Add means to set default scopes for grants

2025-01-03 18:51:53 +05:30 · 2017-10-18 22:08:41 +01:00 · 2017-10-18 22:08:41 +01:00 · c996b66528
commit c996b66528
parent c70451abd5
7 changed files with 42 additions and 19 deletions
--- a/src/Grant/AbstractGrant.php
+++ b/src/Grant/AbstractGrant.php
@ -56,6 +56,11 @@ abstract class AbstractGrant implements GrantTypeInterface
     */
    protected $scopeRepository;

+    /**
+     * @var string
+     */
+    protected $defaultScope = '';
+
    /**
     * @var AuthCodeRepositoryInterface
     */
@ -105,6 +110,14 @@ abstract class AbstractGrant implements GrantTypeInterface
        $this->scopeRepository = $scopeRepository;
    }

+    /**
+     * @param string $scope
+     */
+    public function setDefaultScope($scope)
+    {
+        $this->defaultScope = $scope;
+    }
+
    /**
     * @param RefreshTokenRepositoryInterface $refreshTokenRepository
     */
@ -211,10 +224,8 @@ abstract class AbstractGrant implements GrantTypeInterface
     *
     * @return ScopeEntityInterface[]
     */
-    public function validateScopes(
-        $scopes,
-        $redirectUri = null
-    ) {
+    public function validateScopes($scopes, $redirectUri = null)
+    {
        $scopesList = array_filter(
            explode(self::SCOPE_DELIMITER_STRING, trim($scopes)),
            function ($scope) {
@ -222,7 +233,8 @@ abstract class AbstractGrant implements GrantTypeInterface
            }
        );

-        $scopes = [];
+        $validScopes = [];
+
        foreach ($scopesList as $scopeItem) {
            $scope = $this->scopeRepository->getScopeEntityByIdentifier($scopeItem);

@ -230,10 +242,14 @@ abstract class AbstractGrant implements GrantTypeInterface
                throw OAuthServerException::invalidScope($scopeItem, $redirectUri);
            }

-            $scopes[] = $scope;
+            $validScopes[] = $scope;
        }

-        return $scopes;
+        if (empty($validScopes)) {
+            throw OAuthServerException::missingScope($redirectUri);
+        }
+
+        return $validScopes;
    }

    /**
--- a/src/Grant/AuthCodeGrant.php
+++ b/src/Grant/AuthCodeGrant.php
@ -243,7 +243,7 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
        }

        $scopes = $this->validateScopes(
-            $this->getQueryStringParameter('scope', $request),
+            $this->getQueryStringParameter('scope', $request, $this->defaultScope),
            is_array($client->getRedirectUri())
                ? $client->getRedirectUri()[0]
                : $client->getRedirectUri()
--- a/src/Grant/ClientCredentialsGrant.php
+++ b/src/Grant/ClientCredentialsGrant.php
@ -29,13 +29,13 @@ class ClientCredentialsGrant extends AbstractGrant
    ) {
        // Validate request
        $client = $this->validateClient($request);
-        $scopes = $this->validateScopes($this->getRequestParameter('scope', $request));
+        $scopes = $this->validateScopes($this->getRequestParameter('scope', $request, $this->defaultScope));

        // Finalize the requested scopes
-        $scopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client);
+        $finalizedScopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client);

        // Issue and persist access token
-        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, null, $scopes);
+        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, null, $finalizedScopes);

        // Inject access token into response type
        $responseType->setAccessToken($accessToken);
--- a/src/Grant/GrantTypeInterface.php
+++ b/src/Grant/GrantTypeInterface.php
@ -119,6 +119,13 @@ interface GrantTypeInterface extends EmitterAwareInterface
     */
    public function setScopeRepository(ScopeRepositoryInterface $scopeRepository);

+    /**
+     * Set the default scope.
+     *
+     * @param string $scope
+     */
+    public function setDefaultScope($scope);
+
    /**
     * Set the path to the private key.
     *
--- a/src/Grant/ImplicitGrant.php
+++ b/src/Grant/ImplicitGrant.php
@ -145,14 +145,14 @@ class ImplicitGrant extends AbstractAuthorizeGrant
        }

        $scopes = $this->validateScopes(
-            $this->getQueryStringParameter('scope', $request),
+            $this->getQueryStringParameter('scope', $request, $this->defaultScope),
            is_array($client->getRedirectUri())
                ? $client->getRedirectUri()[0]
                : $client->getRedirectUri()
        );

        // Finalize the requested scopes
-        $scopes = $this->scopeRepository->finalizeScopes(
+        $finalizedScopes = $this->scopeRepository->finalizeScopes(
            $scopes,
            $this->getIdentifier(),
            $client
@ -165,7 +165,7 @@ class ImplicitGrant extends AbstractAuthorizeGrant
        $authorizationRequest->setClient($client);
        $authorizationRequest->setRedirectUri($redirectUri);
        $authorizationRequest->setState($stateParameter);
-        $authorizationRequest->setScopes($scopes);
+        $authorizationRequest->setScopes($finalizedScopes);

        return $authorizationRequest;
    }
--- a/src/Grant/PasswordGrant.php
+++ b/src/Grant/PasswordGrant.php
@ -49,14 +49,14 @@ class PasswordGrant extends AbstractGrant
    ) {
        // Validate request
        $client = $this->validateClient($request);
-        $scopes = $this->validateScopes($this->getRequestParameter('scope', $request));
+        $scopes = $this->validateScopes($this->getRequestParameter('scope', $request, $this->defaultScope));
        $user = $this->validateUser($request, $client);

        // Finalize the requested scopes
-        $scopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client, $user->getIdentifier());
+        $finalizedScopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client, $user->getIdentifier());

        // Issue and persist new tokens
-        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $user->getIdentifier(), $scopes);
+        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $user->getIdentifier(), $finalizedScopes);
        $refreshToken = $this->issueRefreshToken($accessToken);

        // Inject tokens into response
--- a/src/Grant/RefreshTokenGrant.php
+++ b/src/Grant/RefreshTokenGrant.php
@ -44,11 +44,11 @@ class RefreshTokenGrant extends AbstractGrant
        // Validate request
        $client = $this->validateClient($request);
        $oldRefreshToken = $this->validateOldRefreshToken($request, $client->getIdentifier());
-        $scopes = $this->validateScopes($this->getRequestParameter('scope', $request));
+        $scopes = $this->validateScopes($this->getRequestParameter('scope', $request, $this->defaultScope));

        // If no new scopes are requested then give the access token the original session scopes
        if (count($scopes) === 0) {
-            $scopes = array_map(function ($scopeId) use ($client) {
+            $scopes = array_map(function ($scopeId) {
                $scope = $this->scopeRepository->getScopeEntityByIdentifier($scopeId);

                if ($scope instanceof ScopeEntityInterface === false) {