Updated scope validation
@@ -2,6 +2,8 @@
|
|||||||
|
|
||||||
namespace OAuth2ServerExamples\Repositories;
|
namespace OAuth2ServerExamples\Repositories;
|
||||||
|
|
||||||
|
use League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface;
|
||||||
|
use League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface;
|
||||||
use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
|
use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
|
||||||
use OAuth2ServerExamples\Entities\ScopeEntity;
|
use OAuth2ServerExamples\Entities\ScopeEntity;
|
||||||
|
|
||||||
@@ -10,7 +12,7 @@ class ScopeRepository implements ScopeRepositoryInterface
|
|||||||
/**
|
/**
|
||||||
* {@inheritdoc}
|
* {@inheritdoc}
|
||||||
*/
|
*/
|
||||||
public function getScopeEntityByIdentifier($scopeIdentifier, $grantType, $clientId = null)
|
public function getScopeEntityByIdentifier($scopeIdentifier)
|
||||||
{
|
{
|
||||||
$scopes = [
|
$scopes = [
|
||||||
'basic' => [
|
'basic' => [
|
||||||
@@ -30,4 +32,17 @@ class ScopeRepository implements ScopeRepositoryInterface
|
|||||||
|
|
||||||
return $scope;
|
return $scope;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @inheritdoc
|
||||||
|
*/
|
||||||
|
public function finalizeScopes(
|
||||||
|
array $scopes,
|
||||||
|
$grantType,
|
||||||
|
ClientEntityInterface $clientEntity,
|
||||||
|
$userIdentifier = null
|
||||||
|
) {
|
||||||
|
return $scopes;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
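Review bot: The new `finalizeScopes` in the example repository returns `$scopes` untouched and its docblock is only `@inheritdoc`, so a reader copying the example gets no hint that this method is now where the per-client and per-grant scope restriction belongs, since `getScopeEntityByIdentifier` (hunk @@ -10,7 +12,7 @@ in the same file) no longer receives the grant type or client. Replace the docblock body with a sentence such as `Example only: returns the requested scopes unchanged. A real implementation should drop scopes that $clientEntity or $grantType is not permitted to obtain.` The sibling method above uses `{@inheritdoc}` in braces while the new one uses bare `@inheritdoc`; pick one form for the file.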
|
@@ -3,7 +3,6 @@
|
|||||||
namespace OAuth2ServerExamples\Repositories;
|
namespace OAuth2ServerExamples\Repositories;
|
||||||
|
|
||||||
use League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface;
|
use League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface;
|
||||||
use League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface;
|
|
||||||
use League\OAuth2\Server\Repositories\UserRepositoryInterface;
|
use League\OAuth2\Server\Repositories\UserRepositoryInterface;
|
||||||
use OAuth2ServerExamples\Entities\ScopeEntity;
|
use OAuth2ServerExamples\Entities\ScopeEntity;
|
||||||
use OAuth2ServerExamples\Entities\UserEntity;
|
use OAuth2ServerExamples\Entities\UserEntity;
|
||||||
@@ -11,22 +10,13 @@ use OAuth2ServerExamples\Entities\UserEntity;
|
|||||||
class UserRepository implements UserRepositoryInterface
|
class UserRepository implements UserRepositoryInterface
|
||||||
{
|
{
|
||||||
/**
|
/**
|
||||||
* Get a user entity.
|
* @inheritdoc
|
||||||
*
|
|
||||||
* @param string $username
|
|
||||||
* @param string $password
|
|
||||||
* @param string $grantType The grant type used
|
|
||||||
* @param \League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface $clientEntity
|
|
||||||
* @param ScopeEntityInterface[] $scopes
|
|
||||||
*
|
|
||||||
* @return \League\OAuth2\Server\Entities\Interfaces\UserEntityInterface
|
|
||||||
*/
|
*/
|
||||||
public function getUserEntityByUserCredentials(
|
public function getUserEntityByUserCredentials(
|
||||||
$username,
|
$username,
|
||||||
$password,
|
$password,
|
||||||
$grantType,
|
$grantType,
|
||||||
ClientEntityInterface $clientEntity,
|
ClientEntityInterface $clientEntity
|
||||||
array &$scopes
|
|
||||||
) {
|
) {
|
||||||
if ($username === 'alex' && $password === 'whisky') {
|
if ($username === 'alex' && $password === 'whisky') {
|
||||||
$scope = new ScopeEntity();
|
$scope = new ScopeEntity();
|
||||||
|
@@ -205,11 +205,7 @@ abstract class AbstractGrant implements GrantTypeInterface
|
|||||||
|
|
||||||
$scopes = [];
|
$scopes = [];
|
||||||
foreach ($scopesList as $scopeItem) {
|
foreach ($scopesList as $scopeItem) {
|
||||||
$scope = $this->scopeRepository->getScopeEntityByIdentifier(
|
$scope = $this->scopeRepository->getScopeEntityByIdentifier($scopeItem);
|
||||||
$scopeItem,
|
|
||||||
$this->getIdentifier(),
|
|
||||||
$client->getIdentifier()
|
|
||||||
);
|
|
||||||
|
|
||||||
if (($scope instanceof ScopeEntityInterface) === false) {
|
if (($scope instanceof ScopeEntityInterface) === false) {
|
||||||
throw OAuthServerException::invalidScope($scopeItem, $redirectUri);
|
throw OAuthServerException::invalidScope($scopeItem, $redirectUri);
|
||||||
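Review bot: After this change `validateScopes` can only reject scopes that do not exist at all; the grant identifier and client identifier it used to pass to `getScopeEntityByIdentifier` are gone, so whether a given client may obtain a scope now depends entirely on each grant calling `finalizeScopes` afterwards (the hunks at @@ -192,7 @@, @@ -31,7 @@, @@ -190,7 @@ and @@ -52,7 @@ do so). That split of responsibilities is not written down anywhere in the code, and a repository whose `finalizeScopes` returns its input unchanged, like the bundled example, will issue any scope that merely exists. A comment above the loop, `// Only checks that each scope exists; client/grant restrictions are applied later by finalizeScopes()`, would keep a future grant from skipping the second step. The enclosing method starts before this hunk and its remaining body lies outside it.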
|
@@ -78,6 +78,7 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
|
|||||||
|
|
||||||
$redirectUriParameter = $this->getQueryStringParameter('redirect_uri', $request, $client->getRedirectUri());
|
$redirectUriParameter = $this->getQueryStringParameter('redirect_uri', $request, $client->getRedirectUri());
|
||||||
if ($redirectUriParameter !== $client->getRedirectUri()) {
|
if ($redirectUriParameter !== $client->getRedirectUri()) {
|
||||||
|
$this->getEmitter()->emit(new RequestEvent('client.authentication.failed', $request));
|
||||||
throw OAuthServerException::invalidClient();
|
throw OAuthServerException::invalidClient();
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -124,8 +125,7 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
|
|||||||
$usernameParameter,
|
$usernameParameter,
|
||||||
$passwordParameter,
|
$passwordParameter,
|
||||||
$this->getIdentifier(),
|
$this->getIdentifier(),
|
||||||
$client,
|
$client
|
||||||
$scopes
|
|
||||||
);
|
);
|
||||||
|
|
||||||
if ($userEntity instanceof UserEntityInterface) {
|
if ($userEntity instanceof UserEntityInterface) {
|
||||||
@@ -134,7 +134,7 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
|
|||||||
$loginError = 'Incorrect username or password';
|
$loginError = 'Incorrect username or password';
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// The user hasn't logged in yet so show a login form
|
// The user hasn't logged in yet so show a login form
|
||||||
if ($userId === null) {
|
if ($userId === null) {
|
||||||
$html = $this->getTemplateRenderer()->renderLogin([
|
$html = $this->getTemplateRenderer()->renderLogin([
|
||||||
@@ -192,7 +192,7 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
|
|||||||
if ($userHasApprovedClient === true) {
|
if ($userHasApprovedClient === true) {
|
||||||
|
|
||||||
// Finalize the requested scopes
|
// Finalize the requested scopes
|
||||||
$scopes = $this->scopeRepository->finalizeScopes($scopes, $client, $userId);
|
$scopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client, $userId);
|
||||||
|
|
||||||
$authCode = $this->issueAuthCode(
|
$authCode = $this->issueAuthCode(
|
||||||
$this->authCodeTTL,
|
$this->authCodeTTL,
|
||||||
@@ -281,11 +281,7 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
|
|||||||
|
|
||||||
$scopes = [];
|
$scopes = [];
|
||||||
foreach ($authCodePayload->scopes as $scopeId) {
|
foreach ($authCodePayload->scopes as $scopeId) {
|
||||||
$scope = $this->scopeRepository->getScopeEntityByIdentifier(
|
$scope = $this->scopeRepository->getScopeEntityByIdentifier($scopeId);
|
||||||
$scopeId,
|
|
||||||
$this->getIdentifier(),
|
|
||||||
$client->getIdentifier()
|
|
||||||
);
|
|
||||||
|
|
||||||
if (!$scope) {
|
if (!$scope) {
|
||||||
// @codeCoverageIgnoreStart
|
// @codeCoverageIgnoreStart
|
||||||
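Review bot: The restored scope is tested with `if (!$scope)` here, whereas `validateScopes` in AbstractGrant (hunk @@ -205,11 @@) tests `($scope instanceof ScopeEntityInterface) === false`; RefreshTokenGrant (hunk @@ -47,11 @@) uses the same loose form as this hunk. With the repository contract documented as returning a `ScopeEntityInterface`, the truthiness check accepts any non-empty value, so aligning both reload paths on `if (($scope instanceof ScopeEntityInterface) === false) {` (adding the `use` import if the class lacks it) would make the three places that turn stored identifiers back into entities behave the same. The `foreach` body continues past the end of the hunk.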
|
@@ -31,7 +31,7 @@ class ClientCredentialsGrant extends AbstractGrant
|
|||||||
$scopes = $this->validateScopes($this->getRequestParameter('scope', $request), $client);
|
$scopes = $this->validateScopes($this->getRequestParameter('scope', $request), $client);
|
||||||
|
|
||||||
// Finalize the requested scopes
|
// Finalize the requested scopes
|
||||||
$scopes = $this->scopeRepository->finalizeScopes($scopes, $client);
|
$scopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client);
|
||||||
|
|
||||||
// Issue and persist access token
|
// Issue and persist access token
|
||||||
$accessToken = $this->issueAccessToken($accessTokenTTL, $client, $client->getIdentifier(), $scopes);
|
$accessToken = $this->issueAccessToken($accessTokenTTL, $client, $client->getIdentifier(), $scopes);
|
||||||
|
@@ -69,14 +69,12 @@ class ImplicitGrant extends AbstractAuthorizeGrant
|
|||||||
|
|
||||||
if ($client instanceof ClientEntityInterface === false) {
|
if ($client instanceof ClientEntityInterface === false) {
|
||||||
$this->getEmitter()->emit(new RequestEvent('client.authentication.failed', $request));
|
$this->getEmitter()->emit(new RequestEvent('client.authentication.failed', $request));
|
||||||
|
|
||||||
throw OAuthServerException::invalidClient();
|
throw OAuthServerException::invalidClient();
|
||||||
}
|
}
|
||||||
|
|
||||||
$redirectUriParameter = $this->getQueryStringParameter('redirect_uri', $request, $client->getRedirectUri());
|
$redirectUriParameter = $this->getQueryStringParameter('redirect_uri', $request, $client->getRedirectUri());
|
||||||
if ($redirectUriParameter !== $client->getRedirectUri()) {
|
if ($redirectUriParameter !== $client->getRedirectUri()) {
|
||||||
$this->getEmitter()->emit(new RequestEvent('client.authentication.failed', $request));
|
$this->getEmitter()->emit(new RequestEvent('client.authentication.failed', $request));
|
||||||
|
|
||||||
throw OAuthServerException::invalidClient();
|
throw OAuthServerException::invalidClient();
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -114,7 +112,7 @@ class ImplicitGrant extends AbstractAuthorizeGrant
|
|||||||
// The username + password might be available in $_POST
|
// The username + password might be available in $_POST
|
||||||
$usernameParameter = $this->getRequestParameter('username', $request, null);
|
$usernameParameter = $this->getRequestParameter('username', $request, null);
|
||||||
$passwordParameter = $this->getRequestParameter('password', $request, null);
|
$passwordParameter = $this->getRequestParameter('password', $request, null);
|
||||||
|
|
||||||
$loginError = null;
|
$loginError = null;
|
||||||
|
|
||||||
// Assert if the user has logged in already
|
// Assert if the user has logged in already
|
||||||
@@ -190,7 +188,7 @@ class ImplicitGrant extends AbstractAuthorizeGrant
|
|||||||
if ($userHasApprovedClient === true) {
|
if ($userHasApprovedClient === true) {
|
||||||
|
|
||||||
// Finalize the requested scopes
|
// Finalize the requested scopes
|
||||||
$scopes = $this->scopeRepository->finalizeScopes($scopes, $client, $userId);
|
$scopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client, $userId);
|
||||||
|
|
||||||
$accessToken = $this->issueAccessToken(
|
$accessToken = $this->issueAccessToken(
|
||||||
$accessTokenTTL,
|
$accessTokenTTL,
|
||||||
|
@@ -52,7 +52,7 @@ class PasswordGrant extends AbstractGrant
|
|||||||
$user = $this->validateUser($request, $client);
|
$user = $this->validateUser($request, $client);
|
||||||
|
|
||||||
// Finalize the requested scopes
|
// Finalize the requested scopes
|
||||||
$scopes = $this->scopeRepository->finalizeScopes($scopes, $client, $user->getIdentifier());
|
$scopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client, $user->getIdentifier());
|
||||||
|
|
||||||
// Issue and persist new tokens
|
// Issue and persist new tokens
|
||||||
$accessToken = $this->issueAccessToken($accessTokenTTL, $client, $user->getIdentifier(), $scopes);
|
$accessToken = $this->issueAccessToken($accessTokenTTL, $client, $user->getIdentifier(), $scopes);
|
||||||
|
@@ -47,11 +47,7 @@ class RefreshTokenGrant extends AbstractGrant
|
|||||||
// If no new scopes are requested then give the access token the original session scopes
|
// If no new scopes are requested then give the access token the original session scopes
|
||||||
if (count($scopes) === 0) {
|
if (count($scopes) === 0) {
|
||||||
$scopes = array_map(function ($scopeId) use ($client) {
|
$scopes = array_map(function ($scopeId) use ($client) {
|
||||||
$scope = $this->scopeRepository->getScopeEntityByIdentifier(
|
$scope = $this->scopeRepository->getScopeEntityByIdentifier($scopeId);
|
||||||
$scopeId,
|
|
||||||
$this->getIdentifier(),
|
|
||||||
$client->getIdentifier()
|
|
||||||
);
|
|
||||||
|
|
||||||
if (!$scope) {
|
if (!$scope) {
|
||||||
// @codeCoverageIgnoreStart
|
// @codeCoverageIgnoreStart
|
||||||
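Review bot: Scopes carried in the refresh token are re-materialised with `getScopeEntityByIdentifier($scopeId)` alone, and nothing in this hunk passes the result through `finalizeScopes`, which after this commit is the only call that sees the client and grant type and can therefore restrict scopes. If the remainder of the method (outside the hunk) does not call it either, a scope removed from a client's permitted set after the original issuance keeps being renewed on every refresh; consider passing the restored array through `finalizeScopes($scopes, $this->getIdentifier(), $client, <user identifier from the refresh token>)` before the new access token is issued. If re-applying policy on refresh is intentionally not done, a comment saying so next to the `array_map` would stop the question being asked again. The closure and the enclosing method both continue outside the hunk.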
|
@@ -21,23 +21,27 @@ interface ScopeRepositoryInterface extends RepositoryInterface
|
|||||||
/**
|
/**
|
||||||
* Return information about a scope.
|
* Return information about a scope.
|
||||||
*
|
*
|
||||||
* @param string $identifier The scope identifier
|
* @param string $identifier The scope identifier
|
||||||
* @param string $grantType The grant type used in the request
|
|
||||||
* @param string|null $clientId The client sending the request
|
|
||||||
*
|
*
|
||||||
* @return \League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface
|
* @return \League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface
|
||||||
*/
|
*/
|
||||||
public function getScopeEntityByIdentifier($identifier, $grantType, $clientId = null);
|
public function getScopeEntityByIdentifier($identifier);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Given a client (and optional user identifier) validate the set of scopes requested are valid and optionally
|
* Given a client, grant type and optional user identifier validate the set of scopes requested are valid and optionally
|
||||||
* append additional scopes or remove requested scopes.
|
* append additional scopes or remove requested scopes.
|
||||||
*
|
*
|
||||||
* @param ScopeEntityInterface[] $scopes
|
* @param ScopeEntityInterface[] $scopes
|
||||||
|
* @param string $grantType
|
||||||
* @param \League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface $clientEntity
|
* @param \League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface $clientEntity
|
||||||
* @param null|string $userIdentifier
|
* @param null|string $userIdentifier
|
||||||
*
|
*
|
||||||
* @return \League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface[]
|
* @return \League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface[]
|
||||||
*/
|
*/
|
||||||
public function finalizeScopes(array $scopes, ClientEntityInterface $clientEntity, $userIdentifier = null);
|
public function finalizeScopes(
|
||||||
|
array $scopes,
|
||||||
|
$grantType,
|
||||||
|
ClientEntityInterface $clientEntity,
|
||||||
|
$userIdentifier = null
|
||||||
|
);
|
||||||
}
|
}
|
||||||
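Review bot: The `@return` of `getScopeEntityByIdentifier` still promises a `ScopeEntityInterface`, yet every caller touched by this commit treats a falsy or non-entity result as "scope not found" (`if (!$scope)` in AuthCodeGrant and RefreshTokenGrant, the `instanceof` test in AbstractGrant); document that contract as `@return \League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface|null` (or `|false`, whichever implementations are expected to return). The new `@param string $grantType` on `finalizeScopes` lost the description the removed parameter carried; restore it as `@param string $grantType The grant type used in the request`. It would also help implementers if the `finalizeScopes` description stated that this is now the only repository call receiving the client and grant type, so any per-client scope restriction must be applied here rather than in `getScopeEntityByIdentifier`.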
|