Guwan
/
ldap-matter
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Initial Commit - First version

This commit is contained in:
Crivaledaz 2017-08-07 21:01:11 +02:00
parent 5c9c9fc144
commit e7058c90d7
52 changed files with 5246 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
LICENSE Normal file
View File

@ -0,0 +1,21 @@
The MIT License
Copyright (c) 2017 Denis CLAVIER
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.

142
README.md Normal file
View File

@ -0,0 +1,142 @@
Mattermost-LDAP Module
======================
This module provides an external LDAP authentication in Mattermost for the Team Edition (free).
## Overview
Currently, LDAP authentication in Mattermost is not featured in the Team Edition (only in the Enterprise Edition). Thus, the only way to get LDAP authentication in Mattermost is to install Gitlab and use its Single Sign On (SSO) feature. Gitlab allows LDAP authentication and transmits user data to Mattermost. So, anyone who wishes to use LDAP with Mattermost must run Gitlab, even if he does not use it, for the SSO feature.
However, although Gitlab is a nice software, it is resources-consuming and a bit complicated to manage if you just want the SSO feature. That's the reason why, this module provides an oauth server to only reproduce the Gitlab SSO feature and allows a simple and secure LDAP authentication to Mattermost.
The Mattermost-LDAP project uses the Gitlab authentication feature from Mattermost and substitute Gitlab to LDAP interaction. The main advantage of this module is to provide a light and easy to use LDAP connector for Mattermost not to need Gitlab.
## Module Description
This module provides an Oauth2 server designed for php, a LDAP connector for PHP and some files for automatic configuration. Once installed and configured with Mattermost, the module allows LDAP authentication by replacing Gitlab SSO. This module allows many configuration settings to try to comply with your settings and configuration. Mattermost-LDAP can be used with MySQL or PostgreSQL database on many operating systems. See Limitation section for more information.
## Setup
### Requirements
This module requires the following :
* PHP (minimum 5.3.9)
* php-ldap
* php-pdo
* php-pgsql or php-mysql
* httpd
* postgresql or mariadb (mysql)
* postgresql-server or maridb-server
* git
Obviously, you must have a Mattermost Server installed and be administrator on it, and a LDAP server configured.
### Pre-install
* For Centos 7, RHEL 7 and Fedora :
Install required packages :
```#For PostgreSQL
sudo yum -y --nogpgcheck install httpd php postgresql-server postgresql php-ldap php-pdo php-psql git
#For MySQL
sudo yum -y --nogpgcheck install httpd php mariadb-server mariadb php-ldap php-pdo php-mysql git```
Start and enable service for Apache and Database :
```#For PostgreSQL
sudo systemctl start httpd
sudo systemctl start postgresql
sudo systemctl enable httpd
sudo systemctl enable postgresql
#For MySQL
sudo systemctl start httpd
sudo systemctl start mariadb
sudo systemctl enable httpd
sudo systemctl enable mariadb```
Your system is ready to install and run Mattermost-LDAP module.
## Install
Clone (or download and extract) this repository in your /var/www/html (or your httpd root directory) :
```git clone https://github.com/crivaledaz/Mattermost-LDAP.git```
You need to create a database for the oauth server. For this purpose, you can use the script "init_postgres.sh" or "init_mysql.sh". These scripts try to configure your database automatically, by creating a new user and a new database associated for the oauth server. Scripts also create all tables necessary for the module. If script failed, please report here, and try to configure manually your database by adapting command in scripts. Before running the script you can change the default settings by editing the .sh file and modifying configuration variables at the beginning of the file.
This script will automatically create and add a new client in the oauth server, returning a client id and a client secret. You need to keep these two token to configure Mattermost. Please be sure the client secret remained secret. The redirect url in the script must comply with the hostname of your Mattermost server, else Mattermost could not get data from the Oauth server.
### configuration
* Mattermost :
Active Gitlab authentication in system console > Gitlab (or config.json on server) and fill application id and secret with the two token got during install section. For the next fields use this :
```User API Endpoint : http://HOSTNAME/oauth/resource.php
Auth Endpoint: http://HOSTNAME/oauth/authorize.php
Token Endpoint: http://HOSTNAME/oauth/token.php
```
Change HOSTNAME by hostname or ip of the server where you have installed Mattermost-LDAP module.
* Database credential
Edit oauth/server.php and adapt, with your settings, variables for database connection :
```$dsn = 'pgsql:dbname=oauth_db;host=localhost;port=5432';
$username = 'oauth';
$password = 'oauth_secure-pass';
```
* LDAP config
Edit oauth/LDAP/ldap_config.php to provide your ldap address and port.
Edit oauth/resource.php to change the base directory name ($base) and the filter ($filter) to comply with your LDAP configuration.
Edit oauth/connexion.php to change the relative directory name ($rdn) to comply with your LDAP configuration.
To try your configuration you can use the LDAP library for PHP or ldapsearch command in a shell.
Configure LDAP is certainly the most difficult step.
## Usage
If you have succeeded previous step you only have to go to the login page of your Mattermost server and click on the Gitlab Button. You will be redirected to a form asking for your LDAP credentials. If your credentials are valid, you will be asked to authorize Oauth to give your information to Mattermost. After authorizing you should be redirected on Mattermost connected with your account.
Keep in mind this will create a new account on your Mattermost server with information from LDAP. The process will fail if an existing user already use your LDAP email. To bind a user to the LDAP authentication, sign in mattermost with this user account, go in account settings > security > sign-in method and "switch to using Gitlab SSO".
## Limitation
This module has been tested on Centos 7, Fedora and Ubuntu with PostgreSQL.
Others operating systems has not been tested yet but should work fine.
MySQL has not really been tested so it is possible there is some bugs with.
## To do list
-> Gathering LDAP config
-> Add CSS to make a beautiful interface for Oauth server
-> Create an associated Puppet module
-> Change Gitlab button
-> Security audit
## Thanks
I wish to thank my company and my colleagues for their help and support. Also, I thank Brent Shaffer for his Oauth-server-php project and its documentation.
## Known issues
* LDAP authentication failed
Try to restart httpd service. If this persists verify your LDAP configuration or your credentials.
* PHP date timezone error
Edit php.ini to set up date.timezone option and restart httpd service.
* Token request failes
Try to add a new rule in your firewall (or use iptables -F on both Mattermost server and Oauth server)
* .htaccess does not work
Add following lines to your php.ini and restart httpd service.
```<Directory "/var/www/html/oauth">
AllowOverride All
</Directory>
```

80
init_mysql.sh Executable file
View File

@ -0,0 +1,80 @@
#!/bin/bash
#This script need right to become mysql user (so root) and to read/write in httpd directory
#######################################--CONFIGURATION--###########################################
#Client configuration
client_id=`openssl rand -hex 32`
client_secret=`openssl rand -hex 32`
redirect_uri="http://hostname.com:8065/signup/gitlab/complete"
grant_types="authorization_code"
scope="api"
user_id=""
#Database configuration
oauth_user="oauth"
oauth_db_name="oauth_db"
oauth_pass="oauth_secure-pass"
ip="127.0.0.1"
port="3306"
mysql_pass=""
#######################################--Fonctions--###############################################
ok() { echo -e '\e[32m'$1'\e[m'; }
error() { echo -e '\e[31m'$1'\e[m'; }
info() { echo -e '\e[34m'$1'\e[m'; }
warn() { echo -e '\e[33m'$1'\e[m'; }
#######################################--SQL STATEMENT--###########################################
#Tables creation
create_table_oauth_client="CREATE TABLE oauth_clients (client_id VARCHAR(80) NOT NULL, client_secret VARCHAR(80), redirect_uri VARCHAR(2000) NOT NULL, grant_types VARCHAR(80), scope VARCHAR(100), user_id VARCHAR(80), CONSTRAINT clients_client_id_pk PRIMARY KEY (client_id));"
create_table_oauth_access_tokens="CREATE TABLE oauth_access_tokens (access_token VARCHAR(40) NOT NULL, client_id VARCHAR(80) NOT NULL, user_id VARCHAR(255), expires TIMESTAMP NOT NULL, scope VARCHAR(2000), CONSTRAINT access_token_pk PRIMARY KEY (access_token));"
create_table_oauth_authorization_codes="CREATE TABLE oauth_authorization_codes (authorization_code VARCHAR(40) NOT NULL, client_id VARCHAR(80) NOT NULL, user_id VARCHAR(255), redirect_uri VARCHAR(2000), expires TIMESTAMP NOT NULL, scope VARCHAR(2000), CONSTRAINT auth_code_pk PRIMARY KEY (authorization_code));"
create_table_oauth_refresh_tokens="CREATE TABLE oauth_refresh_tokens (refresh_token VARCHAR(40) NOT NULL, client_id VARCHAR(80) NOT NULL, user_id VARCHAR(255), expires TIMESTAMP NOT NULL, scope VARCHAR(2000), CONSTRAINT refresh_token_pk PRIMARY KEY (refresh_token));"
create_table_users="CREATE TABLE users (id SERIAL NOT NULL, username VARCHAR(255) NOT NULL, CONSTRAINT id_pk PRIMARY KEY (id));"
create_table_oauth_scopes="CREATE TABLE oauth_scopes (scope TEXT, is_default BOOLEAN);"
#Client creation
create_client="INSERT INTO oauth_clients (client_id,client_secret,redirect_uri,grant_types,scope,user_id) VALUES ('$client_id','$client_secret','$redirect_uri','$grant_types','$scope','$user_id');"
###################################################################################################
#Welcome Message
info "This script will create a new Oauth role and an associated database for Mattermost-LDAP\nTo edit configuration please edit this script before running !\n"
warn "SuperUser right must be ask to create the new role and database in mysql\n"
info "Press ctrl+c to stop the script"
sleep 5
#Creating Oauth role and associated database (need admin account on mysql)
info "Creation of role $oauth_user and database $oauth_db ... (need to be root)"
sudo mysql -u root --password=$mysql_pass --execute "CREATE DATABASE $oauth_db_name;"
sudo mysql -u root --password=$mysql_pass --execute "CREATE USER $oauth_user@'%' IDENTIFIED BY '$oauth_pass';"
sudo mysql -u root --password=$mysql_pass --execute "GRANT ALL PRIVILEGES ON $oauth_db_name.* TO $oauth_user@'%';"
#Creating tables for ouath database (use oauth role)
info "Creation of tables for database $oauth_db (using $oauth_user)"
mysql -u $oauth_user --password=$oauth_pass $oauth_db_name --execute "$create_table_oauth_client"
mysql -u $oauth_user --password=$oauth_pass $oauth_db_name --execute "$create_table_oauth_access_tokens"
mysql -u $oauth_user --password=$oauth_pass $oauth_db_name --execute "$create_table_oauth_authorization_codes"
mysql -u $oauth_user --password=$oauth_pass $oauth_db_name --execute "$create_table_oauth_refresh_tokens"
mysql -u $oauth_user --password=$oauth_pass $oauth_db_name --execute "$create_table_users"
mysql -u $oauth_user --password=$oauth_pass $oauth_db_name --execute "$create_table_oauth_scopes"
#Insert new client in the database
info "Insert new client in the database"
mysql -u $oauth_user --password=$oauth_pass $oauth_db_name --execute "$create_client"
#Verification
mysql -u $oauth_user --password=$oauth_pass $oauth_db_name --execute "SELECT * from oauth_clients WHERE client_id='$client_id';" | grep '(1'
if [ $? ]
then ok "Client has been created ! Oauth Database is configured.\n"
info "Client ID : $client_id"
warn "Client Secret : $client_secret\n"
info "Keep id and secret, you will need them to configure Mattermost"
warn "Beware Client Secret IS PRIVATE and MUST BE KEPT SECRET"
else error "Client has not been created ! Check log below"
fi

79
init_postgres.sh Executable file
View File

@ -0,0 +1,79 @@
#!/bin/bash
#This script need right to become postgres user (so root) and to read/write in httpd directory
#######################################--CONFIGURATION--###########################################
#Client configuration
client_id=`openssl rand -hex 32`
client_secret=`openssl rand -hex 32`
redirect_uri="http://hostname.com:8065/signup/gitlab/complete"
grant_types="authorization_code"
scope="api"
user_id=""
#Database configuration
oauth_user="oauth"
oauth_db_name="oauth_db"
oauth_pass="oauth_secure-pass"
ip="127.0.0.1"
port="5432"
#######################################--Fonctions--###############################################
ok() { echo -e '\e[32m'$1'\e[m'; }
error() { echo -e '\e[31m'$1'\e[m'; }
info() { echo -e '\e[34m'$1'\e[m'; }
warn() { echo -e '\e[33m'$1'\e[m'; }
#######################################--SQL STATEMENT--###########################################
#Tables creation
create_table_oauth_client="CREATE TABLE oauth_clients (client_id VARCHAR(80) NOT NULL, client_secret VARCHAR(80), redirect_uri VARCHAR(2000) NOT NULL, grant_types VARCHAR(80), scope VARCHAR(100), user_id VARCHAR(80), CONSTRAINT clients_client_id_pk PRIMARY KEY (client_id));"
create_table_oauth_access_tokens="CREATE TABLE oauth_access_tokens (access_token VARCHAR(40) NOT NULL, client_id VARCHAR(80) NOT NULL, user_id VARCHAR(255), expires TIMESTAMP NOT NULL, scope VARCHAR(2000), CONSTRAINT access_token_pk PRIMARY KEY (access_token));"
create_table_oauth_authorization_codes="CREATE TABLE oauth_authorization_codes (authorization_code VARCHAR(40) NOT NULL, client_id VARCHAR(80) NOT NULL, user_id VARCHAR(255), redirect_uri VARCHAR(2000), expires TIMESTAMP NOT NULL, scope VARCHAR(2000), CONSTRAINT auth_code_pk PRIMARY KEY (authorization_code));"
create_table_oauth_refresh_tokens="CREATE TABLE oauth_refresh_tokens (refresh_token VARCHAR(40) NOT NULL, client_id VARCHAR(80) NOT NULL, user_id VARCHAR(255), expires TIMESTAMP NOT NULL, scope VARCHAR(2000), CONSTRAINT refresh_token_pk PRIMARY KEY (refresh_token));"
create_table_users="CREATE TABLE users (id SERIAL NOT NULL, username VARCHAR(255) NOT NULL, CONSTRAINT id_pk PRIMARY KEY (id));"
create_table_oauth_scopes="CREATE TABLE oauth_scopes (scope TEXT, is_default BOOLEAN);"
#Client creation
create_client="INSERT INTO oauth_clients (client_id,client_secret,redirect_uri,grant_types,scope,user_id) VALUES ('$client_id','$client_secret','$redirect_uri','$grant_types','$scope','$user_id');"
###################################################################################################
#Welcome Message
info "This script will create a new Oauth role and an associated database for Mattermost-LDAP\nTo edit configuration please edit this script before running !\n"
warn "SuperUser right must be ask to create the new role and database in postgres\n"
info "Press ctrl+c to stop the script"
sleep 5
#Creating Oauth role and associated database (need admin account on postgres)
info "Creation of role $oauth_user and database $oauth_db ... (need to be root)"
sudo -S -u postgres psql -c "CREATE DATABASE $oauth_db_name;"
sudo -S -u postgres psql -c "CREATE USER $oauth_user WITH ENCRYPTED PASSWORD '$oauth_pass';"
sudo -S -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE $oauth_db_name TO $oauth_user;"
#Creating tables for ouath database (use oauth role)
info "Creation of tables for database $oauth_db (using $oauth_user)"
psql postgres://$oauth_user:$oauth_pass@$ip:$port/$oauth_db_name -c "$create_table_oauth_client"
psql postgres://$oauth_user:$oauth_pass@$ip:$port/$oauth_db_name -c "$create_table_oauth_access_tokens"
psql postgres://$oauth_user:$oauth_pass@$ip:$port/$oauth_db_name -c "$create_table_oauth_authorization_codes"
psql postgres://$oauth_user:$oauth_pass@$ip:$port/$oauth_db_name -c "$create_table_oauth_refresh_tokens"
psql postgres://$oauth_user:$oauth_pass@$ip:$port/$oauth_db_name -c "$create_table_users"
psql postgres://$oauth_user:$oauth_pass@$ip:$port/$oauth_db_name -c "$create_table_oauth_scopes"
#Insert new client in the database
info "Insert new client in the database"
psql postgres://$oauth_user:$oauth_pass@$ip:$port/$oauth_db_name -c "$create_client"
#Verification
psql postgres://$oauth_user:$oauth_pass@$ip:$port/$oauth_db_name -c "SELECT * from oauth_clients WHERE client_id='$client_id';" | grep '(1'
if [ $? ]
then ok "Client has been created ! Oauth Database is configured.\n"
info "Client ID : $client_id"
warn "Client Secret : $client_secret\n"
info "Keep id and secret, you will need them to configure Mattermost"
warn "Beware Client Secret IS PRIVATE and MUST BE KEPT SECRET"
else error "Client has not been created ! Check log below"
fi

7
oauth/.htaccess Normal file
View File

@ -0,0 +1,7 @@
# Deny access to everything by default
deny from all
# Only allow access to php files
<Files *.php>
allow from all
</Files>

7
oauth/LDAP/.htaccess Normal file
View File

@ -0,0 +1,7 @@
# Deny access to everything by default
deny from all
# Disallow php files
<Files *.php>
deny from all
</Files>

125
oauth/LDAP/LDAP.php Normal file
View File

@ -0,0 +1,125 @@
<?php
/**
* Simple LDAP object to interact with LDAP
*
* @author Denis CLAVIER <clavierd at gmail dot com>
*/
require_once __DIR__.'/LDAPInterface.php';
class LDAP implements LDAPInterface
{
protected $ldap_server;
/**
* LDAP Resource
*
* @param string @hostname
* Either a hostname or, with OpenLDAP 2.x.x and later, a full LDAP URI
* @param int @port
* An optional int to specify ldap server port
*
* Initiate LDAP connection by creating an associated resource
*/
public function __construct($hostname, $port = 389)
{
if (!is_string($hostname))
{
throw new InvalidArgumentException('First argument to LDAP must be the hostname of a ldap server (string). Ex: ldap//example.com/ ');
}
if (!is_int($port))
{
throw new InvalidArgumentException('Second argument to LDAP must be the ldap server port (int). Ex : 389');
}
$ldap = ldap_connect($hostname, $port)
or die("Unable to connect to the ldap server : $ldaphost ! Please check your configuration.");
$this->ldap_server = $ldap;
}
/**
* @param string @rdn
* A ldap user relative directory name
* @param string @password
* An optional password linked to the specified rdn account, if not provided an anonymous bind is attempted
*
* @return
* TRUE if the user is identified and can access to the LDAP server
* and FALSE if it isn't
*/
public function checkLogin($rdn,$password = null) {
if (!is_string($rdn))
{
throw new InvalidArgumentException('First argument to LDAP/checkLogin must be the relative directory name of a ldap user (string). Ex: uid=jdupont,ou=People,o=Company');
}
if (!is_string($password) && $password != null)
{
throw new InvalidArgumentException('Second argument to LDAP/checkLogin must be the password associated to the relative directory name (string).');
}
return ldap_bind($this->ldap_server,$rdn,$password);
}
/**
* @param string @base_dn
* The LDAP base DN.
* @param string @filter
* A filter to get relevant data. Often the user id in ldap (uid or sAMAccountName).
*
* @return
* An array with the user's mail and complete name.
*/
public function getDataForMattermost($base_dn, $filter) {
$attribute=array("cn","mail");
if (!is_string($base_dn))
{
throw new InvalidArgumentException('First argument to LDAP/getData must be the ldap base directory name (string). Ex: o=Company');
}
if (!is_string($filter))
{
throw new InvalidArgumentException('Second argument to LDAP/getData must be a filter to get relevant data. Often is the user id in ldap (string). Ex : uid=jdupont');
}
$result = ldap_search($this->ldap_server, $base_dn, $filter, $attribute, 0, 1, 500);
if (!$result)
{
throw new Exception('An error has occured during ldap_search execution. Please check parameter of LDAP/getData.');
}
$data = ldap_first_entry($this->ldap_server, $result);
if (!$data)
{
throw new Exception('An error has occured during ldap_first_entry execution. Please check parameter of LDAP/getData.');
}
$mail = ldap_get_values($this->ldap_server, $data, "mail");
if (!$mail)
{
throw new Exception('An error has occured during ldap_get_values execution (mail). Please check parameter of LDAP/getData.');
}
$cn = ldap_get_values($this->ldap_server, $data, "cn");
if (!$cn)
{
throw new Exception('An error has occured during ldap_get_values execution (complete name). Please check parameter of LDAP/getData.');
}
return array("mail" => $mail[0], "cn" => $cn[0]);
}
/*
* Destructor to close the LDAP connection
*/
public function __destruct()
{
ldap_close($this->ldap_server);
}
}

36
oauth/LDAP/LDAPInterface.php Normal file
View File

@ -0,0 +1,36 @@
<?php
/**
* Class to interact with LDAP
*
* @author Denis CLAVIER <clavierd at gmail dot com>
*/
interface LDAPInterface
{
/**
* Check user credentials
*
* @param string @rdn
* A ldap user relative directory name
* @param string @password
* An optional password linked to the specified rdn account, if not provided an anonymous bind is attempted
*
* @return
* TRUE if the user is identified and can access to the LDAP server
* and FALSE if it isn't
*/
public function checkLogin($rdn,$password = null);
/**
* Return only necessary data for Mattermost
*
* @param string @base_dn
* The LDAP base DN.
* @param string @filter
* A filter to get relevant data. Often the user id in ldap (uid or sAMAccountName).
*
* @return
* An array with the user's mail and complete name.
*/
public function getDataForMattermost($base_dn, $filter);
}

3
oauth/LDAP/config_ldap.php Normal file
View File

@ -0,0 +1,3 @@
<?php
$hostname = "ldap://hostname.com/";
$port = 389;

7
oauth/OAuth2/.htaccess Normal file
View File

@ -0,0 +1,7 @@
# Deny access to everything by default
deny from all
# Disallow php files
<Files *.php>
deny from all
</Files>

48
oauth/OAuth2/Autoloader.php Normal file
View File

@ -0,0 +1,48 @@
<?php
namespace OAuth2;
/**
* Autoloads OAuth2 classes
*
* @author Brent Shaffer <bshafs at gmail dot com>
* @license MIT License
*/
class Autoloader
{
private $dir;
public function __construct($dir = null)
{
if (is_null($dir)) {
$dir = dirname(__FILE__).'/..';
}
$this->dir = $dir;
}
/**
* Registers OAuth2\Autoloader as an SPL autoloader.
*/
public static function register($dir = null)
{
ini_set('unserialize_callback_func', 'spl_autoload_call');
spl_autoload_register(array(new self($dir), 'autoload'));
}
/**
* Handles autoloading of classes.
*
* @param string $class A class name.
*
* @return boolean Returns true if the class has been loaded
*/
public function autoload($class)
{
if (0 !== strpos($class, 'OAuth2')) {
return;
}
if (file_exists($file = $this->dir.'/'.str_replace('\\', '/', $class).'.php')) {
require $file;
}
}
}

15
oauth/OAuth2/ClientAssertionType/ClientAssertionTypeInterface.php Normal file
View File

@ -0,0 +1,15 @@
<?php
namespace OAuth2\ClientAssertionType;
use OAuth2\RequestInterface;
use OAuth2\ResponseInterface;
/**
* Interface for all OAuth2 Client Assertion Types
*/
interface ClientAssertionTypeInterface
{
public function validateRequest(RequestInterface $request, ResponseInterface $response);
public function getClientId();
}

123
oauth/OAuth2/ClientAssertionType/HttpBasic.php Normal file
View File

@ -0,0 +1,123 @@
<?php
namespace OAuth2\ClientAssertionType;
use OAuth2\Storage\ClientCredentialsInterface;
use OAuth2\RequestInterface;
use OAuth2\ResponseInterface;
/**
* Validate a client via Http Basic authentication
*
* @author Brent Shaffer <bshafs at gmail dot com>
*/
class HttpBasic implements ClientAssertionTypeInterface
{
private $clientData;
protected $storage;
protected $config;
/**
* @param OAuth2\Storage\ClientCredentialsInterface $clientStorage REQUIRED Storage class for retrieving client credentials information
* @param array $config OPTIONAL Configuration options for the server
* <code>
* $config = array(
* 'allow_credentials_in_request_body' => true, // whether to look for credentials in the POST body in addition to the Authorize HTTP Header
* 'allow_public_clients' => true // if true, "public clients" (clients without a secret) may be authenticated
* );
* </code>
*/
public function __construct(ClientCredentialsInterface $storage, array $config = array())
{
$this->storage = $storage;
$this->config = array_merge(array(
'allow_credentials_in_request_body' => true,
'allow_public_clients' => true,
), $config);
}
public function validateRequest(RequestInterface $request, ResponseInterface $response)
{
if (!$clientData = $this->getClientCredentials($request, $response)) {
return false;
}
if (!isset($clientData['client_id'])) {
throw new \LogicException('the clientData array must have "client_id" set');
}
if (!isset($clientData['client_secret']) || $clientData['client_secret'] == '') {
if (!$this->config['allow_public_clients']) {
$response->setError(400, 'invalid_client', 'client credentials are required');
return false;
}
if (!$this->storage->isPublicClient($clientData['client_id'])) {
$response->setError(400, 'invalid_client', 'This client is invalid or must authenticate using a client secret');
return false;
}
} elseif ($this->storage->checkClientCredentials($clientData['client_id'], $clientData['client_secret']) === false) {
$response->setError(400, 'invalid_client', 'The client credentials are invalid');
return false;
}
$this->clientData = $clientData;
return true;
}
public function getClientId()
{
return $this->clientData['client_id'];
}
/**
* Internal function used to get the client credentials from HTTP basic
* auth or POST data.
*
* According to the spec (draft 20), the client_id can be provided in
* the Basic Authorization header (recommended) or via GET/POST.
*
* @return
* A list containing the client identifier and password, for example
* @code
* return array(
* "client_id" => CLIENT_ID, // REQUIRED the client id
* "client_secret" => CLIENT_SECRET, // OPTIONAL the client secret (may be omitted for public clients)
* );
* @endcode
*
* @see http://tools.ietf.org/html/rfc6749#section-2.3.1
*
* @ingroup oauth2_section_2
*/
public function getClientCredentials(RequestInterface $request, ResponseInterface $response = null)
{
if (!is_null($request->headers('PHP_AUTH_USER')) && !is_null($request->headers('PHP_AUTH_PW'))) {
return array('client_id' => $request->headers('PHP_AUTH_USER'), 'client_secret' => $request->headers('PHP_AUTH_PW'));
}
if ($this->config['allow_credentials_in_request_body']) {
// Using POST for HttpBasic authorization is not recommended, but is supported by specification
if (!is_null($request->request('client_id'))) {
/**
* client_secret can be null if the client's password is an empty string
* @see http://tools.ietf.org/html/rfc6749#section-2.3.1
*/
return array('client_id' => $request->request('client_id'), 'client_secret' => $request->request('client_secret'));
}
}
if ($response) {
$message = $this->config['allow_credentials_in_request_body'] ? ' or body' : '';
$response->setError(400, 'invalid_client', 'Client credentials were not found in the headers'.$message);
}
return null;
}
}

394
oauth/OAuth2/Controller/AuthorizeController.php Normal file
View File

@ -0,0 +1,394 @@
<?php
namespace OAuth2\Controller;
use OAuth2\Storage\ClientInterface;
use OAuth2\ScopeInterface;
use OAuth2\RequestInterface;
use OAuth2\ResponseInterface;
use OAuth2\Scope;
/**
* @see OAuth2\Controller\AuthorizeControllerInterface
*/
class AuthorizeController implements AuthorizeControllerInterface
{
private $scope;
private $state;
private $client_id;
private $redirect_uri;
private $response_type;
protected $clientStorage;
protected $responseTypes;
protected $config;
protected $scopeUtil;
/**
* @param OAuth2\Storage\ClientInterface $clientStorage REQUIRED Instance of OAuth2\Storage\ClientInterface to retrieve client information
* @param array $responseTypes OPTIONAL Array of OAuth2\ResponseType\ResponseTypeInterface objects. Valid array
* keys are "code" and "token"
* @param array $config OPTIONAL Configuration options for the server
* <code>
* $config = array(
* 'allow_implicit' => false, // if the controller should allow the "implicit" grant type
* 'enforce_state' => true // if the controller should require the "state" parameter
* 'require_exact_redirect_uri' => true, // if the controller should require an exact match on the "redirect_uri" parameter
* 'redirect_status_code' => 302, // HTTP status code to use for redirect responses
* );
* </code>
* @param OAuth2\ScopeInterface $scopeUtil OPTIONAL Instance of OAuth2\ScopeInterface to validate the requested scope
*/
public function __construct(ClientInterface $clientStorage, array $responseTypes = array(), array $config = array(), ScopeInterface $scopeUtil = null)
{
$this->clientStorage = $clientStorage;
$this->responseTypes = $responseTypes;
$this->config = array_merge(array(
'allow_implicit' => false,
'enforce_state' => true,
'require_exact_redirect_uri' => true,
'redirect_status_code' => 302,
), $config);
if (is_null($scopeUtil)) {
$scopeUtil = new Scope();
}
$this->scopeUtil = $scopeUtil;
}
public function handleAuthorizeRequest(RequestInterface $request, ResponseInterface $response, $is_authorized, $user_id = null)
{
if (!is_bool($is_authorized)) {
throw new \InvalidArgumentException('Argument "is_authorized" must be a boolean. This method must know if the user has granted access to the client.');
}
// We repeat this, because we need to re-validate. The request could be POSTed
// by a 3rd-party (because we are not internally enforcing NONCEs, etc)
if (!$this->validateAuthorizeRequest($request, $response)) {
return;
}
// If no redirect_uri is passed in the request, use client's registered one
if (empty($this->redirect_uri)) {
$clientData = $this->clientStorage->getClientDetails($this->client_id);
$registered_redirect_uri = $clientData['redirect_uri'];
}
// the user declined access to the client's application
if ($is_authorized === false) {
$redirect_uri = $this->redirect_uri ?: $registered_redirect_uri;
$this->setNotAuthorizedResponse($request, $response, $redirect_uri, $user_id);
return;
}
// build the parameters to set in the redirect URI
if (!$params = $this->buildAuthorizeParameters($request, $response, $user_id)) {
return;
}
$authResult = $this->responseTypes[$this->response_type]->getAuthorizeResponse($params, $user_id);
list($redirect_uri, $uri_params) = $authResult;
if (empty($redirect_uri) && !empty($registered_redirect_uri)) {
$redirect_uri = $registered_redirect_uri;
}
$uri = $this->buildUri($redirect_uri, $uri_params);
// return redirect response
$response->setRedirect($this->config['redirect_status_code'], $uri);
}
protected function setNotAuthorizedResponse(RequestInterface $request, ResponseInterface $response, $redirect_uri, $user_id = null)
{
$error = 'access_denied';
$error_message = 'The user denied access to your application';
$response->setRedirect($this->config['redirect_status_code'], $redirect_uri, $this->state, $error, $error_message);
}
/*
* We have made this protected so this class can be extended to add/modify
* these parameters
*/
protected function buildAuthorizeParameters($request, $response, $user_id)
{
// @TODO: we should be explicit with this in the future
$params = array(
'scope' => $this->scope,
'state' => $this->state,
'client_id' => $this->client_id,
'redirect_uri' => $this->redirect_uri,
'response_type' => $this->response_type,
);
return $params;
}
/**
* @param RequestInterface $request
* @param ResponseInterface $response
* @return bool
*/
public function validateAuthorizeRequest(RequestInterface $request, ResponseInterface $response)
{
// Make sure a valid client id was supplied (we can not redirect because we were unable to verify the URI)
if (!$client_id = $request->query('client_id', $request->request('client_id'))) {
// We don't have a good URI to use
$response->setError(400, 'invalid_client', "No client id supplied");
return false;
}
// Get client details
if (!$clientData = $this->clientStorage->getClientDetails($client_id)) {
$response->setError(400, 'invalid_client', 'The client id supplied is invalid');
return false;
}
$registered_redirect_uri = isset($clientData['redirect_uri']) ? $clientData['redirect_uri'] : '';
// Make sure a valid redirect_uri was supplied. If specified, it must match the clientData URI.
// @see http://tools.ietf.org/html/rfc6749#section-3.1.2
// @see http://tools.ietf.org/html/rfc6749#section-4.1.2.1
// @see http://tools.ietf.org/html/rfc6749#section-4.2.2.1
if ($supplied_redirect_uri = $request->query('redirect_uri', $request->request('redirect_uri'))) {
// validate there is no fragment supplied
$parts = parse_url($supplied_redirect_uri);
if (isset($parts['fragment']) && $parts['fragment']) {
$response->setError(400, 'invalid_uri', 'The redirect URI must not contain a fragment');
return false;
}
// validate against the registered redirect uri(s) if available
if ($registered_redirect_uri && !$this->validateRedirectUri($supplied_redirect_uri, $registered_redirect_uri)) {
$response->setError(400, 'redirect_uri_mismatch', 'The redirect URI provided is missing or does not match', '#section-3.1.2');
return false;
}
$redirect_uri = $supplied_redirect_uri;
} else {
// use the registered redirect_uri if none has been supplied, if possible
if (!$registered_redirect_uri) {
$response->setError(400, 'invalid_uri', 'No redirect URI was supplied or stored');
return false;
}
if (count(explode(' ', $registered_redirect_uri)) > 1) {
$response->setError(400, 'invalid_uri', 'A redirect URI must be supplied when multiple redirect URIs are registered', '#section-3.1.2.3');
return false;
}
$redirect_uri = $registered_redirect_uri;
}
// Select the redirect URI
$response_type = $request->query('response_type', $request->request('response_type'));
// for multiple-valued response types - make them alphabetical
if (false !== strpos($response_type, ' ')) {
$types = explode(' ', $response_type);
sort($types);
$response_type = ltrim(implode(' ', $types));
}
$state = $request->query('state', $request->request('state'));
// type and client_id are required
if (!$response_type || !in_array($response_type, $this->getValidResponseTypes())) {
$response->setRedirect($this->config['redirect_status_code'], $redirect_uri, $state, 'invalid_request', 'Invalid or missing response type', null);
return false;
}
if ($response_type == self::RESPONSE_TYPE_AUTHORIZATION_CODE) {
if (!isset($this->responseTypes['code'])) {
$response->setRedirect($this->config['redirect_status_code'], $redirect_uri, $state, 'unsupported_response_type', 'authorization code grant type not supported', null);
return false;
}
if (!$this->clientStorage->checkRestrictedGrantType($client_id, 'authorization_code')) {
$response->setRedirect($this->config['redirect_status_code'], $redirect_uri, $state, 'unauthorized_client', 'The grant type is unauthorized for this client_id', null);
return false;
}
if ($this->responseTypes['code']->enforceRedirect() && !$redirect_uri) {
$response->setError(400, 'redirect_uri_mismatch', 'The redirect URI is mandatory and was not supplied');
return false;
}
} else {
if (!$this->config['allow_implicit']) {
$response->setRedirect($this->config['redirect_status_code'], $redirect_uri, $state, 'unsupported_response_type', 'implicit grant type not supported', null);
return false;
}
if (!$this->clientStorage->checkRestrictedGrantType($client_id, 'implicit')) {
$response->setRedirect($this->config['redirect_status_code'], $redirect_uri, $state, 'unauthorized_client', 'The grant type is unauthorized for this client_id', null);
return false;
}
}
// validate requested scope if it exists
$requestedScope = $this->scopeUtil->getScopeFromRequest($request);
if ($requestedScope) {
// restrict scope by client specific scope if applicable,
// otherwise verify the scope exists
$clientScope = $this->clientStorage->getClientScope($client_id);
if ((empty($clientScope) && !$this->scopeUtil->scopeExists($requestedScope))
|| (!empty($clientScope) && !$this->scopeUtil->checkScope($requestedScope, $clientScope))) {
$response->setRedirect($this->config['redirect_status_code'], $redirect_uri, $state, 'invalid_scope', 'An unsupported scope was requested', null);
return false;
}
} else {
// use a globally-defined default scope
$defaultScope = $this->scopeUtil->getDefaultScope($client_id);
if (false === $defaultScope) {
$response->setRedirect($this->config['redirect_status_code'], $redirect_uri, $state, 'invalid_client', 'This application requires you specify a scope parameter', null);
return false;
}
$requestedScope = $defaultScope;
}
// Validate state parameter exists (if configured to enforce this)
if ($this->config['enforce_state'] && !$state) {
$response->setRedirect($this->config['redirect_status_code'], $redirect_uri, null, 'invalid_request', 'The state parameter is required');
return false;
}
// save the input data and return true
$this->scope = $requestedScope;
$this->state = $state;
$this->client_id = $client_id;
// Only save the SUPPLIED redirect URI (@see http://tools.ietf.org/html/rfc6749#section-4.1.3)
$this->redirect_uri = $supplied_redirect_uri;
$this->response_type = $response_type;
return true;
}
/**
* Build the absolute URI based on supplied URI and parameters.
*
* @param $uri An absolute URI.
* @param $params Parameters to be append as GET.
*
* @return
* An absolute URI with supplied parameters.
*
* @ingroup oauth2_section_4
*/
private function buildUri($uri, $params)
{
$parse_url = parse_url($uri);
// Add our params to the parsed uri
foreach ($params as $k => $v) {
if (isset($parse_url[$k])) {
$parse_url[$k] .= "&" . http_build_query($v, '', '&');
} else {
$parse_url[$k] = http_build_query($v, '', '&');
}
}
// Put humpty dumpty back together
return
((isset($parse_url["scheme"])) ? $parse_url["scheme"] . "://" : "")
. ((isset($parse_url["user"])) ? $parse_url["user"]
. ((isset($parse_url["pass"])) ? ":" . $parse_url["pass"] : "") . "@" : "")
. ((isset($parse_url["host"])) ? $parse_url["host"] : "")
. ((isset($parse_url["port"])) ? ":" . $parse_url["port"] : "")
. ((isset($parse_url["path"])) ? $parse_url["path"] : "")
. ((isset($parse_url["query"]) && !empty($parse_url['query'])) ? "?" . $parse_url["query"] : "")
. ((isset($parse_url["fragment"])) ? "#" . $parse_url["fragment"] : "")
;
}
protected function getValidResponseTypes()
{
return array(
self::RESPONSE_TYPE_ACCESS_TOKEN,
self::RESPONSE_TYPE_AUTHORIZATION_CODE,
);
}
/**
* Internal method for validating redirect URI supplied
*
* @param string $inputUri The submitted URI to be validated
* @param string $registeredUriString The allowed URI(s) to validate against. Can be a space-delimited string of URIs to
* allow for multiple URIs
*
* @see http://tools.ietf.org/html/rfc6749#section-3.1.2
*/
protected function validateRedirectUri($inputUri, $registeredUriString)
{
if (!$inputUri || !$registeredUriString) {
return false; // if either one is missing, assume INVALID
}
$registered_uris = preg_split('/\s+/', $registeredUriString);
foreach ($registered_uris as $registered_uri) {
if ($this->config['require_exact_redirect_uri']) {
// the input uri is validated against the registered uri using exact match
if (strcmp($inputUri, $registered_uri) === 0) {
return true;
}
} else {
$registered_uri_length = strlen($registered_uri);
if ($registered_uri_length === 0) {
return false;
}
// the input uri is validated against the registered uri using case-insensitive match of the initial string
// i.e. additional query parameters may be applied
if (strcasecmp(substr($inputUri, 0, $registered_uri_length), $registered_uri) === 0) {
return true;
}
}
}
return false;
}
/**
* Convenience methods to access the parameters derived from the validated request
*/
public function getScope()
{
return $this->scope;
}
public function getState()
{
return $this->state;
}
public function getClientId()
{
return $this->client_id;
}
public function getRedirectUri()
{
return $this->redirect_uri;
}
public function getResponseType()
{
return $this->response_type;
}
}

43
oauth/OAuth2/Controller/AuthorizeControllerInterface.php Normal file
View File

@ -0,0 +1,43 @@
<?php
namespace OAuth2\Controller;
use OAuth2\RequestInterface;
use OAuth2\ResponseInterface;
/**
* This controller is called when a user should be authorized
* by an authorization server. As OAuth2 does not handle
* authorization directly, this controller ensures the request is valid, but
* requires the application to determine the value of $is_authorized
*
* ex:
* > $user_id = $this->somehowDetermineUserId();
* > $is_authorized = $this->somehowDetermineUserAuthorization();
* > $response = new OAuth2\Response();
* > $authorizeController->handleAuthorizeRequest(
* > OAuth2\Request::createFromGlobals(),
* > $response,
* > $is_authorized,
* > $user_id);
* > $response->send();
*
*/
interface AuthorizeControllerInterface
{
/**
* List of possible authentication response types.
* The "authorization_code" mechanism exclusively supports 'code'
* and the "implicit" mechanism exclusively supports 'token'.
*
* @var string
* @see http://tools.ietf.org/html/rfc6749#section-4.1.1
* @see http://tools.ietf.org/html/rfc6749#section-4.2.1
*/
const RESPONSE_TYPE_AUTHORIZATION_CODE = 'code';
const RESPONSE_TYPE_ACCESS_TOKEN = 'token';
public function handleAuthorizeRequest(RequestInterface $request, ResponseInterface $response, $is_authorized, $user_id = null);
public function validateAuthorizeRequest(RequestInterface $request, ResponseInterface $response);
}

112
oauth/OAuth2/Controller/ResourceController.php Normal file
View File

@ -0,0 +1,112 @@
<?php
namespace OAuth2\Controller;
use OAuth2\TokenType\TokenTypeInterface;
use OAuth2\Storage\AccessTokenInterface;
use OAuth2\ScopeInterface;
use OAuth2\RequestInterface;
use OAuth2\ResponseInterface;
use OAuth2\Scope;
/**
* @see OAuth2\Controller\ResourceControllerInterface
*/
class ResourceController implements ResourceControllerInterface
{
private $token;
protected $tokenType;
protected $tokenStorage;
protected $config;
protected $scopeUtil;
public function __construct(TokenTypeInterface $tokenType, AccessTokenInterface $tokenStorage, $config = array(), ScopeInterface $scopeUtil = null)
{
$this->tokenType = $tokenType;
$this->tokenStorage = $tokenStorage;
$this->config = array_merge(array(
'www_realm' => 'Service',
), $config);
if (is_null($scopeUtil)) {
$scopeUtil = new Scope();
}
$this->scopeUtil = $scopeUtil;
}
public function verifyResourceRequest(RequestInterface $request, ResponseInterface $response, $scope = null)
{
$token = $this->getAccessTokenData($request, $response);
// Check if we have token data
if (is_null($token)) {
return false;
}
/**
* Check scope, if provided
* If token doesn't have a scope, it's null/empty, or it's insufficient, then throw 403
* @see http://tools.ietf.org/html/rfc6750#section-3.1
*/
if ($scope && (!isset($token["scope"]) || !$token["scope"] || !$this->scopeUtil->checkScope($scope, $token["scope"]))) {
$response->setError(403, 'insufficient_scope', 'The request requires higher privileges than provided by the access token');
$response->addHttpHeaders(array(
'WWW-Authenticate' => sprintf('%s realm="%s", scope="%s", error="%s", error_description="%s"',
$this->tokenType->getTokenType(),
$this->config['www_realm'],
$scope,
$response->getParameter('error'),
$response->getParameter('error_description')
)
));
return false;
}
// allow retrieval of the token
$this->token = $token;
return (bool) $token;
}
public function getAccessTokenData(RequestInterface $request, ResponseInterface $response)
{
// Get the token parameter
if ($token_param = $this->tokenType->getAccessTokenParameter($request, $response)) {
// Get the stored token data (from the implementing subclass)
// Check we have a well formed token
// Check token expiration (expires is a mandatory paramter)
if (!$token = $this->tokenStorage->getAccessToken($token_param)) {
$response->setError(401, 'invalid_token', 'The access token provided is invalid');
} elseif (!isset($token["expires"]) || !isset($token["client_id"])) {
$response->setError(401, 'malformed_token', 'Malformed token (missing "expires")');
} elseif (time() > $token["expires"]) {
$response->setError(401, 'invalid_token', 'The access token provided has expired');
} else {
$token["assoc_id"]=$this->tokenStorage->getUsersID($token["user_id"]);
return $token;
}
}
$authHeader = sprintf('%s realm="%s"', $this->tokenType->getTokenType(), $this->config['www_realm']);
if ($error = $response->getParameter('error')) {
$authHeader = sprintf('%s, error="%s"', $authHeader, $error);
if ($error_description = $response->getParameter('error_description')) {
$authHeader = sprintf('%s, error_description="%s"', $authHeader, $error_description);
}
}
$response->addHttpHeaders(array('WWW-Authenticate' => $authHeader));
return null;
}
// convenience method to allow retrieval of the token
public function getToken()
{
return $this->token;
}
}

26
oauth/OAuth2/Controller/ResourceControllerInterface.php Normal file
View File

@ -0,0 +1,26 @@
<?php
namespace OAuth2\Controller;
use OAuth2\RequestInterface;
use OAuth2\ResponseInterface;
/**
* This controller is called when a "resource" is requested.
* call verifyResourceRequest in order to determine if the request
* contains a valid token.
*
* ex:
* > if (!$resourceController->verifyResourceRequest(OAuth2\Request::createFromGlobals(), $response = new OAuth2\Response())) {
* > $response->send(); // authorization failed
* > die();
* > }
* > return json_encode($resource); // valid token! Send the stuff!
*
*/
interface ResourceControllerInterface
{
public function verifyResourceRequest(RequestInterface $request, ResponseInterface $response, $scope = null);
public function getAccessTokenData(RequestInterface $request, ResponseInterface $response);
}

295
oauth/OAuth2/Controller/TokenController.php Normal file
View File

@ -0,0 +1,295 @@
<?php
namespace OAuth2\Controller;
use OAuth2\ResponseType\AccessTokenInterface;
use OAuth2\ClientAssertionType\ClientAssertionTypeInterface;
use OAuth2\GrantType\GrantTypeInterface;
use OAuth2\ScopeInterface;
use OAuth2\Scope;
use OAuth2\Storage\ClientInterface;
use OAuth2\RequestInterface;
use OAuth2\ResponseInterface;
/**
* @see \OAuth2\Controller\TokenControllerInterface
*/
class TokenController implements TokenControllerInterface
{
/**
* @var AccessTokenInterface
*/
protected $accessToken;
/**
* @var array
*/
protected $grantTypes;
/**
* @var ClientAssertionTypeInterface
*/
protected $clientAssertionType;
/**
* @var Scope|ScopeInterface
*/
protected $scopeUtil;
/**
* @var ClientInterface
*/
protected $clientStorage;
public function __construct(AccessTokenInterface $accessToken, ClientInterface $clientStorage, array $grantTypes = array(), ClientAssertionTypeInterface $clientAssertionType = null, ScopeInterface $scopeUtil = null)
{
if (is_null($clientAssertionType)) {
foreach ($grantTypes as $grantType) {
if (!$grantType instanceof ClientAssertionTypeInterface) {
throw new \InvalidArgumentException('You must supply an instance of OAuth2\ClientAssertionType\ClientAssertionTypeInterface or only use grant types which implement OAuth2\ClientAssertionType\ClientAssertionTypeInterface');
}
}
}
$this->clientAssertionType = $clientAssertionType;
$this->accessToken = $accessToken;
$this->clientStorage = $clientStorage;
foreach ($grantTypes as $grantType) {
$this->addGrantType($grantType);
}
if (is_null($scopeUtil)) {
$scopeUtil = new Scope();
}
$this->scopeUtil = $scopeUtil;
}
public function handleTokenRequest(RequestInterface $request, ResponseInterface $response)
{
if ($token = $this->grantAccessToken($request, $response)) {
// @see http://tools.ietf.org/html/rfc6749#section-5.1
// server MUST disable caching in headers when tokens are involved
$response->setStatusCode(200);
$response->addParameters($token);
$response->addHttpHeaders(array(
'Cache-Control' => 'no-store',
'Pragma' => 'no-cache',
'Content-Type' => 'application/json'
));
}
}
/**
* Grant or deny a requested access token.
* This would be called from the "/token" endpoint as defined in the spec.
* You can call your endpoint whatever you want.
*
* @param RequestInterface $request Request object to grant access token
* @param ResponseInterface $response
*
* @throws \InvalidArgumentException
* @throws \LogicException
*
* @see http://tools.ietf.org/html/rfc6749#section-4
* @see http://tools.ietf.org/html/rfc6749#section-10.6
* @see http://tools.ietf.org/html/rfc6749#section-4.1.3
*
* @ingroup oauth2_section_4
*/
public function grantAccessToken(RequestInterface $request, ResponseInterface $response)
{
if (strtolower($request->server('REQUEST_METHOD')) != 'post') {
$response->setError(405, 'invalid_request', 'The request method must be POST when requesting an access token', '#section-3.2');
$response->addHttpHeaders(array('Allow' => 'POST'));
return null;
}
/**
* Determine grant type from request
* and validate the request for that grant type
*/
if (!$grantTypeIdentifier = $request->request('grant_type')) {
$response->setError(400, 'invalid_request', 'The grant type was not specified in the request');
return null;
}
if (!isset($this->grantTypes[$grantTypeIdentifier])) {
/* TODO: If this is an OAuth2 supported grant type that we have chosen not to implement, throw a 501 Not Implemented instead */
$response->setError(400, 'unsupported_grant_type', sprintf('Grant type "%s" not supported', $grantTypeIdentifier));
return null;
}
$grantType = $this->grantTypes[$grantTypeIdentifier];
/**
* Retrieve the client information from the request
* ClientAssertionTypes allow for grant types which also assert the client data
* in which case ClientAssertion is handled in the validateRequest method
*
* @see OAuth2\GrantType\JWTBearer
* @see OAuth2\GrantType\ClientCredentials
*/
if (!$grantType instanceof ClientAssertionTypeInterface) {
if (!$this->clientAssertionType->validateRequest($request, $response)) {
return null;
}
$clientId = $this->clientAssertionType->getClientId();
}
/**
* Retrieve the grant type information from the request
* The GrantTypeInterface object handles all validation
* If the object is an instance of ClientAssertionTypeInterface,
* That logic is handled here as well
*/
if (!$grantType->validateRequest($request, $response)) {
return null;
}
if ($grantType instanceof ClientAssertionTypeInterface) {
$clientId = $grantType->getClientId();
} else {
// validate the Client ID (if applicable)
if (!is_null($storedClientId = $grantType->getClientId()) && $storedClientId != $clientId) {
$response->setError(400, 'invalid_grant', sprintf('%s doesn\'t exist or is invalid for the client', $grantTypeIdentifier));
return null;
}
}
/**
* Validate the client can use the requested grant type
*/
if (!$this->clientStorage->checkRestrictedGrantType($clientId, $grantTypeIdentifier)) {
$response->setError(400, 'unauthorized_client', 'The grant type is unauthorized for this client_id');
return false;
}
/**
* Validate the scope of the token
*
* requestedScope - the scope specified in the token request
* availableScope - the scope associated with the grant type
* ex: in the case of the "Authorization Code" grant type,
* the scope is specified in the authorize request
*
* @see http://tools.ietf.org/html/rfc6749#section-3.3
*/
$requestedScope = $this->scopeUtil->getScopeFromRequest($request);
$availableScope = $grantType->getScope();
if ($requestedScope) {
// validate the requested scope
if ($availableScope) {
if (!$this->scopeUtil->checkScope($requestedScope, $availableScope)) {
$response->setError(400, 'invalid_scope', 'The scope requested is invalid for this request');
return null;
}
} else {
// validate the client has access to this scope
if ($clientScope = $this->clientStorage->getClientScope($clientId)) {
if (!$this->scopeUtil->checkScope($requestedScope, $clientScope)) {
$response->setError(400, 'invalid_scope', 'The scope requested is invalid for this client');
return false;
}
} elseif (!$this->scopeUtil->scopeExists($requestedScope)) {
$response->setError(400, 'invalid_scope', 'An unsupported scope was requested');
return null;
}
}
} elseif ($availableScope) {
// use the scope associated with this grant type
$requestedScope = $availableScope;
} else {
// use a globally-defined default scope
$defaultScope = $this->scopeUtil->getDefaultScope($clientId);
// "false" means default scopes are not allowed
if (false === $defaultScope) {
$response->setError(400, 'invalid_scope', 'This application requires you specify a scope parameter');
return null;
}
$requestedScope = $defaultScope;
}
return $grantType->createAccessToken($this->accessToken, $clientId, $grantType->getUserId(), $requestedScope);
}
/**
* addGrantType
*
* @param GrantTypeInterface $grantType the grant type to add for the specified identifier
* @param string $identifier a string passed in as "grant_type" in the response that will call this grantType
*/
public function addGrantType(GrantTypeInterface $grantType, $identifier = null)
{
if (is_null($identifier) || is_numeric($identifier)) {
$identifier = $grantType->getQuerystringIdentifier();
}
$this->grantTypes[$identifier] = $grantType;
}
public function handleRevokeRequest(RequestInterface $request, ResponseInterface $response)
{
if ($this->revokeToken($request, $response)) {
$response->setStatusCode(200);
$response->addParameters(array('revoked' => true));
}
}
/**
* Revoke a refresh or access token. Returns true on success and when tokens are invalid
*
* Note: invalid tokens do not cause an error response since the client
* cannot handle such an error in a reasonable way. Moreover, the
* purpose of the revocation request, invalidating the particular token,
* is already achieved.
*
* @param RequestInterface $request
* @param ResponseInterface $response
* @return bool|null
*/
public function revokeToken(RequestInterface $request, ResponseInterface $response)
{
if (strtolower($request->server('REQUEST_METHOD')) != 'post') {
$response->setError(405, 'invalid_request', 'The request method must be POST when revoking an access token', '#section-3.2');
$response->addHttpHeaders(array('Allow' => 'POST'));
return null;
}
$token_type_hint = $request->request('token_type_hint');
if (!in_array($token_type_hint, array(null, 'access_token', 'refresh_token'), true)) {
$response->setError(400, 'invalid_request', 'Token type hint must be either \'access_token\' or \'refresh_token\'');
return null;
}
$token = $request->request('token');
if ($token === null) {
$response->setError(400, 'invalid_request', 'Missing token parameter to revoke');
return null;
}
// @todo remove this check for v2.0
if (!method_exists($this->accessToken, 'revokeToken')) {
$class = get_class($this->accessToken);
throw new \RuntimeException("AccessToken {$class} does not implement required revokeToken method");
}
$this->accessToken->revokeToken($token, $token_type_hint);
return true;
}
}

32
oauth/OAuth2/Controller/TokenControllerInterface.php Normal file
View File

@ -0,0 +1,32 @@
<?php
namespace OAuth2\Controller;
use OAuth2\RequestInterface;
use OAuth2\ResponseInterface;
/**
* This controller is called when a token is being requested.
* it is called to handle all grant types the application supports.
* It also validates the client's credentials
*
* ex:
* > $tokenController->handleTokenRequest(OAuth2\Request::createFromGlobals(), $response = new OAuth2\Response());
* > $response->send();
*
*/
interface TokenControllerInterface
{
/**
* handleTokenRequest
*
* @param $request
* OAuth2\RequestInterface - The current http request
* @param $response
* OAuth2\ResponseInterface - An instance of OAuth2\ResponseInterface to contain the response data
*
*/
public function handleTokenRequest(RequestInterface $request, ResponseInterface $response);
public function grantAccessToken(RequestInterface $request, ResponseInterface $response);
}

100
oauth/OAuth2/GrantType/AuthorizationCode.php Normal file
View File

@ -0,0 +1,100 @@
<?php
namespace OAuth2\GrantType;
use OAuth2\Storage\AuthorizationCodeInterface;
use OAuth2\ResponseType\AccessTokenInterface;
use OAuth2\RequestInterface;
use OAuth2\ResponseInterface;
/**
*
* @author Brent Shaffer <bshafs at gmail dot com>
*/
class AuthorizationCode implements GrantTypeInterface
{
protected $storage;
protected $authCode;
/**
* @param \OAuth2\Storage\AuthorizationCodeInterface $storage REQUIRED Storage class for retrieving authorization code information
*/
public function __construct(AuthorizationCodeInterface $storage)
{
$this->storage = $storage;
}
public function getQuerystringIdentifier()
{
return 'authorization_code';
}
public function validateRequest(RequestInterface $request, ResponseInterface $response)
{
if (!$request->request('code')) {
$response->setError(400, 'invalid_request', 'Missing parameter: "code" is required');
return false;
}
$code = $request->request('code');
if (!$authCode = $this->storage->getAuthorizationCode($code)) {
$response->setError(400, 'invalid_grant', 'Authorization code doesn\'t exist or is invalid for the client');
return false;
}
/*
* 4.1.3 - ensure that the "redirect_uri" parameter is present if the "redirect_uri" parameter was included in the initial authorization request
* @uri - http://tools.ietf.org/html/rfc6749#section-4.1.3
*/
if (isset($authCode['redirect_uri']) && $authCode['redirect_uri']) {
if (!$request->request('redirect_uri') || urldecode($request->request('redirect_uri')) != urldecode($authCode['redirect_uri'])) {
$response->setError(400, 'redirect_uri_mismatch', "The redirect URI is missing or do not match", "#section-4.1.3");
return false;
}
}
if (!isset($authCode['expires'])) {
throw new \Exception('Storage must return authcode with a value for "expires"');
}
if ($authCode["expires"] < time()) {
$response->setError(400, 'invalid_grant', "The authorization code has expired");
return false;
}
if (!isset($authCode['code'])) {
$authCode['code'] = $code; // used to expire the code after the access token is granted
}
$this->authCode = $authCode;
return true;
}
public function getClientId()
{
return $this->authCode['client_id'];
}
public function getScope()
{
return isset($this->authCode['scope']) ? $this->authCode['scope'] : null;
}
public function getUserId()
{
return isset($this->authCode['user_id']) ? $this->authCode['user_id'] : null;
}
public function createAccessToken(AccessTokenInterface $accessToken, $client_id, $user_id, $scope)
{
$token = $accessToken->createAccessToken($client_id, $user_id, $scope);
$this->storage->expireAuthorizationCode($this->authCode['code']);
return $token;
}
}

20
oauth/OAuth2/GrantType/GrantTypeInterface.php Normal file
View File

@ -0,0 +1,20 @@
<?php
namespace OAuth2\GrantType;
use OAuth2\ResponseType\AccessTokenInterface;
use OAuth2\RequestInterface;
use OAuth2\ResponseInterface;
/**
* Interface for all OAuth2 Grant Types
*/
interface GrantTypeInterface
{
public function getQuerystringIdentifier();
public function validateRequest(RequestInterface $request, ResponseInterface $response);
public function getClientId();
public function getUserId();
public function getScope();
public function createAccessToken(AccessTokenInterface $accessToken, $client_id, $user_id, $scope);
}

111
oauth/OAuth2/GrantType/RefreshToken.php Normal file
View File

@ -0,0 +1,111 @@
<?php
namespace OAuth2\GrantType;
use OAuth2\Storage\RefreshTokenInterface;
use OAuth2\ResponseType\AccessTokenInterface;
use OAuth2\RequestInterface;
use OAuth2\ResponseInterface;
/**
*
* @author Brent Shaffer <bshafs at gmail dot com>
*/
class RefreshToken implements GrantTypeInterface
{
private $refreshToken;
protected $storage;
protected $config;
/**
* @param OAuth2\Storage\RefreshTokenInterface $storage REQUIRED Storage class for retrieving refresh token information
* @param array $config OPTIONAL Configuration options for the server
* <code>
* $config = array(
* 'always_issue_new_refresh_token' => true, // whether to issue a new refresh token upon successful token request
* 'unset_refresh_token_after_use' => true // whether to unset the refresh token after after using
* );
* </code>
*/
public function __construct(RefreshTokenInterface $storage, $config = array())
{
$this->config = array_merge(array(
'always_issue_new_refresh_token' => false,
'unset_refresh_token_after_use' => true
), $config);
// to preserve B.C. with v1.6
// @see https://github.com/bshaffer/oauth2-server-php/pull/580
// @todo - remove in v2.0
if (isset($config['always_issue_new_refresh_token']) && !isset($config['unset_refresh_token_after_use'])) {
$this->config['unset_refresh_token_after_use'] = $config['always_issue_new_refresh_token'];
}
$this->storage = $storage;
}
public function getQuerystringIdentifier()
{
return 'refresh_token';
}
public function validateRequest(RequestInterface $request, ResponseInterface $response)
{
if (!$request->request("refresh_token")) {
$response->setError(400, 'invalid_request', 'Missing parameter: "refresh_token" is required');
return null;
}
if (!$refreshToken = $this->storage->getRefreshToken($request->request("refresh_token"))) {
$response->setError(400, 'invalid_grant', 'Invalid refresh token');
return null;
}
if ($refreshToken['expires'] > 0 && $refreshToken["expires"] < time()) {
$response->setError(400, 'invalid_grant', 'Refresh token has expired');
return null;
}
// store the refresh token locally so we can delete it when a new refresh token is generated
$this->refreshToken = $refreshToken;
return true;
}
public function getClientId()
{
return $this->refreshToken['client_id'];
}
public function getUserId()
{
return isset($this->refreshToken['user_id']) ? $this->refreshToken['user_id'] : null;
}
public function getScope()
{
return isset($this->refreshToken['scope']) ? $this->refreshToken['scope'] : null;
}
public function createAccessToken(AccessTokenInterface $accessToken, $client_id, $user_id, $scope)
{
/*
* It is optional to force a new refresh token when a refresh token is used.
* However, if a new refresh token is issued, the old one MUST be expired
* @see http://tools.ietf.org/html/rfc6749#section-6
*/
$issueNewRefreshToken = $this->config['always_issue_new_refresh_token'];
$unsetRefreshToken = $this->config['unset_refresh_token_after_use'];
$token = $accessToken->createAccessToken($client_id, $user_id, $scope, $issueNewRefreshToken);
if ($unsetRefreshToken) {
$this->storage->unsetRefreshToken($this->refreshToken['refresh_token']);
}
return $token;
}
}

21
oauth/OAuth2/LICENSE Normal file
View File

@ -0,0 +1,21 @@
The MIT License
Copyright (c) 2014 Brent Shaffer
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.

8
oauth/OAuth2/README.md Normal file
View File

@ -0,0 +1,8 @@
oauth2-server-php
=================
[![Build Status](https://travis-ci.org/bshaffer/oauth2-server-php.svg?branch=develop)](https://travis-ci.org/bshaffer/oauth2-server-php)
[![Total Downloads](https://poser.pugx.org/bshaffer/oauth2-server-php/downloads.png)](https://packagist.org/packages/bshaffer/oauth2-server-php)
View the [complete documentation](http://bshaffer.github.io/oauth2-server-php-docs/)

213
oauth/OAuth2/Request.php Normal file
View File

@ -0,0 +1,213 @@
<?php
namespace OAuth2;
/**
* OAuth2\Request
* This class is taken from the Symfony2 Framework and is part of the Symfony package.
* See Symfony\Component\HttpFoundation\Request (https://github.com/symfony/symfony)
*/
class Request implements RequestInterface
{
public $attributes;
public $request;
public $query;
public $server;
public $files;
public $cookies;
public $headers;
public $content;
/**
* Constructor.
*
* @param array $query The GET parameters
* @param array $request The POST parameters
* @param array $attributes The request attributes (parameters parsed from the PATH_INFO, ...)
* @param array $cookies The COOKIE parameters
* @param array $files The FILES parameters
* @param array $server The SERVER parameters
* @param string $content The raw body data
*
* @api
*/
public function __construct(array $query = array(), array $request = array(), array $attributes = array(), array $cookies = array(), array $files = array(), array $server = array(), $content = null, array $headers = null)
{
$this->initialize($query, $request, $attributes, $cookies, $files, $server, $content, $headers);
}
/**
* Sets the parameters for this request.
*
* This method also re-initializes all properties.
*
* @param array $query The GET parameters
* @param array $request The POST parameters
* @param array $attributes The request attributes (parameters parsed from the PATH_INFO, ...)
* @param array $cookies The COOKIE parameters
* @param array $files The FILES parameters
* @param array $server The SERVER parameters
* @param string $content The raw body data
*
* @api
*/
public function initialize(array $query = array(), array $request = array(), array $attributes = array(), array $cookies = array(), array $files = array(), array $server = array(), $content = null, array $headers = null)
{
$this->request = $request;
$this->query = $query;
$this->attributes = $attributes;
$this->cookies = $cookies;
$this->files = $files;
$this->server = $server;
$this->content = $content;
$this->headers = is_null($headers) ? $this->getHeadersFromServer($this->server) : $headers;
}
public function query($name, $default = null)
{
return isset($this->query[$name]) ? $this->query[$name] : $default;
}
public function request($name, $default = null)
{
return isset($this->request[$name]) ? $this->request[$name] : $default;
}
public function server($name, $default = null)
{
return isset($this->server[$name]) ? $this->server[$name] : $default;
}
public function headers($name, $default = null)
{
$headers = array_change_key_case($this->headers);
$name = strtolower($name);
return isset($headers[$name]) ? $headers[$name] : $default;
}
public function getAllQueryParameters()
{
return $this->query;
}
/**
* Returns the request body content.
*
* @param Boolean $asResource If true, a resource will be returned
*
* @return string|resource The request body content or a resource to read the body stream.
*/
public function getContent($asResource = false)
{
if (false === $this->content || (true === $asResource && null !== $this->content)) {
throw new \LogicException('getContent() can only be called once when using the resource return type.');
}
if (true === $asResource) {
$this->content = false;
return fopen('php://input', 'rb');
}
if (null === $this->content) {
$this->content = file_get_contents('php://input');
}
return $this->content;
}
private function getHeadersFromServer($server)
{
$headers = array();
foreach ($server as $key => $value) {
if (0 === strpos($key, 'HTTP_')) {
$headers[substr($key, 5)] = $value;
}
// CONTENT_* are not prefixed with HTTP_
elseif (in_array($key, array('CONTENT_LENGTH', 'CONTENT_MD5', 'CONTENT_TYPE'))) {
$headers[$key] = $value;
}
}
if (isset($server['PHP_AUTH_USER'])) {
$headers['PHP_AUTH_USER'] = $server['PHP_AUTH_USER'];
$headers['PHP_AUTH_PW'] = isset($server['PHP_AUTH_PW']) ? $server['PHP_AUTH_PW'] : '';
} else {
/*
* php-cgi under Apache does not pass HTTP Basic user/pass to PHP by default
* For this workaround to work, add this line to your .htaccess file:
* RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
*
* A sample .htaccess file:
* RewriteEngine On
* RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
* RewriteCond %{REQUEST_FILENAME} !-f
* RewriteRule ^(.*)$ app.php [QSA,L]
*/
$authorizationHeader = null;
if (isset($server['HTTP_AUTHORIZATION'])) {
$authorizationHeader = $server['HTTP_AUTHORIZATION'];
} elseif (isset($server['REDIRECT_HTTP_AUTHORIZATION'])) {
$authorizationHeader = $server['REDIRECT_HTTP_AUTHORIZATION'];
} elseif (function_exists('apache_request_headers')) {
$requestHeaders = (array) apache_request_headers();
// Server-side fix for bug in old Android versions (a nice side-effect of this fix means we don't care about capitalization for Authorization)
$requestHeaders = array_combine(array_map('ucwords', array_keys($requestHeaders)), array_values($requestHeaders));
if (isset($requestHeaders['Authorization'])) {
$authorizationHeader = trim($requestHeaders['Authorization']);
}
}
if (null !== $authorizationHeader) {
$headers['AUTHORIZATION'] = $authorizationHeader;
// Decode AUTHORIZATION header into PHP_AUTH_USER and PHP_AUTH_PW when authorization header is basic
if (0 === stripos($authorizationHeader, 'basic')) {
$exploded = explode(':', base64_decode(substr($authorizationHeader, 6)));
if (count($exploded) == 2) {
list($headers['PHP_AUTH_USER'], $headers['PHP_AUTH_PW']) = $exploded;
}
}
}
}
// PHP_AUTH_USER/PHP_AUTH_PW
if (isset($headers['PHP_AUTH_USER'])) {
$headers['AUTHORIZATION'] = 'Basic '.base64_encode($headers['PHP_AUTH_USER'].':'.$headers['PHP_AUTH_PW']);
}
return $headers;
}
/**
* Creates a new request with values from PHP's super globals.
*
* @return Request A new request
*
* @api
*/
public static function createFromGlobals()
{
$class = get_called_class();
$request = new $class($_GET, $_POST, array(), $_COOKIE, $_FILES, $_SERVER);
$contentType = $request->server('CONTENT_TYPE', '');
$requestMethod = $request->server('REQUEST_METHOD', 'GET');
if (0 === strpos($contentType, 'application/x-www-form-urlencoded')
&& in_array(strtoupper($requestMethod), array('PUT', 'DELETE'))
) {
parse_str($request->getContent(), $data);
$request->request = $data;
} elseif (0 === strpos($contentType, 'application/json')
&& in_array(strtoupper($requestMethod), array('POST', 'PUT', 'DELETE'))
) {
$data = json_decode($request->getContent(), true);
$request->request = $data;
}
return $request;
}
}

16
oauth/OAuth2/RequestInterface.php Normal file
View File

@ -0,0 +1,16 @@
<?php
namespace OAuth2;
interface RequestInterface
{
public function query($name, $default = null);
public function request($name, $default = null);
public function server($name, $default = null);
public function headers($name, $default = null);
public function getAllQueryParameters();
}

369
oauth/OAuth2/Response.php Normal file
View File

@ -0,0 +1,369 @@
<?php
namespace OAuth2;
/**
* Class to handle OAuth2 Responses in a graceful way. Use this interface
* to output the proper OAuth2 responses.
*
* @see OAuth2\ResponseInterface
*
* This class borrows heavily from the Symfony2 Framework and is part of the symfony package
* @see Symfony\Component\HttpFoundation\Request (https://github.com/symfony/symfony)
*/
class Response implements ResponseInterface
{
public $version;
protected $statusCode = 200;
protected $statusText;
protected $parameters = array();
protected $httpHeaders = array();
public static $statusTexts = array(
100 => 'Continue',
101 => 'Switching Protocols',
200 => 'OK',
201 => 'Created',
202 => 'Accepted',
203 => 'Non-Authoritative Information',
204 => 'No Content',
205 => 'Reset Content',
206 => 'Partial Content',
300 => 'Multiple Choices',
301 => 'Moved Permanently',
302 => 'Found',
303 => 'See Other',
304 => 'Not Modified',
305 => 'Use Proxy',
307 => 'Temporary Redirect',
400 => 'Bad Request',
401 => 'Unauthorized',
402 => 'Payment Required',
403 => 'Forbidden',
404 => 'Not Found',
405 => 'Method Not Allowed',
406 => 'Not Acceptable',
407 => 'Proxy Authentication Required',
408 => 'Request Timeout',
409 => 'Conflict',
410 => 'Gone',
411 => 'Length Required',
412 => 'Precondition Failed',
413 => 'Request Entity Too Large',
414 => 'Request-URI Too Long',
415 => 'Unsupported Media Type',
416 => 'Requested Range Not Satisfiable',
417 => 'Expectation Failed',
418 => 'I\'m a teapot',
500 => 'Internal Server Error',
501 => 'Not Implemented',
502 => 'Bad Gateway',
503 => 'Service Unavailable',
504 => 'Gateway Timeout',
505 => 'HTTP Version Not Supported',
);
public function __construct($parameters = array(), $statusCode = 200, $headers = array())
{
$this->setParameters($parameters);
$this->setStatusCode($statusCode);
$this->setHttpHeaders($headers);
$this->version = '1.1';
}
/**
* Converts the response object to string containing all headers and the response content.
*
* @return string The response with headers and content
*/
public function __toString()
{
$headers = array();
foreach ($this->httpHeaders as $name => $value) {
$headers[$name] = (array) $value;
}
return
sprintf('HTTP/%s %s %s', $this->version, $this->statusCode, $this->statusText)."\r\n".
$this->getHttpHeadersAsString($headers)."\r\n".
$this->getResponseBody();
}
/**
* Returns the build header line.
*
* @param string $name The header name
* @param string $value The header value
*
* @return string The built header line
*/
protected function buildHeader($name, $value)
{
return sprintf("%s: %s\n", $name, $value);
}
public function getStatusCode()
{
return $this->statusCode;
}
public function setStatusCode($statusCode, $text = null)
{
$this->statusCode = (int) $statusCode;
if ($this->isInvalid()) {
throw new \InvalidArgumentException(sprintf('The HTTP status code "%s" is not valid.', $statusCode));
}
$this->statusText = false === $text ? '' : (null === $text ? self::$statusTexts[$this->statusCode] : $text);
}
public function getStatusText()
{
return $this->statusText;
}
public function getParameters()
{
return $this->parameters;
}
public function setParameters(array $parameters)
{
$this->parameters = $parameters;
}
public function addParameters(array $parameters)
{
$this->parameters = array_merge($this->parameters, $parameters);
}
public function getParameter($name, $default = null)
{
return isset($this->parameters[$name]) ? $this->parameters[$name] : $default;
}
public function setParameter($name, $value)
{
$this->parameters[$name] = $value;
}
public function setHttpHeaders(array $httpHeaders)
{
$this->httpHeaders = $httpHeaders;
}
public function setHttpHeader($name, $value)
{
$this->httpHeaders[$name] = $value;
}
public function addHttpHeaders(array $httpHeaders)
{
$this->httpHeaders = array_merge($this->httpHeaders, $httpHeaders);
}
public function getHttpHeaders()
{
return $this->httpHeaders;
}
public function getHttpHeader($name, $default = null)
{
return isset($this->httpHeaders[$name]) ? $this->httpHeaders[$name] : $default;
}
public function getResponseBody($format = 'json')
{
switch ($format) {
case 'json':
return $this->parameters ? json_encode($this->parameters) : '';
case 'xml':
// this only works for single-level arrays
$xml = new \SimpleXMLElement('<response/>');
foreach ($this->parameters as $key => $param) {
$xml->addChild($key, $param);
}
return $xml->asXML();
}
throw new \InvalidArgumentException(sprintf('The format %s is not supported', $format));
}
public function send($format = 'json')
{
// headers have already been sent by the developer
if (headers_sent()) {
return;
}
switch ($format) {
case 'json':
$this->setHttpHeader('Content-Type', 'application/json');
break;
case 'xml':
$this->setHttpHeader('Content-Type', 'text/xml');
break;
}
// status
header(sprintf('HTTP/%s %s %s', $this->version, $this->statusCode, $this->statusText));
foreach ($this->getHttpHeaders() as $name => $header) {
header(sprintf('%s: %s', $name, $header));
}
echo $this->getResponseBody($format);
}
public function setError($statusCode, $error, $errorDescription = null, $errorUri = null)
{
$parameters = array(
'error' => $error,
'error_description' => $errorDescription,
);
if (!is_null($errorUri)) {
if (strlen($errorUri) > 0 && $errorUri[0] == '#') {
// we are referencing an oauth bookmark (for brevity)
$errorUri = 'http://tools.ietf.org/html/rfc6749' . $errorUri;
}
$parameters['error_uri'] = $errorUri;
}
$httpHeaders = array(
'Cache-Control' => 'no-store'
);
$this->setStatusCode($statusCode);
$this->addParameters($parameters);
$this->addHttpHeaders($httpHeaders);
if (!$this->isClientError() && !$this->isServerError()) {
throw new \InvalidArgumentException(sprintf('The HTTP status code is not an error ("%s" given).', $statusCode));
}
}
public function setRedirect($statusCode, $url, $state = null, $error = null, $errorDescription = null, $errorUri = null)
{
if (empty($url)) {
throw new \InvalidArgumentException('Cannot redirect to an empty URL.');
}
$parameters = array();
if (!is_null($state)) {
$parameters['state'] = $state;
}
if (!is_null($error)) {
$this->setError(400, $error, $errorDescription, $errorUri);
}
$this->setStatusCode($statusCode);
$this->addParameters($parameters);
if (count($this->parameters) > 0) {
// add parameters to URL redirection
$parts = parse_url($url);
$sep = isset($parts['query']) && count($parts['query']) > 0 ? '&' : '?';
$url .= $sep . http_build_query($this->parameters);
}
$this->addHttpHeaders(array('Location' => $url));
if (!$this->isRedirection()) {
throw new \InvalidArgumentException(sprintf('The HTTP status code is not a redirect ("%s" given).', $statusCode));
}
}
// http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
/**
* @return Boolean
*
* @api
*/
public function isInvalid()
{
return $this->statusCode < 100 || $this->statusCode >= 600;
}
/**
* @return Boolean
*
* @api
*/
public function isInformational()
{
return $this->statusCode >= 100 && $this->statusCode < 200;
}
/**
* @return Boolean
*
* @api
*/
public function isSuccessful()
{
return $this->statusCode >= 200 && $this->statusCode < 300;
}
/**
* @return Boolean
*
* @api
*/
public function isRedirection()
{
return $this->statusCode >= 300 && $this->statusCode < 400;
}
/**
* @return Boolean
*
* @api
*/
public function isClientError()
{
return $this->statusCode >= 400 && $this->statusCode < 500;
}
/**
* @return Boolean
*
* @api
*/
public function isServerError()
{
return $this->statusCode >= 500 && $this->statusCode < 600;
}
/*
* Functions from Symfony2 HttpFoundation - output pretty header
*/
private function getHttpHeadersAsString($headers)
{
if (count($headers) == 0) {
return '';
}
$max = max(array_map('strlen', array_keys($headers))) + 1;
$content = '';
ksort($headers);
foreach ($headers as $name => $values) {
foreach ($values as $value) {
$content .= sprintf("%-{$max}s %s\r\n", $this->beautifyHeaderName($name).':', $value);
}
}
return $content;
}
private function beautifyHeaderName($name)
{
return preg_replace_callback('/\-(.)/', array($this, 'beautifyCallback'), ucfirst($name));
}
private function beautifyCallback($match)
{
return '-'.strtoupper($match[1]);
}
}

24
oauth/OAuth2/ResponseInterface.php Normal file
View File

@ -0,0 +1,24 @@
<?php
namespace OAuth2;
/**
* Interface which represents an object response. Meant to handle and display the proper OAuth2 Responses
* for errors and successes
*
* @see OAuth2\Response
*/
interface ResponseInterface
{
public function addParameters(array $parameters);
public function addHttpHeaders(array $httpHeaders);
public function setStatusCode($statusCode);
public function setError($statusCode, $name, $description = null, $uri = null);
public function setRedirect($statusCode, $url, $state = null, $error = null, $errorDescription = null, $errorUri = null);
public function getParameter($name);
}

197
oauth/OAuth2/ResponseType/AccessToken.php Normal file
View File

@ -0,0 +1,197 @@
<?php
namespace OAuth2\ResponseType;
use OAuth2\Storage\AccessTokenInterface as AccessTokenStorageInterface;
use OAuth2\Storage\RefreshTokenInterface;
/**
*
* @author Brent Shaffer <bshafs at gmail dot com>
*/
class AccessToken implements AccessTokenInterface
{
protected $tokenStorage;
protected $refreshStorage;
protected $config;
/**
* @param OAuth2\Storage\AccessTokenInterface $tokenStorage REQUIRED Storage class for saving access token information
* @param OAuth2\Storage\RefreshTokenInterface $refreshStorage OPTIONAL Storage class for saving refresh token information
* @param array $config OPTIONAL Configuration options for the server
* <code>
* $config = array(
* 'token_type' => 'bearer', // token type identifier
* 'access_lifetime' => 3600, // time before access token expires
* 'refresh_token_lifetime' => 1209600, // time before refresh token expires
* );
* </endcode>
*/
public function __construct(AccessTokenStorageInterface $tokenStorage, RefreshTokenInterface $refreshStorage = null, array $config = array())
{
$this->tokenStorage = $tokenStorage;
$this->refreshStorage = $refreshStorage;
$this->config = array_merge(array(
'token_type' => 'bearer',
'access_lifetime' => 3600,
'refresh_token_lifetime' => 1209600,
), $config);
}
public function getAuthorizeResponse($params, $user_id = null)
{
// build the URL to redirect to
$result = array('query' => array());
$params += array('scope' => null, 'state' => null);
/*
* a refresh token MUST NOT be included in the fragment
*
* @see http://tools.ietf.org/html/rfc6749#section-4.2.2
*/
$includeRefreshToken = false;
$result["fragment"] = $this->createAccessToken($params['client_id'], $user_id, $params['scope'], $includeRefreshToken);
if (isset($params['state'])) {
$result["fragment"]["state"] = $params['state'];
}
return array($params['redirect_uri'], $result);
}
/**
* Handle the creation of access token, also issue refresh token if supported / desirable.
*
* @param $client_id client identifier related to the access token.
* @param $user_id user ID associated with the access token
* @param $scope OPTIONAL scopes to be stored in space-separated string.
* @param bool $includeRefreshToken if true, a new refresh_token will be added to the response
*
* @see http://tools.ietf.org/html/rfc6749#section-5
* @ingroup oauth2_section_5
*/
public function createAccessToken($client_id, $user_id, $scope = null, $includeRefreshToken = true)
{
$includeRefreshToken = true;
$token = array(
"access_token" => $this->generateAccessToken(),
"token_type" => $this->config['token_type']
// "expires_in" => $this->config['access_lifetime'],
);
$this->tokenStorage->setAccessToken($token["access_token"], $client_id, $user_id, $this->config['access_lifetime'] ? time() + $this->config['access_lifetime'] : null, $scope);
/*
* Issue a refresh token also, if we support them
*
* Refresh Tokens are considered supported if an instance of OAuth2\Storage\RefreshTokenInterface
* is supplied in the constructor
*/
if ($includeRefreshToken && $this->refreshStorage) {
$token["refresh_token"] = $this->generateRefreshToken();
$expires = 0;
if ($this->config['refresh_token_lifetime'] > 0) {
$expires = time() + $this->config['refresh_token_lifetime'];
}
$this->refreshStorage->setRefreshToken($token['refresh_token'], $client_id, $user_id, $expires, $scope);
}
$token["scope"] = $scope;
$token["created_at"] = time();
return $token;
}
/**
* Generates an unique access token.
*
* Implementing classes may want to override this function to implement
* other access token generation schemes.
*
* @return
* An unique access token.
*
* @ingroup oauth2_section_4
*/
protected function generateAccessToken()
{
if (function_exists('openssl_random_pseudo_bytes')) {
$randomData = openssl_random_pseudo_bytes(20);
if ($randomData !== false && strlen($randomData) === 20) {
return bin2hex($randomData);
}
}
if (function_exists('mcrypt_create_iv')) {
$randomData = mcrypt_create_iv(20, MCRYPT_DEV_URANDOM);
if ($randomData !== false && strlen($randomData) === 20) {
return bin2hex($randomData);
}
}
if (@file_exists('/dev/urandom')) { // Get 100 bytes of random data
$randomData = file_get_contents('/dev/urandom', false, null, 0, 20);
if ($randomData !== false && strlen($randomData) === 20) {
return bin2hex($randomData);
}
}
// Last resort which you probably should just get rid of:
$randomData = mt_rand() . mt_rand() . mt_rand() . mt_rand() . microtime(true) . uniqid(mt_rand(), true);
return substr(hash('sha512', $randomData), 0, 40);
}
/**
* Generates an unique refresh token
*
* Implementing classes may want to override this function to implement
* other refresh token generation schemes.
*
* @return
* An unique refresh.
*
* @ingroup oauth2_section_4
* @see OAuth2::generateAccessToken()
*/
protected function generateRefreshToken()
{
return $this->generateAccessToken(); // let's reuse the same scheme for token generation
}
/**
* Handle the revoking of refresh tokens, and access tokens if supported / desirable
* RFC7009 specifies that "If the server is unable to locate the token using
* the given hint, it MUST extend its search across all of its supported token types"
*
* @param $token
* @param null $tokenTypeHint
* @return boolean
*/
public function revokeToken($token, $tokenTypeHint = null)
{
if ($tokenTypeHint == 'refresh_token') {
if ($this->refreshStorage && $revoked = $this->refreshStorage->unsetRefreshToken($token)) {
return true;
}
}
/** @TODO remove in v2 */
if (!method_exists($this->tokenStorage, 'unsetAccessToken')) {
throw new \RuntimeException(
sprintf('Token storage %s must implement unsetAccessToken method', get_class($this->tokenStorage)
));
}
$revoked = $this->tokenStorage->unsetAccessToken($token);
// if a typehint is supplied and fails, try other storages
// @see https://tools.ietf.org/html/rfc7009#section-2.1
if (!$revoked && $tokenTypeHint != 'refresh_token') {
if ($this->refreshStorage) {
$revoked = $this->refreshStorage->unsetRefreshToken($token);
}
}
return $revoked;
}
}

34
oauth/OAuth2/ResponseType/AccessTokenInterface.php Normal file
View File

@ -0,0 +1,34 @@
<?php
namespace OAuth2\ResponseType;
/**
*
* @author Brent Shaffer <bshafs at gmail dot com>
*/
interface AccessTokenInterface extends ResponseTypeInterface
{
/**
* Handle the creation of access token, also issue refresh token if supported / desirable.
*
* @param $client_id client identifier related to the access token.
* @param $user_id user ID associated with the access token
* @param $scope OPTONAL scopes to be stored in space-separated string.
* @param bool $includeRefreshToken if true, a new refresh_token will be added to the response
*
* @see http://tools.ietf.org/html/rfc6749#section-5
* @ingroup oauth2_section_5
*/
public function createAccessToken($client_id, $user_id, $scope = null, $includeRefreshToken = true);
/**
* Handle the revoking of refresh tokens, and access tokens if supported / desirable
*
* @param $token
* @param $tokenTypeHint
* @return mixed
*
* @todo v2.0 include this method in interface. Omitted to maintain BC in v1.x
*/
//public function revokeToken($token, $tokenTypeHint);
}

107
oauth/OAuth2/ResponseType/AuthorizationCode.php Normal file
View File

@ -0,0 +1,107 @@
<?php
namespace OAuth2\ResponseType;
use OAuth2\Storage\AuthorizationCodeInterface as AuthorizationCodeStorageInterface;
/**
*
* @author Brent Shaffer <bshafs at gmail dot com>
*/
class AuthorizationCode implements AuthorizationCodeInterface
{
protected $storage;
protected $config;
public function __construct(AuthorizationCodeStorageInterface $storage, array $config = array())
{
$this->storage = $storage;
$this->config = array_merge(array(
'enforce_redirect' => false,
'auth_code_lifetime' => 30,
), $config);
}
public function getAuthorizeResponse($params, $user_id = null)
{
// build the URL to redirect to
$result = array('query' => array());
$params += array('scope' => null, 'state' => null);
$result['query']['code'] = $this->createAuthorizationCode($params['client_id'], $user_id, $params['redirect_uri'], $params['scope']);
if (isset($params['state'])) {
$result['query']['state'] = $params['state'];
}
return array($params['redirect_uri'], $result);
}
/**
* Handle the creation of the authorization code.
*
* @param $client_id
* Client identifier related to the authorization code
* @param $user_id
* User ID associated with the authorization code
* @param $redirect_uri
* An absolute URI to which the authorization server will redirect the
* user-agent to when the end-user authorization step is completed.
* @param $scope
* (optional) Scopes to be stored in space-separated string.
*
* @see http://tools.ietf.org/html/rfc6749#section-4
* @ingroup oauth2_section_4
*/
public function createAuthorizationCode($client_id, $user_id, $redirect_uri, $scope = null)
{
$code = $this->generateAuthorizationCode();
if (!$this->storage->getUsersID($user_id))
{
$this->storage->setUsersID($user_id);
}
// Scope API is forced here to comply with gitlab specification.
$this->storage->setAuthorizationCode($code, $client_id, $user_id, $redirect_uri, time() + $this->config['auth_code_lifetime'], "api");
return $code;
}
/**
* @return
* TRUE if the grant type requires a redirect_uri, FALSE if not
*/
public function enforceRedirect()
{
return $this->config['enforce_redirect'];
}
/**
* Generates an unique auth code.
*
* Implementing classes may want to override this function to implement
* other auth code generation schemes.
*
* @return
* An unique auth code.
*
* @ingroup oauth2_section_4
*/
protected function generateAuthorizationCode()
{
$tokenLen = 40;
if (function_exists('openssl_random_pseudo_bytes')) {
$randomData = openssl_random_pseudo_bytes(100);
} elseif (function_exists('mcrypt_create_iv')) {
$randomData = mcrypt_create_iv(100, MCRYPT_DEV_URANDOM);
} elseif (@file_exists('/dev/urandom')) { // Get 100 bytes of random data
$randomData = file_get_contents('/dev/urandom', false, null, 0, 100) . uniqid(mt_rand(), true);
} else {
$randomData = mt_rand() . mt_rand() . mt_rand() . mt_rand() . microtime(true) . uniqid(mt_rand(), true);
}
return substr(hash('sha512', $randomData), 0, $tokenLen);
}
}

30
oauth/OAuth2/ResponseType/AuthorizationCodeInterface.php Normal file
View File

@ -0,0 +1,30 @@
<?php
namespace OAuth2\ResponseType;
/**
*
* @author Brent Shaffer <bshafs at gmail dot com>
*/
interface AuthorizationCodeInterface extends ResponseTypeInterface
{
/**
* @return
* TRUE if the grant type requires a redirect_uri, FALSE if not
*/
public function enforceRedirect();
/**
* Handle the creation of the authorization code.
*
* @param $client_id client identifier related to the authorization code
* @param $user_id user id associated with the authorization code
* @param $redirect_uri an absolute URI to which the authorization server will redirect the
* user-agent to when the end-user authorization step is completed.
* @param $scope OPTIONAL scopes to be stored in space-separated string.
*
* @see http://tools.ietf.org/html/rfc6749#section-4
* @ingroup oauth2_section_4
*/
public function createAuthorizationCode($client_id, $user_id, $redirect_uri, $scope = null);
}

8
oauth/OAuth2/ResponseType/ResponseTypeInterface.php Normal file
View File

@ -0,0 +1,8 @@
<?php
namespace OAuth2\ResponseType;
interface ResponseTypeInterface
{
public function getAuthorizeResponse($params, $user_id = null);
}

102
oauth/OAuth2/Scope.php Normal file
View File

@ -0,0 +1,102 @@
<?php
namespace OAuth2;
use OAuth2\Storage\ScopeInterface as ScopeStorageInterface;
/**
* @see OAuth2\ScopeInterface
*/
class Scope implements ScopeInterface
{
protected $storage;
/**
* @param mixed @storage
* Either an array of supported scopes, or an instance of OAuth2\Storage\ScopeInterface
*/
public function __construct($storage = null)
{
if (is_null($storage) || is_array($storage)) {
$storage = new Memory((array) $storage);
}
if (!$storage instanceof ScopeStorageInterface) {
throw new \InvalidArgumentException("Argument 1 to OAuth2\Scope must be null, an array, or instance of OAuth2\Storage\ScopeInterface");
}
$this->storage = $storage;
}
/**
* Check if everything in required scope is contained in available scope.
*
* @param $required_scope
* A space-separated string of scopes.
*
* @return
* TRUE if everything in required scope is contained in available scope,
* and FALSE if it isn't.
*
* @see http://tools.ietf.org/html/rfc6749#section-7
*
* @ingroup oauth2_section_7
*/
public function checkScope($required_scope, $available_scope)
{
$required_scope = explode(' ', trim($required_scope));
$available_scope = explode(' ', trim($available_scope));
return (count(array_diff($required_scope, $available_scope)) == 0);
}
/**
* Check if the provided scope exists in storage.
*
* @param $scope
* A space-separated string of scopes.
*
* @return
* TRUE if it exists, FALSE otherwise.
*/
public function scopeExists($scope)
{
// Check reserved scopes first.
$scope = explode(' ', trim($scope));
$reservedScope = $this->getReservedScopes();
$nonReservedScopes = array_diff($scope, $reservedScope);
if (count($nonReservedScopes) == 0) {
return true;
} else {
// Check the storage for non-reserved scopes.
$nonReservedScopes = implode(' ', $nonReservedScopes);
return $this->storage->scopeExists($nonReservedScopes);
}
}
public function getScopeFromRequest(RequestInterface $request)
{
// "scope" is valid if passed in either POST or QUERY
return $request->request('scope', $request->query('scope'));
}
public function getDefaultScope($client_id = null)
{
return $this->storage->getDefaultScope($client_id);
}
/**
* Get reserved scopes needed by the server.
*
* In case OpenID Connect is used, these scopes must include:
* 'openid', offline_access'.
*
* @return
* An array of reserved scopes.
*/
public function getReservedScopes()
{
return array('openid', 'offline_access');
}
}

40
oauth/OAuth2/ScopeInterface.php Normal file
View File

@ -0,0 +1,40 @@
<?php
namespace OAuth2;
use OAuth2\Storage\ScopeInterface as ScopeStorageInterface;
/**
* Class to handle scope implementation logic
*
* @see OAuth2\Storage\ScopeInterface
*/
interface ScopeInterface extends ScopeStorageInterface
{
/**
* Check if everything in required scope is contained in available scope.
*
* @param $required_scope
* A space-separated string of scopes.
*
* @return
* TRUE if everything in required scope is contained in available scope,
* and FALSE if it isn't.
*
* @see http://tools.ietf.org/html/rfc6749#section-7
*
* @ingroup oauth2_section_7
*/
public function checkScope($required_scope, $available_scope);
/**
* Return scope info from request
*
* @param OAuth2\RequestInterface
* Request object to check
*
* @return
* string representation of requested scope
*/
public function getScopeFromRequest(RequestInterface $request);
}

728
oauth/OAuth2/Server.php Normal file
View File

@ -0,0 +1,728 @@
<?php
namespace OAuth2;
use OAuth2\Controller\ResourceControllerInterface;
use OAuth2\Controller\ResourceController;
use OAuth2\Controller\AuthorizeControllerInterface;
use OAuth2\Controller\AuthorizeController;
use OAuth2\Controller\TokenControllerInterface;
use OAuth2\Controller\TokenController;
use OAuth2\ClientAssertionType\ClientAssertionTypeInterface;
use OAuth2\ClientAssertionType\HttpBasic;
use OAuth2\ResponseType\ResponseTypeInterface;
use OAuth2\ResponseType\AuthorizationCode as AuthorizationCodeResponseType;
use OAuth2\ResponseType\AccessToken;
use OAuth2\TokenType\TokenTypeInterface;
use OAuth2\TokenType\Bearer;
use OAuth2\GrantType\GrantTypeInterface;
use OAuth2\GrantType\RefreshToken;
use OAuth2\GrantType\AuthorizationCode;
/**
* Server class for OAuth2
* This class serves as a convience class which wraps the other Controller classes
*
* @see OAuth2\Controller\ResourceController
* @see OAuth2\Controller\AuthorizeController
* @see OAuth2\Controller\TokenController
*/
class Server implements ResourceControllerInterface,
AuthorizeControllerInterface,
TokenControllerInterface
{
// misc properties
/**
* @var Response
*/
protected $response;
/**
* @var array
*/
protected $config;
/**
* @var array
*/
protected $storages;
// servers
/**
* @var AuthorizeControllerInterface
*/
protected $authorizeController;
/**
* @var TokenControllerInterface
*/
protected $tokenController;
/**
* @var ResourceControllerInterface
*/
protected $resourceController;
/**
* @var UserInfoControllerInterface
*/
protected $userInfoController;
// config classes
protected $grantTypes;
protected $responseTypes;
protected $tokenType;
/**
* @var ScopeInterface
*/
protected $scopeUtil;
protected $clientAssertionType;
protected $storageMap = array(
'access_token' => 'OAuth2\Storage\AccessTokenInterface',
'authorization_code' => 'OAuth2\Storage\AuthorizationCodeInterface',
'client_credentials' => 'OAuth2\Storage\ClientCredentialsInterface',
'client' => 'OAuth2\Storage\ClientInterface',
'refresh_token' => 'OAuth2\Storage\RefreshTokenInterface',
'user_credentials' => 'OAuth2\Storage\UserCredentialsInterface',
'public_key' => 'OAuth2\Storage\PublicKeyInterface',
'scope' => 'OAuth2\Storage\ScopeInterface',
);
protected $responseTypeMap = array(
'token' => 'OAuth2\ResponseType\AccessTokenInterface',
'code' => 'OAuth2\ResponseType\AuthorizationCodeInterface',
);
/**
* @param mixed $storage (array or OAuth2\Storage) - single object or array of objects implementing the
* required storage types (ClientCredentialsInterface and AccessTokenInterface as a minimum)
* @param array $config specify a different token lifetime, token header name, etc
* @param array $grantTypes An array of OAuth2\GrantType\GrantTypeInterface to use for granting access tokens
* @param array $responseTypes Response types to use. array keys should be "code" and and "token" for
* Access Token and Authorization Code response types
* @param \OAuth2\TokenType\TokenTypeInterface $tokenType The token type object to use. Valid token types are "bearer" and "mac"
* @param \OAuth2\ScopeInterface $scopeUtil The scope utility class to use to validate scope
* @param \OAuth2\ClientAssertionType\ClientAssertionTypeInterface $clientAssertionType The method in which to verify the client identity. Default is HttpBasic
*
* @ingroup oauth2_section_7
*/
public function __construct($storage = array(), array $config = array(), array $grantTypes = array(), array $responseTypes = array(), TokenTypeInterface $tokenType = null, ScopeInterface $scopeUtil = null, ClientAssertionTypeInterface $clientAssertionType = null)
{
$storage = is_array($storage) ? $storage : array($storage);
$this->storages = array();
foreach ($storage as $key => $service) {
$this->addStorage($service, $key);
}
// merge all config values. These get passed to our controller objects
$this->config = array_merge(array(
'store_encrypted_token_string' => true,
'id_lifetime' => 3600,
'access_lifetime' => 3600,
'www_realm' => 'Service',
'token_param_name' => 'access_token',
'token_bearer_header_name' => 'Bearer',
'enforce_state' => true,
'require_exact_redirect_uri' => true,
'allow_implicit' => false,
'allow_credentials_in_request_body' => true,
'allow_public_clients' => true,
'always_issue_new_refresh_token' => false,
'unset_refresh_token_after_use' => true,
), $config);
foreach ($grantTypes as $key => $grantType) {
$this->addGrantType($grantType, $key);
}
foreach ($responseTypes as $key => $responseType) {
$this->addResponseType($responseType, $key);
}
$this->tokenType = $tokenType;
$this->scopeUtil = $scopeUtil;
$this->clientAssertionType = $clientAssertionType;
}
public function getAuthorizeController()
{
if (is_null($this->authorizeController)) {
$this->authorizeController = $this->createDefaultAuthorizeController();
}
return $this->authorizeController;
}
public function getTokenController()
{
if (is_null($this->tokenController)) {
$this->tokenController = $this->createDefaultTokenController();
}
return $this->tokenController;
}
public function getResourceController()
{
if (is_null($this->resourceController)) {
$this->resourceController = $this->createDefaultResourceController();
}
return $this->resourceController;
}
public function getUserInfoController()
{
if (is_null($this->userInfoController)) {
$this->userInfoController = $this->createDefaultUserInfoController();
}
return $this->userInfoController;
}
/**
* every getter deserves a setter
*
* @param AuthorizeControllerInterface $authorizeController
*/
public function setAuthorizeController(AuthorizeControllerInterface $authorizeController)
{
$this->authorizeController = $authorizeController;
}
/**
* every getter deserves a setter
*
* @param TokenControllerInterface $tokenController
*/
public function setTokenController(TokenControllerInterface $tokenController)
{
$this->tokenController = $tokenController;
}
/**
* every getter deserves a setter
*
* @param ResourceControllerInterface $resourceController
*/
public function setResourceController(ResourceControllerInterface $resourceController)
{
$this->resourceController = $resourceController;
}
/**
* every getter deserves a setter
*
* @param UserInfoControllerInterface $userInfoController
*/
public function setUserInfoController(UserInfoControllerInterface $userInfoController)
{
$this->userInfoController = $userInfoController;
}
/**
* Grant or deny a requested access token.
* This would be called from the "/token" endpoint as defined in the spec.
* Obviously, you can call your endpoint whatever you want.
*
* @param $request - \OAuth2\RequestInterface
* Request object to grant access token
*
* @param $response - \OAuth2\ResponseInterface
* Response object containing error messages (failure) or access token (success)
*
* @return ResponseInterface
*
* @throws \InvalidArgumentException
* @throws \LogicException
*
* @see http://tools.ietf.org/html/rfc6749#section-4
* @see http://tools.ietf.org/html/rfc6749#section-10.6
* @see http://tools.ietf.org/html/rfc6749#section-4.1.3
*
* @ingroup oauth2_section_4
*/
public function handleTokenRequest(RequestInterface $request, ResponseInterface $response = null)
{
$this->response = is_null($response) ? new Response() : $response;
$this->getTokenController()->handleTokenRequest($request, $this->response);
return $this->response;
}
public function grantAccessToken(RequestInterface $request, ResponseInterface $response = null)
{
$this->response = is_null($response) ? new Response() : $response;
$value = $this->getTokenController()->grantAccessToken($request, $this->response);
return $value;
}
/**
* Handle a revoke token request
* This would be called from the "/revoke" endpoint as defined in the draft Token Revocation spec
*
* @see https://tools.ietf.org/html/rfc7009#section-2
*
* @param RequestInterface $request
* @param ResponseInterface $response
* @return Response|ResponseInterface
*/
public function handleRevokeRequest(RequestInterface $request, ResponseInterface $response = null)
{
$this->response = is_null($response) ? new Response() : $response;
$this->getTokenController()->handleRevokeRequest($request, $this->response);
return $this->response;
}
/**
* Redirect the user appropriately after approval.
*
* After the user has approved or denied the resource request the
* authorization server should call this function to redirect the user
* appropriately.
*
* @param $request
* The request should have the follow parameters set in the querystring:
* - response_type: The requested response: an access token, an
* authorization code, or both.
* - client_id: The client identifier as described in Section 2.
* - redirect_uri: An absolute URI to which the authorization server
* will redirect the user-agent to when the end-user authorization
* step is completed.
* - scope: (optional) The scope of the resource request expressed as a
* list of space-delimited strings.
* - state: (optional) An opaque value used by the client to maintain
* state between the request and callback.
* @param ResponseInterface $response
* @param $is_authorized
* TRUE or FALSE depending on whether the user authorized the access.
* @param $user_id
* Identifier of user who authorized the client
*
* @return Response
*
* @see http://tools.ietf.org/html/rfc6749#section-4
*
* @ingroup oauth2_section_4
*/
public function handleAuthorizeRequest(RequestInterface $request, ResponseInterface $response, $is_authorized, $user_id = null)
{
$this->response = $response;
$this->getAuthorizeController()->handleAuthorizeRequest($request, $this->response, $is_authorized, $user_id);
return $this->response;
}
/**
* Pull the authorization request data out of the HTTP request.
* - The redirect_uri is OPTIONAL as per draft 20. But your implementation can enforce it
* by setting $config['enforce_redirect'] to true.
* - The state is OPTIONAL but recommended to enforce CSRF. Draft 21 states, however, that
* CSRF protection is MANDATORY. You can enforce this by setting the $config['enforce_state'] to true.
*
* The draft specifies that the parameters should be retrieved from GET, override the Response
* object to change this
*
* @return
* The authorization parameters so the authorization server can prompt
* the user for approval if valid.
*
* @see http://tools.ietf.org/html/rfc6749#section-4.1.1
* @see http://tools.ietf.org/html/rfc6749#section-10.12
*
* @ingroup oauth2_section_3
*/
public function validateAuthorizeRequest(RequestInterface $request, ResponseInterface $response = null)
{
$this->response = is_null($response) ? new Response() : $response;
$value = $this->getAuthorizeController()->validateAuthorizeRequest($request, $this->response);
return $value;
}
public function verifyResourceRequest(RequestInterface $request, ResponseInterface $response = null, $scope = null)
{
$this->response = is_null($response) ? new Response() : $response;
$value = $this->getResourceController()->verifyResourceRequest($request, $this->response, $scope);
return $value;
}
public function getAccessTokenData(RequestInterface $request, ResponseInterface $response = null)
{
$this->response = is_null($response) ? new Response() : $response;
$value = $this->getResourceController()->getAccessTokenData($request, $this->response);
return $value;
}
public function addGrantType(GrantTypeInterface $grantType, $identifier = null)
{
if (!is_string($identifier)) {
$identifier = $grantType->getQuerystringIdentifier();
}
$this->grantTypes[$identifier] = $grantType;
// persist added grant type down to TokenController
if (!is_null($this->tokenController)) {
$this->getTokenController()->addGrantType($grantType, $identifier);
}
}
/**
* Set a storage object for the server
*
* @param $storage
* An object implementing one of the Storage interfaces
* @param $key
* If null, the storage is set to the key of each storage interface it implements
*
* @see storageMap
*/
public function addStorage($storage, $key = null)
{
// if explicitly set to a valid key, do not "magically" set below
if (isset($this->storageMap[$key])) {
if (!is_null($storage) && !$storage instanceof $this->storageMap[$key]) {
throw new \InvalidArgumentException(sprintf('storage of type "%s" must implement interface "%s"', $key, $this->storageMap[$key]));
}
$this->storages[$key] = $storage;
// special logic to handle "client" and "client_credentials" strangeness
if ($key === 'client' && !isset($this->storages['client_credentials'])) {
if ($storage instanceof \OAuth2\Storage\ClientCredentialsInterface) {
$this->storages['client_credentials'] = $storage;
}
} elseif ($key === 'client_credentials' && !isset($this->storages['client'])) {
if ($storage instanceof \OAuth2\Storage\ClientInterface) {
$this->storages['client'] = $storage;
}
}
} elseif (!is_null($key) && !is_numeric($key)) {
throw new \InvalidArgumentException(sprintf('unknown storage key "%s", must be one of [%s]', $key, implode(', ', array_keys($this->storageMap))));
} else {
$set = false;
foreach ($this->storageMap as $type => $interface) {
if ($storage instanceof $interface) {
$this->storages[$type] = $storage;
$set = true;
}
}
if (!$set) {
throw new \InvalidArgumentException(sprintf('storage of class "%s" must implement one of [%s]', get_class($storage), implode(', ', $this->storageMap)));
}
}
}
public function addResponseType(ResponseTypeInterface $responseType, $key = null)
{
$key = $this->normalizeResponseType($key);
if (isset($this->responseTypeMap[$key])) {
if (!$responseType instanceof $this->responseTypeMap[$key]) {
throw new \InvalidArgumentException(sprintf('responseType of type "%s" must implement interface "%s"', $key, $this->responseTypeMap[$key]));
}
$this->responseTypes[$key] = $responseType;
} elseif (!is_null($key) && !is_numeric($key)) {
throw new \InvalidArgumentException(sprintf('unknown responseType key "%s", must be one of [%s]', $key, implode(', ', array_keys($this->responseTypeMap))));
} else {
$set = false;
foreach ($this->responseTypeMap as $type => $interface) {
if ($responseType instanceof $interface) {
$this->responseTypes[$type] = $responseType;
$set = true;
}
}
if (!$set) {
throw new \InvalidArgumentException(sprintf('Unknown response type %s. Please implement one of [%s]', get_class($responseType), implode(', ', $this->responseTypeMap)));
}
}
}
public function getScopeUtil()
{
if (!$this->scopeUtil) {
$storage = isset($this->storages['scope']) ? $this->storages['scope'] : null;
$this->scopeUtil = new Scope($storage);
}
return $this->scopeUtil;
}
/**
* every getter deserves a setter
*
* @param ScopeInterface $scopeUtil
*/
public function setScopeUtil($scopeUtil)
{
$this->scopeUtil = $scopeUtil;
}
protected function createDefaultAuthorizeController()
{
if (!isset($this->storages['client'])) {
throw new \LogicException('You must supply a storage object implementing \OAuth2\Storage\ClientInterface to use the authorize server');
}
if (0 == count($this->responseTypes)) {
$this->responseTypes = $this->getDefaultResponseTypes();
}
$config = array_intersect_key($this->config, array_flip(explode(' ', 'allow_implicit enforce_state require_exact_redirect_uri')));
return new AuthorizeController($this->storages['client'], $this->responseTypes, $config, $this->getScopeUtil());
}
protected function createDefaultTokenController()
{
if (0 == count($this->grantTypes)) {
$this->grantTypes = $this->getDefaultGrantTypes();
}
if (is_null($this->clientAssertionType)) {
// see if HttpBasic assertion type is requred. If so, then create it from storage classes.
foreach ($this->grantTypes as $grantType) {
if (!$grantType instanceof ClientAssertionTypeInterface) {
if (!isset($this->storages['client_credentials'])) {
throw new \LogicException('You must supply a storage object implementing OAuth2\Storage\ClientCredentialsInterface to use the token server');
}
$config = array_intersect_key($this->config, array_flip(explode(' ', 'allow_credentials_in_request_body allow_public_clients')));
$this->clientAssertionType = new HttpBasic($this->storages['client_credentials'], $config);
break;
}
}
}
if (!isset($this->storages['client'])) {
throw new \LogicException('You must supply a storage object implementing OAuth2\Storage\ClientInterface to use the token server');
}
$accessTokenResponseType = $this->getAccessTokenResponseType();
return new TokenController($accessTokenResponseType, $this->storages['client'], $this->grantTypes, $this->clientAssertionType, $this->getScopeUtil());
}
protected function createDefaultResourceController()
{
if (!isset($this->storages['access_token'])) {
throw new \LogicException('You must supply a storage object implementing OAuth2\Storage\AccessTokenInterface');
}
if (!$this->tokenType) {
$this->tokenType = $this->getDefaultTokenType();
}
$config = array_intersect_key($this->config, array('www_realm' => ''));
return new ResourceController($this->tokenType, $this->storages['access_token'], $config, $this->getScopeUtil());
}
protected function createDefaultUserInfoController()
{
if (!isset($this->storages['access_token'])) {
throw new \LogicException('You must supply a storage object implementing OAuth2\Storage\AccessTokenInterface');
}
if (!$this->tokenType) {
$this->tokenType = $this->getDefaultTokenType();
}
$config = array_intersect_key($this->config, array('www_realm' => ''));
return new UserInfoController($this->tokenType, $this->storages['access_token'], $this->storages['user_claims'], $config, $this->getScopeUtil());
}
protected function getDefaultTokenType()
{
$config = array_intersect_key($this->config, array_flip(explode(' ', 'token_param_name token_bearer_header_name')));
return new Bearer($config);
}
protected function getDefaultResponseTypes()
{
$responseTypes = array();
if ($this->config['allow_implicit']) {
$responseTypes['token'] = $this->getAccessTokenResponseType();
}
if (isset($this->storages['authorization_code'])) {
$config = array_intersect_key($this->config, array_flip(explode(' ', 'enforce_redirect auth_code_lifetime')));
$responseTypes['code'] = new AuthorizationCodeResponseType($this->storages['authorization_code'], $config);
}
if (count($responseTypes) == 0) {
throw new \LogicException('You must supply an array of response_types in the constructor or implement a OAuth2\Storage\AuthorizationCodeInterface storage object or set "allow_implicit" to true and implement a OAuth2\Storage\AccessTokenInterface storage object');
}
return $responseTypes;
}
protected function getDefaultGrantTypes()
{
$grantTypes = array();
if (isset($this->storages['user_credentials'])) {
$grantTypes['password'] = new UserCredentials($this->storages['user_credentials']);
}
if (isset($this->storages['client_credentials'])) {
$config = array_intersect_key($this->config, array('allow_credentials_in_request_body' => ''));
$grantTypes['client_credentials'] = new ClientCredentials($this->storages['client_credentials'], $config);
}
if (isset($this->storages['refresh_token'])) {
$config = array_intersect_key($this->config, array_flip(explode(' ', 'always_issue_new_refresh_token unset_refresh_token_after_use')));
$grantTypes['refresh_token'] = new RefreshToken($this->storages['refresh_token'], $config);
}
if (isset($this->storages['authorization_code'])) {
$grantTypes['authorization_code'] = new AuthorizationCode($this->storages['authorization_code']);
}
if (count($grantTypes) == 0) {
throw new \LogicException('Unable to build default grant types - You must supply an array of grant_types in the constructor');
}
return $grantTypes;
}
protected function getAccessTokenResponseType()
{
if (isset($this->responseTypes['token'])) {
return $this->responseTypes['token'];
}
return $this->createDefaultAccessTokenResponseType();
}
protected function getIdTokenResponseType()
{
if (isset($this->responseTypes['id_token'])) {
return $this->responseTypes['id_token'];
}
return $this->createDefaultIdTokenResponseType();
}
protected function getIdTokenTokenResponseType()
{
if (isset($this->responseTypes['id_token token'])) {
return $this->responseTypes['id_token token'];
}
return $this->createDefaultIdTokenTokenResponseType();
}
protected function createDefaultAccessTokenResponseType()
{
if (!isset($this->storages['access_token'])) {
throw new \LogicException('You must supply a response type implementing OAuth2\ResponseType\AccessTokenInterface, or a storage object implementing OAuth2\Storage\AccessTokenInterface to use the token server');
}
$refreshStorage = null;
if (isset($this->storages['refresh_token'])) {
$refreshStorage = $this->storages['refresh_token'];
}
$config = array_intersect_key($this->config, array_flip(explode(' ', 'access_lifetime refresh_token_lifetime')));
$config['token_type'] = $this->tokenType ? $this->tokenType->getTokenType() : $this->getDefaultTokenType()->getTokenType();
return new AccessToken($this->storages['access_token'], $refreshStorage, $config);
}
protected function createDefaultIdTokenResponseType()
{
if (!isset($this->storages['public_key'])) {
throw new \LogicException('You must supply a storage object implementing OAuth2\Storage\PublicKeyInterface to use openid connect');
}
$config = array_intersect_key($this->config, array_flip(explode(' ', 'issuer id_lifetime')));
return new IdToken($this->storages['user_claims'], $this->storages['public_key'], $config);
}
protected function createDefaultIdTokenTokenResponseType()
{
return new IdTokenToken($this->getAccessTokenResponseType(), $this->getIdTokenResponseType());
}
protected function normalizeResponseType($name)
{
// for multiple-valued response types - make them alphabetical
if (!empty($name) && false !== strpos($name, ' ')) {
$types = explode(' ', $name);
sort($types);
$name = implode(' ', $types);
}
return $name;
}
public function getResponse()
{
return $this->response;
}
public function getStorages()
{
return $this->storages;
}
public function getStorage($name)
{
return isset($this->storages[$name]) ? $this->storages[$name] : null;
}
public function getGrantTypes()
{
return $this->grantTypes;
}
public function getGrantType($name)
{
return isset($this->grantTypes[$name]) ? $this->grantTypes[$name] : null;
}
public function getResponseTypes()
{
return $this->responseTypes;
}
public function getResponseType($name)
{
// for multiple-valued response types - make them alphabetical
$name = $this->normalizeResponseType($name);
return isset($this->responseTypes[$name]) ? $this->responseTypes[$name] : null;
}
public function getTokenType()
{
return $this->tokenType;
}
public function getClientAssertionType()
{
return $this->clientAssertionType;
}
public function setConfig($name, $value)
{
$this->config[$name] = $value;
}
public function getConfig($name, $default = null)
{
return isset($this->config[$name]) ? $this->config[$name] : $default;
}
}

67
oauth/OAuth2/Storage/AccessTokenInterface.php Normal file
View File

@ -0,0 +1,67 @@
<?php
namespace OAuth2\Storage;
/**
* Implement this interface to specify where the OAuth2 Server
* should get/save access tokens
*
* @author Brent Shaffer <bshafs at gmail dot com>
*/
interface AccessTokenInterface
{
/**
* Look up the supplied oauth_token from storage.
*
* We need to retrieve access token data as we create and verify tokens.
*
* @param $oauth_token
* oauth_token to be check with.
*
* @return
* An associative array as below, and return NULL if the supplied oauth_token
* is invalid:
* - expires: Stored expiration in unix timestamp.
* - client_id: (optional) Stored client identifier.
* - user_id: (optional) Stored user identifier.
* - scope: (optional) Stored scope values in space-separated string.
* - id_token: (optional) Stored id_token (if "use_openid_connect" is true).
*
* @ingroup oauth2_section_7
*/
public function getAccessToken($oauth_token);
/**
* Store the supplied access token values to storage.
*
* We need to store access token data as we create and verify tokens.
*
* @param $oauth_token oauth_token to be stored.
* @param $client_id client identifier to be stored.
* @param $user_id user identifier to be stored.
* @param int $expires expiration to be stored as a Unix timestamp.
* @param string $scope OPTIONAL Scopes to be stored in space-separated string.
*
* @ingroup oauth2_section_4
*/
public function setAccessToken($oauth_token, $client_id, $user_id, $expires, $scope = null);
/**
* Expire an access token.
*
* This is not explicitly required in the spec, but if defined in a draft RFC for token
* revoking (RFC 7009) https://tools.ietf.org/html/rfc7009
*
* @param $access_token
* Access token to be expired.
*
* @return BOOL true if an access token was unset, false if not
* @ingroup oauth2_section_6
*
* @todo v2.0 include this method in interface. Omitted to maintain BC in v1.x
*/
//public function unsetAccessToken($access_token)
public function getUsersID($username);
}

118
oauth/OAuth2/Storage/AuthorizationCodeInterface.php Normal file
View File

@ -0,0 +1,118 @@
<?php
namespace OAuth2\Storage;
/**
* Implement this interface to specify where the OAuth2 Server
* should get/save authorization codes for the "Authorization Code"
* grant type
*
* @author Brent Shaffer <bshafs at gmail dot com>
*/
interface AuthorizationCodeInterface
{
/**
* The Authorization Code grant type supports a response type of "code".
*
* @var string
* @see http://tools.ietf.org/html/rfc6749#section-1.4.1
* @see http://tools.ietf.org/html/rfc6749#section-4.2
*/
const RESPONSE_TYPE_CODE = "code";
/**
* Fetch authorization code data (probably the most common grant type).
*
* Retrieve the stored data for the given authorization code.
*
* Required for OAuth2::GRANT_TYPE_AUTH_CODE.
*
* @param $code
* Authorization code to be check with.
*
* @return
* An associative array as below, and NULL if the code is invalid
* @code
* return array(
* "client_id" => CLIENT_ID, // REQUIRED Stored client identifier
* "user_id" => USER_ID, // REQUIRED Stored user identifier
* "expires" => EXPIRES, // REQUIRED Stored expiration in unix timestamp
* "redirect_uri" => REDIRECT_URI, // REQUIRED Stored redirect URI
* "scope" => SCOPE, // OPTIONAL Stored scope values in space-separated string
* );
* @endcode
*
* @see http://tools.ietf.org/html/rfc6749#section-4.1
*
* @ingroup oauth2_section_4
*/
public function getAuthorizationCode($code);
/**
* Take the provided authorization code values and store them somewhere.
*
* This function should be the storage counterpart to getAuthCode().
*
* If storage fails for some reason, we're not currently checking for
* any sort of success/failure, so you should bail out of the script
* and provide a descriptive fail message.
*
* Required for OAuth2::GRANT_TYPE_AUTH_CODE.
*
* @param string $code Authorization code to be stored.
* @param mixed $client_id Client identifier to be stored.
* @param mixed $user_id User identifier to be stored.
* @param string $redirect_uri Redirect URI(s) to be stored in a space-separated string.
* @param int $expires Expiration to be stored as a Unix timestamp.
* @param string $scope OPTIONAL Scopes to be stored in space-separated string.
*
* @ingroup oauth2_section_4
*/
public function setAuthorizationCode($code, $client_id, $user_id, $redirect_uri, $expires, $scope = null);
/**
* once an Authorization Code is used, it must be expired
*
* @see http://tools.ietf.org/html/rfc6749#section-4.1.2
*
* The client MUST NOT use the authorization code
* more than once. If an authorization code is used more than
* once, the authorization server MUST deny the request and SHOULD
* revoke (when possible) all tokens previously issued based on
* that authorization code
*
*/
public function expireAuthorizationCode($code);
/*-------------------------------------------------------------------------------------------------------------------------------------------------*/
/**
* @author Denis CLAVIER <clavierd at gmail dot com>
*/
/**
* get user id on Oauth2 server
*
* @param string $username
* Username of an LDAP user (often uid)
*
* @return
* The id associated to username in users table
* and FALSE if username is not in the users table
*/
public function getUsersID($username);
/**
* set an id for username on Oauth2 server
*
* @param string $username
* Username of an LDAP user (often uid)
*
* @return
* TRUE if insertion has succeed
* and FALSE if is not
*
* An unique ID is linked to the username after this function
*/
public function setUsersID($username);
}

49
oauth/OAuth2/Storage/ClientCredentialsInterface.php Normal file
View File

@ -0,0 +1,49 @@
<?php
namespace OAuth2\Storage;
/**
* Implement this interface to specify how the OAuth2 Server
* should verify client credentials
*
* @author Brent Shaffer <bshafs at gmail dot com>
*/
interface ClientCredentialsInterface extends ClientInterface
{
/**
* Make sure that the client credentials is valid.
*
* @param $client_id
* Client identifier to be check with.
* @param $client_secret
* (optional) If a secret is required, check that they've given the right one.
*
* @return
* TRUE if the client credentials are valid, and MUST return FALSE if it isn't.
* @endcode
*
* @see http://tools.ietf.org/html/rfc6749#section-3.1
*
* @ingroup oauth2_section_3
*/
public function checkClientCredentials($client_id, $client_secret = null);
/**
* Determine if the client is a "public" client, and therefore
* does not require passing credentials for certain grant types
*
* @param $client_id
* Client identifier to be check with.
*
* @return
* TRUE if the client is public, and FALSE if it isn't.
* @endcode
*
* @see http://tools.ietf.org/html/rfc6749#section-2.3
* @see https://github.com/bshaffer/oauth2-server-php/issues/257
*
* @ingroup oauth2_section_2
*/
public function isPublicClient($client_id);
}

66
oauth/OAuth2/Storage/ClientInterface.php Normal file
View File

@ -0,0 +1,66 @@
<?php
namespace OAuth2\Storage;
/**
* Implement this interface to specify where the OAuth2 Server
* should retrieve client information
*
* @author Brent Shaffer <bshafs at gmail dot com>
*/
interface ClientInterface
{
/**
* Get client details corresponding client_id.
*
* OAuth says we should store request URIs for each registered client.
* Implement this function to grab the stored URI for a given client id.
*
* @param $client_id
* Client identifier to be check with.
*
* @return array
* Client details. The only mandatory key in the array is "redirect_uri".
* This function MUST return FALSE if the given client does not exist or is
* invalid. "redirect_uri" can be space-delimited to allow for multiple valid uris.
* <code>
* return array(
* "redirect_uri" => REDIRECT_URI, // REQUIRED redirect_uri registered for the client
* "client_id" => CLIENT_ID, // OPTIONAL the client id
* "grant_types" => GRANT_TYPES, // OPTIONAL an array of restricted grant types
* "user_id" => USER_ID, // OPTIONAL the user identifier associated with this client
* "scope" => SCOPE, // OPTIONAL the scopes allowed for this client
* );
* </code>
*
* @ingroup oauth2_section_4
*/
public function getClientDetails($client_id);
/**
* Get the scope associated with this client
*
* @return
* STRING the space-delineated scope list for the specified client_id
*/
public function getClientScope($client_id);
/**
* Check restricted grant types of corresponding client identifier.
*
* If you want to restrict clients to certain grant types, override this
* function.
*
* @param $client_id
* Client identifier to be check with.
* @param $grant_type
* Grant type to be check with
*
* @return
* TRUE if the grant type is supported by this client identifier, and
* FALSE if it isn't.
*
* @ingroup oauth2_section_4
*/
public function checkRestrictedGrantType($client_id, $grant_type);
}

331
oauth/OAuth2/Storage/CouchbaseDB.php Executable file
View File

@ -0,0 +1,331 @@
<?php
namespace OAuth2\Storage;
use OAuth2\OpenID\Storage\AuthorizationCodeInterface as OpenIDAuthorizationCodeInterface;
/**
* Simple Couchbase storage for all storage types
*
* This class should be extended or overridden as required
*
* NOTE: Passwords are stored in plaintext, which is never
* a good idea. Be sure to override this for your application
*
* @author Tom Park <tom@raucter.com>
*/
class CouchbaseDB implements AuthorizationCodeInterface,
AccessTokenInterface,
ClientCredentialsInterface,
UserCredentialsInterface,
RefreshTokenInterface,
JwtBearerInterface,
OpenIDAuthorizationCodeInterface
{
protected $db;
protected $config;
public function __construct($connection, $config = array())
{
if ($connection instanceof \Couchbase) {
$this->db = $connection;
} else {
if (!is_array($connection) || !is_array($connection['servers'])) {
throw new \InvalidArgumentException('First argument to OAuth2\Storage\CouchbaseDB must be an instance of Couchbase or a configuration array containing a server array');
}
$this->db = new \Couchbase($connection['servers'], (!isset($connection['username'])) ? '' : $connection['username'], (!isset($connection['password'])) ? '' : $connection['password'], $connection['bucket'], false);
}
$this->config = array_merge(array(
'client_table' => 'oauth_clients',
'access_token_table' => 'oauth_access_tokens',
'refresh_token_table' => 'oauth_refresh_tokens',
'code_table' => 'oauth_authorization_codes',
'user_table' => 'oauth_users',
'jwt_table' => 'oauth_jwt',
), $config);
}
// Helper function to access couchbase item by type:
protected function getObjectByType($name,$id)
{
return json_decode($this->db->get($this->config[$name].'-'.$id),true);
}
// Helper function to set couchbase item by type:
protected function setObjectByType($name,$id,$array)
{
$array['type'] = $name;
return $this->db->set($this->config[$name].'-'.$id,json_encode($array));
}
// Helper function to delete couchbase item by type, wait for persist to at least 1 node
protected function deleteObjectByType($name,$id)
{
$this->db->delete($this->config[$name].'-'.$id,"",1);
}
/* ClientCredentialsInterface */
public function checkClientCredentials($client_id, $client_secret = null)
{
if ($result = $this->getObjectByType('client_table',$client_id)) {
return $result['client_secret'] == $client_secret;
}
return false;
}
public function isPublicClient($client_id)
{
if (!$result = $this->getObjectByType('client_table',$client_id)) {
return false;
}
return empty($result['client_secret']);
}
/* ClientInterface */
public function getClientDetails($client_id)
{
$result = $this->getObjectByType('client_table',$client_id);
return is_null($result) ? false : $result;
}
public function setClientDetails($client_id, $client_secret = null, $redirect_uri = null, $grant_types = null, $scope = null, $user_id = null)
{
if ($this->getClientDetails($client_id)) {
$this->setObjectByType('client_table',$client_id, array(
'client_id' => $client_id,
'client_secret' => $client_secret,
'redirect_uri' => $redirect_uri,
'grant_types' => $grant_types,
'scope' => $scope,
'user_id' => $user_id,
));
} else {
$this->setObjectByType('client_table',$client_id, array(
'client_id' => $client_id,
'client_secret' => $client_secret,
'redirect_uri' => $redirect_uri,
'grant_types' => $grant_types,
'scope' => $scope,
'user_id' => $user_id,
));
}
return true;
}
public function checkRestrictedGrantType($client_id, $grant_type)
{
$details = $this->getClientDetails($client_id);
if (isset($details['grant_types'])) {
$grant_types = explode(' ', $details['grant_types']);
return in_array($grant_type, $grant_types);
}
// if grant_types are not defined, then none are restricted
return true;
}
/* AccessTokenInterface */
public function getAccessToken($access_token)
{
$token = $this->getObjectByType('access_token_table',$access_token);
return is_null($token) ? false : $token;
}
public function setAccessToken($access_token, $client_id, $user_id, $expires, $scope = null)
{
// if it exists, update it.
if ($this->getAccessToken($access_token)) {
$this->setObjectByType('access_token_table',$access_token, array(
'access_token' => $access_token,
'client_id' => $client_id,
'expires' => $expires,
'user_id' => $user_id,
'scope' => $scope
));
} else {
$this->setObjectByType('access_token_table',$access_token, array(
'access_token' => $access_token,
'client_id' => $client_id,
'expires' => $expires,
'user_id' => $user_id,
'scope' => $scope
));
}
return true;
}
/* AuthorizationCodeInterface */
public function getAuthorizationCode($code)
{
$code = $this->getObjectByType('code_table',$code);
return is_null($code) ? false : $code;
}
public function setAuthorizationCode($code, $client_id, $user_id, $redirect_uri, $expires, $scope = null, $id_token = null)
{
// if it exists, update it.
if ($this->getAuthorizationCode($code)) {
$this->setObjectByType('code_table',$code, array(
'authorization_code' => $code,
'client_id' => $client_id,
'user_id' => $user_id,
'redirect_uri' => $redirect_uri,
'expires' => $expires,
'scope' => $scope,
'id_token' => $id_token,
));
} else {
$this->setObjectByType('code_table',$code,array(
'authorization_code' => $code,
'client_id' => $client_id,
'user_id' => $user_id,
'redirect_uri' => $redirect_uri,
'expires' => $expires,
'scope' => $scope,
'id_token' => $id_token,
));
}
return true;
}
public function expireAuthorizationCode($code)
{
$this->deleteObjectByType('code_table',$code);
return true;
}
/* UserCredentialsInterface */
public function checkUserCredentials($username, $password)
{
if ($user = $this->getUser($username)) {
return $this->checkPassword($user, $password);
}
return false;
}
public function getUserDetails($username)
{
if ($user = $this->getUser($username)) {
$user['user_id'] = $user['username'];
}
return $user;
}
/* RefreshTokenInterface */
public function getRefreshToken($refresh_token)
{
$token = $this->getObjectByType('refresh_token_table',$refresh_token);
return is_null($token) ? false : $token;
}
public function setRefreshToken($refresh_token, $client_id, $user_id, $expires, $scope = null)
{
$this->setObjectByType('refresh_token_table',$refresh_token, array(
'refresh_token' => $refresh_token,
'client_id' => $client_id,
'user_id' => $user_id,
'expires' => $expires,
'scope' => $scope
));
return true;
}
public function unsetRefreshToken($refresh_token)
{
$this->deleteObjectByType('refresh_token_table',$refresh_token);
return true;
}
// plaintext passwords are bad! Override this for your application
protected function checkPassword($user, $password)
{
return $user['password'] == $password;
}
public function getUser($username)
{
$result = $this->getObjectByType('user_table',$username);
return is_null($result) ? false : $result;
}
public function setUser($username, $password, $firstName = null, $lastName = null)
{
if ($this->getUser($username)) {
$this->setObjectByType('user_table',$username, array(
'username' => $username,
'password' => $password,
'first_name' => $firstName,
'last_name' => $lastName
));
} else {
$this->setObjectByType('user_table',$username, array(
'username' => $username,
'password' => $password,
'first_name' => $firstName,
'last_name' => $lastName
));
}
return true;
}
public function getClientKey($client_id, $subject)
{
if (!$jwt = $this->getObjectByType('jwt_table',$client_id)) {
return false;
}
if (isset($jwt['subject']) && $jwt['subject'] == $subject) {
return $jwt['key'];
}
return false;
}
public function getClientScope($client_id)
{
if (!$clientDetails = $this->getClientDetails($client_id)) {
return false;
}
if (isset($clientDetails['scope'])) {
return $clientDetails['scope'];
}
return null;
}
public function getJti($client_id, $subject, $audience, $expiration, $jti)
{
//TODO: Needs couchbase implementation.
throw new \Exception('getJti() for the Couchbase driver is currently unimplemented.');
}
public function setJti($client_id, $subject, $audience, $expiration, $jti)
{
//TODO: Needs couchbase implementation.
throw new \Exception('setJti() for the Couchbase driver is currently unimplemented.');
}
}

370
oauth/OAuth2/Storage/Pdo.php Normal file
View File

@ -0,0 +1,370 @@
<?php
namespace OAuth2\Storage;
/**
* Simple PDO storage for all storage types
*
* NOTE: This class is meant to get users started
* quickly. If your application requires further
* customization, extend this class or create your own.
*
* NOTE: Passwords are stored in plaintext, which is never
* a good idea. Be sure to override this for your application
*
* @author Brent Shaffer <bshafs at gmail dot com>
*/
class Pdo implements
AuthorizationCodeInterface,
AccessTokenInterface,
ClientCredentialsInterface,
RefreshTokenInterface,
ScopeInterface
{
protected $db;
protected $config;
public function __construct($connection, $config = array())
{
if (!$connection instanceof \PDO) {
if (is_string($connection)) {
$connection = array('dsn' => $connection);
}
if (!is_array($connection)) {
throw new \InvalidArgumentException('First argument to OAuth2\Storage\Pdo must be an instance of PDO, a DSN string, or a configuration array');
}
if (!isset($connection['dsn'])) {
throw new \InvalidArgumentException('configuration array must contain "dsn"');
}
// merge optional parameters
$connection = array_merge(array(
'username' => null,
'password' => null,
'options' => array(),
), $connection);
$connection = new \PDO($connection['dsn'], $connection['username'], $connection['password'], $connection['options']);
}
$this->db = $connection;
// debugging
$connection->setAttribute(\PDO::ATTR_ERRMODE, \PDO::ERRMODE_EXCEPTION);
$this->config = array_merge(array(
'client_table' => 'oauth_clients',
'access_token_table' => 'oauth_access_tokens',
'refresh_token_table' => 'oauth_refresh_tokens',
'code_table' => 'oauth_authorization_codes',
'scope_table' => 'oauth_scopes',
'assoc_users_table' => 'users'
), $config);
}
/* OAuth2\Storage\ClientCredentialsInterface */
public function checkClientCredentials($client_id, $client_secret = null)
{
$stmt = $this->db->prepare(sprintf('SELECT * from %s where client_id = :client_id', $this->config['client_table']));
$stmt->execute(compact('client_id'));
$result = $stmt->fetch(\PDO::FETCH_ASSOC);
// make this extensible
return $result && $result['client_secret'] == $client_secret;
}
public function isPublicClient($client_id)
{
$stmt = $this->db->prepare(sprintf('SELECT * from %s where client_id = :client_id', $this->config['client_table']));
$stmt->execute(compact('client_id'));
if (!$result = $stmt->fetch(\PDO::FETCH_ASSOC)) {
return false;
}
return empty($result['client_secret']);
}
/* OAuth2\Storage\ClientInterface */
public function getClientDetails($client_id)
{
$stmt = $this->db->prepare(sprintf('SELECT * from %s where client_id = :client_id', $this->config['client_table']));
$stmt->execute(compact('client_id'));
return $stmt->fetch(\PDO::FETCH_ASSOC);
}
public function getClientScope($client_id)
{
if (!$clientDetails = $this->getClientDetails($client_id)) {
return false;
}
if (isset($clientDetails['scope'])) {
return $clientDetails['scope'];
}
return null;
}
public function checkRestrictedGrantType($client_id, $grant_type)
{
$details = $this->getClientDetails($client_id);
if (isset($details['grant_types'])) {
$grant_types = explode(' ', $details['grant_types']);
return in_array($grant_type, (array) $grant_types);
}
// if grant_types are not defined, then none are restricted
return true;
}
/* OAuth2\Storage\AccessTokenInterface */
public function getAccessToken($access_token)
{
$stmt = $this->db->prepare(sprintf('SELECT * from %s where access_token = :access_token', $this->config['access_token_table']));
$token = $stmt->execute(compact('access_token'));
if ($token = $stmt->fetch(\PDO::FETCH_ASSOC)) {
// convert date string back to timestamp
$token['expires'] = strtotime($token['expires']);
}
return $token;
}
public function setAccessToken($access_token, $client_id, $user_id, $expires, $scope = null)
{
// convert expires to datestring
$expires = date('Y-m-d H:i:s', $expires);
// if it exists, update it.
if ($this->getAccessToken($access_token)) {
$stmt = $this->db->prepare(sprintf('UPDATE %s SET client_id=:client_id, expires=:expires, user_id=:user_id, scope=:scope where access_token=:access_token', $this->config['access_token_table']));
} else {
$stmt = $this->db->prepare(sprintf('INSERT INTO %s (access_token, client_id, expires, user_id, scope) VALUES (:access_token, :client_id, :expires, :user_id, :scope)', $this->config['access_token_table']));
}
return $stmt->execute(compact('access_token', 'client_id', 'user_id', 'expires', 'scope'));
}
public function unsetAccessToken($access_token)
{
$stmt = $this->db->prepare(sprintf('DELETE FROM %s WHERE access_token = :access_token', $this->config['access_token_table']));
$stmt->execute(compact('access_token'));
return $stmt->rowCount() > 0;
}
/* OAuth2\Storage\AuthorizationCodeInterface */
public function getAuthorizationCode($code)
{
$stmt = $this->db->prepare(sprintf('SELECT * from %s where authorization_code = :code', $this->config['code_table']));
$stmt->execute(compact('code'));
if ($code = $stmt->fetch(\PDO::FETCH_ASSOC)) {
// convert date string back to timestamp
$code['expires'] = strtotime($code['expires']);
}
return $code;
}
public function setAuthorizationCode($code, $client_id, $user_id, $redirect_uri, $expires, $scope = null)
{
// convert expires to datestring
$expires = date('Y-m-d H:i:s', $expires);
// if it exists, update it.
if ($this->getAuthorizationCode($code)) {
$stmt = $this->db->prepare($sql = sprintf('UPDATE %s SET client_id=:client_id, user_id=:user_id, redirect_uri=:redirect_uri, expires=:expires, scope=:scope where authorization_code=:code', $this->config['code_table']));
} else {
$stmt = $this->db->prepare(sprintf('INSERT INTO %s (authorization_code, client_id, user_id, redirect_uri, expires, scope) VALUES (:code, :client_id, :user_id, :redirect_uri, :expires, :scope)', $this->config['code_table']));
}
return $stmt->execute(compact('code', 'client_id', 'user_id', 'redirect_uri', 'expires', 'scope'));
}
public function expireAuthorizationCode($code)
{
$stmt = $this->db->prepare(sprintf('DELETE FROM %s WHERE authorization_code = :code', $this->config['code_table']));
return $stmt->execute(compact('code'));
}
/* OAuth2\Storage\RefreshTokenInterface */
public function getRefreshToken($refresh_token)
{
$stmt = $this->db->prepare(sprintf('SELECT * FROM %s WHERE refresh_token = :refresh_token', $this->config['refresh_token_table']));
$token = $stmt->execute(compact('refresh_token'));
if ($token = $stmt->fetch(\PDO::FETCH_ASSOC)) {
// convert expires to epoch time
$token['expires'] = strtotime($token['expires']);
}
return $token;
}
public function setRefreshToken($refresh_token, $client_id, $user_id, $expires, $scope = null)
{
// convert expires to datestring
$expires = date('Y-m-d H:i:s', $expires);
$stmt = $this->db->prepare(sprintf('INSERT INTO %s (refresh_token, client_id, user_id, expires, scope) VALUES (:refresh_token, :client_id, :user_id, :expires, :scope)', $this->config['refresh_token_table']));
return $stmt->execute(compact('refresh_token', 'client_id', 'user_id', 'expires', 'scope'));
}
public function unsetRefreshToken($refresh_token)
{
$stmt = $this->db->prepare(sprintf('DELETE FROM %s WHERE refresh_token = :refresh_token', $this->config['refresh_token_table']));
$stmt->execute(compact('refresh_token'));
return $stmt->rowCount() > 0;
}
/* ScopeInterface */
public function scopeExists($scope)
{
$scope = explode(' ', $scope);
$whereIn = implode(',', array_fill(0, count($scope), '?'));
$stmt = $this->db->prepare(sprintf('SELECT count(scope) as count FROM %s WHERE scope IN (%s)', $this->config['scope_table'], $whereIn));
$stmt->execute($scope);
if ($result = $stmt->fetch(\PDO::FETCH_ASSOC)) {
return $result['count'] == count($scope);
}
return false;
}
public function getDefaultScope($client_id = null)
{
$stmt = $this->db->prepare(sprintf('SELECT scope FROM %s WHERE is_default=:is_default', $this->config['scope_table']));
$stmt->execute(array('is_default' => true));
if ($result = $stmt->fetchAll(\PDO::FETCH_ASSOC)) {
$defaultScope = array_map(function ($row) {
return $row['scope'];
}, $result);
return implode(' ', $defaultScope);
}
return null;
}
/*-------------------------------------------------------------------------------------------------------------------------------------------------*/
/**
* @author Denis CLAVIER <clavierd at gmail dot com>
*/
/**
* get user id on Oauth2 server
*
* @param string $username
* Username of an LDAP user (often uid)
*
* @return
* The id associated to username in users table
* and FALSE if username is not in the users table
*/
public function getUsersID($username)
{
$stmt = $this->db->prepare($sql = sprintf('SELECT id FROM %s WHERE username=:username', $this->config['assoc_users_table']));
$stmt->execute(compact('username'));
// If user exist return his id
if ($result = $stmt->fetch(\PDO::FETCH_ASSOC)) {
return $result['id'];
}
// If user does not exist, return false
return false;
}
/**
* set an id for username on Oauth2 server
*
* @param string $username
* Username of an LDAP user (often uid)
*
* @return
* TRUE if insertion has succeed
* and FALSE if is not
*
* An unique ID is linked to the username after this function
*/
public function setUsersID($username)
{
$stmt = $this->db->prepare(sprintf('INSERT INTO %s (username) VALUES (:username)', $this->config['assoc_users_table']));
return $stmt->execute(compact('username'));
}
/*-------------------------------------------------------------------------------------------------------------------------------------------------*/
/**
* DDL to create OAuth2 database and tables for PDO storage
*
* @see https://github.com/dsquier/oauth2-server-php-mysql
*/
public function getBuildSql($dbName = 'oauth2_server_php')
{
$sql = "
CREATE TABLE {$this->config['client_table']} (
client_id VARCHAR(80) NOT NULL,
client_secret VARCHAR(80),
redirect_uri VARCHAR(2000),
grant_types VARCHAR(80),
scope VARCHAR(4000),
user_id VARCHAR(80),
PRIMARY KEY (client_id)
);
CREATE TABLE {$this->config['access_token_table']} (
access_token VARCHAR(40) NOT NULL,
client_id VARCHAR(80) NOT NULL,
user_id VARCHAR(80),
expires TIMESTAMP NOT NULL,
scope VARCHAR(4000),
PRIMARY KEY (access_token)
);
CREATE TABLE {$this->config['code_table']} (
authorization_code VARCHAR(40) NOT NULL,
client_id VARCHAR(80) NOT NULL,
user_id VARCHAR(80),
redirect_uri VARCHAR(2000),
expires TIMESTAMP NOT NULL,
scope VARCHAR(4000),
PRIMARY KEY (authorization_code)
);
CREATE TABLE {$this->config['refresh_token_table']} (
refresh_token VARCHAR(40) NOT NULL,
client_id VARCHAR(80) NOT NULL,
user_id VARCHAR(80),
expires TIMESTAMP NOT NULL,
scope VARCHAR(4000),
PRIMARY KEY (refresh_token)
);
CREATE TABLE {$this->config['user_table']} (
id SERIAL NOT NULL,
username VARCHAR(80) NOT NULL,
PRIMARY KEY (id)
);
CREATE TABLE {$this->config['scope_table']} (
scope VARCHAR(80) NOT NULL,
is_default BOOLEAN,
PRIMARY KEY (scope)
);
";
return $sql;
}
}

82
oauth/OAuth2/Storage/RefreshTokenInterface.php Normal file
View File

@ -0,0 +1,82 @@
<?php
namespace OAuth2\Storage;
/**
* Implement this interface to specify where the OAuth2 Server
* should get/save refresh tokens for the "Refresh Token"
* grant type
*
* @author Brent Shaffer <bshafs at gmail dot com>
*/
interface RefreshTokenInterface
{
/**
* Grant refresh access tokens.
*
* Retrieve the stored data for the given refresh token.
*
* Required for OAuth2::GRANT_TYPE_REFRESH_TOKEN.
*
* @param $refresh_token
* Refresh token to be check with.
*
* @return
* An associative array as below, and NULL if the refresh_token is
* invalid:
* - refresh_token: Refresh token identifier.
* - client_id: Client identifier.
* - user_id: User identifier.
* - expires: Expiration unix timestamp, or 0 if the token doesn't expire.
* - scope: (optional) Scope values in space-separated string.
*
* @see http://tools.ietf.org/html/rfc6749#section-6
*
* @ingroup oauth2_section_6
*/
public function getRefreshToken($refresh_token);
/**
* Take the provided refresh token values and store them somewhere.
*
* This function should be the storage counterpart to getRefreshToken().
*
* If storage fails for some reason, we're not currently checking for
* any sort of success/failure, so you should bail out of the script
* and provide a descriptive fail message.
*
* Required for OAuth2::GRANT_TYPE_REFRESH_TOKEN.
*
* @param $refresh_token
* Refresh token to be stored.
* @param $client_id
* Client identifier to be stored.
* @param $user_id
* User identifier to be stored.
* @param $expires
* Expiration timestamp to be stored. 0 if the token doesn't expire.
* @param $scope
* (optional) Scopes to be stored in space-separated string.
*
* @ingroup oauth2_section_6
*/
public function setRefreshToken($refresh_token, $client_id, $user_id, $expires, $scope = null);
/**
* Expire a used refresh token.
*
* This is not explicitly required in the spec, but is almost implied.
* After granting a new refresh token, the old one is no longer useful and
* so should be forcibly expired in the data store so it can't be used again.
*
* If storage fails for some reason, we're not currently checking for
* any sort of success/failure, so you should bail out of the script
* and provide a descriptive fail message.
*
* @param $refresh_token
* Refresh token to be expired.
*
* @ingroup oauth2_section_6
*/
public function unsetRefreshToken($refresh_token);
}

46
oauth/OAuth2/Storage/ScopeInterface.php Normal file
View File

@ -0,0 +1,46 @@
<?php
namespace OAuth2\Storage;
/**
* Implement this interface to specify where the OAuth2 Server
* should retrieve data involving the relevent scopes associated
* with this implementation.
*
* @author Brent Shaffer <bshafs at gmail dot com>
*/
interface ScopeInterface
{
/**
* Check if the provided scope exists.
*
* @param $scope
* A space-separated string of scopes.
*
* @return
* TRUE if it exists, FALSE otherwise.
*/
public function scopeExists($scope);
/**
* The default scope to use in the event the client
* does not request one. By returning "false", a
* request_error is returned by the server to force a
* scope request by the client. By returning "null",
* opt out of requiring scopes
*
* @param $client_id
* An optional client id that can be used to return customized default scopes.
*
* @return
* string representation of default scope, null if
* scopes are not defined, or false to force scope
* request by the client
*
* ex:
* 'default'
* ex:
* null
*/
public function getDefaultScope($client_id = null);
}

130
oauth/OAuth2/TokenType/Bearer.php Normal file
View File

@ -0,0 +1,130 @@
<?php
namespace OAuth2\TokenType;
use OAuth2\RequestInterface;
use OAuth2\ResponseInterface;
/**
*
*/
class Bearer implements TokenTypeInterface
{
private $config;
public function __construct(array $config = array())
{
$this->config = array_merge(array(
'token_param_name' => 'access_token',
'token_bearer_header_name' => 'Bearer',
), $config);
}
public function getTokenType()
{
return 'Bearer';
}
/**
* Check if the request has supplied token
*
* @see https://github.com/bshaffer/oauth2-server-php/issues/349#issuecomment-37993588
*/
public function requestHasToken(RequestInterface $request)
{
$headers = $request->headers('AUTHORIZATION');
// check the header, then the querystring, then the request body
return !empty($headers) || (bool) ($request->request($this->config['token_param_name'])) || (bool) ($request->query($this->config['token_param_name']));
}
/**
* This is a convenience function that can be used to get the token, which can then
* be passed to getAccessTokenData(). The constraints specified by the draft are
* attempted to be adheared to in this method.
*
* As per the Bearer spec (draft 8, section 2) - there are three ways for a client
* to specify the bearer token, in order of preference: Authorization Header,
* POST and GET.
*
* NB: Resource servers MUST accept tokens via the Authorization scheme
* (http://tools.ietf.org/html/rfc6750#section-2).
*
* @todo Should we enforce TLS/SSL in this function?
*
* @see http://tools.ietf.org/html/rfc6750#section-2.1
* @see http://tools.ietf.org/html/rfc6750#section-2.2
* @see http://tools.ietf.org/html/rfc6750#section-2.3
*
* Old Android version bug (at least with version 2.2)
* @see http://code.google.com/p/android/issues/detail?id=6684
*
*/
public function getAccessTokenParameter(RequestInterface $request, ResponseInterface $response)
{
$headers = $request->headers('AUTHORIZATION');
/**
* Ensure more than one method is not used for including an
* access token
*
* @see http://tools.ietf.org/html/rfc6750#section-3.1
*/
$methodsUsed = !empty($headers) + (bool) ($request->query($this->config['token_param_name'])) + (bool) ($request->request($this->config['token_param_name']));
if ($methodsUsed > 1) {
$response->setError(400, 'invalid_request', 'Only one method may be used to authenticate at a time (Auth header, GET or POST)');
return null;
}
/**
* If no authentication is provided, set the status code
* to 401 and return no other error information
*
* @see http://tools.ietf.org/html/rfc6750#section-3.1
*/
if ($methodsUsed == 0) {
$response->setStatusCode(401);
return null;
}
// HEADER: Get the access token from the header
if (!empty($headers)) {
if (!preg_match('/' . $this->config['token_bearer_header_name'] . '\s(\S+)/i', $headers, $matches)) {
$response->setError(400, 'invalid_request', 'Malformed auth header');
return null;
}
return $matches[1];
}
if ($request->request($this->config['token_param_name'])) {
// // POST: Get the token from POST data
if (!in_array(strtolower($request->server('REQUEST_METHOD')), array('post', 'put'))) {
$response->setError(400, 'invalid_request', 'When putting the token in the body, the method must be POST or PUT', '#section-2.2');
return null;
}
$contentType = $request->server('CONTENT_TYPE');
if (false !== $pos = strpos($contentType, ';')) {
$contentType = substr($contentType, 0, $pos);
}
if ($contentType !== null && $contentType != 'application/x-www-form-urlencoded') {
// IETF specifies content-type. NB: Not all webservers populate this _SERVER variable
// @see http://tools.ietf.org/html/rfc6750#section-2.2
$response->setError(400, 'invalid_request', 'The content type for POST requests must be "application/x-www-form-urlencoded"');
return null;
}
return $request->request($this->config['token_param_name']);
}
// GET method
return $request->query($this->config['token_param_name']);
}
}

21
oauth/OAuth2/TokenType/TokenTypeInterface.php Normal file
View File

@ -0,0 +1,21 @@
<?php
namespace OAuth2\TokenType;
use OAuth2\RequestInterface;
use OAuth2\ResponseInterface;
interface TokenTypeInterface
{
/**
* Token type identification string
*
* ex: "bearer" or "mac"
*/
public function getTokenType();
/**
* Retrieves the token string from the request object
*/
public function getAccessTokenParameter(RequestInterface $request, ResponseInterface $response);
}

55
oauth/authorize.php Normal file
View File

@ -0,0 +1,55 @@
<?php
session_start();
/**
* @author Denis CLAVIER <clavierd at gmail dot com>
* Adapted from Oauth2-server-php cookbook
* @see http://bshaffer.github.io/oauth2-server-php-docs/cookbook/
*/
// include our OAuth2 Server object
require_once __DIR__.'/server.php';
$request = OAuth2\Request::createFromGlobals();
$response = new OAuth2\Response();
// validate the authorize request
if (!$server->validateAuthorizeRequest($request, $response)) {
$response->send();
die;
}
// if user is not yet authenticated, he is redirected.
if (!isset($_SESSION['uid']))
{
//store the authorize request
$_SESSION['auth_page']=end(explode("/", strip_tags(trim($_SERVER['REQUEST_URI']))));
header('Location: index.php');
exit();
}
// display an authorization form
if (empty($_POST)) {
exit('
<form method="post">
<label>Mattermost wants to access your LDAP informations (ID, complete name, mail) </label><br />
<input type="submit" name="authorized" value="Authorize">
<input type="submit" name="authorized" value="Deny">
</form>');
}
// print the authorization code if the user has authorized your client
$is_authorized = ($_POST['authorized'] === 'Authorize');
$server->handleAuthorizeRequest($request, $response, $is_authorized,$_SESSION['uid']);
if ($is_authorized)
{
// this is only here so that you get to see your code in the cURL request. Otherwise, we'd redirect back to the client
$code = substr($response->getHttpHeader('Location'), strpos($response->getHttpHeader('Location'), 'code=')+5, 40);
header('Location: ' . $response->getHttpHeader('Location'));
exit();
}
// Send message in case of error
$response->send();

74
oauth/connexion.php Normal file
View File

@ -0,0 +1,74 @@
<?php
session_start();
/**
* @author Denis CLAVIER <clavierd at gmail dot com>
*/
// include our LDAP object
require_once __DIR__.'/LDAP/LDAP.php';
require_once __DIR__.'/LDAP/config_ldap.php';
// Verify all fields have been filled
if (empty($_POST['user']) || empty($_POST['password']))
{
echo 'You must fill each field';
echo 'Click <a href="./index.php">here</a> to come back to login page';
}
else
{
// Check received data length (to prevent code injection)
if (strlen($_POST['user']) > 15)
{
echo 'Strange username ... Please try again';
echo 'Click <a href="./index.php">here</a> to come back to login page';
}
elseif (strlen($_POST['password']) > 50 || strlen($_POST['password']) <= 7)
{
echo 'Strange password ... Please try again';
echo 'Click <a href="./index.php">here</a> to come back to login page';
}
else
{
// Remove every html tag and useless space on username (to prevent XSS)
$user=strip_tags(trim($_POST['user']));
$user=$_POST['user'];
$password=$_POST['password'];
// Open a LDAP connection
$ldap = new LDAP($hostname,$port);
//##################################################\\
// /!\ Adapt here with your LDAP config /!\ \\
//##################################################\\
$rdn = 'uid=' . $user . ',ou=People,o=Company';
/****************************************************/
// Check user credential on LDAP
if ($ldap->checkLogin($rdn,$password))
{
$_SESSION['uid']=$user;
// If user came here with an autorize request, redirect him to the authorize page. Else prompt a simple message.
if (isset($_SESSION['auth_page']))
{
$auth_page=$_SESSION['auth_page'];
header('Location: ' . $auth_page);
exit();
}
else
{
echo "Congratulation you are authenticated ! <br /><br /> However there is nothing to do here ...";
}
}
// check login on LDAP has failed. Login and password were invalid or LDAP is unreachable
else
{
echo "Authetification failed ... Check your username and password.<br />If error persist contact your administrator.<br /><br />";
echo 'Click <a href="./index.php">here</a> to come back to login page';
}
}
}

24
oauth/index.php Normal file
View File

@ -0,0 +1,24 @@
<?php
session_start();
?>
<!DOCTYPE html>
<html>
<head>
<title>LDAP Connection Interface</title>
</head>
<body>
<form method="post" action="connexion.php">
<fieldset>
<legend>Connection</legend>
<p>
<label for="user">Username :</label><input name="user" type="text" id="user" /><br />
<label for="password">Password :</label><input type="password" name="password" id="password" />
</p>
</fieldset>
<p><input type="submit" value="Connexion" /></p>
</form>
</body>
</html>

53
oauth/resource.php Normal file
View File

@ -0,0 +1,53 @@
<?php
/**
* @author Denis CLAVIER <clavierd at gmail dot com>
* Adapted from Oauth2-server-php cookbook
* @see http://bshaffer.github.io/oauth2-server-php-docs/cookbook/
*/
// include our OAuth2 Server object
require_once __DIR__.'/server.php';
// include our LDAP object
require_once __DIR__.'/LDAP/LDAP.php';
require_once __DIR__.'/LDAP/config_ldap.php';
// Handle a request to a resource and authenticate the access token
if (!$server->verifyResourceRequest(OAuth2\Request::createFromGlobals())) {
$server->getResponse()->send();
die;
}
// set default error message
$resp = array("error" => "Unknow error", "message" => "An unknown error has occured, please report this bug");
// get information on user associated to the token
$info_oauth = $server->getAccessTokenData(OAuth2\Request::createFromGlobals());
$uid = $info_oauth["user_id"];
$assoc_id = $info_oauth["assoc_id"];
//##################################################\\
// /!\ Adapt here with your LDAP config /!\ \\
//##################################################\\
$base = "o=Company";
$filter = "uid=" . $uid;
/****************************************************/
// Open a LDAP connection
$ldap = new LDAP($hostname,$port);
// Try to get user data on the LDAP
try
{
$data = $ldap->getDataForMattermost($base,$filter);
$resp = array("name" => $data['cn'],"username" => $uid,"id" => $assoc_id,"state" => "active","email" => $data['mail']);
}
catch (Exception $e)
{
$resp = array("error" => "Impossible to get data", "message" => $e->getMessage());
}
// send data or error message in JSON format
echo json_encode($resp);

25
oauth/server.php Normal file
View File

@ -0,0 +1,25 @@
<?php
/**
* Adapted from Oauth2-server-php cookbook
* @see http://bshaffer.github.io/oauth2-server-php-docs/cookbook/
*/
$dsn = 'pgsql:dbname=oauth_db;host=localhost;port=5432';
$username = 'oauth';
$password = 'oauth_secure-pass';
// error reporting (this is a demo, after all!)
ini_set('display_errors',1);error_reporting(E_ALL);
// Autoloading (composer is preferred, but for this example let's just do this)
require_once('OAuth2/Autoloader.php');
OAuth2\Autoloader::register();
//$dsn is the Data Source Name for your database, for exmaple "mysql:dbname=my_oauth2_db;host=localhost"
$storage = new OAuth2\Storage\Pdo(array('dsn' => $dsn, 'username' => $username, 'password' => $password));
// Pass a storage object or array of storage objects to the OAuth2 server class
$server = new OAuth2\Server($storage);
// Add the "Authorization Code" grant type (this is where the oauth magic happens)
$server->addGrantType(new OAuth2\GrantType\AuthorizationCode($storage));

12
oauth/token.php Normal file
View File

@ -0,0 +1,12 @@
<?php
/**
* Adapted from Oauth2-server-php cookbook
* @see http://bshaffer.github.io/oauth2-server-php-docs/cookbook/
*/
// include our OAuth2 Server object
require_once __DIR__.'/server.php';
// Handle a request for an OAuth2.0 Access Token and send the response to the client
$server->handleTokenRequest(OAuth2\Request::createFromGlobals())->send();
?>