Merge branch 'draft-21'

Dave Rochwerger · Dave Rochwerger · commit 07d0b8966391 · 2012-01-06T16:20:42.000-08:00
Conflicts:
	lib/OAuth2.php
diff --git a/lib/OAuth2.php b/lib/OAuth2.php
@@ -1,7 +1,7 @@
 <?php
-require_once('OAuth2ServerException.php');
-require_once('OAuth2AuthenticateException.php');
-require_once('OAuth2RedirectException.php');
+require 'OAuth2ServerException.php';
+require 'OAuth2AuthenticateException.php';
+require 'OAuth2RedirectException.php';
 /**
  * @mainpage
  * OAuth 2.0 server in PHP, originally written for
@@ -85,6 +85,7 @@ class OAuth2 {
   const CONFIG_TOKEN_TYPE             = 'token_type';             // Token type to respond with. Currently only "Bearer" supported.
   const CONFIG_WWW_REALM              = 'realm';
   const CONFIG_ENFORCE_INPUT_REDIRECT = 'enforce_redirect';       // Set to true to enforce redirect_uri on input for both authorize and token steps.
+  const CONFIG_ENFORCE_STATE          = 'enforce_state';          // Set to true to enforce state to be passed in authorization (see http://tools.ietf.org/html/draft-ietf-oauth-v2-21#section-10.12)
   
 	/**
    * Regex to filter out the client identifier (described in Section 2 of IETF draft).
@@ -354,6 +355,7 @@ protected function setDefaultOptions() {
   		self::CONFIG_WWW_REALM              => self::DEFAULT_WWW_REALM,
   		self::CONFIG_TOKEN_TYPE             => self::TOKEN_TYPE_BEARER,
   		self::CONFIG_ENFORCE_INPUT_REDIRECT => FALSE,
+  		self::CONFIG_ENFORCE_STATE          => FALSE,
       self::CONFIG_SUPPORTED_SCOPES       => array() // This is expected to be passed in on construction. Scopes can be an aribitrary string.  
   	);
   }
@@ -551,15 +553,13 @@ private function checkScope($required_scope, $available_scope) {
    * This would be called from the "/token" endpoint as defined in the spec.
    * Obviously, you can call your endpoint whatever you want.
    * 
-   * FIXME: According to section 4.1.3 (http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.1.3),
-   * if the "Authorization Request" (auth_code) contained the redirect_uri, then it becomes mandatory when requesting the access token.
-   * This is *not* currently enforced in this library.
-   * 
    * @param $inputData - The draft specifies that the parameters should be
    * retrieved from POST, but you can override to whatever method you like.
    * @throws OAuth2ServerException
    * 
    * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4
+   * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-21#section-10.6
+   * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-21#section-4.1.3
    *
    * @ingroup oauth2_section_4
    */
@@ -617,10 +617,13 @@ public function grantAccessToken(array $inputData = NULL, array $authHeaders = N
         if ($stored === NULL || $client[0] != $stored["client_id"])
           throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_GRANT, "Refresh token doesn't exist or is invalid for the client");
         
-        // Validate the redirect URI
+        // Validate the redirect URI. They must match EXACTLY (as opposed to authorization step where they only need to have the same beginning).
+        // See http://tools.ietf.org/html/draft-ietf-oauth-v2-21#section-10.6
+        // Because we store the validated redirect_uri in getAuthorizeParams() (which is either the stored or input param) we are able to
+        // do this check everytime (regardless of whether a confidential or public client is being used).
         $missing = (!$stored["redirect_uri"] && !$input["redirect_uri"]); // both stored and supplied are missing - we must have at least one!
-        if ($missing || !$this->validateRedirectUri($input["redirect_uri"], $stored["redirect_uri"]))
-          throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_REDIRECT_URI_MISMATCH, "The redirect URI is missing or invalid");
+        if ($missing || $input["redirect_uri"] !== $stored["redirect_uri"])
+          throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_REDIRECT_URI_MISMATCH, "The redirect URI is missing or do not match");
 
         if ($stored["expires"] < time())
           throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_GRANT, "The authorization code has expired");
@@ -702,7 +705,7 @@ public function grantAccessToken(array $inputData = NULL, array $authHeaders = N
       
     // Check scope, if provided
     if ($input["scope"] && (!is_array($stored) || !isset($stored["scope"]) || !$this->checkScope($input["scope"], $stored["scope"])))
-      throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_SCOPE);
+      throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_SCOPE, 'An unsupported scope was requested.');
 
     $user_id = isset($stored['user_id']) ? $stored['user_id'] : null;
     $token = $this->createAccessToken($client[0], $user_id, $stored['scope']);
@@ -739,7 +742,7 @@ protected function getClientCredentials(array $inputData, array $authHeaders) {
       return array($authHeaders['PHP_AUTH_USER'], $authHeaders['PHP_AUTH_PW']);
     }
     elseif (empty($inputData['client_id'])) { // No credentials were specified
-       throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_CLIENT);
+       throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_CLIENT, 'Client id was not found in the headers or body');
     }
     else {
       // This method is not recommended, but is supported by specification
@@ -751,8 +754,10 @@ protected function getClientCredentials(array $inputData, array $authHeaders) {
 
   /**
    * Pull the authorization request data out of the HTTP request.
-   * The redirect_uri is OPTIONAL as per draft 20. But your implenetation can enforce it
-   * by setting CONFIG_ENFORCE_INPUT_REDIRECT to true.
+   *   - The redirect_uri is OPTIONAL as per draft 20. But your implementation can enforce it
+   *     by setting CONFIG_ENFORCE_INPUT_REDIRECT to true.
+   *   - The state is OPTIONAL but recommended to enforce CSRF. Draft 21 states, however, that
+   *     CSRF protection is MANDATORY. You can enforce this by setting the CONFIG_ENFORCE_STATE to true.
    *
    * @param $inputData - The draft specifies that the parameters should be
    * retrieved from GET, but you can override to whatever method you like.
@@ -762,6 +767,7 @@ protected function getClientCredentials(array $inputData, array $authHeaders) {
    *
    * @throws OAuth2ServerException
    * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.1.1
+   * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-21#section-10.12
    * 
    * @ingroup oauth2_section_3
    */
@@ -786,8 +792,8 @@ public function getAuthorizeParams(array $inputData = NULL) {
     
     // Get client details
     $stored = $this->storage->getClientDetails($input["client_id"]);
-    if (empty($stored) || !is_array($stored)) {
-      throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_CLIENT);
+    if ($stored === FALSE) {
+      throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_CLIENT, "Client id does not exist");
     }
     
     // Make sure a valid redirect_uri was supplied. If specified, it must match the stored URI.
@@ -801,7 +807,7 @@ public function getAuthorizeParams(array $inputData = NULL) {
       throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_REDIRECT_URI_MISMATCH, 'The redirect URI is mandatory and was not supplied.');
     }
     if ($stored["redirect_uri"] && $input["redirect_uri"] && !$this->validateRedirectUri($input["redirect_uri"], $stored["redirect_uri"])) {
-      throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_REDIRECT_URI_MISMATCH, 'The rediect URI provided is missing or does not match');
+      throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_REDIRECT_URI_MISMATCH, 'The redirect URI provided is missing or does not match');
     }
     
     // Select the redirect URI
@@ -819,7 +825,11 @@ public function getAuthorizeParams(array $inputData = NULL) {
 
     // Validate that the requested scope is supported
     if ($input["scope"] && !$this->checkScope($input["scope"], $this->getVariable(self::CONFIG_SUPPORTED_SCOPES)))
-      throw new OAuth2RedirectException($input["redirect_uri"], self::ERROR_INVALID_SCOPE, NULL, $input["state"]);
+      throw new OAuth2RedirectException($input["redirect_uri"], self::ERROR_INVALID_SCOPE, 'An unsupported scope was requested.', $input["state"]);
+      
+    // Validate state parameter exists (if configured to enforce this)
+    if ($this->getVariable(self::CONFIG_ENFORCE_STATE) && !$input["state"]) 
+      throw new OAuth2RedirectException($input["redirect_uri"], self::ERROR_INVALID_REQUEST, "The state parameter is required.");
 
     // Return retrieved client details together with input
     return ($input + $stored);
@@ -1047,8 +1057,8 @@ protected function genAuthCode() {
    */
   protected function getAuthorizationHeader() {
     return array(
-      'PHP_AUTH_USER' => $_SERVER['PHP_AUTH_USER'],
-      'PHP_AUTH_PW'   => $_SERVER['PHP_AUTH_PW']    
+      'PHP_AUTH_USER' => isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '',
+      'PHP_AUTH_PW'   => isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '',
     );
   }
 
diff --git a/server/examples/mongo/lib/OAuth2StorageMongo.php b/server/examples/mongo/lib/OAuth2StorageMongo.php
@@ -6,10 +6,10 @@
  * 
  */
 
-require_once __DIR__.'/../../../../lib/OAuth2.php';
-require_once __DIR__.'/../../../../lib/IOAuth2Storage.php';
-require_once __DIR__.'/../../../../lib/IOAuth2GrantCode.php';
-require_once __DIR__.'/../../../../lib/IOAuth2RefreshTokens.php';
+require __DIR__.'/../../../../lib/OAuth2.php';
+require __DIR__.'/../../../../lib/IOAuth2Storage.php';
+require __DIR__.'/../../../../lib/IOAuth2GrantCode.php';
+require __DIR__.'/../../../../lib/IOAuth2RefreshTokens.php';
 
 /**
  * Mongo storage engine for the OAuth2 Library.
diff --git a/server/examples/pdo/lib/OAuth2StoragePdo.php b/server/examples/pdo/lib/OAuth2StoragePdo.php
@@ -8,10 +8,10 @@
  *   new PDOOAuth2( new PDO('mysql:dbname=mydb;host=localhost', 'user', 'pass') );
  */
 
-require_once __DIR__.'/../../../../lib/OAuth2.php';
-require_once __DIR__.'/../../../../lib/IOAuth2Storage.php';
-require_once __DIR__.'/../../../../lib/IOAuth2GrantCode.php';
-require_once __DIR__.'/../../../../lib/IOAuth2RefreshTokens.php';
+require __DIR__.'/../../../../lib/OAuth2.php';
+require __DIR__.'/../../../../lib/IOAuth2Storage.php';
+require __DIR__.'/../../../../lib/IOAuth2GrantCode.php';
+require __DIR__.'/../../../../lib/IOAuth2RefreshTokens.php';
 
 /**
  * PDO storage engine for the OAuth2 Library.
diff --git a/tests/All_OAuth2_Tests.php b/tests/All_OAuth2_Tests.php
@@ -13,7 +13,7 @@ public function __construct() {
     $this->setName ( 'OAuth2Suite' );
 
     foreach (glob(__DIR__.'/*Test.php') as $filename) {
-      require_once($filename);
+      require $filename;
       $class = basename($filename, '.php');
       $this->addTestSuite($class);
     }
diff --git a/tests/OAuth2OutputTest.php b/tests/OAuth2OutputTest.php
@@ -1,7 +1,7 @@
 <?php
-require_once(__DIR__ . '/../lib/OAuth2.php');
-require_once(__DIR__ . '/../lib/IOAuth2Storage.php');
-require_once(__DIR__ . '/../lib/IOAuth2GrantCode.php');
+require __DIR__ . '/../lib/OAuth2.php';
+require __DIR__ . '/../lib/IOAuth2Storage.php';
+require __DIR__ . '/../lib/IOAuth2GrantCode.php';
 
 /**
  * OAuth2 test cases that invovle capturing output.
diff --git a/tests/OAuth2Test.php b/tests/OAuth2Test.php
@@ -1,7 +1,7 @@
 <?php
-require_once(__DIR__ . '/../lib/OAuth2.php');
-require_once(__DIR__ . '/../lib/IOAuth2Storage.php');
-require_once(__DIR__ . '/../lib/IOAuth2GrantCode.php');
+require __DIR__ . '/../lib/OAuth2.php';
+require __DIR__ . '/../lib/IOAuth2Storage.php';
+require __DIR__ . '/../lib/IOAuth2GrantCode.php';
 
 /**
  * OAuth2 test case.

Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ public function __construct() {`
`13`	`13`	`$this->setName ( 'OAuth2Suite' );`
`14`	`14`
`15`	`15`	`foreach (glob(__DIR__.'/*Test.php') as $filename) {`
`16`		`- require_once($filename);`
	`16`	`+ require $filename;`
`17`	`17`	`$class = basename($filename, '.php');`
`18`	`18`	`$this->addTestSuite($class);`
`19`	`19`	`}`