2727 */
2828
2929
30- /**
31- * The default duration in seconds of the access token lifetime.
32- */
33- define ("OAUTH2_DEFAULT_ACCESS_TOKEN_LIFETIME " , 3600 );
34-
35- /**
36- * The default duration in seconds of the authorization code lifetime.
37- */
38- define ("OAUTH2_DEFAULT_AUTH_CODE_LIFETIME " , 30 );
39-
40- /**
41- * The default duration in seconds of the refresh token lifetime.
42- */
43- define ("OAUTH2_DEFAULT_REFRESH_TOKEN_LIFETIME " , 1209600 );
44-
45-
4630/**
4731 * @defgroup oauth2_section_2 Client Credentials
4832 * @{
8569 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3
8670 */
8771
88- /**
89- * Denotes "token" authorization response type.
90- */
91- define ("OAUTH2_AUTH_RESPONSE_TYPE_ACCESS_TOKEN " , "token " );
92-
93- /**
94- * Denotes "code" authorization response type.
95- */
96- define ("OAUTH2_AUTH_RESPONSE_TYPE_AUTH_CODE " , "code " );
97-
98- /**
99- * Denotes "code-and-token" authorization response type.
100- */
101- define ("OAUTH2_AUTH_RESPONSE_TYPE_CODE_AND_TOKEN " , "code-and-token " );
102-
10372/**
10473 * Regex to filter out the authorization response type.
10574 */
@@ -359,145 +328,89 @@ class OAuth2 {
359328 protected $ confarray ();
360329
361330 /**
362- *
331+ * Storage engine for authentication server
363332 *
364333 * @var IOAuth2Storage
365334 */
366335 protected $ storage
367-
368- // Stuff that can get overridden by subclasses.
369- // Override the ones you need.
370-
371- /**
372- * Return supported authorization response types.
373- *
374- * You should override this function with your supported response types.
375- *
376- * @return
377- * A list as below. If you support all authorization response types,
378- * then you'd do:
379- * @code
380- * return array(
381- * OAUTH2_AUTH_RESPONSE_TYPE_AUTH_CODE,
382- * OAUTH2_AUTH_RESPONSE_TYPE_ACCESS_TOKEN,
383- * OAUTH2_AUTH_RESPONSE_TYPE_CODE_AND_TOKEN,
384- * );
385- * @endcode
386- *
387- * @ingroup oauth2_section_3
388- */
389- protected function getSupportedAuthResponseTypes () {
390- return array (
391- OAUTH2_AUTH_RESPONSE_TYPE_AUTH_CODE ,
392- OAUTH2_AUTH_RESPONSE_TYPE_ACCESS_TOKEN ,
393- OAUTH2_AUTH_RESPONSE_TYPE_CODE_AND_TOKEN
394- );
395- }
396-
336+
397337 /**
398- * Return supported scopes.
399- *
400- * If you want to support scope use, then have this function return a list
401- * of all acceptable scopes (used to throw the invalid-scope error).
402- *
403- * @return
404- * A list as below, for example:
405- * @code
406- * return array(
407- * 'my-friends',
408- * 'photos',
409- * 'whatever-else',
410- * );
411- * @endcode
412- *
413- * @ingroup oauth2_section_3
338+ * Keep track of the old refresh token. So we can unset
339+ * the old refresh tokens when a new one is issued.
340+ *
341+ * @var string
414342 */
415- protected function getSupportedScopes () {
416- return array ();
417- }
343+ protected $ oldRefreshToken
418344
419345 /**
420- * Check restricted authorization response types of corresponding Client
421- * identifier.
422- *
423- * If you want to restrict clients to certain authorization response types,
424- * override this function.
425- *
426- * @param $client_id
427- * Client identifier to be check with.
428- * @param $response_type
429- * Authorization response type to be check with, would be one of the
430- * values contained in OAUTH2_AUTH_RESPONSE_TYPE_REGEXP.
431- *
432- * @return
433- * TRUE if the authorization response type is supported by this
434- * client identifier, and FALSE if it isn't.
435- *
436- * @ingroup oauth2_section_3
346+ * Default values for configuration options.
347+ *
348+ * @var int
349+ * @see OAuth2::setDefaultOptions()
437350 */
438- protected function checkRestrictedAuthResponseType ($ client_id$ response_type
439- return TRUE ;
440- }
441-
351+ const DEFAULT_ACCESS_TOKEN_LIFETIME = 3600 ;
352+ const DEFAULT_REFRESH_TOKEN_LIFETIME = 30 ;
353+ const DEFAULT_AUTH_CODE_LIFETIME = 1209600 ;
354+ const DEFAULT_WWW_REALM = 'Service ' ;
355+
442356 /**
443- * Check restricted grant types of corresponding client identifier.
444- *
445- * If you want to restrict clients to certain grant types, override this
446- * function.
447- *
448- * @param $client_id
449- * Client identifier to be check with.
450- * @param $grant_type
451- * Grant type to be check with, would be one of the values contained in
452- * OAUTH2_GRANT_TYPE_REGEXP.
453- *
454- * @return
455- * TRUE if the grant type is supported by this client identifier, and
456- * FALSE if it isn't.
457- *
458- * @ingroup oauth2_section_4
357+ * Configurable options.
358+ *
359+ * @var string
459360 */
460- protected function checkRestrictedGrantType ($ client_id$ grant_type
461- return TRUE ;
462- }
463-
361+ const CONFIG_ACCESS_LIFETIME = 'access_token_lifetime ' ; // The lifetime of access token in seconds.
362+ const CONFIG_REFRESH_LIFETIME = 'refresh_token_lifetime ' ; // The lifetime of refresh token in seconds.
363+ const CONFIG_AUTH_LIFETIME = 'auth_code_lifetime ' ; // The lifetime of auth code in seconds.
364+ const CONFIG_DISPLAY_ERROR = 'display_error ' ; // Whether to show verbose error messages in the response.
365+ const CONFIG_SUPPORTED_AUTH = 'supported_auth_types ' ; // Array of supported auth types
366+ const CONFIG_SUPPORTED_SCOPES = 'supported_scopes ' ; // Array of scopes you want to support
367+ const CONFIG_DEFAULT_REALM = 'default_auth_realm ' ; // Realm you want to send in a WWW-Authenticate header
368+
464369 /**
465- * Get default authentication realm for WWW-Authenticate header.
466- *
467- * Change this to whatever authentication realm you want to send in a
468- * WWW-Authenticate header.
469- *
470- * @return
471- * A string that you want to send in a WWW-Authenticate header.
472- *
473- * @ingroup oauth2_error
370+ * List of possible authentication response types.
371+ * You can specify the CONFIG_SUPPORTED_AUTH array with one or
372+ * more the below options.
373+ *
374+ * @var string
375+ * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-3
474376 */
475- protected function getDefaultAuthenticationRealm () {
476- return "Service " ;
477- }
478-
479- // End stuff that should get overridden.
480-
377+ const AUTH_RESPONSE_TYPE_AUTH_CODE = 'code ' ;
378+ const AUTH_RESPONSE_TYPE_ACCESS_TOKEN = 'token ' ;
379+ const AUTH_RESPONSE_TYPE_CODE_AND_TOKEN = 'code-and-token ' ;
380+
481381 /**
482382 * Creates an OAuth2.0 server-side instance.
483383 *
484- * @param $config
485- * An associative array as below:
486- * - access_token_lifetime: (optional) The lifetime of access token in
487- * seconds.
488- * - auth_code_lifetime: (optional) The lifetime of authorization code in
489- * seconds.
490- * - refresh_token_lifetime: (optional) The lifetime of refresh token in
491- * seconds.
492- * - display_error: (optional) Whether to show verbose error messages in
493- * the response.
384+ * @param $config - An associative array as below of config options. See CONFIG_* constants.
494385 */
495386 public function __construct (IOAuth2Storage $ storage$ configarray ()) {
496387 $ this storage = $ storage
388+
389+ // Configuration options
390+ $ this setDefaultOptions ();
497391 foreach ($ configas $ name$ value
498392 $ this setVariable ($ name$ value
499393 }
500394 }
395+
396+ /**
397+ * Default configuration options are specified here.
398+ */
399+ protected function setDefaultOptions () {
400+ $ this conf = array (
401+ self ::CONFIG_ACCESS_LIFETIME => self ::DEFAULT_ACCESS_TOKEN_LIFETIME ,
402+ self ::CONFIG_REFRESH_LIFETIME => self ::DEFAULT_REFRESH_TOKEN_LIFETIME ,
403+ self ::CONFIG_AUTH_LIFETIME => self ::DEFAULT_AUTH_CODE_LIFETIME ,
404+ self ::CONFIG_DEFAULT_REALM => self ::DEFAULT_REALM ,
405+ self ::CONFIG_SUPPORTED_AUTH => array (
406+ self ::AUTH_RESPONSE_TYPE_AUTH_CODE ,
407+ self ::AUTH_RESPONSE_TYPE_ACCESS_TOKEN ,
408+ self ::AUTH_RESPONSE_TYPE_CODE_AND_TOKEN
409+ ),
410+ // This is expected to be passed in on construction. Scopes can be an aribitrary string.
411+ self ::CONFIG_SUPPORTED_SCOPES => array ()
412+ );
413+ }
501414
502415 /**
503416 * Returns a persistent variable.
@@ -764,7 +677,7 @@ public function grantAccessToken(array $inputData = NULL) {
764677 $ this errorJsonResponse (OAUTH2_HTTP_BAD_REQUEST , OAUTH2_ERROR_EXPIRED_TOKEN );
765678
766679 // store the refresh token locally so we can delete it when a new refresh token is generated
767- $ this setVariable ( ' _old_refresh_token ' , $ stored"refresh_token " ]) ;
680+ $ this oldRefreshToken = $ stored"refresh_token " ];
768681
769682 break ;
770683 case OAUTH2_GRANT_TYPE_NONE :
@@ -946,10 +859,10 @@ public function finishClientAuthorization($is_authorized, $user_id = NULL, $para
946859 $ result"query " ]["error " ] = OAUTH2_ERROR_USER_DENIED ;
947860 }
948861 else {
949- if ($ response_typeOAUTH2_AUTH_RESPONSE_TYPE_AUTH_CODE || $ response_typeOAUTH2_AUTH_RESPONSE_TYPE_CODE_AND_TOKEN )
862+ if ($ response_typeself :: AUTH_RESPONSE_TYPE_AUTH_CODE || $ response_typeself :: AUTH_RESPONSE_TYPE_CODE_AND_TOKEN )
950863 $ result"query " ]["code " ] = $ this createAuthCode ($ client_id$ user_id$ redirect_uri$ scope
951864
952- if ($ response_typeOAUTH2_AUTH_RESPONSE_TYPE_ACCESS_TOKEN || $ response_typeOAUTH2_AUTH_RESPONSE_TYPE_CODE_AND_TOKEN )
865+ if ($ response_typeself :: AUTH_RESPONSE_TYPE_ACCESS_TOKEN || $ response_typeself :: AUTH_RESPONSE_TYPE_CODE_AND_TOKEN )
953866 $ result"fragment " ] = $ this createAccessToken ($ client_id$ user_id$ scope
954867 }
955868
@@ -1029,19 +942,20 @@ protected function createAccessToken($client_id, $user_id, $scope=NULL) {
1029942
1030943 $ tokenarray (
1031944 "access_token " => $ this genAccessToken (),
1032- "expires_in " => $ this getVariable (' access_token_lifetime ' , OAUTH2_DEFAULT_ACCESS_TOKEN_LIFETIME ),
945+ "expires_in " => $ this getVariable (self :: CONFIG_ACCESS_LIFETIME ),
1033946 "scope " => $ scope
1034947 );
1035948
1036- $ this storage ->setAccessToken ($ token"access_token " ], $ client_id$ user_idtime () + $ this getVariable (' access_token_lifetime ' , OAUTH2_DEFAULT_ACCESS_TOKEN_LIFETIME ), $ scope
949+ $ this storage ->setAccessToken ($ token"access_token " ], $ client_id$ user_idtime () + $ this getVariable (self :: CONFIG_ACCESS_LIFETIME ), $ scope
1037950
1038951 // Issue a refresh token also, if we support them
1039952 if (in_array (OAUTH2_GRANT_TYPE_REFRESH_TOKEN , $ this storage ->getSupportedGrantTypes ())) {
1040953 $ token"refresh_token " ] = $ this genAccessToken ();
1041- $ this storage ->setRefreshToken ($ token"refresh_token " ], $ client_id$ user_idtime () + $ this getVariable (' refresh_token_lifetime ' , OAUTH2_DEFAULT_REFRESH_TOKEN_LIFETIME ), $ scope
954+ $ this storage ->setRefreshToken ($ token"refresh_token " ], $ client_id$ user_idtime () + $ this getVariable (self :: CONFIG_REFRESH_LIFETIME ), $ scope
1042955 // If we've granted a new refresh token, expire the old one
1043- if ($ this getVariable ('_old_refresh_token ' ))
1044- $ this storage ->unsetRefreshToken ($ this getVariable ('_old_refresh_token ' ));
956+ if ($ this oldRefreshToken )
957+ $ this storage ->unsetRefreshToken ($ this oldRefreshToken );
958+ unset($ this oldRefreshToken );
1045959 }
1046960
1047961 return $ token
@@ -1065,7 +979,7 @@ protected function createAccessToken($client_id, $user_id, $scope=NULL) {
1065979 */
1066980 private function createAuthCode ($ client_id$ user_id$ redirect_uri$ scopeNULL ) {
1067981 $ code$ this genAuthCode ();
1068- $ this storage ->setAuthCode ($ code$ client_id$ user_id$ redirect_uritime () + $ this getVariable (' auth_code_lifetime ' , OAUTH2_DEFAULT_AUTH_CODE_LIFETIME ), $ scope
982+ $ this storage ->setAuthCode ($ code$ client_id$ user_id$ redirect_uritime () + $ this getVariable (self :: CONFIG_AUTH_LIFETIME ), $ scope
1069983 return $ code
1070984 }
1071985
@@ -1169,10 +1083,10 @@ private function errorDoRedirectUriCallback($redirect_uri, $error, $error_descri
11691083 if ($ state
11701084 $ result"query " ]["state " ] = $ state
11711085
1172- if ($ this getVariable (' display_error ' $ error_description
1086+ if ($ this getVariable (self :: CONFIG_DISPLAY_ERROR ) && $ error_description
11731087 $ result"query " ]["error_description " ] = $ error_description
11741088
1175- if ($ this getVariable (' display_error ' $ error_uri
1089+ if ($ this getVariable (self :: CONFIG_DISPLAY_ERROR ) && $ error_uri
11761090 $ result"query " ]["error_uri " ] = $ error_uri
11771091
11781092 $ this doRedirectUriCallback ($ redirect_uri$ result
@@ -1201,10 +1115,10 @@ private function errorDoRedirectUriCallback($redirect_uri, $error, $error_descri
12011115 private function errorJsonResponse ($ http_status_code$ error$ error_descriptionNULL , $ error_uriNULL ) {
12021116 $ result'error ' ] = $ error
12031117
1204- if ($ this getVariable (' display_error ' $ error_description
1118+ if ($ this getVariable (self :: CONFIG_DISPLAY_ERROR ) && $ error_description
12051119 $ result"error_description " ] = $ error_description
12061120
1207- if ($ this getVariable (' display_error ' $ error_uri
1121+ if ($ this getVariable (self :: CONFIG_DISPLAY_ERROR ) && $ error_uri
12081122 $ result"error_uri " ] = $ error_uri
12091123
12101124 header ("HTTP/1.1 " . $ http_status_code
@@ -1252,10 +1166,10 @@ private function errorWWWAuthenticateResponseHeader($http_status_code, $realm, $
12521166 if ($ error
12531167 $ result", error=' " . $ error"' " ;
12541168
1255- if ($ this getVariable (' display_error ' $ error_description
1169+ if ($ this getVariable (self :: CONFIG_DISPLAY_ERROR ) && $ error_description
12561170 $ result", error_description=' " . $ error_description"' " ;
12571171
1258- if ($ this getVariable (' display_error ' $ error_uri
1172+ if ($ this getVariable (self :: CONFIG_DISPLAY_ERROR ) && $ error_uri
12591173 $ result", error_uri=' " . $ error_uri"' " ;
12601174
12611175 if ($ scope
0 commit comments