ElyBy-Mirror/oauth2-server
1
0
Fork 0
mirror of https://github.com/elyby/oauth2-server.git synced 2024-11-15 01:36:02 +05:30
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'feature/auth-code-scopes' into develop. Fixes #44

Browse Source
This commit is contained in:
Alex Bilbie 2013-05-10 17:40:52 -07:00
commit 5eb4227709
7 changed files with 126 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
sql/mysql.sql
View File

@ -38,12 +38,13 @@ CREATE TABLE `oauth_session_access_tokens` (
) ENGINE=InnoDB DEFAULT CHARSET=utf8; ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
CREATE TABLE `oauth_session_authcodes` ( CREATE TABLE `oauth_session_authcodes` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`session_id` int(10) unsigned NOT NULL, `session_id` int(10) unsigned NOT NULL,
`auth_code` char(40) NOT NULL, `auth_code` char(40) NOT NULL,
`auth_code_expires` int(10) unsigned NOT NULL, `auth_code_expires` int(10) unsigned NOT NULL,
`scope_ids` char(255) DEFAULT NULL, PRIMARY KEY (`id`),
PRIMARY KEY (`session_id`), KEY `session_id` (`session_id`),
CONSTRAINT `f_oaseau_seid` FOREIGN KEY (`session_id`) REFERENCES `oauth_sessions` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION CONSTRAINT `oauth_session_authcodes_ibfk_1` FOREIGN KEY (`session_id`) REFERENCES `oauth_sessions` (`id`) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8; ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
CREATE TABLE `oauth_session_redirects` ( CREATE TABLE `oauth_session_redirects` (
@ -70,7 +71,7 @@ CREATE TABLE `oauth_scopes` (
`name` varchar(255) NOT NULL, `name` varchar(255) NOT NULL,
`description` varchar(255) DEFAULT NULL, `description` varchar(255) DEFAULT NULL,
PRIMARY KEY (`id`), PRIMARY KEY (`id`),
UNIQUE KEY `u_oasc_sc` (`scope_key`) UNIQUE KEY `u_oasc_sc` (`scope`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8; ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
CREATE TABLE `oauth_session_token_scopes` ( CREATE TABLE `oauth_session_token_scopes` (
@ -82,4 +83,13 @@ CREATE TABLE `oauth_session_token_scopes` (
KEY `f_oasetosc_scid` (`scope_id`), KEY `f_oasetosc_scid` (`scope_id`),
CONSTRAINT `f_oasetosc_scid` FOREIGN KEY (`scope_id`) REFERENCES `oauth_scopes` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION, CONSTRAINT `f_oasetosc_scid` FOREIGN KEY (`scope_id`) REFERENCES `oauth_scopes` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION,
CONSTRAINT `f_oasetosc_setoid` FOREIGN KEY (`session_access_token_id`) REFERENCES `oauth_session_access_tokens` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION CONSTRAINT `f_oasetosc_setoid` FOREIGN KEY (`session_access_token_id`) REFERENCES `oauth_session_access_tokens` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
CREATE TABLE `oauth_session_authcode_scopes` (
`oauth_session_authcode_id` int(10) unsigned NOT NULL,
`scope_id` smallint(5) unsigned NOT NULL,
KEY `oauth_session_authcode_id` (`oauth_session_authcode_id`),
KEY `scope_id` (`scope_id`),
CONSTRAINT `oauth_session_authcode_scopes_ibfk_2` FOREIGN KEY (`scope_id`) REFERENCES `oauth_scopes` (`id`) ON DELETE CASCADE,
CONSTRAINT `oauth_session_authcode_scopes_ibfk_1` FOREIGN KEY (`oauth_session_authcode_id`) REFERENCES `oauth_session_authcodes` (`id`) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8; ) ENGINE=InnoDB DEFAULT CHARSET=utf8;

34
src/League/OAuth2/Server/Grant/AuthCode.php
View File

@ -193,13 +193,6 @@ class AuthCode implements GrantTypeInterface {
// Remove any old sessions the user might have // Remove any old sessions the user might have
$this->authServer->getStorage('session')->deleteSession($authParams['client_id'], $type, $typeId); $this->authServer->getStorage('session')->deleteSession($authParams['client_id'], $type, $typeId);
// List of scopes IDs
$scopeIds = array();
foreach ($authParams['scopes'] as $scope)
{
$scopeIds[] = $scope['id'];
}
// Create a new session // Create a new session
$sessionId = $this->authServer->getStorage('session')->createSession($authParams['client_id'], $type, $typeId); $sessionId = $this->authServer->getStorage('session')->createSession($authParams['client_id'], $type, $typeId);
@ -207,7 +200,12 @@ class AuthCode implements GrantTypeInterface {
$this->authServer->getStorage('session')->associateRedirectUri($sessionId, $authParams['redirect_uri']); $this->authServer->getStorage('session')->associateRedirectUri($sessionId, $authParams['redirect_uri']);
// Associate the auth code // Associate the auth code
$this->authServer->getStorage('session')->associateAuthCode($sessionId, $authCode, time() + $this->authTokenTTL, implode(',', $scopeIds)); $authCodeId = $this->authServer->getStorage('session')->associateAuthCode($sessionId, $authCode, time() + $this->authTokenTTL);
// Associate the scopes to the auth code
foreach ($authParams['scopes'] as $scope) {
$this->authServer->getStorage('session')->associateAuthCodeScope($authCodeId, $scope['id']);
}
return $authCode; return $authCode;
} }
@ -249,30 +247,30 @@ class AuthCode implements GrantTypeInterface {
} }
// Verify the authorization code matches the client_id and the request_uri // Verify the authorization code matches the client_id and the request_uri
$session = $this->authServer->getStorage('session')->validateAuthCode($authParams['client_id'], $authParams['redirect_uri'], $authParams['code']); $authCodeDetails = $this->authServer->getStorage('session')->validateAuthCode($authParams['client_id'], $authParams['redirect_uri'], $authParams['code']);
if ( ! $session) { if ( ! $authCodeDetails) {
throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_grant'), 'code'), 9); throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_grant'), 'code'), 9);
} }
// A session ID was returned so update it with an access token and remove the authorisation code // Get any associated scopes
$scopes = $this->authServer->getStorage('session')->getAuthCodeScopes($authCodeDetails['authcode_id']);
// A session ID was returned so update it with an access token and remove the authorisation code
$accessToken = SecureKey::make(); $accessToken = SecureKey::make();
$accessTokenExpiresIn = ($this->accessTokenTTL !== null) ? $this->accessTokenTTL : $this->authServer->getAccessTokenTTL(); $accessTokenExpiresIn = ($this->accessTokenTTL !== null) ? $this->accessTokenTTL : $this->authServer->getAccessTokenTTL();
$accessTokenExpires = time() + $accessTokenExpiresIn; $accessTokenExpires = time() + $accessTokenExpiresIn;
// Remove the auth code // Remove the auth code
$this->authServer->getStorage('session')->removeAuthCode($session['id']); $this->authServer->getStorage('session')->removeAuthCode($authCodeDetails['session_id']);
// Create an access token // Create an access token
$accessTokenId = $this->authServer->getStorage('session')->associateAccessToken($session['id'], $accessToken, $accessTokenExpires); $accessTokenId = $this->authServer->getStorage('session')->associateAccessToken($authCodeDetails['session_id'], $accessToken, $accessTokenExpires);
// Associate scopes with the access token // Associate scopes with the access token
if ( ! is_null($session['scope_ids'])) { if (count($scopes) > 0) {
$scopeIds = explode(',', $session['scope_ids']); foreach ($scopes as $scope) {
$this->authServer->getStorage('session')->associateScope($accessTokenId, $scope['scope_id']);
foreach ($scopeIds as $scopeId) {
$this->authServer->getStorage('session')->associateScope($accessTokenId, $scopeId);
} }
} }

42
src/League/OAuth2/Server/Storage/PDO/Session.php
View File

@ -70,17 +70,18 @@ class Session implements SessionInterface
$stmt->execute(); $stmt->execute();
} }
public function associateAuthCode($sessionId, $authCode, $expireTime, $scopeIds = null) public function associateAuthCode($sessionId, $authCode, $expireTime)
{ {
$db = \ezcDbInstance::get(); $db = \ezcDbInstance::get();
$stmt = $db->prepare('INSERT INTO oauth_session_authcodes (session_id, auth_code, auth_code_expires, scope_ids) $stmt = $db->prepare('INSERT INTO oauth_session_authcodes (session_id, auth_code, auth_code_expires)
VALUE (:sessionId, :authCode, :authCodeExpires, :scopeIds)'); VALUE (:sessionId, :authCode, :authCodeExpires)');
$stmt->bindValue(':sessionId', $sessionId); $stmt->bindValue(':sessionId', $sessionId);
$stmt->bindValue(':authCode', $authCode); $stmt->bindValue(':authCode', $authCode);
$stmt->bindValue(':authCodeExpires', $expireTime); $stmt->bindValue(':authCodeExpires', $expireTime);
$stmt->bindValue(':scopeIds', $scopeIds);
$stmt->execute(); $stmt->execute();
return $db->lastInsertId();
} }
public function removeAuthCode($sessionId) public function removeAuthCode($sessionId)
@ -96,12 +97,12 @@ class Session implements SessionInterface
{ {
$db = \ezcDbInstance::get(); $db = \ezcDbInstance::get();
$stmt = $db->prepare('SELECT oauth_sessions.id, oauth_session_authcodes.scope_ids FROM oauth_sessions JOIN $stmt = $db->prepare('SELECT oauth_sessions.id AS session_id, oauth_session_authcodes.id AS authcode_id
oauth_session_authcodes ON oauth_session_authcodes.`session_id` = oauth_sessions.id JOIN FROM oauth_sessions JOIN oauth_session_authcodes ON oauth_session_authcodes.`session_id`
oauth_session_redirects ON oauth_session_redirects.`session_id` = oauth_sessions.id WHERE = oauth_sessions.id JOIN oauth_session_redirects ON oauth_session_redirects.`session_id`
oauth_sessions.client_id = :clientId AND oauth_session_authcodes.`auth_code` = :authCode AND = oauth_sessions.id WHERE oauth_sessions.client_id = :clientId AND oauth_session_authcodes.`auth_code`
`oauth_session_authcodes`.`auth_code_expires` >= :time AND `oauth_session_redirects`.`redirect_uri` = :authCode AND `oauth_session_authcodes`.`auth_code_expires` >= :time AND
= :redirectUri'); `oauth_session_redirects`.`redirect_uri` = :redirectUri');
$stmt->bindValue(':clientId', $clientId); $stmt->bindValue(':clientId', $clientId);
$stmt->bindValue(':redirectUri', $redirectUri); $stmt->bindValue(':redirectUri', $redirectUri);
$stmt->bindValue(':authCode', $authCode); $stmt->bindValue(':authCode', $authCode);
@ -160,6 +161,27 @@ class Session implements SessionInterface
return ($result === false) ? false : (array) $result; return ($result === false) ? false : (array) $result;
} }
public function associateAuthCodeScope($authCodeId, $scopeId)
{
$db = \ezcDbInstance::get();
$stmt = $db->prepare('INSERT INTO `oauth_session_authcode_scopes` (`oauth_session_authcode_id`, `scope_id`) VALUES (:authCodeId, :scopeId)');
$stmt->bindValue(':authCodeId', $authCodeId);
$stmt->bindValue(':scopeId', $scopeId);
$stmt->execute();
}
public function getAuthCodeScopes($oauthSessionAuthCodeId)
{
$db = \ezcDbInstance::get();
$stmt = $db->prepare('SELECT scope_id FROM `oauth_session_authcode_scopes` WHERE oauth_session_authcode_id = :authCodeId');
$stmt->bindValue(':authCodeId', $oauthSessionAuthCodeId);
$stmt->execute();
return $stmt->fetchAll();
}
public function associateScope($accessTokenId, $scopeId) public function associateScope($accessTokenId, $scopeId)
{ {
$db = \ezcDbInstance::get(); $db = \ezcDbInstance::get();

59
src/League/OAuth2/Server/Storage/SessionInterface.php
View File

@ -102,17 +102,16 @@ interface SessionInterface
* Example SQL query: * Example SQL query:
* *
* <code> * <code>
* INSERT INTO oauth_session_authcodes (session_id, auth_code, auth_code_expires, scope_ids) * INSERT INTO oauth_session_authcodes (session_id, auth_code, auth_code_expires)
* VALUE (:sessionId, :authCode, :authCodeExpires, :scopeIds) * VALUE (:sessionId, :authCode, :authCodeExpires)
* </code> * </code>
* *
* @param int $sessionId The session ID * @param int $sessionId The session ID
* @param string $authCode The authorization code * @param string $authCode The authorization code
* @param int $expireTime Unix timestamp of the access token expiry time * @param int $expireTime Unix timestamp of the access token expiry time
* @param string $scopeIds Comma seperated list of scope IDs to be later associated (default = null) * @return int The auth code ID
* @return void
*/ */
public function associateAuthCode($sessionId, $authCode, $expireTime, $scopeIds = null); public function associateAuthCode($sessionId, $authCode, $expireTime);
/** /**
* Remove an associated authorization token from a session * Remove an associated authorization token from a session
@ -134,7 +133,7 @@ interface SessionInterface
* Example SQL query: * Example SQL query:
* *
* <code> * <code>
* SELECT oauth_sessions.id, oauth_session_authcodes.scope_ids FROM oauth_sessions * SELECT oauth_sessions.id AS session_id, oauth_session_authcodes.id AS authcode_id FROM oauth_sessions
* JOIN oauth_session_authcodes ON oauth_session_authcodes.`session_id` = oauth_sessions.id * JOIN oauth_session_authcodes ON oauth_session_authcodes.`session_id` = oauth_sessions.id
* JOIN oauth_session_redirects ON oauth_session_redirects.`session_id` = oauth_sessions.id WHERE * JOIN oauth_session_redirects ON oauth_session_redirects.`session_id` = oauth_sessions.id WHERE
* oauth_sessions.client_id = :clientId AND oauth_session_authcodes.`auth_code` = :authCode * oauth_sessions.client_id = :clientId AND oauth_session_authcodes.`auth_code` = :authCode
@ -146,8 +145,8 @@ interface SessionInterface
* *
* <code> * <code>
* array( * array(
* 'id' => (int), // the session ID * 'session_id' => (int)
* 'scope_ids' => (string) * 'authcode_id' => (int)
* ) * )
* </code> * </code>
* *
@ -240,6 +239,50 @@ interface SessionInterface
*/ */
public function getAccessToken($accessTokenId); public function getAccessToken($accessTokenId);
/**
* Associate scopes with an auth code (bound to the session)
*
* Example SQL query:
*
* <code>
* INSERT INTO `oauth_session_authcode_scopes` (`oauth_session_authcode_id`, `scope_id`) VALUES
* (:authCodeId, :scopeId)
* </code>
*
* @param int $authCodeId The auth code ID
* @param int $scopeId The scope ID
* @return void
*/
public function associateAuthCodeScope($authCodeId, $scopeId);
/**
* Get the scopes associated with an auth code
*
* Example SQL query:
*
* <code>
* SELECT scope_id FROM `oauth_session_authcode_scopes` WHERE oauth_session_authcode_id = :authCodeId
* </code>
*
* Expected response:
*
* <code>
* array(
* array(
* 'scope_id' => (int)
* ),
* array(
* 'scope_id' => (int)
* ),
* ...
* )
* </code>
*
* @param int $oauthSessionAuthCodeId The session ID
* @return array
*/
public function getAuthCodeScopes($oauthSessionAuthCodeId);
/** /**
* Associate a scope with an access token * Associate a scope with an access token
* *

3
tests/authorization/AuthCodeGrantTest.php
View File

@ -376,7 +376,8 @@ class Auth_Code_Grant_Test extends PHPUnit_Framework_TestCase
$this->session->shouldReceive('createSession')->andReturn(1); $this->session->shouldReceive('createSession')->andReturn(1);
$this->session->shouldReceive('associateScope')->andReturn(null); $this->session->shouldReceive('associateScope')->andReturn(null);
$this->session->shouldReceive('associateRedirectUri')->andReturn(null); $this->session->shouldReceive('associateRedirectUri')->andReturn(null);
$this->session->shouldReceive('associateAuthCode')->andReturn(null); $this->session->shouldReceive('associateAuthCode')->andReturn(1);
$this->session->shouldReceive('associateAuthCodeScope')->andReturn(null);
$a = $this->returnDefault(); $a = $this->returnDefault();
$g = new League\OAuth2\Server\Grant\AuthCode($a); $g = new League\OAuth2\Server\Grant\AuthCode($a);

11
tests/authorization/AuthServerTest.php
View File

@ -358,13 +358,14 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase
)); ));
$this->session->shouldReceive('validateAuthCode')->andReturn(array( $this->session->shouldReceive('validateAuthCode')->andReturn(array(
'id' => 1, 'session_id' => 1,
'scope_ids' => '1' 'authcode_id' => 1
)); ));
$this->session->shouldReceive('updateSession')->andReturn(null); $this->session->shouldReceive('updateSession')->andReturn(null);
$this->session->shouldReceive('removeAuthCode')->andReturn(null); $this->session->shouldReceive('removeAuthCode')->andReturn(null);
$this->session->shouldReceive('associateAccessToken')->andReturn(1); $this->session->shouldReceive('associateAccessToken')->andReturn(1);
$this->session->shouldReceive('associateScope')->andReturn(null); $this->session->shouldReceive('associateScope')->andReturn(null);
$this->session->shouldReceive('getAuthCodeScopes')->andReturn(array('scope_id' => 1));
$a = $this->returnDefault(); $a = $this->returnDefault();
$a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a)); $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
@ -399,6 +400,8 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase
$this->session->shouldReceive('updateSession')->andReturn(null); $this->session->shouldReceive('updateSession')->andReturn(null);
$this->session->shouldReceive('removeAuthCode')->andReturn(null); $this->session->shouldReceive('removeAuthCode')->andReturn(null);
$this->session->shouldReceive('associateAccessToken')->andReturn(1); $this->session->shouldReceive('associateAccessToken')->andReturn(1);
$this->session->shouldReceive('getAuthCodeScopes')->andReturn(array('scope_id' => 1));
$this->session->shouldReceive('associateScope')->andReturn(null);
$a = $this->returnDefault(); $a = $this->returnDefault();
$a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a)); $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
@ -436,6 +439,8 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase
$this->session->shouldReceive('updateSession')->andReturn(null); $this->session->shouldReceive('updateSession')->andReturn(null);
$this->session->shouldReceive('removeAuthCode')->andReturn(null); $this->session->shouldReceive('removeAuthCode')->andReturn(null);
$this->session->shouldReceive('associateAccessToken')->andReturn(1); $this->session->shouldReceive('associateAccessToken')->andReturn(1);
$this->session->shouldReceive('getAuthCodeScopes')->andReturn(array('scope_id' => 1));
$this->session->shouldReceive('associateScope')->andReturn(null);
$a = $this->returnDefault(); $a = $this->returnDefault();
$grant = new League\OAuth2\Server\Grant\AuthCode($a); $grant = new League\OAuth2\Server\Grant\AuthCode($a);
@ -477,6 +482,8 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase
$this->session->shouldReceive('updateSession')->andReturn(null); $this->session->shouldReceive('updateSession')->andReturn(null);
$this->session->shouldReceive('removeAuthCode')->andReturn(null); $this->session->shouldReceive('removeAuthCode')->andReturn(null);
$this->session->shouldReceive('associateAccessToken')->andReturn(1); $this->session->shouldReceive('associateAccessToken')->andReturn(1);
$this->session->shouldReceive('getAuthCodeScopes')->andReturn(array('scope_id' => 1));
$this->session->shouldReceive('associateScope')->andReturn(null);
$a = $this->returnDefault(); $a = $this->returnDefault();
$a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a)); $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));

2
tests/authorization/RefreshTokenTest.php
View File

@ -42,6 +42,8 @@ class Refresh_Token_test extends PHPUnit_Framework_TestCase
$this->session->shouldReceive('removeAuthCode')->andReturn(null); $this->session->shouldReceive('removeAuthCode')->andReturn(null);
$this->session->shouldReceive('associateAccessToken')->andReturn(1); $this->session->shouldReceive('associateAccessToken')->andReturn(1);
$this->session->shouldReceive('associateRefreshToken')->andReturn(1); $this->session->shouldReceive('associateRefreshToken')->andReturn(1);
$this->session->shouldReceive('associateScope')->andReturn(null);
$this->session->shouldReceive('getAuthCodeScopes')->andReturn(array('scope_id' => 1));
$a = $this->returnDefault(); $a = $this->returnDefault();
$a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a)); $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));