Authorize based on grant type

src/GrantType/AbstractGrantTypeHandler.php

@@ -11,9 +11,11 @@
 
 namespace AuthBucket\OAuth2\GrantType;
 
+use AuthBucket\OAuth2\Exception\InvalidGrantException;
 use AuthBucket\OAuth2\Exception\InvalidRequestException;
 use AuthBucket\OAuth2\Exception\InvalidScopeException;
 use AuthBucket\OAuth2\Exception\ServerErrorException;
+use AuthBucket\OAuth2\Model\AuthorizeInterface;
 use AuthBucket\OAuth2\Model\ModelManagerFactoryInterface;
 use AuthBucket\OAuth2\Symfony\Component\Security\Core\Authentication\Token\ClientCredentialsToken;
 use AuthBucket\OAuth2\TokenType\TokenTypeHandlerFactoryInterface;
@@ -30,6 +32,8 @@
  */
 abstract class AbstractGrantTypeHandler implements GrantTypeHandlerInterface
 {
+    const GRANT_TYPE = null;
+
     protected $tokenStorage;
     protected $encoderFactory;
     protected $validator;
@@ -122,19 +126,27 @@ protected function checkScope(
 
         // Compare if given scope within all authorized scopes.
         $scopeAuthorized = [];
+        $grantTypeAuthorized = [];
         $authorizeManager = $this->modelManagerFactory->getModelManager('authorize');
+        /** @var AuthorizeInterface $result */
         $result = $authorizeManager->readModelOneBy([
             'clientId' => $clientId,
             'username' => $username,
         ]);
         if ($result !== null) {
             $scopeAuthorized = $result->getScope();
+            $grantTypeAuthorized = $result->getGrantType();
         }
         if (array_intersect($scope, $scopeAuthorized) !== $scope) {
             throw new InvalidScopeException([
                 'error_description' => 'The requested scope exceeds the scope granted by the resource owner.',
             ]);
         }
+        if (!in_array(static::GRANT_TYPE, $grantTypeAuthorized)) {
+            throw new InvalidGrantException([
+                'error_description' => 'The requested grant is invalid.',
+            ]);
+        }
 
         return $scope;
     }

src/GrantType/AuthorizationCodeGrantTypeHandler.php

@@ -23,6 +23,8 @@
  */
 class AuthorizationCodeGrantTypeHandler extends AbstractGrantTypeHandler
 {
+    const GRANT_TYPE = 'authorization_code';
+
     public function handle(Request $request)
     {
         // Fetch client_id from authenticated token.

src/GrantType/ClientCredentialsGrantTypeHandler.php

@@ -21,6 +21,8 @@
  */
 class ClientCredentialsGrantTypeHandler extends AbstractGrantTypeHandler
 {
+    const GRANT_TYPE = 'client_credentials';
+
     public function handle(Request $request)
     {
         // Fetch client_id from authenticated token.

src/GrantType/PasswordGrantTypeHandler.php

@@ -30,6 +30,8 @@
  */
 class PasswordGrantTypeHandler extends AbstractGrantTypeHandler
 {
+    const GRANT_TYPE = 'password';
+
     public function handle(Request $request)
     {
         // Fetch client_id from authenticated token.

src/GrantType/RefreshTokenGrantTypeHandler.php

@@ -24,6 +24,8 @@
  */
 class RefreshTokenGrantTypeHandler extends AbstractGrantTypeHandler
 {
+    const GRANT_TYPE = 'refresh_token';
+
     public function handle(Request $request)
     {
         // Fetch client_id from authenticated token.

src/Model/AuthorizeInterface.php

@@ -65,4 +65,11 @@ public function setScope($scope);
      * @return array
      */
     public function getScope();
+
+    /**
+     * Get Grant types that this client is allowed to use.
+     *
+     * @return array
+     */
+    public function getGrantType();
 }

src/ResponseType/AbstractResponseTypeHandler.php

@@ -11,10 +11,12 @@
 
 namespace AuthBucket\OAuth2\ResponseType;
 
+use AuthBucket\OAuth2\Exception\InvalidGrantException;
 use AuthBucket\OAuth2\Exception\InvalidRequestException;
 use AuthBucket\OAuth2\Exception\InvalidScopeException;
 use AuthBucket\OAuth2\Exception\ServerErrorException;
 use AuthBucket\OAuth2\Exception\UnauthorizedClientException;
+use AuthBucket\OAuth2\Model\AuthorizeInterface;
 use AuthBucket\OAuth2\Model\ModelManagerFactoryInterface;
 use AuthBucket\OAuth2\TokenType\TokenTypeHandlerFactoryInterface;
 use Symfony\Component\HttpFoundation\Request;
@@ -30,6 +32,7 @@
  */
 abstract class AbstractResponseTypeHandler implements ResponseTypeHandlerInterface
 {
+    const GRANT_TYPE = null;
     protected $tokenStorage;
     protected $validator;
     protected $modelManagerFactory;
@@ -230,6 +233,7 @@ protected function checkScope(
         // Compare if given scope within all authorized scopes.
         $scopeAuthorized = [];
         $authorizeManager = $this->modelManagerFactory->getModelManager('authorize');
+        /** @var AuthorizeInterface $result */
         $result = $authorizeManager->readModelOneBy([
             'clientId' => $clientId,
             'username' => $username,
@@ -245,6 +249,13 @@ protected function checkScope(
             ]);
         }
 
+        if (!in_array(static::GRANT_TYPE, $result->getGrantType())) {
+            throw new InvalidGrantException([
+                'state' => $state,
+                'error_description' => 'The requested grant is invalid.',
+            ]);
+        }
+
         return $scope;
     }
 }

src/ResponseType/CodeResponseTypeHandler.php

@@ -11,6 +11,7 @@
 
 namespace AuthBucket\OAuth2\ResponseType;
 
+use AuthBucket\OAuth2\GrantType\AuthorizationCodeGrantTypeHandler;
 use Symfony\Component\HttpFoundation\RedirectResponse;
 use Symfony\Component\HttpFoundation\Request;
 
@@ -21,6 +22,8 @@
  */
 class CodeResponseTypeHandler extends AbstractResponseTypeHandler
 {
+    const GRANT_TYPE = AuthorizationCodeGrantTypeHandler::GRANT_TYPE;
+
     public function handle(Request $request)
     {
         // Fetch username from authenticated token.

src/ResponseType/TokenResponseTypeHandler.php

@@ -22,6 +22,8 @@
  */
 class TokenResponseTypeHandler extends AbstractResponseTypeHandler
 {
+    const GRANT_TYPE = 'implicit';
+
     public function handle(Request $request)
     {
         // Fetch username from authenticated token.

tests/TestBundle/DataFixtures/ORM/AuthorizeFixture.php

@@ -77,6 +77,11 @@ public function load(ObjectManager $manager)
             ->setUsername('demousername1')
             ->setScope([
                 'demoscope1',
+            ])
+            ->setGrantType([
+                'authorization_code',
+                'password',
+                'implicit',
             ]);
         $manager->persist($model);
 
@@ -86,6 +91,9 @@ public function load(ObjectManager $manager)
             ->setScope([
                 'demoscope1',
                 'demoscope2',
+            ])
+            ->setGrantType([
+                'authorization_code',
             ]);
         $manager->persist($model);
 
@@ -96,6 +104,11 @@ public function load(ObjectManager $manager)
                 'demoscope1',
                 'demoscope2',
                 'demoscope3',
+            ])
+            ->setGrantType([
+                'authorization_code',
+                'password',
+                'implicit',
             ]);
         $manager->persist($model);
 
@@ -106,6 +119,9 @@ public function load(ObjectManager $manager)
                 'demoscope1',
                 'demoscope2',
                 'demoscope3',
+            ])
+            ->setGrantType([
+                'client_credentials',
             ]);
         $manager->persist($model);
 

tests/TestBundle/Entity/Authorize.php

@@ -52,6 +52,13 @@ class Authorize implements AuthorizeInterface
      */
     protected $scope;
 
+    /**
+     * @var array
+     *
+     * @ORM\Column(name="grant_type", type="array")
+     */
+    protected $grantType;
+
     /**
      * Get id.
      *
@@ -133,4 +140,26 @@ public function getScope()
     {
         return $this->scope;
     }
+
+    /**
+     * Set grant type.
+     *
+     * @param array $grantType
+     *
+     * @return Authorize
+     */
+    public function setGrantType($grantType)
+    {
+        $this->grantType = $grantType;
+    }
+
+    /**
+     * Get grant type.
+     *
+     * @return array
+     */
+    public function getGrantType()
+    {
+        return $this->grantType;
+    }
 }