Public Member Functions | |
| __construct ($connection, $config=array()) | |
| checkClientCredentials ($client_id, $client_secret=null) | |
| isPublicClient ($client_id) | |
| getClientDetails ($client_id) | |
| setClientDetails ($client_id, $client_secret=null, $redirect_uri=null, $grant_types=null, $scope=null, $user_id=null) | |
| checkRestrictedGrantType ($client_id, $grant_type) | |
| getAccessToken ($access_token) | |
| setAccessToken ($access_token, $client_id, $user_id, $expires, $scope=null) | |
| unsetAccessToken ($access_token) | |
| getAuthorizationCode ($code) | |
| setAuthorizationCode ($authorization_code, $client_id, $user_id, $redirect_uri, $expires, $scope=null, $id_token=null) | |
| expireAuthorizationCode ($code) | |
| checkUserCredentials ($username, $password) | |
| getUserDetails ($username) | |
| getUserClaims ($user_id, $claims) | |
| getRefreshToken ($refresh_token) | |
| setRefreshToken ($refresh_token, $client_id, $user_id, $expires, $scope=null) | |
| unsetRefreshToken ($refresh_token) | |
| getUser ($username) | |
| setUser ($username, $password, $first_name=null, $last_name=null) | |
| scopeExists ($scope) | |
| getDefaultScope ($client_id=null) | |
| getClientKey ($client_id, $subject) | |
| getClientScope ($client_id) | |
| getJti ($client_id, $subject, $audience, $expires, $jti) | |
| setJti ($client_id, $subject, $audience, $expires, $jti) | |
| getPublicKey ($client_id='0') | |
| getPrivateKey ($client_id='0') | |
| getEncryptionAlgorithm ($client_id=null) | |
 Public Member Functions inherited from OAuth2\Storage\AuthorizationCodeInterface | |
| setAuthorizationCode ($code, $client_id, $user_id, $redirect_uri, $expires, $scope=null) | |
| Public Member Functions inherited from OAuth2\ResponseType\AuthorizationCodeInterface | |
| enforceRedirect () | |
| createAuthorizationCode ($client_id, $user_id, $redirect_uri, $scope=null) | |
| Public Member Functions inherited from OAuth2\ResponseType\ResponseTypeInterface | |
| getAuthorizeResponse ($params, $user_id=null) | |
Protected Member Functions | |
| getUserClaim ($claim, $userDetails) | |
| checkPassword ($user, $password) | |
Protected Attributes | |
| $client | |
| $config | |
Additional Inherited Members | |
| Public Attributes inherited from OAuth2\Storage\AuthorizationCodeInterface | |
| const | RESPONSE_TYPE_CODE = "code" |
| Public Attributes inherited from OAuth2\OpenID\Storage\UserClaimsInterface | |
| const | VALID_CLAIMS = 'profile email address phone' |
| const | PROFILE_CLAIM_VALUES = 'name family_name given_name middle_name nickname preferred_username profile picture website gender birthdate zoneinfo locale updated_at' |
| const | EMAIL_CLAIM_VALUES = 'email email_verified' |
| const | ADDRESS_CLAIM_VALUES = 'formatted street_address locality region postal_code country' |
| const | PHONE_CLAIM_VALUES = 'phone_number phone_number_verified' |
Detailed Description
DynamoDB storage for all storage types
To use, install "aws/aws-sdk-php" via composer composer require aws/aws-sdk-php:dev-master
Once this is done, instantiate the DynamoDB client $storage = new OAuth2\Storage\Dynamodb(array("key" => "YOURKEY", "secret" => "YOURSECRET", "region" => "YOURREGION"));
Table :
- oauth_access_tokens (primary hash key : access_token)
- oauth_authorization_codes (primary hash key : authorization_code)
- oauth_clients (primary hash key : client_id)
- oauth_jwt (primary hash key : client_id, primary range key : subject)
- oauth_public_keys (primary hash key : client_id)
- oauth_refresh_tokens (primary hash key : refresh_token)
- oauth_scopes (primary hash key : scope, secondary index : is_default-index hash key is_default)
- oauth_users (primary hash key : username)
Definition at line 34 of file DynamoDB.php.
Constructor & Destructor Documentation
◆ __construct()
| OAuth2\Storage\DynamoDB::__construct | ( | $connection, | |
$config = array() |
|||
| ) |
Definition at line 49 of file DynamoDB.php.
Member Function Documentation
◆ checkClientCredentials()
| OAuth2\Storage\DynamoDB::checkClientCredentials | ( | $client_id, | |
$client_secret = null |
|||
| ) |
Make sure that the client credentials is valid.
- Parameters
-
$client_id Client identifier to be check with. $client_secret (optional) If a secret is required, check that they've given the right one.
- Returns
- TRUE if the client credentials are valid, and MUST return FALSE if it isn't.
Implements OAuth2\Storage\ClientCredentialsInterface.
Definition at line 80 of file DynamoDB.php.
◆ checkPassword()
|
protected |
Definition at line 343 of file DynamoDB.php.
◆ checkRestrictedGrantType()
| OAuth2\Storage\DynamoDB::checkRestrictedGrantType | ( | $client_id, | |
| $grant_type | |||
| ) |
Check restricted grant types of corresponding client identifier.
If you want to restrict clients to certain grant types, override this function.
- Parameters
-
$client_id Client identifier to be check with. $grant_type Grant type to be check with
- Returns
- TRUE if the grant type is supported by this client identifier, and FALSE if it isn't.
Implements OAuth2\Storage\ClientInterface.
Definition at line 137 of file DynamoDB.php.
◆ checkUserCredentials()
| OAuth2\Storage\DynamoDB::checkUserCredentials | ( | $username, | |
| $password | |||
| ) |
Grant access tokens for basic user credentials.
Check the supplied username and password for validity.
You can also use the $client_id param to do any checks required based on a client, if you need that.
Required for OAuth2::GRANT_TYPE_USER_CREDENTIALS.
- Parameters
-
$username Username to be check with. $password Password to be check with.
- Returns
- TRUE if the username and password are valid, and FALSE if it isn't. Moreover, if the username and password are valid, and you want to
Implements OAuth2\Storage\UserCredentialsInterface.
Definition at line 243 of file DynamoDB.php.
◆ expireAuthorizationCode()
| OAuth2\Storage\DynamoDB::expireAuthorizationCode | ( | $code | ) |
once an Authorization Code is used, it must be exipired
The client MUST NOT use the authorization code more than once. If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that authorization code
Implements OAuth2\Storage\AuthorizationCodeInterface.
Definition at line 231 of file DynamoDB.php.
◆ getAccessToken()
| OAuth2\Storage\DynamoDB::getAccessToken | ( | $oauth_token | ) |
Look up the supplied oauth_token from storage.
We need to retrieve access token data as we create and verify tokens.
- Parameters
-
$oauth_token oauth_token to be check with.
- Returns
- An associative array as below, and return NULL if the supplied oauth_token is invalid:
- expires: Stored expiration in unix timestamp.
- client_id: (optional) Stored client identifier.
- user_id: (optional) Stored user identifier.
- scope: (optional) Stored scope values in space-separated string.
- id_token: (optional) Stored id_token (if "use_openid_connect" is true).
Implements OAuth2\Storage\AccessTokenInterface.
Definition at line 151 of file DynamoDB.php.
◆ getAuthorizationCode()
| OAuth2\Storage\DynamoDB::getAuthorizationCode | ( | $code | ) |
Fetch authorization code data (probably the most common grant type).
Retrieve the stored data for the given authorization code.
Required for OAuth2::GRANT_TYPE_AUTH_CODE.
- Parameters
-
$code Authorization code to be check with.
- Returns
- An associative array as below, and NULL if the code is invalid return array("client_id" => CLIENT_ID, // REQUIRED Stored client identifier"user_id" => USER_ID, // REQUIRED Stored user identifier"expires" => EXPIRES, // REQUIRED Stored expiration in unix timestamp"redirect_uri" => REDIRECT_URI, // REQUIRED Stored redirect URI"scope" => SCOPE, // OPTIONAL Stored scope values in space-separated string);
Implements OAuth2\Storage\AuthorizationCodeInterface.
Definition at line 196 of file DynamoDB.php.
◆ getClientDetails()
| OAuth2\Storage\DynamoDB::getClientDetails | ( | $client_id | ) |
Get client details corresponding client_id.
OAuth says we should store request URIs for each registered client. Implement this function to grab the stored URI for a given client id.
- Parameters
-
$client_id Client identifier to be check with.
- Returns
- array Client details. The only mandatory key in the array is "redirect_uri". This function MUST return FALSE if the given client does not exist or is invalid. "redirect_uri" can be space-delimited to allow for multiple valid uris.
return array( "redirect_uri" => REDIRECT_URI, // REQUIRED redirect_uri registered for the client "client_id" => CLIENT_ID, // OPTIONAL the client id "grant_types" => GRANT_TYPES, // OPTIONAL an array of restricted grant types "user_id" => USER_ID, // OPTIONAL the user identifier associated with this client "scope" => SCOPE, // OPTIONAL the scopes allowed for this client );
Implements OAuth2\Storage\ClientInterface.
Definition at line 105 of file DynamoDB.php.
◆ getClientKey()
| OAuth2\Storage\DynamoDB::getClientKey | ( | $client_id, | |
| $subject | |||
| ) |
Get the public key associated with a client_id
- Parameters
-
$client_id Client identifier to be checked with.
- Returns
- STRING Return the public key for the client_id if it exists, and MUST return FALSE if it doesn't.
Implements OAuth2\Storage\JwtBearerInterface.
Definition at line 431 of file DynamoDB.php.
◆ getClientScope()
| OAuth2\Storage\DynamoDB::getClientScope | ( | $client_id | ) |
Get the scope associated with this client
- Returns
- STRING the space-delineated scope list for the specified client_id
Implements OAuth2\Storage\ClientInterface.
Definition at line 445 of file DynamoDB.php.
◆ getDefaultScope()
| OAuth2\Storage\DynamoDB::getDefaultScope | ( | $client_id = null | ) |
The default scope to use in the event the client does not request one. By returning "false", a request_error is returned by the server to force a scope request by the client. By returning "null", opt out of requiring scopes
- Parameters
-
$client_id An optional client id that can be used to return customized default scopes.
- Returns
- string representation of default scope, null if scopes are not defined, or false to force scope request by the client
ex: 'default' ex: null
Implements OAuth2\Storage\ScopeInterface.
Definition at line 403 of file DynamoDB.php.
◆ getEncryptionAlgorithm()
| OAuth2\Storage\DynamoDB::getEncryptionAlgorithm | ( | $client_id = null | ) |
Implements OAuth2\Storage\PublicKeyInterface.
Definition at line 499 of file DynamoDB.php.
◆ getJti()
| OAuth2\Storage\DynamoDB::getJti | ( | $client_id, | |
| $subject, | |||
| $audience, | |||
| $expiration, | |||
| $jti | |||
| ) |
Get a jti (JSON token identifier) by matching against the client_id, subject, audience and expiration.
- Parameters
-
$client_id Client identifier to match. $subject The subject to match. $audience The audience to match. $expiration The expiration of the jti. $jti The jti to match.
- Returns
- An associative array as below, and return NULL if the jti does not exist.
- issuer: Stored client identifier.
- subject: Stored subject.
- audience: Stored audience.
- expires: Stored expiration in unix timestamp.
- jti: The stored jti.
Implements OAuth2\Storage\JwtBearerInterface.
Definition at line 458 of file DynamoDB.php.
◆ getPrivateKey()
| OAuth2\Storage\DynamoDB::getPrivateKey | ( | $client_id = '0' | ) |
Implements OAuth2\Storage\PublicKeyInterface.
Definition at line 485 of file DynamoDB.php.
◆ getPublicKey()
| OAuth2\Storage\DynamoDB::getPublicKey | ( | $client_id = '0' | ) |
Implements OAuth2\Storage\PublicKeyInterface.
Definition at line 469 of file DynamoDB.php.
◆ getRefreshToken()
| OAuth2\Storage\DynamoDB::getRefreshToken | ( | $refresh_token | ) |
Grant refresh access tokens.
Retrieve the stored data for the given refresh token.
Required for OAuth2::GRANT_TYPE_REFRESH_TOKEN.
- Parameters
-
$refresh_token Refresh token to be check with.
- Returns
- An associative array as below, and NULL if the refresh_token is invalid:
- refresh_token: Refresh token identifier.
- client_id: Client identifier.
- user_id: User identifier.
- expires: Expiration unix timestamp, or 0 if the token doesn't expire.
- scope: (optional) Scope values in space-separated string.
Implements OAuth2\Storage\RefreshTokenInterface.
Definition at line 301 of file DynamoDB.php.
◆ getUser()
| OAuth2\Storage\DynamoDB::getUser | ( | $username | ) |
Definition at line 348 of file DynamoDB.php.
◆ getUserClaim()
|
protected |
Definition at line 283 of file DynamoDB.php.
◆ getUserClaims()
| OAuth2\Storage\DynamoDB::getUserClaims | ( | $user_id, | |
| $scope | |||
| ) |
Return claims about the provided user id.
Groups of claims are returned based on the requested scopes. No group is required, and no claim is required.
- Parameters
-
$user_id The id of the user for which claims should be returned. $scope The requested scope. Scopes with matching claims: profile, email, address, phone.
- Returns
- An array in the claim => value format.
Implements OAuth2\OpenID\Storage\UserClaimsInterface.
Definition at line 258 of file DynamoDB.php.
◆ getUserDetails()
| OAuth2\Storage\DynamoDB::getUserDetails | ( | $username | ) |
- Returns
- ARRAY the associated "user_id" and optional "scope" values This function MUST return FALSE if the requested user does not exist or is invalid. "scope" is a space-separated list of restricted scopes. return array("user_id" => USER_ID, // REQUIRED user_id to be stored with the authorization code or access token"scope" => SCOPE // OPTIONAL space-separated list of restricted scopes);
Implements OAuth2\Storage\UserCredentialsInterface.
Definition at line 252 of file DynamoDB.php.
◆ isPublicClient()
| OAuth2\Storage\DynamoDB::isPublicClient | ( | $client_id | ) |
Determine if the client is a "public" client, and therefore does not require passing credentials for certain grant types
- Parameters
-
$client_id Client identifier to be check with.
- Returns
- TRUE if the client is public, and FALSE if it isn't.
- See also
- http://tools.ietf.org/html/rfc6749#section-2.3
- https://github.com/bshaffer/oauth2-server-php/issues/257
Implements OAuth2\Storage\ClientCredentialsInterface.
Definition at line 90 of file DynamoDB.php.
◆ scopeExists()
| OAuth2\Storage\DynamoDB::scopeExists | ( | $scope | ) |
Check if the provided scope exists.
- Parameters
-
$scope A space-separated string of scopes.
- Returns
- TRUE if it exists, FALSE otherwise.
Implements OAuth2\Storage\ScopeInterface.
Definition at line 381 of file DynamoDB.php.
◆ setAccessToken()
| OAuth2\Storage\DynamoDB::setAccessToken | ( | $oauth_token, | |
| $client_id, | |||
| $user_id, | |||
| $expires, | |||
$scope = null |
|||
| ) |
Store the supplied access token values to storage.
We need to store access token data as we create and verify tokens.
- Parameters
-
$oauth_token oauth_token to be stored. $client_id client identifier to be stored. $user_id user identifier to be stored. int $expires expiration to be stored as a Unix timestamp. string $scope OPTIONAL Scopes to be stored in space-separated string.
Implements OAuth2\Storage\AccessTokenInterface.
Definition at line 168 of file DynamoDB.php.
◆ setAuthorizationCode()
| OAuth2\Storage\DynamoDB::setAuthorizationCode | ( | $code, | |
| $client_id, | |||
| $user_id, | |||
| $redirect_uri, | |||
| $expires, | |||
$scope = null, |
|||
$id_token = null |
|||
| ) |
Take the provided authorization code values and store them somewhere.
This function should be the storage counterpart to getAuthCode().
If storage fails for some reason, we're not currently checking for any sort of success/failure, so you should bail out of the script and provide a descriptive fail message.
Required for OAuth2::GRANT_TYPE_AUTH_CODE.
- Parameters
-
$code authorization code to be stored. $client_id client identifier to be stored. $user_id user identifier to be stored. string $redirect_uri redirect URI(s) to be stored in a space-separated string. int $expires expiration to be stored as a Unix timestamp. string $scope OPTIONAL scopes to be stored in space-separated string. string $id_token OPTIONAL the OpenID Connect id_token.
Implements OAuth2\OpenID\Storage\AuthorizationCodeInterface.
Definition at line 215 of file DynamoDB.php.
◆ setClientDetails()
| OAuth2\Storage\DynamoDB::setClientDetails | ( | $client_id, | |
$client_secret = null, |
|||
$redirect_uri = null, |
|||
$grant_types = null, |
|||
$scope = null, |
|||
$user_id = null |
|||
| ) |
Definition at line 124 of file DynamoDB.php.
◆ setJti()
| OAuth2\Storage\DynamoDB::setJti | ( | $client_id, | |
| $subject, | |||
| $audience, | |||
| $expiration, | |||
| $jti | |||
| ) |
Store a used jti so that we can check against it to prevent replay attacks.
- Parameters
-
$client_id Client identifier to insert. $subject The subject to insert. $audience The audience to insert. $expiration The expiration of the jti. $jti The jti to insert.
Implements OAuth2\Storage\JwtBearerInterface.
Definition at line 463 of file DynamoDB.php.
◆ setRefreshToken()
| OAuth2\Storage\DynamoDB::setRefreshToken | ( | $refresh_token, | |
| $client_id, | |||
| $user_id, | |||
| $expires, | |||
$scope = null |
|||
| ) |
Take the provided refresh token values and store them somewhere.
This function should be the storage counterpart to getRefreshToken().
If storage fails for some reason, we're not currently checking for any sort of success/failure, so you should bail out of the script and provide a descriptive fail message.
Required for OAuth2::GRANT_TYPE_REFRESH_TOKEN.
- Parameters
-
$refresh_token Refresh token to be stored. $client_id Client identifier to be stored. $user_id User identifier to be stored. $expires Expiration timestamp to be stored. 0 if the token doesn't expire. $scope (optional) Scopes to be stored in space-separated string.
Implements OAuth2\Storage\RefreshTokenInterface.
Definition at line 316 of file DynamoDB.php.
◆ setUser()
Definition at line 363 of file DynamoDB.php.
◆ unsetAccessToken()
| OAuth2\Storage\DynamoDB::unsetAccessToken | ( | $access_token | ) |
Definition at line 185 of file DynamoDB.php.
◆ unsetRefreshToken()
| OAuth2\Storage\DynamoDB::unsetRefreshToken | ( | $refresh_token | ) |
Expire a used refresh token.
This is not explicitly required in the spec, but is almost implied. After granting a new refresh token, the old one is no longer useful and so should be forcibly expired in the data store so it can't be used again.
If storage fails for some reason, we're not currently checking for any sort of success/failure, so you should bail out of the script and provide a descriptive fail message.
- Parameters
-
$refresh_token Refresh token to be expirse.
Implements OAuth2\Storage\RefreshTokenInterface.
Definition at line 332 of file DynamoDB.php.
Member Data Documentation
◆ $client
|
protected |
Definition at line 46 of file DynamoDB.php.
◆ $config
|
protected |
Definition at line 47 of file DynamoDB.php.
The documentation for this class was generated from the following file:
- plugins/OAuth2/Storage/DynamoDB.php
