PageRenderTime 59ms CodeModel.GetById 32ms RepoModel.GetById 1ms app.codeStats 0ms

/src/auth/Google_OAuth2.php

https://bitbucket.org/insigngmbh/googlephpapi
PHP | 453 lines | 294 code | 56 blank | 103 comment | 64 complexity | acb231b360ef09762189f89776789982 MD5 | raw file
    

  1. <?php
    2. 

  2. /*
    3. 

  3.  * Copyright 2008 Google Inc.
    4. 

  4.  *
    5. 

  5.  * Licensed under the Apache License, Version 2.0 (the "License");
    6. 

  6.  * you may not use this file except in compliance with the License.
    7. 

  7.  * You may obtain a copy of the License at
    8. 

  8.  *
    9. 

  9.  *     http://www.apache.org/licenses/LICENSE-2.0
    10. 

  10.  *
    11. 

  11.  * Unless required by applicable law or agreed to in writing, software
    12. 

  12.  * distributed under the License is distributed on an "AS IS" BASIS,
    13. 

  13.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    14. 

  14.  * See the License for the specific language governing permissions and
    15. 

  15.  * limitations under the License.
    16. 

  16.  */
    17. 

  17. 

  18. require_once "Google_Verifier.php";
    19. 

  19. require_once "Google_LoginTicket.php";
    20. 

  20. require_once "service/Google_Utils.php";
    21. 

  21. 

  22. /**
    23. 

  23.  * Authentication class that deals with the OAuth 2 web-server authentication flow
    24. 

  24.  *
    25. 

  25.  * @author Chris Chabot <chabotc@google.com>
    26. 

  26.  * @author Chirag Shah <chirags@google.com>
    27. 

  27.  *
    28. 

  28.  */
    29. 

  29. class Google_OAuth2 extends Google_Auth {
    30. 

  30.   public $clientId;
    31. 

  31.   public $clientSecret;
    32. 

  32.   public $developerKey;
    33. 

  33.   public $token;
    34. 

  34.   public $redirectUri;
    35. 

  35.   public $state;
    36. 

  36.   public $accessType = 'offline';
    37. 

  37.   public $approvalPrompt = 'force';
    38. 

  38.   public $requestVisibleActions;
    39. 

  39. 

  40.   /** @var Google_AssertionCredentials $assertionCredentials */
    41. 

  41.   public $assertionCredentials;
    42. 

  42. 

  43.   const OAUTH2_REVOKE_URI = 'https://accounts.google.com/o/oauth2/revoke';
    44. 

  44.   const OAUTH2_TOKEN_URI = 'https://accounts.google.com/o/oauth2/token';
    45. 

  45.   const OAUTH2_AUTH_URL = 'https://accounts.google.com/o/oauth2/auth';
    46. 

  46.   const OAUTH2_FEDERATED_SIGNON_CERTS_URL = 'https://www.googleapis.com/oauth2/v1/certs';
    47. 

  47.   const CLOCK_SKEW_SECS = 300; // five minutes in seconds
    48. 

  48.   const AUTH_TOKEN_LIFETIME_SECS = 300; // five minutes in seconds
    49. 

  49.   const MAX_TOKEN_LIFETIME_SECS = 86400; // one day in seconds
    50. 

  50. 

  51.   /**
    52. 

  52.    * Instantiates the class, but does not initiate the login flow, leaving it
    53. 

  53.    * to the discretion of the caller (which is done by calling authenticate()).
    54. 

  54.    */
    55. 

  55.   public function __construct() {
    56. 

  56.     global $apiConfig;
    57. 

  57. 

  58.     if (! empty($apiConfig['developer_key'])) {
    59. 

  59.       $this->developerKey = $apiConfig['developer_key'];
    60. 

  60.     }
    61. 

  61. 

  62.     if (! empty($apiConfig['oauth2_client_id'])) {
    63. 

  63.       $this->clientId = $apiConfig['oauth2_client_id'];
    64. 

  64.     }
    65. 

  65. 

  66.     if (! empty($apiConfig['oauth2_client_secret'])) {
    67. 

  67.       $this->clientSecret = $apiConfig['oauth2_client_secret'];
    68. 

  68.     }
    69. 

  69. 

  70.     if (! empty($apiConfig['oauth2_redirect_uri'])) {
    71. 

  71.       $this->redirectUri = $apiConfig['oauth2_redirect_uri'];
    72. 

  72.     }
    73. 

  73. 

  74.     if (! empty($apiConfig['oauth2_access_type'])) {
    75. 

  75.       $this->accessType = $apiConfig['oauth2_access_type'];
    76. 

  76.     }
    77. 

  77. 

  78.     if (! empty($apiConfig['oauth2_approval_prompt'])) {
    79. 

  79.       $this->approvalPrompt = $apiConfig['oauth2_approval_prompt'];
    80. 

  80.     }
    81. 

  81. 

  82.   }
    83. 

  83. 

  84.   /**
    85. 

  85.    * @param $service
    86. 

  86.    * @param string|null $code
    87. 

  87.    * @throws Google_AuthException
    88. 

  88.    * @return string
    89. 

  89.    */
    90. 

  90.   public function authenticate($service, $code = null) {
    91. 

  91.     if (!$code && isset($_GET['code'])) {
    92. 

  92.       $code = $_GET['code'];
    93. 

  93.     }
    94. 

  94. 

  95.     if ($code) {
    96. 

  96.       // We got here from the redirect from a successful authorization grant, fetch the access token
    97. 

  97.       $request = Google_Client::$io->makeRequest(new Google_HttpRequest(self::OAUTH2_TOKEN_URI, 'POST', array(), array(
    98. 

  98.           'code' => $code,
    99. 

  99.           'grant_type' => 'authorization_code',
    100. 

  100.           'redirect_uri' => $this->redirectUri,
    101. 

  101.           'client_id' => $this->clientId,
    102. 

  102.           'client_secret' => $this->clientSecret
    103. 

  103.       )));
    104. 

  104. 

  105.       if ($request->getResponseHttpCode() == 200) {
    106. 

  106.         $this->setAccessToken($request->getResponseBody());
    107. 

  107.         $this->token['created'] = time();
    108. 

  108.         return $this->getAccessToken();
    109. 

  109.       } else {
    110. 

  110.         $response = $request->getResponseBody();
    111. 

  111.         $decodedResponse = json_decode($response, true);
    112. 

  112.         if ($decodedResponse != null && $decodedResponse['error']) {
    113. 

  113.           $response = $decodedResponse['error'];
    114. 

  114.         }
    115. 

  115.         throw new Google_AuthException("Error fetching OAuth2 access token, message: '$response'", $request->getResponseHttpCode());
    116. 

  116.       }
    117. 

  117.     }
    118. 

  118. 

  119.     $authUrl = $this->createAuthUrl($service['scope']);
    120. 

  120.     header('Location: ' . $authUrl);
    121. 

  121.     return true;
    122. 

  122.   }
    123. 

  123. 

  124.   /**
    125. 

  125.    * Create a URL to obtain user authorization.
    126. 

  126.    * The authorization endpoint allows the user to first
    127. 

  127.    * authenticate, and then grant/deny the access request.
    128. 

  128.    * @param string $scope The scope is expressed as a list of space-delimited strings.
    129. 

  129.    * @return string
    130. 

  130.    */
    131. 

  131.   public function createAuthUrl($scope) {
    132. 

  132.     $params = array(
    133. 

  133.         'response_type=code',
    134. 

  134.         'redirect_uri=' . urlencode($this->redirectUri),
    135. 

  135.         'client_id=' . urlencode($this->clientId),
    136. 

  136.         'scope=' . urlencode($scope),
    137. 

  137.         'access_type=' . urlencode($this->accessType),
    138. 

  138.         'approval_prompt=' . urlencode($this->approvalPrompt),
    139. 

  139.     );
    140. 

  140. 

  141.     // if the list of scopes contains plus.login, add request_visible_actions
    142. 

  142.     // to auth URL
    143. 

  143.     if(strpos($scope, 'plus.login') && count($this->requestVisibleActions) > 0) {
    144. 

  144.         $params[] = 'request_visible_actions=' .
    145. 

  145.             urlencode($this->requestVisibleActions);
    146. 

  146.     }
    147. 

  147. 

  148.     if (isset($this->state)) {
    149. 

  149.       $params[] = 'state=' . urlencode($this->state);
    150. 

  150.     }
    151. 

  151.     $params = implode('&', $params);
    152. 

  152.     return self::OAUTH2_AUTH_URL . "?$params";
    153. 

  153.   }
    154. 

  154. 

  155.   /**
    156. 

  156.    * @param string $token
    157. 

  157.    * @throws Google_AuthException
    158. 

  158.    */
    159. 

  159.   public function setAccessToken($token) {
    160. 

  160.     $token = json_decode($token, true);
    161. 

  161.     if ($token == null) {
    162. 

  162.       throw new Google_AuthException('Could not json decode the token');
    163. 

  163.     }
    164. 

  164.     if (! isset($token['access_token'])) {
    165. 

  165.       throw new Google_AuthException("Invalid token format");
    166. 

  166.     }
    167. 

  167.     $this->token = $token;
    168. 

  168.   }
    169. 

  169. 

  170.   public function getAccessToken() {
    171. 

  171.     return json_encode($this->token);
    172. 

  172.   }
    173. 

  173. 

  174.   public function setDeveloperKey($developerKey) {
    175. 

  175.     $this->developerKey = $developerKey;
    176. 

  176.   }
    177. 

  177. 

  178.   public function setState($state) {
    179. 

  179.     $this->state = $state;
    180. 

  180.   }
    181. 

  181. 

  182.   public function setAccessType($accessType) {
    183. 

  183.     $this->accessType = $accessType;
    184. 

  184.   }
    185. 

  185. 

  186.   public function setApprovalPrompt($approvalPrompt) {
    187. 

  187.     $this->approvalPrompt = $approvalPrompt;
    188. 

  188.   }
    189. 

  189. 

  190.   public function setAssertionCredentials(Google_AssertionCredentials $creds) {
    191. 

  191.     $this->assertionCredentials = $creds;
    192. 

  192.   }
    193. 

  193. 

  194.   /**
    195. 

  195.    * Include an accessToken in a given apiHttpRequest.
    196. 

  196.    * @param Google_HttpRequest $request
    197. 

  197.    * @return Google_HttpRequest
    198. 

  198.    * @throws Google_AuthException
    199. 

  199.    */
    200. 

  200.   public function sign(Google_HttpRequest $request) {
    201. 

  201.     // add the developer key to the request before signing it
    202. 

  202.     if ($this->developerKey) {
    203. 

  203.       $requestUrl = $request->getUrl();
    204. 

  204.       $requestUrl .= (strpos($request->getUrl(), '?') === false) ? '?' : '&';
    205. 

  205.       $requestUrl .=  'key=' . urlencode($this->developerKey);
    206. 

  206.       $request->setUrl($requestUrl);
    207. 

  207.     }
    208. 

  208. 

  209.     // Cannot sign the request without an OAuth access token.
    210. 

  210.     if (null == $this->token && null == $this->assertionCredentials) {
    211. 

  211.       return $request;
    212. 

  212.     }
    213. 

  213. 

  214.     // Check if the token is set to expire in the next 30 seconds
    215. 

  215.     // (or has already expired).
    216. 

  216.     if ($this->isAccessTokenExpired()) {
    217. 

  217.       if ($this->assertionCredentials) {
    218. 

  218.         $this->refreshTokenWithAssertion();
    219. 

  219.       } else {
    220. 

  220.         if (! array_key_exists('refresh_token', $this->token)) {
    221. 

  221.             throw new Google_AuthException("The OAuth 2.0 access token has expired, "
    222. 

  222.                 . "and a refresh token is not available. Refresh tokens are not "
    223. 

  223.                 . "returned for responses that were auto-approved.");
    224. 

  224.         }
    225. 

  225.         $this->refreshToken($this->token['refresh_token']);
    226. 

  226.       }
    227. 

  227.     }
    228. 

  228. 

  229.     // Add the OAuth2 header to the request
    230. 

  230.     $request->setRequestHeaders(
    231. 

  231.         array('Authorization' => 'Bearer ' . $this->token['access_token'])
    232. 

  232.     );
    233. 

  233. 

  234.     return $request;
    235. 

  235.   }
    236. 

  236. 

  237.   /**
    238. 

  238.    * Fetches a fresh access token with the given refresh token.
    239. 

  239.    * @param string $refreshToken
    240. 

  240.    * @return void
    241. 

  241.    */
    242. 

  242.   public function refreshToken($refreshToken) {
    243. 

  243.     $this->refreshTokenRequest(array(
    244. 

  244.         'client_id' => $this->clientId,
    245. 

  245.         'client_secret' => $this->clientSecret,
    246. 

  246.         'refresh_token' => $refreshToken,
    247. 

  247.         'grant_type' => 'refresh_token'
    248. 

  248.     ));
    249. 

  249.   }
    250. 

  250. 

  251.   /**
    252. 

  252.    * Fetches a fresh access token with a given assertion token.
    253. 

  253.    * @param Google_AssertionCredentials $assertionCredentials optional.
    254. 

  254.    * @return void
    255. 

  255.    */
    256. 

  256.   public function refreshTokenWithAssertion($assertionCredentials = null) {
    257. 

  257.     if (!$assertionCredentials) {
    258. 

  258.       $assertionCredentials = $this->assertionCredentials;
    259. 

  259.     }
    260. 

  260. 

  261.     $this->refreshTokenRequest(array(
    262. 

  262.         'grant_type' => 'assertion',
    263. 

  263.         'assertion_type' => $assertionCredentials->assertionType,
    264. 

  264.         'assertion' => $assertionCredentials->generateAssertion(),
    265. 

  265.     ));
    266. 

  266.   }
    267. 

  267. 

  268.   private function refreshTokenRequest($params) {
    269. 

  269.     $http = new Google_HttpRequest(self::OAUTH2_TOKEN_URI, 'POST', array(), $params);
    270. 

  270.     $request = Google_Client::$io->makeRequest($http);
    271. 

  271. 

  272.     $code = $request->getResponseHttpCode();
    273. 

  273.     $body = $request->getResponseBody();
    274. 

  274.     if (200 == $code) {
    275. 

  275.       $token = json_decode($body, true);
    276. 

  276.       if ($token == null) {
    277. 

  277.         throw new Google_AuthException("Could not json decode the access token");
    278. 

  278.       }
    279. 

  279. 

  280.       if (! isset($token['access_token']) || ! isset($token['expires_in'])) {
    281. 

  281.         throw new Google_AuthException("Invalid token format");
    282. 

  282.       }
    283. 

  283. 

  284.       $this->token['access_token'] = $token['access_token'];
    285. 

  285.       $this->token['expires_in'] = $token['expires_in'];
    286. 

  286.       $this->token['created'] = time();
    287. 

  287.     } else {
    288. 

  288.       throw new Google_AuthException("Error refreshing the OAuth2 token, message: '$body'", $code);
    289. 

  289.     }
    290. 

  290.   }
    291. 

  291. 

  292.     /**
    293. 

  293.      * Revoke an OAuth2 access token or refresh token. This method will revoke the current access
    294. 

  294.      * token, if a token isn't provided.
    295. 

  295.      * @throws Google_AuthException
    296. 

  296.      * @param string|null $token The token (access token or a refresh token) that should be revoked.
    297. 

  297.      * @return boolean Returns True if the revocation was successful, otherwise False.
    298. 

  298.      */
    299. 

  299.   public function revokeToken($token = null) {
    300. 

  300.     if (!$token) {
    301. 

  301.       $token = $this->token['access_token'];
    302. 

  302.     }
    303. 

  303.     $request = new Google_HttpRequest(self::OAUTH2_REVOKE_URI, 'POST', array(), "token=$token");
    304. 

  304.     $response = Google_Client::$io->makeRequest($request);
    305. 

  305.     $code = $response->getResponseHttpCode();
    306. 

  306.     if ($code == 200) {
    307. 

  307.       $this->token = null;
    308. 

  308.       return true;
    309. 

  309.     }
    310. 

  310. 

  311.     return false;
    312. 

  312.   }
    313. 

  313. 

  314.   /**
    315. 

  315.    * Returns if the access_token is expired.
    316. 

  316.    * @return bool Returns True if the access_token is expired.
    317. 

  317.    */
    318. 

  318.   public function isAccessTokenExpired() {
    319. 

  319.     if (null == $this->token) {
    320. 

  320.       return true;
    321. 

  321.     }
    322. 

  322. 

  323.     // If the token is set to expire in the next 30 seconds.
    324. 

  324.     $expired = ($this->token['created']
    325. 

  325.         + ($this->token['expires_in'] - 30)) < time();
    326. 

  326. 

  327.     return $expired;
    328. 

  328.   }
    329. 

  329. 

  330.   // Gets federated sign-on certificates to use for verifying identity tokens.
    331. 

  331.   // Returns certs as array structure, where keys are key ids, and values
    332. 

  332.   // are PEM encoded certificates.
    333. 

  333.   private function getFederatedSignOnCerts() {
    334. 

  334.     // This relies on makeRequest caching certificate responses.
    335. 

  335.     $request = Google_Client::$io->makeRequest(new Google_HttpRequest(
    336. 

  336.         self::OAUTH2_FEDERATED_SIGNON_CERTS_URL));
    337. 

  337.     if ($request->getResponseHttpCode() == 200) {
    338. 

  338.       $certs = json_decode($request->getResponseBody(), true);
    339. 

  339.       if ($certs) {
    340. 

  340.         return $certs;
    341. 

  341.       }
    342. 

  342.     }
    343. 

  343.     throw new Google_AuthException(
    344. 

  344.         "Failed to retrieve verification certificates: '" .
    345. 

  345.             $request->getResponseBody() . "'.",
    346. 

  346.         $request->getResponseHttpCode());
    347. 

  347.   }
    348. 

  348. 

  349.   /**
    350. 

  350.    * Verifies an id token and returns the authenticated apiLoginTicket.
    351. 

  351.    * Throws an exception if the id token is not valid.
    352. 

  352.    * The audience parameter can be used to control which id tokens are
    353. 

  353.    * accepted.  By default, the id token must have been issued to this OAuth2 client.
    354. 

  354.    *
    355. 

  355.    * @param $id_token
    356. 

  356.    * @param $audience
    357. 

  357.    * @return Google_LoginTicket
    358. 

  358.    */
    359. 

  359.   public function verifyIdToken($id_token = null, $audience = null) {
    360. 

  360.     if (!$id_token) {
    361. 

  361.       $id_token = $this->token['id_token'];
    362. 

  362.     }
    363. 

  363. 

  364.     $certs = $this->getFederatedSignonCerts();
    365. 

  365.     if (!$audience) {
    366. 

  366.       $audience = $this->clientId;
    367. 

  367.     }
    368. 

  368.     return $this->verifySignedJwtWithCerts($id_token, $certs, $audience);
    369. 

  369.   }
    370. 

  370. 

  371.   // Verifies the id token, returns the verified token contents.
    372. 

  372.   // Visible for testing.
    373. 

  373.   function verifySignedJwtWithCerts($jwt, $certs, $required_audience) {
    374. 

  374.     $segments = explode(".", $jwt);
    375. 

  375.     if (count($segments) != 3) {
    376. 

  376.       throw new Google_AuthException("Wrong number of segments in token: $jwt");
    377. 

  377.     }
    378. 

  378.     $signed = $segments[0] . "." . $segments[1];
    379. 

  379.     $signature = Google_Utils::urlSafeB64Decode($segments[2]);
    380. 

  380. 

  381.     // Parse envelope.
    382. 

  382.     $envelope = json_decode(Google_Utils::urlSafeB64Decode($segments[0]), true);
    383. 

  383.     if (!$envelope) {
    384. 

  384.       throw new Google_AuthException("Can't parse token envelope: " . $segments[0]);
    385. 

  385.     }
    386. 

  386. 

  387.     // Parse token
    388. 

  388.     $json_body = Google_Utils::urlSafeB64Decode($segments[1]);
    389. 

  389.     $payload = json_decode($json_body, true);
    390. 

  390.     if (!$payload) {
    391. 

  391.       throw new Google_AuthException("Can't parse token payload: " . $segments[1]);
    392. 

  392.     }
    393. 

  393. 

  394.     // Check signature
    395. 

  395.     $verified = false;
    396. 

  396.     foreach ($certs as $keyName => $pem) {
    397. 

  397.       $public_key = new Google_PemVerifier($pem);
    398. 

  398.       if ($public_key->verify($signed, $signature)) {
    399. 

  399.         $verified = true;
    400. 

  400.         break;
    401. 

  401.       }
    402. 

  402.     }
    403. 

  403. 

  404.     if (!$verified) {
    405. 

  405.       throw new Google_AuthException("Invalid token signature: $jwt");
    406. 

  406.     }
    407. 

  407. 

  408.     // Check issued-at timestamp
    409. 

  409.     $iat = 0;
    410. 

  410.     if (array_key_exists("iat", $payload)) {
    411. 

  411.       $iat = $payload["iat"];
    412. 

  412.     }
    413. 

  413.     if (!$iat) {
    414. 

  414.       throw new Google_AuthException("No issue time in token: $json_body");
    415. 

  415.     }
    416. 

  416.     $earliest = $iat - self::CLOCK_SKEW_SECS;
    417. 

  417. 

  418.     // Check expiration timestamp
    419. 

  419.     $now = time();
    420. 

  420.     $exp = 0;
    421. 

  421.     if (array_key_exists("exp", $payload)) {
    422. 

  422.       $exp = $payload["exp"];
    423. 

  423.     }
    424. 

  424.     if (!$exp) {
    425. 

  425.       throw new Google_AuthException("No expiration time in token: $json_body");
    426. 

  426.     }
    427. 

  427.     if ($exp >= $now + self::MAX_TOKEN_LIFETIME_SECS) {
    428. 

  428.       throw new Google_AuthException(
    429. 

  429.           "Expiration time too far in future: $json_body");
    430. 

  430.     }
    431. 

  431. 

  432.     $latest = $exp + self::CLOCK_SKEW_SECS;
    433. 

  433.     if ($now < $earliest) {
    434. 

  434.       throw new Google_AuthException(
    435. 

  435.           "Token used too early, $now < $earliest: $json_body");
    436. 

  436.     }
    437. 

  437.     if ($now > $latest) {
    438. 

  438.       throw new Google_AuthException(
    439. 

  439.           "Token used too late, $now > $latest: $json_body");
    440. 

  440.     }
    441. 

  441. 

  442.     // TODO(beaton): check issuer field?
    443. 

  443. 

  444.     // Check audience
    445. 

  445.     $aud = $payload["aud"];
    446. 

  446.     if ($aud != $required_audience) {
    447. 

  447.       throw new Google_AuthException("Wrong recipient, $aud != $required_audience: $json_body");
    448. 

  448.     }
    449. 

  449. 

  450.     // All good.
    451. 

  451.     return new Google_LoginTicket($envelope, $payload);
    452. 

  452.   }
    453. 

  453. }
    454. 

  454.