PageRenderTime 49ms CodeModel.GetById 19ms RepoModel.GetById 1ms app.codeStats 0ms

/google-api-php-client/src/auth/apiOAuth2.php

https://bitbucket.org/baddog/google-latitude-history
PHP | 391 lines | 258 code | 44 blank | 89 comment | 55 complexity | a1f788156e3ce3f0ad6a15253b720ea8 MD5 | raw file
    

  1. <?php
    2. 

  2. /*
    3. 

  3.  * Copyright 2008 Google Inc.
    4. 

  4.  *
    5. 

  5.  * Licensed under the Apache License, Version 2.0 (the "License");
    6. 

  6.  * you may not use this file except in compliance with the License.
    7. 

  7.  * You may obtain a copy of the License at
    8. 

  8.  *
    9. 

  9.  *     http://www.apache.org/licenses/LICENSE-2.0
    10. 

  10.  *
    11. 

  11.  * Unless required by applicable law or agreed to in writing, software
    12. 

  12.  * distributed under the License is distributed on an "AS IS" BASIS,
    13. 

  13.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    14. 

  14.  * See the License for the specific language governing permissions and
    15. 

  15.  * limitations under the License.
    16. 

  16.  */
    17. 

  17. 

  18. require_once "apiVerifier.php";
    19. 

  19. require_once "apiLoginTicket.php";
    20. 

  20. require_once "service/apiUtils.php";
    21. 

  21. 

  22. /**
    23. 

  23.  * Authentication class that deals with the OAuth 2 web-server authentication flow
    24. 

  24.  *
    25. 

  25.  * @author Chris Chabot <chabotc@google.com>
    26. 

  26.  * @author Chirag Shah <chirags@google.com>
    27. 

  27.  *
    28. 

  28.  */
    29. 

  29. class apiOAuth2 extends apiAuth {
    30. 

  30.   public $clientId;
    31. 

  31.   public $clientSecret;
    32. 

  32.   public $developerKey;
    33. 

  33.   public $accessToken;
    34. 

  34.   public $redirectUri;
    35. 

  35.   public $state;
    36. 

  36.   public $accessType = 'offline';
    37. 

  37.   public $approvalPrompt = 'force';
    38. 

  38. 

  39.   const OAUTH2_REVOKE_URI = 'https://accounts.google.com/o/oauth2/revoke';
    40. 

  40.   const OAUTH2_TOKEN_URI = 'https://accounts.google.com/o/oauth2/token';
    41. 

  41.   const OAUTH2_AUTH_URL = 'https://accounts.google.com/o/oauth2/auth';
    42. 

  42.   const OAUTH2_FEDERATED_SIGNON_CERTS_URL = 'https://www.googleapis.com/oauth2/v1/certs';
    43. 

  43.   const CLOCK_SKEW_SECS = 300; // five minutes in seconds
    44. 

  44.   const AUTH_TOKEN_LIFETIME_SECS = 300; // five minutes in seconds
    45. 

  45.   const MAX_TOKEN_LIFETIME_SECS = 86400; // one day in seconds
    46. 

  46. 

  47.   /**
    48. 

  48.    * Instantiates the class, but does not initiate the login flow, leaving it
    49. 

  49.    * to the discretion of the caller (which is done by calling authenticate()).
    50. 

  50.    */
    51. 

  51.   public function __construct() {
    52. 

  52.     global $apiConfig;
    53. 

  53.     
    54. 

  54.     if (! empty($apiConfig['developer_key'])) {
    55. 

  55.       $this->developerKey = $apiConfig['developer_key'];
    56. 

  56.     }
    57. 

  57. 

  58.     if (! empty($apiConfig['oauth2_client_id'])) {
    59. 

  59.       $this->clientId = $apiConfig['oauth2_client_id'];
    60. 

  60.     }
    61. 

  61. 

  62.     if (! empty($apiConfig['oauth2_client_secret'])) {
    63. 

  63.       $this->clientSecret = $apiConfig['oauth2_client_secret'];
    64. 

  64.     }
    65. 

  65. 

  66.     if (! empty($apiConfig['oauth2_redirect_uri'])) {
    67. 

  67.       $this->redirectUri = $apiConfig['oauth2_redirect_uri'];
    68. 

  68.     }
    69. 

  69.     
    70. 

  70.     if (! empty($apiConfig['oauth2_access_type'])) {
    71. 

  71.       $this->accessType = $apiConfig['oauth2_access_type'];
    72. 

  72.     }
    73. 

  73. 

  74.     if (! empty($apiConfig['oauth2_approval_prompt'])) {
    75. 

  75.       $this->approvalPrompt = $apiConfig['oauth2_approval_prompt'];
    76. 

  76.     }
    77. 

  77.   }
    78. 

  78. 

  79.   /**
    80. 

  80.    * @param $service
    81. 

  81.    * @return string
    82. 

  82.    * @throws apiAuthException
    83. 

  83.    */
    84. 

  84.   public function authenticate($service) {
    85. 

  85.     if (isset($_GET['code'])) {
    86. 

  86.       // We got here from the redirect from a successful authorization grant, fetch the access token
    87. 

  87.       $request = apiClient::$io->makeRequest(new apiHttpRequest(self::OAUTH2_TOKEN_URI, 'POST', array(), array(
    88. 

  88.           'code' => $_GET['code'],
    89. 

  89.           'grant_type' => 'authorization_code',
    90. 

  90.           'redirect_uri' => $this->redirectUri,
    91. 

  91.           'client_id' => $this->clientId,
    92. 

  92.           'client_secret' => $this->clientSecret
    93. 

  93.       )));
    94. 

  94. 

  95.       if ($request->getResponseHttpCode() == 200) {
    96. 

  96.         $this->setAccessToken($request->getResponseBody());
    97. 

  97.         $this->accessToken['created'] = time();
    98. 

  98.         return $this->getAccessToken();
    99. 

  99.       } else {
    100. 

  100.         $response = $request->getResponseBody();
    101. 

  101.         $decodedResponse = json_decode($response, true);
    102. 

  102.         if ($decodedResponse != $response && $decodedResponse != null && $decodedResponse['error']) {
    103. 

  103.           $response = $decodedResponse['error'];
    104. 

  104.         }
    105. 

  105.         throw new apiAuthException("Error fetching OAuth2 access token, message: '$response'", $request->getResponseHttpCode());
    106. 

  106.       }
    107. 

  107.     }
    108. 

  108. 

  109.     $authUrl = $this->createAuthUrl($service['scope']);
    110. 

  110.     header('Location: ' . $authUrl);
    111. 

  111.   } 
    112. 

  112. 

  113.   /**
    114. 

  114.    * Create a URL to obtain user authorization.
    115. 

  115.    * The authorization endpoint allows the user to first
    116. 

  116.    * authenticate, and then grant/deny the access request.
    117. 

  117.    * @param string $scope The scope is expressed as a list of space-delimited strings.
    118. 

  118.    * @return string
    119. 

  119.    */
    120. 

  120.   public function createAuthUrl($scope) {
    121. 

  121.     $params = array(
    122. 

  122.         'response_type=code',
    123. 

  123.         'redirect_uri=' . urlencode($this->redirectUri),
    124. 

  124.         'client_id=' . urlencode($this->clientId),
    125. 

  125.         'scope=' . urlencode($scope),
    126. 

  126.         'access_type=' . urlencode($this->accessType),
    127. 

  127.         'approval_prompt=' . urlencode($this->approvalPrompt)
    128. 

  128.     );
    129. 

  129. 

  130.     if (isset($this->state)) {
    131. 

  131.       $params[] = 'state=' . urlencode($this->state);
    132. 

  132.     }
    133. 

  133.     $params = implode('&', $params);
    134. 

  134.     return self::OAUTH2_AUTH_URL . "?$params";
    135. 

  135.   }
    136. 

  136. 

  137.   /**
    138. 

  138.    * @param $accessToken
    139. 

  139.    * @throws apiAuthException Thrown when $accessToken is invalid.
    140. 

  140.    */
    141. 

  141.   public function setAccessToken($accessToken) {
    142. 

  142.     $accessToken = json_decode($accessToken, true);
    143. 

  143.     if ($accessToken == null) {
    144. 

  144.       throw new apiAuthException('Could not json decode the access token');
    145. 

  145.     }
    146. 

  146.     if (! isset($accessToken['access_token'])) {
    147. 

  147.       throw new apiAuthException("Invalid token format");
    148. 

  148.     }
    149. 

  149.     $this->accessToken = $accessToken;
    150. 

  150.   }
    151. 

  151. 

  152.   public function getAccessToken() {
    153. 

  153.     return json_encode($this->accessToken);
    154. 

  154.   }
    155. 

  155. 

  156.   public function setDeveloperKey($developerKey) {
    157. 

  157.     $this->developerKey = $developerKey;
    158. 

  158.   }
    159. 

  159. 

  160.   public function setState($state) {
    161. 

  161.     $this->state = $state;
    162. 

  162.   }
    163. 

  163. 

  164.   public function setAccessType($accessType) {
    165. 

  165.     $this->accessType = $accessType;
    166. 

  166.   }
    167. 

  167. 

  168.   public function setApprovalPrompt($approvalPrompt) {
    169. 

  169.     $this->approvalPrompt = $approvalPrompt;
    170. 

  170.   }
    171. 

  171. 

  172.   /**
    173. 

  173.    * Include an accessToken in a given apiHttpRequest.
    174. 

  174.    * @param apiHttpRequest $request
    175. 

  175.    * @return apiHttpRequest
    176. 

  176.    * @throws apiAuthException
    177. 

  177.    */
    178. 

  178.   public function sign(apiHttpRequest $request) {
    179. 

  179.     // add the developer key to the request before signing it
    180. 

  180.     if ($this->developerKey) {
    181. 

  181.       $requestUrl = $request->getUrl();
    182. 

  182.       $requestUrl .= (strpos($request->getUrl(), '?') === false) ? '?' : '&';
    183. 

  183.       $requestUrl .=  'key=' . urlencode($this->developerKey);
    184. 

  184.       $request->setUrl($requestUrl);
    185. 

  185.     }
    186. 

  186. 

  187.     // Cannot sign the request without an OAuth access token.
    188. 

  188.     if (null == $this->accessToken) {
    189. 

  189.       return $request;
    190. 

  190.     }
    191. 

  191. 

  192.     // If the token is set to expire in the next 30 seconds (or has already
    193. 

  193.     // expired), refresh it and set the new token.
    194. 

  194.     $expired = ($this->accessToken['created'] + ($this->accessToken['expires_in'] - 30)) < time();
    195. 

  195.     if ($expired) {
    196. 

  196.       if (! array_key_exists('refresh_token', $this->accessToken)) {
    197. 

  197.         throw new apiAuthException("The OAuth 2.0 access token has expired, "
    198. 

  198.             . "and a refresh token is not available. Refresh tokens are not "
    199. 

  199.             . "returned for responses that were auto-approved.");
    200. 

  200.       }
    201. 

  201.       $this->refreshToken($this->accessToken['refresh_token']);
    202. 

  202.     }
    203. 

  203. 

  204.     // Add the OAuth2 header to the request
    205. 

  205.     $request->setRequestHeaders(
    206. 

  206.         array('Authorization' => 'Bearer ' . $this->accessToken['access_token'])
    207. 

  207.     );
    208. 

  208. 

  209.     return $request;
    210. 

  210.   }
    211. 

  211. 

  212.   /**
    213. 

  213.    * Fetches a fresh access token with the given refresh token.
    214. 

  214.    * @param string $refreshToken
    215. 

  215.    * @return void
    216. 

  216.    */
    217. 

  217.   public function refreshToken($refreshToken) {
    218. 

  218.     $params = array(
    219. 

  219.         'client_id' => $this->clientId,
    220. 

  220.         'client_secret' => $this->clientSecret,
    221. 

  221.         'refresh_token' => $refreshToken,
    222. 

  222.         'grant_type' => 'refresh_token'
    223. 

  223.     );
    224. 

  224.     $request = apiClient::$io->makeRequest(
    225. 

  225.           new apiHttpRequest(self::OAUTH2_TOKEN_URI, 'POST', array(), $params));
    226. 

  226.     $code = $request->getResponseHttpCode();
    227. 

  227.     $body = $request->getResponseBody();
    228. 

  228.     if ($code == 200) {
    229. 

  229.       $token = json_decode($body, true);
    230. 

  230.       if ($token == null) {
    231. 

  231.         throw new apiAuthException("Could not json decode the access token");
    232. 

  232.       }
    233. 

  233.       
    234. 

  234.       if (! isset($token['access_token']) || ! isset($token['expires_in'])) {
    235. 

  235.         throw new apiAuthException("Invalid token format");
    236. 

  236.       }
    237. 

  237.       
    238. 

  238.       $this->accessToken['access_token'] = $token['access_token'];
    239. 

  239.       $this->accessToken['expires_in'] = $token['expires_in'];
    240. 

  240.       $this->accessToken['created'] = time();
    241. 

  241.     } else {
    242. 

  242.       throw new apiAuthException("Error refreshing the OAuth2 token, message: '$body'", $code);
    243. 

  243.     }
    244. 

  244.   }
    245. 

  245. 

  246.     /**
    247. 

  247.      * Revoke an OAuth2 access token or refresh token. This method will revoke the current access
    248. 

  248.      * token, if a token isn't provided.
    249. 

  249.      * @throws apiAuthException
    250. 

  250.      * @param string|null $token The token (access token or a refresh token) that should be revoked.
    251. 

  251.      * @return boolean Returns True if the revocation was successful, otherwise False.
    252. 

  252.      */
    253. 

  253.   public function revokeToken($token = null) {
    254. 

  254.     if (!$token) {
    255. 

  255.       $token = $this->accessToken['access_token'];
    256. 

  256.     }
    257. 

  257.     $request = new apiHttpRequest(self::OAUTH2_REVOKE_URI, 'POST', array(), "token=$token");
    258. 

  258.     $response = apiClient::$io->makeRequest($request);
    259. 

  259.     $code = $response->getResponseHttpCode();
    260. 

  260.     if ($code == 200) {
    261. 

  261.       $this->accessToken = null;
    262. 

  262.       return true;
    263. 

  263.     }
    264. 

  264. 

  265.     return false;
    266. 

  266.   }
    267. 

  267. 

  268.   // Gets federated sign-on certificates to use for verifying identity tokens.
    269. 

  269.   // Returns certs as array structure, where keys are key ids, and values
    270. 

  270.   // are PEM encoded certificates.
    271. 

  271.   private function getFederatedSignOnCerts() {
    272. 

  272.     // This relies on makeRequest caching certificate responses.
    273. 

  273.     $request = apiClient::$io->makeRequest(new apiHttpRequest(
    274. 

  274.         self::OAUTH2_FEDERATED_SIGNON_CERTS_URL));
    275. 

  275.     if ($request->getResponseHttpCode() == 200) {
    276. 

  276.       $certs = json_decode($request->getResponseBody(), true);
    277. 

  277.       if ($certs) {
    278. 

  278.         return $certs;
    279. 

  279.       }
    280. 

  280.     }
    281. 

  281.     throw new apiAuthException(
    282. 

  282.         "Failed to retrieve verification certificates: '" .
    283. 

  283.             $request->getResponseBody() . "'.",
    284. 

  284.         $request->getResponseHttpCode());
    285. 

  285.   }
    286. 

  286. 

  287.   /**
    288. 

  288.    * Verifies an id token and returns the authenticated apiLoginTicket.
    289. 

  289.    * Throws an exception if the id token is not valid.
    290. 

  290.    * The audience parameter can be used to control which id tokens are
    291. 

  291.    * accepted.  By default, the id token must have been issued to this OAuth2 client.
    292. 

  292.    *
    293. 

  293.    * @param $id_token
    294. 

  294.    * @param $audience
    295. 

  295.    * @return apiLoginTicket
    296. 

  296.    */
    297. 

  297.   public function verifyIdToken($id_token = null, $audience = null) {
    298. 

  298.     if (!$id_token) {
    299. 

  299.       $id_token = $this->accessToken['id_token'];
    300. 

  300.     }
    301. 

  301. 

  302.     $certs = $this->getFederatedSignonCerts();
    303. 

  303.     if (!$audience) {
    304. 

  304.       $audience = $this->clientId;
    305. 

  305.     }
    306. 

  306.     return $this->verifySignedJwtWithCerts($id_token, $certs, $audience);
    307. 

  307.   }
    308. 

  308. 

  309.   // Verifies the id token, returns the verified token contents.
    310. 

  310.   // Visible for testing.
    311. 

  311.   function verifySignedJwtWithCerts($jwt, $certs, $required_audience) {
    312. 

  312.     $segments = explode(".", $jwt);
    313. 

  313.     if (count($segments) != 3) {
    314. 

  314.       throw new apiAuthException("Wrong number of segments in token: $jwt");
    315. 

  315.     }
    316. 

  316.     $signed = $segments[0] . "." . $segments[1];
    317. 

  317.     $signature = apiUtils::urlSafeB64Decode($segments[2]);
    318. 

  318. 

  319.     // Parse envelope.
    320. 

  320.     $envelope = json_decode(apiUtils::urlSafeB64Decode($segments[0]), true);
    321. 

  321.     if (!$envelope) {
    322. 

  322.       throw new apiAuthException("Can't parse token envelope: " . $segments[0]);
    323. 

  323.     }
    324. 

  324. 

  325.     // Parse token
    326. 

  326.     $json_body = apiUtils::urlSafeB64Decode($segments[1]);
    327. 

  327.     $payload = json_decode($json_body, true);
    328. 

  328.     if (!$payload) {
    329. 

  329.       throw new apiAuthException("Can't parse token payload: " . $segments[1]);
    330. 

  330.     }
    331. 

  331. 

  332.     // Check signature
    333. 

  333.     $verified = false;
    334. 

  334.     foreach ($certs as $keyName => $pem) {
    335. 

  335.       $public_key = new apiPemVerifier($pem);
    336. 

  336.       if ($public_key->verify($signed, $signature)) {
    337. 

  337.         $verified = true;
    338. 

  338.         break;
    339. 

  339.       }
    340. 

  340.     }
    341. 

  341. 

  342.     if (!$verified) {
    343. 

  343.       throw new apiAuthException("Invalid token signature: $jwt");
    344. 

  344.     }
    345. 

  345. 

  346.     // Check issued-at timestamp
    347. 

  347.     $iat = 0;
    348. 

  348.     if (array_key_exists("iat", $payload)) {
    349. 

  349.       $iat = $payload["iat"];
    350. 

  350.     }
    351. 

  351.     if (!$iat) {
    352. 

  352.       throw new apiAuthException("No issue time in token: $json_body");
    353. 

  353.     }
    354. 

  354.     $earliest = $iat - self::CLOCK_SKEW_SECS;
    355. 

  355. 

  356.     // Check expiration timestamp
    357. 

  357.     $now = time();
    358. 

  358.     $exp = 0;
    359. 

  359.     if (array_key_exists("exp", $payload)) {
    360. 

  360.       $exp = $payload["exp"];
    361. 

  361.     }
    362. 

  362.     if (!$exp) {
    363. 

  363.       throw new apiAuthException("No expiration time in token: $json_body");
    364. 

  364.     }
    365. 

  365.     if ($exp >= $now + self::MAX_TOKEN_LIFETIME_SECS) {
    366. 

  366.       throw new apiAuthException(
    367. 

  367.           "Expiration time too far in future: $json_body");
    368. 

  368.     }
    369. 

  369. 

  370.     $latest = $exp + self::CLOCK_SKEW_SECS;
    371. 

  371.     if ($now < $earliest) {
    372. 

  372.       throw new apiAuthException(
    373. 

  373.           "Token used too early, $now < $earliest: $json_body");
    374. 

  374.     }
    375. 

  375.     if ($now > $latest) {
    376. 

  376.       throw new apiAuthException(
    377. 

  377.           "Token used too late, $now > $latest: $json_body");
    378. 

  378.     }
    379. 

  379. 

  380.     // TODO(beaton): check issuer field?
    381. 

  381. 

  382.     // Check audience
    383. 

  383.     $aud = $payload["aud"];
    384. 

  384.     if ($aud != $required_audience) {
    385. 

  385.       throw new apiAuthException("Wrong recipient, $aud != $required_audience: $json_body");
    386. 

  386.     }
    387. 

  387. 

  388.     // All good.
    389. 

  389.     return new apiLoginTicket($envelope, $payload);
    390. 

  390.   }
    391. 

  391. }
    392.