1.0.7 merge

Signed-off-by: Michael Gooden <michael@bluepointweb.com>

CHANGELOG.md

@@ -1,5 +1,32 @@
 # Changelog
 
-## 1.0.0 (released 2012-02-15)
+## 1.0.7 (released 2013-03-04)
 
-* First release
+* Added method `requireStateParam()`
+* Added method `requireScopeParam()`
+
+## 1.0.6 (released 2013-02-22)
+
+* Added links to tutorials in the README
+* Added missing `state` parameter request to the `checkAuthoriseParams()` method.
+
+## 1.0.5 (released 2013-02-21)
+
+* Fixed the SQL example for SessionInterface::getScopes()
+
+## 1.0.3 (released 2013-02-20)
+
+* Changed all instances of the "authentication server" to "authorization server"
+
+## 1.0.2 (released 2013-02-20)
+
+* Fixed MySQL create table order
+* Fixed version number in composer.json
+
+## 1.0.1 (released 2013-02-19)
+
+* Updated AuthServer.php to use `self::getParam()`
+
+## 1.0.0 (released 2013-02-15)
+
+* First major release

README.md

@@ -1,6 +1,6 @@
 # PHP OAuth Framework
 
-The goal of this project is to develop a standards compliant [OAuth 2](http://tools.ietf.org/wg/oauth/draft-ietf-oauth-v2/) authentication server and resource server.
+The goal of this project is to develop a standards compliant [OAuth 2](http://tools.ietf.org/wg/oauth/draft-ietf-oauth-v2/) authorization server and resource server.
 
 ## Package Installation
 
@@ -9,7 +9,7 @@ The framework is provided as a Composer package which can be installed by adding
 ```javascript
 {
 	"require": {
-		"lncd\OAuth2": "*"
+		"lncd/OAuth2": "*"
 	}
 }
 ```
@@ -20,22 +20,26 @@ The library features 100% unit test code coverage. To run the tests yourself run
 
 ## Current Features
 
-### Authentication Server
+### Authorization Server
 
-The authentication server is a flexible class and following core specification grants are implemented:
+The authorization server is a flexible class and following core specification grants are implemented:
 
-* authentication code ([section 4.1](http://tools.ietf.org/html/rfc6749#section-4.1))
+* authorization code ([section 4.1](http://tools.ietf.org/html/rfc6749#section-4.1))
 * refresh token ([section 6](http://tools.ietf.org/html/rfc6749#section-6))
 * client credentials ([section 2.3.1](http://tools.ietf.org/html/rfc6749#section-2.3.1))
 * password (user credentials) ([section 4.3](http://tools.ietf.org/html/rfc6749#section-4.3))
 
+A tutorial on how to use the authorization server can be found at [http://alexbilbie.com/2013/02/developing-an-oauth2-authorization-server/](http://alexbilbie.com/2013/02/developing-an-oauth2-authorization-server/).
+
 ### Resource Server
 
 The resource server allows you to secure your API endpoints by checking for a valid OAuth access token in the request and ensuring the token has the correct permission to access resources.
 
+A tutorial on how to use the resource server can be found at [http://alexbilbie.com/2013/02/securing-your-api-with-oauth-2/](http://alexbilbie.com/2013/02/securing-your-api-with-oauth-2/).
+
 ## Future Goals
 
-### Authentication Server
+### Authorization Server
 
 * Support for [JSON web tokens](http://tools.ietf.org/wg/oauth/draft-ietf-oauth-json-web-token/).
 * Support for [SAML assertions](http://tools.ietf.org/wg/oauth/draft-ietf-oauth-saml2-bearer/).
@@ -49,4 +53,4 @@ This code was principally developed by [Alex Bilbie](http://alexbilbie.com/) ([T
 Valuable contribtions have been made by the following:
 
 * [Dan Horrigan](http://dandoescode.com) ([Twitter](https://twitter.com/dandoescode)|[Github](https://github.com/dandoescode))
-* [Nick Jackson](http://nickjackson.me) ([Twitter](https://twitter.com/jacksonj04)|[Github](https://github.com/jacksonj04))
+* [Nick Jackson](http://nickjackson.me) ([Twitter](https://twitter.com/jacksonj04)|[Github](https://github.com/jacksonj04))

build/phpunit.xml

@@ -1,8 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <phpunit colors="true" convertNoticesToExceptions="true" convertWarningsToExceptions="true" stopOnError="false" stopOnFailure="false" stopOnIncomplete="false" stopOnSkipped="false" bootstrap="../tests/Bootstrap.php">
 	<testsuites>
-		<testsuite name="Authentication Server">
-			<directory suffix="Test.php">../tests/authentication</directory>
+		<testsuite name="Authorization Server">
+			<directory suffix="Test.php">../tests/authorization</directory>
 		</testsuite>
 		<testsuite name="Resource Server">
 			<directory suffix="Test.php">../tests/resource</directory>

composer.json

@@ -1,8 +1,7 @@
 {
 	"name": "lncd/oauth2",
-	"description": "OAuth 2.0 Framework",
-	"version": "1.0.0",
-	"version": "1.0.1",
+	"description": "A lightweight and powerful OAuth 2.0 authorization and resource server library with support for all the core specification grants",
+	"version": "1.0.7",
 	"homepage": "https://github.com/lncd/OAuth2",
 	"license": "MIT",
 	"require": {

sql/mysql.sql

@@ -1,12 +1,3 @@
-CREATE TABLE `oauth_client_endpoints` (
-  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
-  `client_id` varchar(40) NOT NULL DEFAULT '',
-  `redirect_uri` varchar(255) DEFAULT NULL,
-  PRIMARY KEY (`id`),
-  KEY `client_id` (`client_id`),
-  CONSTRAINT `oauth_client_endpoints_ibfk_1` FOREIGN KEY (`client_id`) REFERENCES `oauth_clients` (`id`) ON DELETE CASCADE ON UPDATE CASCADE
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
 CREATE TABLE `oauth_clients` (
   `id` varchar(40) NOT NULL DEFAULT '',
   `secret` varchar(40) NOT NULL DEFAULT '',
@@ -15,15 +6,13 @@ CREATE TABLE `oauth_clients` (
   PRIMARY KEY (`id`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 
-CREATE TABLE `oauth_session_scopes` (
+CREATE TABLE `oauth_client_endpoints` (
   `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
-  `session_id` int(11) unsigned NOT NULL,
-  `scope_id` int(11) unsigned NOT NULL,
+  `client_id` varchar(40) NOT NULL DEFAULT '',
+  `redirect_uri` varchar(255) DEFAULT NULL,
   PRIMARY KEY (`id`),
-  KEY `session_id` (`session_id`),
-  KEY `scope_id` (`scope_id`),
-  CONSTRAINT `oauth_session_scopes_ibfk_5` FOREIGN KEY (`scope_id`) REFERENCES `oauth_scopes` (`id`) ON DELETE CASCADE,
-  CONSTRAINT `oauth_session_scopes_ibfk_4` FOREIGN KEY (`session_id`) REFERENCES `oauth_sessions` (`id`) ON DELETE CASCADE
+  KEY `client_id` (`client_id`),
+  CONSTRAINT `oauth_client_endpoints_ibfk_1` FOREIGN KEY (`client_id`) REFERENCES `oauth_clients` (`id`) ON DELETE CASCADE ON UPDATE CASCADE
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 
 CREATE TABLE `oauth_sessions` (
@@ -50,4 +39,15 @@ CREATE TABLE `oauth_scopes` (
   `description` varchar(255) DEFAULT '',
   PRIMARY KEY (`id`),
   UNIQUE KEY `scope` (`scope`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `oauth_session_scopes` (
+  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
+  `session_id` int(11) unsigned NOT NULL,
+  `scope_id` int(11) unsigned NOT NULL,
+  PRIMARY KEY (`id`),
+  KEY `session_id` (`session_id`),
+  KEY `scope_id` (`scope_id`),
+  CONSTRAINT `oauth_session_scopes_ibfk_5` FOREIGN KEY (`scope_id`) REFERENCES `oauth_scopes` (`id`) ON DELETE CASCADE,
+  CONSTRAINT `oauth_session_scopes_ibfk_4` FOREIGN KEY (`session_id`) REFERENCES `oauth_sessions` (`id`) ON DELETE CASCADE
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;

src/OAuth2/AuthServer.php

@@ -1,6 +1,6 @@
 <?php
 /**
- * OAuth 2.0 Authentication Server
+ * OAuth 2.0 Authorization Server
  *
  * @package     lncd/oauth2
  * @author      Alex Bilbie <hello@alexbilbie.com>
@@ -19,7 +19,7 @@ use OAuth2\Storage\ScopeInterface;
 use OAuth2\Grant\GrantTypeInterface;
 
 /**
- * OAuth 2.0 authentication server class
+ * OAuth 2.0 authorization server class
  */
 class AuthServer
 {
@@ -57,6 +57,18 @@ class AuthServer
      */
     static protected $grantTypes = array();
 
+    /**
+     * Require the "scope" parameter to be in checkAuthoriseParams()
+     * @var boolean
+     */
+    protected $requireScopeParam = true;
+
+    /**
+     * Require the "state" parameter to be in checkAuthoriseParams()
+     * @var boolean
+     */
+    protected $requireStateParam = false;
+
     /**
      * The request object
      * @var Util\RequestInterface
@@ -122,7 +134,7 @@ class AuthServer
     }
 
     /**
-     * Create a new OAuth2 authentication server
+     * Create a new OAuth2 authorization server
      *
      * @param ClientInterface  $client  A class which inherits from Storage/ClientInterface
      * @param SessionInterface $session A class which inherits from Storage/SessionInterface
@@ -164,6 +176,26 @@ class AuthServer
         return (array_key_exists($identifier, self::$grantTypes));
     }
 
+    /**
+     * Require the "scope" paremter in checkAuthoriseParams()
+     * @param  boolean $require
+     * @return void
+     */
+    public function requireScopeParam($require = true)
+    {
+        $this->requireScopeParam = $require;
+    }
+
+    /**
+     * Require the "state" paremter in checkAuthoriseParams()
+     * @param  boolean $require
+     * @return void
+     */
+    public function requireStateParam($require = false)
+    {
+        $this->requireStateParam = $require;
+    }
+
     /**
      * Get the scope delimeter
      *
@@ -249,7 +281,7 @@ class AuthServer
     public function checkAuthoriseParams($inputParams = array())
     {
         // Auth params
-        $authParams = self::getParam(array('client_id', 'redirect_uri', 'response_type', 'scope'), 'get', $inputParams);
+        $authParams = self::getParam(array('client_id', 'redirect_uri', 'response_type', 'scope', 'state'), 'get', $inputParams);
 
         if (is_null($authParams['client_id'])) {
             throw new Exception\ClientException(sprintf(self::$exceptionMessages['invalid_request'], 'client_id'), 0);
@@ -259,6 +291,10 @@ class AuthServer
             throw new Exception\ClientException(sprintf(self::$exceptionMessages['invalid_request'], 'redirect_uri'), 0);
         }
 
+        if ($this->requireStateParam === true && is_null($authParams['redirect_uri'])) {
+            throw new Exception\ClientException(sprintf(self::$exceptionMessages['invalid_request'], 'redirect_uri'), 0);
+        }
+
         // Validate client ID and redirect URI
         $clientDetails = self::getStorage('client')->getClient($authParams['client_id'], null, $authParams['redirect_uri']);
 
@@ -285,7 +321,7 @@ class AuthServer
             if ($scopes[$i] === '') unset($scopes[$i]); // Remove any junk scopes
         }
 
-        if (count($scopes) === 0) {
+        if ($this->requireScopeParam === true && count($scopes) === 0) {
             throw new Exception\ClientException(sprintf(self::$exceptionMessages['invalid_request'], 'scope'), 0);
         }
 

src/OAuth2/Storage/SessionInterface.php

@@ -105,25 +105,6 @@ interface SessionInterface
      *  redirect_uri = $redirectUri AND auth_code = $authCode
      * </code>
      *
-     * Response:
-     *
-     * <code>
-     * Array
-     * (
-     *     [id] => (int) The session ID
-     *     [client_id] => (string) The client ID
-     *     [redirect_uri] => (string) The redirect URI
-     *     [owner_type] => (string) The session owner type
-     *     [owner_id] => (string) The session owner's ID
-     *     [auth_code] => (string) The authorisation code
-     *     [stage] => (string) The session's stage
-     *     [first_requested] => (int) Unix timestamp of the time the session was
-     *      first generated
-     *     [last_updated] => (int) Unix timestamp of the time the session was
-     *      last updated
-     * )
-     * </code>
-     *
      * @param  string     $clientId    The client ID
      * @param  string     $redirectUri The redirect URI
      * @param  string     $authCode    The authorisation code
@@ -201,7 +182,12 @@ interface SessionInterface
      * @param  int    $accessTokenExpires    The UNIX timestamp of when the new token expires
      * @return void
      */
-    public function updateRefreshToken($sessionId, $newAccessToken, $newRefreshToken, $accessTokenExpires);
+    public function updateRefreshToken(
+        $sessionId,
+        $newAccessToken,
+        $newRefreshToken,
+        $accessTokenExpires
+    );
 
     /**
      * Associates a session with a scope
@@ -225,10 +211,9 @@ interface SessionInterface
      * Example SQL query:
      *
      * <code>
-     * SELECT oauth_scopes.scope, oauth_scopes.name, oauth_scopes.description
-     *  FROM oauth_session_scopes JOIN oauth_scopes ON
-     *  oauth_session_scopes.scope = oauth_scopes.scope
-     *  WHERE access_token = $accessToken
+     * SELECT oauth_scopes.scope FROM oauth_session_scopes JOIN oauth_scopes ON
+     *  oauth_session_scopes.scope_id = oauth_scopes.id WHERE
+     *  session_id = $sessionId
      * </code>
      *
      * Response:
@@ -236,17 +221,16 @@ interface SessionInterface
      * <code>
      * Array
      * (
-     *     [0] => Array
-     *         (
-     *             [scope] => (string) The scope
-     *             [name] => (string) The scope's name
-     *             [description] => (string) The scope's description
-     *         )
+     *     [0] => (string) The scope
+     *     [1] => (string) The scope
+     *     [2] => (string) The scope
+     *     ...
+     *     ...
      * )
      * </code>
      *
-     * @param  string $accessToken The access token
+     * @param  int   $sessionId The session ID
      * @return array
      */
-    public function getScopes($accessToken);
+    public function getScopes($sessionId);
 }

tests/authorization/AuthServerTest.php

@@ -2,7 +2,7 @@
 
 use \Mockery as m;
 
-class Authentication_Server_test extends PHPUnit_Framework_TestCase
+class Authorization_Server_test extends PHPUnit_Framework_TestCase
 {
     private $client;
     private $session;
@@ -89,6 +89,32 @@ class Authentication_Server_test extends PHPUnit_Framework_TestCase
         $this->assertEquals(';', $a->getScopeDelimeter());
     }
 
+    public function test_requireScopeParam()
+    {
+        $a = $this->returnDefault();
+        $a->requireScopeParam(false);
+
+        $reflector = new ReflectionClass($a);
+        $requestProperty = $reflector->getProperty('requireScopeParam');
+        $requestProperty->setAccessible(true);
+        $v = $requestProperty->getValue($a);
+
+        $this->assertFalse($v);
+    }
+
+    public function test_requireStateParam()
+    {
+        $a = $this->returnDefault();
+        $a->requireStateParam(true);
+
+        $reflector = new ReflectionClass($a);
+        $requestProperty = $reflector->getProperty('requireStateParam');
+        $requestProperty->setAccessible(true);
+        $v = $requestProperty->getValue($a);
+
+        $this->assertTrue($v);
+    }
+
     public function test_getExpiresIn()
     {
         $a = $this->returnDefault();
@@ -284,7 +310,8 @@ class Authentication_Server_test extends PHPUnit_Framework_TestCase
             'client_id' =>  1234,
             'redirect_uri'  =>  'http://foo/redirect',
             'response_type' =>  'code',
-            'scope' =>  'foo'
+            'scope' =>  'foo',
+            'state' =>  'xyz'
         ));
 
         $this->assertEquals(array(
@@ -305,7 +332,8 @@ class Authentication_Server_test extends PHPUnit_Framework_TestCase
                     'description'   =>  'Foo Name Description'
                 )
             ),
-            'scope' =>  'foo'
+            'scope' =>  'foo',
+            'state' =>  'xyz'
         ), $v);
     }
 
@@ -332,6 +360,7 @@ class Authentication_Server_test extends PHPUnit_Framework_TestCase
         $_GET['redirect_uri'] = 'http://foo/redirect';
         $_GET['response_type'] = 'code';
         $_GET['scope'] = 'foo';
+        $_GET['state'] = 'xyz';
 
         $request = new OAuth2\Util\Request($_GET);
         $a->setRequest($request);
@@ -356,7 +385,8 @@ class Authentication_Server_test extends PHPUnit_Framework_TestCase
                     'description'   =>  'Foo Name Description'
                 )
             ),
-            'scope' =>  'foo'
+            'scope' =>  'foo',
+            'state' =>  'xyz'
         ), $v);
     }