+ * $config = array(
+ * 'allow_credentials_in_request_body' => true, // whether to look for credentials in the POST body in addition to the Authorize HTTP Header
+ * 'allow_public_clients' => true // if true, "public clients" (clients without a secret) may be authenticated
+ * );
+ *
+ */
+ public function __construct(ClientCredentialsInterface $storage, array $config = array())
+ {
+ $this->storage = $storage;
+ $this->config = array_merge(array(
+ 'allow_credentials_in_request_body' => true,
+ 'allow_public_clients' => true,
+ ), $config);
+ }
+
+ public function validateRequest(RequestInterface $request, ResponseInterface $response)
+ {
+ if (!$clientData = $this->getClientCredentials($request, $response)) {
+ return false;
+ }
+
+ if (!isset($clientData['client_id'])) {
+ throw new \LogicException('the clientData array must have "client_id" set');
+ }
+
+ if (!isset($clientData['client_secret']) || $clientData['client_secret'] == '') {
+ if (!$this->config['allow_public_clients']) {
+ $response->setError(400, 'invalid_client', 'client credentials are required');
+
+ return false;
+ }
+
+ if (!$this->storage->isPublicClient($clientData['client_id'])) {
+ $response->setError(400, 'invalid_client', 'This client is invalid or must authenticate using a client secret');
+
+ return false;
+ }
+ } elseif ($this->storage->checkClientCredentials($clientData['client_id'], $clientData['client_secret']) === false) {
+ $response->setError(400, 'invalid_client', 'The client credentials are invalid');
+
+ return false;
+ }
+
+ $this->clientData = $clientData;
+
+ return true;
+ }
+
+ public function getClientId()
+ {
+ return $this->clientData['client_id'];
+ }
+
+ /**
+ * Internal function used to get the client credentials from HTTP basic
+ * auth or POST data.
+ *
+ * According to the spec (draft 20), the client_id can be provided in
+ * the Basic Authorization header (recommended) or via GET/POST.
+ *
+ * @return
+ * A list containing the client identifier and password, for example
+ * @code
+ * return array(
+ * "client_id" => CLIENT_ID, // REQUIRED the client id
+ * "client_secret" => CLIENT_SECRET, // OPTIONAL the client secret (may be omitted for public clients)
+ * );
+ * @endcode
+ *
+ * @see http://tools.ietf.org/html/rfc6749#section-2.3.1
+ *
+ * @ingroup oauth2_section_2
+ */
+ public function getClientCredentials(RequestInterface $request, ResponseInterface $response = null)
+ {
+ if (!is_null($request->headers('PHP_AUTH_USER')) && !is_null($request->headers('PHP_AUTH_PW'))) {
+ return array('client_id' => $request->headers('PHP_AUTH_USER'), 'client_secret' => $request->headers('PHP_AUTH_PW'));
+ }
+
+ if ($this->config['allow_credentials_in_request_body']) {
+ // Using POST for HttpBasic authorization is not recommended, but is supported by specification
+ if (!is_null($request->request('client_id'))) {
+ /**
+ * client_secret can be null if the client's password is an empty string
+ * @see http://tools.ietf.org/html/rfc6749#section-2.3.1
+ */
+
+ return array('client_id' => $request->request('client_id'), 'client_secret' => $request->request('client_secret'));
+ }
+ }
+
+ if ($response) {
+ $message = $this->config['allow_credentials_in_request_body'] ? ' or body' : '';
+ $response->setError(400, 'invalid_client', 'Client credentials were not found in the headers'.$message);
+ }
+
+ return null;
+ }
+}
diff --git a/oauth/OAuth2/Controller/AuthorizeController.php b/oauth/OAuth2/Controller/AuthorizeController.php
new file mode 100644
index 0000000..2c878a5
--- /dev/null
+++ b/oauth/OAuth2/Controller/AuthorizeController.php
@@ -0,0 +1,394 @@
+
+ * $config = array(
+ * 'allow_implicit' => false, // if the controller should allow the "implicit" grant type
+ * 'enforce_state' => true // if the controller should require the "state" parameter
+ * 'require_exact_redirect_uri' => true, // if the controller should require an exact match on the "redirect_uri" parameter
+ * 'redirect_status_code' => 302, // HTTP status code to use for redirect responses
+ * );
+ *
+ * @param OAuth2\ScopeInterface $scopeUtil OPTIONAL Instance of OAuth2\ScopeInterface to validate the requested scope
+ */
+ public function __construct(ClientInterface $clientStorage, array $responseTypes = array(), array $config = array(), ScopeInterface $scopeUtil = null)
+ {
+ $this->clientStorage = $clientStorage;
+ $this->responseTypes = $responseTypes;
+ $this->config = array_merge(array(
+ 'allow_implicit' => false,
+ 'enforce_state' => true,
+ 'require_exact_redirect_uri' => true,
+ 'redirect_status_code' => 302,
+ ), $config);
+
+ if (is_null($scopeUtil)) {
+ $scopeUtil = new Scope();
+ }
+ $this->scopeUtil = $scopeUtil;
+ }
+
+ public function handleAuthorizeRequest(RequestInterface $request, ResponseInterface $response, $is_authorized, $user_id = null)
+ {
+
+ if (!is_bool($is_authorized)) {
+ throw new \InvalidArgumentException('Argument "is_authorized" must be a boolean. This method must know if the user has granted access to the client.');
+ }
+
+ // We repeat this, because we need to re-validate. The request could be POSTed
+ // by a 3rd-party (because we are not internally enforcing NONCEs, etc)
+ if (!$this->validateAuthorizeRequest($request, $response)) {
+ return;
+ }
+
+ // If no redirect_uri is passed in the request, use client's registered one
+ if (empty($this->redirect_uri)) {
+ $clientData = $this->clientStorage->getClientDetails($this->client_id);
+ $registered_redirect_uri = $clientData['redirect_uri'];
+ }
+
+ // the user declined access to the client's application
+ if ($is_authorized === false) {
+ $redirect_uri = $this->redirect_uri ?: $registered_redirect_uri;
+ $this->setNotAuthorizedResponse($request, $response, $redirect_uri, $user_id);
+
+ return;
+ }
+
+ // build the parameters to set in the redirect URI
+ if (!$params = $this->buildAuthorizeParameters($request, $response, $user_id)) {
+ return;
+ }
+
+ $authResult = $this->responseTypes[$this->response_type]->getAuthorizeResponse($params, $user_id);
+
+ list($redirect_uri, $uri_params) = $authResult;
+
+ if (empty($redirect_uri) && !empty($registered_redirect_uri)) {
+ $redirect_uri = $registered_redirect_uri;
+ }
+
+ $uri = $this->buildUri($redirect_uri, $uri_params);
+
+ // return redirect response
+ $response->setRedirect($this->config['redirect_status_code'], $uri);
+ }
+
+ protected function setNotAuthorizedResponse(RequestInterface $request, ResponseInterface $response, $redirect_uri, $user_id = null)
+ {
+ $error = 'access_denied';
+ $error_message = 'The user denied access to your application';
+ $response->setRedirect($this->config['redirect_status_code'], $redirect_uri, $this->state, $error, $error_message);
+ }
+
+ /*
+ * We have made this protected so this class can be extended to add/modify
+ * these parameters
+ */
+ protected function buildAuthorizeParameters($request, $response, $user_id)
+ {
+ // @TODO: we should be explicit with this in the future
+ $params = array(
+ 'scope' => $this->scope,
+ 'state' => $this->state,
+ 'client_id' => $this->client_id,
+ 'redirect_uri' => $this->redirect_uri,
+ 'response_type' => $this->response_type,
+ );
+
+ return $params;
+ }
+
+ /**
+ * @param RequestInterface $request
+ * @param ResponseInterface $response
+ * @return bool
+ */
+ public function validateAuthorizeRequest(RequestInterface $request, ResponseInterface $response)
+ {
+ // Make sure a valid client id was supplied (we can not redirect because we were unable to verify the URI)
+ if (!$client_id = $request->query('client_id', $request->request('client_id'))) {
+ // We don't have a good URI to use
+ $response->setError(400, 'invalid_client', "No client id supplied");
+
+ return false;
+ }
+
+ // Get client details
+ if (!$clientData = $this->clientStorage->getClientDetails($client_id)) {
+ $response->setError(400, 'invalid_client', 'The client id supplied is invalid');
+
+ return false;
+ }
+
+ $registered_redirect_uri = isset($clientData['redirect_uri']) ? $clientData['redirect_uri'] : '';
+
+ // Make sure a valid redirect_uri was supplied. If specified, it must match the clientData URI.
+ // @see http://tools.ietf.org/html/rfc6749#section-3.1.2
+ // @see http://tools.ietf.org/html/rfc6749#section-4.1.2.1
+ // @see http://tools.ietf.org/html/rfc6749#section-4.2.2.1
+ if ($supplied_redirect_uri = $request->query('redirect_uri', $request->request('redirect_uri'))) {
+ // validate there is no fragment supplied
+ $parts = parse_url($supplied_redirect_uri);
+ if (isset($parts['fragment']) && $parts['fragment']) {
+ $response->setError(400, 'invalid_uri', 'The redirect URI must not contain a fragment');
+
+ return false;
+ }
+
+ // validate against the registered redirect uri(s) if available
+ if ($registered_redirect_uri && !$this->validateRedirectUri($supplied_redirect_uri, $registered_redirect_uri)) {
+ $response->setError(400, 'redirect_uri_mismatch', 'The redirect URI provided is missing or does not match', '#section-3.1.2');
+
+ return false;
+ }
+ $redirect_uri = $supplied_redirect_uri;
+ } else {
+ // use the registered redirect_uri if none has been supplied, if possible
+ if (!$registered_redirect_uri) {
+ $response->setError(400, 'invalid_uri', 'No redirect URI was supplied or stored');
+
+ return false;
+ }
+
+ if (count(explode(' ', $registered_redirect_uri)) > 1) {
+ $response->setError(400, 'invalid_uri', 'A redirect URI must be supplied when multiple redirect URIs are registered', '#section-3.1.2.3');
+
+ return false;
+ }
+ $redirect_uri = $registered_redirect_uri;
+ }
+
+ // Select the redirect URI
+ $response_type = $request->query('response_type', $request->request('response_type'));
+
+ // for multiple-valued response types - make them alphabetical
+ if (false !== strpos($response_type, ' ')) {
+ $types = explode(' ', $response_type);
+ sort($types);
+ $response_type = ltrim(implode(' ', $types));
+ }
+
+ $state = $request->query('state', $request->request('state'));
+
+ // type and client_id are required
+ if (!$response_type || !in_array($response_type, $this->getValidResponseTypes())) {
+ $response->setRedirect($this->config['redirect_status_code'], $redirect_uri, $state, 'invalid_request', 'Invalid or missing response type', null);
+
+ return false;
+ }
+
+ if ($response_type == self::RESPONSE_TYPE_AUTHORIZATION_CODE) {
+ if (!isset($this->responseTypes['code'])) {
+ $response->setRedirect($this->config['redirect_status_code'], $redirect_uri, $state, 'unsupported_response_type', 'authorization code grant type not supported', null);
+
+ return false;
+ }
+ if (!$this->clientStorage->checkRestrictedGrantType($client_id, 'authorization_code')) {
+ $response->setRedirect($this->config['redirect_status_code'], $redirect_uri, $state, 'unauthorized_client', 'The grant type is unauthorized for this client_id', null);
+
+ return false;
+ }
+ if ($this->responseTypes['code']->enforceRedirect() && !$redirect_uri) {
+ $response->setError(400, 'redirect_uri_mismatch', 'The redirect URI is mandatory and was not supplied');
+
+ return false;
+ }
+ } else {
+ if (!$this->config['allow_implicit']) {
+ $response->setRedirect($this->config['redirect_status_code'], $redirect_uri, $state, 'unsupported_response_type', 'implicit grant type not supported', null);
+
+ return false;
+ }
+ if (!$this->clientStorage->checkRestrictedGrantType($client_id, 'implicit')) {
+ $response->setRedirect($this->config['redirect_status_code'], $redirect_uri, $state, 'unauthorized_client', 'The grant type is unauthorized for this client_id', null);
+
+ return false;
+ }
+ }
+
+ // validate requested scope if it exists
+ $requestedScope = $this->scopeUtil->getScopeFromRequest($request);
+
+ if ($requestedScope) {
+ // restrict scope by client specific scope if applicable,
+ // otherwise verify the scope exists
+ $clientScope = $this->clientStorage->getClientScope($client_id);
+ if ((empty($clientScope) && !$this->scopeUtil->scopeExists($requestedScope))
+ || (!empty($clientScope) && !$this->scopeUtil->checkScope($requestedScope, $clientScope))) {
+ $response->setRedirect($this->config['redirect_status_code'], $redirect_uri, $state, 'invalid_scope', 'An unsupported scope was requested', null);
+
+ return false;
+ }
+ } else {
+ // use a globally-defined default scope
+ $defaultScope = $this->scopeUtil->getDefaultScope($client_id);
+
+ if (false === $defaultScope) {
+ $response->setRedirect($this->config['redirect_status_code'], $redirect_uri, $state, 'invalid_client', 'This application requires you specify a scope parameter', null);
+
+ return false;
+ }
+
+ $requestedScope = $defaultScope;
+ }
+
+ // Validate state parameter exists (if configured to enforce this)
+ if ($this->config['enforce_state'] && !$state) {
+ $response->setRedirect($this->config['redirect_status_code'], $redirect_uri, null, 'invalid_request', 'The state parameter is required');
+
+ return false;
+ }
+
+ // save the input data and return true
+ $this->scope = $requestedScope;
+ $this->state = $state;
+ $this->client_id = $client_id;
+ // Only save the SUPPLIED redirect URI (@see http://tools.ietf.org/html/rfc6749#section-4.1.3)
+ $this->redirect_uri = $supplied_redirect_uri;
+ $this->response_type = $response_type;
+
+ return true;
+ }
+
+ /**
+ * Build the absolute URI based on supplied URI and parameters.
+ *
+ * @param $uri An absolute URI.
+ * @param $params Parameters to be append as GET.
+ *
+ * @return
+ * An absolute URI with supplied parameters.
+ *
+ * @ingroup oauth2_section_4
+ */
+ private function buildUri($uri, $params)
+ {
+ $parse_url = parse_url($uri);
+
+ // Add our params to the parsed uri
+ foreach ($params as $k => $v) {
+ if (isset($parse_url[$k])) {
+ $parse_url[$k] .= "&" . http_build_query($v, '', '&');
+ } else {
+ $parse_url[$k] = http_build_query($v, '', '&');
+ }
+ }
+
+ // Put humpty dumpty back together
+ return
+ ((isset($parse_url["scheme"])) ? $parse_url["scheme"] . "://" : "")
+ . ((isset($parse_url["user"])) ? $parse_url["user"]
+ . ((isset($parse_url["pass"])) ? ":" . $parse_url["pass"] : "") . "@" : "")
+ . ((isset($parse_url["host"])) ? $parse_url["host"] : "")
+ . ((isset($parse_url["port"])) ? ":" . $parse_url["port"] : "")
+ . ((isset($parse_url["path"])) ? $parse_url["path"] : "")
+ . ((isset($parse_url["query"]) && !empty($parse_url['query'])) ? "?" . $parse_url["query"] : "")
+ . ((isset($parse_url["fragment"])) ? "#" . $parse_url["fragment"] : "")
+ ;
+ }
+
+ protected function getValidResponseTypes()
+ {
+ return array(
+ self::RESPONSE_TYPE_ACCESS_TOKEN,
+ self::RESPONSE_TYPE_AUTHORIZATION_CODE,
+ );
+ }
+
+ /**
+ * Internal method for validating redirect URI supplied
+ *
+ * @param string $inputUri The submitted URI to be validated
+ * @param string $registeredUriString The allowed URI(s) to validate against. Can be a space-delimited string of URIs to
+ * allow for multiple URIs
+ *
+ * @see http://tools.ietf.org/html/rfc6749#section-3.1.2
+ */
+ protected function validateRedirectUri($inputUri, $registeredUriString)
+ {
+ if (!$inputUri || !$registeredUriString) {
+ return false; // if either one is missing, assume INVALID
+ }
+
+ $registered_uris = preg_split('/\s+/', $registeredUriString);
+ foreach ($registered_uris as $registered_uri) {
+ if ($this->config['require_exact_redirect_uri']) {
+ // the input uri is validated against the registered uri using exact match
+ if (strcmp($inputUri, $registered_uri) === 0) {
+ return true;
+ }
+ } else {
+ $registered_uri_length = strlen($registered_uri);
+ if ($registered_uri_length === 0) {
+ return false;
+ }
+
+ // the input uri is validated against the registered uri using case-insensitive match of the initial string
+ // i.e. additional query parameters may be applied
+ if (strcasecmp(substr($inputUri, 0, $registered_uri_length), $registered_uri) === 0) {
+ return true;
+ }
+ }
+ }
+
+ return false;
+ }
+
+ /**
+ * Convenience methods to access the parameters derived from the validated request
+ */
+
+ public function getScope()
+ {
+ return $this->scope;
+ }
+
+ public function getState()
+ {
+ return $this->state;
+ }
+
+ public function getClientId()
+ {
+ return $this->client_id;
+ }
+
+ public function getRedirectUri()
+ {
+ return $this->redirect_uri;
+ }
+
+ public function getResponseType()
+ {
+ return $this->response_type;
+ }
+}
diff --git a/oauth/OAuth2/Controller/AuthorizeControllerInterface.php b/oauth/OAuth2/Controller/AuthorizeControllerInterface.php
new file mode 100644
index 0000000..fa07ae8
--- /dev/null
+++ b/oauth/OAuth2/Controller/AuthorizeControllerInterface.php
@@ -0,0 +1,43 @@
+ $user_id = $this->somehowDetermineUserId();
+ * > $is_authorized = $this->somehowDetermineUserAuthorization();
+ * > $response = new OAuth2\Response();
+ * > $authorizeController->handleAuthorizeRequest(
+ * > OAuth2\Request::createFromGlobals(),
+ * > $response,
+ * > $is_authorized,
+ * > $user_id);
+ * > $response->send();
+ *
+ */
+interface AuthorizeControllerInterface
+{
+ /**
+ * List of possible authentication response types.
+ * The "authorization_code" mechanism exclusively supports 'code'
+ * and the "implicit" mechanism exclusively supports 'token'.
+ *
+ * @var string
+ * @see http://tools.ietf.org/html/rfc6749#section-4.1.1
+ * @see http://tools.ietf.org/html/rfc6749#section-4.2.1
+ */
+ const RESPONSE_TYPE_AUTHORIZATION_CODE = 'code';
+ const RESPONSE_TYPE_ACCESS_TOKEN = 'token';
+
+ public function handleAuthorizeRequest(RequestInterface $request, ResponseInterface $response, $is_authorized, $user_id = null);
+
+ public function validateAuthorizeRequest(RequestInterface $request, ResponseInterface $response);
+}
diff --git a/oauth/OAuth2/Controller/ResourceController.php b/oauth/OAuth2/Controller/ResourceController.php
new file mode 100644
index 0000000..f3530b2
--- /dev/null
+++ b/oauth/OAuth2/Controller/ResourceController.php
@@ -0,0 +1,112 @@
+tokenType = $tokenType;
+ $this->tokenStorage = $tokenStorage;
+
+ $this->config = array_merge(array(
+ 'www_realm' => 'Service',
+ ), $config);
+
+ if (is_null($scopeUtil)) {
+ $scopeUtil = new Scope();
+ }
+ $this->scopeUtil = $scopeUtil;
+ }
+
+ public function verifyResourceRequest(RequestInterface $request, ResponseInterface $response, $scope = null)
+ {
+ $token = $this->getAccessTokenData($request, $response);
+
+ // Check if we have token data
+ if (is_null($token)) {
+ return false;
+ }
+
+ /**
+ * Check scope, if provided
+ * If token doesn't have a scope, it's null/empty, or it's insufficient, then throw 403
+ * @see http://tools.ietf.org/html/rfc6750#section-3.1
+ */
+ if ($scope && (!isset($token["scope"]) || !$token["scope"] || !$this->scopeUtil->checkScope($scope, $token["scope"]))) {
+ $response->setError(403, 'insufficient_scope', 'The request requires higher privileges than provided by the access token');
+ $response->addHttpHeaders(array(
+ 'WWW-Authenticate' => sprintf('%s realm="%s", scope="%s", error="%s", error_description="%s"',
+ $this->tokenType->getTokenType(),
+ $this->config['www_realm'],
+ $scope,
+ $response->getParameter('error'),
+ $response->getParameter('error_description')
+ )
+ ));
+
+ return false;
+ }
+
+ // allow retrieval of the token
+ $this->token = $token;
+
+ return (bool) $token;
+ }
+
+ public function getAccessTokenData(RequestInterface $request, ResponseInterface $response)
+ {
+ // Get the token parameter
+ if ($token_param = $this->tokenType->getAccessTokenParameter($request, $response)) {
+ // Get the stored token data (from the implementing subclass)
+ // Check we have a well formed token
+ // Check token expiration (expires is a mandatory paramter)
+ if (!$token = $this->tokenStorage->getAccessToken($token_param)) {
+ $response->setError(401, 'invalid_token', 'The access token provided is invalid');
+ } elseif (!isset($token["expires"]) || !isset($token["client_id"])) {
+ $response->setError(401, 'malformed_token', 'Malformed token (missing "expires")');
+ } elseif (time() > $token["expires"]) {
+ $response->setError(401, 'invalid_token', 'The access token provided has expired');
+ } else {
+ $token["assoc_id"]=$this->tokenStorage->getUsersID($token["user_id"]);
+ return $token;
+ }
+ }
+
+ $authHeader = sprintf('%s realm="%s"', $this->tokenType->getTokenType(), $this->config['www_realm']);
+
+ if ($error = $response->getParameter('error')) {
+ $authHeader = sprintf('%s, error="%s"', $authHeader, $error);
+ if ($error_description = $response->getParameter('error_description')) {
+ $authHeader = sprintf('%s, error_description="%s"', $authHeader, $error_description);
+ }
+ }
+
+ $response->addHttpHeaders(array('WWW-Authenticate' => $authHeader));
+
+ return null;
+ }
+
+ // convenience method to allow retrieval of the token
+ public function getToken()
+ {
+ return $this->token;
+ }
+}
diff --git a/oauth/OAuth2/Controller/ResourceControllerInterface.php b/oauth/OAuth2/Controller/ResourceControllerInterface.php
new file mode 100644
index 0000000..6114219
--- /dev/null
+++ b/oauth/OAuth2/Controller/ResourceControllerInterface.php
@@ -0,0 +1,26 @@
+ if (!$resourceController->verifyResourceRequest(OAuth2\Request::createFromGlobals(), $response = new OAuth2\Response())) {
+ * > $response->send(); // authorization failed
+ * > die();
+ * > }
+ * > return json_encode($resource); // valid token! Send the stuff!
+ *
+ */
+interface ResourceControllerInterface
+{
+ public function verifyResourceRequest(RequestInterface $request, ResponseInterface $response, $scope = null);
+
+ public function getAccessTokenData(RequestInterface $request, ResponseInterface $response);
+}
diff --git a/oauth/OAuth2/Controller/TokenController.php b/oauth/OAuth2/Controller/TokenController.php
new file mode 100644
index 0000000..5d2d731
--- /dev/null
+++ b/oauth/OAuth2/Controller/TokenController.php
@@ -0,0 +1,295 @@
+clientAssertionType = $clientAssertionType;
+ $this->accessToken = $accessToken;
+ $this->clientStorage = $clientStorage;
+ foreach ($grantTypes as $grantType) {
+ $this->addGrantType($grantType);
+ }
+
+ if (is_null($scopeUtil)) {
+ $scopeUtil = new Scope();
+ }
+ $this->scopeUtil = $scopeUtil;
+ }
+
+ public function handleTokenRequest(RequestInterface $request, ResponseInterface $response)
+ {
+ if ($token = $this->grantAccessToken($request, $response)) {
+ // @see http://tools.ietf.org/html/rfc6749#section-5.1
+ // server MUST disable caching in headers when tokens are involved
+ $response->setStatusCode(200);
+ $response->addParameters($token);
+ $response->addHttpHeaders(array(
+ 'Cache-Control' => 'no-store',
+ 'Pragma' => 'no-cache',
+ 'Content-Type' => 'application/json'
+ ));
+ }
+ }
+
+ /**
+ * Grant or deny a requested access token.
+ * This would be called from the "/token" endpoint as defined in the spec.
+ * You can call your endpoint whatever you want.
+ *
+ * @param RequestInterface $request Request object to grant access token
+ * @param ResponseInterface $response
+ *
+ * @throws \InvalidArgumentException
+ * @throws \LogicException
+ *
+ * @see http://tools.ietf.org/html/rfc6749#section-4
+ * @see http://tools.ietf.org/html/rfc6749#section-10.6
+ * @see http://tools.ietf.org/html/rfc6749#section-4.1.3
+ *
+ * @ingroup oauth2_section_4
+ */
+ public function grantAccessToken(RequestInterface $request, ResponseInterface $response)
+ {
+ if (strtolower($request->server('REQUEST_METHOD')) != 'post') {
+ $response->setError(405, 'invalid_request', 'The request method must be POST when requesting an access token', '#section-3.2');
+ $response->addHttpHeaders(array('Allow' => 'POST'));
+
+ return null;
+ }
+
+ /**
+ * Determine grant type from request
+ * and validate the request for that grant type
+ */
+ if (!$grantTypeIdentifier = $request->request('grant_type')) {
+ $response->setError(400, 'invalid_request', 'The grant type was not specified in the request');
+
+ return null;
+ }
+
+ if (!isset($this->grantTypes[$grantTypeIdentifier])) {
+ /* TODO: If this is an OAuth2 supported grant type that we have chosen not to implement, throw a 501 Not Implemented instead */
+ $response->setError(400, 'unsupported_grant_type', sprintf('Grant type "%s" not supported', $grantTypeIdentifier));
+
+ return null;
+ }
+
+ $grantType = $this->grantTypes[$grantTypeIdentifier];
+
+ /**
+ * Retrieve the client information from the request
+ * ClientAssertionTypes allow for grant types which also assert the client data
+ * in which case ClientAssertion is handled in the validateRequest method
+ *
+ * @see OAuth2\GrantType\JWTBearer
+ * @see OAuth2\GrantType\ClientCredentials
+ */
+ if (!$grantType instanceof ClientAssertionTypeInterface) {
+ if (!$this->clientAssertionType->validateRequest($request, $response)) {
+ return null;
+ }
+ $clientId = $this->clientAssertionType->getClientId();
+ }
+
+ /**
+ * Retrieve the grant type information from the request
+ * The GrantTypeInterface object handles all validation
+ * If the object is an instance of ClientAssertionTypeInterface,
+ * That logic is handled here as well
+ */
+ if (!$grantType->validateRequest($request, $response)) {
+ return null;
+ }
+
+ if ($grantType instanceof ClientAssertionTypeInterface) {
+ $clientId = $grantType->getClientId();
+ } else {
+ // validate the Client ID (if applicable)
+ if (!is_null($storedClientId = $grantType->getClientId()) && $storedClientId != $clientId) {
+ $response->setError(400, 'invalid_grant', sprintf('%s doesn\'t exist or is invalid for the client', $grantTypeIdentifier));
+
+ return null;
+ }
+ }
+
+ /**
+ * Validate the client can use the requested grant type
+ */
+ if (!$this->clientStorage->checkRestrictedGrantType($clientId, $grantTypeIdentifier)) {
+ $response->setError(400, 'unauthorized_client', 'The grant type is unauthorized for this client_id');
+
+ return false;
+ }
+
+ /**
+ * Validate the scope of the token
+ *
+ * requestedScope - the scope specified in the token request
+ * availableScope - the scope associated with the grant type
+ * ex: in the case of the "Authorization Code" grant type,
+ * the scope is specified in the authorize request
+ *
+ * @see http://tools.ietf.org/html/rfc6749#section-3.3
+ */
+
+ $requestedScope = $this->scopeUtil->getScopeFromRequest($request);
+ $availableScope = $grantType->getScope();
+
+ if ($requestedScope) {
+ // validate the requested scope
+ if ($availableScope) {
+ if (!$this->scopeUtil->checkScope($requestedScope, $availableScope)) {
+ $response->setError(400, 'invalid_scope', 'The scope requested is invalid for this request');
+
+ return null;
+ }
+ } else {
+ // validate the client has access to this scope
+ if ($clientScope = $this->clientStorage->getClientScope($clientId)) {
+ if (!$this->scopeUtil->checkScope($requestedScope, $clientScope)) {
+ $response->setError(400, 'invalid_scope', 'The scope requested is invalid for this client');
+
+ return false;
+ }
+ } elseif (!$this->scopeUtil->scopeExists($requestedScope)) {
+ $response->setError(400, 'invalid_scope', 'An unsupported scope was requested');
+
+ return null;
+ }
+ }
+ } elseif ($availableScope) {
+ // use the scope associated with this grant type
+ $requestedScope = $availableScope;
+ } else {
+ // use a globally-defined default scope
+ $defaultScope = $this->scopeUtil->getDefaultScope($clientId);
+
+ // "false" means default scopes are not allowed
+ if (false === $defaultScope) {
+ $response->setError(400, 'invalid_scope', 'This application requires you specify a scope parameter');
+
+ return null;
+ }
+
+ $requestedScope = $defaultScope;
+ }
+
+ return $grantType->createAccessToken($this->accessToken, $clientId, $grantType->getUserId(), $requestedScope);
+ }
+
+ /**
+ * addGrantType
+ *
+ * @param GrantTypeInterface $grantType the grant type to add for the specified identifier
+ * @param string $identifier a string passed in as "grant_type" in the response that will call this grantType
+ */
+ public function addGrantType(GrantTypeInterface $grantType, $identifier = null)
+ {
+ if (is_null($identifier) || is_numeric($identifier)) {
+ $identifier = $grantType->getQuerystringIdentifier();
+ }
+
+ $this->grantTypes[$identifier] = $grantType;
+ }
+
+ public function handleRevokeRequest(RequestInterface $request, ResponseInterface $response)
+ {
+ if ($this->revokeToken($request, $response)) {
+ $response->setStatusCode(200);
+ $response->addParameters(array('revoked' => true));
+ }
+ }
+
+ /**
+ * Revoke a refresh or access token. Returns true on success and when tokens are invalid
+ *
+ * Note: invalid tokens do not cause an error response since the client
+ * cannot handle such an error in a reasonable way. Moreover, the
+ * purpose of the revocation request, invalidating the particular token,
+ * is already achieved.
+ *
+ * @param RequestInterface $request
+ * @param ResponseInterface $response
+ * @return bool|null
+ */
+ public function revokeToken(RequestInterface $request, ResponseInterface $response)
+ {
+ if (strtolower($request->server('REQUEST_METHOD')) != 'post') {
+ $response->setError(405, 'invalid_request', 'The request method must be POST when revoking an access token', '#section-3.2');
+ $response->addHttpHeaders(array('Allow' => 'POST'));
+
+ return null;
+ }
+
+ $token_type_hint = $request->request('token_type_hint');
+ if (!in_array($token_type_hint, array(null, 'access_token', 'refresh_token'), true)) {
+ $response->setError(400, 'invalid_request', 'Token type hint must be either \'access_token\' or \'refresh_token\'');
+
+ return null;
+ }
+
+ $token = $request->request('token');
+ if ($token === null) {
+ $response->setError(400, 'invalid_request', 'Missing token parameter to revoke');
+
+ return null;
+ }
+
+ // @todo remove this check for v2.0
+ if (!method_exists($this->accessToken, 'revokeToken')) {
+ $class = get_class($this->accessToken);
+ throw new \RuntimeException("AccessToken {$class} does not implement required revokeToken method");
+ }
+
+ $this->accessToken->revokeToken($token, $token_type_hint);
+
+ return true;
+ }
+}
diff --git a/oauth/OAuth2/Controller/TokenControllerInterface.php b/oauth/OAuth2/Controller/TokenControllerInterface.php
new file mode 100644
index 0000000..72d7257
--- /dev/null
+++ b/oauth/OAuth2/Controller/TokenControllerInterface.php
@@ -0,0 +1,32 @@
+ $tokenController->handleTokenRequest(OAuth2\Request::createFromGlobals(), $response = new OAuth2\Response());
+ * > $response->send();
+ *
+ */
+interface TokenControllerInterface
+{
+ /**
+ * handleTokenRequest
+ *
+ * @param $request
+ * OAuth2\RequestInterface - The current http request
+ * @param $response
+ * OAuth2\ResponseInterface - An instance of OAuth2\ResponseInterface to contain the response data
+ *
+ */
+ public function handleTokenRequest(RequestInterface $request, ResponseInterface $response);
+
+ public function grantAccessToken(RequestInterface $request, ResponseInterface $response);
+}
diff --git a/oauth/OAuth2/GrantType/AuthorizationCode.php b/oauth/OAuth2/GrantType/AuthorizationCode.php
new file mode 100644
index 0000000..cae9f78
--- /dev/null
+++ b/oauth/OAuth2/GrantType/AuthorizationCode.php
@@ -0,0 +1,100 @@
+
+ */
+class AuthorizationCode implements GrantTypeInterface
+{
+ protected $storage;
+ protected $authCode;
+
+ /**
+ * @param \OAuth2\Storage\AuthorizationCodeInterface $storage REQUIRED Storage class for retrieving authorization code information
+ */
+ public function __construct(AuthorizationCodeInterface $storage)
+ {
+ $this->storage = $storage;
+ }
+
+ public function getQuerystringIdentifier()
+ {
+ return 'authorization_code';
+ }
+
+ public function validateRequest(RequestInterface $request, ResponseInterface $response)
+ {
+ if (!$request->request('code')) {
+ $response->setError(400, 'invalid_request', 'Missing parameter: "code" is required');
+
+ return false;
+ }
+
+ $code = $request->request('code');
+ if (!$authCode = $this->storage->getAuthorizationCode($code)) {
+ $response->setError(400, 'invalid_grant', 'Authorization code doesn\'t exist or is invalid for the client');
+
+ return false;
+ }
+
+ /*
+ * 4.1.3 - ensure that the "redirect_uri" parameter is present if the "redirect_uri" parameter was included in the initial authorization request
+ * @uri - http://tools.ietf.org/html/rfc6749#section-4.1.3
+ */
+ if (isset($authCode['redirect_uri']) && $authCode['redirect_uri']) {
+ if (!$request->request('redirect_uri') || urldecode($request->request('redirect_uri')) != urldecode($authCode['redirect_uri'])) {
+ $response->setError(400, 'redirect_uri_mismatch', "The redirect URI is missing or do not match", "#section-4.1.3");
+
+ return false;
+ }
+ }
+
+ if (!isset($authCode['expires'])) {
+ throw new \Exception('Storage must return authcode with a value for "expires"');
+ }
+
+ if ($authCode["expires"] < time()) {
+ $response->setError(400, 'invalid_grant', "The authorization code has expired");
+
+ return false;
+ }
+
+ if (!isset($authCode['code'])) {
+ $authCode['code'] = $code; // used to expire the code after the access token is granted
+ }
+
+ $this->authCode = $authCode;
+
+ return true;
+ }
+
+ public function getClientId()
+ {
+ return $this->authCode['client_id'];
+ }
+
+ public function getScope()
+ {
+ return isset($this->authCode['scope']) ? $this->authCode['scope'] : null;
+ }
+
+ public function getUserId()
+ {
+ return isset($this->authCode['user_id']) ? $this->authCode['user_id'] : null;
+ }
+
+ public function createAccessToken(AccessTokenInterface $accessToken, $client_id, $user_id, $scope)
+ {
+ $token = $accessToken->createAccessToken($client_id, $user_id, $scope);
+ $this->storage->expireAuthorizationCode($this->authCode['code']);
+
+ return $token;
+ }
+}
diff --git a/oauth/OAuth2/GrantType/GrantTypeInterface.php b/oauth/OAuth2/GrantType/GrantTypeInterface.php
new file mode 100644
index 0000000..98489e9
--- /dev/null
+++ b/oauth/OAuth2/GrantType/GrantTypeInterface.php
@@ -0,0 +1,20 @@
+
+ */
+class RefreshToken implements GrantTypeInterface
+{
+ private $refreshToken;
+
+ protected $storage;
+ protected $config;
+
+ /**
+ * @param OAuth2\Storage\RefreshTokenInterface $storage REQUIRED Storage class for retrieving refresh token information
+ * @param array $config OPTIONAL Configuration options for the server
+ *
+ * $config = array(
+ * 'always_issue_new_refresh_token' => true, // whether to issue a new refresh token upon successful token request
+ * 'unset_refresh_token_after_use' => true // whether to unset the refresh token after after using
+ * );
+ *
+ */
+ public function __construct(RefreshTokenInterface $storage, $config = array())
+ {
+ $this->config = array_merge(array(
+ 'always_issue_new_refresh_token' => false,
+ 'unset_refresh_token_after_use' => true
+ ), $config);
+
+ // to preserve B.C. with v1.6
+ // @see https://github.com/bshaffer/oauth2-server-php/pull/580
+ // @todo - remove in v2.0
+ if (isset($config['always_issue_new_refresh_token']) && !isset($config['unset_refresh_token_after_use'])) {
+ $this->config['unset_refresh_token_after_use'] = $config['always_issue_new_refresh_token'];
+ }
+
+ $this->storage = $storage;
+ }
+
+ public function getQuerystringIdentifier()
+ {
+ return 'refresh_token';
+ }
+
+ public function validateRequest(RequestInterface $request, ResponseInterface $response)
+ {
+ if (!$request->request("refresh_token")) {
+ $response->setError(400, 'invalid_request', 'Missing parameter: "refresh_token" is required');
+
+ return null;
+ }
+
+ if (!$refreshToken = $this->storage->getRefreshToken($request->request("refresh_token"))) {
+ $response->setError(400, 'invalid_grant', 'Invalid refresh token');
+
+ return null;
+ }
+
+ if ($refreshToken['expires'] > 0 && $refreshToken["expires"] < time()) {
+ $response->setError(400, 'invalid_grant', 'Refresh token has expired');
+
+ return null;
+ }
+
+ // store the refresh token locally so we can delete it when a new refresh token is generated
+ $this->refreshToken = $refreshToken;
+
+ return true;
+ }
+
+ public function getClientId()
+ {
+ return $this->refreshToken['client_id'];
+ }
+
+ public function getUserId()
+ {
+ return isset($this->refreshToken['user_id']) ? $this->refreshToken['user_id'] : null;
+ }
+
+ public function getScope()
+ {
+ return isset($this->refreshToken['scope']) ? $this->refreshToken['scope'] : null;
+ }
+
+ public function createAccessToken(AccessTokenInterface $accessToken, $client_id, $user_id, $scope)
+ {
+ /*
+ * It is optional to force a new refresh token when a refresh token is used.
+ * However, if a new refresh token is issued, the old one MUST be expired
+ * @see http://tools.ietf.org/html/rfc6749#section-6
+ */
+ $issueNewRefreshToken = $this->config['always_issue_new_refresh_token'];
+ $unsetRefreshToken = $this->config['unset_refresh_token_after_use'];
+ $token = $accessToken->createAccessToken($client_id, $user_id, $scope, $issueNewRefreshToken);
+
+ if ($unsetRefreshToken) {
+ $this->storage->unsetRefreshToken($this->refreshToken['refresh_token']);
+ }
+
+ return $token;
+ }
+}
diff --git a/oauth/OAuth2/LICENSE b/oauth/OAuth2/LICENSE
new file mode 100644
index 0000000..d7ece84
--- /dev/null
+++ b/oauth/OAuth2/LICENSE
@@ -0,0 +1,21 @@
+The MIT License
+
+Copyright (c) 2014 Brent Shaffer
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/oauth/OAuth2/README.md b/oauth/OAuth2/README.md
new file mode 100644
index 0000000..4ceda6c
--- /dev/null
+++ b/oauth/OAuth2/README.md
@@ -0,0 +1,8 @@
+oauth2-server-php
+=================
+
+[](https://travis-ci.org/bshaffer/oauth2-server-php)
+
+[](https://packagist.org/packages/bshaffer/oauth2-server-php)
+
+View the [complete documentation](http://bshaffer.github.io/oauth2-server-php-docs/)
\ No newline at end of file
diff --git a/oauth/OAuth2/Request.php b/oauth/OAuth2/Request.php
new file mode 100644
index 0000000..c92cee8
--- /dev/null
+++ b/oauth/OAuth2/Request.php
@@ -0,0 +1,213 @@
+initialize($query, $request, $attributes, $cookies, $files, $server, $content, $headers);
+ }
+
+ /**
+ * Sets the parameters for this request.
+ *
+ * This method also re-initializes all properties.
+ *
+ * @param array $query The GET parameters
+ * @param array $request The POST parameters
+ * @param array $attributes The request attributes (parameters parsed from the PATH_INFO, ...)
+ * @param array $cookies The COOKIE parameters
+ * @param array $files The FILES parameters
+ * @param array $server The SERVER parameters
+ * @param string $content The raw body data
+ *
+ * @api
+ */
+ public function initialize(array $query = array(), array $request = array(), array $attributes = array(), array $cookies = array(), array $files = array(), array $server = array(), $content = null, array $headers = null)
+ {
+ $this->request = $request;
+ $this->query = $query;
+ $this->attributes = $attributes;
+ $this->cookies = $cookies;
+ $this->files = $files;
+ $this->server = $server;
+ $this->content = $content;
+ $this->headers = is_null($headers) ? $this->getHeadersFromServer($this->server) : $headers;
+ }
+
+ public function query($name, $default = null)
+ {
+ return isset($this->query[$name]) ? $this->query[$name] : $default;
+ }
+
+ public function request($name, $default = null)
+ {
+ return isset($this->request[$name]) ? $this->request[$name] : $default;
+ }
+
+ public function server($name, $default = null)
+ {
+ return isset($this->server[$name]) ? $this->server[$name] : $default;
+ }
+
+ public function headers($name, $default = null)
+ {
+ $headers = array_change_key_case($this->headers);
+ $name = strtolower($name);
+
+ return isset($headers[$name]) ? $headers[$name] : $default;
+ }
+
+ public function getAllQueryParameters()
+ {
+ return $this->query;
+ }
+
+ /**
+ * Returns the request body content.
+ *
+ * @param Boolean $asResource If true, a resource will be returned
+ *
+ * @return string|resource The request body content or a resource to read the body stream.
+ */
+ public function getContent($asResource = false)
+ {
+ if (false === $this->content || (true === $asResource && null !== $this->content)) {
+ throw new \LogicException('getContent() can only be called once when using the resource return type.');
+ }
+
+ if (true === $asResource) {
+ $this->content = false;
+
+ return fopen('php://input', 'rb');
+ }
+
+ if (null === $this->content) {
+ $this->content = file_get_contents('php://input');
+ }
+
+ return $this->content;
+ }
+
+ private function getHeadersFromServer($server)
+ {
+ $headers = array();
+ foreach ($server as $key => $value) {
+ if (0 === strpos($key, 'HTTP_')) {
+ $headers[substr($key, 5)] = $value;
+ }
+ // CONTENT_* are not prefixed with HTTP_
+ elseif (in_array($key, array('CONTENT_LENGTH', 'CONTENT_MD5', 'CONTENT_TYPE'))) {
+ $headers[$key] = $value;
+ }
+ }
+
+ if (isset($server['PHP_AUTH_USER'])) {
+ $headers['PHP_AUTH_USER'] = $server['PHP_AUTH_USER'];
+ $headers['PHP_AUTH_PW'] = isset($server['PHP_AUTH_PW']) ? $server['PHP_AUTH_PW'] : '';
+ } else {
+ /*
+ * php-cgi under Apache does not pass HTTP Basic user/pass to PHP by default
+ * For this workaround to work, add this line to your .htaccess file:
+ * RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+ *
+ * A sample .htaccess file:
+ * RewriteEngine On
+ * RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+ * RewriteCond %{REQUEST_FILENAME} !-f
+ * RewriteRule ^(.*)$ app.php [QSA,L]
+ */
+
+ $authorizationHeader = null;
+ if (isset($server['HTTP_AUTHORIZATION'])) {
+ $authorizationHeader = $server['HTTP_AUTHORIZATION'];
+ } elseif (isset($server['REDIRECT_HTTP_AUTHORIZATION'])) {
+ $authorizationHeader = $server['REDIRECT_HTTP_AUTHORIZATION'];
+ } elseif (function_exists('apache_request_headers')) {
+ $requestHeaders = (array) apache_request_headers();
+
+ // Server-side fix for bug in old Android versions (a nice side-effect of this fix means we don't care about capitalization for Authorization)
+ $requestHeaders = array_combine(array_map('ucwords', array_keys($requestHeaders)), array_values($requestHeaders));
+
+ if (isset($requestHeaders['Authorization'])) {
+ $authorizationHeader = trim($requestHeaders['Authorization']);
+ }
+ }
+
+ if (null !== $authorizationHeader) {
+ $headers['AUTHORIZATION'] = $authorizationHeader;
+ // Decode AUTHORIZATION header into PHP_AUTH_USER and PHP_AUTH_PW when authorization header is basic
+ if (0 === stripos($authorizationHeader, 'basic')) {
+ $exploded = explode(':', base64_decode(substr($authorizationHeader, 6)));
+ if (count($exploded) == 2) {
+ list($headers['PHP_AUTH_USER'], $headers['PHP_AUTH_PW']) = $exploded;
+ }
+ }
+ }
+ }
+
+ // PHP_AUTH_USER/PHP_AUTH_PW
+ if (isset($headers['PHP_AUTH_USER'])) {
+ $headers['AUTHORIZATION'] = 'Basic '.base64_encode($headers['PHP_AUTH_USER'].':'.$headers['PHP_AUTH_PW']);
+ }
+
+ return $headers;
+ }
+
+ /**
+ * Creates a new request with values from PHP's super globals.
+ *
+ * @return Request A new request
+ *
+ * @api
+ */
+ public static function createFromGlobals()
+ {
+ $class = get_called_class();
+ $request = new $class($_GET, $_POST, array(), $_COOKIE, $_FILES, $_SERVER);
+
+ $contentType = $request->server('CONTENT_TYPE', '');
+ $requestMethod = $request->server('REQUEST_METHOD', 'GET');
+ if (0 === strpos($contentType, 'application/x-www-form-urlencoded')
+ && in_array(strtoupper($requestMethod), array('PUT', 'DELETE'))
+ ) {
+ parse_str($request->getContent(), $data);
+ $request->request = $data;
+ } elseif (0 === strpos($contentType, 'application/json')
+ && in_array(strtoupper($requestMethod), array('POST', 'PUT', 'DELETE'))
+ ) {
+ $data = json_decode($request->getContent(), true);
+ $request->request = $data;
+ }
+
+ return $request;
+ }
+}
diff --git a/oauth/OAuth2/RequestInterface.php b/oauth/OAuth2/RequestInterface.php
new file mode 100644
index 0000000..8a70d5f
--- /dev/null
+++ b/oauth/OAuth2/RequestInterface.php
@@ -0,0 +1,16 @@
+ 'Continue',
+ 101 => 'Switching Protocols',
+ 200 => 'OK',
+ 201 => 'Created',
+ 202 => 'Accepted',
+ 203 => 'Non-Authoritative Information',
+ 204 => 'No Content',
+ 205 => 'Reset Content',
+ 206 => 'Partial Content',
+ 300 => 'Multiple Choices',
+ 301 => 'Moved Permanently',
+ 302 => 'Found',
+ 303 => 'See Other',
+ 304 => 'Not Modified',
+ 305 => 'Use Proxy',
+ 307 => 'Temporary Redirect',
+ 400 => 'Bad Request',
+ 401 => 'Unauthorized',
+ 402 => 'Payment Required',
+ 403 => 'Forbidden',
+ 404 => 'Not Found',
+ 405 => 'Method Not Allowed',
+ 406 => 'Not Acceptable',
+ 407 => 'Proxy Authentication Required',
+ 408 => 'Request Timeout',
+ 409 => 'Conflict',
+ 410 => 'Gone',
+ 411 => 'Length Required',
+ 412 => 'Precondition Failed',
+ 413 => 'Request Entity Too Large',
+ 414 => 'Request-URI Too Long',
+ 415 => 'Unsupported Media Type',
+ 416 => 'Requested Range Not Satisfiable',
+ 417 => 'Expectation Failed',
+ 418 => 'I\'m a teapot',
+ 500 => 'Internal Server Error',
+ 501 => 'Not Implemented',
+ 502 => 'Bad Gateway',
+ 503 => 'Service Unavailable',
+ 504 => 'Gateway Timeout',
+ 505 => 'HTTP Version Not Supported',
+ );
+
+ public function __construct($parameters = array(), $statusCode = 200, $headers = array())
+ {
+ $this->setParameters($parameters);
+ $this->setStatusCode($statusCode);
+ $this->setHttpHeaders($headers);
+ $this->version = '1.1';
+ }
+
+ /**
+ * Converts the response object to string containing all headers and the response content.
+ *
+ * @return string The response with headers and content
+ */
+ public function __toString()
+ {
+ $headers = array();
+ foreach ($this->httpHeaders as $name => $value) {
+ $headers[$name] = (array) $value;
+ }
+
+ return
+ sprintf('HTTP/%s %s %s', $this->version, $this->statusCode, $this->statusText)."\r\n".
+ $this->getHttpHeadersAsString($headers)."\r\n".
+ $this->getResponseBody();
+ }
+
+ /**
+ * Returns the build header line.
+ *
+ * @param string $name The header name
+ * @param string $value The header value
+ *
+ * @return string The built header line
+ */
+ protected function buildHeader($name, $value)
+ {
+ return sprintf("%s: %s\n", $name, $value);
+ }
+
+ public function getStatusCode()
+ {
+ return $this->statusCode;
+ }
+
+ public function setStatusCode($statusCode, $text = null)
+ {
+ $this->statusCode = (int) $statusCode;
+ if ($this->isInvalid()) {
+ throw new \InvalidArgumentException(sprintf('The HTTP status code "%s" is not valid.', $statusCode));
+ }
+
+ $this->statusText = false === $text ? '' : (null === $text ? self::$statusTexts[$this->statusCode] : $text);
+ }
+
+ public function getStatusText()
+ {
+ return $this->statusText;
+ }
+
+ public function getParameters()
+ {
+ return $this->parameters;
+ }
+
+ public function setParameters(array $parameters)
+ {
+ $this->parameters = $parameters;
+ }
+
+ public function addParameters(array $parameters)
+ {
+ $this->parameters = array_merge($this->parameters, $parameters);
+ }
+
+ public function getParameter($name, $default = null)
+ {
+ return isset($this->parameters[$name]) ? $this->parameters[$name] : $default;
+ }
+
+ public function setParameter($name, $value)
+ {
+ $this->parameters[$name] = $value;
+ }
+
+ public function setHttpHeaders(array $httpHeaders)
+ {
+ $this->httpHeaders = $httpHeaders;
+ }
+
+ public function setHttpHeader($name, $value)
+ {
+ $this->httpHeaders[$name] = $value;
+ }
+
+ public function addHttpHeaders(array $httpHeaders)
+ {
+ $this->httpHeaders = array_merge($this->httpHeaders, $httpHeaders);
+ }
+
+ public function getHttpHeaders()
+ {
+ return $this->httpHeaders;
+ }
+
+ public function getHttpHeader($name, $default = null)
+ {
+ return isset($this->httpHeaders[$name]) ? $this->httpHeaders[$name] : $default;
+ }
+
+ public function getResponseBody($format = 'json')
+ {
+ switch ($format) {
+ case 'json':
+ return $this->parameters ? json_encode($this->parameters) : '';
+ case 'xml':
+ // this only works for single-level arrays
+ $xml = new \SimpleXMLElement('
+ * $config = array(
+ * 'token_type' => 'bearer', // token type identifier
+ * 'access_lifetime' => 3600, // time before access token expires
+ * 'refresh_token_lifetime' => 1209600, // time before refresh token expires
+ * );
+ *
+ */
+ public function __construct(AccessTokenStorageInterface $tokenStorage, RefreshTokenInterface $refreshStorage = null, array $config = array())
+ {
+ $this->tokenStorage = $tokenStorage;
+ $this->refreshStorage = $refreshStorage;
+
+ $this->config = array_merge(array(
+ 'token_type' => 'bearer',
+ 'access_lifetime' => 3600,
+ 'refresh_token_lifetime' => 1209600,
+ ), $config);
+ }
+
+ public function getAuthorizeResponse($params, $user_id = null)
+ {
+ // build the URL to redirect to
+ $result = array('query' => array());
+
+ $params += array('scope' => null, 'state' => null);
+
+ /*
+ * a refresh token MUST NOT be included in the fragment
+ *
+ * @see http://tools.ietf.org/html/rfc6749#section-4.2.2
+ */
+ $includeRefreshToken = false;
+ $result["fragment"] = $this->createAccessToken($params['client_id'], $user_id, $params['scope'], $includeRefreshToken);
+
+ if (isset($params['state'])) {
+ $result["fragment"]["state"] = $params['state'];
+ }
+
+ return array($params['redirect_uri'], $result);
+ }
+
+ /**
+ * Handle the creation of access token, also issue refresh token if supported / desirable.
+ *
+ * @param $client_id client identifier related to the access token.
+ * @param $user_id user ID associated with the access token
+ * @param $scope OPTIONAL scopes to be stored in space-separated string.
+ * @param bool $includeRefreshToken if true, a new refresh_token will be added to the response
+ *
+ * @see http://tools.ietf.org/html/rfc6749#section-5
+ * @ingroup oauth2_section_5
+ */
+ public function createAccessToken($client_id, $user_id, $scope = null, $includeRefreshToken = true)
+ {
+ $includeRefreshToken = true;
+ $token = array(
+ "access_token" => $this->generateAccessToken(),
+ "token_type" => $this->config['token_type']
+// "expires_in" => $this->config['access_lifetime'],
+ );
+
+ $this->tokenStorage->setAccessToken($token["access_token"], $client_id, $user_id, $this->config['access_lifetime'] ? time() + $this->config['access_lifetime'] : null, $scope);
+
+ /*
+ * Issue a refresh token also, if we support them
+ *
+ * Refresh Tokens are considered supported if an instance of OAuth2\Storage\RefreshTokenInterface
+ * is supplied in the constructor
+ */
+ if ($includeRefreshToken && $this->refreshStorage) {
+ $token["refresh_token"] = $this->generateRefreshToken();
+ $expires = 0;
+ if ($this->config['refresh_token_lifetime'] > 0) {
+ $expires = time() + $this->config['refresh_token_lifetime'];
+ }
+ $this->refreshStorage->setRefreshToken($token['refresh_token'], $client_id, $user_id, $expires, $scope);
+ }
+
+ $token["scope"] = $scope;
+ $token["created_at"] = time();
+
+ return $token;
+ }
+
+ /**
+ * Generates an unique access token.
+ *
+ * Implementing classes may want to override this function to implement
+ * other access token generation schemes.
+ *
+ * @return
+ * An unique access token.
+ *
+ * @ingroup oauth2_section_4
+ */
+ protected function generateAccessToken()
+ {
+ if (function_exists('openssl_random_pseudo_bytes')) {
+ $randomData = openssl_random_pseudo_bytes(20);
+ if ($randomData !== false && strlen($randomData) === 20) {
+ return bin2hex($randomData);
+ }
+ }
+ if (function_exists('mcrypt_create_iv')) {
+ $randomData = mcrypt_create_iv(20, MCRYPT_DEV_URANDOM);
+ if ($randomData !== false && strlen($randomData) === 20) {
+ return bin2hex($randomData);
+ }
+ }
+ if (@file_exists('/dev/urandom')) { // Get 100 bytes of random data
+ $randomData = file_get_contents('/dev/urandom', false, null, 0, 20);
+ if ($randomData !== false && strlen($randomData) === 20) {
+ return bin2hex($randomData);
+ }
+ }
+ // Last resort which you probably should just get rid of:
+ $randomData = mt_rand() . mt_rand() . mt_rand() . mt_rand() . microtime(true) . uniqid(mt_rand(), true);
+
+ return substr(hash('sha512', $randomData), 0, 40);
+ }
+
+ /**
+ * Generates an unique refresh token
+ *
+ * Implementing classes may want to override this function to implement
+ * other refresh token generation schemes.
+ *
+ * @return
+ * An unique refresh.
+ *
+ * @ingroup oauth2_section_4
+ * @see OAuth2::generateAccessToken()
+ */
+ protected function generateRefreshToken()
+ {
+ return $this->generateAccessToken(); // let's reuse the same scheme for token generation
+ }
+
+ /**
+ * Handle the revoking of refresh tokens, and access tokens if supported / desirable
+ * RFC7009 specifies that "If the server is unable to locate the token using
+ * the given hint, it MUST extend its search across all of its supported token types"
+ *
+ * @param $token
+ * @param null $tokenTypeHint
+ * @return boolean
+ */
+ public function revokeToken($token, $tokenTypeHint = null)
+ {
+ if ($tokenTypeHint == 'refresh_token') {
+ if ($this->refreshStorage && $revoked = $this->refreshStorage->unsetRefreshToken($token)) {
+ return true;
+ }
+ }
+
+ /** @TODO remove in v2 */
+ if (!method_exists($this->tokenStorage, 'unsetAccessToken')) {
+ throw new \RuntimeException(
+ sprintf('Token storage %s must implement unsetAccessToken method', get_class($this->tokenStorage)
+ ));
+ }
+
+ $revoked = $this->tokenStorage->unsetAccessToken($token);
+
+ // if a typehint is supplied and fails, try other storages
+ // @see https://tools.ietf.org/html/rfc7009#section-2.1
+ if (!$revoked && $tokenTypeHint != 'refresh_token') {
+ if ($this->refreshStorage) {
+ $revoked = $this->refreshStorage->unsetRefreshToken($token);
+ }
+ }
+
+ return $revoked;
+ }
+}
diff --git a/oauth/OAuth2/ResponseType/AccessTokenInterface.php b/oauth/OAuth2/ResponseType/AccessTokenInterface.php
new file mode 100644
index 0000000..4bd3928
--- /dev/null
+++ b/oauth/OAuth2/ResponseType/AccessTokenInterface.php
@@ -0,0 +1,34 @@
+
+ */
+interface AccessTokenInterface extends ResponseTypeInterface
+{
+ /**
+ * Handle the creation of access token, also issue refresh token if supported / desirable.
+ *
+ * @param $client_id client identifier related to the access token.
+ * @param $user_id user ID associated with the access token
+ * @param $scope OPTONAL scopes to be stored in space-separated string.
+ * @param bool $includeRefreshToken if true, a new refresh_token will be added to the response
+ *
+ * @see http://tools.ietf.org/html/rfc6749#section-5
+ * @ingroup oauth2_section_5
+ */
+ public function createAccessToken($client_id, $user_id, $scope = null, $includeRefreshToken = true);
+
+ /**
+ * Handle the revoking of refresh tokens, and access tokens if supported / desirable
+ *
+ * @param $token
+ * @param $tokenTypeHint
+ * @return mixed
+ *
+ * @todo v2.0 include this method in interface. Omitted to maintain BC in v1.x
+ */
+ //public function revokeToken($token, $tokenTypeHint);
+}
diff --git a/oauth/OAuth2/ResponseType/AuthorizationCode.php b/oauth/OAuth2/ResponseType/AuthorizationCode.php
new file mode 100644
index 0000000..ecda4d7
--- /dev/null
+++ b/oauth/OAuth2/ResponseType/AuthorizationCode.php
@@ -0,0 +1,107 @@
+
+ */
+class AuthorizationCode implements AuthorizationCodeInterface
+{
+ protected $storage;
+ protected $config;
+
+ public function __construct(AuthorizationCodeStorageInterface $storage, array $config = array())
+ {
+ $this->storage = $storage;
+ $this->config = array_merge(array(
+ 'enforce_redirect' => false,
+ 'auth_code_lifetime' => 30,
+ ), $config);
+ }
+
+ public function getAuthorizeResponse($params, $user_id = null)
+ {
+ // build the URL to redirect to
+ $result = array('query' => array());
+
+ $params += array('scope' => null, 'state' => null);
+
+ $result['query']['code'] = $this->createAuthorizationCode($params['client_id'], $user_id, $params['redirect_uri'], $params['scope']);
+
+ if (isset($params['state'])) {
+ $result['query']['state'] = $params['state'];
+ }
+
+ return array($params['redirect_uri'], $result);
+ }
+
+ /**
+ * Handle the creation of the authorization code.
+ *
+ * @param $client_id
+ * Client identifier related to the authorization code
+ * @param $user_id
+ * User ID associated with the authorization code
+ * @param $redirect_uri
+ * An absolute URI to which the authorization server will redirect the
+ * user-agent to when the end-user authorization step is completed.
+ * @param $scope
+ * (optional) Scopes to be stored in space-separated string.
+ *
+ * @see http://tools.ietf.org/html/rfc6749#section-4
+ * @ingroup oauth2_section_4
+ */
+ public function createAuthorizationCode($client_id, $user_id, $redirect_uri, $scope = null)
+ {
+ $code = $this->generateAuthorizationCode();
+
+ if (!$this->storage->getUsersID($user_id))
+ {
+ $this->storage->setUsersID($user_id);
+ }
+
+ // Scope API is forced here to comply with gitlab specification.
+ $this->storage->setAuthorizationCode($code, $client_id, $user_id, $redirect_uri, time() + $this->config['auth_code_lifetime'], "api");
+
+ return $code;
+ }
+
+ /**
+ * @return
+ * TRUE if the grant type requires a redirect_uri, FALSE if not
+ */
+ public function enforceRedirect()
+ {
+ return $this->config['enforce_redirect'];
+ }
+
+ /**
+ * Generates an unique auth code.
+ *
+ * Implementing classes may want to override this function to implement
+ * other auth code generation schemes.
+ *
+ * @return
+ * An unique auth code.
+ *
+ * @ingroup oauth2_section_4
+ */
+ protected function generateAuthorizationCode()
+ {
+ $tokenLen = 40;
+ if (function_exists('openssl_random_pseudo_bytes')) {
+ $randomData = openssl_random_pseudo_bytes(100);
+ } elseif (function_exists('mcrypt_create_iv')) {
+ $randomData = mcrypt_create_iv(100, MCRYPT_DEV_URANDOM);
+ } elseif (@file_exists('/dev/urandom')) { // Get 100 bytes of random data
+ $randomData = file_get_contents('/dev/urandom', false, null, 0, 100) . uniqid(mt_rand(), true);
+ } else {
+ $randomData = mt_rand() . mt_rand() . mt_rand() . mt_rand() . microtime(true) . uniqid(mt_rand(), true);
+ }
+
+ return substr(hash('sha512', $randomData), 0, $tokenLen);
+ }
+}
diff --git a/oauth/OAuth2/ResponseType/AuthorizationCodeInterface.php b/oauth/OAuth2/ResponseType/AuthorizationCodeInterface.php
new file mode 100644
index 0000000..df777e2
--- /dev/null
+++ b/oauth/OAuth2/ResponseType/AuthorizationCodeInterface.php
@@ -0,0 +1,30 @@
+
+ */
+interface AuthorizationCodeInterface extends ResponseTypeInterface
+{
+ /**
+ * @return
+ * TRUE if the grant type requires a redirect_uri, FALSE if not
+ */
+ public function enforceRedirect();
+
+ /**
+ * Handle the creation of the authorization code.
+ *
+ * @param $client_id client identifier related to the authorization code
+ * @param $user_id user id associated with the authorization code
+ * @param $redirect_uri an absolute URI to which the authorization server will redirect the
+ * user-agent to when the end-user authorization step is completed.
+ * @param $scope OPTIONAL scopes to be stored in space-separated string.
+ *
+ * @see http://tools.ietf.org/html/rfc6749#section-4
+ * @ingroup oauth2_section_4
+ */
+ public function createAuthorizationCode($client_id, $user_id, $redirect_uri, $scope = null);
+}
diff --git a/oauth/OAuth2/ResponseType/ResponseTypeInterface.php b/oauth/OAuth2/ResponseType/ResponseTypeInterface.php
new file mode 100644
index 0000000..f8e26a5
--- /dev/null
+++ b/oauth/OAuth2/ResponseType/ResponseTypeInterface.php
@@ -0,0 +1,8 @@
+storage = $storage;
+ }
+
+ /**
+ * Check if everything in required scope is contained in available scope.
+ *
+ * @param $required_scope
+ * A space-separated string of scopes.
+ *
+ * @return
+ * TRUE if everything in required scope is contained in available scope,
+ * and FALSE if it isn't.
+ *
+ * @see http://tools.ietf.org/html/rfc6749#section-7
+ *
+ * @ingroup oauth2_section_7
+ */
+ public function checkScope($required_scope, $available_scope)
+ {
+ $required_scope = explode(' ', trim($required_scope));
+ $available_scope = explode(' ', trim($available_scope));
+
+ return (count(array_diff($required_scope, $available_scope)) == 0);
+ }
+
+ /**
+ * Check if the provided scope exists in storage.
+ *
+ * @param $scope
+ * A space-separated string of scopes.
+ *
+ * @return
+ * TRUE if it exists, FALSE otherwise.
+ */
+ public function scopeExists($scope)
+ {
+ // Check reserved scopes first.
+ $scope = explode(' ', trim($scope));
+ $reservedScope = $this->getReservedScopes();
+ $nonReservedScopes = array_diff($scope, $reservedScope);
+ if (count($nonReservedScopes) == 0) {
+ return true;
+ } else {
+ // Check the storage for non-reserved scopes.
+ $nonReservedScopes = implode(' ', $nonReservedScopes);
+
+ return $this->storage->scopeExists($nonReservedScopes);
+ }
+ }
+
+ public function getScopeFromRequest(RequestInterface $request)
+ {
+ // "scope" is valid if passed in either POST or QUERY
+ return $request->request('scope', $request->query('scope'));
+ }
+
+ public function getDefaultScope($client_id = null)
+ {
+ return $this->storage->getDefaultScope($client_id);
+ }
+
+ /**
+ * Get reserved scopes needed by the server.
+ *
+ * In case OpenID Connect is used, these scopes must include:
+ * 'openid', offline_access'.
+ *
+ * @return
+ * An array of reserved scopes.
+ */
+ public function getReservedScopes()
+ {
+ return array('openid', 'offline_access');
+ }
+}
diff --git a/oauth/OAuth2/ScopeInterface.php b/oauth/OAuth2/ScopeInterface.php
new file mode 100644
index 0000000..5b60f9a
--- /dev/null
+++ b/oauth/OAuth2/ScopeInterface.php
@@ -0,0 +1,40 @@
+ 'OAuth2\Storage\AccessTokenInterface',
+ 'authorization_code' => 'OAuth2\Storage\AuthorizationCodeInterface',
+ 'client_credentials' => 'OAuth2\Storage\ClientCredentialsInterface',
+ 'client' => 'OAuth2\Storage\ClientInterface',
+ 'refresh_token' => 'OAuth2\Storage\RefreshTokenInterface',
+ 'user_credentials' => 'OAuth2\Storage\UserCredentialsInterface',
+ 'public_key' => 'OAuth2\Storage\PublicKeyInterface',
+ 'scope' => 'OAuth2\Storage\ScopeInterface',
+ );
+
+ protected $responseTypeMap = array(
+ 'token' => 'OAuth2\ResponseType\AccessTokenInterface',
+ 'code' => 'OAuth2\ResponseType\AuthorizationCodeInterface',
+ );
+
+ /**
+ * @param mixed $storage (array or OAuth2\Storage) - single object or array of objects implementing the
+ * required storage types (ClientCredentialsInterface and AccessTokenInterface as a minimum)
+ * @param array $config specify a different token lifetime, token header name, etc
+ * @param array $grantTypes An array of OAuth2\GrantType\GrantTypeInterface to use for granting access tokens
+ * @param array $responseTypes Response types to use. array keys should be "code" and and "token" for
+ * Access Token and Authorization Code response types
+ * @param \OAuth2\TokenType\TokenTypeInterface $tokenType The token type object to use. Valid token types are "bearer" and "mac"
+ * @param \OAuth2\ScopeInterface $scopeUtil The scope utility class to use to validate scope
+ * @param \OAuth2\ClientAssertionType\ClientAssertionTypeInterface $clientAssertionType The method in which to verify the client identity. Default is HttpBasic
+ *
+ * @ingroup oauth2_section_7
+ */
+ public function __construct($storage = array(), array $config = array(), array $grantTypes = array(), array $responseTypes = array(), TokenTypeInterface $tokenType = null, ScopeInterface $scopeUtil = null, ClientAssertionTypeInterface $clientAssertionType = null)
+ {
+ $storage = is_array($storage) ? $storage : array($storage);
+ $this->storages = array();
+ foreach ($storage as $key => $service) {
+ $this->addStorage($service, $key);
+ }
+
+ // merge all config values. These get passed to our controller objects
+ $this->config = array_merge(array(
+ 'store_encrypted_token_string' => true,
+ 'id_lifetime' => 3600,
+ 'access_lifetime' => 3600,
+ 'www_realm' => 'Service',
+ 'token_param_name' => 'access_token',
+ 'token_bearer_header_name' => 'Bearer',
+ 'enforce_state' => true,
+ 'require_exact_redirect_uri' => true,
+ 'allow_implicit' => false,
+ 'allow_credentials_in_request_body' => true,
+ 'allow_public_clients' => true,
+ 'always_issue_new_refresh_token' => false,
+ 'unset_refresh_token_after_use' => true,
+ ), $config);
+
+ foreach ($grantTypes as $key => $grantType) {
+ $this->addGrantType($grantType, $key);
+ }
+
+ foreach ($responseTypes as $key => $responseType) {
+ $this->addResponseType($responseType, $key);
+ }
+
+ $this->tokenType = $tokenType;
+ $this->scopeUtil = $scopeUtil;
+ $this->clientAssertionType = $clientAssertionType;
+ }
+
+ public function getAuthorizeController()
+ {
+ if (is_null($this->authorizeController)) {
+ $this->authorizeController = $this->createDefaultAuthorizeController();
+ }
+
+ return $this->authorizeController;
+ }
+
+ public function getTokenController()
+ {
+ if (is_null($this->tokenController)) {
+ $this->tokenController = $this->createDefaultTokenController();
+ }
+
+ return $this->tokenController;
+ }
+
+ public function getResourceController()
+ {
+ if (is_null($this->resourceController)) {
+ $this->resourceController = $this->createDefaultResourceController();
+ }
+
+ return $this->resourceController;
+ }
+
+ public function getUserInfoController()
+ {
+ if (is_null($this->userInfoController)) {
+ $this->userInfoController = $this->createDefaultUserInfoController();
+ }
+
+ return $this->userInfoController;
+ }
+
+ /**
+ * every getter deserves a setter
+ *
+ * @param AuthorizeControllerInterface $authorizeController
+ */
+ public function setAuthorizeController(AuthorizeControllerInterface $authorizeController)
+ {
+ $this->authorizeController = $authorizeController;
+ }
+
+ /**
+ * every getter deserves a setter
+ *
+ * @param TokenControllerInterface $tokenController
+ */
+ public function setTokenController(TokenControllerInterface $tokenController)
+ {
+ $this->tokenController = $tokenController;
+ }
+
+ /**
+ * every getter deserves a setter
+ *
+ * @param ResourceControllerInterface $resourceController
+ */
+ public function setResourceController(ResourceControllerInterface $resourceController)
+ {
+ $this->resourceController = $resourceController;
+ }
+
+ /**
+ * every getter deserves a setter
+ *
+ * @param UserInfoControllerInterface $userInfoController
+ */
+ public function setUserInfoController(UserInfoControllerInterface $userInfoController)
+ {
+ $this->userInfoController = $userInfoController;
+ }
+
+ /**
+ * Grant or deny a requested access token.
+ * This would be called from the "/token" endpoint as defined in the spec.
+ * Obviously, you can call your endpoint whatever you want.
+ *
+ * @param $request - \OAuth2\RequestInterface
+ * Request object to grant access token
+ *
+ * @param $response - \OAuth2\ResponseInterface
+ * Response object containing error messages (failure) or access token (success)
+ *
+ * @return ResponseInterface
+ *
+ * @throws \InvalidArgumentException
+ * @throws \LogicException
+ *
+ * @see http://tools.ietf.org/html/rfc6749#section-4
+ * @see http://tools.ietf.org/html/rfc6749#section-10.6
+ * @see http://tools.ietf.org/html/rfc6749#section-4.1.3
+ *
+ * @ingroup oauth2_section_4
+ */
+ public function handleTokenRequest(RequestInterface $request, ResponseInterface $response = null)
+ {
+ $this->response = is_null($response) ? new Response() : $response;
+ $this->getTokenController()->handleTokenRequest($request, $this->response);
+
+ return $this->response;
+ }
+
+ public function grantAccessToken(RequestInterface $request, ResponseInterface $response = null)
+ {
+ $this->response = is_null($response) ? new Response() : $response;
+ $value = $this->getTokenController()->grantAccessToken($request, $this->response);
+
+ return $value;
+ }
+
+ /**
+ * Handle a revoke token request
+ * This would be called from the "/revoke" endpoint as defined in the draft Token Revocation spec
+ *
+ * @see https://tools.ietf.org/html/rfc7009#section-2
+ *
+ * @param RequestInterface $request
+ * @param ResponseInterface $response
+ * @return Response|ResponseInterface
+ */
+ public function handleRevokeRequest(RequestInterface $request, ResponseInterface $response = null)
+ {
+ $this->response = is_null($response) ? new Response() : $response;
+ $this->getTokenController()->handleRevokeRequest($request, $this->response);
+
+ return $this->response;
+ }
+
+ /**
+ * Redirect the user appropriately after approval.
+ *
+ * After the user has approved or denied the resource request the
+ * authorization server should call this function to redirect the user
+ * appropriately.
+ *
+ * @param $request
+ * The request should have the follow parameters set in the querystring:
+ * - response_type: The requested response: an access token, an
+ * authorization code, or both.
+ * - client_id: The client identifier as described in Section 2.
+ * - redirect_uri: An absolute URI to which the authorization server
+ * will redirect the user-agent to when the end-user authorization
+ * step is completed.
+ * - scope: (optional) The scope of the resource request expressed as a
+ * list of space-delimited strings.
+ * - state: (optional) An opaque value used by the client to maintain
+ * state between the request and callback.
+ * @param ResponseInterface $response
+ * @param $is_authorized
+ * TRUE or FALSE depending on whether the user authorized the access.
+ * @param $user_id
+ * Identifier of user who authorized the client
+ *
+ * @return Response
+ *
+ * @see http://tools.ietf.org/html/rfc6749#section-4
+ *
+ * @ingroup oauth2_section_4
+ */
+ public function handleAuthorizeRequest(RequestInterface $request, ResponseInterface $response, $is_authorized, $user_id = null)
+ {
+ $this->response = $response;
+ $this->getAuthorizeController()->handleAuthorizeRequest($request, $this->response, $is_authorized, $user_id);
+
+ return $this->response;
+ }
+
+ /**
+ * Pull the authorization request data out of the HTTP request.
+ * - The redirect_uri is OPTIONAL as per draft 20. But your implementation can enforce it
+ * by setting $config['enforce_redirect'] to true.
+ * - The state is OPTIONAL but recommended to enforce CSRF. Draft 21 states, however, that
+ * CSRF protection is MANDATORY. You can enforce this by setting the $config['enforce_state'] to true.
+ *
+ * The draft specifies that the parameters should be retrieved from GET, override the Response
+ * object to change this
+ *
+ * @return
+ * The authorization parameters so the authorization server can prompt
+ * the user for approval if valid.
+ *
+ * @see http://tools.ietf.org/html/rfc6749#section-4.1.1
+ * @see http://tools.ietf.org/html/rfc6749#section-10.12
+ *
+ * @ingroup oauth2_section_3
+ */
+ public function validateAuthorizeRequest(RequestInterface $request, ResponseInterface $response = null)
+ {
+ $this->response = is_null($response) ? new Response() : $response;
+ $value = $this->getAuthorizeController()->validateAuthorizeRequest($request, $this->response);
+
+ return $value;
+ }
+
+ public function verifyResourceRequest(RequestInterface $request, ResponseInterface $response = null, $scope = null)
+ {
+ $this->response = is_null($response) ? new Response() : $response;
+ $value = $this->getResourceController()->verifyResourceRequest($request, $this->response, $scope);
+
+ return $value;
+ }
+
+ public function getAccessTokenData(RequestInterface $request, ResponseInterface $response = null)
+ {
+ $this->response = is_null($response) ? new Response() : $response;
+ $value = $this->getResourceController()->getAccessTokenData($request, $this->response);
+
+ return $value;
+ }
+
+ public function addGrantType(GrantTypeInterface $grantType, $identifier = null)
+ {
+ if (!is_string($identifier)) {
+ $identifier = $grantType->getQuerystringIdentifier();
+ }
+
+ $this->grantTypes[$identifier] = $grantType;
+
+ // persist added grant type down to TokenController
+ if (!is_null($this->tokenController)) {
+ $this->getTokenController()->addGrantType($grantType, $identifier);
+ }
+ }
+
+ /**
+ * Set a storage object for the server
+ *
+ * @param $storage
+ * An object implementing one of the Storage interfaces
+ * @param $key
+ * If null, the storage is set to the key of each storage interface it implements
+ *
+ * @see storageMap
+ */
+ public function addStorage($storage, $key = null)
+ {
+ // if explicitly set to a valid key, do not "magically" set below
+ if (isset($this->storageMap[$key])) {
+ if (!is_null($storage) && !$storage instanceof $this->storageMap[$key]) {
+ throw new \InvalidArgumentException(sprintf('storage of type "%s" must implement interface "%s"', $key, $this->storageMap[$key]));
+ }
+ $this->storages[$key] = $storage;
+
+ // special logic to handle "client" and "client_credentials" strangeness
+ if ($key === 'client' && !isset($this->storages['client_credentials'])) {
+ if ($storage instanceof \OAuth2\Storage\ClientCredentialsInterface) {
+ $this->storages['client_credentials'] = $storage;
+ }
+ } elseif ($key === 'client_credentials' && !isset($this->storages['client'])) {
+ if ($storage instanceof \OAuth2\Storage\ClientInterface) {
+ $this->storages['client'] = $storage;
+ }
+ }
+ } elseif (!is_null($key) && !is_numeric($key)) {
+ throw new \InvalidArgumentException(sprintf('unknown storage key "%s", must be one of [%s]', $key, implode(', ', array_keys($this->storageMap))));
+ } else {
+ $set = false;
+ foreach ($this->storageMap as $type => $interface) {
+ if ($storage instanceof $interface) {
+ $this->storages[$type] = $storage;
+ $set = true;
+ }
+ }
+
+ if (!$set) {
+ throw new \InvalidArgumentException(sprintf('storage of class "%s" must implement one of [%s]', get_class($storage), implode(', ', $this->storageMap)));
+ }
+ }
+ }
+
+ public function addResponseType(ResponseTypeInterface $responseType, $key = null)
+ {
+ $key = $this->normalizeResponseType($key);
+
+ if (isset($this->responseTypeMap[$key])) {
+ if (!$responseType instanceof $this->responseTypeMap[$key]) {
+ throw new \InvalidArgumentException(sprintf('responseType of type "%s" must implement interface "%s"', $key, $this->responseTypeMap[$key]));
+ }
+ $this->responseTypes[$key] = $responseType;
+ } elseif (!is_null($key) && !is_numeric($key)) {
+ throw new \InvalidArgumentException(sprintf('unknown responseType key "%s", must be one of [%s]', $key, implode(', ', array_keys($this->responseTypeMap))));
+ } else {
+ $set = false;
+ foreach ($this->responseTypeMap as $type => $interface) {
+ if ($responseType instanceof $interface) {
+ $this->responseTypes[$type] = $responseType;
+ $set = true;
+ }
+ }
+
+ if (!$set) {
+ throw new \InvalidArgumentException(sprintf('Unknown response type %s. Please implement one of [%s]', get_class($responseType), implode(', ', $this->responseTypeMap)));
+ }
+ }
+ }
+
+ public function getScopeUtil()
+ {
+ if (!$this->scopeUtil) {
+ $storage = isset($this->storages['scope']) ? $this->storages['scope'] : null;
+ $this->scopeUtil = new Scope($storage);
+ }
+
+ return $this->scopeUtil;
+ }
+
+ /**
+ * every getter deserves a setter
+ *
+ * @param ScopeInterface $scopeUtil
+ */
+ public function setScopeUtil($scopeUtil)
+ {
+ $this->scopeUtil = $scopeUtil;
+ }
+
+ protected function createDefaultAuthorizeController()
+ {
+ if (!isset($this->storages['client'])) {
+ throw new \LogicException('You must supply a storage object implementing \OAuth2\Storage\ClientInterface to use the authorize server');
+ }
+ if (0 == count($this->responseTypes)) {
+ $this->responseTypes = $this->getDefaultResponseTypes();
+ }
+
+ $config = array_intersect_key($this->config, array_flip(explode(' ', 'allow_implicit enforce_state require_exact_redirect_uri')));
+
+ return new AuthorizeController($this->storages['client'], $this->responseTypes, $config, $this->getScopeUtil());
+ }
+
+ protected function createDefaultTokenController()
+ {
+ if (0 == count($this->grantTypes)) {
+ $this->grantTypes = $this->getDefaultGrantTypes();
+ }
+
+ if (is_null($this->clientAssertionType)) {
+ // see if HttpBasic assertion type is requred. If so, then create it from storage classes.
+ foreach ($this->grantTypes as $grantType) {
+ if (!$grantType instanceof ClientAssertionTypeInterface) {
+ if (!isset($this->storages['client_credentials'])) {
+ throw new \LogicException('You must supply a storage object implementing OAuth2\Storage\ClientCredentialsInterface to use the token server');
+ }
+ $config = array_intersect_key($this->config, array_flip(explode(' ', 'allow_credentials_in_request_body allow_public_clients')));
+ $this->clientAssertionType = new HttpBasic($this->storages['client_credentials'], $config);
+ break;
+ }
+ }
+ }
+
+ if (!isset($this->storages['client'])) {
+ throw new \LogicException('You must supply a storage object implementing OAuth2\Storage\ClientInterface to use the token server');
+ }
+
+ $accessTokenResponseType = $this->getAccessTokenResponseType();
+
+ return new TokenController($accessTokenResponseType, $this->storages['client'], $this->grantTypes, $this->clientAssertionType, $this->getScopeUtil());
+ }
+
+ protected function createDefaultResourceController()
+ {
+ if (!isset($this->storages['access_token'])) {
+ throw new \LogicException('You must supply a storage object implementing OAuth2\Storage\AccessTokenInterface');
+ }
+
+ if (!$this->tokenType) {
+ $this->tokenType = $this->getDefaultTokenType();
+ }
+
+ $config = array_intersect_key($this->config, array('www_realm' => ''));
+
+ return new ResourceController($this->tokenType, $this->storages['access_token'], $config, $this->getScopeUtil());
+ }
+
+ protected function createDefaultUserInfoController()
+ {
+ if (!isset($this->storages['access_token'])) {
+ throw new \LogicException('You must supply a storage object implementing OAuth2\Storage\AccessTokenInterface');
+ }
+
+ if (!$this->tokenType) {
+ $this->tokenType = $this->getDefaultTokenType();
+ }
+
+ $config = array_intersect_key($this->config, array('www_realm' => ''));
+
+ return new UserInfoController($this->tokenType, $this->storages['access_token'], $this->storages['user_claims'], $config, $this->getScopeUtil());
+ }
+
+ protected function getDefaultTokenType()
+ {
+ $config = array_intersect_key($this->config, array_flip(explode(' ', 'token_param_name token_bearer_header_name')));
+
+ return new Bearer($config);
+ }
+
+ protected function getDefaultResponseTypes()
+ {
+ $responseTypes = array();
+
+ if ($this->config['allow_implicit']) {
+ $responseTypes['token'] = $this->getAccessTokenResponseType();
+ }
+
+ if (isset($this->storages['authorization_code'])) {
+ $config = array_intersect_key($this->config, array_flip(explode(' ', 'enforce_redirect auth_code_lifetime')));
+ $responseTypes['code'] = new AuthorizationCodeResponseType($this->storages['authorization_code'], $config);
+ }
+
+ if (count($responseTypes) == 0) {
+ throw new \LogicException('You must supply an array of response_types in the constructor or implement a OAuth2\Storage\AuthorizationCodeInterface storage object or set "allow_implicit" to true and implement a OAuth2\Storage\AccessTokenInterface storage object');
+ }
+
+ return $responseTypes;
+ }
+
+ protected function getDefaultGrantTypes()
+ {
+ $grantTypes = array();
+
+ if (isset($this->storages['user_credentials'])) {
+ $grantTypes['password'] = new UserCredentials($this->storages['user_credentials']);
+ }
+
+ if (isset($this->storages['client_credentials'])) {
+ $config = array_intersect_key($this->config, array('allow_credentials_in_request_body' => ''));
+ $grantTypes['client_credentials'] = new ClientCredentials($this->storages['client_credentials'], $config);
+ }
+
+ if (isset($this->storages['refresh_token'])) {
+ $config = array_intersect_key($this->config, array_flip(explode(' ', 'always_issue_new_refresh_token unset_refresh_token_after_use')));
+ $grantTypes['refresh_token'] = new RefreshToken($this->storages['refresh_token'], $config);
+ }
+
+ if (isset($this->storages['authorization_code'])) {
+ $grantTypes['authorization_code'] = new AuthorizationCode($this->storages['authorization_code']);
+
+ }
+
+ if (count($grantTypes) == 0) {
+ throw new \LogicException('Unable to build default grant types - You must supply an array of grant_types in the constructor');
+ }
+
+ return $grantTypes;
+ }
+
+ protected function getAccessTokenResponseType()
+ {
+ if (isset($this->responseTypes['token'])) {
+ return $this->responseTypes['token'];
+ }
+
+ return $this->createDefaultAccessTokenResponseType();
+ }
+
+ protected function getIdTokenResponseType()
+ {
+ if (isset($this->responseTypes['id_token'])) {
+ return $this->responseTypes['id_token'];
+ }
+
+ return $this->createDefaultIdTokenResponseType();
+ }
+
+ protected function getIdTokenTokenResponseType()
+ {
+ if (isset($this->responseTypes['id_token token'])) {
+ return $this->responseTypes['id_token token'];
+ }
+
+ return $this->createDefaultIdTokenTokenResponseType();
+ }
+
+ protected function createDefaultAccessTokenResponseType()
+ {
+ if (!isset($this->storages['access_token'])) {
+ throw new \LogicException('You must supply a response type implementing OAuth2\ResponseType\AccessTokenInterface, or a storage object implementing OAuth2\Storage\AccessTokenInterface to use the token server');
+ }
+
+ $refreshStorage = null;
+ if (isset($this->storages['refresh_token'])) {
+ $refreshStorage = $this->storages['refresh_token'];
+ }
+
+ $config = array_intersect_key($this->config, array_flip(explode(' ', 'access_lifetime refresh_token_lifetime')));
+ $config['token_type'] = $this->tokenType ? $this->tokenType->getTokenType() : $this->getDefaultTokenType()->getTokenType();
+
+ return new AccessToken($this->storages['access_token'], $refreshStorage, $config);
+ }
+
+ protected function createDefaultIdTokenResponseType()
+ {
+ if (!isset($this->storages['public_key'])) {
+ throw new \LogicException('You must supply a storage object implementing OAuth2\Storage\PublicKeyInterface to use openid connect');
+ }
+
+ $config = array_intersect_key($this->config, array_flip(explode(' ', 'issuer id_lifetime')));
+
+ return new IdToken($this->storages['user_claims'], $this->storages['public_key'], $config);
+ }
+
+ protected function createDefaultIdTokenTokenResponseType()
+ {
+ return new IdTokenToken($this->getAccessTokenResponseType(), $this->getIdTokenResponseType());
+ }
+
+ protected function normalizeResponseType($name)
+ {
+ // for multiple-valued response types - make them alphabetical
+ if (!empty($name) && false !== strpos($name, ' ')) {
+ $types = explode(' ', $name);
+ sort($types);
+ $name = implode(' ', $types);
+ }
+
+ return $name;
+ }
+
+ public function getResponse()
+ {
+ return $this->response;
+ }
+
+ public function getStorages()
+ {
+ return $this->storages;
+ }
+
+ public function getStorage($name)
+ {
+ return isset($this->storages[$name]) ? $this->storages[$name] : null;
+ }
+
+ public function getGrantTypes()
+ {
+ return $this->grantTypes;
+ }
+
+ public function getGrantType($name)
+ {
+ return isset($this->grantTypes[$name]) ? $this->grantTypes[$name] : null;
+ }
+
+ public function getResponseTypes()
+ {
+ return $this->responseTypes;
+ }
+
+ public function getResponseType($name)
+ {
+ // for multiple-valued response types - make them alphabetical
+ $name = $this->normalizeResponseType($name);
+
+ return isset($this->responseTypes[$name]) ? $this->responseTypes[$name] : null;
+ }
+
+ public function getTokenType()
+ {
+ return $this->tokenType;
+ }
+
+ public function getClientAssertionType()
+ {
+ return $this->clientAssertionType;
+ }
+
+ public function setConfig($name, $value)
+ {
+ $this->config[$name] = $value;
+ }
+
+ public function getConfig($name, $default = null)
+ {
+ return isset($this->config[$name]) ? $this->config[$name] : $default;
+ }
+}
diff --git a/oauth/OAuth2/Storage/AccessTokenInterface.php b/oauth/OAuth2/Storage/AccessTokenInterface.php
new file mode 100644
index 0000000..85781c6
--- /dev/null
+++ b/oauth/OAuth2/Storage/AccessTokenInterface.php
@@ -0,0 +1,67 @@
+
+ */
+interface AccessTokenInterface
+{
+ /**
+ * Look up the supplied oauth_token from storage.
+ *
+ * We need to retrieve access token data as we create and verify tokens.
+ *
+ * @param $oauth_token
+ * oauth_token to be check with.
+ *
+ * @return
+ * An associative array as below, and return NULL if the supplied oauth_token
+ * is invalid:
+ * - expires: Stored expiration in unix timestamp.
+ * - client_id: (optional) Stored client identifier.
+ * - user_id: (optional) Stored user identifier.
+ * - scope: (optional) Stored scope values in space-separated string.
+ * - id_token: (optional) Stored id_token (if "use_openid_connect" is true).
+ *
+ * @ingroup oauth2_section_7
+ */
+ public function getAccessToken($oauth_token);
+
+ /**
+ * Store the supplied access token values to storage.
+ *
+ * We need to store access token data as we create and verify tokens.
+ *
+ * @param $oauth_token oauth_token to be stored.
+ * @param $client_id client identifier to be stored.
+ * @param $user_id user identifier to be stored.
+ * @param int $expires expiration to be stored as a Unix timestamp.
+ * @param string $scope OPTIONAL Scopes to be stored in space-separated string.
+ *
+ * @ingroup oauth2_section_4
+ */
+ public function setAccessToken($oauth_token, $client_id, $user_id, $expires, $scope = null);
+
+ /**
+ * Expire an access token.
+ *
+ * This is not explicitly required in the spec, but if defined in a draft RFC for token
+ * revoking (RFC 7009) https://tools.ietf.org/html/rfc7009
+ *
+ * @param $access_token
+ * Access token to be expired.
+ *
+ * @return BOOL true if an access token was unset, false if not
+ * @ingroup oauth2_section_6
+ *
+ * @todo v2.0 include this method in interface. Omitted to maintain BC in v1.x
+ */
+ //public function unsetAccessToken($access_token)
+
+ public function getUsersID($username);
+
+}
diff --git a/oauth/OAuth2/Storage/AuthorizationCodeInterface.php b/oauth/OAuth2/Storage/AuthorizationCodeInterface.php
new file mode 100644
index 0000000..a5ae058
--- /dev/null
+++ b/oauth/OAuth2/Storage/AuthorizationCodeInterface.php
@@ -0,0 +1,118 @@
+
+ */
+interface AuthorizationCodeInterface
+{
+ /**
+ * The Authorization Code grant type supports a response type of "code".
+ *
+ * @var string
+ * @see http://tools.ietf.org/html/rfc6749#section-1.4.1
+ * @see http://tools.ietf.org/html/rfc6749#section-4.2
+ */
+ const RESPONSE_TYPE_CODE = "code";
+
+ /**
+ * Fetch authorization code data (probably the most common grant type).
+ *
+ * Retrieve the stored data for the given authorization code.
+ *
+ * Required for OAuth2::GRANT_TYPE_AUTH_CODE.
+ *
+ * @param $code
+ * Authorization code to be check with.
+ *
+ * @return
+ * An associative array as below, and NULL if the code is invalid
+ * @code
+ * return array(
+ * "client_id" => CLIENT_ID, // REQUIRED Stored client identifier
+ * "user_id" => USER_ID, // REQUIRED Stored user identifier
+ * "expires" => EXPIRES, // REQUIRED Stored expiration in unix timestamp
+ * "redirect_uri" => REDIRECT_URI, // REQUIRED Stored redirect URI
+ * "scope" => SCOPE, // OPTIONAL Stored scope values in space-separated string
+ * );
+ * @endcode
+ *
+ * @see http://tools.ietf.org/html/rfc6749#section-4.1
+ *
+ * @ingroup oauth2_section_4
+ */
+ public function getAuthorizationCode($code);
+
+ /**
+ * Take the provided authorization code values and store them somewhere.
+ *
+ * This function should be the storage counterpart to getAuthCode().
+ *
+ * If storage fails for some reason, we're not currently checking for
+ * any sort of success/failure, so you should bail out of the script
+ * and provide a descriptive fail message.
+ *
+ * Required for OAuth2::GRANT_TYPE_AUTH_CODE.
+ *
+ * @param string $code Authorization code to be stored.
+ * @param mixed $client_id Client identifier to be stored.
+ * @param mixed $user_id User identifier to be stored.
+ * @param string $redirect_uri Redirect URI(s) to be stored in a space-separated string.
+ * @param int $expires Expiration to be stored as a Unix timestamp.
+ * @param string $scope OPTIONAL Scopes to be stored in space-separated string.
+ *
+ * @ingroup oauth2_section_4
+ */
+ public function setAuthorizationCode($code, $client_id, $user_id, $redirect_uri, $expires, $scope = null);
+
+ /**
+ * once an Authorization Code is used, it must be expired
+ *
+ * @see http://tools.ietf.org/html/rfc6749#section-4.1.2
+ *
+ * The client MUST NOT use the authorization code
+ * more than once. If an authorization code is used more than
+ * once, the authorization server MUST deny the request and SHOULD
+ * revoke (when possible) all tokens previously issued based on
+ * that authorization code
+ *
+ */
+ public function expireAuthorizationCode($code);
+
+/*-------------------------------------------------------------------------------------------------------------------------------------------------*/
+/**
+ * @author Denis CLAVIER
+ */
+
+ /**
+ * get user id on Oauth2 server
+ *
+ * @param string $username
+ * Username of an LDAP user (often uid)
+ *
+ * @return
+ * The id associated to username in users table
+ * and FALSE if username is not in the users table
+ */
+ public function getUsersID($username);
+
+ /**
+ * set an id for username on Oauth2 server
+ *
+ * @param string $username
+ * Username of an LDAP user (often uid)
+ *
+ * @return
+ * TRUE if insertion has succeed
+ * and FALSE if is not
+ *
+ * An unique ID is linked to the username after this function
+ */
+ public function setUsersID($username);
+
+}
diff --git a/oauth/OAuth2/Storage/ClientCredentialsInterface.php b/oauth/OAuth2/Storage/ClientCredentialsInterface.php
new file mode 100644
index 0000000..3318c69
--- /dev/null
+++ b/oauth/OAuth2/Storage/ClientCredentialsInterface.php
@@ -0,0 +1,49 @@
+
+ */
+interface ClientCredentialsInterface extends ClientInterface
+{
+
+ /**
+ * Make sure that the client credentials is valid.
+ *
+ * @param $client_id
+ * Client identifier to be check with.
+ * @param $client_secret
+ * (optional) If a secret is required, check that they've given the right one.
+ *
+ * @return
+ * TRUE if the client credentials are valid, and MUST return FALSE if it isn't.
+ * @endcode
+ *
+ * @see http://tools.ietf.org/html/rfc6749#section-3.1
+ *
+ * @ingroup oauth2_section_3
+ */
+ public function checkClientCredentials($client_id, $client_secret = null);
+
+ /**
+ * Determine if the client is a "public" client, and therefore
+ * does not require passing credentials for certain grant types
+ *
+ * @param $client_id
+ * Client identifier to be check with.
+ *
+ * @return
+ * TRUE if the client is public, and FALSE if it isn't.
+ * @endcode
+ *
+ * @see http://tools.ietf.org/html/rfc6749#section-2.3
+ * @see https://github.com/bshaffer/oauth2-server-php/issues/257
+ *
+ * @ingroup oauth2_section_2
+ */
+ public function isPublicClient($client_id);
+}
diff --git a/oauth/OAuth2/Storage/ClientInterface.php b/oauth/OAuth2/Storage/ClientInterface.php
new file mode 100644
index 0000000..09a5bff
--- /dev/null
+++ b/oauth/OAuth2/Storage/ClientInterface.php
@@ -0,0 +1,66 @@
+
+ */
+interface ClientInterface
+{
+ /**
+ * Get client details corresponding client_id.
+ *
+ * OAuth says we should store request URIs for each registered client.
+ * Implement this function to grab the stored URI for a given client id.
+ *
+ * @param $client_id
+ * Client identifier to be check with.
+ *
+ * @return array
+ * Client details. The only mandatory key in the array is "redirect_uri".
+ * This function MUST return FALSE if the given client does not exist or is
+ * invalid. "redirect_uri" can be space-delimited to allow for multiple valid uris.
+ *
+ * return array(
+ * "redirect_uri" => REDIRECT_URI, // REQUIRED redirect_uri registered for the client
+ * "client_id" => CLIENT_ID, // OPTIONAL the client id
+ * "grant_types" => GRANT_TYPES, // OPTIONAL an array of restricted grant types
+ * "user_id" => USER_ID, // OPTIONAL the user identifier associated with this client
+ * "scope" => SCOPE, // OPTIONAL the scopes allowed for this client
+ * );
+ *
+ *
+ * @ingroup oauth2_section_4
+ */
+ public function getClientDetails($client_id);
+
+ /**
+ * Get the scope associated with this client
+ *
+ * @return
+ * STRING the space-delineated scope list for the specified client_id
+ */
+ public function getClientScope($client_id);
+
+ /**
+ * Check restricted grant types of corresponding client identifier.
+ *
+ * If you want to restrict clients to certain grant types, override this
+ * function.
+ *
+ * @param $client_id
+ * Client identifier to be check with.
+ * @param $grant_type
+ * Grant type to be check with
+ *
+ * @return
+ * TRUE if the grant type is supported by this client identifier, and
+ * FALSE if it isn't.
+ *
+ * @ingroup oauth2_section_4
+ */
+ public function checkRestrictedGrantType($client_id, $grant_type);
+}
diff --git a/oauth/OAuth2/Storage/CouchbaseDB.php b/oauth/OAuth2/Storage/CouchbaseDB.php
new file mode 100755
index 0000000..1eb55f0
--- /dev/null
+++ b/oauth/OAuth2/Storage/CouchbaseDB.php
@@ -0,0 +1,331 @@
+
+ */
+class CouchbaseDB implements AuthorizationCodeInterface,
+ AccessTokenInterface,
+ ClientCredentialsInterface,
+ UserCredentialsInterface,
+ RefreshTokenInterface,
+ JwtBearerInterface,
+ OpenIDAuthorizationCodeInterface
+{
+ protected $db;
+ protected $config;
+
+ public function __construct($connection, $config = array())
+ {
+ if ($connection instanceof \Couchbase) {
+ $this->db = $connection;
+ } else {
+ if (!is_array($connection) || !is_array($connection['servers'])) {
+ throw new \InvalidArgumentException('First argument to OAuth2\Storage\CouchbaseDB must be an instance of Couchbase or a configuration array containing a server array');
+ }
+
+ $this->db = new \Couchbase($connection['servers'], (!isset($connection['username'])) ? '' : $connection['username'], (!isset($connection['password'])) ? '' : $connection['password'], $connection['bucket'], false);
+ }
+
+ $this->config = array_merge(array(
+ 'client_table' => 'oauth_clients',
+ 'access_token_table' => 'oauth_access_tokens',
+ 'refresh_token_table' => 'oauth_refresh_tokens',
+ 'code_table' => 'oauth_authorization_codes',
+ 'user_table' => 'oauth_users',
+ 'jwt_table' => 'oauth_jwt',
+ ), $config);
+ }
+
+ // Helper function to access couchbase item by type:
+ protected function getObjectByType($name,$id)
+ {
+ return json_decode($this->db->get($this->config[$name].'-'.$id),true);
+ }
+
+ // Helper function to set couchbase item by type:
+ protected function setObjectByType($name,$id,$array)
+ {
+ $array['type'] = $name;
+
+ return $this->db->set($this->config[$name].'-'.$id,json_encode($array));
+ }
+
+ // Helper function to delete couchbase item by type, wait for persist to at least 1 node
+ protected function deleteObjectByType($name,$id)
+ {
+ $this->db->delete($this->config[$name].'-'.$id,"",1);
+ }
+
+ /* ClientCredentialsInterface */
+ public function checkClientCredentials($client_id, $client_secret = null)
+ {
+ if ($result = $this->getObjectByType('client_table',$client_id)) {
+ return $result['client_secret'] == $client_secret;
+ }
+
+ return false;
+ }
+
+ public function isPublicClient($client_id)
+ {
+ if (!$result = $this->getObjectByType('client_table',$client_id)) {
+ return false;
+ }
+
+ return empty($result['client_secret']);
+ }
+
+ /* ClientInterface */
+ public function getClientDetails($client_id)
+ {
+ $result = $this->getObjectByType('client_table',$client_id);
+
+ return is_null($result) ? false : $result;
+ }
+
+ public function setClientDetails($client_id, $client_secret = null, $redirect_uri = null, $grant_types = null, $scope = null, $user_id = null)
+ {
+ if ($this->getClientDetails($client_id)) {
+
+ $this->setObjectByType('client_table',$client_id, array(
+ 'client_id' => $client_id,
+ 'client_secret' => $client_secret,
+ 'redirect_uri' => $redirect_uri,
+ 'grant_types' => $grant_types,
+ 'scope' => $scope,
+ 'user_id' => $user_id,
+ ));
+ } else {
+ $this->setObjectByType('client_table',$client_id, array(
+ 'client_id' => $client_id,
+ 'client_secret' => $client_secret,
+ 'redirect_uri' => $redirect_uri,
+ 'grant_types' => $grant_types,
+ 'scope' => $scope,
+ 'user_id' => $user_id,
+ ));
+ }
+
+ return true;
+ }
+
+ public function checkRestrictedGrantType($client_id, $grant_type)
+ {
+ $details = $this->getClientDetails($client_id);
+ if (isset($details['grant_types'])) {
+ $grant_types = explode(' ', $details['grant_types']);
+
+ return in_array($grant_type, $grant_types);
+ }
+
+ // if grant_types are not defined, then none are restricted
+ return true;
+ }
+
+ /* AccessTokenInterface */
+ public function getAccessToken($access_token)
+ {
+ $token = $this->getObjectByType('access_token_table',$access_token);
+
+ return is_null($token) ? false : $token;
+ }
+
+ public function setAccessToken($access_token, $client_id, $user_id, $expires, $scope = null)
+ {
+ // if it exists, update it.
+ if ($this->getAccessToken($access_token)) {
+ $this->setObjectByType('access_token_table',$access_token, array(
+ 'access_token' => $access_token,
+ 'client_id' => $client_id,
+ 'expires' => $expires,
+ 'user_id' => $user_id,
+ 'scope' => $scope
+ ));
+ } else {
+ $this->setObjectByType('access_token_table',$access_token, array(
+ 'access_token' => $access_token,
+ 'client_id' => $client_id,
+ 'expires' => $expires,
+ 'user_id' => $user_id,
+ 'scope' => $scope
+ ));
+ }
+
+ return true;
+ }
+
+ /* AuthorizationCodeInterface */
+ public function getAuthorizationCode($code)
+ {
+ $code = $this->getObjectByType('code_table',$code);
+
+ return is_null($code) ? false : $code;
+ }
+
+ public function setAuthorizationCode($code, $client_id, $user_id, $redirect_uri, $expires, $scope = null, $id_token = null)
+ {
+ // if it exists, update it.
+ if ($this->getAuthorizationCode($code)) {
+ $this->setObjectByType('code_table',$code, array(
+ 'authorization_code' => $code,
+ 'client_id' => $client_id,
+ 'user_id' => $user_id,
+ 'redirect_uri' => $redirect_uri,
+ 'expires' => $expires,
+ 'scope' => $scope,
+ 'id_token' => $id_token,
+ ));
+ } else {
+ $this->setObjectByType('code_table',$code,array(
+ 'authorization_code' => $code,
+ 'client_id' => $client_id,
+ 'user_id' => $user_id,
+ 'redirect_uri' => $redirect_uri,
+ 'expires' => $expires,
+ 'scope' => $scope,
+ 'id_token' => $id_token,
+ ));
+ }
+
+ return true;
+ }
+
+ public function expireAuthorizationCode($code)
+ {
+ $this->deleteObjectByType('code_table',$code);
+
+ return true;
+ }
+
+ /* UserCredentialsInterface */
+ public function checkUserCredentials($username, $password)
+ {
+ if ($user = $this->getUser($username)) {
+ return $this->checkPassword($user, $password);
+ }
+
+ return false;
+ }
+
+ public function getUserDetails($username)
+ {
+ if ($user = $this->getUser($username)) {
+ $user['user_id'] = $user['username'];
+ }
+
+ return $user;
+ }
+
+ /* RefreshTokenInterface */
+ public function getRefreshToken($refresh_token)
+ {
+ $token = $this->getObjectByType('refresh_token_table',$refresh_token);
+
+ return is_null($token) ? false : $token;
+ }
+
+ public function setRefreshToken($refresh_token, $client_id, $user_id, $expires, $scope = null)
+ {
+ $this->setObjectByType('refresh_token_table',$refresh_token, array(
+ 'refresh_token' => $refresh_token,
+ 'client_id' => $client_id,
+ 'user_id' => $user_id,
+ 'expires' => $expires,
+ 'scope' => $scope
+ ));
+
+ return true;
+ }
+
+ public function unsetRefreshToken($refresh_token)
+ {
+ $this->deleteObjectByType('refresh_token_table',$refresh_token);
+
+ return true;
+ }
+
+ // plaintext passwords are bad! Override this for your application
+ protected function checkPassword($user, $password)
+ {
+ return $user['password'] == $password;
+ }
+
+ public function getUser($username)
+ {
+ $result = $this->getObjectByType('user_table',$username);
+
+ return is_null($result) ? false : $result;
+ }
+
+ public function setUser($username, $password, $firstName = null, $lastName = null)
+ {
+ if ($this->getUser($username)) {
+ $this->setObjectByType('user_table',$username, array(
+ 'username' => $username,
+ 'password' => $password,
+ 'first_name' => $firstName,
+ 'last_name' => $lastName
+ ));
+
+ } else {
+ $this->setObjectByType('user_table',$username, array(
+ 'username' => $username,
+ 'password' => $password,
+ 'first_name' => $firstName,
+ 'last_name' => $lastName
+ ));
+
+ }
+
+ return true;
+ }
+
+ public function getClientKey($client_id, $subject)
+ {
+ if (!$jwt = $this->getObjectByType('jwt_table',$client_id)) {
+ return false;
+ }
+
+ if (isset($jwt['subject']) && $jwt['subject'] == $subject) {
+ return $jwt['key'];
+ }
+
+ return false;
+ }
+
+ public function getClientScope($client_id)
+ {
+ if (!$clientDetails = $this->getClientDetails($client_id)) {
+ return false;
+ }
+
+ if (isset($clientDetails['scope'])) {
+ return $clientDetails['scope'];
+ }
+
+ return null;
+ }
+
+ public function getJti($client_id, $subject, $audience, $expiration, $jti)
+ {
+ //TODO: Needs couchbase implementation.
+ throw new \Exception('getJti() for the Couchbase driver is currently unimplemented.');
+ }
+
+ public function setJti($client_id, $subject, $audience, $expiration, $jti)
+ {
+ //TODO: Needs couchbase implementation.
+ throw new \Exception('setJti() for the Couchbase driver is currently unimplemented.');
+ }
+}
diff --git a/oauth/OAuth2/Storage/Pdo.php b/oauth/OAuth2/Storage/Pdo.php
new file mode 100644
index 0000000..ce2caf7
--- /dev/null
+++ b/oauth/OAuth2/Storage/Pdo.php
@@ -0,0 +1,370 @@
+
+ */
+class Pdo implements
+ AuthorizationCodeInterface,
+ AccessTokenInterface,
+ ClientCredentialsInterface,
+ RefreshTokenInterface,
+ ScopeInterface
+{
+ protected $db;
+ protected $config;
+
+ public function __construct($connection, $config = array())
+ {
+ if (!$connection instanceof \PDO) {
+ if (is_string($connection)) {
+ $connection = array('dsn' => $connection);
+ }
+ if (!is_array($connection)) {
+ throw new \InvalidArgumentException('First argument to OAuth2\Storage\Pdo must be an instance of PDO, a DSN string, or a configuration array');
+ }
+ if (!isset($connection['dsn'])) {
+ throw new \InvalidArgumentException('configuration array must contain "dsn"');
+ }
+ // merge optional parameters
+ $connection = array_merge(array(
+ 'username' => null,
+ 'password' => null,
+ 'options' => array(),
+ ), $connection);
+ $connection = new \PDO($connection['dsn'], $connection['username'], $connection['password'], $connection['options']);
+ }
+ $this->db = $connection;
+
+ // debugging
+ $connection->setAttribute(\PDO::ATTR_ERRMODE, \PDO::ERRMODE_EXCEPTION);
+
+ $this->config = array_merge(array(
+ 'client_table' => 'oauth_clients',
+ 'access_token_table' => 'oauth_access_tokens',
+ 'refresh_token_table' => 'oauth_refresh_tokens',
+ 'code_table' => 'oauth_authorization_codes',
+ 'scope_table' => 'oauth_scopes',
+ 'assoc_users_table' => 'users'
+ ), $config);
+ }
+
+ /* OAuth2\Storage\ClientCredentialsInterface */
+ public function checkClientCredentials($client_id, $client_secret = null)
+ {
+ $stmt = $this->db->prepare(sprintf('SELECT * from %s where client_id = :client_id', $this->config['client_table']));
+ $stmt->execute(compact('client_id'));
+ $result = $stmt->fetch(\PDO::FETCH_ASSOC);
+
+ // make this extensible
+ return $result && $result['client_secret'] == $client_secret;
+ }
+
+ public function isPublicClient($client_id)
+ {
+ $stmt = $this->db->prepare(sprintf('SELECT * from %s where client_id = :client_id', $this->config['client_table']));
+ $stmt->execute(compact('client_id'));
+
+ if (!$result = $stmt->fetch(\PDO::FETCH_ASSOC)) {
+ return false;
+ }
+
+ return empty($result['client_secret']);
+ }
+
+ /* OAuth2\Storage\ClientInterface */
+ public function getClientDetails($client_id)
+ {
+ $stmt = $this->db->prepare(sprintf('SELECT * from %s where client_id = :client_id', $this->config['client_table']));
+ $stmt->execute(compact('client_id'));
+
+ return $stmt->fetch(\PDO::FETCH_ASSOC);
+ }
+
+ public function getClientScope($client_id)
+ {
+ if (!$clientDetails = $this->getClientDetails($client_id)) {
+ return false;
+ }
+
+ if (isset($clientDetails['scope'])) {
+ return $clientDetails['scope'];
+ }
+
+ return null;
+ }
+
+ public function checkRestrictedGrantType($client_id, $grant_type)
+ {
+ $details = $this->getClientDetails($client_id);
+ if (isset($details['grant_types'])) {
+ $grant_types = explode(' ', $details['grant_types']);
+
+ return in_array($grant_type, (array) $grant_types);
+ }
+
+ // if grant_types are not defined, then none are restricted
+ return true;
+ }
+
+ /* OAuth2\Storage\AccessTokenInterface */
+ public function getAccessToken($access_token)
+ {
+ $stmt = $this->db->prepare(sprintf('SELECT * from %s where access_token = :access_token', $this->config['access_token_table']));
+
+ $token = $stmt->execute(compact('access_token'));
+ if ($token = $stmt->fetch(\PDO::FETCH_ASSOC)) {
+ // convert date string back to timestamp
+ $token['expires'] = strtotime($token['expires']);
+ }
+
+ return $token;
+ }
+
+ public function setAccessToken($access_token, $client_id, $user_id, $expires, $scope = null)
+ {
+ // convert expires to datestring
+ $expires = date('Y-m-d H:i:s', $expires);
+
+ // if it exists, update it.
+ if ($this->getAccessToken($access_token)) {
+ $stmt = $this->db->prepare(sprintf('UPDATE %s SET client_id=:client_id, expires=:expires, user_id=:user_id, scope=:scope where access_token=:access_token', $this->config['access_token_table']));
+ } else {
+ $stmt = $this->db->prepare(sprintf('INSERT INTO %s (access_token, client_id, expires, user_id, scope) VALUES (:access_token, :client_id, :expires, :user_id, :scope)', $this->config['access_token_table']));
+ }
+
+ return $stmt->execute(compact('access_token', 'client_id', 'user_id', 'expires', 'scope'));
+ }
+
+ public function unsetAccessToken($access_token)
+ {
+ $stmt = $this->db->prepare(sprintf('DELETE FROM %s WHERE access_token = :access_token', $this->config['access_token_table']));
+
+ $stmt->execute(compact('access_token'));
+
+ return $stmt->rowCount() > 0;
+ }
+
+ /* OAuth2\Storage\AuthorizationCodeInterface */
+ public function getAuthorizationCode($code)
+ {
+ $stmt = $this->db->prepare(sprintf('SELECT * from %s where authorization_code = :code', $this->config['code_table']));
+ $stmt->execute(compact('code'));
+
+ if ($code = $stmt->fetch(\PDO::FETCH_ASSOC)) {
+ // convert date string back to timestamp
+ $code['expires'] = strtotime($code['expires']);
+ }
+
+ return $code;
+ }
+
+ public function setAuthorizationCode($code, $client_id, $user_id, $redirect_uri, $expires, $scope = null)
+ {
+ // convert expires to datestring
+ $expires = date('Y-m-d H:i:s', $expires);
+
+ // if it exists, update it.
+ if ($this->getAuthorizationCode($code)) {
+ $stmt = $this->db->prepare($sql = sprintf('UPDATE %s SET client_id=:client_id, user_id=:user_id, redirect_uri=:redirect_uri, expires=:expires, scope=:scope where authorization_code=:code', $this->config['code_table']));
+ } else {
+ $stmt = $this->db->prepare(sprintf('INSERT INTO %s (authorization_code, client_id, user_id, redirect_uri, expires, scope) VALUES (:code, :client_id, :user_id, :redirect_uri, :expires, :scope)', $this->config['code_table']));
+ }
+
+ return $stmt->execute(compact('code', 'client_id', 'user_id', 'redirect_uri', 'expires', 'scope'));
+ }
+
+ public function expireAuthorizationCode($code)
+ {
+ $stmt = $this->db->prepare(sprintf('DELETE FROM %s WHERE authorization_code = :code', $this->config['code_table']));
+
+ return $stmt->execute(compact('code'));
+ }
+
+
+ /* OAuth2\Storage\RefreshTokenInterface */
+ public function getRefreshToken($refresh_token)
+ {
+ $stmt = $this->db->prepare(sprintf('SELECT * FROM %s WHERE refresh_token = :refresh_token', $this->config['refresh_token_table']));
+
+ $token = $stmt->execute(compact('refresh_token'));
+ if ($token = $stmt->fetch(\PDO::FETCH_ASSOC)) {
+ // convert expires to epoch time
+ $token['expires'] = strtotime($token['expires']);
+ }
+
+ return $token;
+ }
+
+ public function setRefreshToken($refresh_token, $client_id, $user_id, $expires, $scope = null)
+ {
+ // convert expires to datestring
+ $expires = date('Y-m-d H:i:s', $expires);
+
+ $stmt = $this->db->prepare(sprintf('INSERT INTO %s (refresh_token, client_id, user_id, expires, scope) VALUES (:refresh_token, :client_id, :user_id, :expires, :scope)', $this->config['refresh_token_table']));
+
+ return $stmt->execute(compact('refresh_token', 'client_id', 'user_id', 'expires', 'scope'));
+ }
+
+ public function unsetRefreshToken($refresh_token)
+ {
+ $stmt = $this->db->prepare(sprintf('DELETE FROM %s WHERE refresh_token = :refresh_token', $this->config['refresh_token_table']));
+
+ $stmt->execute(compact('refresh_token'));
+
+ return $stmt->rowCount() > 0;
+ }
+
+ /* ScopeInterface */
+ public function scopeExists($scope)
+ {
+ $scope = explode(' ', $scope);
+ $whereIn = implode(',', array_fill(0, count($scope), '?'));
+ $stmt = $this->db->prepare(sprintf('SELECT count(scope) as count FROM %s WHERE scope IN (%s)', $this->config['scope_table'], $whereIn));
+ $stmt->execute($scope);
+
+ if ($result = $stmt->fetch(\PDO::FETCH_ASSOC)) {
+ return $result['count'] == count($scope);
+ }
+
+ return false;
+ }
+
+ public function getDefaultScope($client_id = null)
+ {
+ $stmt = $this->db->prepare(sprintf('SELECT scope FROM %s WHERE is_default=:is_default', $this->config['scope_table']));
+ $stmt->execute(array('is_default' => true));
+
+ if ($result = $stmt->fetchAll(\PDO::FETCH_ASSOC)) {
+ $defaultScope = array_map(function ($row) {
+ return $row['scope'];
+ }, $result);
+
+ return implode(' ', $defaultScope);
+ }
+
+ return null;
+ }
+
+/*-------------------------------------------------------------------------------------------------------------------------------------------------*/
+/**
+ * @author Denis CLAVIER
+ */
+
+
+ /**
+ * get user id on Oauth2 server
+ *
+ * @param string $username
+ * Username of an LDAP user (often uid)
+ *
+ * @return
+ * The id associated to username in users table
+ * and FALSE if username is not in the users table
+ */
+ public function getUsersID($username)
+ {
+ $stmt = $this->db->prepare($sql = sprintf('SELECT id FROM %s WHERE username=:username', $this->config['assoc_users_table']));
+ $stmt->execute(compact('username'));
+
+ // If user exist return his id
+ if ($result = $stmt->fetch(\PDO::FETCH_ASSOC)) {
+ return $result['id'];
+ }
+
+ // If user does not exist, return false
+ return false;
+ }
+
+ /**
+ * set an id for username on Oauth2 server
+ *
+ * @param string $username
+ * Username of an LDAP user (often uid)
+ *
+ * @return
+ * TRUE if insertion has succeed
+ * and FALSE if is not
+ *
+ * An unique ID is linked to the username after this function
+ */
+ public function setUsersID($username)
+ {
+ $stmt = $this->db->prepare(sprintf('INSERT INTO %s (username) VALUES (:username)', $this->config['assoc_users_table']));
+ return $stmt->execute(compact('username'));
+ }
+
+/*-------------------------------------------------------------------------------------------------------------------------------------------------*/
+
+ /**
+ * DDL to create OAuth2 database and tables for PDO storage
+ *
+ * @see https://github.com/dsquier/oauth2-server-php-mysql
+ */
+ public function getBuildSql($dbName = 'oauth2_server_php')
+ {
+ $sql = "
+ CREATE TABLE {$this->config['client_table']} (
+ client_id VARCHAR(80) NOT NULL,
+ client_secret VARCHAR(80),
+ redirect_uri VARCHAR(2000),
+ grant_types VARCHAR(80),
+ scope VARCHAR(4000),
+ user_id VARCHAR(80),
+ PRIMARY KEY (client_id)
+ );
+
+ CREATE TABLE {$this->config['access_token_table']} (
+ access_token VARCHAR(40) NOT NULL,
+ client_id VARCHAR(80) NOT NULL,
+ user_id VARCHAR(80),
+ expires TIMESTAMP NOT NULL,
+ scope VARCHAR(4000),
+ PRIMARY KEY (access_token)
+ );
+
+ CREATE TABLE {$this->config['code_table']} (
+ authorization_code VARCHAR(40) NOT NULL,
+ client_id VARCHAR(80) NOT NULL,
+ user_id VARCHAR(80),
+ redirect_uri VARCHAR(2000),
+ expires TIMESTAMP NOT NULL,
+ scope VARCHAR(4000),
+ PRIMARY KEY (authorization_code)
+ );
+
+ CREATE TABLE {$this->config['refresh_token_table']} (
+ refresh_token VARCHAR(40) NOT NULL,
+ client_id VARCHAR(80) NOT NULL,
+ user_id VARCHAR(80),
+ expires TIMESTAMP NOT NULL,
+ scope VARCHAR(4000),
+ PRIMARY KEY (refresh_token)
+ );
+
+ CREATE TABLE {$this->config['user_table']} (
+ id SERIAL NOT NULL,
+ username VARCHAR(80) NOT NULL,
+ PRIMARY KEY (id)
+ );
+
+ CREATE TABLE {$this->config['scope_table']} (
+ scope VARCHAR(80) NOT NULL,
+ is_default BOOLEAN,
+ PRIMARY KEY (scope)
+ );
+";
+
+ return $sql;
+ }
+}
diff --git a/oauth/OAuth2/Storage/RefreshTokenInterface.php b/oauth/OAuth2/Storage/RefreshTokenInterface.php
new file mode 100644
index 0000000..e6407e4
--- /dev/null
+++ b/oauth/OAuth2/Storage/RefreshTokenInterface.php
@@ -0,0 +1,82 @@
+
+ */
+interface RefreshTokenInterface
+{
+ /**
+ * Grant refresh access tokens.
+ *
+ * Retrieve the stored data for the given refresh token.
+ *
+ * Required for OAuth2::GRANT_TYPE_REFRESH_TOKEN.
+ *
+ * @param $refresh_token
+ * Refresh token to be check with.
+ *
+ * @return
+ * An associative array as below, and NULL if the refresh_token is
+ * invalid:
+ * - refresh_token: Refresh token identifier.
+ * - client_id: Client identifier.
+ * - user_id: User identifier.
+ * - expires: Expiration unix timestamp, or 0 if the token doesn't expire.
+ * - scope: (optional) Scope values in space-separated string.
+ *
+ * @see http://tools.ietf.org/html/rfc6749#section-6
+ *
+ * @ingroup oauth2_section_6
+ */
+ public function getRefreshToken($refresh_token);
+
+ /**
+ * Take the provided refresh token values and store them somewhere.
+ *
+ * This function should be the storage counterpart to getRefreshToken().
+ *
+ * If storage fails for some reason, we're not currently checking for
+ * any sort of success/failure, so you should bail out of the script
+ * and provide a descriptive fail message.
+ *
+ * Required for OAuth2::GRANT_TYPE_REFRESH_TOKEN.
+ *
+ * @param $refresh_token
+ * Refresh token to be stored.
+ * @param $client_id
+ * Client identifier to be stored.
+ * @param $user_id
+ * User identifier to be stored.
+ * @param $expires
+ * Expiration timestamp to be stored. 0 if the token doesn't expire.
+ * @param $scope
+ * (optional) Scopes to be stored in space-separated string.
+ *
+ * @ingroup oauth2_section_6
+ */
+ public function setRefreshToken($refresh_token, $client_id, $user_id, $expires, $scope = null);
+
+ /**
+ * Expire a used refresh token.
+ *
+ * This is not explicitly required in the spec, but is almost implied.
+ * After granting a new refresh token, the old one is no longer useful and
+ * so should be forcibly expired in the data store so it can't be used again.
+ *
+ * If storage fails for some reason, we're not currently checking for
+ * any sort of success/failure, so you should bail out of the script
+ * and provide a descriptive fail message.
+ *
+ * @param $refresh_token
+ * Refresh token to be expired.
+ *
+ * @ingroup oauth2_section_6
+ */
+ public function unsetRefreshToken($refresh_token);
+}
diff --git a/oauth/OAuth2/Storage/ScopeInterface.php b/oauth/OAuth2/Storage/ScopeInterface.php
new file mode 100644
index 0000000..a829226
--- /dev/null
+++ b/oauth/OAuth2/Storage/ScopeInterface.php
@@ -0,0 +1,46 @@
+
+ */
+interface ScopeInterface
+{
+ /**
+ * Check if the provided scope exists.
+ *
+ * @param $scope
+ * A space-separated string of scopes.
+ *
+ * @return
+ * TRUE if it exists, FALSE otherwise.
+ */
+ public function scopeExists($scope);
+
+ /**
+ * The default scope to use in the event the client
+ * does not request one. By returning "false", a
+ * request_error is returned by the server to force a
+ * scope request by the client. By returning "null",
+ * opt out of requiring scopes
+ *
+ * @param $client_id
+ * An optional client id that can be used to return customized default scopes.
+ *
+ * @return
+ * string representation of default scope, null if
+ * scopes are not defined, or false to force scope
+ * request by the client
+ *
+ * ex:
+ * 'default'
+ * ex:
+ * null
+ */
+ public function getDefaultScope($client_id = null);
+}
diff --git a/oauth/OAuth2/TokenType/Bearer.php b/oauth/OAuth2/TokenType/Bearer.php
new file mode 100644
index 0000000..8ac8596
--- /dev/null
+++ b/oauth/OAuth2/TokenType/Bearer.php
@@ -0,0 +1,130 @@
+config = array_merge(array(
+ 'token_param_name' => 'access_token',
+ 'token_bearer_header_name' => 'Bearer',
+ ), $config);
+ }
+
+ public function getTokenType()
+ {
+ return 'Bearer';
+ }
+
+ /**
+ * Check if the request has supplied token
+ *
+ * @see https://github.com/bshaffer/oauth2-server-php/issues/349#issuecomment-37993588
+ */
+ public function requestHasToken(RequestInterface $request)
+ {
+ $headers = $request->headers('AUTHORIZATION');
+
+ // check the header, then the querystring, then the request body
+ return !empty($headers) || (bool) ($request->request($this->config['token_param_name'])) || (bool) ($request->query($this->config['token_param_name']));
+ }
+
+ /**
+ * This is a convenience function that can be used to get the token, which can then
+ * be passed to getAccessTokenData(). The constraints specified by the draft are
+ * attempted to be adheared to in this method.
+ *
+ * As per the Bearer spec (draft 8, section 2) - there are three ways for a client
+ * to specify the bearer token, in order of preference: Authorization Header,
+ * POST and GET.
+ *
+ * NB: Resource servers MUST accept tokens via the Authorization scheme
+ * (http://tools.ietf.org/html/rfc6750#section-2).
+ *
+ * @todo Should we enforce TLS/SSL in this function?
+ *
+ * @see http://tools.ietf.org/html/rfc6750#section-2.1
+ * @see http://tools.ietf.org/html/rfc6750#section-2.2
+ * @see http://tools.ietf.org/html/rfc6750#section-2.3
+ *
+ * Old Android version bug (at least with version 2.2)
+ * @see http://code.google.com/p/android/issues/detail?id=6684
+ *
+ */
+ public function getAccessTokenParameter(RequestInterface $request, ResponseInterface $response)
+ {
+ $headers = $request->headers('AUTHORIZATION');
+
+ /**
+ * Ensure more than one method is not used for including an
+ * access token
+ *
+ * @see http://tools.ietf.org/html/rfc6750#section-3.1
+ */
+ $methodsUsed = !empty($headers) + (bool) ($request->query($this->config['token_param_name'])) + (bool) ($request->request($this->config['token_param_name']));
+ if ($methodsUsed > 1) {
+ $response->setError(400, 'invalid_request', 'Only one method may be used to authenticate at a time (Auth header, GET or POST)');
+
+ return null;
+ }
+
+ /**
+ * If no authentication is provided, set the status code
+ * to 401 and return no other error information
+ *
+ * @see http://tools.ietf.org/html/rfc6750#section-3.1
+ */
+ if ($methodsUsed == 0) {
+ $response->setStatusCode(401);
+
+ return null;
+ }
+
+ // HEADER: Get the access token from the header
+ if (!empty($headers)) {
+ if (!preg_match('/' . $this->config['token_bearer_header_name'] . '\s(\S+)/i', $headers, $matches)) {
+ $response->setError(400, 'invalid_request', 'Malformed auth header');
+
+ return null;
+ }
+
+ return $matches[1];
+ }
+
+ if ($request->request($this->config['token_param_name'])) {
+ // // POST: Get the token from POST data
+ if (!in_array(strtolower($request->server('REQUEST_METHOD')), array('post', 'put'))) {
+ $response->setError(400, 'invalid_request', 'When putting the token in the body, the method must be POST or PUT', '#section-2.2');
+
+ return null;
+ }
+
+ $contentType = $request->server('CONTENT_TYPE');
+ if (false !== $pos = strpos($contentType, ';')) {
+ $contentType = substr($contentType, 0, $pos);
+ }
+
+ if ($contentType !== null && $contentType != 'application/x-www-form-urlencoded') {
+ // IETF specifies content-type. NB: Not all webservers populate this _SERVER variable
+ // @see http://tools.ietf.org/html/rfc6750#section-2.2
+ $response->setError(400, 'invalid_request', 'The content type for POST requests must be "application/x-www-form-urlencoded"');
+
+ return null;
+ }
+
+ return $request->request($this->config['token_param_name']);
+ }
+
+ // GET method
+ return $request->query($this->config['token_param_name']);
+ }
+}
diff --git a/oauth/OAuth2/TokenType/TokenTypeInterface.php b/oauth/OAuth2/TokenType/TokenTypeInterface.php
new file mode 100644
index 0000000..ad77d4a
--- /dev/null
+++ b/oauth/OAuth2/TokenType/TokenTypeInterface.php
@@ -0,0 +1,21 @@
+
+ * Adapted from Oauth2-server-php cookbook
+ * @see http://bshaffer.github.io/oauth2-server-php-docs/cookbook/
+ */
+
+// include our OAuth2 Server object
+require_once __DIR__.'/server.php';
+
+$request = OAuth2\Request::createFromGlobals();
+$response = new OAuth2\Response();
+
+// validate the authorize request
+if (!$server->validateAuthorizeRequest($request, $response)) {
+ $response->send();
+ die;
+}
+
+// if user is not yet authenticated, he is redirected.
+if (!isset($_SESSION['uid']))
+{
+ //store the authorize request
+ $_SESSION['auth_page']=end(explode("/", strip_tags(trim($_SERVER['REQUEST_URI']))));
+ header('Location: index.php');
+ exit();
+}
+
+
+// display an authorization form
+if (empty($_POST)) {
+ exit('
+');
+}
+
+// print the authorization code if the user has authorized your client
+$is_authorized = ($_POST['authorized'] === 'Authorize');
+$server->handleAuthorizeRequest($request, $response, $is_authorized,$_SESSION['uid']);
+
+if ($is_authorized)
+{
+ // this is only here so that you get to see your code in the cURL request. Otherwise, we'd redirect back to the client
+ $code = substr($response->getHttpHeader('Location'), strpos($response->getHttpHeader('Location'), 'code=')+5, 40);
+ header('Location: ' . $response->getHttpHeader('Location'));
+ exit();
+}
+
+// Send message in case of error
+$response->send();
\ No newline at end of file
diff --git a/oauth/connexion.php b/oauth/connexion.php
new file mode 100644
index 0000000..1cd9eb5
--- /dev/null
+++ b/oauth/connexion.php
@@ -0,0 +1,74 @@
+
+ */
+
+// include our LDAP object
+require_once __DIR__.'/LDAP/LDAP.php';
+require_once __DIR__.'/LDAP/config_ldap.php';
+
+// Verify all fields have been filled
+if (empty($_POST['user']) || empty($_POST['password']))
+{
+ echo 'You must fill each field';
+ echo 'Click here to come back to login page';
+}
+else
+{
+ // Check received data length (to prevent code injection)
+ if (strlen($_POST['user']) > 15)
+ {
+ echo 'Strange username ... Please try again';
+ echo 'Click here to come back to login page';
+ }
+ elseif (strlen($_POST['password']) > 50 || strlen($_POST['password']) <= 7)
+ {
+ echo 'Strange password ... Please try again';
+ echo 'Click here to come back to login page';
+ }
+ else
+ {
+ // Remove every html tag and useless space on username (to prevent XSS)
+ $user=strip_tags(trim($_POST['user']));
+
+ $user=$_POST['user'];
+ $password=$_POST['password'];
+
+ // Open a LDAP connection
+ $ldap = new LDAP($hostname,$port);
+
+ //##################################################\\
+ // /!\ Adapt here with your LDAP config /!\ \\
+ //##################################################\\
+
+ $rdn = 'uid=' . $user . ',ou=People,o=Company';
+
+ /****************************************************/
+
+ // Check user credential on LDAP
+ if ($ldap->checkLogin($rdn,$password))
+ {
+ $_SESSION['uid']=$user;
+
+ // If user came here with an autorize request, redirect him to the authorize page. Else prompt a simple message.
+ if (isset($_SESSION['auth_page']))
+ {
+ $auth_page=$_SESSION['auth_page'];
+ header('Location: ' . $auth_page);
+ exit();
+ }
+ else
+ {
+ echo "Congratulation you are authenticated !
However there is nothing to do here ...";
+ }
+ }
+ // check login on LDAP has failed. Login and password were invalid or LDAP is unreachable
+ else
+ {
+ echo "Authetification failed ... Check your username and password.
If error persist contact your administrator.
";
+ echo 'Click here to come back to login page';
+ }
+ }
+}
diff --git a/oauth/index.php b/oauth/index.php
new file mode 100644
index 0000000..04453e8
--- /dev/null
+++ b/oauth/index.php
@@ -0,0 +1,24 @@
+
+
+
+
+
+ LDAP Connection Interface
+
+
+
+
+
+
\ No newline at end of file
diff --git a/oauth/resource.php b/oauth/resource.php
new file mode 100644
index 0000000..92cc44d
--- /dev/null
+++ b/oauth/resource.php
@@ -0,0 +1,53 @@
+
+ * Adapted from Oauth2-server-php cookbook
+ * @see http://bshaffer.github.io/oauth2-server-php-docs/cookbook/
+ */
+
+// include our OAuth2 Server object
+require_once __DIR__.'/server.php';
+
+// include our LDAP object
+require_once __DIR__.'/LDAP/LDAP.php';
+require_once __DIR__.'/LDAP/config_ldap.php';
+
+// Handle a request to a resource and authenticate the access token
+if (!$server->verifyResourceRequest(OAuth2\Request::createFromGlobals())) {
+ $server->getResponse()->send();
+ die;
+}
+
+// set default error message
+$resp = array("error" => "Unknow error", "message" => "An unknown error has occured, please report this bug");
+
+// get information on user associated to the token
+$info_oauth = $server->getAccessTokenData(OAuth2\Request::createFromGlobals());
+$uid = $info_oauth["user_id"];
+$assoc_id = $info_oauth["assoc_id"];
+
+//##################################################\\
+// /!\ Adapt here with your LDAP config /!\ \\
+//##################################################\\
+
+$base = "o=Company";
+$filter = "uid=" . $uid;
+
+/****************************************************/
+
+// Open a LDAP connection
+$ldap = new LDAP($hostname,$port);
+
+// Try to get user data on the LDAP
+try
+{
+ $data = $ldap->getDataForMattermost($base,$filter);
+ $resp = array("name" => $data['cn'],"username" => $uid,"id" => $assoc_id,"state" => "active","email" => $data['mail']);
+}
+catch (Exception $e)
+{
+ $resp = array("error" => "Impossible to get data", "message" => $e->getMessage());
+}
+
+// send data or error message in JSON format
+echo json_encode($resp);
\ No newline at end of file
diff --git a/oauth/server.php b/oauth/server.php
new file mode 100644
index 0000000..307001b
--- /dev/null
+++ b/oauth/server.php
@@ -0,0 +1,25 @@
+ $dsn, 'username' => $username, 'password' => $password));
+
+// Pass a storage object or array of storage objects to the OAuth2 server class
+$server = new OAuth2\Server($storage);
+
+// Add the "Authorization Code" grant type (this is where the oauth magic happens)
+$server->addGrantType(new OAuth2\GrantType\AuthorizationCode($storage));
diff --git a/oauth/token.php b/oauth/token.php
new file mode 100644
index 0000000..f0ad755
--- /dev/null
+++ b/oauth/token.php
@@ -0,0 +1,12 @@
+ handleTokenRequest(OAuth2\Request::createFromGlobals())->send();
+?>
\ No newline at end of file