fernando/luos
1
0
Fork 0
Code Releases Activity
Files
eacb057a58deabccbb388cc449545e99c2e18801
luos/workflow/engine/src/ProcessMaker/Services/OAuth2/PmClientCredentials.php
Erik Amaru Ortiz bbd30afd80 FIX for OAuth new grant types over php >= 5.3.3
2014-08-21 17:01:00 -04:00

130 lines
4.2 KiB
PHP
Raw Blame History

<?php
namespace ProcessMaker\Services\OAuth2;
use OAuth2\ClientAssertionType\HttpBasic;
use OAuth2\ResponseType\AccessTokenInterface;
use OAuth2\Storage\ClientCredentialsInterface;
use OAuth2\RequestInterface;
use OAuth2\ResponseInterface;
/**
* @author Brent Shaffer <bshafs at gmail dot com>
*
* @see OAuth2_ClientAssertionType_HttpBasic
*/
class PmClientCredentials implements \OAuth2\GrantType\GrantTypeInterface
{
private $clientData;
protected $storage;
protected $config;
public function __construct(ClientCredentialsInterface $storage, array $config = array())
{
$this->storage = $storage;
$this->config = array_merge(array(
'allow_credentials_in_request_body' => true
), $config);
}
public function validateRequest(RequestInterface $request, ResponseInterface $response)
{
if (!$clientData = $this->getClientCredentials($request, $response)) {
return false;
}
if (!isset($clientData['client_id']) || !isset($clientData['client_secret'])) {
throw new \LogicException('the clientData array must have "client_id" and "client_secret" values set.');
}
if ($this->storage->checkClientCredentials($clientData['client_id'], $clientData['client_secret']) === false) {
$response->setError(400, 'invalid_client', 'The client credentials are invalid');
return false;
}
if (!$this->storage->checkRestrictedGrantType($clientData['client_id'], $request->request('grant_type'))) {
$response->setError(400, 'unauthorized_client', 'The grant type is unauthorized for this client_id');
return false;
}
$this->clientData = $clientData;
return true;
}
public function getClientId()
{
return $this->clientData['client_id'];
}
/**
* Internal function used to get the client credentials from HTTP basic
* auth or POST data.
*
* According to the spec (draft 20), the client_id can be provided in
* the Basic Authorization header (recommended) or via GET/POST.
*
* @return
* A list containing the client identifier and password, for example
* @code
* return array(
* "client_id" => CLIENT_ID, // REQUIRED the client id
* "client_secret" => CLIENT_SECRET, // REQUIRED the client secret
* );
* @endcode
*
* @see http://tools.ietf.org/html/rfc6749#section-2.3.1
*
* @ingroup oauth2_section_2
*/
public function getClientCredentials(RequestInterface $request, ResponseInterface $response = null)
{
if (!is_null($request->headers('PHP_AUTH_USER')) && !is_null($request->headers('PHP_AUTH_PW'))) {
return array('client_id' => $request->headers('PHP_AUTH_USER'), 'client_secret' => $request->headers('PHP_AUTH_PW'));
}
if ($this->config['allow_credentials_in_request_body']) {
// Using POST for HttpBasic authorization is not recommended, but is supported by specification
if (!is_null($request->request('client_id'))) {
/**
* client_secret can be null if the client's password is an empty string
* @see http://tools.ietf.org/html/rfc6749#section-2.3.1
*/
return array('client_id' => $request->request('client_id'), 'client_secret' => $request->request('client_secret', ''));
}
}
if ($response) {
$response->setError(400, 'invalid_client', 'Client credentials were not found in the headers or body');
}
return null;
}
public function getQuerystringIdentifier()
{
return 'client_credentials';
}
public function getScope()
{
return null;
}
public function getUserId()
{
return null;
}
public function createAccessToken(AccessTokenInterface $accessToken, $client_id, $user_id, $scope)
{
/*
* Client Credentials Grant does NOT include a refresh token
* @see http://tools.ietf.org/html/rfc6749#section-4.4.3
*/
$includeRefreshToken = false;
return $accessToken->createAccessToken($client_id, $user_id, $scope, $includeRefreshToken);
}
}
View Git Blame Copy Permalink