vendor/league/oauth2-server/src/Grant/AuthCodeGrant.php line 260

Open in your IDE?
  1. <?php
  2. /**
  3.  * @author      Alex Bilbie <hello@alexbilbie.com>
  4.  * @copyright   Copyright (c) Alex Bilbie
  5.  * @license     http://mit-license.org/
  6.  *
  7.  * @link        https://github.com/thephpleague/oauth2-server
  8.  */
  10. namespace League\OAuth2\Server\Grant;
  12. use DateInterval;
  13. use DateTimeImmutable;
  14. use Exception;
  15. use League\OAuth2\Server\CodeChallengeVerifiers\CodeChallengeVerifierInterface;
  16. use League\OAuth2\Server\CodeChallengeVerifiers\PlainVerifier;
  17. use League\OAuth2\Server\CodeChallengeVerifiers\S256Verifier;
  18. use League\OAuth2\Server\Entities\ClientEntityInterface;
  19. use League\OAuth2\Server\Entities\UserEntityInterface;
  20. use League\OAuth2\Server\Exception\OAuthServerException;
  21. use League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface;
  22. use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
  23. use League\OAuth2\Server\RequestAccessTokenEvent;
  24. use League\OAuth2\Server\RequestEvent;
  25. use League\OAuth2\Server\RequestRefreshTokenEvent;
  26. use League\OAuth2\Server\RequestTypes\AuthorizationRequest;
  27. use League\OAuth2\Server\ResponseTypes\RedirectResponse;
  28. use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
  29. use LogicException;
  30. use Psr\Http\Message\ServerRequestInterface;
  31. use stdClass;
  33. class AuthCodeGrant extends AbstractAuthorizeGrant
  34. {
  35.     /**
  36.      * @var DateInterval
  37.      */
  38.     private $authCodeTTL;
  40.     /**
  41.      * @var bool
  42.      */
  43.     private $requireCodeChallengeForPublicClients true;
  45.     /**
  46.      * @var CodeChallengeVerifierInterface[]
  47.      */
  48.     private $codeChallengeVerifiers = [];
  50.     /**
  51.      * @param AuthCodeRepositoryInterface     $authCodeRepository
  52.      * @param RefreshTokenRepositoryInterface $refreshTokenRepository
  53.      * @param DateInterval                    $authCodeTTL
  54.      *
  55.      * @throws Exception
  56.      */
  57.     public function __construct(
  58.         AuthCodeRepositoryInterface $authCodeRepository,
  59.         RefreshTokenRepositoryInterface $refreshTokenRepository,
  60.         DateInterval $authCodeTTL
  61.     ) {
  62.         $this->setAuthCodeRepository($authCodeRepository);
  63.         $this->setRefreshTokenRepository($refreshTokenRepository);
  64.         $this->authCodeTTL $authCodeTTL;
  65.         $this->refreshTokenTTL = new DateInterval('P1M');
  67.         if (\in_array('sha256'\hash_algos(), true)) {
  68.             $s256Verifier = new S256Verifier();
  69.             $this->codeChallengeVerifiers[$s256Verifier->getMethod()] = $s256Verifier;
  70.         }
  72.         $plainVerifier = new PlainVerifier();
  73.         $this->codeChallengeVerifiers[$plainVerifier->getMethod()] = $plainVerifier;
  74.     }
  76.     /**
  77.      * Disable the requirement for a code challenge for public clients.
  78.      */
  79.     public function disableRequireCodeChallengeForPublicClients()
  80.     {
  81.         $this->requireCodeChallengeForPublicClients false;
  82.     }
  84.     /**
  85.      * Respond to an access token request.
  86.      *
  87.      * @param ServerRequestInterface $request
  88.      * @param ResponseTypeInterface  $responseType
  89.      * @param DateInterval           $accessTokenTTL
  90.      *
  91.      * @throws OAuthServerException
  92.      *
  93.      * @return ResponseTypeInterface
  94.      */
  95.     public function respondToAccessTokenRequest(
  96.         ServerRequestInterface $request,
  97.         ResponseTypeInterface $responseType,
  98.         DateInterval $accessTokenTTL
  99.     ) {
  100.         list($clientId) = $this->getClientCredentials($request);
  102.         $client $this->getClientEntityOrFail($clientId$request);
  104.         // Only validate the client if it is confidential
  105.         if ($client->isConfidential()) {
  106.             $this->validateClient($request);
  107.         }
  109.         $encryptedAuthCode $this->getRequestParameter('code'$requestnull);
  111.         if (!\is_string($encryptedAuthCode)) {
  112.             throw OAuthServerException::invalidRequest('code');
  113.         }
  115.         try {
  116.             $authCodePayload \json_decode($this->decrypt($encryptedAuthCode));
  118.             $this->validateAuthorizationCode($authCodePayload$client$request);
  120.             $scopes $this->scopeRepository->finalizeScopes(
  121.                 $this->validateScopes($authCodePayload->scopes),
  122.                 $this->getIdentifier(),
  123.                 $client,
  124.                 $authCodePayload->user_id
  125.             );
  126.         } catch (LogicException $e) {
  127.             throw OAuthServerException::invalidRequest('code''Cannot decrypt the authorization code'$e);
  128.         }
  130.         $codeVerifier $this->getRequestParameter('code_verifier'$requestnull);
  132.         // If a code challenge isn't present but a code verifier is, reject the request to block PKCE downgrade attack
  133.         if (empty($authCodePayload->code_challenge) && $codeVerifier !== null) {
  134.             throw OAuthServerException::invalidRequest(
  135.                 'code_challenge',
  136.                 'code_verifier received when no code_challenge is present'
  137.             );
  138.         }
  140.         if (!empty($authCodePayload->code_challenge)) {
  141.             $this->validateCodeChallenge($authCodePayload$codeVerifier);
  142.         }
  144.         // Issue and persist new access token
  145.         $accessToken $this->issueAccessToken($accessTokenTTL$client$authCodePayload->user_id$scopes);
  146.         $this->getEmitter()->emit(new RequestAccessTokenEvent(RequestEvent::ACCESS_TOKEN_ISSUED$request$accessToken));
  147.         $responseType->setAccessToken($accessToken);
  149.         // Issue and persist new refresh token if given
  150.         $refreshToken $this->issueRefreshToken($accessToken);
  152.         if ($refreshToken !== null) {
  153.             $this->getEmitter()->emit(new RequestRefreshTokenEvent(RequestEvent::REFRESH_TOKEN_ISSUED$request$refreshToken));
  154.             $responseType->setRefreshToken($refreshToken);
  155.         }
  157.         // Revoke used auth code
  158.         $this->authCodeRepository->revokeAuthCode($authCodePayload->auth_code_id);
  160.         return $responseType;
  161.     }
  163.     private function validateCodeChallenge($authCodePayload$codeVerifier)
  164.     {
  165.         if ($codeVerifier === null) {
  166.             throw OAuthServerException::invalidRequest('code_verifier');
  167.         }
  169.         // Validate code_verifier according to RFC-7636
  170.         // @see: https://tools.ietf.org/html/rfc7636#section-4.1
  171.         if (\preg_match('/^[A-Za-z0-9-._~]{43,128}$/'$codeVerifier) !== 1) {
  172.             throw OAuthServerException::invalidRequest(
  173.                 'code_verifier',
  174.                 'Code Verifier must follow the specifications of RFC-7636.'
  175.             );
  176.         }
  178.         if (\property_exists($authCodePayload'code_challenge_method')) {
  179.             if (isset($this->codeChallengeVerifiers[$authCodePayload->code_challenge_method])) {
  180.                 $codeChallengeVerifier $this->codeChallengeVerifiers[$authCodePayload->code_challenge_method];
  182.                 if ($codeChallengeVerifier->verifyCodeChallenge($codeVerifier$authCodePayload->code_challenge) === false) {
  183.                     throw OAuthServerException::invalidGrant('Failed to verify `code_verifier`.');
  184.                 }
  185.             } else {
  186.                 throw OAuthServerException::serverError(
  187.                     \sprintf(
  188.                         'Unsupported code challenge method `%s`',
  189.                         $authCodePayload->code_challenge_method
  190.                     )
  191.                 );
  192.             }
  193.         }
  194.     }
  196.     /**
  197.      * Validate the authorization code.
  198.      *
  199.      * @param stdClass               $authCodePayload
  200.      * @param ClientEntityInterface  $client
  201.      * @param ServerRequestInterface $request
  202.      */
  203.     private function validateAuthorizationCode(
  204.         $authCodePayload,
  205.         ClientEntityInterface $client,
  206.         ServerRequestInterface $request
  207.     ) {
  208.         if (!\property_exists($authCodePayload'auth_code_id')) {
  209.             throw OAuthServerException::invalidRequest('code''Authorization code malformed');
  210.         }
  212.         if (\time() > $authCodePayload->expire_time) {
  213.             throw OAuthServerException::invalidRequest('code''Authorization code has expired');
  214.         }
  216.         if ($this->authCodeRepository->isAuthCodeRevoked($authCodePayload->auth_code_id) === true) {
  217.             throw OAuthServerException::invalidRequest('code''Authorization code has been revoked');
  218.         }
  220.         if ($authCodePayload->client_id !== $client->getIdentifier()) {
  221.             throw OAuthServerException::invalidRequest('code''Authorization code was not issued to this client');
  222.         }
  224.         // The redirect URI is required in this request
  225.         $redirectUri $this->getRequestParameter('redirect_uri'$requestnull);
  226.         if (empty($authCodePayload->redirect_uri) === false && $redirectUri === null) {
  227.             throw OAuthServerException::invalidRequest('redirect_uri');
  228.         }
  230.         if ($authCodePayload->redirect_uri !== $redirectUri) {
  231.             throw OAuthServerException::invalidRequest('redirect_uri''Invalid redirect URI');
  232.         }
  233.     }
  235.     /**
  236.      * Return the grant identifier that can be used in matching up requests.
  237.      *
  238.      * @return string
  239.      */
  240.     public function getIdentifier()
  241.     {
  242.         return 'authorization_code';
  243.     }
  245.     /**
  246.      * {@inheritdoc}
  247.      */
  248.     public function canRespondToAuthorizationRequest(ServerRequestInterface $request)
  249.     {
  250.         return (
  251.             \array_key_exists('response_type'$request->getQueryParams())
  252.             && $request->getQueryParams()['response_type'] === 'code'
  253.             && isset($request->getQueryParams()['client_id'])
  254.         );
  255.     }
  257.     /**
  258.      * {@inheritdoc}
  259.      */
  260.     public function validateAuthorizationRequest(ServerRequestInterface $request)
  261.     {
  262.         $clientId $this->getQueryStringParameter(
  263.             'client_id',
  264.             $request,
  265.             $this->getServerParameter('PHP_AUTH_USER'$request)
  266.         );
  268.         if ($clientId === null) {
  269.             throw OAuthServerException::invalidRequest('client_id');
  270.         }
  272.         $client $this->getClientEntityOrFail($clientId$request);
  274.         $redirectUri $this->getQueryStringParameter('redirect_uri'$request);
  276.         if ($redirectUri !== null) {
  277.             if (!\is_string($redirectUri)) {
  278.                 throw OAuthServerException::invalidRequest('redirect_uri');
  279.             }
  281.             $this->validateRedirectUri($redirectUri$client$request);
  282.         } elseif (empty($client->getRedirectUri()) ||
  283.             (\is_array($client->getRedirectUri()) && \count($client->getRedirectUri()) !== 1)) {
  284.             $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED$request));
  286.             throw OAuthServerException::invalidClient($request);
  287.         }
  289.         $defaultClientRedirectUri \is_array($client->getRedirectUri())
  290.             ? $client->getRedirectUri()[0]
  291.             : $client->getRedirectUri();
  293.         $scopes $this->validateScopes(
  294.             $this->getQueryStringParameter('scope'$request$this->defaultScope),
  295.             $redirectUri ?? $defaultClientRedirectUri
  296.         );
  298.         $stateParameter $this->getQueryStringParameter('state'$request);
  300.         $authorizationRequest = new AuthorizationRequest();
  301.         $authorizationRequest->setGrantTypeId($this->getIdentifier());
  302.         $authorizationRequest->setClient($client);
  303.         $authorizationRequest->setRedirectUri($redirectUri);
  305.         if ($stateParameter !== null) {
  306.             $authorizationRequest->setState($stateParameter);
  307.         }
  309.         $authorizationRequest->setScopes($scopes);
  311.         $codeChallenge $this->getQueryStringParameter('code_challenge'$request);
  313.         if ($codeChallenge !== null) {
  314.             $codeChallengeMethod $this->getQueryStringParameter('code_challenge_method'$request'plain');
  316.             if (\array_key_exists($codeChallengeMethod$this->codeChallengeVerifiers) === false) {
  317.                 throw OAuthServerException::invalidRequest(
  318.                     'code_challenge_method',
  319.                     'Code challenge method must be one of ' \implode(', '\array_map(
  320.                         function ($method) {
  321.                             return '`' $method '`';
  322.                         },
  323.                         \array_keys($this->codeChallengeVerifiers)
  324.                     ))
  325.                 );
  326.             }
  328.             // Validate code_challenge according to RFC-7636
  329.             // @see: https://tools.ietf.org/html/rfc7636#section-4.2
  330.             if (\preg_match('/^[A-Za-z0-9-._~]{43,128}$/'$codeChallenge) !== 1) {
  331.                 throw OAuthServerException::invalidRequest(
  332.                     'code_challenge',
  333.                     'Code challenge must follow the specifications of RFC-7636.'
  334.                 );
  335.             }
  337.             $authorizationRequest->setCodeChallenge($codeChallenge);
  338.             $authorizationRequest->setCodeChallengeMethod($codeChallengeMethod);
  339.         } elseif ($this->requireCodeChallengeForPublicClients && !$client->isConfidential()) {
  340.             throw OAuthServerException::invalidRequest('code_challenge''Code challenge must be provided for public clients');
  341.         }
  343.         return $authorizationRequest;
  344.     }
  346.     /**
  347.      * {@inheritdoc}
  348.      */
  349.     public function completeAuthorizationRequest(AuthorizationRequest $authorizationRequest)
  350.     {
  351.         if ($authorizationRequest->getUser() instanceof UserEntityInterface === false) {
  352.             throw new LogicException('An instance of UserEntityInterface should be set on the AuthorizationRequest');
  353.         }
  355.         $finalRedirectUri $authorizationRequest->getRedirectUri()
  356.                           ?? $this->getClientRedirectUri($authorizationRequest);
  358.         // The user approved the client, redirect them back with an auth code
  359.         if ($authorizationRequest->isAuthorizationApproved() === true) {
  360.             $authCode $this->issueAuthCode(
  361.                 $this->authCodeTTL,
  362.                 $authorizationRequest->getClient(),
  363.                 $authorizationRequest->getUser()->getIdentifier(),
  364.                 $authorizationRequest->getRedirectUri(),
  365.                 $authorizationRequest->getScopes()
  366.             );
  368.             $payload = [
  369.                 'client_id' => $authCode->getClient()->getIdentifier(),
  370.                 'redirect_uri' => $authCode->getRedirectUri(),
  371.                 'auth_code_id' => $authCode->getIdentifier(),
  372.                 'scopes' => $authCode->getScopes(),
  373.                 'user_id' => $authCode->getUserIdentifier(),
  374.                 'expire_time' => (new DateTimeImmutable())->add($this->authCodeTTL)->getTimestamp(),
  375.                 'code_challenge' => $authorizationRequest->getCodeChallenge(),
  376.                 'code_challenge_method' => $authorizationRequest->getCodeChallengeMethod(),
  377.             ];
  379.             $jsonPayload \json_encode($payload);
  381.             if ($jsonPayload === false) {
  382.                 throw new LogicException('An error was encountered when JSON encoding the authorization request response');
  383.             }
  385.             $response = new RedirectResponse();
  386.             $response->setRedirectUri(
  387.                 $this->makeRedirectUri(
  388.                     $finalRedirectUri,
  389.                     [
  390.                         'code' => $this->encrypt($jsonPayload),
  391.                         'state' => $authorizationRequest->getState(),
  392.                     ]
  393.                 )
  394.             );
  396.             return $response;
  397.         }
  399.         // The user denied the client, redirect them back with an error
  400.         throw OAuthServerException::accessDenied(
  401.             'The user denied the request',
  402.             $this->makeRedirectUri(
  403.                 $finalRedirectUri,
  404.                 [
  405.                     'state' => $authorizationRequest->getState(),
  406.                 ]
  407.             )
  408.         );
  409.     }
  411.     /**
  412.      * Get the client redirect URI if not set in the request.
  413.      *
  414.      * @param AuthorizationRequest $authorizationRequest
  415.      *
  416.      * @return string
  417.      */
  418.     private function getClientRedirectUri(AuthorizationRequest $authorizationRequest)
  419.     {
  420.         return \is_array($authorizationRequest->getClient()->getRedirectUri())
  421.                 ? $authorizationRequest->getClient()->getRedirectUri()[0]
  422.                 : $authorizationRequest->getClient()->getRedirectUri();
  423.     }
  424. }