Support for client credentials grant

robertlemke · robertlemke · commit 9d69b8ec22d5 · 2017-11-21T14:56:44.000+01:00
diff --git a/Classes/OAuthClient.php b/Classes/OAuthClient.php
@@ -139,6 +139,41 @@ public function getRequestFactory(): RequestFactory
         return new RequestFactory();
     }
 
+    /**
+     * Add credentials for a Client Credentials Grant
+     *
+     * @param string $clientId
+     * @param string $clientSecret
+     * @param string $scope
+     * @throws IdentityProviderException
+     */
+    public function addClientCredentials(string $clientId, string $clientSecret, string $scope = '')
+    {
+        $oAuthProvider = $this->createOAuthProvider($clientId, $clientSecret);
+
+        try {
+            $this->logger->log(sprintf(static::getServiceName() . 'Setting client credentials for client "%s" using a %s bytes long secret.', $clientId, strlen($clientSecret)), LOG_INFO);
+
+            $oldOAuthToken = $this->getOAuthToken();
+            if ($oldOAuthToken !== null) {
+                $this->entityManager->remove($oldOAuthToken);
+                $this->entityManager->flush();
+
+                $this->logger->log(sprintf(static::getServiceName() . 'Removed old OAuth token for client "%s".', $clientId), LOG_INFO);
+            }
+
+            $accessToken = $oAuthProvider->getAccessToken('client_credentials');
+            $oAuthToken = $this->createNewOAuthToken($clientId, $clientSecret, 'client_credentials', $accessToken, $scope);
+
+            $this->logger->log(sprintf(static::getServiceName() . 'Persisted new OAuth token for client "%s" with expiry time %s.', $clientId, $accessToken->getExpires()), LOG_INFO);
+
+            $this->entityManager->persist($oAuthToken);
+            $this->entityManager->flush();
+        } catch (IdentityProviderException $e) {
+            throw $e;
+        }
+    }
+
     /**
      * Start OAuth authorization
      *
@@ -202,7 +237,7 @@ public function finishAuthorization(string $code, string $state, string $scope)
             }
 
             $accessToken = $oAuthProvider->getAccessToken('authorization_code', ['code' => $code]);
-            $oAuthToken = $this->createNewOAuthToken($clientId, $clientSecret, $accessToken, $scope);
+            $oAuthToken = $this->createNewOAuthToken($clientId, $clientSecret, 'authorization_code', $accessToken, $scope);
 
             $this->logger->log(sprintf(static::getServiceName() . ': Persisted new OAuth token for client "%s" with expiry time %s.', $clientId, $accessToken->getExpires()), LOG_INFO);
 
@@ -280,6 +315,32 @@ public function getAuthenticatedRequest(string $relativeUri, string $method = 'G
             $oAuthToken = $this->getOAuthToken();
         }
         $oAuthProvider = $this->createOAuthProvider($oAuthToken->clientId, $oAuthToken->clientSecret);
+
+        if ($oAuthToken->expires < new \DateTimeImmutable()) {
+            switch($oAuthToken->grantType) {
+                case 'authorization_code':
+                    $this->refreshAuthorization($oAuthToken->clientId, '');
+                    $oAuthToken = $this->getOAuthToken();
+                break;
+                case 'client_credentials':
+                    try {
+                        $newAccessToken = $oAuthProvider->getAccessToken('client_credentials');
+                    } catch(IdentityProviderException $exception) {
+                        $this->logger->log(sprintf(static::getServiceName() . 'Failed retrieving new OAuth access token for client "%s" (client credentials grant): %s', $oAuthToken->clientId, $exception->getMessage()), LOG_ERR);
+                        throw $exception;
+                    }
+
+                    $oAuthToken->accessToken = $newAccessToken->getToken();
+                    $oAuthToken->expires = ($newAccessToken->getExpires() ? \DateTimeImmutable::createFromFormat('U', $newAccessToken->getExpires()) : null);
+
+                    $this->logger->log(sprintf(static::getServiceName() . 'Persisted new OAuth token for client "%s" with expiry time %s.', $oAuthToken->clientId, $newAccessToken->getExpires()), LOG_INFO);
+
+                    $this->entityManager->persist($oAuthToken);
+                    $this->entityManager->flush();
+                break;
+            }
+        }
+
         $body = ($bodyFields !== [] ? \GuzzleHttp\json_encode($bodyFields) : '');
 
         return $oAuthProvider->getAuthenticatedRequest(
@@ -336,15 +397,17 @@ public function renderRedirectUri(): string
      *
      * @param string $clientId
      * @param string $clientSecret
+     * @param string $grantType
      * @param AccessToken $accessToken
      * @param string $scope
      * @return OAuthToken
      */
-    protected function createNewOAuthToken(string $clientId, string $clientSecret, AccessToken $accessToken, string $scope): OAuthToken
+    protected function createNewOAuthToken(string $clientId, string $clientSecret, string $grantType, AccessToken $accessToken, string $scope): OAuthToken
     {
         $oAuthToken = new OAuthToken();
         $oAuthToken->clientId = $clientId;
         $oAuthToken->serviceName = static::getServiceName();
+        $oAuthToken->grantType = $grantType;
         $oAuthToken->clientSecret = $clientSecret;
         $oAuthToken->accessToken = $accessToken->getToken();
         $oAuthToken->refreshToken = $accessToken->getRefreshToken();
diff --git a/Classes/OAuthToken.php b/Classes/OAuthToken.php
@@ -26,15 +26,23 @@ class OAuthToken
     /**
      * @var string
      */
+    public $grantType;
+
+    /**
+     * @var string
+     * @ORM\Column(nullable = true, length=5000)
+     */
     public $clientSecret;
 
     /**
      * @var string
+     * @ORM\Column(length=5000)
      */
     public $accessToken;
 
     /**
      * @var string
+     * @ORM\Column(nullable = true, length=5000)
      */
     public $refreshToken;
 
diff --git a/Migrations/Mysql/Version20171121130544.php b/Migrations/Mysql/Version20171121130544.php
@@ -0,0 +1,40 @@
+<?php
+namespace Neos\Flow\Persistence\Doctrine\Migrations;
+
+use Doctrine\DBAL\Migrations\AbstractMigration;
+use Doctrine\DBAL\Schema\Schema;
+
+/**
+ *
+ */
+class Version20171121130544 extends AbstractMigration
+{
+
+    /**
+     * @return string
+     */
+    public function getDescription()
+    {
+        return 'Introduce grant type';
+    }
+
+    /**
+     * @param Schema $schema
+     * @return void
+     */
+    public function up(Schema $schema)
+    {
+        $this->abortIf($this->connection->getDatabasePlatform()->getName() != 'mysql', 'Migration can only be executed safely on "mysql".');
+        $this->addSql('ALTER TABLE flownative_oauth2_client_oauthtoken ADD granttype VARCHAR(255) NOT NULL');
+    }
+
+    /**
+     * @param Schema $schema
+     * @return void
+     */
+    public function down(Schema $schema)
+    {
+        $this->abortIf($this->connection->getDatabasePlatform()->getName() != 'mysql', 'Migration can only be executed safely on "mysql".');
+        $this->addSql('ALTER TABLE flownative_oauth2_client_oauthtoken DROP granttype');
+    }
+}
diff --git a/Migrations/Mysql/Version20171121134206.php b/Migrations/Mysql/Version20171121134206.php
@@ -0,0 +1,40 @@
+<?php
+namespace Neos\Flow\Persistence\Doctrine\Migrations;
+
+use Doctrine\DBAL\Migrations\AbstractMigration;
+use Doctrine\DBAL\Schema\Schema;
+
+/**
+ *
+ */
+class Version20171121134206 extends AbstractMigration
+{
+
+    /**
+     * @return string
+     */
+    public function getDescription()
+    {
+        return 'Make refresh token optional';
+    }
+
+    /**
+     * @param Schema $schema
+     * @return void
+     */
+    public function up(Schema $schema)
+    {
+        $this->abortIf($this->connection->getDatabasePlatform()->getName() != 'mysql', 'Migration can only be executed safely on "mysql".');
+        $this->addSql('ALTER TABLE flownative_oauth2_client_oauthtoken CHANGE refreshtoken refreshtoken VARCHAR(255) DEFAULT NULL');
+    }
+
+    /**
+     * @param Schema $schema
+     * @return void
+     */
+    public function down(Schema $schema)
+    {
+        $this->abortIf($this->connection->getDatabasePlatform()->getName() != 'mysql', 'Migration can only be executed safely on "mysql".');
+        $this->addSql('ALTER TABLE flownative_oauth2_client_oauthtoken CHANGE refreshtoken refreshtoken VARCHAR(255) NOT NULL COLLATE utf8_unicode_ci');
+    }
+}
diff --git a/Migrations/Mysql/Version20171121134844.php b/Migrations/Mysql/Version20171121134844.php
@@ -0,0 +1,40 @@
+<?php
+namespace Neos\Flow\Persistence\Doctrine\Migrations;
+
+use Doctrine\DBAL\Migrations\AbstractMigration;
+use Doctrine\DBAL\Schema\Schema;
+
+/**
+ *
+ */
+class Version20171121134844 extends AbstractMigration
+{
+
+    /**
+     * @return string
+     */
+    public function getDescription()
+    {
+        return 'Longer fields for tokens and secret';
+    }
+
+    /**
+     * @param Schema $schema
+     * @return void
+     */
+    public function up(Schema $schema)
+    {
+        $this->abortIf($this->connection->getDatabasePlatform()->getName() != 'mysql', 'Migration can only be executed safely on "mysql".');
+        $this->addSql('ALTER TABLE flownative_oauth2_client_oauthtoken CHANGE clientsecret clientsecret VARCHAR(5000) DEFAULT NULL, CHANGE accesstoken accesstoken VARCHAR(5000) NOT NULL, CHANGE refreshtoken refreshtoken VARCHAR(5000) DEFAULT NULL');
+    }
+
+    /**
+     * @param Schema $schema
+     * @return void
+     */
+    public function down(Schema $schema)
+    {
+        $this->abortIf($this->connection->getDatabasePlatform()->getName() != 'mysql', 'Migration can only be executed safely on "mysql".');
+        $this->addSql('ALTER TABLE flownative_oauth2_client_oauthtoken CHANGE clientsecret clientsecret VARCHAR(255) NOT NULL COLLATE utf8_unicode_ci, CHANGE accesstoken accesstoken VARCHAR(255) NOT NULL COLLATE utf8_unicode_ci, CHANGE refreshtoken refreshtoken VARCHAR(255) DEFAULT NULL COLLATE utf8_unicode_ci');
+    }
+}
