Updated scope validation
This commit is contained in:
parent
614fbde56e
commit
6383a58755
@ -2,6 +2,8 @@
|
||||
|
||||
namespace OAuth2ServerExamples\Repositories;
|
||||
|
||||
use League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface;
|
||||
use League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface;
|
||||
use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
|
||||
use OAuth2ServerExamples\Entities\ScopeEntity;
|
||||
|
||||
@ -10,7 +12,7 @@ class ScopeRepository implements ScopeRepositoryInterface
|
||||
/**
|
||||
* {@inheritdoc}
|
||||
*/
|
||||
public function getScopeEntityByIdentifier($scopeIdentifier, $grantType, $clientId = null)
|
||||
public function getScopeEntityByIdentifier($scopeIdentifier)
|
||||
{
|
||||
$scopes = [
|
||||
'basic' => [
|
||||
@ -30,4 +32,17 @@ class ScopeRepository implements ScopeRepositoryInterface
|
||||
|
||||
return $scope;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* @inheritdoc
|
||||
*/
|
||||
public function finalizeScopes(
|
||||
array $scopes,
|
||||
$grantType,
|
||||
ClientEntityInterface $clientEntity,
|
||||
$userIdentifier = null
|
||||
) {
|
||||
return $scopes;
|
||||
}
|
||||
}
|
||||
|
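Review bot: The new `finalizeScopes` at the end of this section returns `$scopes` untouched and ignores `$grantType`, `$clientEntity` and `$userIdentifier`, yet with the `$grantType`/`$clientId` parameters dropped from `getScopeEntityByIdentifier` it is now the only hook where a client, grant type or user can be restricted to a subset of scopes. As example code that gets copied into real projects it should say so explicitly, e.g. above the `return $scopes;`: `// Example only: accepts every requested scope. A real repository must drop (or reject) scopes this client/grant/user is not entitled to here, because getScopeEntityByIdentifier() no longer sees the client.` The hard-coded `$scopes` table inside `getScopeEntityByIdentifier` continues outside the hunk, so I cannot tell whether anything there still consults the client.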
@ -3,7 +3,6 @@
|
||||
namespace OAuth2ServerExamples\Repositories;
|
||||
|
||||
use League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface;
|
||||
use League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface;
|
||||
use League\OAuth2\Server\Repositories\UserRepositoryInterface;
|
||||
use OAuth2ServerExamples\Entities\ScopeEntity;
|
||||
use OAuth2ServerExamples\Entities\UserEntity;
|
||||
@ -11,22 +10,13 @@ use OAuth2ServerExamples\Entities\UserEntity;
|
||||
class UserRepository implements UserRepositoryInterface
|
||||
{
|
||||
/**
|
||||
* Get a user entity.
|
||||
*
|
||||
* @param string $username
|
||||
* @param string $password
|
||||
* @param string $grantType The grant type used
|
||||
* @param \League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface $clientEntity
|
||||
* @param ScopeEntityInterface[] $scopes
|
||||
*
|
||||
* @return \League\OAuth2\Server\Entities\Interfaces\UserEntityInterface
|
||||
* @inheritdoc
|
||||
*/
|
||||
public function getUserEntityByUserCredentials(
|
||||
$username,
|
||||
$password,
|
||||
$grantType,
|
||||
ClientEntityInterface $clientEntity,
|
||||
array &$scopes
|
||||
ClientEntityInterface $clientEntity
|
||||
) {
|
||||
if ($username === 'alex' && $password === 'whisky') {
|
||||
$scope = new ScopeEntity();
|
||||
|
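Review bot: The docblock on `getUserEntityByUserCredentials` was collapsed to `@inheritdoc`, leaving the plaintext `$password === 'whisky'` comparison that follows without any warning, and this is the file developers copy to start their own repository. I would add directly above the `if`: `// Example only: a real implementation must look the user up and verify the password with password_verify() against a stored hash; never compare plaintext.` Note also that with `array &$scopes` gone from the signature a user repository can no longer narrow the scope set, so any per-user scope decision now belongs in `ScopeRepositoryInterface::finalizeScopes()`, which receives `$userIdentifier`; that is worth one sentence in the docblock. The method body continues past the end of the hunk.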
@ -205,11 +205,7 @@ abstract class AbstractGrant implements GrantTypeInterface
|
||||
|
||||
$scopes = [];
|
||||
foreach ($scopesList as $scopeItem) {
|
||||
$scope = $this->scopeRepository->getScopeEntityByIdentifier(
|
||||
$scopeItem,
|
||||
$this->getIdentifier(),
|
||||
$client->getIdentifier()
|
||||
);
|
||||
$scope = $this->scopeRepository->getScopeEntityByIdentifier($scopeItem);
|
||||
|
||||
if (($scope instanceof ScopeEntityInterface) === false) {
|
||||
throw OAuthServerException::invalidScope($scopeItem, $redirectUri);
|
||||
|
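Review bot: After this change `validateScopes` only establishes that each requested scope exists; `$client` is still in scope here (its identifier was passed to the lookup before) but no longer influences the result, so a reader may wrongly assume the client's entitlement was checked at this point. A comment before the loop would prevent that: `// Existence check only: per-client / per-grant restriction is applied afterwards by scopeRepository->finalizeScopes(), which every grant must call before issuing a token.` The `finalizeScopes` calls added to the other grants in this commit confirm that ordering. `validateScopes` starts and ends outside the hunk.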
@ -78,6 +78,7 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
|
||||
|
||||
$redirectUriParameter = $this->getQueryStringParameter('redirect_uri', $request, $client->getRedirectUri());
|
||||
if ($redirectUriParameter !== $client->getRedirectUri()) {
|
||||
$this->getEmitter()->emit(new RequestEvent('client.authentication.failed', $request));
|
||||
throw OAuthServerException::invalidClient();
|
||||
}
|
||||
|
||||
@ -124,8 +125,7 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
|
||||
$usernameParameter,
|
||||
$passwordParameter,
|
||||
$this->getIdentifier(),
|
||||
$client,
|
||||
$scopes
|
||||
$client
|
||||
);
|
||||
|
||||
if ($userEntity instanceof UserEntityInterface) {
|
||||
@ -134,7 +134,7 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
|
||||
$loginError = 'Incorrect username or password';
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
// The user hasn't logged in yet so show a login form
|
||||
if ($userId === null) {
|
||||
$html = $this->getTemplateRenderer()->renderLogin([
|
||||
@ -192,7 +192,7 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
|
||||
if ($userHasApprovedClient === true) {
|
||||
|
||||
// Finalize the requested scopes
|
||||
$scopes = $this->scopeRepository->finalizeScopes($scopes, $client, $userId);
|
||||
$scopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client, $userId);
|
||||
|
||||
$authCode = $this->issueAuthCode(
|
||||
$this->authCodeTTL,
|
||||
@ -281,11 +281,7 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
|
||||
|
||||
$scopes = [];
|
||||
foreach ($authCodePayload->scopes as $scopeId) {
|
||||
$scope = $this->scopeRepository->getScopeEntityByIdentifier(
|
||||
$scopeId,
|
||||
$this->getIdentifier(),
|
||||
$client->getIdentifier()
|
||||
);
|
||||
$scope = $this->scopeRepository->getScopeEntityByIdentifier($scopeId);
|
||||
|
||||
if (!$scope) {
|
||||
// @codeCoverageIgnoreStart
|
||||
|
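Review bot: In the `$userHasApprovedClient === true` branch, `finalizeScopes` runs after the user has already consented, and the interface docblock in this same commit explicitly allows implementations to "append additional scopes"; a repository that does so would bind scopes to the auth code that the user never saw on the consent screen. Either the finalized set should be computed before the approval form is rendered (that rendering is outside this hunk, so I cannot confirm where `$scopes` is displayed), or the call here should carry a warning: `// NOTE: finalizeScopes() may only narrow the user-approved set here; anything appended post-consent is issued without user authorization.` Narrowing after consent is safe, widening is not.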
@ -31,7 +31,7 @@ class ClientCredentialsGrant extends AbstractGrant
|
||||
$scopes = $this->validateScopes($this->getRequestParameter('scope', $request), $client);
|
||||
|
||||
// Finalize the requested scopes
|
||||
$scopes = $this->scopeRepository->finalizeScopes($scopes, $client);
|
||||
$scopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client);
|
||||
|
||||
// Issue and persist access token
|
||||
$accessToken = $this->issueAccessToken($accessTokenTTL, $client, $client->getIdentifier(), $scopes);
|
||||
|
@ -69,14 +69,12 @@ class ImplicitGrant extends AbstractAuthorizeGrant
|
||||
|
||||
if ($client instanceof ClientEntityInterface === false) {
|
||||
$this->getEmitter()->emit(new RequestEvent('client.authentication.failed', $request));
|
||||
|
||||
throw OAuthServerException::invalidClient();
|
||||
}
|
||||
|
||||
$redirectUriParameter = $this->getQueryStringParameter('redirect_uri', $request, $client->getRedirectUri());
|
||||
if ($redirectUriParameter !== $client->getRedirectUri()) {
|
||||
$this->getEmitter()->emit(new RequestEvent('client.authentication.failed', $request));
|
||||
|
||||
throw OAuthServerException::invalidClient();
|
||||
}
|
||||
|
||||
@ -114,7 +112,7 @@ class ImplicitGrant extends AbstractAuthorizeGrant
|
||||
// The username + password might be available in $_POST
|
||||
$usernameParameter = $this->getRequestParameter('username', $request, null);
|
||||
$passwordParameter = $this->getRequestParameter('password', $request, null);
|
||||
|
||||
|
||||
$loginError = null;
|
||||
|
||||
// Assert if the user has logged in already
|
||||
@ -190,7 +188,7 @@ class ImplicitGrant extends AbstractAuthorizeGrant
|
||||
if ($userHasApprovedClient === true) {
|
||||
|
||||
// Finalize the requested scopes
|
||||
$scopes = $this->scopeRepository->finalizeScopes($scopes, $client, $userId);
|
||||
$scopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client, $userId);
|
||||
|
||||
$accessToken = $this->issueAccessToken(
|
||||
$accessTokenTTL,
|
||||
|
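Review bot: The same post-consent ordering problem as in AuthCodeGrant applies at the `$userHasApprovedClient === true` branch here, and in the implicit flow the finalized set goes straight into `issueAccessToken`, so a scope appended by `finalizeScopes` would be live in the bearer token immediately rather than merely bound to a code. Suggest the guard comment `// finalizeScopes() must not widen the set the user approved above` on the call, or moving the finalization ahead of the approval prompt; the prompt rendering is outside this hunk. The other two hunks in this section only remove blank lines.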
@ -52,7 +52,7 @@ class PasswordGrant extends AbstractGrant
|
||||
$user = $this->validateUser($request, $client);
|
||||
|
||||
// Finalize the requested scopes
|
||||
$scopes = $this->scopeRepository->finalizeScopes($scopes, $client, $user->getIdentifier());
|
||||
$scopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client, $user->getIdentifier());
|
||||
|
||||
// Issue and persist new tokens
|
||||
$accessToken = $this->issueAccessToken($accessTokenTTL, $client, $user->getIdentifier(), $scopes);
|
||||
|
@ -47,11 +47,7 @@ class RefreshTokenGrant extends AbstractGrant
|
||||
// If no new scopes are requested then give the access token the original session scopes
|
||||
if (count($scopes) === 0) {
|
||||
$scopes = array_map(function ($scopeId) use ($client) {
|
||||
$scope = $this->scopeRepository->getScopeEntityByIdentifier(
|
||||
$scopeId,
|
||||
$this->getIdentifier(),
|
||||
$client->getIdentifier()
|
||||
);
|
||||
$scope = $this->scopeRepository->getScopeEntityByIdentifier($scopeId);
|
||||
|
||||
if (!$scope) {
|
||||
// @codeCoverageIgnoreStart
|
||||
|
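Review bot: The closure `array_map(function ($scopeId) use ($client) {` still captures `$client`, but its only use — `$client->getIdentifier()` as the third lookup argument — was removed in this hunk, so `use ($client)` is now dead and should become `function ($scopeId) {`. More importantly, the refreshed scopes are re-resolved from the stored ids by existence only; whether the result is then passed through `finalizeScopes($scopes, $this->getIdentifier(), $client, ...)` as the other grants do is outside this hunk, but if it is not, a client whose entitlements were reduced after the refresh token was issued keeps its old scopes for as long as it can refresh. The enclosing method starts and ends outside the hunk.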
@ -21,23 +21,27 @@ interface ScopeRepositoryInterface extends RepositoryInterface
|
||||
/**
|
||||
* Return information about a scope.
|
||||
*
|
||||
* @param string $identifier The scope identifier
|
||||
* @param string $grantType The grant type used in the request
|
||||
* @param string|null $clientId The client sending the request
|
||||
* @param string $identifier The scope identifier
|
||||
*
|
||||
* @return \League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface
|
||||
*/
|
||||
public function getScopeEntityByIdentifier($identifier, $grantType, $clientId = null);
|
||||
public function getScopeEntityByIdentifier($identifier);
|
||||
|
||||
/**
|
||||
* Given a client (and optional user identifier) validate the set of scopes requested are valid and optionally
|
||||
* Given a client, grant type and optional user identifier validate the set of scopes requested are valid and optionally
|
||||
* append additional scopes or remove requested scopes.
|
||||
*
|
||||
* @param ScopeEntityInterface[] $scopes
|
||||
* @param string $grantType
|
||||
* @param \League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface $clientEntity
|
||||
* @param null|string $userIdentifier
|
||||
*
|
||||
* @return \League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface[]
|
||||
*/
|
||||
public function finalizeScopes(array $scopes, ClientEntityInterface $clientEntity, $userIdentifier = null);
|
||||
public function finalizeScopes(
|
||||
array $scopes,
|
||||
$grantType,
|
||||
ClientEntityInterface $clientEntity,
|
||||
$userIdentifier = null
|
||||
);
|
||||
}
|
||||
|
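Review bot: The new `getScopeEntityByIdentifier($identifier)` docblock declares `@return ScopeEntityInterface`, but every caller updated in this commit tests the result (`instanceof ScopeEntityInterface === false` in AbstractGrant, `if (!$scope)` in AuthCodeGrant and RefreshTokenGrant) and treats a miss as `invalid_scope`, so the contract should read `@return \League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface|null` with `Return null when the identifier is unknown.` The `finalizeScopes` docblock should also state its new security role, since the client and grant type were removed from the lookup: `This is now the only hook that can restrict a client, grant type or user to a subset of the valid scopes; implementations must do that filtering here.`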