simplesamlphp-module-oidc/src/Entities/AccessTokenEntity.php at ce15fae75dc06cfd80d0bebc4a82c8c65c8d9c65 · mrvanes/simplesamlphp-module-oidc · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
<?php

declare(strict_types=1);

/*
 * This file is part of the simplesamlphp-module-oidc.
 *
 * Copyright (C) 2018 by the Spanish Research and Academic Network.
 *
 * This code was developed by Universidad de Córdoba (UCO https://www.uco.es)
 * for the RedIRIS SIR service (SIR: http://www.rediris.es/sir)
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */

namespace SimpleSAML\Module\oidc\Entities;

use DateTimeImmutable;
use Lcobucci\JWT\Configuration;
use Lcobucci\JWT\Token;
use League\OAuth2\Server\CryptKey;
use League\OAuth2\Server\Entities\ClientEntityInterface as OAuth2ClientEntityInterface;
use League\OAuth2\Server\Entities\Traits\AccessTokenTrait;
use League\OAuth2\Server\Entities\Traits\EntityTrait;
use League\OAuth2\Server\Entities\Traits\TokenEntityTrait;
use SimpleSAML\Module\oidc\Codebooks\FlowTypeEnum;
use SimpleSAML\Module\oidc\Entities\Interfaces\AccessTokenEntityInterface;
use SimpleSAML\Module\oidc\Entities\Interfaces\EntityStringRepresentationInterface;
use SimpleSAML\Module\oidc\Entities\Traits\AssociateWithAuthCodeTrait;
use SimpleSAML\Module\oidc\Entities\Traits\RevokeTokenTrait;
use SimpleSAML\Module\oidc\Services\JsonWebTokenBuilderService;
use Stringable;

/**
 * @psalm-suppress PropertyNotSetInConstructor
 */
class AccessTokenEntity implements AccessTokenEntityInterface, EntityStringRepresentationInterface, Stringable
{
    use AccessTokenTrait;
    use TokenEntityTrait;
    use EntityTrait;
    use RevokeTokenTrait;
    use AssociateWithAuthCodeTrait;

    /**
     * String representation of access token issued to the client.
     * @var string|null $stringRepresentation
     */
    protected ?string $stringRepresentation = null;

    /**
     * Claims that were individual requested
     * @var array $requestedClaims
     */
    protected array $requestedClaims;

    /**
     * @param \League\OAuth2\Server\Entities\ScopeEntityInterface[] $scopes
     */
    public function __construct(
        string $id,
        OAuth2ClientEntityInterface $clientEntity,
        array $scopes,
        DateTimeImmutable $expiryDateTime,
        CryptKey $privateKey,
        protected JsonWebTokenBuilderService $jsonWebTokenBuilderService,
        int|string|null $userIdentifier = null,
        ?string $authCodeId = null,
        ?array $requestedClaims = null,
        ?bool $isRevoked = false,
        ?Configuration $jwtConfiguration = null,
        protected readonly ?FlowTypeEnum $flowTypeEnum = null,
        protected readonly ?array $authorizationDetails = null,
        protected readonly ?string $boundClientId = null,
        protected readonly ?string $boundRedirectUri = null,
        protected readonly ?string $issuerState = null,
    ) {
        $this->setIdentifier($id);
        $this->setClient($clientEntity);
        foreach ($scopes as $scope) {
            $this->addScope($scope);
        }
        $this->setExpiryDateTime($expiryDateTime);
        $this->setPrivateKey($privateKey);
        $this->setUserIdentifier($userIdentifier);
        $this->setAuthCodeId($authCodeId);
        $this->setRequestedClaims($requestedClaims ?? []);
        if ($isRevoked) {
            $this->revoke();
        }
        $jwtConfiguration !== null ? $this->jwtConfiguration = $jwtConfiguration : $this->initJwtConfiguration();
    }

    /**
     * @return array
     */
    public function getRequestedClaims(): array
    {
        return $this->requestedClaims;
    }

    public function setRequestedClaims(array $requestedClaims): void
    {
        $this->requestedClaims = $requestedClaims;
    }

    /**
     * {@inheritdoc}
     * @throws \JsonException
     */
    public function getState(): array
    {
        return [
            'id' => $this->getIdentifier(),
            'scopes' => json_encode($this->scopes, JSON_THROW_ON_ERROR),
            'expires_at' => $this->getExpiryDateTime()->format('Y-m-d H:i:s'),
            'user_id' => $this->getUserIdentifier(),
            'client_id' => $this->getClient()->getIdentifier(),
            'is_revoked' => $this->isRevoked(),
            'auth_code_id' => $this->getAuthCodeId(),
            'requested_claims' => json_encode($this->requestedClaims, JSON_THROW_ON_ERROR),
            'flow_type' => $this->flowTypeEnum?->value,
            'authorization_details' => is_array($this->authorizationDetails) ?
                json_encode($this->authorizationDetails, JSON_THROW_ON_ERROR) :
                null,
            'bound_client_id' => $this->boundClientId,
            'bound_redirect_uri' => $this->boundRedirectUri,
            'issuer_state' => $this->issuerState,
        ];
    }

    /**
     * Generate string representation, save it in a field, and return it.
     * @return string
     * @throws \League\OAuth2\Server\Exception\OAuthServerException
     */
    public function __toString(): string
    {
        return $this->stringRepresentation = $this->convertToJWT()->toString();
    }

    /**
     * Get string representation of access token at the moment of casting it to string.
     * @return string|null String representation or null if it was not cast to string yet.
     */
    public function toString(): ?string
    {
        return $this->stringRepresentation;
    }

    /**
     * Implemented instead of original AccessTokenTrait::convertToJWT() method in order to remove microseconds from
     * timestamps and to add claims like iss, etc., by using our own JWT builder service.
     *
     * @return \Lcobucci\JWT\Token
     * @throws \League\OAuth2\Server\Exception\OAuthServerException
     * @throws \Exception
     */
    protected function convertToJWT(): Token
    {
        /** @psalm-suppress ArgumentTypeCoercion */
        $jwtBuilder = $this->jsonWebTokenBuilderService->getProtocolJwtBuilder()
            ->permittedFor($this->getClient()->getIdentifier())
            ->identifiedBy((string)$this->getIdentifier())
            ->issuedAt(new DateTimeImmutable())
            ->canOnlyBeUsedAfter(new DateTimeImmutable())
            ->expiresAt($this->getExpiryDateTime())
            ->relatedTo((string) $this->getUserIdentifier())
            ->withClaim('scopes', $this->getScopes());
        if ($this->issuerState !== null) {
            $jwtBuilder = $jwtBuilder->withClaim('issuer_state', $this->issuerState);
        }

        return $this->jsonWebTokenBuilderService->getSignedProtocolJwt($jwtBuilder);
    }

    public function getFlowTypeEnum(): ?FlowTypeEnum
    {
        return $this->flowTypeEnum;
    }

    public function getAuthorizationDetails(): ?array
    {
        return $this->authorizationDetails;
    }

    public function getBoundClientId(): ?string
    {
        return $this->boundClientId;
    }

    public function getBoundRedirectUri(): ?string
    {
        return $this->boundRedirectUri;
    }

    public function getIssuerState(): ?string
    {
        return $this->issuerState;
    }
}