Merge branch 'feature/token_revocation'

Author: chervand

Module.php

@@ -12,6 +12,7 @@
 use chervand\yii2\oauth2\server\components\ResponseTypes\MacTokenResponse;
 use chervand\yii2\oauth2\server\components\Server\AuthorizationServer;
 use chervand\yii2\oauth2\server\controllers\AuthorizeController;
+use chervand\yii2\oauth2\server\controllers\RevokeController;
 use chervand\yii2\oauth2\server\controllers\TokenController;
 use chervand\yii2\oauth2\server\models\Client;
 use League\OAuth2\Server\CryptKey;
@@ -48,6 +49,10 @@ class Module extends \yii\base\Module implements BootstrapInterface
             'class' => AuthorizeController::class,
             'as corsFilter' => Cors::class,
         ],
+        'revoke' => [
+            'class' => RevokeController::class,
+            'as corsFilter' => Cors::class,
+        ],
         'token' => [
             'class' => TokenController::class,
             'as corsFilter' => Cors::class,
@@ -121,7 +126,8 @@ public function bootstrap($app)
                 ],
                 'rules' => ArrayHelper::merge([
                     ['controller' => $this->uniqueId . '/authorize'],
-                    ['controller' => $this->uniqueId . '/token']
+                    ['controller' => $this->uniqueId . '/revoke'],
+                    ['controller' => $this->uniqueId . '/token'],
                 ], $this->urlManagerRules)
             ]))->rules, false);
     }

README.md

@@ -3,6 +3,8 @@
 `chervand/yii2-oauth2-server` is a `Yii 2.0 PHP Framework` integration of [`thephpleague/oauth2-server`](https://github.com/thephpleague/oauth2-server) library which implements a standards compliant [`OAuth 2.0 Server`](https://tools.ietf.org/html/rfc6749) for PHP. It supports all of the grants defined in the specification with usage of `JWT` `Bearer` tokens.
 
 `chervand/yii2-oauth2-server` additionally provides [`MAC`](https://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-05) tokens support, which is not supported by the original library, because `MAC` tokens specification is currently in draft and it was not updated since 2014, so it's a pretty experimental feature.
+ 
+ It also includes tokens revocation implementation based on [RFC7009](https://tools.ietf.org/html/rfc7009).
 
 ## Installation
 
@@ -62,14 +64,18 @@ return [
                 $server->enableGrantType(new \League\OAuth2\Server\Grant\ImplicitGrant(
                     new \DateInterval('PT1H')
                 ));
-                $server->enableGrantType(new \League\OAuth2\Server\Grant\RefreshTokenGrant(
-                    $module->refreshTokenRepository
-                ));
                 $server->enableGrantType(new \League\OAuth2\Server\Grant\PasswordGrant(
                     $module->userRepository,
                     $module->refreshTokenRepository
                 ));
                 $server->enableGrantType(new \League\OAuth2\Server\Grant\ClientCredentialsGrant());
+                $server->enableGrantType(new \League\OAuth2\Server\Grant\RefreshTokenGrant(
+                    $module->refreshTokenRepository
+                ));
+                $server->enableGrantType(new \chervand\yii2\oauth2\server\components\Grant\RevokeGrant(
+                    $module->refreshTokenRepository,
+                    $module->publicKey
+                ));
             },
         ],
         // ...

components/Grant/RevokeGrant.php

@@ -0,0 +1,172 @@
+<?php
+/**
+ *
+ */
+
+namespace chervand\yii2\oauth2\server\components\Grant;
+
+use Lcobucci\JWT\Parser;
+use Lcobucci\JWT\Signer\Rsa\Sha256;
+use League\OAuth2\Server\CryptKey;
+use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\Grant\AbstractGrant;
+use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
+use League\OAuth2\Server\RequestEvent;
+use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
+use Psr\Http\Message\ServerRequestInterface;
+
+class RevokeGrant extends AbstractGrant
+{
+    /**
+     * @var \League\OAuth2\Server\CryptKey
+     */
+    protected $publicKey;
+
+
+    /**
+     * RevokeGrant constructor.
+     * @param RefreshTokenRepositoryInterface $refreshTokenRepository
+     * @param CryptKey $publicKey
+     */
+    public function __construct(RefreshTokenRepositoryInterface $refreshTokenRepository, CryptKey $publicKey)
+    {
+        $this->setRefreshTokenRepository($refreshTokenRepository);
+        $this->setPublicKey($publicKey);
+    }
+
+    public function setPublicKey(CryptKey $key)
+    {
+        $this->publicKey = $key;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getIdentifier()
+    {
+        return 'revoke';
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function respondToAccessTokenRequest(
+        ServerRequestInterface $request,
+        ResponseTypeInterface $responseType,
+        \DateInterval $accessTokenTTL
+    )
+    {
+        throw new \LogicException('This grant does not used this method');
+    }
+
+    /**
+     * "Note: invalid tokens do not cause an error response since the client
+     * cannot handle such an error in a reasonable way. Moreover, the
+     * purpose of the revocation request, invalidating the particular token,
+     * is already achieved."
+     *
+     * @see https://tools.ietf.org/html/rfc7009#section-2.2
+     *
+     * @param ServerRequestInterface $request
+     * @param ResponseTypeInterface $response
+     * @return mixed
+     * @throws OAuthServerException
+     */
+    public function respondToRevokeTokenRequest(
+        ServerRequestInterface $request,
+        ResponseTypeInterface $response
+    )
+    {
+        $client = $this->validateClient($request);
+        $this->invalidateToken($request, $client->getIdentifier());
+
+        return $response;
+    }
+
+    /**
+     * "If the server is unable to locate the token using
+     * the given hint, it MUST extend its search across all of its
+     * supported token types."
+     *
+     * @see https://tools.ietf.org/html/rfc7009#section-2.1
+     *
+     * @param ServerRequestInterface $request
+     * @param $clientId
+     */
+    protected function invalidateToken(ServerRequestInterface $request, $clientId)
+    {
+        $tokenTypeHint = $this->getRequestParameter('token_type_hint', $request);
+
+        $callStack = $tokenTypeHint == 'refresh_token'
+            ? ['invalidateRefreshToken', 'invalidateAccessToken']
+            : ['invalidateAccessToken', 'invalidateRefreshToken'];
+
+        foreach ($callStack as $function) {
+            if (call_user_func([$this, $function], $request, $clientId) === true) {
+                break;
+            }
+        }
+    }
+
+    /**
+     * @param ServerRequestInterface $request
+     * @param $clientId
+     * @return bool
+     */
+    protected function invalidateAccessToken(ServerRequestInterface $request, $clientId)
+    {
+        $accessToken = $this->getRequestParameter('token', $request);
+        if (is_null($accessToken)) {
+            throw OAuthServerException::invalidRequest('token');
+        }
+
+        try {
+            $token = (new Parser())->parse($accessToken);
+        } catch (\Exception $exception) {
+            return false;
+        }
+
+        if ($token->verify(new Sha256(), $this->publicKey->getKeyPath()) === false) {
+            throw OAuthServerException::accessDenied('Access token could not be verified');
+        }
+
+        if ($token->getClaim('aud') !== $clientId) {
+            $this->getEmitter()->emit(new RequestEvent(RequestEvent::REFRESH_TOKEN_CLIENT_FAILED, $request));
+            throw OAuthServerException::invalidRefreshToken('Token is not linked to client');
+        }
+
+        $this->accessTokenRepository->revokeAccessToken($token->getClaim('jti'));
+
+        return true;
+    }
+
+    /**
+     * @param ServerRequestInterface $request
+     * @param $clientId
+     * @return bool
+     */
+    protected function invalidateRefreshToken(ServerRequestInterface $request, $clientId)
+    {
+        $encryptedRefreshToken = $this->getRequestParameter('token', $request);
+        if (is_null($encryptedRefreshToken)) {
+            throw OAuthServerException::invalidRequest('token');
+        }
+
+        try {
+            $refreshToken = $this->decrypt($encryptedRefreshToken);
+        } catch (\Exception $exception) {
+            return false;
+        }
+
+        $refreshTokenData = json_decode($refreshToken, true);
+        if ($refreshTokenData['client_id'] !== $clientId) {
+            $this->getEmitter()->emit(new RequestEvent(RequestEvent::REFRESH_TOKEN_CLIENT_FAILED, $request));
+            throw OAuthServerException::invalidRefreshToken('Token is not linked to client');
+        }
+
+        $this->accessTokenRepository->revokeAccessToken($refreshTokenData['access_token_id']);
+        $this->refreshTokenRepository->revokeRefreshToken($refreshTokenData['refresh_token_id']);
+
+        return true;
+    }
+}

components/Repositories/RefreshTokenRepository.php

@@ -33,32 +33,29 @@ public function getNewRefreshToken()
      */
     public function persistNewRefreshToken(RefreshTokenEntityInterface $refreshTokenEntity)
     {
-        if (
-            $refreshTokenEntity instanceof RefreshToken
-            && $refreshTokenEntity->save()
-        ) {
-            return $refreshTokenEntity;
+        if ($refreshTokenEntity instanceof RefreshToken) {
+            $refreshTokenEntity->setAttribute(
+                'expired_at',
+                $refreshTokenEntity->getExpiryDateTime()->getTimestamp()
+            );
+            if ($refreshTokenEntity->save()) {
+                return $refreshTokenEntity;
+            }
         }
 
         throw OAuthServerException::serverError('Refresh token failure');
     }
 
     /**
      * {@inheritdoc}
-     *
-     * @throws OAuthServerException
      */
     public function revokeRefreshToken($tokenId)
     {
-        $updated = RefreshToken::updateAll(
+        RefreshToken::updateAll(
             ['status' => RefreshToken::STATUS_REVOKED],
             'identifier=:identifier',
             [':identifier' => $tokenId]
         );
-
-        if ($updated < 1) {
-            throw OAuthServerException::invalidRefreshToken('Cannot revoke the refresh token');
-        }
     }
 
     /**

components/ResponseTypes/RevokeResponse.php

@@ -0,0 +1,27 @@
+<?php
+
+namespace chervand\yii2\oauth2\server\components\ResponseTypes;
+
+use League\OAuth2\Server\ResponseTypes\AbstractResponseType;
+use Psr\Http\Message\ResponseInterface;
+
+/**
+ * Class RevokeResponse
+ * @package chervand\yii2\oauth2\server\components
+ * @link https://tools.ietf.org/html/rfc7009
+ */
+class RevokeResponse extends AbstractResponseType
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function generateHttpResponse(ResponseInterface $response)
+    {
+        $response = $response
+            ->withStatus(200)
+            ->withHeader('pragma', 'no-cache')
+            ->withHeader('cache-control', 'no-store');
+
+        return $response;
+    }
+}

components/Server/AuthorizationServer.php

@@ -3,7 +3,10 @@
 namespace chervand\yii2\oauth2\server\components\Server;
 
 use chervand\yii2\oauth2\server\components\Events\AuthorizationEvent;
+use chervand\yii2\oauth2\server\components\Grant\RevokeGrant;
+use chervand\yii2\oauth2\server\components\ResponseTypes\RevokeResponse;
 use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use yii\base\Event;
@@ -13,27 +16,55 @@ class AuthorizationServer extends \League\OAuth2\Server\AuthorizationServer
     /**
      * {@inheritdoc}
      */
-    public function respondToAccessTokenRequest(ServerRequestInterface $request, ResponseInterface $response)
+    public function respondToAccessTokenRequest(
+        ServerRequestInterface $request,
+        ResponseInterface $response
+    )
     {
-        try {
-
-            $response = parent::respondToAccessTokenRequest($request, $response);
-
-            if ($response instanceof ResponseInterface) {
-                Event::trigger(
-                    $this,
-                    AuthorizationEvent::USER_AUTHENTICATION_SUCCEED,
-                    new AuthorizationEvent([
-                        'request' => $request,
-                        'response' => $response,
-                    ])
-                );
-            }
+        $response = parent::respondToAccessTokenRequest($request, $response);
+
+        if ($response instanceof ResponseInterface) {
+            Event::trigger(
+                $this,
+                AuthorizationEvent::USER_AUTHENTICATION_SUCCEED,
+                new AuthorizationEvent([
+                    'request' => $request,
+                    'response' => $response,
+                ])
+            );
+        }
 
-            return $response;
+        return $response;
+    }
+
+    /**
+     * @param ServerRequestInterface $request
+     * @param ResponseInterface $response
+     * @return ResponseInterface
+     * @throws OAuthServerException
+     */
+    public function respondToRevokeTokenRequest(
+        ServerRequestInterface $request,
+        ResponseInterface $response
+    )
+    {
+        if (
+            array_key_exists('revoke', $this->enabledGrantTypes) === true
+            && $this->enabledGrantTypes['revoke'] instanceof RevokeGrant
+        ) {
+
+            $this->responseType = new RevokeResponse();
+
+            /** @var RevokeGrant $revokeGrant */
+            $revokeGrant = $this->enabledGrantTypes['revoke'];
+            $revokeResponse = $revokeGrant->respondToRevokeTokenRequest($request, $this->getResponseType());
+
+            if ($revokeResponse instanceof ResponseTypeInterface) {
+                return $revokeResponse->generateHttpResponse($response);
+            }
 
-        } catch (OAuthServerException $exception) {
-            throw $exception;
         }
+
+        throw OAuthServerException::unsupportedGrantType();
     }
 }

composer.json

@@ -31,7 +31,7 @@
   "require": {
     "php": ">=5.6.0",
     "yiisoft/yii2": "^2.0",
-    "league/oauth2-server": "^6.0",
+    "league/oauth2-server": "^6.1",
     "guzzlehttp/guzzle": "^6.3"
   },
   "autoload": {