return $count == count($scope); - } - - public function getDefaultScope($client_id = null) - { - - $result = $this->client->query(array( - 'TableName' => $this->config['scope_table'], - 'IndexName' => 'is_default-index', - 'Select' => 'ALL_ATTRIBUTES', - 'KeyConditions' => array( - 'is_default' => array( - 'AttributeValueList' => array(array('S' => 'true')), - 'ComparisonOperator' => 'EQ', - ), - ) - )); - $defaultScope = array(); - if ($result->count() > 0) { - $array = $result->toArray(); - foreach ($array["Items"] as $item) { - $defaultScope[] = $item['scope']['S']; - } - - return empty($defaultScope) ? null : implode(' ', $defaultScope); - } - - return null; - } - - /* JWTBearerInterface */ - public function getClientKey($client_id, $subject) - { - $result = $this->client->getItem(array( - "TableName"=> $this->config['jwt_table'], - "Key" => array('client_id' => array('S' => $client_id), 'subject' => array('S' => $subject)) - )); - if ($result->count()==0) { - return false ; - } - $token = $this->dynamo2array($result); - - return $token['public_key']; - } - - public function getClientScope($client_id) - { - if (!$clientDetails = $this->getClientDetails($client_id)) { - return false; - } - - if (isset($clientDetails['scope'])) { - return $clientDetails['scope']; - } - - return null; - } - - public function getJti($client_id, $subject, $audience, $expires, $jti) - { - //TODO not use. - } - - public function setJti($client_id, $subject, $audience, $expires, $jti) - { - //TODO not use. - } - - /* PublicKeyInterface */ - public function getPublicKey($client_id = '0') - { - - $result = $this->client->getItem(array( - "TableName"=> $this->config['public_key_table'], - "Key" => array('client_id' => array('S' => $client_id)) - )); - if ($result->count()==0) { - return false ; - } - $token = $this->dynamo2array($result); - - return $token['public_key']; - - } - - public function getPrivateKey($client_id = '0') - { - $result = $this->client->getItem(array( - "TableName"=> $this->config['public_key_table'], - "Key" => array('client_id' => array('S' => $client_id)) - )); - if ($result->count()==0) { - return false ; - } - $token = $this->dynamo2array($result); - - return $token['private_key']; - } - - public function getEncryptionAlgorithm($client_id = null) - { - $result = $this->client->getItem(array( - "TableName"=> $this->config['public_key_table'], - "Key" => array('client_id' => array('S' => $client_id)) - )); - if ($result->count()==0) { - return 'RS256' ; - } - $token = $this->dynamo2array($result); - - return $token['encryption_algorithm']; - } - - /** - * Transform dynamodb resultset to an array. - * @param $dynamodbResult - * @return $array - */ - private function dynamo2array($dynamodbResult) - { - $result = array(); - foreach ($dynamodbResult["Item"] as $key => $val) { - $result[$key] = $val["S"]; - $result[] = $val["S"]; - } - - return $result; - } - - private static function isNotEmpty($value) - { - return null !== $value && '' !== $value; - } -} diff --git a/library/oauth2/src/OAuth2/Storage/JwtAccessToken.php b/library/oauth2/src/OAuth2/Storage/JwtAccessToken.php deleted file mode 100644 index 75b49d301..000000000 --- a/library/oauth2/src/OAuth2/Storage/JwtAccessToken.php +++ /dev/null @@ -1,88 +0,0 @@ -<?php - -namespace OAuth2\Storage; - -use OAuth2\Encryption\EncryptionInterface; -use OAuth2\Encryption\Jwt; - -/** - * - * @author Brent Shaffer <bshafs at gmail dot com> - */ -class JwtAccessToken implements JwtAccessTokenInterface -{ - protected $publicKeyStorage; - protected $tokenStorage; - protected $encryptionUtil; - - /** - * @param OAuth2\Encryption\PublicKeyInterface $publicKeyStorage the public key encryption to use - * @param OAuth2\Storage\AccessTokenInterface $tokenStorage OPTIONAL persist the access token to another storage. This is useful if - * you want to retain access token grant information somewhere, but - * is not necessary when using this grant type. - * @param OAuth2\Encryption\EncryptionInterface $encryptionUtil OPTIONAL class to use for "encode" and "decode" functions. - */ - public function __construct(PublicKeyInterface $publicKeyStorage, AccessTokenInterface $tokenStorage = null, EncryptionInterface $encryptionUtil = null) - { - $this->publicKeyStorage = $publicKeyStorage; - $this->tokenStorage = $tokenStorage; - if (is_null($encryptionUtil)) { - $encryptionUtil = new Jwt; - } - $this->encryptionUtil = $encryptionUtil; - } - - public function getAccessToken($oauth_token) - { - // just decode the token, don't verify - if (!$tokenData = $this->encryptionUtil->decode($oauth_token, null, false)) { - return false; - } - - $client_id = isset($tokenData['aud']) ? $tokenData['aud'] : null; - $public_key = $this->publicKeyStorage->getPublicKey($client_id); - $algorithm = $this->publicKeyStorage->getEncryptionAlgorithm($client_id); - - // now that we have the client_id, verify the token - if (false === $this->encryptionUtil->decode($oauth_token, $public_key, array($algorithm))) { - return false; - } - - // normalize the JWT claims to the format expected by other components in this library - return $this->convertJwtToOAuth2($tokenData); - } - - public function setAccessToken($oauth_token, $client_id, $user_id, $expires, $scope = null) - { - if ($this->tokenStorage) { - return $this->tokenStorage->setAccessToken($oauth_token, $client_id, $user_id, $expires, $scope); - } - } - - public function unsetAccessToken($access_token) - { - if ($this->tokenStorage) { - return $this->tokenStorage->unsetAccessToken($access_token); - } - } - - - // converts a JWT access token into an OAuth2-friendly format - protected function convertJwtToOAuth2($tokenData) - { - $keyMapping = array( - 'aud' => 'client_id', - 'exp' => 'expires', - 'sub' => 'user_id' - ); - - foreach ($keyMapping as $jwtKey => $oauth2Key) { - if (isset($tokenData[$jwtKey])) { - $tokenData[$oauth2Key] = $tokenData[$jwtKey]; - unset($tokenData[$jwtKey]); - } - } - - return $tokenData; - } -} diff --git a/library/oauth2/src/OAuth2/Storage/JwtAccessTokenInterface.php b/library/oauth2/src/OAuth2/Storage/JwtAccessTokenInterface.php deleted file mode 100644 index 3abb2aa2d..000000000 --- a/library/oauth2/src/OAuth2/Storage/JwtAccessTokenInterface.php +++ /dev/null @@ -1,14 +0,0 @@ -<?php - -namespace OAuth2\Storage; - -/** - * No specific methods, but allows the library to check "instanceof" - * against interface rather than class - * - * @author Brent Shaffer <bshafs at gmail dot com> - */ -interface JwtAccessTokenInterface extends AccessTokenInterface -{ - -} diff --git a/library/oauth2/src/OAuth2/Storage/JwtBearerInterface.php b/library/oauth2/src/OAuth2/Storage/JwtBearerInterface.php deleted file mode 100644 index c83aa72ea..000000000 --- a/library/oauth2/src/OAuth2/Storage/JwtBearerInterface.php +++ /dev/null @@ -1,74 +0,0 @@ -<?php - -namespace OAuth2\Storage; - -/** - * Implement this interface to specify where the OAuth2 Server - * should get the JWT key for clients - * - * @TODO consider extending ClientInterface, as this will almost always - * be the same storage as retrieving clientData - * - * @author F21 - * @author Brent Shaffer <bshafs at gmail dot com> - */ -interface JwtBearerInterface -{ - /** - * Get the public key associated with a client_id - * - * @param $client_id - * Client identifier to be checked with. - * - * @return - * STRING Return the public key for the client_id if it exists, and MUST return FALSE if it doesn't. - */ - public function getClientKey($client_id, $subject); - - /** - * Get a jti (JSON token identifier) by matching against the client_id, subject, audience and expiration. - * - * @param $client_id - * Client identifier to match. - * - * @param $subject - * The subject to match. - * - * @param $audience - * The audience to match. - * - * @param $expiration - * The expiration of the jti. - * - * @param $jti - * The jti to match. - * - * @return - * An associative array as below, and return NULL if the jti does not exist. - * - issuer: Stored client identifier. - * - subject: Stored subject. - * - audience: Stored audience. - * - expires: Stored expiration in unix timestamp. - * - jti: The stored jti. - */ - public function getJti($client_id, $subject, $audience, $expiration, $jti); - - /** - * Store a used jti so that we can check against it to prevent replay attacks. - * @param $client_id - * Client identifier to insert. - * - * @param $subject - * The subject to insert. - * - * @param $audience - * The audience to insert. - * - * @param $expiration - * The expiration of the jti. - * - * @param $jti - * The jti to insert. - */ - public function setJti($client_id, $subject, $audience, $expiration, $jti); -} diff --git a/library/oauth2/src/OAuth2/Storage/Memory.php b/library/oauth2/src/OAuth2/Storage/Memory.php deleted file mode 100644 index 42d833ccb..000000000 --- a/library/oauth2/src/OAuth2/Storage/Memory.php +++ /dev/null @@ -1,381 +0,0 @@ -<?php - -namespace OAuth2\Storage; - -use OAuth2\OpenID\Storage\UserClaimsInterface; -use OAuth2\OpenID\Storage\AuthorizationCodeInterface as OpenIDAuthorizationCodeInterface; - -/** - * Simple in-memory storage for all storage types - * - * NOTE: This class should never be used in production, and is - * a stub class for example use only - * - * @author Brent Shaffer <bshafs at gmail dot com> - */ -class Memory implements AuthorizationCodeInterface, - UserCredentialsInterface, - UserClaimsInterface, - AccessTokenInterface, - ClientCredentialsInterface, - RefreshTokenInterface, - JwtBearerInterface, - ScopeInterface, - PublicKeyInterface, - OpenIDAuthorizationCodeInterface -{ - public $authorizationCodes; - public $userCredentials; - public $clientCredentials; - public $refreshTokens; - public $accessTokens; - public $jwt; - public $jti; - public $supportedScopes; - public $defaultScope; - public $keys; - - public function __construct($params = array()) - { - $params = array_merge(array( - 'authorization_codes' => array(), - 'user_credentials' => array(), - 'client_credentials' => array(), - 'refresh_tokens' => array(), - 'access_tokens' => array(), - 'jwt' => array(), - 'jti' => array(), - 'default_scope' => null, - 'supported_scopes' => array(), - 'keys' => array(), - ), $params); - - $this->authorizationCodes = $params['authorization_codes']; - $this->userCredentials = $params['user_credentials']; - $this->clientCredentials = $params['client_credentials']; - $this->refreshTokens = $params['refresh_tokens']; - $this->accessTokens = $params['access_tokens']; - $this->jwt = $params['jwt']; - $this->jti = $params['jti']; - $this->supportedScopes = $params['supported_scopes']; - $this->defaultScope = $params['default_scope']; - $this->keys = $params['keys']; - } - - /* AuthorizationCodeInterface */ - public function getAuthorizationCode($code) - { - if (!isset($this->authorizationCodes[$code])) { - return false; - } - - return array_merge(array( - 'authorization_code' => $code, - ), $this->authorizationCodes[$code]); - } - - public function setAuthorizationCode($code, $client_id, $user_id, $redirect_uri, $expires, $scope = null, $id_token = null) - { - $this->authorizationCodes[$code] = compact('code', 'client_id', 'user_id', 'redirect_uri', 'expires', 'scope', 'id_token'); - - return true; - } - - public function setAuthorizationCodes($authorization_codes) - { - $this->authorizationCodes = $authorization_codes; - } - - public function expireAuthorizationCode($code) - { - unset($this->authorizationCodes[$code]); - } - - /* UserCredentialsInterface */ - public function checkUserCredentials($username, $password) - { - $userDetails = $this->getUserDetails($username); - - return $userDetails && $userDetails['password'] && $userDetails['password'] === $password; - } - - public function setUser($username, $password, $firstName = null, $lastName = null) - { - $this->userCredentials[$username] = array( - 'password' => $password, - 'first_name' => $firstName, - 'last_name' => $lastName, - ); - - return true; - } - - public function getUserDetails($username) - { - if (!isset($this->userCredentials[$username])) { - return false; - } - - return array_merge(array( - 'user_id' => $username, - 'password' => null, - 'first_name' => null, - 'last_name' => null, - ), $this->userCredentials[$username]); - } - - /* UserClaimsInterface */ - public function getUserClaims($user_id, $claims) - { - if (!$userDetails = $this->getUserDetails($user_id)) { - return false; - } - - $claims = explode(' ', trim($claims)); - $userClaims = array(); - - // for each requested claim, if the user has the claim, set it in the response - $validClaims = explode(' ', self::VALID_CLAIMS); - foreach ($validClaims as $validClaim) { - if (in_array($validClaim, $claims)) { - if ($validClaim == 'address') { - // address is an object with subfields - $userClaims['address'] = $this->getUserClaim($validClaim, $userDetails['address'] ?: $userDetails); - } else { - $userClaims = array_merge($userClaims, $this->getUserClaim($validClaim, $userDetails)); - } - } - } - - return $userClaims; - } - - protected function getUserClaim($claim, $userDetails) - { - $userClaims = array(); - $claimValuesString = constant(sprintf('self::%s_CLAIM_VALUES', strtoupper($claim))); - $claimValues = explode(' ', $claimValuesString); - - foreach ($claimValues as $value) { - $userClaims[$value] = isset($userDetails[$value]) ? $userDetails[$value] : null; - } - - return $userClaims; - } - - /* ClientCredentialsInterface */ - public function checkClientCredentials($client_id, $client_secret = null) - { - return isset($this->clientCredentials[$client_id]['client_secret']) && $this->clientCredentials[$client_id]['client_secret'] === $client_secret; - } - - public function isPublicClient($client_id) - { - if (!isset($this->clientCredentials[$client_id])) { - return false; - } - - return empty($this->clientCredentials[$client_id]['client_secret']); - } - - /* ClientInterface */ - public function getClientDetails($client_id) - { - if (!isset($this->clientCredentials[$client_id])) { - return false; - } - - $clientDetails = array_merge(array( - 'client_id' => $client_id, - 'client_secret' => null, - 'redirect_uri' => null, - 'scope' => null, - ), $this->clientCredentials[$client_id]); - - return $clientDetails; - } - - public function checkRestrictedGrantType($client_id, $grant_type) - { - if (isset($this->clientCredentials[$client_id]['grant_types'])) { - $grant_types = explode(' ', $this->clientCredentials[$client_id]['grant_types']); - - return in_array($grant_type, $grant_types); - } - - // if grant_types are not defined, then none are restricted - return true; - } - - public function setClientDetails($client_id, $client_secret = null, $redirect_uri = null, $grant_types = null, $scope = null, $user_id = null) - { - $this->clientCredentials[$client_id] = array( - 'client_id' => $client_id, - 'client_secret' => $client_secret, - 'redirect_uri' => $redirect_uri, - 'grant_types' => $grant_types, - 'scope' => $scope, - 'user_id' => $user_id, - ); - - return true; - } - - /* RefreshTokenInterface */ - public function getRefreshToken($refresh_token) - { - return isset($this->refreshTokens[$refresh_token]) ? $this->refreshTokens[$refresh_token] : false; - } - - public function setRefreshToken($refresh_token, $client_id, $user_id, $expires, $scope = null) - { - $this->refreshTokens[$refresh_token] = compact('refresh_token', 'client_id', 'user_id', 'expires', 'scope'); - - return true; - } - - public function unsetRefreshToken($refresh_token) - { - if (isset($this->refreshTokens[$refresh_token])) { - unset($this->refreshTokens[$refresh_token]); - - return true; - } - - return false; - } - - public function setRefreshTokens($refresh_tokens) - { - $this->refreshTokens = $refresh_tokens; - } - - /* AccessTokenInterface */ - public function getAccessToken($access_token) - { - return isset($this->accessTokens[$access_token]) ? $this->accessTokens[$access_token] : false; - } - - public function setAccessToken($access_token, $client_id, $user_id, $expires, $scope = null, $id_token = null) - { - $this->accessTokens[$access_token] = compact('access_token', 'client_id', 'user_id', 'expires', 'scope', 'id_token'); - - return true; - } - - public function unsetAccessToken($access_token) - { - if (isset($this->accessTokens[$access_token])) { - unset($this->accessTokens[$access_token]); - - return true; - } - - return false; - } - - public function scopeExists($scope) - { - $scope = explode(' ', trim($scope)); - - return (count(array_diff($scope, $this->supportedScopes)) == 0); - } - - public function getDefaultScope($client_id = null) - { - return $this->defaultScope; - } - - /*JWTBearerInterface */ - public function getClientKey($client_id, $subject) - { - if (isset($this->jwt[$client_id])) { - $jwt = $this->jwt[$client_id]; - if ($jwt) { - if ($jwt["subject"] == $subject) { - return $jwt["key"]; - } - } - } - - return false; - } - - public function getClientScope($client_id) - { - if (!$clientDetails = $this->getClientDetails($client_id)) { - return false; - } - - if (isset($clientDetails['scope'])) { - return $clientDetails['scope']; - } - - return null; - } - - public function getJti($client_id, $subject, $audience, $expires, $jti) - { - foreach ($this->jti as $storedJti) { - if ($storedJti['issuer'] == $client_id && $storedJti['subject'] == $subject && $storedJti['audience'] == $audience && $storedJti['expires'] == $expires && $storedJti['jti'] == $jti) { - return array( - 'issuer' => $storedJti['issuer'], - 'subject' => $storedJti['subject'], - 'audience' => $storedJti['audience'], - 'expires' => $storedJti['expires'], - 'jti' => $storedJti['jti'] - ); - } - } - - return null; - } - - public function setJti($client_id, $subject, $audience, $expires, $jti) - { - $this->jti[] = array('issuer' => $client_id, 'subject' => $subject, 'audience' => $audience, 'expires' => $expires, 'jti' => $jti); - } - - /*PublicKeyInterface */ - public function getPublicKey($client_id = null) - { - if (isset($this->keys[$client_id])) { - return $this->keys[$client_id]['public_key']; - } - - // use a global encryption pair - if (isset($this->keys['public_key'])) { - return $this->keys['public_key']; - } - - return false; - } - - public function getPrivateKey($client_id = null) - { - if (isset($this->keys[$client_id])) { - return $this->keys[$client_id]['private_key']; - } - - // use a global encryption pair - if (isset($this->keys['private_key'])) { - return $this->keys['private_key']; - } - - return false; - } - - public function getEncryptionAlgorithm($client_id = null) - { - if (isset($this->keys[$client_id]['encryption_algorithm'])) { - return $this->keys[$client_id]['encryption_algorithm']; - } - - // use a global encryption algorithm - if (isset($this->keys['encryption_algorithm'])) { - return $this->keys['encryption_algorithm']; - } - - return 'RS256'; - } -} diff --git a/library/oauth2/src/OAuth2/Storage/Mongo.php b/library/oauth2/src/OAuth2/Storage/Mongo.php deleted file mode 100644 index cef35e5e9..000000000 --- a/library/oauth2/src/OAuth2/Storage/Mongo.php +++ /dev/null @@ -1,339 +0,0 @@ -<?php - -namespace OAuth2\Storage; - -use OAuth2\OpenID\Storage\AuthorizationCodeInterface as OpenIDAuthorizationCodeInterface; - -/** - * Simple MongoDB storage for all storage types - * - * NOTE: This class is meant to get users started - * quickly. If your application requires further - * customization, extend this class or create your own. - * - * NOTE: Passwords are stored in plaintext, which is never - * a good idea. Be sure to override this for your application - * - * @author Julien Chaumond <chaumond@gmail.com> - */ -class Mongo implements AuthorizationCodeInterface, - AccessTokenInterface, - ClientCredentialsInterface, - UserCredentialsInterface, - RefreshTokenInterface, - JwtBearerInterface, - OpenIDAuthorizationCodeInterface -{ - protected $db; - protected $config; - - public function __construct($connection, $config = array()) - { - if ($connection instanceof \MongoDB) { - $this->db = $connection; - } else { - if (!is_array($connection)) { - throw new \InvalidArgumentException('First argument to OAuth2\Storage\Mongo must be an instance of MongoDB or a configuration array'); - } - $server = sprintf('mongodb://%s:%d', $connection['host'], $connection['port']); - $m = new \MongoClient($server); - $this->db = $m->{$connection['database']}; - } - - $this->config = array_merge(array( - 'client_table' => 'oauth_clients', - 'access_token_table' => 'oauth_access_tokens', - 'refresh_token_table' => 'oauth_refresh_tokens', - 'code_table' => 'oauth_authorization_codes', - 'user_table' => 'oauth_users', - 'jwt_table' => 'oauth_jwt', - ), $config); - } - - // Helper function to access a MongoDB collection by `type`: - protected function collection($name) - { - return $this->db->{$this->config[$name]}; - } - - /* ClientCredentialsInterface */ - public function checkClientCredentials($client_id, $client_secret = null) - { - if ($result = $this->collection('client_table')->findOne(array('client_id' => $client_id))) { - return $result['client_secret'] == $client_secret; - } - - return false; - } - - public function isPublicClient($client_id) - { - if (!$result = $this->collection('client_table')->findOne(array('client_id' => $client_id))) { - return false; - } - - return empty($result['client_secret']); - } - - /* ClientInterface */ - public function getClientDetails($client_id) - { - $result = $this->collection('client_table')->findOne(array('client_id' => $client_id)); - - return is_null($result) ? false : $result; - } - - public function setClientDetails($client_id, $client_secret = null, $redirect_uri = null, $grant_types = null, $scope = null, $user_id = null) - { - if ($this->getClientDetails($client_id)) { - $this->collection('client_table')->update( - array('client_id' => $client_id), - array('$set' => array( - 'client_secret' => $client_secret, - 'redirect_uri' => $redirect_uri, - 'grant_types' => $grant_types, - 'scope' => $scope, - 'user_id' => $user_id, - )) - ); - } else { - $client = array( - 'client_id' => $client_id, - 'client_secret' => $client_secret, - 'redirect_uri' => $redirect_uri, - 'grant_types' => $grant_types, - 'scope' => $scope, - 'user_id' => $user_id, - ); - $this->collection('client_table')->insert($client); - } - - return true; - } - - public function checkRestrictedGrantType($client_id, $grant_type) - { - $details = $this->getClientDetails($client_id); - if (isset($details['grant_types'])) { - $grant_types = explode(' ', $details['grant_types']); - - return in_array($grant_type, $grant_types); - } - - // if grant_types are not defined, then none are restricted - return true; - } - - /* AccessTokenInterface */ - public function getAccessToken($access_token) - { - $token = $this->collection('access_token_table')->findOne(array('access_token' => $access_token)); - - return is_null($token) ? false : $token; - } - - public function setAccessToken($access_token, $client_id, $user_id, $expires, $scope = null) - { - // if it exists, update it. - if ($this->getAccessToken($access_token)) { - $this->collection('access_token_table')->update( - array('access_token' => $access_token), - array('$set' => array( - 'client_id' => $client_id, - 'expires' => $expires, - 'user_id' => $user_id, - 'scope' => $scope - )) - ); - } else { - $token = array( - 'access_token' => $access_token, - 'client_id' => $client_id, - 'expires' => $expires, - 'user_id' => $user_id, - 'scope' => $scope - ); - $this->collection('access_token_table')->insert($token); - } - - return true; - } - - public function unsetAccessToken($access_token) - { - $result = $this->collection('access_token_table')->remove(array( - 'access_token' => $access_token - ), array('w' => 1)); - - return $result['n'] > 0; - } - - - /* AuthorizationCodeInterface */ - public function getAuthorizationCode($code) - { - $code = $this->collection('code_table')->findOne(array('authorization_code' => $code)); - - return is_null($code) ? false : $code; - } - - public function setAuthorizationCode($code, $client_id, $user_id, $redirect_uri, $expires, $scope = null, $id_token = null) - { - // if it exists, update it. - if ($this->getAuthorizationCode($code)) { - $this->collection('code_table')->update( - array('authorization_code' => $code), - array('$set' => array( - 'client_id' => $client_id, - 'user_id' => $user_id, - 'redirect_uri' => $redirect_uri, - 'expires' => $expires, - 'scope' => $scope, - 'id_token' => $id_token, - )) - ); - } else { - $token = array( - 'authorization_code' => $code, - 'client_id' => $client_id, - 'user_id' => $user_id, - 'redirect_uri' => $redirect_uri, - 'expires' => $expires, - 'scope' => $scope, - 'id_token' => $id_token, - ); - $this->collection('code_table')->insert($token); - } - - return true; - } - - public function expireAuthorizationCode($code) - { - $this->collection('code_table')->remove(array('authorization_code' => $code)); - - return true; - } - - /* UserCredentialsInterface */ - public function checkUserCredentials($username, $password) - { - if ($user = $this->getUser($username)) { - return $this->checkPassword($user, $password); - } - - return false; - } - - public function getUserDetails($username) - { - if ($user = $this->getUser($username)) { - $user['user_id'] = $user['username']; - } - - return $user; - } - - /* RefreshTokenInterface */ - public function getRefreshToken($refresh_token) - { - $token = $this->collection('refresh_token_table')->findOne(array('refresh_token' => $refresh_token)); - - return is_null($token) ? false : $token; - } - - public function setRefreshToken($refresh_token, $client_id, $user_id, $expires, $scope = null) - { - $token = array( - 'refresh_token' => $refresh_token, - 'client_id' => $client_id, - 'user_id' => $user_id, - 'expires' => $expires, - 'scope' => $scope - ); - $this->collection('refresh_token_table')->insert($token); - - return true; - } - - public function unsetRefreshToken($refresh_token) - { - $result = $this->collection('refresh_token_table')->remove(array( - 'refresh_token' => $refresh_token - ), array('w' => 1)); - - return $result['n'] > 0; - } - - // plaintext passwords are bad! Override this for your application - protected function checkPassword($user, $password) - { - return $user['password'] == $password; - } - - public function getUser($username) - { - $result = $this->collection('user_table')->findOne(array('username' => $username)); - - return is_null($result) ? false : $result; - } - - public function setUser($username, $password, $firstName = null, $lastName = null) - { - if ($this->getUser($username)) { - $this->collection('user_table')->update( - array('username' => $username), - array('$set' => array( - 'password' => $password, - 'first_name' => $firstName, - 'last_name' => $lastName - )) - ); - } else { - $user = array( - 'username' => $username, - 'password' => $password, - 'first_name' => $firstName, - 'last_name' => $lastName - ); - $this->collection('user_table')->insert($user); - } - - return true; - } - - public function getClientKey($client_id, $subject) - { - $result = $this->collection('jwt_table')->findOne(array( - 'client_id' => $client_id, - 'subject' => $subject - )); - - return is_null($result) ? false : $result['key']; - } - - public function getClientScope($client_id) - { - if (!$clientDetails = $this->getClientDetails($client_id)) { - return false; - } - - if (isset($clientDetails['scope'])) { - return $clientDetails['scope']; - } - - return null; - } - - public function getJti($client_id, $subject, $audience, $expiration, $jti) - { - //TODO: Needs mongodb implementation. - throw new \Exception('getJti() for the MongoDB driver is currently unimplemented.'); - } - - public function setJti($client_id, $subject, $audience, $expiration, $jti) - { - //TODO: Needs mongodb implementation. - throw new \Exception('setJti() for the MongoDB driver is currently unimplemented.'); - } -} diff --git a/library/oauth2/src/OAuth2/Storage/Pdo.php b/library/oauth2/src/OAuth2/Storage/Pdo.php deleted file mode 100644 index ae5107e29..000000000 --- a/library/oauth2/src/OAuth2/Storage/Pdo.php +++ /dev/null @@ -1,553 +0,0 @@ -<?php - -namespace OAuth2\Storage; - -use OAuth2\OpenID\Storage\UserClaimsInterface; -use OAuth2\OpenID\Storage\AuthorizationCodeInterface as OpenIDAuthorizationCodeInterface; - -/** - * Simple PDO storage for all storage types - * - * NOTE: This class is meant to get users started - * quickly. If your application requires further - * customization, extend this class or create your own. - * - * NOTE: Passwords are stored in plaintext, which is never - * a good idea. Be sure to override this for your application - * - * @author Brent Shaffer <bshafs at gmail dot com> - */ -class Pdo implements - AuthorizationCodeInterface, - AccessTokenInterface, - ClientCredentialsInterface, - UserCredentialsInterface, - RefreshTokenInterface, - JwtBearerInterface, - ScopeInterface, - PublicKeyInterface, - UserClaimsInterface, - OpenIDAuthorizationCodeInterface -{ - protected $db; - protected $config; - - public function __construct($connection, $config = array()) - { - if (!$connection instanceof \PDO) { - if (is_string($connection)) { - $connection = array('dsn' => $connection); - } - if (!is_array($connection)) { - throw new \InvalidArgumentException('First argument to OAuth2\Storage\Pdo must be an instance of PDO, a DSN string, or a configuration array'); - } - if (!isset($connection['dsn'])) { - throw new \InvalidArgumentException('configuration array must contain "dsn"'); - } - // merge optional parameters - $connection = array_merge(array( - 'username' => null, - 'password' => null, - 'options' => array(), - ), $connection); - $connection = new \PDO($connection['dsn'], $connection['username'], $connection['password'], $connection['options']); - } - $this->db = $connection; - - // debugging - $connection->setAttribute(\PDO::ATTR_ERRMODE, \PDO::ERRMODE_EXCEPTION); - - $this->config = array_merge(array( - 'client_table' => 'oauth_clients', - 'access_token_table' => 'oauth_access_tokens', - 'refresh_token_table' => 'oauth_refresh_tokens', - 'code_table' => 'oauth_authorization_codes', - 'user_table' => 'oauth_users', - 'jwt_table' => 'oauth_jwt', - 'jti_table' => 'oauth_jti', - 'scope_table' => 'oauth_scopes', - 'public_key_table' => 'oauth_public_keys', - ), $config); - } - - /* OAuth2\Storage\ClientCredentialsInterface */ - public function checkClientCredentials($client_id, $client_secret = null) - { - $stmt = $this->db->prepare(sprintf('SELECT * from %s where client_id = :client_id', $this->config['client_table'])); - $stmt->execute(compact('client_id')); - $result = $stmt->fetch(\PDO::FETCH_ASSOC); - - // make this extensible - return $result && $result['client_secret'] == $client_secret; - } - - public function isPublicClient($client_id) - { - $stmt = $this->db->prepare(sprintf('SELECT * from %s where client_id = :client_id', $this->config['client_table'])); - $stmt->execute(compact('client_id')); - - if (!$result = $stmt->fetch(\PDO::FETCH_ASSOC)) { - return false; - } - - return empty($result['client_secret']); - } - - /* OAuth2\Storage\ClientInterface */ - public function getClientDetails($client_id) - { - $stmt = $this->db->prepare(sprintf('SELECT * from %s where client_id = :client_id', $this->config['client_table'])); - $stmt->execute(compact('client_id')); - - return $stmt->fetch(\PDO::FETCH_ASSOC); - } - - public function setClientDetails($client_id, $client_secret = null, $redirect_uri = null, $grant_types = null, $scope = null, $user_id = null) - { - // if it exists, update it. - if ($this->getClientDetails($client_id)) { - $stmt = $this->db->prepare($sql = sprintf('UPDATE %s SET client_secret=:client_secret, redirect_uri=:redirect_uri, grant_types=:grant_types, scope=:scope, user_id=:user_id where client_id=:client_id', $this->config['client_table'])); - } else { - $stmt = $this->db->prepare(sprintf('INSERT INTO %s (client_id, client_secret, redirect_uri, grant_types, scope, user_id) VALUES (:client_id, :client_secret, :redirect_uri, :grant_types, :scope, :user_id)', $this->config['client_table'])); - } - - return $stmt->execute(compact('client_id', 'client_secret', 'redirect_uri', 'grant_types', 'scope', 'user_id')); - } - - public function checkRestrictedGrantType($client_id, $grant_type) - { - $details = $this->getClientDetails($client_id); - if (isset($details['grant_types'])) { - $grant_types = explode(' ', $details['grant_types']); - - return in_array($grant_type, (array) $grant_types); - } - - // if grant_types are not defined, then none are restricted - return true; - } - - /* OAuth2\Storage\AccessTokenInterface */ - public function getAccessToken($access_token) - { - $stmt = $this->db->prepare(sprintf('SELECT * from %s where access_token = :access_token', $this->config['access_token_table'])); - - $token = $stmt->execute(compact('access_token')); - if ($token = $stmt->fetch(\PDO::FETCH_ASSOC)) { - // convert date string back to timestamp - $token['expires'] = strtotime($token['expires']); - } - - return $token; - } - - public function setAccessToken($access_token, $client_id, $user_id, $expires, $scope = null) - { - // convert expires to datestring - $expires = date('Y-m-d H:i:s', $expires); - - // if it exists, update it. - if ($this->getAccessToken($access_token)) { - $stmt = $this->db->prepare(sprintf('UPDATE %s SET client_id=:client_id, expires=:expires, user_id=:user_id, scope=:scope where access_token=:access_token', $this->config['access_token_table'])); - } else { - $stmt = $this->db->prepare(sprintf('INSERT INTO %s (access_token, client_id, expires, user_id, scope) VALUES (:access_token, :client_id, :expires, :user_id, :scope)', $this->config['access_token_table'])); - } - - return $stmt->execute(compact('access_token', 'client_id', 'user_id', 'expires', 'scope')); - } - - public function unsetAccessToken($access_token) - { - $stmt = $this->db->prepare(sprintf('DELETE FROM %s WHERE access_token = :access_token', $this->config['access_token_table'])); - - $stmt->execute(compact('access_token')); - - return $stmt->rowCount() > 0; - } - - /* OAuth2\Storage\AuthorizationCodeInterface */ - public function getAuthorizationCode($code) - { - $stmt = $this->db->prepare(sprintf('SELECT * from %s where authorization_code = :code', $this->config['code_table'])); - $stmt->execute(compact('code')); - - if ($code = $stmt->fetch(\PDO::FETCH_ASSOC)) { - // convert date string back to timestamp - $code['expires'] = strtotime($code['expires']); - } - - return $code; - } - - public function setAuthorizationCode($code, $client_id, $user_id, $redirect_uri, $expires, $scope = null, $id_token = null) - { - if (func_num_args() > 6) { - // we are calling with an id token - return call_user_func_array(array($this, 'setAuthorizationCodeWithIdToken'), func_get_args()); - } - - // convert expires to datestring - $expires = date('Y-m-d H:i:s', $expires); - - // if it exists, update it. - if ($this->getAuthorizationCode($code)) { - $stmt = $this->db->prepare($sql = sprintf('UPDATE %s SET client_id=:client_id, user_id=:user_id, redirect_uri=:redirect_uri, expires=:expires, scope=:scope where authorization_code=:code', $this->config['code_table'])); - } else { - $stmt = $this->db->prepare(sprintf('INSERT INTO %s (authorization_code, client_id, user_id, redirect_uri, expires, scope) VALUES (:code, :client_id, :user_id, :redirect_uri, :expires, :scope)', $this->config['code_table'])); - } - - return $stmt->execute(compact('code', 'client_id', 'user_id', 'redirect_uri', 'expires', 'scope')); - } - - private function setAuthorizationCodeWithIdToken($code, $client_id, $user_id, $redirect_uri, $expires, $scope = null, $id_token = null) - { - // convert expires to datestring - $expires = date('Y-m-d H:i:s', $expires); - - // if it exists, update it. - if ($this->getAuthorizationCode($code)) { - $stmt = $this->db->prepare($sql = sprintf('UPDATE %s SET client_id=:client_id, user_id=:user_id, redirect_uri=:redirect_uri, expires=:expires, scope=:scope, id_token =:id_token where authorization_code=:code', $this->config['code_table'])); - } else { - $stmt = $this->db->prepare(sprintf('INSERT INTO %s (authorization_code, client_id, user_id, redirect_uri, expires, scope, id_token) VALUES (:code, :client_id, :user_id, :redirect_uri, :expires, :scope, :id_token)', $this->config['code_table'])); - } - - return $stmt->execute(compact('code', 'client_id', 'user_id', 'redirect_uri', 'expires', 'scope', 'id_token')); - } - - public function expireAuthorizationCode($code) - { - $stmt = $this->db->prepare(sprintf('DELETE FROM %s WHERE authorization_code = :code', $this->config['code_table'])); - - return $stmt->execute(compact('code')); - } - - /* OAuth2\Storage\UserCredentialsInterface */ - public function checkUserCredentials($username, $password) - { - if ($user = $this->getUser($username)) { - return $this->checkPassword($user, $password); - } - - return false; - } - - public function getUserDetails($username) - { - return $this->getUser($username); - } - - /* UserClaimsInterface */ - public function getUserClaims($user_id, $claims) - { - if (!$userDetails = $this->getUserDetails($user_id)) { - return false; - } - - $claims = explode(' ', trim($claims)); - $userClaims = array(); - - // for each requested claim, if the user has the claim, set it in the response - $validClaims = explode(' ', self::VALID_CLAIMS); - foreach ($validClaims as $validClaim) { - if (in_array($validClaim, $claims)) { - if ($validClaim == 'address') { - // address is an object with subfields - $userClaims['address'] = $this->getUserClaim($validClaim, $userDetails['address'] ?: $userDetails); - } else { - $userClaims = array_merge($userClaims, $this->getUserClaim($validClaim, $userDetails)); - } - } - } - - return $userClaims; - } - - protected function getUserClaim($claim, $userDetails) - { - $userClaims = array(); - $claimValuesString = constant(sprintf('self::%s_CLAIM_VALUES', strtoupper($claim))); - $claimValues = explode(' ', $claimValuesString); - - foreach ($claimValues as $value) { - $userClaims[$value] = isset($userDetails[$value]) ? $userDetails[$value] : null; - } - - return $userClaims; - } - - /* OAuth2\Storage\RefreshTokenInterface */ - public function getRefreshToken($refresh_token) - { - $stmt = $this->db->prepare(sprintf('SELECT * FROM %s WHERE refresh_token = :refresh_token', $this->config['refresh_token_table'])); - - $token = $stmt->execute(compact('refresh_token')); - if ($token = $stmt->fetch(\PDO::FETCH_ASSOC)) { - // convert expires to epoch time - $token['expires'] = strtotime($token['expires']); - } - - return $token; - } - - public function setRefreshToken($refresh_token, $client_id, $user_id, $expires, $scope = null) - { - // convert expires to datestring - $expires = date('Y-m-d H:i:s', $expires); - - $stmt = $this->db->prepare(sprintf('INSERT INTO %s (refresh_token, client_id, user_id, expires, scope) VALUES (:refresh_token, :client_id, :user_id, :expires, :scope)', $this->config['refresh_token_table'])); - - return $stmt->execute(compact('refresh_token', 'client_id', 'user_id', 'expires', 'scope')); - } - - public function unsetRefreshToken($refresh_token) - { - $stmt = $this->db->prepare(sprintf('DELETE FROM %s WHERE refresh_token = :refresh_token', $this->config['refresh_token_table'])); - - $stmt->execute(compact('refresh_token')); - - return $stmt->rowCount() > 0; - } - - // plaintext passwords are bad! Override this for your application - protected function checkPassword($user, $password) - { - return $user['password'] == $this->hashPassword($password); - } - - // use a secure hashing algorithm when storing passwords. Override this for your application - protected function hashPassword($password) - { - return sha1($password); - } - - public function getUser($username) - { - $stmt = $this->db->prepare($sql = sprintf('SELECT * from %s where username=:username', $this->config['user_table'])); - $stmt->execute(array('username' => $username)); - - if (!$userInfo = $stmt->fetch(\PDO::FETCH_ASSOC)) { - return false; - } - - // the default behavior is to use "username" as the user_id - return array_merge(array( - 'user_id' => $username - ), $userInfo); - } - - public function setUser($username, $password, $firstName = null, $lastName = null) - { - // do not store in plaintext - $password = $this->hashPassword($password); - - // if it exists, update it. - if ($this->getUser($username)) { - $stmt = $this->db->prepare($sql = sprintf('UPDATE %s SET password=:password, first_name=:firstName, last_name=:lastName where username=:username', $this->config['user_table'])); - } else { - $stmt = $this->db->prepare(sprintf('INSERT INTO %s (username, password, first_name, last_name) VALUES (:username, :password, :firstName, :lastName)', $this->config['user_table'])); - } - - return $stmt->execute(compact('username', 'password', 'firstName', 'lastName')); - } - - /* ScopeInterface */ - public function scopeExists($scope) - { - $scope = explode(' ', $scope); - $whereIn = implode(',', array_fill(0, count($scope), '?')); - $stmt = $this->db->prepare(sprintf('SELECT count(scope) as count FROM %s WHERE scope IN (%s)', $this->config['scope_table'], $whereIn)); - $stmt->execute($scope); - - if ($result = $stmt->fetch(\PDO::FETCH_ASSOC)) { - return $result['count'] == count($scope); - } - - return false; - } - - public function getDefaultScope($client_id = null) - { - $stmt = $this->db->prepare(sprintf('SELECT scope FROM %s WHERE is_default=:is_default', $this->config['scope_table'])); - $stmt->execute(array('is_default' => true)); - - if ($result = $stmt->fetchAll(\PDO::FETCH_ASSOC)) { - $defaultScope = array_map(function ($row) { - return $row['scope']; - }, $result); - - return implode(' ', $defaultScope); - } - - return null; - } - - /* JWTBearerInterface */ - public function getClientKey($client_id, $subject) - { - $stmt = $this->db->prepare($sql = sprintf('SELECT public_key from %s where client_id=:client_id AND subject=:subject', $this->config['jwt_table'])); - - $stmt->execute(array('client_id' => $client_id, 'subject' => $subject)); - - return $stmt->fetchColumn(); - } - - public function getClientScope($client_id) - { - if (!$clientDetails = $this->getClientDetails($client_id)) { - return false; - } - - if (isset($clientDetails['scope'])) { - return $clientDetails['scope']; - } - - return null; - } - - public function getJti($client_id, $subject, $audience, $expires, $jti) - { - $stmt = $this->db->prepare($sql = sprintf('SELECT * FROM %s WHERE issuer=:client_id AND subject=:subject AND audience=:audience AND expires=:expires AND jti=:jti', $this->config['jti_table'])); - - $stmt->execute(compact('client_id', 'subject', 'audience', 'expires', 'jti')); - - if ($result = $stmt->fetch(\PDO::FETCH_ASSOC)) { - return array( - 'issuer' => $result['issuer'], - 'subject' => $result['subject'], - 'audience' => $result['audience'], - 'expires' => $result['expires'], - 'jti' => $result['jti'], - ); - } - - return null; - } - - public function setJti($client_id, $subject, $audience, $expires, $jti) - { - $stmt = $this->db->prepare(sprintf('INSERT INTO %s (issuer, subject, audience, expires, jti) VALUES (:client_id, :subject, :audience, :expires, :jti)', $this->config['jti_table'])); - - return $stmt->execute(compact('client_id', 'subject', 'audience', 'expires', 'jti')); - } - - /* PublicKeyInterface */ - public function getPublicKey($client_id = null) - { - $stmt = $this->db->prepare($sql = sprintf('SELECT public_key FROM %s WHERE client_id=:client_id OR client_id IS NULL ORDER BY client_id IS NOT NULL DESC', $this->config['public_key_table'])); - - $stmt->execute(compact('client_id')); - if ($result = $stmt->fetch(\PDO::FETCH_ASSOC)) { - return $result['public_key']; - } - } - - public function getPrivateKey($client_id = null) - { - $stmt = $this->db->prepare($sql = sprintf('SELECT private_key FROM %s WHERE client_id=:client_id OR client_id IS NULL ORDER BY client_id IS NOT NULL DESC', $this->config['public_key_table'])); - - $stmt->execute(compact('client_id')); - if ($result = $stmt->fetch(\PDO::FETCH_ASSOC)) { - return $result['private_key']; - } - } - - public function getEncryptionAlgorithm($client_id = null) - { - $stmt = $this->db->prepare($sql = sprintf('SELECT encryption_algorithm FROM %s WHERE client_id=:client_id OR client_id IS NULL ORDER BY client_id IS NOT NULL DESC', $this->config['public_key_table'])); - - $stmt->execute(compact('client_id')); - if ($result = $stmt->fetch(\PDO::FETCH_ASSOC)) { - return $result['encryption_algorithm']; - } - - return 'RS256'; - } - - /** - * DDL to create OAuth2 database and tables for PDO storage - * - * @see https://github.com/dsquier/oauth2-server-php-mysql - */ - public function getBuildSql($dbName = 'oauth2_server_php') - { - $sql = " - CREATE TABLE {$this->config['client_table']} ( - client_id VARCHAR(80) NOT NULL, - client_secret VARCHAR(80), - redirect_uri VARCHAR(2000), - grant_types VARCHAR(80), - scope VARCHAR(4000), - user_id VARCHAR(80), - PRIMARY KEY (client_id) - ); - - CREATE TABLE {$this->config['access_token_table']} ( - access_token VARCHAR(40) NOT NULL, - client_id VARCHAR(80) NOT NULL, - user_id VARCHAR(80), - expires TIMESTAMP NOT NULL, - scope VARCHAR(4000), - PRIMARY KEY (access_token) - ); - - CREATE TABLE {$this->config['code_table']} ( - authorization_code VARCHAR(40) NOT NULL, - client_id VARCHAR(80) NOT NULL, - user_id VARCHAR(80), - redirect_uri VARCHAR(2000), - expires TIMESTAMP NOT NULL, - scope VARCHAR(4000), - id_token VARCHAR(1000), - PRIMARY KEY (authorization_code) - ); - - CREATE TABLE {$this->config['refresh_token_table']} ( - refresh_token VARCHAR(40) NOT NULL, - client_id VARCHAR(80) NOT NULL, - user_id VARCHAR(80), - expires TIMESTAMP NOT NULL, - scope VARCHAR(4000), - PRIMARY KEY (refresh_token) - ); - - CREATE TABLE {$this->config['user_table']} ( - username VARCHAR(80), - password VARCHAR(80), - first_name VARCHAR(80), - last_name VARCHAR(80), - email VARCHAR(80), - email_verified BOOLEAN, - scope VARCHAR(4000) - ); - - CREATE TABLE {$this->config['scope_table']} ( - scope VARCHAR(80) NOT NULL, - is_default BOOLEAN, - PRIMARY KEY (scope) - ); - - CREATE TABLE {$this->config['jwt_table']} ( - client_id VARCHAR(80) NOT NULL, - subject VARCHAR(80), - public_key VARCHAR(2000) NOT NULL - ); - - CREATE TABLE {$this->config['jti_table']} ( - issuer VARCHAR(80) NOT NULL, - subject VARCHAR(80), - audience VARCHAR(80), - expires TIMESTAMP NOT NULL, - jti VARCHAR(2000) NOT NULL - ); - - CREATE TABLE {$this->config['public_key_table']} ( - client_id VARCHAR(80), - public_key VARCHAR(2000), - private_key VARCHAR(2000), - encryption_algorithm VARCHAR(100) DEFAULT 'RS256' - ) -"; - - return $sql; - } -} diff --git a/library/oauth2/src/OAuth2/Storage/PublicKeyInterface.php b/library/oauth2/src/OAuth2/Storage/PublicKeyInterface.php deleted file mode 100644 index 108418d3a..000000000 --- a/library/oauth2/src/OAuth2/Storage/PublicKeyInterface.php +++ /dev/null @@ -1,16 +0,0 @@ -<?php - -namespace OAuth2\Storage; - -/** - * Implement this interface to specify where the OAuth2 Server - * should get public/private key information - * - * @author Brent Shaffer <bshafs at gmail dot com> - */ -interface PublicKeyInterface -{ - public function getPublicKey($client_id = null); - public function getPrivateKey($client_id = null); - public function getEncryptionAlgorithm($client_id = null); -} diff --git a/library/oauth2/src/OAuth2/Storage/Redis.php b/library/oauth2/src/OAuth2/Storage/Redis.php deleted file mode 100644 index e6294e22d..000000000 --- a/library/oauth2/src/OAuth2/Storage/Redis.php +++ /dev/null @@ -1,321 +0,0 @@ -<?php - -namespace OAuth2\Storage; - -use OAuth2\OpenID\Storage\AuthorizationCodeInterface as OpenIDAuthorizationCodeInterface; - -/** - * redis storage for all storage types - * - * To use, install "predis/predis" via composer - * - * Register client: - * <code> - * $storage = new OAuth2\Storage\Redis($redis); - * $storage->setClientDetails($client_id, $client_secret, $redirect_uri); - * </code> - */ -class Redis implements AuthorizationCodeInterface, - AccessTokenInterface, - ClientCredentialsInterface, - UserCredentialsInterface, - RefreshTokenInterface, - JwtBearerInterface, - ScopeInterface, - OpenIDAuthorizationCodeInterface -{ - - private $cache; - - /* The redis client */ - protected $redis; - - /* Configuration array */ - protected $config; - - /** - * Redis Storage! - * - * @param \Predis\Client $redis - * @param array $config - */ - public function __construct($redis, $config=array()) - { - $this->redis = $redis; - $this->config = array_merge(array( - 'client_key' => 'oauth_clients:', - 'access_token_key' => 'oauth_access_tokens:', - 'refresh_token_key' => 'oauth_refresh_tokens:', - 'code_key' => 'oauth_authorization_codes:', - 'user_key' => 'oauth_users:', - 'jwt_key' => 'oauth_jwt:', - 'scope_key' => 'oauth_scopes:', - ), $config); - } - - protected function getValue($key) - { - if ( isset($this->cache[$key]) ) { - return $this->cache[$key]; - } - $value = $this->redis->get($key); - if ( isset($value) ) { - return json_decode($value, true); - } else { - return false; - } - } - - protected function setValue($key, $value, $expire=0) - { - $this->cache[$key] = $value; - $str = json_encode($value); - if ($expire > 0) { - $seconds = $expire - time(); - $ret = $this->redis->setex($key, $seconds, $str); - } else { - $ret = $this->redis->set($key, $str); - } - - // check that the key was set properly - // if this fails, an exception will usually thrown, so this step isn't strictly necessary - return is_bool($ret) ? $ret : $ret->getPayload() == 'OK'; - } - - protected function expireValue($key) - { - unset($this->cache[$key]); - - return $this->redis->del($key); - } - - /* AuthorizationCodeInterface */ - public function getAuthorizationCode($code) - { - return $this->getValue($this->config['code_key'] . $code); - } - - public function setAuthorizationCode($authorization_code, $client_id, $user_id, $redirect_uri, $expires, $scope = null, $id_token = null) - { - return $this->setValue( - $this->config['code_key'] . $authorization_code, - compact('authorization_code', 'client_id', 'user_id', 'redirect_uri', 'expires', 'scope', 'id_token'), - $expires - ); - } - - public function expireAuthorizationCode($code) - { - $key = $this->config['code_key'] . $code; - unset($this->cache[$key]); - - return $this->expireValue($key); - } - - /* UserCredentialsInterface */ - public function checkUserCredentials($username, $password) - { - $user = $this->getUserDetails($username); - - return $user && $user['password'] === $password; - } - - public function getUserDetails($username) - { - return $this->getUser($username); - } - - public function getUser($username) - { - if (!$userInfo = $this->getValue($this->config['user_key'] . $username)) { - return false; - } - - // the default behavior is to use "username" as the user_id - return array_merge(array( - 'user_id' => $username, - ), $userInfo); - } - - public function setUser($username, $password, $first_name = null, $last_name = null) - { - return $this->setValue( - $this->config['user_key'] . $username, - compact('username', 'password', 'first_name', 'last_name') - ); - } - - /* ClientCredentialsInterface */ - public function checkClientCredentials($client_id, $client_secret = null) - { - if (!$client = $this->getClientDetails($client_id)) { - return false; - } - - return isset($client['client_secret']) - && $client['client_secret'] == $client_secret; - } - - public function isPublicClient($client_id) - { - if (!$client = $this->getClientDetails($client_id)) { - return false; - } - - return empty($client['client_secret']); - } - - /* ClientInterface */ - public function getClientDetails($client_id) - { - return $this->getValue($this->config['client_key'] . $client_id); - } - - public function setClientDetails($client_id, $client_secret = null, $redirect_uri = null, $grant_types = null, $scope = null, $user_id = null) - { - return $this->setValue( - $this->config['client_key'] . $client_id, - compact('client_id', 'client_secret', 'redirect_uri', 'grant_types', 'scope', 'user_id') - ); - } - - public function checkRestrictedGrantType($client_id, $grant_type) - { - $details = $this->getClientDetails($client_id); - if (isset($details['grant_types'])) { - $grant_types = explode(' ', $details['grant_types']); - - return in_array($grant_type, (array) $grant_types); - } - - // if grant_types are not defined, then none are restricted - return true; - } - - /* RefreshTokenInterface */ - public function getRefreshToken($refresh_token) - { - return $this->getValue($this->config['refresh_token_key'] . $refresh_token); - } - - public function setRefreshToken($refresh_token, $client_id, $user_id, $expires, $scope = null) - { - return $this->setValue( - $this->config['refresh_token_key'] . $refresh_token, - compact('refresh_token', 'client_id', 'user_id', 'expires', 'scope'), - $expires - ); - } - - public function unsetRefreshToken($refresh_token) - { - $result = $this->expireValue($this->config['refresh_token_key'] . $refresh_token); - - return $result > 0; - } - - /* AccessTokenInterface */ - public function getAccessToken($access_token) - { - return $this->getValue($this->config['access_token_key'].$access_token); - } - - public function setAccessToken($access_token, $client_id, $user_id, $expires, $scope = null) - { - return $this->setValue( - $this->config['access_token_key'].$access_token, - compact('access_token', 'client_id', 'user_id', 'expires', 'scope'), - $expires - ); - } - - public function unsetAccessToken($access_token) - { - $result = $this->expireValue($this->config['access_token_key'] . $access_token); - - return $result > 0; - } - - /* ScopeInterface */ - public function scopeExists($scope) - { - $scope = explode(' ', $scope); - - $result = $this->getValue($this->config['scope_key'].'supported:global'); - - $supportedScope = explode(' ', (string) $result); - - return (count(array_diff($scope, $supportedScope)) == 0); - } - - public function getDefaultScope($client_id = null) - { - if (is_null($client_id) || !$result = $this->getValue($this->config['scope_key'].'default:'.$client_id)) { - $result = $this->getValue($this->config['scope_key'].'default:global'); - } - - return $result; - } - - public function setScope($scope, $client_id = null, $type = 'supported') - { - if (!in_array($type, array('default', 'supported'))) { - throw new \InvalidArgumentException('"$type" must be one of "default", "supported"'); - } - - if (is_null($client_id)) { - $key = $this->config['scope_key'].$type.':global'; - } else { - $key = $this->config['scope_key'].$type.':'.$client_id; - } - - return $this->setValue($key, $scope); - } - - /*JWTBearerInterface */ - public function getClientKey($client_id, $subject) - { - if (!$jwt = $this->getValue($this->config['jwt_key'] . $client_id)) { - return false; - } - - if (isset($jwt['subject']) && $jwt['subject'] == $subject) { - return $jwt['key']; - } - - return null; - } - - public function setClientKey($client_id, $key, $subject = null) - { - return $this->setValue($this->config['jwt_key'] . $client_id, array( - 'key' => $key, - 'subject' => $subject - )); - } - - public function getClientScope($client_id) - { - if (!$clientDetails = $this->getClientDetails($client_id)) { - return false; - } - - if (isset($clientDetails['scope'])) { - return $clientDetails['scope']; - } - - return null; - } - - public function getJti($client_id, $subject, $audience, $expiration, $jti) - { - //TODO: Needs redis implementation. - throw new \Exception('getJti() for the Redis driver is currently unimplemented.'); - } - - public function setJti($client_id, $subject, $audience, $expiration, $jti) - { - //TODO: Needs redis implementation. - throw new \Exception('setJti() for the Redis driver is currently unimplemented.'); - } -} diff --git a/library/oauth2/src/OAuth2/Storage/RefreshTokenInterface.php b/library/oauth2/src/OAuth2/Storage/RefreshTokenInterface.php deleted file mode 100644 index 0273f2125..000000000 --- a/library/oauth2/src/OAuth2/Storage/RefreshTokenInterface.php +++ /dev/null @@ -1,82 +0,0 @@ -<?php - -namespace OAuth2\Storage; - -/** - * Implement this interface to specify where the OAuth2 Server - * should get/save refresh tokens for the "Refresh Token" - * grant type - * - * @author Brent Shaffer <bshafs at gmail dot com> - */ -interface RefreshTokenInterface -{ - /** - * Grant refresh access tokens. - * - * Retrieve the stored data for the given refresh token. - * - * Required for OAuth2::GRANT_TYPE_REFRESH_TOKEN. - * - * @param $refresh_token - * Refresh token to be check with. - * - * @return - * An associative array as below, and NULL if the refresh_token is - * invalid: - * - refresh_token: Refresh token identifier. - * - client_id: Client identifier. - * - user_id: User identifier. - * - expires: Expiration unix timestamp, or 0 if the token doesn't expire. - * - scope: (optional) Scope values in space-separated string. - * - * @see http://tools.ietf.org/html/rfc6749#section-6 - * - * @ingroup oauth2_section_6 - */ - public function getRefreshToken($refresh_token); - - /** - * Take the provided refresh token values and store them somewhere. - * - * This function should be the storage counterpart to getRefreshToken(). - * - * If storage fails for some reason, we're not currently checking for - * any sort of success/failure, so you should bail out of the script - * and provide a descriptive fail message. - * - * Required for OAuth2::GRANT_TYPE_REFRESH_TOKEN. - * - * @param $refresh_token - * Refresh token to be stored. - * @param $client_id - * Client identifier to be stored. - * @param $user_id - * User identifier to be stored. - * @param $expires - * Expiration timestamp to be stored. 0 if the token doesn't expire. - * @param $scope - * (optional) Scopes to be stored in space-separated string. - * - * @ingroup oauth2_section_6 - */ - public function setRefreshToken($refresh_token, $client_id, $user_id, $expires, $scope = null); - - /** - * Expire a used refresh token. - * - * This is not explicitly required in the spec, but is almost implied. - * After granting a new refresh token, the old one is no longer useful and - * so should be forcibly expired in the data store so it can't be used again. - * - * If storage fails for some reason, we're not currently checking for - * any sort of success/failure, so you should bail out of the script - * and provide a descriptive fail message. - * - * @param $refresh_token - * Refresh token to be expirse. - * - * @ingroup oauth2_section_6 - */ - public function unsetRefreshToken($refresh_token); -} diff --git a/library/oauth2/src/OAuth2/Storage/ScopeInterface.php b/library/oauth2/src/OAuth2/Storage/ScopeInterface.php deleted file mode 100644 index a8292269b..000000000 --- a/library/oauth2/src/OAuth2/Storage/ScopeInterface.php +++ /dev/null @@ -1,46 +0,0 @@ -<?php - -namespace OAuth2\Storage; - -/** - * Implement this interface to specify where the OAuth2 Server - * should retrieve data involving the relevent scopes associated - * with this implementation. - * - * @author Brent Shaffer <bshafs at gmail dot com> - */ -interface ScopeInterface -{ - /** - * Check if the provided scope exists. - * - * @param $scope - * A space-separated string of scopes. - * - * @return - * TRUE if it exists, FALSE otherwise. - */ - public function scopeExists($scope); - - /** - * The default scope to use in the event the client - * does not request one. By returning "false", a - * request_error is returned by the server to force a - * scope request by the client. By returning "null", - * opt out of requiring scopes - * - * @param $client_id - * An optional client id that can be used to return customized default scopes. - * - * @return - * string representation of default scope, null if - * scopes are not defined, or false to force scope - * request by the client - * - * ex: - * 'default' - * ex: - * null - */ - public function getDefaultScope($client_id = null); -} diff --git a/library/oauth2/src/OAuth2/Storage/UserCredentialsInterface.php b/library/oauth2/src/OAuth2/Storage/UserCredentialsInterface.php deleted file mode 100644 index 6e0fd7bad..000000000 --- a/library/oauth2/src/OAuth2/Storage/UserCredentialsInterface.php +++ /dev/null @@ -1,52 +0,0 @@ -<?php - -namespace OAuth2\Storage; - -/** - * Implement this interface to specify where the OAuth2 Server - * should retrieve user credentials for the - * "Resource Owner Password Credentials" grant type - * - * @author Brent Shaffer <bshafs at gmail dot com> - */ -interface UserCredentialsInterface -{ - /** - * Grant access tokens for basic user credentials. - * - * Check the supplied username and password for validity. - * - * You can also use the $client_id param to do any checks required based - * on a client, if you need that. - * - * Required for OAuth2::GRANT_TYPE_USER_CREDENTIALS. - * - * @param $username - * Username to be check with. - * @param $password - * Password to be check with. - * - * @return - * TRUE if the username and password are valid, and FALSE if it isn't. - * Moreover, if the username and password are valid, and you want to - * - * @see http://tools.ietf.org/html/rfc6749#section-4.3 - * - * @ingroup oauth2_section_4 - */ - public function checkUserCredentials($username, $password); - - /** - * @return - * ARRAY the associated "user_id" and optional "scope" values - * This function MUST return FALSE if the requested user does not exist or is - * invalid. "scope" is a space-separated list of restricted scopes. - * @code - * return array( - * "user_id" => USER_ID, // REQUIRED user_id to be stored with the authorization code or access token - * "scope" => SCOPE // OPTIONAL space-separated list of restricted scopes - * ); - * @endcode - */ - public function getUserDetails($username); -} |