[11.x] Support prompting login when redirecting for authorization (#1577)

* Support prompting login when redirecting for authorization

* use fragment on redirect uri for implicit grant

* bind StatefulGuard

* formatting

Co-authored-by: Taylor Otwell <[email protected]>

Author: hafezdivandari

routes/web.php

@@ -8,17 +8,18 @@
     'middleware' => 'throttle',
 ]);
 
+Route::get('/authorize', [
+    'uses' => 'AuthorizationController@authorize',
+    'as' => 'authorizations.authorize',
+    'middleware' => 'web',
+]);
+
 Route::middleware(['web', 'auth'])->group(function () {
     Route::post('/token/refresh', [
         'uses' => 'TransientTokenController@refresh',
         'as' => 'token.refresh',
     ]);
 
-    Route::get('/authorize', [
-        'uses' => 'AuthorizationController@authorize',
-        'as' => 'authorizations.authorize',
-    ]);
-
     Route::post('/authorize', [
         'uses' => 'ApproveAuthorizationController@approve',
         'as' => 'authorizations.approve',

src/Http/Controllers/AuthorizationController.php

@@ -2,6 +2,8 @@
 
 namespace Laravel\Passport\Http\Controllers;
 
+use Illuminate\Auth\AuthenticationException;
+use Illuminate\Contracts\Auth\StatefulGuard;
 use Illuminate\Contracts\Routing\ResponseFactory;
 use Illuminate\Http\Request;
 use Illuminate\Support\Str;
@@ -10,6 +12,7 @@
 use Laravel\Passport\Passport;
 use Laravel\Passport\TokenRepository;
 use League\OAuth2\Server\AuthorizationServer;
+use League\OAuth2\Server\Exception\OAuthServerException;
 use Nyholm\Psr7\Response as Psr7Response;
 use Psr\Http\Message\ServerRequestInterface;
 
@@ -31,17 +34,28 @@ class AuthorizationController
      */
     protected $response;
 
+    /**
+     * The guard implementation.
+     *
+     * @var \Illuminate\Contracts\Auth\StatefulGuard
+     */
+    protected $guard;
+
     /**
      * Create a new controller instance.
      *
      * @param  \League\OAuth2\Server\AuthorizationServer  $server
      * @param  \Illuminate\Contracts\Routing\ResponseFactory  $response
+     * @param  \Illuminate\Contracts\Auth\StatefulGuard  $guard
      * @return void
      */
-    public function __construct(AuthorizationServer $server, ResponseFactory $response)
+    public function __construct(AuthorizationServer $server,
+                                ResponseFactory $response,
+                                StatefulGuard $guard)
     {
         $this->server = $server;
         $this->response = $response;
+        $this->guard = $guard;
     }
 
     /**
@@ -62,6 +76,23 @@ public function authorize(ServerRequestInterface $psrRequest,
             return $this->server->validateAuthorizationRequest($psrRequest);
         });
 
+        if ($this->guard->guest()) {
+            return $request->get('prompt') === 'none'
+                    ? $this->denyRequest($authRequest)
+                    : $this->promptForLogin($request);
+        }
+
+        if ($request->get('prompt') === 'login' &&
+            ! $request->session()->get('promptedForLogin', false)) {
+            $this->guard->logout();
+            $request->session()->invalidate();
+            $request->session()->regenerateToken();
+
+            return $this->promptForLogin($request);
+        }
+
+        $request->session()->forget('promptedForLogin');
+
         $scopes = $this->parseScopes($authRequest);
         $user = $request->user();
         $client = $clients->find($authRequest->getClient()->getIdentifier());
@@ -142,11 +173,26 @@ protected function approveRequest($authRequest, $user)
      * Deny the authorization request.
      *
      * @param  \League\OAuth2\Server\RequestTypes\AuthorizationRequest  $authRequest
-     * @param  \Illuminate\Database\Eloquent\Model  $user
+     * @param  \Illuminate\Database\Eloquent\Model|null  $user
      * @return \Illuminate\Http\Response
      */
-    protected function denyRequest($authRequest, $user)
+    protected function denyRequest($authRequest, $user = null)
     {
+        if (is_null($user)) {
+            $uri = $authRequest->getRedirectUri()
+                ?? (is_array($authRequest->getClient()->getRedirectUri())
+                    ? $authRequest->getClient()->getRedirectUri()[0]
+                    : $authRequest->getClient()->getRedirectUri());
+
+            $separator = $authRequest->getGrantTypeId() === 'implicit' ? '#' : '?';
+
+            $uri = $uri.(str_contains($uri, $separator) ? '&' : $separator).'state='.$authRequest->getState();
+
+            return $this->withErrorHandling(function () use ($uri) {
+                throw OAuthServerException::accessDenied('Unauthenticated', $uri);
+            });
+        }
+
         $authRequest->setUser(new User($user->getAuthIdentifier()));
 
         $authRequest->setAuthorizationApproved(false);
@@ -157,4 +203,18 @@ protected function denyRequest($authRequest, $user)
             );
         });
     }
+
+    /**
+     * Prompt the user to login by throwing an AuthenticationException.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     *
+     * @throws \Illuminate\Auth\AuthenticationException
+     */
+    protected function promptForLogin($request)
+    {
+        $request->session()->put('promptedForLogin', true);
+
+        throw new AuthenticationException;
+    }
 }

src/PassportServiceProvider.php

@@ -5,6 +5,7 @@
 use DateInterval;
 use Illuminate\Auth\Events\Logout;
 use Illuminate\Config\Repository as Config;
+use Illuminate\Contracts\Auth\StatefulGuard;
 use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Cookie;
 use Illuminate\Support\Facades\Event;
@@ -14,6 +15,7 @@
 use Laravel\Passport\Bridge\PersonalAccessGrant;
 use Laravel\Passport\Bridge\RefreshTokenRepository;
 use Laravel\Passport\Guards\TokenGuard;
+use Laravel\Passport\Http\Controllers\AuthorizationController;
 use Lcobucci\JWT\Configuration;
 use Lcobucci\JWT\Parser;
 use League\OAuth2\Server\AuthorizationServer;
@@ -134,6 +136,10 @@ public function register()
 
         Passport::setClientUuids($this->app->make(Config::class)->get('passport.client_uuids', false));
 
+        $this->app->when(AuthorizationController::class)
+                ->needs(StatefulGuard::class)
+                ->give(fn () => Auth::guard(config('passport.guard', null)));
+
         $this->registerAuthorizationServer();
         $this->registerClientRepository();
         $this->registerJWTParser();