fix: #225: register for autoconfiguration of League\OAuth2\Server\Grant\GrantTypeInterface

Author: TLG-Gildas

docs/implementing-custom-grant-type.md

@@ -43,7 +43,9 @@
     ```
 
 1. In order to enable the new grant type in the authorization server you must register the service in the container.
-And the service must be tagged with the `league.oauth2_server.authorization_server.grant` tag:
+`\League\OAuth2\Server\Grant\GrantTypeInterface` is registered for autoconfiguration
+
+    - but you can manually declare the service with the `league.oauth2_server.authorization_server.grant` tag:
 
     ```yaml
     services:
@@ -53,7 +55,24 @@ And the service must be tagged with the `league.oauth2_server.authorization_serv
           - {name: league.oauth2_server.authorization_server.grant}
     ```
 
-    You could define a custom access token TTL for your grant using `accessTokenTTL` tag attribute :
+   - If you prefer php configuration, you could use `AutoconfigureTag` symfony attribute for the same result :
+
+    ```php
+   <?php
+   ...
+
+   use Symfony\Component\DependencyInjection\Attribute\AutoconfigureTag;
+
+   #[AutoconfigureTag(name: 'league.oauth2_server.authorization_server.grant')]
+   final class FakeGrant extends AbstractGrant implements GrantTypeInterface
+   {
+       ...
+   }
+    ```
+
+1. In order to defined access token TTL for your custom grant, you could:
+
+    - define a custom access token TTL for your grant using `accessTokenTTL` tag attribute :
 
     ```yaml
     services:
@@ -63,7 +82,7 @@ And the service must be tagged with the `league.oauth2_server.authorization_serv
           - {name: league.oauth2_server.authorization_server.grant, accessTokenTTL: PT5H}
     ```
 
-    If you prefer php configuration, you could use `AutoconfigureTag` symfony attribute for the same result :
+    - or via `AutoconfigureTag` :
 
     ```php
    <?php
@@ -78,7 +97,22 @@ And the service must be tagged with the `league.oauth2_server.authorization_serv
    }
     ```
 
-    If `accessTokenTTL` tag attribute is not defined, then bundle config is used `league_oauth2_server.authorization_server.access_token_ttl` (same as `league.oauth2_server.access_token_ttl.default` service container parameter). \
+    - and last option is usage of `\League\Bundle\OAuth2ServerBundle\Attribute\WithAccessTokenTTL` attribute (note: service must be registered with correct tag before, this is already done if autoconfiguration is activated):
+
+    ```php
+   <?php
+   ...
+
+   use League\Bundle\OAuth2ServerBundle\Attribute\WithAccessTokenTTL;
+
+   #[WithAccessTokenTTL(accessTokenTTL: 'PT5H')]
+   final class FakeGrant extends AbstractGrant implements GrantTypeInterface
+   {
+       ...
+   }
+    ```
+
+    For all of these options, if `accessTokenTTL` is not defined, then bundle config is used `league_oauth2_server.authorization_server.access_token_ttl` (same as `league.oauth2_server.access_token_ttl.default` service container parameter). \
     `null` is considered as defined, to allow to unset ttl. \
    `league_oauth2_server.authorization_server.refresh_token_ttl` is also accessible for your implementation using `league.oauth2_server.refresh_token_ttl.default` service container parameter.
 

src/Attribute/WithAccessTokenTTL.php

@@ -0,0 +1,12 @@
+<?php declare(strict_types=1);
+
+namespace League\Bundle\OAuth2ServerBundle\Attribute;
+
+#[\Attribute(\Attribute::TARGET_CLASS)]
+class WithAccessTokenTTL
+{
+    // we don't allow to pass directly \DateInterval, to not break symfony container dumping which require serializable object
+    public function __construct(public readonly string|null $accessTokenTTL)
+    {
+    }
+}

src/DependencyInjection/CompilerPass/GrantTypePass.php

@@ -4,6 +4,7 @@
 
 namespace League\Bundle\OAuth2ServerBundle\DependencyInjection\CompilerPass;
 
+use League\Bundle\OAuth2ServerBundle\Attribute\WithAccessTokenTTL;
 use League\Bundle\OAuth2ServerBundle\AuthorizationServer\GrantTypeInterface;
 use League\OAuth2\Server\AuthorizationServer;
 use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
@@ -27,32 +28,49 @@ public function process(ContainerBuilder $container): void
 
         // enable grant type for each
         foreach ($taggedServices as $id => $tags) {
-            // skip of custom grant using \League\Bundle\OAuth2ServerBundle\AuthorizationServer\GrantTypeInterface
-            // since there are handled by \League\Bundle\OAuth2ServerBundle\AuthorizationServer\GrantConfigurator
-            // TODO remove code bloc when bundle interface and configurator will be deleted
+            // we only use the first tag
+            // this allow to override autoregistration of interface to be able to set accessTokenTTL
+            // since autoregistered tag are defined in last
+            $attributes = array_shift($tags);
+
             try {
                 $grantDefinition = $container->findDefinition($id);
                 /** @var class-string|null $grantClass */
                 $grantClass = $grantDefinition->getClass();
                 if (null !== $grantClass) {
                     $refGrantClass = new \ReflectionClass($grantClass);
+
+                    // skip of custom grant using \League\Bundle\OAuth2ServerBundle\AuthorizationServer\GrantTypeInterface
+                    // since there are handled by \League\Bundle\OAuth2ServerBundle\AuthorizationServer\GrantConfigurator
+                    // TODO remove code bloc when bundle interface and configurator will be deleted
                     if ($refGrantClass->implementsInterface(GrantTypeInterface::class)) {
                         continue;
                     }
+
+                    // read of accessTokenTTL from WithAccessTokenTTL attribute
+                    $withAccessTokenTTLAttributes = $refGrantClass->getAttributes(WithAccessTokenTTL::class);
+                    if (count($withAccessTokenTTLAttributes) > 0) {
+                        // we only use first attribute, because WithAccessTokenTTL is not repeatable
+                        /** @var \ReflectionAttribute<WithAccessTokenTTL> $withAccessTokenTTLAttribute */
+                        $withAccessTokenTTLAttributeArguments = array_shift($withAccessTokenTTLAttributes)->getArguments();
+                        $attributes['accessTokenTTL'] = array_shift($withAccessTokenTTLAttributeArguments);
+                    }
                 }
             } catch (\ReflectionException) {
-                // handling of this service as native one
+                // handling of this service as native one or without attribute
             }
 
-            foreach ($tags as $attributes) {
-                $definition->addMethodCall('enableGrantType', [
-                    new Reference($id),
-                    // use accessTokenTTL tag attribute if exists, otherwise use global bundle config
-                    new Definition(\DateInterval::class, [\array_key_exists('accessTokenTTL', $attributes)
-                        ? $attributes['accessTokenTTL']
-                        : $container->getParameter('league.oauth2_server.access_token_ttl.default')]),
-                ]);
-            }
+            // use WithAccessTokenTTL value then accessTokenTTL tag attribute if exists, otherwise use global bundle config
+            $accessTokenTTLValue = \array_key_exists('accessTokenTTL', $attributes)
+                ? $attributes['accessTokenTTL']
+                : $container->getParameter('league.oauth2_server.access_token_ttl.default');
+
+            $definition->addMethodCall('enableGrantType', [
+                new Reference($id),
+                (is_string($accessTokenTTLValue))
+                    ? new Definition(\DateInterval::class, [$accessTokenTTLValue])
+                    : $accessTokenTTLValue,
+            ]);
         }
     }
 }

src/DependencyInjection/LeagueOAuth2ServerExtension.php

@@ -31,6 +31,7 @@
 use League\OAuth2\Server\CryptKey;
 use League\OAuth2\Server\Grant\AuthCodeGrant;
 use League\OAuth2\Server\Grant\ClientCredentialsGrant;
+use League\OAuth2\Server\Grant\GrantTypeInterface as LeagueGrantTypeInterface;
 use League\OAuth2\Server\Grant\ImplicitGrant;
 use League\OAuth2\Server\Grant\PasswordGrant;
 use League\OAuth2\Server\Grant\RefreshTokenGrant;
@@ -69,6 +70,9 @@ public function load(array $configs, ContainerBuilder $container)
         $container->findDefinition(OAuth2Authenticator::class)
             ->setArgument(3, $config['role_prefix']);
 
+        $container->registerForAutoconfiguration(LeagueGrantTypeInterface::class)
+            ->addTag('league.oauth2_server.authorization_server.grant');
+
         // TODO remove code bloc when bundle interface and configurator will be deleted
         $container->registerForAutoconfiguration(GrantTypeInterface::class)
             ->addTag('league.oauth2_server.authorization_server.grant');

tests/Acceptance/TokenEndpointTest.php

@@ -63,7 +63,7 @@ public function testSuccessfulClientCredentialsRequest(): void
         $jsonResponse = json_decode($response->getContent(), true);
 
         $this->assertSame('Bearer', $jsonResponse['token_type']);
-        $this->assertLessThanOrEqual(3600, $jsonResponse['expires_in']);
+        $this->assertLessThanOrEqual(7200, $jsonResponse['expires_in']);
         $this->assertGreaterThan(0, $jsonResponse['expires_in']);
         $this->assertNotEmpty($jsonResponse['access_token']);
         $this->assertArrayNotHasKey('refresh_token', $jsonResponse);
@@ -118,7 +118,7 @@ public function testSuccessfulPasswordRequest(): void
         $jsonResponse = json_decode($response->getContent(), true);
 
         $this->assertSame('Bearer', $jsonResponse['token_type']);
-        $this->assertLessThanOrEqual(3600, $jsonResponse['expires_in']);
+        $this->assertLessThanOrEqual(7200, $jsonResponse['expires_in']);
         $this->assertGreaterThan(0, $jsonResponse['expires_in']);
         $this->assertNotEmpty($jsonResponse['access_token']);
         $this->assertNotEmpty($jsonResponse['refresh_token']);
@@ -184,7 +184,7 @@ public function testSuccessfulRefreshTokenRequest(): void
         $jsonResponse = json_decode($response->getContent(), true);
 
         $this->assertSame('Bearer', $jsonResponse['token_type']);
-        $this->assertLessThanOrEqual(3600, $jsonResponse['expires_in']);
+        $this->assertLessThanOrEqual(7200, $jsonResponse['expires_in']);
         $this->assertGreaterThan(0, $jsonResponse['expires_in']);
         $this->assertNotEmpty($jsonResponse['access_token']);
         $this->assertNotEmpty($jsonResponse['refresh_token']);
@@ -228,7 +228,7 @@ public function testSuccessfulAuthorizationCodeRequest(): void
         $jsonResponse = json_decode($response->getContent(), true);
 
         $this->assertSame('Bearer', $jsonResponse['token_type']);
-        $this->assertLessThanOrEqual(3600, $jsonResponse['expires_in']);
+        $this->assertLessThanOrEqual(7200, $jsonResponse['expires_in']);
         $this->assertGreaterThan(0, $jsonResponse['expires_in']);
         $this->assertNotEmpty($jsonResponse['access_token']);
         $this->assertEmpty($response->headers->get('foo'), 'bar');
@@ -277,7 +277,7 @@ public function testSuccessfulAuthorizationCodeRequestWithPublicClient(): void
         $jsonResponse = json_decode($response->getContent(), true);
 
         $this->assertSame('Bearer', $jsonResponse['token_type']);
-        $this->assertLessThanOrEqual(3600, $jsonResponse['expires_in']);
+        $this->assertLessThanOrEqual(7200, $jsonResponse['expires_in']);
         $this->assertGreaterThan(0, $jsonResponse['expires_in']);
         $this->assertNotEmpty($jsonResponse['access_token']);
         $this->assertNotEmpty($jsonResponse['refresh_token']);

tests/Fixtures/FakeGrantNullAccessTokenTTL.php

@@ -0,0 +1,24 @@
+<?php
+
+declare(strict_types=1);
+
+namespace League\Bundle\OAuth2ServerBundle\Tests\Fixtures;
+
+use League\OAuth2\Server\Grant\AbstractGrant;
+use League\OAuth2\Server\Grant\GrantTypeInterface;
+use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
+use Nyholm\Psr7\Response;
+use Psr\Http\Message\ServerRequestInterface;
+
+final class FakeGrantNullAccessTokenTTL extends AbstractGrant implements GrantTypeInterface
+{
+    public function getIdentifier(): string
+    {
+        return self::class;
+    }
+
+    public function respondToAccessTokenRequest(ServerRequestInterface $request, ResponseTypeInterface $responseType, \DateInterval $accessTokenTTL): ResponseTypeInterface
+    {
+        return new Response();
+    }
+}

tests/Fixtures/FakeGrantNullAccessTokenTTLWithAttribute.php

@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace League\Bundle\OAuth2ServerBundle\Tests\Fixtures;
+
+use League\Bundle\OAuth2ServerBundle\Attribute\WithAccessTokenTTL;
+use League\OAuth2\Server\Grant\AbstractGrant;
+use League\OAuth2\Server\Grant\GrantTypeInterface;
+use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
+use Nyholm\Psr7\Response;
+use Psr\Http\Message\ServerRequestInterface;
+
+#[WithAccessTokenTTL(accessTokenTTL: null)]
+final class FakeGrantNullAccessTokenTTLWithAttribute extends AbstractGrant implements GrantTypeInterface
+{
+    public function getIdentifier(): string
+    {
+        return self::class;
+    }
+
+    public function respondToAccessTokenRequest(ServerRequestInterface $request, ResponseTypeInterface $responseType, \DateInterval $accessTokenTTL): ResponseTypeInterface
+    {
+        return new Response();
+    }
+}

tests/Fixtures/FakeGrantUndefinedAccessTokenTTL.php

@@ -0,0 +1,24 @@
+<?php
+
+declare(strict_types=1);
+
+namespace League\Bundle\OAuth2ServerBundle\Tests\Fixtures;
+
+use League\OAuth2\Server\Grant\AbstractGrant;
+use League\OAuth2\Server\Grant\GrantTypeInterface;
+use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
+use Nyholm\Psr7\Response;
+use Psr\Http\Message\ServerRequestInterface;
+
+final class FakeGrantUndefinedAccessTokenTTL extends AbstractGrant implements GrantTypeInterface
+{
+    public function getIdentifier(): string
+    {
+        return self::class;
+    }
+
+    public function respondToAccessTokenRequest(ServerRequestInterface $request, ResponseTypeInterface $responseType, \DateInterval $accessTokenTTL): ResponseTypeInterface
+    {
+        return new Response();
+    }
+}

tests/Fixtures/FakeGrantUndefinedAccessTokenTTLOnlyAutoconfigured.php

@@ -0,0 +1,24 @@
+<?php
+
+declare(strict_types=1);
+
+namespace League\Bundle\OAuth2ServerBundle\Tests\Fixtures;
+
+use League\OAuth2\Server\Grant\AbstractGrant;
+use League\OAuth2\Server\Grant\GrantTypeInterface;
+use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
+use Nyholm\Psr7\Response;
+use Psr\Http\Message\ServerRequestInterface;
+
+final class FakeGrantUndefinedAccessTokenTTLOnlyAutoconfigured extends AbstractGrant implements GrantTypeInterface
+{
+    public function getIdentifier(): string
+    {
+        return self::class;
+    }
+
+    public function respondToAccessTokenRequest(ServerRequestInterface $request, ResponseTypeInterface $responseType, \DateInterval $accessTokenTTL): ResponseTypeInterface
+    {
+        return new Response();
+    }
+}

tests/Fixtures/FakeGrantWithAttribute.php

@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace League\Bundle\OAuth2ServerBundle\Tests\Fixtures;
+
+use League\Bundle\OAuth2ServerBundle\Attribute\WithAccessTokenTTL;
+use League\OAuth2\Server\Grant\AbstractGrant;
+use League\OAuth2\Server\Grant\GrantTypeInterface;
+use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
+use Nyholm\Psr7\Response;
+use Psr\Http\Message\ServerRequestInterface;
+
+#[WithAccessTokenTTL(accessTokenTTL: 'PT5H')]
+final class FakeGrantWithAttribute extends AbstractGrant implements GrantTypeInterface
+{
+    public function getIdentifier(): string
+    {
+        return self::class;
+    }
+
+    public function respondToAccessTokenRequest(ServerRequestInterface $request, ResponseTypeInterface $responseType, \DateInterval $accessTokenTTL): ResponseTypeInterface
+    {
+        return new Response();
+    }
+}

tests/Integration/AuthorizationServerCustomGrantTest.php

@@ -5,6 +5,11 @@
 namespace League\Bundle\OAuth2ServerBundle\Tests\Integration;
 
 use League\Bundle\OAuth2ServerBundle\Tests\Fixtures\FakeGrant;
+use League\Bundle\OAuth2ServerBundle\Tests\Fixtures\FakeGrantNullAccessTokenTTL;
+use League\Bundle\OAuth2ServerBundle\Tests\Fixtures\FakeGrantNullAccessTokenTTLWithAttribute;
+use League\Bundle\OAuth2ServerBundle\Tests\Fixtures\FakeGrantUndefinedAccessTokenTTL;
+use League\Bundle\OAuth2ServerBundle\Tests\Fixtures\FakeGrantUndefinedAccessTokenTTLOnlyAutoconfigured;
+use League\Bundle\OAuth2ServerBundle\Tests\Fixtures\FakeGrantWithAttribute;
 use League\Bundle\OAuth2ServerBundle\Tests\Fixtures\FakeLegacyGrant;
 use League\OAuth2\Server\AuthorizationServer;
 use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
@@ -28,14 +33,25 @@ public function testAuthorizationServerHasOurCustomGrantEnabled(): void
         $enabledGrantTypes = $reflectionProperty->getValue($authorizationServer);
         $grantTypeAccessTokenTTL = $reflectionTTLProperty->getValue($authorizationServer);
 
-        $this->assertArrayHasKey('fake_grant', $enabledGrantTypes);
-        $this->assertInstanceOf(FakeGrant::class, $enabledGrantTypes['fake_grant']);
-        $this->assertArrayHasKey('fake_grant', $grantTypeAccessTokenTTL);
-        $this->assertEquals(new \DateInterval('PT5H'), $grantTypeAccessTokenTTL['fake_grant']);
+        $this->assertGrantConfig('fake_grant', new \DateInterval('PT5H'), $enabledGrantTypes, $grantTypeAccessTokenTTL, FakeGrant::class);
+        $this->assertGrantConfig(FakeGrantNullAccessTokenTTL::class, new \DateInterval('PT1H'), $enabledGrantTypes, $grantTypeAccessTokenTTL);
+        $this->assertGrantConfig(FakeGrantUndefinedAccessTokenTTL::class, new \DateInterval('PT2H'), $enabledGrantTypes, $grantTypeAccessTokenTTL);
+
+        $this->assertGrantConfig(FakeGrantWithAttribute::class, new \DateInterval('PT5H'), $enabledGrantTypes, $grantTypeAccessTokenTTL);
+        $this->assertGrantConfig(FakeGrantNullAccessTokenTTLWithAttribute::class, new \DateInterval('PT1H'), $enabledGrantTypes, $grantTypeAccessTokenTTL);
+        $this->assertGrantConfig(FakeGrantUndefinedAccessTokenTTLOnlyAutoconfigured::class, new \DateInterval('PT2H'), $enabledGrantTypes, $grantTypeAccessTokenTTL);
 
         // TODO remove code bloc when bundle interface and configurator will be deleted
-        $this->assertArrayHasKey('fake_legacy_grant', $enabledGrantTypes);
-        $this->assertInstanceOf(FakeLegacyGrant::class, $enabledGrantTypes['fake_legacy_grant']);
-        $this->assertEquals(new \DateInterval('PT5H'), $enabledGrantTypes['fake_legacy_grant']->getAccessTokenTTL());
+        $this->assertGrantConfig('fake_legacy_grant', new \DateInterval('PT5H'), $enabledGrantTypes, $grantTypeAccessTokenTTL, FakeLegacyGrant::class);
+    }
+
+    private function assertGrantConfig(string $grantId, \DateInterval|null $accessTokenTTL, array $enabledGrantTypes, array $grantTypeAccessTokenTTL, string|null $grantClass = null): void
+    {
+        $grantClass ??= $grantId;
+
+        $this->assertArrayHasKey($grantId, $enabledGrantTypes);
+        $this->assertInstanceOf($grantClass, $enabledGrantTypes[$grantId]);
+        $this->assertArrayHasKey($grantId, $grantTypeAccessTokenTTL);
+        $this->assertEquals($accessTokenTTL, $grantTypeAccessTokenTTL[$grantId]);
     }
 }