Add means to set default scopes for grants
@@ -56,6 +56,11 @@ abstract class AbstractGrant implements GrantTypeInterface
|
|||||||
*/
|
*/
|
||||||
protected $scopeRepository;
|
protected $scopeRepository;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @var string
|
||||||
|
*/
|
||||||
|
protected $defaultScope = '';
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @var AuthCodeRepositoryInterface
|
* @var AuthCodeRepositoryInterface
|
||||||
*/
|
*/
|
||||||
@@ -105,6 +110,14 @@ abstract class AbstractGrant implements GrantTypeInterface
|
|||||||
$this->scopeRepository = $scopeRepository;
|
$this->scopeRepository = $scopeRepository;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $scope
|
||||||
|
*/
|
||||||
|
public function setDefaultScope($scope)
|
||||||
|
{
|
||||||
|
$this->defaultScope = $scope;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @param RefreshTokenRepositoryInterface $refreshTokenRepository
|
* @param RefreshTokenRepositoryInterface $refreshTokenRepository
|
||||||
*/
|
*/
|
||||||
@@ -211,10 +224,8 @@ abstract class AbstractGrant implements GrantTypeInterface
|
|||||||
*
|
*
|
||||||
* @return ScopeEntityInterface[]
|
* @return ScopeEntityInterface[]
|
||||||
*/
|
*/
|
||||||
public function validateScopes(
|
public function validateScopes($scopes, $redirectUri = null)
|
||||||
$scopes,
|
{
|
||||||
$redirectUri = null
|
|
||||||
) {
|
|
||||||
$scopesList = array_filter(
|
$scopesList = array_filter(
|
||||||
explode(self::SCOPE_DELIMITER_STRING, trim($scopes)),
|
explode(self::SCOPE_DELIMITER_STRING, trim($scopes)),
|
||||||
function ($scope) {
|
function ($scope) {
|
||||||
@@ -222,7 +233,8 @@ abstract class AbstractGrant implements GrantTypeInterface
|
|||||||
}
|
}
|
||||||
);
|
);
|
||||||
|
|
||||||
$scopes = [];
|
$validScopes = [];
|
||||||
|
|
||||||
foreach ($scopesList as $scopeItem) {
|
foreach ($scopesList as $scopeItem) {
|
||||||
$scope = $this->scopeRepository->getScopeEntityByIdentifier($scopeItem);
|
$scope = $this->scopeRepository->getScopeEntityByIdentifier($scopeItem);
|
||||||
|
|
||||||
@@ -230,10 +242,14 @@ abstract class AbstractGrant implements GrantTypeInterface
|
|||||||
throw OAuthServerException::invalidScope($scopeItem, $redirectUri);
|
throw OAuthServerException::invalidScope($scopeItem, $redirectUri);
|
||||||
}
|
}
|
||||||
|
|
||||||
$scopes[] = $scope;
|
$validScopes[] = $scope;
|
||||||
}
|
}
|
||||||
|
|
||||||
return $scopes;
|
if (empty($validScopes)) {
|
||||||
|
throw OAuthServerException::missingScope($redirectUri);
|
||||||
|
}
|
||||||
|
|
||||||
|
return $validScopes;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
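Review bot: validateScopes() now throws `OAuthServerException::missingScope($redirectUri)` when nothing survives the filter, so it can no longer return `[]`; RefreshTokenGrant in this same commit still tests `count($scopes) === 0` after calling it, which makes that fallback unreachable in every configuration. The definition of `missingScope` is not in the hunks shown here; it should exist on OAuthServerException and map to the RFC 6749 `invalid_scope` error code (with the redirect behaviour of `invalidScope`), since "missing scope" is not an OAuth error code of its own. The docblock that ends with `@return ScopeEntityInterface[]` should also gain `@throws OAuthServerException when a scope identifier is unknown or the resulting list is empty` so callers know the empty case is now an error. The method's signature and the loop are in the earlier hunks of this section, so the change is spread across three hunks.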
@@ -243,7 +243,7 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
|
|||||||
}
|
}
|
||||||
|
|
||||||
$scopes = $this->validateScopes(
|
$scopes = $this->validateScopes(
|
||||||
$this->getQueryStringParameter('scope', $request),
|
$this->getQueryStringParameter('scope', $request, $this->defaultScope),
|
||||||
is_array($client->getRedirectUri())
|
is_array($client->getRedirectUri())
|
||||||
? $client->getRedirectUri()[0]
|
? $client->getRedirectUri()[0]
|
||||||
: $client->getRedirectUri()
|
: $client->getRedirectUri()
|
||||||
|
@@ -29,13 +29,13 @@ class ClientCredentialsGrant extends AbstractGrant
|
|||||||
) {
|
) {
|
||||||
// Validate request
|
// Validate request
|
||||||
$client = $this->validateClient($request);
|
$client = $this->validateClient($request);
|
||||||
$scopes = $this->validateScopes($this->getRequestParameter('scope', $request));
|
$scopes = $this->validateScopes($this->getRequestParameter('scope', $request, $this->defaultScope));
|
||||||
|
|
||||||
// Finalize the requested scopes
|
// Finalize the requested scopes
|
||||||
$scopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client);
|
$finalizedScopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client);
|
||||||
|
|
||||||
// Issue and persist access token
|
// Issue and persist access token
|
||||||
$accessToken = $this->issueAccessToken($accessTokenTTL, $client, null, $scopes);
|
$accessToken = $this->issueAccessToken($accessTokenTTL, $client, null, $finalizedScopes);
|
||||||
|
|
||||||
// Inject access token into response type
|
// Inject access token into response type
|
||||||
$responseType->setAccessToken($accessToken);
|
$responseType->setAccessToken($accessToken);
|
||||||
|
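Review bot: The fallback to `$this->defaultScope` on the `validateScopes(...)` line only has an effect once setDefaultScope() has been called; with the field's initial value of `''` (set in AbstractGrant in this same commit) validateScopes() now throws missingScope, so a client_credentials request that omits `scope` is rejected even though RFC 6749 §4.4.2 makes the parameter OPTIONAL. If that is the intended policy, a comment such as `// A request that omits scope gets the grant's default scope; with no default configured it is rejected` on that line would make it explicit for integrators. Whether a present-but-empty `scope=` is treated as absent depends on getRequestParameter(), which is outside the hunk and should be confirmed. PasswordGrant has the same pattern and the same caveat. The enclosing method starts before this hunk.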
@@ -119,6 +119,13 @@ interface GrantTypeInterface extends EmitterAwareInterface
|
|||||||
*/
|
*/
|
||||||
public function setScopeRepository(ScopeRepositoryInterface $scopeRepository);
|
public function setScopeRepository(ScopeRepositoryInterface $scopeRepository);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Set the default scope.
|
||||||
|
*
|
||||||
|
* @param string $scope
|
||||||
|
*/
|
||||||
|
public function setDefaultScope($scope);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Set the path to the private key.
|
* Set the path to the private key.
|
||||||
*
|
*
|
||||||
|
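Review bot: The docblock on the new `setDefaultScope($scope)` says only "Set the default scope." and does not tell an implementer what format the string takes or when it is consulted; propose `* Set the scope identifiers applied when a request omits the scope parameter.` followed by `* Space-delimited, the same format as the scope request parameter; an empty string means no default.` Adding a method to this public interface also means any third-party GrantTypeInterface implementation that does not define it will fail to load, which the commit message should call out as a BC break.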
@@ -145,14 +145,14 @@ class ImplicitGrant extends AbstractAuthorizeGrant
|
|||||||
}
|
}
|
||||||
|
|
||||||
$scopes = $this->validateScopes(
|
$scopes = $this->validateScopes(
|
||||||
$this->getQueryStringParameter('scope', $request),
|
$this->getQueryStringParameter('scope', $request, $this->defaultScope),
|
||||||
is_array($client->getRedirectUri())
|
is_array($client->getRedirectUri())
|
||||||
? $client->getRedirectUri()[0]
|
? $client->getRedirectUri()[0]
|
||||||
: $client->getRedirectUri()
|
: $client->getRedirectUri()
|
||||||
);
|
);
|
||||||
|
|
||||||
// Finalize the requested scopes
|
// Finalize the requested scopes
|
||||||
$scopes = $this->scopeRepository->finalizeScopes(
|
$finalizedScopes = $this->scopeRepository->finalizeScopes(
|
||||||
$scopes,
|
$scopes,
|
||||||
$this->getIdentifier(),
|
$this->getIdentifier(),
|
||||||
$client
|
$client
|
||||||
@@ -165,7 +165,7 @@ class ImplicitGrant extends AbstractAuthorizeGrant
|
|||||||
$authorizationRequest->setClient($client);
|
$authorizationRequest->setClient($client);
|
||||||
$authorizationRequest->setRedirectUri($redirectUri);
|
$authorizationRequest->setRedirectUri($redirectUri);
|
||||||
$authorizationRequest->setState($stateParameter);
|
$authorizationRequest->setState($stateParameter);
|
||||||
$authorizationRequest->setScopes($scopes);
|
$authorizationRequest->setScopes($finalizedScopes);
|
||||||
|
|
||||||
return $authorizationRequest;
|
return $authorizationRequest;
|
||||||
}
|
}
|
||||||
|
@@ -49,14 +49,14 @@ class PasswordGrant extends AbstractGrant
|
|||||||
) {
|
) {
|
||||||
// Validate request
|
// Validate request
|
||||||
$client = $this->validateClient($request);
|
$client = $this->validateClient($request);
|
||||||
$scopes = $this->validateScopes($this->getRequestParameter('scope', $request));
|
$scopes = $this->validateScopes($this->getRequestParameter('scope', $request, $this->defaultScope));
|
||||||
$user = $this->validateUser($request, $client);
|
$user = $this->validateUser($request, $client);
|
||||||
|
|
||||||
// Finalize the requested scopes
|
// Finalize the requested scopes
|
||||||
$scopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client, $user->getIdentifier());
|
$finalizedScopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client, $user->getIdentifier());
|
||||||
|
|
||||||
// Issue and persist new tokens
|
// Issue and persist new tokens
|
||||||
$accessToken = $this->issueAccessToken($accessTokenTTL, $client, $user->getIdentifier(), $scopes);
|
$accessToken = $this->issueAccessToken($accessTokenTTL, $client, $user->getIdentifier(), $finalizedScopes);
|
||||||
$refreshToken = $this->issueRefreshToken($accessToken);
|
$refreshToken = $this->issueRefreshToken($accessToken);
|
||||||
|
|
||||||
// Inject tokens into response
|
// Inject tokens into response
|
||||||
|
@@ -44,11 +44,11 @@ class RefreshTokenGrant extends AbstractGrant
|
|||||||
// Validate request
|
// Validate request
|
||||||
$client = $this->validateClient($request);
|
$client = $this->validateClient($request);
|
||||||
$oldRefreshToken = $this->validateOldRefreshToken($request, $client->getIdentifier());
|
$oldRefreshToken = $this->validateOldRefreshToken($request, $client->getIdentifier());
|
||||||
$scopes = $this->validateScopes($this->getRequestParameter('scope', $request));
|
$scopes = $this->validateScopes($this->getRequestParameter('scope', $request, $this->defaultScope));
|
||||||
|
|
||||||
// If no new scopes are requested then give the access token the original session scopes
|
// If no new scopes are requested then give the access token the original session scopes
|
||||||
if (count($scopes) === 0) {
|
if (count($scopes) === 0) {
|
||||||
$scopes = array_map(function ($scopeId) use ($client) {
|
$scopes = array_map(function ($scopeId) {
|
||||||
$scope = $this->scopeRepository->getScopeEntityByIdentifier($scopeId);
|
$scope = $this->scopeRepository->getScopeEntityByIdentifier($scopeId);
|
||||||
|
|
||||||
if ($scope instanceof ScopeEntityInterface === false) {
|
if ($scope instanceof ScopeEntityInterface === false) {
|
||||||
|
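Review bot: The `count($scopes) === 0` branch that restores the original session scopes is dead after this change: validateScopes() (changed in this commit) throws missingScope on an empty list, so when `scope` is omitted the call either fails (default scope `''`) or returns the grant's default scope, and the RFC 6749 §6 rule that an omitted scope means the originally granted scope is no longer honoured. Substituting a configured default scope on refresh also risks issuing a token with scopes the original grant did not carry, unless a subset check against the old refresh token's scopes exists further down the method, which is outside the hunk and should be confirmed. I would read the raw parameter and only call validateScopes() when it is non-empty, keeping the original-scopes path for the omitted case; sketch below, with the closure body continuing as in the existing code. The enclosing respondToAccessTokenRequest starts before this hunk and ends after it.
```php
$oldRefreshToken = $this->validateOldRefreshToken($request, $client->getIdentifier());
$requestedScope = $this->getRequestParameter('scope', $request);

if ($requestedScope !== null && trim($requestedScope) !== '') {
    $scopes = $this->validateScopes($requestedScope);
} else {
    // RFC 6749 §6: an omitted scope means the scope originally granted,
    // so the grant's default scope is deliberately not applied here and
    // validateScopes() (which now rejects an empty list) is bypassed.
    $scopes = array_map(function ($scopeId) {
        // … unchanged: getScopeEntityByIdentifier() lookup and ScopeEntityInterface check …
```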