Refresh token is encrypted payload now instead of JWT

This commit is contained in:
Alex Bilbie 2016-01-14 23:47:06 +00:00
parent 304ea2baf4
commit 0b061e3086


@ -25,6 +25,7 @@ use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface; use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
use League\OAuth2\Server\Repositories\ScopeRepositoryInterface; use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface; use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
use League\OAuth2\Server\Utils\KeyCrypt;
use League\OAuth2\Server\Utils\SecureKey; use League\OAuth2\Server\Utils\SecureKey;
use Psr\Http\Message\ServerRequestInterface; use Psr\Http\Message\ServerRequestInterface;
use Symfony\Component\EventDispatcher\Event; use Symfony\Component\EventDispatcher\Event;
@ -92,11 +93,11 @@ class RefreshTokenGrant extends AbstractGrant
throw OAuthServerException::invalidRequest('client_secret', null, '`%s` parameter is missing'); throw OAuthServerException::invalidRequest('client_secret', null, '`%s` parameter is missing');
} }
$refreshTokenJwt = isset($request->getParsedBody()['refresh_token']) $encryptedRefreshToken = isset($request->getParsedBody()['refresh_token'])
? $request->getParsedBody()['refresh_token'] ? $request->getParsedBody()['refresh_token']
: null; : null;
if ($refreshTokenJwt === null) { if ($encryptedRefreshToken === null) {
throw OAuthServerException::invalidRequest('refresh_token', null, '`%s` parameter is missing'); throw OAuthServerException::invalidRequest('refresh_token', null, '`%s` parameter is missing');
} }
@ -115,27 +116,23 @@ class RefreshTokenGrant extends AbstractGrant
// Validate refresh token // Validate refresh token
try { try {
$oldRefreshToken = (new Parser())->parse($refreshTokenJwt); $oldRefreshToken = KeyCrypt::decrypt($encryptedRefreshToken, $this->pathToPublicKey);
} catch (\InvalidArgumentException $e) { } catch (\LogicException $e) {
throw OAuthServerException::invalidRefreshToken('Cannot parse refresh token'); throw OAuthServerException::invalidRefreshToken('Cannot parse refresh token: ' . $e->getMessage());
}
if ($oldRefreshToken->verify(new Sha256(), new Key($this->pathToPublicKey)) === false) {
throw OAuthServerException::invalidRefreshToken('Cannot validate refresh token signature');
} }
$validation = new ValidationData(); $oldRefreshTokenData = json_decode($oldRefreshToken, true);
$validation->setAudience($client->getIdentifier()); // Validates refresh token hasn't expired if ($oldRefreshTokenData['client_id'] !== $client->getIdentifier()) {
$validation->setCurrentTime(time()); // Validates token hasn't expired throw OAuthServerException::invalidRefreshToken('Token is not linked to client' . ' got: ' . $client->getIdentifier() . ' expected: '. $oldRefreshTokenData['client_id']);
if ($oldRefreshToken->validate($validation) === false) {
throw OAuthServerException::invalidRefreshToken('Token has expired or is not linked to client');
} }
if ($oldRefreshToken->getClaim('type') !== 'refreshToken') { if ($oldRefreshTokenData['expire_time'] < time()) {
throw OAuthServerException::invalidRefreshToken('Token is not a refresh token'); throw OAuthServerException::invalidRefreshToken('Token has expired');
} }
// Get the scopes for the original session if ($this->refreshTokenRepository->isRefreshTokenRevoked($oldRefreshTokenData['refresh_token_id']) === true) {
$scopes = $oldRefreshToken->getClaim('scopes'); throw OAuthServerException::invalidRefreshToken('Token has been revoked');
}
// Get and validate any requested scopes // Get and validate any requested scopes
$scopeParam = isset($request->getParsedBody()['scope']) $scopeParam = isset($request->getParsedBody()['scope'])
@ -145,12 +142,12 @@ class RefreshTokenGrant extends AbstractGrant
// If no new scopes are requested then give the access token the original session scopes // If no new scopes are requested then give the access token the original session scopes
if (count($requestedScopes) === 0) { if (count($requestedScopes) === 0) {
$newScopes = $scopes; $newScopes = $oldRefreshTokenData['scopes'];
} else { } else {
// The OAuth spec says that a refreshed access token can have the original scopes or fewer so ensure // The OAuth spec says that a refreshed access token can have the original scopes or fewer so ensure
// the request doesn't include any new scopes // the request doesn't include any new scopes
foreach ($requestedScopes as $requestedScope) { foreach ($requestedScopes as $requestedScope) {
if (in_array($requestedScope->getIdentifier(), $scopes) === false) { if (in_array($requestedScope->getIdentifier(), $oldRefreshTokenData['scopes']) === false) {
throw OAuthServerException::invalidScope($requestedScope->getIdentifier()); throw OAuthServerException::invalidScope($requestedScope->getIdentifier());
} }
} }
@ -163,7 +160,7 @@ class RefreshTokenGrant extends AbstractGrant
$accessToken->setIdentifier(SecureKey::generate()); $accessToken->setIdentifier(SecureKey::generate());
$accessToken->setExpiryDateTime((new \DateTime())->add($tokenTTL)); $accessToken->setExpiryDateTime((new \DateTime())->add($tokenTTL));
$accessToken->setClient($client); $accessToken->setClient($client);
$accessToken->setUserIdentifier($oldRefreshToken->getClaim('sub')); $accessToken->setUserIdentifier($oldRefreshTokenData['user_id']);
foreach ($newScopes as $scope) { foreach ($newScopes as $scope) {
$accessToken->addScope($scope); $accessToken->addScope($scope);
} }
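Review bot: The client-mismatch error in the third hunk (`@ -115,27 +116,23`) discloses the client identifier the refresh token is bound to (`' expected: ' . $oldRefreshTokenData['client_id']`), and the catch above it forwards the raw decryption failure via `$e->getMessage()`; both travel back to the caller in the OAuth error response and should be reduced to a fixed message, e.g. `throw OAuthServerException::invalidRefreshToken('Token is not linked to client');` and `throw OAuthServerException::invalidRefreshToken('Cannot parse refresh token');`. The result of `json_decode($oldRefreshToken, true)` is also used unchecked, so a decrypted payload that is not valid JSON or not an object yields `null` and the following `$oldRefreshTokenData['client_id']` reads produce notices rather than a clean rejection; add `if (!is_array($oldRefreshTokenData)) { throw OAuthServerException::invalidRefreshToken('Cannot parse refresh token'); }` directly after the decode. The removed code also asserted `getClaim('type') === 'refreshToken'`, and no equivalent discriminator is visible in the new payload checks — presumably decryption already fails for anything that is not a refresh token, but that is worth confirming. The enclosing method begins before this hunk and its scope/`in_array` handling continues in the later hunks, where `in_array($requestedScope->getIdentifier(), $oldRefreshTokenData['scopes'])` should pass `true` as its third argument.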