ElyBy-Mirror/oauth2-server
1
0
Fork 0
mirror of https://github.com/elyby/oauth2-server.git synced 2025-03-03 15:12:52 +05:30
Code Issues Packages Projects Releases Wiki Activity

Modify grants so only auth requests use default scopes

Browse Source
This commit is contained in:
Sephster 2017-11-13 22:19:44 +00:00
parent ce8248c10f
commit c895885700
8 changed files with 45 additions and 68 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
src/Grant/AbstractAuthorizeGrant.php
View File

@ -33,25 +33,4 @@ abstract class AbstractAuthorizeGrant extends AbstractGrant
return $uri . http_build_query($params); return $uri . http_build_query($params);
} }
/**
* @param string $scope
*/
public function setDefaultScope($scope)
{
$this->defaultScope = $scope;
}
/**
* @param ScopeEntityInterface[] $requestedScopes
* @param string $redirectUri
*
* @throws OAuthServerException
*/
protected function checkScopesRequested($requestedScopes, $redirectUri = null)
{
if (empty($requestedScopes)) {
throw OAuthServerException::invalidScope($redirectUri);
}
}
} }

26
src/Grant/AbstractGrant.php
View File

@ -81,6 +81,11 @@ abstract class AbstractGrant implements GrantTypeInterface
*/ */
protected $privateKey; protected $privateKey;
/**
* @string
*/
protected $defaultScope;
/** /**
* @param ClientRepositoryInterface $clientRepository * @param ClientRepositoryInterface $clientRepository
*/ */
@ -147,6 +152,14 @@ abstract class AbstractGrant implements GrantTypeInterface
$this->privateKey = $key; $this->privateKey = $key;
} }
/**
* @param string $scope
*/
public function setDefaultScope($scope)
{
$this->defaultScope = $scope;
}
/** /**
* Validate the client. * Validate the client.
* *
@ -213,12 +226,9 @@ abstract class AbstractGrant implements GrantTypeInterface
*/ */
public function validateScopes($scopes, $redirectUri = null) public function validateScopes($scopes, $redirectUri = null)
{ {
$scopesList = array_filter( $scopesList = array_filter(explode(self::SCOPE_DELIMITER_STRING, trim($scopes)), function ($scope) {
explode(self::SCOPE_DELIMITER_STRING, trim($scopes)), return !empty($scope);
function ($scope) { });
return !empty($scope);
}
);
$validScopes = []; $validScopes = [];
@ -232,6 +242,10 @@ abstract class AbstractGrant implements GrantTypeInterface
$validScopes[] = $scope; $validScopes[] = $scope;
} }
if (empty($validScopes)) {
throw OAuthServerException::invalidScope($redirectUri);
}
return $validScopes; return $validScopes;
} }

12
src/Grant/AuthCodeGrant.php
View File

@ -242,19 +242,13 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
} }
} }
$redirectUri = is_array($client->getRedirectUri()) ? $client->getRedirectUri()[0] : $client->getRedirectUri();
$scopes = $this->validateScopes( $scopes = $this->validateScopes(
$this->getQueryStringParameter('scope', $request, $this->defaultScope), $this->getQueryStringParameter('scope', $request, $this->defaultScope),
$redirectUri is_array($client->getRedirectUri())
? $client->getRedirectUri()[0]
: $client->getRedirectUri()
); );
try {
$this->checkScopesRequested($scopes, $redirectUri);
} catch (OAuthServerException $ex) {
throw $ex;
}
$stateParameter = $this->getQueryStringParameter('state', $request); $stateParameter = $this->getQueryStringParameter('state', $request);
$authorizationRequest = new AuthorizationRequest(); $authorizationRequest = new AuthorizationRequest();

2
src/Grant/ClientCredentialsGrant.php
View File

@ -29,7 +29,7 @@ class ClientCredentialsGrant extends AbstractGrant
) { ) {
// Validate request // Validate request
$client = $this->validateClient($request); $client = $this->validateClient($request);
$scopes = $this->validateScopes($this->getRequestParameter('scope', $request)); $scopes = $this->validateScopes($this->getRequestParameter('scope', $request, $this->defaultScope));
// Finalize the requested scopes // Finalize the requested scopes
$finalizedScopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client); $finalizedScopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client);

7
src/Grant/GrantTypeInterface.php
View File

@ -119,6 +119,13 @@ interface GrantTypeInterface extends EmitterAwareInterface
*/ */
public function setScopeRepository(ScopeRepositoryInterface $scopeRepository); public function setScopeRepository(ScopeRepositoryInterface $scopeRepository);
/**
* Set the default scope.
*
* @param string $scope
*/
public function setDefaultScope($scope);
/** /**
* Set the path to the private key. * Set the path to the private key.
* *

12
src/Grant/ImplicitGrant.php
View File

@ -144,19 +144,13 @@ class ImplicitGrant extends AbstractAuthorizeGrant
} }
} }
$redirectUri = is_array($client->getRedirectUri()) ? $client->getRedirectUri()[0] : $client->getRedirectUri();
$scopes = $this->validateScopes( $scopes = $this->validateScopes(
$this->getQueryStringParameter('scope', $request, $this->defaultScope), $this->getQueryStringParameter('scope', $request, $this->defaultScope),
$redirectUri is_array($client->getRedirectUri())
? $client->getRedirectUri()[0]
: $client->getRedirectUri()
); );
try {
$this->checkScopesRequested($scopes, $redirectUri);
} catch (OAuthServerException $ex) {
throw $ex;
}
// Finalize the requested scopes // Finalize the requested scopes
$finalizedScopes = $this->scopeRepository->finalizeScopes( $finalizedScopes = $this->scopeRepository->finalizeScopes(
$scopes, $scopes,

2
src/Grant/PasswordGrant.php
View File

@ -49,7 +49,7 @@ class PasswordGrant extends AbstractGrant
) { ) {
// Validate request // Validate request
$client = $this->validateClient($request); $client = $this->validateClient($request);
$scopes = $this->validateScopes($this->getRequestParameter('scope', $request)); $scopes = $this->validateScopes($this->getRequestParameter('scope', $request, $this->defaultScope));
$user = $this->validateUser($request, $client); $user = $this->validateUser($request, $client);
// Finalize the requested scopes // Finalize the requested scopes

31
src/Grant/RefreshTokenGrant.php
View File

@ -44,28 +44,17 @@ class RefreshTokenGrant extends AbstractGrant
// Validate request // Validate request
$client = $this->validateClient($request); $client = $this->validateClient($request);
$oldRefreshToken = $this->validateOldRefreshToken($request, $client->getIdentifier()); $oldRefreshToken = $this->validateOldRefreshToken($request, $client->getIdentifier());
$scopes = $this->validateScopes($this->getRequestParameter('scope', $request)); $scopes = $this->validateScopes($this->getRequestParameter(
'scope',
$request,
implode(self::SCOPE_DELIMITER_STRING, $oldRefreshToken['scopes']))
);
// If no new scopes are requested then give the access token the original session scopes // The OAuth spec says that a refreshed access token can have the original scopes or fewer so ensure
if (count($scopes) === 0) { // the request doesn't include any new scopes
$scopes = array_map(function ($scopeId) { foreach ($scopes as $scope) {
$scope = $this->scopeRepository->getScopeEntityByIdentifier($scopeId); if (in_array($scope->getIdentifier(), $oldRefreshToken['scopes']) === false) {
throw OAuthServerException::invalidScope($scope->getIdentifier());
if ($scope instanceof ScopeEntityInterface === false) {
// @codeCoverageIgnoreStart
throw OAuthServerException::invalidScope($scopeId);
// @codeCoverageIgnoreEnd
}
return $scope;
}, $oldRefreshToken['scopes']);
} else {
// The OAuth spec says that a refreshed access token can have the original scopes or fewer so ensure
// the request doesn't include any new scopes
foreach ($scopes as $scope) {
if (in_array($scope->getIdentifier(), $oldRefreshToken['scopes']) === false) {
throw OAuthServerException::invalidScope($scope->getIdentifier());
}
} }
} }