<?php defined('SYSPATH') or die('No direct script access.');
/**
*
*
* @package OAuth2
* @category Library
* @author Managed I.T.
* @copyright (c) 2011 Managed I.T.
*/
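class Controller_OAuth2 extends Controller {

	/**
	 * @var  OAuth2_Provider
	 */
	protected $_oauth;

	/**
	 * Builds the provider before any action runs.
	 */
	public function before()
	{
		$this->_oauth = OAuth2_Provider::factory($this->request);
	}

	/**
	 * Authorization endpoint.
	 *
	 * On GET the consent form is rendered with the validated request params;
	 * on POST the resource owner's decision is handed to the provider, which
	 * redirects the user agent back to the client. Users who are not logged
	 * in are sent to the login route first, since a resource owner is needed
	 * before anything can be authorized.
	 */
	public function action_authorize()
	{
		// Check if the user is logged in
		if ( ! Auth::instance()->logged_in())
		{
			$this->request->redirect(Route::url('login'));
			return;
		}

		$user = Auth::instance()->get_user();

		// Only an explicit 'Yes' from the form counts as consent; anything else
		// (including a GET, where post() is NULL) is treated as a denial
		$accepted = ($this->request->post('accepted') === 'Yes');

		// authorize() validates the request; on GET it returns the params for
		// use in the form, on POST it issues the code/token (or access_denied)
		// and redirects to the client, so nothing below runs for a POST
		$auth_params = $this->_oauth->authorize($this->request, $user, $accepted);

		$client = Model_OAuth2_Client::find_client($auth_params['client_id']);

		$this->response->body(View::factory('oauth2/authorize', array(
			'auth_params' => $auth_params,
			'client'      => $client,
			'user'        => $user,
		)));
	}

}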
<?php defined('SYSPATH') or die('No direct script access.');
/**
*
*
* @package OAuth2
* @category Library
* @author Managed I.T.
* @copyright (c) 2011 Managed I.T.
*/
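class OAuth2_Provider {

	/**
	 * Creates a new provider instance.
	 *
	 * @return  OAuth2_Provider
	 */
	public static function factory()
	{
		return new OAuth2_Provider();
	}

	/**
	 * Appends query and fragment parameters to a redirect URI, keeping any
	 * query string the client already has in its registered redirect_uri.
	 * All values are urlencoded by http_build_query().
	 *
	 * @param   string  $uri       base redirect URI (must not carry a fragment)
	 * @param   array   $query     parameters for the query component
	 * @param   array   $fragment  parameters for the fragment component
	 * @return  string
	 */
	public static function build_redirect_url($uri, array $query = array(), array $fragment = array())
	{
		$url = (string) $uri;

		if ($query)
		{
			// Use '&' when the registered URI already carries a query string
			$separator = (strpos($url, '?') === FALSE) ? '?' : '&';
			$url .= $separator.http_build_query($query);
		}

		if ($fragment)
		{
			$url .= '#'.http_build_query($fragment);
		}

		return $url;
	}

	/**
	 * Extracts the authorization endpoint parameters from the query string.
	 * Keys missing from the query come back as NULL (Arr::extract behaviour).
	 *
	 * @param   Request  $request
	 * @return  array    client_id, response_type, redirect_uri, state, scope
	 */
	protected function _get_authorize_params(Request $request)
	{
		return Arr::extract($request->query(), array(
			'client_id',
			'response_type',
			'redirect_uri',
			'state',
			'scope',
		));
	}

	/**
	 * Validates the authorization request against the registered client.
	 *
	 * @param   Request  $request
	 * @return  array    validated params, with redirect_uri resolved
	 * @throws  OAuth2_Exception_InvalidRequest      malformed request or unusable redirect_uri
	 * @throws  OAuth2_Exception_InvalidClient       unknown client_id
	 * @throws  OAuth2_Exception_UnauthorizedClient  response_type or scope not allowed
	 */
	protected function _validate_authorize_params(Request $request)
	{
		$params = $this->_get_authorize_params($request);

		$validation = Validation::factory($params)
			->rule('client_id', 'not_empty')
			->rule('client_id', 'regex', array(':value', OAuth2::CLIENT_ID_REGEXP))
			->rule('response_type', 'not_empty')
			->rule('response_type', 'regex', array(':value', OAuth2::RESPONSE_TYPE_REGEXP))
			->rule('redirect_uri', 'url');

		if ( ! $validation->check())
		{
			// TODO: Get a better message
			throw new OAuth2_Exception_InvalidRequest('Invalid Request...');
		}

		// Check we have a valid client
		$client = Model_OAuth2_Client::find_client($params['client_id']);

		if ( ! $client->loaded())
		{
			throw new OAuth2_Exception_InvalidClient('Invalid \'client_id\'');
		}

		$registered_uri = $client->redirect_uri;

		if ( ! Valid::url($params['redirect_uri']))
		{
			// Lookup the redirect_uri if none was supplied in the URL
			$params['redirect_uri'] = $registered_uri;
		}
		elseif (Valid::url($registered_uri) AND $params['redirect_uri'] !== $registered_uri)
		{
			// A supplied redirect_uri has to match the registered one exactly,
			// otherwise the code/token would be sent to an address the client
			// never registered
			throw new OAuth2_Exception_InvalidRequest('\'redirect_uri\' does not match the registered redirect_uri');
		}

		// Is the redirect_uri still empty? Error if so..
		if ( ! Valid::url($params['redirect_uri']))
		{
			throw new OAuth2_Exception_InvalidRequest('\'redirect_uri\' is required');
		}

		// Check if this client is allowed use this response_type
		// (strict: both sides are expected to be strings)
		if ( ! in_array($params['response_type'], $client->allowed_response_types(), TRUE))
		{
			throw new OAuth2_Exception_UnauthorizedClient('You are not allowed use the \':response_type\' response_type', array(
				':response_type' => $params['response_type'],
			));
		}

		// Is the scope valid? An empty scope is accepted as-is.
		if (Valid::not_empty($params['scope']) AND ! in_array($params['scope'], OAuth2::$supported_scopes, TRUE))
		{
			throw new OAuth2_Exception_UnauthorizedClient('Invalid scope \':scope\'', array(
				':scope' => $params['scope'],
			));
		}

		return $params;
	}

	/**
	 * Handles the authorization endpoint for an already-authenticated user.
	 *
	 * On GET the validated request params are returned so the caller can
	 * render the consent form. On POST an authorization code and/or access
	 * token is issued when $is_authorized is TRUE (otherwise an access_denied
	 * error), and the user agent is redirected back to the client; the
	 * redirect does not return.
	 *
	 * @param   Request     $request
	 * @param   Model_User  $user           the resource owner
	 * @param   bool        $is_authorized  whether the resource owner approved the request (POST only)
	 * @return  array       validated params (GET only)
	 * @throws  OAuth2_Exception_InvalidRequest  validation failure or unsupported HTTP method
	 */
	public function authorize(Request $request, Model_User $user, $is_authorized = TRUE)
	{
		// Request Validation
		$params = $this->_validate_authorize_params($request);

		$method = $request->method();

		if ($method === Request::GET)
		{
			// If this is a GET request, return the params for use in the form.
			return $params;
		}

		if ($method !== Request::POST)
		{
			throw new OAuth2_Exception_InvalidRequest('Unsupported request method');
		}

		// Form has been submitted .. the caller tells us whether they agreed.
		$query    = array();
		$fragment = array();

		if ( ! $is_authorized)
		{
			$query['error'] = OAuth2::ERROR_ACCESS_DENIED;
		}
		else
		{
			$response_type = $params['response_type'];

			if ($response_type === OAuth2::RESPONSE_TYPE_CODE OR $response_type === OAuth2::RESPONSE_TYPE_CODE_AND_TOKEN)
			{
				// Generate a code... only when the client actually asked for one,
				// so no unused-but-valid code is left behind for token-only requests
				// NOTE(review): $user is not handed to create_code(), so the grant
				// is not bound to the resource owner here -- confirm the model does
				$auth_code = Model_OAuth2_Auth_Code::create_code($params['client_id'], $params['redirect_uri'], $params['scope']);

				$query['code'] = $auth_code->code;
			}

			if ($response_type === OAuth2::RESPONSE_TYPE_TOKEN OR $response_type === OAuth2::RESPONSE_TYPE_CODE_AND_TOKEN)
			{
				// Generate a token, delivered in the fragment
				$access_token = Model_OAuth2_Token::create_token($params['client_id'], $params['scope']);

				$fragment['access_token'] = $access_token->access_token;
			}
		}

		// Echo state and scope back in every component we populate, the
		// error response included, so the client can tie the response to
		// its request. '+' keeps code/access_token/error first.
		$echo = array();

		if (Valid::not_empty($params['state']))
		{
			$echo['state'] = $params['state'];
		}

		if (Valid::not_empty($params['scope']))
		{
			$echo['scope'] = $params['scope'];
		}

		if ($query)
		{
			$query += $echo;
		}

		if ($fragment)
		{
			$fragment += $echo;
		}

		// Send the user back to the 3rd party..
		$request->redirect(OAuth2_Provider::build_redirect_url($params['redirect_uri'], $query, $fragment));
	}

}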