Open Dining. Supports * IETF draft v10. * * Source repo has sample servers implementations for * PHP Data Objects and * MongoDB. Easily adaptable to other * storage engines. * * PHP Data Objects supports a variety of databases, including MySQL, * Microsoft SQL Server, SQLite, and Oracle, so you can try out the sample * to see how it all works. * * We're expanding the wiki to include more helpful documentation, but for * now, your best bet is to view the oauth.php source - it has lots of * comments. * * @author Tim Ridgely * @author Aaron Parecki * @author Edison Wong * * @see http://code.google.com/p/oauth2-php/ */ /** * The default duration in seconds of the access token lifetime. */ define("OAUTH2_DEFAULT_ACCESS_TOKEN_LIFETIME", 3600); /** * The default duration in seconds of the authorization code lifetime. */ define("OAUTH2_DEFAULT_AUTH_CODE_LIFETIME", 30); /** * The default duration in seconds of the refresh token lifetime. */ define("OAUTH2_DEFAULT_REFRESH_TOKEN_LIFETIME", 1209600); /** * @defgroup oauth2_section_2 Client Credentials * @{ * * When interacting with the authorization server, the client identifies * itself using a client identifier and authenticates using a set of * client credentials. This specification provides one mechanism for * authenticating the client using password credentials. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-2 */ /** * Regex to filter out the client identifier (described in Section 2 of IETF draft). * * IETF draft does not prescribe a format for these, however I've arbitrarily * chosen alphanumeric strings with hyphens and underscores, 3-32 characters * long. * * Feel free to change. */ define("OAUTH2_CLIENT_ID_REGEXP", "/^[a-z0-9-_]{3,32}$/i"); /** * @} */ /** * @defgroup oauth2_section_3 Obtaining End-User Authorization * @{ * * When the client interacts with an end-user, the end-user MUST first * grant the client authorization to access its protected resources. * Once obtained, the end-user access grant is expressed as an * authorization code which the client uses to obtain an access token. * To obtain an end-user authorization, the client sends the end-user to * the end-user authorization endpoint. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3 */ /** * Denotes "token" authorization response type. */ define("OAUTH2_AUTH_RESPONSE_TYPE_ACCESS_TOKEN", "token"); /** * Denotes "code" authorization response type. */ define("OAUTH2_AUTH_RESPONSE_TYPE_AUTH_CODE", "code"); /** * Denotes "code-and-token" authorization response type. */ define("OAUTH2_AUTH_RESPONSE_TYPE_CODE_AND_TOKEN", "code-and-token"); /** * Regex to filter out the authorization response type. */ define("OAUTH2_AUTH_RESPONSE_TYPE_REGEXP", "/^(token|code|code-and-token)$/"); /** * @} */ /** * @defgroup oauth2_section_4 Obtaining an Access Token * @{ * * The client obtains an access token by authenticating with the * authorization server and presenting its access grant (in the form of * an authorization code, resource owner credentials, an assertion, or a * refresh token). * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4 */ /** * Denotes "authorization_code" grant types (for token obtaining). */ define("OAUTH2_GRANT_TYPE_AUTH_CODE", "authorization_code"); /** * Denotes "password" grant types (for token obtaining). */ define("OAUTH2_GRANT_TYPE_USER_CREDENTIALS", "password"); /** * Denotes "assertion" grant types (for token obtaining). */ define("OAUTH2_GRANT_TYPE_ASSERTION", "assertion"); /** * Denotes "refresh_token" grant types (for token obtaining). */ define("OAUTH2_GRANT_TYPE_REFRESH_TOKEN", "refresh_token"); /** * Denotes "none" grant types (for token obtaining). */ define("OAUTH2_GRANT_TYPE_NONE", "none"); /** * Regex to filter out the grant type. */ define("OAUTH2_GRANT_TYPE_REGEXP", "/^(authorization_code|password|assertion|refresh_token|none)$/"); /** * @} */ /** * @defgroup oauth2_section_5 Accessing a Protected Resource * @{ * * Clients access protected resources by presenting an access token to * the resource server. Access tokens act as bearer tokens, where the * token string acts as a shared symmetric secret. This requires * treating the access token with the same care as other secrets (e.g. * end-user passwords). Access tokens SHOULD NOT be sent in the clear * over an insecure channel. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5 */ /** * Used to define the name of the OAuth access token parameter (POST/GET/etc.). * * IETF Draft sections 5.1.2 and 5.1.3 specify that it should be called * "oauth_token" but other implementations use things like "access_token". * * I won't be heartbroken if you change it, but it might be better to adhere * to the spec. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.1.2 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.1.3 */ define("OAUTH2_TOKEN_PARAM_NAME", "oauth_token"); /** * @} */ /** * @defgroup oauth2_http_status HTTP status code * @{ */ /** * "Found" HTTP status code. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3 */ define("OAUTH2_HTTP_FOUND", "302 Found"); /** * "Bad Request" HTTP status code. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.2.1 */ define("OAUTH2_HTTP_BAD_REQUEST", "400 Bad Request"); /** * "Unauthorized" HTTP status code. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.2.1 */ define("OAUTH2_HTTP_UNAUTHORIZED", "401 Unauthorized"); /** * "Forbidden" HTTP status code. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.2.1 */ define("OAUTH2_HTTP_FORBIDDEN", "403 Forbidden"); /** * @} */ /** * @defgroup oauth2_error Error handling * @{ * * @todo Extend for i18n. */ /** * The request is missing a required parameter, includes an unsupported * parameter or parameter value, or is otherwise malformed. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3.2.1 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3.1 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.2.1 */ define("OAUTH2_ERROR_INVALID_REQUEST", "invalid_request"); /** * The client identifier provided is invalid. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3.2.1 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3.1 */ define("OAUTH2_ERROR_INVALID_CLIENT", "invalid_client"); /** * The client is not authorized to use the requested response type. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3.2.1 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3.1 */ define("OAUTH2_ERROR_UNAUTHORIZED_CLIENT", "unauthorized_client"); /** * The redirection URI provided does not match a pre-registered value. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3.2.1 */ define("OAUTH2_ERROR_REDIRECT_URI_MISMATCH", "redirect_uri_mismatch"); /** * The end-user or authorization server denied the request. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3.2.1 */ define("OAUTH2_ERROR_USER_DENIED", "access_denied"); /** * The requested response type is not supported by the authorization server. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3.2.1 */ define("OAUTH2_ERROR_UNSUPPORTED_RESPONSE_TYPE", "unsupported_response_type"); /** * The requested scope is invalid, unknown, or malformed. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3.2.1 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3.1 */ define("OAUTH2_ERROR_INVALID_SCOPE", "invalid_scope"); /** * The provided access grant is invalid, expired, or revoked (e.g. invalid * assertion, expired authorization token, bad end-user password credentials, * or mismatching authorization code and redirection URI). * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3.1 */ define("OAUTH2_ERROR_INVALID_GRANT", "invalid_grant"); /** * The access grant included - its type or another attribute - is not * supported by the authorization server. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3.1 */ define("OAUTH2_ERROR_UNSUPPORTED_GRANT_TYPE", "unsupported_grant_type"); /** * The access token provided is invalid. Resource servers SHOULD use this * error code when receiving an expired token which cannot be refreshed to * indicate to the client that a new authorization is necessary. The resource * server MUST respond with the HTTP 401 (Unauthorized) status code. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.2.1 */ define("OAUTH2_ERROR_INVALID_TOKEN", "invalid_token"); /** * The access token provided has expired. Resource servers SHOULD only use * this error code when the client is expected to be able to handle the * response and request a new access token using the refresh token issued * with the expired access token. The resource server MUST respond with the * HTTP 401 (Unauthorized) status code. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.2.1 */ define("OAUTH2_ERROR_EXPIRED_TOKEN", "expired_token"); /** * The request requires higher privileges than provided by the access token. * The resource server SHOULD respond with the HTTP 403 (Forbidden) status * code and MAY include the "scope" attribute with the scope necessary to * access the protected resource. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.2.1 */ define("OAUTH2_ERROR_INSUFFICIENT_SCOPE", "insufficient_scope"); /** * @} */ /** * OAuth2.0 draft v10 server-side implementation. * * @author Originally written by Tim Ridgely . * @author Updated to draft v10 by Aaron Parecki . * @author Debug, coding style clean up and documented by Edison Wong . */ abstract class OAuth2 { /** * Array of persistent variables stored. */ protected $conf = array(); /** * Returns a persistent variable. * * To avoid problems, always use lower case for persistent variable names. * * @param $name * The name of the variable to return. * @param $default * The default value to use if this variable has never been set. * * @return * The value of the variable. */ public function getVariable($name, $default = NULL) { return isset($this->conf[$name]) ? $this->conf[$name] : $default; } /** * Sets a persistent variable. * * To avoid problems, always use lower case for persistent variable names. * * @param $name * The name of the variable to set. * @param $value * The value to set. */ public function setVariable($name, $value) { $this->conf[$name] = $value; return $this; } // Subclasses must implement the following functions. /** * Make sure that the client credentials is valid. * * @param $client_id * Client identifier to be check with. * @param $client_secret * (optional) If a secret is required, check that they've given the right one. * * @return * TRUE if client credentials are valid, and MUST return FALSE if invalid. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-2.1 * * @ingroup oauth2_section_2 */ abstract protected function checkClientCredentials($client_id, $client_secret = NULL); /** * Get the registered redirect URI of corresponding client_id. * * OAuth says we should store request URIs for each registered client. * Implement this function to grab the stored URI for a given client id. * * @param $client_id * Client identifier to be check with. * * @return * Registered redirect URI of corresponding client identifier, and MUST * return FALSE if the given client does not exist or is invalid. * * @ingroup oauth2_section_3 */ abstract protected function getRedirectUri($client_id); /** * Look up the supplied oauth_token from storage. * * We need to retrieve access token data as we create and verify tokens. * * @param $oauth_token * oauth_token to be check with. * * @return * An associative array as below, and return NULL if the supplied oauth_token * is invalid: * - client_id: Stored client identifier. * - expires: Stored expiration in unix timestamp. * - scope: (optional) Stored scope values in space-separated string. * * @ingroup oauth2_section_5 */ abstract protected function getAccessToken($oauth_token); /** * Store the supplied access token values to storage. * * We need to store access token data as we create and verify tokens. * * @param $oauth_token * oauth_token to be stored. * @param $client_id * Client identifier to be stored. * @param $expires * Expiration to be stored. * @param $scope * (optional) Scopes to be stored in space-separated string. * * @ingroup oauth2_section_4 */ abstract protected function setAccessToken($oauth_token, $client_id, $expires, $scope = NULL); // Stuff that should get overridden by subclasses. // // I don't want to make these abstract, because then subclasses would have // to implement all of them, which is too much work. // // So they're just stubs. Override the ones you need. /** * Return supported grant types. * * You should override this function with something, or else your OAuth * provider won't support any grant types! * * @return * A list as below. If you support all grant types, then you'd do: * @code * return array( * OAUTH2_GRANT_TYPE_AUTH_CODE, * OAUTH2_GRANT_TYPE_USER_CREDENTIALS, * OAUTH2_GRANT_TYPE_ASSERTION, * OAUTH2_GRANT_TYPE_REFRESH_TOKEN, * OAUTH2_GRANT_TYPE_NONE, * ); * @endcode * * @ingroup oauth2_section_4 */ protected function getSupportedGrantTypes() { return array(); } /** * Return supported authorization response types. * * You should override this function with your supported response types. * * @return * A list as below. If you support all authorization response types, * then you'd do: * @code * return array( * OAUTH2_AUTH_RESPONSE_TYPE_AUTH_CODE, * OAUTH2_AUTH_RESPONSE_TYPE_ACCESS_TOKEN, * OAUTH2_AUTH_RESPONSE_TYPE_CODE_AND_TOKEN, * ); * @endcode * * @ingroup oauth2_section_3 */ protected function getSupportedAuthResponseTypes() { return array( OAUTH2_AUTH_RESPONSE_TYPE_AUTH_CODE, OAUTH2_AUTH_RESPONSE_TYPE_ACCESS_TOKEN, OAUTH2_AUTH_RESPONSE_TYPE_CODE_AND_TOKEN ); } /** * Return supported scopes. * * If you want to support scope use, then have this function return a list * of all acceptable scopes (used to throw the invalid-scope error). * * @return * A list as below, for example: * @code * return array( * 'my-friends', * 'photos', * 'whatever-else', * ); * @endcode * * @ingroup oauth2_section_3 */ protected function getSupportedScopes() { return array(); } /** * Check restricted authorization response types of corresponding Client * identifier. * * If you want to restrict clients to certain authorization response types, * override this function. * * @param $client_id * Client identifier to be check with. * @param $response_type * Authorization response type to be check with, would be one of the * values contained in OAUTH2_AUTH_RESPONSE_TYPE_REGEXP. * * @return * TRUE if the authorization response type is supported by this * client identifier, and FALSE if it isn't. * * @ingroup oauth2_section_3 */ protected function checkRestrictedAuthResponseType($client_id, $response_type) { return TRUE; } /** * Check restricted grant types of corresponding client identifier. * * If you want to restrict clients to certain grant types, override this * function. * * @param $client_id * Client identifier to be check with. * @param $grant_type * Grant type to be check with, would be one of the values contained in * OAUTH2_GRANT_TYPE_REGEXP. * * @return * TRUE if the grant type is supported by this client identifier, and * FALSE if it isn't. * * @ingroup oauth2_section_4 */ protected function checkRestrictedGrantType($client_id, $grant_type) { return TRUE; } // Functions that help grant access tokens for various grant types. /** * Fetch authorization code data (probably the most common grant type). * * Retrieve the stored data for the given authorization code. * * Required for OAUTH2_GRANT_TYPE_AUTH_CODE. * * @param $code * Authorization code to be check with. * * @return * An associative array as below, and NULL if the code is invalid: * - client_id: Stored client identifier. * - redirect_uri: Stored redirect URI. * - expires: Stored expiration in unix timestamp. * - scope: (optional) Stored scope values in space-separated string. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.1.1 * * @ingroup oauth2_section_4 */ protected function getAuthCode($code) { return NULL; } /** * Take the provided authorization code values and store them somewhere. * * This function should be the storage counterpart to getAuthCode(). * * If storage fails for some reason, we're not currently checking for * any sort of success/failure, so you should bail out of the script * and provide a descriptive fail message. * * Required for OAUTH2_GRANT_TYPE_AUTH_CODE. * * @param $code * Authorization code to be stored. * @param $client_id * Client identifier to be stored. * @param $redirect_uri * Redirect URI to be stored. * @param $expires * Expiration to be stored. * @param $scope * (optional) Scopes to be stored in space-separated string. * * @ingroup oauth2_section_4 */ protected function setAuthCode($code, $client_id, $redirect_uri, $expires, $scope = NULL) { } /** * Grant access tokens for basic user credentials. * * Check the supplied username and password for validity. * * You can also use the $client_id param to do any checks required based * on a client, if you need that. * * Required for OAUTH2_GRANT_TYPE_USER_CREDENTIALS. * * @param $client_id * Client identifier to be check with. * @param $username * Username to be check with. * @param $password * Password to be check with. * * @return * TRUE if the username and password are valid, and FALSE if it isn't. * Moreover, if the username and password are valid, and you want to * verify the scope of a user's access, return an associative array * with the scope values as below. We'll check the scope you provide * against the requested scope before providing an access token: * @code * return array( * 'scope' => , * ); * @endcode * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.1.2 * * @ingroup oauth2_section_4 */ protected function checkUserCredentials($client_id, $username, $password) { return FALSE; } /** * Grant access tokens for assertions. * * Check the supplied assertion for validity. * * You can also use the $client_id param to do any checks required based * on a client, if you need that. * * Required for OAUTH2_GRANT_TYPE_ASSERTION. * * @param $client_id * Client identifier to be check with. * @param $assertion_type * The format of the assertion as defined by the authorization server. * @param $assertion * The assertion. * * @return * TRUE if the assertion is valid, and FALSE if it isn't. Moreover, if * the assertion is valid, and you want to verify the scope of an access * request, return an associative array with the scope values as below. * We'll check the scope you provide against the requested scope before * providing an access token: * @code * return array( * 'scope' => , * ); * @endcode * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.1.3 * * @ingroup oauth2_section_4 */ protected function checkAssertion($client_id, $assertion_type, $assertion) { return FALSE; } /** * Grant refresh access tokens. * * Retrieve the stored data for the given refresh token. * * Required for OAUTH2_GRANT_TYPE_REFRESH_TOKEN. * * @param $refresh_token * Refresh token to be check with. * * @return * An associative array as below, and NULL if the refresh_token is * invalid: * - client_id: Stored client identifier. * - expires: Stored expiration unix timestamp. * - scope: (optional) Stored scope values in space-separated string. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.1.4 * * @ingroup oauth2_section_4 */ protected function getRefreshToken($refresh_token) { return NULL; } /** * Take the provided refresh token values and store them somewhere. * * This function should be the storage counterpart to getRefreshToken(). * * If storage fails for some reason, we're not currently checking for * any sort of success/failure, so you should bail out of the script * and provide a descriptive fail message. * * Required for OAUTH2_GRANT_TYPE_REFRESH_TOKEN. * * @param $refresh_token * Refresh token to be stored. * @param $client_id * Client identifier to be stored. * @param $expires * expires to be stored. * @param $scope * (optional) Scopes to be stored in space-separated string. * * @ingroup oauth2_section_4 */ protected function setRefreshToken($refresh_token, $client_id, $expires, $scope = NULL) { return; } /** * Expire a used refresh token. * * This is not explicitly required in the spec, but is almost implied. * After granting a new refresh token, the old one is no longer useful and * so should be forcibly expired in the data store so it can't be used again. * * If storage fails for some reason, we're not currently checking for * any sort of success/failure, so you should bail out of the script * and provide a descriptive fail message. * * @param $refresh_token * Refresh token to be expirse. * * @ingroup oauth2_section_4 */ protected function unsetRefreshToken($refresh_token) { return; } /** * Grant access tokens for the "none" grant type. * * Not really described in the IETF Draft, so I just left a method * stub... Do whatever you want! * * Required for OAUTH2_GRANT_TYPE_NONE. * * @ingroup oauth2_section_4 */ protected function checkNoneAccess($client_id) { return FALSE; } /** * Get default authentication realm for WWW-Authenticate header. * * Change this to whatever authentication realm you want to send in a * WWW-Authenticate header. * * @return * A string that you want to send in a WWW-Authenticate header. * * @ingroup oauth2_error */ protected function getDefaultAuthenticationRealm() { return "Service"; } // End stuff that should get overridden. /** * Creates an OAuth2.0 server-side instance. * * @param $config * An associative array as below: * - access_token_lifetime: (optional) The lifetime of access token in * seconds. * - auth_code_lifetime: (optional) The lifetime of authorization code in * seconds. * - refresh_token_lifetime: (optional) The lifetime of refresh token in * seconds. * - display_error: (optional) Whether to show verbose error messages in * the response. */ public function __construct($config = array()) { foreach ($config as $name => $value) { $this->setVariable($name, $value); } } // Resource protecting (Section 5). /** * Check that a valid access token has been provided. * * The scope parameter defines any required scope that the token must have. * If a scope param is provided and the token does not have the required * scope, we bounce the request. * * Some implementations may choose to return a subset of the protected * resource (i.e. "public" data) if the user has not provided an access * token or if the access token is invalid or expired. * * The IETF spec says that we should send a 401 Unauthorized header and * bail immediately so that's what the defaults are set to. * * @param $scope * A space-separated string of required scope(s), if you want to check * for scope. * @param $exit_not_present * If TRUE and no access token is provided, send a 401 header and exit, * otherwise return FALSE. * @param $exit_invalid * If TRUE and the implementation of getAccessToken() returns NULL, exit, * otherwise return FALSE. * @param $exit_expired * If TRUE and the access token has expired, exit, otherwise return FALSE. * @param $exit_scope * If TRUE the access token does not have the required scope(s), exit, * otherwise return FALSE. * @param $realm * If you want to specify a particular realm for the WWW-Authenticate * header, supply it here. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5 * * @ingroup oauth2_section_5 */ public function verifyAccessToken($scope = NULL, $exit_not_present = TRUE, $exit_invalid = TRUE, $exit_expired = TRUE, $exit_scope = TRUE, $realm = NULL) { $token_param = $this->getAccessTokenParams(); if ($token_param === FALSE) // Access token was not provided return $exit_not_present ? $this->errorWWWAuthenticateResponseHeader(OAUTH2_HTTP_BAD_REQUEST, $realm, OAUTH2_ERROR_INVALID_REQUEST, 'The request is missing a required parameter, includes an unsupported parameter or parameter value, repeats the same parameter, uses more than one method for including an access token, or is otherwise malformed.', NULL, $scope) : FALSE; // Get the stored token data (from the implementing subclass) $token = $this->getAccessToken($token_param); if ($token === NULL) return $exit_invalid ? $this->errorWWWAuthenticateResponseHeader(OAUTH2_HTTP_UNAUTHORIZED, $realm, OAUTH2_ERROR_INVALID_TOKEN, 'The access token provided is invalid.', NULL, $scope) : FALSE; // Check token expiration (I'm leaving this check separated, later we'll fill in better error messages) if (isset($token["expires"]) && time() > $token["expires"]) return $exit_expired ? $this->errorWWWAuthenticateResponseHeader(OAUTH2_HTTP_UNAUTHORIZED, $realm, OAUTH2_ERROR_EXPIRED_TOKEN, 'The access token provided has expired.', NULL, $scope) : FALSE; // Check scope, if provided // If token doesn't have a scope, it's NULL/empty, or it's insufficient, then throw an error if ($scope && (!isset($token["scope"]) || !$token["scope"] || !$this->checkScope($scope, $token["scope"]))) return $exit_scope ? $this->errorWWWAuthenticateResponseHeader(OAUTH2_HTTP_FORBIDDEN, $realm, OAUTH2_ERROR_INSUFFICIENT_SCOPE, 'The request requires higher privileges than provided by the access token.', NULL, $scope) : FALSE; return TRUE; } /** * Check if everything in required scope is contained in available scope. * * @param $required_scope * Required scope to be check with. * @param $available_scope * Available scope to be compare with. * * @return * TRUE if everything in required scope is contained in available scope, * and False if it isn't. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5 * * @ingroup oauth2_section_5 */ private function checkScope($required_scope, $available_scope) { // The required scope should match or be a subset of the available scope if (!is_array($required_scope)) $required_scope = explode(" ", $required_scope); if (!is_array($available_scope)) $available_scope = explode(" ", $available_scope); return (count(array_diff($required_scope, $available_scope)) == 0); } /** * Pulls the access token out of the HTTP request. * * Either from the Authorization header or GET/POST/etc. * * @return * Access token value if present, and FALSE if it isn't. * * @todo Support PUT or DELETE. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.1 * * @ingroup oauth2_section_5 */ private function getAccessTokenParams() { $auth_header = $this->getAuthorizationHeader(); if ($auth_header !== FALSE) { // Make sure only the auth header is set if (isset($_GET[OAUTH2_TOKEN_PARAM_NAME]) || isset($_POST[OAUTH2_TOKEN_PARAM_NAME])) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST, 'Auth token found in GET or POST when token present in header'); $auth_header = trim($auth_header); // Make sure it's Token authorization if (strcmp(substr($auth_header, 0, 5), "OAuth ") !== 0) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST, 'Auth header found that doesn\'t start with "OAuth"'); // Parse the rest of the header if (preg_match('/\s*OAuth\s*="(.+)"/', substr($auth_header, 5), $matches) == 0 || count($matches) < 2) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST, 'Malformed auth header'); return $matches[1]; } if (isset($_GET[OAUTH2_TOKEN_PARAM_NAME])) { if (isset($_POST[OAUTH2_TOKEN_PARAM_NAME])) // Both GET and POST are not allowed $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST, 'Only send the token in GET or POST, not both'); return $_GET[OAUTH2_TOKEN_PARAM_NAME]; } if (isset($_POST[OAUTH2_TOKEN_PARAM_NAME])) return $_POST[OAUTH2_TOKEN_PARAM_NAME]; return FALSE; } // Access token granting (Section 4). /** * Grant or deny a requested access token. * * This would be called from the "/token" endpoint as defined in the spec. * Obviously, you can call your endpoint whatever you want. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4 * * @ingroup oauth2_section_4 */ public function grantAccessToken() { $filters = array( "grant_type" => array("filter" => FILTER_VALIDATE_REGEXP, "options" => array("regexp" => OAUTH2_GRANT_TYPE_REGEXP), "flags" => FILTER_REQUIRE_SCALAR), "scope" => array("flags" => FILTER_REQUIRE_SCALAR), "code" => array("flags" => FILTER_REQUIRE_SCALAR), "redirect_uri" => array("filter" => FILTER_SANITIZE_URL), "username" => array("flags" => FILTER_REQUIRE_SCALAR), "password" => array("flags" => FILTER_REQUIRE_SCALAR), "assertion_type" => array("flags" => FILTER_REQUIRE_SCALAR), "assertion" => array("flags" => FILTER_REQUIRE_SCALAR), "refresh_token" => array("flags" => FILTER_REQUIRE_SCALAR), ); $input = filter_input_array(INPUT_POST, $filters); // Grant Type must be specified. if (!$input["grant_type"]) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST, 'Invalid grant_type parameter or parameter missing'); // Make sure we've implemented the requested grant type if (!in_array($input["grant_type"], $this->getSupportedGrantTypes())) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_UNSUPPORTED_GRANT_TYPE); // Authorize the client $client = $this->getClientCredentials(); if ($this->checkClientCredentials($client[0], $client[1]) === FALSE) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_CLIENT); if (!$this->checkRestrictedGrantType($client[0], $input["grant_type"])) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_UNAUTHORIZED_CLIENT); // Do the granting switch ($input["grant_type"]) { case OAUTH2_GRANT_TYPE_AUTH_CODE: if (!$input["code"] || !$input["redirect_uri"]) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST); $stored = $this->getAuthCode($input["code"]); // Ensure that the input uri starts with the stored uri if ($stored === NULL || (strcasecmp(substr($input["redirect_uri"], 0, strlen($stored["redirect_uri"])), $stored["redirect_uri"]) !== 0) || $client[0] != $stored["client_id"]) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_GRANT); if ($stored["expires"] < time()) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_EXPIRED_TOKEN); break; case OAUTH2_GRANT_TYPE_USER_CREDENTIALS: if (!$input["username"] || !$input["password"]) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST, 'Missing parameters. "username" and "password" required'); $stored = $this->checkUserCredentials($client[0], $input["username"], $input["password"]); if ($stored === FALSE) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_GRANT); break; case OAUTH2_GRANT_TYPE_ASSERTION: if (!$input["assertion_type"] || !$input["assertion"]) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST); $stored = $this->checkAssertion($client[0], $input["assertion_type"], $input["assertion"]); if ($stored === FALSE) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_GRANT); break; case OAUTH2_GRANT_TYPE_REFRESH_TOKEN: if (!$input["refresh_token"]) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST, 'No "refresh_token" parameter found'); $stored = $this->getRefreshToken($input["refresh_token"]); if ($stored === NULL || $client[0] != $stored["client_id"]) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_GRANT); if ($stored["expires"] < time()) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_EXPIRED_TOKEN); // store the refresh token locally so we can delete it when a new refresh token is generated $this->setVariable('_old_refresh_token', $stored["token"]); break; case OAUTH2_GRANT_TYPE_NONE: $stored = $this->checkNoneAccess($client[0]); if ($stored === FALSE) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_REQUEST); } // Check scope, if provided if ($input["scope"] && (!is_array($stored) || !isset($stored["scope"]) || !$this->checkScope($input["scope"], $stored["scope"]))) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_SCOPE); if (!$input["scope"]) $input["scope"] = NULL; $token = $this->createAccessToken($client[0], $input["scope"]); $this->sendJsonHeaders(); echo json_encode($token); } /** * Internal function used to get the client credentials from HTTP basic * auth or POST data. * * @return * A list containing the client identifier and password, for example * @code * return array( * $_POST["client_id"], * $_POST["client_secret"], * ); * @endcode * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-2 * * @ingroup oauth2_section_2 */ protected function getClientCredentials() { if (isset($_SERVER["PHP_AUTH_USER"]) && $_POST && isset($_POST["client_id"])) $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_CLIENT); // Try basic auth if (isset($_SERVER["PHP_AUTH_USER"])) return array($_SERVER["PHP_AUTH_USER"], $_SERVER["PHP_AUTH_PW"]); // Try POST if ($_POST && isset($_POST["client_id"])) { if (isset($_POST["client_secret"])) return array($_POST["client_id"], $_POST["client_secret"]); return array($_POST["client_id"], NULL); } // No credentials were specified $this->errorJsonResponse(OAUTH2_HTTP_BAD_REQUEST, OAUTH2_ERROR_INVALID_CLIENT); } // End-user/client Authorization (Section 3 of IETF Draft). /** * Pull the authorization request data out of the HTTP request. * * @return * The authorization parameters so the authorization server can prompt * the user for approval if valid. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3 * * @ingroup oauth2_section_3 */ public function getAuthorizeParams() { $filters = array( "client_id" => array("filter" => FILTER_VALIDATE_REGEXP, "options" => array("regexp" => OAUTH2_CLIENT_ID_REGEXP), "flags" => FILTER_REQUIRE_SCALAR), "response_type" => array("filter" => FILTER_VALIDATE_REGEXP, "options" => array("regexp" => OAUTH2_AUTH_RESPONSE_TYPE_REGEXP), "flags" => FILTER_REQUIRE_SCALAR), "redirect_uri" => array("filter" => FILTER_SANITIZE_URL), "state" => array("flags" => FILTER_REQUIRE_SCALAR), "scope" => array("flags" => FILTER_REQUIRE_SCALAR), ); $input = filter_input_array(INPUT_GET, $filters); // Make sure a valid client id was supplied if (!$input["client_id"]) { if ($input["redirect_uri"]) $this->errorDoRedirectUriCallback($input["redirect_uri"], OAUTH2_ERROR_INVALID_CLIENT, NULL, NULL, $input["state"]); $this->errorJsonResponse(OAUTH2_HTTP_FOUND, OAUTH2_ERROR_INVALID_CLIENT); // We don't have a good URI to use } // redirect_uri is not required if already established via other channels // check an existing redirect URI against the one supplied $redirect_uri = $this->getRedirectUri($input["client_id"]); // At least one of: existing redirect URI or input redirect URI must be specified if (!$redirect_uri && !$input["redirect_uri"]) $this->errorJsonResponse(OAUTH2_HTTP_FOUND, OAUTH2_ERROR_INVALID_REQUEST); // getRedirectUri() should return FALSE if the given client ID is invalid // this probably saves us from making a separate db call, and simplifies the method set if ($redirect_uri === FALSE) $this->errorDoRedirectUriCallback($input["redirect_uri"], OAUTH2_ERROR_INVALID_CLIENT, NULL, NULL, $input["state"]); // If there's an existing uri and one from input, verify that they match if ($redirect_uri && $input["redirect_uri"]) { // Ensure that the input uri starts with the stored uri if (strcasecmp(substr($input["redirect_uri"], 0, strlen($redirect_uri)), $redirect_uri) !== 0) $this->errorDoRedirectUriCallback($input["redirect_uri"], OAUTH2_ERROR_REDIRECT_URI_MISMATCH, NULL, NULL, $input["state"]); } elseif ($redirect_uri) { // They did not provide a uri from input, so use the stored one $input["redirect_uri"] = $redirect_uri; } // type and client_id are required if (!$input["response_type"]) $this->errorDoRedirectUriCallback($input["redirect_uri"], OAUTH2_ERROR_INVALID_REQUEST, 'Invalid response type.', NULL, $input["state"]); // Check requested auth response type against the list of supported types if (array_search($input["response_type"], $this->getSupportedAuthResponseTypes()) === FALSE) $this->errorDoRedirectUriCallback($input["redirect_uri"], OAUTH2_ERROR_UNSUPPORTED_RESPONSE_TYPE, NULL, NULL, $input["state"]); // Restrict clients to certain authorization response types if ($this->checkRestrictedAuthResponseType($input["client_id"], $input["response_type"]) === FALSE) $this->errorDoRedirectUriCallback($input["redirect_uri"], OAUTH2_ERROR_UNAUTHORIZED_CLIENT, NULL, NULL, $input["state"]); // Validate that the requested scope is supported if ($input["scope"] && !$this->checkScope($input["scope"], $this->getSupportedScopes())) $this->errorDoRedirectUriCallback($input["redirect_uri"], OAUTH2_ERROR_INVALID_SCOPE, NULL, NULL, $input["state"]); return $input; } /** * Redirect the user appropriately after approval. * * After the user has approved or denied the access request the * authorization server should call this function to redirect the user * appropriately. * * @param $is_authorized * TRUE or FALSE depending on whether the user authorized the access. * @param $params * An associative array as below: * - response_type: The requested response: an access token, an * authorization code, or both. * - client_id: The client identifier as described in Section 2. * - redirect_uri: An absolute URI to which the authorization server * will redirect the user-agent to when the end-user authorization * step is completed. * - scope: (optional) The scope of the access request expressed as a * list of space-delimited strings. * - state: (optional) An opaque value used by the client to maintain * state between the request and callback. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3 * * @ingroup oauth2_section_3 */ public function finishClientAuthorization($is_authorized, $params = array()) { $params += array( 'scope' => NULL, 'state' => NULL, ); extract($params); if ($state !== NULL) $result["query"]["state"] = $state; if ($is_authorized === FALSE) { $result["query"]["error"] = OAUTH2_ERROR_USER_DENIED; } else { if ($response_type == OAUTH2_AUTH_RESPONSE_TYPE_AUTH_CODE || $response_type == OAUTH2_AUTH_RESPONSE_TYPE_CODE_AND_TOKEN) $result["query"]["code"] = $this->createAuthCode($client_id, $redirect_uri, $scope); if ($response_type == OAUTH2_AUTH_RESPONSE_TYPE_ACCESS_TOKEN || $response_type == OAUTH2_AUTH_RESPONSE_TYPE_CODE_AND_TOKEN) $result["fragment"] = $this->createAccessToken($client_id, $scope); } $this->doRedirectUriCallback($redirect_uri, $result); } // Other/utility functions. /** * Redirect the user agent. * * Handle both redirect for success or error response. * * @param $redirect_uri * An absolute URI to which the authorization server will redirect * the user-agent to when the end-user authorization step is completed. * @param $params * Parameters to be pass though buildUri(). * * @ingroup oauth2_section_3 */ private function doRedirectUriCallback($redirect_uri, $params) { header("HTTP/1.1 ". OAUTH2_HTTP_FOUND); header("Location: " . $this->buildUri($redirect_uri, $params)); exit; } /** * Build the absolute URI based on supplied URI and parameters. * * @param $uri * An absolute URI. * @param $params * Parameters to be append as GET. * * @return * An absolute URI with supplied parameters. * * @ingroup oauth2_section_3 */ private function buildUri($uri, $params) { $parse_url = parse_url($uri); // Add our params to the parsed uri foreach ($params as $k => $v) { if (isset($parse_url[$k])) $parse_url[$k] .= "&" . http_build_query($v); else $parse_url[$k] = http_build_query($v); } // Put humpty dumpty back together return ((isset($parse_url["scheme"])) ? $parse_url["scheme"] . "://" : "") . ((isset($parse_url["user"])) ? $parse_url["user"] . ((isset($parse_url["pass"])) ? ":" . $parse_url["pass"] : "") . "@" : "") . ((isset($parse_url["host"])) ? $parse_url["host"] : "") . ((isset($parse_url["port"])) ? ":" . $parse_url["port"] : "") . ((isset($parse_url["path"])) ? $parse_url["path"] : "") . ((isset($parse_url["query"])) ? "?" . $parse_url["query"] : "") . ((isset($parse_url["fragment"])) ? "#" . $parse_url["fragment"] : ""); } /** * Handle the creation of access token, also issue refresh token if support. * * This belongs in a separate factory, but to keep it simple, I'm just * keeping it here. * * @param $client_id * Client identifier related to the access token. * @param $scope * (optional) Scopes to be stored in space-separated string. * * @ingroup oauth2_section_4 */ protected function createAccessToken($client_id, $scope = NULL) { $token = array( "access_token" => $this->genAccessToken(), "expires_in" => $this->getVariable('access_token_lifetime', OAUTH2_DEFAULT_ACCESS_TOKEN_LIFETIME), "scope" => $scope ); $this->setAccessToken($token["access_token"], $client_id, time() + $this->getVariable('access_token_lifetime', OAUTH2_DEFAULT_ACCESS_TOKEN_LIFETIME), $scope); // Issue a refresh token also, if we support them if (in_array(OAUTH2_GRANT_TYPE_REFRESH_TOKEN, $this->getSupportedGrantTypes())) { $token["refresh_token"] = $this->genAccessToken(); $this->setRefreshToken($token["refresh_token"], $client_id, time() + $this->getVariable('refresh_token_lifetime', OAUTH2_DEFAULT_REFRESH_TOKEN_LIFETIME), $scope); // If we've granted a new refresh token, expire the old one if ($this->getVariable('_old_refresh_token')) $this->unsetRefreshToken($this->getVariable('_old_refresh_token')); } return $token; } /** * Handle the creation of auth code. * * This belongs in a separate factory, but to keep it simple, I'm just * keeping it here. * * @param $client_id * Client identifier related to the access token. * @param $redirect_uri * An absolute URI to which the authorization server will redirect the * user-agent to when the end-user authorization step is completed. * @param $scope * (optional) Scopes to be stored in space-separated string. * * @ingroup oauth2_section_3 */ private function createAuthCode($client_id, $redirect_uri, $scope = NULL) { $code = $this->genAuthCode(); $this->setAuthCode($code, $client_id, $redirect_uri, time() + $this->getVariable('auth_code_lifetime', OAUTH2_DEFAULT_AUTH_CODE_LIFETIME), $scope); return $code; } /** * Generate unique access token. * * Implementing classes may want to override these function to implement * other access token or auth code generation schemes. * * @return * An unique access token. * * @ingroup oauth2_section_4 */ protected function genAccessToken() { return md5(base64_encode(pack('N6', mt_rand(), mt_rand(), mt_rand(), mt_rand(), mt_rand(), uniqid()))); } /** * Generate unique auth code. * * Implementing classes may want to override these function to implement * other access token or auth code generation schemes. * * @return * An unique auth code. * * @ingroup oauth2_section_3 */ protected function genAuthCode() { return md5(base64_encode(pack('N6', mt_rand(), mt_rand(), mt_rand(), mt_rand(), mt_rand(), uniqid()))); } /** * Pull out the Authorization HTTP header and return it. * * Implementing classes may need to override this function for use on * non-Apache web servers. * * @return * The Authorization HTTP header, and FALSE if does not exist. * * @todo Handle Authorization HTTP header for non-Apache web servers. * * @ingroup oauth2_section_5 */ private function getAuthorizationHeader() { if (array_key_exists("HTTP_AUTHORIZATION", $_SERVER)) return $_SERVER["HTTP_AUTHORIZATION"]; if (function_exists("apache_request_headers")) { $headers = apache_request_headers(); if (array_key_exists("Authorization", $headers)) return $headers["Authorization"]; } return FALSE; } /** * Send out HTTP headers for JSON. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.2 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3 * * @ingroup oauth2_section_4 */ private function sendJsonHeaders() { header("Content-Type: application/json"); header("Cache-Control: no-store"); } /** * Redirect the end-user's user agent with error message. * * @param $redirect_uri * An absolute URI to which the authorization server will redirect the * user-agent to when the end-user authorization step is completed. * @param $error * A single error code as described in Section 3.2.1. * @param $error_description * (optional) A human-readable text providing additional information, * used to assist in the understanding and resolution of the error * occurred. * @param $error_uri * (optional) A URI identifying a human-readable web page with * information about the error, used to provide the end-user with * additional information about the error. * @param $state * (optional) REQUIRED if the "state" parameter was present in the client * authorization request. Set to the exact value received from the client. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3.2 * * @ingroup oauth2_error */ private function errorDoRedirectUriCallback($redirect_uri, $error, $error_description = NULL, $error_uri = NULL, $state = NULL) { $result["query"]["error"] = $error; if ($state) $result["query"]["state"] = $state; if ($this->getVariable('display_error') && $error_description) $result["query"]["error_description"] = $error_description; if ($this->getVariable('display_error') && $error_uri) $result["query"]["error_uri"] = $error_uri; $this->doRedirectUriCallback($redirect_uri, $result); } /** * Send out error message in JSON. * * @param $http_status_code * HTTP status code message as predefined. * @param $error * A single error code. * @param $error_description * (optional) A human-readable text providing additional information, * used to assist in the understanding and resolution of the error * occurred. * @param $error_uri * (optional) A URI identifying a human-readable web page with * information about the error, used to provide the end-user with * additional information about the error. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.3 * * @ingroup oauth2_error */ private function errorJsonResponse($http_status_code, $error, $error_description = NULL, $error_uri = NULL) { $result['error'] = $error; if ($this->getVariable('display_error') && $error_description) $result["error_description"] = $error_description; if ($this->getVariable('display_error') && $error_uri) $result["error_uri"] = $error_uri; header("HTTP/1.1 " . $http_status_code); $this->sendJsonHeaders(); echo json_encode($result); exit; } /** * Send a 401 unauthorized header with the given realm and an error, if * provided. * * @param $http_status_code * HTTP status code message as predefined. * @param $realm * The "realm" attribute is used to provide the protected resources * partition as defined by [RFC2617]. * @param $scope * A space-delimited list of scope values indicating the required scope * of the access token for accessing the requested resource. * @param $error * The "error" attribute is used to provide the client with the reason * why the access request was declined. * @param $error_description * (optional) The "error_description" attribute provides a human-readable text * containing additional information, used to assist in the understanding * and resolution of the error occurred. * @param $error_uri * (optional) The "error_uri" attribute provides a URI identifying a human-readable * web page with information about the error, used to offer the end-user * with additional information about the error. If the value is not an * absolute URI, it is relative to the URI of the requested protected * resource. * * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.2 * * @ingroup oauth2_error */ private function errorWWWAuthenticateResponseHeader($http_status_code, $realm, $error, $error_description = NULL, $error_uri = NULL, $scope = NULL) { $realm = $realm === NULL ? $this->getDefaultAuthenticationRealm() : $realm; $result = "WWW-Authenticate: OAuth realm='" . $realm . "'"; if ($error) $result .= ", error='" . $error . "'"; if ($this->getVariable('display_error') && $error_description) $result .= ", error_description='" . $error_description . "'"; if ($this->getVariable('display_error') && $error_uri) $result .= ", error_uri='" . $error_uri . "'"; if ($scope) $result .= ", scope='" . $scope . "'"; header("HTTP/1.1 ". $http_status_code); header($result); exit; } }