A refresh token should be bound to a client ID

2025-05-31 14:12:07 +05:30 · 2013-05-09 07:55:10 -07:00
parent 86a483f288
commit c0683586e2
6 changed files with 19 additions and 12 deletions
--- a/sql/mysql.sql
+++ b/sql/mysql.sql
@@ -57,7 +57,10 @@ CREATE TABLE `oauth_session_refresh_tokens` (
  `session_access_token_id` int(10) unsigned NOT NULL,
  `refresh_token` char(40) NOT NULL DEFAULT '',
  `refresh_token_expires` int(10) unsigned NOT NULL,
+  `client_id` char(40) NOT NULL DEFAULT '',
  PRIMARY KEY (`session_access_token_id`),
+  KEY `client_id` (`client_id`),
+  CONSTRAINT `oauth_session_refresh_tokens_ibfk_1` FOREIGN KEY (`client_id`) REFERENCES `oauth_clients` (`id`) ON DELETE CASCADE,
  CONSTRAINT `f_oasetore_setoid` FOREIGN KEY (`session_access_token_id`) REFERENCES `oauth_session_access_tokens` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;

--- a/src/League/OAuth2/Server/Grant/AuthCode.php
+++ b/src/League/OAuth2/Server/Grant/AuthCode.php
@@ -283,7 +283,7 @@ class AuthCode implements GrantTypeInterface {
        if ($this->authServer->hasGrantType('refresh_token')) {
            $refreshToken = SecureKey::make();
            $refreshTokenTTL = time() + $this->authServer->getGrantType('refresh_token')->getRefreshTokenTTL();
-            $this->authServer->getStorage('session')->associateRefreshToken($accessTokenId, $refreshToken, $refreshTokenTTL);
+            $this->authServer->getStorage('session')->associateRefreshToken($accessTokenId, $refreshToken, $refreshTokenTTL, $authParams['client_id']);
            $response['refresh_token'] = $refreshToken;
        }

--- a/src/League/OAuth2/Server/Grant/Password.php
+++ b/src/League/OAuth2/Server/Grant/Password.php
@@ -214,7 +214,7 @@ class Password implements GrantTypeInterface {
        if ($this->authServer->hasGrantType('refresh_token')) {
            $refreshToken = SecureKey::make();
            $refreshTokenTTL = time() + $this->authServer->getGrantType('refresh_token')->getRefreshTokenTTL();
-            $this->authServer->getStorage('session')->associateRefreshToken($accessTokenId, $refreshToken, $refreshTokenTTL);
+            $this->authServer->getStorage('session')->associateRefreshToken($accessTokenId, $refreshToken, $refreshTokenTTL, $authParams['client_id']);
            $response['refresh_token'] = $refreshToken;
        }

--- a/src/League/OAuth2/Server/Grant/RefreshToken.php
+++ b/src/League/OAuth2/Server/Grant/RefreshToken.php
@@ -143,7 +143,7 @@ class RefreshToken implements GrantTypeInterface {
        }

        // Validate refresh token
-        $accessTokenId = $this->authServer->getStorage('session')->validateRefreshToken($authParams['refresh_token']);
+        $accessTokenId = $this->authServer->getStorage('session')->validateRefreshToken($authParams['refresh_token'], $authParams['client_id']);

        if ($accessTokenId === false) {
            throw new Exception\ClientException($this->authServer->getExceptionMessage('invalid_refresh'), 0);
@@ -168,7 +168,7 @@ class RefreshToken implements GrantTypeInterface {
            $this->authServer->getStorage('session')->associateScope($newAccessTokenId, $scope['id']);
        }

-        $this->authServer->getStorage('session')->associateRefreshToken($newAccessTokenId, $refreshToken, $refreshTokenExpires);
+        $this->authServer->getStorage('session')->associateRefreshToken($newAccessTokenId, $refreshToken, $refreshTokenExpires, $authParams['client_id']);

        return array(
            'access_token'  =>  $accessToken,
--- a/src/League/OAuth2/Server/Storage/PDO/Session.php
+++ b/src/League/OAuth2/Server/Storage/PDO/Session.php
@@ -91,15 +91,16 @@ class Session implements SessionInterface
     * @param  int    $expireTime    Unix timestamp of the refresh token expiry time
     * @return void
     */
-    public function associateRefreshToken($accessTokenId, $refreshToken, $expireTime)
+    public function associateRefreshToken($accessTokenId, $refreshToken, $expireTime, $clientId)
    {
        $db = \ezcDbInstance::get();

-        $stmt = $db->prepare('INSERT INTO oauth_session_refresh_tokens (session_access_token_id, refresh_token, refresh_token_expires) VALUE
-         (:accessTokenId, :refreshToken, :expireTime)');
+        $stmt = $db->prepare('INSERT INTO oauth_session_refresh_tokens (session_access_token_id, refresh_token, refresh_token_expires, client_id) VALUE
+         (:accessTokenId, :refreshToken, :expireTime, :clientId)');
        $stmt->bindValue(':accessTokenId', $accessTokenId);
        $stmt->bindValue(':refreshToken', $refreshToken);
        $stmt->bindValue(':expireTime', $expireTime);
+        $stmt->bindValue(':clientId', $clientId);
        $stmt->execute();
    }

@@ -188,13 +189,14 @@ class Session implements SessionInterface
     * @param  string $refreshToken The access token
     * @return void
     */
-    public function validateRefreshToken($refreshToken)
+    public function validateRefreshToken($refreshToken, $clientId)
    {
        $db = \ezcDbInstance::get();

        $stmt = $db->prepare('SELECT session_access_token_id FROM `oauth_session_refresh_tokens` WHERE
-         refresh_token = :refreshToken AND refresh_token_expires >= ' . time());
+         refresh_token = :refreshToken AND client_id = :clientId AND refresh_token_expires >= ' . time());
        $stmt->bindValue(':refreshToken', $refreshToken);
+        $stmt->bindValue(':clientId', $clientId);
        $stmt->execute();

        $result = $stmt->fetchObject();
--- a/src/League/OAuth2/Server/Storage/SessionInterface.php
+++ b/src/League/OAuth2/Server/Storage/SessionInterface.php
@@ -91,9 +91,10 @@ interface SessionInterface
     * @param  int    $accessTokenId The access token ID
     * @param  string $refreshToken  The refresh token
     * @param  int    $expireTime    Unix timestamp of the refresh token expiry time
+     * @param  string $clientId      The client ID
     * @return void
     */
-    public function associateRefreshToken($accessTokenId, $refreshToken, $expireTime);
+    public function associateRefreshToken($accessTokenId, $refreshToken, $expireTime, $clientId);

    /**
     * Assocate an authorization code with a session
@@ -191,13 +192,14 @@ interface SessionInterface
     *
     * <code>
     * SELECT session_access_token_id FROM `oauth_session_refresh_tokens` WHERE refresh_token = :refreshToken
-     *  AND refresh_token_expires >= UNIX_TIMESTAMP(NOW())
+     *  AND refresh_token_expires >= UNIX_TIMESTAMP(NOW()) AND client_id = :clientId
     * </code>
     *
     * @param  string   $refreshToken The access token
+     * @param  string   $clientId     The client ID
     * @return int|bool               The ID of the access token the refresh token is linked to (or false if invalid)
     */
-    public function validateRefreshToken($refreshToken);
+    public function validateRefreshToken($refreshToken, $clientId);

    /**
     * Get an access token by ID