From c996b665285dffde76ac9452b1e7bc3e2dd55f22 Mon Sep 17 00:00:00 2001
From: Andrew Millington
Date: Wed, 18 Oct 2017 22:08:41 +0100
Subject: [PATCH] Add means to set default scopes for grants

---
 src/Grant/AbstractGrant.php | 30 +++++++++++++++++++++-------
 src/Grant/AuthCodeGrant.php | 2 +-
 src/Grant/ClientCredentialsGrant.php | 6 +++---
 src/Grant/GrantTypeInterface.php | 7 +++++++
 src/Grant/ImplicitGrant.php | 6 +++---
 src/Grant/PasswordGrant.php | 6 +++---
 src/Grant/RefreshTokenGrant.php | 4 ++--
 7 files changed, 42 insertions(+), 19 deletions(-)

diff --git a/src/Grant/AbstractGrant.php b/src/Grant/AbstractGrant.php
index 3ac98cf4..b52b14cb 100644
--- a/src/Grant/AbstractGrant.php
+++ b/src/Grant/AbstractGrant.php
@@ -56,6 +56,11 @@ abstract class AbstractGrant implements GrantTypeInterface
 */
 protected $scopeRepository;
 
+ /**
+ * @var string
+ */
+ protected $defaultScope = '';
+
 /**
 * @var AuthCodeRepositoryInterface
 */
@@ -105,6 +110,14 @@ abstract class AbstractGrant implements GrantTypeInterface
 $this->scopeRepository = $scopeRepository;
 }
 
+ /**
+ * @param string $scope
+ */
+ public function setDefaultScope($scope)
+ {
+ $this->defaultScope = $scope;
+ }
+
 /**
 * @param RefreshTokenRepositoryInterface $refreshTokenRepository
 */
@@ -211,10 +224,8 @@ abstract class AbstractGrant implements GrantTypeInterface
 *
 * @return ScopeEntityInterface[]
 */
- public function validateScopes(
- $scopes,
- $redirectUri = null
- ) {
+ public function validateScopes($scopes, $redirectUri = null)
+ {
 $scopesList = array_filter(
 explode(self::SCOPE_DELIMITER_STRING, trim($scopes)),
 function ($scope) {
@@ -222,7 +233,8 @@ abstract class AbstractGrant implements GrantTypeInterface
 }
 );
 
- $scopes = [];
+ $validScopes = [];
+
 foreach ($scopesList as $scopeItem) {
 $scope = $this->scopeRepository->getScopeEntityByIdentifier($scopeItem);
 
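Review bot: `setDefaultScope($scope)` in the second AbstractGrant hunk accepts any value without saying what format is expected, yet the property is consumed as the fallback for the raw `scope` request parameter and parsed by `validateScopes` with `explode(self::SCOPE_DELIMITER_STRING, trim($scopes))`, so it is a delimited list of scope identifiers rather than a single scope; the docblocks on the property (first hunk) and the setter should state this, e.g. `@param string $scope Scope identifiers separated by SCOPE_DELIMITER_STRING, used when a request omits the scope parameter`. Nothing here checks the configured default against the scope repository, so an unknown identifier in it only surfaces at request time as an `invalidScope` error to the client, which is worth a sentence in the same docblock. If the library's minimum PHP version permits scalar type declarations, `public function setDefaultScope(string $scope)` would make the setter match its docblock.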
@@ -230,10 +242,14 @@ abstract class AbstractGrant implements GrantTypeInterface
 throw OAuthServerException::invalidScope($scopeItem, $redirectUri);
 }
 
- $scopes[] = $scope;
+ $validScopes[] = $scope;
 }
 
- return $scopes;
+ if (empty($validScopes)) {
+ throw OAuthServerException::missingScope($redirectUri);
+ }
+
+ return $validScopes;
 }
 
 /**
diff --git a/src/Grant/AuthCodeGrant.php b/src/Grant/AuthCodeGrant.php
index a138366f..a8528bb5 100644
--- a/src/Grant/AuthCodeGrant.php
+++ b/src/Grant/AuthCodeGrant.php
@@ -243,7 +243,7 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
 }
 
 $scopes = $this->validateScopes(
- $this->getQueryStringParameter('scope', $request),
+ $this->getQueryStringParameter('scope', $request, $this->defaultScope),
 is_array($client->getRedirectUri())
 ? $client->getRedirectUri()[0]
 : $client->getRedirectUri()
diff --git a/src/Grant/ClientCredentialsGrant.php b/src/Grant/ClientCredentialsGrant.php
index b5b968d4..ed157aaf 100644
--- a/src/Grant/ClientCredentialsGrant.php
+++ b/src/Grant/ClientCredentialsGrant.php
@@ -29,13 +29,13 @@ class ClientCredentialsGrant extends AbstractGrant
 ) {
 // Validate request
 $client = $this->validateClient($request);
- $scopes = $this->validateScopes($this->getRequestParameter('scope', $request));
+ $scopes = $this->validateScopes($this->getRequestParameter('scope', $request, $this->defaultScope));
 
 // Finalize the requested scopes
- $scopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client);
+ $finalizedScopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client);
 
 // Issue and persist access token
- $accessToken = $this->issueAccessToken($accessTokenTTL, $client, null, $scopes);
+ $accessToken = $this->issueAccessToken($accessTokenTTL, $client, null, $finalizedScopes);
 
 // Inject access token into response type
 $responseType->setAccessToken($accessToken);
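Review bot: The new `if (empty($validScopes)) { throw OAuthServerException::missingScope($redirectUri); }` means `validateScopes` can no longer return an empty list, so the `if (count($scopes) === 0)` branch in the RefreshTokenGrant hunk that reuses the original session scopes becomes unreachable, and a refresh request that omits `scope` now fails outright unless a default scope has been configured. Because the shipped default is `''`, the same applies to every grant in this patch, which makes this a behaviour change for existing deployments rather than a pure addition, and neither the commit message nor the docblock mentions it. A less disruptive shape is to keep `return $validScopes;` unconditional and let each grant apply its own policy, since the refresh grant already handles the empty case and the other grants can reject an empty result where required. `OAuthServerException::missingScope` is not in any file this patch touches, so it must already exist for the code to run; worth confirming. `validateScopes` begins in the previous hunk.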
diff --git a/src/Grant/GrantTypeInterface.php b/src/Grant/GrantTypeInterface.php
index 7aa98242..0e721435 100644
--- a/src/Grant/GrantTypeInterface.php
+++ b/src/Grant/GrantTypeInterface.php
@@ -119,6 +119,13 @@ interface GrantTypeInterface extends EmitterAwareInterface
 */
 public function setScopeRepository(ScopeRepositoryInterface $scopeRepository);
 
+ /**
+ * Set the default scope.
+ *
+ * @param string $scope
+ */
+ public function setDefaultScope($scope);
+
 /**
 * Set the path to the private key.
 *
diff --git a/src/Grant/ImplicitGrant.php b/src/Grant/ImplicitGrant.php
index 466f32ce..9f000eb0 100644
--- a/src/Grant/ImplicitGrant.php
+++ b/src/Grant/ImplicitGrant.php
@@ -145,14 +145,14 @@ class ImplicitGrant extends AbstractAuthorizeGrant
 }
 
 $scopes = $this->validateScopes(
- $this->getQueryStringParameter('scope', $request),
+ $this->getQueryStringParameter('scope', $request, $this->defaultScope),
 is_array($client->getRedirectUri())
 ? $client->getRedirectUri()[0]
 : $client->getRedirectUri()
 );
 
 // Finalize the requested scopes
- $scopes = $this->scopeRepository->finalizeScopes(
+ $finalizedScopes = $this->scopeRepository->finalizeScopes(
 $scopes,
 $this->getIdentifier(),
 $client
@@ -165,7 +165,7 @@ class ImplicitGrant extends AbstractAuthorizeGrant
 $authorizationRequest->setClient($client);
 $authorizationRequest->setRedirectUri($redirectUri);
 $authorizationRequest->setState($stateParameter);
- $authorizationRequest->setScopes($scopes);
+ $authorizationRequest->setScopes($finalizedScopes);
 
 return $authorizationRequest;
 }
diff --git a/src/Grant/PasswordGrant.php b/src/Grant/PasswordGrant.php
index 31755613..cfd7e9fe 100644
--- a/src/Grant/PasswordGrant.php
+++ b/src/Grant/PasswordGrant.php
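Review bot: Adding `setDefaultScope($scope)` to `GrantTypeInterface` is a breaking change for any third-party grant that implements the interface directly rather than extending `AbstractGrant`, because such classes stop satisfying the interface until they add the method; the commit should say so, or the addition could be held for the next major release. The docblock `Set the default scope.` also understates the contract: the value is used verbatim as the fallback for the request's `scope` parameter and then split on the grant's scope delimiter, so it is a delimited list, e.g. `* Set the scope(s) applied when a request omits the scope parameter, given as a delimited string in the same format as the request parameter.`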
@@ -49,14 +49,14 @@ class PasswordGrant extends AbstractGrant
 ) {
 // Validate request
 $client = $this->validateClient($request);
- $scopes = $this->validateScopes($this->getRequestParameter('scope', $request));
+ $scopes = $this->validateScopes($this->getRequestParameter('scope', $request, $this->defaultScope));
 $user = $this->validateUser($request, $client);
 
 // Finalize the requested scopes
- $scopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client, $user->getIdentifier());
+ $finalizedScopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client, $user->getIdentifier());
 
 // Issue and persist new tokens
- $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $user->getIdentifier(), $scopes);
+ $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $user->getIdentifier(), $finalizedScopes);
 $refreshToken = $this->issueRefreshToken($accessToken);
 
 // Inject tokens into response
diff --git a/src/Grant/RefreshTokenGrant.php b/src/Grant/RefreshTokenGrant.php
index 53dfdf7d..4fda5974 100644
--- a/src/Grant/RefreshTokenGrant.php
+++ b/src/Grant/RefreshTokenGrant.php
@@ -44,11 +44,11 @@ class RefreshTokenGrant extends AbstractGrant
 // Validate request
 $client = $this->validateClient($request);
 $oldRefreshToken = $this->validateOldRefreshToken($request, $client->getIdentifier());
- $scopes = $this->validateScopes($this->getRequestParameter('scope', $request));
+ $scopes = $this->validateScopes($this->getRequestParameter('scope', $request, $this->defaultScope));
 
 // If no new scopes are requested then give the access token the original session scopes
 if (count($scopes) === 0) {
- $scopes = array_map(function ($scopeId) use ($client) {
+ $scopes = array_map(function ($scopeId) {
 $scope = $this->scopeRepository->getScopeEntityByIdentifier($scopeId);
 
 if ($scope instanceof ScopeEntityInterface === false) {
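Review bot: In the RefreshTokenGrant hunk `$this->defaultScope` is the wrong fallback for a refresh: when the request omits `scope`, the scopes the user originally consented to are the natural default (the comment two lines below says exactly that), and substituting the server-wide default makes the refreshed token's scope depend on configuration rather than on the original grant. If the configured default contains identifiers outside the old token's scope set, the code after this hunk must still bound the result by `$oldRefreshToken`; that check is not visible here, so please confirm it exists. A safer shape is to pass the old token's scope identifiers, joined with `self::SCOPE_DELIMITER_STRING`, as the third argument to `getRequestParameter` in place of `$this->defaultScope`, so the refresh path never widens beyond the original session. The enclosing method continues past the hunk.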