Add per grant type configuration options
HypeMC committed Apr 19, 2020
1 parent 5cdbbdc commit a1aefea
Showing 5 changed files with 607 additions and 88 deletions.
183 changes: 155 additions & 28 deletions DependencyInjection/Configuration.php
Expand Up @@ -8,6 +8,7 @@
use Symfony\Component\Config\Definition\Builder\NodeDefinition;
use Symfony\Component\Config\Definition\Builder\TreeBuilder;
use Symfony\Component\Config\Definition\ConfigurationInterface;
use Trikoder\Bundle\OAuth2Bundle\OAuth2Grants;

final class Configuration implements ConfigurationInterface
{
Expand All @@ -27,11 +28,11 @@ public function getConfigTreeBuilder(): TreeBuilder
$rootNode
->children()
->scalarNode('exception_event_listener_priority')
->info('The priority of the event listener that converts an Exception to a Response')
->info('The priority of the event listener that converts an Exception to a Response.')
->defaultValue(10)
->end()
->scalarNode('role_prefix')
->info('Set a custom prefix that replaces the default \'ROLE_OAUTH2_\' role prefix')
->info('Set a custom prefix that replaces the default "ROLE_OAUTH2_" role prefix.')
->defaultValue('ROLE_OAUTH2_')
->cannotBeEmpty()
->end()
Expand All @@ -55,7 +56,7 @@ private function createAuthorizationServerNode(): NodeDefinition
->cannotBeEmpty()
->end()
->scalarNode('private_key_passphrase')
->info('Passphrase of the private key, if any')
->info('Passphrase of the private key, if any.')
->defaultValue(null)
->end()
->scalarNode('encryption_key')
Expand All @@ -64,48 +65,174 @@ private function createAuthorizationServerNode(): NodeDefinition
->cannotBeEmpty()
->end()
->enumNode('encryption_key_type')
->info("The type of value of 'encryption_key'")
->info('The type of value of "encryption_key".')
->values(['plain', 'defuse'])
->defaultValue('plain')
->end()
->scalarNode('access_token_ttl')
->info("How long the issued access token should be valid for.\nThe value should be a valid interval: http://php.net/manual/en/dateinterval.construct.php#refsect1-dateinterval.construct-parameters")
->info("How long the issued access token should be valid for, used as a default if there is no grant type specific value set.\nThe value should be a valid interval: http://php.net/manual/en/dateinterval.construct.php#refsect1-dateinterval.construct-parameters")
->cannotBeEmpty()
->defaultValue('PT1H')
->end()
->scalarNode('refresh_token_ttl')
->info("How long the issued refresh token should be valid for.\nThe value should be a valid interval: http://php.net/manual/en/dateinterval.construct.php#refsect1-dateinterval.construct-parameters")
->info("How long the issued refresh token should be valid for, used as a default if there is no grant type specific value set.\nThe value should be a valid interval: http://php.net/manual/en/dateinterval.construct.php#refsect1-dateinterval.construct-parameters")
->cannotBeEmpty()
->defaultValue('P1M')
->end()

// @TODO Remove in v4 start

->scalarNode('auth_code_ttl')
->info("How long the issued auth code should be valid for.\nThe value should be a valid interval: http://php.net/manual/en/dateinterval.construct.php#refsect1-dateinterval.construct-parameters")
->info("How long the issued authorization code should be valid for.\nThe value should be a valid interval: http://php.net/manual/en/dateinterval.construct.php#refsect1-dateinterval.construct-parameters")
->cannotBeEmpty()
->defaultValue('PT10M')
->end()
->booleanNode('enable_client_credentials_grant')
->info('Whether to enable the client credentials grant')
->defaultTrue()
->setDeprecated('"%path%.%node%" is deprecated, use "%path%.grant_types.authorization_code.auth_code_ttl" instead.')
->beforeNormalization()
->ifNull()
->thenUnset()
->end()
->end()
->booleanNode('enable_password_grant')
->info('Whether to enable the password grant')
->defaultTrue()
->booleanNode('require_code_challenge_for_public_clients')
->info('Whether to require code challenge for public clients for the authorization code grant.')
->setDeprecated('"%path%.%node%" is deprecated, use "%path%.grant_types.authorization_code.require_code_challenge_for_public_clients" instead.')
->beforeNormalization()
->ifNull()
->thenUnset()
->end()
->end()
->booleanNode('enable_refresh_token_grant')
->info('Whether to enable the refresh token grant')
->defaultTrue()
->end()
;

foreach (OAuth2Grants::ALL as $grantType => $grantTypeName) {
$oldGrantType = 'authorization_code' === $grantType ? 'auth_code' : $grantType;

$node
->children()
->booleanNode(sprintf('enable_%s_grant', $oldGrantType))
->info(sprintf('Whether to enable the %s grant.', $grantTypeName))
->setDeprecated(sprintf('"%%path%%.%%node%%" is deprecated, use "%%path%%.grant_types.%s.enable" instead.', $grantType))
->beforeNormalization()
->ifNull()
->thenUnset()
->end()
->end()
->end()
->booleanNode('enable_auth_code_grant')
->info('Whether to enable the authorization code grant')
->defaultTrue()
;
}

// @TODO Remove in v4 end

$node->append($this->createAuthorizationServerGrantTypesNode());

$node
->validate()
->always(static function ($v): array {
$grantTypesWithRefreshToken = array_flip(OAuth2Grants::WITH_REFRESH_TOKEN);

foreach ($v['grant_types'] as $grantType => &$grantTypeConfig) {
$grantTypeConfig['access_token_ttl'] = $grantTypeConfig['access_token_ttl'] ?? $v['access_token_ttl'];

if (isset($grantTypesWithRefreshToken[$grantType])) {
$grantTypeConfig['refresh_token_ttl'] = $grantTypeConfig['refresh_token_ttl'] ?? $v['refresh_token_ttl'];
}

// @TODO Remove in v4 start
$oldGrantType = 'authorization_code' === $grantType ? 'auth_code' : $grantType;

$grantTypeConfig['enable'] = $v[sprintf('enable_%s_grant', $oldGrantType)] ?? $grantTypeConfig['enable'];

if ('authorization_code' === $grantType) {
$grantTypeConfig['auth_code_ttl'] = $v['auth_code_ttl'] ?? $grantTypeConfig['auth_code_ttl'];
$grantTypeConfig['require_code_challenge_for_public_clients'] = $v['require_code_challenge_for_public_clients']
?? $grantTypeConfig['require_code_challenge_for_public_clients'];
}
// @TODO Remove in v4 end
}

unset(
$v['access_token_ttl'],
$v['refresh_token_ttl'],
// @TODO Remove in v4 start
$v['enable_auth_code_grant'],
$v['enable_client_credentials_grant'],
$v['enable_implicit_grant'],
$v['enable_password_grant'],
$v['enable_refresh_token_grant'],
$v['auth_code_ttl'],
$v['require_code_challenge_for_public_clients']
// @TODO Remove in v4 end
);

return $v;
})
->end()
;

return $node;
}

private function createAuthorizationServerGrantTypesNode(): NodeDefinition
{
$treeBuilder = new TreeBuilder('grant_types');
$node = $treeBuilder->getRootNode();

$node
->info('Enable and configure grant types.')
->addDefaultsIfNotSet()
;

foreach (OAuth2Grants::ALL as $grantType => $grantTypeName) {
$node
->children()
->arrayNode($grantType)
->addDefaultsIfNotSet()
->children()
->booleanNode('enable')
->info(sprintf('Whether to enable the %s grant.', $grantTypeName))
->defaultTrue()
->end()
->scalarNode('access_token_ttl')
->info(sprintf('How long the issued access token should be valid for the %s grant.', $grantTypeName))
->cannotBeEmpty()
->beforeNormalization()
->ifNull()
->thenUnset()
->end()
->end()
->end()
->end()
->end()
->booleanNode('require_code_challenge_for_public_clients')
->info('Whether to require code challenge for public clients for the auth code grant')
->defaultTrue()
;
}

foreach (OAuth2Grants::WITH_REFRESH_TOKEN as $grantType) {
$node
->find($grantType)
->children()
->scalarNode('refresh_token_ttl')
->info(sprintf('How long the issued refresh token should be valid for the %s grant.', OAuth2Grants::ALL[$grantType]))
->cannotBeEmpty()
->beforeNormalization()
->ifNull()
->thenUnset()
->end()
->end()
->end()
->end()
->booleanNode('enable_implicit_grant')
->info('Whether to enable the implicit grant')
->defaultTrue()
;
}

$node
->find('authorization_code')
->children()
->scalarNode('auth_code_ttl')
->info("How long the issued authorization code should be valid for.\nThe value should be a valid interval: http://php.net/manual/en/dateinterval.construct.php#refsect1-dateinterval.construct-parameters")
->cannotBeEmpty()
->defaultValue('PT10M')
->end()
->booleanNode('require_code_challenge_for_public_clients')
->info('Whether to require code challenge for public clients for the authorization code grant.')
->defaultTrue()
->end()
->end()
->end()
;
Expand All @@ -122,7 +249,7 @@ private function createResourceServerNode(): NodeDefinition
->isRequired()
->children()
->scalarNode('public_key')
->info("Full path to the public key file\nHow to generate a public key: https://oauth2.thephpleague.com/installation/#generating-public-and-private-keys")
->info("Full path to the public key file.\nHow to generate a public key: https://oauth2.thephpleague.com/installation/#generating-public-and-private-keys")
->example('/var/oauth/public.key')
->isRequired()
->cannotBeEmpty()
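Review bot: In the `validate()->always()` closure of createAuthorizationServerNode, a deprecated top-level key wins whenever it is present: `$v[sprintf('enable_%s_grant', $oldGrantType)] ?? $grantTypeConfig['enable']`, and the matching lines for `auth_code_ttl` and `require_code_challenge_for_public_clients`, discard the `grant_types.*` value. A leftover legacy `require_code_challenge_for_public_clients: false` or `enable_password_grant: true` therefore appears to override a stricter `grant_types` setting without any error, which is the fail-open direction for both the PKCE requirement and grant enablement. If this precedence is intended for backward compatibility, it should be stated where it happens, e.g. `// Legacy top-level options override grant_types.* when both are set; remove the legacy key for the new value to apply.`, and repeated in the `setDeprecated()` messages. The same loop iterates with `&$grantTypeConfig` and would conventionally be followed by `unset($grantTypeConfig);`.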
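--- a/DependencyInjection/TrikoderOAuth2Extension.php
+++ b/DependencyInjection/TrikoderOAuth2Extension.php
@@ -150,38 +150,40 @@ private function configureAuthorizationServer(ContainerBuilder $container, array
 $authorizationServer->replaceArgument('$encryptionKey', new Reference('trikoder.oauth2.defuse_key'));
 }
 
-if ($config['enable_client_credentials_grant']) {
+$grantTypes = $config['grant_types'];
+
+if ($grantTypes['client_credentials']['enable']) {
 $authorizationServer->addMethodCall('enableGrantType', [
 new Reference(ClientCredentialsGrant::class),
-new Definition(DateInterval::class, [$config['access_token_ttl']]),
+new Definition(DateInterval::class, [$grantTypes['client_credentials']['access_token_ttl']]),
 ]);
 }
 
-if ($config['enable_password_grant']) {
+if ($grantTypes['password']['enable']) {
 $authorizationServer->addMethodCall('enableGrantType', [
 new Reference(PasswordGrant::class),
-new Definition(DateInterval::class, [$config['access_token_ttl']]),
+new Definition(DateInterval::class, [$grantTypes['password']['access_token_ttl']]),
 ]);
 }
 
-if ($config['enable_refresh_token_grant']) {
+if ($grantTypes['refresh_token']['enable']) {
 $authorizationServer->addMethodCall('enableGrantType', [
 new Reference(RefreshTokenGrant::class),
-new Definition(DateInterval::class, [$config['access_token_ttl']]),
+new Definition(DateInterval::class, [$grantTypes['refresh_token']['access_token_ttl']]),
 ]);
 }
 
-if ($config['enable_auth_code_grant']) {
+if ($grantTypes['authorization_code']['enable']) {
 $authorizationServer->addMethodCall('enableGrantType', [
 new Reference(AuthCodeGrant::class),
-new Definition(DateInterval::class, [$config['access_token_ttl']]),
+new Definition(DateInterval::class, [$grantTypes['authorization_code']['access_token_ttl']]),
 ]);
 }
 
-if ($config['enable_implicit_grant']) {
+if ($grantTypes['implicit']['enable']) {
 $authorizationServer->addMethodCall('enableGrantType', [
 new Reference(ImplicitGrant::class),
-new Definition(DateInterval::class, [$config['access_token_ttl']]),
+new Definition(DateInterval::class, [$grantTypes['implicit']['access_token_ttl']]),
 ]);
 }
 
@@ -190,34 +192,37 @@ private function configureAuthorizationServer(ContainerBuilder $container, array
 
 private function configureGrants(ContainerBuilder $container, array $config): void
 {
+$grantTypes = $config['grant_types'];
+
 $container
 ->getDefinition(PasswordGrant::class)
 ->addMethodCall('setRefreshTokenTTL', [
-new Definition(DateInterval::class, [$config['refresh_token_ttl']]),
+new Definition(DateInterval::class, [$grantTypes['password']['refresh_token_ttl']]),
 ])
 ;
 
 $container
 ->getDefinition(RefreshTokenGrant::class)
 ->addMethodCall('setRefreshTokenTTL', [
-new Definition(DateInterval::class, [$config['refresh_token_ttl']]),
+new Definition(DateInterval::class, [$grantTypes['refresh_token']['refresh_token_ttl']]),
 ])
 ;
 
 $authCodeGrantDefinition = $container->getDefinition(AuthCodeGrant::class);
-$authCodeGrantDefinition->replaceArgument('$authCodeTTL', new Definition(DateInterval::class, [$config['auth_code_ttl']]))
+$authCodeGrantDefinition
+->replaceArgument('$authCodeTTL', new Definition(DateInterval::class, [$grantTypes['authorization_code']['auth_code_ttl']]))
 ->addMethodCall('setRefreshTokenTTL', [
-new Definition(DateInterval::class, [$config['refresh_token_ttl']]),
+new Definition(DateInterval::class, [$grantTypes['authorization_code']['refresh_token_ttl']]),
 ])
 ;
 
-if (false === $config['require_code_challenge_for_public_clients']) {
+if (false === $grantTypes['authorization_code']['require_code_challenge_for_public_clients']) {
 $authCodeGrantDefinition->addMethodCall('disableRequireCodeChallengeForPublicClients');
 }
 
 $container
 ->getDefinition(ImplicitGrant::class)
-->replaceArgument('$accessTokenTTL', new Definition(DateInterval::class, [$config['access_token_ttl']]))
+->replaceArgument('$accessTokenTTL', new Definition(DateInterval::class, [$grantTypes['implicit']['access_token_ttl']]))
 ;
 }
 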
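Review bot: The five `enableGrantType` blocks in configureAuthorizationServer differ only in the grant key and the grant class, and each repeats its key as a string literal in two places, so the enable flag and the `access_token_ttl` lookup can end up on different keys after an edit. A single ordered map from grant key to grant class, looped once, keeps both lookups on the same key and leaves one place to extend if another grant is added to the configuration. The sketch keeps the existing registration order; the function body starts and ends outside the hunk.

```php
$grantTypes = $config['grant_types'];

$grantClasses = [
    'client_credentials' => ClientCredentialsGrant::class,
    'password' => PasswordGrant::class,
    'refresh_token' => RefreshTokenGrant::class,
    'authorization_code' => AuthCodeGrant::class,
    'implicit' => ImplicitGrant::class,
];

foreach ($grantClasses as $grantType => $grantClass) {
    if (!$grantTypes[$grantType]['enable']) {
        continue;
    }

    $authorizationServer->addMethodCall('enableGrantType', [
        new Reference($grantClass),
        new Definition(DateInterval::class, [$grantTypes[$grantType]['access_token_ttl']]),
    ]);
}
```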
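--- a/OAuth2Grants.php
+++ b/OAuth2Grants.php
@@ -41,14 +41,27 @@ final class OAuth2Grants
 */
 public const REFRESH_TOKEN = 'refresh_token';
 
+public const WITH_REFRESH_TOKEN = [
+'authorization_code',
+'password',
+'refresh_token',
+];
+
+public const ALL = [
+self::AUTHORIZATION_CODE => 'authorization code',
+self::CLIENT_CREDENTIALS => 'client credentials',
+self::IMPLICIT => 'implicit',
+self::PASSWORD => 'password',
+self::REFRESH_TOKEN => 'refresh token',
+];
+
+/**
+* @deprecated Will be removed in v4, use {@see OAuth2Grants::ALL} instead
+*
+* @TODO Remove in v4.
+*/
 public static function has(string $grant): bool
 {
-return \in_array($grant, [
-self::CLIENT_CREDENTIALS,
-self::PASSWORD,
-self::REFRESH_TOKEN,
-self::AUTHORIZATION_CODE,
-self::IMPLICIT,
-]);
+return isset(self::ALL[$grant]);
 }
 }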
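Review bot: `WITH_REFRESH_TOKEN` spells the grant identifiers as string literals while `ALL`, declared directly below it, keys on the class constants, so the two lists can drift apart with no static check. Writing the entries as `self::AUTHORIZATION_CODE,`, `self::PASSWORD,`, `self::REFRESH_TOKEN,` ties them to the same definitions, which matters because Configuration.php indexes `OAuth2Grants::ALL[$grantType]` with each `WITH_REFRESH_TOKEN` entry. Both new constants also lack the docblock that the neighbouring constants appear to carry; a one-line comment on each would help, for `ALL` something like `/** Map of grant identifier to the human-readable name used in configuration descriptions. */`.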