Modify grants so only auth requests use default scopes

This commit is contained in:
Sephster 2017-11-13 22:19:44 +00:00
parent ce8248c10f
commit c895885700
8 changed files with 45 additions and 68 deletions

View File

@ -33,25 +33,4 @@ abstract class AbstractAuthorizeGrant extends AbstractGrant
return $uri . http_build_query($params);
}
/**
* @param string $scope
*/
public function setDefaultScope($scope)
{
$this->defaultScope = $scope;
}
/**
* @param ScopeEntityInterface[] $requestedScopes
* @param string $redirectUri
*
* @throws OAuthServerException
*/
protected function checkScopesRequested($requestedScopes, $redirectUri = null)
{
if (empty($requestedScopes)) {
throw OAuthServerException::invalidScope($redirectUri);
}
}
}

View File

@ -81,6 +81,11 @@ abstract class AbstractGrant implements GrantTypeInterface
*/
protected $privateKey;
/**
* @string
*/
protected $defaultScope;
/**
* @param ClientRepositoryInterface $clientRepository
*/
@ -147,6 +152,14 @@ abstract class AbstractGrant implements GrantTypeInterface
$this->privateKey = $key;
}
/**
* @param string $scope
*/
public function setDefaultScope($scope)
{
$this->defaultScope = $scope;
}
/**
* Validate the client.
*
@ -213,12 +226,9 @@ abstract class AbstractGrant implements GrantTypeInterface
*/
public function validateScopes($scopes, $redirectUri = null)
{
$scopesList = array_filter(
explode(self::SCOPE_DELIMITER_STRING, trim($scopes)),
function ($scope) {
$scopesList = array_filter(explode(self::SCOPE_DELIMITER_STRING, trim($scopes)), function ($scope) {
return !empty($scope);
}
);
});
$validScopes = [];
@ -232,6 +242,10 @@ abstract class AbstractGrant implements GrantTypeInterface
$validScopes[] = $scope;
}
if (empty($validScopes)) {
throw OAuthServerException::invalidScope($redirectUri);
}
return $validScopes;
}

View File

@ -242,19 +242,13 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
}
}
$redirectUri = is_array($client->getRedirectUri()) ? $client->getRedirectUri()[0] : $client->getRedirectUri();
$scopes = $this->validateScopes(
$this->getQueryStringParameter('scope', $request, $this->defaultScope),
$redirectUri
is_array($client->getRedirectUri())
? $client->getRedirectUri()[0]
: $client->getRedirectUri()
);
try {
$this->checkScopesRequested($scopes, $redirectUri);
} catch (OAuthServerException $ex) {
throw $ex;
}
$stateParameter = $this->getQueryStringParameter('state', $request);
$authorizationRequest = new AuthorizationRequest();

View File

@ -29,7 +29,7 @@ class ClientCredentialsGrant extends AbstractGrant
) {
// Validate request
$client = $this->validateClient($request);
$scopes = $this->validateScopes($this->getRequestParameter('scope', $request));
$scopes = $this->validateScopes($this->getRequestParameter('scope', $request, $this->defaultScope));
// Finalize the requested scopes
$finalizedScopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client);

View File

@ -119,6 +119,13 @@ interface GrantTypeInterface extends EmitterAwareInterface
*/
public function setScopeRepository(ScopeRepositoryInterface $scopeRepository);
/**
* Set the default scope.
*
* @param string $scope
*/
public function setDefaultScope($scope);
/**
* Set the path to the private key.
*

View File

@ -144,19 +144,13 @@ class ImplicitGrant extends AbstractAuthorizeGrant
}
}
$redirectUri = is_array($client->getRedirectUri()) ? $client->getRedirectUri()[0] : $client->getRedirectUri();
$scopes = $this->validateScopes(
$this->getQueryStringParameter('scope', $request, $this->defaultScope),
$redirectUri
is_array($client->getRedirectUri())
? $client->getRedirectUri()[0]
: $client->getRedirectUri()
);
try {
$this->checkScopesRequested($scopes, $redirectUri);
} catch (OAuthServerException $ex) {
throw $ex;
}
// Finalize the requested scopes
$finalizedScopes = $this->scopeRepository->finalizeScopes(
$scopes,

View File

@ -49,7 +49,7 @@ class PasswordGrant extends AbstractGrant
) {
// Validate request
$client = $this->validateClient($request);
$scopes = $this->validateScopes($this->getRequestParameter('scope', $request));
$scopes = $this->validateScopes($this->getRequestParameter('scope', $request, $this->defaultScope));
$user = $this->validateUser($request, $client);
// Finalize the requested scopes

View File

@ -44,22 +44,12 @@ class RefreshTokenGrant extends AbstractGrant
// Validate request
$client = $this->validateClient($request);
$oldRefreshToken = $this->validateOldRefreshToken($request, $client->getIdentifier());
$scopes = $this->validateScopes($this->getRequestParameter('scope', $request));
$scopes = $this->validateScopes($this->getRequestParameter(
'scope',
$request,
implode(self::SCOPE_DELIMITER_STRING, $oldRefreshToken['scopes']))
);
// If no new scopes are requested then give the access token the original session scopes
if (count($scopes) === 0) {
$scopes = array_map(function ($scopeId) {
$scope = $this->scopeRepository->getScopeEntityByIdentifier($scopeId);
if ($scope instanceof ScopeEntityInterface === false) {
// @codeCoverageIgnoreStart
throw OAuthServerException::invalidScope($scopeId);
// @codeCoverageIgnoreEnd
}
return $scope;
}, $oldRefreshToken['scopes']);
} else {
// The OAuth spec says that a refreshed access token can have the original scopes or fewer so ensure
// the request doesn't include any new scopes
foreach ($scopes as $scope) {
@ -67,7 +57,6 @@ class RefreshTokenGrant extends AbstractGrant
throw OAuthServerException::invalidScope($scope->getIdentifier());
}
}
}
// Expire old tokens
$this->accessTokenRepository->revokeAccessToken($oldRefreshToken['access_token_id']);