clientAssertionType = $clientAssertionType; $this->accessToken = $accessToken; foreach ($grantTypes as $grantType) { $this->addGrantType($grantType); } if (is_null($scopeUtil)) { $scopeUtil = new Scope(); } $this->scopeUtil = $scopeUtil; } public function handleTokenRequest(RequestInterface $request, ResponseInterface $response) { if ($token = $this->grantAccessToken($request, $response)) { // @see http://tools.ietf.org/html/rfc6749#section-5.1 // server MUST disable caching in headers when tokens are involved $response->setStatusCode(200); $response->addParameters($token); $response->addHttpHeaders(array('Cache-Control' => 'no-store', 'Pragma' => 'no-cache')); } } /** * Grant or deny a requested access token. * This would be called from the "/token" endpoint as defined in the spec. * You can call your endpoint whatever you want. * * @param $request - RequestInterface * Request object to grant access token * * @throws InvalidArgumentException * @throws LogicException * * @see http://tools.ietf.org/html/rfc6749#section-4 * @see http://tools.ietf.org/html/rfc6749#section-10.6 * @see http://tools.ietf.org/html/rfc6749#section-4.1.3 * * @ingroup oauth2_section_4 */ public function grantAccessToken(RequestInterface $request, ResponseInterface $response) { if (strtolower($request->server('REQUEST_METHOD')) != 'post') { $response->setError(405, 'invalid_request', 'The request method must be POST when requesting an access token', '#section-3.2'); $response->addHttpHeaders(array('Allow' => 'POST')); return null; } /* Determine grant type from request * and validate the request for that grant type */ if (!$grantTypeIdentifier = $request->request('grant_type')) { $response->setError(400, 'invalid_request', 'The grant type was not specified in the request'); return null; } if (!isset($this->grantTypes[$grantTypeIdentifier])) { /* TODO: If this is an OAuth2 supported grant type that we have chosen not to implement, throw a 501 Not Implemented instead */ $response->setError(400, 'unsupported_grant_type', sprintf('Grant type "%s" not supported', $grantTypeIdentifier)); return null; } $grantType = $this->grantTypes[$grantTypeIdentifier]; /* Retrieve the client information from the request * ClientAssertionTypes allow for grant types which also assert the client data * in which case ClientAssertion is handled in the validateRequest method * * @see OAuth2\GrantType\JWTBearer * @see OAuth2\GrantType\ClientCredentials */ if (!$grantType instanceof ClientAssertionTypeInterface) { if (!$this->clientAssertionType->validateRequest($request, $response)) { return null; } $clientId = $this->clientAssertionType->getClientId(); } /* Retrieve the grant type information from the request * The GrantTypeInterface object handles all validation * If the object is an instance of ClientAssertionTypeInterface, * That logic is handled here as well */ if (!$grantType->validateRequest($request, $response)) { return null; } if ($grantType instanceof ClientAssertionTypeInterface) { $clientId = $grantType->getClientId(); } else { // validate the Client ID (if applicable) if (!is_null($storedClientId = $grantType->getClientId()) && $storedClientId != $clientId) { $response->setError(400, 'invalid_grant', sprintf('%s doesn\'t exist or is invalid for the client', $grantTypeIdentifier)); return null; } } /* * Validate the scope of the token * If the grant type returns a value for the scope, * as is the case with the "Authorization Code" grant type, * this value must be verified with the scope being requested */ $availableScope = $grantType->getScope(); if (!$requestedScope = $this->scopeUtil->getScopeFromRequest($request)) { if (!$availableScope) { if (false === $defaultScope = $this->scopeUtil->getDefaultScope($clientId)) { $response->setError(400, 'invalid_scope', 'This application requires you specify a scope parameter'); return null; } } $requestedScope = $availableScope ? $availableScope : $defaultScope; } if (($requestedScope && !$this->scopeUtil->scopeExists($requestedScope, $clientId)) || ($availableScope && !$this->scopeUtil->checkScope($requestedScope, $availableScope))) { $response->setError(400, 'invalid_scope', 'An unsupported scope was requested'); return null; } return $grantType->createAccessToken($this->accessToken, $clientId, $grantType->getUserId(), $requestedScope); } /** * addGrantType * * @param grantType - OAuth2\GrantTypeInterface * the grant type to add for the specified identifier * @param identifier - string * a string passed in as "grant_type" in the response that will call this grantType **/ public function addGrantType(GrantTypeInterface $grantType, $identifier = null) { if (is_null($identifier) || is_numeric($identifier)) { $identifier = $grantType->getQuerystringIdentifier(); } $this->grantTypes[$identifier] = $grantType; } }