diff --git a/src/Entity/AbstractTokenEntity.php b/src/Entity/AbstractTokenEntity.php
index d8d8af25..8f7478f4 100644
--- a/src/Entity/AbstractTokenEntity.php
+++ b/src/Entity/AbstractTokenEntity.php
@@ -14,6 +14,7 @@ namespace League\OAuth2\Server\Entity;
 use League\OAuth2\Server\Util\SecureKey;
 use League\OAuth2\Server\AbstractServer;
 use Symfony\Component\HttpFoundation\ParameterBag;
+use League\OAuth2\Server\Entity\SessionEntity;
 
 /**
 * Abstract token class
@@ -28,7 +29,7 @@ abstract class AbstractTokenEntity
 
 /**
 * Associated session
- * @var \League\OAuth2\Server\SessionEntity
+ * @var \League\OAuth2\Server\Entity\SessionEntity
 */
 protected $session;
 
@@ -64,7 +65,7 @@ abstract class AbstractTokenEntity
 
 /**
 * Set session
- * @param \League\OAuth2\Server\SessionEntity $session
+ * @param \League\OAuth2\Server\Entity\SessionEntity $session
 * @return self
 */
 public function setSession(SessionEntity $session)
diff --git a/src/Grant/AbstractGrant.php b/src/Grant/AbstractGrant.php
index 63b65029..0c712e4c 100644
--- a/src/Grant/AbstractGrant.php
+++ b/src/Grant/AbstractGrant.php
@@ -13,6 +13,7 @@ namespace League\OAuth2\Server\Grant;
 
 use League\OAuth2\Server\AuthorizationServer;
 use League\OAuth2\Server\Entity\ScopeEntity;
+use League\OAuth2\Server\Entity\ClientEntity;
 use League\OAuth2\Server\Exception;
 
 /**
@@ -120,10 +121,11 @@ abstract class AbstractGrant implements GrantTypeInterface
 /**
 * Given a list of scopes, validate them and return an arrary of Scope entities
 * @param string $scopeParam A string of scopes (e.g. "profile email birthday")
+ * @param ClientEntity $client A string of scopes (e.g. "profile email birthday")
 * @return array
 * @throws ClientException If scope is invalid, or no scopes passed when required
 */
- public function validateScopes($scopeParam = '')
+ public function validateScopes($scopeParam = '', ClientEntity $client)
 {
 $scopesList = explode($this->server->getScopeDelimeter(), $scopeParam);
 
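Review bot: The added `use League\OAuth2\Server\Entity\SessionEntity;` imports a class from the namespace this file already declares (`League\OAuth2\Server\Entity`), so it has no effect; `SessionEntity` in the `setSession` signature resolves without it. The docblock corrections in the two following hunks are the actual fix and stand on their own, so the import line can be dropped to keep the use block to names that genuinely need importing.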
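Review bot: `validateScopes($scopeParam = '', ClientEntity $client)` declares an optional parameter before a required one, so the `''` default can never apply and PHP 8 reports the optional-before-required deprecation for it; every caller in this commit passes both arguments, so `public function validateScopes($scopeParam, ClientEntity $client)` is the signature that matches how it is now used. The new docblock line is a copy-paste leftover — `@param ClientEntity $client A string of scopes (e.g. "profile email birthday")` describes the wrong parameter and should read `@param ClientEntity $client The client the requested scopes are validated against`. The method body, including the storage lookup this parameter feeds, continues outside the hunk.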
@@ -153,7 +155,8 @@ abstract class AbstractGrant implements GrantTypeInterface
 foreach ($scopesList as $scopeItem) {
 $scope = $this->server->getStorage('scope')->get(
 $scopeItem,
- $this->getIdentifier()
+ $this->getIdentifier(),
+ $client->getId()
 );
 
 if (($scope instanceof ScopeEntity) === false) {
diff --git a/src/Grant/AuthCodeGrant.php b/src/Grant/AuthCodeGrant.php
index 1d930e36..d2cb0cde 100644
--- a/src/Grant/AuthCodeGrant.php
+++ b/src/Grant/AuthCodeGrant.php
@@ -114,7 +114,7 @@ class AuthCodeGrant extends AbstractGrant
 
 // Validate any scopes that are in the request
 $scopeParam = $this->server->getRequest()->query->get('scope', '');
- $scopes = $this->validateScopes($scopeParam);
+ $scopes = $this->validateScopes($scopeParam, $client);
 
 return [
 'client' => $client,
diff --git a/src/Grant/ClientCredentialsGrant.php b/src/Grant/ClientCredentialsGrant.php
index 24c7b44c..3e18af31 100644
--- a/src/Grant/ClientCredentialsGrant.php
+++ b/src/Grant/ClientCredentialsGrant.php
@@ -86,7 +86,7 @@ class ClientCredentialsGrant extends AbstractGrant
 
 // Validate any scopes that are in the request
 $scopeParam = $this->server->getRequest()->request->get('scope', '');
- $scopes = $this->validateScopes($scopeParam);
+ $scopes = $this->validateScopes($scopeParam, $client);
 
 // Create a new session
 $session = new SessionEntity($this->server);
diff --git a/src/Grant/PasswordGrant.php b/src/Grant/PasswordGrant.php
index cd778356..46084a68 100644
--- a/src/Grant/PasswordGrant.php
+++ b/src/Grant/PasswordGrant.php
@@ -127,7 +127,7 @@ class PasswordGrant extends AbstractGrant
 
 // Validate any scopes that are in the request
 $scopeParam = $this->server->getRequest()->request->get('scope', '');
- $scopes = $this->validateScopes($scopeParam);
+ $scopes = $this->validateScopes($scopeParam, $client);
 
 // Create a new session
 $session = new SessionEntity($this->server);
diff --git a/src/Grant/RefreshTokenGrant.php b/src/Grant/RefreshTokenGrant.php
index b6a1b0ac..5ac9bf8e 100644
--- a/src/Grant/RefreshTokenGrant.php
+++ b/src/Grant/RefreshTokenGrant.php
@@ -108,7 +108,7 @@ class RefreshTokenGrant extends AbstractGrant
 
 // Get and validate any requested scopes
 $requestedScopesString = $this->server->getRequest()->request->get('scope', '');
- $requestedScopes = $this->validateScopes($requestedScopesString);
+ $requestedScopes = $this->validateScopes($requestedScopesString, $client);
 
 // If no new scopes are requested then give the access token the original session scopes
 if (count($requestedScopes) === 0) {
diff --git a/src/Storage/ScopeInterface.php b/src/Storage/ScopeInterface.php
index e533a777..986510ed 100644
--- a/src/Storage/ScopeInterface.php
+++ b/src/Storage/ScopeInterface.php
@@ -20,7 +20,8 @@ interface ScopeInterface
 * Return information about a scope
 * @param string $scope The scope
 * @param string $grantType The grant type used in the request (default = "null")
+ * @param string $clientId The client sending the request (default = "null")
 * @return \League\OAuth2\Server\Entity\ScopeEntity
 */
- public function get($scope, $grantType = null);
+ public function get($scope, $grantType = null, $clientId = null);
 }
diff --git a/tests/unit/Grant/AbstractGrantTest.php b/tests/unit/Grant/AbstractGrantTest.php
index 15168bf0..784a5dc6 100644
--- a/tests/unit/Grant/AbstractGrantTest.php
+++ b/tests/unit/Grant/AbstractGrantTest.php
@@ -4,6 +4,7 @@ namespace LeagueTests\Grant;
 
 use League\OAuth2\Server\Grant;
 use League\OAuth2\Server\Entity\ScopeEntity;
+use League\OAuth2\Server\Entity\ClientEntity;
 use League\OAuth2\Server\AuthorizationServer;
 use League\OAuth2\Server\Exception\InvalidRequestException;
 use LeagueTests\Stubs\StubAbstractGrant;
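Review bot: The new `$clientId` parameter on `ScopeInterface::get()` is the only place the per-client scope restriction can be enforced, yet its docblock says nothing about what an implementation must do with it, so a storage adapter that accepts the argument and ignores it silently returns any registered scope to any client. The parameter line should state the contract, e.g. `@param string $clientId The client sending the request; implementations must return null for a scope this client is not allowed to request (default = "null", meaning no client restriction)`. Since the caller in `AbstractGrant` tests the result with `instanceof ScopeEntity`, the return doc should also become `@return \League\OAuth2\Server\Entity\ScopeEntity|null` so implementers know a non-entity result is the expected rejection path. Existing implementations of this interface must add the third parameter, because PHP rejects an implementing method that declares fewer parameters than the interface; that migration step is worth a line in the interface docblock or the changelog.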
@@ -63,11 +64,13 @@ class AbstractGrantTest extends \PHPUnit_Framework_TestCase
 $grant = new StubAbstractGrant;
 $grant->setAuthorizationServer($server);
 
+ $client = (new ClientEntity($server))->hydrate(['id' => 'testapp']);
+
 $this->assertEquals(
 [
 'foo' => (new ScopeEntity($server))->hydrate(['id' => 'foo'])
 ],
- $grant->validateScopes('foo')
+ $grant->validateScopes('foo', $client)
 );
 }
 
@@ -85,7 +88,9 @@ class AbstractGrantTest extends \PHPUnit_Framework_TestCase
 $grant = new StubAbstractGrant;
 $grant->setAuthorizationServer($server);
 
- $grant->validateScopes();
+ $client = (new ClientEntity($server))->hydrate(['id' => 'testapp']);
+
+ $grant->validateScopes(null, $client);
 }
 
 public function testValidateScopesInvalidScope()
@@ -102,7 +107,9 @@ class AbstractGrantTest extends \PHPUnit_Framework_TestCase
 $grant = new StubAbstractGrant;
 $grant->setAuthorizationServer($server);
 
- $grant->validateScopes('blah');
+ $client = (new ClientEntity($server))->hydrate(['id' => 'testapp']);
+
+ $grant->validateScopes('blah', $client);
 }
 
 public function testValidateScopesDefaultScope()
@@ -123,7 +130,9 @@ class AbstractGrantTest extends \PHPUnit_Framework_TestCase
 $grant = new StubAbstractGrant;
 $grant->setAuthorizationServer($server);
 
- $grant->validateScopes();
+ $client = (new ClientEntity($server))->hydrate(['id' => 'testapp']);
+
+ $grant->validateScopes(null, $client);
 }
 
 public function testValidateScopesDefaultScopeArray()
@@ -144,6 +153,8 @@ class AbstractGrantTest extends \PHPUnit_Framework_TestCase
 $grant = new StubAbstractGrant;
 $grant->setAuthorizationServer($server);
 
- $grant->validateScopes();
+ $client = (new ClientEntity($server))->hydrate(['id' => 'testapp']);
+
+ $grant->validateScopes(null, $client);
 }
 }
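Review bot: The `-85`, `-123` and `-144` hunks in this file replace calls that relied on the `''` default with `$grant->validateScopes(null, $client)`, so the tests now feed `null` into `explode()` rather than the string the docblock declares; `$grant->validateScopes('', $client)` keeps them exercising the documented contract and avoids the null-to-internal-function deprecation on newer PHP. The `$client = (new ClientEntity($server))->hydrate(['id' => 'testapp']);` fixture is repeated in all five hunks and would sit better in a private helper or a property set in `setUp()`. As far as the visible hunks show, no test covers the case the new argument exists for — a scope that is registered but not available to `testapp` being rejected — so the client restriction is currently exercised only by the happy path.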