Refresh token is encrypted payload now instead of JWT
This commit is contained in:
parent
304ea2baf4
commit
0b061e3086
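--- a/PATH_NOT_ON_PAGE/RefreshTokenGrant.php
+++ b/PATH_NOT_ON_PAGE/RefreshTokenGrant.php
@@ -25,6 +25,7 @@ use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
 use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
 use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
 use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
+use League\OAuth2\Server\Utils\KeyCrypt;
 use League\OAuth2\Server\Utils\SecureKey;
 use Psr\Http\Message\ServerRequestInterface;
 use Symfony\Component\EventDispatcher\Event;
@@ -92,11 +93,11 @@ class RefreshTokenGrant extends AbstractGrant
 throw OAuthServerException::invalidRequest('client_secret', null, '`%s` parameter is missing');
 }
 
-$refreshTokenJwt = isset($request->getParsedBody()['refresh_token'])
+$encryptedRefreshToken = isset($request->getParsedBody()['refresh_token'])
 ? $request->getParsedBody()['refresh_token']
 : null;
 
-if ($refreshTokenJwt === null) {
+if ($encryptedRefreshToken === null) {
 throw OAuthServerException::invalidRequest('refresh_token', null, '`%s` parameter is missing');
 }
 
@@ -115,27 +116,23 @@ class RefreshTokenGrant extends AbstractGrant
 
 // Validate refresh token
 try {
-$oldRefreshToken = (new Parser())->parse($refreshTokenJwt);
-} catch (\InvalidArgumentException $e) {
-throw OAuthServerException::invalidRefreshToken('Cannot parse refresh token');
-}
-if ($oldRefreshToken->verify(new Sha256(), new Key($this->pathToPublicKey)) === false) {
-throw OAuthServerException::invalidRefreshToken('Cannot validate refresh token signature');
+$oldRefreshToken = KeyCrypt::decrypt($encryptedRefreshToken, $this->pathToPublicKey);
+} catch (\LogicException $e) {
+throw OAuthServerException::invalidRefreshToken('Cannot parse refresh token: ' . $e->getMessage());
 }
 
-$validation = new ValidationData();
-$validation->setAudience($client->getIdentifier()); // Validates refresh token hasn't expired
-$validation->setCurrentTime(time()); // Validates token hasn't expired
-if ($oldRefreshToken->validate($validation) === false) {
-throw OAuthServerException::invalidRefreshToken('Token has expired or is not linked to client');
+$oldRefreshTokenData = json_decode($oldRefreshToken, true);
+if ($oldRefreshTokenData['client_id'] !== $client->getIdentifier()) {
+throw OAuthServerException::invalidRefreshToken('Token is not linked to client' . ' got: ' . $client->getIdentifier() . ' expected: '. $oldRefreshTokenData['client_id']);
 }
 
-if ($oldRefreshToken->getClaim('type') !== 'refreshToken') {
-throw OAuthServerException::invalidRefreshToken('Token is not a refresh token');
+if ($oldRefreshTokenData['expire_time'] < time()) {
+throw OAuthServerException::invalidRefreshToken('Token has expired');
 }
 
-// Get the scopes for the original session
-$scopes = $oldRefreshToken->getClaim('scopes');
+if ($this->refreshTokenRepository->isRefreshTokenRevoked($oldRefreshTokenData['refresh_token_id']) === true) {
+throw OAuthServerException::invalidRefreshToken('Token has been revoked');
+}
 
 // Get and validate any requested scopes
 $scopeParam = isset($request->getParsedBody()['scope'])
@@ -145,12 +142,12 @@ class RefreshTokenGrant extends AbstractGrant
 
 // If no new scopes are requested then give the access token the original session scopes
 if (count($requestedScopes) === 0) {
-$newScopes = $scopes;
+$newScopes = $oldRefreshTokenData['scopes'];
 } else {
 // The OAuth spec says that a refreshed access token can have the original scopes or fewer so ensure
 // the request doesn't include any new scopes
 foreach ($requestedScopes as $requestedScope) {
-if (in_array($requestedScope->getIdentifier(), $scopes) === false) {
+if (in_array($requestedScope->getIdentifier(), $oldRefreshTokenData['scopes']) === false) {
 throw OAuthServerException::invalidScope($requestedScope->getIdentifier());
 }
 }
@@ -163,7 +160,7 @@ class RefreshTokenGrant extends AbstractGrant
 $accessToken->setIdentifier(SecureKey::generate());
 $accessToken->setExpiryDateTime((new \DateTime())->add($tokenTTL));
 $accessToken->setClient($client);
-$accessToken->setUserIdentifier($oldRefreshToken->getClaim('sub'));
+$accessToken->setUserIdentifier($oldRefreshTokenData['user_id']);
 foreach ($newScopes as $scope) {
 $accessToken->addScope($scope);
 }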
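Review bot: The two new error messages in the `@@ -115,27 +116,23 @@` hunk leak internal detail to the caller: `'Cannot parse refresh token: ' . $e->getMessage()` forwards the decryption library's exception text, and the client-mismatch branch echoes `' got: ' . $client->getIdentifier() . ' expected: ' . $oldRefreshTokenData['client_id']`, which tells whoever presents a token that is not theirs which client it belongs to; log that detail server-side and return the fixed strings `invalidRefreshToken('Cannot parse refresh token')` and `invalidRefreshToken('Token is not linked to client')`. The result of `json_decode($oldRefreshToken, true)` is never checked, so a payload that decrypts but is not a JSON object reaches `$oldRefreshTokenData['client_id']` as an offset access on null and is reported as a client mismatch instead of as an unparsable token; add `if (!is_array($oldRefreshTokenData)) { throw OAuthServerException::invalidRefreshToken('Cannot parse refresh token'); }` right after the decode and treat a missing `client_id`, `expire_time`, `refresh_token_id`, `user_id` or `scopes` key the same way. The removed `type` claim check is not replaced, so nothing in the new payload marks it as a refresh token; if KeyCrypt and `$this->pathToPublicKey` are also used for other payloads with the same fields, this is worth confirming. Whether decrypting with the public key gives the payload integrity as well as readability depends on KeyCrypt, which is outside this hunk, and the enclosing method starts and ends outside it.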