fix: use custom Redirect URI validation logic in RefreshTokenGrant

common/components/OAuth2/Grants/AuthCodeGrant.php

@@ -4,50 +4,24 @@
 namespace common\components\OAuth2\Grants;
 
 use common\components\OAuth2\CryptTrait;
-use common\components\OAuth2\Events\RequestedRefreshToken;
-use common\components\OAuth2\Repositories\PublicScopeRepository;
 use DateInterval;
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 use League\OAuth2\Server\Entities\ClientEntityInterface;
-use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Grant\AuthCodeGrant as BaseAuthCodeGrant;
-use League\OAuth2\Server\RequestEvent;
-use Psr\Http\Message\ServerRequestInterface;
-use yii\helpers\StringHelper;
 
 final class AuthCodeGrant extends BaseAuthCodeGrant {
     use CryptTrait;
+    use CheckOfflineAccessScopeTrait;
+    use ValidateRedirectUriTrait;
 
     protected function issueAccessToken(
         DateInterval $accessTokenTTL,
         ClientEntityInterface $client,
         ?string $userIdentifier,
         array $scopes = [],
     ): AccessTokenEntityInterface {
-        foreach ($scopes as $i => $scope) {
-            if ($scope->getIdentifier() === PublicScopeRepository::OFFLINE_ACCESS) {
-                unset($scopes[$i]);
-                $this->getEmitter()->emit(new RequestedRefreshToken('refresh_token_requested'));
-            }
-        }
-
+        $this->checkOfflineAccessScope($scopes);
         return parent::issueAccessToken($accessTokenTTL, $client, $userIdentifier, $scopes);
     }
 
-    protected function validateRedirectUri(
-        string $redirectUri,
-        ClientEntityInterface $client,
-        ServerRequestInterface $request,
-    ): void {
-        $allowedRedirectUris = (array)$client->getRedirectUri();
-        foreach ($allowedRedirectUris as $allowedRedirectUri) {
-            if (StringHelper::startsWith($redirectUri, $allowedRedirectUri)) {
-                return;
-            }
-        }
-
-        $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
-        throw OAuthServerException::invalidClient($request);
-    }
-
 }

common/components/OAuth2/Grants/CheckOfflineAccessScopeTrait.php

@@ -0,0 +1,26 @@
+<?php
+declare(strict_types=1);
+
+namespace common\components\OAuth2\Grants;
+
+use common\components\OAuth2\Events\RequestedRefreshToken;
+use common\components\OAuth2\Repositories\PublicScopeRepository;
+use League\OAuth2\Server\EventEmitting\EventEmitter;
+
+trait CheckOfflineAccessScopeTrait {
+
+    abstract public function getEmitter(): EventEmitter;
+
+    /**
+     * @param \League\OAuth2\Server\Entities\ScopeEntityInterface[] $scopes
+     */
+    protected function checkOfflineAccessScope(array $scopes = []): void {
+        foreach ($scopes as $i => $scope) {
+            if ($scope->getIdentifier() === PublicScopeRepository::OFFLINE_ACCESS) {
+                unset($scopes[$i]);
+                $this->getEmitter()->emit(new RequestedRefreshToken('refresh_token_requested'));
+            }
+        }
+    }
+
+}

common/components/OAuth2/Grants/DeviceCodeGrant.php

@@ -3,9 +3,7 @@
 
 namespace common\components\OAuth2\Grants;
 
-use common\components\OAuth2\Events\RequestedRefreshToken;
 use common\components\OAuth2\Repositories\ExtendedDeviceCodeRepositoryInterface;
-use common\components\OAuth2\Repositories\PublicScopeRepository;
 use common\components\OAuth2\ResponseTypes\EmptyResponse;
 use DateInterval;
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
@@ -22,6 +20,7 @@
  * @property ExtendedDeviceCodeRepositoryInterface $deviceCodeRepository
  */
 final class DeviceCodeGrant extends BaseDeviceCodeGrant {
+    use CheckOfflineAccessScopeTrait;
 
     public function __construct(
         ExtendedDeviceCodeRepositoryInterface $deviceCodeRepository,
@@ -95,12 +94,7 @@ protected function issueAccessToken(
         ?string $userIdentifier,
         array $scopes = [],
     ): AccessTokenEntityInterface {
-        foreach ($scopes as $i => $scope) {
-            if ($scope->getIdentifier() === PublicScopeRepository::OFFLINE_ACCESS) {
-                unset($scopes[$i]);
-                $this->getEmitter()->emit(new RequestedRefreshToken('refresh_token_requested'));
-            }
-        }
+        $this->checkOfflineAccessScope($scopes);
 
         return parent::issueAccessToken($accessTokenTTL, $client, $userIdentifier, $scopes);
     }

common/components/OAuth2/Grants/RefreshTokenGrant.php

@@ -20,6 +20,7 @@
 
 final class RefreshTokenGrant extends BaseRefreshTokenGrant {
     use CryptTrait;
+    use ValidateRedirectUriTrait;
 
     /**
      * Previously, refresh tokens were stored in Redis.

common/components/OAuth2/Grants/ValidateRedirectUriTrait.php

@@ -0,0 +1,34 @@
+<?php
+declare(strict_types=1);
+
+namespace common\components\OAuth2\Grants;
+
+use League\OAuth2\Server\Entities\ClientEntityInterface;
+use League\OAuth2\Server\EventEmitting\EventEmitter;
+use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\RequestEvent;
+use Psr\Http\Message\ServerRequestInterface;
+use yii\helpers\StringHelper;
+
+trait ValidateRedirectUriTrait {
+
+    abstract public function getEmitter(): EventEmitter;
+
+    protected function validateRedirectUri(
+        string $redirectUri,
+        ClientEntityInterface $client,
+        ServerRequestInterface $request,
+    ): void {
+        $allowedRedirectUris = (array)$client->getRedirectUri();
+        foreach ($allowedRedirectUris as $allowedRedirectUri) {
+            if (StringHelper::startsWith($redirectUri, $allowedRedirectUri)) {
+                return;
+            }
+        }
+
+        $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
+
+        throw OAuthServerException::invalidClient($request);
+    }
+
+}