Fixes to refresh grant

This commit is contained in:
Alex Bilbie 2016-01-13 00:12:10 +00:00
parent 6fb3fb5110
commit eef5cf39d4

View File

@ -114,9 +114,13 @@ class RefreshTokenGrant extends AbstractGrant
}
// Validate refresh token
try {
$oldRefreshToken = (new Parser())->parse($refreshTokenJwt);
} catch (\InvalidArgumentException $e) {
throw OAuthServerException::invalidRefreshToken('Cannot parse refresh token');
}
if ($oldRefreshToken->verify(new Sha256(), new Key($this->pathToPublicKey)) === false) {
throw OAuthServerException::invalidRefreshToken();
throw OAuthServerException::invalidRefreshToken('Cannot validate refresh token signature');
}
$validation = new ValidationData();
@ -142,7 +146,7 @@ class RefreshTokenGrant extends AbstractGrant
// The OAuth spec says that a refreshed access token can have the original scopes or fewer so ensure
// the request doesn't include any new scopes
foreach ($requestedScopes as $requestedScope) {
if (!isset($scopes[$requestedScope->getIdentifier()])) {
if (in_array($requestedScope->getIdentifier(), $scopes) === false) {
throw OAuthServerException::invalidScope($requestedScope->getIdentifier());
}
}