├── guide
└── oauthz
│ ├── menu.md
│ ├── api.md
│ ├── index.md
│ ├── extension.md
│ ├── server.md
│ ├── client.md
│ └── demo.md
├── license
├── doc
├── oauth-er.png
├── oauth-mysql.sql
├── oauth-oracle.sql
├── oauth-postgresql.sql
└── oauth-mssql.sql
├── changelog.txt
├── views
├── oauthz-client.php
├── oauthz-server-signin.php
├── oauthz-server-xrds.php
├── oauthz-server.php
├── oauthz-client-response.php
├── oauthz-server-authorize.php
├── oauthz-server-client.php
├── oauthz-server-error.php
├── oauthz-server-register.php
└── oauthz-template.php
├── roadmap.md
├── classes
├── model
│ ├── oauthz.php
│ └── oauthz
│ │ ├── authorize.php
│ │ ├── token.php
│ │ └── client.php
├── oauthz
│ ├── exception
│ │ ├── authorize.php
│ │ ├── token.php
│ │ └── access.php
│ ├── token
│ │ ├── bearer.php
│ │ ├── basic.php
│ │ ├── mac.php
│ │ └── digest.php
│ ├── extension.php
│ ├── authentication.php
│ ├── core.php
│ ├── server.php
│ ├── exception.php
│ ├── extension
│ │ ├── code.php
│ │ ├── assertion.php
│ │ ├── authorization
│ │ │ └── code.php
│ │ ├── refresh
│ │ │ └── token.php
│ │ ├── client
│ │ │ └── credentials.php
│ │ ├── password.php
│ │ └── token.php
│ ├── controller.php
│ ├── token.php
│ ├── api.php
│ └── client.php
├── oauthz.php
└── controller
│ ├── server.php
│ ├── authorize.php
│ ├── client.php
│ ├── api.php
│ └── oauth.php
├── config
├── userguide.php
├── oauth-api.php
├── oauth-client.php
└── oauth-server.php
├── messages
└── oauthz.php
├── README.md
└── i18n
└── en.php
/guide/oauthz/menu.md:
--------------------------------------------------------------------------------
1 | ## [Oauthy]()
2 | - [Demo](demo)
3 |
--------------------------------------------------------------------------------
/license:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Yahasana/kohana-oauthz/HEAD/license
--------------------------------------------------------------------------------
/guide/oauthz/api.md:
--------------------------------------------------------------------------------
1 | ## Develop Protected Web Service API ##
2 |
3 |
4 |
--------------------------------------------------------------------------------
/doc/oauth-er.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Yahasana/kohana-oauthz/HEAD/doc/oauth-er.png
--------------------------------------------------------------------------------
/guide/oauthz/index.md:
--------------------------------------------------------------------------------
1 | # Oauthy
2 |
3 | OAuth protocol 2.0 implement for Kohana 3, including server and client
--------------------------------------------------------------------------------
/changelog.txt:
--------------------------------------------------------------------------------
1 |
2 | Dec 20, 2011
3 | 1) Refactor to Oauth 2.0 rev 22
4 | 2) authorization code with bearer token_type support
--------------------------------------------------------------------------------
/guide/oauthz/extension.md:
--------------------------------------------------------------------------------
1 | ## Extension ##
2 |
3 | ### Customize extension ###
4 |
5 | ### Develop new extension ###
6 |
--------------------------------------------------------------------------------
/guide/oauthz/server.md:
--------------------------------------------------------------------------------
1 | ## Server ##
2 |
3 | ### Install and configuration ###
4 |
5 | ### Resources management interface ###
--------------------------------------------------------------------------------
/guide/oauthz/client.md:
--------------------------------------------------------------------------------
1 | ## Client component ##
2 |
3 | ### Install and configuration ###
4 |
5 | ### Communicate with OAuth 2 server ###
6 |
--------------------------------------------------------------------------------
/views/oauthz-client.php:
--------------------------------------------------------------------------------
1 |
2 | Do you want to import you personal information from example.com ? Let's go
4 |
--------------------------------------------------------------------------------
/roadmap.md:
--------------------------------------------------------------------------------
1 | #Development roadmap
2 |
3 | ## Server mode ##
4 |
5 | 1. Extensions
6 | code, token, authorization_code, implicit, client credentials
7 |
8 | 2. Authentications
9 | bear, mac
10 |
11 | ### Model process ###
12 |
13 | ### Client profiles support ###
14 |
15 |
16 | ## Client mode ##
17 |
18 |
19 | ## Demo app ##
20 |
21 |
22 | ## User guide book ##
23 |
--------------------------------------------------------------------------------
/views/oauthz-server-signin.php:
--------------------------------------------------------------------------------
1 | get('user'))
3 | {
4 | $usermail = $user['mail'];
5 | }
6 | else
7 | {
8 | $usermail = '';
9 | }
10 | ?>
--------------------------------------------------------------------------------
/views/oauthz-server-xrds.php:
--------------------------------------------------------------------------------
1 | ';
4 | ?>
6 | 2011-05-10T00:00:00Z
7 | http://oauth
8 |
--------------------------------------------------------------------------------
/classes/model/oauthz.php:
--------------------------------------------------------------------------------
1 |
6 | * @package Oauthz
7 | * @copyright (c) 2010 OALite
8 | * @license ISC License (ISCL)
9 | * @link http://oalite.com
10 | * @see Kohana_Model
11 | * *
12 | */
13 | class Model_Oauthz extends Kohana_Model {
14 |
15 | protected $_db = 'default';
16 |
17 | public static function factory($name, $db = NULL)
18 | {
19 | // Add the model prefix
20 | $class = 'Model_Oauthz_'.$name;
21 |
22 | return new $class($db);
23 | }
24 |
25 | } // END Model_Oauthz
26 |
--------------------------------------------------------------------------------
/config/userguide.php:
--------------------------------------------------------------------------------
1 | array(
7 |
8 | // This should be the path to this modules userguide pages, without the 'guide/'. Ex: '/guide/modulename/' would be 'modulename'
9 | 'oauthy' => array(
10 |
11 | // Whether this modules userguide pages should be shown
12 | 'enabled' => TRUE,
13 |
14 | // The name that should show up on the userguide index page
15 | 'name' => 'oauthy',
16 |
17 | // A short description of this module, shown on the index page
18 | 'description' => 'Oauth server and client for Kohana',
19 | )
20 | )
21 | );
--------------------------------------------------------------------------------
/messages/oauthz.php:
--------------------------------------------------------------------------------
1 | ':field must not be empty',
5 | 'matches' => ':field must be the same as :param1',
6 | 'regex' => ':field does not match the required format',
7 | 'exact_length' => ':field must be exactly :param1 characters long',
8 | 'min_length' => ':field must be at least :param1 characters long',
9 | 'max_length' => ':field must be less than :param1 characters long',
10 | 'in_array' => ':field must be one of the available options',
11 | 'digit' => ':field must be a digit',
12 | 'decimal' => ':field must be a decimal with :param1 places',
13 | 'range' => ':field must be within the range of :param1 to :param2',
14 | );
--------------------------------------------------------------------------------
/classes/oauthz/exception/authorize.php:
--------------------------------------------------------------------------------
1 |
6 | * @package Oauthz
7 | * @copyright (c) 2011 OALite
8 | * @license ISC License (ISCL)
9 | * @link http://oalite.com
10 | * *
11 | */
12 | class Oauthz_Exception_Authorize extends Oauthz_Exception {
13 |
14 | public function __construct($message, array $state = NULL, $code = 0)
15 | {
16 | $error_description = I18n::get('Authorization Errors Response');
17 |
18 | $this->error_description = $error_description[$message];
19 |
20 | // Pass the message to the parent
21 | parent::__construct($message, $state, $code);
22 | }
23 |
24 | } // END Oauthz_Exception_Authorize
25 |
--------------------------------------------------------------------------------
/classes/oauthz/exception/token.php:
--------------------------------------------------------------------------------
1 |
6 | * @package Oauthz
7 | * @copyright (c) 2011 OALite
8 | * @license ISC License (ISCL)
9 | * @link http://oalite.com
10 | * *
11 | */
12 | class Oauthz_Exception_Token extends Oauthz_Exception {
13 |
14 | public function __construct($message, array $state = NULL, $code = 0)
15 | {
16 | $error_description = I18n::get('Token Errors Response');
17 |
18 | $this->error_description = $error_description[$message];
19 |
20 | // Pass the message to the parent
21 | parent::__construct($message, $state, $code);
22 | }
23 |
24 | } // END Oauthz_Exception_Token
25 |
--------------------------------------------------------------------------------
/classes/oauthz/exception/access.php:
--------------------------------------------------------------------------------
1 |
6 | * @package Oauthz
7 | * @copyright (c) 2011 OALite
8 | * @license ISC License (ISCL)
9 | * @link http://oalite.com
10 | * *
11 | */
12 | class Oauthz_Exception_Access extends Oauthz_Exception {
13 |
14 | public function __construct($message, array $state = NULL, $code = 0)
15 | {
16 | $error_description = I18n::get('Access Errors Response');
17 |
18 | $this->error_description = $error_description[$message];
19 |
20 | // Pass the message to the parent
21 | parent::__construct($message, $state, $code);
22 | }
23 |
24 | } // END Oauthz_Exception_Access
25 |
--------------------------------------------------------------------------------
/views/oauthz-server.php:
--------------------------------------------------------------------------------
1 | Applications list you have registered
4 | API Key API Secret Redirect URI Scope SSH Key OP DEL render(); ?>
Register another request indentifier
15 |
--------------------------------------------------------------------------------
/classes/oauthz.php:
--------------------------------------------------------------------------------
1 |
6 | * @package Oauthz
7 | * @copyright (c) 2010 OALite
8 | * @license ISC License (ISCL)
9 | * @link http://oalite.com
10 | * *
11 | */
12 | abstract class Oauthz extends Oauthz_Core {
13 |
14 | public static function get($key = NULL, $default = NULL)
15 | {
16 | if ($key === NULL)
17 | {
18 | $default = Request::$method === 'POST' ? $_POST : $_GET;
19 | }
20 | else
21 | {
22 | $data = Request::$method === 'POST' ? $_POST : $_GET;
23 |
24 | if(isset($data[$key])) $default = $data[$key];
25 | }
26 | return $default;
27 | }
28 |
29 | public static function is_login()
30 | {
31 | return Session::instance()->get('user') OR Cookie::get('user');
32 | }
33 |
34 | } // END Oauthz
35 |
--------------------------------------------------------------------------------
/classes/controller/server.php:
--------------------------------------------------------------------------------
1 |
6 | * @package Oauthz
7 | * @copyright (c) 2010 OALite
8 | * @license ISC License (ISCL)
9 | * @link http://oalite.com
10 | * @see Oauthz_Server
11 | * *
12 | */
13 | class Controller_Server extends Oauthz_Server {
14 |
15 | public function __construct(Request $request)
16 | {
17 | if( ! Session::instance()->get('user'))
18 | {
19 | $request->redirect('oauth/signin');
20 | }
21 |
22 | parent::__construct($request);
23 | }
24 |
25 | public function action_index()
26 | {
27 | $server = new Model_Oauthz_Client;
28 |
29 | $data = $server->lists(array('user_id' => $_SESSION['user']['uid']));
30 |
31 | $this->template->content = new View('oauthz-server', $data);
32 |
33 | $this->request->response = $this->template->render();
34 | }
35 |
36 | } // END Controller Consumer
37 |
--------------------------------------------------------------------------------
/views/oauthz-client-response.php:
--------------------------------------------------------------------------------
1 |
4 | The first request and response
5 | URI Click! to access it directly access_token response [json]
9 |
10 | The second request and response
11 | URI Click! to access it directly access_token response [json]
15 | OAuth Test Client
2 | Note: we don't store any of the information you type in.
3 | do you want to let the Approve access
8 | Deny access Service list you have register
5 | client_id redirect_uri confirm_type client_desc OP DEL
6 | * @package Oauthz
7 | * @copyright (c) 2011 OALite
8 | * @license ISC License (ISCL)
9 | * @link http://oalite.com
10 | * @see Oauthz_Authentication
11 | * *
12 | */
13 | class Oauthz_Token_Basic extends Oauthz_Authentication {
14 |
15 | public function verify($token)
16 | {
17 | if($data = static::parse())
18 | {
19 | $data = $data['client_id'] === $token['client_id'] AND $data['client_secret'] === $token['client_secret'];
20 | }
21 |
22 | return $data;
23 | }
24 |
25 | public static function parse($digest = NULL)
26 | {
27 | // mod_php
28 | if(isset($_SERVER['PHP_AUTH_USER']) AND isset($_SERVER['PHP_AUTH_PW']))
29 | {
30 | $data = array('client_id' => $_SERVER['PHP_AUTH_USER'], 'client_secret' => $_SERVER['PHP_AUTH_PW']);
31 | }
32 | // most other servers
33 | elseif (isset($_SERVER['HTTP_AUTHORIZATION'])
34 | AND strpos(strtolower($_SERVER['HTTP_AUTHORIZATION']), 'basic') === 0)
35 | {
36 | $params = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)), 2);
37 |
38 | $data = array('client_id' => $params[0], 'client_secret' => $params[1]);
39 | }
40 |
41 | return empty($data) ? FALSE : $data;
42 | }
43 |
44 | } // END Oauthz_Token_Basic
45 |
--------------------------------------------------------------------------------
/classes/controller/client.php:
--------------------------------------------------------------------------------
1 |
6 | * @package Oauthz
7 | * @copyright (c) 2010 OALite
8 | * @license ISC License (ISCL)
9 | * @link http://oalite.com
10 | * @see Oauthz_Client_Controller
11 | * *
12 | */
13 | class Controller_Client extends Oauthz_Client {
14 |
15 | public function action_index()
16 | {
17 | $template = new View('oauthz-template');
18 |
19 | $template->content = new View('oauthz-client');
20 |
21 | $this->request->response = $template->render();
22 | }
23 |
24 | public function action_test()
25 | {
26 | try
27 | {
28 | $resource = Remote::get('http://docs/api/get/1',array(
29 | CURLOPT_POST => TRUE,
30 | CURLOPT_HTTPHEADER => array('Content-Type: application/x-www-form-urlencoded;charset=UTF-8'),
31 | CURLOPT_POSTFIELDS => http_build_query(array(
32 | 'client_id' => 'OA_4bfbc43769917',
33 | //'oauth_token' => $token->access_token,
34 | //'refresh_token' => $token->refresh_token,
35 | //'expires_in' => $token->expires_in
36 | ), '', '&')
37 | ));
38 | }
39 | catch (Exception $e)
40 | {
41 | $resource = $e->getMessage();
42 | }
43 | echo ''.print_r($resource,TRUE).' ';
44 | }
45 |
46 | } // END Controller Consumer
47 |
--------------------------------------------------------------------------------
/config/oauth-api.php:
--------------------------------------------------------------------------------
1 | array(
10 |
11 | 'formats' => array(
12 | 'json' => FALSE, // 'application/json'
13 | 'xml' => FALSE, // 'application/xml'
14 | 'form' => FALSE, // 'text/plain'
15 | 'html' => FALSE, // 'text/html'
16 | 'csv' => FALSE, // 'application/csv'
17 | 'php' => FALSE, // 'text/plain'
18 | 'serialize' => FALSE // 'application/vnd.php.serialized'
19 | ),
20 |
21 | 'methods' => array(
22 | 'HEAD' => TRUE,
23 | 'GET' => TRUE,
24 | 'POST' => TRUE,
25 | 'PUT' => TRUE,
26 | 'DELETE' => TRUE
27 | ),
28 |
29 | /**
30 | * Parameters should be required when access protected resource
31 | * cryptographic token or bear token
32 | */
33 | 'bearer' => array(
34 | 'access_token' => TRUE,
35 | 'scope' => FALSE
36 | ),
37 |
38 | 'mac' => array(
39 | 'access_token' => TRUE,
40 | 'mac_key' => TRUE,
41 | 'mac_algorithm' => TRUE,
42 | 'scope' => FALSE
43 | ),
44 |
45 | 'max_requests' => array(
46 | 500, // common client
47 | 1000, // first class client
48 | 1500 // vip client
49 | )
50 |
51 | )
52 |
53 | ); // END OAuth API config
54 |
--------------------------------------------------------------------------------
/classes/controller/api.php:
--------------------------------------------------------------------------------
1 |
6 | * @package Oauthz
7 | * @copyright (c) 2010 OALite
8 | * @license ISC License (ISCL)
9 | * @link http://oalite.com
10 | * @see Oauthz_Api
11 | * *
12 | */
13 | class Controller_Api extends Oauthz_Api {
14 |
15 | protected $_exclude = array('xrds', 'index');
16 |
17 | /**
18 | * Accessing Protected Resources
19 | *
20 | * @access public
21 | * @return void
22 | */
23 | public function action_index()
24 | {
25 | $methods = array();
26 | foreach(get_class_methods($this) as $method)
27 | {
28 | if(substr($method, 0, 7) === 'action_')
29 | {
30 | $method = ltrim($method, 'action_');
31 | $methods[$method] = url::site('/api/'.$method, TRUE);
32 | }
33 | }
34 | $this->request->response = str_replace('\\/', '/', json_encode($methods));
35 | }
36 |
37 | public function action_get($id = NULL)
38 | {
39 | $data = array(
40 | array('Humm', 'Hah'),
41 | array('Zzz', 'Yaaa'),
42 | array('Giii', 'Neee')
43 | );
44 | $this->request->response = json_encode(isset($data[$id]) ? $data[$id] : array('Hello OAuth 2.0, when you see this info, it means you successfully access protected resources',));
45 | }
46 |
47 | public function action_create()
48 | {
49 | //
50 | }
51 |
52 | public function action_update()
53 | {
54 | //
55 | }
56 |
57 | public function action_delete()
58 | {
59 | //
60 | }
61 |
62 | } // END Controller_Api
63 |
--------------------------------------------------------------------------------
/guide/oauthz/demo.md:
--------------------------------------------------------------------------------
1 | # Understand the demo step by step
2 |
3 | Note: before runing these steps, you have to setup the OAuth server. see README
4 |
5 | ### Getting the client ID from OAuth server ###
6 |
7 | + Access `http://example.com/oauth/index`
8 | + Login by an valid email address. e.g. `demo@example.com`
9 | + Register a client ID in the server page. e.g. `client_id: OAL_4D2ACB5280EF8, client_secrect: demo`
10 |
11 | ### Setting client connection settings ###
12 |
13 | 1. Request URIs options,
14 |
15 | 'oauth-uri' => 'http://example.com/oauth/code', // the uri for requesting authorization_code
16 | 'token-uri' => 'http://example.com/oauth/token', // the uri for requesting access_token
17 | 'api-uri' => 'http://example.com/api/', // the uri for requesting protected resource
18 | 'redirect_uri' => 'http://my-web-server.com/client/do' // the uri holded by yourself
19 |
20 | 2. Config the OAuth client ID and secrect `config/oauth-client.php` with the `client_id` and `client_secrect` above.
21 | 3. Note: Other options is for future, they are still in clound and waiting for implement.
22 |
23 | ### Go on, thinking you are the smart user and try to experiement the stupid service ###
24 |
25 | + Access `http://my-web-server.com/client/index`
26 | + the script in your web site now is connecting to `http://example.com/oauth/code` to get an `authorization_code`.
27 | this works in background and can NOT feel,even you are smart
28 | + What you see is `http://example.com/oauth/code?response_type=code&client_id=OA_4bfbc43769917&redirect_uri=http%3A%2F%2Fmy-web-server.com%2Fclient%2Fdo`
29 | + To approve or not to? approve will grant my-web-server.com steal some protected information, which owned by you in example.com.
30 | No? okay that is it.
31 |
32 | ### How these work? ###
33 | Hmm, I have no more time to complete this answer at this moment. help me please.
34 |
--------------------------------------------------------------------------------
/classes/oauthz/authentication.php:
--------------------------------------------------------------------------------
1 |
6 | * @package Oauthz
7 | * @copyright (c) 2011 OALite
8 | * @license ISC License (ISCL)
9 | * @link http://oalite.com
10 | * *
11 | */
12 | abstract class Oauthz_Authentication {
13 |
14 | protected $_client_id;
15 |
16 | protected $_token;
17 |
18 | public static function factory($token_type, array $config, array $params)
19 | {
20 | $token_type = 'Oauthz_Token_'.$token_type;
21 |
22 | $oauth = new $token_type;
23 |
24 | foreach($config as $key => $val)
25 | {
26 | if($val === TRUE)
27 | {
28 | if(isset($params[$key]) AND $value = rawurldecode($params[$key]))
29 | {
30 | $oauth->$key = $value;
31 | }
32 | else
33 | {
34 | throw new Oauthz_Exception_Access('invalid_grant', self::state($params));
35 | }
36 | }
37 | elseif($val !== FALSE)
38 | {
39 | $oauth->$key = $val;
40 | }
41 | }
42 |
43 | return $oauth;
44 | }
45 |
46 | public function client_id()
47 | {
48 | return $this->_client_id;
49 | }
50 |
51 | public function token()
52 | {
53 | return $this->access_token;
54 | }
55 |
56 | public static function state($params)
57 | {
58 | // Parse the "state" paramter
59 | if(isset($params['state']) AND ($state = rawurldecode($params['state'])))
60 | {
61 | $param = array('state' => $state);
62 | }
63 | else
64 | {
65 | $param = NULL;
66 | }
67 |
68 | return $param;
69 | }
70 |
71 | abstract public function verify($token);
72 |
73 | } // END Oauthz_Authentication
74 |
--------------------------------------------------------------------------------
/classes/oauthz/core.php:
--------------------------------------------------------------------------------
1 |
6 | * @package Oauthz
7 | * @copyright (c) 2010 OALite
8 | * @license ISC License (ISCL)
9 | * @link http://oalite.com
10 | * *
11 | */
12 | abstract class Oauthz_Core {
13 |
14 | const VERSION = '0.22-eva';
15 |
16 | /**
17 | * OAuth server configuration group name
18 | *
19 | * @access protected
20 | * @var string $_type
21 | */
22 | public static $type = 'default';
23 |
24 | public static function config($key = NULL, $type = NULL)
25 | {
26 | static $config;
27 |
28 | isset($type) OR $type = Oauthz::$type;
29 |
30 | if( ! isset($config[$type]))
31 | {
32 | if( ! $config[$type] = Kohana::config('oauth-server')->get($type))
33 | {
34 | throw new Kohana_Exception('There is no ":group" in your config file oauth-server.php'
35 | , array(':group' => $type));
36 | }
37 | }
38 |
39 | return isset($key) ? isset($config[$type][$key]) ? $config[$type][$key] : NULL : $config[$type];
40 | }
41 |
42 | /**
43 | * Oauthz_Signature::factory alias
44 | *
45 | * @access public
46 | * @param string $method
47 | * @param string $identifier
48 | * @return object
49 | * @see Oauthz_Signature::factory
50 | */
51 | public static function signature($method, $identifier)
52 | {
53 | return Oauthz_Signature::factory($method, $identifier);
54 | }
55 |
56 | public static function grant_access_uri($redirect)
57 | {
58 | return $redirect.URL::query();
59 | }
60 |
61 | public static function access_denied_uri($redirect = NULL)
62 | {
63 | if( ! $redirect) $redirect = Arr::get($_GET, 'redirect_uri');
64 | if( $state = Arr::get($_GET, 'state')) $state = '&state='.$state;
65 | return $redirect.'?error=access_denied'.$state;
66 | }
67 |
68 | } // END Oauthz Core
69 |
--------------------------------------------------------------------------------
/classes/oauthz/server.php:
--------------------------------------------------------------------------------
1 |
6 | * @package Oauthz
7 | * @copyright (c) 2010 OALite
8 | * @license ISC License (ISCL)
9 | * @link http://oalite.com
10 | * @see Kohana_Controller
11 | * *
12 | */
13 | class Oauthz_Server extends Kohana_Controller {
14 |
15 | protected $template = 'oauthz-template';
16 |
17 | public function before()
18 | {
19 | $this->template = new View($this->template);
20 | }
21 |
22 | public function action_register($client_id = NULL)
23 | {
24 | $data = array();
25 | $client = new Model_Oauthz_Client;
26 | if($client_id)
27 | {
28 | $data = (array) $client->get($client_id, $_SESSION['user']['uid']);
29 | }
30 | elseif(isset($_POST['__v_state__']))
31 | {
32 | $_POST['user_id'] = $_SESSION['user']['uid'];
33 |
34 | $valid = empty($_POST['server_id']) ? $client->append($_POST) : $client->update($_POST['server_id'], $_POST);
35 |
36 | if($valid instanceOf Validate)
37 | {
38 | $data = $valid->as_array();
39 | $data['errors'] = $valid->errors('validate');
40 | }
41 | else
42 | {
43 | $data += $valid;
44 | }
45 | }
46 |
47 | $this->template->content = new View('oauthz-server-register', $data);
48 |
49 | $this->request->response = $this->template->render();
50 | }
51 |
52 | public function action_client()
53 | {
54 | $client = new Model_Oauthz_Client;
55 |
56 | $data = $client->lists(array('user_id' => $_SESSION['user']['uid']));
57 |
58 | $this->template->content = new View('oauthz-server-client', $data);
59 |
60 | $this->request->response = $this->template->render();
61 | }
62 |
63 | public function action_access_deny()
64 | {
65 | $this->request->status = 302; #HTTP/1.1 302 Found
66 | $this->request->headers['Content-Type'] = 'application/x-www-form-urlencoded';
67 | $this->request->headers['Location'] = 'http://example.com/rd#error=user_denied';
68 | }
69 |
70 | } // END Oauthz_Server
71 |
--------------------------------------------------------------------------------
/config/oauth-client.php:
--------------------------------------------------------------------------------
1 | array(
8 | // uri to obtain authorization code
9 | 'oauth-uri' => 'http://docs/oauth/code',
10 |
11 | // uri to obtain the access token
12 | 'token-uri' => 'http://docs/oauth/token',
13 |
14 | // Restful web service api base url
15 | 'api-uri' => 'http://docs/api/',
16 |
17 | // Must be code, token, password, client_credentials
18 | 'protocol-flow' => 'code',
19 |
20 | // Parameters for Authorization Code flow
21 | 'code' => array(
22 | 'client_id' => 'OAL@4EED687F28A72',
23 | 'client_secret' => '000000',
24 | 'token_type' => 'bearer', // bearer, hmac-sha1, rsa-sha1, md5
25 | 'scope' => '',
26 | 'state' => 'test',
27 | 'redirect_uri' => 'http://docs/client/do'
28 | ),
29 | // Parameters for Implicit Grant Flow
30 | 'token' => array(
31 | 'client_id' => 'OAL_4D2EA62621E4F',
32 | 'client_secret' => 'sss',
33 | 'token_type' => 'BEARER', // BEARER, HMAC-SHA1, RSA-SHA1, MD5
34 | 'scope' => '',
35 | 'state' => '',
36 | 'redirect_uri' => 'http://docs/client/do'
37 | ),
38 | // Parameters for Resource Owner Password Credentials Flow
39 | 'password' => array(
40 | 'username' => 'OAL_4D2EA62621E4F',
41 | 'password' => 'sss',
42 | 'client_id' => 'OAL_4D2EA62621E4F',
43 | 'client_secret' => 'sss',
44 | 'token_type' => 'BEARER', // BEARER, HMAC-SHA1, RSA-SHA1, MD5
45 | 'scope' => '',
46 | 'state' => '',
47 | ),
48 | // Parameters for Client Credentials Flow
49 | 'client_credentials' => array(
50 | 'client_id' => 'OAL_4D2EA62621E4F',
51 | 'client_secret' => 'sss',
52 | 'token_type' => 'BEARER', // BEARER, HMAC-SHA1, RSA-SHA1, MD5
53 | 'scope' => '',
54 | 'state' => '',
55 | )
56 | ),
57 |
58 | ); // END OAuth client config
59 |
--------------------------------------------------------------------------------
/views/oauthz-server-error.php:
--------------------------------------------------------------------------------
1 | param('id'))
3 | $uri = Request::$current->controller.'/'.Request::$current->action.'/';
4 | else
5 | $uri = Request::$current->uri.'/';
6 | ?>Service error codes description
7 | Request Stage Error Code Description URI ';
12 | $count = count($code_errors);
13 | foreach($code_errors as $error_code => $error_info)
14 | {
15 | ?>'.__('Authorization Response').'';
18 | $count = FALSE;
19 | }
20 | ?>/ ';
25 | }
26 |
27 | if(isset($token_errors))
28 | {
29 | echo '';
30 | $count = count($token_errors);
31 | foreach($token_errors as $error_code => $error_info)
32 | {
33 | ?>'.__('Access Token Response').'';
36 | $count = FALSE;
37 | }
38 | ?>/ ';
43 | }
44 |
45 | if(isset($access_errors))
46 | {
47 | echo ' ';
48 | $count = count($access_errors);
49 | foreach($access_errors as $error_code => $error_info)
50 | {
51 | ?>'.__('Access Protected Resource').'';
54 | $count = FALSE;
55 | }
56 | ?>/ ';
61 | }
62 | ?>
--------------------------------------------------------------------------------
/classes/oauthz/token/mac.php:
--------------------------------------------------------------------------------
1 |
6 | * @package Oauthz
7 | * @copyright (c) 2011 OALite
8 | * @license ISC License (ISCL)
9 | * @link http://oalite.com
10 | * @see Oauthz_Authentication
11 | * *
12 | */
13 | class Oauthz_Token_Mac extends Oauthz_Authentication {
14 |
15 | public function verfiy($token)
16 | {
17 | // Pull the public key ID from the certificate
18 | $public_key = openssl_get_publickey($token->public_cert);
19 |
20 | // Check the computed signature against the one passed in the query
21 | $data = openssl_verify($this->identifier, base64_decode($this->signature), $public_key);
22 |
23 | // Release the key resource
24 | openssl_free_key($public_key);
25 |
26 | return $data === 1;
27 | }
28 |
29 | // function to parse the http auth header
30 | public static function parse($digest = NULL)
31 | {
32 | $info = FALSE;
33 |
34 | return $info;
35 | }
36 |
37 | public function rsa_sha1($token)
38 | {
39 | // Pull the private key ID from the certificate
40 | $private_key = openssl_get_privatekey($token->private_cert);
41 |
42 | // Sign using the key
43 | if(openssl_sign($this->identifier, $this->signature, $private_key) !== TRUE)
44 | {
45 | throw new Oauthy_Exception('');
46 | }
47 |
48 | // Release the key resource
49 | openssl_free_key($private_key);
50 |
51 | return base64_encode($this->signature);
52 | }
53 |
54 | public function hmac_sha1($token)
55 | {
56 | $key = rawurlencode($token->client_secret);
57 |
58 | if( ! empty($token->token_secret))
59 | {
60 | $key .= '&'.rawurlencode($token->token_secret);
61 | }
62 |
63 | return $this->signature === base64_encode(hash_hmac('sha1', $this->identifier, $key, TRUE));
64 | }
65 |
66 | /**
67 | * Normalized request string for signature verify
68 | *
69 | * @access public
70 | * @param string $method
71 | * @param string $uri
72 | * @param array $params
73 | * @return string
74 | */
75 | public static function identifier($method, $uri, array $params)
76 | {
77 | // The signature parameter MUST be excluded.
78 | unset($params['signature']);
79 |
80 | return $method.'&'.rawurlencode($uri).'&'.http_build_query($params, '', '&');
81 | }
82 |
83 | } // END Oauthz_Token_Mac
84 |
--------------------------------------------------------------------------------
/classes/oauthz/token/digest.php:
--------------------------------------------------------------------------------
1 |
6 | * @package Oauthz
7 | * @copyright (c) 2011 OALite
8 | * @license ISC License (ISCL)
9 | * @link http://oalite.com
10 | * @see Oauthz_Authentication
11 | * *
12 | */
13 | class Oauthz_Token_Digest extends Oauthz_Authentication {
14 |
15 | public function verfiy($token)
16 | {
17 | if($data = static::parse() AND $data['username'] === $token['client_id'])
18 | {
19 | // generate the valid response
20 | $realm = md5("$token['client_id']:$data['realm']:$token['client_secret']");
21 | $method = md5("$_SERVER['REQUEST_METHOD']:$data['uri']");
22 |
23 | $data = $data['response'] === md5("$realm:$data['nonce']:$data['nc']:$data['cnonce']:$data['qop']:$method");
24 | }
25 |
26 | return $data;
27 | }
28 |
29 | // function to parse the http auth header
30 | public static function parse($digest = NULL)
31 | {
32 | if($digest === NULL)
33 | {
34 | // mod_php
35 | if (isset($_SERVER['PHP_AUTH_DIGEST']))
36 | {
37 | $digest = $_SERVER['PHP_AUTH_DIGEST'];
38 | }
39 | // most other servers
40 | elseif (isset($_SERVER['HTTP_AUTHORIZATION'])
41 | AND strpos(strtolower($_SERVER['HTTP_AUTHORIZATION']), 'digest') === 0)
42 | {
43 | $digest = substr($_SERVER['HTTP_AUTHORIZATION'], 7);
44 | }
45 | }
46 |
47 | $info = FALSE;
48 |
49 | if($digest)
50 | {
51 | // protect against missing data
52 | $fields = array(
53 | 'nonce' => 1,
54 | 'nc' => 1,
55 | 'cnonce' => 1,
56 | 'qop' => 1,
57 | 'username' => 1,
58 | 'uri' => 1,
59 | 'response' => 1,
60 | 'realm' => 1
61 | );
62 |
63 | preg_match_all('@('.implode('|', array_keys($fields)).')=[\'"]?([^\'",]+)@', $digest, $matches, PREG_SET_ORDER);
64 |
65 | $data = array();
66 |
67 | foreach($matches as $match)
68 | {
69 | $data[$match[1]] = $match[2] ? $match[2] : ($match[3] ?: $match[4]);
70 | unset($fields[$match[1]]);
71 | }
72 |
73 | empty($fields) AND $info = $data;
74 | }
75 |
76 | return $info;
77 | }
78 |
79 | } // END Oauthz_Token_Digest
80 |
--------------------------------------------------------------------------------
/views/oauthz-server-register.php:
--------------------------------------------------------------------------------
1 |
2 |
47 |
48 | Note: ☺, This should be generated from system and updated regularly in some days
49 | ☺☺, MAY include an application/x-www-form-urlencoded formatted query component, but fragment component is not allowed
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | #Kohana OAuth 2 Module #
2 |
3 | #OAuth protocal v2 [draft 22](http://tools.ietf.org/wg/oauth/)
4 |
5 | ### Requirement ###
6 | 1) php v5.2+, curl extension to run the demo
7 |
8 | 2) MySQL, SQLite, MSSQL or NOSQL database
9 |
10 | 3) Kohana [v3.0.x](http://dev.kohanaframework.org/attachments/download/1649/kohana-3.0.10.zip), I have no plan to support v3.1+ ATM
11 |
12 | 4) Apache, Nignx, a web server
13 |
14 | ## Server ##
15 |
16 | ### Install and configuration ###
17 |
18 | 1) Create the oauth data tabe by execute `oauth.sql` in doc directory
19 |
20 | 2) Configurate the server parameters in `config/oauthz-server.php`
21 |
22 | ### Modify interface show to users ###
23 |
24 | 1) Client have to register an account before they access the protected resources. they can also manage their account
25 |
26 | 2) Resource owners personal information management.
27 |
28 | ``` php
29 |
6 | * @package Oauthz
7 | * @copyright (c) 2010 OALite
8 | * @license ISC License (ISCL)
9 | * @link http://oalite.com
10 | * @see Oauthz_Controller
11 | * *
12 | */
13 | class Controller_Oauth extends Oauthz_Controller {
14 |
15 | public function action_index()
16 | {
17 | $template = new View('oauthz-template');
18 | $template->content = 'Hello guest. ';
19 | $this->request->response = $template;
20 | }
21 |
22 | public function action_code()
23 | {
24 | $query = URL::query();
25 | $template = new View('oauthz-template');
26 | $view = new View('oauthz-server-authorize', array('authorized' => TRUE, 'query' => $query));
27 | $template->content = $view->render();
28 | $this->request->response = $template;
29 | }
30 |
31 | public function action_error($error_code = NULL)
32 | {
33 | $error = array();
34 |
35 | $errors['code_errors'] = I18n::get('Authorization Errors Response');
36 | $errors['token_errors'] = I18n::get('Token Errors Response');
37 | $errors['access_errors'] = I18n::get('Access Errors Response');
38 |
39 | if(isset($errors['code_errors'][$error_code]))
40 | {
41 | $error['code_errors'][$error_code] = $errors['code_errors'][$error_code];
42 | }
43 |
44 | if(isset($errors['token_errors'][$error_code]))
45 | {
46 | $error['token_errors'][$error_code] = $errors['code_errors'][$error_code];
47 | }
48 |
49 | if(isset($errors['access_errors'][$error_code]))
50 | {
51 | $error['access_errors'][$error_code] = $errors['code_errors'][$error_code];
52 | }
53 |
54 | if($error)
55 | {
56 | $error['error_code'] = $error_code;
57 | $errors = $error;
58 | }
59 |
60 | $template = new View('oauthz-template');
61 | $view = new View('oauthz-server-error', $errors);
62 | $template->content = $view->render();
63 | $this->request->response = $template;
64 | }
65 |
66 | public function action_signin()
67 | {
68 | if( ! empty($_POST['usermail']) AND Validate::email($_POST['usermail']))
69 | {
70 | $user = array(
71 | 'uid' => $_SERVER['REQUEST_TIME'],
72 | 'mail' => $_POST['usermail']
73 | );
74 | Cookie::set('user', json_encode($user));
75 | Session::instance()->set('user', $user);
76 | $this->request->redirect(arr::get($_GET, 'redirect', 'server/index'));
77 | }
78 | elseif($user = Oauthz::is_login())
79 | {
80 | Session::instance()->set('user', json_decode($user, TRUE));
81 | $this->request->redirect(arr::get($_GET, 'redirect', 'server/index'));
82 | }
83 |
84 | $template = new View('oauthz-template');
85 | $view = new View('oauthz-server-signin');
86 | $template->content = $view->render();
87 | $this->request->response = $template;
88 | }
89 |
90 | public function action_logout()
91 | {
92 | Cookie::delete('user');
93 | Session::instance()->delete('user');
94 | $this->request->redirect('oauth/index');
95 | }
96 |
97 | public function action_okay()
98 | {
99 | echo $this->request->referrer;
100 | }
101 |
102 | } // END Controller Consumer
103 |
--------------------------------------------------------------------------------
/i18n/en.php:
--------------------------------------------------------------------------------
1 | 'Authorization Response',
5 | 'Access Token Response' => 'Access Token Response',
6 | 'Access Protected Resource' => 'Access Protected Resource',
7 |
8 | // Error Response
9 | 'Authorization Errors Response' => array(
10 | 'invalid_request' => 'The request is missing a required parameter, includes an
11 | unsupported parameter or parameter value, or is otherwise malformed.',
12 |
13 | 'unauthorized_client' => 'The client is not authorized to request an authorization
14 | code using this method.',
15 |
16 | 'access_denied' => 'The resource owner or authorization server denied the request.',
17 |
18 | 'unsupported_response_type' => 'The authorization server does not support obtaining an
19 | authorization code using this method.',
20 |
21 | 'invalid_scope' => 'The requested scope is invalid, unknown, or malformed.',
22 |
23 | 'server_error' => 'The authorization server encountered an unexpected condition which prevented it from fulfilling the request.',
24 |
25 | 'temporarily_unavailable'=> 'The authorization server is currently unable to handle the
26 | request due to a temporary overloading or maintenance of the server.'
27 | ),
28 | // Error Response
29 | 'Token Errors Response' => array(
30 | 'invalid_request' => 'The request is missing a required parameter, includes an
31 | unsupported parameter or parameter value, or is otherwise malformed.',
32 |
33 | 'unauthorized_client' => 'The client is not authorized to request an access token using this method.',
34 |
35 | 'access_denied' => 'The resource owner or authorization server denied the request.',
36 |
37 | 'unsupported_response_type' => 'The authorization server does not support obtaining an access token using this method.',
38 |
39 | 'invalid_scope' => 'The requested scope is invalid, unknown, or malformed.',
40 |
41 | 'server_error' => 'The authorization server encountered an unexpected condition which prevented it from fulfilling the request.',
42 |
43 | 'temporarily_unavailable'=> 'The authorization server is currently unable to handle the
44 | request due to a temporary overloading or maintenance of the server.'
45 | ),
46 | // Error Response
47 | 'Access Errors Response' => array(
48 | 'invalid_request' => 'The request is missing a required parameter, includes an
49 | unsupported parameter or parameter value, repeats a
50 | parameter, includes multiple credentials, utilizes more
51 | than one mechanism for authenticating the client, or is
52 | otherwise malformed.',
53 |
54 | 'invalid_client' => 'Client authentication failed (e.g. unknown client, no
55 | client credentials included, multiple client credentials
56 | included, or unsupported credentials type).',
57 |
58 | 'invalid_grant' => 'The provided authorization grant is invalid, expired,
59 | revoked, or does not match the redirection URI used in
60 | the authorization request.',
61 |
62 | 'unauthorized_client' => 'The authenticated client is not authorized to use this
63 | authorization grant type.',
64 |
65 | 'unsupported_grant_type'=> 'The authorization grant type is not supported by the
66 | authorization server.',
67 |
68 | 'invalid_scope' => 'The requested scope is invalid, unknown, malformed, or
69 | exceeds the previously granted scope.'
70 | )
71 |
72 | );
73 |
--------------------------------------------------------------------------------
/classes/oauthz/exception.php:
--------------------------------------------------------------------------------
1 |
6 | * @package Oauthz
7 | * @copyright (c) 2010 OALite
8 | * @license ISC License (ISCL)
9 | * @link http://oalite.com
10 | * *
11 | */
12 | class Oauthz_Exception extends Exception {
13 |
14 | /**
15 | * REQUIRED. A single error code
16 | *
17 | * @access public
18 | * @var string $error
19 | */
20 | public $error;
21 |
22 | /**
23 | * OPTIONAL. A human-readable text providing additional information,
24 | * used to assist in the understanding and resolution of the error occurred.
25 | *
26 | * @access public
27 | * @var string $error_description
28 | */
29 | public $error_description;
30 |
31 | /**
32 | * OPTIONAL. A URI identifying a human-readable web page with
33 | * information about the error, used to provide the resource owner
34 | * with additional information about the error.
35 | *
36 | * @access public
37 | * @var string $error_uri
38 | */
39 | protected $error_uri;
40 |
41 | /**
42 | * Initial OAuth error codes from config settings
43 | *
44 | * @access public
45 | * @param string $message
46 | * @param string $state extras parameters
47 | * @param string $code default [ 0 ]
48 | * @return void
49 | */
50 | public function __construct($message, array $state = NULL, $code = 0)
51 | {
52 | $this->error = $message;
53 | $this->state = array_filter((array) $state);
54 |
55 | // Pass the message to the parent
56 | parent::__construct($message, $code);
57 | }
58 |
59 | public function as_json()
60 | {
61 | $state = $this->state;
62 |
63 | $params = array('error' => $this->error);
64 |
65 | if(isset($state['error_uri']))
66 | {
67 | $params['error_uri'] = url::site($state['error_uri'], TRUE);
68 |
69 | // don't append the customize error_uri to querystring
70 | unset($state['error_uri']);
71 | }
72 | else
73 | {
74 | $params['error_uri'] = url::site(Oauthz::config('error_uri'), TRUE).'/'.$this->error;
75 | }
76 |
77 | if(isset($state['error_description']))
78 | {
79 | $params['error_description'] = __($state['error_description']);
80 |
81 | // don't append the customize error_description to querystring
82 | unset($state['error_description']);
83 | }
84 | else
85 | {
86 | $params['error_description'] = $this->error_description;
87 | }
88 |
89 | empty($state) OR $params['error_uri'] .= '?'.http_build_query($state, '', '&');
90 |
91 | // JSON_UNESCAPED_SLASHES
92 | return str_replace('\\/', '/', json_encode($params));
93 | }
94 |
95 | public function as_query()
96 | {
97 | if(isset($this->state['error_uri']))
98 | {
99 | $params = array('error' => $this->error) + $this->state;
100 |
101 | if(isset($params['error_description']))
102 | {
103 | $params['error_description'] = __($params['error_description']);
104 | }
105 | else
106 | {
107 | $params['error_description'] = $this->error_description;
108 | }
109 |
110 | $error_uri = url::site($params['error_uri'], TRUE);
111 |
112 | // don't append error_uri to querystring
113 | unset($params['error_uri']);
114 |
115 | $error_uri .= '?'.http_build_query($params, '', '&');
116 | }
117 | else
118 | {
119 | // no need to expose error, error_description
120 | $error_uri = url::site(Oauthz::config('error_uri'), TRUE).'/'.$this->error;
121 |
122 | empty($this->state) OR $error_uri .= '?'.http_build_query($this->state, '', '&');
123 | }
124 |
125 | return $error_uri;
126 | }
127 |
128 | } // END OAuth_Exception
129 |
--------------------------------------------------------------------------------
/classes/oauthz/extension/code.php:
--------------------------------------------------------------------------------
1 |
8 | * @package Oauthz
9 | * @copyright (c) 2010 OALite
10 | * @license ISC License (ISCL)
11 | * @link http://oalite.com
12 | * @see Oauthz_Extension
13 | * *
14 | */
15 | class Oauthz_Extension_Code extends Oauthz_Extension {
16 |
17 | /**
18 | * REQUIRED. The client identifier as described in Section 2.1.
19 | *
20 | * @access public
21 | * @var string $client_id
22 | */
23 | public $client_id;
24 |
25 | /**
26 | * REQUIRED. The redirection URI used in the initial request.
27 | *
28 | * @access public
29 | * @var string $redirect_uri
30 | */
31 | public $redirect_uri;
32 |
33 | public $expires_in;
34 |
35 | /**
36 | * Load oauth parameters from GET or POST
37 | *
38 | * @access public
39 | * @param string $flag default [ FALSE ]
40 | * @return void
41 | * @throw Oauthz_Exception_Authorize Error Codes: invalid_request
42 | */
43 | public function __construct(array $args)
44 | {
45 | // Parse the "state" paramter
46 | if(isset($_GET['state']))
47 | {
48 | $this->state['state'] = rawurldecode($_GET['state']);
49 |
50 | unset($args['state']);
51 | }
52 |
53 | // Check all required parameters should not be empty
54 | foreach($args as $key => $val)
55 | {
56 | if($val === TRUE)
57 | {
58 | if(isset($_GET[$key]) AND $value = rawurldecode($_GET[$key]))
59 | {
60 | $this->$key = $value;
61 | }
62 | else
63 | {
64 | throw new Oauthz_Exception_Authorize('invalid_request', $this->state);
65 | }
66 | }
67 | elseif($val !== FALSE)
68 | {
69 | $this->$key = $val;
70 | }
71 | }
72 | }
73 |
74 | /**
75 | * Populate the oauth token from the request info and client info store in the server
76 | *
77 | * @access public
78 | * @param array $client
79 | * @return Oauthz_Token
80 | * @throw Oauthz_Exception_Authorize Error Codes: invalid_scope, unauthorized_client
81 | */
82 | public function execute()
83 | {
84 | // Verify the client and generate a code if successes
85 | if($client = Model_Oauthz::factory('Token')
86 | ->code($this->client_id, $this->token_type, $this->expires_in))
87 | {
88 | // audit
89 | }
90 | else
91 | {
92 | // Invalid client_id
93 | throw new Oauthz_Exception_Authorize('unauthorized_client', $this->state);
94 | }
95 |
96 | if($client['redirect_uri'] !== $this->redirect_uri)
97 | {
98 | throw new Oauthz_Exception_Authorize('unauthorized_client', $this->state);
99 | }
100 |
101 | if( ! empty($this->scope) AND ! empty($client['scope']))
102 | {
103 | if( ! in_array($this->scope, explode(' ', $client['scope'])))
104 | {
105 | // Redirect to client uri
106 | $params = $this->state;
107 | $params['error_uri'] = $this->redirect_uri;
108 |
109 | throw new Oauthz_Exception_Authorize('invalid_scope', $params);
110 | }
111 | }
112 |
113 | // Grants Authorization
114 | $token = new Oauthz_Token;
115 |
116 | $token->code = $client['code'];
117 | $token->token_type = $client['token_type'];
118 | $token->expires_in = $client['expires_in'];
119 |
120 | isset($this->state['state']) AND $token->state = $this->state['state'];
121 |
122 | return $this->redirect_uri.'?'.$token->as_query();
123 | }
124 |
125 | } // END Oauthz_Extension_Code
126 |
--------------------------------------------------------------------------------
/classes/oauthz/extension/assertion.php:
--------------------------------------------------------------------------------
1 |
6 | * @package Oauthz
7 | * @copyright (c) 2010 OALite
8 | * @license ISC License (ISCL)
9 | * @link http://oalite.com
10 | * @see Oauthz_Extension
11 | * *
12 | */
13 | class Oauthz_Extension_Assertion extends Oauthz_Extension {
14 |
15 | /**
16 | * assertion_type
17 | * REQUIRED. The format of the assertion as defined by the
18 | * authorization server. The value MUST be an absolute URI.
19 | */
20 | public $assertion_type;
21 |
22 | /**
23 | * assertion
24 | * REQUIRED. The assertion.
25 | */
26 | public $assertion;
27 |
28 | /**
29 | * client_id
30 | * OPTIONAL. The client identifier as described in Section 2.1.
31 | * The authorization server MAY require including the client
32 | * credentials with the request based on the assertion properties.
33 | * client_secret
34 | * OPTIONAL. The client secret as described in Section 2.1. MUST
35 | * NOT be included if the "client_id" parameter is omitted.
36 | * scope
37 | * OPTIONAL. The scope of the access request expressed as a list
38 | * of space-delimited strings. The value of the "scope" parameter
39 | * is defined by the authorization server. If the value contains
40 | * multiple space-delimited strings, their order does not matter,
41 | * and each string adds an additional access range to the
42 | * requested scope.
43 | * format
44 | * OPTIONAL. The response format requested by the client. Value
45 | * MUST be one of "json", "xml", or "form". Alternatively, the
46 | * client MAY use the HTTP "Accept" header field with the desired
47 | * media type. Defaults to "json" if omitted and no "Accept"
48 | * header field is present.
49 | */
50 |
51 | public function __construct($args = NULL)
52 | {
53 | $params = Oauthz::parse_query();
54 | $this->assertion_type = Arr::get($params, 'username');
55 | $this->assertion = Arr::get($params, 'password');
56 |
57 | if(NULL !== $client_id = Arr::get($params, 'client_id'))
58 | $this->client_id = $client_id;
59 |
60 | if(NULL !== $client_secret = Arr::get($params, 'client_secret'))
61 | $this->client_secret = $client_secret;
62 |
63 | if(NULL !== $scope = Arr::get($params, 'scope'))
64 | $this->scope = $scope;
65 |
66 | if(NULL !== $format = Arr::get($params, 'format'))
67 | $this->format = $format;
68 | }
69 |
70 | public function execute()
71 | {
72 | $token = new Model_Oauthz_Token;
73 |
74 | if( ! $client = $token->assertion($this->client_id))
75 | {
76 | throw new Oauthz_Exception_Token('unauthorized_client', $this->state);
77 | }
78 |
79 | if($client['assertion_type'] !== $this->assertion_type)
80 | {
81 | throw new Oauthz_Exception_Token('unknown-format', $this->state);
82 | }
83 |
84 | if($client['assertion'] !== $this->assertion
85 | OR (property_exists($this, 'client_id') AND $client['client_id'] !== $this->client_id)
86 | OR (property_exists($this, 'client_secret') AND $client['client_secret'] !== sha1($this->client_secret))
87 | OR (property_exists($this, 'scope') AND ! isset($client['scope'][$this->scope]))
88 | {
89 | throw new Oauthz_Exception_Token('invalid_request', $this->state);
90 | }
91 |
92 | $token = new Oauthz_Token;
93 |
94 | // Grants Authorization
95 | // The authorization server SHOULD NOT issue a refresh token.
96 | $token->access_token = $client['access_token'];
97 | $token->assertion_type = $this->assertion_type;
98 |
99 | return $token;
100 | }
101 |
102 | } // END Oauthz_Extension_Assertion
103 |
--------------------------------------------------------------------------------
/classes/oauthz/controller.php:
--------------------------------------------------------------------------------
1 |
7 | * @package Oauthz
8 | * @copyright (c) 2010 OALite
9 | * @license ISC License (ISCL)
10 | * @link http://oalite.com
11 | * @see Kohana_Controller
12 | * *
13 | */
14 | abstract class Oauthz_Controller extends Kohana_Controller {
15 |
16 | /**
17 | * The end-user authenticates directly with the authorization server, and grants client access to its protected resources
18 | *
19 | * @access public
20 | * @return void
21 | */
22 | public function action_authorize()
23 | {
24 | try
25 | {
26 | // There is handler for this response type
27 | if($response_type = Arr::get($_GET, 'response_type'))
28 | {
29 | $arguments = Arr::get(Oauthz::config('params'), $response_type, array());
30 |
31 | if($extension = Oauthz_Extension::factory($response_type, $arguments))
32 | {
33 | if( ! Oauthz::is_login())
34 | {
35 | $this->request->redirect(Oauthz::config('login_uri').'redirect='.rawurlencode($this->request->url().url::query()));
36 | }
37 | $response = $extension->execute();
38 | }
39 | }
40 |
41 | // This response type is unsupported
42 | if( ! isset($response))
43 | {
44 | $params = isset($_GET['state']) ? array('state' => $_GET['state']) : NULL;
45 |
46 | throw new Oauthz_Exception_Authorize('unsupported_response_type', $params);
47 | }
48 | }
49 | catch (Oauthz_Exception $e)
50 | {
51 | $response = $e->as_query();
52 | }
53 |
54 | // HTTP/1.1 302 Found
55 | $this->request->status = 302;
56 | $this->request->headers['Content-Type'] = 'application/x-www-form-urlencoded';
57 | $this->request->redirect($response);
58 | }
59 |
60 | /**
61 | * Access token handler for the client requests
62 | *
63 | * @access public
64 | * @return void
65 | */
66 | public function action_token()
67 | {
68 | try
69 | {
70 | // There is handler for this grant type
71 | if($grant_type = Oauthz::get('grant_type'))
72 | {
73 | $arguments = Arr::get(Oauthz::config('params'), $grant_type, array());
74 |
75 | if($extension = Oauthz_Extension::factory($grant_type, $arguments))
76 | {
77 | $response = $extension->execute();
78 | }
79 | }
80 |
81 | if(isset($response) AND $response instanceOf Oauthz_Token)
82 | {
83 | // HTTP/1.1 200 OK
84 | $this->request->status = 200;
85 | $this->request->headers['Content-Type'] = $response->format;
86 | }
87 | else
88 | {
89 | /**
90 | * HTTP/1.1 401 (Unauthorized) for "Authorization" request header field
91 | * HTTP/1.1 400 Bad Request for other authentication scheme
92 | */
93 | $this->request->status = 400;
94 |
95 | $params = Oauthz::get('state') ? array('state' => Oauthz::get('state')) : NULL;
96 |
97 | throw new Oauthz_Exception_Token('unsupported_grant_type', $params);
98 | }
99 | }
100 | catch (Oauthz_Exception $e)
101 | {
102 | $this->request->headers['Content-Type'] = 'application/json';
103 |
104 | $response = $e->as_json();
105 | }
106 |
107 | $this->request->headers['Expires'] = 'Sat, 26 Jul 1997 05:00:00 GMT';
108 | $this->request->headers['Cache-Control'] = 'no-store, must-revalidate';
109 | $this->request->response = $response;
110 | }
111 |
112 | } // END Oauthz Server Controller
113 |
--------------------------------------------------------------------------------
/config/oauth-server.php:
--------------------------------------------------------------------------------
1 | array(
8 |
9 | 'realm' => 'REST API',
10 |
11 | // '' - no login required, 'basic' - unsecure login, 'digest' - more secure login, 'OAuth' - cool
12 | 'auth' => 'OAuth',
13 |
14 | /**
15 | * Set to FALSE to ignore the HTTP Accept and speed up each request a little.
16 | * Only do this if you are using the follow formats or /format/xml in URLs
17 | */
18 | 'http_accept'=> FALSE,
19 |
20 | // login uri for the resource owner, before he approves the client's request
21 | // [!!] this uri will be appended the redirect parameter. therefore the last char must be '?' or '&'
22 | // e.g. /user/signin?, /user/signin?my=xxx&
23 | 'login_uri' => '/oauth/signin?',
24 |
25 | // Error info base uri
26 | 'error_uri' => '/oauth/error',
27 |
28 | /**
29 | * TODO: Authentication methods for each flows
30 | */
31 | 'methods' => array(
32 | 'authorization_code' => array('basic', 'digest', 'mac'),
33 | 'access_token' => array('bearer', 'mac'),
34 | ),
35 |
36 | /**
37 | * Parameters should be required when request authorization code
38 | * cryptographic token or bear token
39 | *
40 | * TRUE: the value of this parameter is obtained from request parameters
41 | * FALSE: this parameter is disabled
42 | * otherwise: this parameter will be binded to token object
43 | */
44 | 'params' => array(
45 | // Parameters should be required for response_type endpoint
46 | 'code' => array(
47 | 'client_id' => TRUE,
48 | 'redirect_uri' => TRUE,
49 | 'scope' => FALSE,
50 | 'state' => FALSE,
51 | // authorization code expires time, default is 2 minutes
52 | 'expires_in' => 60,
53 |
54 | // The follow Parameters are used for access token request
55 | 'token_type' => 'bearer'
56 | ),
57 | // Parameters should be required for grant_type endpoint
58 | 'authorization_code' => array(
59 | 'code' => TRUE,
60 | 'redirect_uri' => TRUE,
61 | 'client_id' => TRUE,
62 | 'client_secret' => TRUE,
63 | // authorization code expires time, default is 5 minutes
64 | 'expires_in' => 300
65 | ),
66 | 'token' => array(
67 | 'code' => TRUE,
68 | 'redirect_uri' => TRUE,
69 | 'client_id' => TRUE,
70 | 'client_secret' => TRUE,
71 | 'scope' => FALSE,
72 | 'state' => FALSE,
73 | 'mac_key' => FALSE,
74 | 'mac_algorithm' => FALSE,
75 | // token expires time, default is 1 hour
76 | 'expires_in' => 3600
77 | ),
78 | 'password' => array(
79 | 'username' => TRUE,
80 | 'password' => TRUE,
81 | 'client_id' => TRUE,
82 | 'client_secret' => TRUE,
83 | 'mac_key' => FALSE,
84 | 'mac_algorithm' => FALSE,
85 | // token expires time, default is 1 hour
86 | 'expires_in' => 3600
87 | ),
88 | 'refresh_token' => array(
89 | 'refresh_token' => TRUE,
90 | 'client_id' => TRUE,
91 | 'client_secret' => TRUE,
92 | 'mac_key' => FALSE,
93 | 'mac_algorithm' => FALSE,
94 | // refresh token expires time, default is 1 day
95 | 'expires_in' => 86400
96 | ),
97 | // TODO
98 | 'assertion' => array(
99 | 'assertion_type' => TRUE,
100 | 'assertion' => TRUE,
101 | 'client_id' => TRUE,
102 | 'client_secret' => TRUE
103 | )
104 | ),
105 | 'scopes' => array(
106 | 'get' => TRUE,
107 | 'create' => TRUE,
108 | 'update' => TRUE,
109 | 'delete' => TRUE
110 | )
111 | )
112 |
113 | ); // END OAuth server config
114 |
--------------------------------------------------------------------------------
/classes/oauthz/token.php:
--------------------------------------------------------------------------------
1 |
6 | * @package Oauthz
7 | * @copyright (c) 2010 OALite
8 | * @license ISC License (ISCL)
9 | * @link http://oalite.com
10 | * *
11 | */
12 | class Oauthz_Token {
13 |
14 | public $format = 'json';
15 |
16 | public function __construct(array $params = array())
17 | {
18 | foreach($params as $key => $val)
19 | {
20 | $this->$key = $val;
21 | }
22 | }
23 |
24 | public function as_json()
25 | {
26 | if(empty($this->error))
27 | {
28 | $json = get_object_vars($this);
29 | foreach($json as $key => $val)
30 | {
31 | if(empty($val)) unset($json[$key]);
32 | }
33 | }
34 | else
35 | {
36 | $json = array('error' => $this->error);
37 |
38 | isset($this->state) AND $json['state'] = $this->state;
39 | }
40 |
41 | // JSON_UNESCAPED_SLASHES
42 | return str_replace('\\/', '/', json_encode($json));
43 | }
44 |
45 | public function as_xml()
46 | {
47 | $doc = new DOMDocument('1.0', 'UTF-8');
48 | $doc->formatOutput = true;
49 |
50 | $oauth = $doc->createElement('OAuth');
51 | $doc->appendChild($oauth);
52 |
53 | if(empty($this->error))
54 | {
55 | foreach(get_object_vars($this) as $key => $val)
56 | {
57 | if(empty($val)) continue;
58 |
59 | $node = $doc->createElement($key);
60 | $node->appendChild($doc->createTextNode($val));
61 | $oauth->appendChild($node);
62 | }
63 | }
64 | else
65 | {
66 | $node = $doc->createElement('error');
67 | $node->appendChild($doc->createTextNode($this->error));
68 | $oauth->appendChild($node);
69 |
70 | if(isset($this->state))
71 | {
72 | $node = $doc->createElement('state');
73 | $node->appendChild($doc->createTextNode($this->state));
74 | $oauth->appendChild($node);
75 | }
76 | }
77 | return $doc->saveXML();
78 | }
79 |
80 | public function as_query()
81 | {
82 | if(empty($this->error))
83 | {
84 | $form = get_object_vars($this);
85 | foreach($form as $key => $val)
86 | {
87 | if(empty($val)) unset($form[$key]);
88 | }
89 | }
90 | else
91 | {
92 | $form = array('error' => $this->error);
93 |
94 | isset($this->state) AND $form['state'] = $this->state;
95 |
96 | isset($this->error_uri) AND $form['error_uri'] = $this->error_uri;
97 |
98 | isset($this->error_description) AND $form['error_description'] = $this->error_description;
99 | }
100 | return http_build_query($form, '', '&');
101 | }
102 |
103 | public function as_html()
104 | {
105 | $text = '';
106 | if(empty($this->error))
107 | {
108 | $form = get_object_vars($this);
109 | foreach($form as $key => $val)
110 | {
111 | if(empty($val)) continue;
112 |
113 | $text .= ''.$key.' '.$val.' ';
114 | }
115 | }
116 | else
117 | {
118 | $text .= 'error '.$this->error.' ';
119 |
120 | isset($this->state) AND $text .= 'state '.$this->state.' ';
121 | }
122 | return $text.' ';
123 | }
124 |
125 | /**
126 | * Serialize token to string that a server would respond to
127 | *
128 | * @access public
129 | * @return string
130 | */
131 | public function __toString()
132 | {
133 | $format = $this->format;
134 | $this->format = NULL;
135 | switch($format)
136 | {
137 | case 'xml':
138 | case 'application/xhtml+xml':
139 | $res = $this->as_xml();
140 | $this->format = 'application/xml';
141 | break;
142 | case 'form':
143 | $res = $this->as_query();
144 | $this->format = 'application/x-www-form-urlencoded';
145 | break;
146 | case 'text/html':
147 | $res = $this->as_html();
148 | $this->format = 'text/html';
149 | break;
150 | default:
151 | $res = $this->as_json();
152 | $this->format = 'application/json';
153 | break;
154 | }
155 | return $res;
156 | }
157 |
158 | public function __set($key, $val)
159 | {
160 | if( ! empty($val)) $this->$key = $val;
161 | }
162 |
163 | } // END Oauthz_Token
164 |
--------------------------------------------------------------------------------
/classes/oauthz/extension/authorization/code.php:
--------------------------------------------------------------------------------
1 |
8 | * @package Oauthz
9 | * @copyright (c) 2010 OALite
10 | * @license ISC License (ISCL)
11 | * @link http://oalite.com
12 | * @see Oauthz_Extension
13 | * *
14 | */
15 | class Oauthz_Extension_Authorization_Code extends Oauthz_Extension {
16 |
17 | /**
18 | * REQUIRED. The client identifier as described in Section 2.1.
19 | *
20 | * @access public
21 | * @var string $client_id
22 | */
23 | public $client_id;
24 |
25 | /**
26 | * REQUIRED. The redirection URI used in the initial request.
27 | *
28 | * @access public
29 | * @var string $redirect_uri
30 | */
31 | public $redirect_uri;
32 |
33 | /**
34 | * Load oauth parameters from GET or POST
35 | *
36 | * @access public
37 | * @param string $flag default [ FALSE ]
38 | * @return void
39 | */
40 | public function __construct(array $args)
41 | {
42 | // Parse the "state" paramter
43 | if(isset($_POST['state']))
44 | {
45 | if($state = rawurldecode($_POST['state']))
46 | $this->state['state'] = $state;
47 |
48 | unset($args['state']);
49 | }
50 |
51 | // Check all required parameters should NOT be empty
52 | foreach($args as $key => $val)
53 | {
54 | if($val === TRUE)
55 | {
56 | if(isset($_POST[$key]) AND $value = rawurldecode($_POST[$key]))
57 | {
58 | $this->$key = $value;
59 | }
60 | else
61 | {
62 | throw new Oauthz_Exception_Authorize('invalid_request', $this->state);
63 | }
64 | }
65 | elseif($val !== FALSE)
66 | {
67 | $this->$key = $val;
68 | }
69 | }
70 | }
71 |
72 | /**
73 | * Populate the access token thu the request info and client info stored in the server
74 | *
75 | * @access public
76 | * @param array $client
77 | * @return Oauthz_Token
78 | * @throw Oauthz_Exception_Authorize Error Codes: invalid_request, invalid_scope
79 | */
80 | public function execute()
81 | {
82 | if($client = Model_Oauthz::factory('Token')
83 | ->token($this->client_id, $this->code, $this->expires_in))
84 | {
85 | //$audit = new Model_Oauthz_Audit;
86 | //$audit->audit_token($token);
87 |
88 | // Verify the oauth token send by client
89 | }
90 | else
91 | {
92 | throw new Oauthz_Exception_Token('unauthorized_client', $this->state);
93 | }
94 |
95 | if($client['redirect_uri'] !== $this->redirect_uri)
96 | {
97 | throw new Oauthz_Exception_Token('unauthorized_client', $this->state);
98 | }
99 |
100 | if($client['client_secret'] !== sha1($this->client_secret))
101 | {
102 | // Redirect to client uri
103 | $params = $this->state;
104 | $params['error_uri'] = $this->redirect_uri;
105 |
106 | throw new Oauthz_Exception_Token('unauthorized_client', $params);
107 | }
108 |
109 | if( ! empty($this->scope) AND ! empty($client['scope']))
110 | {
111 | if( ! in_array($this->scope, explode(' ', $client['scope'])))
112 | {
113 | $params = $this->state;
114 | $params['error_uri'] = $this->redirect_uri;
115 |
116 | throw new Oauthz_Exception_Authorize('invalid_scope', $params);
117 | }
118 | }
119 |
120 | if($client['expires_in'] < $_SERVER['REQUEST_TIME'])
121 | {
122 | $params = $this->state;
123 | $params['error_uri'] = $this->redirect_uri;
124 |
125 | throw new Oauthz_Exception_Access('invalid_grant', $params);
126 | }
127 |
128 | // Everything is ok, then return the token
129 | $token = new Oauthz_Token;
130 |
131 | // TODO: issue "mac" OAuth Access Token Type
132 | $token->token_type = $client['token_type'];
133 | $token->access_token = $client['access_token'];
134 | $token->refresh_token = $client['refresh_token'];
135 | $token->expires_in = $client['expires_in'];
136 |
137 | // merge other token properties, e.g. {"mac_key":"adijq39jdlaska9asud","mac_algorithm":"hmac-sha-256"}
138 | if($client['options'] AND $option = json_decode($client['options'], TRUE))
139 | {
140 | foreach($option as $key => $val)
141 | {
142 | $token->$key = $val;
143 | }
144 | }
145 |
146 | isset($this->state['state']) AND $token->state = $this->state['state'];
147 |
148 | return $token;
149 | }
150 |
151 | } // END Oauthz_Extension_Authorization_Code
152 |
--------------------------------------------------------------------------------
/classes/oauthz/api.php:
--------------------------------------------------------------------------------
1 |
6 | * @package Oauthz
7 | * @copyright (c) 2010 OALite
8 | * @license ISC License (ISCL)
9 | * @link http://oalite.com
10 | * @see Kohana_Controller
11 | * *
12 | */
13 | abstract class Oauthz_Api extends Kohana_Controller {
14 |
15 | /**
16 | * Config group name
17 | *
18 | * @access protected
19 | * @var string $_type
20 | */
21 | protected $_type = 'default';
22 |
23 | /**
24 | * methods exclude from OAuth protection
25 | *
26 | * @access protected
27 | * @var array $_exclude
28 | */
29 | protected $_exclude = array('xrds');
30 |
31 | /**
32 | * Verify the request to protected resource.
33 | * if unauthorized, redirect action to invalid_request
34 | *
35 | * @access public
36 | * @return void
37 | */
38 | public function __construct(Request $request)
39 | {
40 | // Exclude actions do NOT need to protect
41 | if( ! in_array($request->action, $this->_exclude))
42 | {
43 | $config = Kohana::config('oauth-api')->get($this->_type);
44 |
45 | switch(Request::$method)
46 | {
47 | case 'POST':
48 | $target = $_POST;
49 | break;
50 | case 'GET':
51 | $target = $_GET;
52 | break;
53 | }
54 |
55 | try
56 | {
57 | // Verify the request method supported in the config settings
58 | if( ! isset($target) OR empty($config['methods'][Request::$method]))
59 | {
60 | throw new Oauthz_Exception_Access('invalid_request', Oauthz_Authentication::state($target));
61 | }
62 |
63 | $token_type = Arr::get($target, 'token_type', 'bearer');
64 |
65 | if( ! isset($config[$token_type]))
66 | {
67 | throw new Oauthz_Exception_Access('invalid_grant', Oauthz_Authentication::state($target));
68 | }
69 |
70 | // Process the access token from the request header or body
71 | $oauth = Oauthz_Authentication::factory($token_type, $config[$token_type], $target);
72 |
73 | // Load the token information from database
74 | if( ! $token = Model_Oauthz::factory('Token')
75 | ->access_token($oauth->token()))
76 | {
77 | throw new Oauthz_Exception_Access('unauthorized_client', Oauthz_Authentication::state($target));
78 | }
79 |
80 | if($token['expires_in'] < $_SERVER['REQUEST_TIME'])
81 | {
82 | throw new Oauthz_Exception_Access('invalid_grant', Oauthz_Authentication::state($target));
83 | }
84 |
85 | // Verify the access token
86 | $oauth->verify($token);
87 | }
88 | catch (Oauthz_Exception $e)
89 | {
90 | $this->exception = $e;
91 |
92 | // Redirect the action to unauthenticated
93 | $request->action = 'unauthenticated';
94 | }
95 | }
96 |
97 | parent::__construct($request);
98 | }
99 |
100 | /**
101 | * Unauthorized response, only be called from internal
102 | *
103 | * @access public
104 | * @param string $error
105 | * @return void
106 | * @todo Add list of error codes
107 | */
108 | public function action_unauthenticated()
109 | {
110 | if($this->exception->error === 'invalid_client')
111 | {
112 | // HTTP/1.1 401 Unauthorized
113 | $this->request->status = 401;
114 | // TODO: If the client attempted to authenticate via the "Authorization" request header field
115 | // the "WWW-Authenticate" response header field matching the authentication scheme used by the client.
116 | // $this->request->headers['WWW-Authenticate'] = 'OAuth2 realm=\'Service\','.http_build_query($error, '', ',');
117 | }
118 | else
119 | {
120 | // HTTP/1.1 400 Bad Request
121 | $this->request->status = 400;
122 | }
123 |
124 | $this->request->headers['Content-Type'] = 'application/json';
125 | $this->request->headers['Expires'] = 'Sat, 26 Jul 1997 05:00:00 GMT';
126 | $this->request->headers['Cache-Control'] = 'no-store, must-revalidate';
127 | $this->request->response = $this->exception->as_json();
128 | }
129 |
130 | /**
131 | * OAuth server auto-discovery for user
132 | *
133 | * @access public
134 | * @return void
135 | * @todo Add list of error codes
136 | */
137 | public function action_xrds()
138 | {
139 | $this->request->headers['Content-Type'] = 'application/xrds+xml';
140 | $this->request->response = View::factory('oauth-server-xrds')->render();
141 | }
142 |
143 | } // END Oauthz_Api
144 |
--------------------------------------------------------------------------------
/views/oauthz-template.php:
--------------------------------------------------------------------------------
1 | get('user');
3 | ?>
4 |
5 |
6 | OAuth Test
10 |
101 |
102 |
103 |
104 | OAuth 2.0 Test
105 |
119 |
121 |
122 |
124 |
125 |
126 |
127 |
128 | OALite Inc.
129 |
130 | Open Application Lite is a web platform that offers online software serivce to personal and medium and small-sized enterprises.
131 |
132 |