A refresh token should be bound to a client ID
This commit is contained in:
parent
86a483f288
commit
c0683586e2
@ -57,7 +57,10 @@ CREATE TABLE `oauth_session_refresh_tokens` (
|
|||||||
`session_access_token_id` int(10) unsigned NOT NULL,
|
`session_access_token_id` int(10) unsigned NOT NULL,
|
||||||
`refresh_token` char(40) NOT NULL DEFAULT '',
|
`refresh_token` char(40) NOT NULL DEFAULT '',
|
||||||
`refresh_token_expires` int(10) unsigned NOT NULL,
|
`refresh_token_expires` int(10) unsigned NOT NULL,
|
||||||
|
`client_id` char(40) NOT NULL DEFAULT '',
|
||||||
PRIMARY KEY (`session_access_token_id`),
|
PRIMARY KEY (`session_access_token_id`),
|
||||||
|
KEY `client_id` (`client_id`),
|
||||||
|
CONSTRAINT `oauth_session_refresh_tokens_ibfk_1` FOREIGN KEY (`client_id`) REFERENCES `oauth_clients` (`id`) ON DELETE CASCADE,
|
||||||
CONSTRAINT `f_oasetore_setoid` FOREIGN KEY (`session_access_token_id`) REFERENCES `oauth_session_access_tokens` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION
|
CONSTRAINT `f_oasetore_setoid` FOREIGN KEY (`session_access_token_id`) REFERENCES `oauth_session_access_tokens` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION
|
||||||
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
|
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
|
||||||
|
|
||||||
|
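Review bot: The added `client_id` column is declared `char(40) NOT NULL DEFAULT ''`, so an INSERT path that omits the column would produce a row bound to no client and only the added foreign key would reject it; drop the default, `` `client_id` char(40) NOT NULL, ``, so such an insert fails on the column itself, and keep `ON DELETE CASCADE`, which usefully revokes a deleted client's refresh tokens. If this table already exists in a deployment and the change is applied as an ALTER, every existing row ends up with `client_id = ''` and stops validating under the new lookup, which is the safe outcome but should be stated in the migration notes. Whether `refresh_token` itself has a unique index is not visible in this hunk; the new lookup filters on it together with `client_id`, so confirm one exists above line 57.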
@ -283,7 +283,7 @@ class AuthCode implements GrantTypeInterface {
|
|||||||
if ($this->authServer->hasGrantType('refresh_token')) {
|
if ($this->authServer->hasGrantType('refresh_token')) {
|
||||||
$refreshToken = SecureKey::make();
|
$refreshToken = SecureKey::make();
|
||||||
$refreshTokenTTL = time() + $this->authServer->getGrantType('refresh_token')->getRefreshTokenTTL();
|
$refreshTokenTTL = time() + $this->authServer->getGrantType('refresh_token')->getRefreshTokenTTL();
|
||||||
$this->authServer->getStorage('session')->associateRefreshToken($accessTokenId, $refreshToken, $refreshTokenTTL);
|
$this->authServer->getStorage('session')->associateRefreshToken($accessTokenId, $refreshToken, $refreshTokenTTL, $authParams['client_id']);
|
||||||
$response['refresh_token'] = $refreshToken;
|
$response['refresh_token'] = $refreshToken;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
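Review bot: The `$authParams['client_id']` passed on the changed `associateRefreshToken` line is the value the refresh token is now bound to, and nothing in this hunk shows that it is the client that authenticated for this token request and that the authorization code being redeemed was issued to the same client; if those checks happen earlier in the enclosing method, which starts outside the hunk, the binding is sound, otherwise it is a client-chosen identifier. A comment at the call, `// bind the refresh token to the client that authenticated for this request`, would make that invariant explicit for the next reader. Separately, `$refreshTokenTTL` holds an absolute expiry (`time() + TTL`) rather than a TTL, and the RefreshToken grant calls the same value `$refreshTokenExpires`.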
@ -214,7 +214,7 @@ class Password implements GrantTypeInterface {
|
|||||||
if ($this->authServer->hasGrantType('refresh_token')) {
|
if ($this->authServer->hasGrantType('refresh_token')) {
|
||||||
$refreshToken = SecureKey::make();
|
$refreshToken = SecureKey::make();
|
||||||
$refreshTokenTTL = time() + $this->authServer->getGrantType('refresh_token')->getRefreshTokenTTL();
|
$refreshTokenTTL = time() + $this->authServer->getGrantType('refresh_token')->getRefreshTokenTTL();
|
||||||
$this->authServer->getStorage('session')->associateRefreshToken($accessTokenId, $refreshToken, $refreshTokenTTL);
|
$this->authServer->getStorage('session')->associateRefreshToken($accessTokenId, $refreshToken, $refreshTokenTTL, $authParams['client_id']);
|
||||||
$response['refresh_token'] = $refreshToken;
|
$response['refresh_token'] = $refreshToken;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
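Review bot: `$refreshTokenTTL = time() + ...` on the context line above the changed call stores an absolute Unix expiry, not a time-to-live, and it is passed into a parameter named `$expireTime`; renaming it `$refreshTokenExpires`, the name the RefreshToken grant already uses for the same quantity, would remove the mismatch. The four-line generate-compute-store-return sequence is now repeated verbatim in AuthCode, Password and RefreshToken with the client id threaded through each copy; a single helper that takes `($accessTokenId, $clientId)` and returns the token, living on the server or on the `refresh_token` grant that already owns the TTL, would keep the binding logic in one place. The enclosing method starts and ends outside the hunk.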
@ -143,7 +143,7 @@ class RefreshToken implements GrantTypeInterface {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Validate refresh token
|
// Validate refresh token
|
||||||
$accessTokenId = $this->authServer->getStorage('session')->validateRefreshToken($authParams['refresh_token']);
|
$accessTokenId = $this->authServer->getStorage('session')->validateRefreshToken($authParams['refresh_token'], $authParams['client_id']);
|
||||||
|
|
||||||
if ($accessTokenId === false) {
|
if ($accessTokenId === false) {
|
||||||
throw new Exception\ClientException($this->authServer->getExceptionMessage('invalid_refresh'), 0);
|
throw new Exception\ClientException($this->authServer->getExceptionMessage('invalid_refresh'), 0);
|
||||||
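Review bot: The changed `validateRefreshToken` call folds "token belongs to another client" into the same `false` as "expired" or "unknown", and the generic `invalid_refresh` error that follows is the right response to the caller; what the commit does not address is that a valid, unexpired refresh token presented by a different client is strong evidence of token theft (RFC 6749 §10.4), and the server merely refuses and leaves the token usable. If the storage layer can distinguish the mismatch case, revoking that refresh token and its access token and logging the event would be the defensive response. Where `$authParams['client_id']` is authenticated is above the hunk; the binding is only as strong as that check.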
@ -168,7 +168,7 @@ class RefreshToken implements GrantTypeInterface {
|
|||||||
$this->authServer->getStorage('session')->associateScope($newAccessTokenId, $scope['id']);
|
$this->authServer->getStorage('session')->associateScope($newAccessTokenId, $scope['id']);
|
||||||
}
|
}
|
||||||
|
|
||||||
$this->authServer->getStorage('session')->associateRefreshToken($newAccessTokenId, $refreshToken, $refreshTokenExpires);
|
$this->authServer->getStorage('session')->associateRefreshToken($newAccessTokenId, $refreshToken, $refreshTokenExpires, $authParams['client_id']);
|
||||||
|
|
||||||
return array(
|
return array(
|
||||||
'access_token' => $accessToken,
|
'access_token' => $accessToken,
|
||||||
|
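Review bot: The replacement refresh token stored on the changed line is bound to the same `$authParams['client_id']` that was just validated, which is correct; what the hunk does not show is whether `$refreshToken` is a freshly generated value and whether the row for the token just redeemed is removed. With `session_access_token_id` as the table's primary key, the old row only disappears if the old access token is deleted, so if rotation is intended, confirm the redeemed refresh token cannot be replayed after this exchange. `$refreshToken` and `$refreshTokenExpires` are assigned above the hunk.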
@ -91,15 +91,16 @@ class Session implements SessionInterface
|
|||||||
* @param int $expireTime Unix timestamp of the refresh token expiry time
|
* @param int $expireTime Unix timestamp of the refresh token expiry time
|
||||||
* @return void
|
* @return void
|
||||||
*/
|
*/
|
||||||
public function associateRefreshToken($accessTokenId, $refreshToken, $expireTime)
|
public function associateRefreshToken($accessTokenId, $refreshToken, $expireTime, $clientId)
|
||||||
{
|
{
|
||||||
$db = \ezcDbInstance::get();
|
$db = \ezcDbInstance::get();
|
||||||
|
|
||||||
$stmt = $db->prepare('INSERT INTO oauth_session_refresh_tokens (session_access_token_id, refresh_token, refresh_token_expires) VALUE
|
$stmt = $db->prepare('INSERT INTO oauth_session_refresh_tokens (session_access_token_id, refresh_token, refresh_token_expires, client_id) VALUE
|
||||||
(:accessTokenId, :refreshToken, :expireTime)');
|
(:accessTokenId, :refreshToken, :expireTime, :clientId)');
|
||||||
$stmt->bindValue(':accessTokenId', $accessTokenId);
|
$stmt->bindValue(':accessTokenId', $accessTokenId);
|
||||||
$stmt->bindValue(':refreshToken', $refreshToken);
|
$stmt->bindValue(':refreshToken', $refreshToken);
|
||||||
$stmt->bindValue(':expireTime', $expireTime);
|
$stmt->bindValue(':expireTime', $expireTime);
|
||||||
|
$stmt->bindValue(':clientId', $clientId);
|
||||||
$stmt->execute();
|
$stmt->execute();
|
||||||
}
|
}
|
||||||
|
|
||||||
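Review bot: The implementation's docblock was not updated with the signature: the context lines still end at `@param int $expireTime` followed by `@return void`, so `$clientId` is documented in the interface but not here; add `* @param string $clientId The ID of the client the refresh token is bound to` after the `$expireTime` line. The new column is bound through `bindValue` like the others, so the INSERT stays parameterised. A short note on the method that it trusts the caller to pass an authenticated client id, since the grant classes decide that and the storage layer cannot, would help the next storage implementer.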
@ -188,13 +189,14 @@ class Session implements SessionInterface
|
|||||||
* @param string $refreshToken The access token
|
* @param string $refreshToken The access token
|
||||||
* @return void
|
* @return void
|
||||||
*/
|
*/
|
||||||
public function validateRefreshToken($refreshToken)
|
public function validateRefreshToken($refreshToken, $clientId)
|
||||||
{
|
{
|
||||||
$db = \ezcDbInstance::get();
|
$db = \ezcDbInstance::get();
|
||||||
|
|
||||||
$stmt = $db->prepare('SELECT session_access_token_id FROM `oauth_session_refresh_tokens` WHERE
|
$stmt = $db->prepare('SELECT session_access_token_id FROM `oauth_session_refresh_tokens` WHERE
|
||||||
refresh_token = :refreshToken AND refresh_token_expires >= ' . time());
|
refresh_token = :refreshToken AND client_id = :clientId AND refresh_token_expires >= ' . time());
|
||||||
$stmt->bindValue(':refreshToken', $refreshToken);
|
$stmt->bindValue(':refreshToken', $refreshToken);
|
||||||
|
$stmt->bindValue(':clientId', $clientId);
|
||||||
$stmt->execute();
|
$stmt->execute();
|
||||||
|
|
||||||
$result = $stmt->fetchObject();
|
$result = $stmt->fetchObject();
|
||||||
|
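Review bot: The docblock on the changed method is now wrong in three places: `@param string $refreshToken The access token` describes a refresh token, `@return void` contradicts the `int|bool` the interface declares, and `$clientId` is undocumented; replace them with `* @param string $refreshToken The refresh token`, `* @param string $clientId The client the token must be bound to` and `* @return int|bool`. The new `client_id = :clientId` predicate is bound, but `time()` is still concatenated into the statement; it is an integer so not injectable, yet binding it as `:now` keeps the query fully parameterised. One caveat: if the column uses the table's default utf8 collation (`utf8_general_ci`, case-insensitive), `refresh_token = :refreshToken` matches case-insensitively, which weakens the lookup if `SecureKey::make()` produces mixed-case tokens; a binary collation on that column, or a `hash_equals()` re-check in PHP, closes that.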
@ -91,9 +91,10 @@ interface SessionInterface
|
|||||||
* @param int $accessTokenId The access token ID
|
* @param int $accessTokenId The access token ID
|
||||||
* @param string $refreshToken The refresh token
|
* @param string $refreshToken The refresh token
|
||||||
* @param int $expireTime Unix timestamp of the refresh token expiry time
|
* @param int $expireTime Unix timestamp of the refresh token expiry time
|
||||||
|
* @param string $clientId The client ID
|
||||||
* @return void
|
* @return void
|
||||||
*/
|
*/
|
||||||
public function associateRefreshToken($accessTokenId, $refreshToken, $expireTime);
|
public function associateRefreshToken($accessTokenId, $refreshToken, $expireTime, $clientId);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Assocate an authorization code with a session
|
* Assocate an authorization code with a session
|
||||||
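Review bot: Adding a required `$clientId` parameter to `associateRefreshToken` on the interface is a breaking change for any custom `SessionInterface` implementation, which will now fail PHP's declaration-compatibility check until it is updated; that is reasonable for a security fix, but it deserves a changelog entry and a version note in the docblock. The added `@param string $clientId The client ID` is correct; `The ID of the client the refresh token is bound to` would also say why the parameter exists.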
@ -191,13 +192,14 @@ interface SessionInterface
|
|||||||
*
|
*
|
||||||
* <code>
|
* <code>
|
||||||
* SELECT session_access_token_id FROM `oauth_session_refresh_tokens` WHERE refresh_token = :refreshToken
|
* SELECT session_access_token_id FROM `oauth_session_refresh_tokens` WHERE refresh_token = :refreshToken
|
||||||
* AND refresh_token_expires >= UNIX_TIMESTAMP(NOW())
|
* AND refresh_token_expires >= UNIX_TIMESTAMP(NOW()) AND client_id = :clientId
|
||||||
* </code>
|
* </code>
|
||||||
*
|
*
|
||||||
* @param string $refreshToken The access token
|
* @param string $refreshToken The access token
|
||||||
|
* @param string $clientId The client ID
|
||||||
* @return int|bool The ID of the access token the refresh token is linked to (or false if invalid)
|
* @return int|bool The ID of the access token the refresh token is linked to (or false if invalid)
|
||||||
*/
|
*/
|
||||||
public function validateRefreshToken($refreshToken);
|
public function validateRefreshToken($refreshToken, $clientId);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get an access token by ID
|
* Get an access token by ID
|
||||||
|
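Review bot: The context line `@param string $refreshToken The access token` on the changed `validateRefreshToken` declaration is wrong and should read `* @param string $refreshToken The refresh token`; while touching the docblock, add to the description that the token only validates for the client it was issued to. The example SQL in the `<code>` block was updated to include `client_id = :clientId`, which matches the Session implementation in this commit.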