adds code id_token grant type to openid connect

bshaffer · Apr 4, 2015 · cac7a23 · cac7a23
1 parent dfa7c36
commit cac7a23
Show file tree

Hide file tree

Showing 6 changed files with 51 additions and 1 deletion.
diff --git a/src/OAuth2/OpenID/Controller/AuthorizeController.php b/src/OAuth2/OpenID/Controller/AuthorizeController.php
@@ -76,6 +76,7 @@ protected function getValidResponseTypes()
             self::RESPONSE_TYPE_AUTHORIZATION_CODE,
             self::RESPONSE_TYPE_ID_TOKEN,
             self::RESPONSE_TYPE_ID_TOKEN_TOKEN,
+            self::RESPONSE_TYPE_CODE_ID_TOKEN,
         );
     }
 

diff --git a/src/OAuth2/OpenID/Controller/AuthorizeControllerInterface.php b/src/OAuth2/OpenID/Controller/AuthorizeControllerInterface.php
@@ -6,4 +6,5 @@ interface AuthorizeControllerInterface
 {
     const RESPONSE_TYPE_ID_TOKEN = 'id_token';
     const RESPONSE_TYPE_ID_TOKEN_TOKEN = 'id_token token';
+    const RESPONSE_TYPE_CODE_ID_TOKEN  = 'code id_token';
 }
diff --git a/src/OAuth2/OpenID/ResponseType/CodeIdToken.php b/src/OAuth2/OpenID/ResponseType/CodeIdToken.php
@@ -0,0 +1,24 @@
+<?php
+
+namespace OAuth2\OpenID\ResponseType;
+
+class CodeIdToken implements CodeIdTokenInterface
+{
+    protected $authCode;
+    protected $idToken;
+
+    public function __construct(AuthorizationCodeInterface $authCode, IdTokenInterface $idToken)
+    {
+        $this->authCode = $authCode;
+        $this->idToken = $idToken;
+    }
+
+    public function getAuthorizeResponse($params, $user_id = null)
+    {
+        $result = $this->authCode->getAuthorizeResponse($params, $user_id);
+        $id_token = $this->idToken->createIdToken($params['client_id'], $user_id, $params['nonce']);
+        $result[1]['query']['id_token'] = $id_token;
+
+        return $result;
+    }
+}
diff --git a/src/OAuth2/OpenID/ResponseType/CodeIdTokenInterface.php b/src/OAuth2/OpenID/ResponseType/CodeIdTokenInterface.php
@@ -0,0 +1,9 @@
+<?php
+
+namespace OAuth2\OpenID\ResponseType;
+
+use OAuth2\ResponseType\ResponseTypeInterface;
+
+interface CodeIdTokenInterface extends ResponseTypeInterface
+{
+}
diff --git a/src/OAuth2/OpenID/ResponseType/IdTokenToken.php b/src/OAuth2/OpenID/ResponseType/IdTokenToken.php
@@ -9,7 +9,7 @@ class IdTokenToken implements IdTokenTokenInterface
     protected $accessToken;
     protected $idToken;
 
-    public function __construct(AccessTokenInterface $accessToken, IdToken $idToken)
+    public function __construct(AccessTokenInterface $accessToken, IdTokenInterface $idToken)
     {
         $this->accessToken = $accessToken;
         $this->idToken = $idToken;

diff --git a/src/OAuth2/Server.php b/src/OAuth2/Server.php
@@ -20,6 +20,7 @@
 use OAuth2\ResponseType\AuthorizationCode as AuthorizationCodeResponseType;
 use OAuth2\ResponseType\AccessToken;
 use OAuth2\ResponseType\JwtAccessToken;
+use OAuth2\OpenID\ResponseType\CodeIdToken;
 use OAuth2\OpenID\ResponseType\IdToken;
 use OAuth2\OpenID\ResponseType\IdTokenToken;
 use OAuth2\TokenType\TokenTypeInterface;
@@ -81,6 +82,7 @@ class Server implements ResourceControllerInterface,
         'code' => 'OAuth2\ResponseType\AuthorizationCodeInterface',
         'id_token' => 'OAuth2\OpenID\ResponseType\IdTokenInterface',
         'id_token token' => 'OAuth2\OpenID\ResponseType\IdTokenTokenInterface',
+        'code id_token' => 'OAuth2\OpenID\ResponseType\CodeIdTokenInterface',
     );
 
     /**
@@ -133,6 +135,10 @@ public function __construct($storage = array(), array $config = array(), array $
         $this->tokenType = $tokenType;
         $this->scopeUtil = $scopeUtil;
         $this->clientAssertionType = $clientAssertionType;
+
+        if ($this->config['use_openid_connect']) {
+            $this->validateOpenIdConnect();
+        }
     }
 
     public function getAuthorizeController()
@@ -571,6 +577,7 @@ protected function getDefaultResponseTypes()
                     throw new \LogicException("Your authorization_code storage must implement OAuth2\OpenID\Storage\AuthorizationCodeInterface to work when 'use_openid_connect' is true");
                 }
                 $responseTypes['code'] = new OpenIDAuthorizationCodeResponseType($this->storages['authorization_code'], $config);
+                $responseTypes['code id_token'] = new CodeIdToken($responseTypes['code'], $responseTypes['id_token']);
             } else {
                 $responseTypes['code'] = new AuthorizationCodeResponseType($this->storages['authorization_code'], $config);
             }
@@ -726,6 +733,14 @@ protected function createDefaultIdTokenTokenResponseType()
         return new IdTokenToken($this->getAccessTokenResponseType(), $this->getIdTokenResponseType());
     }
 
+    protected function validateOpenIdConnect()
+    {
+        $authCodeGrant = $this->getGrantType('authorization_code');
+        if (!empty($authCodeGrant) && !$authCodeGrant instanceof OpenIDAuthorizationCodeGrantType) {
+            throw new \InvalidArgumentException('You have enabled OpenID Connect, but supplied a grant type that does not support it.');
+        }
+    }
+
     protected function normalizeResponseType($name)
     {
         // for multiple-valued response types - make them alphabetical