From eef5cf39d4605d6d6884638855a9dcdb7ec26b18 Mon Sep 17 00:00:00 2001 From: Alex Bilbie Date: Wed, 13 Jan 2016 00:12:10 +0000 Subject: [PATCH] Fixes to refresh grant --- src/Grant/RefreshTokenGrant.php | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/src/Grant/RefreshTokenGrant.php b/src/Grant/RefreshTokenGrant.php index f8e5779b..e3ba3029 100644 --- a/src/Grant/RefreshTokenGrant.php +++ b/src/Grant/RefreshTokenGrant.php @@ -114,9 +114,13 @@ class RefreshTokenGrant extends AbstractGrant } // Validate refresh token - $oldRefreshToken = (new Parser())->parse($refreshTokenJwt); + try { + $oldRefreshToken = (new Parser())->parse($refreshTokenJwt); + } catch (\InvalidArgumentException $e) { + throw OAuthServerException::invalidRefreshToken('Cannot parse refresh token'); + } if ($oldRefreshToken->verify(new Sha256(), new Key($this->pathToPublicKey)) === false) { - throw OAuthServerException::invalidRefreshToken(); + throw OAuthServerException::invalidRefreshToken('Cannot validate refresh token signature'); } $validation = new ValidationData(); @@ -142,7 +146,7 @@ class RefreshTokenGrant extends AbstractGrant // The OAuth spec says that a refreshed access token can have the original scopes or fewer so ensure // the request doesn't include any new scopes foreach ($requestedScopes as $requestedScope) { - if (!isset($scopes[$requestedScope->getIdentifier()])) { + if (in_array($requestedScope->getIdentifier(), $scopes) === false) { throw OAuthServerException::invalidScope($requestedScope->getIdentifier()); } }