Merge pull request #74 from Spomky/ImplicitGrantTypeTests

Implicit Grant Type test added
FriendsOfSymfony · Dec 29, 2014 · ce444e6 · ce444e6
2 parents 23e7653 + 05b2889
commit ce444e6
Show file tree

Hide file tree

Showing 4 changed files with 111 additions and 11 deletions.
diff --git a/lib/OAuth2.php b/lib/OAuth2.php
@@ -374,6 +374,15 @@ class OAuth2
      */
     const ERROR_INSUFFICIENT_SCOPE = 'invalid_scope';
 
+    /**
+     * Access tokens and error message can be transported from the authorization endpoint to the redirect URI
+     * using the query or the fragment component
+     *
+     * @var string
+     */
+    const TRANSPORT_QUERY    = 'query';
+    const TRANSPORT_FRAGMENT = 'fragment';
+
     /**
      * @}
      */
@@ -1111,7 +1120,7 @@ protected function getAuthorizeParams(Request $request = null)
             }
         } elseif ($input['response_type'] == self::RESPONSE_TYPE_ACCESS_TOKEN) {
             if (!$this->storage instanceof IOAuth2GrantImplicit) {
-                throw new OAuth2RedirectException($input["redirect_uri"], self::ERROR_UNSUPPORTED_RESPONSE_TYPE, null, $input["state"]);
+                throw new OAuth2RedirectException($input["redirect_uri"], self::ERROR_UNSUPPORTED_RESPONSE_TYPE, null, $input["state"], self::TRANSPORT_FRAGMENT);
             }
         } else {
             throw new OAuth2RedirectException($input["redirect_uri"], self::ERROR_UNSUPPORTED_RESPONSE_TYPE, null, $input["state"]);
@@ -1213,22 +1222,22 @@ public function finishClientAuthorization($isAuthorized, $data = null, Request $
         );
 
         $result = array();
-        if ($params["state"]) {
-            $result["query"]["state"] = $params["state"];
-        }
 
         if ($isAuthorized === false) {
-            throw new OAuth2RedirectException($params["redirect_uri"], self::ERROR_USER_DENIED, "The user denied access to your application", $params["state"]);
+            $method = $params["response_type"] == self::RESPONSE_TYPE_AUTH_CODE?self::TRANSPORT_QUERY:self::TRANSPORT_FRAGMENT;
+            throw new OAuth2RedirectException($params["redirect_uri"], self::ERROR_USER_DENIED, "The user denied access to your application", $params["state"], $method);
         } else {
-            if ($params["response_type"] == self::RESPONSE_TYPE_AUTH_CODE) {
-                $result["query"]["code"] = $this->createAuthCode(
+            if ($params["response_type"] === self::RESPONSE_TYPE_AUTH_CODE) {
+                $result[self::TRANSPORT_QUERY]['state'] = $params["state"];
+                $result[self::TRANSPORT_QUERY]["code"] = $this->createAuthCode(
                     $params["client"],
                     $data,
                     $params["redirect_uri"],
                     $scope
                 );
-            } elseif ($params["response_type"] == self::RESPONSE_TYPE_ACCESS_TOKEN) {
-                $result["fragment"] = $this->createAccessToken($params["client"], $data, $scope, null, false);
+            } elseif ($params["response_type"] === self::RESPONSE_TYPE_ACCESS_TOKEN) {
+                $result[self::TRANSPORT_FRAGMENT]['state'] = $params["state"];
+                $result[self::TRANSPORT_FRAGMENT] += $this->createAccessToken($params["client"], $data, $scope, null, false);
             }
         }
 

diff --git a/lib/OAuth2RedirectException.php b/lib/OAuth2RedirectException.php
@@ -18,6 +18,13 @@ class OAuth2RedirectException extends OAuth2ServerException
      */
     protected $redirectUri;
 
+    /**
+     * Parameters are added into 'query' or 'fragment'
+     *
+     * @var string
+     */
+    protected $method;
+
     /**
      * @param string $redirectUri      An absolute URI to which the authorization server will redirect the user-agent to when the end-user authorization step is completed.
      * @param string $error            A single error code as described in Section 4.1.2.1
@@ -28,10 +35,11 @@ class OAuth2RedirectException extends OAuth2ServerException
      *
      * @ingroup oauth2_error
      */
-    public function __construct($redirectUri, $error, $errorDescription = null, $state = null)
+    public function __construct($redirectUri, $error, $errorDescription = null, $state = null, $method = OAuth2::TRANSPORT_QUERY)
     {
         parent::__construct(OAuth2::HTTP_FOUND, $error, $errorDescription);
 
+        $this->method = $method;
         $this->redirectUri = $redirectUri;
         if ($state) {
             $this->errorData['state'] = $state;
@@ -47,7 +55,7 @@ public function __construct($redirectUri, $error, $errorDescription = null, $sta
      */
     public function getResponseHeaders()
     {
-        $params = array('query' => $this->errorData);
+        $params = array($this->method => $this->errorData);
 
         return array(
             'Location' => $this->buildUri($this->redirectUri, $params),

diff --git a/tests/Fixtures/OAuth2ImplicitStub.php b/tests/Fixtures/OAuth2ImplicitStub.php
@@ -0,0 +1,9 @@
+<?php
+
+namespace OAuth2\Tests\Fixtures;
+
+use OAuth2\IOAuth2GrantImplicit;
+
+class OAuth2ImplicitStub extends OAuth2StorageStub implements IOAuth2GrantImplicit
+{
+}
diff --git a/tests/OAuth2ImplicitGrantTypeTest.php b/tests/OAuth2ImplicitGrantTypeTest.php
@@ -0,0 +1,74 @@
+<?php
+
+use OAuth2\OAuth2;
+use OAuth2\OAuth2ServerException;
+use OAuth2\Model\OAuth2Client;
+use OAuth2\Tests\Fixtures\OAuth2ImplicitStub;
+use Symfony\Component\HttpFoundation\Request;
+
+/**
+ * OAuth2 test case.
+ */
+class OAuth2ImplicitGrantTypeTest extends PHPUnit_Framework_TestCase
+{
+    /**
+     * The actual token ID is irrelevant, so choose one:
+     * @var string
+     */
+    private $tokenId = 'my_token';
+
+    /**
+     * Tests OAuth2->grantAccessToken() with implicit
+     *
+     */
+    public function testGrantAccessTokenWithGrantImplicit()
+    {
+        //$this->fixture->grantAccessToken(/* parameters */);
+
+        $stub = new OAuth2ImplicitStub();
+        $stub->addClient(new OAuth2Client('blah', 'foo', array('http://www.example.com/')));
+        $oauth2 = new OAuth2($stub);
+
+        $data = new \stdClass();
+
+        $response = $oauth2->finishClientAuthorization(true, $data, new Request(array(
+                'client_id' => 'blah',
+                'redirect_uri' => 'http://www.example.com/?foo=bar',
+                'response_type' => 'token',
+                'state' => '42',
+        )));
+
+        $this->assertRegExp('/^http:\/\/www.example.com\/\?foo=bar#state=42&access_token=[^"]+&expires_in=3600&token_type=bearer$/', $response->headers->get('Location'));
+    }
+
+    /**
+     * Tests OAuth2->grantAccessToken() with implicit
+     *
+     */
+    public function testRejectedAccessTokenWithGrantImplicit()
+    {
+        //$this->fixture->grantAccessToken(/* parameters */);
+
+        $stub = new OAuth2ImplicitStub();
+        $stub->addClient(new OAuth2Client('blah', 'foo', array('http://www.example.com/')));
+        $oauth2 = new OAuth2($stub);
+
+        $data = new \stdClass();
+
+        try {
+            $response = $oauth2->finishClientAuthorization(false, $data, new Request(array(
+                    'client_id' => 'blah',
+                    'redirect_uri' => 'http://www.example.com/?foo=bar',
+                    'state' => '42',
+                    'response_type' => 'token',
+            )));
+            $this->fail('The expected exception OAuth2ServerException was not thrown');
+        } catch (OAuth2ServerException $e) {
+            $this->assertSame('access_denied', $e->getMessage());
+            $this->assertSame('The user denied access to your application', $e->getDescription());
+            $this->assertSame(array(
+                'Location' => 'http://www.example.com/?foo=bar#error=access_denied&error_description=The+user+denied+access+to+your+application&state=42',
+            ), $e->getResponseHeaders());
+        }
+    }
+}