Modify grants so only auth requests use default scopes

2025-05-31 14:12:07 +05:30 · 2017-11-13 22:19:44 +00:00
parent ce8248c10f
commit c895885700
8 changed files with 45 additions and 68 deletions
--- a/src/Grant/AbstractAuthorizeGrant.php
+++ b/src/Grant/AbstractAuthorizeGrant.php
@@ -33,25 +33,4 @@ abstract class AbstractAuthorizeGrant extends AbstractGrant

        return $uri . http_build_query($params);
    }
-
-    /**
-     * @param string $scope
-     */
-    public function setDefaultScope($scope)
-    {
-        $this->defaultScope = $scope;
-    }
-
-    /**
-     * @param ScopeEntityInterface[] $requestedScopes
-     * @param string $redirectUri
-     *
-     * @throws OAuthServerException
-     */
-    protected function checkScopesRequested($requestedScopes, $redirectUri = null)
-    {
-        if (empty($requestedScopes)) {
-            throw OAuthServerException::invalidScope($redirectUri);
-        }
-    }
 }
--- a/src/Grant/AbstractGrant.php
+++ b/src/Grant/AbstractGrant.php
@@ -81,6 +81,11 @@ abstract class AbstractGrant implements GrantTypeInterface
     */
    protected $privateKey;

+    /**
+     * @string
+     */
+    protected $defaultScope;
+
    /**
     * @param ClientRepositoryInterface $clientRepository
     */
@@ -147,6 +152,14 @@ abstract class AbstractGrant implements GrantTypeInterface
        $this->privateKey = $key;
    }

+    /**
+     * @param string $scope
+     */
+    public function setDefaultScope($scope)
+    {
+        $this->defaultScope = $scope;
+    }
+
    /**
     * Validate the client.
     *
@@ -213,12 +226,9 @@ abstract class AbstractGrant implements GrantTypeInterface
     */
    public function validateScopes($scopes, $redirectUri = null)
    {
-        $scopesList = array_filter(
-            explode(self::SCOPE_DELIMITER_STRING, trim($scopes)),
-            function ($scope) {
-                return !empty($scope);
-            }
-        );
+        $scopesList = array_filter(explode(self::SCOPE_DELIMITER_STRING, trim($scopes)), function ($scope) {
+            return !empty($scope);
+        });

        $validScopes = [];

@@ -232,6 +242,10 @@ abstract class AbstractGrant implements GrantTypeInterface
            $validScopes[] = $scope;
        }

+        if (empty($validScopes)) {
+            throw OAuthServerException::invalidScope($redirectUri);
+        }
+
        return $validScopes;
    }

--- a/src/Grant/AuthCodeGrant.php
+++ b/src/Grant/AuthCodeGrant.php
@@ -242,19 +242,13 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
            }
        }

-        $redirectUri = is_array($client->getRedirectUri()) ? $client->getRedirectUri()[0] : $client->getRedirectUri();
-
        $scopes = $this->validateScopes(
            $this->getQueryStringParameter('scope', $request, $this->defaultScope),
-            $redirectUri
+            is_array($client->getRedirectUri())
+                ? $client->getRedirectUri()[0]
+                : $client->getRedirectUri()
        );

-        try {
-            $this->checkScopesRequested($scopes, $redirectUri);
-        } catch (OAuthServerException $ex) {
-            throw $ex;
-        }
-
        $stateParameter = $this->getQueryStringParameter('state', $request);

        $authorizationRequest = new AuthorizationRequest();
--- a/src/Grant/ClientCredentialsGrant.php
+++ b/src/Grant/ClientCredentialsGrant.php
@@ -29,7 +29,7 @@ class ClientCredentialsGrant extends AbstractGrant
    ) {
        // Validate request
        $client = $this->validateClient($request);
-        $scopes = $this->validateScopes($this->getRequestParameter('scope', $request));
+        $scopes = $this->validateScopes($this->getRequestParameter('scope', $request, $this->defaultScope));

        // Finalize the requested scopes
        $finalizedScopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client);
--- a/src/Grant/GrantTypeInterface.php
+++ b/src/Grant/GrantTypeInterface.php
@@ -119,6 +119,13 @@ interface GrantTypeInterface extends EmitterAwareInterface
     */
    public function setScopeRepository(ScopeRepositoryInterface $scopeRepository);

+    /**
+     * Set the default scope.
+     *
+     * @param string $scope
+     */
+    public function setDefaultScope($scope);
+
    /**
     * Set the path to the private key.
     *
--- a/src/Grant/ImplicitGrant.php
+++ b/src/Grant/ImplicitGrant.php
@@ -144,19 +144,13 @@ class ImplicitGrant extends AbstractAuthorizeGrant
            }
        }

-        $redirectUri = is_array($client->getRedirectUri()) ? $client->getRedirectUri()[0] : $client->getRedirectUri();
-
        $scopes = $this->validateScopes(
            $this->getQueryStringParameter('scope', $request, $this->defaultScope),
-            $redirectUri
+            is_array($client->getRedirectUri())
+                ? $client->getRedirectUri()[0]
+                : $client->getRedirectUri()
        );

-        try {
-            $this->checkScopesRequested($scopes, $redirectUri);
-        } catch (OAuthServerException $ex) {
-            throw $ex;
-        }
-
        // Finalize the requested scopes
        $finalizedScopes = $this->scopeRepository->finalizeScopes(
            $scopes,
--- a/src/Grant/PasswordGrant.php
+++ b/src/Grant/PasswordGrant.php
@@ -49,7 +49,7 @@ class PasswordGrant extends AbstractGrant
    ) {
        // Validate request
        $client = $this->validateClient($request);
-        $scopes = $this->validateScopes($this->getRequestParameter('scope', $request));
+        $scopes = $this->validateScopes($this->getRequestParameter('scope', $request, $this->defaultScope));
        $user = $this->validateUser($request, $client);

        // Finalize the requested scopes
--- a/src/Grant/RefreshTokenGrant.php
+++ b/src/Grant/RefreshTokenGrant.php
@@ -44,28 +44,17 @@ class RefreshTokenGrant extends AbstractGrant
        // Validate request
        $client = $this->validateClient($request);
        $oldRefreshToken = $this->validateOldRefreshToken($request, $client->getIdentifier());
-        $scopes = $this->validateScopes($this->getRequestParameter('scope', $request));
+        $scopes = $this->validateScopes($this->getRequestParameter(
+            'scope',
+            $request,
+            implode(self::SCOPE_DELIMITER_STRING, $oldRefreshToken['scopes']))
+        );

-        // If no new scopes are requested then give the access token the original session scopes
-        if (count($scopes) === 0) {
-            $scopes = array_map(function ($scopeId) {
-                $scope = $this->scopeRepository->getScopeEntityByIdentifier($scopeId);
-
-                if ($scope instanceof ScopeEntityInterface === false) {
-                    // @codeCoverageIgnoreStart
-                    throw OAuthServerException::invalidScope($scopeId);
-                    // @codeCoverageIgnoreEnd
-                }
-
-                return $scope;
-            }, $oldRefreshToken['scopes']);
-        } else {
-            // The OAuth spec says that a refreshed access token can have the original scopes or fewer so ensure
-            // the request doesn't include any new scopes
-            foreach ($scopes as $scope) {
-                if (in_array($scope->getIdentifier(), $oldRefreshToken['scopes']) === false) {
-                    throw OAuthServerException::invalidScope($scope->getIdentifier());
-                }
+        // The OAuth spec says that a refreshed access token can have the original scopes or fewer so ensure
+        // the request doesn't include any new scopes
+        foreach ($scopes as $scope) {
+            if (in_array($scope->getIdentifier(), $oldRefreshToken['scopes']) === false) {
+                throw OAuthServerException::invalidScope($scope->getIdentifier());
            }
        }