Improve support for Client Credentials flow

robertlemke · robertlemke · commit a39e4ba8ca9b · 2020-05-13T14:05:04.000+02:00
diff --git a/Classes/Authorization.php b/Classes/Authorization.php
@@ -153,6 +153,14 @@ public function getScope(): string
         return $this->scope;
     }
 
+    /**
+     * @param string $scope
+     */
+    public function setScope(string $scope): void
+    {
+        $this->scope = $scope;
+    }
+
     /**
      * @return array
      */
diff --git a/Classes/Controller/OAuthController.php b/Classes/Controller/OAuthController.php
@@ -6,6 +6,8 @@
 use Neos\Flow\Annotations\CompileStatic;
 use Neos\Flow\Http\Uri;
 use Neos\Flow\Mvc\Controller\ActionController;
+use Neos\Flow\Mvc\Exception\StopActionException;
+use Neos\Flow\Mvc\Exception\UnsupportedRequestTypeException;
 use Neos\Flow\ObjectManagement\ObjectManagerInterface;
 use Neos\Flow\Reflection\ReflectionService;
 
@@ -32,19 +34,21 @@ public function initializeObject(): void
      * @param Uri $returnToUri
      * @param string $serviceType
      * @param string $serviceName
-     * @throws
-     * FIXME: Re-Implement
+     * @param string $scope
+     * @throws OAuthClientException
+     * @throws StopActionException
+     * @throws UnsupportedRequestTypeException
      */
-    public function startAuthorizationAction(string $clientId, string $clientSecret, Uri $returnToUri, string $serviceType, string $serviceName): void
+    public function startAuthorizationAction(string $clientId, string $clientSecret, Uri $returnToUri, string $serviceType, string $serviceName, string $scope): void
     {
-//        if (!isset($this->serviceTypes[$serviceType])) {
-//            throw new OAuthClientException(sprintf('Failed starting OAuth2 authorization, because the given service type "%s" is unknown.', $serviceType), 1511187873921);
-//        }
-//
-//        $client = new $this->serviceTypes[$serviceName]($serviceName);
-//        assert($client instanceof OAuthClient);
-//        $authorizeUri = $client->startAuthorization($clientId, $clientSecret, $returnToUri);
-//        $this->redirectToUri($authorizeUri);
+        if (!isset($this->serviceTypes[$serviceType])) {
+            throw new OAuthClientException(sprintf('Failed starting OAuth2 authorization, because the given service type "%s" is unknown.', $serviceType), 1511187873921);
+        }
+
+        $client = new $this->serviceTypes[$serviceName]($serviceName);
+        assert($client instanceof OAuthClient);
+        $authorizeUri = $client->startAuthorization($clientId, $clientSecret, $returnToUri, $scope);
+        $this->redirectToUri($authorizeUri);
     }
 
     /**
@@ -58,9 +62,12 @@ public function startAuthorizationAction(string $clientId, string $clientSecret,
      * @param string $serviceName The OAuth service name, ie. the identifier of the concrete configuration of the given OAuth service implementation
      * @param string $state The state by which the OAuth client can find the authorization in progress
      * @param string $code The code issued by the OAuth server
-     * @throws
+     * @param string $scope The scope issued by the OAuth server
+     * @throws OAuthClientException
+     * @throws StopActionException
+     * @throws UnsupportedRequestTypeException
      */
-    public function finishAuthorizationAction(string $serviceType, string $serviceName, string $state, string $code): void
+    public function finishAuthorizationAction(string $serviceType, string $serviceName, string $state, string $code, string $scope = ''): void
     {
         if (!isset($this->serviceTypes[$serviceType])) {
             throw new OAuthClientException(sprintf('OAuth: Failed finishing OAuth2 authorization because the given service type "%s" is unknown.', $serviceName), 1511193117184);
@@ -69,7 +76,7 @@ public function finishAuthorizationAction(string $serviceType, string $serviceNa
         if (!$client instanceof OAuthClient) {
             throw new OAuthClientException(sprintf('OAuth: Failed finishing authorization because of unexpected class type: "%s" must implement %s.', get_class($client), OAuthClient::class), 1568735389);
         }
-        $this->redirectToUri($client->finishAuthorization($state, $code));
+        $this->redirectToUri($client->finishAuthorization($state, $code, $scope));
     }
 
     /**
diff --git a/Classes/OAuthClient.php b/Classes/OAuthClient.php
@@ -5,6 +5,7 @@
 use Doctrine\ORM\EntityManagerInterface;
 use Doctrine\ORM\ORMException;
 use GuzzleHttp\Client;
+use GuzzleHttp\Exception\GuzzleException;
 use GuzzleHttp\Psr7\Response;
 use GuzzleHttp\Psr7\Uri;
 use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
@@ -16,7 +17,7 @@
 use Neos\Flow\Annotations as Flow;
 use Neos\Flow\Core\Bootstrap;
 use Neos\Flow\Http\HttpRequestHandlerInterface;
-use Neos\Flow\Log\Utility\LogEnvironment;
+use Neos\Flow\Http\Request;
 use Neos\Flow\Mvc\ActionRequest;
 use Neos\Flow\Mvc\Routing\Exception\MissingActionNameException;
 use Neos\Flow\Mvc\Routing\UriBuilder;
@@ -281,10 +282,11 @@ public function startAuthorization(string $clientId, string $clientSecret, UriIn
      *
      * @param string $stateIdentifier The state identifier, passed back by the OAuth server as the "state" parameter
      * @param string $code The authorization code given by the OAuth server
+     * @param string $scope The scope granted by the OAuth server
      * @return UriInterface The URI to return to
      * @throws OAuthClientException
      */
-    public function finishAuthorization(string $stateIdentifier, string $code): UriInterface
+    public function finishAuthorization(string $stateIdentifier, string $code, string $scope): UriInterface
     {
         $stateFromCache = $this->stateCache->get($stateIdentifier);
         if (empty($stateFromCache)) {
@@ -307,6 +309,7 @@ public function finishAuthorization(string $stateIdentifier, string $code): UriI
             $this->logger->info(sprintf('OAuth (%s): Persisting OAuth token for authorization "%s" with expiry time %s.', $this->getServiceType(), $authorizationId, $accessToken->getExpires()));
 
             $authorization->setAccessToken($accessToken);
+            $authorization->setScope($scope);
 
             $this->entityManager->persist($authorization);
             $this->entityManager->flush();
@@ -368,87 +371,60 @@ public function getAuthorization(string $authorizationId): ?Authorization
     }
 
     /**
-     * Returns a prepared request which provides the needed header for OAuth authentication
+     * Returns a prepared request to an OAuth 2.0 service provider using Bearer token authentication
      *
+     * @param Authorization $authorization
      * @param string $relativeUri A relative URI of the web server, prepended by the base URI
      * @param string $method The HTTP method, for example "GET" or "POST"
      * @param array $bodyFields Associative array of body fields to send (optional)
      * @return RequestInterface
-     * @throws IdentityProviderException
      * @throws OAuthClientException
      */
-    public function getAuthenticatedRequest(string $relativeUri, string $method = 'GET', array $bodyFields = []): RequestInterface
+    public function getAuthenticatedRequest(Authorization $authorization, string $relativeUri, string $method = 'GET', array $bodyFields = []): RequestInterface
     {
-        $oAuthToken = $this->getAuthorization();
-        if (!$oAuthToken instanceof Authorization) {
-            throw new OAuthClientException('No OAuthToken found.', 1505321014388);
-        }
-
-        $oAuthProvider = $this->createOAuthProvider($oAuthToken->getClientId(), $oAuthToken->getClientSecret());
-
-        if ($oAuthToken->expires < new \DateTimeImmutable()) {
-            switch ($oAuthToken->getGrantType()) {
-                case Authorization::GRANT_AUTHORIZATION_CODE:
-                    $this->refreshAuthorization('fixme-authorization-id', $oAuthToken->getClientId(), 'fixme-return-to-uri');
-                    $oAuthToken = $this->getAuthorization();
-                break;
-                case Authorization::GRANT_CLIENT_CREDENTIALS:
-                    try {
-                        $newAccessToken = $oAuthProvider->getAccessToken(Authorization::GRANT_CLIENT_CREDENTIALS);
-                    } catch (IdentityProviderException $exception) {
-                        $this->logger->error(sprintf($this->getServiceType() . 'Failed retrieving new OAuth access token for client "%s" (client credentials grant): %s', $oAuthToken->clientId, $exception->getMessage()));
-                        throw $exception;
-                    }
-
-                    $oAuthToken->accessToken = $newAccessToken->getToken();
-                    $oAuthToken->expires = ($newAccessToken->getExpires() ? \DateTimeImmutable::createFromFormat('U', $newAccessToken->getExpires()) : null);
-
-                    $this->logger->info(sprintf('OAuth (%s): Persisted new OAuth token for client "%s" with expiry time %s.', $this->getServiceType(), $oAuthToken->clientId, $newAccessToken->getExpires()));
-
-                    $this->entityManager->persist($oAuthToken);
-                    $this->entityManager->flush();
-                break;
-            }
+        $accessToken = $authorization->getAccessToken();
+        if ($accessToken === null) {
+            throw new OAuthClientException(sprintf($this->getServiceType() . 'Failed getting an authenticated request for client ID "%s" because the authorization contained no access token', $authorization->getClientId()), 1589300319);
         }
 
-        $body = ($bodyFields !== [] ? \GuzzleHttp\json_encode($bodyFields) : '');
-
+        $oAuthProvider = $this->createOAuthProvider($authorization->getClientId(), $authorization->getClientSecret());
         return $oAuthProvider->getAuthenticatedRequest(
             $method,
             $this->getBaseUri() . $relativeUri,
-            $oAuthToken->getAccessToken(),
+            $authorization->getAccessToken(),
             [
                 'headers' => [
                     'Content-Type' => 'application/json'
                 ],
-                'body' => $body
+                'body' => ($bodyFields !== [] ? \GuzzleHttp\json_encode($bodyFields) : '')
             ]
         );
     }
 
     /**
+     * Sends an HTTP request to an OAuth 2.0 service provider using Bearer token authentication
+     *
+     * @param Authorization $authorization
      * @param string $relativeUri
      * @param string $method
      * @param array $bodyFields
      * @return Response
+     * @throws GuzzleException
+     * @throws OAuthClientException
      */
-    public function sendAuthenticatedRequest(string $relativeUri, string $method = 'GET', array $bodyFields = []): Response
+    public function sendAuthenticatedRequest(Authorization $authorization, string $relativeUri, string $method = 'GET', array $bodyFields = []): Response
     {
         if ($this->httpClient === null) {
-            $this->httpClient = new Client();
+            $this->httpClient = new Client(['allow_redirects' => false]);
         }
-        // FIXME
-#        return $this->httpClient->send($this->getAuthenticatedRequest($relativeUri, $method, $bodyFields));
+        return $this->httpClient->send($this->getAuthenticatedRequest($authorization, $relativeUri, $method, $bodyFields));
     }
 
     /**
      * @return string
-     * @throws
-     * FIXME
      */
     public function renderFinishAuthorizationUri(): string
     {
-        return '';
         $currentRequestHandler = $this->bootstrap->getActiveRequestHandler();
         if ($currentRequestHandler instanceof HttpRequestHandlerInterface) {
             $httpRequest = $currentRequestHandler->getHttpRequest();
