OAuth2.php | searchcode

/lib/OAuth2.php

https://github.com/thomascoding/oauth2-php
PHP | 1138 lines | 420 code | 139 blank | 579 comment | 91 complexity | 107d7fdc372a3f7d67860141f6fd40c3 MD5 | raw file
Possible License(s): MIT

<?php
require 'OAuth2ServerException.php';
require 'OAuth2AuthenticateException.php';
require 'OAuth2RedirectException.php';

/**
 * @mainpage
 * OAuth 2.0 server in PHP, originally written for
 * <a href="http://www.opendining.net/"> Open Dining</a>. Supports
 * <a href="http://tools.ietf.org/html/draft-ietf-oauth-v2-20">IETF draft v20</a>.
 *
 * Source repo has sample servers implementations for
 * <a href="http://php.net/manual/en/book.pdo.php"> PHP Data Objects</a> and
 * <a href="http://www.mongodb.org/">MongoDB</a>. Easily adaptable to other
 * storage engines.
 *
 * PHP Data Objects supports a variety of databases, including MySQL,
 * Microsoft SQL Server, SQLite, and Oracle, so you can try out the sample
 * to see how it all works.
 *
 * We're expanding the wiki to include more helpful documentation, but for
 * now, your best bet is to view the oauth.php source - it has lots of
 * comments.
 *
 * @author Tim Ridgely <tim.ridgely@gmail.com>
 * @author Aaron Parecki <aaron@parecki.com>
 * @author Edison Wong <hswong3i@pantarei-design.com>
 * @author David Rochwerger <catch.dave@gmail.com>
 *
 * @see http://code.google.com/p/oauth2-php/
 * @see https://github.com/quizlet/oauth2-php
 */

/**
 * OAuth2.0 draft v20 server-side implementation.
 * 
 * @todo Add support for Message Authentication Code (MAC) token type.
 *
 * @author Originally written by Tim Ridgely <tim.ridgely@gmail.com>.
 * @author Updated to draft v10 by Aaron Parecki <aaron@parecki.com>.
 * @author Debug, coding style clean up and documented by Edison Wong <hswong3i@pantarei-design.com>.
 * @author Refactored (including separating from raw POST/GET) and updated to draft v20 by David Rochwerger <catch.dave@gmail.com>.
 */
class OAuth2 {
	
	/**
	 * Array of persistent variables stored.
	 */
	protected $conf = array();
	
	/**
	 * Storage engine for authentication server
	 * 
	 * @var IOAuth2Storage
	 */
	protected $storage;
	
	/**
	 * Keep track of the old refresh token. So we can unset
	 * the old refresh tokens when a new one is issued.
	 * 
	 * @var string
	 */
	protected $oldRefreshToken;
	
	/**
	 * Default values for configuration options.
	 * 
	 * @var int
	 * @see OAuth2::setDefaultOptions()
	 */
	const DEFAULT_ACCESS_TOKEN_LIFETIME = 3600;
	const DEFAULT_REFRESH_TOKEN_LIFETIME = 1209600;
	const DEFAULT_AUTH_CODE_LIFETIME = 30;
	const DEFAULT_WWW_REALM = 'Service';
	
	/**
	 * Configurable options.
	 * 
	 * @var string
	 */
	const CONFIG_ACCESS_LIFETIME = 'access_token_lifetime'; // The lifetime of access token in seconds.
	const CONFIG_REFRESH_LIFETIME = 'refresh_token_lifetime'; // The lifetime of refresh token in seconds.
	const CONFIG_AUTH_LIFETIME = 'auth_code_lifetime'; // The lifetime of auth code in seconds.
	const CONFIG_SUPPORTED_SCOPES = 'supported_scopes'; // Array of scopes you want to support
	const CONFIG_TOKEN_TYPE = 'token_type'; // Token type to respond with. Currently only "Bearer" supported.
	const CONFIG_WWW_REALM = 'realm';
	const CONFIG_ENFORCE_INPUT_REDIRECT = 'enforce_redirect'; // Set to true to enforce redirect_uri on input for both authorize and token steps.
	const CONFIG_ENFORCE_STATE = 'enforce_state'; // Set to true to enforce state to be passed in authorization (see http://tools.ietf.org/html/draft-ietf-oauth-v2-21#section-10.12)
	

	/**
	 * Regex to filter out the client identifier (described in Section 2 of IETF draft).
	 *
	 * IETF draft does not prescribe a format for these, however I've arbitrarily
	 * chosen alphanumeric strings with hyphens and underscores, 3-32 characters
	 * long.
	 *
	 * Feel free to change.
	 */
	const CLIENT_ID_REGEXP = '/^[a-z0-9-_]{3,32}$/i';
	
	/**
	 * @defgroup oauth2_section_5 Accessing a Protected Resource
	 * @{
	 *
	 * Clients access protected resources by presenting an access token to
	 * the resource server. Access tokens act as bearer tokens, where the
	 * token string acts as a shared symmetric secret. This requires
	 * treating the access token with the same care as other secrets (e.g.
	 * end-user passwords). Access tokens SHOULD NOT be sent in the clear
	 * over an insecure channel.
	 *
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-7
	 */
	
	/**
	 * Used to define the name of the OAuth access token parameter
	 * (POST & GET). This is for the "bearer" token type.
	 * Other token types may use different methods and names.
	 *
	 * IETF Draft section 2 specifies that it should be called "access_token"
	 *
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-06#section-2.2
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-06#section-2.3
	 */
	const TOKEN_PARAM_NAME = 'access_token';
	
	/**
	 * When using the bearer token type, there is a specifc Authorization header
	 * required: "Bearer"
	 * 
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-04#section-2.1
	 */
	const TOKEN_BEARER_HEADER_NAME = 'Bearer';
	
	/**
	 * @}
	 */
	
	/**
	 * @defgroup oauth2_section_4 Obtaining Authorization
	 * @{
	 *
	 * When the client interacts with an end-user, the end-user MUST first
	 * grant the client authorization to access its protected resources.
	 * Once obtained, the end-user authorization grant is expressed as an
	 * authorization code which the client uses to obtain an access token.
	 * To obtain an end-user authorization, the client sends the end-user to
	 * the end-user authorization endpoint.
	 *
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4
	 */
	
	/**
	 * List of possible authentication response types.
	 * The "authorization_code" mechanism exclusively supports 'code'
	 * and the "implicit" mechanism exclusively supports 'token'.
	 * 
	 * @var string
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.1.1
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.2.1
	 */
	const RESPONSE_TYPE_AUTH_CODE = 'code';
	const RESPONSE_TYPE_ACCESS_TOKEN = 'token';
	
	/**
	 * @}
	 */
	
	/**
	 * @defgroup oauth2_section_5 Obtaining an Access Token
	 * @{
	 *
	 * The client obtains an access token by authenticating with the
	 * authorization server and presenting its authorization grant (in the form of
	 * an authorization code, resource owner credentials, an assertion, or a
	 * refresh token).
	 *
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4
	 */
	
	/**
	 * Grant types support by draft 20
	 */
	const GRANT_TYPE_AUTH_CODE = 'authorization_code';
	const GRANT_TYPE_IMPLICIT = 'token';
	const GRANT_TYPE_USER_CREDENTIALS = 'password';
	const GRANT_TYPE_CLIENT_CREDENTIALS = 'client_credentials';
	const GRANT_TYPE_REFRESH_TOKEN = 'refresh_token';
	const GRANT_TYPE_EXTENSIONS = 'extensions';
	
	/**
	 * Regex to filter out the grant type.
	 * NB: For extensibility, the grant type can be a URI
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.5
	 */
	const GRANT_TYPE_REGEXP = '#^(authorization_code|token|password|client_credentials|refresh_token|http://.*)$#';
	
	/**
	 * @}
	 */
	
	/**
	 * Possible token types as defined by draft 20.
	 * 
	 * TODO: Add support for mac (and maybe other types?)
	 * 
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-7.1 
	 */
	const TOKEN_TYPE_BEARER = 'bearer';
	const TOKEN_TYPE_MAC = 'mac'; // Currently unsupported
	

	/**
	 * @defgroup self::HTTP_status HTTP status code
	 * @{
	 */
	
	/**
	 * HTTP status codes for successful and error states as specified by draft 20.
	 *
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.1.2
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-5.2
	 */
	const HTTP_FOUND = '302 Found';
	const HTTP_BAD_REQUEST = '400 Bad Request';
	const HTTP_UNAUTHORIZED = '401 Unauthorized';
	const HTTP_FORBIDDEN = '403 Forbidden';
	const HTTP_UNAVAILABLE = '503 Service Unavailable';
	
	/**
	 * @}
	 */
	
	/**
	 * @defgroup oauth2_error Error handling
	 * @{
	 *
	 * @todo Extend for i18n.
	 * @todo Consider moving all error related functionality into a separate class.
	 */
	
	/**
	 * The request is missing a required parameter, includes an unsupported
	 * parameter or parameter value, or is otherwise malformed.
	 *
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.1.2.1
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.2.2.1
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-5.2
	 */
	const ERROR_INVALID_REQUEST = 'invalid_request';
	
	/**
	 * The client identifier provided is invalid.
	 *
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-5.2
	 */
	const ERROR_INVALID_CLIENT = 'invalid_client';
	
	/**
	 * The client is not authorized to use the requested response type.
	 *
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.1.2.1
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.2.2.1
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-5.2
	 */
	const ERROR_UNAUTHORIZED_CLIENT = 'unauthorized_client';
	
	/**
	 * The redirection URI provided does not match a pre-registered value.
	 *
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-3.1.2.4
	 */
	const ERROR_REDIRECT_URI_MISMATCH = 'redirect_uri_mismatch';
	
	/**
	 * The end-user or authorization server denied the request.
	 * This could be returned, for example, if the resource owner decides to reject
	 * access to the client at a later point.
	 *
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.1.2.1
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.2.2.1
	 */
	const ERROR_USER_DENIED = 'access_denied';
	
	/**
	 * The requested response type is not supported by the authorization server.
	 *
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.1.2.1
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.2.2.1
	 */
	const ERROR_UNSUPPORTED_RESPONSE_TYPE = 'unsupported_response_type';
	
	/**
	 * The requested scope is invalid, unknown, or malformed.
	 *
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.1.2.1
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.2.2.1
	 */
	const ERROR_INVALID_SCOPE = 'invalid_scope';
	
	/**
	 * The provided authorization grant is invalid, expired,
	 * revoked, does not match the redirection URI used in the
	 * authorization request, or was issued to another client.
	 *
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-5.2
	 */
	const ERROR_INVALID_GRANT = 'invalid_grant';
	
	/**
	 * The authorization grant is not supported by the authorization server.
	 *
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-5.2
	 */
	const ERROR_UNSUPPORTED_GRANT_TYPE = 'unsupported_grant_type';
	
	/**
	 * The request requires higher privileges than provided by the access token.
	 * The resource server SHOULD respond with the HTTP 403 (Forbidden) status
	 * code and MAY include the "scope" attribute with the scope necessary to
	 * access the protected resource.
	 *
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.1.2.1
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.2.2.1
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-5.2
	 */
	const ERROR_INSUFFICIENT_SCOPE = 'invalid_scope';

	/**
	 * @}
	 */
	
	/**
	 * Creates an OAuth2.0 server-side instance.
	 *
	 * @param $config - An associative array as below of config options. See CONFIG_* constants.
	 */
	public function __construct(IOAuth2Storage $storage, $config = array()) {
		$this->storage = $storage;
		
		// Configuration options
		$this->setDefaultOptions();
		foreach ( $config as $name => $value ) {
			$this->setVariable($name, $value);
		}
	}

	/**
	 * Default configuration options are specified here.
	 */
	protected function setDefaultOptions() {
		$this->conf = array(
			self::CONFIG_ACCESS_LIFETIME => self::DEFAULT_ACCESS_TOKEN_LIFETIME,
			self::CONFIG_REFRESH_LIFETIME => self::DEFAULT_REFRESH_TOKEN_LIFETIME,
			self::CONFIG_AUTH_LIFETIME => self::DEFAULT_AUTH_CODE_LIFETIME,
			self::CONFIG_WWW_REALM => self::DEFAULT_WWW_REALM,
			self::CONFIG_TOKEN_TYPE => self::TOKEN_TYPE_BEARER,
			self::CONFIG_ENFORCE_INPUT_REDIRECT => FALSE,
			self::CONFIG_ENFORCE_STATE => FALSE,
			self::CONFIG_SUPPORTED_SCOPES => array() // This is expected to be passed in on construction. Scopes can be an aribitrary string.
		);  
	}

	/**
	 * Returns a persistent variable.
	 *
	 * @param $name
	 * The name of the variable to return.
	 * @param $default
	 * The default value to use if this variable has never been set.
	 *
	 * @return
	 * The value of the variable.
	 */
	public function getVariable($name, $default = NULL) {
		$name = strtolower($name);
		
		return isset($this->conf[$name]) ? $this->conf[$name] : $default;
	}

	/**
	 * Sets a persistent variable.
	 *
	 * @param $name
	 * The name of the variable to set.
	 * @param $value
	 * The value to set.
	 */
	public function setVariable($name, $value) {
		$name = strtolower($name);
		
		$this->conf[$name] = $value;
		return $this;
	}

	// Resource protecting (Section 5).
	

	/**
	 * Check that a valid access token has been provided.
	 * The token is returned (as an associative array) if valid.
	 *
	 * The scope parameter defines any required scope that the token must have.
	 * If a scope param is provided and the token does not have the required
	 * scope, we bounce the request.
	 *
	 * Some implementations may choose to return a subset of the protected
	 * resource (i.e. "public" data) if the user has not provided an access
	 * token or if the access token is invalid or expired.
	 *
	 * The IETF spec says that we should send a 401 Unauthorized header and
	 * bail immediately so that's what the defaults are set to. You can catch
	 * the exception thrown and behave differently if you like (log errors, allow
	 * public access for missing tokens, etc)
	 *
	 * @param $scope
	 * A space-separated string of required scope(s), if you want to check
	 * for scope.
	 * @return array
	 * Token
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-7
	 *
	 * @ingroup oauth2_section_7
	 */
	public function verifyAccessToken($token_param, $scope = NULL) {
		$tokenType = $this->getVariable(self::CONFIG_TOKEN_TYPE);
		$realm = $this->getVariable(self::CONFIG_WWW_REALM);
		
		if (!$token_param) { // Access token was not provided
			throw new OAuth2AuthenticateException(self::HTTP_BAD_REQUEST, $tokenType, $realm, self::ERROR_INVALID_REQUEST, 'The request is missing a required parameter, includes an unsupported parameter or parameter value, repeats the same parameter, uses more than one method for including an access token, or is otherwise malformed.', $scope);
		}
		
		// Get the stored token data (from the implementing subclass)
		$token = $this->storage->getAccessToken($token_param);
		if ($token === NULL) {
			throw new OAuth2AuthenticateException(self::HTTP_UNAUTHORIZED, $tokenType, $realm, self::ERROR_INVALID_GRANT, 'The access token provided is invalid.', $scope);
		}
		
		// Check we have a well formed token
		if (!isset($token["expires"]) || !isset($token["client_id"])) {
			throw new OAuth2AuthenticateException(self::HTTP_UNAUTHORIZED, $tokenType, $realm, self::ERROR_INVALID_GRANT, 'Malformed token (missing "expires" or "client_id")', $scope);
		}
		
		// Check token expiration (expires is a mandatory paramter)
		if (isset($token["expires"]) && time() > $token["expires"]) {
			throw new OAuth2AuthenticateException(self::HTTP_UNAUTHORIZED, $tokenType, $realm, self::ERROR_INVALID_GRANT, 'The access token provided has expired.', $scope);
		}
		
		// Check scope, if provided
		// If token doesn't have a scope, it's NULL/empty, or it's insufficient, then throw an error
		if ($scope && (!isset($token["scope"]) || !$token["scope"] || !$this->checkScope($scope, $token["scope"]))) {
			throw new OAuth2AuthenticateException(self::HTTP_FORBIDDEN, $tokenType, $realm, self::ERROR_INSUFFICIENT_SCOPE, 'The request requires higher privileges than provided by the access token.', $scope);
		}
		
		return $token;
	}

	/**
	 * This is a convenience function that can be used to get the token, which can then
	 * be passed to verifyAccessToken(). The constraints specified by the draft are
	 * attempted to be adheared to in this method.
	 * 
	 * As per the Bearer spec (draft 8, section 2) - there are three ways for a client
	 * to specify the bearer token, in order of preference: Authorization Header,
	 * POST and GET.
	 * 
	 * NB: Resource servers MUST accept tokens via the Authorization scheme
	 * (http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-08#section-2).
	 * 
	 * @todo Should we enforce TLS/SSL in this function?
	 * 
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-08#section-2.1
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-08#section-2.2
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-08#section-2.3
	 * 
	 * Old Android version bug (at least with version 2.2)
	 * @see http://code.google.com/p/android/issues/detail?id=6684
	 * 
	 * We don't want to test this functionality as it relies on superglobals and headers:
	 * @codeCoverageIgnoreStart
	 */
	public function getBearerToken() {
		if (isset($_SERVER['HTTP_AUTHORIZATION'])) {
			$headers = trim($_SERVER["HTTP_AUTHORIZATION"]);
		} elseif (function_exists('apache_request_headers')) {
			$requestHeaders = apache_request_headers();
			
			// Server-side fix for bug in old Android versions (a nice side-effect of this fix means we don't care about capitalization for Authorization)
			$requestHeaders = array_combine(array_map('ucwords', array_keys($requestHeaders)), array_values($requestHeaders));
			
			if (isset($requestHeaders['Authorization'])) {
				$headers = trim($requestHeaders['Authorization']);
			}
		}
		
		$tokenType = $this->getVariable(self::CONFIG_TOKEN_TYPE);
		$realm = $this->getVariable(self::CONFIG_WWW_REALM);
		
		// Check that exactly one method was used
		$methodsUsed = !empty($headers) + isset($_GET[self::TOKEN_PARAM_NAME]) + isset($_POST[self::TOKEN_PARAM_NAME]);
		if ($methodsUsed > 1) {
			throw new OAuth2AuthenticateException(self::HTTP_BAD_REQUEST, $tokenType, $realm, self::ERROR_INVALID_REQUEST, 'Only one method may be used to authenticate at a time (Auth header, GET or POST).');
		} elseif ($methodsUsed == 0) {
			throw new OAuth2AuthenticateException(self::HTTP_BAD_REQUEST, $tokenType, $realm, self::ERROR_INVALID_REQUEST, 'The access token was not found.');
		}
		
		// HEADER: Get the access token from the header
		if (!empty($headers)) {
			if (!preg_match('/' . self::TOKEN_BEARER_HEADER_NAME . '\s(\S+)/', $headers, $matches)) {
				throw new OAuth2AuthenticateException(self::HTTP_BAD_REQUEST, $tokenType, $realm, self::ERROR_INVALID_REQUEST, 'Malformed auth header');
			}
			
			return $matches[1];
		}
		
		// POST: Get the token from POST data
		if (isset($_POST[self::TOKEN_PARAM_NAME])) {
			if ($_SERVER['REQUEST_METHOD'] != 'POST') {
				throw new OAuth2AuthenticateException(self::HTTP_BAD_REQUEST, $tokenType, $realm, self::ERROR_INVALID_REQUEST, 'When putting the token in the body, the method must be POST.');
			}
			
			// IETF specifies content-type. NB: Not all webservers populate this _SERVER variable
			if (isset($_SERVER['CONTENT_TYPE']) && $_SERVER['CONTENT_TYPE'] != 'application/x-www-form-urlencoded') {
				throw new OAuth2AuthenticateException(self::HTTP_BAD_REQUEST, $tokenType, $realm, self::ERROR_INVALID_REQUEST, 'The content type for POST requests must be "application/x-www-form-urlencoded"');
			}
			
			return $_POST[self::TOKEN_PARAM_NAME];
		}
		
		// GET method
		return $_GET[self::TOKEN_PARAM_NAME];
	}

	/** @codeCoverageIgnoreEnd */
	
	/**
	 * Check if everything in required scope is contained in available scope.
	 *
	 * @param $required_scope
	 * Required scope to be check with.
	 *
	 * @return
	 * TRUE if everything in required scope is contained in available scope,
	 * and False if it isn't.
	 *
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-7
	 *
	 * @ingroup oauth2_section_7
	 */
	private function checkScope($required_scope, $available_scope) {
		// The required scope should match or be a subset of the available scope
		if (!is_array($required_scope)) {
			$required_scope = explode(' ', trim($required_scope));
		}
		
		if (!is_array($available_scope)) {
			$available_scope = explode(' ', trim($available_scope));
		}
		
		return (count(array_diff($required_scope, $available_scope)) == 0);
	}

	// Access token granting (Section 4).
	

	/**
	 * Grant or deny a requested access token.
	 * This would be called from the "/token" endpoint as defined in the spec.
	 * Obviously, you can call your endpoint whatever you want.
	 * 
	 * @param $inputData - The draft specifies that the parameters should be
	 * retrieved from POST, but you can override to whatever method you like.
	 * @throws OAuth2ServerException
	 * 
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-21#section-10.6
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-21#section-4.1.3
	 *
	 * @ingroup oauth2_section_4
	 */
	public function grantAccessToken(array $inputData = NULL, array $authHeaders = NULL) {
		$filters = array(
			"grant_type" => array("filter" => FILTER_VALIDATE_REGEXP, "options" => array("regexp" => self::GRANT_TYPE_REGEXP), "flags" => FILTER_REQUIRE_SCALAR),
			"scope" => array("flags" => FILTER_REQUIRE_SCALAR),
			"code" => array("flags" => FILTER_REQUIRE_SCALAR),
			"redirect_uri" => array("filter" => FILTER_SANITIZE_URL),
			"username" => array("flags" => FILTER_REQUIRE_SCALAR),
			"password" => array("flags" => FILTER_REQUIRE_SCALAR),
			"refresh_token" => array("flags" => FILTER_REQUIRE_SCALAR),
		);
		
		// Input data by default can be either POST or GET
		if (!isset($inputData)) {
			$inputData = ($_SERVER['REQUEST_METHOD'] == 'POST') ? $_POST : $_GET;
		}
		
		// Basic authorization header
		$authHeaders = isset($authHeaders) ? $authHeaders : $this->getAuthorizationHeader();
		
		// Filter input data
		$input = filter_var_array($inputData, $filters);
		
		// Grant Type must be specified.
		if (!$input["grant_type"]) {
			throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_REQUEST, 'Invalid grant_type parameter or parameter missing');
		}
		
		// Authorize the client
		$client = $this->getClientCredentials($inputData, $authHeaders);
		
		if ($this->storage->checkClientCredentials($client[0], $client[1]) === FALSE) {
			throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_CLIENT, 'The client credentials are invalid');
		}
		
		if (!$this->storage->checkRestrictedGrantType($client[0], $input["grant_type"])) {
			throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_UNAUTHORIZED_CLIENT, 'The grant type is unauthorized for this client_id');
		}
		
		// Do the granting
		switch ($input["grant_type"]) {
			case self::GRANT_TYPE_AUTH_CODE:
				if (!($this->storage instanceof IOAuth2GrantCode)) {
					throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_UNSUPPORTED_GRANT_TYPE);
				}
				
				if (!$input["code"]) {
					throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_REQUEST, 'Missing parameter. "code" is required');
				}
				
				if ($this->getVariable(self::CONFIG_ENFORCE_INPUT_REDIRECT) && !$input["redirect_uri"]) {
					throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_REQUEST, "The redirect URI parameter is required.");
				}
				
				$stored = $this->storage->getAuthCode($input["code"]);
				
				// Check the code exists
				if ($stored === NULL || $client[0] != $stored["client_id"]) {
					throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_GRANT, "Refresh token doesn't exist or is invalid for the client");
				}
				
				// Validate the redirect URI. If a redirect URI has been provided on input, it must be validated
				if ($input["redirect_uri"] && !$this->validateRedirectUri($input["redirect_uri"], $stored["redirect_uri"])) {
					throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_REDIRECT_URI_MISMATCH, "The redirect URI is missing or do not match");
				}
				
				if ($stored["expires"] < time()) {
					throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_GRANT, "The authorization code has expired");
				}
				break;
			
			case self::GRANT_TYPE_USER_CREDENTIALS:
				if (!($this->storage instanceof IOAuth2GrantUser)) {
					throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_UNSUPPORTED_GRANT_TYPE);
				}
				
				if (!$input["username"] || !$input["password"]) {
					throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_REQUEST, 'Missing parameters. "username" and "password" required');
				}
				
				$stored = $this->storage->checkUserCredentials($client[0], $input["username"], $input["password"]);
				
				if ($stored === FALSE) {
					throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_GRANT);
				}
				break;
			
			case self::GRANT_TYPE_CLIENT_CREDENTIALS:
				if (!($this->storage instanceof IOAuth2GrantClient)) {
					throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_UNSUPPORTED_GRANT_TYPE);
				}
				
				if (empty($client[1])) {
					throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_CLIENT, 'The client_secret is mandatory for the "client_credentials" grant type');
				}
				// NB: We don't need to check for $stored==false, because it was checked above already
				$stored = $this->storage->checkClientCredentialsGrant($client[0], $client[1]);
				break;
			
			case self::GRANT_TYPE_REFRESH_TOKEN:
				if (!($this->storage instanceof IOAuth2RefreshTokens)) {
					throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_UNSUPPORTED_GRANT_TYPE);
				}
				
				if (!$input["refresh_token"]) {
					throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_REQUEST, 'No "refresh_token" parameter found');
				}
				
				$stored = $this->storage->getRefreshToken($input["refresh_token"]);
				
				if ($stored === NULL || $client[0] != $stored["client_id"]) {
					throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_GRANT, 'Invalid refresh token');
				}
				
				if ($stored["expires"] < time()) {
					throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_GRANT, 'Refresh token has expired');
				}
				
				// store the refresh token locally so we can delete it when a new refresh token is generated
				$this->oldRefreshToken = $stored["refresh_token"];
				break;
			
			case self::GRANT_TYPE_IMPLICIT:
				/* TODO: NOT YET IMPLEMENTED */
				throw new OAuth2ServerException('501 Not Implemented', 'This OAuth2 library is not yet complete. This functionality is not implemented yet.');
				if (!($this->storage instanceof IOAuth2GrantImplicit)) {
					throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_UNSUPPORTED_GRANT_TYPE);
				}
				
				break;
			
			// Extended grant types:
			case filter_var($input["grant_type"], FILTER_VALIDATE_URL):
				if (!($this->storage instanceof IOAuth2GrantExtension)) {
					throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_UNSUPPORTED_GRANT_TYPE);
				}
				$uri = filter_var($input["grant_type"], FILTER_VALIDATE_URL);
				$stored = $this->storage->checkGrantExtension($uri, $inputData, $authHeaders);
				
				if ($stored === FALSE) {
					throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_GRANT);
				}
				break;
			
			default :
				throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_REQUEST, 'Invalid grant_type parameter or parameter missing');
		}
		
		if (!isset($stored["scope"])) {
			$stored["scope"] = NULL;
		}
		
		// Check scope, if provided
		if ($input["scope"] && (!is_array($stored) || !isset($stored["scope"]) || !$this->checkScope($input["scope"], $stored["scope"]))) {
			throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_SCOPE, 'An unsupported scope was requested.');
		}
		
		$user_id = isset($stored['user_id']) ? $stored['user_id'] : null;
		$token = $this->createAccessToken($client[0], $user_id, $stored['scope']);
		
		// Send response
		$this->sendJsonHeaders();
		echo json_encode($token);
	}

	/**
	 * Internal function used to get the client credentials from HTTP basic
	 * auth or POST data.
	 * 
	 * According to the spec (draft 20), the client_id can be provided in
	 * the Basic Authorization header (recommended) or via GET/POST.
	 *
	 * @return
	 * A list containing the client identifier and password, for example
	 * @code
	 * return array(
	 * CLIENT_ID,
	 * CLIENT_SECRET
	 * );
	 * @endcode
	 *
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-2.4.1
	 *
	 * @ingroup oauth2_section_2
	 */
	protected function getClientCredentials(array $inputData, array $authHeaders) {
		
		// Basic Authentication is used
		if (!empty($authHeaders['PHP_AUTH_USER'])) {
			return array($authHeaders['PHP_AUTH_USER'], $authHeaders['PHP_AUTH_PW']);
		} elseif (empty($inputData['client_id'])) { // No credentials were specified
			throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_CLIENT, 'Client id was not found in the headers or body');
		} else {
			// This method is not recommended, but is supported by specification
			return array($inputData['client_id'], $inputData['client_secret']);
		}
	}

	// End-user/client Authorization (Section 2 of IETF Draft).
	

	/**
	 * Pull the authorization request data out of the HTTP request.
	 * - The redirect_uri is OPTIONAL as per draft 20. But your implementation can enforce it
	 * by setting CONFIG_ENFORCE_INPUT_REDIRECT to true.
	 * - The state is OPTIONAL but recommended to enforce CSRF. Draft 21 states, however, that
	 * CSRF protection is MANDATORY. You can enforce this by setting the CONFIG_ENFORCE_STATE to true.
	 *
	 * @param $inputData - The draft specifies that the parameters should be
	 * retrieved from GET, but you can override to whatever method you like.
	 * @return
	 * The authorization parameters so the authorization server can prompt
	 * the user for approval if valid.
	 *
	 * @throws OAuth2ServerException
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.1.1
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-21#section-10.12
	 * 
	 * @ingroup oauth2_section_3
	 */
	public function getAuthorizeParams(array $inputData = NULL) {
		$filters = array(
			"client_id" => array("filter" => FILTER_VALIDATE_REGEXP, "options" => array("regexp" => self::CLIENT_ID_REGEXP), "flags" => FILTER_REQUIRE_SCALAR),
			"response_type" => array("flags" => FILTER_REQUIRE_SCALAR),
			"redirect_uri" => array("filter" => FILTER_SANITIZE_URL),
			"state" => array("flags" => FILTER_REQUIRE_SCALAR),
			"scope" => array("flags" => FILTER_REQUIRE_SCALAR)
		);
		
		if (!isset($inputData)) {
			$inputData = $_GET;
		}
		$input = filter_var_array($inputData, $filters);
		
		// Make sure a valid client id was supplied (we can not redirect because we were unable to verify the URI)
		if (!$input["client_id"]) {
			throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_CLIENT, "No client id supplied"); // We don't have a good URI to use
		}
		
		// Get client details
		$stored = $this->storage->getClientDetails($input["client_id"]);
		if ($stored === FALSE) {
			throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_CLIENT, "Client id does not exist");
		}
		
		// Make sure a valid redirect_uri was supplied. If specified, it must match the stored URI.
		// @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-3.1.2
		// @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.1.2.1
		// @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.2.2.1
		if (!$input["redirect_uri"] && !$stored["redirect_uri"]) {
			throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_REDIRECT_URI_MISMATCH, 'No redirect URL was supplied or stored.');
		}
		if ($this->getVariable(self::CONFIG_ENFORCE_INPUT_REDIRECT) && !$input["redirect_uri"]) {
			throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_REDIRECT_URI_MISMATCH, 'The redirect URI is mandatory and was not supplied.');
		}
		// Only need to validate if redirect_uri provided on input and stored.
		if ($stored["redirect_uri"] && $input["redirect_uri"] && !$this->validateRedirectUri($input["redirect_uri"], $stored["redirect_uri"])) {
			throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_REDIRECT_URI_MISMATCH, 'The redirect URI provided is missing or does not match');
		}
		
		// Select the redirect URI
		$input["redirect_uri"] = isset($input["redirect_uri"]) ? $input["redirect_uri"] : $stored["redirect_uri"];

		// type and client_id are required
		if (!$input["response_type"]) {
			throw new OAuth2RedirectException($input["redirect_uri"], self::ERROR_INVALID_REQUEST, 'Invalid or missing response type.', $input["state"]);
		}

		if ($input['response_type'] != self::RESPONSE_TYPE_AUTH_CODE && $input['response_type'] != self::RESPONSE_TYPE_ACCESS_TOKEN) {
			throw new OAuth2RedirectException($input["redirect_uri"], self::ERROR_UNSUPPORTED_RESPONSE_TYPE, NULL, $input["state"]);
		}

		// Validate that the requested scope is supported
		if ($input["scope"] && !$this->checkScope($input["scope"], $this->getVariable(self::CONFIG_SUPPORTED_SCOPES))) {
			throw new OAuth2RedirectException($input["redirect_uri"], self::ERROR_INVALID_SCOPE, 'An unsupported scope was requested.', $input["state"]);
		}
		
		// Validate state parameter exists (if configured to enforce this)
		if ($this->getVariable(self::CONFIG_ENFORCE_STATE) && !$input["state"]) {
			throw new OAuth2RedirectException($input["redirect_uri"], self::ERROR_INVALID_REQUEST, "The state parameter is required.");
		}
		
		// Return retrieved client details together with input
		return ($input + $stored);
	}

	/**
	 * Redirect the user appropriately after approval.
	 *
	 * After the user has approved or denied the access request the
	 * authorization server should call this function to redirect the user
	 * appropriately.
	 *
	 * @param $is_authorized
	 * TRUE or FALSE depending on whether the user authorized the access.
	 * @param $user_id
	 * Identifier of user who authorized the client
	 * @param $params
	 * An associative array as below:
	 * - response_type: The requested response: an access token, an
	 * authorization code, or both.
	 * - client_id: The client identifier as described in Section 2.
	 * - redirect_uri: An absolute URI to which the authorization server
	 * will redirect the user-agent to when the end-user authorization
	 * step is completed.
	 * - scope: (optional) The scope of the access request expressed as a
	 * list of space-delimited strings.
	 * - state: (optional) An opaque value used by the client to maintain
	 * state between the request and callback.
	 *
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4
	 *
	 * @ingroup oauth2_section_4
	 */
	public function finishClientAuthorization($is_authorized, $user_id = NULL, $params = array()) {
		list($redirect_uri, $result) = $this->getAuthResult($is_authorized, $user_id, $params);
		$this->doRedirectUriCallback($redirect_uri, $result);
	}

	// same params as above
	public function getAuthResult($is_authorized, $user_id = NULL, $params = array()) {

		// We repeat this, because we need to re-validate. In theory, this could be POSTed
		// by a 3rd-party (because we are not internally enforcing NONCEs, etc)
		$params = $this->getAuthorizeParams($params);
		
		$params += array('scope' => NULL, 'state' => NULL);
		extract($params);
		
		if ($state !== NULL) {
			$result["query"]["state"] = $state;
		}
		
		if ($is_authorized === FALSE) {
			throw new OAuth2RedirectException($redirect_uri, self::ERROR_USER_DENIED, "The user denied access to your application", $state);
		} else {
			if ($response_type == self::RESPONSE_TYPE_AUTH_CODE) {
				$result["query"]["code"] = $this->createAuthCode($client_id, $user_id, $redirect_uri, $scope);
			} elseif ($response_type == self::RESPONSE_TYPE_ACCESS_TOKEN) {
				$result["fragment"] = $this->createAccessToken($client_id, $user_id, $scope);
			}
		}

		return array($redirect_uri, $result);
	}

	// Other/utility functions.
	

	/**
	 * Redirect the user agent.
	 *
	 * Handle both redirect for success or error response.
	 *
	 * @param $redirect_uri
	 * An absolute URI to which the authorization server will redirect
	 * the user-agent to when the end-user authorization step is completed.
	 * @param $params
	 * Parameters to be pass though buildUri().
	 *
	 * @ingroup oauth2_section_4
	 */
	private function doRedirectUriCallback($redirect_uri, $params) {
		header("HTTP/1.1 " . self::HTTP_FOUND);
		header("Location: " . $this->buildUri($redirect_uri, $params));
		exit();
	}

	/**
	 * Build the absolute URI based on supplied URI and parameters.
	 *
	 * @param $uri
	 * An absolute URI.
	 * @param $params
	 * Parameters to be append as GET.
	 *
	 * @return
	 * An absolute URI with supplied parameters.
	 *
	 * @ingroup oauth2_section_4
	 */
	private function buildUri($uri, $params) {
		$parse_url = parse_url($uri);
		
		// Add our params to the parsed uri
		foreach ( $params as $k => $v ) {
			if (isset($parse_url[$k])) {
				$parse_url[$k] .= "&" . http_build_query($v);
			} else {
				$parse_url[$k] = http_build_query($v);
			}
		}
		
		// Put humpty dumpty back together
		return
			((isset($parse_url["scheme"])) ? $parse_url["scheme"] . "://" : "")
			. ((isset($parse_url["user"])) ? $parse_url["user"]
			. ((isset($parse_url["pass"])) ? ":" . $parse_url["pass"] : "") . "@" : "")
			. ((isset($parse_url["host"])) ? $parse_url["host"] : "")
			. ((isset($parse_url["port"])) ? ":" . $parse_url["port"] : "")
			. ((isset($parse_url["path"])) ? $parse_url["path"] : "")
			. ((isset($parse_url["query"])) ? "?" . $parse_url["query"] : "")
			. ((isset($parse_url["fragment"])) ? "#" . $parse_url["fragment"] : "")
		;
	}

	/**
	 * Handle the creation of access token, also issue refresh token if support.
	 *
	 * This belongs in a separate factory, but to keep it simple, I'm just
	 * keeping it here.
	 *
	 * @param $client_id
	 * Client identifier related to the access token.
	 * @param $scope
	 * (optional) Scopes to be stored in space-separated string.
	 *
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-5
	 * @ingroup oauth2_section_5
	 */
	protected function createAccessToken($client_id, $user_id, $scope = NULL) {
		
		$token = array(
			"access_token" => $this->genAccessToken(),
			"expires_in" => $this->getVariable(self::CONFIG_ACCESS_LIFETIME),
			"token_type" => $this->getVariable(self::CONFIG_TOKEN_TYPE),
			"scope" => $scope
		);
		
		$this->storage->setAccessToken($token["access_token"], $client_id, $user_id, time() + $this->getVariable(self::CONFIG_ACCESS_LIFETIME), $scope);
		
		// Issue a refresh token also, if we support them
		if ($this->storage instanceof IOAuth2RefreshTokens) {
			$token["refresh_token"] = $this->genAccessToken();
			$this->storage->setRefreshToken($token["refresh_token"], $client_id, $user_id, time() + $this->getVariable(self::CONFIG_REFRESH_LIFETIME), $scope);
			
			// If we've granted a new refresh token, expire the old one
			if ($this->oldRefreshToken) {
				$this->storage->unsetRefreshToken($this->oldRefreshToken);
				unset($this->oldRefreshToken);
			}
		}
		
		return $token;
	}

	/**
	 * Handle the creation of auth code.
	 *
	 * This belongs in a separate factory, but to keep it simple, I'm just
	 * keeping it here.
	 *
	 * @param $client_id
	 * Client identifier related to the access token.
	 * @param $redirect_uri
	 * An absolute URI to which the authorization server will redirect the
	 * user-agent to when the end-user authorization step is completed.
	 * @param $scope
	 * (optional) Scopes to be stored in space-separated string.
	 *
	 * @ingroup oauth2_section_4
	 */
	private function createAuthCode($client_id, $user_id, $redirect_uri, $scope = NULL) {
		$code = $this->genAuthCode();
		$this->storage->setAuthCode($code, $client_id, $user_id, $redirect_uri, time() + $this->getVariable(self::CONFIG_AUTH_LIFETIME), $scope);
		return $code;
	}

	/**
	 * Generates an unique access token.
	 *
	 * Implementing classes may want to override this function to implement
	 * other access token generation schemes.
	 *
	 * @return
	 * An unique access token.
	 *
	 * @ingroup oauth2_section_4
	 * @see OAuth2::genAuthCode()
	 */
	protected function genAccessToken() {
		$tokenLen = 40;
		if (file_exists('/dev/urandom')) { // Get 100 bytes of random data
			$randomData = file_get_contents('/dev/urandom', false, null, 0, 100) . uniqid(mt_rand(), true);
		} else {
			$randomData = mt_rand() . mt_rand() . mt_rand() . mt_rand() . microtime(true) . uniqid(mt_rand(), true);
		}
		return substr(hash('sha512', $randomData), 0, $tokenLen);
	}

	/**
	 * Generates an unique auth code.
	 *
	 * Implementing classes may want to override this function to implement
	 * other auth code generation schemes.
	 *
	 * @return
	 * An unique auth code.
	 *
	 * @ingroup oauth2_section_4
	 * @see OAuth2::genAccessToken()
	 */
	protected function genAuthCode() {
		return $this->genAccessToken(); // let's reuse the same scheme for token generation
	}

	/**
	 * Pull out the Authorization HTTP header and return it.
	 * According to draft 20, standard basic authorization is the only
	 * header variable required (this does not apply to extended grant types).
	 *
	 * Implementing classes may need to override this function if need be.
	 * 
	 * @todo We may need to re-implement pulling out apache headers to support extended grant types
	 *
	 * @return
	 * An array of the basic username and password provided.
	 *
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-2.4.1
	 * @ingroup oauth2_section_2
	 */
	protected function getAuthorizationHeader() {
		return array(
			'PHP_AUTH_USER' => isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '',
			'PHP_AUTH_PW' => isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : ''
		);
	}

	/**
	 * Send out HTTP headers for JSON.
	 *
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-5.1
	 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-5.2
	 *
	 * @ingroup oauth2_section_5
	 */
	private function sendJsonHeaders() {
		if (php_sapi_name() === 'cli' || headers_sent()) {
			return;
		}
		
		header("Content-Type: application/json");
		header("Cache-Control: no-store");
	}

	/**
	 * Internal method for validating redirect URI supplied 
	 * @param string $inputUri
	 * @param string $storedUri
	 */
	protected function validateRedirectUri($inputUri, $storedUri) {
		if (!$inputUri || !$storedUri) {
			return false; // if either one is missing, assume INVALID
		}
		return strcasecmp(substr($inputUri, 0, strlen($storedUri)), $storedUri) === 0;
	}
}