From 79cc5cf3afdbb51520f9d514551709e59370fffd Mon Sep 17 00:00:00 2001
From: Michael Kubovic
Date: Mon, 27 May 2019 09:35:27 +0200
Subject: [PATCH] adds nonce support
---
Grant/AuthCodeGrant.php | 55 +++++++++++++++++++
League/Repository/AuthCodeRepository.php | 20 +++++++
Model/AuthorizationCode.php | 17 ++++++
OpenIDConnect/IdTokenResponse.php | 29 ++++++++++
.../doctrine/model/AuthorizationCode.orm.xml | 1 +
Resources/config/services.xml | 4 +-
6 files changed, 124 insertions(+), 2 deletions(-)
create mode 100644 Grant/AuthCodeGrant.php
create mode 100644 OpenIDConnect/IdTokenResponse.php
diff --git a/Grant/AuthCodeGrant.php b/Grant/AuthCodeGrant.php
new file mode 100644
index 00000000..b56b9ed4
--- /dev/null
+++ b/Grant/AuthCodeGrant.php
@@ -0,0 +1,55 @@
+nonce = $this->getQueryStringParameter('nonce', $request, null);
+
+ return $authorizationRequest;
+ }
+
+ protected function issueAuthCode(DateInterval $authCodeTTL, ClientEntityInterface $client, $userIdentifier, $redirectUri, array $scopes = [])
+ {
+ $autCode = parent::issueAuthCode($authCodeTTL, $client, $userIdentifier, $redirectUri, $scopes);
+
+ if ($this->nonce !== null) {
+ $this->authCodeRepository->updateWithNonce($autCode, $this->nonce);
+ }
+
+ return $autCode;
+ }
+
+ public function respondToAccessTokenRequest(ServerRequestInterface $request, ResponseTypeInterface $responseType, DateInterval $accessTokenTTL)
+ {
+ $response = parent::respondToAccessTokenRequest($request, $responseType, $accessTokenTTL);
+
+ if ($response instanceof IdTokenResponse) {
+ $encryptedAuthCode = $this->getRequestParameter('code', $request, null);
+ $authCodePayload = json_decode($this->decrypt($encryptedAuthCode));
+
+ $nonce = $this->authCodeRepository->getNonce($authCodePayload->auth_code_id);
+ $response->setNonce($nonce);
+ }
+
+ return $response;
+ }
+}
diff --git a/League/Repository/AuthCodeRepository.php b/League/Repository/AuthCodeRepository.php
index e8cbc51f..bb829c67 100644
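Review bot: In respondToAccessTokenRequest the value read back from the repository is passed to `$response->setNonce($nonce)` unconditionally, but getNonce yields null for every code issued without a `nonce` parameter (any non-OIDC client), so unless IdTokenResponse::setNonce is declared with a nullable parameter the token endpoint fails with a TypeError for exactly those clients; guard it with `if ($nonce !== null) { $response->setNonce($nonce); }`. The `nonce` query-string value is persisted verbatim by issueAuthCode, so a length bound matching the mapped column should be enforced before `updateWithNonce` (the column definition was lost in this rendering). The head of the hunk — the `use` statements, the `$nonce` property and the validateAuthorizationRequest signature — is also missing here, so where `$this->nonce` is assigned from `$authorizationRequest->nonce` cannot be confirmed; if validateAuthorizationRequest and issueAuthCode run in separate HTTP requests, as they commonly do in this flow, grant-instance state does not survive between them and the value has to travel on the AuthorizationRequest object. Minor: `$autCode` reads as a typo for `$authCode`.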
--- a/League/Repository/AuthCodeRepository.php
+++ b/League/Repository/AuthCodeRepository.php
@@ -62,6 +62,26 @@ public function persistNewAuthCode(AuthCodeEntityInterface $authCode)
 $this->authorizationCodeManager->save($authorizationCode);
 }
+ public function updateWithNonce(AuthCodeEntityInterface $authCode, string $nonce)
+ {
+ /** @var AuthorizationCode $authorizationCode */
+ $authorizationCode = $this->authorizationCodeManager->find($authCode->getIdentifier());
+
+ if (null === $authorizationCode) {
+ throw new \LogicException('You cant update code that wasnt\'t persisted');
+ }
+
+ $authorizationCode->setNonce($nonce);
+
+ $this->authorizationCodeManager->save($authorizationCode);
+ }
+
+ public function getNonce(string $authCodeIdentifier)
+ {
+ $authCode = $this->authorizationCodeManager->find($authCodeIdentifier);
+ return $authCode->getNonce();
+ }
+
 /**
 * {@inheritdoc}
 */
diff --git a/Model/AuthorizationCode.php b/Model/AuthorizationCode.php
index 82eb6236..5310bcb2 100644
--- a/Model/AuthorizationCode.php
+++ b/Model/AuthorizationCode.php
@@ -36,6 +36,9 @@ class AuthorizationCode
 */
 private $revoked = false;
+ /** @var string|null */
+ private $nonce;
+
 public function __construct(
 string $identifier,
 DateTime $expiry,
@@ -94,4 +97,18 @@ public function revoke(): self
 return $this;
 }
+
+ public function getNonce(): ?string
+ {
+ return $this->nonce;
+ }
+
+ public function setNonce(string $nonce): self
+ {
+ if ($this->nonce === null) {
+ $this->nonce = $nonce;
+ }
+
+ return $this;
+ }
 }
diff --git a/OpenIDConnect/IdTokenResponse.php b/OpenIDConnect/IdTokenResponse.php
new file mode 100644
index 00000000..3f73e1ac
--- /dev/null
+++ b/OpenIDConnect/IdTokenResponse.php
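Review bot: getNonce dereferences the result of `find()` without the null check its sibling updateWithNonce performs, so an identifier that no longer resolves ends in a fatal call on null instead of a controlled error; `return null !== $authCode ? $authCode->getNonce() : null;` together with a `: ?string` return type makes the contract explicit. This matters because the parent grant revokes the code before this lookup runs, so if revocation ever deletes the row rather than flagging it, the null path becomes the normal one. The exception message in updateWithNonce has a typo, `wasnt\'t`; `'You cannot update a code that was not persisted'` reads correctly. A docblock on getNonce saying that null means the code was issued without a nonce would help callers, since the claim is only meaningful when the client supplied one.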
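Review bot: setNonce silently ignores every call after the first (`if ($this->nonce === null)`), so a caller that passes a different value gets `self` back with no indication the nonce was left unchanged; either document the write-once rule on the method, e.g. `/** Sets the nonce once; later calls are ignored so a persisted binding cannot be replaced. */`, or throw a `\LogicException` when a second call carries a different value. A short comment on the `$nonce` property explaining what it holds — the OpenID Connect nonce sent with the authorization request, echoed in the ID token to bind the token to that request — would save the next reader a trip to the spec.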
@@ -0,0 +1,29 @@
+nonce = $nonce;
+ }
+
+ protected function getBuilder(AccessTokenEntityInterface $accessToken, UserEntityInterface $userEntity)
+ {
+ $builder = parent::getBuilder($accessToken, $userEntity);
+
+ if (null !== $this->nonce) {
+ $builder->set('nonce', $this->nonce);
+ }
+
+ return $builder;
+ }
+}
diff --git a/Resources/config/doctrine/model/AuthorizationCode.orm.xml b/Resources/config/doctrine/model/AuthorizationCode.orm.xml
index 1beaa55b..844d5212 100644
--- a/Resources/config/doctrine/model/AuthorizationCode.orm.xml
+++ b/Resources/config/doctrine/model/AuthorizationCode.orm.xml
@@ -12,6 +12,7 @@
+
diff --git a/Resources/config/services.xml b/Resources/config/services.xml
index fea4a55e..57c3dc50 100644
--- a/Resources/config/services.xml
+++ b/Resources/config/services.xml
@@ -71,7 +71,7 @@
-
+
@@ -136,7 +136,7 @@
-
+
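Review bot: The nonce is kept as instance state on the response type and is only ever set, never cleared, so the claim from one issued ID token can carry over into a later token built by the same IdTokenResponse instance without a setNonce call (for example a refresh_token grant); that only bites where the response service outlives a single request, such as worker-mode runtimes, but a nullable setter, `public function setNonce(?string $nonce): void`, plus resetting the property after getBuilder closes it (the setter's signature was lost in this rendering). getBuilder would benefit from a docblock such as `/** Adds the nonce claim to the ID token when the originating authorization request carried one (OpenID Connect Core, section 2). */`. The class's `use` statements, property declaration and parent class fell out of the rendered hunk, so the base behaviour of getBuilder cannot be confirmed here.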