Added 5.0.0-RC1 release notes

prevent double persist of token when doing refresh grant

.gitattributes

@@ -0,0 +1,13 @@
+* text=auto
+
+/examples export-ignore
+/tests export-ignore
+/.gitattributes export-ignore
+/.gitignore export-ignore
+/.travis.yml export-ignore
+.travis.yml export-ignore
+.scrutinizer.yml export-ignore
+/phpunit.xml.dist export-ignore
+/CHANGELOG.md export-ignore
+/CONTRIBUTING.md export-ignore
+/README.md export-ignore

.gitignore

@@ -1,5 +1,8 @@
-/vendor/
+/vendor
 /composer.lock
-/docs/build/
-/build/logs/
-/build/coverage/
+phpunit.xml
+.idea
+/examples/vendor
+examples/public.key
+examples/private.key
+build

.scrutinizer.yml

@@ -0,0 +1,37 @@
+filter:
+    excluded_paths:
+        - tests/*
+        - vendor/*
+        - examples/*
+checks:
+    php:
+        code_rating: true
+        remove_extra_empty_lines: true
+        remove_php_closing_tag: true
+        remove_trailing_whitespace: true
+        fix_use_statements:
+            remove_unused: true
+            preserve_multiple: false
+            preserve_blanklines: true
+            order_alphabetically: true
+        fix_php_opening_tag: true
+        fix_linefeed: true
+        fix_line_ending: true
+        fix_identation_4spaces: true
+        fix_doc_comments: true
+tools:
+    external_code_coverage:
+        timeout: 600
+        runs: 3
+    php_code_coverage: false
+    php_code_sniffer:
+        config:
+            standard: PSR2
+        filter:
+            paths: ['src']
+    php_loc:
+        enabled: true
+        excluded_dirs: [vendor, tests, examples]
+    php_cpd:
+        enabled: true
+        excluded_dirs: [vendor, tests, examples]

.styleci.yml

@@ -0,0 +1,53 @@
+preset: psr2
+
+enabled:
+  - binary_operator_spaces
+  - blank_line_before_return
+  - concat_with_spaces
+  - function_typehint_space
+  - hash_to_slash_comment
+  - include
+  - lowercase_cast
+  - method_separation
+  - native_function_casing
+  - no_blank_lines_after_class_opening
+  - no_blank_lines_between_uses
+  - no_duplicate_semicolons
+  - no_leading_import_slash
+  - no_leading_namespace_whitespace
+  - no_multiline_whitespace_before_semicolons
+  - no_php4_constructor
+  - no_short_bool_cast
+  - no_singleline_whitespace_before_semicolons
+  - no_trailing_comma_in_singleline_array
+  - no_unreachable_default_argument_value
+  - no_unused_imports
+  - no_whitespace_before_comma_in_array
+  - ordered_imports
+  - phpdoc_align
+  - phpdoc_indent
+  - phpdoc_inline_tag
+  - phpdoc_no_access
+  - phpdoc_no_simplified_null_return
+  - phpdoc_order
+  - phpdoc_property
+  - phpdoc_scalar
+  - phpdoc_separation
+  - phpdoc_to_comment
+  - phpdoc_trim
+  - phpdoc_type_to_var
+  - phpdoc_types
+  - phpdoc_var_without_name
+  - print_to_echo
+  - short_array_syntax
+  - short_scalar_cast
+  - simplified_null_return
+  - single_quote
+  - spaces_cast
+  - standardize_not_equal
+  - ternary_operator_spaces
+  - trailing_comma_in_multiline_array
+  - trim_array_spaces
+  - unary_operator_spaces
+  - whitespace_after_comma_in_array
+  - whitespacy_lines

.travis.yml

@@ -0,0 +1,24 @@
+language: php
+
+sudo: false
+
+cache:
+  directories:
+  - vendor
+
+php:
+  - 5.5
+  - 5.6
+  - 7.0
+  - hhvm
+
+install:
+  - travis_retry composer install --no-interaction --prefer-source
+
+script:
+  - vendor/bin/phpunit
+
+branches:
+  only:
+    - master
+    - V5-WIP

CHANGELOG.md

@@ -0,0 +1,226 @@
+# Changelog
+
+## 5.0.0-RC1 (release 2016-03-24)
+
+Version 5 is a complete code rewrite.
+
+* JWT support
+* PSR-7 support
+* Improved exception errors
+* Replace all occurrences of the term "Storage" with "Repository"
+* Simplify repositories
+* Entities conform to interfaces and use traits
+* Auth code grant updated
+    * Allow support for public clients
+    * Add support for #439
+* Client credentials grant updated
+* Password grant updated
+    * Allow support for public clients
+* Refresh token grant updated
+* Implement Implicit grant
+* Bearer token output type
+* Remove MAC token output type
+* Authorization server rewrite
+* Resource server class moved to PSR-7 middleware
+* Tests
+* Much much better documentation
+
+## 4.1.5 (released 2016-01-04)
+
+* Enable Symfony 3.0 support (#412)
+
+## 4.1.4 (released 2015-11-13)
+
+* Fix for determining access token in header (Issue #328)
+* Refresh tokens are now returned for MAC responses (Issue #356)
+* Added integration list to readme (Issue #341)
+* Expose parameter passed to exceptions (Issue #345)
+* Removed duplicate routing setup code (Issue #346)
+* Docs fix (Issues #347, #360, #380)
+* Examples fix (Issues #348, #358)
+* Fix typo in docblock (Issue #352)
+* Improved timeouts for MAC tokens (Issue #364)
+* `hash_hmac()` should output raw binary data, not hexits (Issue #370)
+* Improved regex for matching all Base64 characters (Issue #371)
+* Fix incorrect signature parameter (Issue #372)
+* AuthCodeGrant and RefreshTokenGrant don't require client_secret (Issue #377)
+* Added priority argument to event listener (Issue #388)
+
+## 4.1.3 (released 2015-03-22)
+
+* Docblock, namespace and inconsistency fixes (Issue #303)
+* Docblock type fix (Issue #310)
+* Example bug fix (Issue #300)
+* Updated league/event to ~2.1 (Issue #311)
+* Fixed missing session scope (Issue #319)
+* Updated interface docs (Issue #323)
+* `.travis.yml` updates
+
+## 4.1.2 (released 2015-01-01)
+
+* Remove side-effects in hash_equals() implementation (Issue #290)
+
+## 4.1.1 (released 2014-12-31)
+
+* Changed `symfony/http-foundation` dependency version to `~2.4` so package can be installed in Laravel `4.1.*`
+
+## 4.1.0 (released 2014-12-27)
+
+* Added MAC token support (Issue #158)
+* Fixed example init code (Issue #280)
+* Toggle refresh token rotation (Issue #286)
+* Docblock fixes
+
+## 4.0.5 (released 2014-12-15)
+
+* Prevent duplicate session in auth code grant (Issue #282)
+
+## 4.0.4 (released 2014-12-03)
+
+* Ensure refresh token hasn't expired (Issue #270)
+
+## 4.0.3 (released 2014-12-02)
+
+* Fix bad type hintings (Issue #267)
+* Do not forget to set the expire time (Issue #268)
+
+## 4.0.2 (released 2014-11-21)
+
+* Improved interfaces (Issue #255)
+* Learnt how to spell delimiter and so `getScopeDelimiter()` and `setScopeDelimiter()` methods have been renamed
+* Docblock improvements (Issue #254)
+
+## 4.0.1 (released 2014-11-09)
+
+* Alias the master branch in composer.json (Issue #243)
+* Numerous PHP CodeSniffer fixes (Issue #244)
+* .travis.yml update (Issue #245)
+* The getAccessToken method should return an AccessTokenEntity object instead of a string in ResourceServer.php (#246)
+
+## 4.0.0 (released 2014-11-08)
+
+* Complete rewrite
+* Check out the documentation - [http://oauth2.thephpleague.com](http://oauth2.thephpleague.com)
+
+## 3.2.0 (released 2014-04-16)
+
+* Added the ability to change the algorithm that is used to generate the token strings (Issue #151)
+
+## 3.1.2 (released 2014-02-26)
+
+* Support Authorization being an environment variable. [See more](http://fortrabbit.com/docs/essentials/quirks-and-constraints#authorization-header)
+
+## 3.1.1 (released 2013-12-05)
+
+* Normalize headers when `getallheaders()` is available (Issues #108 and #114)
+
+## 3.1.0 (released 2013-12-05)
+
+* No longer necessary to inject the authorisation server into a grant, the server will inject itself
+* Added test for 1419ba8cdcf18dd034c8db9f7de86a2594b68605
+
+## 3.0.1 (released 2013-12-02)
+
+* Forgot to tell TravisCI from testing PHP 5.3
+
+## 3.0.0 (released 2013-12-02)
+
+* Fixed spelling of Implicit grant class (Issue #84)
+* Travis CI now tests for PHP 5.5
+* Fixes for checking headers for resource server (Issues #79 and #)
+* The word "bearer" now has a capital "B" in JSON output to match OAuth 2.0 spec
+* All grants no longer remove old sessions by default
+* All grants now support custom access token TTL (Issue #92)
+* All methods which didn't before return a value now return `$this` to support method chaining
+* Removed the build in DB providers - these will be put in their own repos to remove baggage in the main repository
+* Removed support for PHP 5.3 because this library now uses traits and will use other modern PHP features going forward
+* Moved some grant related functions into a trait to reduce duplicate code
+
+## 2.1.1 (released 2013-06-02)
+
+* Added conditional `isValid()` flag to check for Authorization header only (thanks @alexmcroberts)
+* Fixed semantic meaning of `requireScopeParam()` and `requireStateParam()` by changing their default value to true
+* Updated some duff docblocks
+* Corrected array key call in Resource.php (Issue #63)
+
+## 2.1 (released 2013-05-10)
+
+* Moved zetacomponents/database to "suggest" in composer.json. If you rely on this feature you now need to include " zetacomponents/database" into "require" key in your own composer.json. (Issue #51)
+* New method in Refresh grant called `rotateRefreshTokens()`. Pass in `true` to issue a new refresh token each time an access token is refreshed. This parameter needs to be set to true in order to request reduced scopes with the new access token. (Issue #47)
+* Rename `key` column in oauth_scopes table to `scope` as `key` is a reserved SQL word. (Issue #45)
+* The `scope` parameter is no longer required by default as per the RFC. (Issue #43)
+* You can now set multiple default scopes by passing an array into `setDefaultScope()`. (Issue #42)
+* The password and client credentials grants now allow for multiple sessions per user. (Issue #32)
+* Scopes associated to authorization codes are not held in their own table (Issue #44)
+* Database schema updates.
+
+## 2.0.5 (released 2013-05-09)
+
+* Fixed `oauth_session_token_scopes` table primary key
+* Removed `DEFAULT ''` that has slipped into some tables
+* Fixed docblock for `SessionInterface::associateRefreshToken()`
+
+## 2.0.4 (released 2013-05-09)
+
+* Renamed primary key in oauth_client_endpoints table
+* Adding missing column to oauth_session_authcodes
+* SECURITY FIX: A refresh token should be bound to a client ID
+
+## 2.0.3 (released 2013-05-08)
+
+* Fixed a link to code in composer.json
+
+## 2.0.2 (released 2013-05-08)
+
+* Updated README with wiki guides
+* Removed `null` as default parameters in some methods in the storage interfaces
+* Fixed license copyright
+
+## 2.0.0 (released 2013-05-08)
+
+**If you're upgrading from v1.0.8 there are lots of breaking changes**
+
+* Rewrote the session storage interface from scratch so methods are more obvious
+* Included a PDO driver which implements the storage interfaces so the library is more "get up and go"
+* Further normalised the database structure so all sessions no longer contain infomation related to authorization grant (which may or may not be enabled)
+* A session can have multiple associated access tokens
+* Individual grants can have custom expire times for access tokens
+* Authorization codes now have a TTL of 10 minutes by default (can be manually set)
+* Refresh tokens now have a TTL of one week by default (can be manually set)
+* The client credentials grant will no longer gives out refresh tokens as per the specification
+
+## 1.0.8 (released 2013-03-18)
+
+* Fixed check for required state parameter
+* Fixed check that user's credentials are correct in Password grant
+
+## 1.0.7 (released 2013-03-04)
+
+* Added method `requireStateParam()`
+* Added method `requireScopeParam()`
+
+## 1.0.6 (released 2013-02-22)
+
+* Added links to tutorials in the README
+* Added missing `state` parameter request to the `checkAuthoriseParams()` method.
+
+## 1.0.5 (released 2013-02-21)
+
+* Fixed the SQL example for SessionInterface::getScopes()
+
+## 1.0.3 (released 2013-02-20)
+
+* Changed all instances of the "authentication server" to "authorization server"
+
+## 1.0.2 (released 2013-02-20)
+
+* Fixed MySQL create table order
+* Fixed version number in composer.json
+
+## 1.0.1 (released 2013-02-19)
+
+* Updated AuthServer.php to use `self::getParam()`
+
+## 1.0.0 (released 2013-02-15)
+
+* First major release

CONDUCT.md

@@ -0,0 +1,22 @@
+# Contributor Code of Conduct
+
+As contributors and maintainers of this project, and in the interest of fostering an open and welcoming community, we pledge to respect all people who contribute through reporting issues, posting feature requests, updating documentation, submitting pull requests or patches, and other activities.
+
+We are committed to making participation in this project a harassment-free experience for everyone, regardless of level of experience, gender, gender identity and expression, sexual orientation, disability, personal appearance, body size, race, ethnicity, age, religion, or nationality.
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery
+* Personal attacks
+* Trolling or insulting/derogatory comments
+* Public or private harassment
+* Publishing other's private information, such as physical or electronic addresses, without explicit permission
+* Other unethical or unprofessional conduct.
+
+Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct. By adopting this Code of Conduct, project maintainers commit themselves to fairly and consistently applying these principles to every aspect of managing this project. Project maintainers who do not follow or enforce the Code of Conduct may be permanently removed from the project team.
+
+This code of conduct applies both within project spaces and in public spaces when an individual is representing the project or its community in a direct capacity. Personal views, beliefs and values of individuals do not necessarily reflect those of the organisation or affiliated individuals and organisations.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by opening an issue or contacting one or more of the project maintainers.
+
+This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), version 1.2.0, available at [http://contributor-covenant.org/version/1/2/0/](http://contributor-covenant.org/version/1/2/0/)

CONTRIBUTING.md

@@ -0,0 +1,15 @@
+Thanks for contributing to this project.
+
+
+**Please submit your pull request against the `develop` branch only.**
+
+
+Please ensure that you run `phpunit` from the project root after you've made any changes.
+
+If you've added something new please create a new unit test, if you've changed something please update any unit tests as appropritate.
+
+We're trying to ensure there is **100%** test code coverage (including testing PHP errors and exceptions) so please ensure any new/updated tests cover all of your changes.
+
+Thank you,
+
+@alexbilbie

LICENSE

@@ -1,20 +1,20 @@
 MIT License
 
-Copyright (C) 2012 University of Lincoln
+Copyright (C) Alex Bilbie
 
-Permission is hereby granted, free of charge, to any person obtaining a copy of 
-this software and associated documentation files (the "Software"), to deal in 
-the Software without restriction, including without limitation the rights to 
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
 use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
 the Software, and to permit persons to whom the Software is furnished to do so,
 subject to the following conditions:
 
-The above copyright notice and this permission notice shall be included in all 
+The above copyright notice and this permission notice shall be included in all
 copies or substantial portions of the Software.
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR 
-COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -1,43 +1,71 @@
-# PHP OAuth Framework
+# PHP OAuth 2.0 Server by [@alexbilbie](https://twitter.com/alexbilbie)
 
-The goal of this project is to develop a standards compliant [OAuth 2](http://tools.ietf.org/wg/oauth/draft-ietf-oauth-v2/) authentication server, resource server and client library with support for a major OAuth 2 providers.
+[![Latest Version](http://img.shields.io/packagist/v/league/oauth2-server.svg?style=flat-square)](https://github.com/thephpleague/oauth2-server/releases)
+[![Software License](https://img.shields.io/badge/license-MIT-brightgreen.svg?style=flat-square)](LICENSE.md)
+[![Build Status](https://img.shields.io/travis/thephpleague/oauth2-server/master.svg?style=flat-square)](https://travis-ci.org/thephpleague/oauth2-server)
+[![Coverage Status](https://img.shields.io/scrutinizer/coverage/g/thephpleague/oauth2-server.svg?style=flat-square)](https://scrutinizer-ci.com/g/thephpleague/oauth2-server/code-structure)
+[![Quality Score](https://img.shields.io/scrutinizer/g/thephpleague/oauth2-server.svg?style=flat-square)](https://scrutinizer-ci.com/g/thephpleague/oauth2-server)
+[![Total Downloads](https://img.shields.io/packagist/dt/league/oauth2-server.svg?style=flat-square)](https://packagist.org/packages/league/oauth2-server)
 
-## Package Installation
+`league/oauth2-server` is a a standards compliant implementation of an [OAuth 2.0](https://tools.ietf.org/html/rfc6749) authorization server written in PHP which makes working with OAuth 2.0 trivial. You can easily configure an OAuth 2.0 server to protect your API with access tokens, or allow clients to request new access tokens and refresh them.
 
-The framework is provided as a Composer package which can be installed by adding the package to your composer.json file:
+It supports out of the box the following grants:
 
-```javascript
-{
-	"require": {  
-		"lncd\Oauth2": "*"  
-	}
-}
-```
+* Authorization code grant
+* Implicit grant
+* Client credentials grant
+* Resource owner password credentials grant
+* Refresh grant
 
-## Package Integration
+You can also easily define your own grants.
 
-Check out the [wiki](https://github.com/lncd/OAuth2/wiki)
+In addition it supports the following token response types:
 
-## Current Features
+* Bearer (JWT) tokens
+* MAC tokens
 
-### Authentication Server
+You can also create you own tokens.
 
-The authentication server is a flexible class that supports the standard authorization code grant.
+## Requirements
 
-### Resource Server
+The following versions of PHP are supported:
 
-The resource server allows you to secure your API endpoints by checking for a valid OAuth access token in the request and ensuring the token has the correct permission to access resources.
+* PHP 5.5 (>=5.5.9)
+* PHP 5.6
+* PHP 7.0
+* HHVM
 
+## Documentation
 
+The library documentation can be found at [http://oauth2.thephpleague.com](http://oauth2.thephpleague.com). 
+You can contribute to this documentation in the [gh-pages branch](https://github.com/thephpleague/oauth2-server/tree/gh-pages/).
 
+## Changelog
 
-## Future Goals
+[See the project releases page](https://github.com/thephpleague/oauth2-server/releases)
 
-### Authentication Server
+## Contributing
 
-* Support for [JSON web tokens](http://tools.ietf.org/wg/oauth/draft-ietf-oauth-json-web-token/).
-* Support for [SAML assertions](http://tools.ietf.org/wg/oauth/draft-ietf-oauth-saml2-bearer/).
+Please see [CONTRIBUTING.md](https://github.com/thephpleague/oauth2-server/blob/master/CONTRIBUTING.md) and [CONDUCT.md](https://github.com/thephpleague/oauth2-server/blob/master/CONDUCT.md) for details.
 
----
+## Support
 
-This code will be developed as part of the [Linkey](http://linkey.blogs.lincoln.ac.uk) project which has been funded by [JISC](http://jisc.ac.uk) under the Access and Identity Management programme.
+Bugs and feature request are tracked on [GitHub](https://github.com/thephpleague/oauth2-server/issues).
+
+If you have any questions about OAuth _please_ open a ticket here; please **don't** email the address below.
+
+## Security
+
+If you discover any security related issues, please email hello@alexbilbie.com instead of using the issue tracker.
+
+## License
+
+This package is released under the MIT License. See the bundled [LICENSE](https://github.com/thephpleague/oauth2-server/blob/master/LICENSE) file for details.
+
+## Credits
+
+This code is principally developed and maintained by [Alex Bilbie](https://twitter.com/alexbilbie).
+
+Special thanks to [all of these awesome contributors](https://github.com/thephpleague/oauth2-server/contributors)
+
+The initial code was developed as part of the [Linkey](http://linkey.blogs.lincoln.ac.uk) project which was funded by [JISC](http://jisc.ac.uk) under the Access and Identity Management programme.

build.xml

@@ -1,142 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project name="PHP OAuth 2.0 Server" default="build">
-
-	<target name="build" depends="prepare,lint,phploc,pdepend,phpmd-ci,phpcs-ci,phpcpd,composer,phpunit,phpdox,phpcb"/>
-	
-	<target name="build-parallel" depends="prepare,lint,tools-parallel,phpcb"/>
-	
-	<target name="minimal" depends="prepare,lint,phploc,pdepend,phpcpd,composer,phpunit,phpdox,phpcb" />
-	
-	<target name="tools-parallel" description="Run tools in parallel">
-		<parallel threadCount="2">
-			<sequential>
-				<antcall target="pdepend"/>
-				<antcall target="phpmd-ci"/>
-			</sequential>
-			<antcall target="phpcpd"/>
-			<antcall target="phpcs-ci"/>
-			<antcall target="phploc"/>
-			<antcall target="phpdox"/>
-		</parallel>
-	</target>
-	
-	<target name="clean" description="Cleanup build artifacts">
-		<delete dir="${basedir}/build/api"/>
-		<delete dir="${basedir}/build/code-browser"/>
-		<delete dir="${basedir}/build/coverage"/>
-		<delete dir="${basedir}/build/logs"/>
-		<delete dir="${basedir}/build/pdepend"/>
-	</target>
-	
-	<target name="prepare" depends="clean" description="Prepare for build">
-		<mkdir dir="${basedir}/build/api"/>
-		<mkdir dir="${basedir}/build/code-browser"/>
-		<mkdir dir="${basedir}/build/coverage"/>
-		<mkdir dir="${basedir}/build/logs"/>
-		<mkdir dir="${basedir}/build/pdepend"/>
-		<mkdir dir="${basedir}/build/phpdox"/>
-	</target>
-	
-	<target name="lint">
-		<apply executable="php" failonerror="true">
-			<arg value="-l" />
-			
-			<fileset dir="${basedir}/src">
-				<include name="**/*.php" />
-				<modified />
-			</fileset>
-		</apply>
-	</target>
-	
-	<target name="phploc" description="Measure project size using PHPLOC">
-		<exec executable="phploc">
-			<arg value="--log-csv" />
-			<arg value="${basedir}/build/logs/phploc.csv" />
-			<arg path="${basedir}/src" />
-		</exec>
-	</target>
-	
-	<target name="pdepend" description="Calculate software metrics using PHP_Depend">
-		<exec executable="pdepend">
-			<arg value="--jdepend-xml=${basedir}/build/logs/jdepend.xml" />
-			<arg value="--jdepend-chart=${basedir}/build/pdepend/dependencies.svg" />
-			<arg value="--overview-pyramid=${basedir}/build/pdepend/overview-pyramid.svg" />
-			<arg path="${basedir}/src" />
-		</exec>
-	</target>
-	
-	<target name="phpmd" description="Perform project mess detection using PHPMD and print human readable output. Intended for usage on the command line before committing.">
-		<exec executable="phpmd">
-			<arg path="${basedir}/src" />
-			<arg value="text" />
-			<arg value="${basedir}/build/phpmd.xml" />
-		</exec>
-	</target>
-	
-	<target name="phpmd-ci" description="Perform project mess detection using PHPMD creating a log file for the continuous integration server">
-		<exec executable="phpmd">
-			<arg path="${basedir}/src" />
-			<arg value="xml" />
-			<arg value="${basedir}/build/phpmd.xml" />
-			<arg value="--reportfile" />
-			<arg value="${basedir}/build/logs/pmd.xml" />
-		</exec>
-	</target>
-	
-	<target name="phpcs" description="Find coding standard violations using PHP_CodeSniffer and print human readable output. Intended for usage on the command line before committing.">
-		<exec executable="phpcs">
-			<arg value="--standard=${basedir}/build/phpcs.xml" />
-			<arg value="--extensions=php" />
-			<arg value="--ignore=third_party/CIUnit" />
-			<arg path="${basedir}/src" />
-		</exec>
-	</target>
-	
-	<target name="phpcs-ci" description="Find coding standard violations using PHP_CodeSniffer creating a log file for the continuous integration server">
-		<exec executable="phpcs" output="/dev/null">
-			<arg value="--report=checkstyle" />
-			<arg value="--report-file=${basedir}/build/logs/checkstyle.xml" />
-			<arg value="--standard=${basedir}/build/phpcs.xml" />
-			<arg value="--extensions=php" />
-			<arg value="--ignore=third_party/CIUnit" />
-			<arg path="${basedir}/src" />
-		</exec>
-	</target>
-	
-	<target name="phpcpd" description="Find duplicate code using PHPCPD">
-		<exec executable="phpcpd">
-			<arg value="--log-pmd" />
-			<arg value="${basedir}/build/logs/pmd-cpd.xml" />
-			<arg path="${basedir}/src" />
-		</exec>
-	</target>
-
-	<target name="composer" description="Install Composer requirements">
-		<exec executable="composer.phar" failonerror="true">
-			<arg value="install" />
-			<arg value="--dev" />
-		</exec>
-	</target>
-
-	<target name="phpunit" description="Run unit tests with PHPUnit">
-		<exec executable="${basedir}/vendor/bin/phpunit" failonerror="true">
-			<arg value="--configuration" />
-			<arg value="${basedir}/build/phpunit.xml" />
-		</exec>
-	</target>
-	
-	<target name="phpdox" description="Generate API documentation using phpDox">
-		<exec executable="phpdox"/>
-	</target>
-	
-	<target name="phpcb" description="Aggregate tool output with PHP_CodeBrowser">
-		<exec executable="phpcb">
-			<arg value="--log" />
-			<arg path="${basedir}/build/logs" />
-			<arg value="--source" />
-			<arg path="${basedir}/src" />
-			<arg value="--output" />
-			<arg path="${basedir}/build/code-browser" />
-		</exec>
-	</target>
-</project>

build/phpcs.xml

@@ -1,8 +0,0 @@
-<?xml version="1.0"?>
-<ruleset name="PHP_CodeSniffer">
-
-	<description>PHP_CodeSniffer configuration</description>
-
-	<rule ref="PSR2"/>
-
-</ruleset>

build/phpmd.xml

@@ -1,14 +0,0 @@
-<ruleset name="OAuth 2.0 Server"
-	xmlns="http://pmd.sf.net/ruleset/1.0.0"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xsi:schemaLocation="http://pmd.sf.net/ruleset/1.0.0
-		http://pmd.sf.net/ruleset_xml_schema.xsd"
-	xsi:noNamespaceSchemaLocation="http://pmd.sf.net/ruleset_xml_schema.xsd">
-
-	<description>
-		Ruleset for OAuth 2.0 server
-	</description>
-
-	<!-- Import the entire unused code rule set -->
-	<rule ref="rulesets/unusedcode.xml" />
-</ruleset>

build/phpunit.xml

@@ -1,23 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<phpunit colors="true" convertNoticesToExceptions="true" convertWarningsToExceptions="true" stopOnError="false" stopOnFailure="false" stopOnIncomplete="false" stopOnSkipped="false">
-	<testsuites>
-		<testsuite name="Authentication Server">
-			<directory suffix="test.php">../tests/authentication</directory>
-		</testsuite>
-		<testsuite name="Resource Server">
-			<directory suffix="test.php">../tests/resource</directory>
-		</testsuite>
-	</testsuites>
-	<filter>
-		<blacklist>
-			<directory suffix=".php">PEAR_INSTALL_DIR</directory>
-			<directory suffix=".php">PHP_LIBDIR</directory>
-			<directory suffix=".php">../vendor/composer</directory>
-		</blacklist>
-	</filter>
-	<logging>
-		<log type="coverage-html" target="coverage" title="lncd/OAuth" charset="UTF-8" yui="true" highlight="true" lowUpperBound="35" highLowerBound="70"/>
-		<log type="coverage-clover" target="logs/clover.xml"/>
-		<log type="junit" target="logs/junit.xml" logIncompleteSkipped="false"/>
-	</logging>
-</phpunit>

composer.json

@@ -1,40 +1,73 @@
 {
-	"name": "lncd/Oauth2",
-	"description": "OAuth 2.0 Framework",
-	"version": "0.2.1",
-	"homepage": "https://github.com/lncd/OAuth2",
-	"license": "MIT",
-	"require": {
-		"php": ">=5.3.0"
-	},
-	"require-dev": {
-		"EHER/PHPUnit": "*"
-	},
-	"repositories": [
-		{
-			"type": "git",
-			"url": "https://github.com/lncd/OAuth2"
-		}
-	],
-	"keywords": [
-		"oauth",
-		"oauth2",
-		"server",
-		"authorization",
-		"authentication",
-		"resource"
-	],
-	"authors": [
-		{
-			"name": "Alex Bilbie",
-			"email": "oauth2server@alexbilbie.com",
-			"homepage": "http://www.httpster.org",
-			"role": "Developer"
-		}
-	],
-	"autoload": {
-		"psr-0": {
-			"Oauth2": "src/"
-		}
-	}
-}
+    "name": "league/oauth2-server",
+    "description": "A lightweight and powerful OAuth 2.0 authorization and resource server library with support for all the core specification grants. This library will allow you to secure your API with OAuth and allow your applications users to approve apps that want to access their data from your API.",
+    "homepage": "http://oauth2.thephpleague.com/",
+    "license": "MIT",
+    "require": {
+        "php": ">=5.5.9",
+        "league/event": "^2.1",
+        "lcobucci/jwt": "^3.1",
+        "paragonie/random_compat": "^1.1",
+        "psr/http-message": "^1.0"
+    },
+    "require-dev": {
+        "phpunit/phpunit": "^4.8",
+        "league/plates": "^3.1",
+        "zendframework/zend-diactoros": "^1.0"
+    },
+    "repositories": [
+        {
+            "type": "git",
+            "url": "https://github.com/thephpleague/oauth2-server.git"
+        }
+    ],
+    "keywords": [
+        "oauth",
+        "oauth2",
+        "oauth 2",
+        "oauth 2.0",
+        "server",
+        "auth",
+        "authorization",
+        "authorisation",
+        "authentication",
+        "resource",
+        "api",
+        "auth",
+        "protect",
+        "secure"
+    ],
+    "authors": [
+        {
+            "name": "Alex Bilbie",
+            "email": "hello@alexbilbie.com",
+            "homepage": "http://www.alexbilbie.com",
+            "role": "Developer"
+        }
+    ],
+    "replace": {
+        "lncd/oauth2": "*",
+        "league/oauth2server": "*"
+    },
+    "autoload": {
+        "psr-4": {
+            "League\\OAuth2\\Server\\": "src/"
+        }
+    },
+    "autoload-dev": {
+        "psr-4": {
+            "LeagueTests\\": "tests/"
+        }
+    },
+    "extra": {
+        "branch-alias": {
+            "dev-V5-WIP": "5.0-dev"
+        }
+    },
+    "suggest": {
+        "league/plates": "Used for parsing authorization code templates",
+        "twig/twig": "Used for parsing authorization code templates",
+        "smarty/smarty": "Used for parsing authorization code templates",
+        "mustache/mustache": "Used for parsing authorization code templates"
+    }
+}

examples/README.md

@@ -0,0 +1,53 @@
+# Example implementations
+
+## Installation
+
+0. Run `composer install --no-dev` in this directory to install dependencies
+0. Create a private key `openssl genrsa -out private.key 1024`
+0. Create a public key `openssl rsa -in private.key -pubout > public.key`
+0. `cd` into the public directory
+0. Start a PHP server `php -S localhost:4444`
+
+## Testing the client credentials grant example
+
+Send the following cURL request:
+
+```
+curl -X "POST" "http://localhost:4444/client_credentials.php/access_token" \
+	-H "Content-Type: application/x-www-form-urlencoded" \
+	-H "Accept: 1.0" \
+	--data-urlencode "grant_type=client_credentials" \
+	--data-urlencode "client_id=myawesomeapp" \
+	--data-urlencode "client_secret=abc123" \
+	--data-urlencode "scope=basic email"
+```
+
+## Testing the password grant example
+
+Send the following cURL request:
+
+```
+curl -X "POST" "http://localhost:4444/password.php/access_token" \
+	-H "Content-Type: application/x-www-form-urlencoded" \
+	-H "Accept: 1.0" \
+	--data-urlencode "grant_type=password" \
+	--data-urlencode "client_id=myawesomeapp" \
+	--data-urlencode "client_secret=abc123" \
+	--data-urlencode "username=alex" \
+	--data-urlencode "password=whisky" \
+	--data-urlencode "scope=basic email"
+```
+
+## Testing the refresh token grant example
+
+Send the following cURL request. Replace `{{REFRESH_TOKEN}}` with a refresh token from another grant above:
+
+```
+curl -X "POST" "http://localhost:4444/refresh_token.php/access_token" \
+	-H "Content-Type: application/x-www-form-urlencoded" \
+	-H "Accept: 1.0" \
+	--data-urlencode "grant_type=refresh_token" \
+	--data-urlencode "client_id=myawesomeapp" \
+	--data-urlencode "client_secret=abc123" \
+	--data-urlencode "refresh_token={{REFRESH_TOKEN}}"
+```

examples/composer.json

@@ -0,0 +1,18 @@
+{
+    "repositories": [
+        {
+            "type": "path",
+            "url": ".."
+        }
+    ],
+    "require": {
+        "slim/slim": "3.0.*",
+        "league/oauth2-server": "dev-V5-WIP",
+        "league/plates": "^3.1"
+    },
+    "autoload": {
+        "psr-4": {
+            "OAuth2ServerExamples\\": "src/"
+        }
+    }
+}

examples/composer.lock

@@ -0,0 +1,537 @@
+{
+    "_readme": [
+        "This file locks the dependencies of your project to a known state",
+        "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
+        "This file is @generated automatically"
+    ],
+    "hash": "143453cc35e7f499b130b6460222dc5a",
+    "content-hash": "1ea46581fb6db25f323a37a45ef74f95",
+    "packages": [
+        {
+            "name": "container-interop/container-interop",
+            "version": "1.1.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/container-interop/container-interop.git",
+                "reference": "fc08354828f8fd3245f77a66b9e23a6bca48297e"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/container-interop/container-interop/zipball/fc08354828f8fd3245f77a66b9e23a6bca48297e",
+                "reference": "fc08354828f8fd3245f77a66b9e23a6bca48297e",
+                "shasum": ""
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "Interop\\Container\\": "src/Interop/Container/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "description": "Promoting the interoperability of container objects (DIC, SL, etc.)",
+            "time": "2014-12-30 15:22:37"
+        },
+        {
+            "name": "lcobucci/jwt",
+            "version": "3.1.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/lcobucci/jwt.git",
+                "reference": "31499db4e692b343cec7ff345932899f98fde1cf"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/lcobucci/jwt/zipball/31499db4e692b343cec7ff345932899f98fde1cf",
+                "reference": "31499db4e692b343cec7ff345932899f98fde1cf",
+                "shasum": ""
+            },
+            "require": {
+                "ext-openssl": "*",
+                "php": ">=5.5"
+            },
+            "require-dev": {
+                "mdanter/ecc": "~0.3",
+                "mikey179/vfsstream": "~1.5",
+                "phpmd/phpmd": "~2.2",
+                "phpunit/php-invoker": "~1.1",
+                "phpunit/phpunit": "~4.5",
+                "squizlabs/php_codesniffer": "~2.3"
+            },
+            "suggest": {
+                "mdanter/ecc": "Required to use Elliptic Curves based algorithms."
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "3.1-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Lcobucci\\JWT\\": "src"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "BSD-3-Clause"
+            ],
+            "authors": [
+                {
+                    "name": "Luís Otávio Cobucci Oblonczyk",
+                    "email": "lcobucci@gmail.com",
+                    "role": "Developer"
+                }
+            ],
+            "description": "A simple library to work with JSON Web Token and JSON Web Signature",
+            "keywords": [
+                "JWS",
+                "jwt"
+            ],
+            "time": "2015-11-15 01:42:47"
+        },
+        {
+            "name": "league/event",
+            "version": "2.1.2",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/thephpleague/event.git",
+                "reference": "e4bfc88dbcb60c8d8a2939a71f9813e141bbe4cd"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/thephpleague/event/zipball/e4bfc88dbcb60c8d8a2939a71f9813e141bbe4cd",
+                "reference": "e4bfc88dbcb60c8d8a2939a71f9813e141bbe4cd",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.4.0"
+            },
+            "require-dev": {
+                "henrikbjorn/phpspec-code-coverage": "~1.0.1",
+                "phpspec/phpspec": "~2.0.0"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "2.2-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "League\\Event\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Frank de Jonge",
+                    "email": "info@frenky.net"
+                }
+            ],
+            "description": "Event package",
+            "keywords": [
+                "emitter",
+                "event",
+                "listener"
+            ],
+            "time": "2015-05-21 12:24:47"
+        },
+        {
+            "name": "league/oauth2-server",
+            "version": "dev-V5-WIP",
+            "dist": {
+                "type": "path",
+                "url": "../",
+                "reference": "0fbe109e2004c71feac2bd14fd85aff97704b2e5",
+                "shasum": null
+            },
+            "require": {
+                "lcobucci/jwt": "^3.1",
+                "league/event": "^2.1",
+                "paragonie/random_compat": "^1.1",
+                "php": ">=5.5.9",
+                "psr/http-message": "^1.0"
+            },
+            "replace": {
+                "league/oauth2server": "*",
+                "lncd/oauth2": "*"
+            },
+            "require-dev": {
+                "league/plates": "^3.1",
+                "phpunit/phpunit": "^4.8",
+                "zendframework/zend-diactoros": "^1.0"
+            },
+            "suggest": {
+                "league/plates": "Used for parsing authorization code templates",
+                "mustache/mustache": "Used for parsing authorization code templates",
+                "smarty/smarty": "Used for parsing authorization code templates",
+                "twig/twig": "Used for parsing authorization code templates"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-V5-WIP": "5.0-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "League\\OAuth2\\Server\\": "src/"
+                }
+            },
+            "autoload-dev": {
+                "psr-4": {
+                    "LeagueTests\\": "tests/"
+                }
+            },
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Alex Bilbie",
+                    "email": "hello@alexbilbie.com",
+                    "homepage": "http://www.alexbilbie.com",
+                    "role": "Developer"
+                }
+            ],
+            "description": "A lightweight and powerful OAuth 2.0 authorization and resource server library with support for all the core specification grants. This library will allow you to secure your API with OAuth and allow your applications users to approve apps that want to access their data from your API.",
+            "homepage": "http://oauth2.thephpleague.com/",
+            "keywords": [
+                "api",
+                "auth",
+                "auth",
+                "authentication",
+                "authorisation",
+                "authorization",
+                "oauth",
+                "oauth 2",
+                "oauth 2.0",
+                "oauth2",
+                "protect",
+                "resource",
+                "secure",
+                "server"
+            ]
+        },
+        {
+            "name": "league/plates",
+            "version": "3.1.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/thephpleague/plates.git",
+                "reference": "2d8569e9f140a70d6a05db38006926f7547cb802"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/thephpleague/plates/zipball/2d8569e9f140a70d6a05db38006926f7547cb802",
+                "reference": "2d8569e9f140a70d6a05db38006926f7547cb802",
+                "shasum": ""
+            },
+            "require-dev": {
+                "mikey179/vfsstream": "~1.4.0",
+                "phpunit/phpunit": "~4.0",
+                "squizlabs/php_codesniffer": "~1.5"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "3.0-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "League\\Plates\\": "src"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Jonathan Reinink",
+                    "email": "jonathan@reinink.ca",
+                    "role": "Developer"
+                }
+            ],
+            "description": "Plates, the native PHP template system that's fast, easy to use and easy to extend.",
+            "homepage": "http://platesphp.com",
+            "keywords": [
+                "league",
+                "package",
+                "templates",
+                "templating",
+                "views"
+            ],
+            "time": "2015-07-09 02:14:40"
+        },
+        {
+            "name": "nikic/fast-route",
+            "version": "v0.6.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/nikic/FastRoute.git",
+                "reference": "31fa86924556b80735f98b294a7ffdfb26789f22"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/nikic/FastRoute/zipball/31fa86924556b80735f98b294a7ffdfb26789f22",
+                "reference": "31fa86924556b80735f98b294a7ffdfb26789f22",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.4.0"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "FastRoute\\": "src/"
+                },
+                "files": [
+                    "src/functions.php"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "BSD-3-Clause"
+            ],
+            "authors": [
+                {
+                    "name": "Nikita Popov",
+                    "email": "nikic@php.net"
+                }
+            ],
+            "description": "Fast request router for PHP",
+            "keywords": [
+                "router",
+                "routing"
+            ],
+            "time": "2015-06-18 19:15:47"
+        },
+        {
+            "name": "paragonie/random_compat",
+            "version": "v1.4.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/paragonie/random_compat.git",
+                "reference": "c7e26a21ba357863de030f0b9e701c7d04593774"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/paragonie/random_compat/zipball/c7e26a21ba357863de030f0b9e701c7d04593774",
+                "reference": "c7e26a21ba357863de030f0b9e701c7d04593774",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.2.0"
+            },
+            "require-dev": {
+                "phpunit/phpunit": "4.*|5.*"
+            },
+            "suggest": {
+                "ext-libsodium": "Provides a modern crypto API that can be used to generate random bytes."
+            },
+            "type": "library",
+            "autoload": {
+                "files": [
+                    "lib/random.php"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Paragon Initiative Enterprises",
+                    "email": "security@paragonie.com",
+                    "homepage": "https://paragonie.com"
+                }
+            ],
+            "description": "PHP 5.x polyfill for random_bytes() and random_int() from PHP 7",
+            "keywords": [
+                "csprng",
+                "pseudorandom",
+                "random"
+            ],
+            "time": "2016-03-18 20:34:03"
+        },
+        {
+            "name": "pimple/pimple",
+            "version": "v3.0.2",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/silexphp/Pimple.git",
+                "reference": "a30f7d6e57565a2e1a316e1baf2a483f788b258a"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/silexphp/Pimple/zipball/a30f7d6e57565a2e1a316e1baf2a483f788b258a",
+                "reference": "a30f7d6e57565a2e1a316e1baf2a483f788b258a",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.3.0"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "3.0.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-0": {
+                    "Pimple": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Fabien Potencier",
+                    "email": "fabien@symfony.com"
+                }
+            ],
+            "description": "Pimple, a simple Dependency Injection Container",
+            "homepage": "http://pimple.sensiolabs.org",
+            "keywords": [
+                "container",
+                "dependency injection"
+            ],
+            "time": "2015-09-11 15:10:35"
+        },
+        {
+            "name": "psr/http-message",
+            "version": "1.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/php-fig/http-message.git",
+                "reference": "85d63699f0dbedb190bbd4b0d2b9dc707ea4c298"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/php-fig/http-message/zipball/85d63699f0dbedb190bbd4b0d2b9dc707ea4c298",
+                "reference": "85d63699f0dbedb190bbd4b0d2b9dc707ea4c298",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.3.0"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.0.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Psr\\Http\\Message\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "PHP-FIG",
+                    "homepage": "http://www.php-fig.org/"
+                }
+            ],
+            "description": "Common interface for HTTP messages",
+            "keywords": [
+                "http",
+                "http-message",
+                "psr",
+                "psr-7",
+                "request",
+                "response"
+            ],
+            "time": "2015-05-04 20:22:00"
+        },
+        {
+            "name": "slim/slim",
+            "version": "3.0.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/slimphp/Slim.git",
+                "reference": "3b06f0f2d84dabbe81b6cea46ace46a3e883253e"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/slimphp/Slim/zipball/3b06f0f2d84dabbe81b6cea46ace46a3e883253e",
+                "reference": "3b06f0f2d84dabbe81b6cea46ace46a3e883253e",
+                "shasum": ""
+            },
+            "require": {
+                "container-interop/container-interop": "^1.1",
+                "nikic/fast-route": "^0.6",
+                "php": ">=5.5.0",
+                "pimple/pimple": "^3.0",
+                "psr/http-message": "^1.0"
+            },
+            "require-dev": {
+                "phpunit/phpunit": "^4.0"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "Slim\\": "Slim"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Rob Allen",
+                    "email": "rob@akrabat.com",
+                    "homepage": "http://akrabat.com"
+                },
+                {
+                    "name": "Josh Lockhart",
+                    "email": "hello@joshlockhart.com",
+                    "homepage": "https://joshlockhart.com"
+                },
+                {
+                    "name": "Gabriel Manricks",
+                    "email": "gmanricks@me.com",
+                    "homepage": "http://gabrielmanricks.com"
+                },
+                {
+                    "name": "Andrew Smith",
+                    "email": "a.smith@silentworks.co.uk",
+                    "homepage": "http://silentworks.co.uk"
+                }
+            ],
+            "description": "Slim is a PHP micro framework that helps you quickly write simple yet powerful web applications and APIs",
+            "homepage": "http://slimframework.com",
+            "keywords": [
+                "api",
+                "framework",
+                "micro",
+                "router"
+            ],
+            "time": "2015-12-07 14:11:09"
+        }
+    ],
+    "packages-dev": [],
+    "aliases": [],
+    "minimum-stability": "stable",
+    "stability-flags": {
+        "league/oauth2-server": 20
+    },
+    "prefer-stable": false,
+    "prefer-lowest": false,
+    "platform": [],
+    "platform-dev": []
+}

examples/public/api.php

@@ -0,0 +1,74 @@
+<?php
+
+use League\OAuth2\Server\Server;
+use OAuth2ServerExamples\Repositories\AccessTokenRepository;
+use OAuth2ServerExamples\Repositories\ClientRepository;
+use OAuth2ServerExamples\Repositories\ScopeRepository;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Slim\App;
+
+include __DIR__ . '/../vendor/autoload.php';
+
+$app = new App([
+    'settings'    => [
+        'displayErrorDetails' => true,
+    ],
+    Server::class => function () {
+        // Setup the authorization server
+        $server = new Server(
+            new ClientRepository(),
+            new AccessTokenRepository(),
+            new ScopeRepository(),
+            'file://' . __DIR__ . '/../private.key',
+            'file://' . __DIR__ . '/../public.key'
+        );
+
+        return $server;
+    },
+]);
+
+$app->add(
+    new \League\OAuth2\Server\Middleware\ResourceServerMiddleware(
+        $app->getContainer()->get(Server::class)
+    )
+);
+
+$app->get('/users', function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
+
+    $users = [
+        [
+            'id'    => 123,
+            'name'  => 'Alex',
+            'email' => 'alex@thephpleague.com',
+        ],
+        [
+            'id'    => 124,
+            'name'  => 'Frank',
+            'email' => 'frank@thephpleague.com',
+        ],
+        [
+            'id'    => 125,
+            'name'  => 'Phil',
+            'email' => 'phil@thephpleague.com',
+        ],
+    ];
+
+    if (in_array('basic', $request->getAttribute('oauth_scopes')) === false) {
+        for ($i = 0; $i < count($users); $i++) {
+            unset($users[$i]['name']);
+        }
+    }
+
+    if (in_array('email', $request->getAttribute('oauth_scopes')) === false) {
+        for ($i = 0; $i < count($users); $i++) {
+            unset($users[$i]['email']);
+        }
+    }
+
+    $response->getBody()->write(json_encode($users));
+
+    return $response->withStatus(200);
+});
+
+$app->run();

examples/public/auth_code.php

@@ -0,0 +1,91 @@
+<?php
+
+use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\Grant\AuthCodeGrant;
+use League\OAuth2\Server\Server;
+use OAuth2ServerExamples\Repositories\AccessTokenRepository;
+use OAuth2ServerExamples\Repositories\AuthCodeRepository;
+use OAuth2ServerExamples\Repositories\ClientRepository;
+use OAuth2ServerExamples\Repositories\RefreshTokenRepository;
+use OAuth2ServerExamples\Repositories\ScopeRepository;
+use OAuth2ServerExamples\Repositories\UserRepository;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Slim\App;
+use Zend\Diactoros\Stream;
+
+include __DIR__ . '/../vendor/autoload.php';
+
+$app = new App([
+    'settings'    => [
+        'displayErrorDetails' => true,
+    ],
+    Server::class => function () {
+        // Init our repositories
+        $clientRepository = new ClientRepository();
+        $scopeRepository = new ScopeRepository();
+        $accessTokenRepository = new AccessTokenRepository();
+        $authCodeRepository = new AuthCodeRepository();
+        $refreshTokenRepository = new RefreshTokenRepository();
+        $userRepository = new UserRepository();
+
+        $privateKeyPath = 'file://' . __DIR__ . '/../private.key';
+        $publicKeyPath = 'file://' . __DIR__ . '/../public.key';
+
+        // Setup the authorization server
+        $server = new Server(
+            $clientRepository,
+            $accessTokenRepository,
+            $scopeRepository,
+            $privateKeyPath,
+            $publicKeyPath
+        );
+
+        // Enable the authentication code grant on the server with a token TTL of 1 hour
+        $server->enableGrantType(
+            new AuthCodeGrant(
+                $authCodeRepository,
+                $refreshTokenRepository,
+                $userRepository,
+                new \DateInterval('PT10M')
+            ),
+            new \DateInterval('PT1H')
+        );
+
+        return $server;
+    },
+]);
+
+$app->any('/authorize', function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
+    /* @var \League\OAuth2\Server\Server $server */
+    $server = $app->getContainer()->get(Server::class);
+
+    try {
+        return $server->respondToRequest($request, $response);
+    } catch (OAuthServerException $exception) {
+        return $exception->generateHttpResponse($response);
+    } catch (\Exception $exception) {
+        $body = new Stream('php://temp', 'r+');
+        $body->write($exception->getMessage());
+
+        return $response->withStatus(500)->withBody($body);
+    }
+});
+
+$app->post('/access_token', function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
+    /* @var \League\OAuth2\Server\Server $server */
+    $server = $app->getContainer()->get(Server::class);
+
+    try {
+        return $server->respondToRequest($request, $response);
+    } catch (OAuthServerException $exception) {
+        return $exception->generateHttpResponse($response);
+    } catch (\Exception $exception) {
+        $body = new Stream('php://temp', 'r+');
+        $body->write($exception->getMessage());
+
+        return $response->withStatus(500)->withBody($body);
+    }
+});
+
+$app->run();

examples/public/client_credentials.php

@@ -0,0 +1,64 @@
+<?php
+
+use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\Grant\ClientCredentialsGrant;
+use League\OAuth2\Server\Server;
+use OAuth2ServerExamples\Repositories\AccessTokenRepository;
+use OAuth2ServerExamples\Repositories\ClientRepository;
+use OAuth2ServerExamples\Repositories\ScopeRepository;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Slim\App;
+use Zend\Diactoros\Stream;
+
+include __DIR__ . '/../vendor/autoload.php';
+
+$app = new App([
+    'settings'    => [
+        'displayErrorDetails' => true,
+    ],
+    Server::class => function () {
+        // Init our repositories
+        $clientRepository = new ClientRepository();
+        $accessTokenRepository = new AccessTokenRepository();
+        $scopeRepository = new ScopeRepository();
+
+        $privateKeyPath = 'file://' . __DIR__ . '/../private.key';
+        $publicKeyPath = 'file://' . __DIR__ . '/../public.key';
+
+        // Setup the authorization server
+        $server = new Server(
+            $clientRepository,
+            $accessTokenRepository,
+            $scopeRepository,
+            $privateKeyPath,
+            $publicKeyPath
+        );
+
+        // Enable the client credentials grant on the server with a token TTL of 1 hour
+        $server->enableGrantType(
+            new ClientCredentialsGrant(),
+            new \DateInterval('PT1H')
+        );
+
+        return $server;
+    },
+]);
+
+$app->post('/access_token', function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
+    /* @var \League\OAuth2\Server\Server $server */
+    $server = $app->getContainer()->get(Server::class);
+
+    try {
+        return $server->respondToRequest($request, $response);
+    } catch (OAuthServerException $exception) {
+        return $exception->generateHttpResponse($response);
+    } catch (\Exception $exception) {
+        $body = new Stream('php://temp', 'r+');
+        $body->write($exception->getMessage());
+
+        return $response->withStatus(500)->withBody($body);
+    }
+});
+
+$app->run();

examples/public/implicit.php

@@ -0,0 +1,66 @@
+<?php
+
+use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\Grant\ImplicitGrant;
+use League\OAuth2\Server\Server;
+use OAuth2ServerExamples\Repositories\AccessTokenRepository;
+use OAuth2ServerExamples\Repositories\ClientRepository;
+use OAuth2ServerExamples\Repositories\ScopeRepository;
+use OAuth2ServerExamples\Repositories\UserRepository;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Slim\App;
+use Zend\Diactoros\Stream;
+
+include __DIR__ . '/../vendor/autoload.php';
+
+$app = new App([
+    'settings'    => [
+        'displayErrorDetails' => true,
+    ],
+    Server::class => function () {
+        // Init our repositories
+        $clientRepository = new ClientRepository();
+        $scopeRepository = new ScopeRepository();
+        $accessTokenRepository = new AccessTokenRepository();
+        $userRepository = new UserRepository();
+
+        $privateKeyPath = 'file://' . __DIR__ . '/../private.key';
+        $publicKeyPath = 'file://' . __DIR__ . '/../public.key';
+
+        // Setup the authorization server
+        $server = new Server(
+            $clientRepository,
+            $accessTokenRepository,
+            $scopeRepository,
+            $privateKeyPath,
+            $publicKeyPath
+        );
+
+        // Enable the implicit grant on the server with a token TTL of 1 hour
+        $server->enableGrantType(
+            new ImplicitGrant($userRepository),
+            new \DateInterval('PT1H')
+        );
+
+        return $server;
+    },
+]);
+
+$app->any('/authorize', function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
+    /* @var \League\OAuth2\Server\Server $server */
+    $server = $app->getContainer()->get(Server::class);
+
+    try {
+        return $server->respondToRequest($request, $response);
+    } catch (OAuthServerException $exception) {
+        return $exception->generateHttpResponse($response);
+    } catch (\Exception $exception) {
+        $body = new Stream('php://temp', 'r+');
+        $body->write($exception->getMessage());
+
+        return $response->withStatus(500)->withBody($body);
+    }
+});
+
+$app->run();

examples/public/middleware_use.php

@@ -0,0 +1,95 @@
+<?php
+
+use League\OAuth2\Server\Grant\AuthCodeGrant;
+use League\OAuth2\Server\Grant\RefreshTokenGrant;
+use League\OAuth2\Server\Middleware\AuthenticationServerMiddleware;
+use League\OAuth2\Server\Middleware\ResourceServerMiddleware;
+use League\OAuth2\Server\Server;
+use OAuth2ServerExamples\Repositories\AccessTokenRepository;
+use OAuth2ServerExamples\Repositories\AuthCodeRepository;
+use OAuth2ServerExamples\Repositories\ClientRepository;
+use OAuth2ServerExamples\Repositories\RefreshTokenRepository;
+use OAuth2ServerExamples\Repositories\ScopeRepository;
+use OAuth2ServerExamples\Repositories\UserRepository;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Slim\App;
+use Zend\Diactoros\Stream;
+
+include __DIR__ . '/../vendor/autoload.php';
+
+$app = new App([
+    'settings'    => [
+        'displayErrorDetails' => true,
+    ],
+    Server::class => function () {
+        // Init our repositories
+        $clientRepository = new ClientRepository();
+        $accessTokenRepository = new AccessTokenRepository();
+        $scopeRepository = new ScopeRepository();
+        $authCodeRepository = new AuthCodeRepository();
+        $refreshTokenRepository = new RefreshTokenRepository();
+        $userRepository = new UserRepository();
+
+        $privateKeyPath = 'file://' . __DIR__ . '/../private.key';
+        $publicKeyPath = 'file://' . __DIR__ . '/../public.key';
+
+        // Setup the authorization server
+        $server = new Server(
+            $clientRepository,
+            $accessTokenRepository,
+            $scopeRepository,
+            $privateKeyPath,
+            $publicKeyPath
+        );
+
+        // Enable the authentication code grant on the server with a token TTL of 1 hour
+        $server->enableGrantType(
+            new AuthCodeGrant(
+                $authCodeRepository,
+                $refreshTokenRepository,
+                $userRepository,
+                new \DateInterval('PT10M')
+            ),
+            new \DateInterval('PT1H')
+        );
+
+        // Enable the refresh token grant on the server with a token TTL of 1 month
+        $server->enableGrantType(
+            new RefreshTokenGrant($refreshTokenRepository),
+            new \DateInterval('PT1M')
+        );
+
+        return $server;
+    },
+]);
+
+// Access token issuer
+$app->post('/access_token', function () {
+})->add(new AuthenticationServerMiddleware($app->getContainer()->get(Server::class)));
+
+// Secured API
+$app->group('/api', function () {
+    $this->get('/user', function (ServerRequestInterface $request, ResponseInterface $response) {
+        $params = [];
+
+        if (in_array('basic', $request->getAttribute('oauth_scopes', []))) {
+            $params = [
+                'id'   => 1,
+                'name' => 'Alex',
+                'city' => 'London',
+            ];
+        }
+
+        if (in_array('email', $request->getAttribute('oauth_scopes', []))) {
+            $params['email'] = 'alex@example.com';
+        }
+
+        $body = new Stream('php://temp', 'r+');
+        $body->write(json_encode($params));
+
+        return $response->withBody($body);
+    });
+})->add(new ResourceServerMiddleware($app->getContainer()->get(Server::class)));
+
+$app->run();

examples/public/password.php

@@ -0,0 +1,68 @@
+<?php
+
+use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\Grant\PasswordGrant;
+use League\OAuth2\Server\Server;
+use OAuth2ServerExamples\Repositories\AccessTokenRepository;
+use OAuth2ServerExamples\Repositories\ClientRepository;
+use OAuth2ServerExamples\Repositories\RefreshTokenRepository;
+use OAuth2ServerExamples\Repositories\ScopeRepository;
+use OAuth2ServerExamples\Repositories\UserRepository;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Slim\App;
+use Zend\Diactoros\Stream;
+
+include __DIR__ . '/../vendor/autoload.php';
+
+$app = new App([
+    'settings'    => [
+        'displayErrorDetails' => true,
+    ],
+    Server::class => function () {
+        // Init our repositories
+        $clientRepository = new ClientRepository();
+        $accessTokenRepository = new AccessTokenRepository();
+        $scopeRepository = new ScopeRepository();
+        $userRepository = new UserRepository();
+        $refreshTokenRepository = new RefreshTokenRepository();
+
+        $privateKeyPath = 'file://' . __DIR__ . '/../private.key';
+        $publicKeyPath = 'file://' . __DIR__ . '/../public.key';
+
+        // Setup the authorization server
+        $server = new Server(
+            $clientRepository,
+            $accessTokenRepository,
+            $scopeRepository,
+            $privateKeyPath,
+            $publicKeyPath
+        );
+
+        // Enable the password grant on the server with a token TTL of 1 hour
+        $server->enableGrantType(
+            new PasswordGrant($userRepository, $refreshTokenRepository),
+            new \DateInterval('PT1H')
+        );
+
+        return $server;
+    },
+]);
+
+$app->post('/access_token', function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
+    /* @var \League\OAuth2\Server\Server $server */
+    $server = $app->getContainer()->get(Server::class);
+
+    try {
+        return $server->respondToRequest($request, $response);
+    } catch (OAuthServerException $exception) {
+        return $exception->generateHttpResponse($response);
+    } catch (\Exception $exception) {
+        $body = new Stream('php://temp', 'r+');
+        $body->write($exception->getMessage());
+
+        return $response->withStatus(500)->withBody($body);
+    }
+});
+
+$app->run();

examples/public/refresh_token.php

@@ -0,0 +1,66 @@
+<?php
+
+use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\Grant\RefreshTokenGrant;
+use League\OAuth2\Server\Server;
+use OAuth2ServerExamples\Repositories\AccessTokenRepository;
+use OAuth2ServerExamples\Repositories\ClientRepository;
+use OAuth2ServerExamples\Repositories\RefreshTokenRepository;
+use OAuth2ServerExamples\Repositories\ScopeRepository;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Slim\App;
+use Zend\Diactoros\Stream;
+
+include __DIR__ . '/../vendor/autoload.php';
+
+$app = new App([
+    'settings'    => [
+        'displayErrorDetails' => true,
+    ],
+    Server::class => function () {
+        // Init our repositories
+        $clientRepository = new ClientRepository();
+        $accessTokenRepository = new AccessTokenRepository();
+        $scopeRepository = new ScopeRepository();
+        $refreshTokenRepository = new RefreshTokenRepository();
+
+        $privateKeyPath = 'file://' . __DIR__ . '/../private.key';
+        $publicKeyPath = 'file://' . __DIR__ . '/../public.key';
+
+        // Setup the authorization server
+        $server = new Server(
+            $clientRepository,
+            $accessTokenRepository,
+            $scopeRepository,
+            $privateKeyPath,
+            $publicKeyPath
+        );
+
+        // Enable the refresh token grant on the server with a token TTL of 1 hour
+        $server->enableGrantType(
+            new RefreshTokenGrant($refreshTokenRepository),
+            new \DateInterval('PT1H')
+        );
+
+        return $server;
+    },
+]);
+
+$app->post('/access_token', function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
+    /* @var \League\OAuth2\Server\Server $server */
+    $server = $app->getContainer()->get(Server::class);
+
+    try {
+        return $server->respondToRequest($request, $response);
+    } catch (OAuthServerException $exception) {
+        return $exception->generateHttpResponse($response);
+    } catch (\Exception $exception) {
+        $body = new Stream('php://temp', 'r+');
+        $body->write($exception->getMessage());
+
+        return $response->withStatus(500)->withBody($body);
+    }
+});
+
+$app->run();

examples/src/Entities/ClientEntity.php

@@ -0,0 +1,85 @@
+<?php
+
+namespace OAuth2ServerExamples\Entities;
+
+use League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface;
+use League\OAuth2\Server\Entities\Traits\EntityTrait;
+
+class ClientEntity implements ClientEntityInterface
+{
+    use EntityTrait;
+
+    private $name;
+
+    private $secret;
+
+    private $redirectUri;
+
+    /**
+     * Get the client's name.
+     *
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * Set the client's name.
+     *
+     * @param string $name
+     */
+    public function setName($name)
+    {
+        $this->name = $name;
+    }
+
+    /**
+     * @param string $secret
+     */
+    public function setSecret($secret)
+    {
+        $this->secret = $secret;
+    }
+
+    /**
+     * Get the hashed client secret
+     *
+     * @return string
+     */
+    public function getSecret()
+    {
+        return $this->secret;
+    }
+
+    /**
+     * Set the client's redirect uri.
+     *
+     * @param string $redirectUri
+     */
+    public function setRedirectUri($redirectUri)
+    {
+        $this->redirectUri = $redirectUri;
+    }
+
+    /**
+     * Returns the registered redirect URI.
+     *
+     * @return string
+     */
+    public function getRedirectUri()
+    {
+        return $this->redirectUri;
+    }
+
+    /**
+     * Returns true if the client is capable of keeping it's secrets secret.
+     *
+     * @return bool
+     */
+    public function canKeepASecret()
+    {
+        return $this->secret !== null;
+    }
+}

examples/src/Entities/ScopeEntity.php

@@ -0,0 +1,16 @@
+<?php
+
+namespace OAuth2ServerExamples\Entities;
+
+use League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface;
+use League\OAuth2\Server\Entities\Traits\EntityTrait;
+
+class ScopeEntity implements ScopeEntityInterface
+{
+    use EntityTrait;
+
+    public function jsonSerialize()
+    {
+        return $this->getIdentifier();
+    }
+}

examples/src/Entities/UserEntity.php

@@ -0,0 +1,18 @@
+<?php
+
+namespace OAuth2ServerExamples\Entities;
+
+use League\OAuth2\Server\Entities\Interfaces\UserEntityInterface;
+
+class UserEntity implements UserEntityInterface
+{
+    /**
+     * Return the user's identifier.
+     *
+     * @return mixed
+     */
+    public function getIdentifier()
+    {
+        return 1;
+    }
+}

examples/src/Repositories/AccessTokenRepository.php

@@ -0,0 +1,41 @@
+<?php
+
+namespace OAuth2ServerExamples\Repositories;
+
+use League\OAuth2\Server\Entities\Interfaces\AccessTokenEntityInterface;
+use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+
+class AccessTokenRepository implements AccessTokenRepositoryInterface
+{
+    /**
+     * Persists a new access token to permanent storage.
+     *
+     * @param \League\OAuth2\Server\Entities\Interfaces\AccessTokenEntityInterface $accessTokenEntity
+     */
+    public function persistNewAccessToken(AccessTokenEntityInterface $accessTokenEntity)
+    {
+        // TODO: Implement persistNewAccessToken() method.
+    }
+
+    /**
+     * Revoke an access token.
+     *
+     * @param string $tokenId
+     */
+    public function revokeAccessToken($tokenId)
+    {
+        // TODO: Implement revokeAccessToken() method.
+    }
+
+    /**
+     * Check if the access token has been revoked.
+     *
+     * @param string $tokenId
+     *
+     * @return bool Return true if this token has been revoked
+     */
+    public function isAccessTokenRevoked($tokenId)
+    {
+        // TODO: Implement isAccessTokenRevoked() method.
+    }
+}

examples/src/Repositories/AuthCodeRepository.php

@@ -0,0 +1,41 @@
+<?php
+
+namespace OAuth2ServerExamples\Repositories;
+
+use League\OAuth2\Server\Entities\Interfaces\AuthCodeEntityInterface;
+use League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface;
+
+class AuthCodeRepository implements AuthCodeRepositoryInterface
+{
+    /**
+     * Persists a new auth code to permanent storage.
+     *
+     * @param \League\OAuth2\Server\Entities\Interfaces\AuthCodeEntityInterface $authCodeEntity
+     */
+    public function persistNewAuthCode(AuthCodeEntityInterface $authCodeEntity)
+    {
+        // TODO: Implement persistNewAuthCode() method.
+    }
+
+    /**
+     * Revoke an auth code.
+     *
+     * @param string $codeId
+     */
+    public function revokeAuthCode($codeId)
+    {
+        // TODO: Implement revokeAuthCode() method.
+    }
+
+    /**
+     * Check if the auth code has been revoked.
+     *
+     * @param string $codeId
+     *
+     * @return bool Return true if this code has been revoked
+     */
+    public function isAuthCodeRevoked($codeId)
+    {
+        // TODO: Implement isAuthCodeRevoked() method.
+    }
+}

examples/src/Repositories/ClientRepository.php

@@ -0,0 +1,36 @@
+<?php
+
+namespace OAuth2ServerExamples\Repositories;
+
+use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
+use OAuth2ServerExamples\Entities\ClientEntity;
+
+class ClientRepository implements ClientRepositoryInterface
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function getClientEntity($clientIdentifier, $clientSecret = null, $redirectUri = null, $grantType = null)
+    {
+        $clients = [
+            'myawesomeapp' => [
+                'secret'       => password_hash('abc123', PASSWORD_BCRYPT),
+                'name'         => 'My Awesome App',
+                'redirect_uri' => 'http://foo/bar',
+            ],
+        ];
+
+        // Check if client is registered
+        if (array_key_exists($clientIdentifier, $clients) === false) {
+            return;
+        }
+
+        $client = new ClientEntity();
+        $client->setIdentifier($clientIdentifier);
+        $client->setName($clients[$clientIdentifier]['name']);
+        $client->setRedirectUri($clients[$clientIdentifier]['redirect_uri']);
+        $client->setSecret($clients[$clientIdentifier]['secret']);
+
+        return $client;
+    }
+}

examples/src/Repositories/RefreshTokenRepository.php

@@ -0,0 +1,41 @@
+<?php
+
+namespace OAuth2ServerExamples\Repositories;
+
+use League\OAuth2\Server\Entities\Interfaces\RefreshTokenEntityInterface;
+use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
+
+class RefreshTokenRepository implements RefreshTokenRepositoryInterface
+{
+    /**
+     * Create a new refresh token_name.
+     *
+     * @param \League\OAuth2\Server\Entities\Interfaces\RefreshTokenEntityInterface $refreshTokenEntityInterface
+     */
+    public function persistNewRefreshToken(RefreshTokenEntityInterface $refreshTokenEntityInterface)
+    {
+        // TODO: Implement persistNewRefreshToken() method.
+    }
+
+    /**
+     * Revoke the refresh token.
+     *
+     * @param string $tokenId
+     */
+    public function revokeRefreshToken($tokenId)
+    {
+        // TODO: Implement revokeRefreshToken() method.
+    }
+
+    /**
+     * Check if the refresh token has been revoked.
+     *
+     * @param string $tokenId
+     *
+     * @return bool Return true if this token has been revoked
+     */
+    public function isRefreshTokenRevoked($tokenId)
+    {
+        // TODO: Implement isRefreshTokenRevoked() method.
+    }
+}

examples/src/Repositories/ScopeRepository.php

@@ -0,0 +1,46 @@
+<?php
+
+namespace OAuth2ServerExamples\Repositories;
+
+use League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface;
+use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
+use OAuth2ServerExamples\Entities\ScopeEntity;
+
+class ScopeRepository implements ScopeRepositoryInterface
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function getScopeEntityByIdentifier($scopeIdentifier)
+    {
+        $scopes = [
+            'basic' => [
+                'description' => 'Basic details about you',
+            ],
+            'email' => [
+                'description' => 'Your email address',
+            ],
+        ];
+
+        if (array_key_exists($scopeIdentifier, $scopes) === false) {
+            return;
+        }
+
+        $scope = new ScopeEntity();
+        $scope->setIdentifier($scopeIdentifier);
+
+        return $scope;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function finalizeScopes(
+        array $scopes,
+        $grantType,
+        ClientEntityInterface $clientEntity,
+        $userIdentifier = null
+    ) {
+        return $scopes;
+    }
+}

examples/src/Repositories/UserRepository.php

@@ -0,0 +1,31 @@
+<?php
+
+namespace OAuth2ServerExamples\Repositories;
+
+use League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface;
+use League\OAuth2\Server\Repositories\UserRepositoryInterface;
+use OAuth2ServerExamples\Entities\ScopeEntity;
+use OAuth2ServerExamples\Entities\UserEntity;
+
+class UserRepository implements UserRepositoryInterface
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function getUserEntityByUserCredentials(
+        $username,
+        $password,
+        $grantType,
+        ClientEntityInterface $clientEntity
+    ) {
+        if ($username === 'alex' && $password === 'whisky') {
+            $scope = new ScopeEntity();
+            $scope->setIdentifier('email');
+            $scopes[] = $scope;
+
+            return new UserEntity();
+        }
+
+        return;
+    }
+}

phpunit.xml.dist

@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<phpunit colors="true" convertNoticesToExceptions="true" convertWarningsToExceptions="true" stopOnError="true"
+         stopOnFailure="true" stopOnIncomplete="false" stopOnSkipped="false" bootstrap="tests/Bootstrap.php">
+    <testsuites>
+        <testsuite name="Tests">
+            <directory>./tests/</directory>
+        </testsuite>
+    </testsuites>
+    <filter>
+        <whitelist addUncoveredFilesFromWhitelist="true">
+            <directory suffix=".php">src</directory>
+            <exclude>
+                <directory suffix=".php">src/ResponseTypes/DefaultTemplates</directory>
+                <directory suffix=".php">src/TemplateRenderer</directory>
+            </exclude>
+        </whitelist>
+    </filter>
+    <logging>
+        <log type="coverage-text" target="php://stdout" title="thephpleague/oauth2-server" charset="UTF-8" yui="true"
+             highlight="true" lowUpperBound="60" highLowerBound="90"/>
+        <log type="coverage-html" target="build/coverage" title="thephpleague/oauth2-server" charset="UTF-8" yui="true"
+             highlight="true" lowUpperBound="60" highLowerBound="90"/>
+    </logging>
+</phpunit>

src/AuthorizationValidators/AuthorizationValidatorInterface.php

@@ -0,0 +1,18 @@
+<?php
+
+namespace League\OAuth2\Server\AuthorizationValidators;
+
+use Psr\Http\Message\ServerRequestInterface;
+
+interface AuthorizationValidatorInterface
+{
+    /**
+     * Determine the access token in the authorization header and append OAUth properties to the request
+     *  as attributes.
+     *
+     * @param ServerRequestInterface $request
+     *
+     * @return ServerRequestInterface
+     */
+    public function validateAuthorization(ServerRequestInterface $request);
+}

src/AuthorizationValidators/BearerTokenValidator.php

@@ -0,0 +1,66 @@
+<?php
+
+namespace League\OAuth2\Server\AuthorizationValidators;
+
+use Lcobucci\JWT\Parser;
+use Lcobucci\JWT\Signer\Rsa\Sha256;
+use League\OAuth2\Server\CryptTrait;
+use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+use Psr\Http\Message\ServerRequestInterface;
+
+class BearerTokenValidator implements AuthorizationValidatorInterface
+{
+    use CryptTrait;
+
+    /**
+     * @var \League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface
+     */
+    private $accessTokenRepository;
+
+    /**
+     * BearerTokenValidator constructor.
+     *
+     * @param \League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface $accessTokenRepository
+     */
+    public function __construct(AccessTokenRepositoryInterface $accessTokenRepository)
+    {
+        $this->accessTokenRepository = $accessTokenRepository;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function validateAuthorization(ServerRequestInterface $request)
+    {
+        if ($request->hasHeader('authorization') === false) {
+            throw OAuthServerException::accessDenied('Missing "Authorization" header');
+        }
+
+        $header = $request->getHeader('authorization');
+        $jwt = trim(preg_replace('/^(?:\s+)?Bearer\s/', '', $header[0]));
+
+        try {
+            // Attempt to parse and validate the JWT
+            $token = (new Parser())->parse($jwt);
+            if ($token->verify(new Sha256(), $this->publicKeyPath) === false) {
+                throw OAuthServerException::accessDenied('Access token could not be verified');
+            }
+
+            // Check if token has been revoked
+            if ($this->accessTokenRepository->isAccessTokenRevoked($token->getClaim('jti'))) {
+                throw OAuthServerException::accessDenied('Access token has been revoked');
+            }
+
+            // Return the request with additional attributes
+            return $request
+                ->withAttribute('oauth_access_token_id', $token->getClaim('jti'))
+                ->withAttribute('oauth_client_id', $token->getClaim('aud'))
+                ->withAttribute('oauth_user_id', $token->getClaim('sub'))
+                ->withAttribute('oauth_scopes', $token->getClaim('scopes'));
+        } catch (\InvalidArgumentException $exception) {
+            // JWT couldn't be parsed so return the request as is
+            throw OAuthServerException::accessDenied($exception->getMessage());
+        }
+    }
+}

src/CryptTrait.php

@@ -0,0 +1,122 @@
+<?php
+/**
+ * Public/private key encryption.
+ *
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+namespace League\OAuth2\Server;
+
+trait CryptTrait
+{
+    /**
+     * @var string
+     */
+    protected $privateKeyPath;
+
+    /**
+     * @var string
+     */
+    protected $publicKeyPath;
+
+    /**
+     * Set path to private key.
+     *
+     * @param string $privateKeyPath
+     */
+    public function setPrivateKeyPath($privateKeyPath)
+    {
+        if (strpos($privateKeyPath, 'file://') !== 0) {
+            $privateKeyPath = 'file://' . $privateKeyPath;
+        }
+
+        $this->privateKeyPath = $privateKeyPath;
+    }
+
+    /**
+     * Set path to public key.
+     *
+     * @param string $publicKeyPath
+     */
+    public function setPublicKeyPath($publicKeyPath)
+    {
+        if (strpos($publicKeyPath, 'file://') !== 0) {
+            $publicKeyPath = 'file://' . $publicKeyPath;
+        }
+
+        $this->publicKeyPath = $publicKeyPath;
+    }
+
+    /**
+     * Encrypt data with a private key.
+     *
+     * @param string $unencryptedData
+     *
+     * @return string
+     */
+    protected function encrypt($unencryptedData)
+    {
+        $privateKey = openssl_pkey_get_private($this->privateKeyPath);
+        $privateKeyDetails = @openssl_pkey_get_details($privateKey);
+        if ($privateKeyDetails === null) {
+            throw new \LogicException(sprintf('Could not get details of private key: %s', $this->privateKeyPath));
+        }
+
+        $chunkSize = ceil($privateKeyDetails['bits'] / 8) - 11;
+        $output = '';
+
+        while ($unencryptedData) {
+            $chunk = substr($unencryptedData, 0, $chunkSize);
+            $unencryptedData = substr($unencryptedData, $chunkSize);
+            if (openssl_private_encrypt($chunk, $encrypted, $privateKey) === false) {
+                // @codeCoverageIgnoreStart
+                throw new \LogicException('Failed to encrypt data');
+                // @codeCoverageIgnoreEnd
+            }
+            $output .= $encrypted;
+        }
+        openssl_free_key($privateKey);
+
+        return base64_encode($output);
+    }
+
+    /**
+     * Decrypt data with a public key.
+     *
+     * @param string $encryptedData
+     *
+     * @throws \LogicException
+     *
+     * @return string
+     */
+    protected function decrypt($encryptedData)
+    {
+        $publicKey = openssl_pkey_get_public($this->publicKeyPath);
+        $publicKeyDetails = @openssl_pkey_get_details($publicKey);
+        if ($publicKeyDetails === null) {
+            throw new \LogicException(sprintf('Could not get details of public key: %s', $this->publicKeyPath));
+        }
+
+        $chunkSize = ceil($publicKeyDetails['bits'] / 8);
+        $output = '';
+
+        $encryptedData = base64_decode($encryptedData);
+
+        while ($encryptedData) {
+            $chunk = substr($encryptedData, 0, $chunkSize);
+            $encryptedData = substr($encryptedData, $chunkSize);
+            if (openssl_public_decrypt($chunk, $decrypted, $publicKey/*, OPENSSL_PKCS1_OAEP_PADDING*/) === false) {
+                // @codeCoverageIgnoreStart
+                throw new \LogicException('Failed to decrypt data');
+                // @codeCoverageIgnoreEnd
+            }
+            $output .= $decrypted;
+        }
+        openssl_free_key($publicKey);
+
+        return $output;
+    }
+}

src/Entities/AccessTokenEntity.php

@@ -0,0 +1,36 @@
+<?php
+
+namespace League\OAuth2\Server\Entities;
+
+use Lcobucci\JWT\Builder;
+use Lcobucci\JWT\Signer\Key;
+use Lcobucci\JWT\Signer\Rsa\Sha256;
+use League\OAuth2\Server\Entities\Interfaces\AccessTokenEntityInterface;
+use League\OAuth2\Server\Entities\Traits\EntityTrait;
+use League\OAuth2\Server\Entities\Traits\TokenEntityTrait;
+
+class AccessTokenEntity implements AccessTokenEntityInterface
+{
+    use EntityTrait, TokenEntityTrait;
+
+    /**
+     * Generate a JWT from the access token
+     *
+     * @param string $privateKeyPath
+     *
+     * @return string
+     */
+    public function convertToJWT($privateKeyPath)
+    {
+        return (new Builder())
+            ->setAudience($this->getClient()->getIdentifier())
+            ->setId($this->getIdentifier(), true)
+            ->setIssuedAt(time())
+            ->setNotBefore(time())
+            ->setExpiration($this->getExpiryDateTime()->getTimestamp())
+            ->setSubject($this->getUserIdentifier())
+            ->set('scopes', $this->getScopes())
+            ->sign(new Sha256(), new Key($privateKeyPath))
+            ->getToken();
+    }
+}

src/Entities/AuthCodeEntity.php

@@ -0,0 +1,33 @@
+<?php
+
+namespace League\OAuth2\Server\Entities;
+
+use League\OAuth2\Server\Entities\Interfaces\AuthCodeEntityInterface;
+use League\OAuth2\Server\Entities\Traits\EntityTrait;
+use League\OAuth2\Server\Entities\Traits\TokenEntityTrait;
+
+/**
+ * Class AuthCodeEntity.
+ */
+class AuthCodeEntity implements AuthCodeEntityInterface
+{
+    use EntityTrait, TokenEntityTrait;
+
+    protected $redirectUri;
+
+    /**
+     * @return string
+     */
+    public function getRedirectUri()
+    {
+        return $this->redirectUri;
+    }
+
+    /**
+     * @param string $uri
+     */
+    public function setRedirectUri($uri)
+    {
+        $this->redirectUri = $uri;
+    }
+}

src/Entities/Interfaces/AccessTokenEntityInterface.php

@@ -0,0 +1,15 @@
+<?php
+
+namespace League\OAuth2\Server\Entities\Interfaces;
+
+interface AccessTokenEntityInterface extends TokenInterface
+{
+    /**
+     * Generate a JWT from the access token
+     *
+     * @param string $privateKeyPath
+     *
+     * @return string
+     */
+    public function convertToJWT($privateKeyPath);
+}

src/Entities/Interfaces/AuthCodeEntityInterface.php

@@ -0,0 +1,16 @@
+<?php
+
+namespace League\OAuth2\Server\Entities\Interfaces;
+
+interface AuthCodeEntityInterface extends TokenInterface
+{
+    /**
+     * @return string
+     */
+    public function getRedirectUri();
+
+    /**
+     * @param string $uri
+     */
+    public function setRedirectUri($uri);
+}

src/Entities/Interfaces/ClientEntityInterface.php

@@ -0,0 +1,48 @@
+<?php
+
+namespace League\OAuth2\Server\Entities\Interfaces;
+
+interface ClientEntityInterface
+{
+    /**
+     * Get the client's identifier.
+     *
+     * @return string
+     */
+    public function getIdentifier();
+
+    /**
+     * Set the client's identifier.
+     *
+     * @param $identifier
+     */
+    public function setIdentifier($identifier);
+
+    /**
+     * Get the client's name.
+     *
+     * @return string
+     */
+    public function getName();
+
+    /**
+     * Set the client's name.
+     *
+     * @param string $name
+     */
+    public function setName($name);
+
+    /**
+     * Set the client's redirect uri.
+     *
+     * @param string $redirectUri
+     */
+    public function setRedirectUri($redirectUri);
+
+    /**
+     * Returns the registered redirect URI.
+     *
+     * @return string
+     */
+    public function getRedirectUri();
+}

src/Entities/Interfaces/RefreshTokenEntityInterface.php

@@ -0,0 +1,55 @@
+<?php
+
+namespace League\OAuth2\Server\Entities\Interfaces;
+
+interface RefreshTokenEntityInterface
+{
+    /**
+     * Get the token's identifier.
+     *
+     * @return string
+     */
+    public function getIdentifier();
+
+    /**
+     * Set the token's identifier.
+     *
+     * @param $identifier
+     */
+    public function setIdentifier($identifier);
+
+    /**
+     * Get the token's expiry date time.
+     *
+     * @return \DateTime
+     */
+    public function getExpiryDateTime();
+
+    /**
+     * Set the date time when the token expires.
+     *
+     * @param \DateTime $dateTime
+     */
+    public function setExpiryDateTime(\DateTime $dateTime);
+
+    /**
+     * Set the access token that the refresh token was associated with.
+     *
+     * @param \League\OAuth2\Server\Entities\Interfaces\AccessTokenEntityInterface $accessToken
+     */
+    public function setAccessToken(AccessTokenEntityInterface $accessToken);
+
+    /**
+     * Get the access token that the refresh token was originally associated with.
+     *
+     * @return \League\OAuth2\Server\Entities\Interfaces\AccessTokenEntityInterface
+     */
+    public function getAccessToken();
+
+    /**
+     * Has the token expired?
+     *
+     * @return bool
+     */
+    public function isExpired();
+}

src/Entities/Interfaces/ScopeEntityInterface.php

@@ -0,0 +1,20 @@
+<?php
+
+namespace League\OAuth2\Server\Entities\Interfaces;
+
+interface ScopeEntityInterface extends \JsonSerializable
+{
+    /**
+     * Get the scope's identifier.
+     *
+     * @return string
+     */
+    public function getIdentifier();
+
+    /**
+     * Set the scope's identifier.
+     *
+     * @param $identifier
+     */
+    public function setIdentifier($identifier);
+}

src/Entities/Interfaces/TokenInterface.php

@@ -0,0 +1,83 @@
+<?php
+
+namespace League\OAuth2\Server\Entities\Interfaces;
+
+interface TokenInterface
+{
+    /**
+     * Get the token's identifier.
+     *
+     * @return string
+     */
+    public function getIdentifier();
+
+    /**
+     * Set the token's identifier.
+     *
+     * @param $identifier
+     */
+    public function setIdentifier($identifier);
+
+    /**
+     * Get the token's expiry date time.
+     *
+     * @return \DateTime
+     */
+    public function getExpiryDateTime();
+
+    /**
+     * Set the date time when the token expires.
+     *
+     * @param \DateTime $dateTime
+     */
+    public function setExpiryDateTime(\DateTime $dateTime);
+
+    /**
+     * Set the identifier of the user associated with the token.
+     *
+     * @param string|int $identifier The identifier of the user
+     */
+    public function setUserIdentifier($identifier);
+
+    /**
+     * Get the token user's identifier.
+     *
+     * @return string|int
+     */
+    public function getUserIdentifier();
+
+    /**
+     * Get the client that the token was issued to.
+     *
+     * @return ClientEntityInterface
+     */
+    public function getClient();
+
+    /**
+     * Set the client that the token was issued to.
+     *
+     * @param \League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface $client
+     */
+    public function setClient(ClientEntityInterface $client);
+
+    /**
+     * Associate a scope with the token.
+     *
+     * @param \League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface $scope
+     */
+    public function addScope(ScopeEntityInterface $scope);
+
+    /**
+     * Return an array of scopes associated with the token.
+     *
+     * @return ScopeEntityInterface[]
+     */
+    public function getScopes();
+
+    /**
+     * Has the token expired?
+     *
+     * @return bool
+     */
+    public function isExpired();
+}

src/Entities/Interfaces/UserEntityInterface.php

@@ -0,0 +1,13 @@
+<?php
+
+namespace League\OAuth2\Server\Entities\Interfaces;
+
+interface UserEntityInterface
+{
+    /**
+     * Return the user's identifier.
+     *
+     * @return mixed
+     */
+    public function getIdentifier();
+}

src/Entities/RefreshTokenEntity.php

@@ -0,0 +1,15 @@
+<?php
+
+namespace League\OAuth2\Server\Entities;
+
+use League\OAuth2\Server\Entities\Interfaces\RefreshTokenEntityInterface;
+use League\OAuth2\Server\Entities\Traits\EntityTrait;
+use League\OAuth2\Server\Entities\Traits\RefreshTokenTrait;
+
+/**
+ * Class RefreshTokenEntity.
+ */
+class RefreshTokenEntity implements RefreshTokenEntityInterface
+{
+    use EntityTrait, RefreshTokenTrait;
+}

src/Entities/Traits/EntityTrait.php

@@ -0,0 +1,27 @@
+<?php
+
+namespace League\OAuth2\Server\Entities\Traits;
+
+trait EntityTrait
+{
+    /*
+     * @var string
+     */
+    protected $identifier;
+
+    /**
+     * @return mixed
+     */
+    public function getIdentifier()
+    {
+        return $this->identifier;
+    }
+
+    /**
+     * @param mixed $identifier
+     */
+    public function setIdentifier($identifier)
+    {
+        $this->identifier = $identifier;
+    }
+}

src/Entities/Traits/RefreshTokenTrait.php

@@ -0,0 +1,65 @@
+<?php
+
+namespace League\OAuth2\Server\Entities\Traits;
+
+use DateTime;
+use League\OAuth2\Server\Entities\Interfaces\AccessTokenEntityInterface;
+
+trait RefreshTokenTrait
+{
+    /**
+     * @var AccessTokenEntityInterface
+     */
+    protected $accessToken;
+
+    /**
+     * @var DateTime
+     */
+    protected $expiryDateTime;
+
+    /**
+     * {@inheritdoc}
+     */
+    public function setAccessToken(AccessTokenEntityInterface $accessToken)
+    {
+        $this->accessToken = $accessToken;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getAccessToken()
+    {
+        return $this->accessToken;
+    }
+
+    /**
+     * Get the token's expiry date time.
+     *
+     * @return DateTime
+     */
+    public function getExpiryDateTime()
+    {
+        return $this->expiryDateTime;
+    }
+
+    /**
+     * Set the date time when the token expires.
+     *
+     * @param DateTime $dateTime
+     */
+    public function setExpiryDateTime(DateTime $dateTime)
+    {
+        $this->expiryDateTime = $dateTime;
+    }
+
+    /**
+     * Has the token expired?
+     *
+     * @return bool
+     */
+    public function isExpired()
+    {
+        return (new DateTime()) > $this->getExpiryDateTime();
+    }
+}

src/Entities/Traits/TokenEntityTrait.php

@@ -0,0 +1,120 @@
+<?php
+
+namespace League\OAuth2\Server\Entities\Traits;
+
+use DateTime;
+use League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface;
+use League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface;
+
+trait TokenEntityTrait
+{
+    /**
+     * @var ScopeEntityInterface[]
+     */
+    protected $scopes = [];
+
+    /**
+     * @var DateTime
+     */
+    protected $expiryDateTime;
+
+    /**
+     * @var string|int
+     */
+    protected $userIdentifier;
+
+    /**
+     * @var ClientEntityInterface
+     */
+    protected $client;
+
+    /**
+     * Associate a scope with the token.
+     *
+     * @param \League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface $scope
+     */
+    public function addScope(ScopeEntityInterface $scope)
+    {
+        $this->scopes[$scope->getIdentifier()] = $scope;
+    }
+
+    /**
+     * Return an array of scopes associated with the token.
+     *
+     * @return ScopeEntityInterface[]
+     */
+    public function getScopes()
+    {
+        return array_values($this->scopes);
+    }
+
+    /**
+     * Get the token's expiry date time.
+     *
+     * @return DateTime
+     */
+    public function getExpiryDateTime()
+    {
+        return $this->expiryDateTime;
+    }
+
+    /**
+     * Set the date time when the token expires.
+     *
+     * @param DateTime $dateTime
+     */
+    public function setExpiryDateTime(DateTime $dateTime)
+    {
+        $this->expiryDateTime = $dateTime;
+    }
+
+    /**
+     * Set the identifier of the user associated with the token.
+     *
+     * @param string|int $identifier The identifier of the user
+     */
+    public function setUserIdentifier($identifier)
+    {
+        $this->userIdentifier = $identifier;
+    }
+
+    /**
+     * Get the token user's identifier.
+     *
+     * @return string|int
+     */
+    public function getUserIdentifier()
+    {
+        return $this->userIdentifier;
+    }
+
+    /**
+     * Get the client that the token was issued to.
+     *
+     * @return ClientEntityInterface
+     */
+    public function getClient()
+    {
+        return $this->client;
+    }
+
+    /**
+     * Set the client that the token was issued to.
+     *
+     * @param \League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface $client
+     */
+    public function setClient(ClientEntityInterface $client)
+    {
+        $this->client = $client;
+    }
+
+    /**
+     * Has the token expired?
+     *
+     * @return bool
+     */
+    public function isExpired()
+    {
+        return (new DateTime()) > $this->getExpiryDateTime();
+    }
+}

src/Exception/OAuthServerException.php

@@ -0,0 +1,265 @@
+<?php
+
+namespace League\OAuth2\Server\Exception;
+
+use Psr\Http\Message\ResponseInterface;
+
+class OAuthServerException extends \Exception
+{
+    /**
+     * @var int
+     */
+    private $httpStatusCode;
+
+    /**
+     * @var string
+     */
+    private $errorType;
+
+    /**
+     * @var null|string
+     */
+    private $hint;
+
+    /**
+     * @var null|string
+     */
+    private $redirectUri;
+
+    /**
+     * Throw a new exception.
+     *
+     * @param string      $message        Error message
+     * @param int         $code           Error code
+     * @param string      $errorType      Error type
+     * @param int         $httpStatusCode HTTP status code to send (default = 400)
+     * @param null|string $hint           A helper hint
+     * @param null|string $redirectUri    A HTTP URI to redirect the user back to
+     */
+    public function __construct($message, $code, $errorType, $httpStatusCode = 400, $hint = null, $redirectUri = null)
+    {
+        parent::__construct($message, $code);
+        $this->httpStatusCode = $httpStatusCode;
+        $this->errorType = $errorType;
+        $this->hint = $hint;
+        $this->redirectUri = $redirectUri;
+    }
+
+    /**
+     * Unsupported grant type error.
+     *
+     * @return static
+     */
+    public static function unsupportedGrantType()
+    {
+        $errorMessage = 'The authorization grant type is not supported by the authorization server.';
+        $hint = 'Check the `grant_type` parameter';
+
+        return new static($errorMessage, 2, 'unsupported_grant_type', 400, $hint);
+    }
+
+    /**
+     * Invalid request error.
+     *
+     * @param string      $parameter The invalid parameter
+     * @param string|null $hint
+     *
+     * @return static
+     */
+    public static function invalidRequest($parameter, $hint = null)
+    {
+        $errorMessage = 'The request is missing a required parameter, includes an invalid parameter value, ' .
+            'includes a parameter more than once, or is otherwise malformed.';
+        $hint = ($hint === null) ? sprintf('Check the `%s` parameter', $parameter) : $hint;
+
+        return new static($errorMessage, 3, 'invalid_request', 400, $hint);
+    }
+
+    /**
+     * Invalid client error.
+     *
+     * @return static
+     */
+    public static function invalidClient()
+    {
+        $errorMessage = 'Client authentication failed';
+
+        return new static($errorMessage, 4, 'invalid_client', 401);
+    }
+
+    /**
+     * Invalid scope error.
+     *
+     * @param string      $scope       The bad scope
+     * @param null|string $redirectUri A HTTP URI to redirect the user back to
+     *
+     * @return static
+     */
+    public static function invalidScope($scope, $redirectUri = null)
+    {
+        $errorMessage = 'The requested scope is invalid, unknown, or malformed';
+        $hint = sprintf('Check the `%s` scope', $scope);
+
+        return new static($errorMessage, 5, 'invalid_scope', 400, $hint, $redirectUri);
+    }
+
+    /**
+     * Invalid credentials error.
+     *
+     * @return static
+     */
+    public static function invalidCredentials()
+    {
+        return new static('The user credentials were incorrect.', 6, 'invalid_credentials', 401);
+    }
+
+    /**
+     * Server error.
+     *
+     * @param $hint
+     *
+     * @return static
+     */
+    public static function serverError($hint)
+    {
+        return new static(
+            'The authorization server encountered an unexpected condition which prevented it from fulfilling'
+            . ' the request: ' . $hint,
+            7,
+            'server_error',
+            500
+        );
+    }
+
+    /**
+     * Invalid refresh token.
+     *
+     * @param string|null $hint
+     *
+     * @return static
+     */
+    public static function invalidRefreshToken($hint = null)
+    {
+        return new static('The refresh token is invalid.', 8, 'invalid_request', 400, $hint);
+    }
+
+    /**
+     * Access denied.
+     *
+     * @param string|null $hint
+     * @param string|null $redirectUri
+     *
+     * @return static
+     */
+    public static function accessDenied($hint = null, $redirectUri = null)
+    {
+        return new static(
+            'The resource owner or authorization server denied the request.',
+            9,
+            'access_denied',
+            401,
+            $hint,
+            $redirectUri
+        );
+    }
+
+    /**
+     * @return string
+     */
+    public function getErrorType()
+    {
+        return $this->errorType;
+    }
+
+    /**
+     * Generate a HTTP response.
+     *
+     * @param \Psr\Http\Message\ResponseInterface $response
+     * @param bool                                $useFragment True if errors should be in the URI fragment instead of
+     *                                                         query string
+     *
+     * @return \Psr\Http\Message\ResponseInterface
+     */
+    public function generateHttpResponse(ResponseInterface $response, $useFragment = false)
+    {
+        $headers = $this->getHttpHeaders();
+
+        $payload = [
+            'error'   => $this->getErrorType(),
+            'message' => $this->getMessage(),
+        ];
+
+        if ($this->hint !== null) {
+            $payload['hint'] = $this->hint;
+        }
+
+        if ($this->redirectUri !== null) {
+            if ($useFragment === true) {
+                $this->redirectUri .= (strstr($this->redirectUri, '#') === false) ? '#' : '&';
+            } else {
+                $this->redirectUri .= (strstr($this->redirectUri, '?') === false) ? '?' : '&';
+            }
+
+            return $response->withStatus(302)->withHeader('Location', $this->redirectUri . http_build_query($payload));
+        }
+
+        foreach ($headers as $header => $content) {
+            $response = $response->withHeader($header, $content);
+        }
+
+        $response->getBody()->write(json_encode($payload));
+
+        return $response->withStatus($this->getHttpStatusCode());
+    }
+
+    /**
+     * Get all headers that have to be send with the error response.
+     *
+     * @return array Array with header values
+     */
+    public function getHttpHeaders()
+    {
+        $headers = [
+            'Content-type' => 'application/json',
+        ];
+
+        // Add "WWW-Authenticate" header
+        //
+        // RFC 6749, section 5.2.:
+        // "If the client attempted to authenticate via the 'Authorization'
+        // request header field, the authorization server MUST
+        // respond with an HTTP 401 (Unauthorized) status code and
+        // include the "WWW-Authenticate" response header field
+        // matching the authentication scheme used by the client.
+        // @codeCoverageIgnoreStart
+        if ($this->errorType === 'invalid_client') {
+            $authScheme = 'Basic';
+            if (array_key_exists('HTTP_AUTHORIZATION', $_SERVER) !== false
+                && strpos($_SERVER['HTTP_AUTHORIZATION'], 'Bearer') === 0
+            ) {
+                $authScheme = 'Bearer';
+            }
+            $headers[] = 'WWW-Authenticate: ' . $authScheme . ' realm="OAuth"';
+        }
+        // @codeCoverageIgnoreEnd
+        return $headers;
+    }
+
+    /**
+     * Returns the HTTP status code to send when the exceptions is output.
+     *
+     * @return int
+     */
+    public function getHttpStatusCode()
+    {
+        return $this->httpStatusCode;
+    }
+
+    /**
+     * @return null|string
+     */
+    public function getHint()
+    {
+        return $this->hint;
+    }
+}

src/Grant/AbstractAuthorizeGrant.php

@@ -0,0 +1,66 @@
+<?php
+/**
+ * Abstract authorization grant.
+ *
+ * @author      Julián Gutiérrez <juliangut@gmail.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Grant;
+
+use League\OAuth2\Server\TemplateRenderer\PlatesRenderer;
+use League\OAuth2\Server\TemplateRenderer\RendererInterface;
+use League\Plates\Engine;
+
+abstract class AbstractAuthorizeGrant extends AbstractGrant
+{
+    /**
+     * @var \League\OAuth2\Server\TemplateRenderer\RendererInterface
+     */
+    protected $templateRenderer;
+
+    /**
+     * Set the template renderer
+     *
+     * @param RendererInterface $templateRenderer
+     */
+    public function setTemplateRenderer(RendererInterface $templateRenderer)
+    {
+        $this->templateRenderer = $templateRenderer;
+    }
+
+    /**
+     * Retrieve template renderer.
+     *
+     * @return \League\OAuth2\Server\TemplateRenderer\RendererInterface
+     */
+    protected function getTemplateRenderer()
+    {
+        if (!$this->templateRenderer instanceof RendererInterface) {
+            $this->templateRenderer = new PlatesRenderer(
+                new Engine(__DIR__ . '/../TemplateRenderer/DefaultTemplates'),
+                'login_user',
+                'authorize_client'
+            );
+        }
+
+        return $this->templateRenderer;
+    }
+
+    /**
+     * @param string $uri
+     * @param array  $params
+     * @param string $queryDelimiter
+     *
+     * @return string
+     */
+    public function makeRedirectUri($uri, $params = [], $queryDelimiter = '?')
+    {
+        $uri .= (strstr($uri, $queryDelimiter) === false) ? $queryDelimiter : '&';
+
+        return $uri . http_build_query($params);
+    }
+}

src/Grant/AbstractGrant.php

@@ -0,0 +1,397 @@
+<?php
+/**
+ * OAuth 2.0 Abstract grant.
+ *
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+namespace League\OAuth2\Server\Grant;
+
+use League\Event\EmitterAwareTrait;
+use League\OAuth2\Server\CryptTrait;
+use League\OAuth2\Server\Entities\AccessTokenEntity;
+use League\OAuth2\Server\Entities\AuthCodeEntity;
+use League\OAuth2\Server\Entities\Interfaces\AccessTokenEntityInterface;
+use League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface;
+use League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface;
+use League\OAuth2\Server\Entities\RefreshTokenEntity;
+use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+use League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface;
+use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
+use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
+use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
+use League\OAuth2\Server\Repositories\UserRepositoryInterface;
+use League\OAuth2\Server\RequestEvent;
+use Psr\Http\Message\ServerRequestInterface;
+
+/**
+ * Abstract grant class.
+ */
+abstract class AbstractGrant implements GrantTypeInterface
+{
+    use EmitterAwareTrait, CryptTrait;
+
+    const SCOPE_DELIMITER_STRING = ' ';
+
+    /**
+     * @var ServerRequestInterface
+     */
+    protected $request;
+
+    /**
+     * @var ClientRepositoryInterface
+     */
+    protected $clientRepository;
+
+    /**
+     * @var AccessTokenRepositoryInterface
+     */
+    protected $accessTokenRepository;
+
+    /**
+     * @var ScopeRepositoryInterface
+     */
+    protected $scopeRepository;
+
+    /**
+     * @var \League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface
+     */
+    protected $authCodeRepository;
+
+    /**
+     * @var \League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface
+     */
+    protected $refreshTokenRepository;
+
+    /**
+     * @var \League\OAuth2\Server\Repositories\UserRepositoryInterface
+     */
+    protected $userRepository;
+
+    /**
+     * @var \DateInterval
+     */
+    protected $refreshTokenTTL;
+
+    /**
+     * @param ClientRepositoryInterface $clientRepository
+     */
+    public function setClientRepository(ClientRepositoryInterface $clientRepository)
+    {
+        $this->clientRepository = $clientRepository;
+    }
+
+    /**
+     * @param AccessTokenRepositoryInterface $accessTokenRepository
+     */
+    public function setAccessTokenRepository(AccessTokenRepositoryInterface $accessTokenRepository)
+    {
+        $this->accessTokenRepository = $accessTokenRepository;
+    }
+
+    /**
+     * @param ScopeRepositoryInterface $scopeRepository
+     */
+    public function setScopeRepository(ScopeRepositoryInterface $scopeRepository)
+    {
+        $this->scopeRepository = $scopeRepository;
+    }
+
+    /**
+     * @param \League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface $refreshTokenRepository
+     */
+    public function setRefreshTokenRepository(RefreshTokenRepositoryInterface $refreshTokenRepository)
+    {
+        $this->refreshTokenRepository = $refreshTokenRepository;
+    }
+
+    /**
+     * @param \League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface $authCodeRepository
+     */
+    public function setAuthCodeRepository(AuthCodeRepositoryInterface $authCodeRepository)
+    {
+        $this->authCodeRepository = $authCodeRepository;
+    }
+
+    /**
+     * @param \League\OAuth2\Server\Repositories\UserRepositoryInterface $userRepository
+     */
+    public function setUserRepository(UserRepositoryInterface $userRepository)
+    {
+        $this->userRepository = $userRepository;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function setRefreshTokenTTL(\DateInterval $refreshTokenTTL)
+    {
+        $this->refreshTokenTTL = $refreshTokenTTL;
+    }
+
+    /**
+     * Validate the client.
+     *
+     * @param \Psr\Http\Message\ServerRequestInterface $request
+     *
+     * @throws \League\OAuth2\Server\Exception\OAuthServerException
+     *
+     * @return \League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface
+     */
+    protected function validateClient(ServerRequestInterface $request)
+    {
+        $clientId = $this->getRequestParameter(
+            'client_id',
+            $request,
+            $this->getServerParameter('PHP_AUTH_USER', $request)
+        );
+        if (is_null($clientId)) {
+            throw OAuthServerException::invalidRequest('client_id', '`%s` parameter is missing');
+        }
+
+        // If the client is confidential require the client secret
+        $clientSecret = $this->getRequestParameter(
+            'client_secret',
+            $request,
+            $this->getServerParameter('PHP_AUTH_PW', $request)
+        );
+
+        $client = $this->clientRepository->getClientEntity(
+            $clientId,
+            $this->getIdentifier(),
+            $clientSecret
+        );
+
+        if (!$client instanceof ClientEntityInterface) {
+            $this->getEmitter()->emit(new RequestEvent('client.authentication.failed', $request));
+            throw OAuthServerException::invalidClient();
+        }
+
+        // If a redirect URI is provided ensure it matches what is pre-registered
+        $redirectUri = $this->getRequestParameter('redirect_uri', $request, null);
+        if ($redirectUri !== null && (strcmp($client->getRedirectUri(), $redirectUri) !== 0)) {
+            throw OAuthServerException::invalidClient();
+        }
+
+        return $client;
+    }
+
+    /**
+     * Validate scopes in the request.
+     *
+     * @param string                                                          $scopes
+     * @param \League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface $client
+     * @param string                                                          $redirectUri
+     *
+     * @throws \League\OAuth2\Server\Exception\OAuthServerException
+     *
+     * @return \League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface[]
+     */
+    public function validateScopes(
+        $scopes,
+        ClientEntityInterface $client,
+        $redirectUri = null
+    ) {
+        $scopesList = array_filter(
+            explode(self::SCOPE_DELIMITER_STRING, trim($scopes)),
+            function ($scope) {
+                return !empty($scope);
+            }
+        );
+
+        $scopes = [];
+        foreach ($scopesList as $scopeItem) {
+            $scope = $this->scopeRepository->getScopeEntityByIdentifier($scopeItem);
+
+            if (($scope instanceof ScopeEntityInterface) === false) {
+                throw OAuthServerException::invalidScope($scopeItem, $redirectUri);
+            }
+
+            $scopes[] = $scope;
+        }
+
+        return $scopes;
+    }
+
+    /**
+     * Retrieve request parameter.
+     *
+     * @param string                                   $parameter
+     * @param \Psr\Http\Message\ServerRequestInterface $request
+     * @param mixed                                    $default
+     *
+     * @return null|string
+     */
+    protected function getRequestParameter($parameter, ServerRequestInterface $request, $default = null)
+    {
+        $requestParameters = (array) $request->getParsedBody();
+
+        return isset($requestParameters[$parameter]) ? $requestParameters[$parameter] : $default;
+    }
+
+    /**
+     * Retrieve query string parameter.
+     *
+     * @param string                                   $parameter
+     * @param \Psr\Http\Message\ServerRequestInterface $request
+     * @param mixed                                    $default
+     *
+     * @return null|string
+     */
+    protected function getQueryStringParameter($parameter, ServerRequestInterface $request, $default = null)
+    {
+        return isset($request->getQueryParams()[$parameter]) ? $request->getQueryParams()[$parameter] : $default;
+    }
+
+    /**
+     * Retrieve cookie parameter.
+     *
+     * @param string                                   $parameter
+     * @param \Psr\Http\Message\ServerRequestInterface $request
+     * @param mixed                                    $default
+     *
+     * @return null|string
+     */
+    protected function getCookieParameter($parameter, ServerRequestInterface $request, $default = null)
+    {
+        return isset($request->getCookieParams()[$parameter]) ? $request->getCookieParams()[$parameter] : $default;
+    }
+
+    /**
+     * Retrieve server parameter.
+     *
+     * @param string                                   $parameter
+     * @param \Psr\Http\Message\ServerRequestInterface $request
+     * @param mixed                                    $default
+     *
+     * @return null|string
+     */
+    protected function getServerParameter($parameter, ServerRequestInterface $request, $default = null)
+    {
+        return isset($request->getServerParams()[$parameter]) ? $request->getServerParams()[$parameter] : $default;
+    }
+
+    /**
+     * Issue an access token.
+     *
+     * @param \DateInterval                                                    $accessTokenTTL
+     * @param \League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface  $client
+     * @param string                                                           $userIdentifier
+     * @param \League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface[] $scopes
+     *
+     * @return \League\OAuth2\Server\Entities\Interfaces\AccessTokenEntityInterface
+     */
+    protected function issueAccessToken(
+        \DateInterval $accessTokenTTL,
+        ClientEntityInterface $client,
+        $userIdentifier,
+        array $scopes = []
+    ) {
+        $accessToken = new AccessTokenEntity();
+        $accessToken->setIdentifier($this->generateUniqueIdentifier());
+        $accessToken->setExpiryDateTime((new \DateTime())->add($accessTokenTTL));
+        $accessToken->setClient($client);
+        $accessToken->setUserIdentifier($userIdentifier);
+
+        foreach ($scopes as $scope) {
+            $accessToken->addScope($scope);
+        }
+
+        $this->accessTokenRepository->persistNewAccessToken($accessToken);
+
+        return $accessToken;
+    }
+
+    /**
+     * Issue an auth code.
+     *
+     * @param \DateInterval                                                    $authCodeTTL
+     * @param \League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface  $client
+     * @param string                                                           $userIdentifier
+     * @param string                                                           $redirectUri
+     * @param \League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface[] $scopes
+     *
+     * @return \League\OAuth2\Server\Entities\Interfaces\AuthCodeEntityInterface
+     */
+    protected function issueAuthCode(
+        \DateInterval $authCodeTTL,
+        ClientEntityInterface $client,
+        $userIdentifier,
+        $redirectUri,
+        array $scopes = []
+    ) {
+        $authCode = new AuthCodeEntity();
+        $authCode->setIdentifier($this->generateUniqueIdentifier());
+        $authCode->setExpiryDateTime((new \DateTime())->add($authCodeTTL));
+        $authCode->setClient($client);
+        $authCode->setUserIdentifier($userIdentifier);
+        $authCode->setRedirectUri($redirectUri);
+
+        foreach ($scopes as $scope) {
+            $authCode->addScope($scope);
+        }
+
+        $this->authCodeRepository->persistNewAuthCode($authCode);
+
+        return $authCode;
+    }
+
+    /**
+     * @param \League\OAuth2\Server\Entities\Interfaces\AccessTokenEntityInterface $accessToken
+     *
+     * @return \League\OAuth2\Server\Entities\Interfaces\RefreshTokenEntityInterface
+     */
+    protected function issueRefreshToken(AccessTokenEntityInterface $accessToken)
+    {
+        $refreshToken = new RefreshTokenEntity();
+        $refreshToken->setIdentifier($this->generateUniqueIdentifier());
+        $refreshToken->setExpiryDateTime((new \DateTime())->add($this->refreshTokenTTL));
+        $refreshToken->setAccessToken($accessToken);
+
+        $this->refreshTokenRepository->persistNewRefreshToken($refreshToken);
+
+        return $refreshToken;
+    }
+
+    /**
+     * Generate a new unique identifier.
+     *
+     * @param int $length
+     *
+     * @throws \League\OAuth2\Server\Exception\OAuthServerException
+     *
+     * @return string
+     */
+    protected function generateUniqueIdentifier($length = 40)
+    {
+        try {
+            return bin2hex(random_bytes($length));
+            // @codeCoverageIgnoreStart
+        } catch (\TypeError $e) {
+            throw OAuthServerException::serverError('An unexpected error has occurred');
+        } catch (\Error $e) {
+            throw OAuthServerException::serverError('An unexpected error has occurred');
+        } catch (\Exception $e) {
+            // If you get this message, the CSPRNG failed hard.
+            throw OAuthServerException::serverError('Could not generate a random string');
+        }
+        // @codeCoverageIgnoreEnd
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function canRespondToRequest(ServerRequestInterface $request)
+    {
+        $requestParameters = (array) $request->getParsedBody();
+
+        return (
+            array_key_exists('grant_type', $requestParameters)
+            && $requestParameters['grant_type'] === $this->getIdentifier()
+        );
+    }
+}

src/Grant/AuthCodeGrant.php

@@ -0,0 +1,350 @@
+<?php
+
+namespace League\OAuth2\Server\Grant;
+
+use DateInterval;
+use League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface;
+use League\OAuth2\Server\Entities\Interfaces\UserEntityInterface;
+use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface;
+use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
+use League\OAuth2\Server\Repositories\UserRepositoryInterface;
+use League\OAuth2\Server\RequestEvent;
+use League\OAuth2\Server\ResponseTypes\HtmlResponse;
+use League\OAuth2\Server\ResponseTypes\RedirectResponse;
+use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
+use League\OAuth2\Server\TemplateRenderer\RendererInterface;
+use Psr\Http\Message\ServerRequestInterface;
+
+class AuthCodeGrant extends AbstractAuthorizeGrant
+{
+    /**
+     * @var \DateInterval
+     */
+    private $authCodeTTL;
+
+    /**
+     * @param \League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface     $authCodeRepository
+     * @param \League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface $refreshTokenRepository
+     * @param \League\OAuth2\Server\Repositories\UserRepositoryInterface         $userRepository
+     * @param \DateInterval                                                      $authCodeTTL
+     * @param \League\OAuth2\Server\TemplateRenderer\RendererInterface|null      $templateRenderer
+     */
+    public function __construct(
+        AuthCodeRepositoryInterface $authCodeRepository,
+        RefreshTokenRepositoryInterface $refreshTokenRepository,
+        UserRepositoryInterface $userRepository,
+        \DateInterval $authCodeTTL,
+        RendererInterface $templateRenderer = null
+    ) {
+        $this->setAuthCodeRepository($authCodeRepository);
+        $this->setRefreshTokenRepository($refreshTokenRepository);
+        $this->setUserRepository($userRepository);
+        $this->authCodeTTL = $authCodeTTL;
+        $this->refreshTokenTTL = new \DateInterval('P1M');
+        $this->templateRenderer = $templateRenderer;
+    }
+
+    /**
+     * Respond to an authorization request.
+     *
+     * @param \Psr\Http\Message\ServerRequestInterface $request
+     *
+     * @throws \League\OAuth2\Server\Exception\OAuthServerException
+     *
+     * @return \Psr\Http\Message\ResponseInterface
+     */
+    protected function respondToAuthorizationRequest(
+        ServerRequestInterface $request
+    ) {
+        $clientId = $this->getQueryStringParameter(
+            'client_id',
+            $request,
+            $this->getServerParameter('PHP_AUTH_USER', $request)
+        );
+        if (is_null($clientId)) {
+            throw OAuthServerException::invalidRequest('client_id');
+        }
+
+        $client = $this->clientRepository->getClientEntity(
+            $clientId,
+            $this->getIdentifier()
+        );
+
+        if ($client instanceof ClientEntityInterface === false) {
+            $this->getEmitter()->emit(new RequestEvent('client.authentication.failed', $request));
+            throw OAuthServerException::invalidClient();
+        }
+
+        $redirectUriParameter = $this->getQueryStringParameter('redirect_uri', $request, $client->getRedirectUri());
+        if ($redirectUriParameter !== $client->getRedirectUri()) {
+            $this->getEmitter()->emit(new RequestEvent('client.authentication.failed', $request));
+            throw OAuthServerException::invalidClient();
+        }
+
+        $scopes = $this->validateScopes(
+            $this->getQueryStringParameter('scope', $request),
+            $client,
+            $client->getRedirectUri()
+        );
+
+        $postbackUri = sprintf(
+            '//%s%s',
+            $request->getServerParams()['HTTP_HOST'],
+            $request->getServerParams()['REQUEST_URI']
+        );
+
+        $userId = null;
+        $userHasApprovedClient = null;
+        if ($this->getRequestParameter('action', $request, null) !== null) {
+            $userHasApprovedClient = ($this->getRequestParameter('action', $request) === 'approve');
+        }
+
+        // Check if the user has been authenticated
+        $oauthCookie = $this->getCookieParameter('oauth_authorize_request', $request, null);
+        if ($oauthCookie !== null) {
+            try {
+                $oauthCookiePayload = json_decode($this->decrypt($oauthCookie));
+                if (is_object($oauthCookiePayload)) {
+                    $userId = $oauthCookiePayload->user_id;
+                }
+            } catch (\LogicException $e) {
+                throw OAuthServerException::serverError($e->getMessage());
+            }
+        }
+
+        // The username + password might be available in $_POST
+        $usernameParameter = $this->getRequestParameter('username', $request, null);
+        $passwordParameter = $this->getRequestParameter('password', $request, null);
+
+        $loginError = null;
+
+        // Assert if the user has logged in already
+        if ($userId === null && $usernameParameter !== null && $passwordParameter !== null) {
+            $userEntity = $this->userRepository->getUserEntityByUserCredentials(
+                $usernameParameter,
+                $passwordParameter,
+                $this->getIdentifier(),
+                $client
+            );
+
+            if ($userEntity instanceof UserEntityInterface) {
+                $userId = $userEntity->getIdentifier();
+            } else {
+                $loginError = 'Incorrect username or password';
+            }
+        }
+
+        // The user hasn't logged in yet so show a login form
+        if ($userId === null) {
+            $html = $this->getTemplateRenderer()->renderLogin([
+                'error'        => $loginError,
+                'postback_uri' => $this->makeRedirectUri(
+                    $postbackUri,
+                    $request->getQueryParams()
+                ),
+            ]);
+
+            $htmlResponse = new HtmlResponse($this->accessTokenRepository);
+            $htmlResponse->setStatusCode(403);
+            $htmlResponse->setHtml($html);
+
+            return $htmlResponse;
+        }
+
+        // The user hasn't approved the client yet so show an authorize form
+        if ($userId !== null && $userHasApprovedClient === null) {
+            $html = $this->getTemplateRenderer()->renderAuthorize([
+                'client'       => $client,
+                'scopes'       => $scopes,
+                'postback_uri' => $this->makeRedirectUri(
+                    $postbackUri,
+                    $request->getQueryParams()
+                ),
+            ]);
+
+            $htmlResponse = new HtmlResponse($this->accessTokenRepository);
+            $htmlResponse->setStatusCode(200);
+            $htmlResponse->setHtml($html);
+            $htmlResponse->setHeader('set-cookie', sprintf(
+                'oauth_authorize_request=%s; Expires=%s',
+                urlencode($this->encrypt(
+                    json_encode([
+                        'user_id' => $userId,
+                    ])
+                )),
+                (new \DateTime())->add(new \DateInterval('PT5M'))->format('D, d M Y H:i:s e')
+            ));
+
+            return $htmlResponse;
+        }
+
+        // The user has either approved or denied the client, so redirect them back
+        $redirectUri = $client->getRedirectUri();
+        $redirectPayload = [];
+
+        $stateParameter = $this->getQueryStringParameter('state', $request);
+        if ($stateParameter !== null) {
+            $redirectPayload['state'] = $stateParameter;
+        }
+
+        // THe user approved the client, redirect them back with an auth code
+        if ($userHasApprovedClient === true) {
+
+            // Finalize the requested scopes
+            $scopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client, $userId);
+
+            $authCode = $this->issueAuthCode(
+                $this->authCodeTTL,
+                $client,
+                $userId,
+                $redirectUri,
+                $scopes
+            );
+
+            $redirectPayload['code'] = $this->encrypt(
+                json_encode(
+                    [
+                        'client_id'    => $authCode->getClient()->getIdentifier(),
+                        'redirect_uri' => $authCode->getRedirectUri(),
+                        'auth_code_id' => $authCode->getIdentifier(),
+                        'scopes'       => $authCode->getScopes(),
+                        'user_id'      => $authCode->getUserIdentifier(),
+                        'expire_time'  => (new \DateTime())->add($this->authCodeTTL)->format('U'),
+                    ]
+                )
+            );
+
+            $response = new RedirectResponse($this->accessTokenRepository);
+            $response->setRedirectUri(
+                $this->makeRedirectUri(
+                    $redirectUri,
+                    $redirectPayload
+                )
+            );
+
+            return $response;
+        }
+
+        // The user denied the client, redirect them back with an error
+        throw OAuthServerException::accessDenied('The user denied the request', (string) $redirectUri);
+    }
+
+    /**
+     * Respond to an access token request.
+     *
+     * @param \Psr\Http\Message\ServerRequestInterface                  $request
+     * @param \League\OAuth2\Server\ResponseTypes\ResponseTypeInterface $responseType
+     * @param \DateInterval                                             $accessTokenTTL
+     *
+     * @throws \League\OAuth2\Server\Exception\OAuthServerException
+     *
+     * @return \League\OAuth2\Server\ResponseTypes\ResponseTypeInterface
+     */
+    protected function respondToAccessTokenRequest(
+        ServerRequestInterface $request,
+        ResponseTypeInterface $responseType,
+        DateInterval $accessTokenTTL
+    ) {
+        // The redirect URI is required in this request
+        $redirectUri = $this->getRequestParameter('redirect_uri', $request, null);
+        if (is_null($redirectUri)) {
+            throw OAuthServerException::invalidRequest('redirect_uri');
+        }
+
+        // Validate request
+        $client = $this->validateClient($request);
+        $encryptedAuthCode = $this->getRequestParameter('code', $request, null);
+
+        if ($encryptedAuthCode === null) {
+            throw OAuthServerException::invalidRequest('code');
+        }
+
+        // Validate the authorization code
+        try {
+            $authCodePayload = json_decode($this->decrypt($encryptedAuthCode));
+            if (time() > $authCodePayload->expire_time) {
+                throw OAuthServerException::invalidRequest('code', 'Authorization code has expired');
+            }
+
+            if ($this->authCodeRepository->isAuthCodeRevoked($authCodePayload->auth_code_id) === true) {
+                throw OAuthServerException::invalidRequest('code', 'Authorization code has been revoked');
+            }
+
+            if ($authCodePayload->client_id !== $client->getIdentifier()) {
+                throw OAuthServerException::invalidRequest('code', 'Authorization code was not issued to this client');
+            }
+
+            if ($authCodePayload->redirect_uri !== $redirectUri) {
+                throw OAuthServerException::invalidRequest('redirect_uri', 'Invalid redirect URI');
+            }
+
+            $scopes = [];
+            foreach ($authCodePayload->scopes as $scopeId) {
+                $scope = $this->scopeRepository->getScopeEntityByIdentifier($scopeId);
+
+                if (!$scope) {
+                    // @codeCoverageIgnoreStart
+                    throw OAuthServerException::invalidScope($scopeId);
+                    // @codeCoverageIgnoreEnd
+                }
+
+                $scopes[] = $scope;
+            }
+        } catch (\LogicException  $e) {
+            throw OAuthServerException::invalidRequest('code', 'Cannot decrypt the authorization code');
+        }
+
+        // Issue and persist access + refresh tokens
+        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $authCodePayload->user_id, $scopes);
+        $refreshToken = $this->issueRefreshToken($accessToken);
+
+        // Inject tokens into response type
+        $responseType->setAccessToken($accessToken);
+        $responseType->setRefreshToken($refreshToken);
+
+        return $responseType;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function respondToRequest(
+        ServerRequestInterface $request,
+        ResponseTypeInterface $responseType,
+        \DateInterval $accessTokenTTL
+    ) {
+        if (
+            array_key_exists('response_type', $request->getQueryParams())
+            && $request->getQueryParams()['response_type'] === 'code'
+        ) {
+            return $this->respondToAuthorizationRequest($request);
+        }
+
+        return $this->respondToAccessTokenRequest($request, $responseType, $accessTokenTTL);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function canRespondToRequest(ServerRequestInterface $request)
+    {
+        return
+            (
+                array_key_exists('response_type', $request->getQueryParams())
+                && $request->getQueryParams()['response_type'] === 'code'
+                && isset($request->getQueryParams()['client_id'])
+            )
+            || parent::canRespondToRequest($request);
+    }
+
+    /**
+     * Return the grant identifier that can be used in matching up requests.
+     *
+     * @return string
+     */
+    public function getIdentifier()
+    {
+        return 'authorization_code';
+    }
+}

src/Grant/ClientCredentialsGrant.php

@@ -0,0 +1,52 @@
+<?php
+/**
+ * OAuth 2.0 Client credentials grant.
+ *
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+namespace League\OAuth2\Server\Grant;
+
+use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
+use Psr\Http\Message\ServerRequestInterface;
+
+/**
+ * Client credentials grant class.
+ */
+class ClientCredentialsGrant extends AbstractGrant
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function respondToRequest(
+        ServerRequestInterface $request,
+        ResponseTypeInterface $responseType,
+        \DateInterval $accessTokenTTL
+    ) {
+        // Validate request
+        $client = $this->validateClient($request);
+        $scopes = $this->validateScopes($this->getRequestParameter('scope', $request), $client);
+
+        // Finalize the requested scopes
+        $scopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client);
+
+        // Issue and persist access token
+        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $client->getIdentifier(), $scopes);
+
+        // Inject access token into response type
+        $responseType->setAccessToken($accessToken);
+
+        return $responseType;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getIdentifier()
+    {
+        return 'client_credentials';
+    }
+}

src/Grant/GrantTypeInterface.php

@@ -0,0 +1,102 @@
+<?php
+/**
+ * OAuth 2.0 Grant type interface.
+ *
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+namespace League\OAuth2\Server\Grant;
+
+use League\Event\EmitterAwareInterface;
+use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
+use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
+use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
+use Psr\Http\Message\ServerRequestInterface;
+
+/**
+ * Grant type interface.
+ */
+interface GrantTypeInterface extends EmitterAwareInterface
+{
+    /**
+     * Set refresh token TTL.
+     *
+     * @param \DateInterval $refreshTokenTTL
+     */
+    public function setRefreshTokenTTL(\DateInterval $refreshTokenTTL);
+
+    /**
+     * Return the grant identifier that can be used in matching up requests.
+     *
+     * @return string
+     */
+    public function getIdentifier();
+
+    /**
+     * Respond to an incoming request.
+     *
+     * @param \Psr\Http\Message\ServerRequestInterface                  $request
+     * @param \League\OAuth2\Server\ResponseTypes\ResponseTypeInterface $responseType
+     * @param \DateInterval                                             $accessTokenTTL
+     *
+     * @return \League\OAuth2\Server\ResponseTypes\ResponseTypeInterface
+     */
+    public function respondToRequest(
+        ServerRequestInterface $request,
+        ResponseTypeInterface $responseType,
+        \DateInterval $accessTokenTTL
+    );
+
+    /**
+     * The grant type should return true if it is able to respond to this request.
+     *
+     * For example most grant types will check that the $_POST['grant_type'] property matches it's identifier property.
+     *
+     * Some grants, such as the authorization code grant can respond to multiple requests
+     *  - i.e. a client requesting an authorization code and requesting an access token
+     *
+     * @param \Psr\Http\Message\ServerRequestInterface $request
+     *
+     * @return bool
+     */
+    public function canRespondToRequest(ServerRequestInterface $request);
+
+    /**
+     * Set the client repository.
+     *
+     * @param \League\OAuth2\Server\Repositories\ClientRepositoryInterface $clientRepository
+     */
+    public function setClientRepository(ClientRepositoryInterface $clientRepository);
+
+    /**
+     * Set the access token repository.
+     *
+     * @param \League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface $accessTokenRepository
+     */
+    public function setAccessTokenRepository(AccessTokenRepositoryInterface $accessTokenRepository);
+
+    /**
+     * Set the scope repository.
+     *
+     * @param \League\OAuth2\Server\Repositories\ScopeRepositoryInterface $scopeRepository
+     */
+    public function setScopeRepository(ScopeRepositoryInterface $scopeRepository);
+
+    /**
+     * Set the path to the private key.
+     *
+     * @param string $privateKeyPath
+     */
+    public function setPrivateKeyPath($privateKeyPath);
+
+    /**
+     * Set the path to the public key.
+     *
+     * @param string $publicKeyPath
+     */
+    public function setPublicKeyPath($publicKeyPath);
+}

src/Grant/ImplicitGrant.php

@@ -0,0 +1,219 @@
+<?php
+
+namespace League\OAuth2\Server\Grant;
+
+use League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface;
+use League\OAuth2\Server\Entities\Interfaces\UserEntityInterface;
+use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\Repositories\UserRepositoryInterface;
+use League\OAuth2\Server\RequestEvent;
+use League\OAuth2\Server\ResponseTypes\HtmlResponse;
+use League\OAuth2\Server\ResponseTypes\RedirectResponse;
+use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
+use League\OAuth2\Server\TemplateRenderer\RendererInterface;
+use Psr\Http\Message\ServerRequestInterface;
+
+class ImplicitGrant extends AbstractAuthorizeGrant
+{
+    /**
+     * @param \League\OAuth2\Server\Repositories\UserRepositoryInterface    $userRepository
+     * @param \League\OAuth2\Server\TemplateRenderer\RendererInterface|null $templateRenderer
+     */
+    public function __construct(UserRepositoryInterface $userRepository, RendererInterface $templateRenderer = null)
+    {
+        $this->setUserRepository($userRepository);
+        $this->refreshTokenTTL = new \DateInterval('P1M');
+        $this->templateRenderer = $templateRenderer;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function canRespondToRequest(ServerRequestInterface $request)
+    {
+        return (array_key_exists('response_type', $request->getQueryParams())
+            && $request->getQueryParams()['response_type'] === 'token');
+    }
+
+    /**
+     * Return the grant identifier that can be used in matching up requests.
+     *
+     * @return string
+     */
+    public function getIdentifier()
+    {
+        return 'implicit';
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function respondToRequest(
+        ServerRequestInterface $request,
+        ResponseTypeInterface $responseType,
+        \DateInterval $accessTokenTTL
+    ) {
+        $clientId = $this->getQueryStringParameter(
+            'client_id',
+            $request,
+            $this->getServerParameter('PHP_AUTH_USER', $request)
+        );
+        if (is_null($clientId)) {
+            throw OAuthServerException::invalidRequest('client_id');
+        }
+
+        $client = $this->clientRepository->getClientEntity(
+            $clientId,
+            $this->getIdentifier()
+        );
+
+        if ($client instanceof ClientEntityInterface === false) {
+            $this->getEmitter()->emit(new RequestEvent('client.authentication.failed', $request));
+            throw OAuthServerException::invalidClient();
+        }
+
+        $redirectUriParameter = $this->getQueryStringParameter('redirect_uri', $request, $client->getRedirectUri());
+        if ($redirectUriParameter !== $client->getRedirectUri()) {
+            $this->getEmitter()->emit(new RequestEvent('client.authentication.failed', $request));
+            throw OAuthServerException::invalidClient();
+        }
+
+        $scopes = $this->validateScopes(
+            $this->getQueryStringParameter('scope', $request),
+            $client,
+            $client->getRedirectUri()
+        );
+
+        $postbackUri = sprintf(
+            '//%s%s',
+            $request->getServerParams()['HTTP_HOST'],
+            $request->getServerParams()['REQUEST_URI']
+        );
+
+        $userId = null;
+        $userHasApprovedClient = null;
+        if ($this->getRequestParameter('action', $request, null) !== null) {
+            $userHasApprovedClient = ($this->getRequestParameter('action', $request) === 'approve');
+        }
+
+        // Check if the user has been authenticated
+        $oauthCookie = $this->getCookieParameter('oauth_authorize_request', $request, null);
+        if ($oauthCookie !== null) {
+            try {
+                $oauthCookiePayload = json_decode($this->decrypt($oauthCookie));
+                if (is_object($oauthCookiePayload)) {
+                    $userId = $oauthCookiePayload->user_id;
+                }
+            } catch (\LogicException $e) {
+                throw OAuthServerException::serverError($e->getMessage());
+            }
+        }
+
+        // The username + password might be available in $_POST
+        $usernameParameter = $this->getRequestParameter('username', $request, null);
+        $passwordParameter = $this->getRequestParameter('password', $request, null);
+
+        $loginError = null;
+
+        // Assert if the user has logged in already
+        if ($userId === null && $usernameParameter !== null && $passwordParameter !== null) {
+            $userEntity = $this->userRepository->getUserEntityByUserCredentials(
+                $usernameParameter,
+                $passwordParameter,
+                $this->getIdentifier(),
+                $client
+            );
+
+            if ($userEntity instanceof UserEntityInterface) {
+                $userId = $userEntity->getIdentifier();
+            } else {
+                $loginError = 'Incorrect username or password';
+            }
+        }
+
+        // The user hasn't logged in yet so show a login form
+        if ($userId === null) {
+            $html = $this->getTemplateRenderer()->renderLogin([
+                'error'        => $loginError,
+                'postback_uri' => $this->makeRedirectUri(
+                    $postbackUri,
+                    $request->getQueryParams()
+                ),
+            ]);
+
+            $htmlResponse = new HtmlResponse($this->accessTokenRepository);
+            $htmlResponse->setStatusCode(403);
+            $htmlResponse->setHtml($html);
+
+            return $htmlResponse;
+        }
+
+        // The user hasn't approved the client yet so show an authorize form
+        if ($userId !== null && $userHasApprovedClient === null) {
+            $html = $this->getTemplateRenderer()->renderAuthorize([
+                'client'       => $client,
+                'scopes'       => $scopes,
+                'postback_uri' => $this->makeRedirectUri(
+                    $postbackUri,
+                    $request->getQueryParams()
+                ),
+            ]);
+
+            $htmlResponse = new HtmlResponse($this->accessTokenRepository);
+            $htmlResponse->setStatusCode(200);
+            $htmlResponse->setHtml($html);
+            $htmlResponse->setHeader('set-cookie', sprintf(
+                'oauth_authorize_request=%s; Expires=%s',
+                urlencode($this->encrypt(
+                    json_encode([
+                        'user_id' => $userId,
+                    ])
+                )),
+                (new \DateTime())->add(new \DateInterval('PT5M'))->format('D, d M Y H:i:s e')
+            ));
+
+            return $htmlResponse;
+        }
+
+        // The user has either approved or denied the client, so redirect them back
+        $redirectUri = $client->getRedirectUri();
+        $redirectPayload = [];
+
+        $stateParameter = $this->getQueryStringParameter('state', $request);
+        if ($stateParameter !== null) {
+            $redirectPayload['state'] = $stateParameter;
+        }
+
+        // THe user approved the client, redirect them back with an access token
+        if ($userHasApprovedClient === true) {
+
+            // Finalize the requested scopes
+            $scopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client, $userId);
+
+            $accessToken = $this->issueAccessToken(
+                $accessTokenTTL,
+                $client,
+                $userId,
+                $scopes
+            );
+
+            $redirectPayload['access_token'] = (string) $accessToken->convertToJWT($this->privateKeyPath);
+            $redirectPayload['token_type'] = 'bearer';
+            $redirectPayload['expires_in'] = time() - $accessToken->getExpiryDateTime()->getTimestamp();
+
+            $response = new RedirectResponse($this->accessTokenRepository);
+            $response->setRedirectUri(
+                $this->makeRedirectUri(
+                    $redirectUri,
+                    $redirectPayload,
+                    '#'
+                )
+            );
+
+            return $response;
+        }
+
+        // The user denied the client, redirect them back with an error
+        throw OAuthServerException::accessDenied('The user denied the request', (string) $redirectUri);
+    }
+}

src/Grant/PasswordGrant.php

@@ -0,0 +1,110 @@
+<?php
+/**
+ * OAuth 2.0 Password grant.
+ *
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+namespace League\OAuth2\Server\Grant;
+
+use League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface;
+use League\OAuth2\Server\Entities\Interfaces\UserEntityInterface;
+use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
+use League\OAuth2\Server\Repositories\UserRepositoryInterface;
+use League\OAuth2\Server\RequestEvent;
+use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
+use Psr\Http\Message\ServerRequestInterface;
+
+/**
+ * Password grant class.
+ */
+class PasswordGrant extends AbstractGrant
+{
+    /**
+     * @param \League\OAuth2\Server\Repositories\UserRepositoryInterface         $userRepository
+     * @param \League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface $refreshTokenRepository
+     */
+    public function __construct(
+        UserRepositoryInterface $userRepository,
+        RefreshTokenRepositoryInterface $refreshTokenRepository
+    ) {
+        $this->setUserRepository($userRepository);
+        $this->setRefreshTokenRepository($refreshTokenRepository);
+
+        $this->refreshTokenTTL = new \DateInterval('P1M');
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function respondToRequest(
+        ServerRequestInterface $request,
+        ResponseTypeInterface $responseType,
+        \DateInterval $accessTokenTTL
+    ) {
+        // Validate request
+        $client = $this->validateClient($request);
+        $scopes = $this->validateScopes($this->getRequestParameter('scope', $request), $client);
+        $user = $this->validateUser($request, $client);
+
+        // Finalize the requested scopes
+        $scopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client, $user->getIdentifier());
+
+        // Issue and persist new tokens
+        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $user->getIdentifier(), $scopes);
+        $refreshToken = $this->issueRefreshToken($accessToken);
+
+        // Inject tokens into response
+        $responseType->setAccessToken($accessToken);
+        $responseType->setRefreshToken($refreshToken);
+
+        return $responseType;
+    }
+
+    /**
+     * @param \Psr\Http\Message\ServerRequestInterface                        $request
+     * @param \League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface $client
+     *
+     * @throws \League\OAuth2\Server\Exception\OAuthServerException
+     *
+     * @return \League\OAuth2\Server\Entities\Interfaces\UserEntityInterface
+     */
+    protected function validateUser(ServerRequestInterface $request, ClientEntityInterface $client)
+    {
+        $username = $this->getRequestParameter('username', $request);
+        if (is_null($username)) {
+            throw OAuthServerException::invalidRequest('username', '`%s` parameter is missing');
+        }
+
+        $password = $this->getRequestParameter('password', $request);
+        if (is_null($password)) {
+            throw OAuthServerException::invalidRequest('password', '`%s` parameter is missing');
+        }
+
+        $user = $this->userRepository->getUserEntityByUserCredentials(
+            $username,
+            $password,
+            $this->getIdentifier(),
+            $client
+        );
+        if (!$user instanceof UserEntityInterface) {
+            $this->getEmitter()->emit(new RequestEvent('user.authentication.failed', $request));
+
+            throw OAuthServerException::invalidCredentials();
+        }
+
+        return $user;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getIdentifier()
+    {
+        return 'password';
+    }
+}

src/Grant/RefreshTokenGrant.php

@@ -0,0 +1,135 @@
+<?php
+/**
+ * OAuth 2.0 Refresh token grant.
+ *
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+namespace League\OAuth2\Server\Grant;
+
+use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
+use League\OAuth2\Server\RequestEvent;
+use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
+use Psr\Http\Message\ServerRequestInterface;
+
+/**
+ * Refresh token grant.
+ */
+class RefreshTokenGrant extends AbstractGrant
+{
+    /**
+     * @param \League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface $refreshTokenRepository
+     */
+    public function __construct(RefreshTokenRepositoryInterface $refreshTokenRepository)
+    {
+        $this->setRefreshTokenRepository($refreshTokenRepository);
+
+        $this->refreshTokenTTL = new \DateInterval('P1M');
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function respondToRequest(
+        ServerRequestInterface $request,
+        ResponseTypeInterface $responseType,
+        \DateInterval $accessTokenTTL
+    ) {
+        // Validate request
+        $client = $this->validateClient($request);
+        $oldRefreshToken = $this->validateOldRefreshToken($request, $client->getIdentifier());
+        $scopes = $this->validateScopes($this->getRequestParameter('scope', $request), $client);
+
+        // If no new scopes are requested then give the access token the original session scopes
+        if (count($scopes) === 0) {
+            $scopes = array_map(function ($scopeId) use ($client) {
+                $scope = $this->scopeRepository->getScopeEntityByIdentifier($scopeId);
+
+                if (!$scope) {
+                    // @codeCoverageIgnoreStart
+                    throw OAuthServerException::invalidScope($scopeId);
+                    // @codeCoverageIgnoreEnd
+                }
+
+                return $scope;
+            }, $oldRefreshToken['scopes']);
+        } else {
+            // The OAuth spec says that a refreshed access token can have the original scopes or fewer so ensure
+            // the request doesn't include any new scopes
+            foreach ($scopes as $scope) {
+                if (in_array($scope->getIdentifier(), $oldRefreshToken['scopes']) === false) {
+                    throw OAuthServerException::invalidScope($scope->getIdentifier());
+                }
+            }
+        }
+
+        // Expire old tokens
+        $this->accessTokenRepository->revokeAccessToken($oldRefreshToken['access_token_id']);
+        $this->refreshTokenRepository->revokeRefreshToken($oldRefreshToken['refresh_token_id']);
+
+        // Issue and persist new tokens
+        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $oldRefreshToken['user_id'], $scopes);
+        $refreshToken = $this->issueRefreshToken($accessToken);
+
+        // Inject tokens into response
+        $responseType->setAccessToken($accessToken);
+        $responseType->setRefreshToken($refreshToken);
+
+        return $responseType;
+    }
+
+    /**
+     * @param \Psr\Http\Message\ServerRequestInterface $request
+     * @param string                                   $clientId
+     *
+     * @throws \League\OAuth2\Server\Exception\OAuthServerException
+     *
+     * @return array
+     */
+    protected function validateOldRefreshToken(ServerRequestInterface $request, $clientId)
+    {
+        $encryptedRefreshToken = $this->getRequestParameter('refresh_token', $request);
+        if (is_null($encryptedRefreshToken)) {
+            throw OAuthServerException::invalidRequest('refresh_token');
+        }
+
+        // Validate refresh token
+        try {
+            $refreshToken = $this->decrypt($encryptedRefreshToken);
+        } catch (\LogicException $e) {
+            throw OAuthServerException::invalidRefreshToken('Cannot parse refresh token: ' . $e->getMessage());
+        }
+
+        $refreshTokenData = json_decode($refreshToken, true);
+        if ($refreshTokenData['client_id'] !== $clientId) {
+            $this->getEmitter()->emit(new RequestEvent('refresh_token.client.failed', $request));
+            throw OAuthServerException::invalidRefreshToken(
+                'Token is not linked to client,' .
+                ' got: ' . $clientId .
+                ' expected: ' . $refreshTokenData['client_id']
+            );
+        }
+
+        if ($refreshTokenData['expire_time'] < time()) {
+            throw OAuthServerException::invalidRefreshToken('Token has expired');
+        }
+
+        if ($this->refreshTokenRepository->isRefreshTokenRevoked($refreshTokenData['refresh_token_id']) === true) {
+            throw OAuthServerException::invalidRefreshToken('Token has been revoked');
+        }
+
+        return $refreshTokenData;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getIdentifier()
+    {
+        return 'refresh_token';
+    }
+}

src/Middleware/AuthenticationServerMiddleware.php

@@ -0,0 +1,51 @@
+<?php
+
+namespace League\OAuth2\Server\Middleware;
+
+use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\Server;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+
+class AuthenticationServerMiddleware
+{
+    /**
+     * @var \League\OAuth2\Server\Server
+     */
+    private $server;
+
+    /**
+     * AuthenticationServerMiddleware constructor.
+     *
+     * @param \League\OAuth2\Server\Server $server
+     */
+    public function __construct(Server $server)
+    {
+        $this->server = $server;
+    }
+
+    /**
+     * @param \Psr\Http\Message\ServerRequestInterface $request
+     * @param \Psr\Http\Message\ResponseInterface      $response
+     * @param callable                                 $next
+     *
+     * @return \Psr\Http\Message\ResponseInterface
+     */
+    public function __invoke(ServerRequestInterface $request, ResponseInterface $response, callable $next)
+    {
+        try {
+            $response = $this->server->respondToRequest($request, $response);
+        } catch (OAuthServerException $exception) {
+            return $exception->generateHttpResponse($response);
+            // @codeCoverageIgnoreStart
+        } catch (\Exception $exception) {
+            $response->getBody()->write($exception->getMessage());
+
+            return $response->withStatus(500);
+            // @codeCoverageIgnoreEnd
+        }
+
+        // Pass the request and response on to the next responder in the chain
+        return $next($request, $response);
+    }
+}

src/Middleware/ResourceServerMiddleware.php

@@ -0,0 +1,51 @@
+<?php
+
+namespace League\OAuth2\Server\Middleware;
+
+use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\Server;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+
+class ResourceServerMiddleware
+{
+    /**
+     * @var \League\OAuth2\Server\Server
+     */
+    private $server;
+
+    /**
+     * ResourceServerMiddleware constructor.
+     *
+     * @param \League\OAuth2\Server\Server $server
+     */
+    public function __construct(Server $server)
+    {
+        $this->server = $server;
+    }
+
+    /**
+     * @param \Psr\Http\Message\ServerRequestInterface $request
+     * @param \Psr\Http\Message\ResponseInterface      $response
+     * @param callable                                 $next
+     *
+     * @return \Psr\Http\Message\ResponseInterface
+     */
+    public function __invoke(ServerRequestInterface $request, ResponseInterface $response, callable $next)
+    {
+        try {
+            $request = $this->server->validateAuthenticatedRequest($request);
+        } catch (OAuthServerException $exception) {
+            return $exception->generateHttpResponse($response);
+            // @codeCoverageIgnoreStart
+        } catch (\Exception $exception) {
+            $response->getBody()->write($exception->getMessage());
+
+            return $response->withStatus(500);
+            // @codeCoverageIgnoreEnd
+        }
+
+        // Pass the request and response on to the next responder in the chain
+        return $next($request, $response);
+    }
+}

src/Oauth2/Authentication/Database.php

@@ -1,320 +0,0 @@
-<?php
-
-namespace Oauth2\Authentication;
-
-interface Database
-{
-    /**
-     * Validate a client
-     * 
-     * Database query:
-     * 
-     * <code>
-     * # Client ID + redirect URI
-     * SELECT clients.id FROM clients LEFT JOIN client_endpoints ON
-     *  client_endpoints.client_id = clients.id WHERE clients.id = $clientId AND
-     *  client_endpoints.redirect_uri = $redirectUri
-     * 
-     * # Client ID + client secret
-     * SELECT clients.id FROM clients  WHERE clients.id = $clientId AND
-     *  clients.secret = $clientSecret
-     * 
-     * # Client ID + client secret + redirect URI
-     * SELECT clients.id FROM clients LEFT JOIN client_endpoints ON
-     *  client_endpoints.client_id = clients.id WHERE clients.id = $clientId AND
-     *  clients.secret = $clientSecret AND client_endpoints.redirect_uri =
-     *  $redirectUri
-     * </code>
-     * 
-     * @param  string $clientId     The client's ID
-     * @param  string $clientSecret The client's secret (default = "null")
-     * @param  string $redirectUri  The client's redirect URI (default = "null")
-     * @return [type]               [description]
-     */
-    public function validateClient(
-        $clientId,
-        $clientSecret = null,
-        $redirectUri = null
-    );
-
-    /**
-     * Create a new OAuth session
-     * 
-     * Database query:
-     * 
-     * <code>
-     * INSERT INTO oauth_sessions (client_id, redirect_uri, owner_type,
-     *  owner_id, auth_code, access_token, stage, first_requested, last_updated)
-     *  VALUES ($clientId, $redirectUri, $type, $typeId, $authCode,
-     *  $accessToken, $stage, UNIX_TIMESTAMP(NOW()), UNIX_TIMESTAMP(NOW()))
-     * </code>
-     * 
-     * @param  string $clientId    The client ID
-     * @param  string $redirectUri The redirect URI
-     * @param  string $type        The session owner's type (default = "user")
-     * @param  string $typeId      The session owner's ID (default = "null")
-     * @param  string $authCode    The authorisation code (default = "null")
-     * @param  string $accessToken The access token (default = "null")
-     * @param  string $stage       The stage of the session (default ="request")
-     * @return [type]              [description]
-     */
-    public function newSession(
-        $clientId,
-        $redirectUri,
-        $type = 'user',
-        $typeId = null,
-        $authCode = null,
-        $accessToken = null,
-        $accessTokenExpire = null,
-        $stage = 'requested'
-    );
-
-    /**
-     * Update an OAuth session
-     * 
-     * Database query:
-     * 
-     * <code>
-     * UPDATE oauth_sessions SET auth_code = $authCode, access_token =
-     *  $accessToken, stage = $stage, last_updated = UNIX_TIMESTAMP(NOW()) WHERE
-     *  id = $sessionId
-     * </code>
-     * 
-     * @param  string $sessionId   The session ID
-     * @param  string $authCode    The authorisation code (default = "null")
-     * @param  string $accessToken The access token (default = "null")
-     * @param  string $stage       The stage of the session (default ="request")
-     * @return void
-     */
-    public function updateSession(
-        $sessionId,
-        $authCode = null,
-        $accessToken = null,
-        $accessTokenExpire = null,
-        $stage = 'requested'
-    );
-
-    /**
-     * Delete an OAuth session
-     * 
-     * <code>
-     * DELETE FROM oauth_sessions WHERE client_id = $clientId AND owner_type =
-     *  $type AND owner_id = $typeId
-     * </code>
-     * 
-     * @param  string $clientId The client ID
-     * @param  string $type     The session owner's type 
-     * @param  string $typeId   The session owner's ID
-     * @return [type]           [description]
-     */
-    public function deleteSession(
-        $clientId,
-        $type,
-        $typeId
-    );
-
-    /**
-     * Validate that an authorisation code is valid
-     * 
-     * Database query:
-     * 
-     * <code>
-     * SELECT id FROM oauth_sessions WHERE client_id = $clientID AND
-     *  redirect_uri = $redirectUri AND auth_code = $authCode
-     * </code>
-     * 
-     * Response:
-     * 
-     * <code>
-     * Array
-     * (
-     *     [id] => (int) The session ID
-     *     [client_id] => (string) The client ID
-     *     [redirect_uri] => (string) The redirect URI
-     *     [owner_type] => (string) The session owner type
-     *     [owner_id] => (string) The session owner's ID
-     *     [auth_code] => (string) The authorisation code
-     *     [stage] => (string) The session's stage
-     *     [first_requested] => (int) Unix timestamp of the time the session was
-     *      first generated
-     *     [last_updated] => (int) Unix timestamp of the time the session was
-     *      last updated
-     * )
-     * </code>
-     * 
-     * @param  string     $clientId    The client ID
-     * @param  string     $redirectUri The redirect URI
-     * @param  string     $authCode    The authorisation code
-     * @return int|bool                Returns the session ID if the auth code
-     *  is valid otherwise returns false 
-     */
-    public function validateAuthCode(
-        $clientId,
-        $redirectUri,
-        $authCode
-    );
-
-    /**
-     * Return the session ID for a given session owner and client combination
-     * 
-     * Database query:
-     * 
-     * <code>
-     * SELECT id FROM oauth_sessions WHERE client_id = $clientId
-     *  AND owner_type = $type AND owner_id = $typeId
-     * </code>
-     * 
-     * @param  string      $type     The session owner's type 
-     * @param  string      $typeId   The session owner's ID
-     * @param  string      $clientId The client ID
-     * @return string|null           Return the session ID as an integer if 
-     *  found otherwise returns false
-     */
-    public function hasSession(
-        $type,
-        $typeId,
-        $clientId
-    );
-
-    /**
-     * Return the access token for a given session
-     * 
-     * Database query:
-     * 
-     * <code>
-     * SELECT access_token FROM oauth_sessions WHERE id = $sessionId
-     * </code>
-     * 
-     * @param  int         $sessionId The OAuth session ID
-     * @return string|null            Returns the access token as a string if
-     *  found otherwise returns null
-     */
-    public function getAccessToken($sessionId);
-
-    /**
-     * Removes an authorisation code associated with a session
-     * 
-     * Database query:
-     * 
-     * <code>
-     * UPDATE oauth_sessions SET auth_code = NULL WHERE id = $sessionId
-     * </code>
-     * 
-     * @param  int    $sessionId The OAuth session ID
-     * @return void
-     */
-    public function removeAuthCode($sessionId);
-
-    /**
-     * Sets a sessions access token
-     * 
-     * Database query:
-     * 
-     * <code>
-     * UPDATE oauth_sessions SET access_token = $accessToken WHERE id = 
-     *  $sessionId
-     * </code>
-     * 
-     * @param int    $sessionId   The OAuth session ID
-     * @param string $accessToken The access token
-     * @return void
-     */
-    public function setAccessToken(
-        $sessionId,
-        $accessToken
-    );
-
-    /**
-     * Associates a session with a scope
-     * 
-     * Database query:
-     * 
-     * <code>
-     * INSERT INTO oauth_session_scopes (session_id, scope) VALUE ($sessionId, 
-     *  $scope)
-     * </code>
-     * 
-     * @param int    $sessionId The session ID
-     * @param string $scope     The scope
-     * @return void
-     */
-    public function addSessionScope(
-        $sessionId,
-        $scope
-    );
-
-    /**
-     * Return information about a scope
-     * 
-     * Database query:
-     * 
-     * <code>
-     * SELECT * FROM scopes WHERE scope = $scope
-     * </code>
-     * 
-     * Response:
-     * 
-     * <code>
-     * Array
-     * (
-     *     [id] => (int) The scope's ID
-     *     [scope] => (string) The scope itself
-     *     [name] => (string) The scope's name
-     *     [description] => (string) The scope's description
-     * )
-     * </code>
-     * 
-     * @param  string $scope The scope
-     * @return array         
-     */
-    public function getScope($scope);
-
-    /**
-     * Associate a session's scopes with an access token
-     * 
-     * Database query:
-     * 
-     * <code>
-     * UPDATE oauth_session_scopes SET access_token = $accessToken WHERE 
-     *  session_id = $sessionId
-     * </code>
-     * 
-     * @param  int    $sessionId   The session ID
-     * @param  string $accessToken The access token
-     * @return void
-     */
-    public function updateSessionScopeAccessToken(
-        $sessionId,
-        $accessToken
-    );
-
-    /**
-     * Return the scopes associated with an access token
-     * 
-     * Database query:
-     * 
-     * <code>
-     * SELECT scopes.scope, scopes.name, scopes.description FROM 
-     * oauth_session_scopes JOIN scopes ON oauth_session_scopes.scope = 
-     *  scopes.scope WHERE access_token = $accessToken
-     * </code>
-     * 
-     * Response:
-     * 
-     * <code>
-     * Array
-     * (
-     *     [0] => Array
-     *         (
-     *             [scope] => (string) The scope
-     *             [name] => (string) The scope's name
-     *             [description] => (string) The scope's description
-     *         )
-     * )
-     * </code>
-     * 
-     * @param  string $accessToken The access token
-     * @return array
-     */
-    public function accessTokenScopes($accessToken);
-}

src/Oauth2/Authentication/Server.php

@@ -1,517 +0,0 @@
-<?php
-
-namespace Oauth2\Authentication;
-
-class OAuthServerClientException extends \Exception
-{
-
-}
-
-class OAuthServerUserException extends \Exception
-{
-
-}
-
-class OAuthServerException extends \Exception
-{
-
-}
-
-class Server
-{
-    /**
-     * Reference to the database abstractor
-     * @var object
-     */
-    private $_db = null;
-
-    /**
-     * Server configuration
-     * @var array
-     */
-    private $_config = array(
-        'scope_delimeter'       =>  ',',
-        'access_token_ttl'   =>  null
-    );
-
-    /**
-     * Supported response types
-     * @var array
-     */
-    private $_responseTypes =   array(
-        'code'
-    );
-    
-    /**
-     * Supported grant types
-     * @var array
-     */
-    private $_grantTypes    =   array(
-        'authorization_code'
-    );
-
-    /**
-     * Exception error codes
-     * @var array
-     */
-    public $exceptionCodes = array(
-        0   =>  'invalid_request',
-        1   =>  'unauthorized_client',
-        2   =>  'access_denied',
-        3   =>  'unsupported_response_type',
-        4   =>  'invalid_scope',
-        5   =>  'server_error',
-        6   =>  'temporarily_unavailable',
-        7   =>  'unsupported_grant_type',
-        8   =>  'invalid_client',
-        9   =>  'invalid_grant'
-    );
-
-    /**
-     * Error codes.
-     * 
-     * To provide i8ln errors just overwrite the keys
-     * 
-     * @var array
-     */
-    public $errors = array(
-        'invalid_request'   =>  'The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Check the "%s" parameter.',
-        'unauthorized_client'   =>  'The client is not authorized to request an access token using this method.',
-        'access_denied' =>  'The resource owner or authorization server denied the request.',
-        'unsupported_response_type' =>  'The authorization server does not support obtaining an access token using this method.',
-        'invalid_scope' =>  'The requested scope is invalid, unknown, or malformed. Check the "%s" scope.',
-        'server_error'  =>  'The authorization server encountered an unexpected condition which prevented it from fulfilling the request.',
-        'temporarily_unavailable'   =>  'The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server.',
-        'unsupported_grant_type'    =>  'The authorization grant type is not supported by the authorization server',
-        'invalid_client'    =>  'Client authentication failed',
-        'invalid_grant'     =>  'The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. Check the "%s" parameter.'
-    );
-
-    /**
-     * Constructor
-     * 
-     * @access public
-     * @param  array $options Optional list of options to overwrite the defaults
-     * @return void
-     */
-    public function __construct($options = null)
-    {
-        if ($options !== null) {
-            $this->options = array_merge($this->_config, $options);
-        }
-    }
-
-    /**
-     * Register a database abstrator class
-     * 
-     * @access public
-     * @param  object $db A class that implements OAuth2ServerDatabase
-     * @return void
-     */
-    public function registerDbAbstractor($db)
-    {
-        $this->_db = $db;
-    }
-
-    /**
-     * Check client authorise parameters
-     * 
-     * @access public
-     * @param  array $authParams Optional array of parsed $_GET keys
-     * @return array             Authorise request parameters
-     */
-    public function checkClientAuthoriseParams($authParams = null)
-    {
-        $params = array();
-
-        // Client ID
-        if ( ! isset($authParams['client_id']) && ! isset($_GET['client_id'])) {
-
-            throw new OAuthServerClientException(sprintf($this->errors['invalid_request'], 'client_id'), 0);
-
-        } else {
-
-            $params['client_id'] = (isset($authParams['client_id'])) ? $authParams['client_id'] : $_GET['client_id'];
-
-        }
-
-        // Redirect URI
-        if ( ! isset($authParams['redirect_uri']) && ! isset($_GET['redirect_uri'])) {
-
-            throw new OAuthServerClientException(sprintf($this->errors['invalid_request'], 'redirect_uri'), 0);
-
-        } else {
-
-            $params['redirect_uri'] = (isset($authParams['redirect_uri'])) ? $authParams['redirect_uri'] : $_GET['redirect_uri'];
-
-        }
-
-        // Validate client ID and redirect URI
-        $clientDetails = $this->_dbCall('validateClient', $params['client_id'], null, $params['redirect_uri']);
-
-        if ($clientDetails === false) {
-
-            throw new OAuthServerClientException($this->errors['invalid_client'], 8);
-        }
-
-        // Response type
-        if ( ! isset($authParams['response_type']) && ! isset($_GET['response_type'])) {
-
-            throw new OAuthServerClientException(sprintf($this->errors['invalid_request'], 'response_type'), 0);
-
-        } else {
-
-            $params['response_type'] = (isset($authParams['response_type'])) ? $authParams['response_type'] : $_GET['response_type'];
-
-            // Ensure response type is one that is recognised
-            if ( ! in_array($params['response_type'], $this->_responseTypes)) {
-
-                throw new OAuthServerClientException($this->errors['unsupported_response_type'], 3);
-
-            }
-        }
-
-        // Get and validate scopes
-        if (isset($authParams['scope']) || isset($_GET['scope'])) {
-
-            $scopes = (isset($_GET['scope'])) ? $_GET['scope'] : $authParams['scope'];
-
-            $scopes = explode($this->_config['scope_delimeter'], $scopes);
-
-            // Remove any junk scopes
-            for ($i = 0; $i < count($scopes); $i++) {
-                $scopes[$i] = trim($scopes[$i]);
-
-                if ($scopes[$i] === '') {
-                    unset($scopes[$i]);
-                }
-            }
-
-            if (count($scopes) === 0) {
-
-                throw new OAuthServerClientException(sprintf($this->errors['invalid_request'], 'scope'), 0);
-            }
-
-            $params['scopes'] = array();
-
-            foreach ($scopes as $scope) {
-
-                $scopeDetails = $this->_dbCall('getScope', $scope);
-                
-                if ($scopeDetails === false) {
-
-                    throw new OAuthServerClientException(sprintf($this->errors['invalid_scope'], $scope), 4);
-
-                }
-
-                $params['scopes'][] = $scopeDetails;
-
-            }
-        }
-
-        return $params;
-    }
-
-    /**
-     * Parse a new authorise request
-     * 
-     * @param  string $type            The session owner's type
-     * @param  string $typeId          The session owner's ID
-     * @param  array  $authoriseParams The authorise request $_GET parameters
-     * @return string                  An authorisation code
-     */
-    public function newAuthoriseRequest($type, $typeId, $authoriseParams)
-    {
-        // Remove any old sessions the user might have
-        $this->_dbCall('deleteSession',
-            $authoriseParams['client_id'],
-            $type,
-            $typeId
-        );
-
-        // Create the new auth code
-        $authCode = $this->newAuthCode(
-            $authoriseParams['client_id'], 
-            'user',
-            $typeId,
-            $authoriseParams['redirect_uri'], 
-            $authoriseParams['scopes']
-        );
-
-        return $authCode;
-    }
-
-    /**
-     * Generate a unique code
-     * 
-     * Generate a unique code for an authorisation code, or token
-     * 
-     * @return string A unique code
-     */
-    private function generateCode()
-    {
-        return sha1(uniqid(microtime()));
-    }
-
-    /**
-     * Create a new authorisation code
-     * 
-     * @param  string $clientId    The client ID
-     * @param  string $type        The type of the owner of the session
-     * @param  string $typeId      The session owner's ID
-     * @param  string $redirectUri The redirect URI
-     * @param  array  $scopes      The requested scopes
-     * @param  string $accessToken The access token (default = null)
-     * @return string              An authorisation code
-     */
-    private function newAuthCode($clientId, $type, $typeId, $redirectUri, $scopes = array(), $accessToken = null)
-    {
-        $authCode = $this->generateCode();
-
-        // If an access token exists then update the existing session with the 
-        // new authorisation code otherwise create a new session
-        if ($accessToken !== null) {
-
-            $this->_dbCall('updateSession',
-                $clientId,
-                $type,
-                $typeId,
-                $authCode,
-                $accessToken,
-                'request'
-            );
-        
-        } else {
-
-            // Delete any existing sessions just to be sure
-            $this->_dbCall('deleteSession', $clientId, $type, $typeId);
-               
-            // Create a new session     
-            $sessionId = $this->_dbCall('newSession',
-                $clientId,
-                $redirectUri,
-                $type,
-                $typeId,
-                $authCode,
-                null,
-                null,
-                'request'
-            );
-                        
-            // Add the scopes
-            foreach ($scopes as $key => $scope) {
-
-                $this->_dbCall('addSessionScope', $sessionId, $scope['scope']);
-
-            }
-
-        }
-        
-        return $authCode;
-    }
-
-    /**
-     * Issue an access token
-     * 
-     * @access public
-     * 
-     * @param  array $authParams Optional array of parsed $_POST keys
-     * 
-     * @return array             Authorise request parameters
-     */
-    public function issueAccessToken($authParams = null)
-    {
-        $params = array();
-
-        if ( ! isset($authParams['grant_type']) && ! isset($_POST['grant_type'])) {
-
-            throw new OAuthServerClientException(sprintf($this->errors['invalid_request'], 'grant_type'), 0);
-
-        } else {
-
-            $params['grant_type'] = (isset($authParams['grant_type'])) ? $authParams['grant_type'] : $_POST['grant_type'];
-
-            // Ensure grant type is one that is recognised
-            if ( ! in_array($params['grant_type'], $this->_grantTypes)) {
-
-                throw new OAuthServerClientException($this->errors['unsupported_grant_type'], 7);
-
-            }
-        }
-
-        switch ($params['grant_type'])
-        {
-            
-            case 'authorization_code': // Authorization code grant
-                return $this->completeAuthCodeGrant($authParams, $params);
-                break;  
-
-            case 'refresh_token': // Refresh token
-            case 'password': // Resource owner password credentials grant
-            case 'client_credentials': // Client credentials grant
-            default: // Unsupported
-                throw new OAuthServerException($this->errors['server_error'] . 'Tried to process an unsuppported grant type.', 5);
-                break;
-        }
-    }
-
-    /**
-     * Complete the authorisation code grant
-     * 
-     * @access private
-     * 
-     * @param  array $authParams Array of parsed $_POST keys
-     * @param  array $params     Generated parameters from issueAccessToken()
-     * 
-     * @return array             Authorise request parameters
-     */
-    private function completeAuthCodeGrant($authParams = array(), $params = array())
-    {
-        // Client ID
-        if ( ! isset($authParams['client_id']) && ! isset($_POST['client_id'])) {
-
-            throw new OAuthServerClientException(sprintf($this->errors['invalid_request'], 'client_id'), 0);
-
-        } else {
-
-            $params['client_id'] = (isset($authParams['client_id'])) ? $authParams['client_id'] : $_POST['client_id'];
-
-        }
-
-        // Client secret
-        if ( ! isset($authParams['client_secret']) && ! isset($_POST['client_secret'])) {
-
-            throw new OAuthServerClientException(sprintf($this->errors['invalid_request'], 'client_secret'), 0);
-
-        } else {
-
-            $params['client_secret'] = (isset($authParams['client_secret'])) ? $authParams['client_secret'] : $_POST['client_secret'];
-
-        }
-
-        // Redirect URI
-        if ( ! isset($authParams['redirect_uri']) && ! isset($_POST['redirect_uri'])) {
-
-            throw new OAuthServerClientException(sprintf($this->errors['invalid_request'], 'redirect_uri'), 0);
-
-        } else {
-
-            $params['redirect_uri'] = (isset($authParams['redirect_uri'])) ? $authParams['redirect_uri'] : $_POST['redirect_uri'];
-
-        }
-
-        // Validate client ID and redirect URI
-        $clientDetails = $this->_dbCall('validateClient',
-            $params['client_id'],
-            $params['client_secret'], 
-            $params['redirect_uri']
-        );
-
-        if ($clientDetails === false) {
-
-            throw new OAuthServerClientException($this->errors['invalid_client'], 8);
-        }
-
-        // The authorization code
-        if ( ! isset($authParams['code']) && ! isset($_POST['code'])) {
-
-            throw new OAuthServerClientException(sprintf($this->errors['invalid_request'], 'code'), 0);
-
-        } else {
-
-            $params['code'] = (isset($authParams['code'])) ? $authParams['code'] : $_POST['code'];
-
-        }
-
-        // Verify the authorization code matches the client_id and the
-        //  request_uri
-        $session = $this->_dbCall('validateAuthCode',
-            $params['client_id'],
-            $params['redirect_uri'],
-            $params['code']
-        );
-
-        if ( ! $session) {
-
-            throw new OAuthServerClientException(sprintf($this->errors['invalid_grant'], 'code'), 9);
-        
-        } else {
-
-            // A session ID was returned so update it with an access token,
-            //  remove the authorisation code, change the stage to 'granted'
-
-            $accessToken = $this->generateCode();
-
-            $accessTokenExpires = ($this->_config['access_token_ttl'] === null) ? null : time() + $this->_config['access_token_ttl'];
-
-            $this->_dbCall('updateSession',
-                $session['id'],
-                null,
-                $accessToken,
-                $accessTokenExpires,
-                'granted'
-            );
-
-            // Update the session's scopes to reference the access token
-            $this->_dbCall('updateSessionScopeAccessToken',
-                $session['id'],
-                $accessToken
-            );
-
-            return array(
-                'access_token'  =>  $accessToken,
-                'token_type'    =>  'bearer',
-                'expires_in'    =>  $this->_config['access_token_ttl']
-            );
-        }
-    }
-
-    /**
-     * Generates the redirect uri with appended params
-     * 
-     * @param  string $redirectUri     The redirect URI
-     * @param  array  $params          The parameters to be appended to the URL
-     * @param  string $query_delimeter The query string delimiter (default: ?)
-     * 
-     * @return string                  The updated redirect URI
-     */
-    public function redirectUri($redirectUri, $params = array(), $queryDelimeter = '?')
-    {
-      
-        if (strstr($redirectUri, $queryDelimeter)) {
-
-            $redirectUri = $redirectUri . '&' . http_build_query($params);
-
-        } else {
-
-            $redirectUri = $redirectUri . $queryDelimeter . http_build_query($params);
-
-        }
-        
-        return $redirectUri;
-
-    }
-
-    /**
-     * Call database methods from the abstractor
-     * 
-     * @return mixed The query result
-     */
-    private function _dbCall()
-    {
-        if ($this->_db === null) {
-            throw new OAuthServerException('No registered database abstractor');
-        }
-
-        if ( ! $this->_db instanceof Database) {
-            throw new OAuthServerException('Registered database abstractor is not an instance of Oauth2\Authentication\Database');
-        }
-
-        $args = func_get_args();
-        $method = $args[0];
-        unset($args[0]);
-        $params = array_values($args);
-
-        return call_user_func_array(array($this->_db, $method), $params);
-    }
-}

src/Oauth2/Resource/Database.php

@@ -1,59 +0,0 @@
-<?php
-
-namespace Oauth2\Resource;
-
-interface Database
-{
-    /**
-     * Validate an access token and return the session details.
-     * 
-     * Database query:
-     * 
-     * <code>
-     * SELECT id, owner_type, owner_id FROM oauth_sessions WHERE access_token =
-     *  $accessToken AND stage = 'granted' AND
-     *  access_token_expires > UNIX_TIMESTAMP(now())
-     * </code>
-     * 
-     * Response:
-     * 
-     * <code>
-     * Array
-     * (
-     *     [id] => (int) The session ID
-     *     [owner_type] => (string) The session owner type
-     *     [owner_id] => (string) The session owner's ID
-     * )
-     * </code>
-     * 
-     * @param  string     $accessToken The access token
-     * @return array|bool              Return an array on success or false on failure
-     */
-    public function validateAccessToken($accessToken);
-
-    /**
-     * Returns the scopes that the session is authorised with.
-     * 
-     * Database query:
-     * 
-     * <code>
-     * SELECT scope FROM oauth_session_scopes WHERE access_token =
-     *  '291dca1c74900f5f252de351e0105aa3fc91b90b'
-     * </code>
-     * 
-     * Response:
-     * 
-     * <code>
-     * Array
-     * (
-     *      [0] => (string) A scope
-     *      [1] => (string) Another scope
-     *      ...
-     * )
-     * </code>
-     * 
-     * @param  int   $sessionId The session ID
-     * @return array            A list of scopes
-     */
-    public function sessionScopes($sessionId);
-}

src/Oauth2/Resource/Server.php

@@ -1,228 +0,0 @@
-<?php
-
-namespace Oauth2\Resource;
-
-class OAuthResourceServerException extends \Exception
-{
-
-}
-
-class Server
-{
-    /**
-     * Reference to the database abstractor
-     * @var object
-     */
-    private $_db = null;
-
-    /**
-     * The access token.
-     * @access private
-     */
-    private $_accessToken = null;
-
-    /**
-     * The scopes the access token has access to.
-     * @access private
-     */
-    private $_scopes = array();
-
-    /**
-     * The type of owner of the access token.
-     * @access private
-     */
-    private $_type = null;
-
-    /**
-     * The ID of the owner of the access token.
-     * @access private
-     */
-    private $_typeId = null;
-
-    /**
-     * Server configuration
-     * @var array
-     */
-    private $_config = array(
-        'token_key' =>  'oauth_token'
-    );
-
-    /**
-     * Error codes.
-     * 
-     * To provide i8ln errors just overwrite the keys
-     * 
-     * @var array
-     */
-    public $errors = array(
-        'missing_access_token'  =>  'An access token was not presented with the request',
-        'invalid_access_token'  =>  'The access token is not registered with the resource server'
-    );
-
-    /**
-     * Constructor
-     * 
-     * @access public
-     * @return void
-     */
-    public function __construct($options = null)
-    {
-        if ($options !== null) {
-            $this->config = array_merge($this->config, $options);
-        }
-    }
-
-    /**
-     * Magic method to test if access token represents a particular owner type
-     * @param  string $method     The method name
-     * @param  mixed  $arguements The method arguements
-     * @return bool               If method is valid, and access token is owned by the requested party then true,
-     */
-    public function __call($method, $arguements = null)
-    {
-        if (substr($method, 0, 2) === 'is') {
-
-            if ($this->_type === strtolower(substr($method, 2))) {
-                return $this->_typeId;
-            }
-            
-            return false;
-        }
-
-        trigger_error('Call to undefined function ' . $method . '()');
-    }
-
-    /**
-     * Register a database abstrator class
-     * 
-     * @access public
-     * @param  object $db A class that implements OAuth2ServerDatabase
-     * @return void
-     */
-    public function registerDbAbstractor($db)
-    {
-        $this->_db = $db;
-    }
-    
-    /**
-     * Init function
-     * 
-     * @access public
-     * @return void
-     */
-    public function init()
-    {
-        $accessToken = null;
-
-        
-        $_SERVER['REQUEST_METHOD'] = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : null;
-
-        // Try and get the access token via an access_token or oauth_token parameter
-        switch ($_SERVER['REQUEST_METHOD'])
-        {           
-            case 'POST':
-                $accessToken = isset($_POST[$this->_config['token_key']]) ? $_POST[$this->_config['token_key']] : null;
-                break;
-
-            default:
-            $accessToken = isset($_GET[$this->_config['token_key']]) ? $_GET[$this->_config['token_key']] : null;
-                break;
-        }
-
-        // Try and get an access token from the auth header
-        if (function_exists('getallheaders')) {
-
-            $headers = getallheaders();
-            
-            if (isset($headers['Authorization'])) {
-
-                $rawToken = trim(str_replace('Bearer', '', $headers['Authorization']));
-
-                if ( ! empty($rawToken)) {
-                    $accessToken = base64_decode($rawToken);
-                }
-            }
-        }
-        
-        if ($accessToken) {
-
-            $result = $this->_dbCall('validateAccessToken', $accessToken);
-
-            if ($result === false) {
-
-                throw new OAuthResourceServerException($this->errors['invalid_access_token']);
-
-            } else {
-
-                $this->_accessToken = $accessToken;
-                $this->_type = $result['owner_type'];
-                $this->_typeId = $result['owner_id'];
-
-                // Get the scopes
-                $this->_scopes = $this->_dbCall('sessionScopes', $result['id']);
-            }
-
-        } else {
-
-            throw new OAuthResourceServerException($this->errors['missing_access_token']);
-
-        }
-    }
-    
-    /**
-     * Test if the access token has a specific scope
-     * 
-     * @param mixed $scopes Scope(s) to check
-     * 
-     * @access public
-     * @return string|bool
-     */
-    public function hasScope($scopes)
-    {
-        if (is_string($scopes)) {
-
-            if (in_array($scopes, $this->_scopes)) {
-                return true;
-            }
-            
-            return false;
-
-        } elseif (is_array($scopes)) {
-
-            foreach ($scopes as $scope) {
-
-                if ( ! in_array($scope, $this->_scopes)) {
-                    return false;
-                }
-
-            }
-            
-            return true;
-        }
-        
-        return false;
-    }
-
-    /**
-     * Call database methods from the abstractor
-     * 
-     * @return mixed The query result
-     */
-    private function _dbCall()
-    {
-        if ($this->_db === null) {
-            throw new OAuthResourceServerException('No registered database abstractor');
-        }
-
-        if ( ! $this->_db instanceof Database) {
-            throw new OAuthResourceServerException('Registered database abstractor is not an instance of Oauth2\Resource\Database');
-        }
-
-        $args = func_get_args();
-        $method = $args[0];
-        unset($args[0]);
-        $params = array_values($args);
-
-        return call_user_func_array(array($this->_db, $method), $params);
-    }
-}

src/Repositories/AccessTokenRepositoryInterface.php

@@ -0,0 +1,42 @@
+<?php
+/**
+ * OAuth 2.0 Access token storage interface.
+ *
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+namespace League\OAuth2\Server\Repositories;
+
+use League\OAuth2\Server\Entities\Interfaces\AccessTokenEntityInterface;
+
+/**
+ * Access token interface.
+ */
+interface AccessTokenRepositoryInterface extends RepositoryInterface
+{
+    /**
+     * Persists a new access token to permanent storage.
+     *
+     * @param \League\OAuth2\Server\Entities\Interfaces\AccessTokenEntityInterface $accessTokenEntity
+     */
+    public function persistNewAccessToken(AccessTokenEntityInterface $accessTokenEntity);
+
+    /**
+     * Revoke an access token.
+     *
+     * @param string $tokenId
+     */
+    public function revokeAccessToken($tokenId);
+
+    /**
+     * Check if the access token has been revoked.
+     *
+     * @param string $tokenId
+     *
+     * @return bool Return true if this token has been revoked
+     */
+    public function isAccessTokenRevoked($tokenId);
+}

src/Repositories/AuthCodeRepositoryInterface.php

@@ -0,0 +1,42 @@
+<?php
+/**
+ * OAuth 2.0 Auth code storage interface.
+ *
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+namespace League\OAuth2\Server\Repositories;
+
+use League\OAuth2\Server\Entities\Interfaces\AuthCodeEntityInterface;
+
+/**
+ * Auth code storage interface.
+ */
+interface AuthCodeRepositoryInterface extends RepositoryInterface
+{
+    /**
+     * Persists a new auth code to permanent storage.
+     *
+     * @param \League\OAuth2\Server\Entities\Interfaces\AuthCodeEntityInterface $authCodeEntity
+     */
+    public function persistNewAuthCode(AuthCodeEntityInterface $authCodeEntity);
+
+    /**
+     * Revoke an auth code.
+     *
+     * @param string $codeId
+     */
+    public function revokeAuthCode($codeId);
+
+    /**
+     * Check if the auth code has been revoked.
+     *
+     * @param string $codeId
+     *
+     * @return bool Return true if this code has been revoked
+     */
+    public function isAuthCodeRevoked($codeId);
+}

src/Repositories/ClientRepositoryInterface.php

@@ -0,0 +1,28 @@
+<?php
+/**
+ * OAuth 2.0 Client storage interface.
+ *
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+namespace League\OAuth2\Server\Repositories;
+
+/**
+ * Client storage interface.
+ */
+interface ClientRepositoryInterface extends RepositoryInterface
+{
+    /**
+     * Get a client.
+     *
+     * @param string      $clientIdentifier The client's identifier
+     * @param string      $grantType        The grant type used
+     * @param null|string $clientSecret     The client's secret (if sent)
+     *
+     * @return \League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface
+     */
+    public function getClientEntity($clientIdentifier, $grantType, $clientSecret = null);
+}

src/Repositories/MacTokenInterface.php

@@ -0,0 +1,36 @@
+<?php
+/**
+ * OAuth 2.0 MAC Token Interface.
+ *
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+namespace League\OAuth2\Server\Storage;
+
+use League\OAuth2\Server\Repositories\RepositoryInterface;
+
+/**
+ * MacTokenInterface.
+ */
+interface MacTokenInterface extends RepositoryInterface
+{
+    /**
+     * Create a MAC key linked to an access token.
+     *
+     * @param string $macKey
+     * @param string $accessToken
+     */
+    public function persistMacTokenEntity($macKey, $accessToken);
+
+    /**
+     * Get a MAC key by access token.
+     *
+     * @param string $accessToken
+     *
+     * @return string
+     */
+    public function getMacKeyByAccessTokenString($accessToken);
+}

src/Repositories/RefreshTokenRepositoryInterface.php

@@ -0,0 +1,42 @@
+<?php
+/**
+ * OAuth 2.0 Refresh token storage interface.
+ *
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+namespace League\OAuth2\Server\Repositories;
+
+use League\OAuth2\Server\Entities\Interfaces\RefreshTokenEntityInterface;
+
+/**
+ * Refresh token interface.
+ */
+interface RefreshTokenRepositoryInterface extends RepositoryInterface
+{
+    /**
+     * Create a new refresh token_name.
+     *
+     * @param \League\OAuth2\Server\Entities\Interfaces\RefreshTokenEntityInterface $refreshTokenEntity
+     */
+    public function persistNewRefreshToken(RefreshTokenEntityInterface $refreshTokenEntity);
+
+    /**
+     * Revoke the refresh token.
+     *
+     * @param string $tokenId
+     */
+    public function revokeRefreshToken($tokenId);
+
+    /**
+     * Check if the refresh token has been revoked.
+     *
+     * @param string $tokenId
+     *
+     * @return bool Return true if this token has been revoked
+     */
+    public function isRefreshTokenRevoked($tokenId);
+}

src/Repositories/RepositoryInterface.php

@@ -0,0 +1,18 @@
+<?php
+/**
+ * OAuth 2.0 Repository interface.
+ *
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+namespace League\OAuth2\Server\Repositories;
+
+/**
+ * Repository interface.
+ */
+interface RepositoryInterface
+{
+}

src/Repositories/ScopeRepositoryInterface.php

@@ -0,0 +1,47 @@
+<?php
+/**
+ * OAuth 2.0 Scope storage interface.
+ *
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+namespace League\OAuth2\Server\Repositories;
+
+use League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface;
+use League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface;
+
+/**
+ * Scope interface.
+ */
+interface ScopeRepositoryInterface extends RepositoryInterface
+{
+    /**
+     * Return information about a scope.
+     *
+     * @param string $identifier The scope identifier
+     *
+     * @return \League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface
+     */
+    public function getScopeEntityByIdentifier($identifier);
+
+    /**
+     * Given a client, grant type and optional user identifier validate the set of scopes requested are valid and optionally
+     * append additional scopes or remove requested scopes.
+     *
+     * @param ScopeEntityInterface[]                                          $scopes
+     * @param string                                                          $grantType
+     * @param \League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface $clientEntity
+     * @param null|string                                                     $userIdentifier
+     *
+     * @return \League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface[]
+     */
+    public function finalizeScopes(
+        array $scopes,
+        $grantType,
+        ClientEntityInterface $clientEntity,
+        $userIdentifier = null
+    );
+}

src/Repositories/UserRepositoryInterface.php

@@ -0,0 +1,25 @@
+<?php
+
+namespace League\OAuth2\Server\Repositories;
+
+use League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface;
+
+interface UserRepositoryInterface extends RepositoryInterface
+{
+    /**
+     * Get a user entity.
+     *
+     * @param string                                                          $username
+     * @param string                                                          $password
+     * @param string                                                          $grantType    The grant type used
+     * @param \League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface $clientEntity
+     *
+     * @return \League\OAuth2\Server\Entities\Interfaces\UserEntityInterface
+     */
+    public function getUserEntityByUserCredentials(
+        $username,
+        $password,
+        $grantType,
+        ClientEntityInterface $clientEntity
+    );
+}

src/RequestEvent.php

@@ -0,0 +1,34 @@
+<?php
+
+namespace League\OAuth2\Server;
+
+use League\Event\Event;
+use Psr\Http\Message\ServerRequestInterface;
+
+class RequestEvent extends Event
+{
+    /**
+     * @var \Psr\Http\Message\ServerRequestInterface
+     */
+    private $request;
+
+    /**
+     * RequestEvent constructor.
+     *
+     * @param string                                   $name
+     * @param \Psr\Http\Message\ServerRequestInterface $request
+     */
+    public function __construct($name, ServerRequestInterface $request)
+    {
+        parent::__construct($name);
+        $this->request = $request;
+    }
+
+    /**
+     * @return ServerRequestInterface
+     */
+    public function getRequest()
+    {
+        return $this->request;
+    }
+}

src/ResponseTypes/AbstractResponseType.php

@@ -0,0 +1,60 @@
+<?php
+/**
+ * OAuth 2.0 Abstract Response Type.
+ *
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+namespace League\OAuth2\Server\ResponseTypes;
+
+use League\OAuth2\Server\CryptTrait;
+use League\OAuth2\Server\Entities\Interfaces\AccessTokenEntityInterface;
+use League\OAuth2\Server\Entities\Interfaces\RefreshTokenEntityInterface;
+use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+
+abstract class AbstractResponseType implements ResponseTypeInterface
+{
+    use CryptTrait;
+
+    /**
+     * @var \League\OAuth2\Server\Entities\Interfaces\AccessTokenEntityInterface
+     */
+    protected $accessToken;
+
+    /**
+     * @var \League\OAuth2\Server\Entities\Interfaces\RefreshTokenEntityInterface
+     */
+    protected $refreshToken;
+
+    /**
+     * @var \League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface
+     */
+    protected $accessTokenRepository;
+
+    /**
+     * @param \League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface $accessTokenRepository
+     */
+    public function __construct(AccessTokenRepositoryInterface $accessTokenRepository)
+    {
+        $this->accessTokenRepository = $accessTokenRepository;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function setAccessToken(AccessTokenEntityInterface $accessToken)
+    {
+        $this->accessToken = $accessToken;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function setRefreshToken(RefreshTokenEntityInterface $refreshToken)
+    {
+        $this->refreshToken = $refreshToken;
+    }
+}

src/ResponseTypes/BearerTokenResponse.php

@@ -0,0 +1,60 @@
+<?php
+/**
+ * OAuth 2.0 Bearer Token Type.
+ *
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+namespace League\OAuth2\Server\ResponseTypes;
+
+use League\OAuth2\Server\Entities\Interfaces\RefreshTokenEntityInterface;
+use Psr\Http\Message\ResponseInterface;
+
+class BearerTokenResponse extends AbstractResponseType
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function generateHttpResponse(ResponseInterface $response)
+    {
+        $expireDateTime = $this->accessToken->getExpiryDateTime()->getTimestamp();
+
+        $jwtAccessToken = $this->accessToken->convertToJWT($this->privateKeyPath);
+
+        $responseParams = [
+            'token_type'   => 'Bearer',
+            'expires_in'   => $expireDateTime - (new \DateTime())->getTimestamp(),
+            'access_token' => (string) $jwtAccessToken,
+        ];
+
+        if ($this->refreshToken instanceof RefreshTokenEntityInterface) {
+            $refreshToken = $this->encrypt(
+                json_encode(
+                    [
+                        'client_id'        => $this->accessToken->getClient()->getIdentifier(),
+                        'refresh_token_id' => $this->refreshToken->getIdentifier(),
+                        'access_token_id'  => $this->accessToken->getIdentifier(),
+                        'scopes'           => $this->accessToken->getScopes(),
+                        'user_id'          => $this->accessToken->getUserIdentifier(),
+                        'expire_time'      => $expireDateTime,
+                    ]
+                )
+            );
+
+            $responseParams['refresh_token'] = $refreshToken;
+        }
+
+        $response = $response
+            ->withStatus(200)
+            ->withHeader('pragma', 'no-cache')
+            ->withHeader('cache-control', 'no-store')
+            ->withHeader('content-type', 'application/json; charset=UTF-8');
+
+        $response->getBody()->write(json_encode($responseParams));
+
+        return $response;
+    }
+}

src/ResponseTypes/HtmlResponse.php

@@ -0,0 +1,66 @@
+<?php
+
+namespace League\OAuth2\Server\ResponseTypes;
+
+use Psr\Http\Message\ResponseInterface;
+
+class HtmlResponse extends AbstractResponseType
+{
+    /**
+     * @var string
+     */
+    private $html = '';
+
+    /**
+     * @var int
+     */
+    private $statusCode = 200;
+
+    /**
+     * @var array
+     */
+    private $headers = [];
+
+    /**
+     * @param string $html
+     */
+    public function setHtml($html)
+    {
+        $this->html = $html;
+    }
+
+    /**
+     * @param int $statusCode
+     */
+    public function setStatusCode($statusCode = 200)
+    {
+        $this->statusCode = $statusCode;
+    }
+
+    /**
+     * @param ResponseInterface $response
+     *
+     * @return ResponseInterface
+     */
+    public function generateHttpResponse(ResponseInterface $response)
+    {
+        $response->getBody()->write($this->html);
+
+        foreach ($this->headers as $key => $value) {
+            $response = $response->withHeader($key, $value);
+        }
+
+        return $response
+            ->withStatus($this->statusCode)
+            ->withHeader('content-type', 'text/html');
+    }
+
+    /**
+     * @param string $key
+     * @param string $value
+     */
+    public function setHeader($key, $value)
+    {
+        $this->headers[$key] = $value;
+    }
+}

src/ResponseTypes/RedirectResponse.php

@@ -0,0 +1,31 @@
+<?php
+
+namespace League\OAuth2\Server\ResponseTypes;
+
+use Psr\Http\Message\ResponseInterface;
+
+class RedirectResponse extends AbstractResponseType
+{
+    /**
+     * @var string
+     */
+    private $redirectUri;
+
+    /**
+     * @param string $redirectUri
+     */
+    public function setRedirectUri($redirectUri)
+    {
+        $this->redirectUri = $redirectUri;
+    }
+
+    /**
+     * @param ResponseInterface $response
+     *
+     * @return ResponseInterface
+     */
+    public function generateHttpResponse(ResponseInterface $response)
+    {
+        return $response->withStatus(302)->withHeader('location', $this->redirectUri);
+    }
+}

src/ResponseTypes/ResponseTypeInterface.php

@@ -0,0 +1,35 @@
+<?php
+/**
+ * OAuth 2.0 Response Type Interface.
+ *
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+namespace League\OAuth2\Server\ResponseTypes;
+
+use League\OAuth2\Server\Entities\Interfaces\AccessTokenEntityInterface;
+use League\OAuth2\Server\Entities\Interfaces\RefreshTokenEntityInterface;
+use Psr\Http\Message\ResponseInterface;
+
+interface ResponseTypeInterface
+{
+    /**
+     * @param \League\OAuth2\Server\Entities\Interfaces\AccessTokenEntityInterface $accessToken
+     */
+    public function setAccessToken(AccessTokenEntityInterface $accessToken);
+
+    /**
+     * @param \League\OAuth2\Server\Entities\Interfaces\RefreshTokenEntityInterface $refreshToken
+     */
+    public function setRefreshToken(RefreshTokenEntityInterface $refreshToken);
+
+    /**
+     * @param ResponseInterface $response
+     *
+     * @return ResponseInterface
+     */
+    public function generateHttpResponse(ResponseInterface $response);
+}

src/Server.php

@@ -0,0 +1,194 @@
+<?php
+
+namespace League\OAuth2\Server;
+
+use DateInterval;
+use League\Event\EmitterAwareInterface;
+use League\Event\EmitterAwareTrait;
+use League\OAuth2\Server\AuthorizationValidators\AuthorizationValidatorInterface;
+use League\OAuth2\Server\AuthorizationValidators\BearerTokenValidator;
+use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\Grant\GrantTypeInterface;
+use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
+use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
+use League\OAuth2\Server\ResponseTypes\BearerTokenResponse;
+use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+
+class Server implements EmitterAwareInterface
+{
+    use EmitterAwareTrait;
+
+    /**
+     * @var \League\OAuth2\Server\Grant\GrantTypeInterface[]
+     */
+    protected $enabledGrantTypes = [];
+
+    /**
+     * @var \DateInterval[]
+     */
+    protected $grantTypeAccessTokenTTL = [];
+
+    /**
+     * @var string
+     */
+    protected $privateKeyPath;
+
+    /**
+     * @var ResponseTypeInterface
+     */
+    protected $responseType;
+
+    /**
+     * @var string
+     */
+    private $publicKeyPath;
+
+    /**
+     * @var \League\OAuth2\Server\Repositories\ClientRepositoryInterface
+     */
+    private $clientRepository;
+
+    /**
+     * @var \League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface
+     */
+    private $accessTokenRepository;
+
+    /**
+     * @var \League\OAuth2\Server\Repositories\ScopeRepositoryInterface
+     */
+    private $scopeRepository;
+
+    /**
+     * @var \League\OAuth2\Server\AuthorizationValidators\AuthorizationValidatorInterface
+     */
+    private $authorizationValidator;
+
+    /**
+     * New server instance.
+     *
+     * @param \League\OAuth2\Server\Repositories\ClientRepositoryInterface                       $clientRepository
+     * @param \League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface                  $accessTokenRepository
+     * @param \League\OAuth2\Server\Repositories\ScopeRepositoryInterface                        $scopeRepository
+     * @param string                                                                             $privateKeyPath
+     * @param string                                                                             $publicKeyPath
+     * @param null|\League\OAuth2\Server\ResponseTypes\ResponseTypeInterface                     $responseType
+     * @param null|\League\OAuth2\Server\AuthorizationValidators\AuthorizationValidatorInterface $authorizationValidator
+     */
+    public function __construct(
+        ClientRepositoryInterface $clientRepository,
+        AccessTokenRepositoryInterface $accessTokenRepository,
+        ScopeRepositoryInterface $scopeRepository,
+        $privateKeyPath,
+        $publicKeyPath,
+        ResponseTypeInterface $responseType = null,
+        AuthorizationValidatorInterface $authorizationValidator = null
+    ) {
+        $this->clientRepository = $clientRepository;
+        $this->accessTokenRepository = $accessTokenRepository;
+        $this->scopeRepository = $scopeRepository;
+        $this->privateKeyPath = $privateKeyPath;
+        $this->publicKeyPath = $publicKeyPath;
+        $this->responseType = $responseType;
+        $this->authorizationValidator = $authorizationValidator;
+    }
+
+    /**
+     * Enable a grant type on the server.
+     *
+     * @param \League\OAuth2\Server\Grant\GrantTypeInterface $grantType
+     * @param \DateInterval                                  $accessTokenTTL
+     */
+    public function enableGrantType(GrantTypeInterface $grantType, DateInterval $accessTokenTTL)
+    {
+        $grantType->setAccessTokenRepository($this->accessTokenRepository);
+        $grantType->setClientRepository($this->clientRepository);
+        $grantType->setScopeRepository($this->scopeRepository);
+        $grantType->setPrivateKeyPath($this->privateKeyPath);
+        $grantType->setPublicKeyPath($this->publicKeyPath);
+        $grantType->setEmitter($this->getEmitter());
+
+        $this->enabledGrantTypes[$grantType->getIdentifier()] = $grantType;
+
+        $this->grantTypeAccessTokenTTL[$grantType->getIdentifier()] = $accessTokenTTL;
+    }
+
+    /**
+     * Return an access token response.
+     *
+     * @param \Psr\Http\Message\ServerRequestInterface|null $request
+     * @param \Psr\Http\Message\ResponseInterface|null      $response
+     *
+     * @throws \League\OAuth2\Server\Exception\OAuthServerException
+     *
+     * @return \Psr\Http\Message\ResponseInterface
+     */
+    public function respondToRequest(ServerRequestInterface $request, ResponseInterface $response)
+    {
+        $tokenResponse = null;
+        while ($tokenResponse === null && $grantType = array_shift($this->enabledGrantTypes)) {
+            /** @var \League\OAuth2\Server\Grant\GrantTypeInterface $grantType */
+            if ($grantType->canRespondToRequest($request)) {
+                $tokenResponse = $grantType->respondToRequest(
+                    $request,
+                    $this->getResponseType(),
+                    $this->grantTypeAccessTokenTTL[$grantType->getIdentifier()]
+                );
+            }
+        }
+
+        if ($tokenResponse instanceof ResponseTypeInterface) {
+            return $tokenResponse->generateHttpResponse($response);
+        }
+
+        throw OAuthServerException::unsupportedGrantType();
+    }
+
+    /**
+     * Determine the access token validity.
+     *
+     * @param \Psr\Http\Message\ServerRequestInterface $request
+     *
+     * @throws \League\OAuth2\Server\Exception\OAuthServerException
+     *
+     * @return \Psr\Http\Message\ServerRequestInterface
+     */
+    public function validateAuthenticatedRequest(ServerRequestInterface $request)
+    {
+        return $this->getAuthorizationValidator()->validateAuthorization($request);
+    }
+
+    /**
+     * Get the token type that grants will return in the HTTP response.
+     *
+     * @return ResponseTypeInterface
+     */
+    protected function getResponseType()
+    {
+        if (!$this->responseType instanceof ResponseTypeInterface) {
+            $this->responseType = new BearerTokenResponse($this->accessTokenRepository);
+        }
+
+        $this->responseType->setPublicKeyPath($this->publicKeyPath);
+        $this->responseType->setPrivateKeyPath($this->privateKeyPath);
+
+        return $this->responseType;
+    }
+
+    /**
+     * @return \League\OAuth2\Server\AuthorizationValidators\AuthorizationValidatorInterface
+     */
+    protected function getAuthorizationValidator()
+    {
+        if (!$this->authorizationValidator instanceof AuthorizationValidatorInterface) {
+            $this->authorizationValidator = new BearerTokenValidator($this->accessTokenRepository);
+        }
+
+        $this->authorizationValidator->setPublicKeyPath($this->publicKeyPath);
+        $this->authorizationValidator->setPrivateKeyPath($this->privateKeyPath);
+
+        return $this->authorizationValidator;
+    }
+}

src/TemplateRenderer/AbstractRenderer.php

@@ -0,0 +1,70 @@
+<?php
+/**
+ * Base template renderer.
+ *
+ * @author      Julián Gutiérrez <juliangut@gmail.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+namespace League\OAuth2\Server\TemplateRenderer;
+
+abstract class AbstractRenderer implements RendererInterface
+{
+    /**
+     * @var string
+     */
+    protected $loginTemplate;
+
+    /**
+     * @var string
+     */
+    protected $authorizeTemplate;
+
+    /**
+     * PlatesRenderer constructor.
+     *
+     * @param string $loginTemplate
+     * @param string $authorizeTemplate
+     */
+    public function __construct($loginTemplate, $authorizeTemplate)
+    {
+        $this->loginTemplate = $loginTemplate;
+        $this->authorizeTemplate = $authorizeTemplate;
+    }
+
+    /**
+     * Render login template.
+     *
+     * @param array $data
+     *
+     * @return string
+     */
+    public function renderLogin(array $data = [])
+    {
+        return $this->render($this->loginTemplate, $data);
+    }
+
+    /**
+     * Render authorize template.
+     *
+     * @param array $data
+     *
+     * @return string
+     */
+    public function renderAuthorize(array $data = [])
+    {
+        return $this->render($this->authorizeTemplate, $data);
+    }
+
+    /**
+     * Render template.
+     *
+     * @param string $template
+     * @param array  $data
+     *
+     * @return string
+     */
+    abstract protected function render($template, array $data = []);
+}

src/TemplateRenderer/DefaultTemplates/authorize_client.php

@@ -0,0 +1,35 @@
+<!doctype html>
+<html lang="en">
+<head>
+    <meta charset="utf-8">
+    <title>Authorize <?=$this->e($client->getName())?></title>
+</head>
+
+<body>
+
+<h1>
+    Authorize <?=$this->e($client->getName())?>
+</h1>
+
+<p>
+    Do you want to authorize <?=$this->e($client->getName())?> to access the following data?
+</p>
+
+<ul>
+    <?php foreach ($scopes as $scope): ?>
+        <li><?=$scope->getIdentifier()?></li>
+    <?php endforeach; ?>
+</ul>
+
+<form method="POST">
+    <input type="hidden" value="approve" name="action">
+    <button type="submit">Approve</button>
+</form>
+
+<form method="POST">
+    <input type="hidden" value="deny" name="action">
+    <button type="submit">Deny</button>
+</form>
+
+</body>
+</html>

src/TemplateRenderer/DefaultTemplates/login_user.php

@@ -0,0 +1,35 @@
+<!doctype html>
+<html lang="en">
+<head>
+    <meta charset="utf-8">
+    <title>Login</title>
+</head>
+
+<body>
+
+    <h1>Login</h1>
+
+    <?php if ($error !== null): ?>
+    <div style="border:solid 1px red; padding: 1rem; margin-bottom:1rem">
+        <?=$this->e($error)?>
+    </div>
+    <?php endif; ?>
+
+    <form method="POST">
+
+        <label for="username">Username</label>
+        <input type="text" id="username" name="username">
+
+        <br>
+
+        <label for="password">Password</label>
+        <input type="password" id="password" name="password">
+
+        <br>
+
+        <input type="submit" value="Login">
+
+    </form>
+
+</body>
+</html>

src/TemplateRenderer/MustacheRenderer.php

@@ -0,0 +1,41 @@
+<?php
+/**
+ * Mustache template renderer bridge.
+ *
+ * @author      Julián Gutiérrez <juliangut@gmail.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+namespace League\OAuth2\Server\TemplateRenderer;
+
+class MustacheRenderer extends AbstractRenderer
+{
+    /**
+     * @var \Mustache_Engine
+     */
+    private $engine;
+
+    /**
+     * PlatesRenderer constructor.
+     *
+     * @param \Mustache_Engine $engine
+     * @param string           $loginTemplate
+     * @param string           $authorizeTemplate
+     */
+    public function __construct(\Mustache_Engine $engine, $loginTemplate, $authorizeTemplate)
+    {
+        parent::__construct($loginTemplate, $authorizeTemplate);
+
+        $this->engine = $engine;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function render($template, array $data = [])
+    {
+        return $this->engine->render($template, $data);
+    }
+}

src/TemplateRenderer/PlatesRenderer.php

@@ -0,0 +1,47 @@
+<?php
+/**
+ * Plates template renderer bridge.
+ *
+ * @author      Julián Gutiérrez <juliangut@gmail.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+namespace League\OAuth2\Server\TemplateRenderer;
+
+use League\Plates\Engine;
+
+class PlatesRenderer extends AbstractRenderer
+{
+    /**
+     * @var \League\Plates\Engine
+     */
+    private $engine;
+
+    /**
+     * PlatesRenderer constructor.
+     *
+     * @param \League\Plates\Engine $engine
+     * @param string                $loginTemplate
+     * @param string                $authorizeTemplate
+     */
+    public function __construct(Engine $engine, $loginTemplate, $authorizeTemplate)
+    {
+        parent::__construct($loginTemplate, $authorizeTemplate);
+
+        $this->engine = $engine;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    protected function render($template, array $data = [])
+    {
+        if ($this->engine->getFileExtension()) {
+            $template = preg_replace(sprintf('/\.%s$/', $this->engine->getFileExtension()), '', $template);
+        }
+
+        return $this->engine->render($template, $data);
+    }
+}

src/TemplateRenderer/RendererInterface.php

@@ -0,0 +1,24 @@
+<?php
+
+namespace League\OAuth2\Server\TemplateRenderer;
+
+interface RendererInterface
+{
+    /**
+     * Render login template.
+     *
+     * @param array $data
+     *
+     * @return string
+     */
+    public function renderLogin(array $data = []);
+
+    /**
+     * Render authorize template.
+     *
+     * @param array $data
+     *
+     * @return string
+     */
+    public function renderAuthorize(array $data = []);
+}

src/TemplateRenderer/SmartyRenderer.php

@@ -0,0 +1,49 @@
+<?php
+/**
+ * Smarty template renderer bridge.
+ *
+ * @author      Julián Gutiérrez <juliangut@gmail.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+namespace League\OAuth2\Server\TemplateRenderer;
+
+class SmartyRenderer extends AbstractRenderer
+{
+    /**
+     * Smarty class.
+     *
+     * @var \Smarty
+     */
+    private $smarty;
+
+    /**
+     * PlatesRenderer constructor.
+     *
+     * @param \Smarty $smarty
+     * @param string  $loginTemplate
+     * @param string  $authorizeTemplate
+     */
+    public function __construct(\Smarty $smarty, $loginTemplate, $authorizeTemplate)
+    {
+        parent::__construct($loginTemplate, $authorizeTemplate);
+
+        $this->smarty = $smarty;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    protected function render($template, array $data = [])
+    {
+        $this->smarty->assign($data);
+
+        $output = $this->smarty->fetch($template);
+
+        $this->smarty->clear_assign(array_keys($data));
+
+        return $output;
+    }
+}

src/TemplateRenderer/TwigRenderer.php

@@ -0,0 +1,41 @@
+<?php
+/**
+ * Twig template renderer bridge.
+ *
+ * @author      Julián Gutiérrez <juliangut@gmail.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+namespace League\OAuth2\Server\TemplateRenderer;
+
+class TwigRenderer extends AbstractRenderer
+{
+    /**
+     * @var \Twig_Environment
+     */
+    private $environment;
+
+    /**
+     * PlatesRenderer constructor.
+     *
+     * @param \Twig_Environment $environment
+     * @param string            $loginTemplate
+     * @param string            $authorizeTemplate
+     */
+    public function __construct(\Twig_Environment $environment, $loginTemplate, $authorizeTemplate)
+    {
+        parent::__construct($loginTemplate, $authorizeTemplate);
+
+        $this->environment = $environment;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    protected function render($template, array $data = [])
+    {
+        return $this->environment->loadTemplate($template)->render($data);
+    }
+}

src/sql/database.sql

@@ -1,59 +0,0 @@
--- Create syntax for TABLE 'clients'
-CREATE TABLE `clients` (
-  `id` varchar(40) NOT NULL DEFAULT '',
-  `secret` varchar(40) NOT NULL DEFAULT '',
-  `name` varchar(255) NOT NULL DEFAULT '',
-  `auto_approve` tinyint(1) NOT NULL DEFAULT '0',
-  PRIMARY KEY (`id`)
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
--- Create syntax for TABLE 'client_endpoints'
-CREATE TABLE `client_endpoints` (
-  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
-  `client_id` varchar(40) NOT NULL DEFAULT '',
-  `redirect_uri` varchar(255) DEFAULT NULL,
-  PRIMARY KEY (`id`),
-  KEY `client_id` (`client_id`),
-  CONSTRAINT `client_endpoints_ibfk_1` FOREIGN KEY (`client_id`) REFERENCES `clients` (`id`) ON DELETE CASCADE ON UPDATE CASCADE
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
--- Create syntax for TABLE 'oauth_sessions'
-CREATE TABLE `oauth_sessions` (
-  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
-  `client_id` varchar(32) NOT NULL DEFAULT '',
-  `redirect_uri` varchar(250) NOT NULL DEFAULT '',
-  `owner_type` enum('user','client') NOT NULL DEFAULT 'user',
-  `owner_id` varchar(255) DEFAULT NULL,
-  `auth_code` varchar(40) DEFAULT '',
-  `access_token` varchar(40) DEFAULT '',
-  `access_token_expires` int(10) DEFAULT NULL,
-  `stage` enum('requested','granted') NOT NULL DEFAULT 'requested',
-  `first_requested` int(10) unsigned NOT NULL,
-  `last_updated` int(10) unsigned NOT NULL,
-  PRIMARY KEY (`id`),
-  KEY `client_id` (`client_id`)
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
--- Create syntax for TABLE 'scopes'
-CREATE TABLE `scopes` (
-  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
-  `scope` varchar(255) NOT NULL DEFAULT '',
-  `name` varchar(255) NOT NULL DEFAULT '',
-  `description` varchar(255) DEFAULT '',
-  PRIMARY KEY (`id`),
-  UNIQUE KEY `scope` (`scope`)
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
--- Create syntax for TABLE 'oauth_session_scopes'
-CREATE TABLE `oauth_session_scopes` (
-  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
-  `session_id` int(11) unsigned NOT NULL,
-  `access_token` varchar(40) NOT NULL DEFAULT '',
-  `scope` varchar(255) NOT NULL DEFAULT '',
-  PRIMARY KEY (`id`),
-  KEY `session_id` (`session_id`),
-  KEY `access_token` (`access_token`),
-  KEY `scope` (`scope`),
-  CONSTRAINT `oauth_session_scopes_ibfk_3` FOREIGN KEY (`scope`) REFERENCES `scopes` (`scope`) ON DELETE CASCADE ON UPDATE CASCADE,
-  CONSTRAINT `oauth_session_scopes_ibfk_4` FOREIGN KEY (`session_id`) REFERENCES `oauth_sessions` (`id`) ON DELETE CASCADE
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;

test

@@ -1 +0,0 @@
-vendor/bin/phpunit --coverage-text --configuration build/phpunit.xml

tests/Bootstrap.php

@@ -0,0 +1,11 @@
+<?php
+
+if (!@include_once __DIR__ . '/../vendor/autoload.php') {
+    $message = <<<MSG
+You must set up the project dependencies, run the following commands:
+> wget http://getcomposer.org/composer.phar
+> php composer.phar install
+MSG;
+
+    exit($message);
+}

tests/CryptTraitTest.php

@@ -0,0 +1,46 @@
+<?php
+
+namespace LeagueTests\Utils;
+
+use LeagueTests\Stubs\CryptTraitStub;
+
+class CryptTraitTest extends \PHPUnit_Framework_TestCase
+{
+    /**
+     * CryptTrait stub
+     */
+    protected $cryptStub;
+
+    public function setUp()
+    {
+        $this->cryptStub = new CryptTraitStub;
+    }
+
+    public function testEncryptDecrypt()
+    {
+        $payload = 'alex loves whisky';
+        $encrypted = $this->cryptStub->doEncrypt($payload);
+        $plainText = $this->cryptStub->doDecrypt($encrypted);
+
+        $this->assertNotEquals($payload, $encrypted);
+        $this->assertEquals($payload, $plainText);
+    }
+
+    /**
+     * @expectedException \LogicException
+     */
+    public function testBadPrivateKey()
+    {
+        $this->cryptStub->setPrivateKeyPath(__DIR__ . '/Stubs/public.key');
+        $this->cryptStub->doEncrypt('');
+    }
+
+    /**
+     * @expectedException \LogicException
+     */
+    public function testBadPublicKey()
+    {
+        $this->cryptStub->setPublicKeyPath(__DIR__ . '/Stubs/private.key');
+        $this->cryptStub->doDecrypt('');
+    }
+}

tests/Grant/AbstractGrantTest.php

@@ -0,0 +1,370 @@
+<?php
+
+namespace LeagueTests\Grant;
+
+use League\Event\Emitter;
+use League\OAuth2\Server\Entities\AccessTokenEntity;
+use League\OAuth2\Server\Entities\Interfaces\AccessTokenEntityInterface;
+use League\OAuth2\Server\Entities\Interfaces\AuthCodeEntityInterface;
+use League\OAuth2\Server\Entities\Interfaces\RefreshTokenEntityInterface;
+use League\OAuth2\Server\Grant\AbstractGrant;
+use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+use League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface;
+use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
+use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
+use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
+use LeagueTests\Stubs\ClientEntity;
+use LeagueTests\Stubs\ScopeEntity;
+use Zend\Diactoros\ServerRequest;
+
+class AbstractGrantTest extends \PHPUnit_Framework_TestCase
+{
+    public function testGetSet()
+    {
+        /** @var AbstractGrant $grantMock */
+        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
+        $grantMock->setPrivateKeyPath('./private.key');
+        $grantMock->setPublicKeyPath('./public.key');
+        $grantMock->setEmitter(new Emitter());
+    }
+
+    public function testValidateClientPublic()
+    {
+        $client = new ClientEntity();
+
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        /** @var AbstractGrant $grantMock */
+        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
+        $grantMock->setClientRepository($clientRepositoryMock);
+
+        $abstractGrantReflection = new \ReflectionClass($grantMock);
+
+        $serverRequest = new ServerRequest();
+        $serverRequest = $serverRequest->withParsedBody(
+            [
+                'client_id' => 'foo',
+            ]
+        );
+        $validateClientMethod = $abstractGrantReflection->getMethod('validateClient');
+        $validateClientMethod->setAccessible(true);
+
+        $result = $validateClientMethod->invoke($grantMock, $serverRequest, true, true);
+        $this->assertEquals($client, $result);
+    }
+
+    public function testValidateClientConfidential()
+    {
+        $client = new ClientEntity();
+        $client->setSecret('bar');
+        $client->setRedirectUri('http://foo/bar');
+
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        /** @var AbstractGrant $grantMock */
+        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
+        $grantMock->setClientRepository($clientRepositoryMock);
+
+        $abstractGrantReflection = new \ReflectionClass($grantMock);
+
+        $serverRequest = new ServerRequest();
+        $serverRequest = $serverRequest->withParsedBody(
+            [
+                'client_id'     => 'foo',
+                'client_secret' => 'bar',
+                'redirect_uri'  => 'http://foo/bar',
+            ]
+        );
+        $validateClientMethod = $abstractGrantReflection->getMethod('validateClient');
+        $validateClientMethod->setAccessible(true);
+
+        $result = $validateClientMethod->invoke($grantMock, $serverRequest, true, true);
+        $this->assertEquals($client, $result);
+    }
+
+    /**
+     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
+     */
+    public function testValidateClientMissingClientId()
+    {
+        $client = new ClientEntity();
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        /** @var AbstractGrant $grantMock */
+        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
+        $grantMock->setClientRepository($clientRepositoryMock);
+
+        $abstractGrantReflection = new \ReflectionClass($grantMock);
+
+        $serverRequest = new ServerRequest();
+        $validateClientMethod = $abstractGrantReflection->getMethod('validateClient');
+        $validateClientMethod->setAccessible(true);
+
+        $validateClientMethod->invoke($grantMock, $serverRequest, true, true);
+    }
+
+    /**
+     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
+     */
+    public function testValidateClientMissingClientSecret()
+    {
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn(null);
+
+        /** @var AbstractGrant $grantMock */
+        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
+        $grantMock->setClientRepository($clientRepositoryMock);
+
+        $abstractGrantReflection = new \ReflectionClass($grantMock);
+
+        $serverRequest = new ServerRequest();
+        $serverRequest = $serverRequest->withParsedBody([
+            'client_id' => 'foo',
+        ]);
+
+        $validateClientMethod = $abstractGrantReflection->getMethod('validateClient');
+        $validateClientMethod->setAccessible(true);
+
+        $validateClientMethod->invoke($grantMock, $serverRequest, true, true);
+    }
+
+    /**
+     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
+     */
+    public function testValidateClientInvalidClientSecret()
+    {
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn(null);
+
+        /** @var AbstractGrant $grantMock */
+        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
+        $grantMock->setClientRepository($clientRepositoryMock);
+
+        $abstractGrantReflection = new \ReflectionClass($grantMock);
+
+        $serverRequest = new ServerRequest();
+        $serverRequest = $serverRequest->withParsedBody([
+            'client_id'     => 'foo',
+            'client_secret' => 'foo',
+        ]);
+
+        $validateClientMethod = $abstractGrantReflection->getMethod('validateClient');
+        $validateClientMethod->setAccessible(true);
+
+        $validateClientMethod->invoke($grantMock, $serverRequest, true, true);
+    }
+
+    /**
+     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
+     */
+    public function testValidateClientInvalidRedirectUri()
+    {
+        $client = new ClientEntity();
+        $client->setRedirectUri('http://foo/bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        /** @var AbstractGrant $grantMock */
+        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
+        $grantMock->setClientRepository($clientRepositoryMock);
+
+        $abstractGrantReflection = new \ReflectionClass($grantMock);
+
+        $serverRequest = new ServerRequest();
+        $serverRequest = $serverRequest->withParsedBody([
+            'client_id'     => 'foo',
+            'redirect_uri'  => 'http://bar/foo',
+        ]);
+
+        $validateClientMethod = $abstractGrantReflection->getMethod('validateClient');
+        $validateClientMethod->setAccessible(true);
+
+        $validateClientMethod->invoke($grantMock, $serverRequest, true, true);
+    }
+
+    /**
+     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
+     */
+    public function testValidateClientBadClient()
+    {
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn(null);
+
+        /** @var AbstractGrant $grantMock */
+        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
+        $grantMock->setClientRepository($clientRepositoryMock);
+
+        $abstractGrantReflection = new \ReflectionClass($grantMock);
+
+        $serverRequest = new ServerRequest();
+        $serverRequest = $serverRequest->withParsedBody([
+            'client_id'     => 'foo',
+            'client_secret' => 'bar',
+        ]);
+
+        $validateClientMethod = $abstractGrantReflection->getMethod('validateClient');
+        $validateClientMethod->setAccessible(true);
+
+        $validateClientMethod->invoke($grantMock, $serverRequest, true);
+    }
+
+    public function testCanRespondToRequest()
+    {
+        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
+        $grantMock->method('getIdentifier')->willReturn('foobar');
+
+        $serverRequest = new ServerRequest();
+        $serverRequest = $serverRequest->withParsedBody([
+            'grant_type' => 'foobar',
+        ]);
+
+        $this->assertTrue($grantMock->canRespondToRequest($serverRequest));
+    }
+
+    public function testIssueRefreshToken()
+    {
+        $refreshTokenRepoMock = $this->getMock(RefreshTokenRepositoryInterface::class);
+
+        /** @var AbstractGrant $grantMock */
+        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
+        $grantMock->setRefreshTokenTTL(new \DateInterval('PT1M'));
+        $grantMock->setRefreshTokenRepository($refreshTokenRepoMock);
+
+        $abstractGrantReflection = new \ReflectionClass($grantMock);
+        $issueRefreshTokenMethod = $abstractGrantReflection->getMethod('issueRefreshToken');
+        $issueRefreshTokenMethod->setAccessible(true);
+
+        $accessToken = new AccessTokenEntity();
+        /** @var RefreshTokenEntityInterface $refreshToken */
+        $refreshToken = $issueRefreshTokenMethod->invoke($grantMock, $accessToken);
+        $this->assertTrue($refreshToken instanceof RefreshTokenEntityInterface);
+        $this->assertFalse($refreshToken->isExpired());
+        $this->assertEquals($accessToken, $refreshToken->getAccessToken());
+    }
+
+    public function testIssueAccessToken()
+    {
+        $accessTokenRepoMock = $this->getMock(AccessTokenRepositoryInterface::class);
+
+        /** @var AbstractGrant $grantMock */
+        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
+        $grantMock->setAccessTokenRepository($accessTokenRepoMock);
+
+        $abstractGrantReflection = new \ReflectionClass($grantMock);
+        $issueAccessTokenMethod = $abstractGrantReflection->getMethod('issueAccessToken');
+        $issueAccessTokenMethod->setAccessible(true);
+
+        /** @var AccessTokenEntityInterface $accessToken */
+        $accessToken = $issueAccessTokenMethod->invoke(
+            $grantMock,
+            new \DateInterval('PT1H'),
+            new ClientEntity(),
+            123,
+            [new ScopeEntity()]
+        );
+        $this->assertTrue($accessToken instanceof AccessTokenEntityInterface);
+        $this->assertFalse($accessToken->isExpired());
+    }
+
+    public function testIssueAuthCode()
+    {
+        $authCodeRepoMock = $this->getMock(AuthCodeRepositoryInterface::class);
+
+        /** @var AbstractGrant $grantMock */
+        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
+        $grantMock->setAuthCodeRepository($authCodeRepoMock);
+
+        $abstractGrantReflection = new \ReflectionClass($grantMock);
+        $issueAuthCodeMethod = $abstractGrantReflection->getMethod('issueAuthCode');
+        $issueAuthCodeMethod->setAccessible(true);
+
+        $this->assertTrue(
+            $issueAuthCodeMethod->invoke(
+                $grantMock,
+                new \DateInterval('PT1H'),
+                new ClientEntity(),
+                123,
+                'http://foo/bar',
+                [new ScopeEntity()]
+            ) instanceof AuthCodeEntityInterface
+        );
+    }
+
+    public function testGetCookieParameter()
+    {
+        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
+        $grantMock->method('getIdentifier')->willReturn('foobar');
+
+        $abstractGrantReflection = new \ReflectionClass($grantMock);
+        $method = $abstractGrantReflection->getMethod('getCookieParameter');
+        $method->setAccessible(true);
+
+        $serverRequest = new ServerRequest();
+        $serverRequest = $serverRequest->withCookieParams([
+            'foo' => 'bar',
+        ]);
+
+        $this->assertEquals('bar', $method->invoke($grantMock, 'foo', $serverRequest));
+        $this->assertEquals('foo', $method->invoke($grantMock, 'bar', $serverRequest, 'foo'));
+    }
+
+    public function testGetQueryStringParameter()
+    {
+        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
+        $grantMock->method('getIdentifier')->willReturn('foobar');
+
+        $abstractGrantReflection = new \ReflectionClass($grantMock);
+        $method = $abstractGrantReflection->getMethod('getQueryStringParameter');
+        $method->setAccessible(true);
+
+        $serverRequest = new ServerRequest();
+        $serverRequest = $serverRequest->withQueryParams([
+            'foo' => 'bar',
+        ]);
+
+        $this->assertEquals('bar', $method->invoke($grantMock, 'foo', $serverRequest));
+        $this->assertEquals('foo', $method->invoke($grantMock, 'bar', $serverRequest, 'foo'));
+    }
+
+    public function testValidateScopes()
+    {
+        $scope = new ScopeEntity();
+        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
+        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scope);
+
+        /** @var AbstractGrant $grantMock */
+        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
+        $grantMock->setScopeRepository($scopeRepositoryMock);
+
+        $this->assertEquals([$scope], $grantMock->validateScopes('basic   ', new ClientEntity()));
+    }
+
+    /**
+     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
+     */
+    public function testValidateScopesBadScope()
+    {
+        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
+        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn(null);
+
+        /** @var AbstractGrant $grantMock */
+        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
+        $grantMock->setScopeRepository($scopeRepositoryMock);
+
+        $grantMock->validateScopes('basic   ', new ClientEntity());
+    }
+
+    public function testGenerateUniqueIdentifier()
+    {
+        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
+
+        $abstractGrantReflection = new \ReflectionClass($grantMock);
+        $method = $abstractGrantReflection->getMethod('generateUniqueIdentifier');
+        $method->setAccessible(true);
+
+        $this->assertTrue(is_string($method->invoke($grantMock)));
+    }
+}

tests/Grant/AuthCodeGrantTest.php

@@ -0,0 +1,993 @@
+<?php
+
+namespace LeagueTests\Grant;
+
+use League\OAuth2\Server\Entities\Interfaces\AccessTokenEntityInterface;
+use League\OAuth2\Server\Entities\Interfaces\RefreshTokenEntityInterface;
+use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\Grant\AuthCodeGrant;
+use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+use League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface;
+use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
+use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
+use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
+use League\OAuth2\Server\Repositories\UserRepositoryInterface;
+use League\OAuth2\Server\ResponseTypes\HtmlResponse;
+use League\OAuth2\Server\ResponseTypes\RedirectResponse;
+use LeagueTests\Stubs\ClientEntity;
+use LeagueTests\Stubs\CryptTraitStub;
+use LeagueTests\Stubs\ScopeEntity;
+use LeagueTests\Stubs\StubResponseType;
+use LeagueTests\Stubs\UserEntity;
+use Psr\Http\Message\ResponseInterface;
+use Zend\Diactoros\Response;
+use Zend\Diactoros\ServerRequest;
+
+class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
+{
+    /**
+     * CryptTrait stub
+     */
+    protected $cryptStub;
+
+    public function setUp()
+    {
+        $this->cryptStub = new CryptTraitStub;
+    }
+
+    public function testGetIdentifier()
+    {
+        $grant = new AuthCodeGrant(
+            $this->getMock(AuthCodeRepositoryInterface::class),
+            $this->getMock(RefreshTokenRepositoryInterface::class),
+            $this->getMock(UserRepositoryInterface::class),
+            new \DateInterval('PT10M')
+        );
+
+        $this->assertEquals('authorization_code', $grant->getIdentifier());
+    }
+
+    public function testCanRespondToRequest()
+    {
+        $grant = new AuthCodeGrant(
+            $this->getMock(AuthCodeRepositoryInterface::class),
+            $this->getMock(RefreshTokenRepositoryInterface::class),
+            $this->getMock(UserRepositoryInterface::class),
+            new \DateInterval('PT10M')
+        );
+
+        $request = new ServerRequest(
+            [],
+            [],
+            null,
+            null,
+            'php://input',
+            $headers = [],
+            $cookies = [],
+            $queryParams = [
+                'response_type' => 'code',
+                'client_id'     => 'foo',
+            ]
+        );
+
+        $this->assertTrue($grant->canRespondToRequest($request));
+    }
+
+    public function testRespondToAuthorizationRequest()
+    {
+        $client = new ClientEntity();
+        $client->setRedirectUri('http://foo/bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $userRepositoryMock = $this->getMockBuilder(UserRepositoryInterface::class)->getMock();
+        $userEntity = new UserEntity();
+        $userRepositoryMock->method('getUserEntityByUserCredentials')->willReturn($userEntity);
+
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+        $accessTokenRepositoryMock->method('persistNewAccessToken')->willReturnSelf();
+
+        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
+        $scopeRepositoryMock->method('finalizeScopes')->willReturnArgument(0);
+
+        $grant = new AuthCodeGrant(
+            $this->getMock(AuthCodeRepositoryInterface::class),
+            $this->getMock(RefreshTokenRepositoryInterface::class),
+            $userRepositoryMock,
+            new \DateInterval('PT10M')
+        );
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+        $grant->setScopeRepository($scopeRepositoryMock);
+        $grant->setPublicKeyPath('file://' . __DIR__ . '/../Stubs/public.key');
+        $grant->setPrivateKeyPath('file://' . __DIR__ . '/../Stubs/private.key');
+
+        $request = new ServerRequest(
+            [
+                'HTTP_HOST'   => 'auth-server.tld',
+                'REQUEST_URI' => '/authorize',
+            ],
+            [],
+            null,
+            'POST',
+            'php://input',
+            [],
+            [
+                'oauth_authorize_request' => $this->cryptStub->doEncrypt(json_encode(['user_id' => 123])),
+            ],
+            [
+                'response_type' => 'code',
+                'client_id'     => 'foo',
+                'state'         => 'foobar',
+            ],
+            [
+                'username' => 'alex',
+                'password' => 'whisky',
+                'action'   => 'approve',
+            ]
+        );
+
+        $response = $grant->respondToRequest($request, new StubResponseType(), new \DateInterval('PT10M'));
+
+        $this->assertTrue($response instanceof RedirectResponse);
+
+        $response = $response->generateHttpResponse(new Response);
+        $this->assertTrue(strstr($response->getHeader('location')[0], 'http://foo/bar') !== false);
+    }
+
+    /**
+     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
+     * @expectedExceptionCode 9
+     */
+    public function testRespondToAuthorizationRequestUserDenied()
+    {
+        $client = new ClientEntity();
+        $client->setRedirectUri('http://foo/bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $userRepositoryMock = $this->getMockBuilder(UserRepositoryInterface::class)->getMock();
+        $userEntity = new UserEntity();
+        $userRepositoryMock->method('getUserEntityByUserCredentials')->willReturn($userEntity);
+
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+        $accessTokenRepositoryMock->method('persistNewAccessToken')->willReturnSelf();
+
+        $grant = new AuthCodeGrant(
+            $this->getMock(AuthCodeRepositoryInterface::class),
+            $this->getMock(RefreshTokenRepositoryInterface::class),
+            $userRepositoryMock,
+            new \DateInterval('PT10M')
+        );
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+        $grant->setPublicKeyPath('file://' . __DIR__ . '/../Stubs/public.key');
+        $grant->setPrivateKeyPath('file://' . __DIR__ . '/../Stubs/private.key');
+
+        $request = new ServerRequest(
+            [
+                'HTTP_HOST'   => 'auth-server.tld',
+                'REQUEST_URI' => '/authorize',
+            ],
+            [],
+            null,
+            'POST',
+            'php://input',
+            [],
+            [
+                'oauth_authorize_request' => $this->cryptStub->doEncrypt(json_encode(['user_id' => 123])),
+            ],
+            [
+                'response_type' => 'code',
+                'client_id'     => 'foo',
+                'state'         => 'foobar',
+            ],
+            [
+                'username' => 'alex',
+                'password' => 'whisky',
+                'action'   => 'denied',
+            ]
+        );
+
+        $grant->respondToRequest($request, new StubResponseType(), new \DateInterval('PT10M'));
+    }
+
+    /**
+     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
+     * @expectedExceptionCode 3
+     */
+    public function testRespondToAuthorizationRequestMissingClientId()
+    {
+        $client = new ClientEntity();
+        $client->setRedirectUri('http://foo/bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $userRepositoryMock = $this->getMockBuilder(UserRepositoryInterface::class)->getMock();
+        $userEntity = new UserEntity();
+        $userRepositoryMock->method('getUserEntityByUserCredentials')->willReturn($userEntity);
+
+        $grant = new AuthCodeGrant(
+            $this->getMock(AuthCodeRepositoryInterface::class),
+            $this->getMock(RefreshTokenRepositoryInterface::class),
+            $userRepositoryMock,
+            new \DateInterval('PT10M')
+        );
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setPublicKeyPath('file://' . __DIR__ . '/../Stubs/public.key');
+        $grant->setPrivateKeyPath('file://' . __DIR__ . '/../Stubs/private.key');
+
+        $request = new ServerRequest(
+            [
+                'HTTP_HOST'   => 'auth-server.tld',
+                'REQUEST_URI' => '/authorize',
+            ],
+            [],
+            null,
+            'POST',
+            'php://input',
+            [],
+            [
+                'oauth_authorize_request' => $this->cryptStub->doEncrypt(json_encode(['user_id' => 123])),
+            ],
+            [
+                'response_type' => 'code',
+            ],
+            [
+                'username' => 'alex',
+                'password' => 'whisky',
+                'action'   => 'approve',
+            ]
+        );
+
+        $grant->respondToRequest($request, new StubResponseType(), new \DateInterval('PT10M'));
+    }
+
+    public function testRespondToAuthorizationRequestBadClient()
+    {
+        $client = null;
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $userRepositoryMock = $this->getMockBuilder(UserRepositoryInterface::class)->getMock();
+        $userEntity = new UserEntity();
+        $userRepositoryMock->method('getUserEntityByUserCredentials')->willReturn($userEntity);
+
+        $grant = new AuthCodeGrant(
+            $this->getMock(AuthCodeRepositoryInterface::class),
+            $this->getMock(RefreshTokenRepositoryInterface::class),
+            $userRepositoryMock,
+            new \DateInterval('PT10M')
+        );
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setPublicKeyPath('file://' . __DIR__ . '/../Stubs/public.key');
+        $grant->setPrivateKeyPath('file://' . __DIR__ . '/../Stubs/private.key');
+
+        $request = new ServerRequest(
+            [
+                'HTTP_HOST'   => 'auth-server.tld',
+                'REQUEST_URI' => '/authorize',
+            ],
+            [],
+            null,
+            'POST',
+            'php://input',
+            [],
+            [
+                'oauth_authorize_request' => $this->cryptStub->doEncrypt(json_encode(['user_id' => 123])),
+            ],
+            [
+                'response_type' => 'code',
+                'client_id'     => 'foo',
+            ],
+            [
+                'username' => 'alex',
+                'password' => 'whisky',
+                'action'   => 'approve',
+            ]
+        );
+
+        try {
+            /* @var StubResponseType $response */
+            $grant->respondToRequest($request, new StubResponseType(), new \DateInterval('PT10M'));
+        } catch (OAuthServerException $e) {
+            $this->assertEquals($e->getMessage(), 'Client authentication failed');
+        }
+    }
+
+    public function testRespondToAuthorizationRequestBadRedirectUri()
+    {
+        $client = new ClientEntity();
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $userRepositoryMock = $this->getMockBuilder(UserRepositoryInterface::class)->getMock();
+        $userEntity = new UserEntity();
+        $userRepositoryMock->method('getUserEntityByUserCredentials')->willReturn($userEntity);
+
+        $grant = new AuthCodeGrant(
+            $this->getMock(AuthCodeRepositoryInterface::class),
+            $this->getMock(RefreshTokenRepositoryInterface::class),
+            $userRepositoryMock,
+            new \DateInterval('PT10M')
+        );
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setPublicKeyPath('file://' . __DIR__ . '/../Stubs/public.key');
+        $grant->setPrivateKeyPath('file://' . __DIR__ . '/../Stubs/private.key');
+
+        $request = new ServerRequest(
+            [
+                'HTTP_HOST'   => 'auth-server.tld',
+                'REQUEST_URI' => '/authorize',
+            ],
+            [],
+            null,
+            'POST',
+            'php://input',
+            [],
+            [
+                'oauth_authorize_request' => $this->cryptStub->doEncrypt(json_encode(['user_id' => 123])),
+            ],
+            [
+                'response_type' => 'code',
+                'client_id'     => 'foo',
+                'redirect_uri'  =>  'sdfsdf',
+            ],
+            [
+                'username' => 'alex',
+                'password' => 'whisky',
+                'action'   => 'approve',
+            ]
+        );
+
+        try {
+            /* @var StubResponseType $response */
+            $grant->respondToRequest($request, new StubResponseType(), new \DateInterval('PT10M'));
+        } catch (OAuthServerException $e) {
+            $this->assertEquals($e->getMessage(), 'Client authentication failed');
+        }
+    }
+
+    /**
+     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
+     * @expectedExceptionCode 7
+     */
+    public function testRespondToAuthorizationRequestBadCookie()
+    {
+        $client = new ClientEntity();
+        $client->setRedirectUri('http://foo/bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $userRepositoryMock = $this->getMockBuilder(UserRepositoryInterface::class)->getMock();
+        $userEntity = new UserEntity();
+        $userRepositoryMock->method('getUserEntityByUserCredentials')->willReturn($userEntity);
+
+        $grant = new AuthCodeGrant(
+            $this->getMock(AuthCodeRepositoryInterface::class),
+            $this->getMock(RefreshTokenRepositoryInterface::class),
+            $userRepositoryMock,
+            new \DateInterval('PT10M')
+        );
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setPublicKeyPath('file://' . __DIR__ . '/../Stubs/public.key');
+        $grant->setPrivateKeyPath('file://' . __DIR__ . '/../Stubs/private.key');
+
+        $request = new ServerRequest(
+            [
+                'HTTP_HOST'   => 'auth-server.tld',
+                'REQUEST_URI' => '/authorize',
+            ],
+            [],
+            null,
+            'POST',
+            'php://input',
+            [],
+            [
+                'oauth_authorize_request' => 'blah',
+            ],
+            [
+                'response_type' => 'code',
+                'client_id'     => 'foo',
+            ],
+            [
+                'username' => 'alex',
+                'password' => 'whisky',
+                'action'   => 'approve',
+            ]
+        );
+
+        $grant->respondToRequest($request, new StubResponseType(), new \DateInterval('PT10M'));
+    }
+
+    public function testRespondToAuthorizationRequestTryLogin()
+    {
+        $client = new ClientEntity();
+        $client->setRedirectUri('http://foo/bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $userRepositoryMock = $this->getMockBuilder(UserRepositoryInterface::class)->getMock();
+        $userEntity = new UserEntity();
+        $userRepositoryMock->method('getUserEntityByUserCredentials')->willReturn($userEntity);
+
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+        $accessTokenRepositoryMock->method('persistNewAccessToken')->willReturnSelf();
+
+        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
+        $scopeRepositoryMock->method('finalizeScopes')->willReturnArgument(0);
+
+        $grant = new AuthCodeGrant(
+            $this->getMock(AuthCodeRepositoryInterface::class),
+            $this->getMock(RefreshTokenRepositoryInterface::class),
+            $userRepositoryMock,
+            new \DateInterval('PT10M')
+        );
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+        $grant->setScopeRepository($scopeRepositoryMock);
+        $grant->setPublicKeyPath('file://' . __DIR__ . '/../Stubs/public.key');
+        $grant->setPrivateKeyPath('file://' . __DIR__ . '/../Stubs/private.key');
+
+        $request = new ServerRequest(
+            [
+                'HTTP_HOST'   => 'auth-server.tld',
+                'REQUEST_URI' => '/authorize',
+            ],
+            [],
+            null,
+            'POST',
+            'php://input',
+            [],
+            [
+                'oauth_authorize_request' => $this->cryptStub->doEncrypt(json_encode(['user_id' => null])),
+            ],
+            [
+                'response_type' => 'code',
+                'client_id'     => 'foo',
+            ],
+            [
+                'username' => 'alex',
+                'password' => 'whisky',
+                'action'   => 'approve',
+            ]
+        );
+
+        $response = $grant->respondToRequest($request, new StubResponseType(), new \DateInterval('PT10M'));
+
+        $this->assertTrue($response instanceof RedirectResponse);
+
+        $response = $response->generateHttpResponse(new Response);
+        $this->assertTrue(strstr($response->getHeader('location')[0], 'http://foo/bar') !== false);
+    }
+
+    public function testRespondToAuthorizationRequestShowLoginForm()
+    {
+        $client = new ClientEntity();
+        $client->setRedirectUri('http://foo/bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $userRepositoryMock = $this->getMockBuilder(UserRepositoryInterface::class)->getMock();
+        $userEntity = null;
+        $userRepositoryMock->method('getUserEntityByUserCredentials')->willReturn($userEntity);
+
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+        $accessTokenRepositoryMock->method('persistNewAccessToken')->willReturnSelf();
+
+        $grant = new AuthCodeGrant(
+            $this->getMock(AuthCodeRepositoryInterface::class),
+            $this->getMock(RefreshTokenRepositoryInterface::class),
+            $userRepositoryMock,
+            new \DateInterval('PT10M')
+        );
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+        $grant->setPublicKeyPath('file://' . __DIR__ . '/../Stubs/public.key');
+        $grant->setPrivateKeyPath('file://' . __DIR__ . '/../Stubs/private.key');
+
+        $request = new ServerRequest(
+            [
+                'HTTP_HOST'   => 'auth-server.tld',
+                'REQUEST_URI' => '/authorize',
+            ],
+            [],
+            null,
+            'POST',
+            'php://input',
+            [],
+            [
+                'oauth_authorize_request' => $this->cryptStub->doEncrypt(json_encode(['user_id' => null])),
+            ],
+            [
+                'response_type' => 'code',
+                'client_id'     => 'foo',
+            ],
+            [
+                'username' => 'alex',
+                'password' => 'whisky',
+                'action'   => 'approve',
+            ]
+        );
+
+        $response = $grant->respondToRequest($request, new StubResponseType(), new \DateInterval('PT10M'));
+
+        $this->assertTrue($response instanceof HtmlResponse);
+
+        $response = $response->generateHttpResponse(new Response);
+        $this->assertTrue(strstr($response->getHeader('content-type')[0], 'text/html') !== false);
+        $this->assertTrue(strstr((string) $response->getBody(), 'Incorrect username or password') !== false);
+    }
+
+    public function testRespondToAuthorizationRequestShowAuthorizeForm()
+    {
+        $client = new ClientEntity();
+        $client->setRedirectUri('http://foo/bar');
+        $client->setName('Test Client');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $userRepositoryMock = $this->getMockBuilder(UserRepositoryInterface::class)->getMock();
+        $userEntity = new UserEntity();
+        $userRepositoryMock->method('getUserEntityByUserCredentials')->willReturn($userEntity);
+
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+        $accessTokenRepositoryMock->method('persistNewAccessToken')->willReturnSelf();
+
+        $grant = new AuthCodeGrant(
+            $this->getMock(AuthCodeRepositoryInterface::class),
+            $this->getMock(RefreshTokenRepositoryInterface::class),
+            $userRepositoryMock,
+            new \DateInterval('PT10M')
+        );
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+        $grant->setPublicKeyPath('file://' . __DIR__ . '/../Stubs/public.key');
+        $grant->setPrivateKeyPath('file://' . __DIR__ . '/../Stubs/private.key');
+
+        $request = new ServerRequest(
+            [
+                'HTTP_HOST'   => 'auth-server.tld',
+                'REQUEST_URI' => '/authorize',
+            ],
+            [],
+            null,
+            'POST',
+            'php://input',
+            [],
+            [
+                'oauth_authorize_request' => $this->cryptStub->doEncrypt(json_encode(['user_id' => 123])),
+            ],
+            [
+                'response_type' => 'code',
+                'client_id'     => 'foo',
+            ],
+            [
+                'username' => 'alex',
+                'password' => 'whisky',
+            ]
+        );
+
+        $response = $grant->respondToRequest($request, new StubResponseType(), new \DateInterval('PT10M'));
+
+        $response = $response->generateHttpResponse(new Response);
+        $this->assertTrue($response instanceof ResponseInterface);
+        $this->assertTrue(strstr($response->getHeader('set-cookie')[0], 'oauth_authorize_request') !== false);
+    }
+
+    public function testRespondToAccessTokenRequest()
+    {
+        $client = new ClientEntity();
+        $client->setIdentifier('foo');
+        $client->setRedirectUri('http://foo/bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $userRepositoryMock = $this->getMockBuilder(UserRepositoryInterface::class)->getMock();
+        $userEntity = new UserEntity();
+        $userRepositoryMock->method('getUserEntityByUserCredentials')->willReturn($userEntity);
+
+        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
+        $scopeEntity = new ScopeEntity();
+        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scopeEntity);
+
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+        $accessTokenRepositoryMock->method('persistNewAccessToken')->willReturnSelf();
+
+        $refreshTokenRepositoryMock = $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock();
+        $refreshTokenRepositoryMock->method('persistNewRefreshToken')->willReturnSelf();
+
+        $grant = new AuthCodeGrant(
+            $this->getMock(AuthCodeRepositoryInterface::class),
+            $this->getMock(RefreshTokenRepositoryInterface::class),
+            $userRepositoryMock,
+            new \DateInterval('PT10M')
+        );
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setScopeRepository($scopeRepositoryMock);
+        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
+        $grant->setPublicKeyPath('file://' . __DIR__ . '/../Stubs/public.key');
+        $grant->setPrivateKeyPath('file://' . __DIR__ . '/../Stubs/private.key');
+
+        $request = new ServerRequest(
+            [],
+            [],
+            null,
+            'POST',
+            'php://input',
+            [],
+            [],
+            [],
+            [
+                'grant_type'   => 'authorization_code',
+                'client_id'    => 'foo',
+                'redirect_uri' => 'http://foo/bar',
+                'code'         => $this->cryptStub->doEncrypt(
+                    json_encode(
+                        [
+                            'auth_code_id' => uniqid(),
+                            'expire_time'  => time() + 3600,
+                            'client_id'    => 'foo',
+                            'user_id'      => 123,
+                            'scopes'       => ['foo'],
+                            'redirect_uri' => 'http://foo/bar',
+                        ]
+                    )
+                ),
+            ]
+        );
+
+        /** @var StubResponseType $response */
+        $response = $grant->respondToRequest($request, new StubResponseType(), new \DateInterval('PT10M'));
+
+        $this->assertTrue($response->getAccessToken() instanceof AccessTokenEntityInterface);
+        $this->assertTrue($response->getRefreshToken() instanceof RefreshTokenEntityInterface);
+    }
+
+    /**
+     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
+     * @expectedExceptionCode 3
+     */
+    public function testRespondToAccessTokenRequestMissingRedirectUri()
+    {
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $userRepositoryMock = $this->getMockBuilder(UserRepositoryInterface::class)->getMock();
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+        $refreshTokenRepositoryMock = $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock();
+
+        $grant = new AuthCodeGrant(
+            $this->getMock(AuthCodeRepositoryInterface::class),
+            $this->getMock(RefreshTokenRepositoryInterface::class),
+            $userRepositoryMock,
+            new \DateInterval('PT10M')
+        );
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
+        $grant->setPublicKeyPath('file://' . __DIR__ . '/../Stubs/public.key');
+        $grant->setPrivateKeyPath('file://' . __DIR__ . '/../Stubs/private.key');
+
+        $request = new ServerRequest(
+            [],
+            [],
+            null,
+            'POST',
+            'php://input',
+            [],
+            [],
+            [],
+            [
+                'grant_type' => 'authorization_code',
+            ]
+        );
+
+        /* @var StubResponseType $response */
+        $grant->respondToRequest($request, new StubResponseType(), new \DateInterval('PT10M'));
+    }
+
+    /**
+     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
+     * @expectedExceptionCode 3
+     */
+    public function testRespondToAccessTokenRequestMissingCode()
+    {
+        $client = new ClientEntity();
+        $client->setSecret('bar');
+        $client->setRedirectUri('http://foo/bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $userRepositoryMock = $this->getMockBuilder(UserRepositoryInterface::class)->getMock();
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+        $refreshTokenRepositoryMock = $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock();
+
+        $grant = new AuthCodeGrant(
+            $this->getMock(AuthCodeRepositoryInterface::class),
+            $this->getMock(RefreshTokenRepositoryInterface::class),
+            $userRepositoryMock,
+            new \DateInterval('PT10M')
+        );
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
+        $grant->setPublicKeyPath('file://' . __DIR__ . '/../Stubs/public.key');
+        $grant->setPrivateKeyPath('file://' . __DIR__ . '/../Stubs/private.key');
+
+        $request = new ServerRequest(
+            [],
+            [],
+            null,
+            'POST',
+            'php://input',
+            [],
+            [],
+            [],
+            [
+                'grant_type'    => 'authorization_code',
+                'client_id'     => 'foo',
+                'client_secret' => 'bar',
+                'redirect_uri'  => 'http://foo/bar',
+            ]
+        );
+
+        /* @var StubResponseType $response */
+        $grant->respondToRequest($request, new StubResponseType(), new \DateInterval('PT10M'));
+    }
+
+    public function testRespondToAccessTokenRequestExpiredCode()
+    {
+        $client = new ClientEntity();
+        $client->setIdentifier('foo');
+        $client->setRedirectUri('http://foo/bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $userRepositoryMock = $this->getMockBuilder(UserRepositoryInterface::class)->getMock();
+        $userEntity = new UserEntity();
+        $userRepositoryMock->method('getUserEntityByUserCredentials')->willReturn($userEntity);
+
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+        $accessTokenRepositoryMock->method('persistNewAccessToken')->willReturnSelf();
+
+        $refreshTokenRepositoryMock = $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock();
+        $refreshTokenRepositoryMock->method('persistNewRefreshToken')->willReturnSelf();
+
+        $grant = new AuthCodeGrant(
+            $this->getMock(AuthCodeRepositoryInterface::class),
+            $this->getMock(RefreshTokenRepositoryInterface::class),
+            $userRepositoryMock,
+            new \DateInterval('PT10M')
+        );
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
+        $grant->setPublicKeyPath('file://' . __DIR__ . '/../Stubs/public.key');
+        $grant->setPrivateKeyPath('file://' . __DIR__ . '/../Stubs/private.key');
+
+        $request = new ServerRequest(
+            [],
+            [],
+            null,
+            'POST',
+            'php://input',
+            [],
+            [],
+            [],
+            [
+                'grant_type'   => 'authorization_code',
+                'client_id'    => 'foo',
+                'redirect_uri' => 'http://foo/bar',
+                'code'         => $this->cryptStub->doEncrypt(
+                    json_encode(
+                        [
+                            'auth_code_id' => uniqid(),
+                            'expire_time'  => time() - 3600,
+                            'client_id'    => 'foo',
+                            'user_id'      => 123,
+                            'scopes'       => ['foo'],
+                            'redirect_uri' => 'http://foo/bar',
+                        ]
+                    )
+                ),
+            ]
+        );
+
+        try {
+            /* @var StubResponseType $response */
+            $grant->respondToRequest($request, new StubResponseType(), new \DateInterval('PT10M'));
+        } catch (OAuthServerException $e) {
+            $this->assertEquals($e->getHint(), 'Authorization code has expired');
+        }
+    }
+
+    public function testRespondToAccessTokenRequestRevokedCode()
+    {
+        $client = new ClientEntity();
+        $client->setIdentifier('foo');
+        $client->setRedirectUri('http://foo/bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $userRepositoryMock = $this->getMockBuilder(UserRepositoryInterface::class)->getMock();
+        $userEntity = new UserEntity();
+        $userRepositoryMock->method('getUserEntityByUserCredentials')->willReturn($userEntity);
+
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+        $accessTokenRepositoryMock->method('persistNewAccessToken')->willReturnSelf();
+
+        $refreshTokenRepositoryMock = $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock();
+        $refreshTokenRepositoryMock->method('persistNewRefreshToken')->willReturnSelf();
+
+        $authCodeRepositoryMock = $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock();
+        $authCodeRepositoryMock->method('isAuthCodeRevoked')->willReturn(true);
+
+        $grant = new AuthCodeGrant(
+            $authCodeRepositoryMock,
+            $this->getMock(RefreshTokenRepositoryInterface::class),
+            $userRepositoryMock,
+            new \DateInterval('PT10M')
+        );
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
+        $grant->setPublicKeyPath('file://' . __DIR__ . '/../Stubs/public.key');
+        $grant->setPrivateKeyPath('file://' . __DIR__ . '/../Stubs/private.key');
+
+        $request = new ServerRequest(
+            [],
+            [],
+            null,
+            'POST',
+            'php://input',
+            [],
+            [],
+            [],
+            [
+                'grant_type'   => 'authorization_code',
+                'client_id'    => 'foo',
+                'redirect_uri' => 'http://foo/bar',
+                'code'         => $this->cryptStub->doEncrypt(
+                    json_encode(
+                        [
+                            'auth_code_id' => uniqid(),
+                            'expire_time'  => time() + 3600,
+                            'client_id'    => 'foo',
+                            'user_id'      => 123,
+                            'scopes'       => ['foo'],
+                            'redirect_uri' => 'http://foo/bar',
+                        ]
+                    )
+                ),
+            ]
+        );
+
+        try {
+            /* @var StubResponseType $response */
+            $grant->respondToRequest($request, new StubResponseType(), new \DateInterval('PT10M'));
+        } catch (OAuthServerException $e) {
+            $this->assertEquals($e->getHint(), 'Authorization code has been revoked');
+        }
+    }
+
+    public function testRespondToAccessTokenRequestClientMismatch()
+    {
+        $client = new ClientEntity();
+        $client->setIdentifier('foo');
+        $client->setRedirectUri('http://foo/bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $userRepositoryMock = $this->getMockBuilder(UserRepositoryInterface::class)->getMock();
+        $userEntity = new UserEntity();
+        $userRepositoryMock->method('getUserEntityByUserCredentials')->willReturn($userEntity);
+
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+        $accessTokenRepositoryMock->method('persistNewAccessToken')->willReturnSelf();
+
+        $refreshTokenRepositoryMock = $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock();
+        $refreshTokenRepositoryMock->method('persistNewRefreshToken')->willReturnSelf();
+
+        $grant = new AuthCodeGrant(
+            $this->getMock(AuthCodeRepositoryInterface::class),
+            $this->getMock(RefreshTokenRepositoryInterface::class),
+            $userRepositoryMock,
+            new \DateInterval('PT10M')
+        );
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
+        $grant->setPublicKeyPath('file://' . __DIR__ . '/../Stubs/public.key');
+        $grant->setPrivateKeyPath('file://' . __DIR__ . '/../Stubs/private.key');
+
+        $request = new ServerRequest(
+            [],
+            [],
+            null,
+            'POST',
+            'php://input',
+            [],
+            [],
+            [],
+            [
+                'grant_type'   => 'authorization_code',
+                'client_id'    => 'foo',
+                'redirect_uri' => 'http://foo/bar',
+                'code'         => $this->cryptStub->doEncrypt(
+                    json_encode(
+                        [
+                            'auth_code_id' => uniqid(),
+                            'expire_time'  => time() + 3600,
+                            'client_id'    => 'bar',
+                            'user_id'      => 123,
+                            'scopes'       => ['foo'],
+                            'redirect_uri' => 'http://foo/bar',
+                        ]
+                    )
+                ),
+            ]
+        );
+
+        try {
+            /* @var StubResponseType $response */
+            $grant->respondToRequest($request, new StubResponseType(), new \DateInterval('PT10M'));
+        } catch (OAuthServerException $e) {
+            $this->assertEquals($e->getHint(), 'Authorization code was not issued to this client');
+        }
+    }
+
+    public function testRespondToAccessTokenRequestBadCodeEncryption()
+    {
+        $client = new ClientEntity();
+        $client->setIdentifier('foo');
+        $client->setRedirectUri('http://foo/bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $userRepositoryMock = $this->getMockBuilder(UserRepositoryInterface::class)->getMock();
+        $userEntity = new UserEntity();
+        $userRepositoryMock->method('getUserEntityByUserCredentials')->willReturn($userEntity);
+
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+        $accessTokenRepositoryMock->method('persistNewAccessToken')->willReturnSelf();
+
+        $refreshTokenRepositoryMock = $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock();
+        $refreshTokenRepositoryMock->method('persistNewRefreshToken')->willReturnSelf();
+
+        $grant = new AuthCodeGrant(
+            $this->getMock(AuthCodeRepositoryInterface::class),
+            $this->getMock(RefreshTokenRepositoryInterface::class),
+            $userRepositoryMock,
+            new \DateInterval('PT10M')
+        );
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
+        $grant->setPublicKeyPath('file://' . __DIR__ . '/../Stubs/public.key');
+        $grant->setPrivateKeyPath('file://' . __DIR__ . '/../Stubs/private.key');
+
+        $request = new ServerRequest(
+            [],
+            [],
+            null,
+            'POST',
+            'php://input',
+            [],
+            [],
+            [],
+            [
+                'grant_type'   => 'authorization_code',
+                'client_id'    => 'foo',
+                'redirect_uri' => 'http://foo/bar',
+                'code'         => 'sdfsfsd',
+            ]
+        );
+
+        try {
+            /* @var StubResponseType $response */
+            $grant->respondToRequest($request, new StubResponseType(), new \DateInterval('PT10M'));
+        } catch (OAuthServerException $e) {
+            $this->assertEquals($e->getHint(), 'Cannot decrypt the authorization code');
+        }
+    }
+}

tests/Grant/ClientCredentialsGrantTest.php

@@ -0,0 +1,53 @@
+<?php
+
+namespace LeagueTests\Grant;
+
+use League\OAuth2\Server\Entities\Interfaces\AccessTokenEntityInterface;
+use League\OAuth2\Server\Grant\ClientCredentialsGrant;
+use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
+use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
+use LeagueTests\Stubs\ClientEntity;
+use LeagueTests\Stubs\StubResponseType;
+use Zend\Diactoros\ServerRequest;
+
+class ClientCredentialsGrantTest extends \PHPUnit_Framework_TestCase
+{
+    public function testGetIdentifier()
+    {
+        $grant = new ClientCredentialsGrant();
+        $this->assertEquals('client_credentials', $grant->getIdentifier());
+    }
+
+    public function testRespondToRequest()
+    {
+        $client = new ClientEntity();
+        $client->setSecret('bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+        $accessTokenRepositoryMock->method('persistNewAccessToken')->willReturnSelf();
+
+        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
+        $scopeRepositoryMock->method('finalizeScopes')->willReturnArgument(0);
+
+        $grant = new ClientCredentialsGrant();
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+        $grant->setScopeRepository($scopeRepositoryMock);
+
+        $serverRequest = new ServerRequest();
+        $serverRequest = $serverRequest->withParsedBody(
+            [
+                'client_id'     => 'foo',
+                'client_secret' => 'bar',
+            ]
+        );
+
+        $responseType = new StubResponseType();
+        $grant->respondToRequest($serverRequest, $responseType, new \DateInterval('PT5M'));
+
+        $this->assertTrue($responseType->getAccessToken() instanceof AccessTokenEntityInterface);
+    }
+}

tests/Grant/ImplicitGrantTest.php

@@ -0,0 +1,434 @@
+<?php
+
+namespace LeagueTests\Grant;
+
+use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\Grant\ImplicitGrant;
+use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
+use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
+use League\OAuth2\Server\Repositories\UserRepositoryInterface;
+use League\OAuth2\Server\ResponseTypes\HtmlResponse;
+use League\OAuth2\Server\ResponseTypes\RedirectResponse;
+use LeagueTests\Stubs\ClientEntity;
+use LeagueTests\Stubs\CryptTraitStub;
+use LeagueTests\Stubs\StubResponseType;
+use LeagueTests\Stubs\UserEntity;
+use Zend\Diactoros\Response;
+use Zend\Diactoros\ServerRequest;
+
+class ImplicitGrantTest extends \PHPUnit_Framework_TestCase
+{
+    /**
+     * CryptTrait stub
+     */
+    protected $cryptStub;
+
+    public function setUp()
+    {
+        $this->cryptStub = new CryptTraitStub();
+    }
+
+    public function testGetIdentifier()
+    {
+        $grant = new ImplicitGrant($this->getMock(UserRepositoryInterface::class));
+
+        $this->assertEquals('implicit', $grant->getIdentifier());
+    }
+
+    public function testCanRespondToRequest()
+    {
+        $grant = new ImplicitGrant($this->getMock(UserRepositoryInterface::class));
+
+        $request = new ServerRequest(
+            [],
+            [],
+            null,
+            null,
+            'php://input',
+            [],
+            [],
+            [
+                'response_type' => 'token',
+            ]
+        );
+
+        $this->assertTrue($grant->canRespondToRequest($request));
+    }
+
+    public function testRespondToAuthorizationRequest()
+    {
+        $client = new ClientEntity();
+        $client->setRedirectUri('http://foo/bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $userRepositoryMock = $this->getMockBuilder(UserRepositoryInterface::class)->getMock();
+        $userEntity = new UserEntity();
+        $userRepositoryMock->method('getUserEntityByUserCredentials')->willReturn($userEntity);
+
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+        $accessTokenRepositoryMock->method('persistNewAccessToken')->willReturnSelf();
+
+        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
+        $scopeRepositoryMock->method('finalizeScopes')->willReturnArgument(0);
+
+        $grant = new ImplicitGrant($userRepositoryMock);
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+        $grant->setScopeRepository($scopeRepositoryMock);
+        $grant->setPublicKeyPath('file://' . __DIR__ . '/../Stubs/public.key');
+        $grant->setPrivateKeyPath('file://' . __DIR__ . '/../Stubs/private.key');
+
+        $request = new ServerRequest(
+            [
+                'HTTP_HOST'   => 'auth-server.tld',
+                'REQUEST_URI' => '/authorize',
+            ],
+            [],
+            null,
+            'POST',
+            'php://input',
+            [],
+            [],
+            [
+                'response_type' => 'token',
+                'client_id'     => 'foo',
+                'state'         => 'foobar',
+            ],
+            [
+                'username' => 'alex',
+                'password' => 'whisky',
+                'action'   => 'approve',
+            ]
+        );
+
+        $response = $grant->respondToRequest($request, new StubResponseType(), new \DateInterval('PT10M'));
+
+        $this->assertTrue($response instanceof RedirectResponse);
+    }
+
+    /**
+     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
+     * @expectedExceptionCode 3
+     */
+    public function testRespondToAuthorizationRequestMissingClientId()
+    {
+        $grant = new ImplicitGrant($this->getMock(UserRepositoryInterface::class));
+        $grant->setPublicKeyPath('file://' . __DIR__ . '/../Stubs/public.key');
+        $grant->setPrivateKeyPath('file://' . __DIR__ . '/../Stubs/private.key');
+
+        $request = new ServerRequest(
+            [
+                'HTTP_HOST'   => 'auth-server.tld',
+                'REQUEST_URI' => '/authorize',
+            ],
+            [],
+            null,
+            'POST',
+            'php://input',
+            [],
+            [
+                'oauth_authorize_request' => $this->cryptStub->doEncrypt(json_encode(['user_id' => 123])),
+            ],
+            [
+                'response_type' => 'token',
+            ],
+            [
+                'username' => 'alex',
+                'password' => 'whisky',
+                'action'   => 'approve',
+            ]
+        );
+
+        $grant->respondToRequest($request, new StubResponseType(), new \DateInterval('PT10M'));
+    }
+
+    public function testRespondToAuthorizationRequestBadClient()
+    {
+        $client = null;
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $grant = new ImplicitGrant($this->getMock(UserRepositoryInterface::class));
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setPublicKeyPath('file://' . __DIR__ . '/../Stubs/public.key');
+        $grant->setPrivateKeyPath('file://' . __DIR__ . '/../Stubs/private.key');
+
+        $request = new ServerRequest(
+            [
+                'HTTP_HOST'   => 'auth-server.tld',
+                'REQUEST_URI' => '/authorize',
+            ],
+            [],
+            null,
+            'POST',
+            'php://input',
+            [],
+            [
+                'oauth_authorize_request' => $this->cryptStub->doEncrypt(json_encode(['user_id' => 123])),
+            ],
+            [
+                'response_type' => 'token',
+                'client_id'     => 'foo',
+            ],
+            [
+                'username' => 'alex',
+                'password' => 'whisky',
+                'action'   => 'approve',
+            ]
+        );
+
+        try {
+            /* @var StubResponseType $response */
+            $grant->respondToRequest($request, new StubResponseType(), new \DateInterval('PT10M'));
+        } catch (OAuthServerException $e) {
+            $this->assertEquals($e->getMessage(), 'Client authentication failed');
+        }
+    }
+
+    public function testRespondToAuthorizationRequestBadRedirectUri()
+    {
+        $client = new ClientEntity();
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $userRepositoryMock = $this->getMockBuilder(UserRepositoryInterface::class)->getMock();
+        $userEntity = new UserEntity();
+        $userRepositoryMock->method('getUserEntityByUserCredentials')->willReturn($userEntity);
+
+        $grant = new ImplicitGrant($this->getMock(UserRepositoryInterface::class));
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setPublicKeyPath('file://' . __DIR__ . '/../Stubs/public.key');
+        $grant->setPrivateKeyPath('file://' . __DIR__ . '/../Stubs/private.key');
+
+        $request = new ServerRequest(
+            [
+                'HTTP_HOST'   => 'auth-server.tld',
+                'REQUEST_URI' => '/authorize',
+            ],
+            [],
+            null,
+            'POST',
+            'php://input',
+            [],
+            [
+                'oauth_authorize_request' => $this->cryptStub->doEncrypt(json_encode(['user_id' => 123])),
+            ],
+            [
+                'response_type' => 'token',
+                'client_id'     => 'foo',
+                'redirect_uri'  =>  'sdfsdf',
+            ],
+            [
+                'username' => 'alex',
+                'password' => 'whisky',
+                'action'   => 'approve',
+            ]
+        );
+
+        try {
+            /* @var StubResponseType $response */
+            $grant->respondToRequest($request, new StubResponseType(), new \DateInterval('PT10M'));
+        } catch (OAuthServerException $e) {
+            $this->assertEquals($e->getMessage(), 'Client authentication failed');
+        }
+    }
+
+    /**
+     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
+     * @expectedExceptionCode 7
+     */
+    public function testRespondToAuthorizationRequestBadCookie()
+    {
+        $client = new ClientEntity();
+        $client->setRedirectUri('http://foo/bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $userRepositoryMock = $this->getMockBuilder(UserRepositoryInterface::class)->getMock();
+        $userEntity = new UserEntity();
+        $userRepositoryMock->method('getUserEntityByUserCredentials')->willReturn($userEntity);
+
+        $grant = new ImplicitGrant($this->getMock(UserRepositoryInterface::class));
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setPublicKeyPath('file://' . __DIR__ . '/../Stubs/public.key');
+        $grant->setPrivateKeyPath('file://' . __DIR__ . '/../Stubs/private.key');
+
+        $request = new ServerRequest(
+            [
+                'HTTP_HOST'   => 'auth-server.tld',
+                'REQUEST_URI' => '/authorize',
+            ],
+            [],
+            null,
+            'POST',
+            'php://input',
+            [],
+            [
+                'oauth_authorize_request' => 'blah',
+            ],
+            [
+                'response_type' => 'token',
+                'client_id'     => 'foo',
+            ],
+            [
+                'username' => 'alex',
+                'password' => 'whisky',
+                'action'   => 'approve',
+            ]
+        );
+
+        $grant->respondToRequest($request, new StubResponseType(), new \DateInterval('PT10M'));
+    }
+
+    public function testRespondToAuthorizationRequestTryLogin()
+    {
+        $client = new ClientEntity();
+        $client->setRedirectUri('http://foo/bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $userRepositoryMock = $this->getMockBuilder(UserRepositoryInterface::class)->getMock();
+        $userEntity = new UserEntity();
+        $userRepositoryMock->method('getUserEntityByUserCredentials')->willReturn($userEntity);
+
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+        $accessTokenRepositoryMock->method('persistNewAccessToken')->willReturnSelf();
+
+        $grant = new ImplicitGrant($this->getMock(UserRepositoryInterface::class));
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+        $grant->setPublicKeyPath('file://' . __DIR__ . '/../Stubs/public.key');
+        $grant->setPrivateKeyPath('file://' . __DIR__ . '/../Stubs/private.key');
+
+        $request = new ServerRequest(
+            [
+                'HTTP_HOST'   => 'auth-server.tld',
+                'REQUEST_URI' => '/authorize',
+            ],
+            [],
+            null,
+            'POST',
+            'php://input',
+            [],
+            [
+                'oauth_authorize_request' => $this->cryptStub->doEncrypt(json_encode(['user_id' => null])),
+            ],
+            [
+                'response_type' => 'token',
+                'client_id'     => 'foo',
+            ],
+            [
+                'username' => 'alex',
+                'password' => 'whisky',
+                'action'   => 'approve',
+            ]
+        );
+
+        $response = $grant->respondToRequest($request, new StubResponseType(), new \DateInterval('PT10M'));
+        $this->assertTrue($response instanceof HtmlResponse);
+
+        $response = $response->generateHttpResponse(new Response);
+        $this->assertTrue(strstr((string) $response->getBody(), 'Incorrect username or password') !== false);
+    }
+
+    public function testRespondToAuthorizationRequestShowAuthorizeForm()
+    {
+        $client = new ClientEntity();
+        $client->setRedirectUri('http://foo/bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $userRepositoryMock = $this->getMockBuilder(UserRepositoryInterface::class)->getMock();
+        $userEntity = new UserEntity();
+        $userRepositoryMock->method('getUserEntityByUserCredentials')->willReturn($userEntity);
+
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+        $accessTokenRepositoryMock->method('persistNewAccessToken')->willReturnSelf();
+
+        $grant = new ImplicitGrant($this->getMock(UserRepositoryInterface::class));
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+        $grant->setPublicKeyPath('file://' . __DIR__ . '/../Stubs/public.key');
+        $grant->setPrivateKeyPath('file://' . __DIR__ . '/../Stubs/private.key');
+
+        $request = new ServerRequest(
+            [
+                'HTTP_HOST'   => 'auth-server.tld',
+                'REQUEST_URI' => '/authorize',
+            ],
+            [],
+            null,
+            'POST',
+            'php://input',
+            [],
+            [
+                'oauth_authorize_request' => $this->cryptStub->doEncrypt(json_encode(['user_id' => 123])),
+            ],
+            [
+                'response_type' => 'code',
+                'client_id'     => 'foo',
+            ],
+            [
+                'username' => 'alex',
+                'password' => 'whisky',
+            ]
+        );
+
+        $response = $grant->respondToRequest($request, new StubResponseType(), new \DateInterval('PT10M'));
+
+        $this->assertTrue($response instanceof HtmlResponse);
+
+        $response = $response->generateHttpResponse(new Response);
+        $this->assertTrue(strstr($response->getHeader('set-cookie')[0], 'oauth_authorize_request') !== false);
+    }
+
+    /**
+     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
+     * @expectedExceptionCode 9
+     */
+    public function testRespondToAuthorizationRequestUserDenied()
+    {
+        $client = new ClientEntity();
+        $client->setRedirectUri('http://foo/bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $userRepositoryMock = $this->getMockBuilder(UserRepositoryInterface::class)->getMock();
+        $userEntity = new UserEntity();
+        $userRepositoryMock->method('getUserEntityByUserCredentials')->willReturn($userEntity);
+
+        $grant = new ImplicitGrant($this->getMock(UserRepositoryInterface::class));
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setPublicKeyPath('file://' . __DIR__ . '/../Stubs/public.key');
+        $grant->setPrivateKeyPath('file://' . __DIR__ . '/../Stubs/private.key');
+
+        $request = new ServerRequest(
+            [
+                'HTTP_HOST'   => 'auth-server.tld',
+                'REQUEST_URI' => '/authorize',
+            ],
+            [],
+            null,
+            'POST',
+            'php://input',
+            [],
+            [
+                'oauth_authorize_request' => $this->cryptStub->doEncrypt(json_encode(['user_id' => 123])),
+            ],
+            [
+                'response_type' => 'code',
+                'client_id'     => 'foo',
+                'state'         => 'foobar',
+            ],
+            [
+                'username' => 'alex',
+                'password' => 'whisky',
+                'action'   => 'denied',
+            ]
+        );
+
+        $grant->respondToRequest($request, new StubResponseType(), new \DateInterval('PT10M'));
+    }
+}

tests/Grant/PasswordGrantTest.php

@@ -0,0 +1,170 @@
+<?php
+
+namespace LeagueTests\Grant;
+
+use League\OAuth2\Server\Entities\Interfaces\AccessTokenEntityInterface;
+use League\OAuth2\Server\Entities\Interfaces\RefreshTokenEntityInterface;
+use League\OAuth2\Server\Grant\PasswordGrant;
+use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
+use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
+use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
+use League\OAuth2\Server\Repositories\UserRepositoryInterface;
+use LeagueTests\Stubs\ClientEntity;
+use LeagueTests\Stubs\StubResponseType;
+use LeagueTests\Stubs\UserEntity;
+use Zend\Diactoros\ServerRequest;
+
+class PasswordGrantTest extends \PHPUnit_Framework_TestCase
+{
+    public function testGetIdentifier()
+    {
+        $userRepositoryMock = $this->getMock(UserRepositoryInterface::class);
+        $refreshTokenRepositoryMock = $this->getMock(RefreshTokenRepositoryInterface::class);
+
+        $grant = new PasswordGrant($userRepositoryMock, $refreshTokenRepositoryMock);
+        $this->assertEquals('password', $grant->getIdentifier());
+    }
+
+    public function testRespondToRequest()
+    {
+        $client = new ClientEntity();
+        $client->setSecret('bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+        $accessTokenRepositoryMock->method('persistNewAccessToken')->willReturnSelf();
+
+        $userRepositoryMock = $this->getMockBuilder(UserRepositoryInterface::class)->getMock();
+        $userEntity = new UserEntity();
+        $userRepositoryMock->method('getUserEntityByUserCredentials')->willReturn($userEntity);
+
+        $refreshTokenRepositoryMock = $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock();
+        $refreshTokenRepositoryMock->method('persistNewRefreshToken')->willReturnSelf();
+
+        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
+        $scopeRepositoryMock->method('finalizeScopes')->willReturnArgument(0);
+
+        $grant = new PasswordGrant($userRepositoryMock, $refreshTokenRepositoryMock);
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+        $grant->setScopeRepository($scopeRepositoryMock);
+
+        $serverRequest = new ServerRequest();
+        $serverRequest = $serverRequest->withParsedBody(
+            [
+                'client_id'     => 'foo',
+                'client_secret' => 'bar',
+                'username'      => 'foo',
+                'password'      => 'bar',
+            ]
+        );
+
+        $responseType = new StubResponseType();
+        $grant->respondToRequest($serverRequest, $responseType, new \DateInterval('PT5M'));
+
+        $this->assertTrue($responseType->getAccessToken() instanceof AccessTokenEntityInterface);
+        $this->assertTrue($responseType->getRefreshToken() instanceof RefreshTokenEntityInterface);
+    }
+
+    /**
+     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
+     */
+    public function testRespondToRequestMissingUsername()
+    {
+        $client = new ClientEntity();
+        $client->setSecret('bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+
+        $userRepositoryMock = $this->getMockBuilder(UserRepositoryInterface::class)->getMock();
+
+        $refreshTokenRepositoryMock = $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock();
+
+        $grant = new PasswordGrant($userRepositoryMock, $refreshTokenRepositoryMock);
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+
+        $serverRequest = new ServerRequest();
+        $serverRequest = $serverRequest->withParsedBody(
+            [
+                'client_id'     => 'foo',
+                'client_secret' => 'bar',
+            ]
+        );
+
+        $responseType = new StubResponseType();
+        $grant->respondToRequest($serverRequest, $responseType, new \DateInterval('PT5M'));
+    }
+
+    /**
+     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
+     */
+    public function testRespondToRequestMissingPassword()
+    {
+        $client = new ClientEntity();
+        $client->setSecret('bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+
+        $userRepositoryMock = $this->getMockBuilder(UserRepositoryInterface::class)->getMock();
+
+        $refreshTokenRepositoryMock = $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock();
+
+        $grant = new PasswordGrant($userRepositoryMock, $refreshTokenRepositoryMock);
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+
+        $serverRequest = new ServerRequest();
+        $serverRequest = $serverRequest->withParsedBody(
+            [
+                'client_id'     => 'foo',
+                'client_secret' => 'bar',
+                'username'      => 'alex',
+            ]
+        );
+
+        $responseType = new StubResponseType();
+        $grant->respondToRequest($serverRequest, $responseType, new \DateInterval('PT5M'));
+    }
+
+    /**
+     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
+     */
+    public function testRespondToRequestBadCredentials()
+    {
+        $client = new ClientEntity();
+        $client->setSecret('bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+
+        $userRepositoryMock = $this->getMockBuilder(UserRepositoryInterface::class)->getMock();
+        $userRepositoryMock->method('getUserEntityByUserCredentials')->willReturn(null);
+
+        $refreshTokenRepositoryMock = $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock();
+
+        $grant = new PasswordGrant($userRepositoryMock, $refreshTokenRepositoryMock);
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+
+        $serverRequest = new ServerRequest();
+        $serverRequest = $serverRequest->withParsedBody(
+            [
+                'client_id'     => 'foo',
+                'client_secret' => 'bar',
+                'username'      => 'alex',
+                'password'      => 'whisky',
+            ]
+        );
+
+        $responseType = new StubResponseType();
+        $grant->respondToRequest($serverRequest, $responseType, new \DateInterval('PT5M'));
+    }
+}

tests/Grant/RefreshTokenGrantTest.php

@@ -0,0 +1,423 @@
+<?php
+
+namespace LeagueTests\Grant;
+
+use League\OAuth2\Server\Entities\Interfaces\AccessTokenEntityInterface;
+use League\OAuth2\Server\Entities\Interfaces\RefreshTokenEntityInterface;
+use League\OAuth2\Server\Grant\RefreshTokenGrant;
+use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
+use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
+use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
+use LeagueTests\Stubs\ClientEntity;
+use LeagueTests\Stubs\CryptTraitStub;
+use LeagueTests\Stubs\ScopeEntity;
+use LeagueTests\Stubs\StubResponseType;
+use Zend\Diactoros\ServerRequest;
+
+class RefreshTokenGrantTest extends \PHPUnit_Framework_TestCase
+{
+    /**
+     * CryptTrait stub
+     */
+    protected $cryptStub;
+
+    public function setUp()
+    {
+        $this->cryptStub = new CryptTraitStub();
+    }
+
+    public function testGetIdentifier()
+    {
+        $refreshTokenRepositoryMock = $this->getMock(RefreshTokenRepositoryInterface::class);
+
+        $grant = new RefreshTokenGrant($refreshTokenRepositoryMock);
+        $this->assertEquals('refresh_token', $grant->getIdentifier());
+    }
+
+    public function testRespondToRequest()
+    {
+        $client = new ClientEntity();
+        $client->setIdentifier('foo');
+        $client->setSecret('bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
+        $scopeEntity = new ScopeEntity();
+        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scopeEntity);
+
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+        $accessTokenRepositoryMock
+            ->expects($this->once())
+            ->method('persistNewAccessToken')->willReturnSelf();
+
+        $refreshTokenRepositoryMock = $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock();
+        $refreshTokenRepositoryMock
+            ->expects($this->once())
+            ->method('persistNewRefreshToken')->willReturnSelf();
+
+        $grant = new RefreshTokenGrant($refreshTokenRepositoryMock);
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setScopeRepository($scopeRepositoryMock);
+        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+        $grant->setPublicKeyPath('file://' . __DIR__ . '/../Stubs/public.key');
+        $grant->setPrivateKeyPath('file://' . __DIR__ . '/../Stubs/private.key');
+
+        $oldRefreshToken = $this->cryptStub->doEncrypt(
+            json_encode(
+                [
+                    'client_id'        => 'foo',
+                    'refresh_token_id' => 'zyxwvu',
+                    'access_token_id'  => 'abcdef',
+                    'scopes'           => ['foo'],
+                    'user_id'          => 123,
+                    'expire_time'      => time() + 3600,
+                ]
+            )
+        );
+
+        $serverRequest = new ServerRequest();
+        $serverRequest = $serverRequest->withParsedBody(
+            [
+                'client_id'     => 'foo',
+                'client_secret' => 'bar',
+                'refresh_token' => $oldRefreshToken,
+            ]
+        );
+
+        $responseType = new StubResponseType();
+        $grant->respondToRequest($serverRequest, $responseType, new \DateInterval('PT5M'));
+
+        $this->assertTrue($responseType->getAccessToken() instanceof AccessTokenEntityInterface);
+        $this->assertTrue($responseType->getRefreshToken() instanceof RefreshTokenEntityInterface);
+    }
+
+    public function testRespondToReducedScopes()
+    {
+        $client = new ClientEntity();
+        $client->setIdentifier('foo');
+        $client->setSecret('bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+        $accessTokenRepositoryMock->method('persistNewAccessToken')->willReturnSelf();
+
+        $refreshTokenRepositoryMock = $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock();
+        $refreshTokenRepositoryMock->method('persistNewRefreshToken')->willReturnSelf();
+
+        $scope = new ScopeEntity();
+        $scope->setIdentifier('foo');
+        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
+        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scope);
+
+        $grant = new RefreshTokenGrant($refreshTokenRepositoryMock);
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+        $grant->setScopeRepository($scopeRepositoryMock);
+        $grant->setPublicKeyPath('file://' . __DIR__ . '/../Stubs/public.key');
+        $grant->setPrivateKeyPath('file://' . __DIR__ . '/../Stubs/private.key');
+
+        $oldRefreshToken = $this->cryptStub->doEncrypt(
+            json_encode(
+                [
+                    'client_id'        => 'foo',
+                    'refresh_token_id' => 'zyxwvu',
+                    'access_token_id'  => 'abcdef',
+                    'scopes'           => ['foo', 'bar'],
+                    'user_id'          => 123,
+                    'expire_time'      => time() + 3600,
+                ]
+            )
+        );
+
+        $serverRequest = new ServerRequest();
+        $serverRequest = $serverRequest->withParsedBody(
+            [
+                'client_id'     => 'foo',
+                'client_secret' => 'bar',
+                'refresh_token' => $oldRefreshToken,
+                'scope'         => 'foo',
+            ]
+        );
+
+        $responseType = new StubResponseType();
+        $grant->respondToRequest($serverRequest, $responseType, new \DateInterval('PT5M'));
+
+        $this->assertTrue($responseType->getAccessToken() instanceof AccessTokenEntityInterface);
+        $this->assertTrue($responseType->getRefreshToken() instanceof RefreshTokenEntityInterface);
+    }
+
+    /**
+     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
+     * @expectedExceptionCode 5
+     */
+    public function testRespondToUnexpectedScope()
+    {
+        $client = new ClientEntity();
+        $client->setIdentifier('foo');
+        $client->setSecret('bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+        $accessTokenRepositoryMock->method('persistNewAccessToken')->willReturnSelf();
+
+        $refreshTokenRepositoryMock = $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock();
+        $refreshTokenRepositoryMock->method('persistNewRefreshToken')->willReturnSelf();
+
+        $scope = new ScopeEntity();
+        $scope->setIdentifier('foobar');
+        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
+        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scope);
+
+        $grant = new RefreshTokenGrant($refreshTokenRepositoryMock);
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+        $grant->setScopeRepository($scopeRepositoryMock);
+        $grant->setPublicKeyPath('file://' . __DIR__ . '/../Stubs/public.key');
+        $grant->setPrivateKeyPath('file://' . __DIR__ . '/../Stubs/private.key');
+
+        $oldRefreshToken = $this->cryptStub->doEncrypt(
+            json_encode(
+                [
+                    'client_id'        => 'foo',
+                    'refresh_token_id' => 'zyxwvu',
+                    'access_token_id'  => 'abcdef',
+                    'scopes'           => ['foo', 'bar'],
+                    'user_id'          => 123,
+                    'expire_time'      => time() + 3600,
+                ]
+            )
+        );
+
+        $serverRequest = new ServerRequest();
+        $serverRequest = $serverRequest->withParsedBody(
+            [
+                'client_id'     => 'foo',
+                'client_secret' => 'bar',
+                'refresh_token' => $oldRefreshToken,
+                'scope'         => 'foobar',
+            ]
+        );
+
+        $responseType = new StubResponseType();
+        $grant->respondToRequest($serverRequest, $responseType, new \DateInterval('PT5M'));
+    }
+
+    /**
+     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
+     * @expectedExceptionCode 3
+     */
+    public function testRespondToRequestMissingOldToken()
+    {
+        $client = new ClientEntity();
+        $client->setIdentifier('foo');
+        $client->setSecret('bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+        $refreshTokenRepositoryMock = $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock();
+
+        $grant = new RefreshTokenGrant($refreshTokenRepositoryMock);
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+        $grant->setPublicKeyPath('file://' . __DIR__ . '/../Stubs/public.key');
+        $grant->setPrivateKeyPath('file://' . __DIR__ . '/../Stubs/private.key');
+
+        $serverRequest = new ServerRequest();
+        $serverRequest = $serverRequest->withParsedBody(
+            [
+                'client_id'     => 'foo',
+                'client_secret' => 'bar',
+            ]
+        );
+
+        $responseType = new StubResponseType();
+        $grant->respondToRequest($serverRequest, $responseType, new \DateInterval('PT5M'));
+    }
+
+    /**
+     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
+     * @expectedExceptionCode 8
+     */
+    public function testRespondToRequestInvalidOldToken()
+    {
+        $client = new ClientEntity();
+        $client->setIdentifier('foo');
+        $client->setSecret('bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+        $refreshTokenRepositoryMock = $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock();
+
+        $grant = new RefreshTokenGrant($refreshTokenRepositoryMock);
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+        $grant->setPublicKeyPath('file://' . __DIR__ . '/../Stubs/public.key');
+        $grant->setPrivateKeyPath('file://' . __DIR__ . '/../Stubs/private.key');
+
+        $oldRefreshToken = 'foobar';
+
+        $serverRequest = new ServerRequest();
+        $serverRequest = $serverRequest->withParsedBody(
+            [
+                'client_id'     => 'foo',
+                'client_secret' => 'bar',
+                'refresh_token' => $oldRefreshToken,
+            ]
+        );
+
+        $responseType = new StubResponseType();
+        $grant->respondToRequest($serverRequest, $responseType, new \DateInterval('PT5M'));
+    }
+
+    /**
+     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
+     * @expectedExceptionCode 8
+     */
+    public function testRespondToRequestClientMismatch()
+    {
+        $client = new ClientEntity();
+        $client->setIdentifier('foo');
+        $client->setSecret('bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+        $accessTokenRepositoryMock->method('persistNewAccessToken')->willReturnSelf();
+
+
+        $refreshTokenRepositoryMock = $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock();
+        $refreshTokenRepositoryMock->method('persistNewRefreshToken')->willReturnSelf();
+
+        $grant = new RefreshTokenGrant($refreshTokenRepositoryMock);
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+        $grant->setPublicKeyPath('file://' . __DIR__ . '/../Stubs/public.key');
+        $grant->setPrivateKeyPath('file://' . __DIR__ . '/../Stubs/private.key');
+
+        $oldRefreshToken = $this->cryptStub->doEncrypt(
+            json_encode(
+                [
+                    'client_id'        => 'bar',
+                    'refresh_token_id' => 'zyxwvu',
+                    'access_token_id'  => 'abcdef',
+                    'scopes'           => ['foo'],
+                    'user_id'          => 123,
+                    'expire_time'      => time() + 3600,
+                ]
+            )
+        );
+
+        $serverRequest = new ServerRequest();
+        $serverRequest = $serverRequest->withParsedBody(
+            [
+                'client_id'     => 'foo',
+                'client_secret' => 'bar',
+                'refresh_token' => $oldRefreshToken,
+            ]
+        );
+
+        $responseType = new StubResponseType();
+        $grant->respondToRequest($serverRequest, $responseType, new \DateInterval('PT5M'));
+    }
+
+    /**
+     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
+     * @expectedExceptionCode 8
+     */
+    public function testRespondToRequestExpiredToken()
+    {
+        $client = new ClientEntity();
+        $client->setIdentifier('foo');
+        $client->setSecret('bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+        $refreshTokenRepositoryMock = $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock();
+
+        $grant = new RefreshTokenGrant($refreshTokenRepositoryMock);
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+        $grant->setPublicKeyPath('file://' . __DIR__ . '/../Stubs/public.key');
+        $grant->setPrivateKeyPath('file://' . __DIR__ . '/../Stubs/private.key');
+
+        $oldRefreshToken = $this->cryptStub->doEncrypt(
+            json_encode(
+                [
+                    'client_id'        => 'foo',
+                    'refresh_token_id' => 'zyxwvu',
+                    'access_token_id'  => 'abcdef',
+                    'scopes'           => ['foo'],
+                    'user_id'          => 123,
+                    'expire_time'      => time() - 3600,
+                ]
+            )
+        );
+
+        $serverRequest = new ServerRequest();
+        $serverRequest = $serverRequest->withParsedBody(
+            [
+                'client_id'     => 'foo',
+                'client_secret' => 'bar',
+                'refresh_token' => $oldRefreshToken,
+            ]
+        );
+
+        $responseType = new StubResponseType();
+        $grant->respondToRequest($serverRequest, $responseType, new \DateInterval('PT5M'));
+    }
+
+    /**
+     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
+     * @expectedExceptionCode 8
+     */
+    public function testRespondToRequestRevokedToken()
+    {
+        $client = new ClientEntity();
+        $client->setIdentifier('foo');
+        $client->setSecret('bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+        $refreshTokenRepositoryMock = $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock();
+        $refreshTokenRepositoryMock->method('isRefreshTokenRevoked')->willReturn(true);
+
+        $grant = new RefreshTokenGrant($refreshTokenRepositoryMock);
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+        $grant->setPublicKeyPath('file://' . __DIR__ . '/../Stubs/public.key');
+        $grant->setPrivateKeyPath('file://' . __DIR__ . '/../Stubs/private.key');
+
+        $oldRefreshToken = $this->cryptStub->doEncrypt(
+            json_encode(
+                [
+                    'client_id'        => 'foo',
+                    'refresh_token_id' => 'zyxwvu',
+                    'access_token_id'  => 'abcdef',
+                    'scopes'           => ['foo'],
+                    'user_id'          => 123,
+                    'expire_time'      => time() + 3600,
+                ]
+            )
+        );
+
+        $serverRequest = new ServerRequest();
+        $serverRequest = $serverRequest->withParsedBody(
+            [
+                'client_id'     => 'foo',
+                'client_secret' => 'bar',
+                'refresh_token' => $oldRefreshToken,
+            ]
+        );
+
+        $responseType = new StubResponseType();
+        $grant->respondToRequest($serverRequest, $responseType, new \DateInterval('PT5M'));
+    }
+}