Merge pull request #2 from chalasr/readd-deprecated-grants

Adding back deprecated password & implicit grants

Author: chalasr

src/DependencyInjection/Configuration.php

@@ -87,6 +87,10 @@ private function createAuthorizationServerNode(): NodeDefinition
                     ->info('Whether to enable the client credentials grant')
                     ->defaultTrue()
                 ->end()
+                ->booleanNode('enable_password_grant')
+                    ->info('Whether to enable the password grant')
+                    ->defaultTrue()
+                ->end()
                 ->booleanNode('enable_refresh_token_grant')
                     ->info('Whether to enable the refresh token grant')
                     ->defaultTrue()
@@ -99,6 +103,10 @@ private function createAuthorizationServerNode(): NodeDefinition
                     ->info('Whether to require code challenge for public clients for the auth code grant')
                     ->defaultTrue()
                 ->end()
+                ->booleanNode('enable_implicit_grant')
+                    ->info('Whether to enable the implicit grant')
+                    ->defaultTrue()
+                ->end()
             ->end()
         ;
 

src/DependencyInjection/LeagueOAuth2ServerExtension.php

@@ -25,6 +25,8 @@
 use League\OAuth2\Server\CryptKey;
 use League\OAuth2\Server\Grant\AuthCodeGrant;
 use League\OAuth2\Server\Grant\ClientCredentialsGrant;
+use League\OAuth2\Server\Grant\ImplicitGrant;
+use League\OAuth2\Server\Grant\PasswordGrant;
 use League\OAuth2\Server\Grant\RefreshTokenGrant;
 use League\OAuth2\Server\ResourceServer;
 use LogicException;
@@ -155,6 +157,13 @@ private function configureAuthorizationServer(ContainerBuilder $container, array
             ]);
         }
 
+        if ($config['enable_password_grant']) {
+            $authorizationServer->addMethodCall('enableGrantType', [
+                new Reference(PasswordGrant::class),
+                new Definition(DateInterval::class, [$config['access_token_ttl']]),
+            ]);
+        }
+
         if ($config['enable_refresh_token_grant']) {
             $authorizationServer->addMethodCall('enableGrantType', [
                 new Reference(RefreshTokenGrant::class),
@@ -169,11 +178,25 @@ private function configureAuthorizationServer(ContainerBuilder $container, array
             ]);
         }
 
+        if ($config['enable_implicit_grant']) {
+            $authorizationServer->addMethodCall('enableGrantType', [
+                new Reference(ImplicitGrant::class),
+                new Definition(DateInterval::class, [$config['access_token_ttl']]),
+            ]);
+        }
+
         $this->configureGrants($container, $config);
     }
 
     private function configureGrants(ContainerBuilder $container, array $config): void
     {
+        $container
+            ->getDefinition(PasswordGrant::class)
+            ->addMethodCall('setRefreshTokenTTL', [
+                new Definition(DateInterval::class, [$config['refresh_token_ttl']]),
+            ])
+        ;
+
         $container
             ->getDefinition(RefreshTokenGrant::class)
             ->addMethodCall('setRefreshTokenTTL', [
@@ -191,6 +214,11 @@ private function configureGrants(ContainerBuilder $container, array $config): vo
         if (false === $config['require_code_challenge_for_public_clients']) {
             $authCodeGrantDefinition->addMethodCall('disableRequireCodeChallengeForPublicClients');
         }
+
+        $container
+            ->getDefinition(ImplicitGrant::class)
+            ->replaceArgument('$accessTokenTTL', new Definition(DateInterval::class, [$config['access_token_ttl']]))
+        ;
     }
 
     /**

src/Event/UserResolveEvent.php

@@ -0,0 +1,78 @@
+<?php
+
+declare(strict_types=1);
+
+namespace League\Bundle\OAuth2ServerBundle\Event;
+
+use League\Bundle\OAuth2ServerBundle\Model\Client;
+use League\Bundle\OAuth2ServerBundle\Model\Grant;
+use Symfony\Component\Security\Core\User\UserInterface;
+use Symfony\Contracts\EventDispatcher\Event;
+
+final class UserResolveEvent extends Event
+{
+    /**
+     * @var string
+     */
+    private $username;
+
+    /**
+     * @var string
+     */
+    private $password;
+
+    /**
+     * @var Grant
+     */
+    private $grant;
+
+    /**
+     * @var Client
+     */
+    private $client;
+
+    /**
+     * @var UserInterface|null
+     */
+    private $user;
+
+    public function __construct(string $username, string $password, Grant $grant, Client $client)
+    {
+        $this->username = $username;
+        $this->password = $password;
+        $this->grant = $grant;
+        $this->client = $client;
+    }
+
+    public function getUsername(): string
+    {
+        return $this->username;
+    }
+
+    public function getPassword(): string
+    {
+        return $this->password;
+    }
+
+    public function getGrant(): Grant
+    {
+        return $this->grant;
+    }
+
+    public function getClient(): Client
+    {
+        return $this->client;
+    }
+
+    public function getUser(): ?UserInterface
+    {
+        return $this->user;
+    }
+
+    public function setUser(?UserInterface $user): self
+    {
+        $this->user = $user;
+
+        return $this;
+    }
+}

src/League/Repository/ScopeRepository.php

@@ -11,6 +11,7 @@
 use League\Bundle\OAuth2ServerBundle\Model\Client as ClientModel;
 use League\Bundle\OAuth2ServerBundle\Model\Grant as GrantModel;
 use League\Bundle\OAuth2ServerBundle\Model\Scope as ScopeModel;
+use League\Bundle\OAuth2ServerBundle\OAuth2Events;
 use League\OAuth2\Server\Entities\ClientEntityInterface;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
@@ -78,7 +79,13 @@ public function finalizeScopes(
         $scopes = $this->setupScopes($client, $this->scopeConverter->toDomainArray($scopes));
 
         $event = $this->eventDispatcher->dispatch(
-            new ScopeResolveEvent($scopes, new GrantModel($grantType), $client, $userIdentifier)
+            new ScopeResolveEvent(
+                $scopes,
+                new GrantModel($grantType),
+                $client,
+                $userIdentifier
+            ),
+            OAuth2Events::SCOPE_RESOLVE
         );
 
         return $this->scopeConverter->toLeagueArray($event->getScopes());

src/League/Repository/UserRepository.php

@@ -0,0 +1,72 @@
+<?php
+
+declare(strict_types=1);
+
+namespace League\Bundle\OAuth2ServerBundle\League\Repository;
+
+use League\Bundle\OAuth2ServerBundle\Converter\UserConverterInterface;
+use League\Bundle\OAuth2ServerBundle\Event\UserResolveEvent;
+use League\Bundle\OAuth2ServerBundle\Manager\ClientManagerInterface;
+use League\Bundle\OAuth2ServerBundle\Model\Grant as GrantModel;
+use League\Bundle\OAuth2ServerBundle\OAuth2Events;
+use League\OAuth2\Server\Entities\ClientEntityInterface;
+use League\OAuth2\Server\Repositories\UserRepositoryInterface;
+use Symfony\Component\EventDispatcher\EventDispatcherInterface;
+
+final class UserRepository implements UserRepositoryInterface
+{
+    /**
+     * @var ClientManagerInterface
+     */
+    private $clientManager;
+
+    /**
+     * @var EventDispatcherInterface
+     */
+    private $eventDispatcher;
+
+    /**
+     * @var UserConverterInterface
+     */
+    private $userConverter;
+
+    public function __construct(
+        ClientManagerInterface $clientManager,
+        EventDispatcherInterface $eventDispatcher,
+        UserConverterInterface $userConverter
+    ) {
+        $this->clientManager = $clientManager;
+        $this->eventDispatcher = $eventDispatcher;
+        $this->userConverter = $userConverter;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getUserEntityByUserCredentials(
+        $username,
+        $password,
+        $grantType,
+        ClientEntityInterface $clientEntity
+    ) {
+        $client = $this->clientManager->find($clientEntity->getIdentifier());
+
+        $event = $this->eventDispatcher->dispatch(
+            new UserResolveEvent(
+                $username,
+                $password,
+                new GrantModel($grantType),
+                $client
+            ),
+            OAuth2Events::USER_RESOLVE
+        );
+
+        $user = $event->getUser();
+
+        if (null === $user) {
+            return null;
+        }
+
+        return $this->userConverter->toLeague($user);
+    }
+}

src/OAuth2Events.php

@@ -6,6 +6,14 @@
 
 final class OAuth2Events
 {
+    /**
+     * The USER_RESOLVE event occurs when the client requests a "password"
+     * grant type from the authorization server.
+     *
+     * You should set a valid user here if applicable.
+     */
+    public const USER_RESOLVE = 'league.oauth2-server.user_resolve';
+
     /**
      * The SCOPE_RESOLVE event occurs right before the user obtains their
      * valid access token.
@@ -16,7 +24,7 @@ final class OAuth2Events
 
     /**
      * The AUTHORIZATION_REQUEST_RESOLVE event occurs right before the system
-     * completes the authorization request.
+     * complete the authorization request.
      *
      * You could approve or deny the authorization request, or set the uri where
      * must be redirected to resolve the authorization request.

src/OAuth2Grants.php

@@ -21,6 +21,19 @@ final class OAuth2Grants
     public const CLIENT_CREDENTIALS = 'client_credentials';
 
     /**
+     * @see https://tools.ietf.org/html/rfc6749#section-1.3.2
+     *
+     * @var string
+     */
+    public const IMPLICIT = 'implicit';
+
+    /**
+     * @see https://tools.ietf.org/html/rfc6749#section-1.3.3
+     *
+     * @var string
+     */
+    public const PASSWORD = 'password';
+
     /**
      * @see https://tools.ietf.org/html/rfc6749#section-6
      *
@@ -32,8 +45,10 @@ public static function has(string $grant): bool
     {
         return \in_array($grant, [
             self::CLIENT_CREDENTIALS,
+            self::PASSWORD,
             self::REFRESH_TOKEN,
             self::AUTHORIZATION_CODE,
+            self::IMPLICIT,
         ]);
     }
 }

src/Resources/config/services.xml

@@ -31,6 +31,13 @@
         </service>
         <service id="League\OAuth2\Server\Repositories\ScopeRepositoryInterface" alias="League\Bundle\OAuth2ServerBundle\League\Repository\ScopeRepository" />
 
+        <service id="League\Bundle\OAuth2ServerBundle\League\Repository\UserRepository">
+            <argument type="service" id="League\Bundle\OAuth2ServerBundle\Manager\ClientManagerInterface" />
+            <argument type="service" id="Symfony\Component\EventDispatcher\EventDispatcherInterface" />
+            <argument type="service" id="League\Bundle\OAuth2ServerBundle\Converter\UserConverter" />
+        </service>
+        <service id="League\OAuth2\Server\Repositories\UserRepositoryInterface" alias="League\Bundle\OAuth2ServerBundle\League\Repository\UserRepository" />
+
         <service id="League\Bundle\OAuth2ServerBundle\League\Repository\AuthCodeRepository">
             <argument type="service" id="League\Bundle\OAuth2ServerBundle\Manager\AuthorizationCodeManagerInterface" />
             <argument type="service" id="League\Bundle\OAuth2ServerBundle\Manager\ClientManagerInterface" />
@@ -80,6 +87,12 @@
         <service id="League\OAuth2\Server\Grant\ClientCredentialsGrant" />
         <service id="league.oauth2.server.grant.client_credentials_grant" alias="League\OAuth2\Server\Grant\ClientCredentialsGrant" />
 
+        <service id="League\OAuth2\Server\Grant\PasswordGrant">
+            <argument type="service" id="League\OAuth2\Server\Repositories\UserRepositoryInterface" />
+            <argument type="service" id="League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface" />
+        </service>
+        <service id="league.oauth2.server.grant.password_grant" alias="League\OAuth2\Server\Grant\PasswordGrant" />
+
         <service id="League\OAuth2\Server\Grant\RefreshTokenGrant">
             <argument type="service" id="League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface" />
         </service>
@@ -92,6 +105,11 @@
         </service>
         <service id="league.oauth2.server.grant.auth_code_grant" alias="League\OAuth2\Server\Grant\AuthCodeGrant" />
 
+        <service id="League\OAuth2\Server\Grant\ImplicitGrant">
+            <argument key="$accessTokenTTL" />
+        </service>
+        <service id="league.oauth2.server.grant.implicit_grant" alias="League\OAuth2\Server\Grant\ImplicitGrant" />
+
         <!-- Authorization controller -->
         <service id="League\Bundle\OAuth2ServerBundle\Controller\AuthorizationController">
             <argument type="service" id="League\OAuth2\Server\AuthorizationServer" />

tests/Acceptance/AuthorizationEndpointTest.php

@@ -294,6 +294,46 @@ public function testAuthCodeRequestWithClientWhoIsAllowedToMakeARequestWithPlain
         $this->assertSame(FixtureFactory::FIXTURE_PUBLIC_CLIENT_ALLOWED_TO_USE_PLAIN_CHALLENGE_METHOD, $authCode->getClient()->getIdentifier());
     }
 
+    public function testSuccessfulTokenRequest(): void
+    {
+        $this->client
+            ->getContainer()
+            ->get('event_dispatcher')
+            ->addListener(OAuth2Events::AUTHORIZATION_REQUEST_RESOLVE, static function (AuthorizationRequestResolveEvent $event): void {
+                $event->resolveAuthorization(AuthorizationRequestResolveEvent::AUTHORIZATION_APPROVED);
+            });
+
+        timecop_freeze(new DateTimeImmutable());
+
+        try {
+            $this->client->request(
+                'GET',
+                '/authorize',
+                [
+                    'client_id' => FixtureFactory::FIXTURE_CLIENT_FIRST,
+                    'response_type' => 'token',
+                    'state' => 'foobar',
+                ]
+            );
+        } finally {
+            timecop_return();
+        }
+
+        $response = $this->client->getResponse();
+
+        $this->assertSame(302, $response->getStatusCode());
+        $redirectUri = $response->headers->get('Location');
+
+        $this->assertStringStartsWith(FixtureFactory::FIXTURE_CLIENT_FIRST_REDIRECT_URI, $redirectUri);
+        $fragment = [];
+        parse_str(parse_url($redirectUri, PHP_URL_FRAGMENT), $fragment);
+        $this->assertArrayHasKey('access_token', $fragment);
+        $this->assertArrayHasKey('token_type', $fragment);
+        $this->assertArrayHasKey('expires_in', $fragment);
+        $this->assertArrayHasKey('state', $fragment);
+        $this->assertEquals('foobar', $fragment['state']);
+    }
+
     public function testCodeRequestRedirectToResolutionUri(): void
     {
         $this->client