1 : <?php
2 : require_once ROOTPATH . '/library/oauth2/lib/OAuth2ServerException.php';
3 : require_once ROOTPATH . '/library/oauth2/lib/OAuth2AuthenticateException.php';
4 : require_once ROOTPATH . '/library/oauth2/lib/OAuth2RedirectException.php';
5 :
6 : /**
7 : * @mainpage
8 : * OAuth 2.0 server in PHP, originally written for
9 : * <a href="http://www.opendining.net/"> Open Dining</a>. Supports
10 : * <a href="http://tools.ietf.org/html/draft-ietf-oauth-v2-20">IETF draft v20</a>.
11 : *
12 : * Source repo has sample servers implementations for
13 : * <a href="http://php.net/manual/en/book.pdo.php"> PHP Data Objects</a> and
14 : * <a href="http://www.mongodb.org/">MongoDB</a>. Easily adaptable to other
15 : * storage engines.
16 : *
17 : * PHP Data Objects supports a variety of databases, including MySQL,
18 : * Microsoft SQL Server, SQLite, and Oracle, so you can try out the sample
19 : * to see how it all works.
20 : *
21 : * We're expanding the wiki to include more helpful documentation, but for
22 : * now, your best bet is to view the oauth.php source - it has lots of
23 : * comments.
24 : *
25 : * @author Tim Ridgely <tim.ridgely@gmail.com>
26 : * @author Aaron Parecki <aaron@parecki.com>
27 : * @author Edison Wong <hswong3i@pantarei-design.com>
28 : * @author David Rochwerger <catch.dave@gmail.com>
29 : *
30 : * @see http://code.google.com/p/oauth2-php/
31 : * @see https://github.com/quizlet/oauth2-php
32 : */
33 :
34 : /**
35 : * OAuth2.0 draft v20 server-side implementation.
36 : *
37 : * @todo Add support for Message Authentication Code (MAC) token type.
38 : *
39 : * @author Originally written by Tim Ridgely <tim.ridgely@gmail.com>.
40 : * @author Updated to draft v10 by Aaron Parecki <aaron@parecki.com>.
41 : * @author Debug, coding style clean up and documented by Edison Wong <hswong3i@pantarei-design.com>.
42 : * @author Refactored (including separating from raw POST/GET) and updated to draft v20 by David Rochwerger <catch.dave@gmail.com>.
43 : */
44 : class OAuth2 {
45 :
46 : /**
47 : * Array of persistent variables stored.
48 : */
49 : protected $conf = array();
50 :
51 : /**
52 : * Storage engine for authentication server
53 : *
54 : * @var IOAuth2Storage
55 : */
56 : protected $storage;
57 :
58 : /**
59 : * Keep track of the old refresh token. So we can unset
60 : * the old refresh tokens when a new one is issued.
61 : *
62 : * @var string
63 : */
64 : protected $oldRefreshToken;
65 :
66 : /**
67 : * Default values for configuration options.
68 : *
69 : * @var int
70 : * @see OAuth2::setDefaultOptions()
71 : */
72 : const DEFAULT_ACCESS_TOKEN_LIFETIME = 3600;
73 : const DEFAULT_REFRESH_TOKEN_LIFETIME = 1209600;
74 : const DEFAULT_AUTH_CODE_LIFETIME = 3600;
75 : const DEFAULT_WWW_REALM = 'Service';
76 :
77 : /**
78 : * Configurable options.
79 : *
80 : * @var string
81 : */
82 : const CONFIG_ACCESS_LIFETIME = 3600; // The lifetime of access token in seconds.
83 : const CONFIG_REFRESH_LIFETIME = 3600; // The lifetime of refresh token in seconds.
84 : const CONFIG_AUTH_LIFETIME = 3600; // The lifetime of auth code in seconds.
85 : const CONFIG_SUPPORTED_SCOPES = 'supported_scopes'; // Array of scopes you want to support
86 : const CONFIG_TOKEN_TYPE = 'token_type'; // Token type to respond with. Currently only "Bearer" supported.
87 : const CONFIG_WWW_REALM = 'realm';
88 : const CONFIG_ENFORCE_INPUT_REDIRECT = 'enforce_redirect'; // Set to true to enforce redirect_uri on input for both authorize and token steps.
89 : const CONFIG_ENFORCE_STATE = 'enforce_state'; // Set to true to enforce state to be passed in authorization (see http://tools.ietf.org/html/draft-ietf-oauth-v2-21#section-10.12)
90 :
91 :
92 : /**
93 : * Regex to filter out the client identifier (described in Section 2 of IETF draft).
94 : *
95 : * IETF draft does not prescribe a format for these, however I've arbitrarily
96 : * chosen alphanumeric strings with hyphens and underscores, 3-32 characters
97 : * long.
98 : *
99 : * Feel free to change.
100 : */
101 : const CLIENT_ID_REGEXP = '/^[a-z0-9-_]{3,32}$/i';
102 :
103 : /**
104 : * @defgroup oauth2_section_5 Accessing a Protected Resource
105 : * @{
106 : *
107 : * Clients access protected resources by presenting an access token to
108 : * the resource server. Access tokens act as bearer tokens, where the
109 : * token string acts as a shared symmetric secret. This requires
110 : * treating the access token with the same care as other secrets (e.g.
111 : * end-user passwords). Access tokens SHOULD NOT be sent in the clear
112 : * over an insecure channel.
113 : *
114 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-7
115 : */
116 :
117 : /**
118 : * Used to define the name of the OAuth access token parameter
119 : * (POST & GET). This is for the "bearer" token type.
120 : * Other token types may use different methods and names.
121 : *
122 : * IETF Draft section 2 specifies that it should be called "access_token"
123 : *
124 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-06#section-2.2
125 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-06#section-2.3
126 : */
127 : const TOKEN_PARAM_NAME = 'access_token';
128 :
129 : /**
130 : * When using the bearer token type, there is a specifc Authorization header
131 : * required: "Bearer"
132 : *
133 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-04#section-2.1
134 : */
135 : const TOKEN_BEARER_HEADER_NAME = 'Bearer';
136 :
137 : /**
138 : * @}
139 : */
140 :
141 : /**
142 : * @defgroup oauth2_section_4 Obtaining Authorization
143 : * @{
144 : *
145 : * When the client interacts with an end-user, the end-user MUST first
146 : * grant the client authorization to access its protected resources.
147 : * Once obtained, the end-user authorization grant is expressed as an
148 : * authorization code which the client uses to obtain an access token.
149 : * To obtain an end-user authorization, the client sends the end-user to
150 : * the end-user authorization endpoint.
151 : *
152 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4
153 : */
154 :
155 : /**
156 : * List of possible authentication response types.
157 : * The "authorization_code" mechanism exclusively supports 'code'
158 : * and the "implicit" mechanism exclusively supports 'token'.
159 : *
160 : * @var string
161 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.1.1
162 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.2.1
163 : */
164 : const RESPONSE_TYPE_AUTH_CODE = 'code';
165 : const RESPONSE_TYPE_ACCESS_TOKEN = 'token';
166 :
167 : /**
168 : * @}
169 : */
170 :
171 : /**
172 : * @defgroup oauth2_section_5 Obtaining an Access Token
173 : * @{
174 : *
175 : * The client obtains an access token by authenticating with the
176 : * authorization server and presenting its authorization grant (in the form of
177 : * an authorization code, resource owner credentials, an assertion, or a
178 : * refresh token).
179 : *
180 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4
181 : */
182 :
183 : /**
184 : * Grant types support by draft 20
185 : */
186 : const GRANT_TYPE_AUTH_CODE = 'authorization_code';
187 : const GRANT_TYPE_IMPLICIT = 'token';
188 : const GRANT_TYPE_USER_CREDENTIALS = 'password';
189 : const GRANT_TYPE_CLIENT_CREDENTIALS = 'client_credentials';
190 : const GRANT_TYPE_REFRESH_TOKEN = 'refresh_token';
191 : const GRANT_TYPE_EXTENSIONS = 'extensions';
192 :
193 : /**
194 : * Regex to filter out the grant type.
195 : * NB: For extensibility, the grant type can be a URI
196 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.5
197 : */
198 : const GRANT_TYPE_REGEXP = '#^(authorization_code|token|password|client_credentials|refresh_token|http://.*)$#';
199 :
200 : /**
201 : * @}
202 : */
203 :
204 : /**
205 : * Possible token types as defined by draft 20.
206 : *
207 : * TODO: Add support for mac (and maybe other types?)
208 : *
209 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-7.1
210 : */
211 : const TOKEN_TYPE_BEARER = 'bearer';
212 : const TOKEN_TYPE_MAC = 'mac'; // Currently unsupported
213 :
214 :
215 : /**
216 : * @defgroup self::HTTP_status HTTP status code
217 : * @{
218 : */
219 :
220 : /**
221 : * HTTP status codes for successful and error states as specified by draft 20.
222 : *
223 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.1.2
224 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-5.2
225 : */
226 : const HTTP_FOUND = '302 Found';
227 : const HTTP_BAD_REQUEST = '400 Bad Request';
228 : const HTTP_UNAUTHORIZED = '401 Unauthorized';
229 : const HTTP_FORBIDDEN = '403 Forbidden';
230 : const HTTP_UNAVAILABLE = '503 Service Unavailable';
231 :
232 : /**
233 : * @}
234 : */
235 :
236 : /**
237 : * @defgroup oauth2_error Error handling
238 : * @{
239 : *
240 : * @todo Extend for i18n.
241 : * @todo Consider moving all error related functionality into a separate class.
242 : */
243 :
244 : /**
245 : * The request is missing a required parameter, includes an unsupported
246 : * parameter or parameter value, or is otherwise malformed.
247 : *
248 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.1.2.1
249 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.2.2.1
250 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-5.2
251 : */
252 : const ERROR_INVALID_REQUEST = 'invalid_request';
253 :
254 : /**
255 : * The client identifier provided is invalid.
256 : *
257 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-5.2
258 : */
259 : const ERROR_INVALID_CLIENT = 'invalid_client';
260 :
261 : /**
262 : * The client is not authorized to use the requested response type.
263 : *
264 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.1.2.1
265 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.2.2.1
266 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-5.2
267 : */
268 : const ERROR_UNAUTHORIZED_CLIENT = 'unauthorized_client';
269 :
270 : /**
271 : * The redirection URI provided does not match a pre-registered value.
272 : *
273 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-3.1.2.4
274 : */
275 : const ERROR_REDIRECT_URI_MISMATCH = 'redirect_uri_mismatch';
276 :
277 : /**
278 : * The end-user or authorization server denied the request.
279 : * This could be returned, for example, if the resource owner decides to reject
280 : * access to the client at a later point.
281 : *
282 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.1.2.1
283 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.2.2.1
284 : */
285 : const ERROR_USER_DENIED = 'access_denied';
286 :
287 : /**
288 : * The requested response type is not supported by the authorization server.
289 : *
290 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.1.2.1
291 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.2.2.1
292 : */
293 : const ERROR_UNSUPPORTED_RESPONSE_TYPE = 'unsupported_response_type';
294 :
295 : /**
296 : * The requested scope is invalid, unknown, or malformed.
297 : *
298 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.1.2.1
299 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.2.2.1
300 : */
301 : const ERROR_INVALID_SCOPE = 'invalid_scope';
302 :
303 : /**
304 : * The provided authorization grant is invalid, expired,
305 : * revoked, does not match the redirection URI used in the
306 : * authorization request, or was issued to another client.
307 : *
308 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-5.2
309 : */
310 : const ERROR_INVALID_GRANT = 'invalid_grant';
311 :
312 : /**
313 : * The authorization grant is not supported by the authorization server.
314 : *
315 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-5.2
316 : */
317 : const ERROR_UNSUPPORTED_GRANT_TYPE = 'unsupported_grant_type';
318 :
319 : /**
320 : * The request requires higher privileges than provided by the access token.
321 : * The resource server SHOULD respond with the HTTP 403 (Forbidden) status
322 : * code and MAY include the "scope" attribute with the scope necessary to
323 : * access the protected resource.
324 : *
325 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.1.2.1
326 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.2.2.1
327 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-5.2
328 : */
329 : const ERROR_INSUFFICIENT_SCOPE = 'invalid_scope';
330 :
331 : /**
332 : * @}
333 : */
334 :
335 : /**
336 : * Creates an OAuth2.0 server-side instance.
337 : *
338 : * @param $config - An associative array as below of config options. See CONFIG_* constants.
339 : */
340 : public function __construct(IOAuth2Storage $storage, $config = array()) {
341 0 : $this->storage = $storage;
342 :
343 : // Configuration options
344 0 : $this->setDefaultOptions();
345 0 : foreach ( $config as $name => $value ) {
346 0 : $this->setVariable($name, $value);
347 0 : }
348 0 : }
349 :
350 : /**
351 : * Default configuration options are specified here.
352 : */
353 : protected function setDefaultOptions() {
354 0 : $this->conf = array(
355 0 : self::CONFIG_ACCESS_LIFETIME => self::DEFAULT_ACCESS_TOKEN_LIFETIME,
356 0 : self::CONFIG_REFRESH_LIFETIME => self::DEFAULT_REFRESH_TOKEN_LIFETIME,
357 0 : self::CONFIG_AUTH_LIFETIME => self::DEFAULT_AUTH_CODE_LIFETIME,
358 0 : self::CONFIG_WWW_REALM => self::DEFAULT_WWW_REALM,
359 0 : self::CONFIG_TOKEN_TYPE => self::TOKEN_TYPE_BEARER,
360 0 : self::CONFIG_ENFORCE_INPUT_REDIRECT => FALSE,
361 0 : self::CONFIG_ENFORCE_STATE => FALSE,
362 0 : self::CONFIG_SUPPORTED_SCOPES => array() // This is expected to be passed in on construction. Scopes can be an aribitrary string.
363 0 : );
364 0 : }
365 :
366 : /**
367 : * Returns a persistent variable.
368 : *
369 : * @param $name
370 : * The name of the variable to return.
371 : * @param $default
372 : * The default value to use if this variable has never been set.
373 : *
374 : * @return
375 : * The value of the variable.
376 : */
377 : public function getVariable($name, $default = NULL) {
378 0 : $name = strtolower($name);
379 :
380 0 : return isset($this->conf[$name]) ? $this->conf[$name] : $default;
381 : }
382 :
383 : /**
384 : * Sets a persistent variable.
385 : *
386 : * @param $name
387 : * The name of the variable to set.
388 : * @param $value
389 : * The value to set.
390 : */
391 : public function setVariable($name, $value) {
392 0 : $name = strtolower($name);
393 :
394 0 : $this->conf[$name] = $value;
395 0 : return $this;
396 : }
397 :
398 : // Resource protecting (Section 5).
399 :
400 :
401 : /**
402 : * Check that a valid access token has been provided.
403 : * The token is returned (as an associative array) if valid.
404 : *
405 : * The scope parameter defines any required scope that the token must have.
406 : * If a scope param is provided and the token does not have the required
407 : * scope, we bounce the request.
408 : *
409 : * Some implementations may choose to return a subset of the protected
410 : * resource (i.e. "public" data) if the user has not provided an access
411 : * token or if the access token is invalid or expired.
412 : *
413 : * The IETF spec says that we should send a 401 Unauthorized header and
414 : * bail immediately so that's what the defaults are set to. You can catch
415 : * the exception thrown and behave differently if you like (log errors, allow
416 : * public access for missing tokens, etc)
417 : *
418 : * @param $scope
419 : * A space-separated string of required scope(s), if you want to check
420 : * for scope.
421 : * @return array
422 : * Token
423 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-7
424 : *
425 : * @ingroup oauth2_section_7
426 : */
427 : public function verifyAccessToken($token_param, $scope = NULL) {
428 0 : $tokenType = $this->getVariable(self::CONFIG_TOKEN_TYPE);
429 0 : $realm = $this->getVariable(self::CONFIG_WWW_REALM);
430 :
431 0 : if (!$token_param) { // Access token was not provided
432 0 : throw new OAuth2AuthenticateException(self::HTTP_BAD_REQUEST, $tokenType, $realm, self::ERROR_INVALID_REQUEST, 'The request is missing a required parameter, includes an unsupported parameter or parameter value, repeats the same parameter, uses more than one method for including an access token, or is otherwise malformed.', $scope);
433 : }
434 :
435 : // Get the stored token data (from the implementing subclass)
436 0 : $token = $this->storage->getAccessToken($token_param);
437 0 : if ($token === NULL) {
438 0 : throw new OAuth2AuthenticateException(self::HTTP_UNAUTHORIZED, $tokenType, $realm, self::ERROR_INVALID_GRANT, 'The access token provided is invalid.', $scope);
439 : }
440 :
441 : // Check we have a well formed token
442 0 : if (!isset($token["expires"]) || !isset($token["client_id"])) {
443 0 : throw new OAuth2AuthenticateException(self::HTTP_UNAUTHORIZED, $tokenType, $realm, self::ERROR_INVALID_GRANT, 'Malformed token (missing "expires" or "client_id")', $scope);
444 : }
445 :
446 : // Check token expiration (expires is a mandatory paramter)
447 0 : if (isset($token["expires"]) && time() > $token["expires"]) {
448 0 : throw new OAuth2AuthenticateException(self::HTTP_UNAUTHORIZED, $tokenType, $realm, self::ERROR_INVALID_GRANT, 'The access token provided has expired.', $scope);
449 : }
450 :
451 : // Check scope, if provided
452 : // If token doesn't have a scope, it's NULL/empty, or it's insufficient, then throw an error
453 0 : if ($scope && (!isset($token["scope"]) || !$token["scope"] || !$this->checkScope($scope, $token["scope"]))) {
454 0 : throw new OAuth2AuthenticateException(self::HTTP_FORBIDDEN, $tokenType, $realm, self::ERROR_INSUFFICIENT_SCOPE, 'The request requires higher privileges than provided by the access token.', $scope);
455 : }
456 :
457 :
458 :
459 0 : session_write_close(); //Fecha session anterior
460 0 : session_id($token['refresh_token']); //Define o id da session o mesmo do resfresh token
461 0 : session_start();
462 :
463 0 : return $token;
464 : }
465 :
466 : /**
467 : * This is a convenience function that can be used to get the token, which can then
468 : * be passed to verifyAccessToken(). The constraints specified by the draft are
469 : * attempted to be adheared to in this method.
470 : *
471 : * As per the Bearer spec (draft 8, section 2) - there are three ways for a client
472 : * to specify the bearer token, in order of preference: Authorization Header,
473 : * POST and GET.
474 : *
475 : * NB: Resource servers MUST accept tokens via the Authorization scheme
476 : * (http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-08#section-2).
477 : *
478 : * @todo Should we enforce TLS/SSL in this function?
479 : *
480 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-08#section-2.1
481 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-08#section-2.2
482 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-08#section-2.3
483 : *
484 : * Old Android version bug (at least with version 2.2)
485 : * @see http://code.google.com/p/android/issues/detail?id=6684
486 : *
487 : * We don't want to test this functionality as it relies on superglobals and headers:
488 : * @codeCoverageIgnoreStart
489 : */
490 : public function getBearerToken() {
491 :
492 : if (isset($_SERVER['HTTP_AUTHORIZATION'])) {
493 : $headers = trim($_SERVER["HTTP_AUTHORIZATION"]);
494 : } elseif (function_exists('apache_request_headers')) {
495 : $requestHeaders = apache_request_headers();
496 :
497 : // Server-side fix for bug in old Android versions (a nice side-effect of this fix means we don't care about capitalization for Authorization)
498 : $requestHeaders = array_combine(array_map('ucwords', array_keys($requestHeaders)), array_values($requestHeaders));
499 :
500 : if (isset($requestHeaders['Authorization'])) {
501 : $headers = trim($requestHeaders['Authorization']);
502 : }
503 : }
504 :
505 : $tokenType = $this->getVariable(self::CONFIG_TOKEN_TYPE);
506 : $realm = $this->getVariable(self::CONFIG_WWW_REALM);
507 : // Check that exactly one method was used
508 : $methodsUsed = !empty($headers) + isset($_GET[self::TOKEN_PARAM_NAME]) + isset($_POST[self::TOKEN_PARAM_NAME]);
509 : if ($methodsUsed > 1) {
510 : throw new OAuth2AuthenticateException(self::HTTP_BAD_REQUEST, $tokenType, $realm, self::ERROR_INVALID_REQUEST, 'Only one method may be used to authenticate at a time (Auth header, GET or POST).');
511 : } elseif ($methodsUsed == 0) {
512 : throw new OAuth2AuthenticateException(self::HTTP_BAD_REQUEST, $tokenType, $realm, self::ERROR_INVALID_REQUEST, 'The access token was not found.');
513 : }
514 :
515 : // HEADER: Get the access token from the header
516 : if (!empty($headers)) {
517 : if (!preg_match('/' . self::TOKEN_BEARER_HEADER_NAME . '\s(\S+)/', $headers, $matches)) {
518 : throw new OAuth2AuthenticateException(self::HTTP_BAD_REQUEST, $tokenType, $realm, self::ERROR_INVALID_REQUEST, 'Malformed auth header');
519 : }
520 :
521 : return $matches[1];
522 : }
523 : // POST: Get the token from POST data
524 : if (isset($_POST[self::TOKEN_PARAM_NAME])) {
525 : if ($_SERVER['REQUEST_METHOD'] != 'POST') {
526 : throw new OAuth2AuthenticateException(self::HTTP_BAD_REQUEST, $tokenType, $realm, self::ERROR_INVALID_REQUEST, 'When putting the token in the body, the method must be POST.');
527 : }
528 :
529 : // IETF specifies content-type. NB: Not all webservers populate this _SERVER variable
530 : if (isset($_SERVER['CONTENT_TYPE']) && $_SERVER['CONTENT_TYPE'] != 'application/x-www-form-urlencoded') {
531 : throw new OAuth2AuthenticateException(self::HTTP_BAD_REQUEST, $tokenType, $realm, self::ERROR_INVALID_REQUEST, 'The content type for POST requests must be "application/x-www-form-urlencoded"');
532 : }
533 :
534 : return $_POST[self::TOKEN_PARAM_NAME];
535 : }
536 :
537 : // GET method
538 : return $_GET[self::TOKEN_PARAM_NAME];
539 : }
540 :
541 : /** @codeCoverageIgnoreEnd */
542 :
543 : /**
544 : * Check if everything in required scope is contained in available scope.
545 : *
546 : * @param $required_scope
547 : * Required scope to be check with.
548 : *
549 : * @return
550 : * TRUE if everything in required scope is contained in available scope,
551 : * and False if it isn't.
552 : *
553 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-7
554 : *
555 : * @ingroup oauth2_section_7
556 : */
557 : private function checkScope($required_scope, $available_scope) {
558 : // The required scope should match or be a subset of the available scope
559 0 : if (!is_array($required_scope)) {
560 0 : $required_scope = explode(' ', trim($required_scope));
561 0 : }
562 :
563 0 : if (!is_array($available_scope)) {
564 0 : $available_scope = explode(' ', trim($available_scope));
565 0 : }
566 :
567 0 : return (count(array_diff($required_scope, $available_scope)) == 0);
568 : }
569 :
570 : // Access token granting (Section 4).
571 :
572 :
573 : /**
574 : * Grant or deny a requested access token.
575 : * This would be called from the "/token" endpoint as defined in the spec.
576 : * Obviously, you can call your endpoint whatever you want.
577 : *
578 : * @param $inputData - The draft specifies that the parameters should be
579 : * retrieved from POST, but you can override to whatever method you like.
580 : * @throws OAuth2ServerException
581 : *
582 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4
583 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-21#section-10.6
584 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-21#section-4.1.3
585 : *
586 : * @ingroup oauth2_section_4
587 : */
588 : //ORIGINAL URI
589 : // public function grantAccessToken(array $inputData = NULL, array $authHeaders = NULL) {
590 : // $filters = array(
591 : // "grant_type" => array("filter" => FILTER_VALIDATE_REGEXP, "options" => array("regexp" => self::GRANT_TYPE_REGEXP), "flags" => FILTER_REQUIRE_SCALAR),
592 : // "scope" => array("flags" => FILTER_REQUIRE_SCALAR),
593 : // "code" => array("flags" => FILTER_REQUIRE_SCALAR),
594 : // "redirect_uri" => array("filter" => FILTER_SANITIZE_URL),
595 : // "username" => array("flags" => FILTER_REQUIRE_SCALAR),
596 : // "password" => array("flags" => FILTER_REQUIRE_SCALAR),
597 : // "refresh_token" => array("flags" => FILTER_REQUIRE_SCALAR),
598 : // );
599 : //
600 : // // Input data by default can be either POST or GET
601 : // if (!isset($inputData)) {
602 : // $inputData = ($_SERVER['REQUEST_METHOD'] == 'POST') ? $_POST : $_GET;
603 : // }
604 : //
605 : // // Basic authorization header
606 : // $authHeaders = isset($authHeaders) ? $authHeaders : $this->getAuthorizationHeader();
607 : //
608 : //
609 : //
610 : // // Filter input data
611 : // $input = filter_var_array($inputData, $filters);
612 : //
613 : //
614 : //
615 : // // Grant Type must be specified.
616 : // if (!$input["grant_type"]) {
617 : // throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_REQUEST, 'Invalid grant_type parameter or parameter missing');
618 : // }
619 : //
620 : // // Authorize the client
621 : // $client = $this->getClientCredentials($inputData, $authHeaders);
622 : //
623 : // if ($this->storage->checkClientCredentials($client[0], $client[1]) === FALSE) {
624 : // throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_CLIENT, 'The client credentials are invalid');
625 : // }
626 : //
627 : // if (!$this->storage->checkRestrictedGrantType($client[0], $input["grant_type"])) {
628 : // throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_UNAUTHORIZED_CLIENT, 'The grant type is unauthorized for this client_id');
629 : // }
630 : //
631 : // // Do the granting
632 : // //
633 : // switch ($input["grant_type"]) {
634 : // case self::GRANT_TYPE_AUTH_CODE:
635 : // if (!($this->storage instanceof IOAuth2GrantCode)) {
636 : // throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_UNSUPPORTED_GRANT_TYPE);
637 : // }
638 : //
639 : // if (!$input["code"]) {
640 : // throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_REQUEST, 'Missing parameter. "code" is required');
641 : // }
642 : //
643 : // if ($this->getVariable(self::CONFIG_ENFORCE_INPUT_REDIRECT) && !$input["redirect_uri"]) {
644 : // throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_REQUEST, "The redirect URI parameter is required.");
645 : // }
646 : //
647 : // $stored = $this->storage->getAuthCode($input["code"]);
648 : //
649 : // // Check the code exists
650 : // if ($stored === NULL || $client[0] != $stored["client_id"]) {
651 : // throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_GRANT, "Refresh token doesn't exist or is invalid for the client");
652 : // }
653 : //
654 : // // Validate the redirect URI. If a redirect URI has been provided on input, it must be validated
655 : // if ($input["redirect_uri"] && !$this->validateRedirectUri($input["redirect_uri"], $stored["redirect_uri"])) {
656 : // throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_REDIRECT_URI_MISMATCH, "The redirect URI is missing or do not match");
657 : // }
658 : //
659 : // if ($stored["expires"] < time()) {
660 : // throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_GRANT, "The authorization code has expired");
661 : // }
662 : // break;
663 : //
664 : // case self::GRANT_TYPE_USER_CREDENTIALS:
665 : // if (!($this->storage instanceof IOAuth2GrantUser)) {
666 : // throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_UNSUPPORTED_GRANT_TYPE);
667 : // }
668 : //
669 : // if (!$input["username"] || !$input["password"]) {
670 : // throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_REQUEST, 'Missing parameters. "username" and "password" required');
671 : // }
672 : //
673 : // $stored = $this->storage->checkUserCredentials($client[0], $input["username"], $input["password"]);
674 : //
675 : // if ($stored === FALSE) {
676 : // throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_GRANT);
677 : // }
678 : // break;
679 : //
680 : // case self::GRANT_TYPE_CLIENT_CREDENTIALS:
681 : // if (!($this->storage instanceof IOAuth2GrantClient)) {
682 : // throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_UNSUPPORTED_GRANT_TYPE);
683 : // }
684 : //
685 : // if (empty($client[1])) {
686 : // throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_CLIENT, 'The client_secret is mandatory for the "client_credentials" grant type');
687 : // }
688 : // // NB: We don't need to check for $stored==false, because it was checked above already
689 : // $stored = $this->storage->checkClientCredentialsGrant($client[0], $client[1]);
690 : // break;
691 : //
692 : // case self::GRANT_TYPE_REFRESH_TOKEN:
693 : // if (!($this->storage instanceof IOAuth2RefreshTokens)) {
694 : // throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_UNSUPPORTED_GRANT_TYPE);
695 : // }
696 : //
697 : // if (!$input["refresh_token"]) {
698 : // throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_REQUEST, 'No "refresh_token" parameter found');
699 : // }
700 : //
701 : // $stored = $this->storage->getRefreshToken($input["refresh_token"]);
702 : //
703 : // if ($stored === NULL || $client[0] != $stored["client_id"]) {
704 : // throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_GRANT, 'Invalid refresh token');
705 : // }
706 : //
707 : // if ($stored["expires"] < time()) {
708 : // throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_GRANT, 'Refresh token has expired');
709 : // }
710 : //
711 : // // store the refresh token locally so we can delete it when a new refresh token is generated
712 : // $this->oldRefreshToken = $stored["refresh_token"];
713 : // break;
714 : //
715 : // case self::GRANT_TYPE_IMPLICIT:
716 : // /* TODO: NOT YET IMPLEMENTED */
717 : // throw new OAuth2ServerException('501 Not Implemented', 'This OAuth2 library is not yet complete. This functionality is not implemented yet.');
718 : // if (!($this->storage instanceof IOAuth2GrantImplicit)) {
719 : // throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_UNSUPPORTED_GRANT_TYPE);
720 : // }
721 : //
722 : // break;
723 : //
724 : // // Extended grant types:
725 : // case filter_var($input["grant_type"], FILTER_VALIDATE_URL):
726 : // if (!($this->storage instanceof IOAuth2GrantExtension)) {
727 : // throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_UNSUPPORTED_GRANT_TYPE);
728 : // }
729 : // $uri = filter_var($input["grant_type"], FILTER_VALIDATE_URL);
730 : // $stored = $this->storage->checkGrantExtension($uri, $inputData, $authHeaders);
731 : //
732 : // if ($stored === FALSE) {
733 : // throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_GRANT);
734 : // }
735 : // break;
736 : //
737 : // default :
738 : // throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_REQUEST, 'Invalid grant_type parameter or parameter missing');
739 : // }
740 : //
741 : // if (!isset($stored["scope"])) {
742 : // $stored["scope"] = NULL;
743 : // }
744 : //
745 : // // Check scope, if provided
746 : // if ($input["scope"] && (!is_array($stored) || !isset($stored["scope"]) || !$this->checkScope($input["scope"], $stored["scope"]))) {
747 : // throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_SCOPE, 'An unsupported scope was requested.');
748 : // }
749 : //
750 : // $user_id = isset($stored['user_id']) ? $stored['user_id'] : null;
751 : // $token = $this->createAccessToken($client[0], $user_id, $stored['scope']);
752 : //
753 : //
754 : // // Send response
755 : // $this->sendJsonHeaders();
756 : // echo json_encode($token);
757 : // }
758 :
759 : public function grantAccessToken(array $inputData = NULL, array $authHeaders = NULL) {
760 : $filters = array(
761 0 : "grant_type" => array("filter" => FILTER_VALIDATE_REGEXP, "options" => array("regexp" => self::GRANT_TYPE_REGEXP), "flags" => FILTER_REQUIRE_SCALAR),
762 0 : "scope" => array("flags" => FILTER_REQUIRE_SCALAR),
763 0 : "code" => array("flags" => FILTER_REQUIRE_SCALAR),
764 0 : "redirect_uri" => array("filter" => FILTER_SANITIZE_URL),
765 0 : "username" => array("flags" => FILTER_REQUIRE_SCALAR),
766 0 : "password" => array("flags" => FILTER_REQUIRE_SCALAR),
767 0 : "refresh_token" => array("flags" => FILTER_REQUIRE_SCALAR),
768 0 : );
769 :
770 : // Input data by default can be either POST or GET
771 0 : if (!isset($inputData)) {
772 0 : $inputData = ($_SERVER['REQUEST_METHOD'] == 'POST') ? $_POST : $_GET;
773 0 : }
774 :
775 : // Basic authorization header
776 0 : $authHeaders = isset($authHeaders) ? $authHeaders : $this->getAuthorizationHeader();
777 :
778 :
779 :
780 : // Filter input data
781 0 : $input = filter_var_array($inputData, $filters);
782 :
783 :
784 :
785 : // Grant Type must be specified.
786 0 : if (!$input["grant_type"]) {
787 0 : throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_REQUEST, 'Invalid grant_type parameter or parameter missing');
788 : }
789 :
790 : // Authorize the client
791 0 : $client = $this->getClientCredentials($inputData, $authHeaders);
792 :
793 0 : if ($this->storage->checkClientCredentials($client[0], $client[1]) === FALSE) {
794 0 : throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_CLIENT, 'The client credentials are invalid');
795 : }
796 :
797 0 : if (!$this->storage->checkRestrictedGrantType($client[0], $input["grant_type"])) {
798 0 : throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_UNAUTHORIZED_CLIENT, 'The grant type is unauthorized for this client_id');
799 : }
800 :
801 : // Do the granting
802 : //
803 0 : switch ($input["grant_type"]) {
804 0 : case self::GRANT_TYPE_AUTH_CODE:
805 0 : if (!($this->storage instanceof IOAuth2GrantCode)) {
806 0 : throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_UNSUPPORTED_GRANT_TYPE);
807 : }
808 :
809 0 : if (!$input["code"]) {
810 0 : throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_REQUEST, 'Missing parameter. "code" is required');
811 : }
812 :
813 0 : if ($this->getVariable(self::CONFIG_ENFORCE_INPUT_REDIRECT) && !$input["redirect_uri"]) {
814 0 : throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_REQUEST, "The redirect URI parameter is required.");
815 : }
816 :
817 0 : $stored = $this->storage->getAuthCode($input["code"]);
818 :
819 : // Check the code exists
820 0 : if ($stored === NULL || $client[0] != $stored["client_id"]) {
821 0 : throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_GRANT, "Refresh token doesn't exist or is invalid for the client");
822 : }
823 :
824 : // Validate the redirect URI. If a redirect URI has been provided on input, it must be validated
825 0 : if ($input["redirect_uri"] && !$this->validateRedirectUri($input["redirect_uri"], $stored["redirect_uri"])) {
826 0 : throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_REDIRECT_URI_MISMATCH, "The redirect URI is missing or do not match");
827 : }
828 :
829 0 : if ($stored["expires"] < time()) {
830 0 : throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_GRANT, "The authorization code has expired");
831 : }
832 0 : break;
833 :
834 0 : case self::GRANT_TYPE_USER_CREDENTIALS:
835 0 : if (!($this->storage instanceof IOAuth2GrantUser)) {
836 0 : throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_UNSUPPORTED_GRANT_TYPE);
837 : }
838 :
839 0 : if (!$input["username"] || !$input["password"]) {
840 0 : throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_REQUEST, 'Missing parameters. "username" and "password" required');
841 : }
842 :
843 0 : $stored = $this->storage->checkUserCredentials($client[0], $input["username"], $input["password"]);
844 :
845 0 : if ($stored === FALSE) {
846 0 : throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_GRANT);
847 : }
848 0 : break;
849 :
850 0 : case self::GRANT_TYPE_CLIENT_CREDENTIALS:
851 0 : if (!($this->storage instanceof IOAuth2GrantClient)) {
852 0 : throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_UNSUPPORTED_GRANT_TYPE);
853 : }
854 :
855 0 : if (empty($client[1])) {
856 0 : throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_CLIENT, 'The client_secret is mandatory for the "client_credentials" grant type');
857 : }
858 : // NB: We don't need to check for $stored==false, because it was checked above already
859 0 : $stored = $this->storage->checkClientCredentialsGrant($client[0], $client[1]);
860 0 : break;
861 :
862 0 : case self::GRANT_TYPE_REFRESH_TOKEN:
863 0 : if (!($this->storage instanceof IOAuth2RefreshTokens)) {
864 0 : throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_UNSUPPORTED_GRANT_TYPE);
865 : }
866 :
867 0 : if (!$input["refresh_token"]) {
868 0 : throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_REQUEST, 'No "refresh_token" parameter found');
869 : }
870 :
871 0 : $stored = $this->storage->getRefreshToken($input["refresh_token"]);
872 :
873 0 : if ($stored === NULL || $client[0] != $stored["client_id"]) {
874 0 : throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_GRANT, 'Invalid refresh token');
875 : }
876 :
877 0 : if ($stored["expires"] < time()) {
878 0 : throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_GRANT, 'Refresh token has expired');
879 : }
880 :
881 : // store the refresh token locally so we can delete it when a new refresh token is generated
882 0 : $this->oldRefreshToken = $stored["refresh_token"];
883 :
884 0 : session_write_close(); //Fecha session anterior
885 0 : session_id($stored['refresh_token']); //Define o id da session o mesmo do resfresh token
886 0 : session_start();
887 :
888 0 : break;
889 :
890 0 : case self::GRANT_TYPE_IMPLICIT:
891 : /* TODO: NOT YET IMPLEMENTED */
892 0 : throw new OAuth2ServerException('501 Not Implemented', 'This OAuth2 library is not yet complete. This functionality is not implemented yet.');
893 : if (!($this->storage instanceof IOAuth2GrantImplicit)) {
894 : throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_UNSUPPORTED_GRANT_TYPE);
895 : }
896 :
897 : break;
898 :
899 : // Extended grant types:
900 0 : case filter_var($input["grant_type"], FILTER_VALIDATE_URL):
901 0 : if (!($this->storage instanceof IOAuth2GrantExtension)) {
902 0 : throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_UNSUPPORTED_GRANT_TYPE);
903 : }
904 0 : $uri = filter_var($input["grant_type"], FILTER_VALIDATE_URL);
905 0 : $stored = $this->storage->checkGrantExtension($uri, $inputData, $authHeaders);
906 :
907 0 : if ($stored === FALSE) {
908 0 : throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_GRANT);
909 : }
910 0 : break;
911 :
912 0 : default :
913 0 : throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_REQUEST, 'Invalid grant_type parameter or parameter missing');
914 0 : }
915 :
916 0 : if (!isset($stored["scope"])) {
917 0 : $stored["scope"] = NULL;
918 0 : }
919 :
920 : // Check scope, if provided
921 0 : if ($input["scope"] && (!is_array($stored) || !isset($stored["scope"]) || !$this->checkScope($input["scope"], $stored["scope"]))) {
922 0 : throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_SCOPE, 'An unsupported scope was requested.');
923 : }
924 :
925 0 : $user_id = isset($stored['user_id']) ? $stored['user_id'] : null;
926 0 : $token = $this->createAccessToken($client[0], $user_id, $stored['scope']);
927 :
928 : //Gerando Session Para o refresh_token
929 0 : session_write_close(); //Fecha session anterior
930 0 : session_start();
931 0 : session_id($token['refresh_token']); //Define o id da session o mesmo do resfresh token
932 0 : session_cache_expire(self::CONFIG_REFRESH_LIFETIME); //Define o tempo da session o mesmo do Refresh token
933 :
934 0 : if(isset($input["username"]) && isset($input["password"]))
935 0 : {
936 0 : $_SESSION['wallet']['user']['uid'] = $input["username"];
937 0 : $_SESSION['wallet']['user']['password'] = $input["password"];
938 0 : $_SESSION['wallet']['user']['uidNumber'] = $user_id;
939 0 : }
940 :
941 :
942 :
943 : //session_write_close(); //Fecha nova session
944 :
945 : // Send response
946 0 : $this->sendJsonHeaders();
947 0 : echo json_encode($token);
948 0 : }
949 :
950 : /**
951 : * Internal function used to get the client credentials from HTTP basic
952 : * auth or POST data.
953 : *
954 : * According to the spec (draft 20), the client_id can be provided in
955 : * the Basic Authorization header (recommended) or via GET/POST.
956 : *
957 : * @return
958 : * A list containing the client identifier and password, for example
959 : * @code
960 : * return array(
961 : * CLIENT_ID,
962 : * CLIENT_SECRET
963 : * );
964 : * @endcode
965 : *
966 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-2.4.1
967 : *
968 : * @ingroup oauth2_section_2
969 : */
970 : protected function getClientCredentials(array $inputData, array $authHeaders) {
971 :
972 : // Basic Authentication is used
973 0 : if (!empty($authHeaders['PHP_AUTH_USER'])) {
974 0 : return array($authHeaders['PHP_AUTH_USER'], $authHeaders['PHP_AUTH_PW']);
975 0 : } elseif (empty($inputData['client_id'])) { // No credentials were specified
976 0 : throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_CLIENT, 'Client id was not found in the headers or body');
977 : } else {
978 : // This method is not recommended, but is supported by specification
979 0 : return array($inputData['client_id'], $inputData['client_secret']);
980 : }
981 : }
982 :
983 : // End-user/client Authorization (Section 2 of IETF Draft).
984 :
985 :
986 : /**
987 : * Pull the authorization request data out of the HTTP request.
988 : * - The redirect_uri is OPTIONAL as per draft 20. But your implementation can enforce it
989 : * by setting CONFIG_ENFORCE_INPUT_REDIRECT to true.
990 : * - The state is OPTIONAL but recommended to enforce CSRF. Draft 21 states, however, that
991 : * CSRF protection is MANDATORY. You can enforce this by setting the CONFIG_ENFORCE_STATE to true.
992 : *
993 : * @param $inputData - The draft specifies that the parameters should be
994 : * retrieved from GET, but you can override to whatever method you like.
995 : * @return
996 : * The authorization parameters so the authorization server can prompt
997 : * the user for approval if valid.
998 : *
999 : * @throws OAuth2ServerException
1000 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.1.1
1001 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-21#section-10.12
1002 : *
1003 : * @ingroup oauth2_section_3
1004 : */
1005 : public function getAuthorizeParams(array $inputData = NULL) {
1006 : $filters = array(
1007 0 : "client_id" => array("filter" => FILTER_VALIDATE_REGEXP, "options" => array("regexp" => self::CLIENT_ID_REGEXP), "flags" => FILTER_REQUIRE_SCALAR),
1008 0 : "response_type" => array("flags" => FILTER_REQUIRE_SCALAR),
1009 0 : "redirect_uri" => array("filter" => FILTER_SANITIZE_URL),
1010 0 : "state" => array("flags" => FILTER_REQUIRE_SCALAR),
1011 0 : "scope" => array("flags" => FILTER_REQUIRE_SCALAR)
1012 0 : );
1013 :
1014 0 : if (!isset($inputData)) {
1015 0 : $inputData = $_GET;
1016 0 : }
1017 0 : $input = filter_var_array($inputData, $filters);
1018 :
1019 : // Make sure a valid client id was supplied (we can not redirect because we were unable to verify the URI)
1020 0 : if (!$input["client_id"]) {
1021 0 : throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_CLIENT, "No client id supplied"); // We don't have a good URI to use
1022 : }
1023 :
1024 : // Get client details
1025 0 : $stored = $this->storage->getClientDetails($input["client_id"]);
1026 0 : if ($stored === FALSE) {
1027 0 : throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_CLIENT, "Client id does not exist");
1028 : }
1029 :
1030 : // Make sure a valid redirect_uri was supplied. If specified, it must match the stored URI.
1031 : // @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-3.1.2
1032 : // @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.1.2.1
1033 : // @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.2.2.1
1034 0 : if (!$input["redirect_uri"] && !$stored["redirect_uri"]) {
1035 0 : throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_REDIRECT_URI_MISMATCH, 'No redirect URL was supplied or stored.');
1036 : }
1037 0 : if ($this->getVariable(self::CONFIG_ENFORCE_INPUT_REDIRECT) && !$input["redirect_uri"]) {
1038 0 : throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_REDIRECT_URI_MISMATCH, 'The redirect URI is mandatory and was not supplied.');
1039 : }
1040 : // Only need to validate if redirect_uri provided on input and stored.
1041 0 : if ($stored["redirect_uri"] && $input["redirect_uri"] && !$this->validateRedirectUri($input["redirect_uri"], $stored["redirect_uri"])) {
1042 0 : throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_REDIRECT_URI_MISMATCH, 'The redirect URI provided is missing or does not match');
1043 : }
1044 :
1045 : // Select the redirect URI
1046 0 : $input["redirect_uri"] = isset($input["redirect_uri"]) ? $input["redirect_uri"] : $stored["redirect_uri"];
1047 :
1048 : // type and client_id are required
1049 0 : if (!$input["response_type"]) {
1050 0 : throw new OAuth2RedirectException($input["redirect_uri"], self::ERROR_INVALID_REQUEST, 'Invalid or missing response type.', $input["state"]);
1051 : }
1052 :
1053 : // Check requested auth response type against interfaces of storage engine
1054 0 : $reflect = new ReflectionClass($this->storage);
1055 0 : if (!$reflect->hasConstant('RESPONSE_TYPE_' . strtoupper($input['response_type']))) {
1056 0 : throw new OAuth2RedirectException($input["redirect_uri"], self::ERROR_UNSUPPORTED_RESPONSE_TYPE, NULL, $input["state"]);
1057 : }
1058 :
1059 : // Validate that the requested scope is supported
1060 0 : if ($input["scope"] && !$this->checkScope($input["scope"], $this->getVariable(self::CONFIG_SUPPORTED_SCOPES))) {
1061 0 : throw new OAuth2RedirectException($input["redirect_uri"], self::ERROR_INVALID_SCOPE, 'An unsupported scope was requested.', $input["state"]);
1062 : }
1063 :
1064 : // Validate state parameter exists (if configured to enforce this)
1065 0 : if ($this->getVariable(self::CONFIG_ENFORCE_STATE) && !$input["state"]) {
1066 0 : throw new OAuth2RedirectException($input["redirect_uri"], self::ERROR_INVALID_REQUEST, "The state parameter is required.");
1067 : }
1068 :
1069 : // Return retrieved client details together with input
1070 0 : return ($input + $stored);
1071 : }
1072 :
1073 : /**
1074 : * Redirect the user appropriately after approval.
1075 : *
1076 : * After the user has approved or denied the access request the
1077 : * authorization server should call this function to redirect the user
1078 : * appropriately.
1079 : *
1080 : * @param $is_authorized
1081 : * TRUE or FALSE depending on whether the user authorized the access.
1082 : * @param $user_id
1083 : * Identifier of user who authorized the client
1084 : * @param $params
1085 : * An associative array as below:
1086 : * - response_type: The requested response: an access token, an
1087 : * authorization code, or both.
1088 : * - client_id: The client identifier as described in Section 2.
1089 : * - redirect_uri: An absolute URI to which the authorization server
1090 : * will redirect the user-agent to when the end-user authorization
1091 : * step is completed.
1092 : * - scope: (optional) The scope of the access request expressed as a
1093 : * list of space-delimited strings.
1094 : * - state: (optional) An opaque value used by the client to maintain
1095 : * state between the request and callback.
1096 : *
1097 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4
1098 : *
1099 : * @ingroup oauth2_section_4
1100 : */
1101 : public function finishClientAuthorization($is_authorized, $user_id = NULL, $params = array()) {
1102 :
1103 : // We repeat this, because we need to re-validate. In theory, this could be POSTed
1104 : // by a 3rd-party (because we are not internally enforcing NONCEs, etc)
1105 0 : $params = $this->getAuthorizeParams($params);
1106 :
1107 0 : $params += array('scope' => NULL, 'state' => NULL);
1108 0 : extract($params);
1109 :
1110 0 : if ($state !== NULL) {
1111 0 : $result["query"]["state"] = $state;
1112 0 : }
1113 :
1114 0 : if ($is_authorized === FALSE) {
1115 0 : throw new OAuth2RedirectException($redirect_uri, self::ERROR_USER_DENIED, "The user denied access to your application", $state);
1116 : } else {
1117 0 : if ($response_type == self::RESPONSE_TYPE_AUTH_CODE) {
1118 0 : $result["query"]["code"] = $this->createAuthCode($client_id, $user_id, $redirect_uri, $scope);
1119 0 : } elseif ($response_type == self::RESPONSE_TYPE_ACCESS_TOKEN) {
1120 0 : $result["fragment"] = $this->createAccessToken($client_id, $user_id, $scope);
1121 0 : }
1122 : }
1123 :
1124 0 : $this->doRedirectUriCallback($redirect_uri, $result);
1125 0 : }
1126 :
1127 : // Other/utility functions.
1128 :
1129 :
1130 : /**
1131 : * Redirect the user agent.
1132 : *
1133 : * Handle both redirect for success or error response.
1134 : *
1135 : * @param $redirect_uri
1136 : * An absolute URI to which the authorization server will redirect
1137 : * the user-agent to when the end-user authorization step is completed.
1138 : * @param $params
1139 : * Parameters to be pass though buildUri().
1140 : *
1141 : * @ingroup oauth2_section_4
1142 : */
1143 : private function doRedirectUriCallback($redirect_uri, $params) {
1144 0 : header("HTTP/1.1 " . self::HTTP_FOUND);
1145 0 : header("Location: " . $this->buildUri($redirect_uri, $params));
1146 0 : exit();
1147 : }
1148 :
1149 : /**
1150 : * Build the absolute URI based on supplied URI and parameters.
1151 : *
1152 : * @param $uri
1153 : * An absolute URI.
1154 : * @param $params
1155 : * Parameters to be append as GET.
1156 : *
1157 : * @return
1158 : * An absolute URI with supplied parameters.
1159 : *
1160 : * @ingroup oauth2_section_4
1161 : */
1162 : private function buildUri($uri, $params) {
1163 0 : $parse_url = parse_url($uri);
1164 :
1165 : // Add our params to the parsed uri
1166 0 : foreach ( $params as $k => $v ) {
1167 0 : if (isset($parse_url[$k])) {
1168 0 : $parse_url[$k] .= "&" . http_build_query($v);
1169 0 : } else {
1170 0 : $parse_url[$k] = http_build_query($v);
1171 : }
1172 0 : }
1173 :
1174 : // Put humpty dumpty back together
1175 : return
1176 0 : ((isset($parse_url["scheme"])) ? $parse_url["scheme"] . "://" : "")
1177 0 : . ((isset($parse_url["user"])) ? $parse_url["user"]
1178 0 : . ((isset($parse_url["pass"])) ? ":" . $parse_url["pass"] : "") . "@" : "")
1179 0 : . ((isset($parse_url["host"])) ? $parse_url["host"] : "")
1180 0 : . ((isset($parse_url["port"])) ? ":" . $parse_url["port"] : "")
1181 0 : . ((isset($parse_url["path"])) ? $parse_url["path"] : "")
1182 0 : . ((isset($parse_url["query"])) ? "?" . $parse_url["query"] : "")
1183 0 : . ((isset($parse_url["fragment"])) ? "#" . $parse_url["fragment"] : "")
1184 0 : ;
1185 : }
1186 :
1187 : /**
1188 : * Handle the creation of access token, also issue refresh token if support.
1189 : *
1190 : * This belongs in a separate factory, but to keep it simple, I'm just
1191 : * keeping it here.
1192 : *
1193 : * @param $client_id
1194 : * Client identifier related to the access token.
1195 : * @param $scope
1196 : * (optional) Scopes to be stored in space-separated string.
1197 : *
1198 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-5
1199 : * @ingroup oauth2_section_5
1200 : */
1201 : // Função ORIGINAL;
1202 : // protected function createAccessToken($client_id, $user_id, $scope = NULL) {
1203 : //
1204 : // $token = array(
1205 : // "access_token" => $this->genAccessToken(),
1206 : // "expires_in" => $this->getVariable(self::CONFIG_ACCESS_LIFETIME),
1207 : // "token_type" => $this->getVariable(self::CONFIG_TOKEN_TYPE),
1208 : // "scope" => $scope
1209 : // );
1210 : //
1211 : // $this->storage->setAccessToken($token["access_token"], $client_id, $user_id, time() + $this->getVariable(self::CONFIG_ACCESS_LIFETIME), $scope);
1212 : //
1213 : // // Issue a refresh token also, if we support them
1214 : // if ($this->storage instanceof IOAuth2RefreshTokens) {
1215 : // $token["refresh_token"] = $this->genAccessToken();
1216 : // $this->storage->setRefreshToken($token["refresh_token"], $client_id, $user_id, time() + $this->getVariable(self::CONFIG_REFRESH_LIFETIME), $scope);
1217 : //
1218 : // // If we've granted a new refresh token, expire the old one
1219 : // if ($this->oldRefreshToken) {
1220 : // $this->storage->unsetRefreshToken($this->oldRefreshToken);
1221 : // unset($this->oldRefreshToken);
1222 : // }
1223 : // }
1224 : //
1225 : // return $token;
1226 : // }
1227 : protected function createAccessToken($client_id, $user_id, $scope = NULL) {
1228 :
1229 : $token = array(
1230 0 : "access_token" => $this->genAccessToken(),
1231 0 : "expires_in" => $this->getVariable(self::CONFIG_ACCESS_LIFETIME),
1232 0 : "token_type" => $this->getVariable(self::CONFIG_TOKEN_TYPE),
1233 : "scope" => $scope
1234 0 : );
1235 0 : $token["refresh_token"] = $this->genAccessToken();
1236 :
1237 0 : $this->storage->setAccessToken($token["access_token"], $client_id, $user_id, time() + $this->getVariable(self::CONFIG_ACCESS_LIFETIME), $scope , $token['refresh_token']);
1238 :
1239 : // Issue a refresh token also, if we support them
1240 0 : if ($this->storage instanceof IOAuth2RefreshTokens) {
1241 0 : $this->storage->setRefreshToken($token["refresh_token"], $client_id, $user_id, time() + $this->getVariable(self::CONFIG_REFRESH_LIFETIME), $scope);
1242 :
1243 : // If we've granted a new refresh token, expire the old one
1244 0 : if ($this->oldRefreshToken) {
1245 0 : $this->storage->unsetRefreshToken($this->oldRefreshToken);
1246 0 : unset($this->oldRefreshToken);
1247 0 : }
1248 0 : }
1249 :
1250 0 : return $token;
1251 : }
1252 :
1253 : /**
1254 : * Handle the creation of auth code.
1255 : *
1256 : * This belongs in a separate factory, but to keep it simple, I'm just
1257 : * keeping it here.
1258 : *
1259 : * @param $client_id
1260 : * Client identifier related to the access token.
1261 : * @param $redirect_uri
1262 : * An absolute URI to which the authorization server will redirect the
1263 : * user-agent to when the end-user authorization step is completed.
1264 : * @param $scope
1265 : * (optional) Scopes to be stored in space-separated string.
1266 : *
1267 : * @ingroup oauth2_section_4
1268 : */
1269 : private function createAuthCode($client_id, $user_id, $redirect_uri, $scope = NULL) {
1270 0 : $code = $this->genAuthCode();
1271 0 : $this->storage->setAuthCode($code, $client_id, $user_id, $redirect_uri, time() + $this->getVariable(self::CONFIG_AUTH_LIFETIME), $scope);
1272 0 : return $code;
1273 : }
1274 :
1275 : /**
1276 : * Generates an unique access token.
1277 : *
1278 : * Implementing classes may want to override this function to implement
1279 : * other access token generation schemes.
1280 : *
1281 : * @return
1282 : * An unique access token.
1283 : *
1284 : * @ingroup oauth2_section_4
1285 : * @see OAuth2::genAuthCode()
1286 : */
1287 : protected function genAccessToken() {
1288 0 : $tokenLen = 40;
1289 0 : if (file_exists('/dev/urandom')) { // Get 100 bytes of random data
1290 0 : $randomData = file_get_contents('/dev/urandom', false, null, 0, 100) . uniqid(mt_rand(), true);
1291 0 : } else {
1292 0 : $randomData = mt_rand() . mt_rand() . mt_rand() . mt_rand() . microtime(true) . uniqid(mt_rand(), true);
1293 : }
1294 0 : return substr(hash('sha512', $randomData), 0, $tokenLen);
1295 : }
1296 :
1297 : /**
1298 : * Generates an unique auth code.
1299 : *
1300 : * Implementing classes may want to override this function to implement
1301 : * other auth code generation schemes.
1302 : *
1303 : * @return
1304 : * An unique auth code.
1305 : *
1306 : * @ingroup oauth2_section_4
1307 : * @see OAuth2::genAccessToken()
1308 : */
1309 : protected function genAuthCode() {
1310 0 : return $this->genAccessToken(); // let's reuse the same scheme for token generation
1311 : }
1312 :
1313 : /**
1314 : * Pull out the Authorization HTTP header and return it.
1315 : * According to draft 20, standard basic authorization is the only
1316 : * header variable required (this does not apply to extended grant types).
1317 : *
1318 : * Implementing classes may need to override this function if need be.
1319 : *
1320 : * @todo We may need to re-implement pulling out apache headers to support extended grant types
1321 : *
1322 : * @return
1323 : * An array of the basic username and password provided.
1324 : *
1325 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-2.4.1
1326 : * @ingroup oauth2_section_2
1327 : */
1328 : protected function getAuthorizationHeader() {
1329 : return array(
1330 0 : 'PHP_AUTH_USER' => isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '',
1331 0 : 'PHP_AUTH_PW' => isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : ''
1332 0 : );
1333 : }
1334 :
1335 : /**
1336 : * Send out HTTP headers for JSON.
1337 : *
1338 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-5.1
1339 : * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-5.2
1340 : *
1341 : * @ingroup oauth2_section_5
1342 : */
1343 : private function sendJsonHeaders() {
1344 0 : if (php_sapi_name() === 'cli' || headers_sent()) {
1345 0 : return;
1346 : }
1347 :
1348 0 : header("Content-Type: application/json");
1349 0 : header("Cache-Control: no-store");
1350 0 : }
1351 :
1352 : /**
1353 : * Internal method for validating redirect URI supplied
1354 : * @param string $inputUri
1355 : * @param string $storedUri
1356 : */
1357 : protected function validateRedirectUri($inputUri, $storedUri) {
1358 0 : if (!$inputUri || !$storedUri) {
1359 0 : return false; // if either one is missing, assume INVALID
1360 : }
1361 0 : return strcasecmp(substr($inputUri, 0, strlen($storedUri)), $storedUri) === 0;
1362 : }
1363 : }
|