Merge branch 'release/2.0.4'

Conflicts:
	composer.json
	src/OAuth2/AuthServer.php
	src/OAuth2/Grant/Password.php

.gitignore

@@ -1,6 +1,6 @@
-/vendor/
+/vendor
 /composer.lock
-/docs/build/
-/build/logs/
-/build/coverage/
-test
+/build/logs
+/build/coverage
+/docs
+/testing

.travis.yml

@@ -0,0 +1,8 @@
+language: php
+
+php:
+  - 5.3
+  - 5.4
+
+before_script: composer install --dev
+script: phpunit

CHANGELOG.md

@@ -0,0 +1,66 @@
+# Changelog
+
+## 2.0.4 (released 2013-05-09)
+
+* Renamed primary key in oauth_client_endpoints table
+* Adding missing column to oauth_session_authcodes
+* SECURITY FIX: A refresh token should be bound to a client ID
+
+## 2.0.3 (released 2013-05-08)
+
+* Fixed a link to code in composer.json
+
+## 2.0.2 (released 2013-05-08)
+
+* Updated README with wiki guides
+* Removed `null` as default parameters in some methods in the storage interfaces
+* Fixed license copyright
+
+## 2.0.0 (released 2013-05-08)
+
+**If you're upgrading from v1.0.8 there are lots of breaking changes**
+
+* Rewrote the session storage interface from scratch so methods are more obvious
+* Included a PDO driver which implements the storage interfaces so the library is more "get up and go"
+* Further normalised the database structure so all sessions no longer contain infomation related to authorization grant (which may or may not be enabled)
+* A session can have multiple associated access tokens
+* Induvidual grants can have custom expire times for access tokens
+* Authorization codes now have a TTL of 10 minutes by default (can be manually set)
+* Refresh tokens now have a TTL of one week by default (can be manually set)
+* The client credentials grant will no longer gives out refresh tokens as per the specification
+
+## 1.0.8 (released 2013-03-18)
+
+* Fixed check for required state parameter
+* Fixed check that user's credentials are correct in Password grant
+
+## 1.0.7 (released 2013-03-04)
+
+* Added method `requireStateParam()`
+* Added method `requireScopeParam()`
+
+## 1.0.6 (released 2013-02-22)
+
+* Added links to tutorials in the README
+* Added missing `state` parameter request to the `checkAuthoriseParams()` method.
+
+## 1.0.5 (released 2013-02-21)
+
+* Fixed the SQL example for SessionInterface::getScopes()
+
+## 1.0.3 (released 2013-02-20)
+
+* Changed all instances of the "authentication server" to "authorization server"
+
+## 1.0.2 (released 2013-02-20)
+
+* Fixed MySQL create table order
+* Fixed version number in composer.json
+
+## 1.0.1 (released 2013-02-19)
+
+* Updated AuthServer.php to use `self::getParam()`
+
+## 1.0.0 (released 2013-02-15)
+
+* First major release

README.md

@@ -1,6 +1,6 @@
-# PHP OAuth Framework
+# The League of Extraordinary Packages presents: PHP OAuth 2.0 Server
 
-The goal of this project is to develop a standards compliant [OAuth 2](http://tools.ietf.org/wg/oauth/draft-ietf-oauth-v2/) authentication server, resource server and client library with support for a major OAuth 2 providers.
+The goal of this project is to develop a standards compliant [OAuth 2.0](http://tools.ietf.org/wg/oauth/draft-ietf-oauth-v2/) authorization server and resource server.
 
 ## Package Installation
 
@@ -8,40 +8,60 @@ The framework is provided as a Composer package which can be installed by adding
 
 ```javascript
 {
-	"require": {  
-		"lncd\Oauth2": "*"  
+	"require": {
+		"league/oauth2-server": "2.*"
 	}
 }
 ```
 
-## Package Integration
+---
 
-Check out the [wiki](https://github.com/lncd/OAuth2/wiki)
+The library features 100% unit test code coverage. To run the tests yourself run `phpunit` from the project root.
 
 ## Current Features
 
-### Authentication Server
+### Authorization Server
 
-The authentication server is a flexible class that supports the standard authorization code grant.
+The authorization server is a flexible class and the following core specification grants are implemented:
+
+* authorization code ([section 4.1](http://tools.ietf.org/html/rfc6749#section-4.1))
+* refresh token ([section 6](http://tools.ietf.org/html/rfc6749#section-6))
+* client credentials ([section 2.3.1](http://tools.ietf.org/html/rfc6749#section-2.3.1))
+* password (user credentials) ([section 4.3](http://tools.ietf.org/html/rfc6749#section-4.3))
+
+An overview of the different OAuth 2.0 grants can be found in the wiki [https://github.com/php-loep/oauth2-server/wiki/Which-OAuth-2.0-grant-should-I-use%3F](https://github.com/php-loep/oauth2-server/wiki/Which-OAuth-2.0-grant-should-I-use%3F).
 
 ### Resource Server
 
-The resource server allows you to secure your API endpoints by checking for a valid OAuth access token in the request and ensuring the token has the correct permission to access resources.
+The resource server allows you to secure your API endpoints by checking for a valid OAuth access token in the request and ensuring the token has the correct scope(s) (i.e. permissions) to access resources.
 
+### Custom grants
 
+Custom grants can be created easily by implementing an interface. Check out a guide here [https://github.com/php-loep/oauth2-server/wiki/Creating-custom-grants](https://github.com/php-loep/oauth2-server/wiki/Creating-custom-grants).
 
+### PDO driver
+
+If you are using MySQL and want to very quickly implement the library then all of the storage interfaces have been implemented with PDO classes. Check out the guide here [https://github.com/php-loep/oauth2-server/wiki/Using-the-PDO-storage-classes](https://github.com/php-loep/oauth2-server/wiki/Using-the-PDO-storage-classes).
+
+## Tutorials and documentation
+
+The wiki has lots of guides on how to use this library, check it out - [https://github.com/php-loep/oauth2-server/wiki](https://github.com/php-loep/oauth2-server/wiki).
+
+A tutorial on how to use the authorization server can be found on the wiki - (https://github.com/php-loep/oauth2-server/wiki/Developing-an-OAuth-2.0-authorization-server)[https://github.com/php-loep/oauth2-server/wiki/Developing-an-OAuth-2.0-authorization-server].
+
+A tutorial on how to use the resource server to secure an API server can be found at [https://github.com/php-loep/oauth2-server/wiki/Securing-your-API-with-OAuth-2.0](https://github.com/php-loep/oauth2-server/wiki/Securing-your-API-with-OAuth-2.0).
 
 ## Future Goals
 
-### Authentication Server
+### Authorization Server
 
 * Support for [JSON web tokens](http://tools.ietf.org/wg/oauth/draft-ietf-oauth-json-web-token/).
 * Support for [SAML assertions](http://tools.ietf.org/wg/oauth/draft-ietf-oauth-saml2-bearer/).
 
-### Client support
-
-* Merge in https://github.com/philsturgeon/codeigniter-oauth2
-
 ---
 
-This code will be developed as part of the [Linkey](http://linkey.blogs.lincoln.ac.uk) project which has been funded by [JISC](http://jisc.ac.uk) under the Access and Identity Management programme.
+The initial code was developed as part of the [Linkey](http://linkey.blogs.lincoln.ac.uk) project which was funded by [JISC](http://jisc.ac.uk) under the Access and Identity Management programme.
+
+This code is principally developed and maintained by [@alexbilbie](https://twitter.com/alexbilbie).
+
+A list of contributors can be found at [https://github.com/php-loep/oauth2-server/contributors](https://github.com/php-loep/oauth2-server/contributors).

build/phpcs.xml

@@ -1,8 +0,0 @@
-<?xml version="1.0"?>
-<ruleset name="PHP_CodeSniffer">
-
-	<description>PHP_CodeSniffer configuration</description>
-
-	<rule ref="PSR2"/>
-
-</ruleset>

build/phpmd.xml

@@ -1,14 +0,0 @@
-<ruleset name="OAuth 2.0 Server"
-	xmlns="http://pmd.sf.net/ruleset/1.0.0"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xsi:schemaLocation="http://pmd.sf.net/ruleset/1.0.0
-		http://pmd.sf.net/ruleset_xml_schema.xsd"
-	xsi:noNamespaceSchemaLocation="http://pmd.sf.net/ruleset_xml_schema.xsd">
-
-	<description>
-		Ruleset for OAuth 2.0 server
-	</description>
-
-	<!-- Import the entire unused code rule set -->
-	<rule ref="rulesets/unusedcode.xml" />
-</ruleset>

build/phpunit.xml

@@ -1,23 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<phpunit colors="true" convertNoticesToExceptions="true" convertWarningsToExceptions="true" stopOnError="false" stopOnFailure="false" stopOnIncomplete="false" stopOnSkipped="false">
-	<testsuites>
-		<testsuite name="Authentication Server">
-			<directory suffix="test.php">../tests/authentication</directory>
-		</testsuite>
-		<testsuite name="Resource Server">
-			<directory suffix="test.php">../tests/resource</directory>
-		</testsuite>
-	</testsuites>
-	<filter>
-		<blacklist>
-			<directory suffix=".php">PEAR_INSTALL_DIR</directory>
-			<directory suffix=".php">PHP_LIBDIR</directory>
-			<directory suffix=".php">../vendor/composer</directory>
-		</blacklist>
-	</filter>
-	<logging>
-		<log type="coverage-html" target="coverage" title="lncd/OAuth" charset="UTF-8" yui="true" highlight="true" lowUpperBound="35" highLowerBound="70"/>
-		<log type="coverage-clover" target="logs/clover.xml"/>
-		<log type="junit" target="logs/junit.xml" logIncompleteSkipped="false"/>
-	</logging>
-</phpunit>

composer.json

@@ -1,20 +1,20 @@
 {
-	"name": "lncd/oauth2",
-	"description": "OAuth 2.0 Framework",
-	"version": "0.3.1",
-	"homepage": "https://github.com/lncd/OAuth2",
+	"name": "league/oauth2-server",
+	"description": "A lightweight and powerful OAuth 2.0 authorization and resource server library with support for all the core specification grants. This library will allow you to secure your API with OAuth and allow your applications users to approve apps that want to access their data from your API.",
+	"version": "2.0.4",
+	"homepage": "https://github.com/php-loep/oauth2-server",
 	"license": "MIT",
 	"require": {
 		"php": ">=5.3.0",
-		"guzzle/guzzle": "*"
+		"zetacomponents/database": "dev-master"
 	},
 	"require-dev": {
-		"phpunit/phpunit": "*"
+		"mockery/mockery": ">=0.7.2"
 	},
 	"repositories": [
 		{
 			"type": "git",
-			"url": "https://github.com/lncd/OAuth2"
+			"url": "https://github.com/php-loep/oauth2-server.git"
 		}
 	],
 	"keywords": [
@@ -23,22 +23,25 @@
 		"server",
 		"authorization",
 		"authentication",
-		"resource"
+		"resource",
+		"api"
 	],
 	"authors": [
 		{
 			"name": "Alex Bilbie",
 			"email": "hello@alexbilbie.com",
-			"homepage": "http://www.httpster.org",
+			"homepage": "http://www.alexbilbie.com",
 			"role": "Developer"
 		}
 	],
+	"replace": {
+		"lncd/oauth2": "*",
+		"league/oauth2server": "*"
+	},
 	"autoload": {
 		"psr-0": {
-			"Oauth2": "src/"
+			"League\\OAuth2\\Server": "src/"
 		}
 	},
-	"suggest": {
-		"lncd/oauth2-facebook": "Adds support for Facebook as an IDP"
-	}
-}
+	"suggest": {}
+}

license.txt

@@ -1,20 +1,20 @@
 MIT License
 
-Copyright (C) 2012 University of Lincoln
+Copyright (C) 2013 PHP League of Extraordinary Packages
 
-Permission is hereby granted, free of charge, to any person obtaining a copy of 
-this software and associated documentation files (the "Software"), to deal in 
-the Software without restriction, including without limitation the rights to 
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
 use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
 the Software, and to permit persons to whom the Software is furnished to do so,
 subject to the following conditions:
 
-The above copyright notice and this permission notice shall be included in all 
+The above copyright notice and this permission notice shall be included in all
 copies or substantial portions of the Software.
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR 
-COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

phpunit.xml

@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<phpunit colors="true" convertNoticesToExceptions="true" convertWarningsToExceptions="true" stopOnError="false" stopOnFailure="false" stopOnIncomplete="false" stopOnSkipped="false" bootstrap="tests/Bootstrap.php">
+	<testsuites>
+		<testsuite name="Authorization Server">
+			<directory suffix="Test.php">tests/authorization</directory>
+		</testsuite>
+		<testsuite name="Resource Server">
+			<directory suffix="Test.php">tests/resource</directory>
+		</testsuite>
+		<testsuite name="Utility Methods">
+			<directory suffix="Test.php">tests/util</directory>
+		</testsuite>
+	</testsuites>
+	<filter>
+		<blacklist>
+			<directory suffix=".php">PEAR_INSTALL_DIR</directory>
+			<directory suffix=".php">PHP_LIBDIR</directory>
+			<directory suffix=".php">vendor/composer</directory>
+			<directory suffix=".php">vendor/mockery</directory>
+			<directory suffix=".php">vendor/phpunit</directory>
+			<directory suffix=".php">tests</directory>
+			<directory suffix=".php">testing</directory>
+		</blacklist>
+	</filter>
+	<logging>
+		<log type="coverage-html" target="build/coverage" title="lncd/OAuth" charset="UTF-8" yui="true" highlight="true" lowUpperBound="50" highLowerBound="90"/>
+		<log type="coverage-text" target="php://stdout" title="lncd/OAuth" charset="UTF-8" yui="true" highlight="true" lowUpperBound="50" highLowerBound="90"/>
+		<log type="coverage-clover" target="build/logs/clover.xml"/>
+		<log type="junit" target="build/logs/junit.xml" logIncompleteSkipped="false"/>
+	</logging>
+</phpunit>

sql/database.sql

@@ -1,59 +0,0 @@
--- Create syntax for TABLE 'clients'
-CREATE TABLE `clients` (
-  `id` varchar(40) NOT NULL DEFAULT '',
-  `secret` varchar(40) NOT NULL DEFAULT '',
-  `name` varchar(255) NOT NULL DEFAULT '',
-  `auto_approve` tinyint(1) NOT NULL DEFAULT '0',
-  PRIMARY KEY (`id`)
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
--- Create syntax for TABLE 'client_endpoints'
-CREATE TABLE `client_endpoints` (
-  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
-  `client_id` varchar(40) NOT NULL DEFAULT '',
-  `redirect_uri` varchar(255) DEFAULT NULL,
-  PRIMARY KEY (`id`),
-  KEY `client_id` (`client_id`),
-  CONSTRAINT `client_endpoints_ibfk_1` FOREIGN KEY (`client_id`) REFERENCES `clients` (`id`) ON DELETE CASCADE ON UPDATE CASCADE
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
--- Create syntax for TABLE 'oauth_sessions'
-CREATE TABLE `oauth_sessions` (
-  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
-  `client_id` varchar(32) NOT NULL DEFAULT '',
-  `redirect_uri` varchar(250) NOT NULL DEFAULT '',
-  `owner_type` enum('user','client') NOT NULL DEFAULT 'user',
-  `owner_id` varchar(255) DEFAULT NULL,
-  `auth_code` varchar(40) DEFAULT '',
-  `access_token` varchar(40) DEFAULT '',
-  `access_token_expires` int(10) DEFAULT NULL,
-  `stage` enum('requested','granted') NOT NULL DEFAULT 'requested',
-  `first_requested` int(10) unsigned NOT NULL,
-  `last_updated` int(10) unsigned NOT NULL,
-  PRIMARY KEY (`id`),
-  KEY `client_id` (`client_id`)
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
--- Create syntax for TABLE 'scopes'
-CREATE TABLE `scopes` (
-  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
-  `scope` varchar(255) NOT NULL DEFAULT '',
-  `name` varchar(255) NOT NULL DEFAULT '',
-  `description` varchar(255) DEFAULT '',
-  PRIMARY KEY (`id`),
-  UNIQUE KEY `scope` (`scope`)
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
--- Create syntax for TABLE 'oauth_session_scopes'
-CREATE TABLE `oauth_session_scopes` (
-  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
-  `session_id` int(11) unsigned NOT NULL,
-  `access_token` varchar(40) NOT NULL DEFAULT '',
-  `scope` varchar(255) NOT NULL DEFAULT '',
-  PRIMARY KEY (`id`),
-  KEY `session_id` (`session_id`),
-  KEY `access_token` (`access_token`),
-  KEY `scope` (`scope`),
-  CONSTRAINT `oauth_session_scopes_ibfk_3` FOREIGN KEY (`scope`) REFERENCES `scopes` (`scope`) ON DELETE CASCADE ON UPDATE CASCADE,
-  CONSTRAINT `oauth_session_scopes_ibfk_4` FOREIGN KEY (`session_id`) REFERENCES `oauth_sessions` (`id`) ON DELETE CASCADE
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;

sql/mysql.sql

@@ -0,0 +1,85 @@
+CREATE TABLE `oauth_clients` (
+  `id` CHAR(40) NOT NULL,
+  `secret` CHAR(40) NOT NULL,
+  `name` VARCHAR(255) NOT NULL,
+  `auto_approve` TINYINT(1) NOT NULL DEFAULT '0',
+  PRIMARY KEY (`id`),
+  UNIQUE KEY `u_oacl_clse_clid` (`secret`,`id`)
+) ENGINE=INNODB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `oauth_client_endpoints` (
+  `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
+  `client_id` char(40) NOT NULL,
+  `redirect_uri` varchar(255) NOT NULL,
+  PRIMARY KEY (`id`),
+  KEY `i_oaclen_clid` (`client_id`),
+  CONSTRAINT `f_oaclen_clid` FOREIGN KEY (`client_id`) REFERENCES `oauth_clients` (`id`) ON DELETE CASCADE ON UPDATE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `oauth_sessions` (
+  `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
+  `client_id` char(40) NOT NULL,
+  `owner_type` enum('user','client') NOT NULL DEFAULT 'user',
+  `owner_id` varchar(255) NOT NULL,
+  PRIMARY KEY (`id`),
+  KEY `i_uase_clid_owty_owid` (`client_id`,`owner_type`,`owner_id`),
+  CONSTRAINT `f_oase_clid` FOREIGN KEY (`client_id`) REFERENCES `oauth_clients` (`id`) ON DELETE CASCADE ON UPDATE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `oauth_session_access_tokens` (
+  `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
+  `session_id` int(10) unsigned NOT NULL,
+  `access_token` char(40) NOT NULL DEFAULT '',
+  `access_token_expires` int(10) unsigned NOT NULL,
+  PRIMARY KEY (`id`),
+  UNIQUE KEY `u_oaseacto_acto_seid` (`access_token`,`session_id`),
+  KEY `f_oaseto_seid` (`session_id`),
+  CONSTRAINT `f_oaseto_seid` FOREIGN KEY (`session_id`) REFERENCES `oauth_sessions` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `oauth_session_authcodes` (
+  `session_id` int(10) unsigned NOT NULL,
+  `auth_code` char(40) NOT NULL DEFAULT '',
+  `auth_code_expires` int(10) unsigned NOT NULL,
+  `scope_ids` char(255) DEFAULT NULL,
+  PRIMARY KEY (`session_id`),
+  CONSTRAINT `f_oaseau_seid` FOREIGN KEY (`session_id`) REFERENCES `oauth_sessions` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `oauth_session_redirects` (
+  `session_id` int(10) unsigned NOT NULL,
+  `redirect_uri` varchar(255) NOT NULL DEFAULT '',
+  PRIMARY KEY (`session_id`),
+  CONSTRAINT `f_oasere_seid` FOREIGN KEY (`session_id`) REFERENCES `oauth_sessions` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `oauth_session_refresh_tokens` (
+  `session_access_token_id` int(10) unsigned NOT NULL,
+  `refresh_token` char(40) NOT NULL DEFAULT '',
+  `refresh_token_expires` int(10) unsigned NOT NULL,
+  `client_id` char(40) NOT NULL DEFAULT '',
+  PRIMARY KEY (`session_access_token_id`),
+  KEY `client_id` (`client_id`),
+  CONSTRAINT `oauth_session_refresh_tokens_ibfk_1` FOREIGN KEY (`client_id`) REFERENCES `oauth_clients` (`id`) ON DELETE CASCADE,
+  CONSTRAINT `f_oasetore_setoid` FOREIGN KEY (`session_access_token_id`) REFERENCES `oauth_session_access_tokens` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `oauth_scopes` (
+  `id` SMALLINT(5) UNSIGNED NOT NULL AUTO_INCREMENT,
+  `key` VARCHAR(255) NOT NULL,
+  `name` VARCHAR(255) NOT NULL,
+  `description` VARCHAR(255) DEFAULT NULL,
+  PRIMARY KEY (`id`),
+  UNIQUE KEY `u_oasc_sc` (`key`)
+) ENGINE=INNODB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `oauth_session_token_scopes` (
+  `session_token_scope_id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
+  `session_access_token_id` int(10) unsigned DEFAULT NULL,
+  `scope_id` smallint(5) unsigned NOT NULL,
+  PRIMARY KEY (`session_token_scope_id`),
+  UNIQUE KEY `u_setosc_setoid_scid` (`session_access_token_id`,`scope_id`),
+  KEY `f_oasetosc_scid` (`scope_id`),
+  CONSTRAINT `f_oasetosc_scid` FOREIGN KEY (`scope_id`) REFERENCES `oauth_scopes` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION,
+  CONSTRAINT `f_oasetosc_setoid` FOREIGN KEY (`session_access_token_id`) REFERENCES `oauth_session_access_tokens` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;

src/League/OAuth2/Server/Authorization.php

@@ -0,0 +1,466 @@
+<?php
+/**
+ * OAuth 2.0 Authorization Server
+ *
+ * @package     php-loep/oauth2-server
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
+ * @license     http://mit-license.org/
+ * @link        http://github.com/php-loep/oauth2-server
+ */
+
+namespace League\OAuth2\Server;
+
+use League\OAuth2\Server\Util\Request;
+use League\OAuth2\Server\Util\SecureKey;
+use League\OAuth2\Server\Storage\SessionInterface;
+use League\OAuth2\Server\Storage\ClientInterface;
+use League\OAuth2\Server\Storage\ScopeInterface;
+use League\OAuth2\Server\Grant\GrantTypeInterface;
+
+/**
+ * OAuth 2.0 authorization server class
+ */
+class Authorization
+{
+    /**
+     * The delimeter between scopes specified in the scope query string parameter
+     *
+     * The OAuth 2 specification states it should be a space but most use a comma
+     * @var string
+     */
+    protected $scopeDelimeter = ' ';
+
+    /**
+     * The TTL (time to live) of an access token in seconds (default: 3600)
+     * @var integer
+     */
+    protected $accessTokenTTL = 3600;
+
+    /**
+     * The registered grant response types
+     * @var array
+     */
+    protected $responseTypes = array();
+
+    /**
+     * The client, scope and session storage classes
+     * @var array
+     */
+    protected $storages = array();
+
+    /**
+     * The registered grant types
+     * @var array
+     */
+    protected $grantTypes = array();
+
+    /**
+     * Require the "scope" parameter to be in checkAuthoriseParams()
+     * @var boolean
+     */
+    protected $requireScopeParam = true;
+
+    /**
+     * Default scope to be used if none is provided and requireScopeParam is false
+     * @var string
+     */
+    protected $defaultScope = null;
+
+    /**
+     * Require the "state" parameter to be in checkAuthoriseParams()
+     * @var boolean
+     */
+    protected $requireStateParam = false;
+
+    /**
+     * The request object
+     * @var Util\RequestInterface
+     */
+    protected $request = null;
+
+    /**
+     * Exception error codes
+     * @var array
+     */
+    protected static $exceptionCodes = array(
+        0   =>  'invalid_request',
+        1   =>  'unauthorized_client',
+        2   =>  'access_denied',
+        3   =>  'unsupported_response_type',
+        4   =>  'invalid_scope',
+        5   =>  'server_error',
+        6   =>  'temporarily_unavailable',
+        7   =>  'unsupported_grant_type',
+        8   =>  'invalid_client',
+        9   =>  'invalid_grant'
+    );
+
+    /**
+     * Exception error messages
+     * @var array
+     */
+    protected static $exceptionMessages = array(
+        'invalid_request'           =>  'The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Check the "%s" parameter.',
+        'unauthorized_client'       =>  'The client is not authorized to request an access token using this method.',
+        'access_denied'             =>  'The resource owner or authorization server denied the request.',
+        'unsupported_response_type' =>  'The authorization server does not support obtaining an access token using this method.',
+        'invalid_scope'             =>  'The requested scope is invalid, unknown, or malformed. Check the "%s" scope.',
+        'server_error'              =>  'The authorization server encountered an unexpected condition which prevented it from fulfilling the request.',
+        'temporarily_unavailable'   =>  'The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server.',
+        'unsupported_grant_type'    =>  'The authorization grant type "%s" is not supported by the authorization server',
+        'invalid_client'            =>  'Client authentication failed',
+        'invalid_grant'             =>  'The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. Check the "%s" parameter.',
+        'invalid_credentials'       =>  'The user credentials were incorrect.',
+        'invalid_refresh'           =>  'The refresh token is invalid.',
+    );
+
+    /**
+     * Exception error HTTP status codes
+     * @var array
+     *
+     * RFC 6749, section 4.1.2.1.:
+     * No 503 status code for 'temporarily_unavailable', because
+     * "a 503 Service Unavailable HTTP status code cannot be
+     * returned to the client via an HTTP redirect"
+     */
+    protected static $exceptionHttpStatusCodes = array(
+        'invalid_request'           =>  400,
+        'unauthorized_client'       =>  400,
+        'access_denied'             =>  401,
+        'unsupported_response_type' =>  400,
+        'invalid_scope'             =>  400,
+        'server_error'              =>  500,
+        'temporarily_unavailable'   =>  400,
+        'unsupported_grant_type'    =>  501,
+        'invalid_client'            =>  401,
+        'invalid_grant'             =>  400,
+        'invalid_credentials'       =>  400,
+        'invalid_refresh'           =>  400,
+    );
+
+    /**
+     * Get all headers that have to be send with the error response
+     *
+     * @param  string $error The error message key
+     * @return array         Array with header values
+     */
+    public static function getExceptionHttpHeaders($error)
+    {
+        $headers = array();
+        switch (self::$exceptionHttpStatusCodes[$error]) {
+            case 401:
+                $headers[] = 'HTTP/1.1 401 Unauthorized';
+                break;
+            case 500:
+                $headers[] = 'HTTP/1.1 500 Internal Server Error';
+                break;
+            case 501:
+                $headers[] = 'HTTP/1.1 501 Not Implemented';
+                break;
+            case 400:
+            default:
+                $headers[] = 'HTTP/1.1 400 Bad Request';
+        }
+
+        // Add "WWW-Authenticate" header
+        //
+        // RFC 6749, section 5.2.:
+        // "If the client attempted to authenticate via the 'Authorization'
+        // request header field, the authorization server MUST
+        // respond with an HTTP 401 (Unauthorized) status code and
+        // include the "WWW-Authenticate" response header field
+        // matching the authentication scheme used by the client.
+        // @codeCoverageIgnoreStart
+        if ($error === 'invalid_client') {
+            $authScheme = null;
+            $request = new Request();
+            if ($request->server('PHP_AUTH_USER') !== null) {
+                $authScheme = 'Basic';
+            } else {
+                $authHeader = $request->header('Authorization');
+                if ($authHeader !== null) {
+                    if (strpos($authHeader, 'Bearer') === 0) {
+                        $authScheme = 'Bearer';
+                    } elseif (strpos($authHeader, 'Basic') === 0) {
+                        $authScheme = 'Basic';
+                    }
+                }
+            }
+            if ($authScheme !== null) {
+                $headers[] = 'WWW-Authenticate: '.$authScheme.' realm=""';
+            }
+        }
+        // @codeCoverageIgnoreEnd
+
+        return $headers;
+    }
+
+    /**
+     * Get an exception message
+     *
+     * @param  string $error The error message key
+     * @return string        The error message
+     */
+    public static function getExceptionMessage($error = '')
+    {
+        return self::$exceptionMessages[$error];
+    }
+
+    /**
+     * Get an exception code
+     *
+     * @param  integer $code The exception code
+     * @return string        The exception code type
+     */
+    public static function getExceptionType($code = 0)
+    {
+        return self::$exceptionCodes[$code];
+    }
+
+    /**
+     * Create a new OAuth2 authorization server
+     *
+     * @param ClientInterface  $client  A class which inherits from Storage/ClientInterface
+     * @param SessionInterface $session A class which inherits from Storage/SessionInterface
+     * @param ScopeInterface   $scope   A class which inherits from Storage/ScopeInterface
+     */
+    public function __construct(ClientInterface $client, SessionInterface $session, ScopeInterface $scope)
+    {
+        $this->storages = array(
+            'client'    =>  $client,
+            'session'   =>  $session,
+            'scope' =>  $scope
+        );
+    }
+
+    /**
+     * Enable support for a grant
+     * @param GrantTypeInterface $grantType  A grant class which conforms to Interface/GrantTypeInterface
+     * @param null|string        $identifier An identifier for the grant (autodetected if not passed)
+     */
+    public function addGrantType(GrantTypeInterface $grantType, $identifier = null)
+    {
+        if (is_null($identifier)) {
+            $identifier = $grantType->getIdentifier();
+        }
+        $this->grantTypes[$identifier] = $grantType;
+
+        if ( ! is_null($grantType->getResponseType())) {
+            $this->responseTypes[] = $grantType->getResponseType();
+        }
+    }
+
+    /**
+     * Check if a grant type has been enabled
+     * @param  string  $identifier The grant type identifier
+     * @return boolean             Returns "true" if enabled, "false" if not
+     */
+    public function hasGrantType($identifier)
+    {
+        return (array_key_exists($identifier, $this->grantTypes));
+    }
+
+    public function getResponseTypes()
+    {
+        return $this->responseTypes;
+    }
+
+    /**
+     * Require the "scope" paremter in checkAuthoriseParams()
+     * @param  boolean $require
+     * @return void
+     */
+    public function requireScopeParam($require = true)
+    {
+        $this->requireScopeParam = $require;
+    }
+
+    /**
+     * Is the scope parameter required?
+     * @return bool
+     */
+    public function scopeParamRequired()
+    {
+        return $this->requireScopeParam;
+    }
+
+    /**
+     * Default scope to be used if none is provided and requireScopeParam is false
+     * @var string
+     */
+    public function setDefaultScope($default = null)
+    {
+        $this->defaultScope = $default;
+    }
+
+    /**
+     * Default scope to be used if none is provided and requireScopeParam is false
+     * @return string|null
+     */
+    public function getDefaultScope()
+    {
+        return $this->defaultScope;
+    }
+
+    /**
+     * Require the "state" paremter in checkAuthoriseParams()
+     * @param  boolean $require
+     * @return void
+     */
+    public function stateParamRequired()
+    {
+        return $this->requireStateParam;
+    }
+
+    /**
+     * Require the "state" paremter in checkAuthoriseParams()
+     * @param  boolean $require
+     * @return void
+     */
+    public function requireStateParam($require = false)
+    {
+        $this->requireStateParam = $require;
+    }
+
+    /**
+     * Get the scope delimeter
+     *
+     * @return string The scope delimiter (default: ",")
+     */
+    public function getScopeDelimeter()
+    {
+        return $this->scopeDelimeter;
+    }
+
+    /**
+     * Set the scope delimiter
+     *
+     * @param string $scopeDelimeter
+     */
+    public function setScopeDelimeter($scopeDelimeter = ' ')
+    {
+        $this->scopeDelimeter = $scopeDelimeter;
+    }
+
+    /**
+     * Get the TTL for an access token
+     * @return int The TTL
+     */
+    public function getAccessTokenTTL()
+    {
+        return $this->accessTokenTTL;
+    }
+
+    /**
+     * Set the TTL for an access token
+     * @param int $accessTokenTTL The new TTL
+     */
+    public function setAccessTokenTTL($accessTokenTTL = 3600)
+    {
+        $this->accessTokenTTL = $accessTokenTTL;
+    }
+
+    /**
+     * Sets the Request Object
+     *
+     * @param Util\RequestInterface The Request Object
+     */
+    public function setRequest(Util\RequestInterface $request)
+    {
+        $this->request = $request;
+    }
+
+    /**
+     * Gets the Request object.  It will create one from the globals if one is not set.
+     *
+     * @return Util\RequestInterface
+     */
+    public function getRequest()
+    {
+        if ($this->request === null) {
+            // @codeCoverageIgnoreStart
+            $this->request = Request::buildFromGlobals();
+
+        }
+        // @codeCoverageIgnoreEnd
+
+        return $this->request;
+    }
+
+    /**
+     * Return a storage class
+     * @param  string $obj The class required
+     * @return Storage\ClientInterface|Storage\ScopeInterface|Storage\SessionInterface
+     */
+    public function getStorage($obj)
+    {
+        return $this->storages[$obj];
+    }
+
+    /**
+     * Issue an access token
+     *
+     * @param  array $inputParams Optional array of parsed $_POST keys
+     * @return array             Authorise request parameters
+     */
+    public function issueAccessToken($inputParams = array())
+    {
+        $grantType = $this->getParam('grant_type', 'post', $inputParams);
+
+        if (is_null($grantType)) {
+            throw new Exception\ClientException(sprintf(self::$exceptionMessages['invalid_request'], 'grant_type'), 0);
+        }
+
+        // Ensure grant type is one that is recognised and is enabled
+        if ( ! in_array($grantType, array_keys($this->grantTypes))) {
+            throw new Exception\ClientException(sprintf(self::$exceptionMessages['unsupported_grant_type'], $grantType), 7);
+        }
+
+        // Complete the flow
+        return $this->getGrantType($grantType)->completeFlow($inputParams);
+    }
+
+    /**
+     * Return a grant type class
+     * @param  string $grantType The grant type identifer
+     * @return Grant\AuthCode|Grant\ClientCredentials|Grant\Implict|Grant\Password|Grant\RefreshToken
+     */
+    public function getGrantType($grantType)
+    {
+        if (isset($this->grantTypes[$grantType])) {
+            return $this->grantTypes[$grantType];
+        }
+
+        throw new Exception\InvalidGrantTypeException(sprintf(self::$exceptionMessages['unsupported_grant_type'], $grantType), 9);
+        }
+
+    /**
+     * Get a parameter from passed input parameters or the Request class
+     * @param  string|array $param Required parameter
+     * @param  string $method      Get/put/post/delete
+     * @param  array  $inputParams Passed input parameters
+     * @return mixed               'Null' if parameter is missing
+     */
+    public function getParam($param = '', $method = 'get', $inputParams = array(), $default = null)
+    {
+        if (is_string($param)) {
+            if (isset($inputParams[$param])) {
+                return $inputParams[$param];
+            } elseif ($param === 'client_id' && ! is_null($clientId = $this->getRequest()->server('PHP_AUTH_USER'))) {
+                return $clientId;
+            } elseif ($param === 'client_secret' && ! is_null($clientSecret = $this->getRequest()->server('PHP_AUTH_PW'))) {
+                return $clientSecret;
+            } else {
+                return $this->getRequest()->{$method}($param, $default);
+            }
+        } else {
+            $response = array();
+            foreach ($param as $p) {
+                $response[$p] = $this->getParam($p, $method, $inputParams);
+            }
+            return $response;
+        }
+    }
+
+}

src/League/OAuth2/Server/Exception/ClientException.php

@@ -0,0 +1,20 @@
+<?php
+/**
+ * OAuth 2.0 Client Exception
+ *
+ * @package     php-loep/oauth2-server
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
+ * @license     http://mit-license.org/
+ * @link        http://github.com/php-loep/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Exception;
+
+/**
+ * ClientException Exception
+ */
+class ClientException extends OAuth2Exception
+{
+
+}

src/League/OAuth2/Server/Exception/InvalidAccessTokenException.php

@@ -0,0 +1,20 @@
+<?php
+/**
+ * OAuth 2.0 Invalid Access Token Exception
+ *
+ * @package     php-loep/oauth2-server
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
+ * @license     http://mit-license.org/
+ * @link        http://github.com/php-loep/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Exception;
+
+/**
+ * InvalidAccessToken Exception
+ */
+class InvalidAccessTokenException extends OAuth2Exception
+{
+
+}

src/League/OAuth2/Server/Exception/InvalidGrantTypeException.php

@@ -0,0 +1,20 @@
+<?php
+/**
+ * OAuth 2.0 Invalid Grant Type Exception
+ *
+ * @package     php-loep/oauth2-server
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
+ * @license     http://mit-license.org/
+ * @link        http://github.com/php-loep/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Exception;
+
+/**
+ * InvalidGrantTypeException Exception
+ */
+class InvalidGrantTypeException extends OAuth2Exception
+{
+
+}

src/League/OAuth2/Server/Exception/OAuth2Exception.php

@@ -0,0 +1,20 @@
+<?php
+/**
+ * OAuth 2.0 Base Exception
+ *
+ * @package     php-loep/oauth2-server
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
+ * @license     http://mit-license.org/
+ * @link        http://github.com/php-loep/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Exception;
+
+/**
+ * Exception class
+ */
+class OAuth2Exception extends \Exception
+{
+
+}

src/League/OAuth2/Server/Grant/AuthCode.php

@@ -0,0 +1,293 @@
+<?php
+/**
+ * OAuth 2.0 Auth code grant
+ *
+ * @package     php-loep/oauth2-server
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
+ * @license     http://mit-license.org/
+ * @link        http://github.com/php-loep/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Grant;
+
+use League\OAuth2\Server\Request;
+use League\OAuth2\Server\Authorization;
+use League\OAuth2\Server\Exception;
+use League\OAuth2\Server\Util\SecureKey;
+use League\OAuth2\Server\Storage\SessionInterface;
+use League\OAuth2\Server\Storage\ClientInterface;
+use League\OAuth2\Server\Storage\ScopeInterface;
+
+/**
+ * Auth code grant class
+ */
+class AuthCode implements GrantTypeInterface {
+
+    /**
+     * Grant identifier
+     * @var string
+     */
+    protected $identifier = 'authorization_code';
+
+    /**
+     * Response type
+     * @var string
+     */
+    protected $responseType = 'code';
+
+    /**
+     * AuthServer instance
+     * @var AuthServer
+     */
+    protected $authServer = null;
+
+    /**
+     * Access token expires in override
+     * @var int
+     */
+    protected $accessTokenTTL = null;
+
+    /**
+     * The TTL of the auth token
+     * @var integer
+     */
+    protected $authTokenTTL = 600;
+
+    /**
+     * Constructor
+     * @param Authorization $authServer Authorization server instance
+     * @return void
+     */
+    public function __construct(Authorization $authServer)
+    {
+        $this->authServer = $authServer;
+    }
+
+    /**
+     * Return the identifier
+     * @return string
+     */
+    public function getIdentifier()
+    {
+        return $this->identifier;
+    }
+
+    /**
+     * Return the response type
+     * @return string
+     */
+    public function getResponseType()
+    {
+        return $this->responseType;
+    }
+
+    /**
+     * Override the default access token expire time
+     * @param int $accessTokenTTL
+     * @return void
+     */
+    public function setAccessTokenTTL($accessTokenTTL)
+    {
+        $this->accessTokenTTL = $accessTokenTTL;
+    }
+
+    /**
+     * Override the default access token expire time
+     * @param int $authTokenTTL
+     * @return void
+     */
+    public function setAuthTokenTTL($authTokenTTL)
+    {
+        $this->authTokenTTL = $authTokenTTL;
+    }
+
+    /**
+     * Check authorise parameters
+     *
+     * @param  array $inputParams Optional array of parsed $_GET keys
+     * @throws \OAuth2\Exception\ClientException
+     * @return array             Authorise request parameters
+     */
+    public function checkAuthoriseParams($inputParams = array())
+    {
+        // Auth params
+        $authParams = $this->authServer->getParam(array('client_id', 'redirect_uri', 'response_type', 'scope', 'state'), 'get', $inputParams);
+
+        if (is_null($authParams['client_id'])) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'client_id'), 0);
+        }
+
+        if (is_null($authParams['redirect_uri'])) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'redirect_uri'), 0);
+        }
+
+        if ($this->authServer->stateParamRequired() === true && is_null($authParams['state'])) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'state'), 0);
+        }
+
+        // Validate client ID and redirect URI
+        $clientDetails = $this->authServer->getStorage('client')->getClient($authParams['client_id'], null, $authParams['redirect_uri'], $this->identifier);
+
+        if ($clientDetails === false) {
+            throw new Exception\ClientException($this->authServer->getExceptionMessage('invalid_client'), 8);
+        }
+
+        $authParams['client_details'] = $clientDetails;
+
+        if (is_null($authParams['response_type'])) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'response_type'), 0);
+        }
+
+        // Ensure response type is one that is recognised
+        if ( ! in_array($authParams['response_type'], $this->authServer->getResponseTypes())) {
+            throw new Exception\ClientException($this->authServer->getExceptionMessage('unsupported_response_type'), 3);
+        }
+
+        // Validate scopes
+        $scopes = explode($this->authServer->getScopeDelimeter(), $authParams['scope']);
+
+        for ($i = 0; $i < count($scopes); $i++) {
+            $scopes[$i] = trim($scopes[$i]);
+            if ($scopes[$i] === '') unset($scopes[$i]); // Remove any junk scopes
+        }
+
+        if ($this->authServer->scopeParamRequired() === true && count($scopes) === 0) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'scope'), 0);
+        } elseif (count($scopes) === 0 && $this->authServer->getDefaultScope()) {
+            $scopes = array($this->authServer->getDefaultScope());
+        }
+
+        $authParams['scopes'] = array();
+
+        foreach ($scopes as $scope) {
+            $scopeDetails = $this->authServer->getStorage('scope')->getScope($scope, $authParams['client_id'], $this->identifier);
+
+            if ($scopeDetails === false) {
+                throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_scope'), $scope), 4);
+            }
+
+            $authParams['scopes'][] = $scopeDetails;
+        }
+
+        return $authParams;
+    }
+
+    /**
+     * Parse a new authorise request
+     *
+     * @param  string $type        The session owner's type
+     * @param  string $typeId      The session owner's ID
+     * @param  array  $authParams  The authorise request $_GET parameters
+     * @return string              An authorisation code
+     */
+    public function newAuthoriseRequest($type, $typeId, $authParams = array())
+    {
+        // Generate an auth code
+        $authCode = SecureKey::make();
+
+        // Remove any old sessions the user might have
+        $this->authServer->getStorage('session')->deleteSession($authParams['client_id'], $type, $typeId);
+
+        // List of scopes IDs
+        $scopeIds = array();
+        foreach ($authParams['scopes'] as $scope)
+        {
+            $scopeIds[] = $scope['id'];
+        }
+
+        // Create a new session
+        $sessionId = $this->authServer->getStorage('session')->createSession($authParams['client_id'], $type, $typeId);
+
+        // Associate a redirect URI
+        $this->authServer->getStorage('session')->associateRedirectUri($sessionId, $authParams['redirect_uri']);
+
+        // Associate the auth code
+        $this->authServer->getStorage('session')->associateAuthCode($sessionId, $authCode, time() + $this->authTokenTTL, implode(',', $scopeIds));
+
+        return $authCode;
+    }
+
+    /**
+     * Complete the auth code grant
+     * @param  null|array $inputParams
+     * @return array
+     */
+    public function completeFlow($inputParams = null)
+    {
+        // Get the required params
+        $authParams = $this->authServer->getParam(array('client_id', 'client_secret', 'redirect_uri', 'code'), 'post', $inputParams);
+
+        if (is_null($authParams['client_id'])) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'client_id'), 0);
+        }
+
+        if (is_null($authParams['client_secret'])) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'client_secret'), 0);
+        }
+
+        if (is_null($authParams['redirect_uri'])) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'redirect_uri'), 0);
+        }
+
+        // Validate client ID and redirect URI
+        $clientDetails = $this->authServer->getStorage('client')->getClient($authParams['client_id'], $authParams['client_secret'], $authParams['redirect_uri'], $this->identifier);
+
+        if ($clientDetails === false) {
+            throw new Exception\ClientException($this->authServer->getExceptionMessage('invalid_client'), 8);
+        }
+
+        $authParams['client_details'] = $clientDetails;
+
+        // Validate the authorization code
+        if (is_null($authParams['code'])) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'code'), 0);
+        }
+
+        // Verify the authorization code matches the client_id and the request_uri
+        $session = $this->authServer->getStorage('session')->validateAuthCode($authParams['client_id'], $authParams['redirect_uri'], $authParams['code']);
+
+        if ( ! $session) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_grant'), 'code'), 9);
+        }
+
+        // A session ID was returned so update it with an access token and remove the authorisation code
+
+        $accessToken = SecureKey::make();
+        $accessTokenExpiresIn = ($this->accessTokenTTL !== null) ? $this->accessTokenTTL : $this->authServer->getAccessTokenTTL();
+        $accessTokenExpires = time() + $accessTokenExpiresIn;
+
+        // Remove the auth code
+        $this->authServer->getStorage('session')->removeAuthCode($session['id']);
+
+        // Create an access token
+        $accessTokenId = $this->authServer->getStorage('session')->associateAccessToken($session['id'], $accessToken, $accessTokenExpires);
+
+        // Associate scopes with the access token
+        if ( ! is_null($session['scope_ids'])) {
+            $scopeIds = explode(',', $session['scope_ids']);
+
+            foreach ($scopeIds as $scopeId) {
+                $this->authServer->getStorage('session')->associateScope($accessTokenId, $scopeId);
+            }
+        }
+
+        $response = array(
+            'access_token'  =>  $accessToken,
+            'token_type'    =>  'bearer',
+            'expires'       =>  $accessTokenExpires,
+            'expires_in'    =>  $accessTokenExpiresIn
+        );
+
+        // Associate a refresh token if set
+        if ($this->authServer->hasGrantType('refresh_token')) {
+            $refreshToken = SecureKey::make();
+            $refreshTokenTTL = time() + $this->authServer->getGrantType('refresh_token')->getRefreshTokenTTL();
+            $this->authServer->getStorage('session')->associateRefreshToken($accessTokenId, $refreshToken, $refreshTokenTTL, $authParams['client_id']);
+            $response['refresh_token'] = $refreshToken;
+        }
+
+        return $response;
+    }
+
+}

src/League/OAuth2/Server/Grant/ClientCredentials.php

@@ -0,0 +1,173 @@
+<?php
+/**
+ * OAuth 2.0 Client credentials grant
+ *
+ * @package     php-loep/oauth2-server
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
+ * @license     http://mit-license.org/
+ * @link        http://github.com/php-loep/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Grant;
+
+use League\OAuth2\Server\Request;
+use League\OAuth2\Server\Authorization;
+use League\OAuth2\Server\Exception;
+use League\OAuth2\Server\Util\SecureKey;
+use League\OAuth2\Server\Storage\SessionInterface;
+use League\OAuth2\Server\Storage\ClientInterface;
+use League\OAuth2\Server\Storage\ScopeInterface;
+
+/**
+ * Client credentials grant class
+ */
+class ClientCredentials implements GrantTypeInterface {
+
+    /**
+     * Grant identifier
+     * @var string
+     */
+    protected $identifier = 'client_credentials';
+
+    /**
+     * Response type
+     * @var string
+     */
+    protected $responseType = null;
+
+    /**
+     * AuthServer instance
+     * @var AuthServer
+     */
+    protected $authServer = null;
+
+    /**
+     * Access token expires in override
+     * @var int
+     */
+    protected $accessTokenTTL = null;
+
+    /**
+     * Constructor
+     * @param Authorization $authServer Authorization server instance
+     * @return void
+     */
+    public function __construct(Authorization $authServer)
+    {
+        $this->authServer = $authServer;
+    }
+
+    /**
+     * Return the identifier
+     * @return string
+     */
+    public function getIdentifier()
+    {
+        return $this->identifier;
+    }
+
+    /**
+     * Return the response type
+     * @return string
+     */
+    public function getResponseType()
+    {
+        return $this->responseType;
+    }
+
+    /**
+     * Override the default access token expire time
+     * @param int $accessTokenTTL
+     * @return void
+     */
+    public function setAccessTokenTTL($accessTokenTTL)
+    {
+        $this->accessTokenTTL = $accessTokenTTL;
+    }
+
+    /**
+     * Complete the client credentials grant
+     * @param  null|array $inputParams
+     * @return array
+     */
+    public function completeFlow($inputParams = null)
+    {
+         // Get the required params
+        $authParams = $this->authServer->getParam(array('client_id', 'client_secret'), 'post', $inputParams);
+
+        if (is_null($authParams['client_id'])) {
+            throw new Exception\ClientException(sprintf(Authorization::getExceptionMessage('invalid_request'), 'client_id'), 0);
+        }
+
+        if (is_null($authParams['client_secret'])) {
+            throw new Exception\ClientException(sprintf(Authorization::getExceptionMessage('invalid_request'), 'client_secret'), 0);
+        }
+
+        // Validate client ID and client secret
+        $clientDetails = $this->authServer->getStorage('client')->getClient($authParams['client_id'], $authParams['client_secret'], null, $this->identifier);
+
+        if ($clientDetails === false) {
+            throw new Exception\ClientException(Authorization::getExceptionMessage('invalid_client'), 8);
+        }
+
+        $authParams['client_details'] = $clientDetails;
+
+        // Validate any scopes that are in the request
+        $scope = $this->authServer->getParam('scope', 'post', $inputParams, '');
+        $scopes = explode($this->authServer->getScopeDelimeter(), $scope);
+
+        for ($i = 0; $i < count($scopes); $i++) {
+            $scopes[$i] = trim($scopes[$i]);
+            if ($scopes[$i] === '') unset($scopes[$i]); // Remove any junk scopes
+        }
+
+        if ($this->authServer->scopeParamRequired() === true && count($scopes) === 0) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'scope'), 0);
+        } elseif (count($scopes) === 0 && $this->authServer->getDefaultScope()) {
+            $scopes = array($this->authServer->getDefaultScope());
+        }
+
+        $authParams['scopes'] = array();
+
+        foreach ($scopes as $scope) {
+            $scopeDetails = $this->authServer->getStorage('scope')->getScope($scope, $authParams['client_id'], $this->identifier);
+
+            if ($scopeDetails === false) {
+                throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_scope'), $scope), 4);
+            }
+
+            $authParams['scopes'][] = $scopeDetails;
+        }
+
+        // Generate an access token
+        $accessToken = SecureKey::make();
+        $accessTokenExpiresIn = ($this->accessTokenTTL !== null) ? $this->accessTokenTTL : $this->authServer->getAccessTokenTTL();
+        $accessTokenExpires = time() + $accessTokenExpiresIn;
+
+        // Delete any existing sessions just to be sure
+        $this->authServer->getStorage('session')->deleteSession($authParams['client_id'], 'client', $authParams['client_id']);
+
+        // Create a new session
+        $sessionId = $this->authServer->getStorage('session')->createSession($authParams['client_id'], 'client', $authParams['client_id']);
+
+        // Add the access token
+        $accessTokenId = $this->authServer->getStorage('session')->associateAccessToken($sessionId, $accessToken, $accessTokenExpires);
+
+        // Associate scopes with the new session
+        foreach ($authParams['scopes'] as $scope)
+        {
+            $this->authServer->getStorage('session')->associateScope($accessTokenId, $scope['id']);
+        }
+
+        $response = array(
+            'access_token'  =>  $accessToken,
+            'token_type'    =>  'bearer',
+            'expires'       =>  $accessTokenExpires,
+            'expires_in'    =>  $accessTokenExpiresIn
+        );
+
+        return $response;
+    }
+
+}

src/League/OAuth2/Server/Grant/GrantTypeInterface.php

@@ -0,0 +1,61 @@
+<?php
+/**
+ * OAuth 2.0 Grant type interface
+ *
+ * @package     php-loep/oauth2-server
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
+ * @license     http://mit-license.org/
+ * @link        http://github.com/php-loep/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Grant;
+
+use League\OAuth2\Server\Request;
+use League\OAuth2\Server\Authorization;
+use League\OAuth2\Server\Exception;
+use League\OAuth2\Server\Util\SecureKey;
+use League\OAuth2\Server\Storage\SessionInterface;
+use League\OAuth2\Server\Storage\ClientInterface;
+use League\OAuth2\Server\Storage\ScopeInterface;
+
+interface GrantTypeInterface
+{
+    /**
+     * Constructor
+     * @param Authorization $authServer Authorization server instance
+     * @return void
+     */
+    public function __construct(Authorization $authServer);
+
+    /**
+     * Returns the grant identifier (used to validate grant_type in League\OAuth2\Server\Authorization::issueAccessToken())
+     * @return string
+     */
+    public function getIdentifier();
+
+    /**
+     * Returns the response type (used to validate response_type in League\OAuth2\Server\Grant\AuthCode::checkAuthoriseParams())
+     * @return null|string
+     */
+    public function getResponseType();
+
+    /**
+     * Complete the grant flow
+     *
+     * Example response:
+     * <code>
+     * 	array(
+     *  	'access_token'  =>  (string),	// The access token
+     *      'refresh_token' =>  (string),	// The refresh token (only set if the refresh token grant is enabled)
+     *      'token_type'    =>  'bearer',	// Almost always "bearer" (exceptions: JWT, SAML)
+     *      'expires'       =>  (int),		// The timestamp of when the access token will expire
+     *      'expires_in'    =>  (int)		// The number of seconds before the access token will expire
+     *  )
+     * </code>
+     *
+     * @param  null|array $inputParams Null unless the input parameters have been manually set
+     * @return array                   An array of parameters to be passed back to the client
+     */
+    public function completeFlow($inputParams = null);
+}

src/League/OAuth2/Server/Grant/Implicit.php

@@ -0,0 +1,107 @@
+<?php
+/**
+ * OAuth 2.0 implicit grant
+ *
+ * @package     php-loep/oauth2-server
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
+ * @license     http://mit-license.org/
+ * @link        http://github.com/php-loep/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Grant;
+
+use League\OAuth2\Server\Request;
+use League\OAuth2\Server\Authorization;
+use League\OAuth2\Server\Exception;
+use League\OAuth2\Server\Util\SecureKey;
+use League\OAuth2\Server\Storage\SessionInterface;
+use League\OAuth2\Server\Storage\ClientInterface;
+use League\OAuth2\Server\Storage\ScopeInterface;
+
+/**
+ * Client credentials grant class
+ */
+class Implict implements GrantTypeInterface {
+
+    /**
+     * Grant identifier
+     * @var string
+     */
+    protected $identifier = 'implicit';
+
+    /**
+     * Response type
+     * @var string
+     */
+    protected $responseType = 'token';
+
+    /**
+     * AuthServer instance
+     * @var AuthServer
+     */
+    protected $authServer = null;
+
+    /**
+     * Constructor
+     * @param Authorization $authServer Authorization server instance
+     * @return void
+     */
+    public function __construct(Authorization $authServer)
+    {
+        $this->authServer = $authServer;
+    }
+
+    /**
+     * Return the identifier
+     * @return string
+     */
+    public function getIdentifier()
+    {
+        return $this->identifier;
+    }
+
+    /**
+     * Return the response type
+     * @return string
+     */
+    public function getResponseType()
+    {
+        return $this->responseType;
+    }
+
+    /**
+     * Complete the client credentials grant
+     * @param  null|array $inputParams
+     * @return array
+     */
+    public function completeFlow($authParams = null)
+    {
+        // Remove any old sessions the user might have
+        $this->authServer->getStorage('session')->deleteSession($authParams['client_id'], 'user', $authParams['user_id']);
+
+        // Generate a new access token
+        $accessToken = SecureKey::make();
+
+        // Compute expiry time
+        $accessTokenExpires = time() + $this->authServer->getAccessTokenTTL();
+
+        // Create a new session
+        $sessionId = $this->authServer->getStorage('session')->createSession($authParams['client_id'], 'user', $authParams['user_id']);
+
+        // Create an access token
+        $accessTokenId = $this->authServer->getStorage('session')->associateAccessToken($sessionId, $accessToken, $accessTokenExpires);
+
+        // Associate scopes with the access token
+        foreach ($authParams['scopes'] as $scope) {
+            $this->authServer->getStorage('session')->associateScope($accessTokenId, $scope['id']);
+        }
+
+        $response = array(
+            'access_token'  =>  $accessToken
+        );
+
+        return $response;
+    }
+
+}

src/League/OAuth2/Server/Grant/Password.php

@@ -0,0 +1,224 @@
+<?php
+/**
+ * OAuth 2.0 Password grant
+ *
+ * @package     php-loep/oauth2-server
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
+ * @license     http://mit-license.org/
+ * @link        http://github.com/php-loep/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Grant;
+
+use League\OAuth2\Server\Request;
+use League\OAuth2\Server\Authorization;
+use League\OAuth2\Server\Exception;
+use League\OAuth2\Server\Util\SecureKey;
+use League\OAuth2\Server\Storage\SessionInterface;
+use League\OAuth2\Server\Storage\ClientInterface;
+use League\OAuth2\Server\Storage\ScopeInterface;
+
+/**
+ * Password grant class
+ */
+class Password implements GrantTypeInterface {
+
+    /**
+     * Grant identifier
+     * @var string
+     */
+    protected $identifier = 'password';
+
+    /**
+     * Response type
+     * @var string
+     */
+    protected $responseType = null;
+
+    /**
+     * Callback to authenticate a user's name and password
+     * @var function
+     */
+    protected $callback = null;
+
+    /**
+     * AuthServer instance
+     * @var AuthServer
+     */
+    protected $authServer = null;
+
+    /**
+     * Access token expires in override
+     * @var int
+     */
+    protected $accessTokenTTL = null;
+
+    /**
+     * Constructor
+     * @param Authorization $authServer Authorization server instance
+     * @return void
+     */
+    public function __construct(Authorization $authServer)
+    {
+        $this->authServer = $authServer;
+    }
+
+    /**
+     * Return the identifier
+     * @return string
+     */
+    public function getIdentifier()
+    {
+        return $this->identifier;
+    }
+
+    /**
+     * Return the response type
+     * @return string
+     */
+    public function getResponseType()
+    {
+        return $this->responseType;
+    }
+
+    /**
+     * Override the default access token expire time
+     * @param int $accessTokenTTL
+     * @return void
+     */
+    public function setAccessTokenTTL($accessTokenTTL)
+    {
+        $this->accessTokenTTL = $accessTokenTTL;
+    }
+
+    /**
+     * Set the callback to verify a user's username and password
+     * @param callable $callback The callback function
+     * @return void
+     */
+    public function setVerifyCredentialsCallback($callback)
+    {
+        $this->callback = $callback;
+    }
+
+    /**
+     * Return the callback function
+     * @return callable
+     */
+    protected function getVerifyCredentialsCallback()
+    {
+        if (is_null($this->callback) || ! is_callable($this->callback)) {
+            throw new Exception\InvalidGrantTypeException('Null or non-callable callback set');
+        }
+
+        return $this->callback;
+    }
+
+    /**
+     * Complete the password grant
+     * @param  null|array $inputParams
+     * @return array
+     */
+    public function completeFlow($inputParams = null)
+    {
+        // Get the required params
+        $authParams = $this->authServer->getParam(array('client_id', 'client_secret', 'username', 'password'), 'post', $inputParams);
+
+        if (is_null($authParams['client_id'])) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'client_id'), 0);
+        }
+
+        if (is_null($authParams['client_secret'])) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'client_secret'), 0);
+        }
+
+        // Validate client credentials
+        $clientDetails = $this->authServer->getStorage('client')->getClient($authParams['client_id'], $authParams['client_secret'], null, $this->identifier);
+
+        if ($clientDetails === false) {
+            throw new Exception\ClientException($this->authServer->getExceptionMessage('invalid_client'), 8);
+        }
+
+        $authParams['client_details'] = $clientDetails;
+
+        if (is_null($authParams['username'])) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'username'), 0);
+        }
+
+        if (is_null($authParams['password'])) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'password'), 0);
+        }
+
+        // Check if user's username and password are correct
+        $userId = call_user_func($this->getVerifyCredentialsCallback(), $authParams['username'], $authParams['password']);
+
+        if ($userId === false) {
+            throw new Exception\ClientException($this->authServer->getExceptionMessage('invalid_credentials'), 0);
+        }
+
+        // Validate any scopes that are in the request
+        $scope = $this->authServer->getParam('scope', 'post', $inputParams, '');
+        $scopes = explode($this->authServer->getScopeDelimeter(), $scope);
+
+        for ($i = 0; $i < count($scopes); $i++) {
+            $scopes[$i] = trim($scopes[$i]);
+            if ($scopes[$i] === '') unset($scopes[$i]); // Remove any junk scopes
+        }
+
+        if ($this->authServer->scopeParamRequired() === true && count($scopes) === 0) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'scope'), 0);
+        } elseif (count($scopes) === 0 && $this->authServer->getDefaultScope()) {
+            $scopes = array($this->authServer->getDefaultScope());
+        }
+
+        $authParams['scopes'] = array();
+
+        foreach ($scopes as $scope) {
+            $scopeDetails = $this->authServer->getStorage('scope')->getScope($scope, $authParams['client_id'], $this->identifier);
+
+            if ($scopeDetails === false) {
+                throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_scope'), $scope), 4);
+            }
+
+            $authParams['scopes'][] = $scopeDetails;
+        }
+
+        // Generate an access token
+        $accessToken = SecureKey::make();
+        $accessTokenExpiresIn = ($this->accessTokenTTL !== null) ? $this->accessTokenTTL : $this->authServer->getAccessTokenTTL();
+        $accessTokenExpires = time() + $accessTokenExpiresIn;
+
+        // Delete any existing sessions just to be sure
+        $this->authServer->getStorage('session')->deleteSession($authParams['client_id'], 'user', $userId);
+
+        // Create a new session
+        $sessionId = $this->authServer->getStorage('session')->createSession($authParams['client_id'], 'user', $userId);
+
+        // Associate an access token with the session
+        $accessTokenId = $this->authServer->getStorage('session')->associateAccessToken($sessionId, $accessToken, $accessTokenExpires);
+
+        // Associate scopes with the access token
+        foreach ($authParams['scopes'] as $scope) {
+            $this->authServer->getStorage('session')->associateScope($accessTokenId, $scope['id']);
+        }
+
+        $response = array(
+            'access_token'  =>  $accessToken,
+            'token_type'    =>  'bearer',
+            'expires'       =>  $accessTokenExpires,
+            'expires_in'    =>  $accessTokenExpiresIn
+        );
+
+        // Associate a refresh token if set
+        if ($this->authServer->hasGrantType('refresh_token')) {
+            $refreshToken = SecureKey::make();
+            $refreshTokenTTL = time() + $this->authServer->getGrantType('refresh_token')->getRefreshTokenTTL();
+            $this->authServer->getStorage('session')->associateRefreshToken($accessTokenId, $refreshToken, $refreshTokenTTL, $authParams['client_id']);
+            $response['refresh_token'] = $refreshToken;
+        }
+
+        return $response;
+    }
+
+}

src/League/OAuth2/Server/Grant/RefreshToken.php

@@ -0,0 +1,182 @@
+<?php
+/**
+ * OAuth 2.0 Refresh token grant
+ *
+ * @package     php-loep/oauth2-server
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
+ * @license     http://mit-license.org/
+ * @link        http://github.com/php-loep/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Grant;
+
+use League\OAuth2\Server\Request;
+use League\OAuth2\Server\Authorization;
+use League\OAuth2\Server\Exception;
+use League\OAuth2\Server\Util\SecureKey;
+use League\OAuth2\Server\Storage\SessionInterface;
+use League\OAuth2\Server\Storage\ClientInterface;
+use League\OAuth2\Server\Storage\ScopeInterface;
+
+/**
+ * Referesh token grant
+ */
+class RefreshToken implements GrantTypeInterface {
+
+    /**
+     * Grant identifier
+     * @var string
+     */
+    protected $identifier = 'refresh_token';
+
+    /**
+     * Response type
+     * @var string
+     */
+    protected $responseType = null;
+
+    /**
+     * AuthServer instance
+     * @var AuthServer
+     */
+    protected $authServer = null;
+
+    /**
+     * Access token expires in override
+     * @var int
+     */
+    protected $accessTokenTTL = null;
+
+    /**
+     * Refresh token TTL
+     * @var integer
+     */
+    protected $refreshTokenTTL = 604800;
+
+    /**
+     * Constructor
+     * @param Authorization $authServer Authorization server instance
+     * @return void
+     */
+    public function __construct(Authorization $authServer)
+    {
+        $this->authServer = $authServer;
+    }
+
+    /**
+     * Return the identifier
+     * @return string
+     */
+    public function getIdentifier()
+    {
+        return $this->identifier;
+    }
+
+    /**
+     * Return the response type
+     * @return string
+     */
+    public function getResponseType()
+    {
+        return $this->responseType;
+    }
+
+    /**
+     * Override the default access token expire time
+     * @param int $accessTokenTTL
+     * @return void
+     */
+    public function setAccessTokenTTL($accessTokenTTL)
+    {
+        $this->accessTokenTTL = $accessTokenTTL;
+    }
+
+    /**
+     * Set the TTL of the refresh token
+     * @param int $refreshTokenTTL
+     * @return void
+     */
+    public function setRefreshTokenTTL($refreshTokenTTL)
+    {
+        $this->refreshTokenTTL = $refreshTokenTTL;
+    }
+
+    /**
+     * Get the TTL of the refresh token
+     * @return int
+     */
+    public function getRefreshTokenTTL()
+    {
+        return $this->refreshTokenTTL;
+    }
+
+    /**
+     * Complete the refresh token grant
+     * @param  null|array $inputParams
+     * @return array
+     */
+    public function completeFlow($inputParams = null)
+    {
+        // Get the required params
+        $authParams = $this->authServer->getParam(array('client_id', 'client_secret', 'refresh_token'), 'post', $inputParams);
+
+        if (is_null($authParams['client_id'])) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'client_id'), 0);
+        }
+
+        if (is_null($authParams['client_secret'])) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'client_secret'), 0);
+        }
+
+        // Validate client ID and client secret
+        $clientDetails = $this->authServer->getStorage('client')->getClient($authParams['client_id'], $authParams['client_secret'], null, $this->identifier);
+
+        if ($clientDetails === false) {
+            throw new Exception\ClientException($this->authServer->getExceptionMessage('invalid_client'), 8);
+        }
+
+        $authParams['client_details'] = $clientDetails;
+
+        if (is_null($authParams['refresh_token'])) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'refresh_token'), 0);
+        }
+
+        // Validate refresh token
+        $accessTokenId = $this->authServer->getStorage('session')->validateRefreshToken($authParams['refresh_token'], $authParams['client_id']);
+
+        if ($accessTokenId === false) {
+            throw new Exception\ClientException($this->authServer->getExceptionMessage('invalid_refresh'), 0);
+        }
+
+        // Get the existing access token
+        $accessTokenDetails = $this->authServer->getStorage('session')->getAccessToken($accessTokenId);
+
+        // Get the scopes for the existing access token
+        $scopes = $this->authServer->getStorage('session')->getScopes($accessTokenDetails['access_token']);
+
+        // Generate new tokens and associate them to the session
+        $accessToken = SecureKey::make();
+        $accessTokenExpiresIn = ($this->accessTokenTTL !== null) ? $this->accessTokenTTL : $this->authServer->getAccessTokenTTL();
+        $accessTokenExpires = time() + $accessTokenExpiresIn;
+        $refreshToken = SecureKey::make();
+        $refreshTokenExpires = time() + $this->getRefreshTokenTTL();
+
+        $newAccessTokenId = $this->authServer->getStorage('session')->associateAccessToken($accessTokenDetails['session_id'], $accessToken, $accessTokenExpires);
+
+        foreach ($scopes as $scope) {
+            $this->authServer->getStorage('session')->associateScope($newAccessTokenId, $scope['id']);
+        }
+
+        $this->authServer->getStorage('session')->associateRefreshToken($newAccessTokenId, $refreshToken, $refreshTokenExpires, $authParams['client_id']);
+
+        return array(
+            'access_token'  =>  $accessToken,
+            'refresh_token' =>  $refreshToken,
+            'token_type'    =>  'bearer',
+            'expires'       =>  $accessTokenExpires,
+            'expires_in'    =>  $accessTokenExpiresIn
+        );
+    }
+
+}

src/League/OAuth2/Server/Resource.php

@@ -0,0 +1,259 @@
+<?php
+/**
+ * OAuth 2.0 Resource Server
+ *
+ * @package     php-loep/oauth2-server
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
+ * @license     http://mit-license.org/
+ * @link        http://github.com/php-loep/oauth2-server
+ */
+
+namespace League\OAuth2\Server;
+
+use OutOfBoundsException;
+use League\OAuth2\Server\Storage\SessionInterface;
+use League\OAuth2\Server\Util\RequestInterface;
+use League\OAuth2\Server\Util\Request;
+
+/**
+ * OAuth 2.0 Resource Server
+ */
+class Resource
+{
+    /**
+     * The access token
+     * @var string
+     */
+    protected $accessToken = null;
+
+    /**
+     * The session ID
+     * @var string
+     */
+    protected $sessionId = null;
+
+    /**
+     * The type of the owner of the access token
+     * @var string
+     */
+    protected $ownerType = null;
+
+    /**
+     * The ID of the owner of the access token
+     * @var string
+     */
+    protected $ownerId = null;
+
+    /**
+     * The scopes associated with the access token
+     * @var array
+     */
+    protected $sessionScopes = array();
+
+    /**
+     * The client, scope and session storage classes
+     * @var array
+     */
+    protected $storages = array();
+
+    /**
+     * The request object
+     * @var Util\RequestInterface
+     */
+    protected $request = null;
+
+    /**
+     * The query string key which is used by clients to present the access token (default: access_token)
+     * @var string
+     */
+    protected $tokenKey = 'access_token';
+
+    /**
+     * The client ID
+     * @var string
+     */
+    protected $clientId = null;
+
+    /**
+     * Sets up the Resource
+     *
+     * @param SessionInterface  The Session Storage Object
+     */
+    public function __construct(SessionInterface $session)
+    {
+        $this->storages['session'] = $session;
+    }
+
+    /**
+     * Sets the Request Object
+     *
+     * @param  RequestInterface The Request Object
+     */
+    public function setRequest(RequestInterface $request)
+    {
+        $this->request = $request;
+    }
+
+    /**
+     * Gets the Request object.  It will create one from the globals if one is not set.
+     *
+     * @return Util\RequestInterface
+     */
+    public function getRequest()
+    {
+        if ($this->request === null) {
+            // @codeCoverageIgnoreStart
+            $this->request = Request::buildFromGlobals();
+        }
+        // @codeCoverageIgnoreEnd
+
+        return $this->request;
+    }
+
+    /**
+     * Returns the query string key for the access token.
+     *
+     * @return string
+     */
+    public function getTokenKey()
+    {
+        return $this->tokenKey;
+    }
+
+    /**
+     * Sets the query string key for the access token.
+     *
+     * @param $key The new query string key
+     */
+    public function setTokenKey($key)
+    {
+        $this->tokenKey = $key;
+    }
+
+    /**
+     * Gets the access token owner ID.
+     *
+     * @return string
+     */
+    public function getOwnerId()
+    {
+        return $this->ownerId;
+    }
+
+    /**
+     * Gets the owner type.
+     *
+     * @return string
+     */
+    public function getOwnerType()
+    {
+        return $this->ownerType;
+    }
+
+    /**
+     * Gets the access token.
+     *
+     * @return string
+     */
+    public function getAccessToken()
+    {
+        return $this->accessToken;
+    }
+
+    /**
+     * Gets the client ID that created the session
+     * @return string
+     */
+    public function getClientId()
+    {
+        return $this->clientId;
+    }
+
+    /**
+     * Checks if the access token is valid or not.
+     *
+     * @throws Exception\InvalidAccessTokenException Thrown if the presented access token is not valid
+     * @return bool
+     */
+    public function isValid()
+    {
+        $accessToken = $this->determineAccessToken();
+
+        $result = $this->storages['session']->validateAccessToken($accessToken);
+
+        if ( ! $result) {
+            throw new Exception\InvalidAccessTokenException('Access token is not valid');
+        }
+
+        $this->accessToken = $accessToken;
+        $this->sessionId = $result['session_id'];
+        $this->clientId = $result['client_id'];
+        $this->ownerType = $result['owner_type'];
+        $this->ownerId = $result['owner_id'];
+
+        $sessionScopes = $this->storages['session']->getScopes($this->accessToken);
+        foreach ($sessionScopes as $scope) {
+            $this->sessionScopes[] = $scope['key'];
+        }
+
+        return true;
+    }
+
+    /**
+     * Get the session scopes
+     * @return array
+     */
+    public function getScopes()
+    {
+        return $this->sessionScopes;
+    }
+
+    /**
+     * Checks if the presented access token has the given scope(s).
+     *
+     * @param array|string  An array of scopes or a single scope as a string
+     * @return bool         Returns bool if all scopes are found, false if any fail
+     */
+    public function hasScope($scopes)
+    {
+        if (is_string($scopes)) {
+            if (in_array($scopes, $this->sessionScopes)) {
+                return true;
+            }
+            return false;
+        } elseif (is_array($scopes)) {
+            foreach ($scopes as $scope) {
+                if ( ! in_array($scope, $this->sessionScopes)) {
+                    return false;
+                }
+            }
+            return true;
+        }
+
+        return false;
+    }
+
+    /**
+     * Reads in the access token from the headers.
+     *
+     * @throws Exception\MissingAccessTokenException  Thrown if there is no access token presented
+     * @return string
+     */
+    protected function determineAccessToken()
+    {
+        if ($header = $this->getRequest()->header('Authorization')) {
+            $accessToken = trim(str_replace('Bearer', '', $header));
+        } else {
+            $method = $this->getRequest()->server('REQUEST_METHOD');
+            $accessToken = $this->getRequest()->{$method}($this->tokenKey);
+        }
+
+        if (empty($accessToken)) {
+            throw new Exception\InvalidAccessTokenException('Access token is missing');
+        }
+
+        return $accessToken;
+    }
+
+}

src/League/OAuth2/Server/Storage/ClientInterface.php

@@ -0,0 +1,57 @@
+<?php
+/**
+ * OAuth 2.0 Client storage interface
+ *
+ * @package     php-loep/oauth2-server
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
+ * @license     http://mit-license.org/
+ * @link        http://github.com/php-loep/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Storage;
+
+interface ClientInterface
+{
+    /**
+     * Validate a client
+     *
+     * Example SQL query:
+     *
+     * <code>
+     * # Client ID + redirect URI
+     * SELECT oauth_clients.id, oauth_clients.secret, oauth_client_endpoints.redirect_uri, oauth_clients.name
+     *  FROM oauth_clients LEFT JOIN oauth_client_endpoints ON oauth_client_endpoints.client_id = oauth_clients.id
+     *  WHERE oauth_clients.id = :clientId AND oauth_client_endpoints.redirect_uri = :redirectUri
+     *
+     * # Client ID + client secret
+     * SELECT oauth_clients.id, oauth_clients.secret, oauth_clients.name FROM oauth_clients WHERE
+     *  oauth_clients.id = :clientId AND oauth_clients.secret = :clientSecret
+     *
+     * # Client ID + client secret + redirect URI
+     * SELECT oauth_clients.id, oauth_clients.secret, oauth_client_endpoints.redirect_uri, oauth_clients.name FROM
+     *  oauth_clients LEFT JOIN oauth_client_endpoints ON oauth_client_endpoints.client_id = oauth_clients.id
+     *  WHERE oauth_clients.id = :clientId AND oauth_clients.secret = :clientSecret AND
+     *  oauth_client_endpoints.redirect_uri = :redirectUri
+     * </code>
+     *
+     * Response:
+     *
+     * <code>
+     * Array
+     * (
+     *     [client_id] => (string) The client ID
+     *     [client secret] => (string) The client secret
+     *     [redirect_uri] => (string) The redirect URI used in this request
+     *     [name] => (string) The name of the client
+     * )
+     * </code>
+     *
+     * @param  string     $clientId     The client's ID
+     * @param  string     $clientSecret The client's secret (default = "null")
+     * @param  string     $redirectUri  The client's redirect URI (default = "null")
+     * @param  string     $grantType    The grant type used in the request
+     * @return bool|array               Returns false if the validation fails, array on success
+     */
+    public function getClient($clientId, $clientSecret = null, $redirectUri = null, $grantType);
+}

src/League/OAuth2/Server/Storage/PDO/Client.php

@@ -0,0 +1,45 @@
+<?php
+
+namespace League\OAuth2\Server\Storage\PDO;
+
+use League\OAuth2\Server\Storage\ClientInterface;
+
+class Client implements ClientInterface
+{
+    public function getClient($clientId, $clientSecret = null, $redirectUri = null, $grantType)
+    {
+        $db = \ezcDbInstance::get();
+
+        if ( ! is_null($redirectUri) && is_null($clientSecret)) {
+            $stmt = $db->prepare('SELECT oauth_clients.id, oauth_clients.secret, oauth_client_endpoints.redirect_uri, oauth_clients.name FROM oauth_clients LEFT JOIN oauth_client_endpoints ON oauth_client_endpoints.client_id = oauth_clients.id WHERE oauth_clients.id = :clientId AND oauth_client_endpoints.redirect_uri = :redirectUri');
+            $stmt->bindValue(':redirectUri', $redirectUri);
+        }
+
+        elseif ( ! is_null($clientSecret) && is_null($redirectUri)) {
+            $stmt = $db->prepare('SELECT oauth_clients.id, oauth_clients.secret, oauth_clients.name FROM oauth_clients  WHERE oauth_clients.id = :clientId AND oauth_clients.secret = :clientSecret');
+            $stmt->bindValue(':clientSecret', $clientSecret);
+        }
+
+        elseif ( ! is_null($clientSecret) && ! is_null($redirectUri)) {
+            $stmt = $db->prepare('SELECT oauth_clients.id, oauth_clients.secret, oauth_client_endpoints.redirect_uri, oauth_clients.name FROM oauth_clients LEFT JOIN oauth_client_endpoints ON oauth_client_endpoints.client_id = oauth_clients.id WHERE oauth_clients.id = :clientId AND oauth_clients.secret = :clientSecret AND oauth_client_endpoints.redirect_uri = :redirectUri');
+            $stmt->bindValue(':redirectUri', $redirectUri);
+            $stmt->bindValue(':clientSecret', $clientSecret);
+        }
+
+        $stmt->bindValue(':clientId', $clientId);
+        $stmt->execute();
+
+        $row = $stmt->fetchObject();
+
+        if ($row === false) {
+            return false;
+        }
+
+        return array(
+            'client_id' =>  $row->id,
+            'client_secret' =>  $row->secret,
+            'redirect_uri'  =>  (isset($row->redirect_uri)) ? $row->redirect_uri : null,
+            'name'  =>  $row->name
+        );
+    }
+}

src/League/OAuth2/Server/Storage/PDO/Db.php

@@ -0,0 +1,17 @@
+<?php
+
+namespace League\OAuth2\Server\Storage\PDO;
+
+class Db
+{
+	/**
+	 * Db constructor
+	 * @param array|string $dsn Connection DSN string or array of parameters
+	 * @return void
+	 */
+    public function __construct($dsn = '')
+    {
+        $db = \ezcDbFactory::create($dsn);
+        \ezcDbInstance::set($db);
+    }
+}

src/League/OAuth2/Server/Storage/PDO/Scope.php

@@ -0,0 +1,31 @@
+<?php
+
+namespace League\OAuth2\Server\Storage\PDO;
+
+use League\OAuth2\Server\Storage\ScopeInterface;
+
+class Scope implements ScopeInterface
+{
+    public function getScope($scope, $clientId = null, $grantType = null)
+    {
+        $db = \ezcDbInstance::get();
+
+        $stmt = $db->prepare('SELECT * FROM oauth_scopes WHERE oauth_scopes.key = :scope');
+        $stmt->bindValue(':scope', $scope);
+        $stmt->execute();
+
+        $row = $stmt->fetchObject();
+
+        if ($row === false) {
+            return false;
+        }
+
+        return array(
+            'id' =>  $row->id,
+            'scope' =>  $row->key,
+            'name'  =>  $row->name,
+            'description'  =>  $row->description
+        );
+
+    }
+}

src/League/OAuth2/Server/Storage/PDO/Session.php

@@ -0,0 +1,175 @@
+<?php
+
+namespace League\OAuth2\Server\Storage\PDO;
+
+use League\OAuth2\Server\Storage\SessionInterface;
+
+class Session implements SessionInterface
+{
+    public function createSession($clientId, $ownerType, $ownerId)
+    {
+        $db = \ezcDbInstance::get();
+
+        $stmt = $db->prepare('INSERT INTO oauth_sessions (client_id, owner_type,  owner_id) VALUE
+         (:clientId, :ownerType, :ownerId)');
+        $stmt->bindValue(':clientId', $clientId);
+        $stmt->bindValue(':ownerType', $ownerType);
+        $stmt->bindValue(':ownerId', $ownerId);
+        $stmt->execute();
+
+        return $db->lastInsertId();
+    }
+
+    public function deleteSession($clientId, $ownerType, $ownerId)
+    {
+        $db = \ezcDbInstance::get();
+
+        $stmt = $db->prepare('DELETE FROM oauth_sessions WHERE client_id = :clientId AND
+         owner_type = :type AND owner_id = :typeId');
+        $stmt->bindValue(':clientId', $clientId);
+        $stmt->bindValue(':type', $ownerType);
+        $stmt->bindValue(':typeId', $ownerId);
+        $stmt->execute();
+    }
+
+    public function associateRedirectUri($sessionId, $redirectUri)
+    {
+        $db = \ezcDbInstance::get();
+
+        $stmt = $db->prepare('INSERT INTO oauth_session_redirects (session_id, redirect_uri)
+         VALUE (:sessionId, :redirectUri)');
+        $stmt->bindValue(':sessionId', $sessionId);
+        $stmt->bindValue(':redirectUri', $redirectUri);
+        $stmt->execute();
+    }
+
+    public function associateAccessToken($sessionId, $accessToken, $expireTime)
+    {
+        $db = \ezcDbInstance::get();
+
+        $stmt = $db->prepare('INSERT INTO oauth_session_access_tokens (session_id, access_token, access_token_expires)
+         VALUE (:sessionId, :accessToken, :accessTokenExpire)');
+        $stmt->bindValue(':sessionId', $sessionId);
+        $stmt->bindValue(':accessToken', $accessToken);
+        $stmt->bindValue(':accessTokenExpire', $expireTime);
+        $stmt->execute();
+
+        return $db->lastInsertId();
+    }
+
+    public function associateRefreshToken($accessTokenId, $refreshToken, $expireTime, $clientId)
+    {
+        $db = \ezcDbInstance::get();
+
+        $stmt = $db->prepare('INSERT INTO oauth_session_refresh_tokens (session_access_token_id, refresh_token, refresh_token_expires, client_id) VALUE
+         (:accessTokenId, :refreshToken, :expireTime, :clientId)');
+        $stmt->bindValue(':accessTokenId', $accessTokenId);
+        $stmt->bindValue(':refreshToken', $refreshToken);
+        $stmt->bindValue(':expireTime', $expireTime);
+        $stmt->bindValue(':clientId', $clientId);
+        $stmt->execute();
+    }
+
+    public function associateAuthCode($sessionId, $authCode, $expireTime, $scopeIds = null)
+    {
+        $db = \ezcDbInstance::get();
+
+        $stmt = $db->prepare('INSERT INTO oauth_session_authcodes (session_id, auth_code, auth_code_expires, scope_ids)
+         VALUE (:sessionId, :authCode, :authCodeExpires, :scopeIds)');
+        $stmt->bindValue(':sessionId', $sessionId);
+        $stmt->bindValue(':authCode', $authCode);
+        $stmt->bindValue(':authCodeExpires', $expireTime);
+        $stmt->bindValue(':scopeIds', $scopeIds);
+        $stmt->execute();
+    }
+
+    public function removeAuthCode($sessionId)
+    {
+        $db = \ezcDbInstance::get();
+
+        $stmt = $db->prepare('DELETE FROM oauth_session_authcodes WHERE session_id = :sessionId');
+        $stmt->bindValue(':sessionId', $sessionId);
+        $stmt->execute();
+    }
+
+    public function validateAuthCode($clientId, $redirectUri, $authCode)
+    {
+        $db = \ezcDbInstance::get();
+
+        $stmt = $db->prepare('SELECT oauth_sessions.id, oauth_session_authcodes.scope_ids FROM oauth_sessions JOIN
+         oauth_session_authcodes ON oauth_session_authcodes.`session_id` = oauth_sessions.id JOIN
+          oauth_session_redirects ON oauth_session_redirects.`session_id` = oauth_sessions.id WHERE
+           oauth_sessions.client_id = :clientId AND oauth_session_authcodes.`auth_code` = :authCode AND
+            `oauth_session_authcodes`.`auth_code_expires` >= :time AND `oauth_session_redirects`.`redirect_uri`
+             = :redirectUri');
+        $stmt->bindValue(':clientId', $clientId);
+        $stmt->bindValue(':redirectUri', $redirectUri);
+        $stmt->bindValue(':authCode', $authCode);
+        $stmt->bindValue(':time', time());
+        $stmt->execute();
+
+        $result = $stmt->fetchObject();
+
+        return ($result === false) ? false : (array) $result;
+    }
+
+    public function validateAccessToken($accessToken)
+    {
+        $db = \ezcDbInstance::get();
+
+        $stmt = $db->prepare('SELECT session_id, oauth_sessions.`client_id`, oauth_sessions.`owner_id`, oauth_sessions.`owner_type` FROM `oauth_session_access_tokens` JOIN oauth_sessions ON oauth_sessions.`id` = session_id WHERE  access_token = :accessToken AND access_token_expires >= ' . time());
+        $stmt->bindValue(':accessToken', $accessToken);
+        $stmt->execute();
+
+        $result = $stmt->fetchObject();
+        return ($result === false) ? false : (array) $result;
+    }
+
+    public function validateRefreshToken($refreshToken, $clientId)
+    {
+        $db = \ezcDbInstance::get();
+
+        $stmt = $db->prepare('SELECT session_access_token_id FROM `oauth_session_refresh_tokens` WHERE
+         refresh_token = :refreshToken AND client_id = :clientId AND refresh_token_expires >= ' . time());
+        $stmt->bindValue(':refreshToken', $refreshToken);
+        $stmt->bindValue(':clientId', $clientId);
+        $stmt->execute();
+
+        $result = $stmt->fetchObject();
+        return ($result === false) ? false : $result->session_access_token_id;
+    }
+
+    public function getAccessToken($accessTokenId)
+    {
+        $db = \ezcDbInstance::get();
+
+        $stmt = $db->prepare('SELECT * FROM `oauth_session_access_tokens` WHERE `id` = :accessTokenId');
+        $stmt->bindValue(':accessTokenId', $accessTokenId);
+        $stmt->execute();
+
+        $result = $stmt->fetchObject();
+        return ($result === false) ? false : (array) $result;
+    }
+
+    public function associateScope($accessTokenId, $scopeId)
+    {
+        $db = \ezcDbInstance::get();
+
+        $stmt = $db->prepare('INSERT INTO `oauth_session_token_scopes` (`session_access_token_id`, `scope_id`)
+         VALUE (:accessTokenId, :scopeId)');
+        $stmt->bindValue(':accessTokenId', $accessTokenId);
+        $stmt->bindValue(':scopeId', $scopeId);
+        $stmt->execute();
+    }
+
+    public function getScopes($accessToken)
+    {
+        $db = \ezcDbInstance::get();
+
+        $stmt = $db->prepare('SELECT oauth_scopes.* FROM oauth_session_token_scopes JOIN oauth_session_access_tokens ON oauth_session_access_tokens.`id` = `oauth_session_token_scopes`.`session_access_token_id` JOIN oauth_scopes ON oauth_scopes.id = `oauth_session_token_scopes`.`scope_id` WHERE access_token = :accessToken');
+        $stmt->bindValue(':accessToken', $accessToken);
+        $stmt->execute();
+
+        return $stmt->fetchAll();
+    }
+}

src/League/OAuth2/Server/Storage/ScopeInterface.php

@@ -0,0 +1,43 @@
+<?php
+/**
+ * OAuth 2.0 Scope storage interface
+ *
+ * @package     php-loep/oauth2-server
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
+ * @license     http://mit-license.org/
+ * @link        http://github.com/php-loep/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Storage;
+
+interface ScopeInterface
+{
+    /**
+     * Return information about a scope
+     *
+     * Example SQL query:
+     *
+     * <code>
+     * SELECT * FROM oauth_scopes WHERE oauth_scopes.key = :scope
+     * </code>
+     *
+     * Response:
+     *
+     * <code>
+     * Array
+     * (
+     *     [id] => (int) The scope's ID
+     *     [key] => (string) The scope itself
+     *     [name] => (string) The scope's name
+     *     [description] => (string) The scope's description
+     * )
+     * </code>
+     *
+     * @param  string     $scope     The scope
+     * @param  string     $clientId  The client ID
+     * @param  string     $grantType The grant type used in the request
+     * @return bool|array If the scope doesn't exist return false
+     */
+    public function getScope($scope, $clientId = null, $grantType = null);
+}

src/League/OAuth2/Server/Storage/SessionInterface.php

@@ -0,0 +1,274 @@
+<?php
+/**
+ * OAuth 2.0 Session storage interface
+ *
+ * @package     php-loep/oauth2-server
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
+ * @license     http://mit-license.org/
+ * @link        http://github.com/php-loep/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Storage;
+
+interface SessionInterface
+{
+    /**
+     * Create a new session
+     *
+     * Example SQL query:
+     *
+     * <code>
+     * INSERT INTO oauth_sessions (client_id, owner_type,  owner_id)
+     *  VALUE (:clientId, :ownerType, :ownerId)
+     * </code>
+     *
+     * @param  string $clientId  The client ID
+     * @param  string $ownerType The type of the session owner (e.g. "user")
+     * @param  string $ownerId   The ID of the session owner (e.g. "123")
+     * @return int               The session ID
+     */
+    public function createSession($clientId, $ownerType, $ownerId);
+
+    /**
+     * Delete a session
+     *
+     * Example SQL query:
+     *
+     * <code>
+     * DELETE FROM oauth_sessions WHERE client_id = :clientId AND owner_type = :type AND owner_id = :typeId
+     * </code>
+     *
+     * @param  string $clientId  The client ID
+     * @param  string $ownerType The type of the session owner (e.g. "user")
+     * @param  string $ownerId   The ID of the session owner (e.g. "123")
+     * @return void
+     */
+    public function deleteSession($clientId, $ownerType, $ownerId);
+
+    /**
+     * Associate a redirect URI with a session
+     *
+     * Example SQL query:
+     *
+     * <code>
+     * INSERT INTO oauth_session_redirects (session_id, redirect_uri) VALUE (:sessionId, :redirectUri)
+     * </code>
+     *
+     * @param  int    $sessionId   The session ID
+     * @param  string $redirectUri The redirect URI
+     * @return void
+     */
+    public function associateRedirectUri($sessionId, $redirectUri);
+
+    /**
+     * Associate an access token with a session
+     *
+     * Example SQL query:
+     *
+     * <code>
+     * INSERT INTO oauth_session_access_tokens (session_id, access_token, access_token_expires)
+     *  VALUE (:sessionId, :accessToken, :accessTokenExpire)
+     * </code>
+     *
+     * @param  int    $sessionId   The session ID
+     * @param  string $accessToken The access token
+     * @param  int    $expireTime  Unix timestamp of the access token expiry time
+     * @return void
+     */
+    public function associateAccessToken($sessionId, $accessToken, $expireTime);
+
+    /**
+     * Associate a refresh token with a session
+     *
+     * Example SQL query:
+     *
+     * <code>
+     * oauth_session_refresh_tokens (session_access_token_id, refresh_token, refresh_token_expires)
+     *  VALUE (:accessTokenId, :refreshToken, :expireTime)
+     * </code>
+     *
+     * @param  int    $accessTokenId The access token ID
+     * @param  string $refreshToken  The refresh token
+     * @param  int    $expireTime    Unix timestamp of the refresh token expiry time
+     * @param  string $clientId      The client ID
+     * @return void
+     */
+    public function associateRefreshToken($accessTokenId, $refreshToken, $expireTime, $clientId);
+
+    /**
+     * Assocate an authorization code with a session
+     *
+     * Example SQL query:
+     *
+     * <code>
+     * INSERT INTO oauth_session_authcodes (session_id, auth_code, auth_code_expires, scope_ids)
+     *  VALUE (:sessionId, :authCode, :authCodeExpires, :scopeIds)
+     * </code>
+     *
+     * @param  int    $sessionId  The session ID
+     * @param  string $authCode   The authorization code
+     * @param  int    $expireTime Unix timestamp of the access token expiry time
+     * @param  string $scopeIds   Comma seperated list of scope IDs to be later associated (default = null)
+     * @return void
+     */
+    public function associateAuthCode($sessionId, $authCode, $expireTime, $scopeIds = null);
+
+    /**
+     * Remove an associated authorization token from a session
+     *
+     * Example SQL query:
+     *
+     * <code>
+     * DELETE FROM oauth_session_authcodes WHERE session_id = :sessionId
+     * </code>
+     *
+     * @param  int    $sessionId   The session ID
+     * @return void
+     */
+    public function removeAuthCode($sessionId);
+
+    /**
+     * Validate an authorization code
+     *
+     * Example SQL query:
+     *
+     * <code>
+     * SELECT oauth_sessions.id, oauth_session_authcodes.scope_ids FROM oauth_sessions
+     *  JOIN oauth_session_authcodes ON oauth_session_authcodes.`session_id` = oauth_sessions.id
+     *  JOIN oauth_session_redirects ON oauth_session_redirects.`session_id` = oauth_sessions.id WHERE
+     * oauth_sessions.client_id = :clientId AND oauth_session_authcodes.`auth_code` = :authCode
+     *  AND `oauth_session_authcodes`.`auth_code_expires` >= :time AND
+     *  `oauth_session_redirects`.`redirect_uri` = :redirectUri
+     * </code>
+     *
+     * Expected response:
+     *
+     * <code>
+     * array(
+     *     'id' =>  (int), // the session ID
+     *     'scope_ids'  =>  (string)
+     * )
+     * </code>
+     *
+     * @param  string     $clientId    The client ID
+     * @param  string     $redirectUri The redirect URI
+     * @param  string     $authCode    The authorization code
+     * @return array|bool              False if invalid or array as above
+     */
+    public function validateAuthCode($clientId, $redirectUri, $authCode);
+
+    /**
+     * Validate an access token
+     *
+     * Example SQL query:
+     *
+     * <code>
+     * SELECT session_id, oauth_sessions.`client_id`, oauth_sessions.`owner_id`, oauth_sessions.`owner_type`
+     *  FROM `oauth_session_access_tokens` JOIN oauth_sessions ON oauth_sessions.`id` = session_id WHERE
+     *  access_token = :accessToken AND access_token_expires >= UNIX_TIMESTAMP(NOW())
+     * </code>
+     *
+     * Expected response:
+     *
+     * <code>
+     * array(
+     *     'session_id' =>  (int),
+     *     'client_id'  =>  (string),
+     *     'owner_id'   =>  (string),
+     *     'owner_type' =>  (string)
+     * )
+     * </code>
+     *
+     * @param  string     $accessToken The access token
+     * @return array|bool              False if invalid or an array as above
+     */
+    public function validateAccessToken($accessToken);
+
+    /**
+     * Validate a refresh token
+     *
+     * Example SQL query:
+     *
+     * <code>
+     * SELECT session_access_token_id FROM `oauth_session_refresh_tokens` WHERE refresh_token = :refreshToken
+     *  AND refresh_token_expires >= UNIX_TIMESTAMP(NOW()) AND client_id = :clientId
+     * </code>
+     *
+     * @param  string   $refreshToken The access token
+     * @param  string   $clientId     The client ID
+     * @return int|bool               The ID of the access token the refresh token is linked to (or false if invalid)
+     */
+    public function validateRefreshToken($refreshToken, $clientId);
+
+    /**
+     * Get an access token by ID
+     *
+     * Example SQL query:
+     *
+     * <code>
+     * SELECT * FROM `oauth_session_access_tokens` WHERE `id` = :accessTokenId
+     * </code>
+     *
+     * Expected response:
+     *
+     * <code>
+     * array(
+     *     'id' =>  (int),
+     *     'session_id' =>  (int),
+     *     'access_token'   =>  (string),
+     *     'access_token_expires'   =>  (int)
+     * )
+     * </code>
+     *
+     * @param  int    $accessTokenId The access token ID
+     * @return array
+     */
+    public function getAccessToken($accessTokenId);
+
+    /**
+     * Associate a scope with an access token
+     *
+     * Example SQL query:
+     *
+     * <code>
+     * INSERT INTO `oauth_session_token_scopes` (`session_access_token_id`, `scope_id`) VALUE (:accessTokenId, :scopeId)
+     * </code>
+     *
+     * @param  int    $accessTokenId The ID of the access token
+     * @param  int    $scopeId       The ID of the scope
+     * @return void
+     */
+    public function associateScope($accessTokenId, $scopeId);
+
+    /**
+     * Get all associated access tokens for an access token
+     *
+     * Example SQL query:
+     *
+     * <code>
+     * SELECT oauth_scopes.* FROM oauth_session_token_scopes JOIN oauth_session_access_tokens
+     *  ON oauth_session_access_tokens.`id` = `oauth_session_token_scopes`.`session_access_token_id`
+     *  JOIN oauth_scopes ON oauth_scopes.id = `oauth_session_token_scopes`.`scope_id`
+     *  WHERE access_token = :accessToken
+     * </code>
+     *
+     * Expected response:
+     *
+     * <code>
+     * array (
+     *     array(
+     *         'key'    =>  (string),
+     *         'name'   =>  (string),
+     *         'description'    =>  (string)
+     *     ),
+     *     ...
+     *     ...
+     * )
+     * </code>
+     *
+     * @param  string $accessToken The access token
+     * @return array
+     */
+    public function getScopes($accessToken);
+}

src/League/OAuth2/Server/Util/RedirectUri.php

@@ -0,0 +1,31 @@
+<?php
+/**
+ * OAuth 2.0 Redirect URI generator
+ *
+ * @package     php-loep/oauth2-server
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
+ * @license     http://mit-license.org/
+ * @link        http://github.com/php-loep/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Util;
+
+/**
+ * RedirectUri class
+ */
+class RedirectUri
+{
+	/**
+	 * Generate a new redirect uri
+	 * @param  string $uri            The base URI
+	 * @param  array  $params         The query string parameters
+	 * @param  string $queryDelimeter The query string delimeter (default: "?")
+	 * @return string                 The updated URI
+	 */
+    public static function make($uri, $params = array(), $queryDelimeter = '?')
+    {
+        $uri .= (strstr($uri, $queryDelimeter) === false) ? $queryDelimeter : '&';
+        return $uri.http_build_query($params);
+    }
+}

src/League/OAuth2/Server/Util/Request.php

@@ -0,0 +1,109 @@
+<?php
+/**
+ * OAuth 2.0 Request class
+ *
+ * @package     php-loep/oauth2-server
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
+ * @license     http://mit-license.org/
+ * @link        http://github.com/php-loep/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Util;
+
+use OutOfBoundsException;
+use InvalidMethodCallException;
+use InvalidArgumentException;
+
+class Request implements RequestInterface
+{
+    protected $get = array();
+    protected $post = array();
+    protected $cookies = array();
+    protected $files = array();
+    protected $server = array();
+    protected $headers = array();
+
+    public static function buildFromGlobals()
+    {
+        return new static($_GET, $_POST, $_COOKIE, $_FILES, $_SERVER);
+    }
+
+    public function __construct(array $get = array(), array $post = array(), array $cookies = array(), array $files = array(), array $server = array(), $headers = array())
+    {
+        $this->get = $get;
+        $this->post = $post;
+        $this->cookies = $cookies;
+        $this->files = $files;
+        $this->server = $server;
+
+        if (empty($headers)) {
+            $this->headers = $this->readHeaders();
+        }
+    }
+
+    public function get($index = null, $default = null)
+    {
+        return $this->getPropertyValue('get', $index, $default);
+    }
+
+    public function post($index = null, $default = null)
+    {
+        return $this->getPropertyValue('post', $index, $default);
+    }
+
+    public function file($index = null, $default = null)
+    {
+        return $this->getPropertyValue('files', $index, $default);
+    }
+
+    public function cookie($index = null, $default = null)
+    {
+        return $this->getPropertyValue('cookies', $index, $default);
+    }
+
+    public function server($index = null, $default = null)
+    {
+        return $this->getPropertyValue('server', $index, $default);
+    }
+
+    public function header($index = null, $default = null)
+    {
+        return $this->getPropertyValue('headers', $index, $default);
+    }
+
+    protected function readHeaders()
+    {
+        if (function_exists('getallheaders')) {
+            // @codeCoverageIgnoreStart
+            $headers = getallheaders();
+        } else {
+            // @codeCoverageIgnoreEnd
+            $headers = array();
+            foreach ($this->server() as $name => $value) {
+                if (substr($name, 0, 5) == 'HTTP_') {
+                    $name = str_replace(' ', '-', ucwords(strtolower(str_replace('_', ' ', substr($name, 5)))));
+                    $headers[$name] = $value;
+                }
+            }
+        }
+
+        return $headers;
+   }
+
+    protected function getPropertyValue($property, $index = null, $default = null)
+    {
+        if ( ! isset($this->{$property})) {
+            throw new InvalidArgumentException("Property '$property' does not exist.");
+        }
+        if (is_null($index)) {
+            return $this->{$property};
+        }
+
+        if ( ! array_key_exists($index, $this->{$property})) {
+            return $default;
+        }
+
+        return $this->{$property}[$index];
+    }
+}

src/League/OAuth2/Server/Util/RequestInterface.php

@@ -0,0 +1,33 @@
+<?php
+/**
+ * OAuth 2.0 Request class interface
+ *
+ * @package     php-loep/oauth2-server
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
+ * @license     http://mit-license.org/
+ * @link        http://github.com/php-loep/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Util;
+
+interface RequestInterface
+{
+
+    public static function buildFromGlobals();
+
+    public function __construct(array $get = array(), array $post = array(), array $cookies = array(), array $files = array(), array $server = array(), $headers = array());
+
+    public function get($index = null);
+
+    public function post($index = null);
+
+    public function cookie($index = null);
+
+    public function file($index = null);
+
+    public function server($index = null);
+
+    public function header($index = null);
+
+}

src/League/OAuth2/Server/Util/SecureKey.php

@@ -0,0 +1,40 @@
+<?php
+/**
+ * OAuth 2.0 Secure key generator
+ *
+ * @package     php-loep/oauth2-server
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
+ * @license     http://mit-license.org/
+ * @link        http://github.com/php-loep/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Util;
+
+/**
+ * SecureKey class
+ */
+class SecureKey
+{
+    /**
+     * Generate a new unique code
+     * @param  integer $len Length of the generated code
+     * @return string
+     */
+    public static function make($len = 40)
+    {
+        // We generate twice as many bytes here because we want to ensure we have
+        // enough after we base64 encode it to get the length we need because we
+        // take out the "/", "+", and "=" characters.
+        $bytes = openssl_random_pseudo_bytes($len * 2, $strong);
+
+        // We want to stop execution if the key fails because, well, that is bad.
+        if ($bytes === false || $strong === false) {
+            // @codeCoverageIgnoreStart
+            throw new \Exception('Error Generating Key');
+            // @codeCoverageIgnoreEnd
+        }
+
+        return substr(str_replace(array('/', '+', '='), '', base64_encode($bytes)), 0, $len);
+    }
+}

src/Oauth2/Authentication/Database.php

@@ -1,320 +0,0 @@
-<?php
-
-namespace Oauth2\Authentication;
-
-interface Database
-{
-    /**
-     * Validate a client
-     * 
-     * Database query:
-     * 
-     * <code>
-     * # Client ID + redirect URI
-     * SELECT clients.id FROM clients LEFT JOIN client_endpoints ON
-     *  client_endpoints.client_id = clients.id WHERE clients.id = $clientId AND
-     *  client_endpoints.redirect_uri = $redirectUri
-     * 
-     * # Client ID + client secret
-     * SELECT clients.id FROM clients  WHERE clients.id = $clientId AND
-     *  clients.secret = $clientSecret
-     * 
-     * # Client ID + client secret + redirect URI
-     * SELECT clients.id FROM clients LEFT JOIN client_endpoints ON
-     *  client_endpoints.client_id = clients.id WHERE clients.id = $clientId AND
-     *  clients.secret = $clientSecret AND client_endpoints.redirect_uri =
-     *  $redirectUri
-     * </code>
-     * 
-     * @param  string $clientId     The client's ID
-     * @param  string $clientSecret The client's secret (default = "null")
-     * @param  string $redirectUri  The client's redirect URI (default = "null")
-     * @return [type]               [description]
-     */
-    public function validateClient(
-        $clientId,
-        $clientSecret = null,
-        $redirectUri = null
-    );
-
-    /**
-     * Create a new OAuth session
-     * 
-     * Database query:
-     * 
-     * <code>
-     * INSERT INTO oauth_sessions (client_id, redirect_uri, owner_type,
-     *  owner_id, auth_code, access_token, stage, first_requested, last_updated)
-     *  VALUES ($clientId, $redirectUri, $type, $typeId, $authCode,
-     *  $accessToken, $stage, UNIX_TIMESTAMP(NOW()), UNIX_TIMESTAMP(NOW()))
-     * </code>
-     * 
-     * @param  string $clientId    The client ID
-     * @param  string $redirectUri The redirect URI
-     * @param  string $type        The session owner's type (default = "user")
-     * @param  string $typeId      The session owner's ID (default = "null")
-     * @param  string $authCode    The authorisation code (default = "null")
-     * @param  string $accessToken The access token (default = "null")
-     * @param  string $stage       The stage of the session (default ="request")
-     * @return [type]              [description]
-     */
-    public function newSession(
-        $clientId,
-        $redirectUri,
-        $type = 'user',
-        $typeId = null,
-        $authCode = null,
-        $accessToken = null,
-        $accessTokenExpire = null,
-        $stage = 'requested'
-    );
-
-    /**
-     * Update an OAuth session
-     * 
-     * Database query:
-     * 
-     * <code>
-     * UPDATE oauth_sessions SET auth_code = $authCode, access_token =
-     *  $accessToken, stage = $stage, last_updated = UNIX_TIMESTAMP(NOW()) WHERE
-     *  id = $sessionId
-     * </code>
-     * 
-     * @param  string $sessionId   The session ID
-     * @param  string $authCode    The authorisation code (default = "null")
-     * @param  string $accessToken The access token (default = "null")
-     * @param  string $stage       The stage of the session (default ="request")
-     * @return void
-     */
-    public function updateSession(
-        $sessionId,
-        $authCode = null,
-        $accessToken = null,
-        $accessTokenExpire = null,
-        $stage = 'requested'
-    );
-
-    /**
-     * Delete an OAuth session
-     * 
-     * <code>
-     * DELETE FROM oauth_sessions WHERE client_id = $clientId AND owner_type =
-     *  $type AND owner_id = $typeId
-     * </code>
-     * 
-     * @param  string $clientId The client ID
-     * @param  string $type     The session owner's type 
-     * @param  string $typeId   The session owner's ID
-     * @return [type]           [description]
-     */
-    public function deleteSession(
-        $clientId,
-        $type,
-        $typeId
-    );
-
-    /**
-     * Validate that an authorisation code is valid
-     * 
-     * Database query:
-     * 
-     * <code>
-     * SELECT id FROM oauth_sessions WHERE client_id = $clientID AND
-     *  redirect_uri = $redirectUri AND auth_code = $authCode
-     * </code>
-     * 
-     * Response:
-     * 
-     * <code>
-     * Array
-     * (
-     *     [id] => (int) The session ID
-     *     [client_id] => (string) The client ID
-     *     [redirect_uri] => (string) The redirect URI
-     *     [owner_type] => (string) The session owner type
-     *     [owner_id] => (string) The session owner's ID
-     *     [auth_code] => (string) The authorisation code
-     *     [stage] => (string) The session's stage
-     *     [first_requested] => (int) Unix timestamp of the time the session was
-     *      first generated
-     *     [last_updated] => (int) Unix timestamp of the time the session was
-     *      last updated
-     * )
-     * </code>
-     * 
-     * @param  string     $clientId    The client ID
-     * @param  string     $redirectUri The redirect URI
-     * @param  string     $authCode    The authorisation code
-     * @return int|bool                Returns the session ID if the auth code
-     *  is valid otherwise returns false 
-     */
-    public function validateAuthCode(
-        $clientId,
-        $redirectUri,
-        $authCode
-    );
-
-    /**
-     * Return the session ID for a given session owner and client combination
-     * 
-     * Database query:
-     * 
-     * <code>
-     * SELECT id FROM oauth_sessions WHERE client_id = $clientId
-     *  AND owner_type = $type AND owner_id = $typeId
-     * </code>
-     * 
-     * @param  string      $type     The session owner's type 
-     * @param  string      $typeId   The session owner's ID
-     * @param  string      $clientId The client ID
-     * @return string|null           Return the session ID as an integer if 
-     *  found otherwise returns false
-     */
-    public function hasSession(
-        $type,
-        $typeId,
-        $clientId
-    );
-
-    /**
-     * Return the access token for a given session
-     * 
-     * Database query:
-     * 
-     * <code>
-     * SELECT access_token FROM oauth_sessions WHERE id = $sessionId
-     * </code>
-     * 
-     * @param  int         $sessionId The OAuth session ID
-     * @return string|null            Returns the access token as a string if
-     *  found otherwise returns null
-     */
-    public function getAccessToken($sessionId);
-
-    /**
-     * Removes an authorisation code associated with a session
-     * 
-     * Database query:
-     * 
-     * <code>
-     * UPDATE oauth_sessions SET auth_code = NULL WHERE id = $sessionId
-     * </code>
-     * 
-     * @param  int    $sessionId The OAuth session ID
-     * @return void
-     */
-    public function removeAuthCode($sessionId);
-
-    /**
-     * Sets a sessions access token
-     * 
-     * Database query:
-     * 
-     * <code>
-     * UPDATE oauth_sessions SET access_token = $accessToken WHERE id = 
-     *  $sessionId
-     * </code>
-     * 
-     * @param int    $sessionId   The OAuth session ID
-     * @param string $accessToken The access token
-     * @return void
-     */
-    public function setAccessToken(
-        $sessionId,
-        $accessToken
-    );
-
-    /**
-     * Associates a session with a scope
-     * 
-     * Database query:
-     * 
-     * <code>
-     * INSERT INTO oauth_session_scopes (session_id, scope) VALUE ($sessionId, 
-     *  $scope)
-     * </code>
-     * 
-     * @param int    $sessionId The session ID
-     * @param string $scope     The scope
-     * @return void
-     */
-    public function addSessionScope(
-        $sessionId,
-        $scope
-    );
-
-    /**
-     * Return information about a scope
-     * 
-     * Database query:
-     * 
-     * <code>
-     * SELECT * FROM scopes WHERE scope = $scope
-     * </code>
-     * 
-     * Response:
-     * 
-     * <code>
-     * Array
-     * (
-     *     [id] => (int) The scope's ID
-     *     [scope] => (string) The scope itself
-     *     [name] => (string) The scope's name
-     *     [description] => (string) The scope's description
-     * )
-     * </code>
-     * 
-     * @param  string $scope The scope
-     * @return array         
-     */
-    public function getScope($scope);
-
-    /**
-     * Associate a session's scopes with an access token
-     * 
-     * Database query:
-     * 
-     * <code>
-     * UPDATE oauth_session_scopes SET access_token = $accessToken WHERE 
-     *  session_id = $sessionId
-     * </code>
-     * 
-     * @param  int    $sessionId   The session ID
-     * @param  string $accessToken The access token
-     * @return void
-     */
-    public function updateSessionScopeAccessToken(
-        $sessionId,
-        $accessToken
-    );
-
-    /**
-     * Return the scopes associated with an access token
-     * 
-     * Database query:
-     * 
-     * <code>
-     * SELECT scopes.scope, scopes.name, scopes.description FROM 
-     * oauth_session_scopes JOIN scopes ON oauth_session_scopes.scope = 
-     *  scopes.scope WHERE access_token = $accessToken
-     * </code>
-     * 
-     * Response:
-     * 
-     * <code>
-     * Array
-     * (
-     *     [0] => Array
-     *         (
-     *             [scope] => (string) The scope
-     *             [name] => (string) The scope's name
-     *             [description] => (string) The scope's description
-     *         )
-     * )
-     * </code>
-     * 
-     * @param  string $accessToken The access token
-     * @return array
-     */
-    public function accessTokenScopes($accessToken);
-}

src/Oauth2/Authentication/Server.php

@@ -1,557 +0,0 @@
-<?php
-
-namespace Oauth2\Authentication;
-
-class ClientException extends \Exception
-{
-
-}
-
-class UserException extends \Exception
-{
-
-}
-
-class ServerException extends \Exception
-{
-
-}
-
-class Server
-{
-    /**
-     * Reference to the database abstractor
-     * @var object
-     */
-    private $_db = null;
-
-    /**
-     * Server configuration
-     * @var array
-     */
-    private $_config = array(
-        'scope_delimeter'       =>  ',',
-        'access_token_ttl'   =>  null
-    );
-
-    /**
-     * Supported response types
-     * @var array
-     */
-    private $_responseTypes =   array(
-        'code'
-    );
-    
-    /**
-     * Supported grant types
-     * @var array
-     */
-    private $_grantTypes    =   array(
-        'authorization_code'
-    );
-
-    /**
-     * Exception error codes
-     * @var array
-     */
-    public $exceptionCodes = array(
-        0   =>  'invalid_request',
-        1   =>  'unauthorized_client',
-        2   =>  'access_denied',
-        3   =>  'unsupported_response_type',
-        4   =>  'invalid_scope',
-        5   =>  'server_error',
-        6   =>  'temporarily_unavailable',
-        7   =>  'unsupported_grant_type',
-        8   =>  'invalid_client',
-        9   =>  'invalid_grant'
-    );
-
-    /**
-     * Error codes.
-     * 
-     * To provide i8ln errors just overwrite the keys
-     * 
-     * @var array
-     */
-    public $errors = array(
-        'invalid_request'   =>  'The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Check the "%s" parameter.',
-        'unauthorized_client'   =>  'The client is not authorized to request an access token using this method.',
-        'access_denied' =>  'The resource owner or authorization server denied the request.',
-        'unsupported_response_type' =>  'The authorization server does not support obtaining an access token using this method.',
-        'invalid_scope' =>  'The requested scope is invalid, unknown, or malformed. Check the "%s" scope.',
-        'server_error'  =>  'The authorization server encountered an unexpected condition which prevented it from fulfilling the request.',
-        'temporarily_unavailable'   =>  'The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server.',
-        'unsupported_grant_type'    =>  'The authorization grant type is not supported by the authorization server',
-        'invalid_client'    =>  'Client authentication failed',
-        'invalid_grant'     =>  'The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. Check the "%s" parameter.'
-    );
-
-    /**
-     * Constructor
-     * 
-     * @access public
-     * @param  array $options Optional list of options to overwrite the defaults
-     * @return void
-     */
-    public function __construct($options = null)
-    {
-        if ($options !== null) {
-            $this->options = array_merge($this->_config, $options);
-        }
-    }
-
-    /**
-     * Register a database abstrator class
-     * 
-     * @access public
-     * @param  object $db A class that implements OAuth2ServerDatabase
-     * @return void
-     */
-    public function registerDbAbstractor($db)
-    {
-        $this->_db = $db;
-    }
-
-    /**
-     * Check client authorise parameters
-     * 
-     * @access public
-     * @param  array $authParams Optional array of parsed $_GET keys
-     * @return array             Authorise request parameters
-     */
-    public function checkClientAuthoriseParams($authParams = null)
-    {
-        $params = array();
-
-        // Client ID
-        if ( ! isset($authParams['client_id']) && ! isset($_GET['client_id'])) {
-
-            throw new ClientException(sprintf($this->errors['invalid_request'], 'client_id'), 0);
-
-        } else {
-
-            $params['client_id'] = (isset($authParams['client_id'])) ?
-                                            $authParams['client_id'] : 
-                                            $_GET['client_id'];
-
-        }
-
-        // Redirect URI
-        if ( ! isset($authParams['redirect_uri']) && ! isset($_GET['redirect_uri'])) {
-
-            throw new ClientException(sprintf($this->errors['invalid_request'], 'redirect_uri'), 0);
-
-        } else {
-
-            $params['redirect_uri'] = (isset($authParams['redirect_uri'])) ?
-                                                $authParams['redirect_uri'] :
-                                                $_GET['redirect_uri'];
-
-        }
-
-        // Validate client ID and redirect URI
-        $clientDetails = $this->_dbCall(
-            'validateClient',
-            $params['client_id'],
-            null,
-            $params['redirect_uri']
-        );
-
-        if ($clientDetails === false) {
-
-            throw new ClientException($this->errors['invalid_client'], 8);
-        }
-
-        // Response type
-        if ( ! isset($authParams['response_type']) && ! isset($_GET['response_type'])) {
-
-            throw new ClientException(sprintf($this->errors['invalid_request'], 'response_type'), 0);
-
-        } else {
-
-            $params['response_type'] = (isset($authParams['response_type'])) ?
-                                                $authParams['response_type'] :
-                                                $_GET['response_type'];
-
-            // Ensure response type is one that is recognised
-            if ( ! in_array($params['response_type'], $this->_responseTypes)) {
-
-                throw new ClientException($this->errors['unsupported_response_type'], 3);
-
-            }
-        }
-
-        // Get and validate scopes
-        if (isset($authParams['scope']) || isset($_GET['scope'])) {
-
-            $scopes = (isset($_GET['scope'])) ?
-                                $_GET['scope'] :
-                                $authParams['scope'];
-
-            $scopes = explode($this->_config['scope_delimeter'], $scopes);
-
-            // Remove any junk scopes
-            for ($i = 0; $i < count($scopes); $i++) {
-
-                $scopes[$i] = trim($scopes[$i]);
-
-                if ($scopes[$i] === '') {
-                    unset($scopes[$i]);
-                }
-            }
-
-            if (count($scopes) === 0) {
-
-                throw new ClientException(sprintf($this->errors['invalid_request'], 'scope'), 0);
-            }
-
-            $params['scopes'] = array();
-
-            foreach ($scopes as $scope) {
-
-                $scopeDetails = $this->_dbCall(
-                    'getScope',
-                    $scope
-                );
-                
-                if ($scopeDetails === false) {
-
-                    throw new ClientException(sprintf($this->errors['invalid_scope'], $scope), 4);
-
-                }
-
-                $params['scopes'][] = $scopeDetails;
-
-            }
-        }
-
-        return $params;
-    }
-
-    /**
-     * Parse a new authorise request
-     * 
-     * @param  string $type            The session owner's type
-     * @param  string $typeId          The session owner's ID
-     * @param  array  $authoriseParams The authorise request $_GET parameters
-     * @return string                  An authorisation code
-     */
-    public function newAuthoriseRequest($type, $typeId, $authoriseParams)
-    {
-        // Remove any old sessions the user might have
-        $this->_dbCall(
-            'deleteSession',
-            $authoriseParams['client_id'],
-            $type,
-            $typeId
-        );
-
-        // Create the new auth code
-        $authCode = $this->newAuthCode(
-            $authoriseParams['client_id'], 
-            'user',
-            $typeId,
-            $authoriseParams['redirect_uri'], 
-            $authoriseParams['scopes']
-        );
-
-        return $authCode;
-    }
-
-    /**
-     * Generate a unique code
-     * 
-     * Generate a unique code for an authorisation code, or token
-     * 
-     * @return string A unique code
-     */
-    private function generateCode()
-    {
-        return sha1(uniqid(microtime()));
-    }
-
-    /**
-     * Create a new authorisation code
-     * 
-     * @param  string $clientId    The client ID
-     * @param  string $type        The type of the owner of the session
-     * @param  string $typeId      The session owner's ID
-     * @param  string $redirectUri The redirect URI
-     * @param  array  $scopes      The requested scopes
-     * @param  string $accessToken The access token (default = null)
-     * @return string              An authorisation code
-     */
-    private function newAuthCode($clientId, $type, $typeId, $redirectUri, $scopes = array(), $accessToken = null)
-    {
-        $authCode = $this->generateCode();
-
-        // If an access token exists then update the existing session with the 
-        // new authorisation code otherwise create a new session
-        if ($accessToken !== null) {
-
-            $this->_dbCall(
-                'updateSession',
-                $clientId,
-                $type,
-                $typeId,
-                $authCode,
-                $accessToken,
-                'request'
-            );
-        
-        } else {
-
-            // Delete any existing sessions just to be sure
-            $this->_dbCall('deleteSession', $clientId, $type, $typeId);
-               
-            // Create a new session     
-            $sessionId = $this->_dbCall(
-                'newSession',
-                $clientId,
-                $redirectUri,
-                $type,
-                $typeId,
-                $authCode,
-                null,
-                null,
-                'request'
-            );
-                        
-            // Add the scopes
-            foreach ($scopes as $key => $scope) {
-
-                $this->_dbCall(
-                    'addSessionScope',
-                    $sessionId,
-                    $scope['scope']
-                );
-
-            }
-
-        }
-        
-        return $authCode;
-    }
-
-    /**
-     * Issue an access token
-     * 
-     * @access public
-     * 
-     * @param  array $authParams Optional array of parsed $_POST keys
-     * 
-     * @return array             Authorise request parameters
-     */
-    public function issueAccessToken($authParams = null)
-    {
-        $params = array();
-
-        if ( ! isset($authParams['grant_type']) && ! isset($_POST['grant_type'])) {
-
-            throw new ClientException(sprintf($this->errors['invalid_request'], 'grant_type'), 0);
-
-        } else {
-
-            $params['grant_type'] = (isset($authParams['grant_type'])) ?
-                                                $authParams['grant_type'] :
-                                                $_POST['grant_type'];
-
-            // Ensure grant type is one that is recognised
-            if ( ! in_array($params['grant_type'], $this->_grantTypes)) {
-
-                throw new ClientException($this->errors['unsupported_grant_type'], 7);
-
-            }
-        }
-
-        switch ($params['grant_type'])
-        {
-            
-            case 'authorization_code': // Authorization code grant
-                return $this->completeAuthCodeGrant($authParams, $params);
-                break;  
-
-            case 'refresh_token': // Refresh token
-            case 'password': // Resource owner password credentials grant
-            case 'client_credentials': // Client credentials grant
-            default: // Unsupported
-                throw new ServerException($this->errors['server_error'] . 'Tried to process an unsuppported grant type.', 5);
-                break;
-        }
-    }
-
-    /**
-     * Complete the authorisation code grant
-     * 
-     * @access private
-     * 
-     * @param  array $authParams Array of parsed $_POST keys
-     * @param  array $params     Generated parameters from issueAccessToken()
-     * 
-     * @return array             Authorise request parameters
-     */
-    private function completeAuthCodeGrant($authParams = array(), $params = array())
-    {
-        // Client ID
-        if ( ! isset($authParams['client_id']) && ! isset($_POST['client_id'])) {
-
-            throw new ClientException(sprintf($this->errors['invalid_request'], 'client_id'), 0);
-
-        } else {
-
-            $params['client_id'] = (isset($authParams['client_id'])) ?
-                                            $authParams['client_id'] :
-                                            $_POST['client_id'];
-
-        }
-
-        // Client secret
-        if ( ! isset($authParams['client_secret']) && ! isset($_POST['client_secret'])) {
-
-            throw new ClientException(sprintf($this->errors['invalid_request'], 'client_secret'), 0);
-
-        } else {
-
-            $params['client_secret'] = (isset($authParams['client_secret'])) ?
-                                                $authParams['client_secret'] :
-                                                $_POST['client_secret'];
-
-        }
-
-        // Redirect URI
-        if ( ! isset($authParams['redirect_uri']) && ! isset($_POST['redirect_uri'])) {
-
-            throw new ClientException(sprintf($this->errors['invalid_request'], 'redirect_uri'), 0);
-
-        } else {
-
-            $params['redirect_uri'] = (isset($authParams['redirect_uri'])) ?
-                                                $authParams['redirect_uri'] :
-                                                $_POST['redirect_uri'];
-
-        }
-
-        // Validate client ID and redirect URI
-        $clientDetails = $this->_dbCall(
-            'validateClient',
-            $params['client_id'],
-            $params['client_secret'], 
-            $params['redirect_uri']
-        );
-
-        if ($clientDetails === false) {
-
-            throw new ClientException($this->errors['invalid_client'], 8);
-        }
-
-        // The authorization code
-        if ( ! isset($authParams['code']) && ! isset($_POST['code'])) {
-
-            throw new ClientException(sprintf($this->errors['invalid_request'], 'code'), 0);
-
-        } else {
-
-            $params['code'] = (isset($authParams['code'])) ?
-                                        $authParams['code'] :
-                                        $_POST['code'];
-
-        }
-
-        // Verify the authorization code matches the client_id and the
-        //  request_uri
-        $session = $this->_dbCall(
-            'validateAuthCode',
-            $params['client_id'],
-            $params['redirect_uri'],
-            $params['code']
-        );
-
-        if ( ! $session) {
-
-            throw new ClientException(sprintf($this->errors['invalid_grant'], 'code'), 9);
-        
-        } else {
-
-            // A session ID was returned so update it with an access token,
-            //  remove the authorisation code, change the stage to 'granted'
-
-            $accessToken = $this->generateCode();
-
-            $accessTokenExpires = ($this->_config['access_token_ttl'] === null) ?
-                                    null :
-                                    time() + $this->_config['access_token_ttl'];
-
-            $this->_dbCall(
-                'updateSession',
-                $session['id'],
-                null,
-                $accessToken,
-                $accessTokenExpires,
-                'granted'
-            );
-
-            // Update the session's scopes to reference the access token
-            $this->_dbCall(
-                'updateSessionScopeAccessToken',
-                $session['id'],
-                $accessToken
-            );
-
-            return array(
-                'access_token'  =>  $accessToken,
-                'token_type'    =>  'bearer',
-                'expires_in'    =>  $this->_config['access_token_ttl']
-            );
-        }
-    }
-
-    /**
-     * Generates the redirect uri with appended params
-     * 
-     * @param  string $redirectUri     The redirect URI
-     * @param  array  $params          The parameters to be appended to the URL
-     * @param  string $query_delimeter The query string delimiter (default: ?)
-     * 
-     * @return string                  The updated redirect URI
-     */
-    public function redirectUri($redirectUri, $params = array(), $queryDelimeter = '?')
-    {
-      
-        if (strstr($redirectUri, $queryDelimeter)) {
-
-            $redirectUri = $redirectUri . '&' . http_build_query($params);
-
-        } else {
-
-            $redirectUri = $redirectUri . $queryDelimeter . http_build_query($params);
-
-        }
-        
-        return $redirectUri;
-
-    }
-
-    /**
-     * Call database methods from the abstractor
-     * 
-     * @return mixed The query result
-     */
-    private function _dbCall()
-    {
-        if ($this->_db === null) {
-            throw new ServerException('No registered database abstractor');
-        }
-
-        if ( ! $this->_db instanceof Database) {
-            throw new ServerException('Registered database abstractor is not an instance of Oauth2\Authentication\Database');
-        }
-
-        $args = func_get_args();
-        $method = $args[0];
-        unset($args[0]);
-        $params = array_values($args);
-
-        return call_user_func_array(array($this->_db, $method), $params);
-    }
-}

src/Oauth2/Client/IDP.php

@@ -1,230 +0,0 @@
-<?php
-
-namespace OAuth2\Client;
-
-use Guzzle\Service\Client as GuzzleClient;
-
-class IDPException extends \Exception
-{
-    protected $result;
-
-    public function __construct($result)
-    {
-        $this->result = $result;
-
-        $code = isset($result['code']) ? $result['code'] : 0;
-
-        if (isset($result['error'])) {
-
-            // OAuth 2.0 Draft 10 style
-            $message = $result['error'];
-
-        } elseif (isset($result['message'])) {
-
-            // cURL style
-            $message = $result['message'];
-
-        } else {
-
-            $message = 'Unknown Error.';
-
-        }
-
-        parent::__construct($message['message'], $message['code']);
-    }
-
-    public function getType()
-    {
-        if (isset($this->result['error'])) {
-
-            $message = $this->result['error'];
-
-            if (is_string($message)) {
-                // OAuth 2.0 Draft 10 style
-                return $message;
-            }
-        }
-
-        return 'Exception';
-    }
-
-    /**
-     * To make debugging easier.
-     *
-     * @returns
-     *   The string representation of the error.
-     */
-    public function __toString()
-    {
-        $str = $this->getType() . ': ';
-
-        if ($this->code != 0) {
-            $str .= $this->code . ': ';
-        }
-
-        return $str . $this->message;
-    }
-
-}
-
-abstract class IDP {
-
-    public $clientId = '';
-
-    public $clientSecret = '';
-
-    public $redirectUri = '';
-
-    public $name;
-
-    public $uidKey = 'uid';
-
-    public $scopes = array();
-
-    public $method = 'post';
-
-    public $scopeSeperator = ',';
-
-    public $responseType = 'json';
-
-    public function __construct($options)
-    {
-        foreach ($options as $option => $value) {
-            if (isset($this->{$option})) {
-                $this->{$option} = $value;
-            }
-        }
-    }
-
-    abstract public function urlAuthorize();
-
-    abstract public function urlAccessToken();
-
-    abstract public function urlUserDetails(\Oauth2\Client\Token\Access $token);
-
-    abstract public function userDetails($response, \Oauth2\Client\Token\Access $token);
-
-    public function authorize($options = array())
-    {
-        $state = md5(uniqid(rand(), TRUE));
-        setcookie($this->name.'_authorize_state', $state);
-
-        $params = array(
-            'client_id'         => $this->clientId,
-            'redirect_uri'      => $this->redirectUri,
-            'state'             => $state,
-            'scope'             => is_array($this->scope) ? implode($this->scopeSeperator, $this->scope) : $this->scope,
-            'response_type'     => isset($options['response_type']) ? $options['response_type'] : 'code',
-            'approval_prompt'   => 'force' // - google force-recheck
-        );
-
-        header('Location: ' . $this->urlAuthorize().'?'.http_build_query($params));
-        exit;
-    }
-
-    public function getAccessToken($code = NULL, $options = array())
-    {
-        if ($code === NULL) {
-            throw new \BadMethodCallException('Missing authorization code');
-        }
-
-        $params = array(
-            'client_id'     => $this->clientId,
-            'client_secret' => $this->clientSecret,
-            'grant_type'    => isset($options['grantType']) ? $options['grantType'] : 'authorization_code',
-        );
-
-        switch ($params['grant_type']) {
-
-            case 'authorization_code':
-                $params['code'] = $code;
-                $params['redirect_uri'] = isset($options['redirectUri']) ? $options['redirectUri'] : $this->redirectUri;
-            break;
-
-            case 'refresh_token':
-                $params['refresh_token'] = $code;
-            break;
-
-        }
-
-        try {
-
-            switch ($this->method) {
-
-                case 'get':
-
-                    $client = new GuzzleClient($this->urlAccessToken() . '?' . http_build_query($params));
-                    $request = $client->send();
-                    $response = $request->getBody();
-
-                    break;
-
-                case 'post':
-
-                    $client = new GuzzleClient($this->urlAccessToken());
-                    $request = $client->post(null, null, $params)->send();
-                    $response = $request->getBody();
-
-                    break;
-
-            }
-
-        }
-
-        catch (\Guzzle\Http\Exception\BadResponseException $e)
-        {
-            $raw_response = explode("\n", $e->getResponse());
-            $response = end($raw_response);
-        }
-
-        switch ($this->responseType) {
-
-            case 'json':
-                $result = json_decode($response, true);
-            break;
-
-            case 'string':
-                parse_str($response, $result);
-            break;
-
-        }
-
-        if (isset($result['error']) && ! empty($result['error'])) {
-
-            throw new \Oauth2\Client\IDPException($result);
-
-        }
-
-        switch ($params['grant_type']) {
-
-            case 'authorization_code':
-                return \Oauth2\Client\Token::factory('access', $result);
-            break;
-
-            case 'refresh_token':
-                return \Oauth2\Client\Token::factory('refresh', $result);
-            break;
-
-        }
-    }
-
-    public function getUserDetails(\Oauth2\Client\Token\Access $token)
-    {
-        $url = $this->urlUserDetails($token);
-
-        try {
-            $client = new GuzzleClient($url);
-            $request = $client->get()->send();
-            $response = $request->getBody();
-
-            return $this->userDetails(json_decode($response), $token);
-        }
-
-        catch (\Guzzle\Http\Exception\BadResponseException $e)
-        {
-            $raw_response = explode("\n", $e->getResponse());
-            throw new \Oauth2\Client\IDPException(end($raw_response));
-        }
-    }
-
-}

src/Oauth2/Client/Provider.php

@@ -1,19 +0,0 @@
-<?php
-
-namespace OAuth2\Client;
-
-class Provider
-{
-	private function __constuct() {}
-
-	public static function factory($name, array $options = null)
-	{
-		if ( ! class_exists($name)) {
-
-			throw new OAuth2\Client\Exception('There is no identity provider called: '.$name);
-
-		}
-
-		return new $name($options);
-	}
-}

src/Oauth2/Client/Provider/Blooie.php

@@ -1,42 +0,0 @@
-<?php
-
-class Blooie extends Oauth2\Client\IDP
-{  
-	public $scope = array('user.profile', 'user.picture');
-
-	public $method = 'POST';
-
-	public function urlAuthorize()
-	{
-		return 'https://bloo.ie/oauth';	
-	}
-
-	public function urlAccessToken()
-	{
-		return 'https://bloo.ie/oauth/access_token';
-	}
-
-	public function getUserInfo(Oauth2\Token\Access $token)
-	{
-		$url = 'https://graph.facebook.com/me?'.http_build_query(array(
-			'access_token' => $token->access_token,
-		));
-
-		$user = json_decode(file_get_contents($url));
-
-		return array(
-			'uid' => $user->id,
-			'nickname' => $user->username,
-			'name' => $user->name,
-			'first_name' => $user->first_name,
-			'last_name' => $user->last_name,
-			'email' => isset($user->email) ? $user->email : null,
-			'location' => isset($user->hometown->name) ? $user->hometown->name : null,
-			'description' => isset($user->bio) ? $user->bio : null,
-			'image' => 'https://graph.facebook.com/me/picture?type=normal&access_token='.$token->access_token,
-			'urls' => array(
-			  'Facebook' => $user->link,
-			),
-		);
-	}
-}

src/Oauth2/Client/Provider/Facebook.php

@@ -1,49 +0,0 @@
-<?php
-/**
- * Facebook OAuth2 Provider
- *
- * @package    CodeIgniter/OAuth2
- * @category   Provider
- * @author     Phil Sturgeon
- * @copyright  (c) 2012 HappyNinjas Ltd
- * @license    http://philsturgeon.co.uk/code/dbad-license
- */
-
-class Facebook extends Oauth2\Client\IDP
-{
-	protected $scope = array('offline_access', 'email', 'read_stream');
-
-	public function urlAuthorize()
-	{
-		return 'https://www.facebook.com/dialog/oauth';
-	}
-
-	public function urlAccessToken()
-	{
-		return 'https://graph.facebook.com/oauth/access_token';
-	}
-
-	public function getUserInfo(Oauth2\Token\Access $token)
-	{
-		$url = 'https://graph.facebook.com/me?'.http_build_query(array(
-			'access_token' => $token->access_token,
-		));
-
-		$user = json_decode(file_get_contents($url));
-
-		return array(
-			'uid' => $user->id,
-			'nickname' => isset($user->username) ? $user->username : null,
-			'name' => $user->name,
-			'first_name' => $user->first_name,
-			'last_name' => $user->last_name,
-			'email' => isset($user->email) ? $user->email : null,
-			'location' => isset($user->hometown->name) ? $user->hometown->name : null,
-			'description' => isset($user->bio) ? $user->bio : null,
-			'image' => 'https://graph.facebook.com/me/picture?type=normal&access_token='.$token->access_token,
-			'urls' => array(
-			  'Facebook' => $user->link,
-			),
-		);
-	}
-}

src/Oauth2/Client/Provider/Foursquare.php

@@ -1,45 +0,0 @@
-<?php
-/**
- * Foursquare OAuth2 Provider
- *
- * @package    CodeIgniter/OAuth2
- * @category   Provider
- * @author     Phil Sturgeon
- * @copyright  (c) 2012 HappyNinjas Ltd
- * @license    http://philsturgeon.co.uk/code/dbad-license
- */
-
-class Foursquare extends Oauth2\Client\IDP
-{  
-	public $method = 'POST';
-
-	public function urlAuthorize()
-	{
-		return 'https://foursquare.com/oauth2/authenticate';
-	}
-
-	public function urlAccessToken()
-	{
-		return 'https://foursquare.com/oauth2/access_token';
-	}
-
-	public function getUserInfo(Oauth2\Token\Access $token)
-	{
-		$url = 'https://api.foursquare.com/v2/users/self?'.http_build_query(array(
-			'oauth_token' => $token->access_token,
-		));
-
-		$response = json_decode(file_get_contents($url));
-
-		$user = $response->response->user;
-
-		// Create a response from the request
-		return array(
-			'uid' => $user->id,
-			'name' => sprintf('%s %s', $user->firstName, $user->lastName),
-			'email' => $user->contact->email,
-			'image' => $user->photo,
-			'location' => $user->homeCity,
-		);
-	}
-}

src/Oauth2/Client/Provider/Github.php

@@ -1,43 +0,0 @@
-<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
-/**
- * GitHub OAuth2 Provider
- *
- * @package    CodeIgniter/OAuth2
- * @category   Provider
- * @author     Phil Sturgeon
- * @copyright  (c) 2012 HappyNinjas Ltd
- * @license    http://philsturgeon.co.uk/code/dbad-license
- */
-
-class OAuth2_Provider_Github extends Oauth2\Client\IDP
-{
-	public function urlAuthorize()
-	{
-		return 'https://github.com/login/oauth/authorize';
-	}
-
-	public function urlAccessToken()
-	{
-		return 'https://github.com/login/oauth/access_token';
-	}
-
-	public function getUserInfo(Oauth\Token\Access $token)
-	{
-		$url = 'https://api.github.com/user?'.http_build_query(array(
-			'access_token' => $token->access_token,
-		));
-
-		$user = json_decode(file_get_contents($url));
-
-		return array(
-			'uid' => $user->id,
-			'nickname' => $user->login,
-			'name' => $user->name,
-			'email' => $user->email,
-			'urls' => array(
-			  'GitHub' => 'http://github.com/'.$user->login,
-			  'Blog' => $user->blog,
-			),
-		);
-	}
-}

src/Oauth2/Client/Provider/Google.php

@@ -1,84 +0,0 @@
-<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
-/**
- * Google OAuth2 Provider
- *
- * @package    CodeIgniter/OAuth2
- * @category   Provider
- * @author     Phil Sturgeon
- * @copyright  (c) 2012 HappyNinjas Ltd
- * @license    http://philsturgeon.co.uk/code/dbad-license
- */
-
-class OAuth2_Provider_Google extends OAuth2_Provider
-{
-	/**
-	 * @var  string  the method to use when requesting tokens
-	 */
-	public $method = 'POST';
-
-	/**
-	 * @var  string  scope separator, most use "," but some like Google are spaces
-	 */
-	public $scope_seperator = ' ';
-
-	public function url_authorize()
-	{
-		return 'https://accounts.google.com/o/oauth2/auth';
-	}
-
-	public function url_access_token()
-	{
-		return 'https://accounts.google.com/o/oauth2/token';
-	}
-
-	public function __construct(array $options = array())
-	{
-		// Now make sure we have the default scope to get user data
-		empty($options['scope']) and $options['scope'] = array(
-			'https://www.googleapis.com/auth/userinfo.profile', 
-			'https://www.googleapis.com/auth/userinfo.email'
-		);
-	
-		// Array it if its string
-		$options['scope'] = (array) $options['scope'];
-		
-		parent::__construct($options);
-	}
-
-	/*
-	* Get access to the API
-	*
-	* @param	string	The access code
-	* @return	object	Success or failure along with the response details
-	*/	
-	public function access($code, $options = array())
-	{
-		if ($code === null)
-		{
-			throw new OAuth2_Exception(array('message' => 'Expected Authorization Code from '.ucfirst($this->name).' is missing'));
-		}
-
-		return parent::access($code, $options);
-	}
-
-	public function get_user_info(OAuth2_Token_Access $token)
-	{
-		$url = 'https://www.googleapis.com/oauth2/v1/userinfo?alt=json&'.http_build_query(array(
-			'access_token' => $token->access_token,
-		));
-		
-		$user = json_decode(file_get_contents($url), true);
-		return array(
-			'uid' => $user['id'],
-			'nickname' => url_title($user['name'], '_', true),
-			'name' => $user['name'],
-			'first_name' => $user['given_name'],
-			'last_name' => $user['family_name'],
-			'email' => $user['email'],
-			'location' => null,
-			'image' => (isset($user['picture'])) ? $user['picture'] : null,
-			'description' => null,
-			'urls' => array(),
-		);
-	}
-}

src/Oauth2/Client/Provider/Instagram.php

@@ -1,48 +0,0 @@
-<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
-/**
- * Instagram OAuth2 Provider
- *
- * @package    CodeIgniter/OAuth2
- * @category   Provider
- * @author     Phil Sturgeon
- * @copyright  (c) 2012 HappyNinjas Ltd
- * @license    http://philsturgeon.co.uk/code/dbad-license
- */
-
-class OAuth2_Provider_Instagram extends OAuth2_Provider
-{
-	/**
-	 * @var  string  scope separator, most use "," but some like Google are spaces
-	 */
-	public $scope_seperator = '+';
-
-	/**
-	 * @var  string  the method to use when requesting tokens
-	 */
-	public $method = 'POST';
-
-	public function url_authorize()
-	{
-		return 'https://api.instagram.com/oauth/authorize';
-	}
-
-	public function url_access_token()
-	{
-		return 'https://api.instagram.com/oauth/access_token';
-	}
-
-	public function get_user_info(OAuth2_Token_Access $token)
-	{
-		$user = $token->user;
-
-		return array(
-			'uid' => $user->id,
-			'nickname' => $user->username,
-			'name' => $user->full_name,
-			'image' => $user->profile_picture,
-			'urls' => array(
-			  'website' => $user->website,
-			),
-		);
-	}
-}

src/Oauth2/Client/Provider/Mailchimp.php

@@ -1,36 +0,0 @@
-<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
-/**
- * Mailchimp OAuth2 Provider
- *
- * @package    CodeIgniter/OAuth2
- * @category   Provider
- * @author     Phil Sturgeon
- * @copyright  (c) 2012 HappyNinjas Ltd
- * @license    http://philsturgeon.co.uk/code/dbad-license
- */
-
-class OAuth2_Provider_Mailchimp extends OAuth2_Provider
-{
-	/**
-	 * @var  string  the method to use when requesting tokens
-	 */
-	protected $method = 'POST';
-
-	public function url_authorize()
-	{
-		return 'https://login.mailchimp.com/oauth2/authorize';
-	}
-
-	public function url_access_token()
-	{
-		return 'https://login.mailchimp.com/oauth2/token';
-	}
-
-	public function get_user_info(OAuth2_Token_Access $token)
-	{
-		// Create a response from the request
-		return array(
-			'uid' => $token->access_token,
-		);
-	}
-}

src/Oauth2/Client/Provider/Mailru.php

@@ -1,73 +0,0 @@
-<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
-/**
- * Mailru OAuth2 Provider
- *
- * @package    CodeIgniter/OAuth2
- * @category   Provider
- * @author     Lavr Lyndin
- */
-
-class OAuth2_Provider_Mailru extends OAuth2_Provider
-{
-	public $method = 'POST';
-
-	public function url_authorize()
-	{
-		return 'https://connect.mail.ru/oauth/authorize';
-	}
-
-	public function url_access_token()
-	{
-		return 'https://connect.mail.ru/oauth/token';
-	}
-	
-	protected function sign_server_server(array $request_params, $secret_key)
-	{
-		ksort($request_params);
-		$params = '';
-		foreach ($request_params as $key => $value) {
-			$params .= "$key=$value";
-		}
-		return md5($params . $secret_key);
-	}
-
-	public function get_user_info(OAuth2_Token_Access $token)
-	{
-		$request_params = array(
-			'app_id' => $this->client_id,
-			'method' => 'users.getInfo',
-			'uids' => $token->uid,
-			'access_token' => $token->access_token,
-			'secure' => 1
-		);
-		
-		$sig = $this->sign_server_server($request_params,$this->client_secret);
-		$url = 'http://www.appsmail.ru/platform/api?'.http_build_query($request_params).'&sig='.$sig;
-
-		$user = json_decode(file_get_contents($url));
-
-		return array(
-			'uid' => $user[0]->uid,
-			'nickname' => $user[0]->nick,
-			'name' => $user[0]->first_name.' '.$user[0]->last_name,
-			'first_name' => $user[0]->first_name,
-			'last_name' => $user[0]->last_name,
-			'email' => isset($user[0]->email) ? $user[0]->email : null,
-			'image' => isset($user[0]->pic_big) ? $user[0]->pic_big : null,
-		);
-	}
-	
-	public function authorize($options = array())
-	{
-		$state = md5(uniqid(rand(), TRUE));
-		get_instance()->session->set_userdata('state', $state);
-
-		$params = array(
-			'client_id' 		=> $this->client_id,
-			'redirect_uri' 		=> isset($options['redirect_uri']) ? $options['redirect_uri'] : $this->redirect_uri,
-			'response_type' 	=> 'code',
-		);
-
-		redirect($this->url_authorize().'?'.http_build_query($params));
-	}
-}

src/Oauth2/Client/Provider/Paypal.php

@@ -1,59 +0,0 @@
-<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
-/**
- * PayPal OAuth2 Provider
- *
- * @package    CodeIgniter/OAuth2
- * @category   Provider
- * @author     Phil Sturgeon
- * @copyright  (c) 2012 HappyNinjas Ltd
- * @license    http://philsturgeon.co.uk/code/dbad-license
- */
-
-class OAuth2_Provider_Paypal extends OAuth2_Provider
-{
-    /**
-     * @var  string  default scope (useful if a scope is required for user info)
-     */
-    protected $scope = array('https://identity.x.com/xidentity/resources/profile/me');
-
-    /**
-     * @var  string  the method to use when requesting tokens
-     */
-    protected $method = 'POST';
-
-    public function url_authorize()
-    {
-        return 'https://identity.x.com/xidentity/resources/authorize';
-    }
-
-    public function url_access_token()
-    {
-        return 'https://identity.x.com/xidentity/oauthtokenservice';
-    }
-
-    public function get_user_info(OAuth2_Token_Access $token)
-    {
-        $url = 'https://identity.x.com/xidentity/resources/profile/me?' . http_build_query(array(
-            'oauth_token' => $token->access_token
-        ));
-
-        $user = json_decode(file_get_contents($url));
-		$user = $user->identity;
-
-		return array(
-            'uid' => $user['userId'],
-            'nickname' => url_title($user['fullName'], '_', true),
-            'name' => $user['fullName'],
-            'first_name' => $user['firstName'],
-            'last_name' => $user['lastName'],
-            'email' => $user['emails'][0],
-            'location' => $user->addresses[0],
-            'image' => null,
-            'description' => null,
-            'urls' => array(
-				'PayPal' => null
-			)
-        );
-    }
-
-}

src/Oauth2/Client/Provider/Soundcloud.php

@@ -1,51 +0,0 @@
-<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
-/**
- * Soundcloud OAuth2 Provider
- *
- * @package    CodeIgniter/OAuth2
- * @category   Provider
- * @author     Phil Sturgeon
- * @copyright  (c) 2012 HappyNinjas Ltd
- * @license    http://philsturgeon.co.uk/code/dbad-license
- */
-
-class OAuth2_Provider_Soundcloud extends OAuth2_Provider
-{	
-	/**
-	 * @var  string  the method to use when requesting tokens
-	 */
-	protected $method = 'POST';
-
-	public function url_authorize()
-	{
-		return 'https://soundcloud.com/connect';
-	}
-
-	public function url_access_token()
-	{
-		return 'https://api.soundcloud.com/oauth2/token';
-	}
-
-	public function get_user_info(OAuth2_Token_Access $token)
-	{
-		$url = 'https://api.soundcloud.com/me.json?'.http_build_query(array(
-			'oauth_token' => $token->access_token,
-		));
-
-		$user = json_decode(file_get_contents($url));
-
-		// Create a response from the request
-		return array(
-			'uid' => $user->id,
-			'nickname' => $user->username,
-			'name' => $user->full_name,
-			'location' => $user->country.' ,'.$user->country,
-			'description' => $user->description,
-			'image' => $user->avatar_url,
-			'urls' => array(
-				'MySpace' => $user->myspace_name,
-				'Website' => $user->website,
-			),
-		);
-	}
-}

src/Oauth2/Client/Provider/Vkontakte.php

@@ -1,54 +0,0 @@
-<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
-/**
- * Vkontakte OAuth2 Provider
- *
- * @package    CodeIgniter/OAuth2
- * @category   Provider
- * @author     Lavr Lyndin
- */
-
-class OAuth2_Provider_Vkontakte extends OAuth2_Provider
-{
-	protected $method = 'POST';
-	public $uid_key = 'user_id';
-
-	public function url_authorize()
-	{
-		return 'http://oauth.vk.com/authorize';
-	}
-
-	public function url_access_token()
-	{
-		return 'https://oauth.vk.com/access_token';
-	}
-
-	public function get_user_info(OAuth2_Token_Access $token)
-	{
-		$scope = array('nickname', 'screen_name','photo_big');
-		$url = 'https://api.vk.com/method/users.get?'.http_build_query(array(
-			'uids' => $token->uid,
-			'fields' => implode(",",$scope),
-			'access_token' => $token->access_token,
-		));
-
-		$user = json_decode(file_get_contents($url))->response;
-
-		if(sizeof($user)==0)
-			return null;
-		else
-			$user = $user[0];
-
-		return array(
-			'uid' => $user->uid,
-			'nickname' => isset($user->nickname) ? $user->nickname : null,
-			'name' => isset($user->name) ? $user->name : null,
-			'first_name' => isset($user->first_name) ? $user->first_name : null,
-			'last_name' => isset($user->last_name) ? $user->last_name : null,
-			'email' => null,
-			'location' => null,
-			'description' => null,
-			'image' => isset($user->photo_big) ? $user->photo_big : null,
-			'urls' => array(),
-		);
-	}
-}

src/Oauth2/Client/Provider/Windowslive.php

@@ -1,60 +0,0 @@
-<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
-/**
- * Windows Live OAuth2 Provider
- *
- * @package    CodeIgniter/OAuth2
- * @category   Provider
- * @author     Phil Sturgeon
- * @copyright  (c) 2012 HappyNinjas Ltd
- * @license    http://philsturgeon.co.uk/code/dbad-license
- */
-
-class OAuth2_Provider_Windowslive extends OAuth2_Provider
-{	
-	protected $scope = array('wl.basic', 'wl.emails');
-	
-	/**
-	 * @var  string  the method to use when requesting tokens
-	 */
-	protected $method = 'POST';
-	
-	// authorise url
-	public function url_authorize()
-	{
-		return 'https://oauth.live.com/authorize';
-	}
-	
-	// access token url
-	public function url_access_token()
-	{
-		return 'https://oauth.live.com/token';
-	}
-	
-	// get basic user information
-	/********************************
-	** this can be extended through the 
-	** use of scopes, check out the document at
-	** http://msdn.microsoft.com/en-gb/library/hh243648.aspx#user
-	*********************************/
-	public function get_user_info(OAuth2_Token_Access $token)
-	{
-		// define the get user information token
-		$url = 'https://apis.live.net/v5.0/me?'.http_build_query(array(
-			'access_token' => $token->access_token,
-		));
-		
-		// perform network request
-		$user = json_decode(file_get_contents($url));
-
-		// create a response from the request and return it
-		return array(
-			'uid' 		=> $user->id,
-			'name' 		=> $user->name,
-			'nickname' 	=> url_title($user->name, '_', true),
-//			'location' 	=> $user[''], # scope wl.postal_addresses is required
-										  # but won't be implemented by default
-			'locale' 	=> $user->locale,
-			'urls' 		=> array('Windows Live' => $user->link),
-		);
-	}
-}

src/Oauth2/Client/Provider/Yandex.php

@@ -1,115 +0,0 @@
-<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
-/**
- * Yandex OAuth2 Provider
- *
- * @package    CodeIgniter/OAuth2
- * @category   Provider
- * @author     Lavr Lyndin
- */
-
-class OAuth2_Provider_Yandex extends OAuth2_Provider
-{
-	public $method = 'POST';
-	
-	public function url_authorize()
-	{
-		return 'https://oauth.yandex.ru/authorize';
-	}
-
-	public function url_access_token()
-	{
-		return 'https://oauth.yandex.ru/token';
-	}
-
-	public function get_user_info(OAuth2_Token_Access $token)
-	{
-		$opts = array(
-			'http' => array(
-				'method' => 'GET',
-				'header' => 'Authorization: OAuth '.$token->access_token
-			)
-		);
-		$_default_opts = stream_context_get_params(stream_context_get_default());
-		
-		$opts = array_merge_recursive($_default_opts['options'], $opts);
-		$context = stream_context_create($opts);
-		$url = 'http://api-yaru.yandex.ru/me/?format=json';
-
-		$user = json_decode(file_get_contents($url,false,$context));
-
-		preg_match("/\d+$/",$user->id,$uid);
-		
-		return array(
-			'uid' => $uid[0],
-			'nickname' => isset($user->name) ? $user->name : null,
-			'name' => isset($user->name) ? $user->name : null,
-			'first_name' => isset($user->first_name) ? $user->first_name : null,
-			'last_name' => isset($user->last_name) ? $user->last_name : null,
-			'email' => isset($user->email) ? $user->email : null,
-			'location' => isset($user->hometown->name) ? $user->hometown->name : null,
-			'description' => isset($user->bio) ? $user->bio : null,
-			'image' => $user->links->userpic,
-		);
-	}
-	
-	public function access($code, $options = array())
-	{
-		$params = array(
-			'client_id' 	=> $this->client_id,
-			'client_secret' => $this->client_secret,
-			'grant_type' 	=> isset($options['grant_type']) ? $options['grant_type'] : 'authorization_code',
-		);
-
-		switch ($params['grant_type'])
-		{
-			case 'authorization_code':
-				$params['code'] = $code;
-				$params['redirect_uri'] = isset($options['redirect_uri']) ? $options['redirect_uri'] : $this->redirect_uri;
-			break;
-
-			case 'refresh_token':
-				$params['refresh_token'] = $code;
-			break;
-		}
-
-		$response = null;	
-		$url = $this->url_access_token();
-
-		$curl = curl_init($url);
-
-		$headers[] = 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8;';
-		curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
-
-//		curl_setopt($curl, CURLOPT_USERAGENT, 'yamolib-php');
-		curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
-		curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 30);
-		curl_setopt($curl, CURLOPT_TIMEOUT, 80);
-		curl_setopt($curl, CURLOPT_POST, true);
-		curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($params));
-		curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
-		//        curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);
-		//        curl_setopt($curl, CURLOPT_CAINFO, dirname(__FILE__) . '/../data/ca-certificate.crt');
-
-		$response = curl_exec($curl);
-		curl_close($curl);
-
-		$return = json_decode($response, true);
-
-		if ( ! empty($return['error']))
-		{
-			throw new OAuth2_Exception($return);
-		}
-
-		switch ($params['grant_type'])
-		{
-			case 'authorization_code':
-				return OAuth2_Token::factory('access', $return);
-			break;
-
-			case 'refresh_token':
-				return OAuth2_Token::factory('refresh', $return);
-			break;
-		}
-	}
-
-}

src/Oauth2/Client/Token.php

@@ -1,46 +0,0 @@
-<?php
-
-namespace Oauth2\Client;
-
-abstract class Token
-{
-
-	/**
-	 * Create a new token object.
-	 *
-	 * @param   string  token type
-	 * @param   array   token options
-	 * @return  Token
-	 */
-	public static function factory($name = 'access', array $options = null)
-	{
-		include_once 'Token/'.ucfirst(strtolower($name)).'.php';
-
-		$class = 'Oauth2\Client\Token\\'.ucfirst($name);
-
-		return new $class($options);
-	}
-
-	/**
-	 * Return the value of any protected class variable.
-	 *
-	 * @param   string  variable name
-	 * @return  mixed
-	 */
-	public function __get($key)
-	{
-		return $this->$key;
-	}
-
-	/**
-	 * Return a boolean if the property is set
-	 *
-	 * @param   string  variable name
-	 * @return  bool
-	 */
-	public function __isset($key)
-	{
-		return isset($this->$key);
-	}
-
-} // End Token

src/Oauth2/Client/Token/Access.php

@@ -1,79 +0,0 @@
-<?php
-
-namespace Oauth2\Client\Token;
-
-/**
- * OAuth2 Token
- *
- * @package    OAuth2
- * @category   Token
- * @author     Phil Sturgeon
- * @copyright  (c) 2011 HappyNinjas Ltd
- */
-
-class Access extends \Oauth2\Client\Token
-{
-	/**
-	 * @var  string  accessToken
-	 */
-	protected $accessToken;
-
-	/**
-	 * @var  int  expires
-	 */
-	protected $expires;
-
-	/**
-	 * @var  string  refreshToken
-	 */
-	protected $refreshToken;
-
-	/**
-	 * @var  string  uid
-	 */
-	protected $uid;
-
-	/**
-	 * Sets the token, expiry, etc values.
-	 *
-	 * @param   array   token options
-	 * @return  void
-	 */
-	public function __construct(array $options = null)
-	{
-		if ( ! isset($options['access_token'])) {
-			throw new \BadMethodCallException('Required option not passed: access_token'.PHP_EOL.print_r($options, true));
-		}
-
-		$this->accessToken = $options['access_token'];
-
-		// Some providers (not many) give the uid here, so lets take it
-		isset($options['uid']) and $this->uid = $options['uid'];
-
-		//Vkontakte uses user_id instead of uid
-		isset($options['user_id']) and $this->uid = $options['user_id'];
-
-		//Mailru uses x_mailru_vid instead of uid
-		isset($options['x_mailru_vid']) and $this->uid = $options['x_mailru_vid'];
-
-		// We need to know when the token expires, add num. seconds to current time
-		isset($options['expires_in']) and $this->expires = time() + ((int) $options['expires_in']);
-
-		// Facebook is just being a spec ignoring jerk
-		isset($options['expires']) and $this->expires = time() + ((int) $options['expires']);
-
-		// Grab a refresh token so we can update access tokens when they expires
-		isset($options['refresh_token']) and $this->refreshToken = $options['refresh_token'];
-	}
-
-	/**
-	 * Returns the token key.
-	 *
-	 * @return  string
-	 */
-	public function __toString()
-	{
-		return (string) $this->accessToken;
-	}
-
-}

src/Oauth2/Client/Token/Authorize.php

@@ -1,55 +0,0 @@
-<?php
-/**
- * OAuth2 Token
- *
- * @package    OAuth2
- * @category   Token
- * @author     Phil Sturgeon
- * @copyright  (c) 2011 HappyNinjas Ltd
- */
-
-class Authorize extends \Oauth2\Client\Token
-{
-	/**
-	 * @var  string  code
-	 */
-	protected $code;
-
-	/**
-	 * @var  string  redirect_uri
-	 */
-	protected $redirectUri;
-
-	/**
-	 * Sets the token, expiry, etc values.
-	 *
-	 * @param   array   token options
-	 * @return  void
-	 */
-	public function __construct(array $options)
-	{
-		if ( ! isset($options['code'])) {
-
-            throw new Exception('Required option not passed: code');
-
-        } elseif ( ! isset($options['redirect_uri'])) {
-
-            throw new Exception('Required option not passed: redirect_uri');
-
-        }
-
-		$this->code = $options['code'];
-		$this->redirectUri = $options['redirect_uri'];
-	}
-
-	/**
-	 * Returns the token key.
-	 *
-	 * @return  string
-	 */
-	public function __toString()
-	{
-		return (string) $this->code;
-	}
-
-}

src/Oauth2/Resource/Database.php

@@ -1,59 +0,0 @@
-<?php
-
-namespace Oauth2\Resource;
-
-interface Database
-{
-    /**
-     * Validate an access token and return the session details.
-     * 
-     * Database query:
-     * 
-     * <code>
-     * SELECT id, owner_type, owner_id FROM oauth_sessions WHERE access_token =
-     *  $accessToken AND stage = 'granted' AND
-     *  access_token_expires > UNIX_TIMESTAMP(now())
-     * </code>
-     * 
-     * Response:
-     * 
-     * <code>
-     * Array
-     * (
-     *     [id] => (int) The session ID
-     *     [owner_type] => (string) The session owner type
-     *     [owner_id] => (string) The session owner's ID
-     * )
-     * </code>
-     * 
-     * @param  string     $accessToken The access token
-     * @return array|bool              Return an array on success or false on failure
-     */
-    public function validateAccessToken($accessToken);
-
-    /**
-     * Returns the scopes that the session is authorised with.
-     * 
-     * Database query:
-     * 
-     * <code>
-     * SELECT scope FROM oauth_session_scopes WHERE access_token =
-     *  '291dca1c74900f5f252de351e0105aa3fc91b90b'
-     * </code>
-     * 
-     * Response:
-     * 
-     * <code>
-     * Array
-     * (
-     *      [0] => (string) A scope
-     *      [1] => (string) Another scope
-     *      ...
-     * )
-     * </code>
-     * 
-     * @param  int   $sessionId The session ID
-     * @return array            A list of scopes
-     */
-    public function sessionScopes($sessionId);
-}

src/Oauth2/Resource/Server.php

@@ -1,253 +0,0 @@
-<?php
-
-namespace Oauth2\Resource;
-
-class ServerException extends \Exception
-{
-
-}
-
-class ClientException extends \Exception
-{
-
-}
-
-class Server
-{
-    /**
-     * Reference to the database abstractor
-     * @var object
-     */
-    private $_db = null;
-
-    /**
-     * The access token.
-     * @access private
-     */
-    private $_accessToken = null;
-
-    /**
-     * The scopes the access token has access to.
-     * @access private
-     */
-    private $_scopes = array();
-
-    /**
-     * The type of owner of the access token.
-     * @access private
-     */
-    private $_type = null;
-
-    /**
-     * The ID of the owner of the access token.
-     * @access private
-     */
-    private $_typeId = null;
-
-    /**
-     * Server configuration
-     * @var array
-     */
-    private $_config = array(
-        'token_key' =>  'oauth_token'
-    );
-
-    /**
-     * Error codes.
-     *
-     * To provide i8ln errors just overwrite the keys
-     *
-     * @var array
-     */
-    public $errors = array(
-        'missing_access_token'  =>  'An access token was not presented with the request',
-        'invalid_access_token'  =>  'The access token is not registered with the resource server',
-        'missing_access_token_details'  =>  'The registered database abstractor did not return a valid access token details response',
-        'invalid_access_token_scopes'   =>  'The registered database abstractor did not return a valid access token scopes response',
-    );
-
-    /**
-     * Constructor
-     *
-     * @access public
-     * @return void
-     */
-    public function __construct($options = null)
-    {
-        if ($options !== null) {
-            $this->config = array_merge($this->config, $options);
-        }
-    }
-
-    /**
-     * Magic method to test if access token represents a particular owner type
-     * @param  string $method     The method name
-     * @param  mixed  $arguements The method arguements
-     * @return bool               If method is valid, and access token is owned by the requested party then true,
-     */
-    public function __call($method, $arguements = null)
-    {
-        if (substr($method, 0, 2) === 'is') {
-
-            if ($this->_type === strtolower(substr($method, 2))) {
-                return $this->_typeId;
-            }
-
-            return false;
-        }
-
-        trigger_error('Call to undefined function ' . $method . '()');
-    }
-
-    /**
-     * Register a database abstrator class
-     *
-     * @access public
-     * @param  object $db A class that implements OAuth2ServerDatabase
-     * @return void
-     */
-    public function registerDbAbstractor($db)
-    {
-        $this->_db = $db;
-    }
-
-    /**
-     * Init function
-     *
-     * @access public
-     * @return void
-     */
-    public function init()
-    {
-        $accessToken = null;
-
-        $_SERVER['REQUEST_METHOD'] = isset($_SERVER['REQUEST_METHOD']) ?
-                                                $_SERVER['REQUEST_METHOD'] :
-                                                null;
-
-        // Try and get the access token via an access_token or oauth_token parameter
-        switch ($_SERVER['REQUEST_METHOD'])
-        {
-            case 'POST':
-                $accessToken = isset($_POST[$this->_config['token_key']]) ?
-                                        $_POST[$this->_config['token_key']] :
-                                        null;
-                break;
-
-            default:
-            $accessToken = isset($_GET[$this->_config['token_key']]) ?
-                                        $_GET[$this->_config['token_key']] :
-                                        null;
-                break;
-        }
-
-        // Try and get an access token from the auth header
-        if (function_exists('getallheaders')) {
-
-            $headers = getallheaders();
-
-            if (isset($headers['Authorization'])) {
-
-                $rawToken = trim(str_replace('Bearer', '', $headers['Authorization']));
-
-                if ( ! empty($rawToken)) {
-                    $accessToken = $rawToken;
-                }
-            }
-        }
-
-        if ($accessToken) {
-
-            $result = $this->_dbCall('validateAccessToken', $accessToken);
-
-            if ($result === false) {
-
-                throw new ClientException($this->errors['invalid_access_token']);
-
-            } else {
-
-                if ( ! array_key_exists('id', $result) ||
-                     ! array_key_exists('owner_id', $result) ||
-                     ! array_key_exists('owner_type', $result)) {
-                    throw new ServerException($this->errors['missing_access_token_details']);
-                }
-
-                $this->_accessToken = $accessToken;
-                $this->_type = $result['owner_type'];
-                $this->_typeId = $result['owner_id'];
-
-                // Get the scopes
-                $scopes = $this->_dbCall('sessionScopes', $result['id']);
-
-                if ( ! is_array($scopes))
-                {
-                    throw new ServerException($this->errors['invalid_access_token_scopes']);
-                }
-
-                $this->_scopes = $scopes;
-            }
-
-        } else {
-
-            throw new ClientException($this->errors['missing_access_token']);
-
-        }
-    }
-
-    /**
-     * Test if the access token has a specific scope
-     *
-     * @param mixed $scopes Scope(s) to check
-     *
-     * @access public
-     * @return string|bool
-     */
-    public function hasScope($scopes)
-    {
-        if (is_string($scopes)) {
-
-            if (in_array($scopes, $this->_scopes)) {
-                return true;
-            }
-
-            return false;
-
-        } elseif (is_array($scopes)) {
-
-            foreach ($scopes as $scope) {
-
-                if ( ! in_array($scope, $this->_scopes)) {
-                    return false;
-                }
-
-            }
-
-            return true;
-        }
-
-        return false;
-    }
-
-    /**
-     * Call database methods from the abstractor
-     *
-     * @return mixed The query result
-     */
-    private function _dbCall()
-    {
-        if ($this->_db === null) {
-            throw new ServerException('No registered database abstractor');
-        }
-
-        if ( ! $this->_db instanceof Database) {
-            throw new ServerException('The registered database abstractor is not an instance of Oauth2\Resource\Database');
-        }
-
-        $args = func_get_args();
-        $method = $args[0];
-        unset($args[0]);
-        $params = array_values($args);
-
-        return call_user_func_array(array($this->_db, $method), $params);
-    }
-}

tests/Bootstrap.php

@@ -0,0 +1,6 @@
+<?php
+
+if ( ! @include_once __DIR__ . '/../vendor/autoload.php')
+{
+    exit("You must set up the project dependencies, run the following commands:\n> wget http://getcomposer.org/composer.phar\n> php composer.phar install\n");
+}

tests/authentication/database_mock.php

@@ -1,191 +0,0 @@
-<?php
-
-use Oauth2\Authentication\Database;
-
-class OAuthdb implements Database
-{
-	private $sessions = array();
-	private $sessions_client_type_id = array();
-	private $sessions_code = array();
-	private $session_scopes = array();
-
-	private $clients = array(0 => array(
-		'client_id'	=>	'test',
-		'client_secret'	=>	'test',
-		'redirect_uri'	=>	'http://example.com/test',
-		'name'	=>	'Test Client'
-	));
-
-	private $scopes = array('test' => array(
-		'id'	=>	1,
-		'scope'	=>	'test',
-		'name'	=>	'test',
-		'description'	=>	'test'
-	));
-
-	public function validateClient(
-        $clientId,
-        $clientSecret = null,
-        $redirectUri = null
-    )
-    {
-    	if ($clientId !== $this->clients[0]['client_id'])
-    	{
-    		return false;
-    	}
-
-    	if ($clientSecret !== null && $clientSecret !== $this->clients[0]['client_secret'])
-    	{
-    		return false;
-    	}
-
-    	if ($redirectUri !== null && $redirectUri !== $this->clients[0]['redirect_uri'])
-    	{
-    		return false;
-    	}
-
-    	return $this->clients[0];
-    }
-
-    public function newSession(
-        $clientId,
-        $redirectUri,
-        $type = 'user',
-        $typeId = null,
-        $authCode = null,
-        $accessToken = null,
-        $accessTokenExpire = null,
-        $stage = 'requested'
-    )
-    {
-    	$id = count($this->sessions);
-
-    	$this->sessions[$id] = array(
-    		'id'	=>	$id,
-    		'client_id'	=>	$clientId,
-    		'redirect_uri'	=>	$redirectUri,
-    		'owner_type'	=>	$type,
-    		'owner_id'	=>	$typeId,
-    		'auth_code'	=>	$authCode,
-    		'access_token'	=>	$accessToken,
-    		'access_token_expire'	=>	$accessTokenExpire,
-    		'stage'	=>	$stage
-    	);
-
-    	$this->sessions_client_type_id[$clientId . ':' . $type . ':' . $typeId] = $id;
-    	$this->sessions_code[$clientId . ':' . $redirectUri . ':' . $authCode] = $id;
-
-    	return true;
-    }
-
-    public function updateSession(
-        $sessionId,
-        $authCode = null,
-        $accessToken = null,
-        $accessTokenExpire = null,
-        $stage = 'requested'
-    )
-    {
-    	$this->sessions[$sessionId]['auth_code'] = $authCode;
-    	$this->sessions[$sessionId]['access_token'] = $accessToken;
-    	$this->sessions[$sessionId]['access_token_expire'] = $accessTokenExpire;
-    	$this->sessions[$sessionId]['stage'] = $stage;
-
-    	return true;
-    }
-
-    public function deleteSession(
-        $clientId,
-        $type,
-        $typeId
-    )
-    {
-    	$key = $clientId . ':' . $type . ':' . $typeId;
-    	if (isset($this->sessions_client_type_id[$key]))
-    	{
-    		unset($this->sessions[$this->sessions_client_type_id[$key]]);
-    	}
-    	return true;
-    }
-
-    public function validateAuthCode(
-        $clientId,
-        $redirectUri,
-        $authCode
-    )
-    {
-    	$key = $clientId . ':' . $redirectUri . ':' . $authCode;
-
-    	if (isset($this->sessions_code[$key]))
-    	{
-    		return $this->sessions[$this->sessions_code[$key]];
-    	}
-
-    	return false;
-    }
-
-    public function hasSession(
-        $type,
-        $typeId,
-        $clientId
-    )
-    {
-    	die('not implemented hasSession');
-    }
-
-    public function getAccessToken($sessionId)
-    {
-    	die('not implemented getAccessToken');
-    }
-
-    public function removeAuthCode($sessionId)
-    {
-    	die('not implemented removeAuthCode');
-    }
-
-    public function setAccessToken(
-        $sessionId,
-        $accessToken
-    )
-    {
-    	die('not implemented setAccessToken');
-    }
-
-    public function addSessionScope(
-        $sessionId,
-        $scope
-    )
-    {
-    	if ( ! isset($this->session_scopes[$sessionId]))
-    	{
-    		$this->session_scopes[$sessionId] = array();
-    	}
-
-    	$this->session_scopes[$sessionId][] = $scope;
-
-    	return true;
-    }
-
-    public function getScope($scope)
-    {
-    	if ( ! isset($this->scopes[$scope]))
-    	{
-    		return false;
-    	}
-
-    	return $this->scopes[$scope];
-    }
-
-    public function updateSessionScopeAccessToken(
-        $sessionId,
-        $accessToken
-    )
-    {
-    	return true;
-    }
-
-    public function accessTokenScopes($accessToken)
-    {
-    	die('not implemented accessTokenScopes');
-    }
-}

tests/authentication/server_test.php

@@ -1,398 +0,0 @@
-<?php
-
-class Authentication_Server_test extends PHPUnit_Framework_TestCase {
-
-	function setUp()
-	{
-		$this->oauth = new Oauth2\Authentication\Server();
-
-		require_once('database_mock.php');
-		$this->oauthdb = new OAuthdb();
-		$this->assertInstanceOf('Oauth2\Authentication\Database', $this->oauthdb);
-		$this->oauth->registerDbAbstractor($this->oauthdb);
-	}
-
-	function test_generateCode()
-	{
-		$reflector = new ReflectionClass($this->oauth);
-		$method = $reflector->getMethod('generateCode');
-		$method->setAccessible(true);
-
-		$result = $method->invoke($this->oauth);
-		$result2 = $method->invoke($this->oauth);
-
-		$this->assertEquals(40, strlen($result));
-		$this->assertNotEquals($result, $result2);
-	}
-
-	function test_redirectUri()
-	{
-		$result1 = $this->oauth->redirectUri('http://example.com/foo');
-		$result2 = $this->oauth->redirectUri('http://example.com/foo', array('foo' => 'bar'));
-		$result3 = $this->oauth->redirectUri('http://example.com/foo', array('foo' => 'bar'), '#');
-
-		$this->assertEquals('http://example.com/foo?', $result1);
-		$this->assertEquals('http://example.com/foo?foo=bar', $result2);
-		$this->assertEquals('http://example.com/foo#foo=bar', $result3);
-	}
-
-	function test_checkClientAuthoriseParams_GET()
-	{
-		$_GET['client_id'] = 'test';
-		$_GET['redirect_uri'] = 'http://example.com/test';
-		$_GET['response_type'] = 'code';
-		$_GET['scope'] = 'test';
-		
-		$expect = array(
-			'client_id'	=>	'test',
-			'redirect_uri'	=>	'http://example.com/test',
-			'response_type'	=>	'code',
-			'scopes'	=>	array(
-					0 => array(
-					'id'	=>	1,
-					'scope'	=>	'test',
-					'name'	=>	'test',
-					'description'	=>	'test'
-				)
-			)
-		);
-
-		$result = $this->oauth->checkClientAuthoriseParams();
-
-		$this->assertEquals($expect, $result);
-	}
-
-	function test_checkClientAuthoriseParams_PassedParams()
-	{
-		unset($_GET['client_id']);
-		unset($_GET['redirect_uri']);
-		unset($_GET['response_type']);
-		unset($_GET['scope']);
-
-		$params = array(
-			'client_id'	=>	'test',
-			'redirect_uri'	=>	'http://example.com/test',
-			'response_type'	=>	'code',
-			'scope'	=>	'test'
-		);
-
-		$this->assertEquals(array(
-			'client_id'	=>	'test',
-			'redirect_uri'	=>	'http://example.com/test',
-			'response_type'	=>	'code',
-			'scopes'	=>	array(0 => array(
-				'id'	=>	1,
-				'scope'	=>	'test',
-				'name'	=>	'test',
-				'description'	=>	'test'
-			))
-		), $this->oauth->checkClientAuthoriseParams($params));
-	}
-
-	/**
-	 * @expectedException        Oauth2\Authentication\ClientException
-	 * @expectedExceptionCode    0
-	 */
-	function test_checkClientAuthoriseParams_missingClientId()
-	{
-		$this->oauth->checkClientAuthoriseParams();
-	}
-
-	/**
-	 * @expectedException        Oauth2\Authentication\ClientException
-	 * @expectedExceptionCode    0
-	 */
-	function test_checkClientAuthoriseParams_missingRedirectUri()
-	{
-		$_GET['client_id'] = 'test';
-
-		$this->oauth->checkClientAuthoriseParams();
-	}
-
-	/**
-	 * @expectedException        Oauth2\Authentication\ClientException
-	 * @expectedExceptionCode    0
-	 */
-	function test_checkClientAuthoriseParams_missingResponseType()
-	{
-		$_GET['client_id'] = 'test';
-		$_GET['redirect_uri'] = 'http://example.com/test';
-
-		$this->oauth->checkClientAuthoriseParams();
-	}
-
-	/**
-	 * @expectedException        Oauth2\Authentication\ClientException
-	 * @expectedExceptionCode    0
-	 */
-	function test_checkClientAuthoriseParams_missingScopes()
-	{
-		$_GET['client_id'] = 'test';
-		$_GET['redirect_uri'] = 'http://example.com/test';
-		$_GET['response_type'] = 'code';
-		$_GET['scope'] = ' ';
-
-		$this->oauth->checkClientAuthoriseParams();
-	}
-
-	/**
-	 * @expectedException        Oauth2\Authentication\ClientException
-	 * @expectedExceptionCode    4
-	 */
-	function test_checkClientAuthoriseParams_invalidScopes()
-	{
-		$_GET['client_id'] = 'test';
-		$_GET['redirect_uri'] = 'http://example.com/test';
-		$_GET['response_type'] = 'code';
-		$_GET['scope'] = 'blah';
-
-		$this->oauth->checkClientAuthoriseParams();
-	}
-
-	function test_newAuthoriseRequest()
-	{
-		$result = $this->oauth->newAuthoriseRequest('user', '123', array(
-			'client_id'	=>	'test',
-			'redirect_uri'	=>	'http://example.com/test',
-			'scopes'	=>	array(array(
-				'id'	=>	1,
-				'scope'	=>	'test',
-				'name'	=>	'test',
-				'description'	=>	'test'
-			))
-		));
-
-		$this->assertEquals(40, strlen($result));
-	}
-
-	function test_newAuthoriseRequest_isUnique()
-	{
-		$result1 = $this->oauth->newAuthoriseRequest('user', '123', array(
-			'client_id'	=>	'test',
-			'redirect_uri'	=>	'http://example.com/test',
-			'scopes'	=>	array(array(
-				'id'	=>	1,
-				'scope'	=>	'test',
-				'name'	=>	'test',
-				'description'	=>	'test'
-			))
-		));
-
-		$result2 = $this->oauth->newAuthoriseRequest('user', '123', array(
-			'client_id'	=>	'test',
-			'redirect_uri'	=>	'http://example.com/test',
-			'scopes'	=>	array(array(
-				'id'	=>	1,
-				'scope'	=>	'test',
-				'name'	=>	'test',
-				'description'	=>	'test'
-			))
-		));
-
-		$this->assertNotEquals($result1, $result2);
-	}
-
-	function test_issueAccessToken_POST()
-	{
-		$auth_code = $this->oauth->newAuthoriseRequest('user', '123', array(
-			'client_id'	=>	'test',
-			'redirect_uri'	=>	'http://example.com/test',
-			'scopes'	=>	array(array(
-				'id'	=>	1,
-				'scope'	=>	'test',
-				'name'	=>	'test',
-				'description'	=>	'test'
-			))
-		));
-
-		$_POST['client_id'] = 'test';
-		$_POST['client_secret'] = 'test';
-		$_POST['redirect_uri'] = 'http://example.com/test';
-		$_POST['grant_type'] = 'authorization_code';
-		$_POST['code'] = $auth_code;
-
-		$result = $this->oauth->issueAccessToken();
-
-		$this->assertCount(3, $result);
-		$this->assertArrayHasKey('access_token', $result);
-		$this->assertArrayHasKey('token_type', $result);
-		$this->assertArrayHasKey('expires_in', $result);
-	}
-
-	function test_issueAccessToken_PassedParams()
-	{
-		$auth_code = $this->oauth->newAuthoriseRequest('user', '123', array(
-			'client_id'	=>	'test',
-			'redirect_uri'	=>	'http://example.com/test',
-			'scopes'	=>	array(array(
-				'id'	=>	1,
-				'scope'	=>	'test',
-				'name'	=>	'test',
-				'description'	=>	'test'
-			))
-		));
-
-		$params['client_id'] = 'test';
-		$params['client_secret'] = 'test';
-		$params['redirect_uri'] = 'http://example.com/test';
-		$params['grant_type'] = 'authorization_code';
-		$params['code'] = $auth_code;
-
-		$result = $this->oauth->issueAccessToken($params);
-
-		$this->assertCount(3, $result);
-		$this->assertArrayHasKey('access_token', $result);
-		$this->assertArrayHasKey('token_type', $result);
-		$this->assertArrayHasKey('expires_in', $result);
-	}
-
-	/**
-	 * @expectedException        Oauth2\Authentication\ClientException
-	 * @expectedExceptionCode    0
-	 */
-	function test_issueAccessToken_missingGrantType()
-	{
-		$this->oauth->issueAccessToken();
-	}
-
-	/**
-	 * @expectedException        Oauth2\Authentication\ClientException
-	 * @expectedExceptionCode    7
-	 */
-	function test_issueAccessToken_unsupportedGrantType()
-	{
-		$params['grant_type'] = 'blah';
-
-		$this->oauth->issueAccessToken($params);
-	}
-
-	/**
-	 * @expectedException        Oauth2\Authentication\ClientException
-	 * @expectedExceptionCode    0
-	 */
-	function test_completeAuthCodeGrant_missingClientId()
-	{
-		$reflector = new ReflectionClass($this->oauth);
-		$method = $reflector->getMethod('completeAuthCodeGrant');
-		$method->setAccessible(true);
-
-		$method->invoke($this->oauth);
-	}
-
-	/**
-	 * @expectedException        Oauth2\Authentication\ClientException
-	 * @expectedExceptionCode    0
-	 */
-	function test_completeAuthCodeGrant_missingClientSecret()
-	{
-		$reflector = new ReflectionClass($this->oauth);
-		$method = $reflector->getMethod('completeAuthCodeGrant');
-		$method->setAccessible(true);
-
-		$authParams['client_id'] = 'test';
-
-		$method->invoke($this->oauth, $authParams);
-	}
-
-	/**
-	 * @expectedException        Oauth2\Authentication\ClientException
-	 * @expectedExceptionCode    0
-	 */
-	function test_completeAuthCodeGrant_missingRedirectUri()
-	{
-		$reflector = new ReflectionClass($this->oauth);
-		$method = $reflector->getMethod('completeAuthCodeGrant');
-		$method->setAccessible(true);
-
-		$authParams['client_id'] = 'test';
-		$authParams['client_secret'] = 'test';
-
-		$method->invoke($this->oauth, $authParams);
-	}
-
-	/**
-	 * @expectedException        Oauth2\Authentication\ClientException
-	 * @expectedExceptionCode    8
-	 */
-	function test_completeAuthCodeGrant_invalidClient()
-	{
-		$reflector = new ReflectionClass($this->oauth);
-		$method = $reflector->getMethod('completeAuthCodeGrant');
-		$method->setAccessible(true);
-
-		$authParams['client_id'] = 'test';
-		$authParams['client_secret'] = 'test123';
-		$authParams['redirect_uri'] = 'http://example.com/test';
-
-		$method->invoke($this->oauth, $authParams);
-	}
-
-	/**
-	 * @expectedException        Oauth2\Authentication\ClientException
-	 * @expectedExceptionCode    0
-	 */
-	function test_completeAuthCodeGrant_missingCode()
-	{
-		$reflector = new ReflectionClass($this->oauth);
-		$method = $reflector->getMethod('completeAuthCodeGrant');
-		$method->setAccessible(true);
-
-		$authParams['client_id'] = 'test';
-		$authParams['client_secret'] = 'test';
-		$authParams['redirect_uri'] = 'http://example.com/test';
-
-		$method->invoke($this->oauth, $authParams);
-	}
-
-	/**
-	 * @expectedException        Oauth2\Authentication\ClientException
-	 * @expectedExceptionCode    9
-	 */
-	function test_completeAuthCodeGrant_invalidCode()
-	{
-		$reflector = new ReflectionClass($this->oauth);
-		$method = $reflector->getMethod('completeAuthCodeGrant');
-		$method->setAccessible(true);
-
-		$authParams['client_id'] = 'test';
-		$authParams['client_secret'] = 'test';
-		$authParams['redirect_uri'] = 'http://example.com/test';
-		$authParams['code'] = 'blah';
-
-		$method->invoke($this->oauth, $authParams);
-	}
-
-	/**
-	 * @expectedException        Oauth2\Authentication\ServerException
-	 * @expectedExceptionMessage No registered database abstractor
-	 */
-	function test_noRegisteredDatabaseAbstractor()
-	{
-		$reflector = new ReflectionClass($this->oauth);
-		$method = $reflector->getMethod('_dbCall');
-		$method->setAccessible(true);
-
-		$dbAbstractor = $reflector->getProperty('_db');
-		$dbAbstractor->setAccessible(true);
-		$dbAbstractor->setValue($this->oauth, null);
-
-		$result = $method->invoke($this->oauth);
-	}
-
-	/**
-	 * @expectedException        Oauth2\Authentication\ServerException
-	 * @expectedExceptionMessage Registered database abstractor is not an instance of Oauth2\Authentication\Database
-	 */
-	function test_invalidRegisteredDatabaseAbstractor()
-	{
-		$fake = new stdClass;
-		$this->oauth->registerDbAbstractor($fake);
-
-		$reflector = new ReflectionClass($this->oauth);
-		$method = $reflector->getMethod('_dbCall');
-		$method->setAccessible(true);
-
-		$result = $method->invoke($this->oauth);
-	}
-
-}

tests/authorization/AuthCodeGrantTest.php

@@ -0,0 +1,375 @@
+<?php
+
+use \Mockery as m;
+
+class Auth_Code_Grant_Test extends PHPUnit_Framework_TestCase
+{
+    private $client;
+    private $session;
+    private $scope;
+
+    public function setUp()
+    {
+        $this->client = M::mock('League\OAuth2\Server\Storage\ClientInterface');
+        $this->session = M::mock('League\OAuth2\Server\Storage\SessionInterface');
+        $this->scope = M::mock('League\OAuth2\Server\Storage\ScopeInterface');
+    }
+
+    private function returnDefault()
+    {
+        return new League\OAuth2\Server\Authorization($this->client, $this->session, $this->scope);
+    }
+
+    public function test_setAuthTokenTTL()
+    {
+        $a = $this->returnDefault();
+        $grant = new League\OAuth2\Server\Grant\AuthCode($a);
+        $grant->setAuthTokenTTL(30);
+
+        $reflector = new ReflectionClass($grant);
+        $requestProperty = $reflector->getProperty('authTokenTTL');
+        $requestProperty->setAccessible(true);
+        $v = $requestProperty->getValue($grant);
+
+        $this->assertEquals(30, $v);
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    0
+     */
+    public function test_checkAuthoriseParams_noClientId()
+    {
+        $a = $this->returnDefault();
+        $g = new League\OAuth2\Server\Grant\AuthCode($a);
+        $a->addGrantType($g);
+        $g->checkAuthoriseParams();
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    0
+     */
+    public function test_checkAuthoriseParams_noRedirectUri()
+    {
+        $a = $this->returnDefault();
+        $g = new League\OAuth2\Server\Grant\AuthCode($a);
+        $a->addGrantType($g);
+        $g->checkAuthoriseParams(array(
+            'client_id' =>  1234
+        ));
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    0
+     */
+    public function test_checkAuthoriseParams_noRequiredState()
+    {
+        $a = $this->returnDefault();
+        $g = new League\OAuth2\Server\Grant\AuthCode($a);
+        $a->addGrantType($g);
+        $a->requireStateParam(true);
+        $g->checkAuthoriseParams(array(
+            'client_id' =>  1234,
+            'redirect_uri'  =>  'http://foo/redirect'
+        ));
+    }
+
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    8
+     */
+    public function test_checkAuthoriseParams_badClient()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(false);
+
+        $a = $this->returnDefault();
+        $g = new League\OAuth2\Server\Grant\AuthCode($a);
+        $a->addGrantType($g);
+        $g->checkAuthoriseParams(array(
+            'client_id' =>  1234,
+            'redirect_uri'  =>  'http://foo/redirect'
+        ));
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    0
+     */
+    public function test_checkAuthoriseParams_missingResponseType()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $a = $this->returnDefault();
+        $g = new League\OAuth2\Server\Grant\AuthCode($a);
+        $a->addGrantType($g);
+        $g->checkAuthoriseParams(array(
+            'client_id' =>  1234,
+            'redirect_uri'  =>  'http://foo/redirect'
+        ));
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    3
+     */
+    public function test_checkAuthoriseParams_badResponseType()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $a = $this->returnDefault();
+        $g = new League\OAuth2\Server\Grant\AuthCode($a);
+        $a->addGrantType($g);
+        $g->checkAuthoriseParams(array(
+            'client_id' =>  1234,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'response_type' =>  'foo'
+        ));
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    0
+     */
+    public function test_checkAuthoriseParams_missingScopes()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $a = $this->returnDefault();
+        $g = new League\OAuth2\Server\Grant\AuthCode($a);
+        $a->addGrantType($g);
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
+
+        $g->checkAuthoriseParams(array(
+            'client_id' =>  1234,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'response_type' =>  'code',
+            'scope' =>  ''
+        ));
+    }
+
+    public function test_checkAuthoriseParams_defaultScope()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->scope->shouldReceive('getScope')->andReturn(array(
+            'id'    =>  1,
+            'scope' =>  'foo',
+            'name'  =>  'Foo Name',
+            'description'   =>  'Foo Name Description'
+        ));
+
+        $a = $this->returnDefault();
+        $g = new League\OAuth2\Server\Grant\AuthCode($a);
+        $a->addGrantType($g);
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
+        $a->setDefaultScope('test.scope');
+        $a->requireScopeParam(false);
+
+        $params = $g->checkAuthoriseParams(array(
+            'client_id' =>  1234,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'response_type' =>  'code',
+            'scope'    =>  ''
+        ));
+
+        $this->assertArrayHasKey('scopes', $params);
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    4
+     */
+    public function test_checkAuthoriseParams_badScopes()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->scope->shouldReceive('getScope')->andReturn(false);
+
+        $a = $this->returnDefault();
+        $g = new League\OAuth2\Server\Grant\AuthCode($a);
+        $a->addGrantType($g);
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
+
+        $g->checkAuthoriseParams(array(
+            'client_id' =>  1234,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'response_type' =>  'code',
+            'scope' =>  'foo'
+        ));
+    }
+
+    public function test_checkAuthoriseParams_passedInput()
+    {
+        $a = $this->returnDefault();
+        $g = new League\OAuth2\Server\Grant\AuthCode($a);
+        $a->addGrantType($g);
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
+
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->scope->shouldReceive('getScope')->andReturn(array(
+            'id'    =>  1,
+            'scope' =>  'foo',
+            'name'  =>  'Foo Name',
+            'description'   =>  'Foo Name Description'
+        ));
+
+        $v = $g->checkAuthoriseParams(array(
+            'client_id' =>  1234,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'response_type' =>  'code',
+            'scope' =>  'foo',
+            'state' =>  'xyz'
+        ));
+
+        $this->assertEquals(array(
+            'client_id' =>  1234,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'client_details' => array(
+                'client_id' => 1234,
+                'client_secret' => 5678,
+                'redirect_uri' => 'http://foo/redirect',
+                'name' => 'Example Client'
+            ),
+            'response_type' =>  'code',
+            'scopes'    =>  array(
+                array(
+                    'id'    =>  1,
+                    'scope' =>  'foo',
+                    'name'  =>  'Foo Name',
+                    'description'   =>  'Foo Name Description'
+                )
+            ),
+            'scope' =>  'foo',
+            'state' =>  'xyz'
+        ), $v);
+    }
+
+    public function test_checkAuthoriseParams()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->scope->shouldReceive('getScope')->andReturn(array(
+            'id'    =>  1,
+            'scope' =>  'foo',
+            'name'  =>  'Foo Name',
+            'description'   =>  'Foo Name Description'
+        ));
+
+        $a = $this->returnDefault();
+        $g = new League\OAuth2\Server\Grant\AuthCode($a);
+        $a->addGrantType($g);
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
+
+        $_GET['client_id'] = 1234;
+        $_GET['redirect_uri'] = 'http://foo/redirect';
+        $_GET['response_type'] = 'code';
+        $_GET['scope'] = 'foo';
+        $_GET['state'] = 'xyz';
+
+        $request = new League\OAuth2\Server\Util\Request($_GET);
+        $a->setRequest($request);
+
+        $v = $g->checkAuthoriseParams();
+
+        $this->assertEquals(array(
+            'client_id' =>  1234,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'client_details' => array(
+                'client_id' => 1234,
+                'client_secret' => 5678,
+                'redirect_uri' => 'http://foo/redirect',
+                'name' => 'Example Client'
+            ),
+            'response_type' =>  'code',
+            'scopes'    =>  array(
+                array(
+                    'id'    =>  1,
+                    'scope' =>  'foo',
+                    'name'  =>  'Foo Name',
+                    'description'   =>  'Foo Name Description'
+                )
+            ),
+            'scope' =>  'foo',
+            'state' =>  'xyz'
+        ), $v);
+    }
+
+
+    function test_newAuthoriseRequest()
+    {
+        $this->session->shouldReceive('deleteSession')->andReturn(null);
+        $this->session->shouldReceive('createSession')->andReturn(1);
+        $this->session->shouldReceive('associateScope')->andReturn(null);
+        $this->session->shouldReceive('associateRedirectUri')->andReturn(null);
+        $this->session->shouldReceive('associateAuthCode')->andReturn(null);
+
+        $a = $this->returnDefault();
+        $g = new League\OAuth2\Server\Grant\AuthCode($a);
+        $a->addGrantType($g);
+
+        $params = array(
+            'client_id' =>  1234,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'client_details' => array(
+                'client_id' => 1234,
+                'client_secret' => 5678,
+                'redirect_uri' => 'http://foo/redirect',
+                'name' => 'Example Client'
+            ),
+            'response_type' =>  'code',
+            'scopes'    =>  array(
+                array(
+                    'id'    =>  1,
+                    'scope' =>  'foo',
+                    'name'  =>  'Foo Name',
+                    'description'   =>  'Foo Name Description'
+                )
+            )
+        );
+
+        $v = $g->newAuthoriseRequest('user', 123, $params);
+
+        $this->assertEquals(40, strlen($v));
+    }
+
+
+}

tests/authorization/AuthServerTest.php

@@ -0,0 +1,507 @@
+<?php
+
+use \Mockery as m;
+
+class Authorization_Server_test extends PHPUnit_Framework_TestCase
+{
+    private $client;
+    private $session;
+    private $scope;
+
+    public function setUp()
+    {
+        $this->client = M::mock('League\OAuth2\Server\Storage\ClientInterface');
+        $this->session = M::mock('League\OAuth2\Server\Storage\SessionInterface');
+        $this->scope = M::mock('League\OAuth2\Server\Storage\ScopeInterface');
+    }
+
+    private function returnDefault()
+    {
+        return new League\OAuth2\Server\Authorization($this->client, $this->session, $this->scope);
+    }
+
+    /**
+     * @expectedException PHPUnit_Framework_Error
+     */
+    public function test__construct_NoStorage()
+    {
+        new League\OAuth2\Server\Authorization;
+    }
+
+    public function test__contruct_WithStorage()
+    {
+        $this->returnDefault();
+    }
+
+    public function test_getExceptionMessage()
+    {
+        $m = League\OAuth2\Server\Authorization::getExceptionMessage('access_denied');
+
+        $reflector = new ReflectionClass($this->returnDefault());
+        $exceptionMessages = $reflector->getProperty('exceptionMessages');
+        $exceptionMessages->setAccessible(true);
+        $v = $exceptionMessages->getValue();
+
+        $this->assertEquals($v['access_denied'], $m);
+    }
+
+    public function test_getExceptionCode()
+    {
+        $this->assertEquals('access_denied', League\OAuth2\Server\Authorization::getExceptionType(2));
+    }
+
+    public function test_getExceptionHttpHeaders()
+    {
+        $this->assertEquals(array('HTTP/1.1 401 Unauthorized'), League\OAuth2\Server\Authorization::getExceptionHttpHeaders('access_denied'));
+        $this->assertEquals(array('HTTP/1.1 500 Internal Server Error'), League\OAuth2\Server\Authorization::getExceptionHttpHeaders('server_error'));
+        $this->assertEquals(array('HTTP/1.1 501 Not Implemented'), League\OAuth2\Server\Authorization::getExceptionHttpHeaders('unsupported_grant_type'));
+        $this->assertEquals(array('HTTP/1.1 400 Bad Request'), League\OAuth2\Server\Authorization::getExceptionHttpHeaders('invalid_refresh'));
+    }
+
+    public function test_hasGrantType()
+    {
+        $a = $this->returnDefault();
+        $this->assertFalse($a->hasGrantType('test'));
+    }
+
+    public function test_addGrantType()
+    {
+        $a = $this->returnDefault();
+        $grant = M::mock('League\OAuth2\Server\Grant\GrantTypeInterface');
+        $grant->shouldReceive('getResponseType')->andReturn('test');
+        $a->addGrantType($grant, 'test');
+
+        $this->assertTrue($a->hasGrantType('test'));
+    }
+
+    public function test_addGrantType_noIdentifier()
+    {
+        $a = $this->returnDefault();
+        $grant = M::mock('League\OAuth2\Server\Grant\GrantTypeInterface');
+        $grant->shouldReceive('getIdentifier')->andReturn('test');
+        $grant->shouldReceive('getResponseType')->andReturn('test');
+        $a->addGrantType($grant);
+
+        $this->assertTrue($a->hasGrantType('test'));
+    }
+
+    public function test_getScopeDelimeter()
+    {
+        $a = $this->returnDefault();
+        $this->assertEquals(' ', $a->getScopeDelimeter());
+    }
+
+    public function test_setScopeDelimeter()
+    {
+        $a = $this->returnDefault();
+        $a->setScopeDelimeter(',');
+        $this->assertEquals(',', $a->getScopeDelimeter());
+    }
+
+    public function test_requireScopeParam()
+    {
+        $a = $this->returnDefault();
+        $a->requireScopeParam(false);
+
+        $reflector = new ReflectionClass($a);
+        $requestProperty = $reflector->getProperty('requireScopeParam');
+        $requestProperty->setAccessible(true);
+        $v = $requestProperty->getValue($a);
+
+        $this->assertFalse($v);
+    }
+
+    public function test_scopeParamRequired()
+    {
+        $a = $this->returnDefault();
+        $a->requireScopeParam(false);
+
+        $this->assertFalse($a->scopeParamRequired());
+    }
+
+    public function test_setDefaultScope()
+    {
+        $a = $this->returnDefault();
+        $a->setDefaultScope('test.default');
+
+        $reflector = new ReflectionClass($a);
+        $requestProperty = $reflector->getProperty('defaultScope');
+        $requestProperty->setAccessible(true);
+        $v = $requestProperty->getValue($a);
+
+        $this->assertEquals('test.default', $v);
+    }
+
+    public function test_getDefaultScope()
+    {
+        $a = $this->returnDefault();
+        $a->setDefaultScope('test.default');
+        $this->assertEquals('test.default', $a->getDefaultScope());
+    }
+
+    public function test_requireStateParam()
+    {
+        $a = $this->returnDefault();
+        $a->requireStateParam(true);
+
+        $reflector = new ReflectionClass($a);
+        $requestProperty = $reflector->getProperty('requireStateParam');
+        $requestProperty->setAccessible(true);
+        $v = $requestProperty->getValue($a);
+
+        $this->assertTrue($v);
+    }
+
+    public function test_getAccessTokenTTL()
+    {
+        $a = $this->returnDefault();
+        $a->setAccessTokenTTL(7200);
+        $this->assertEquals(7200, $a->getAccessTokenTTL());
+    }
+
+    public function test_setAccessTokenTTL()
+    {
+        $a = $this->returnDefault();
+        $a->setScopeDelimeter(';');
+        $this->assertEquals(';', $a->getScopeDelimeter());
+    }
+
+    public function test_setRequest()
+    {
+        $a = $this->returnDefault();
+        $request = new League\OAuth2\Server\Util\Request();
+        $a->setRequest($request);
+
+        $reflector = new ReflectionClass($a);
+        $requestProperty = $reflector->getProperty('request');
+        $requestProperty->setAccessible(true);
+        $v = $requestProperty->getValue($a);
+
+        $this->assertTrue($v instanceof League\OAuth2\Server\Util\RequestInterface);
+    }
+
+    public function test_getRequest()
+    {
+        $a = $this->returnDefault();
+        $request = new League\OAuth2\Server\Util\Request();
+        $a->setRequest($request);
+        $v = $a->getRequest();
+
+        $this->assertTrue($v instanceof League\OAuth2\Server\Util\RequestInterface);
+    }
+
+    public function test_getStorage()
+    {
+        $a = $this->returnDefault();
+        $this->assertTrue($a->getStorage('session') instanceof League\OAuth2\Server\Storage\SessionInterface);
+    }
+
+    public function test_getGrantType()
+    {
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
+
+        $reflector = new ReflectionClass($a);
+        $method = $reflector->getMethod('getGrantType');
+        $method->setAccessible(true);
+
+        $result = $method->invoke($a, 'authorization_code');
+
+        $this->assertTrue($result instanceof League\OAuth2\Server\Grant\GrantTypeInterface);
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\InvalidGrantTypeException
+     * @expectedExceptionCode    9
+     */
+    public function test_getGrantType_fail()
+    {
+        $a = $this->returnDefault();
+        $a->getGrantType('blah');
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    0
+     */
+    public function test_issueAccessToken_missingGrantType()
+    {
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
+
+        $a->issueAccessToken();
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    7
+     */
+    public function test_issueAccessToken_badGrantType()
+    {
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
+
+        $a->issueAccessToken(array('grant_type' => 'foo'));
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    0
+     */
+    public function test_issueAccessToken_missingClientId()
+    {
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
+
+        $a->issueAccessToken(array(
+            'grant_type'    =>  'authorization_code'
+        ));
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    0
+     */
+    public function test_issueAccessToken_missingClientSecret()
+    {
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
+
+        $a->issueAccessToken(array(
+            'grant_type'    =>  'authorization_code',
+            'client_id' =>  1234
+        ));
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    0
+     */
+    public function test_issueAccessToken_missingRedirectUri()
+    {
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
+
+        $a->issueAccessToken(array(
+            'grant_type'    =>  'authorization_code',
+            'client_id' =>  1234,
+            'client_secret' =>  5678
+        ));
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    8
+     */
+    public function test_issueAccessToken_badClient()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(false);
+
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
+
+        $a->issueAccessToken(array(
+            'grant_type'    =>  'authorization_code',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect'
+        ));
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    0
+     */
+    public function test_issueAccessToken_missingCode()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array());
+
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
+
+        $a->issueAccessToken(array(
+            'grant_type'    =>  'authorization_code',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect'
+        ));
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    9
+     */
+    public function test_issueAccessToken_badCode()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array());
+        $this->session->shouldReceive('validateAuthCode')->andReturn(false);
+
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
+
+        $a->issueAccessToken(array(
+            'grant_type'    =>  'authorization_code',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'code'  =>  'foobar'
+        ));
+    }
+
+    public function test_issueAccessToken_passedInput()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->session->shouldReceive('validateAuthCode')->andReturn(array(
+            'id'    =>  1,
+            'scope_ids' =>  '1'
+        ));
+        $this->session->shouldReceive('updateSession')->andReturn(null);
+        $this->session->shouldReceive('removeAuthCode')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+        $this->session->shouldReceive('associateScope')->andReturn(null);
+
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
+
+        $v = $a->issueAccessToken(array(
+            'grant_type'    =>  'authorization_code',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'code'  =>  'foobar'
+        ));
+
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
+
+        $this->assertEquals($a->getAccessTokenTTL(), $v['expires_in']);
+        $this->assertEquals(time()+$a->getAccessTokenTTL(), $v['expires']);
+    }
+
+    public function test_issueAccessToken()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('updateSession')->andReturn(null);
+        $this->session->shouldReceive('removeAuthCode')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
+
+        $_POST['grant_type'] = 'authorization_code';
+        $_POST['client_id'] = 1234;
+        $_POST['client_secret'] = 5678;
+        $_POST['redirect_uri'] = 'http://foo/redirect';
+        $_POST['code'] = 'foobar';
+
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
+        $a->setRequest($request);
+
+        $v = $a->issueAccessToken();
+
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
+
+        $this->assertEquals($a->getAccessTokenTTL(), $v['expires_in']);
+        $this->assertEquals(time()+$a->getAccessTokenTTL(), $v['expires']);
+    }
+
+    public function test_issueAccessToken_customExpiresIn()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('updateSession')->andReturn(null);
+        $this->session->shouldReceive('removeAuthCode')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+
+        $a = $this->returnDefault();
+        $grant = new League\OAuth2\Server\Grant\AuthCode($a);
+        $grant->setAccessTokenTTL(30);
+        $a->addGrantType($grant);
+
+        $_POST['grant_type'] = 'authorization_code';
+        $_POST['client_id'] = 1234;
+        $_POST['client_secret'] = 5678;
+        $_POST['redirect_uri'] = 'http://foo/redirect';
+        $_POST['code'] = 'foobar';
+
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
+        $a->setRequest($request);
+
+        $v = $a->issueAccessToken();
+
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
+
+        $this->assertNotEquals($a->getAccessTokenTTL(), $v['expires_in']);
+        $this->assertNotEquals(time()+$a->getAccessTokenTTL(), $v['expires']);
+        $this->assertEquals(30, $v['expires_in']);
+        $this->assertEquals(time()+30, $v['expires']);
+    }
+
+    public function test_issueAccessToken_HTTP_auth()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('updateSession')->andReturn(null);
+        $this->session->shouldReceive('removeAuthCode')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
+
+        $_POST['grant_type'] = 'authorization_code';
+        $_SERVER['PHP_AUTH_USER'] = 1234;
+        $_SERVER['PHP_AUTH_PW'] = 5678;
+        $_POST['redirect_uri'] = 'http://foo/redirect';
+        $_POST['code'] = 'foobar';
+
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST, array(), array(), $_SERVER);
+        $a->setRequest($request);
+
+        $v = $a->issueAccessToken();
+
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
+
+        $this->assertEquals($a->getAccessTokenTTL(), $v['expires_in']);
+        $this->assertEquals(time()+$a->getAccessTokenTTL(), $v['expires']);
+    }
+
+    public function tearDown() {
+        M::close();
+    }
+}

tests/authorization/ClientCredentialsGrantTest.php

@@ -0,0 +1,373 @@
+<?php
+
+use \Mockery as m;
+
+class Client_Credentials_Grant_Test extends PHPUnit_Framework_TestCase
+{
+    private $client;
+    private $session;
+    private $scope;
+
+    public function setUp()
+    {
+        $this->client = M::mock('League\OAuth2\Server\Storage\ClientInterface');
+        $this->session = M::mock('League\OAuth2\Server\Storage\SessionInterface');
+        $this->scope = M::mock('League\OAuth2\Server\Storage\ScopeInterface');
+    }
+
+    private function returnDefault()
+    {
+        return new League\OAuth2\Server\Authorization($this->client, $this->session, $this->scope);
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    0
+     */
+    public function test_issueAccessToken_clientCredentialsGrant_missingClientId()
+    {
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials($a));
+
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
+        $a->setRequest($request);
+
+        $a->issueAccessToken(array(
+            'grant_type'    =>  'client_credentials'
+        ));
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    0
+     */
+    public function test_issueAccessToken_clientCredentialsGrant_missingClientPassword()
+    {
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials($a));
+
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
+        $a->setRequest($request);
+
+        $a->issueAccessToken(array(
+            'grant_type'    =>  'client_credentials',
+            'client_id' =>  1234
+        ));
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    8
+     */
+    public function test_issueAccessToken_clientCredentialsGrant_badClient()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(false);
+
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials($a));
+
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
+        $a->setRequest($request);
+
+        $a->issueAccessToken(array(
+            'grant_type'    =>  'client_credentials',
+            'client_id' =>  1234,
+            'client_secret' =>  5678
+        ));
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    0
+     */
+    public function test_issueAccessToken_clientCredentialsGrant_missingScopes()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->client->shouldReceive('validateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('createSession')->andReturn(1);
+        $this->session->shouldReceive('deleteSession')->andReturn(null);
+
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials($a));
+        $a->requireScopeParam(true);
+
+        $a->issueAccessToken(array(
+            'grant_type'    =>  'client_credentials',
+            'client_id' =>  1234,
+            'client_secret' =>  5678
+        ));
+    }
+
+    public function test_issueAccessToken_clientCredentialsGrant_defaultScope()
+    {
+        $this->scope->shouldReceive('getScope')->andReturn(array(
+            'id'    =>  1,
+            'key' =>  'foo',
+            'name'  =>  'Foo Name',
+            'description'   =>  'Foo Name Description'
+        ));
+
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->client->shouldReceive('validateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('createSession')->andReturn(1);
+        $this->session->shouldReceive('deleteSession')->andReturn(null);
+        $this->session->shouldReceive('associateScope')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials($a));
+        $a->requireScopeParam(false);
+        $a->setDefaultScope('foobar');
+
+        $v = $a->issueAccessToken(array(
+            'grant_type'    =>  'client_credentials',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'scope' =>  ''
+        ));
+
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    4
+     */
+    public function test_issueAccessToken_clientCredentialsGrant_badScope()
+    {
+        $this->scope->shouldReceive('getScope')->andReturn(false);
+
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->client->shouldReceive('validateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('createSession')->andReturn(1);
+        $this->session->shouldReceive('deleteSession')->andReturn(null);
+        $this->session->shouldReceive('associateScope')->andReturn(null);
+
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials($a));
+
+        $a->issueAccessToken(array(
+            'grant_type'    =>  'client_credentials',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'scope' =>  'blah'
+        ));
+    }
+
+    public function test_issueAccessToken_clientCredentialsGrant_goodScope()
+    {
+        $this->scope->shouldReceive('getScope')->andReturn(array(
+            'id'    =>  1,
+            'key' =>  'foo',
+            'name'  =>  'Foo Name',
+            'description'   =>  'Foo Name Description'
+        ));
+
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->client->shouldReceive('validateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('createSession')->andReturn(1);
+        $this->session->shouldReceive('deleteSession')->andReturn(null);
+        $this->session->shouldReceive('associateScope')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials($a));
+
+        $v = $a->issueAccessToken(array(
+            'grant_type'    =>  'client_credentials',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'scope' =>  'blah'
+        ));
+
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
+    }
+
+    function test_issueAccessToken_clientCredentialsGrant_passedInput()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->client->shouldReceive('validateRefreshToken')->andReturn(1);
+
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('createSession')->andReturn(1);
+        $this->session->shouldReceive('deleteSession')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials($a));
+        $a->requireScopeParam(false);
+
+        $v = $a->issueAccessToken(array(
+            'grant_type'    =>  'client_credentials',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+        ));
+
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
+
+        $this->assertEquals($a->getAccessTokenTTL(), $v['expires_in']);
+        $this->assertEquals(time()+$a->getAccessTokenTTL(), $v['expires']);
+    }
+
+    function test_issueAccessToken_clientCredentialsGrant()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->client->shouldReceive('validateRefreshToken')->andReturn(1);
+
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('createSession')->andReturn(1);
+        $this->session->shouldReceive('deleteSession')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials($a));
+        $a->requireScopeParam(false);
+
+        $_POST['grant_type'] = 'client_credentials';
+        $_POST['client_id'] = 1234;
+        $_POST['client_secret'] = 5678;
+
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
+        $a->setRequest($request);
+
+        $v = $a->issueAccessToken();
+
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
+
+        $this->assertEquals($a->getAccessTokenTTL(), $v['expires_in']);
+        $this->assertEquals(time()+$a->getAccessTokenTTL(), $v['expires']);
+    }
+
+    function test_issueAccessToken_clientCredentialsGrant_customExpiresIn()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->client->shouldReceive('validateRefreshToken')->andReturn(1);
+
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('createSession')->andReturn(1);
+        $this->session->shouldReceive('deleteSession')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+
+        $a = $this->returnDefault();
+        $grant = new League\OAuth2\Server\Grant\ClientCredentials($a);
+        $grant->setAccessTokenTTL(30);
+        $a->addGrantType($grant);
+        $a->requireScopeParam(false);
+
+        $_POST['grant_type'] = 'client_credentials';
+        $_POST['client_id'] = 1234;
+        $_POST['client_secret'] = 5678;
+
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
+        $a->setRequest($request);
+
+        $v = $a->issueAccessToken();
+
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
+
+        $this->assertNotEquals($a->getAccessTokenTTL(), $v['expires_in']);
+        $this->assertNotEquals(time()+$a->getAccessTokenTTL(), $v['expires']);
+        $this->assertEquals(30, $v['expires_in']);
+        $this->assertEquals(time()+30, $v['expires']);
+    }
+
+    function test_issueAccessToken_clientCredentialsGrant_withRefreshToken()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->client->shouldReceive('validateRefreshToken')->andReturn(1);
+
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('createSession')->andReturn(1);
+        $this->session->shouldReceive('deleteSession')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials($a));
+        $a->requireScopeParam(false);
+
+        $_POST['grant_type'] = 'client_credentials';
+        $_POST['client_id'] = 1234;
+        $_POST['client_secret'] = 5678;
+
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
+        $a->setRequest($request);
+
+        $v = $a->issueAccessToken();
+
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
+
+        $this->assertEquals($a->getAccessTokenTTL(), $v['expires_in']);
+        $this->assertEquals(time()+$a->getAccessTokenTTL(), $v['expires']);
+    }
+
+}

tests/authorization/PasswordGrantTest.php

@@ -0,0 +1,569 @@
+<?php
+
+use \Mockery as m;
+
+class Password_Grant_Test extends PHPUnit_Framework_TestCase
+{
+    private $client;
+    private $session;
+    private $scope;
+
+    public function setUp()
+    {
+        $this->client = M::mock('League\OAuth2\Server\Storage\ClientInterface');
+        $this->session = M::mock('League\OAuth2\Server\Storage\SessionInterface');
+        $this->scope = M::mock('League\OAuth2\Server\Storage\ScopeInterface');
+    }
+
+    private function returnDefault()
+    {
+        return new League\OAuth2\Server\Authorization($this->client, $this->session, $this->scope);
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    0
+     */
+    public function test_issueAccessToken_passwordGrant_missingClientId()
+    {
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\Password($a));
+
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
+        $a->setRequest($request);
+
+        $a->issueAccessToken(array(
+            'grant_type'    =>  'password'
+        ));
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    0
+     */
+    public function test_issueAccessToken_passwordGrant_missingClientPassword()
+    {
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\Password($a));
+
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
+        $a->setRequest($request);
+
+        $a->issueAccessToken(array(
+            'grant_type'    =>  'password',
+            'client_id' =>  1234
+        ));
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    8
+     */
+    public function test_issueAccessToken_passwordGrant_badClient()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(false);
+
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\Password($a));
+
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
+        $a->setRequest($request);
+
+        $a->issueAccessToken(array(
+            'grant_type'    =>  'password',
+            'client_id' =>  1234,
+            'client_secret' =>  5678
+        ));
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\InvalidGrantTypeException
+     */
+    function test_issueAccessToken_passwordGrant_invalidCallback()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->client->shouldReceive('validateRefreshToken')->andReturn(1);
+
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('createSession')->andReturn(1);
+        $this->session->shouldReceive('deleteSession')->andReturn(null);
+        $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+
+        $testCredentials = null;
+
+        $a = $this->returnDefault();
+        $pgrant = new League\OAuth2\Server\Grant\Password($a);
+        $pgrant->setVerifyCredentialsCallback($testCredentials);
+        $a->addGrantType($pgrant);
+
+        $a->issueAccessToken(array(
+            'grant_type'    =>  'password',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'username'  => 'foo',
+            'password'  => 'bar'
+        ));
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    0
+     */
+    function test_issueAccessToken_passwordGrant_missingUsername()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->client->shouldReceive('validateRefreshToken')->andReturn(1);
+
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('createSession')->andReturn(1);
+        $this->session->shouldReceive('deleteSession')->andReturn(null);
+        $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+
+        $testCredentials = function() { return false; };
+
+        $a = $this->returnDefault();
+        $pgrant = new League\OAuth2\Server\Grant\Password($a);
+        $pgrant->setVerifyCredentialsCallback($testCredentials);
+        $a->addGrantType($pgrant);
+
+        $a->issueAccessToken(array(
+            'grant_type'    =>  'password',
+            'client_id' =>  1234,
+            'client_secret' =>  5678
+        ));
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    0
+     */
+    function test_issueAccessToken_passwordGrant_missingPassword()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->client->shouldReceive('validateRefreshToken')->andReturn(1);
+
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('createSession')->andReturn(1);
+        $this->session->shouldReceive('deleteSession')->andReturn(null);
+        $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+
+        $testCredentials = function() { return false; };
+
+        $a = $this->returnDefault();
+        $pgrant = new League\OAuth2\Server\Grant\Password($a);
+        $pgrant->setVerifyCredentialsCallback($testCredentials);
+        $a->addGrantType($pgrant);
+
+        $a->issueAccessToken(array(
+            'grant_type'    =>  'password',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'username'  =>  'foo'
+        ));
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    0
+     */
+    function test_issueAccessToken_passwordGrant_badCredentials()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->client->shouldReceive('validateRefreshToken')->andReturn(1);
+
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('createSession')->andReturn(1);
+        $this->session->shouldReceive('deleteSession')->andReturn(null);
+        $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+
+        $testCredentials = function() { return false; };
+
+        $a = $this->returnDefault();
+        $pgrant = new League\OAuth2\Server\Grant\Password($a);
+        $pgrant->setVerifyCredentialsCallback($testCredentials);
+        $a->addGrantType($pgrant);
+
+        $a->issueAccessToken(array(
+            'grant_type'    =>  'password',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'username'  => 'foo',
+            'password'  => 'bar'
+        ));
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    4
+     */
+    public function test_issueAccessToken_passwordGrant_badScopes()
+    {
+        $this->scope->shouldReceive('getScope')->andReturn(false);
+
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->client->shouldReceive('validateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('createSession')->andReturn(1);
+        $this->session->shouldReceive('deleteSession')->andReturn(null);
+        $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+
+        $testCredentials = function() { return 1; };
+
+        $a = $this->returnDefault();
+        $pgrant = new League\OAuth2\Server\Grant\Password($a);
+        $pgrant->setVerifyCredentialsCallback($testCredentials);
+        $a->addGrantType($pgrant);
+
+        $a->issueAccessToken(array(
+            'grant_type'    =>  'password',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'username'  =>  'foo',
+            'password'  =>  'bar',
+            'scope' =>  'blah'
+        ));
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    0
+     */
+    public function test_issueAccessToken_passwordGrant_missingScopes()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->client->shouldReceive('validateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('createSession')->andReturn(1);
+        $this->session->shouldReceive('deleteSession')->andReturn(null);
+        $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+
+        $testCredentials = function() { return 1; };
+
+        $a = $this->returnDefault();
+        $pgrant = new League\OAuth2\Server\Grant\Password($a);
+        $pgrant->setVerifyCredentialsCallback($testCredentials);
+        $a->addGrantType($pgrant);
+        $a->requireScopeParam(true);
+
+        $a->issueAccessToken(array(
+            'grant_type'    =>  'password',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'username'  =>  'foo',
+            'password'  =>  'bar'
+        ));
+    }
+
+    public function test_issueAccessToken_passwordGrant_defaultScope()
+    {
+        $this->scope->shouldReceive('getScope')->andReturn(array(
+            'id'    =>  1,
+            'scope' =>  'foo',
+            'name'  =>  'Foo Name',
+            'description'   =>  'Foo Name Description'
+        ));
+
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->client->shouldReceive('validateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('createSession')->andReturn(1);
+        $this->session->shouldReceive('deleteSession')->andReturn(null);
+        $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+        $this->session->shouldReceive('associateScope')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+
+        $testCredentials = function() { return 1; };
+
+        $a = $this->returnDefault();
+        $pgrant = new League\OAuth2\Server\Grant\Password($a);
+        $pgrant->setVerifyCredentialsCallback($testCredentials);
+        $a->addGrantType($pgrant);
+        $a->requireScopeParam(false);
+        $a->setDefaultScope('foobar');
+
+        $v = $a->issueAccessToken(array(
+            'grant_type'    =>  'password',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'username'  =>  'foo',
+            'password'  =>  'bar',
+            'scope' =>  ''
+        ));
+
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
+    }
+
+    public function test_issueAccessToken_passwordGrant_goodScope()
+    {
+        $this->scope->shouldReceive('getScope')->andReturn(array(
+            'id'    =>  1,
+            'scope' =>  'foo',
+            'name'  =>  'Foo Name',
+            'description'   =>  'Foo Name Description'
+        ));
+
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->client->shouldReceive('validateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('createSession')->andReturn(1);
+        $this->session->shouldReceive('deleteSession')->andReturn(null);
+        $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+        $this->session->shouldReceive('associateScope')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+
+        $testCredentials = function() { return 1; };
+
+        $a = $this->returnDefault();
+        $pgrant = new League\OAuth2\Server\Grant\Password($a);
+        $pgrant->setVerifyCredentialsCallback($testCredentials);
+        $a->addGrantType($pgrant);
+
+        $v = $a->issueAccessToken(array(
+            'grant_type'    =>  'password',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'username'  =>  'foo',
+            'password'  =>  'bar',
+            'scope' =>  'blah'
+        ));
+
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
+    }
+
+    function test_issueAccessToken_passwordGrant_passedInput()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->client->shouldReceive('validateRefreshToken')->andReturn(1);
+
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('createSession')->andReturn(1);
+        $this->session->shouldReceive('deleteSession')->andReturn(null);
+        $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+
+        $testCredentials = function() { return 1; };
+
+        $a = $this->returnDefault();
+        $pgrant = new League\OAuth2\Server\Grant\Password($a);
+        $pgrant->setVerifyCredentialsCallback($testCredentials);
+        $a->addGrantType($pgrant);
+        $a->requireScopeParam(false);
+
+        $v = $a->issueAccessToken(array(
+            'grant_type'    =>  'password',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'username'  => 'foo',
+            'password'  => 'bar'
+        ));
+
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
+
+        $this->assertEquals($a->getAccessTokenTTL(), $v['expires_in']);
+        $this->assertEquals(time()+$a->getAccessTokenTTL(), $v['expires']);
+    }
+
+    function test_issueAccessToken_passwordGrant()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->client->shouldReceive('validateRefreshToken')->andReturn(1);
+
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('createSession')->andReturn(1);
+        $this->session->shouldReceive('deleteSession')->andReturn(null);
+        $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+
+        $testCredentials = function() { return 1; };
+
+        $a = $this->returnDefault();
+        $pgrant = new League\OAuth2\Server\Grant\Password($a);
+        $pgrant->setVerifyCredentialsCallback($testCredentials);
+        $a->addGrantType($pgrant);
+        $a->requireScopeParam(false);
+
+        $_POST['grant_type'] = 'password';
+        $_POST['client_id'] = 1234;
+        $_POST['client_secret'] = 5678;
+        $_POST['username'] = 'foo';
+        $_POST['password'] = 'bar';
+
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
+        $a->setRequest($request);
+
+        $v = $a->issueAccessToken();
+
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
+
+        $this->assertEquals($a->getAccessTokenTTL(), $v['expires_in']);
+        $this->assertEquals(time()+$a->getAccessTokenTTL(), $v['expires']);
+    }
+
+    function test_issueAccessToken_passwordGrant_customExpiresIn()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->client->shouldReceive('validateRefreshToken')->andReturn(1);
+
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('createSession')->andReturn(1);
+        $this->session->shouldReceive('deleteSession')->andReturn(null);
+        $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+
+        $testCredentials = function() { return 1; };
+
+        $a = $this->returnDefault();
+        $pgrant = new League\OAuth2\Server\Grant\Password($a);
+        $pgrant->setVerifyCredentialsCallback($testCredentials);
+        $pgrant->setAccessTokenTTL(30);
+        $a->addGrantType($pgrant);
+        $a->requireScopeParam(false);
+
+        $_POST['grant_type'] = 'password';
+        $_POST['client_id'] = 1234;
+        $_POST['client_secret'] = 5678;
+        $_POST['username'] = 'foo';
+        $_POST['password'] = 'bar';
+
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
+        $a->setRequest($request);
+
+        $v = $a->issueAccessToken();
+
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
+
+        $this->assertNotEquals($a->getAccessTokenTTL(), $v['expires_in']);
+        $this->assertNotEquals(time()+$a->getAccessTokenTTL(), $v['expires']);
+        $this->assertEquals(30, $v['expires_in']);
+        $this->assertEquals(time()+30, $v['expires']);
+    }
+
+    function test_issueAccessToken_passwordGrant_withRefreshToken()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->client->shouldReceive('validateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('createSession')->andReturn(1);
+        $this->session->shouldReceive('deleteSession')->andReturn(null);
+        $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+        $this->session->shouldReceive('associateRefreshToken')->andReturn(null);
+
+        $testCredentials = function() { return 1; };
+
+        $a = $this->returnDefault();
+        $pgrant = new League\OAuth2\Server\Grant\Password($a);
+        $pgrant->setVerifyCredentialsCallback($testCredentials);
+        $a->addGrantType($pgrant);
+        $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken($a));
+        $a->requireScopeParam(false);
+
+        $_POST['grant_type'] = 'password';
+        $_POST['client_id'] = 1234;
+        $_POST['client_secret'] = 5678;
+        $_POST['username'] = 'foo';
+        $_POST['password'] = 'bar';
+
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
+        $a->setRequest($request);
+
+        $v = $a->issueAccessToken();
+
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
+        $this->assertArrayHasKey('refresh_token', $v);
+
+        $this->assertEquals($a->getAccessTokenTTL(), $v['expires_in']);
+        $this->assertEquals(time()+$a->getAccessTokenTTL(), $v['expires']);
+    }
+
+}

tests/authorization/RefreshTokenTest.php

@@ -0,0 +1,293 @@
+<?php
+
+use \Mockery as m;
+
+class Refresh_Token_test extends PHPUnit_Framework_TestCase
+{
+    private $client;
+    private $session;
+    private $scope;
+
+    public function setUp()
+    {
+        $this->client = M::mock('League\OAuth2\Server\Storage\ClientInterface');
+        $this->session = M::mock('League\OAuth2\Server\Storage\SessionInterface');
+        $this->scope = M::mock('League\OAuth2\Server\Storage\ScopeInterface');
+    }
+
+    private function returnDefault()
+    {
+        return new League\OAuth2\Server\Authorization($this->client, $this->session, $this->scope);
+    }
+
+    public function test_setRefreshTokenTTL()
+    {
+        $a = $this->returnDefault();
+        $rt = new League\OAuth2\Server\Grant\RefreshToken($a);
+        $rt->setRefreshTokenTTL(30);
+        $this->assertEquals(30, $rt->getRefreshTokenTTL());
+    }
+
+    public function test_issueAccessToken_with_refresh_token()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('updateSession')->andReturn(null);
+        $this->session->shouldReceive('removeAuthCode')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+        $this->session->shouldReceive('associateRefreshToken')->andReturn(1);
+
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken($a));
+
+        $_POST['grant_type'] = 'authorization_code';
+        $_POST['client_id'] = 1234;
+        $_POST['client_secret'] = 5678;
+        $_POST['redirect_uri'] = 'http://foo/redirect';
+        $_POST['code'] = 'foobar';
+
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
+        $a->setRequest($request);
+
+        $v = $a->issueAccessToken();
+
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
+        $this->assertArrayHasKey('refresh_token', $v);
+
+        $this->assertEquals($a->getAccessTokenTTL(), $v['expires_in']);
+        $this->assertEquals(time()+$a->getAccessTokenTTL(), $v['expires']);
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    0
+     */
+    public function test_issueAccessToken_refreshTokenGrant_missingClientId()
+    {
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken($a));
+
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
+        $a->setRequest($request);
+
+        $a->issueAccessToken(array(
+            'grant_type'    =>  'refresh_token'
+        ));
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    0
+     */
+    public function test_issueAccessToken_refreshTokenGrant_missingClientSecret()
+    {
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken($a));
+
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
+        $a->setRequest($request);
+
+        $a->issueAccessToken(array(
+            'grant_type'    =>  'refresh_token',
+            'client_id' =>  1234
+        ));
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    8
+     */
+    public function test_issueAccessToken_refreshTokenGrant_badClient()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(false);
+
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken($a));
+
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
+        $a->setRequest($request);
+
+        $a->issueAccessToken(array(
+            'grant_type'    =>  'refresh_token',
+            'client_id' =>  1234,
+            'client_secret' =>  5678
+        ));
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    0
+     */
+    public function test_issueAccessToken_refreshTokenGrant_missingRefreshToken()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array());
+
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken($a));
+
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
+        $a->setRequest($request);
+
+        $a->issueAccessToken(array(
+            'grant_type'    =>  'refresh_token',
+            'client_id' =>  1234,
+            'client_secret' =>  5678
+        ));
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    0
+     */
+    public function test_issueAccessToken_refreshTokenGrant_badRefreshToken()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array());
+        $this->session->shouldReceive('validateRefreshToken')->andReturn(false);
+
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken($a));
+
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
+        $a->setRequest($request);
+
+        $a->issueAccessToken(array(
+            'grant_type'    =>  'refresh_token',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'refresh_token' =>  'abcdef'
+        ));
+    }
+
+    public function test_issueAccessToken_refreshTokenGrant_passedInput()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->session->shouldReceive('validateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('updateSession')->andReturn(null);
+        $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+        $this->session->shouldReceive('associateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('getAccessToken')->andReturn(null);
+        $this->session->shouldReceive('getScopes')->andReturn(array());
+
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken($a));
+
+        $_POST['grant_type'] = 'refresh_token';
+        $_POST['client_id'] = 1234;
+        $_POST['client_secret'] = 5678;
+        $_POST['refresh_token'] = 'abcdef';
+
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
+        $a->setRequest($request);
+
+        $v = $a->issueAccessToken();
+
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
+        $this->assertArrayHasKey('refresh_token', $v);
+
+        $this->assertEquals($a->getAccessTokenTTL(), $v['expires_in']);
+        $this->assertEquals(time()+$a->getAccessTokenTTL(), $v['expires']);
+    }
+
+    public function test_issueAccessToken_refreshTokenGrant()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->session->shouldReceive('validateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('updateSession')->andReturn(null);
+        $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+        $this->session->shouldReceive('getAccessToken')->andReturn(null);
+        $this->session->shouldReceive('getScopes')->andReturn(array('id'    =>  1));
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+        $this->session->shouldReceive('associateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('associateScope')->andReturn(null);
+
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken($a));
+
+        $v = $a->issueAccessToken(array(
+            'grant_type'    =>  'refresh_token',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'refresh_token'  =>  'abcdef',
+        ));
+
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
+        $this->assertArrayHasKey('refresh_token', $v);
+
+        $this->assertEquals($a->getAccessTokenTTL(), $v['expires_in']);
+        $this->assertEquals(time()+$a->getAccessTokenTTL(), $v['expires']);
+    }
+
+    public function test_issueAccessToken_refreshTokenGrant_customExpiresIn()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->session->shouldReceive('validateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('updateSession')->andReturn(null);
+        $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+        $this->session->shouldReceive('getAccessToken')->andReturn(null);
+        $this->session->shouldReceive('getScopes')->andReturn(array('id'    =>  1));
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+        $this->session->shouldReceive('associateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('associateScope')->andReturn(null);
+
+        $a = $this->returnDefault();
+        $grant = new League\OAuth2\Server\Grant\RefreshToken($a);
+        $grant->setAccessTokenTTL(30);
+        $a->addGrantType($grant);
+
+        $v = $a->issueAccessToken(array(
+            'grant_type'    =>  'refresh_token',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'refresh_token'  =>  'abcdef',
+        ));
+
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
+        $this->assertArrayHasKey('refresh_token', $v);
+
+        $this->assertNotEquals($a->getAccessTokenTTL(), $v['expires_in']);
+        $this->assertNotEquals(time()+$a->getAccessTokenTTL(), $v['expires']);
+        $this->assertEquals(30, $v['expires_in']);
+        $this->assertEquals(time()+30, $v['expires']);
+    }
+}

tests/resource/ResourceServerTest.php

@@ -0,0 +1,185 @@
+<?php
+
+use \Mockery as m;
+
+class Resource_Server_test extends PHPUnit_Framework_TestCase
+{
+	private $session;
+
+	public function setUp()
+	{
+        $this->session = M::mock('League\OAuth2\Server\Storage\SessionInterface');
+	}
+
+	private function returnDefault()
+	{
+		return new League\OAuth2\Server\Resource($this->session);
+	}
+
+	public function test_setRequest()
+    {
+        $s = $this->returnDefault();
+        $request = new League\OAuth2\Server\Util\Request();
+        $s->setRequest($request);
+
+        $reflector = new ReflectionClass($s);
+        $requestProperty = $reflector->getProperty('request');
+        $requestProperty->setAccessible(true);
+        $v = $requestProperty->getValue($s);
+
+        $this->assertTrue($v instanceof League\OAuth2\Server\Util\RequestInterface);
+    }
+
+    public function test_getRequest()
+    {
+        $s = $this->returnDefault();
+        $request = new League\OAuth2\Server\Util\Request();
+        $s->setRequest($request);
+        $v = $s->getRequest();
+
+        $this->assertTrue($v instanceof League\OAuth2\Server\Util\RequestInterface);
+    }
+
+    public function test_getTokenKey()
+    {
+        $s = $this->returnDefault();
+        $this->assertEquals('access_token', $s->getTokenKey());
+    }
+
+    public function test_setTokenKey()
+    {
+        $s = $this->returnDefault();
+       	$s->setTokenKey('oauth_token');
+
+        $reflector = new ReflectionClass($s);
+        $requestProperty = $reflector->getProperty('tokenKey');
+        $requestProperty->setAccessible(true);
+        $v = $requestProperty->getValue($s);
+
+        $this->assertEquals('oauth_token', $v);
+    }
+
+    public function test_getScopes()
+    {
+        $s = $this->returnDefault();
+        $this->assertEquals(array(), $s->getScopes());
+    }
+
+    /**
+     * @expectedException League\OAuth2\Server\Exception\InvalidAccessTokenException
+     */
+    public function test_determineAccessToken_missingToken()
+    {
+    	$_SERVER['HTTP_AUTHORIZATION'] = 'Bearer';
+   		$request = new League\OAuth2\Server\Util\Request(array(), array(), array(), array(), $_SERVER);
+
+    	$s = $this->returnDefault();
+    	$s->setRequest($request);
+
+    	$reflector = new ReflectionClass($s);
+	    $method = $reflector->getMethod('determineAccessToken');
+	    $method->setAccessible(true);
+
+	    $method->invoke($s);
+    }
+
+    public function test_determineAccessToken_fromHeader()
+    {
+        $request = new League\OAuth2\Server\Util\Request();
+
+        $requestReflector = new ReflectionClass($request);
+        $param = $requestReflector->getProperty('headers');
+        $param->setAccessible(true);
+        $param->setValue($request, array(
+            'Authorization' =>  'Bearer abcdef'
+        ));
+        $s = $this->returnDefault();
+        $s->setRequest($request);
+
+    	$reflector = new ReflectionClass($s);
+
+	    $method = $reflector->getMethod('determineAccessToken');
+	    $method->setAccessible(true);
+
+	    $result = $method->invoke($s);
+
+	    $this->assertEquals('abcdef', $result);
+    }
+
+    public function test_determineAccessToken_fromMethod()
+    {
+    	$s = $this->returnDefault();
+
+    	$_GET[$s->getTokenKey()] = 'abcdef';
+    	$_SERVER['REQUEST_METHOD'] = 'get';
+
+   		$request = new League\OAuth2\Server\Util\Request($_GET, array(), array(), array(), $_SERVER);
+    	$s->setRequest($request);
+
+    	$reflector = new ReflectionClass($s);
+	    $method = $reflector->getMethod('determineAccessToken');
+	    $method->setAccessible(true);
+
+	    $result = $method->invoke($s);
+
+	    $this->assertEquals('abcdef', $result);
+    }
+
+    /**
+     * @expectedException League\OAuth2\Server\Exception\InvalidAccessTokenException
+     */
+    public function test_isValid_notValid()
+    {
+    	$this->session->shouldReceive('validateAccessToken')->andReturn(false);
+
+    	$request = new League\OAuth2\Server\Util\Request();
+        $requestReflector = new ReflectionClass($request);
+        $param = $requestReflector->getProperty('headers');
+        $param->setAccessible(true);
+        $param->setValue($request, array(
+            'Authorization' =>  'Bearer abcdef'
+        ));
+        $s = $this->returnDefault();
+        $s->setRequest($request);
+
+        $s->isValid();
+    }
+
+    public function test_isValid_valid()
+    {
+    	$this->session->shouldReceive('validateAccessToken')->andReturn(array(
+    		'session_id'  =>	1,
+    		'owner_type'  =>	'user',
+    		'owner_id'    =>	123,
+            'client_id' =>  'testapp'
+    	));
+
+    	$this->session->shouldReceive('getScopes')->andReturn(array(
+            array('key' =>  'foo'),
+            array('key' =>  'bar')
+        ));
+
+   		$request = new League\OAuth2\Server\Util\Request();
+        $requestReflector = new ReflectionClass($request);
+        $param = $requestReflector->getProperty('headers');
+        $param->setAccessible(true);
+        $param->setValue($request, array(
+            'Authorization' =>  'Bearer abcdef'
+        ));
+
+        $s = $this->returnDefault();
+        $s->setRequest($request);
+
+    	$this->assertTrue($s->isValid());
+    	$this->assertEquals(123, $s->getOwnerId());
+    	$this->assertEquals('user', $s->getOwnerType());
+    	$this->assertEquals('abcdef', $s->getAccessToken());
+        $this->assertEquals('testapp', $s->getClientId());
+    	$this->assertTrue($s->hasScope('foo'));
+    	$this->assertTrue($s->hasScope('bar'));
+    	$this->assertTrue($s->hasScope(array('foo', 'bar')));
+    	$this->assertFalse($s->hasScope(array('foobar')));
+    	$this->assertFalse($s->hasScope('foobar'));
+    	$this->assertFalse($s->hasScope(new StdClass));
+    }
+}

tests/resource/database_mock.php

@@ -1,31 +0,0 @@
-<?php
-
-use Oauth2\Resource\Database;
-
-class ResourceDB implements Database
-{
-	private $accessTokens = array(
-		'test12345' => array(
-			'id'	=>	1,
-			'owner_type'	=>	'user',
-			'owner_id'	=>	123
-		)
-	);
-
-	private $sessionScopes = array(
-		1	=>	array(
-			'foo',
-			'bar'
-		)
-	);
-
-	public function validateAccessToken($accessToken)
-	{
-		return (isset($this->accessTokens[$accessToken])) ? $this->accessTokens[$accessToken] : false;
-	}
-
-	public function sessionScopes($sessionId)
-	{
-		return (isset($this->sessionScopes[$sessionId])) ? $this->sessionScopes[$sessionId] : array();
-	}
-}

tests/resource/server_test.php

@@ -1,121 +0,0 @@
-<?php
-
-class Resource_Server_test extends PHPUnit_Framework_TestCase {
-
-	function setUp()
-	{
-		require_once('database_mock.php');
-		$this->server = new Oauth2\Resource\Server();
-		$this->db = new ResourceDB();
-
-		$this->assertInstanceOf('Oauth2\Resource\Database', $this->db);
-		$this->server->registerDbAbstractor($this->db);
-	}
-
-	function test_init_POST()
-	{
-		$_SERVER['REQUEST_METHOD'] = 'POST';
-		$_POST['oauth_token'] = 'test12345';
-
-		$this->server->init();
-
-		$reflector = new ReflectionClass($this->server);
-
-		$_accessToken = $reflector->getProperty('_accessToken');
-		$_accessToken->setAccessible(true);
-
-		$_type = $reflector->getProperty('_type');
-		$_type->setAccessible(true);
-
-		$_typeId = $reflector->getProperty('_typeId');
-		$_typeId->setAccessible(true);
-
-		$_scopes = $reflector->getProperty('_scopes');
-		$_scopes->setAccessible(true);
-
-		$this->assertEquals($_accessToken->getValue($this->server), $_POST['oauth_token']);
-		$this->assertEquals($_type->getValue($this->server), 'user');
-		$this->assertEquals($_typeId->getValue($this->server), 123);
-		$this->assertEquals($_scopes->getValue($this->server), array('foo', 'bar'));
-	}
-
-	function test_init_GET()
-	{
-		$_GET['oauth_token'] = 'test12345';
-
-		$this->server->init();
-
-		$reflector = new ReflectionClass($this->server);
-
-		$_accessToken = $reflector->getProperty('_accessToken');
-		$_accessToken->setAccessible(true);
-
-		$_type = $reflector->getProperty('_type');
-		$_type->setAccessible(true);
-
-		$_typeId = $reflector->getProperty('_typeId');
-		$_typeId->setAccessible(true);
-
-		$_scopes = $reflector->getProperty('_scopes');
-		$_scopes->setAccessible(true);
-
-		$this->assertEquals($_accessToken->getValue($this->server), $_GET['oauth_token']);
-		$this->assertEquals($_type->getValue($this->server), 'user');
-		$this->assertEquals($_typeId->getValue($this->server), 123);
-		$this->assertEquals($_scopes->getValue($this->server), array('foo', 'bar'));
-	}
-
-	function test_init_header()
-	{
-		// Test with authorisation header
-		$this->markTestIncomplete('Authorisation header test has not been implemented yet.');
-	}
-
-	/**
-	 * @expectedException        \Oauth2\Resource\ClientException
-	 * @expectedExceptionMessage An access token was not presented with the request
-	 */
-	function test_init_missingToken()
-	{
-		$this->server->init();
-	}
-
-	/**
-	 * @expectedException        \Oauth2\Resource\ClientException
-	 * @expectedExceptionMessage The access token is not registered with the resource server
-	 */
-	function test_init_wrongToken()
-	{
-		$_POST['oauth_token'] = 'blah';
-		$_SERVER['REQUEST_METHOD'] = 'POST';
-
-		$this->server->init();
-	}
-
-	function test_hasScope()
-	{
-		$_POST['oauth_token'] = 'test12345';
-		$_SERVER['REQUEST_METHOD'] = 'POST';
-
-		$this->server->init();
-
-		$this->assertEquals(true, $this->server->hasScope('foo'));
-		$this->assertEquals(true, $this->server->hasScope('bar'));
-		$this->assertEquals(true, $this->server->hasScope(array('foo', 'bar')));
-
-		$this->assertEquals(false, $this->server->hasScope('foobar'));
-		$this->assertEquals(false, $this->server->hasScope(array('foobar')));
-	}
-
-	function test___call()
-	{
-		$_POST['oauth_token'] = 'test12345';
-		$_SERVER['REQUEST_METHOD'] = 'POST';
-
-		$this->server->init();
-
-		$this->assertEquals(123, $this->server->isUser());
-		$this->assertEquals(false, $this->server->isMachine());
-	}
-
-}

tests/util/RedirectUriTest.php

@@ -0,0 +1,15 @@
+<?php
+
+class RedirectUri_test extends PHPUnit_Framework_TestCase
+{
+	function test_make()
+	{
+		$v1 = League\OAuth2\Server\Util\RedirectUri::make('https://foobar/', array('foo'=>'bar'));
+		$v2 = League\OAuth2\Server\Util\RedirectUri::make('https://foobar/', array('foo'=>'bar'), '#');
+		$v3 = League\OAuth2\Server\Util\RedirectUri::make('https://foobar/', array('foo'=>'bar', 'bar' => 'foo'));
+
+		$this->assertEquals('https://foobar/?foo=bar', $v1);
+		$this->assertEquals('https://foobar/#foo=bar', $v2);
+		$this->assertEquals('https://foobar/?foo=bar&bar=foo', $v3);
+	}
+}

tests/util/RequestTest.php

@@ -0,0 +1,73 @@
+<?php
+
+class Request_test extends PHPUnit_Framework_TestCase
+{
+	private $request;
+
+	function setUp()
+	{
+		$this->request = new League\OAuth2\Server\Util\Request(
+			array('foo' => 'bar'),
+			array('foo' => 'bar'),
+			array('foo' => 'bar'),
+			array('foo' => 'bar'),
+			array('HTTP_HOST' => 'foobar.com')
+		);
+	}
+
+	function test_buildFromIndex()
+	{
+		$r = new League\OAuth2\Server\Util\Request();
+		$r->buildFromGlobals();
+
+		$this->assertTrue($r instanceof League\OAuth2\Server\Util\Request);
+	}
+
+	function test_get()
+	{
+		$this->assertEquals('bar', $this->request->get('foo'));
+		$this->assertEquals(array('foo' => 'bar'), $this->request->get());
+	}
+
+	function test_post()
+	{
+		$this->assertEquals('bar', $this->request->post('foo'));
+		$this->assertEquals(array('foo' => 'bar'), $this->request->post());
+	}
+
+	function test_file()
+	{
+		$this->assertEquals('bar', $this->request->file('foo'));
+		$this->assertEquals(array('foo' => 'bar'), $this->request->file());
+	}
+
+	function test_cookie()
+	{
+		$this->assertEquals('bar', $this->request->cookie('foo'));
+		$this->assertEquals(array('foo' => 'bar'), $this->request->cookie());
+	}
+
+	function test_server()
+	{
+		$this->assertEquals('foobar.com', $this->request->server('HTTP_HOST'));
+		$this->assertEquals(array('HTTP_HOST' => 'foobar.com'), $this->request->server());
+	}
+
+	function test_header()
+	{
+		$this->assertEquals('foobar.com', $this->request->header('Host'));
+		$this->assertEquals(array('Host' => 'foobar.com'), $this->request->header());
+	}
+
+	/**
+	 * @expectedException InvalidArgumentException
+	 */
+	function test_unknownProperty()
+	{
+		$reflector = new ReflectionClass($this->request);
+		$method = $reflector->getMethod('getPropertyValue');
+		$method->setAccessible(true);
+
+		$method->invoke($this->request, 'blah');
+	}
+}

tests/util/SecureKeyTest.php

@@ -0,0 +1,15 @@
+<?php
+
+class Secure_Key_test extends PHPUnit_Framework_TestCase
+{
+	function test_make()
+	{
+		$v1 = League\OAuth2\Server\Util\SecureKey::make();
+		$v2 = League\OAuth2\Server\Util\SecureKey::make();
+		$v3 = League\OAuth2\Server\Util\SecureKey::make(50);
+
+		$this->assertEquals(40, strlen($v1));
+		$this->assertTrue($v1 !== $v2);
+		$this->assertEquals(50, strlen($v3));
+	}
+}