ElyBy-Mirror/oauth2-server
1
0
Fork 0
mirror of https://github.com/elyby/oauth2-server.git synced 2025-05-31 14:12:07 +05:30
Code Issues Packages Projects Releases Wiki Activity

Moved files into server namespace/folder and updated docblock copyright statements

Browse Source
This commit is contained in:
Alex Bilbie
2013-05-08 11:29:24 -07:00
parent 2d6cc3c98e
commit 5524e9b9c8
24 changed files with 52 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files

468
src/League/OAuth2/Server/AuthServer.php Normal file
View File

@@ -0,0 +1,468 @@
<?php
/**
* OAuth 2.0 Authorization Server
*
* @package php-loep/oauth2-server
* @author Alex Bilbie <hello@alexbilbie.com>
* @copyright Copyright (c) 2013 PHP League of Extraordinary Packages
* @license http://mit-license.org/
* @link http://github.com/php-leop/oauth2-server
*/
namespace League\OAuth2;
use League\OAuth2\Util\Request;
use League\OAuth2\Util\SecureKey;
use League\OAuth2\Storage\SessionInterface;
use League\OAuth2\Storage\ClientInterface;
use League\OAuth2\Storage\ScopeInterface;
use League\OAuth2\Grant\GrantTypeInterface;
/**
* OAuth 2.0 authorization server class
*/
class AuthServer
{
/**
* The delimeter between scopes specified in the scope query string parameter
*
* The OAuth 2 specification states it should be a space but that is stupid
* and everyone excepted Google use a comma instead.
*
* @var string
*/
protected $scopeDelimeter = ',';
/**
* The TTL (time to live) of an access token in seconds (default: 3600)
* @var integer
*/
protected $accessTokenTTL = 3600;
/**
* The registered grant response types
* @var array
*/
protected $responseTypes = array();
/**
* The client, scope and session storage classes
* @var array
*/
protected $storages = array();
/**
* The registered grant types
* @var array
*/
protected $grantTypes = array();
/**
* Require the "scope" parameter to be in checkAuthoriseParams()
* @var boolean
*/
protected $requireScopeParam = true;
/**
* Default scope to be used if none is provided and requireScopeParam is false
* @var string
*/
protected $defaultScope = null;
/**
* Require the "state" parameter to be in checkAuthoriseParams()
* @var boolean
*/
protected $requireStateParam = false;
/**
* The request object
* @var Util\RequestInterface
*/
protected $request = null;
/**
* Exception error codes
* @var array
*/
protected static $exceptionCodes = array(
0 => 'invalid_request',
1 => 'unauthorized_client',
2 => 'access_denied',
3 => 'unsupported_response_type',
4 => 'invalid_scope',
5 => 'server_error',
6 => 'temporarily_unavailable',
7 => 'unsupported_grant_type',
8 => 'invalid_client',
9 => 'invalid_grant'
);
/**
* Exception error messages
* @var array
*/
protected static $exceptionMessages = array(
'invalid_request' => 'The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Check the "%s" parameter.',
'unauthorized_client' => 'The client is not authorized to request an access token using this method.',
'access_denied' => 'The resource owner or authorization server denied the request.',
'unsupported_response_type' => 'The authorization server does not support obtaining an access token using this method.',
'invalid_scope' => 'The requested scope is invalid, unknown, or malformed. Check the "%s" scope.',
'server_error' => 'The authorization server encountered an unexpected condition which prevented it from fulfilling the request.',
'temporarily_unavailable' => 'The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server.',
'unsupported_grant_type' => 'The authorization grant type "%s" is not supported by the authorization server',
'invalid_client' => 'Client authentication failed',
'invalid_grant' => 'The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. Check the "%s" parameter.',
'invalid_credentials' => 'The user credentials were incorrect.',
'invalid_refresh' => 'The refresh token is invalid.',
);
/**
* Exception error HTTP status codes
* @var array
*
* RFC 6749, section 4.1.2.1.:
* No 503 status code for 'temporarily_unavailable', because
* "a 503 Service Unavailable HTTP status code cannot be
* returned to the client via an HTTP redirect"
*/
protected static $exceptionHttpStatusCodes = array(
'invalid_request' => 400,
'unauthorized_client' => 400,
'access_denied' => 401,
'unsupported_response_type' => 400,
'invalid_scope' => 400,
'server_error' => 500,
'temporarily_unavailable' => 400,
'unsupported_grant_type' => 501,
'invalid_client' => 401,
'invalid_grant' => 400,
'invalid_credentials' => 400,
'invalid_refresh' => 400,
);
/**
* Get all headers that have to be send with the error response
*
* @param string $error The error message key
* @return array Array with header values
*/
public static function getExceptionHttpHeaders($error)
{
$headers = array();
switch (self::$exceptionHttpStatusCodes[$error]) {
case 401:
$headers[] = 'HTTP/1.1 401 Unauthorized';
break;
case 500:
$headers[] = 'HTTP/1.1 500 Internal Server Error';
break;
case 501:
$headers[] = 'HTTP/1.1 501 Not Implemented';
break;
case 400:
default:
$headers[] = 'HTTP/1.1 400 Bad Request';
}
// Add "WWW-Authenticate" header
//
// RFC 6749, section 5.2.:
// "If the client attempted to authenticate via the 'Authorization'
// request header field, the authorization server MUST
// respond with an HTTP 401 (Unauthorized) status code and
// include the "WWW-Authenticate" response header field
// matching the authentication scheme used by the client.
// @codeCoverageIgnoreStart
if ($error === 'invalid_client') {
$authScheme = null;
$request = new Request();
if ($request->server('PHP_AUTH_USER') !== null) {
$authScheme = 'Basic';
} else {
$authHeader = $request->header('Authorization');
if ($authHeader !== null) {
if (strpos($authHeader, 'Bearer') === 0) {
$authScheme = 'Bearer';
} elseif (strpos($authHeader, 'Basic') === 0) {
$authScheme = 'Basic';
}
}
}
if ($authScheme !== null) {
$headers[] = 'WWW-Authenticate: '.$authScheme.' realm=""';
}
}
// @codeCoverageIgnoreEnd
return $headers;
}
/**
* Get an exception message
*
* @param string $error The error message key
* @return string The error message
*/
public static function getExceptionMessage($error = '')
{
return self::$exceptionMessages[$error];
}
/**
* Get an exception code
*
* @param integer $code The exception code
* @return string The exception code type
*/
public static function getExceptionType($code = 0)
{
return self::$exceptionCodes[$code];
}
/**
* Create a new OAuth2 authorization server
*
* @param ClientInterface $client A class which inherits from Storage/ClientInterface
* @param SessionInterface $session A class which inherits from Storage/SessionInterface
* @param ScopeInterface $scope A class which inherits from Storage/ScopeInterface
*/
public function __construct(ClientInterface $client, SessionInterface $session, ScopeInterface $scope)
{
$this->storages = array(
'client' => $client,
'session' => $session,
'scope' => $scope
);
}
/**
* Enable support for a grant
* @param GrantTypeInterface $grantType A grant class which conforms to Interface/GrantTypeInterface
* @param null|string $identifier An identifier for the grant (autodetected if not passed)
*/
public function addGrantType(GrantTypeInterface $grantType, $identifier = null)
{
if (is_null($identifier)) {
$identifier = $grantType->getIdentifier();
}
$this->grantTypes[$identifier] = $grantType;
if ( ! is_null($grantType->getResponseType())) {
$this->responseTypes[] = $grantType->getResponseType();
}
}
/**
* Check if a grant type has been enabled
* @param string $identifier The grant type identifier
* @return boolean Returns "true" if enabled, "false" if not
*/
public function hasGrantType($identifier)
{
return (array_key_exists($identifier, $this->grantTypes));
}
public function getResponseTypes()
{
return $this->responseTypes;
}
/**
* Require the "scope" paremter in checkAuthoriseParams()
* @param boolean $require
* @return void
*/
public function requireScopeParam($require = true)
{
$this->requireScopeParam = $require;
}
/**
* Is the scope parameter required?
* @return bool
*/
public function scopeParamRequired()
{
return $this->requireScopeParam;
}
/**
* Default scope to be used if none is provided and requireScopeParam is false
* @var string
*/
public function setDefaultScope($default = null)
{
$this->defaultScope = $default;
}
/**
* Default scope to be used if none is provided and requireScopeParam is false
* @return string|null
*/
public function getDefaultScope()
{
return $this->defaultScope;
}
/**
* Require the "state" paremter in checkAuthoriseParams()
* @param boolean $require
* @return void
*/
public function stateParamRequired()
{
return $this->requireStateParam;
}
/**
* Require the "state" paremter in checkAuthoriseParams()
* @param boolean $require
* @return void
*/
public function requireStateParam($require = false)
{
$this->requireStateParam = $require;
}
/**
* Get the scope delimeter
*
* @return string The scope delimiter (default: ",")
*/
public function getScopeDelimeter()
{
return $this->scopeDelimeter;
}
/**
* Set the scope delimiter
*
* @param string $scopeDelimeter
*/
public function setScopeDelimeter($scopeDelimeter)
{
$this->scopeDelimeter = $scopeDelimeter;
}
/**
* Get the TTL for an access token
* @return int The TTL
*/
public function getAccessTokenTTL()
{
return $this->accessTokenTTL;
}
/**
* Set the TTL for an access token
* @param int $accessTokenTTL The new TTL
*/
public function setAccessTokenTTL($accessTokenTTL)
{
$this->accessTokenTTL = $accessTokenTTL;
}
/**
* Sets the Request Object
*
* @param Util\RequestInterface The Request Object
*/
public function setRequest(Util\RequestInterface $request)
{
$this->request = $request;
}
/**
* Gets the Request object. It will create one from the globals if one is not set.
*
* @return Util\RequestInterface
*/
public function getRequest()
{
if ($this->request === null) {
// @codeCoverageIgnoreStart
$this->request = Request::buildFromGlobals();
}
// @codeCoverageIgnoreEnd
return $this->request;
}
/**
* Return a storage class
* @param string $obj The class required
* @return Storage\ClientInterface|Storage\ScopeInterface|Storage\SessionInterface
*/
public function getStorage($obj)
{
return $this->storages[$obj];
}
/**
* Issue an access token
*
* @param array $inputParams Optional array of parsed $_POST keys
* @return array Authorise request parameters
*/
public function issueAccessToken($inputParams = array())
{
$grantType = $this->getParam('grant_type', 'post', $inputParams);
if (is_null($grantType)) {
throw new Exception\ClientException(sprintf(self::$exceptionMessages['invalid_request'], 'grant_type'), 0);
}
// Ensure grant type is one that is recognised and is enabled
if ( ! in_array($grantType, array_keys($this->grantTypes))) {
throw new Exception\ClientException(sprintf(self::$exceptionMessages['unsupported_grant_type'], $grantType), 7);
}
// Complete the flow
return $this->getGrantType($grantType)->completeFlow($inputParams);
}
/**
* Return a grant type class
* @param string $grantType The grant type identifer
* @return class
*/
public function getGrantType($grantType)
{
if (isset($this->grantTypes[$grantType])) {
return $this->grantTypes[$grantType];
}
throw new Exception\InvalidGrantTypeException(sprintf(self::$exceptionMessages['unsupported_grant_type'], $grantType), 9);
}
/**
* Get a parameter from passed input parameters or the Request class
* @param string|array $param Required parameter
* @param string $method Get/put/post/delete
* @param array $inputParams Passed input parameters
* @return mixed 'Null' if parameter is missing
*/
public function getParam($param = '', $method = 'get', $inputParams = array(), $default = null)
{
if (is_string($param)) {
if (isset($inputParams[$param])) {
return $inputParams[$param];
} elseif ($param === 'client_id' && ! is_null($client_id = $this->getRequest()->server('PHP_AUTH_USER'))) {
return $client_id;
} elseif ($param === 'client_secret' && ! is_null($client_secret = $this->getRequest()->server('PHP_AUTH_PW'))) {
return $client_secret;
} else {
return $this->getRequest()->{$method}($param, $default);
}
} else {
$response = array();
foreach ($param as $p) {
$response[$p] = $this->getParam($p, $method, $inputParams);
}
return $response;
}
}
}

20
src/League/OAuth2/Server/Exception/ClientException.php Normal file
View File

@@ -0,0 +1,20 @@
<?php
/**
* OAuth 2.0 Client Exception
*
* @package php-loep/oauth2-server
* @author Alex Bilbie <hello@alexbilbie.com>
* @copyright Copyright (c) 2013 PHP League of Extraordinary Packages
* @license http://mit-license.org/
* @link http://github.com/php-leop/oauth2-server
*/
namespace League\OAuth2\Exception;
/**
* ClientException Exception
*/
class ClientException extends OAuth2Exception
{
}

20
src/League/OAuth2/Server/Exception/InvalidAccessTokenException.php Normal file
View File

@@ -0,0 +1,20 @@
<?php
/**
* OAuth 2.0 Invalid Access Token Exception
*
* @package php-loep/oauth2-server
* @author Alex Bilbie <hello@alexbilbie.com>
* @copyright Copyright (c) 2013 PHP League of Extraordinary Packages
* @license http://mit-license.org/
* @link http://github.com/php-leop/oauth2-server
*/
namespace League\OAuth2\Exception;
/**
* InvalidAccessToken Exception
*/
class InvalidAccessTokenException extends OAuth2Exception
{
}

20
src/League/OAuth2/Server/Exception/InvalidGrantTypeException.php Normal file
View File

@@ -0,0 +1,20 @@
<?php
/**
* OAuth 2.0 Invalid Grant Type Exception
*
* @package php-loep/oauth2-server
* @author Alex Bilbie <hello@alexbilbie.com>
* @copyright Copyright (c) 2013 PHP League of Extraordinary Packages
* @license http://mit-license.org/
* @link http://github.com/php-leop/oauth2-server
*/
namespace League\OAuth2\Exception;
/**
* InvalidGrantTypeException Exception
*/
class InvalidGrantTypeException extends OAuth2Exception
{
}

20
src/League/OAuth2/Server/Exception/OAuth2Exception.php Normal file
View File

@@ -0,0 +1,20 @@
<?php
/**
* OAuth 2.0 Base Exception
*
* @package php-loep/oauth2-server
* @author Alex Bilbie <hello@alexbilbie.com>
* @copyright Copyright (c) 2013 PHP League of Extraordinary Packages
* @license http://mit-license.org/
* @link http://github.com/php-leop/oauth2-server
*/
namespace League\OAuth2\Exception;
/**
* Exception class
*/
class OAuth2Exception extends \Exception
{
}

293
src/League/OAuth2/Server/Grant/AuthCode.php Normal file
View File

@@ -0,0 +1,293 @@
<?php
/**
* OAuth 2.0 Auth code grant
*
* @package php-loep/oauth2-server
* @author Alex Bilbie <hello@alexbilbie.com>
* @copyright Copyright (c) 2013 PHP League of Extraordinary Packages
* @license http://mit-license.org/
* @link http://github.com/php-leop/oauth2-server
*/
namespace League\OAuth2\Grant;
use League\OAuth2\Request;
use League\OAuth2\AuthServer;
use League\OAuth2\Exception;
use League\OAuth2\Util\SecureKey;
use League\OAuth2\Storage\SessionInterface;
use League\OAuth2\Storage\ClientInterface;
use League\OAuth2\Storage\ScopeInterface;
/**
* Auth code grant class
*/
class AuthCode implements GrantTypeInterface {
/**
* Grant identifier
* @var string
*/
protected $identifier = 'authorization_code';
/**
* Response type
* @var string
*/
protected $responseType = 'code';
/**
* AuthServer instance
* @var AuthServer
*/
protected $authServer = null;
/**
* Access token expires in override
* @var int
*/
protected $accessTokenTTL = null;
/**
* The TTL of the auth token
* @var integer
*/
protected $authTokenTTL = 600;
/**
* Constructor
* @param AuthServer $authServer AuthServer instance
* @return void
*/
public function __construct(AuthServer $authServer)
{
$this->authServer = $authServer;
}
/**
* Return the identifier
* @return string
*/
public function getIdentifier()
{
return $this->identifier;
}
/**
* Return the response type
* @return string
*/
public function getResponseType()
{
return $this->responseType;
}
/**
* Override the default access token expire time
* @param int $accessTokenTTL
* @return void
*/
public function setAccessTokenTTL($accessTokenTTL)
{
$this->accessTokenTTL = $accessTokenTTL;
}
/**
* Override the default access token expire time
* @param int $authTokenTTL
* @return void
*/
public function setAuthTokenTTL($authTokenTTL)
{
$this->authTokenTTL = $authTokenTTL;
}
/**
* Check authorise parameters
*
* @param array $inputParams Optional array of parsed $_GET keys
* @throws \OAuth2\Exception\ClientException
* @return array Authorise request parameters
*/
public function checkAuthoriseParams($inputParams = array())
{
// Auth params
$authParams = $this->authServer->getParam(array('client_id', 'redirect_uri', 'response_type', 'scope', 'state'), 'get', $inputParams);
if (is_null($authParams['client_id'])) {
throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'client_id'), 0);
}
if (is_null($authParams['redirect_uri'])) {
throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'redirect_uri'), 0);
}
if ($this->authServer->stateParamRequired() === true && is_null($authParams['state'])) {
throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'state'), 0);
}
// Validate client ID and redirect URI
$clientDetails = $this->authServer->getStorage('client')->getClient($authParams['client_id'], null, $authParams['redirect_uri']);
if ($clientDetails === false) {
throw new Exception\ClientException($this->authServer->getExceptionMessage('invalid_client'), 8);
}
$authParams['client_details'] = $clientDetails;
if (is_null($authParams['response_type'])) {
throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'response_type'), 0);
}
// Ensure response type is one that is recognised
if ( ! in_array($authParams['response_type'], $this->authServer->getResponseTypes())) {
throw new Exception\ClientException($this->authServer->getExceptionMessage('unsupported_response_type'), 3);
}
// Validate scopes
$scopes = explode($this->authServer->getScopeDelimeter(), $authParams['scope']);
for ($i = 0; $i < count($scopes); $i++) {
$scopes[$i] = trim($scopes[$i]);
if ($scopes[$i] === '') unset($scopes[$i]); // Remove any junk scopes
}
if ($this->authServer->scopeParamRequired() === true && count($scopes) === 0) {
throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'scope'), 0);
} elseif (count($scopes) === 0 && $this->authServer->getDefaultScope()) {
$scopes = array($this->authServer->getDefaultScope());
}
$authParams['scopes'] = array();
foreach ($scopes as $scope) {
$scopeDetails = $this->authServer->getStorage('scope')->getScope($scope, $authParams['client_id'], $this->identifier);
if ($scopeDetails === false) {
throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_scope'), $scope), 4);
}
$authParams['scopes'][] = $scopeDetails;
}
return $authParams;
}
/**
* Parse a new authorise request
*
* @param string $type The session owner's type
* @param string $typeId The session owner's ID
* @param array $authParams The authorise request $_GET parameters
* @return string An authorisation code
*/
public function newAuthoriseRequest($type, $typeId, $authParams = array())
{
// Generate an auth code
$authCode = SecureKey::make();
// Remove any old sessions the user might have
$this->authServer->getStorage('session')->deleteSession($authParams['client_id'], $type, $typeId);
// List of scopes IDs
$scopeIds = array();
foreach ($authParams['scopes'] as $scope)
{
$scopeIds[] = $scope['id'];
}
// Create a new session
$sessionId = $this->authServer->getStorage('session')->createSession($authParams['client_id'], $type, $typeId);
// Associate a redirect URI
$this->authServer->getStorage('session')->associateRedirectUri($sessionId, $authParams['redirect_uri']);
// Associate the auth code
$this->authServer->getStorage('session')->associateAuthCode($sessionId, $authCode, time() + $this->authTokenTTL, implode(',', $scopeIds));
return $authCode;
}
/**
* Complete the auth code grant
* @param null|array $inputParams
* @return array
*/
public function completeFlow($inputParams = null)
{
// Get the required params
$authParams = $this->authServer->getParam(array('client_id', 'client_secret', 'redirect_uri', 'code'), 'post', $inputParams);
if (is_null($authParams['client_id'])) {
throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'client_id'), 0);
}
if (is_null($authParams['client_secret'])) {
throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'client_secret'), 0);
}
if (is_null($authParams['redirect_uri'])) {
throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'redirect_uri'), 0);
}
// Validate client ID and redirect URI
$clientDetails = $this->authServer->getStorage('client')->getClient($authParams['client_id'], $authParams['client_secret'], $authParams['redirect_uri'], $this->identifier);
if ($clientDetails === false) {
throw new Exception\ClientException($this->authServer->getExceptionMessage('invalid_client'), 8);
}
$authParams['client_details'] = $clientDetails;
// Validate the authorization code
if (is_null($authParams['code'])) {
throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'code'), 0);
}
// Verify the authorization code matches the client_id and the request_uri
$session = $this->authServer->getStorage('session')->validateAuthCode($authParams['client_id'], $authParams['redirect_uri'], $authParams['code']);
if ( ! $session) {
throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_grant'), 'code'), 9);
}
// A session ID was returned so update it with an access token and remove the authorisation code
$accessToken = SecureKey::make();
$accessTokenExpiresIn = ($this->accessTokenTTL !== null) ? $this->accessTokenTTL : $this->authServer->getAccessTokenTTL();
$accessTokenExpires = time() + $accessTokenExpiresIn;
// Remove the auth code
$this->authServer->getStorage('session')->removeAuthCode($session['id']);
// Create an access token
$accessTokenId = $this->authServer->getStorage('session')->associateAccessToken($session['id'], $accessToken, $accessTokenExpires);
// Associate scopes with the access token
if ( ! is_null($session['scope_ids'])) {
$scopeIds = explode(',', $session['scope_ids']);
foreach ($scopeIds as $scopeId) {
$this->authServer->getStorage('session')->associateScope($accessTokenId, $scopeId);
}
}
$response = array(
'access_token' => $accessToken,
'token_type' => 'bearer',
'expires' => $accessTokenExpires,
'expires_in' => $accessTokenExpiresIn
);
// Associate a refresh token if set
if ($this->authServer->hasGrantType('refresh_token')) {
$refreshToken = SecureKey::make();
$refreshTokenTTL = time() + $this->authServer->getGrantType('refresh_token')->getRefreshTokenTTL();
$this->authServer->getStorage('session')->associateRefreshToken($accessTokenId, $refreshToken, $refreshTokenTTL);
$response['refresh_token'] = $refreshToken;
}
return $response;
}
}

173
src/League/OAuth2/Server/Grant/ClientCredentials.php Normal file
View File

@@ -0,0 +1,173 @@
<?php
/**
* OAuth 2.0 Client credentials grant
*
* @package php-loep/oauth2-server
* @author Alex Bilbie <hello@alexbilbie.com>
* @copyright Copyright (c) 2013 PHP League of Extraordinary Packages
* @license http://mit-license.org/
* @link http://github.com/php-leop/oauth2-server
*/
namespace League\OAuth2\Grant;
use League\OAuth2\Request;
use League\OAuth2\AuthServer;
use League\OAuth2\Exception;
use League\OAuth2\Util\SecureKey;
use League\OAuth2\Storage\SessionInterface;
use League\OAuth2\Storage\ClientInterface;
use League\OAuth2\Storage\ScopeInterface;
/**
* Client credentials grant class
*/
class ClientCredentials implements GrantTypeInterface {
/**
* Grant identifier
* @var string
*/
protected $identifier = 'client_credentials';
/**
* Response type
* @var string
*/
protected $responseType = null;
/**
* AuthServer instance
* @var AuthServer
*/
protected $authServer = null;
/**
* Access token expires in override
* @var int
*/
protected $accessTokenTTL = null;
/**
* Constructor
* @param AuthServer $authServer AuthServer instance
* @return void
*/
public function __construct(AuthServer $authServer)
{
$this->authServer = $authServer;
}
/**
* Return the identifier
* @return string
*/
public function getIdentifier()
{
return $this->identifier;
}
/**
* Return the response type
* @return string
*/
public function getResponseType()
{
return $this->responseType;
}
/**
* Override the default access token expire time
* @param int $accessTokenTTL
* @return void
*/
public function setAccessTokenTTL($accessTokenTTL)
{
$this->accessTokenTTL = $accessTokenTTL;
}
/**
* Complete the client credentials grant
* @param null|array $inputParams
* @return array
*/
public function completeFlow($inputParams = null)
{
// Get the required params
$authParams = $this->authServer->getParam(array('client_id', 'client_secret'), 'post', $inputParams);
if (is_null($authParams['client_id'])) {
throw new Exception\ClientException(sprintf(AuthServer::getExceptionMessage('invalid_request'), 'client_id'), 0);
}
if (is_null($authParams['client_secret'])) {
throw new Exception\ClientException(sprintf(AuthServer::getExceptionMessage('invalid_request'), 'client_secret'), 0);
}
// Validate client ID and client secret
$clientDetails = $this->authServer->getStorage('client')->getClient($authParams['client_id'], $authParams['client_secret'], null, $this->identifier);
if ($clientDetails === false) {
throw new Exception\ClientException(AuthServer::getExceptionMessage('invalid_client'), 8);
}
$authParams['client_details'] = $clientDetails;
// Validate any scopes that are in the request
$scope = $this->authServer->getParam('scope', 'post', $inputParams, '');
$scopes = explode($this->authServer->getScopeDelimeter(), $scope);
for ($i = 0; $i < count($scopes); $i++) {
$scopes[$i] = trim($scopes[$i]);
if ($scopes[$i] === '') unset($scopes[$i]); // Remove any junk scopes
}
if ($this->authServer->scopeParamRequired() === true && count($scopes) === 0) {
throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'scope'), 0);
} elseif (count($scopes) === 0 && $this->authServer->getDefaultScope()) {
$scopes = array($this->authServer->getDefaultScope());
}
$authParams['scopes'] = array();
foreach ($scopes as $scope) {
$scopeDetails = $this->authServer->getStorage('scope')->getScope($scope, $authParams['client_id'], $this->identifier);
if ($scopeDetails === false) {
throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_scope'), $scope), 4);
}
$authParams['scopes'][] = $scopeDetails;
}
// Generate an access token
$accessToken = SecureKey::make();
$accessTokenExpiresIn = ($this->accessTokenTTL !== null) ? $this->accessTokenTTL : $this->authServer->getAccessTokenTTL();
$accessTokenExpires = time() + $accessTokenExpiresIn;
// Delete any existing sessions just to be sure
$this->authServer->getStorage('session')->deleteSession($authParams['client_id'], 'client', $authParams['client_id']);
// Create a new session
$sessionId = $this->authServer->getStorage('session')->createSession($authParams['client_id'], 'client', $authParams['client_id']);
// Add the access token
$accessTokenId = $this->authServer->getStorage('session')->associateAccessToken($sessionId, $accessToken, $accessTokenExpires);
// Associate scopes with the new session
foreach ($authParams['scopes'] as $scope)
{
$this->authServer->getStorage('session')->associateScope($accessTokenId, $scope['id']);
}
$response = array(
'access_token' => $accessToken,
'token_type' => 'bearer',
'expires' => $accessTokenExpires,
'expires_in' => $accessTokenExpiresIn
);
return $response;
}
}

61
src/League/OAuth2/Server/Grant/GrantTypeInterface.php Normal file
View File

@@ -0,0 +1,61 @@
<?php
/**
* OAuth 2.0 Grant type interface
*
* @package php-loep/oauth2-server
* @author Alex Bilbie <hello@alexbilbie.com>
* @copyright Copyright (c) 2013 PHP League of Extraordinary Packages
* @license http://mit-license.org/
* @link http://github.com/php-leop/oauth2-server
*/
namespace League\OAuth2\Grant;
use League\OAuth2\Request;
use League\OAuth2\AuthServer;
use League\OAuth2\Exception;
use League\OAuth2\Util\SecureKey;
use League\OAuth2\Storage\SessionInterface;
use League\OAuth2\Storage\ClientInterface;
use League\OAuth2\Storage\ScopeInterface;
interface GrantTypeInterface
{
/**
* Constructor
* @param AuthServer $authServer AuthServer instance
* @return void
*/
public function __construct(AuthServer $authServer);
/**
* Returns the grant identifier (used to validate grant_type in OAuth2\AuthServer\issueAccessToken())
* @return string
*/
public function getIdentifier();
/**
* Returns the response type (used to validate response_type in OAuth2\AuthServer\checkAuthoriseParams())
* @return null|string
*/
public function getResponseType();
/**
* Complete the grant flow
*
* Example response:
* <code>
* array(
* 'access_token' => (string), // The access token
* 'refresh_token' => (string), // The refresh token (only set if the refresh token grant is enabled)
* 'token_type' => 'bearer', // Almost always "bearer" (exceptions: JWT, SAML)
* 'expires' => (int), // The timestamp of when the access token will expire
* 'expires_in' => (int) // The number of seconds before the access token will expire
* )
* </code>
*
* @param null|array $inputParams Null unless the input parameters have been manually set
* @return array An array of parameters to be passed back to the client
*/
public function completeFlow($inputParams = null);
}

107
src/League/OAuth2/Server/Grant/Implicit.php Normal file
View File

@@ -0,0 +1,107 @@
<?php
/**
* OAuth 2.0 implicit grant
*
* @package php-loep/oauth2-server
* @author Alex Bilbie <hello@alexbilbie.com>
* @copyright Copyright (c) 2013 PHP League of Extraordinary Packages
* @license http://mit-license.org/
* @link http://github.com/php-leop/oauth2-server
*/
namespace League\OAuth2\Grant;
use League\OAuth2\Request;
use League\OAuth2\AuthServer;
use League\OAuth2\Exception;
use League\OAuth2\Util\SecureKey;
use League\OAuth2\Storage\SessionInterface;
use League\OAuth2\Storage\ClientInterface;
use League\OAuth2\Storage\ScopeInterface;
/**
* Client credentials grant class
*/
class Implict implements GrantTypeInterface {
/**
* Grant identifier
* @var string
*/
protected $identifier = 'implicit';
/**
* Response type
* @var string
*/
protected $responseType = 'token';
/**
* AuthServer instance
* @var AuthServer
*/
protected $authServer = null;
/**
* Constructor
* @param AuthServer $authServer AuthServer instance
* @return void
*/
public function __construct(AuthServer $authServer)
{
$this->authServer = $authServer;
}
/**
* Return the identifier
* @return string
*/
public function getIdentifier()
{
return $this->identifier;
}
/**
* Return the response type
* @return string
*/
public function getResponseType()
{
return $this->responseType;
}
/**
* Complete the client credentials grant
* @param null|array $inputParams
* @return array
*/
public function completeFlow($authParams = null)
{
// Remove any old sessions the user might have
$this->authServer->getStorage('session')->deleteSession($authParams['client_id'], 'user', $authParams['user_id']);
// Generate a new access token
$accessToken = SecureKey::make();
// Compute expiry time
$accessTokenExpires = time() + $this->authServer->getAccessTokenTTL();
// Create a new session
$sessionId = $this->authServer->getStorage('session')->createSession($authParams['client_id'], 'user', $authParams['user_id']);
// Create an access token
$accessTokenId = $this->authServer->getStorage('session')->associateAccessToken($sessionId, $accessToken, $accessTokenExpires);
// Associate scopes with the access token
foreach ($authParams['scopes'] as $scope) {
$this->authServer->getStorage('session')->associateScope($accessTokenId, $scope['id']);
}
$response = array(
'access_token' => $accessToken
);
return $response;
}
}

223
src/League/OAuth2/Server/Grant/Password.php Normal file
View File

@@ -0,0 +1,223 @@
<?php
/**
* OAuth 2.0 Password grant
*
* @package php-loep/oauth2-server
* @author Alex Bilbie <hello@alexbilbie.com>
* @copyright Copyright (c) 2013 PHP League of Extraordinary Packages
* @license http://mit-license.org/
* @link http://github.com/php-leop/oauth2-server
*/
namespace League\OAuth2\Grant;
use League\OAuth2\Request;
use League\OAuth2\AuthServer;
use League\OAuth2\Exception;
use League\OAuth2\Util\SecureKey;
use League\OAuth2\Storage\SessionInterface;
use League\OAuth2\Storage\ClientInterface;
use League\OAuth2\Storage\ScopeInterface;
/**
* Password grant class
*/
class Password implements GrantTypeInterface {
/**
* Grant identifier
* @var string
*/
protected $identifier = 'password';
/**
* Response type
* @var string
*/
protected $responseType = null;
/**
* Callback to authenticate a user's name and password
* @var function
*/
protected $callback = null;
/**
* AuthServer instance
* @var AuthServer
*/
protected $authServer = null;
/**
* Access token expires in override
* @var int
*/
protected $accessTokenTTL = null;
/**
* Constructor
* @param AuthServer $authServer AuthServer instance
* @return void
*/
public function __construct(AuthServer $authServer)
{
$this->authServer = $authServer;
}
/**
* Return the identifier
* @return string
*/
public function getIdentifier()
{
return $this->identifier;
}
/**
* Return the response type
* @return string
*/
public function getResponseType()
{
return $this->responseType;
}
/**
* Override the default access token expire time
* @param int $accessTokenTTL
* @return void
*/
public function setAccessTokenTTL($accessTokenTTL)
{
$this->accessTokenTTL = $accessTokenTTL;
}
/**
* Set the callback to verify a user's username and password
* @param function $callback The callback function
*/
public function setVerifyCredentialsCallback($callback)
{
$this->callback = $callback;
}
/**
* Return the callback function
* @return function
*/
protected function getVerifyCredentialsCallback()
{
if (is_null($this->callback) || ! is_callable($this->callback)) {
throw new Exception\InvalidGrantTypeException('Null or non-callable callback set');
}
return $this->callback;
}
/**
* Complete the password grant
* @param null|array $inputParams
* @return array
*/
public function completeFlow($inputParams = null)
{
// Get the required params
$authParams = $this->authServer->getParam(array('client_id', 'client_secret', 'username', 'password'), 'post', $inputParams);
if (is_null($authParams['client_id'])) {
throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'client_id'), 0);
}
if (is_null($authParams['client_secret'])) {
throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'client_secret'), 0);
}
// Validate client credentials
$clientDetails = $this->authServer->getStorage('client')->getClient($authParams['client_id'], $authParams['client_secret'], null, $this->identifier);
if ($clientDetails === false) {
throw new Exception\ClientException($this->authServer->getExceptionMessage('invalid_client'), 8);
}
$authParams['client_details'] = $clientDetails;
if (is_null($authParams['username'])) {
throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'username'), 0);
}
if (is_null($authParams['password'])) {
throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'password'), 0);
}
// Check if user's username and password are correct
$userId = call_user_func($this->getVerifyCredentialsCallback(), $authParams['username'], $authParams['password']);
if ($userId === false) {
throw new Exception\ClientException($this->authServer->getExceptionMessage('invalid_credentials'), 0);
}
// Validate any scopes that are in the request
$scope = $this->authServer->getParam('scope', 'post', $inputParams, '');
$scopes = explode($this->authServer->getScopeDelimeter(), $scope);
for ($i = 0; $i < count($scopes); $i++) {
$scopes[$i] = trim($scopes[$i]);
if ($scopes[$i] === '') unset($scopes[$i]); // Remove any junk scopes
}
if ($this->authServer->scopeParamRequired() === true && count($scopes) === 0) {
throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'scope'), 0);
} elseif (count($scopes) === 0 && $this->authServer->getDefaultScope()) {
$scopes = array($this->authServer->getDefaultScope());
}
$authParams['scopes'] = array();
foreach ($scopes as $scope) {
$scopeDetails = $this->authServer->getStorage('scope')->getScope($scope, $authParams['client_id'], $this->identifier);
if ($scopeDetails === false) {
throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_scope'), $scope), 4);
}
$authParams['scopes'][] = $scopeDetails;
}
// Generate an access token
$accessToken = SecureKey::make();
$accessTokenExpiresIn = ($this->accessTokenTTL !== null) ? $this->accessTokenTTL : $this->authServer->getAccessTokenTTL();
$accessTokenExpires = time() + $accessTokenExpiresIn;
// Delete any existing sessions just to be sure
$this->authServer->getStorage('session')->deleteSession($authParams['client_id'], 'user', $userId);
// Create a new session
$sessionId = $this->authServer->getStorage('session')->createSession($authParams['client_id'], 'user', $userId);
// Associate an access token with the session
$accessTokenId = $this->authServer->getStorage('session')->associateAccessToken($sessionId, $accessToken, $accessTokenExpires);
// Associate scopes with the access token
foreach ($authParams['scopes'] as $scope) {
$this->authServer->getStorage('session')->associateScope($accessTokenId, $scope['id']);
}
$response = array(
'access_token' => $accessToken,
'token_type' => 'bearer',
'expires' => $accessTokenExpires,
'expires_in' => $accessTokenExpiresIn
);
// Associate a refresh token if set
if ($this->authServer->hasGrantType('refresh_token')) {
$refreshToken = SecureKey::make();
$refreshTokenTTL = time() + $this->authServer->getGrantType('refresh_token')->getRefreshTokenTTL();
$this->authServer->getStorage('session')->associateRefreshToken($accessTokenId, $refreshToken, $refreshTokenTTL);
$response['refresh_token'] = $refreshToken;
}
return $response;
}
}

182
src/League/OAuth2/Server/Grant/RefreshToken.php Normal file
View File

@@ -0,0 +1,182 @@
<?php
/**
* OAuth 2.0 Refresh token grant
*
* @package php-loep/oauth2-server
* @author Alex Bilbie <hello@alexbilbie.com>
* @copyright Copyright (c) 2013 PHP League of Extraordinary Packages
* @license http://mit-license.org/
* @link http://github.com/php-leop/oauth2-server
*/
namespace League\OAuth2\Grant;
use League\OAuth2\Request;
use League\OAuth2\AuthServer;
use League\OAuth2\Exception;
use League\OAuth2\Util\SecureKey;
use League\OAuth2\Storage\SessionInterface;
use League\OAuth2\Storage\ClientInterface;
use League\OAuth2\Storage\ScopeInterface;
/**
* Referesh token grant
*/
class RefreshToken implements GrantTypeInterface {
/**
* Grant identifier
* @var string
*/
protected $identifier = 'refresh_token';
/**
* Response type
* @var string
*/
protected $responseType = null;
/**
* AuthServer instance
* @var AuthServer
*/
protected $authServer = null;
/**
* Access token expires in override
* @var int
*/
protected $accessTokenTTL = null;
/**
* Refresh token TTL
* @var integer
*/
protected $refreshTokenTTL = 604800;
/**
* Constructor
* @param AuthServer $authServer AuthServer instance
* @return void
*/
public function __construct(AuthServer $authServer)
{
$this->authServer = $authServer;
}
/**
* Return the identifier
* @return string
*/
public function getIdentifier()
{
return $this->identifier;
}
/**
* Return the response type
* @return string
*/
public function getResponseType()
{
return $this->responseType;
}
/**
* Override the default access token expire time
* @param int $accessTokenTTL
* @return void
*/
public function setAccessTokenTTL($accessTokenTTL)
{
$this->accessTokenTTL = $accessTokenTTL;
}
/**
* Set the TTL of the refresh token
* @param int $refreshTokenTTL
* @return void
*/
public function setRefreshTokenTTL($refreshTokenTTL)
{
$this->refreshTokenTTL = $refreshTokenTTL;
}
/**
* Get the TTL of the refresh token
* @return int
*/
public function getRefreshTokenTTL()
{
return $this->refreshTokenTTL;
}
/**
* Complete the refresh token grant
* @param null|array $inputParams
* @return array
*/
public function completeFlow($inputParams = null)
{
// Get the required params
$authParams = $this->authServer->getParam(array('client_id', 'client_secret', 'refresh_token'), 'post', $inputParams);
if (is_null($authParams['client_id'])) {
throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'client_id'), 0);
}
if (is_null($authParams['client_secret'])) {
throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'client_secret'), 0);
}
// Validate client ID and client secret
$clientDetails = $this->authServer->getStorage('client')->getClient($authParams['client_id'], $authParams['client_secret'], null, $this->identifier);
if ($clientDetails === false) {
throw new Exception\ClientException($this->authServer->getExceptionMessage('invalid_client'), 8);
}
$authParams['client_details'] = $clientDetails;
if (is_null($authParams['refresh_token'])) {
throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'refresh_token'), 0);
}
// Validate refresh token
$accessTokenId = $this->authServer->getStorage('session')->validateRefreshToken($authParams['refresh_token']);
if ($accessTokenId === false) {
throw new Exception\ClientException($this->authServer->getExceptionMessage('invalid_refresh'), 0);
}
// Get the existing access token
$accessTokenDetails = $this->authServer->getStorage('session')->getAccessToken($accessTokenId);
// Get the scopes for the existing access token
$scopes = $this->authServer->getStorage('session')->getScopes($accessTokenDetails['access_token']);
// Generate new tokens and associate them to the session
$accessToken = SecureKey::make();
$accessTokenExpiresIn = ($this->accessTokenTTL !== null) ? $this->accessTokenTTL : $this->authServer->getAccessTokenTTL();
$accessTokenExpires = time() + $accessTokenExpiresIn;
$refreshToken = SecureKey::make();
$refreshTokenExpires = time() + $this->getRefreshTokenTTL();
$newAccessTokenId = $this->authServer->getStorage('session')->associateAccessToken($accessTokenDetails['session_id'], $accessToken, $accessTokenExpires);
foreach ($scopes as $scope) {
$this->authServer->getStorage('session')->associateScope($newAccessTokenId, $scope['id']);
}
$this->authServer->getStorage('session')->associateRefreshToken($newAccessTokenId, $refreshToken, $refreshTokenExpires);
return array(
'access_token' => $accessToken,
'refresh_token' => $refreshToken,
'token_type' => 'bearer',
'expires' => $accessTokenExpires,
'expires_in' => $accessTokenExpiresIn
);
}
}

244
src/League/OAuth2/Server/ResourceServer.php Normal file
View File

@@ -0,0 +1,244 @@
<?php
/**
* OAuth 2.0 Resource Server
*
* @package php-loep/oauth2-server
* @author Alex Bilbie <hello@alexbilbie.com>
* @copyright Copyright (c) 2013 PHP League of Extraordinary Packages
* @license http://mit-license.org/
* @link http://github.com/php-leop/oauth2-server
*/
namespace League\OAuth2;
use OutOfBoundsException;
use League\OAuth2\Storage\SessionInterface;
use League\OAuth2\Util\RequestInterface;
use League\OAuth2\Util\Request;
/**
* OAuth 2.0 Resource Server
*/
class ResourceServer
{
/**
* The access token
* @var string
*/
protected $accessToken = null;
/**
* The session ID
* @var string
*/
protected $sessionId = null;
/**
* The type of the owner of the access token
* @var string
*/
protected $ownerType = null;
/**
* The ID of the owner of the access token
* @var string
*/
protected $ownerId = null;
/**
* The scopes associated with the access token
* @var array
*/
protected $sessionScopes = array();
/**
* The client, scope and session storage classes
* @var array
*/
protected $storages = array();
/**
* The request object
* @var Util\RequestInterface
*/
protected $request = null;
/**
* The query string key which is used by clients to present the access token (default: access_token)
* @var string
*/
protected $tokenKey = 'access_token';
/**
* Sets up the Resource
*
* @param SessionInterface The Session Storage Object
*/
public function __construct(SessionInterface $session)
{
$this->storages['session'] = $session;
}
/**
* Sets the Request Object
*
* @param RequestInterface The Request Object
*/
public function setRequest(RequestInterface $request)
{
$this->request = $request;
}
/**
* Gets the Request object. It will create one from the globals if one is not set.
*
* @return Util\RequestInterface
*/
public function getRequest()
{
if ($this->request === null) {
// @codeCoverageIgnoreStart
$this->request = Request::buildFromGlobals();
}
// @codeCoverageIgnoreEnd
return $this->request;
}
/**
* Returns the query string key for the access token.
*
* @return string
*/
public function getTokenKey()
{
return $this->tokenKey;
}
/**
* Sets the query string key for the access token.
*
* @param $key The new query string key
*/
public function setTokenKey($key)
{
$this->tokenKey = $key;
}
/**
* Gets the access token owner ID.
*
* @return string
*/
public function getOwnerId()
{
return $this->ownerId;
}
/**
* Gets the owner type.
*
* @return string
*/
public function getOwnerType()
{
return $this->ownerType;
}
/**
* Gets the access token.
*
* @return string
*/
public function getAccessToken()
{
return $this->accessToken;
}
/**
* Checks if the access token is valid or not.
*
* @throws Exception\InvalidAccessTokenException Thrown if the presented access token is not valid
* @return bool
*/
public function isValid()
{
$accessToken = $this->determineAccessToken();
$result = $this->storages['session']->validateAccessToken($accessToken);
if ( ! $result) {
throw new Exception\InvalidAccessTokenException('Access token is not valid');
}
$this->accessToken = $accessToken;
$this->sessionId = $result['session_id'];
$this->clientId = $result['client_id'];
$this->ownerType = $result['owner_type'];
$this->ownerId = $result['owner_id'];
$sessionScopes = $this->storages['session']->getScopes($this->accessToken);
foreach ($sessionScopes as $scope) {
$this->sessionScopes[] = $scope['key'];
}
return true;
}
/**
* Get the session scopes
* @return [type] [description]
*/
public function getScopes()
{
return $this->sessionScopes;
}
/**
* Checks if the presented access token has the given scope(s).
*
* @param array|string An array of scopes or a single scope as a string
* @return bool Returns bool if all scopes are found, false if any fail
*/
public function hasScope($scopes)
{
if (is_string($scopes)) {
if (in_array($scopes, $this->sessionScopes)) {
return true;
}
return false;
} elseif (is_array($scopes)) {
foreach ($scopes as $scope) {
if ( ! in_array($scope, $this->sessionScopes)) {
return false;
}
}
return true;
}
return false;
}
/**
* Reads in the access token from the headers.
*
* @throws Exception\MissingAccessTokenException Thrown if there is no access token presented
* @return string
*/
protected function determineAccessToken()
{
if ($header = $this->getRequest()->header('Authorization')) {
$accessToken = trim(str_replace('Bearer', '', $header));
} else {
$method = $this->getRequest()->server('REQUEST_METHOD');
$accessToken = $this->getRequest()->{$method}($this->tokenKey);
}
if (empty($accessToken)) {
throw new Exception\InvalidAccessTokenException('Access token is missing');
}
return $accessToken;
}
}

55
src/League/OAuth2/Server/Storage/ClientInterface.php Normal file
View File

@@ -0,0 +1,55 @@
<?php
/**
* OAuth 2.0 Client storage interface
*
* @package php-loep/oauth2-server
* @author Alex Bilbie <hello@alexbilbie.com>
* @copyright Copyright (c) 2013 PHP League of Extraordinary Packages
* @license http://mit-license.org/
* @link http://github.com/php-leop/oauth2-server
*/
namespace League\OAuth2\Storage;
interface ClientInterface
{
/**
* Validate a client
*
* Example SQL query:
*
* <code>
* # Client ID + redirect URI
* SELECT oauth_clients.id FROM oauth_clients LEFT JOIN client_endpoints ON client_endpoints.client_id
* = oauth_clients.id WHERE oauth_clients.id = $clientId AND client_endpoints.redirect_uri = $redirectUri
*
* # Client ID + client secret
* SELECT oauth_clients.id FROM oauth_clients WHERE oauth_clients.id = $clientId AND
* oauth_clients.secret = $clientSecret
*
* # Client ID + client secret + redirect URI
* SELECT oauth_clients.id FROM oauth_clients LEFT JOIN client_endpoints ON client_endpoints.client_id
* = oauth_clients.id WHERE oauth_clients.id = $clientId AND oauth_clients.secret = $clientSecret
* AND client_endpoints.redirect_uri = $redirectUri
* </code>
*
* Response:
*
* <code>
* Array
* (
* [client_id] => (string) The client ID
* [client secret] => (string) The client secret
* [redirect_uri] => (string) The redirect URI used in this request
* [name] => (string) The name of the client
* )
* </code>
*
* @param string $clientId The client's ID
* @param string $clientSecret The client's secret (default = "null")
* @param string $redirectUri The client's redirect URI (default = "null")
* @param string $grantType The grant type used in the request
* @return bool|array Returns false if the validation fails, array on success
*/
public function getClient($clientId = null, $clientSecret = null, $redirectUri = null, $grantType = null);
}

45
src/League/OAuth2/Server/Storage/PDO/Client.php Normal file
View File

@@ -0,0 +1,45 @@
<?php
namespace League\OAuth2\Storage\PDO;
use League\OAuth2\Storage\ClientInterface;
class Client implements ClientInterface
{
public function getClient($clientId = null, $clientSecret = null, $redirectUri = null, $grantType = null)
{
$db = \ezcDbInstance::get();
if ( ! is_null($redirectUri) && is_null($clientSecret)) {
$stmt = $db->prepare('SELECT oauth_clients.id, oauth_clients.secret, oauth_client_endpoints.redirect_uri, oauth_clients.name FROM oauth_clients LEFT JOIN oauth_client_endpoints ON oauth_client_endpoints.client_id = oauth_clients.id WHERE oauth_clients.id = :clientId AND oauth_client_endpoints.redirect_uri = :redirectUri');
$stmt->bindValue(':redirectUri', $redirectUri);
}
elseif ( ! is_null($clientSecret) && is_null($redirectUri)) {
$stmt = $db->prepare('SELECT oauth_clients.id, oauth_clients.secret, oauth_clients.name FROM oauth_clients WHERE oauth_clients.id = :clientId AND oauth_clients.secret = :clientSecret');
$stmt->bindValue(':clientSecret', $clientSecret);
}
elseif ( ! is_null($clientSecret) && ! is_null($redirectUri)) {
$stmt = $db->prepare('SELECT oauth_clients.id, oauth_clients.secret, oauth_client_endpoints.redirect_uri, oauth_clients.name FROM oauth_clients LEFT JOIN oauth_client_endpoints ON oauth_client_endpoints.client_id = oauth_clients.id WHERE oauth_clients.id = :clientId AND oauth_clients.secret = :clientSecret AND oauth_client_endpoints.redirect_uri = :redirectUri');
$stmt->bindValue(':redirectUri', $redirectUri);
$stmt->bindValue(':clientSecret', $clientSecret);
}
$stmt->bindValue(':clientId', $clientId);
$stmt->execute();
$row = $stmt->fetchObject();
if ($row === false) {
return false;
}
return array(
'client_id' => $row->id,
'client_secret' => $row->secret,
'redirect_uri' => (isset($row->redirect_uri)) ? $row->redirect_uri : null,
'name' => $row->name
);
}
}

12
src/League/OAuth2/Server/Storage/PDO/Db.php Normal file
View File

@@ -0,0 +1,12 @@
<?php
namespace League\OAuth2\Storage\PDO;
class Db
{
public function __construct($dsn = '')
{
$db = \ezcDbFactory::create($dsn);
\ezcDbInstance::set($db);
}
}

31
src/League/OAuth2/Server/Storage/PDO/Scope.php Normal file
View File

@@ -0,0 +1,31 @@
<?php
namespace League\OAuth2\Storage\PDO;
use League\OAuth2\Storage\ScopeInterface;
class Scope implements ScopeInterface
{
public function getScope($scope, $clientId = null, $grantType = null)
{
$db = \ezcDbInstance::get();
$stmt = $db->prepare('SELECT * FROM oauth_scopes WHERE oauth_scopes.key = :scope');
$stmt->bindValue(':scope', $scope);
$stmt->execute();
$row = $stmt->fetchObject();
if ($row === false) {
return false;
}
return array(
'id' => $row->id,
'scope' => $row->key,
'name' => $row->name,
'description' => $row->description
);
}
}

269
src/League/OAuth2/Server/Storage/PDO/Session.php Normal file
View File

@@ -0,0 +1,269 @@
<?php
namespace League\OAuth2\Storage\PDO;
use League\OAuth2\Storage\SessionInterface;
class Session implements SessionInterface
{
/**
* Create a new session
* @param string $clientId The client ID
* @param string $ownerType The type of the session owner (e.g. "user")
* @param string $ownerId The ID of the session owner (e.g. "123")
* @return int The session ID
*/
public function createSession($clientId, $ownerType, $ownerId)
{
$db = \ezcDbInstance::get();
$stmt = $db->prepare('INSERT INTO oauth_sessions (client_id, owner_type, owner_id) VALUE
(:clientId, :ownerType, :ownerId)');
$stmt->bindValue(':clientId', $clientId);
$stmt->bindValue(':ownerType', $ownerType);
$stmt->bindValue(':ownerId', $ownerId);
$stmt->execute();
return $db->lastInsertId();
}
/**
* Delete a session
* @param string $clientId The client ID
* @param string $ownerType The type of the session owner (e.g. "user")
* @param string $ownerId The ID of the session owner (e.g. "123")
* @return void
*/
public function deleteSession($clientId, $ownerType, $ownerId)
{
$db = \ezcDbInstance::get();
$stmt = $db->prepare('DELETE FROM oauth_sessions WHERE client_id = :clientId AND
owner_type = :type AND owner_id = :typeId');
$stmt->bindValue(':clientId', $clientId);
$stmt->bindValue(':type', $ownerType);
$stmt->bindValue(':typeId', $ownerId);
$stmt->execute();
}
/**
* Associate a redirect URI with a session
* @param int $sessionId The session ID
* @param string $redirectUri The redirect URI
* @return void
*/
public function associateRedirectUri($sessionId, $redirectUri)
{
$db = \ezcDbInstance::get();
$stmt = $db->prepare('INSERT INTO oauth_session_redirects (session_id, redirect_uri)
VALUE (:sessionId, :redirectUri)');
$stmt->bindValue(':sessionId', $sessionId);
$stmt->bindValue(':redirectUri', $redirectUri);
$stmt->execute();
}
/**
* Associate an access token with a session
* @param int $sessionId The session ID
* @param string $accessToken The access token
* @param int $expireTime Unix timestamp of the access token expiry time
* @return void
*/
public function associateAccessToken($sessionId, $accessToken, $expireTime)
{
$db = \ezcDbInstance::get();
$stmt = $db->prepare('INSERT INTO oauth_session_access_tokens (session_id, access_token, access_token_expires)
VALUE (:sessionId, :accessToken, :accessTokenExpire)');
$stmt->bindValue(':sessionId', $sessionId);
$stmt->bindValue(':accessToken', $accessToken);
$stmt->bindValue(':accessTokenExpire', $expireTime);
$stmt->execute();
return $db->lastInsertId();
}
/**
* Remove an associated access token from a session
* @param int $sessionId The session ID
* @return void
*/
public function removeAccessToken($sessionId)
{
$db = \ezcDbInstance::get();
$stmt = $db->prepare('INSERT INTO oauth_session_refresh_tokens (session_access_token_id, refresh_token) VALUE
(:accessTokenId, :refreshToken)');
$stmt->bindValue(':accessTokenId', $accessTokenId);
$stmt->bindValue(':refreshToken', $params['refresh_token']);
$stmt->execute();
}
/**
* Associate a refresh token with a session
* @param int $accessTokenId The access token ID
* @param string $refreshToken The refresh token
* @param int $expireTime Unix timestamp of the refresh token expiry time
* @return void
*/
public function associateRefreshToken($accessTokenId, $refreshToken, $expireTime)
{
$db = \ezcDbInstance::get();
$stmt = $db->prepare('INSERT INTO oauth_session_refresh_tokens (session_access_token_id, refresh_token, refresh_token_expires) VALUE
(:accessTokenId, :refreshToken, :expireTime)');
$stmt->bindValue(':accessTokenId', $accessTokenId);
$stmt->bindValue(':refreshToken', $refreshToken);
$stmt->bindValue(':expireTime', $expireTime);
$stmt->execute();
}
/**
* Assocate an authorization code with a session
* @param int $sessionId The session ID
* @param string $authCode The authorization code
* @param int $expireTime Unix timestamp of the access token expiry time
* @param string $scopeIds Comma seperated list of scope IDs to be later associated (default = null)
* @return void
*/
public function associateAuthCode($sessionId, $authCode, $expireTime, $scopeIds = null)
{
$db = \ezcDbInstance::get();
$stmt = $db->prepare('INSERT INTO oauth_session_authcodes (session_id, auth_code, auth_code_expires, scope_ids)
VALUE (:sessionId, :authCode, :authCodeExpires, :scopeIds)');
$stmt->bindValue(':sessionId', $sessionId);
$stmt->bindValue(':authCode', $authCode);
$stmt->bindValue(':authCodeExpires', $expireTime);
$stmt->bindValue(':scopeIds', $scopeIds);
$stmt->execute();
}
/**
* Remove an associated authorization token from a session
* @param int $sessionId The session ID
* @return void
*/
public function removeAuthCode($sessionId)
{
$db = \ezcDbInstance::get();
$stmt = $db->prepare('DELETE FROM oauth_session_authcodes WHERE session_id = :sessionId');
$stmt->bindValue(':sessionId', $sessionId);
$stmt->execute();
}
/**
* Validate an authorization code
* @param string $clientId The client ID
* @param string $redirectUri The redirect URI
* @param string $authCode The authorization code
* @return void
*/
public function validateAuthCode($clientId, $redirectUri, $authCode)
{
$db = \ezcDbInstance::get();
$stmt = $db->prepare('SELECT oauth_sessions.id, oauth_session_authcodes.scope_ids FROM oauth_sessions JOIN
oauth_session_authcodes ON oauth_session_authcodes.`session_id` = oauth_sessions.id JOIN
oauth_session_redirects ON oauth_session_redirects.`session_id` = oauth_sessions.id WHERE
oauth_sessions.client_id = :clientId AND oauth_session_authcodes.`auth_code` = :authCode AND
`oauth_session_authcodes`.`auth_code_expires` >= :time AND `oauth_session_redirects`.`redirect_uri`
= :redirectUri');
$stmt->bindValue(':clientId', $clientId);
$stmt->bindValue(':redirectUri', $redirectUri);
$stmt->bindValue(':authCode', $authCode);
$stmt->bindValue(':time', time());
$stmt->execute();
$result = $stmt->fetchObject();
return ($result === false) ? false : (array) $result;
}
/**
* Validate an access token
* @param string $accessToken The access token to be validated
* @return void
*/
public function validateAccessToken($accessToken)
{
$db = \ezcDbInstance::get();
$stmt = $db->prepare('SELECT session_id, oauth_sessions.`client_id`, oauth_sessions.`owner_id`, oauth_sessions.`owner_type` FROM `oauth_session_access_tokens` JOIN oauth_sessions ON oauth_sessions.`id` = session_id WHERE access_token = :accessToken AND access_token_expires >= ' . time());
$stmt->bindValue(':accessToken', $accessToken);
$stmt->execute();
$result = $stmt->fetchObject();
return ($result === false) ? false : (array) $result;
}
/**
* Validate a refresh token
* @param string $refreshToken The access token
* @return void
*/
public function validateRefreshToken($refreshToken)
{
$db = \ezcDbInstance::get();
$stmt = $db->prepare('SELECT session_access_token_id FROM `oauth_session_refresh_tokens` WHERE
refresh_token = :refreshToken AND refresh_token_expires >= ' . time());
$stmt->bindValue(':refreshToken', $refreshToken);
$stmt->execute();
$result = $stmt->fetchObject();
return ($result === false) ? false : $result->session_access_token_id;
}
/**
* Get an access token by ID
* @param int $accessTokenId The access token ID
* @return array
*/
public function getAccessToken($accessTokenId)
{
$db = \ezcDbInstance::get();
$stmt = $db->prepare('SELECT * FROM `oauth_session_access_tokens` WHERE `id` = :accessTokenId');
$stmt->bindValue(':accessTokenId', $accessTokenId);
$stmt->execute();
$result = $stmt->fetchObject();
return ($result === false) ? false : (array) $result;
}
/**
* Associate a scope with an access token
* @param int $accessTokenId The ID of the access token
* @param int $scopeId The ID of the scope
* @return void
*/
public function associateScope($accessTokenId, $scopeId)
{
$db = \ezcDbInstance::get();
$stmt = $db->prepare('INSERT INTO `oauth_session_token_scopes` (`session_access_token_id`, `scope_id`)
VALUE (:accessTokenId, :scopeId)');
$stmt->bindValue(':accessTokenId', $accessTokenId);
$stmt->bindValue(':scopeId', $scopeId);
$stmt->execute();
}
/**
* Get all associated access tokens for an access token
* @param string $accessToken The access token
* @return array
*/
public function getScopes($accessToken)
{
$db = \ezcDbInstance::get();
$stmt = $db->prepare('SELECT oauth_scopes.* FROM oauth_session_token_scopes JOIN oauth_session_access_tokens ON oauth_session_access_tokens.`id` = `oauth_session_token_scopes`.`session_access_token_id` JOIN oauth_scopes ON oauth_scopes.id = `oauth_session_token_scopes`.`scope_id` WHERE access_token = :accessToken');
$stmt->bindValue(':accessToken', $accessToken);
$stmt->execute();
return $stmt->fetchAll();
}
}

42
src/League/OAuth2/Server/Storage/ScopeInterface.php Normal file
View File

@@ -0,0 +1,42 @@
<?php
/**
* OAuth 2.0 Scope storage interface
*
* @package php-loep/oauth2-server
* @author Alex Bilbie <hello@alexbilbie.com>
* @copyright Copyright (c) 2013 PHP League of Extraordinary Packages
* @license http://mit-license.org/
* @link http://github.com/php-leop/oauth2-server
*/
namespace League\OAuth2\Storage;
interface ScopeInterface
{
/**
* Return information about a scope
*
* Example SQL query:
*
* <code>
* SELECT * FROM oauth_scopes WHERE scope = $scope
* </code>
*
* Response:
*
* <code>
* Array
* (
* [id] => (int) The scope's ID
* [scope] => (string) The scope itself
* [name] => (string) The scope's name
* [description] => (string) The scope's description
* )
* </code>
*
* @param string $scope The scope
* @param string $clientId The client ID
* @return bool|array If the scope doesn't exist return false
*/
public function getScope($scope, $clientId = null, $grantType = null);
}

128
src/League/OAuth2/Server/Storage/SessionInterface.php Normal file
View File

@@ -0,0 +1,128 @@
<?php
/**
* OAuth 2.0 Session storage interface
*
* @package php-loep/oauth2-server
* @author Alex Bilbie <hello@alexbilbie.com>
* @copyright Copyright (c) 2013 PHP League of Extraordinary Packages
* @license http://mit-license.org/
* @link http://github.com/php-leop/oauth2-server
*/
namespace League\OAuth2\Storage;
interface SessionInterface
{
/**
* Create a new session
* @param string $clientId The client ID
* @param string $ownerType The type of the session owner (e.g. "user")
* @param string $ownerId The ID of the session owner (e.g. "123")
* @return int The session ID
*/
public function createSession($clientId, $ownerType, $ownerId);
/**
* Delete a session
* @param string $clientId The client ID
* @param string $ownerType The type of the session owner (e.g. "user")
* @param string $ownerId The ID of the session owner (e.g. "123")
* @return void
*/
public function deleteSession($clientId, $ownerType, $ownerId);
/**
* Associate a redirect URI with a session
* @param int $sessionId The session ID
* @param string $redirectUri The redirect URI
* @return void
*/
public function associateRedirectUri($sessionId, $redirectUri);
/**
* Associate an access token with a session
* @param int $sessionId The session ID
* @param string $accessToken The access token
* @param int $expireTime Unix timestamp of the access token expiry time
* @return void
*/
public function associateAccessToken($sessionId, $accessToken, $expireTime);
/**
* Remove an associated access token from a session
* @param int $sessionId The session ID
* @return void
*/
public function removeAccessToken($sessionId);
/**
* Associate a refresh token with a session
* @param int $accessTokenId The access token ID
* @param string $refreshToken The refresh token
* @param int $expireTime Unix timestamp of the refresh token expiry time
* @return void
*/
public function associateRefreshToken($accessTokenId, $refreshToken, $expireTime);
/**
* Assocate an authorization code with a session
* @param int $sessionId The session ID
* @param string $authCode The authorization code
* @param int $expireTime Unix timestamp of the access token expiry time
* @param string $scopeIds Comma seperated list of scope IDs to be later associated (default = null)
* @return void
*/
public function associateAuthCode($sessionId, $authCode, $expireTime, $scopeIds = null);
/**
* Remove an associated authorization token from a session
* @param int $sessionId The session ID
* @return void
*/
public function removeAuthCode($sessionId);
/**
* Validate an authorization code
* @param string $clientId The client ID
* @param string $redirectUri The redirect URI
* @param string $authCode The authorization code
* @return void
*/
public function validateAuthCode($clientId, $redirectUri, $authCode);
/**
* Validate an access token
* @param string $accessToken [description]
* @return void
*/
public function validateAccessToken($accessToken);
/**
* Validate a refresh token
* @param string $refreshToken The access token
* @return void
*/
public function validateRefreshToken($refreshToken);
/**
* Get an access token by ID
* @param int $accessTokenId The access token ID
* @return array
*/
public function getAccessToken($accessTokenId);
/**
* Associate a scope with an access token
* @param int $accessTokenId The ID of the access token
* @param int $scopeId The ID of the scope
* @return void
*/
public function associateScope($accessTokenId, $scopeId);
/**
* Get all associated access tokens for an access token
* @param string $accessToken The access token
* @return array
*/
public function getScopes($accessToken);
}

31
src/League/OAuth2/Server/Util/RedirectUri.php Normal file
View File

@@ -0,0 +1,31 @@
<?php
/**
* OAuth 2.0 Redirect URI generator
*
* @package php-loep/oauth2-server
* @author Alex Bilbie <hello@alexbilbie.com>
* @copyright Copyright (c) 2013 PHP League of Extraordinary Packages
* @license http://mit-license.org/
* @link http://github.com/php-leop/oauth2-server
*/
namespace League\OAuth2\Util;
/**
* RedirectUri class
*/
class RedirectUri
{
/**
* Generate a new redirect uri
* @param string $uri The base URI
* @param array $params The query string parameters
* @param string $queryDelimeter The query string delimeter (default: "?")
* @return string The updated URI
*/
public static function make($uri, $params = array(), $queryDelimeter = '?')
{
$uri .= (strstr($uri, $queryDelimeter) === false) ? $queryDelimeter : '&';
return $uri.http_build_query($params);
}
}

100
src/League/OAuth2/Server/Util/Request.php Normal file
View File

@@ -0,0 +1,100 @@
<?php
namespace League\OAuth2\Util;
use OutOfBoundsException;
use InvalidMethodCallException;
use InvalidArgumentException;
class Request implements RequestInterface
{
protected $get = array();
protected $post = array();
protected $cookies = array();
protected $files = array();
protected $server = array();
protected $headers = array();
public static function buildFromGlobals()
{
return new static($_GET, $_POST, $_COOKIE, $_FILES, $_SERVER);
}
public function __construct(array $get = array(), array $post = array(), array $cookies = array(), array $files = array(), array $server = array(), $headers = array())
{
$this->get = $get;
$this->post = $post;
$this->cookies = $cookies;
$this->files = $files;
$this->server = $server;
if (empty($headers)) {
$this->headers = $this->readHeaders();
}
}
public function get($index = null, $default = null)
{
return $this->getPropertyValue('get', $index, $default);
}
public function post($index = null, $default = null)
{
return $this->getPropertyValue('post', $index, $default);
}
public function file($index = null, $default = null)
{
return $this->getPropertyValue('files', $index, $default);
}
public function cookie($index = null, $default = null)
{
return $this->getPropertyValue('cookies', $index, $default);
}
public function server($index = null, $default = null)
{
return $this->getPropertyValue('server', $index, $default);
}
public function header($index = null, $default = null)
{
return $this->getPropertyValue('headers', $index, $default);
}
protected function readHeaders()
{
if (function_exists('getallheaders')) {
// @codeCoverageIgnoreStart
$headers = getallheaders();
} else {
// @codeCoverageIgnoreEnd
$headers = array();
foreach ($this->server() as $name => $value) {
if (substr($name, 0, 5) == 'HTTP_') {
$name = str_replace(' ', '-', ucwords(strtolower(str_replace('_', ' ', substr($name, 5)))));
$headers[$name] = $value;
}
}
}
return $headers;
}
protected function getPropertyValue($property, $index = null, $default = null)
{
if ( ! isset($this->{$property})) {
throw new InvalidArgumentException("Property '$property' does not exist.");
}
if (is_null($index)) {
return $this->{$property};
}
if ( ! array_key_exists($index, $this->{$property})) {
return $default;
}
return $this->{$property}[$index];
}
}

24
src/League/OAuth2/Server/Util/RequestInterface.php Normal file
View File

@@ -0,0 +1,24 @@
<?php
namespace League\OAuth2\Util;
interface RequestInterface
{
public static function buildFromGlobals();
public function __construct(array $get = array(), array $post = array(), array $cookies = array(), array $files = array(), array $server = array(), $headers = array());
public function get($index = null);
public function post($index = null);
public function cookie($index = null);
public function file($index = null);
public function server($index = null);
public function header($index = null);
}

40
src/League/OAuth2/Server/Util/SecureKey.php Normal file
View File

@@ -0,0 +1,40 @@
<?php
/**
* OAuth 2.0 Secure key generator
*
* @package php-loep/oauth2-server
* @author Alex Bilbie <hello@alexbilbie.com>
* @copyright Copyright (c) 2013 PHP League of Extraordinary Packages
* @license http://mit-license.org/
* @link http://github.com/php-leop/oauth2-server
*/
namespace League\OAuth2\Util;
/**
* SecureKey class
*/
class SecureKey
{
/**
* Generate a new unique code
* @param integer $len Length of the generated code
* @return string
*/
public static function make($len = 40)
{
// We generate twice as many bytes here because we want to ensure we have
// enough after we base64 encode it to get the length we need because we
// take out the "/", "+", and "=" characters.
$bytes = openssl_random_pseudo_bytes($len * 2, $strong);
// We want to stop execution if the key fails because, well, that is bad.
if ($bytes === false || $strong === false) {
// @codeCoverageIgnoreStart
throw new \Exception('Error Generating Key');
// @codeCoverageIgnoreEnd
}
return substr(str_replace(array('/', '+', '='), '', base64_encode($bytes)), 0, $len);
}
}