Merge pull request #54 from ajgarlag/fix-scope-comparison

Fix scope comparison
trikoder · May 23, 2019 · 7ad80d0 · 7ad80d0
2 parents de3e338 + 4a72527
commit 7ad80d0
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 2 deletions.
diff --git a/League/Repository/ScopeRepository.php b/League/Repository/ScopeRepository.php
@@ -109,10 +109,12 @@ private function setupScopes(ClientModel $client, array $requestedScopes): array
         }
 
         $finalizedScopes = [];
+        $clientScopesAsStrings = array_map('strval', $clientScopes);
 
         foreach ($requestedScopes as $requestedScope) {
-            if (!\in_array($requestedScope, $clientScopes, true)) {
-                throw OAuthServerException::invalidScope((string) $requestedScope);
+            $requestedScopeAsString = (string) $requestedScope;
+            if (!\in_array($requestedScopeAsString, $clientScopesAsStrings, true)) {
+                throw OAuthServerException::invalidScope($requestedScopeAsString);
             }
 
             $finalizedScopes[] = $requestedScope;

diff --git a/Tests/Integration/AuthorizationServerTest.php b/Tests/Integration/AuthorizationServerTest.php
@@ -247,6 +247,38 @@ public function testValidClientCredentialsGrantWithInheritedScope(): void
         );
     }
 
+    public function testValidClientCredentialsGrantWithRequestedScope(): void
+    {
+        $request = $this->createAuthorizationRequest('quux_restricted_scopes:beer', [
+            'grant_type' => 'client_credentials',
+            'scope' => 'rock',
+        ]);
+
+        timecop_freeze(new DateTime());
+
+        $response = $this->handleAuthorizationRequest($request);
+
+        timecop_return();
+
+        $accessToken = $this->getAccessToken($response['access_token']);
+
+        // Response assertions.
+        $this->assertSame('Bearer', $response['token_type']);
+        $this->assertSame(3600, $response['expires_in']);
+        $this->assertInstanceOf(AccessToken::class, $accessToken);
+
+        // Make sure the access token is issued for the given client ID.
+        $this->assertSame('quux_restricted_scopes', $accessToken->getClient()->getIdentifier());
+
+        // The access token should have the requested scope.
+        $this->assertEquals(
+            [
+                $this->scopeManager->find(FixtureFactory::FIXTURE_SCOPE_SECOND),
+            ],
+            $accessToken->getScopes()
+        );
+    }
+
     public function testValidPasswordGrant(): void
     {
         $this->eventDispatcher->addListener('trikoder.oauth2.user_resolve', function (UserResolveEvent $event) {