Support token revocation and introspection #1473
Conversation
|
@Sephster , as mentioned #1453 (comment), it would be great to have more maintainers for this repository! @hafezdivandari is an excellent professional with extensive knowledge of OAuth2. Having more people to support the project would certainly help its growth and maintenance! 🚀 |
| use EmitterAwarePolyfill; | ||
| use CryptTrait; | ||
|
|
||
| protected ClientRepositoryInterface $clientRepository; | ||
|
|
||
| protected AccessTokenRepositoryInterface $accessTokenRepository; | ||
|
|
||
| protected RefreshTokenRepositoryInterface $refreshTokenRepository; |
There was a problem hiding this comment.
From AbstractGrant class.
| public function setClientRepository(ClientRepositoryInterface $clientRepository): void | ||
| { | ||
| $this->clientRepository = $clientRepository; | ||
| } | ||
|
|
||
| public function setAccessTokenRepository(AccessTokenRepositoryInterface $accessTokenRepository): void | ||
| { | ||
| $this->accessTokenRepository = $accessTokenRepository; | ||
| } | ||
|
|
||
| public function setRefreshTokenRepository(RefreshTokenRepositoryInterface $refreshTokenRepository): void | ||
| { | ||
| $this->refreshTokenRepository = $refreshTokenRepository; | ||
| } |
There was a problem hiding this comment.
From AbstractGrant class.
| /** | ||
| * Validate the client. | ||
| * | ||
| * @throws OAuthServerException | ||
| */ | ||
| protected function validateClient(ServerRequestInterface $request): ClientEntityInterface | ||
| { | ||
| [$clientId, $clientSecret] = $this->getClientCredentials($request); | ||
|
|
||
| $client = $this->getClientEntityOrFail($clientId, $request); | ||
|
|
||
| if ($client->isConfidential()) { | ||
| if ($clientSecret === '') { | ||
| throw OAuthServerException::invalidRequest('client_secret'); | ||
| } | ||
|
|
||
| if ( | ||
| $this->clientRepository->validateClient( | ||
| $clientId, | ||
| $clientSecret, | ||
| $this instanceof GrantTypeInterface ? $this->getIdentifier() : null | ||
| ) === false | ||
| ) { | ||
| $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request)); | ||
|
|
||
| throw OAuthServerException::invalidClient($request); | ||
| } | ||
| } | ||
|
|
||
| return $client; | ||
| } |
There was a problem hiding this comment.
Moved from AbstractGrant class.
| $this->clientRepository->validateClient( | ||
| $clientId, | ||
| $clientSecret, | ||
| $this instanceof GrantTypeInterface ? $this->getIdentifier() : null |
There was a problem hiding this comment.
This line is the only change on this method, since getIdentifier() method is defined on GrantTypeInterface only.
| /** | ||
| * Wrapper around ClientRepository::getClientEntity() that ensures we emit | ||
| * an event and throw an exception if the repo doesn't return a client | ||
| * entity. | ||
| * | ||
| * This is a bit of defensive coding because the interface contract | ||
| * doesn't actually enforce non-null returns/exception-on-no-client so | ||
| * getClientEntity might return null. By contrast, this method will | ||
| * always either return a ClientEntityInterface or throw. | ||
| * | ||
| * @throws OAuthServerException | ||
| */ | ||
| protected function getClientEntityOrFail(string $clientId, ServerRequestInterface $request): ClientEntityInterface | ||
| { | ||
| $client = $this->clientRepository->getClientEntity($clientId); | ||
|
|
||
| if ($client instanceof ClientEntityInterface === false) { | ||
| $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request)); | ||
| throw OAuthServerException::invalidClient($request); | ||
| } | ||
|
|
||
| return $client; | ||
| } |
There was a problem hiding this comment.
Moved from AbstractGrant class.
| use Psr\Http\Message\ResponseInterface; | ||
| use Psr\Http\Message\ServerRequestInterface; | ||
|
|
||
| class TokenIntrospectionHandler extends AbstractTokenHandler |
There was a problem hiding this comment.
This class implements "Token Introspection RFC7662". This class also allows customizing the introspection response by injecting a IntrospectionResponseTypeInterface instance.
| use Psr\Http\Message\ResponseInterface; | ||
| use Psr\Http\Message\ServerRequestInterface; | ||
|
|
||
| class TokenRevocationHandler extends AbstractTokenHandler |
There was a problem hiding this comment.
This class implements "Token Revocation RFC7009".
| use DateTimeInterface; | ||
| use Psr\Http\Message\ResponseInterface; | ||
|
|
||
| class IntrospectionResponse implements IntrospectionResponseTypeInterface |
There was a problem hiding this comment.
This class implements Introspection Response. RFC7662 section 2.2
|
|
||
| use Psr\Http\Message\ResponseInterface; | ||
|
|
||
| interface IntrospectionResponseTypeInterface |
There was a problem hiding this comment.
Defines an interface for introspection response type.
| use Psr\Http\Message\ResponseInterface; | ||
| use Psr\Http\Message\ServerRequestInterface; | ||
|
|
||
| class TokenServer implements EmitterAwareInterface |
There was a problem hiding this comment.
This class defines 2 methods to respond to token revocation and token introspection requests. Also allows injecting customized token revocation/introspection handlers.
This class is inspired by AuthorizationServer and ResourceServer classes.
Fixes #806
Fixes #1350
Closes #1255
Closes #1135
Closes #995
Closes #925
It's much easier to implement Token Revocation RFC7009 and Token Introspection RFC7662 at the same time! These 2 RFCs have most of the logic in common:
"application/x-www-form-urlencoded" data:
tokenis required, accepts either an access token or a refresh token.token_type_hintis optional to help the server optimize the token lookup.access_tokenorrefresh_token.Authorization: Basic {client_credentials}headerclient_idandclient_secretparameters.400:invalid_requestthe requiredtokenparameter was not sent.401:invalid_clientthe request is not authorized. Client credentials were not sent or invalid.200: The token is revoked, expired, doesn't exists, or was not issued to the client making the request:activefield set tofalse.{ "active": false }200: The token is valid, active, and was issued to the client making the request:activefield set totrue.{ "active": true, ... }Implementation
Summary
Summary of file changes in order of appearance.
New
AbstractHandlerclassAbstractGrantandAbstractTokenHandlerclasses.clientRepository,accessTokenRepository, andrefreshTokenRepositoryproperties have been moved to this class from childAbstractGrantclass.setClientRepository,setAccessTokenRepository,setRefreshTokenRepository,getClientCredentials,parseParam,getRequestParameter,getBasicAuthCredentials,getQueryStringParameter,getCookieParameter,getServerParameter, andvalidateEncryptedRefreshTokenmethods have been moved to this class from childAbstractGrantclass without any change.validateClientmethod from childAbstractGranthas been moved to this class with a minor change: The call togetIdentifier()isGrantTypeInterfacespecific.getClientEntityOrFailmethod from childAbstractGranthas been moved to this class. This method is also overridden on childAbstractGrant: Call tosupportsGrantTypemethod isAbstracGrantspecific.validateEncryptedRefreshTokenis extracted fromRefreshTokenGrant::validateOldRefreshTokenmethod.Change
AuthorizationValidators\BearerTokenValidatorclassJwtValidatorInterfaceinterface.validateAuthorizationmethod into a newvalidateJwtmethod.validateJwtmethod also accepts optional$clientIdargument. If a$clientIdis provided, it verifies whether the token was issued to the given client.New
AuthorizationValidators\JwtValidatorInterfaceinterfaceBearerTokenValidatorclass.validateJwtmethod.AbstractTokenHandler::setJwtValidator()method.Change
Exception\OAuthServerExceptionclassunsupportedTokenTypemethod.Change
Grant\AbstractGrantclassAbstractHandlerclass.AbstractHandlerclass.getClientEntityOrFailmethod.Change
Grant\RefreshTokenGrantclassvalidateOldRefreshTokenmethod has been extracted into a new parent AbstractHandler::validateEncryptedRefreshToken method.New
Handlers\AbstractTokenHandlerclassAbstractHandlerclass.TokenHandlerInterfaceinterface.setPublicKeyandsetJwtValidatormethods that to allow injecting a customized JWT validator.validateToken,validateAccessTokenandvalidateRefreshTokenmethods that have been used byTokenIntrospectionHandlerandTokenRevocationHandlerclasses.New
Handlers\TokenHandlerInterfaceinterfaceAbstractTokenHandlerclass.setTokenRevocationHandlerandsetTokenIntrospectionHandlermethods of theTokenServerclass.New
Handlers\TokenIntrospectionHandlerclassAbstractTokenHandlerclass.respondToRequestmethod that responds to "Token Introspection RFC7662" request.setResponseTypemethod that allows injecting a customized response type.New
Handlers\TokenRevocationHandlerclassAbstractTokenHandlerclass.respondToRequestmethod that responds to "Token Revocation RFC7009" request.New
ResponseTypes\IntrospectionResponseclassIntrospectionResponseTypeInterfaceinterface.generateHttpResponsemethod to generate "Token Revocation RFC7009" response.New
ResponseTypes\IntrospectionResponseTypeInterfaceclassIntrospectionResponseclass.TokenIntrospectionHandler::setResponseTypemethod that allows injecting a customized response type.New
TokenServerclassrespondToTokenRevocationRequestandrespondToTokenIntrospectionRequestmethods to respond to the respective request.setTokenRevocationHandlerandsetTokenIntrospectionHandlermethods that allows injecting customized handlers.