openinfra
/
openstackid
Code Issues Proposed changes
openstackid/app/libs/OAuth2/GrantTypes/RefreshBearerTokenGrantType...

216 lines
7.0 KiB
PHP
Raw Blame History

<?php namespace OAuth2\GrantTypes;
/**
* Copyright 2016 OpenStack Foundation
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
* http://www.apache.org/licenses/LICENSE-2.0
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
**/
use Exception;
use OAuth2\Exceptions\InvalidApplicationType;
use OAuth2\Exceptions\InvalidGrantTypeException;
use OAuth2\Exceptions\InvalidOAuth2Request;
use OAuth2\Exceptions\UseRefreshTokenException;
use OAuth2\Models\IClient;
use OAuth2\Repositories\IClientRepository;
use OAuth2\Services\ITokenService;
use OAuth2\OAuth2Protocol;
use OAuth2\Requests\OAuth2RefreshAccessTokenRequest;
use OAuth2\Requests\OAuth2Request;
use OAuth2\Requests\OAuth2TokenRequest;
use OAuth2\Responses\OAuth2AccessTokenResponse;
use OAuth2\Responses\OAuth2Response;
use OAuth2\Services\IClientService;
use Utils\Services\ILogService;
/**
* Class RefreshBearerTokenGrantType
* @see http://tools.ietf.org/html/rfc6749#section-6
* @package OAuth2\GrantTypes
*/
final class RefreshBearerTokenGrantType extends AbstractGrantType
{
/**
* RefreshBearerTokenGrantType constructor.
* @param IClientService $client_service
* @param IClientRepository $client_repository
* @param ITokenService $token_service
* @param ILogService $log_service
*/
public function __construct
(
IClientService $client_service,
IClientRepository $client_repository,
ITokenService $token_service,
ILogService $log_service
)
{
parent::__construct($client_service, $client_repository, $token_service, $log_service);
}
/**
* @param OAuth2Request $request
* @return bool
*/
public function canHandle(OAuth2Request $request)
{
return
$request instanceof OAuth2TokenRequest &&
$request->isValid() &&
$request->getGrantType() == $this->getType();
}
/** Not implemented , there is no first process phase on this grant type
* @param OAuth2Request $request
* @return mixed|void
* @throws Exception
*/
public function handle(OAuth2Request $request)
{
throw new InvalidOAuth2Request('not implemented!');
}
/**
* Access Token issuance using a refresh token
* The authorization server MUST:
* o require client authentication for confidential clients or for any
* client that was issued client credentials (or with other
* authentication requirements),
* o authenticate the client if client authentication is included and
* ensure that the refresh token was issued to the authenticated
* client, and
* o validate the refresh token.
* @param OAuth2Request $request
* @return OAuth2Response
* @throws UseRefreshTokenException
* @throws InvalidOAuth2Request
* @throws InvalidApplicationType
* @throws InvalidGrantTypeException
*/
public function completeFlow(OAuth2Request $request)
{
if (!($request instanceof OAuth2RefreshAccessTokenRequest)) {
throw new InvalidOAuth2Request;
}
parent::completeFlow($request);
if (!$this->current_client->canRequestRefreshTokens()) {
throw new InvalidApplicationType
(
sprintf
(
'client id %s client type must be %s or %s or support PKCE',
$this->client_auth_context->getId(),
IClient::ApplicationType_Web_App,
IClient::ApplicationType_Native
)
);
}
if (!$this->current_client->useRefreshToken()) {
throw new UseRefreshTokenException
(
sprintf
(
"current client id %s could not use refresh tokens",
$this->client_auth_context->getId()
)
);
}
$refresh_token_value = $request->getRefreshToken();
$scope = $request->getScope();
$refresh_token = $this->token_service->getRefreshToken($refresh_token_value);
if (is_null($refresh_token)) {
throw new InvalidGrantTypeException
(
sprintf
(
"refresh token %s does not exists!",
$refresh_token_value
)
);
}
if ($refresh_token->getClientId() !== $this->current_client->getClientId()) {
throw new InvalidGrantTypeException
(
sprintf
(
"refresh token %s does not belongs to client %s",
$refresh_token_value, $this->current_client->getClientId()
)
);
}
$new_refresh_token = null;
$access_token = $this->token_service->createAccessTokenFromRefreshToken($refresh_token, $scope);
/*
* the authorization server could employ refresh token
* rotation in which a new refresh token is issued with every access
* token refresh response. The previous refresh token is invalidated
* but retained by the authorization server. If a refresh token is
* compromised and subsequently used by both the attacker and the
* legitimate client, one of them will present an invalidated refresh
* token, which will inform the authorization server of the breach.
*/
if ($this->current_client->useRotateRefreshTokenPolicy()) {
$this->token_service->invalidateRefreshToken($refresh_token_value);
$new_refresh_token = $this->token_service->createRefreshToken($access_token, true);
}
$response = new OAuth2AccessTokenResponse
(
$access_token->getValue(),
$access_token->getLifetime(),
!is_null($new_refresh_token) ? $new_refresh_token->getValue() : null,
$scope
);
return $response;
}
/**
* @return string
*/
public function getType()
{
return OAuth2Protocol::OAuth2Protocol_GrantType_RefreshToken;
}
/**
* @return array
* @throws InvalidOAuth2Request
*/
public function getResponseType()
{
throw new InvalidOAuth2Request('not implemented!');
}
/**
* @param OAuth2Request $request
* @return null|OAuth2Response
*/
public function buildTokenRequest(OAuth2Request $request)
{
if ($request instanceof OAuth2TokenRequest) {
if ($request->getGrantType() !== $this->getType()) {
return null;
}
return new OAuth2RefreshAccessTokenRequest($request->getMessage());
}
return null;
}
}
View Git Blame Copy Permalink