COPYING
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright 2015 Google Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
CODE_OF_CONDUCT.md
# Contributor Code of Conduct
As contributors and maintainers of this project,
and in the interest of fostering an open and welcoming community,
we pledge to respect all people who contribute through reporting issues,
posting feature requests, updating documentation,
submitting pull requests or patches, and other activities.
We are committed to making participation in this project
a harassment-free experience for everyone,
regardless of level of experience, gender, gender identity and expression,
sexual orientation, disability, personal appearance,
body size, race, ethnicity, age, religion, or nationality.
Examples of unacceptable behavior by participants include:
* The use of sexualized language or imagery
* Personal attacks
* Trolling or insulting/derogatory comments
* Public or private harassment
* Publishing others' private information, such as physical or electronic addresses, without explicit permission
* Other unethical or unprofessional conduct.
Project maintainers have the right and responsibility to remove, edit, or reject
comments, commits, code, wiki edits, issues, and other contributions
that are not aligned to this Code of Conduct.
By adopting this Code of Conduct,
project maintainers commit themselves to fairly and consistently
applying these principles to every aspect of managing this project.
Project maintainers who do not follow or enforce the Code of Conduct
may be permanently removed from the project team.
This code of conduct applies both within project spaces and in public spaces
when an individual is representing the project or its community.
Instances of abusive, harassing, or otherwise unacceptable behavior
may be reported by opening an issue
or contacting one or more of the project maintainers.
This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), version 1.2.0,
available at [http://contributor-covenant.org/version/1/2/0/](http://contributor-covenant.org/version/1/2/0/)
README.md
# Google Auth Library for PHP
- Homepage
  - http://www.github.com/google/google-auth-library-php
- Reference Docs
  - https://googleapis.github.io/google-auth-library-php/master/
- Authors
  - Tim Emiola
  - Stanley Cheung
  - Brent Shaffer
- Copyright
  - Copyright © 2015 Google, Inc.
- License
  - Apache 2.0
## Description
This is Google's officially supported PHP client library for using OAuth 2.0
authorization and authentication with Google APIs.
### Installing via Composer
The recommended way to install the Google Auth Library is through
[Composer](http://getcomposer.org).
```bash
# Install Composer
curl -sS https://getcomposer.org/installer | php
```
Next, run the Composer command to install the latest stable version:
```bash
composer.phar require google/auth
```
## Application Default Credentials
This library provides an implementation of
[application default credentials][application default credentials] for PHP.
The Application Default Credentials provide a simple way to get authorization
credentials for use in calling Google APIs.
They are best suited for cases when the call needs to have the same identity
and authorization level for the application independent of the user. This is
the recommended approach to authorize calls to Cloud APIs, particularly when
you're building an application that uses Google Compute Engine.
#### Download your Service Account Credentials JSON file
To use `Application Default Credentials`, you first need to download a set of
JSON credentials for your project. Go to **APIs & Services** > **Credentials** in
the [Google Developers Console][developer console] and select
**Service account** from the **Add credentials** dropdown.
> This file is your *only copy* of these credentials. It should never be
> committed with your source code, and should be stored securely.
Once downloaded, store the path to this file in the
`GOOGLE_APPLICATION_CREDENTIALS` environment variable.
```php
putenv('GOOGLE_APPLICATION_CREDENTIALS=/path/to/my/credentials.json');
```
> PHP's `putenv` function is just one way to set an environment variable.
> Consider using `.htaccess` or Apache configuration files as well.
#### Enable the API you want to use
Before making your API call, you must be sure the API you're calling has been
enabled. Go to **APIs & Auth** > **APIs** in the
[Google Developers Console][developer console] and enable the APIs you'd like to
call. For the example below, you must enable the `Drive API`.
#### Call the APIs
As long as you update the environment variable below to point to *your* JSON
credentials file, the following code should output a list of your Drive files.
```php
use Google\Auth\ApplicationDefaultCredentials;
use GuzzleHttp\Client;
use GuzzleHttp\HandlerStack;

// specify the path to your application credentials
putenv('GOOGLE_APPLICATION_CREDENTIALS=/path/to/my/credentials.json');

// define the scopes for your API call
$scopes = ['https://www.googleapis.com/auth/drive.readonly'];

// create middleware
$middleware = ApplicationDefaultCredentials::getMiddleware($scopes);
$stack = HandlerStack::create();
$stack->push($middleware);

// create the HTTP client
$client = new Client([
    'handler' => $stack,
    'base_uri' => 'https://www.googleapis.com',
    'auth' => 'google_auth' // authorize all requests
]);

// make the request
$response = $client->get('drive/v2/files');

// show the result!
print_r((string) $response->getBody());
```
##### Guzzle 5 Compatibility
If you are using [Guzzle 5][Guzzle 5], replace the `create middleware` and
`create the HTTP Client` steps with the following:
```php
// create the HTTP client
$client = new Client([
    'base_url' => 'https://www.googleapis.com',
    'auth' => 'google_auth' // authorize all requests
]);

// create subscriber
$subscriber = ApplicationDefaultCredentials::getSubscriber($scopes);
$client->getEmitter()->attach($subscriber);
```
#### Call using an ID Token
If your application is running behind Cloud Run, or using Cloud Identity-Aware
Proxy (IAP), you will need to fetch an ID token to access your application. For
this, use the static method `getIdTokenMiddleware` on
`ApplicationDefaultCredentials`.
```php
use Google\Auth\ApplicationDefaultCredentials;
use GuzzleHttp\Client;
use GuzzleHttp\HandlerStack;

// specify the path to your application credentials
putenv('GOOGLE_APPLICATION_CREDENTIALS=/path/to/my/credentials.json');

// Provide the ID token audience. This can be a Client ID associated with an IAP application,
// or the URL associated with a Cloud Run app
// $targetAudience = 'IAP_CLIENT_ID.apps.googleusercontent.com';
// $targetAudience = 'https://service-1234-uc.a.run.app';
$targetAudience = 'YOUR_ID_TOKEN_AUDIENCE';

// create middleware
$middleware = ApplicationDefaultCredentials::getIdTokenMiddleware($targetAudience);
$stack = HandlerStack::create();
$stack->push($middleware);

// create the HTTP client
$client = new Client([
    'handler' => $stack,
    'auth' => 'google_auth',
    // Cloud Run, IAP, or custom resource URL
    'base_uri' => 'https://YOUR_PROTECTED_RESOURCE',
]);

// make the request
$response = $client->get('/');

// show the result!
print_r((string) $response->getBody());
```
For invoking Cloud Run services, your service account will need the
[`Cloud Run Invoker`](https://cloud.google.com/run/docs/authenticating/service-to-service)
IAM permission.
For invoking Cloud Identity-Aware Proxy, you will need to pass the Client ID
used when you set up your protected resource as the target audience. See how to
[secure your IAP app with signed headers](https://cloud.google.com/iap/docs/signed-headers-howto).
#### Call using a specific JSON key
If you want to use a specific JSON key instead of the `GOOGLE_APPLICATION_CREDENTIALS`
environment variable, you can do this:
```php
use Google\Auth\CredentialsLoader;
use Google\Auth\Middleware\AuthTokenMiddleware;
use GuzzleHttp\Client;
use GuzzleHttp\HandlerStack;

// Define the Google Application Credentials array
$jsonKey = ['key' => 'value'];

// define the scopes for your API call
$scopes = ['https://www.googleapis.com/auth/drive.readonly'];

// Load credentials
$creds = CredentialsLoader::makeCredentials($scopes, $jsonKey);

// optional caching
// $creds = new FetchAuthTokenCache($creds, $cacheConfig, $cache);

// create middleware
$middleware = new AuthTokenMiddleware($creds);
$stack = HandlerStack::create();
$stack->push($middleware);

// create the HTTP client
$client = new Client([
    'handler' => $stack,
    'base_uri' => 'https://www.googleapis.com',
    'auth' => 'google_auth' // authorize all requests
]);

// make the request
$response = $client->get('drive/v2/files');

// show the result!
print_r((string) $response->getBody());
```
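The snippet above leaves `$jsonKey` as a placeholder and the caching line commented out. The following is an added example, not code from the google/auth README or library: it reads the key from a file kept outside the web root, refuses a key that is malformed, of the wrong type, or readable by other local users, and then wraps the credentials in `FetchAuthTokenCache` so that a token is minted once per lifetime rather than on every request. It assumes a PSR-6 cache implementation is installed (Symfony's `FilesystemAdapter` from `symfony/cache` is used here); the key path and cache directory are illustrative.

```php
<?php
// Added example (not part of google/auth): load a service-account key safely
// and cache the access tokens it produces.
require __DIR__ . '/vendor/autoload.php';

use Google\Auth\CredentialsLoader;
use Google\Auth\FetchAuthTokenCache;
use Google\Auth\Middleware\AuthTokenMiddleware;
use GuzzleHttp\Client;
use GuzzleHttp\HandlerStack;
use Symfony\Component\Cache\Adapter\FilesystemAdapter; // assumption: symfony/cache installed

/**
 * Read and validate a service-account JSON key.
 * Throws instead of continuing with a malformed, wrong-type or over-exposed key.
 */
function loadServiceAccountKey(string $path): array
{
    if (!is_readable($path)) {
        throw new RuntimeException("Key file is not readable: $path");
    }

    // On POSIX systems, refuse a key that group or "other" users can read;
    // the private key inside it is equivalent to a long-lived password.
    $perms = fileperms($path);
    if ($perms !== false && ($perms & 0077) !== 0) {
        throw new RuntimeException("Key file $path is readable by other users; restrict it to the application user (mode 0600)");
    }

    $jsonKey = json_decode((string) file_get_contents($path), true);
    if (!is_array($jsonKey)) {
        throw new RuntimeException('Key file is not valid JSON');
    }

    // The fields CredentialsLoader needs to build a ServiceAccountCredentials object.
    foreach (['type', 'client_email', 'private_key'] as $field) {
        if (empty($jsonKey[$field])) {
            throw new RuntimeException("Key file is missing the '$field' field");
        }
    }
    if ($jsonKey['type'] !== 'service_account') {
        throw new RuntimeException('Expected a service_account key, got ' . $jsonKey['type']);
    }

    return $jsonKey;
}

// Illustrative path: a directory owned by the application user, not under the document root.
$jsonKey = loadServiceAccountKey('/etc/myapp/service-account.json');

// Request only the scope the call needs; a leaked token then grants no more than that.
$scopes = ['https://www.googleapis.com/auth/drive.readonly'];

$creds = CredentialsLoader::makeCredentials($scopes, $jsonKey);

// Cache tokens for 1500 seconds (the library's default lifetime) in an
// application-private directory so each request does not sign a fresh JWT
// and call the token endpoint. Treat the cache directory like the key file.
$cache = new FilesystemAdapter('google-auth', 0, '/var/cache/myapp');
$cachedCreds = new FetchAuthTokenCache($creds, ['lifetime' => 1500], $cache);

$stack = HandlerStack::create();
$stack->push(new AuthTokenMiddleware($cachedCreds));

$client = new Client([
    'handler'  => $stack,
    'base_uri' => 'https://www.googleapis.com',
    'auth'     => 'google_auth', // authorize all requests
]);

$response = $client->get('drive/v2/files');
echo $response->getBody(), PHP_EOL;
```

The permission check is deliberately strict: a key file that other local accounts can read is the most common way service-account credentials leak from a shared host, and failing closed at startup is cheaper than discovering it in an audit log.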
#### Verifying JWTs
If you are [using Google ID tokens to authenticate users][google-id-tokens], use
the `Google\Auth\AccessToken` class to verify the ID token:
```php
use Google\Auth\AccessToken;
$auth = new AccessToken();
$auth->verify($idToken);
```
If your app is running behind [Google Identity-Aware Proxy][iap-id-tokens]
(IAP), you can verify the ID token coming from the IAP server by pointing to the
appropriate certificate URL for IAP. This is because IAP signs the ID
tokens with a different key than the Google Identity service:
```php
use Google\Auth\AccessToken;
$auth = new AccessToken();
$auth->verify($idToken, [
'certsLocation' => AccessToken::IAP_CERT_URL
]);
```
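The two snippets above show the call but discard its result, and they do not pin the token to your application. The following added example, which is not part of the google/auth README or library, wraps `AccessToken::verify` for both cases: a Google Sign-In ID token checked against your own OAuth client ID, and an IAP assertion checked against the IAP certificates and the protected resource's audience. It assumes the `audience` option of `verify()` and its `array|false` return value (as in google/auth 1.x); the client ID, the IAP audience string and the request field names are placeholders.

```php
<?php
// Added example (not part of google/auth): verify Google ID tokens with the
// audience and issuer pinned, rather than accepting any well-signed token.
require __DIR__ . '/vendor/autoload.php';

use Google\Auth\AccessToken;

// Google Identity issues tokens with either form of the issuer claim.
const GOOGLE_ISSUERS = ['accounts.google.com', 'https://accounts.google.com'];
const IAP_ISSUER = 'https://cloud.google.com/iap';

/**
 * Return the verified claims of a Google Sign-In ID token, or null if the token
 * is not acceptable for this application (bad signature, expired, wrong aud/iss).
 */
function verifyGoogleSignInToken(string $idToken, string $expectedClientId): ?array
{
    $auth = new AccessToken();
    // 'audience' (assumed option): the token must have been minted for OUR client ID,
    // otherwise a token obtained for some other app would be accepted here.
    $payload = $auth->verify($idToken, ['audience' => $expectedClientId]);
    if ($payload === false) {
        return null;
    }
    // Pin the issuer ourselves so a token from another identity provider is rejected.
    if (!isset($payload['iss']) || !in_array($payload['iss'], GOOGLE_ISSUERS, true)) {
        return null;
    }
    return $payload;
}

/**
 * Same check for an assertion forwarded by Identity-Aware Proxy. IAP signs with
 * different keys (hence IAP_CERT_URL) and the audience is the protected resource,
 * e.g. "/projects/PROJECT_NUMBER/apps/PROJECT_ID" (placeholder form).
 */
function verifyIapAssertion(string $idToken, string $expectedAudience): ?array
{
    $auth = new AccessToken();
    $payload = $auth->verify($idToken, [
        'audience'      => $expectedAudience,
        'certsLocation' => AccessToken::IAP_CERT_URL,
    ]);
    if ($payload === false || ($payload['iss'] ?? null) !== IAP_ISSUER) {
        return null;
    }
    return $payload;
}

// Usage for Google Sign-In: the token is posted by the front end (field name is a placeholder).
$claims = verifyGoogleSignInToken(
    $_POST['id_token'] ?? '',
    'YOUR_CLIENT_ID.apps.googleusercontent.com' // placeholder
);
if ($claims === null) {
    http_response_code(401);
    exit('invalid ID token');
}
// Only trust the e-mail address once Google says it has been verified.
if (empty($claims['email_verified'])) {
    http_response_code(403);
    exit('e-mail address not verified');
}
echo 'Signed in as ', htmlspecialchars($claims['email']), PHP_EOL;

// Usage behind IAP: the assertion arrives in the x-goog-iap-jwt-assertion header.
// $iapClaims = verifyIapAssertion($_SERVER['HTTP_X_GOOG_IAP_JWT_ASSERTION'] ?? '', '/projects/PROJECT_NUMBER/apps/PROJECT_ID');
```

Keep the two verification paths separate: a token signed by Google Identity must not be accepted where an IAP assertion is expected, and vice versa, which is why each helper pins both the certificate source and the issuer it expects.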
[google-id-tokens]: https://developers.google.com/identity/sign-in/web/backend-auth
[iap-id-tokens]: https://cloud.google.com/iap/docs/signed-headers-howto
## License
This library is licensed under Apache 2.0. Full license text is
available in [COPYING][copying].
## Contributing
See [CONTRIBUTING][contributing].
## Support
Please [report bugs at the project on Github](https://github.com/google/google-auth-library-php/issues). Don't hesitate to [ask questions](http://stackoverflow.com/questions/tagged/google-auth-library-php) about the client or APIs on [StackOverflow](http://stackoverflow.com).
[google-apis-php-client]: https://github.com/google/google-api-php-client
[application default credentials]: https://developers.google.com/accounts/docs/application-default-credentials
[contributing]: https://github.com/google/google-auth-library-php/tree/master/.github/CONTRIBUTING.md
[copying]: https://github.com/google/google-auth-library-php/tree/master/COPYING
[Guzzle]: https://github.com/guzzle/guzzle
[Guzzle 5]: http://docs.guzzlephp.org/en/5.3
[developer console]: https://console.developers.google.com
src/OAuth2.php
self::DEFAULT_EXPIRY_SECONDS,
'extensionParams' => [],
'authorizationUri' => null,
'redirectUri' => null,
'tokenCredentialUri' => null,
'state' => null,
'username' => null,
'password' => null,
'clientId' => null,
'clientSecret' => null,
'issuer' => null,
'sub' => null,
'audience' => null,
'signingKey' => null,
'signingKeyId' => null,
'signingAlgorithm' => null,
'scope' => null,
'additionalClaims' => [],
], $config);
$this->setAuthorizationUri($opts['authorizationUri']);
$this->setRedirectUri($opts['redirectUri']);
$this->setTokenCredentialUri($opts['tokenCredentialUri']);
$this->setState($opts['state']);
$this->setUsername($opts['username']);
$this->setPassword($opts['password']);
$this->setClientId($opts['clientId']);
$this->setClientSecret($opts['clientSecret']);
$this->setIssuer($opts['issuer']);
$this->setSub($opts['sub']);
$this->setExpiry($opts['expiry']);
$this->setAudience($opts['audience']);
$this->setSigningKey($opts['signingKey']);
$this->setSigningKeyId($opts['signingKeyId']);
$this->setSigningAlgorithm($opts['signingAlgorithm']);
$this->setScope($opts['scope']);
$this->setExtensionParams($opts['extensionParams']);
$this->setAdditionalClaims($opts['additionalClaims']);
$this->updateToken($opts);
}
/**
* Verifies the idToken if present.
*
* - if none is present, return null
* - if present, but invalid, raises DomainException.
* - otherwise returns the payload in the idtoken as a PHP object.
*
* The behavior of this method varies depending on the version of
* `firebase/php-jwt` you are using. In versions lower than 3.0.0, if
* `$publicKey` is null, the key is decoded without being verified. In
* newer versions, if a public key is not given, this method will throw an
* `\InvalidArgumentException`.
*
* @param string $publicKey The public key to use to authenticate the token
* @param array $allowed_algs List of supported verification algorithms
* @throws \DomainException if the token is missing an audience.
* @throws \DomainException if the audience does not match the one set in
* the OAuth2 class instance.
* @throws \UnexpectedValueException If the token is invalid
* @throws SignatureInvalidException If the signature is invalid.
* @throws BeforeValidException If the token is not yet valid.
* @throws ExpiredException If the token has expired.
* @return null|object
*/
public function verifyIdToken($publicKey = null, $allowed_algs = array())
{
$idToken = $this->getIdToken();
if (is_null($idToken)) {
return null;
}
$resp = $this->jwtDecode($idToken, $publicKey, $allowed_algs);
if (!property_exists($resp, 'aud')) {
throw new \DomainException('No audience found in the id token');
}
if ($resp->aud != $this->getAudience()) {
throw new \DomainException('Wrong audience present in the id token');
}
return $resp;
}
/**
* Obtains the encoded jwt from the instance data.
*
* @param array $config array optional configuration parameters
* @return string
*/
public function toJwt(array $config = [])
{
if (is_null($this->getSigningKey())) {
throw new \DomainException('No signing key available');
}
if (is_null($this->getSigningAlgorithm())) {
throw new \DomainException('No signing algorithm specified');
}
$now = time();
$opts = array_merge([
'skew' => self::DEFAULT_SKEW_SECONDS,
], $config);
$assertion = [
'iss' => $this->getIssuer(),
'aud' => $this->getAudience(),
'exp' => ($now + $this->getExpiry()),
'iat' => ($now - $opts['skew']),
];
foreach ($assertion as $k => $v) {
if (is_null($v)) {
throw new \DomainException($k . ' should not be null');
}
}
if (!(is_null($this->getScope()))) {
$assertion['scope'] = $this->getScope();
}
if (!(is_null($this->getSub()))) {
$assertion['sub'] = $this->getSub();
}
$assertion += $this->getAdditionalClaims();
return $this->jwtEncode(
$assertion,
$this->getSigningKey(),
$this->getSigningAlgorithm(),
$this->getSigningKeyId()
);
}
/**
* Generates a request for token credentials.
*
* @return RequestInterface the POST request to send to the token credential URI.
*/
public function generateCredentialsRequest()
{
$uri = $this->getTokenCredentialUri();
if (is_null($uri)) {
throw new \DomainException('No token credential URI was set.');
}
$grantType = $this->getGrantType();
$params = array('grant_type' => $grantType);
switch ($grantType) {
case 'authorization_code':
$params['code'] = $this->getCode();
$params['redirect_uri'] = $this->getRedirectUri();
$this->addClientCredentials($params);
break;
case 'password':
$params['username'] = $this->getUsername();
$params['password'] = $this->getPassword();
$this->addClientCredentials($params);
break;
case 'refresh_token':
$params['refresh_token'] = $this->getRefreshToken();
$this->addClientCredentials($params);
break;
case self::JWT_URN:
$params['assertion'] = $this->toJwt();
break;
default:
if (!is_null($this->getRedirectUri())) {
# Grant type was supposed to be 'authorization_code', as there
# is a redirect URI.
throw new \DomainException('Missing authorization code');
}
unset($params['grant_type']);
if (!is_null($grantType)) {
$params['grant_type'] = $grantType;
}
$params = array_merge($params, $this->getExtensionParams());
}
$headers = [
'Cache-Control' => 'no-store',
'Content-Type' => 'application/x-www-form-urlencoded',
];
return new Request(
'POST',
$uri,
$headers,
Psr7\build_query($params)
);
}
/**
* Fetches the auth tokens based on the current state.
*
* @param callable $httpHandler callback which delivers psr7 request
* @return array the response
*/
public function fetchAuthToken(callable $httpHandler = null)
{
if (is_null($httpHandler)) {
$httpHandler = HttpHandlerFactory::build(HttpClientCache::getHttpClient());
}
$response = $httpHandler($this->generateCredentialsRequest());
$credentials = $this->parseTokenResponse($response);
$this->updateToken($credentials);
return $credentials;
}
/**
* Obtains a key that can be used to cache the results of #fetchAuthToken.
*
* The key is derived from the scopes, or from the audience when no scopes
* are set.
*
* @return string|null a key that may be used to cache the auth token, or
* null if neither scope nor audience is set (no caching).
*/
public function getCacheKey()
{
if (is_array($this->scope)) {
return implode(':', $this->scope);
}
if ($this->audience) {
return $this->audience;
}
// If neither scope nor audience has been set, return null to indicate no caching.
return null;
}
/**
* Parses the fetched tokens.
*
* @param ResponseInterface $resp the response.
* @return array the tokens parsed from the response body.
* @throws \Exception
*/
public function parseTokenResponse(ResponseInterface $resp)
{
$body = (string)$resp->getBody();
if ($resp->hasHeader('Content-Type') &&
$resp->getHeaderLine('Content-Type') == 'application/x-www-form-urlencoded'
) {
$res = array();
parse_str($body, $res);
return $res;
}
// Assume it's JSON; if it's not, throw an exception
if (null === $res = json_decode($body, true)) {
throw new \Exception('Invalid JSON response');
}
return $res;
}
/**
* Updates an OAuth 2.0 client.
*
* Example:
* ```
* $oauth->updateToken([
* 'refresh_token' => 'n4E9O119d',
* 'access_token' => 'FJQbwq9',
* 'expires_in' => 3600
* ]);
* ```
*
* @param array $config
* The configuration parameters related to the token.
*
* - refresh_token
* The refresh token associated with the access token
* to be refreshed.
*
* - access_token
* The current access token for this client.
*
* - id_token
* The current ID token for this client.
*
* - expires_in
* The time in seconds until access token expiration.
*
* - expires_at
* The time as an integer number of seconds since the Epoch
*
* - issued_at
* The timestamp that the token was issued at.
*/
public function updateToken(array $config)
{
$opts = array_merge([
'extensionParams' => [],
'access_token' => null,
'id_token' => null,
'expires_in' => null,
'expires_at' => null,
'issued_at' => null,
], $config);
$this->setExpiresAt($opts['expires_at']);
$this->setExpiresIn($opts['expires_in']);
// By default, the token is treated as issued at the current time (`time()`)
// when `expires_in` is set, but `issued_at` can supply a more precise time.
if (!is_null($opts['issued_at'])) {
$this->setIssuedAt($opts['issued_at']);
}
$this->setAccessToken($opts['access_token']);
$this->setIdToken($opts['id_token']);
// The refresh token should only be updated if a value is explicitly
// passed in, as some access token responses do not include a refresh
// token.
if (array_key_exists('refresh_token', $opts)) {
$this->setRefreshToken($opts['refresh_token']);
}
}
/**
* Builds the authorization Uri that the user should be redirected to.
*
* @param array $config configuration options that customize the return url
* @return UriInterface the authorization Url.
* @throws InvalidArgumentException
*/
public function buildFullAuthorizationUri(array $config = [])
{
if (is_null($this->getAuthorizationUri())) {
throw new InvalidArgumentException(
'requires an authorizationUri to have been set'
);
}
$params = array_merge([
'response_type' => 'code',
'access_type' => 'offline',
'client_id' => $this->clientId,
'redirect_uri' => $this->redirectUri,
'state' => $this->state,
'scope' => $this->getScope(),
], $config);
// Validate the auth_params
if (is_null($params['client_id'])) {
throw new InvalidArgumentException(
'missing the required client identifier'
);
}
if (is_null($params['redirect_uri'])) {
throw new InvalidArgumentException('missing the required redirect URI');
}
if (!empty($params['prompt']) && !empty($params['approval_prompt'])) {
throw new InvalidArgumentException(
'prompt and approval_prompt are mutually exclusive'
);
}
// Construct the uri object; return it if it is valid.
$result = clone $this->authorizationUri;
$existingParams = Psr7\parse_query($result->getQuery());
$result = $result->withQuery(
Psr7\build_query(array_merge($existingParams, $params))
);
if ($result->getScheme() != 'https') {
throw new InvalidArgumentException(
'Authorization endpoint must be protected by TLS'
);
}
return $result;
}
/**
* Sets the authorization server's HTTP endpoint capable of authenticating
* the end-user and obtaining authorization.
*
* @param string $uri
*/
public function setAuthorizationUri($uri)
{
$this->authorizationUri = $this->coerceUri($uri);
}
/**
* Gets the authorization server's HTTP endpoint capable of authenticating
* the end-user and obtaining authorization.
*
* @return UriInterface
*/
public function getAuthorizationUri()
{
return $this->authorizationUri;
}
/**
* Gets the authorization server's HTTP endpoint capable of issuing tokens
* and refreshing expired tokens.
*
* @return string
*/
public function getTokenCredentialUri()
{
return $this->tokenCredentialUri;
}
/**
* Sets the authorization server's HTTP endpoint capable of issuing tokens
* and refreshing expired tokens.
*
* @param string $uri
*/
public function setTokenCredentialUri($uri)
{
$this->tokenCredentialUri = $this->coerceUri($uri);
}
/**
* Gets the redirection URI used in the initial request.
*
* @return string
*/
public function getRedirectUri()
{
return $this->redirectUri;
}
/**
* Sets the redirection URI used in the initial request.
*
* @param string $uri
*/
public function setRedirectUri($uri)
{
if (is_null($uri)) {
$this->redirectUri = null;
return;
}
// redirect URI must be absolute
if (!$this->isAbsoluteUri($uri)) {
// "postmessage" is a reserved URI string in Google-land
// @see https://developers.google.com/identity/sign-in/web/server-side-flow
if ('postmessage' !== (string)$uri) {
throw new InvalidArgumentException(
'Redirect URI must be absolute'
);
}
}
$this->redirectUri = (string)$uri;
}
/**
* Gets the scope of the access requests as a space-delimited String.
*
* @return string
*/
public function getScope()
{
if (is_null($this->scope)) {
return $this->scope;
}
return implode(' ', $this->scope);
}
/**
* Sets the scope of the access request, expressed either as an Array or as
* a space-delimited String.
*
* @param string|array $scope
* @throws InvalidArgumentException
*/
public function setScope($scope)
{
if (is_null($scope)) {
$this->scope = null;
} elseif (is_string($scope)) {
$this->scope = explode(' ', $scope);
} elseif (is_array($scope)) {
foreach ($scope as $s) {
$pos = strpos($s, ' ');
if ($pos !== false) {
throw new InvalidArgumentException(
'array scope values should not contain spaces'
);
}
}
$this->scope = $scope;
} else {
throw new InvalidArgumentException(
'scopes should be a string or array of strings'
);
}
}
/**
* Gets the current grant type.
*
* @return string
*/
public function getGrantType()
{
if (!is_null($this->grantType)) {
return $this->grantType;
}
// Returns the inferred grant type, based on the current object instance
// state.
if (!is_null($this->code)) {
return 'authorization_code';
}
if (!is_null($this->refreshToken)) {
return 'refresh_token';
}
if (!is_null($this->username) && !is_null($this->password)) {
return 'password';
}
if (!is_null($this->issuer) && !is_null($this->signingKey)) {
return self::JWT_URN;
}
return null;
}
/**
* Sets the current grant type.
*
* @param $grantType
* @throws InvalidArgumentException
*/
public function setGrantType($grantType)
{
if (in_array($grantType, self::$knownGrantTypes)) {
$this->grantType = $grantType;
} else {
// validate URI
if (!$this->isAbsoluteUri($grantType)) {
throw new InvalidArgumentException(
'invalid grant type'
);
}
$this->grantType = (string)$grantType;
}
}
/**
* Gets an arbitrary string designed to allow the client to maintain state.
*
* @return string
*/
public function getState()
{
return $this->state;
}
/**
* Sets an arbitrary string designed to allow the client to maintain state.
*
* @param string $state
*/
public function setState($state)
{
$this->state = $state;
}
/**
* Gets the authorization code issued to this client.
*/
public function getCode()
{
return $this->code;
}
/**
* Sets the authorization code issued to this client.
*
* @param string $code
*/
public function setCode($code)
{
$this->code = $code;
}
/**
* Gets the resource owner's username.
*/
public function getUsername()
{
return $this->username;
}
/**
* Sets the resource owner's username.
*
* @param string $username
*/
public function setUsername($username)
{
$this->username = $username;
}
/**
* Gets the resource owner's password.
*/
public function getPassword()
{
return $this->password;
}
/**
* Sets the resource owner's password.
*
* @param $password
*/
public function setPassword($password)
{
$this->password = $password;
}
/**
* Gets the unique identifier issued to the client to identify itself to the
* authorization server.
*/
public function getClientId()
{
return $this->clientId;
}
/**
* Sets a unique identifier issued to the client to identify itself to the
* authorization server.
*
* @param $clientId
*/
public function setClientId($clientId)
{
$this->clientId = $clientId;
}
/**
* Gets a shared symmetric secret issued by the authorization server, which
* is used to authenticate the client.
*/
public function getClientSecret()
{
return $this->clientSecret;
}
/**
* Sets a shared symmetric secret issued by the authorization server, which
* is used to authenticate the client.
*
* @param $clientSecret
*/
public function setClientSecret($clientSecret)
{
$this->clientSecret = $clientSecret;
}
/**
* Gets the Issuer ID when using assertion profile.
*/
public function getIssuer()
{
return $this->issuer;
}
/**
* Sets the Issuer ID when using assertion profile.
*
* @param string $issuer
*/
public function setIssuer($issuer)
{
$this->issuer = $issuer;
}
/**
* Gets the target sub when issuing assertions.
*/
public function getSub()
{
return $this->sub;
}
/**
* Sets the target sub when issuing assertions.
*
* @param string $sub
*/
public function setSub($sub)
{
$this->sub = $sub;
}
/**
* Gets the target audience when issuing assertions.
*/
public function getAudience()
{
return $this->audience;
}
/**
* Sets the target audience when issuing assertions.
*
* @param string $audience
*/
public function setAudience($audience)
{
$this->audience = $audience;
}
/**
* Gets the signing key when using an assertion profile.
*/
public function getSigningKey()
{
return $this->signingKey;
}
/**
* Sets the signing key when using an assertion profile.
*
* @param string $signingKey
*/
public function setSigningKey($signingKey)
{
$this->signingKey = $signingKey;
}
/**
* Gets the signing key id when using an assertion profile.
*
* @return string
*/
public function getSigningKeyId()
{
return $this->signingKeyId;
}
/**
* Sets the signing key id when using an assertion profile.
*
* @param string $signingKeyId
*/
public function setSigningKeyId($signingKeyId)
{
$this->signingKeyId = $signingKeyId;
}
/**
* Gets the signing algorithm when using an assertion profile.
*
* @return string
*/
public function getSigningAlgorithm()
{
return $this->signingAlgorithm;
}
/**
* Sets the signing algorithm when using an assertion profile.
*
* @param string $signingAlgorithm
*/
public function setSigningAlgorithm($signingAlgorithm)
{
if (is_null($signingAlgorithm)) {
$this->signingAlgorithm = null;
} elseif (!in_array($signingAlgorithm, self::$knownSigningAlgorithms)) {
throw new InvalidArgumentException('unknown signing algorithm');
} else {
$this->signingAlgorithm = $signingAlgorithm;
}
}
/**
* Gets the set of parameters used by extension when using an extension
* grant type.
*/
public function getExtensionParams()
{
return $this->extensionParams;
}
/**
* Sets the set of parameters used by extension when using an extension
* grant type.
*
* @param $extensionParams
*/
public function setExtensionParams($extensionParams)
{
$this->extensionParams = $extensionParams;
}
/**
* Gets the number of seconds assertions are valid for.
*/
public function getExpiry()
{
return $this->expiry;
}
/**
* Sets the number of seconds assertions are valid for.
*
* @param int $expiry
*/
public function setExpiry($expiry)
{
$this->expiry = $expiry;
}
/**
* Gets the lifetime of the access token in seconds.
*/
public function getExpiresIn()
{
return $this->expiresIn;
}
/**
* Sets the lifetime of the access token in seconds.
*
* @param int $expiresIn
*/
public function setExpiresIn($expiresIn)
{
if (is_null($expiresIn)) {
$this->expiresIn = null;
$this->issuedAt = null;
} else {
$this->issuedAt = time();
$this->expiresIn = (int)$expiresIn;
}
}
/**
* Gets the time the current access token expires at.
*
* @return int
*/
public function getExpiresAt()
{
if (!is_null($this->expiresAt)) {
return $this->expiresAt;
}
if (!is_null($this->issuedAt) && !is_null($this->expiresIn)) {
return $this->issuedAt + $this->expiresIn;
}
return null;
}
/**
* Returns true if the access token has expired.
*
* @return bool
*/
public function isExpired()
{
$expiration = $this->getExpiresAt();
$now = time();
return !is_null($expiration) && $now >= $expiration;
}
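Added example for the expiry accessors above (not code from the google/auth library): `isExpired()` has no safety margin and `getExpiresAt()` prefers an explicit `expiresAt` over `issuedAt + expiresIn`, which this snippet makes visible with a small refresh-ahead policy. It assumes the OAuth2 class is autoloaded via Composer; the token values are constructed.

```php
<?php
// Added example, not part of the google/auth library. Assumes the OAuth2 class
// is autoloaded via Composer; the token values are constructed.
use Google\Auth\OAuth2;

require __DIR__ . '/vendor/autoload.php';

// isExpired() turns true only once the expiry instant has passed. A client
// that presents the token a moment later, or whose clock trails the server's,
// wants a margin: treat the token as due for refresh $skewSeconds early.
function needsRefresh(OAuth2 $oauth, int $skewSeconds = 60): bool
{
    if ($oauth->getAccessToken() === null) {
        return true;                        // nothing to present yet
    }
    $expiresAt = $oauth->getExpiresAt();    // null when no lifetime is known
    if ($expiresAt === null) {
        return false;                       // cannot judge; use the token as-is
    }
    return time() + $skewSeconds >= $expiresAt;
}

$oauth = new OAuth2([]);
$oauth->setAccessToken('constructed-access-token');

// A token response normally carries expires_in; setExpiresIn() stamps
// issuedAt with the local clock, so getExpiresAt() is local time + lifetime.
$oauth->setExpiresIn(30);
var_dump($oauth->isExpired());       // 30 s remain, so the token is not expired ...
var_dump(needsRefresh($oauth, 60));  // ... but it is inside the 60 s margin

// An explicit expiresAt wins over issuedAt + expiresIn in getExpiresAt().
$oauth->setExpiresAt(time() + 3600);
var_dump(needsRefresh($oauth, 60));  // an hour left, outside the margin

// A refresh token is what a proactive refresh needs; with no code set,
// getGrantType() infers 'refresh_token' from it.
$oauth->setRefreshToken('constructed-refresh-token');
var_dump($oauth->getGrantType());
```

Because `setExpiresIn()` uses the local `time()` as `issuedAt`, the computed expiry follows the client's clock; if you instead store a server-supplied `issued_at` via `setIssuedAt()`, any drift between the two clocks feeds straight into `isExpired()`, which is one more reason to keep a margin.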
/**
* Sets the time the current access token expires at.
*
* @param int $expiresAt
*/
public function setExpiresAt($expiresAt)
{
$this->expiresAt = $expiresAt;
}
/**
* Gets the time the current access token was issued at.
*/
public function getIssuedAt()
{
return $this->issuedAt;
}
/**
* Sets the time the current access token was issued at.
*
* @param int $issuedAt
*/
public function setIssuedAt($issuedAt)
{
$this->issuedAt = $issuedAt;
}
/**
* Gets the current access token.
*/
public function getAccessToken()
{
return $this->accessToken;
}
/**
* Sets the current access token.
*
* @param string $accessToken
*/
public function setAccessToken($accessToken)
{
$this->accessToken = $accessToken;
}
/**
* Gets the current ID token.
*/
public function getIdToken()
{
return $this->idToken;
}
/**
* Sets the current ID token.
*
* @param $idToken
*/
public function setIdToken($idToken)
{
$this->idToken = $idToken;
}
/**
* Gets the refresh token associated with the current access token.
*/
public function getRefreshToken()
{
return $this->refreshToken;
}
/**
* Sets the refresh token associated with the current access token.
*
* @param $refreshToken
*/
public function setRefreshToken($refreshToken)
{
$this->refreshToken = $refreshToken;
}
/**
* Sets additional claims to be included in the JWT token
*
* @param array $additionalClaims
*/
public function setAdditionalClaims(array $additionalClaims)
{
$this->additionalClaims = $additionalClaims;
}
/**
* Gets the additional claims to be included in the JWT token.
*
* @return array
*/
public function getAdditionalClaims()
{
return $this->additionalClaims;
}
/**
* Gets the last received token as an array: the access token (or, failing
* that, the ID token) with its expiry, plus expires_in, issued_at and the
* refresh token when they are known; null when no token is held.
*
* @return array|null
*/
public function getLastReceivedToken()
{
if ($token = $this->getAccessToken()) {
// the bare necessity of an auth token
$authToken = [
'access_token' => $token,
'expires_at' => $this->getExpiresAt(),
];
} elseif ($idToken = $this->getIdToken()) {
$authToken = [
'id_token' => $idToken,
'expires_at' => $this->getExpiresAt(),
];
} else {
return null;
}
if ($expiresIn = $this->getExpiresIn()) {
$authToken['expires_in'] = $expiresIn;
}
if ($issuedAt = $this->getIssuedAt()) {
$authToken['issued_at'] = $issuedAt;
}
if ($refreshToken = $this->getRefreshToken()) {
$authToken['refresh_token'] = $refreshToken;
}
return $authToken;
}
/**
* Get the client ID.
*
* Alias of {@see Google\Auth\OAuth2::getClientId()}.
*
* @param callable $httpHandler
* @return string
* @access private
*/
public function getClientName(callable $httpHandler = null)
{
return $this->getClientId();
}
/**
* @todo handle uri as array
*
* @param string $uri
* @return null|UriInterface
*/
private function coerceUri($uri)
{
if (is_null($uri)) {
return;
}
return Psr7\uri_for($uri);
}
/**
* @param string $idToken
* @param string|array|null $publicKey
* @param array $allowedAlgs
* @return object
*/
private function jwtDecode($idToken, $publicKey, $allowedAlgs)
{
if (class_exists('Firebase\JWT\JWT')) {
return \Firebase\JWT\JWT::decode($idToken, $publicKey, $allowedAlgs);
}
return \JWT::decode($idToken, $publicKey, $allowedAlgs);
}
/**
* @param array $assertion
* @param string $signingKey
* @param string $signingAlgorithm
* @param string|null $signingKeyId
* @return string
*/
private function jwtEncode($assertion, $signingKey, $signingAlgorithm, $signingKeyId = null)
{
if (class_exists('Firebase\JWT\JWT')) {
return \Firebase\JWT\JWT::encode(
$assertion,
$signingKey,
$signingAlgorithm,
$signingKeyId
);
}
return \JWT::encode($assertion, $signingKey, $signingAlgorithm, $signingKeyId);
}
/**
* Determines if the URI is absolute based on its scheme and host or path
* (RFC 3986).
*
* @param string $uri
* @return bool
*/
private function isAbsoluteUri($uri)
{
$uri = $this->coerceUri($uri);
// coerceUri() returns null for a null input; a null URI is not absolute
if (is_null($uri)) {
return false;
}
return $uri->getScheme() && ($uri->getHost() || $uri->getPath());
}
/**
* @param array $params
* @return array
*/
private function addClientCredentials(&$params)
{
$clientId = $this->getClientId();
$clientSecret = $this->getClientSecret();
if ($clientId && $clientSecret) {
$params['client_id'] = $clientId;
$params['client_secret'] = $clientSecret;
}
return $params;
}
}
// src/CacheTrait.php: only the tail of this file is present in this extract.
// The trait opening, $maxKeyLength (the comment below says it defaults to 64)
// and the head of getCachedValue() are reconstructed from the call site in
// ScopedAccessTokenSubscriber::fetchToken() and the parallel setCachedValue().
trait CacheTrait
{
private $maxKeyLength = 64;
/**
* Gets the cached value for the given key when a cache is available.
*/
private function getCachedValue($k)
{
if (is_null($this->cache)) {
return;
}
$key = $this->getFullCacheKey($k);
if (is_null($key)) {
return;
}
$cacheItem = $this->cache->getItem($key);
if ($cacheItem->isHit()) {
return $cacheItem->get();
}
}
/**
* Saves the value in the cache when that is available.
*/
private function setCachedValue($k, $v)
{
if (is_null($this->cache)) {
return;
}
$key = $this->getFullCacheKey($k);
if (is_null($key)) {
return;
}
$cacheItem = $this->cache->getItem($key);
$cacheItem->set($v);
$cacheItem->expiresAfter($this->cacheConfig['lifetime']);
return $this->cache->save($cacheItem);
}
private function getFullCacheKey($key)
{
if (is_null($key)) {
return;
}
$key = $this->cacheConfig['prefix'] . $key;
// ensure we do not have illegal characters
$key = preg_replace('|[^a-zA-Z0-9_\.!]|', '', $key);
// Hash keys if they exceed $maxKeyLength (defaults to 64)
if ($this->maxKeyLength && strlen($key) > $this->maxKeyLength) {
$key = substr(hash('sha256', $key), 0, $this->maxKeyLength);
}
return $key;
}
}
// src/Subscriber/SimpleSubscriber.php: only the tail of this file is present in
// this extract; the constructor head is reconstructed from the assignment below.
public function __construct(array $config = [])
{
$this->config = array_merge([], $config);
}
/**
* @return array
*/
public function getEvents()
{
return ['before' => ['onBefore', RequestEvents::SIGN_REQUEST]];
}
/**
* Updates the request query with the developer key if auth is set to simple.
*
* Example:
* ```
* use Google\Auth\Subscriber\SimpleSubscriber;
* use GuzzleHttp\Client;
*
* $my_key = 'is not the same as yours';
* $subscriber = new SimpleSubscriber(['key' => $my_key]);
*
* $client = new Client([
* 'base_url' => 'https://www.googleapis.com/discovery/v1/',
* 'defaults' => ['auth' => 'simple']
* ]);
* $client->getEmitter()->attach($subscriber);
*
* $res = $client->get('drive/v2/rest');
* ```
*
* @param BeforeEvent $event
*/
public function onBefore(BeforeEvent $event)
{
// Requests using "auth"="simple" with the developer key.
$request = $event->getRequest();
if ($request->getConfig()['auth'] != 'simple') {
return;
}
$request->getQuery()->overwriteWith($this->config);
}
}
// src/Subscriber/ScopedAccessTokenSubscriber.php: the file header and class
// docblock are not present in this extract.
class ScopedAccessTokenSubscriber implements SubscriberInterface
{
use CacheTrait;
const DEFAULT_CACHE_LIFETIME = 1500;
/**
* @var CacheItemPoolInterface
*/
private $cache;
/**
* @var callable The access token generator function
*/
private $tokenFunc;
/**
* @var array|string The scopes used to generate the token
*/
private $scopes;
/**
* @var array
*/
private $cacheConfig;
/**
* Creates a new ScopedAccessTokenSubscriber.
*
* @param callable $tokenFunc a token generator function
* @param array|string $scopes the token authentication scopes
* @param array $cacheConfig configuration for the cache when it's present
* @param CacheItemPoolInterface $cache an implementation of CacheItemPoolInterface
*/
public function __construct(
callable $tokenFunc,
$scopes,
array $cacheConfig = null,
CacheItemPoolInterface $cache = null
) {
$this->tokenFunc = $tokenFunc;
if (!(is_string($scopes) || is_array($scopes))) {
throw new \InvalidArgumentException(
'scopes should be a string or an array'
);
}
$this->scopes = $scopes;
if (!is_null($cache)) {
$this->cache = $cache;
$this->cacheConfig = array_merge([
'lifetime' => self::DEFAULT_CACHE_LIFETIME,
'prefix' => '',
], $cacheConfig);
}
}
/**
* @return array
*/
public function getEvents()
{
return ['before' => ['onBefore', RequestEvents::SIGN_REQUEST]];
}
/**
* Updates the request with an Authorization header when auth is 'scoped'.
*
* E.g. this could be used to authenticate using the AppEngine AppIdentityService.
*
* Example:
* ```
* use google\appengine\api\app_identity\AppIdentityService;
* use Google\Auth\Subscriber\ScopedAccessTokenSubscriber;
* use GuzzleHttp\Client;
*
* $scope = 'https://www.googleapis.com/auth/taskqueue';
* $subscriber = new ScopedAccessTokenSubscriber(
* 'AppIdentityService::getAccessToken',
* $scope,
* ['prefix' => 'Google\Auth\ScopedAccessToken::'],
* $cache // a Psr\Cache\CacheItemPoolInterface implementation
* );
*
* $client = new Client([
* 'base_url' => 'https://www.googleapis.com/taskqueue/v1beta2/projects/',
* 'defaults' => ['auth' => 'scoped']
* ]);
* $client->getEmitter()->attach($subscriber);
*
* $res = $client->get('myproject/taskqueues/myqueue');
* ```
*
* @param BeforeEvent $event
*/
public function onBefore(BeforeEvent $event)
{
// Requests using "auth"="scoped" will be authorized.
$request = $event->getRequest();
if ($request->getConfig()['auth'] != 'scoped') {
return;
}
$auth_header = 'Bearer ' . $this->fetchToken();
$request->setHeader('authorization', $auth_header);
}
/**
* @return string
*/
private function getCacheKey()
{
$key = null;
if (is_string($this->scopes)) {
$key .= $this->scopes;
} elseif (is_array($this->scopes)) {
$key .= implode(':', $this->scopes);
}
return $key;
}
/**
* Determine if token is available in the cache, if not call tokenFunc to
* fetch it.
*
* @return string
*/
private function fetchToken()
{
$cacheKey = $this->getCacheKey();
$cached = $this->getCachedValue($cacheKey);
if (!empty($cached)) {
return $cached;
}
$token = call_user_func($this->tokenFunc, $this->scopes);
$this->setCachedValue($cacheKey, $token);
return $token;
}
}
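Added example (not code from the google/auth library) covering `CacheTrait::getFullCacheKey()` together with `ScopedAccessTokenSubscriber::getCacheKey()` and `fetchToken()` above. It re-derives the cache key in the same order those methods use (join scopes with `:`, prepend the prefix, strip characters outside `[a-zA-Z0-9_.!]`, hash only when the result exceeds 64 characters) to show that two distinct scope lists can share one key, so a token cached for one list is returned for the other, and then shows a hash-first derivation that keeps them distinct. The scope URLs and prefix are constructed; `json_encode(..., JSON_THROW_ON_ERROR)` assumes PHP 7.3 or later.

```php
<?php
// Added example, not code from the google/auth library. It re-derives the cache
// key the way getFullCacheKey() and getCacheKey() above do (join scopes with
// ':', prefix, strip disallowed characters, hash only when too long) to show
// that two distinct scope lists can end up with one key, then a hash-first
// derivation that keeps them apart. Scope URLs and the prefix are constructed.

function libraryStyleKey(string $prefix, array $scopes, int $maxKeyLength = 64): string
{
    $key = $prefix . implode(':', $scopes);
    // same character filter as CacheTrait::getFullCacheKey()
    $key = preg_replace('|[^a-zA-Z0-9_\.!]|', '', $key);
    if ($maxKeyLength && strlen($key) > $maxKeyLength) {
        $key = substr(hash('sha256', $key), 0, $maxKeyLength);
    }
    return $key;
}

// Hash first: every character of namespace and scope list, separators
// included, reaches the digest, so distinct inputs stay distinct. The 64-char
// hex digest is within the PSR-6 portable key charset and length limit.
function hashFirstKey(string $prefix, array $scopes): string
{
    $canonical = $prefix . "\0" . json_encode($scopes, JSON_THROW_ON_ERROR);
    return hash('sha256', $canonical);
}

$prefix = 'Google\Auth\ScopedAccessToken::';
$one = ['https://www.googleapis.com/auth/taskqueue'];
$two = ['https://www.googleapis.com/auth/task', 'queue'];

// Once ':' and '/' are stripped both lists read
// 'GoogleAuthScopedAccessTokenhttpswww.googleapis.comauthtaskqueue' (63 chars,
// so the hashing step does not run either): a token cached for $one is served
// to a caller asking for $two.
var_dump(libraryStyleKey($prefix, $one) === libraryStyleKey($prefix, $two));

// With the digest taken before any stripping, the two keys differ.
var_dump(hashFirstKey($prefix, $one) === hashFirstKey($prefix, $two));
```

The difference is the order of operations: stripping before hashing discards the very characters (`:`, `/`) that distinguish one scope list from another, while hashing the full input first keeps every byte and still yields a key that satisfies the PSR-6 character and length rules without any separate sanitizing step.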