Update composer.json

Resource server errors

.gitattributes

@@ -1,4 +1,5 @@
 tests/ export-ignore
 phpunit.xml export-ignore
 build.xml export-ignore
-test export-ignore
+test export-ignore
+.travis.yml export-ignore

.gitignore

@@ -1,8 +1,6 @@
-/vendor/
+/vendor
 /composer.lock
-/docs/build/
-/build/logs/
-/build/coverage/
-test
-/docs/
-/testing/
+/tests/coverage
+/docs
+/testing
+build/coverage

.travis.yml

@@ -1,8 +1,18 @@
 language: php
 
 php:
-  - 5.3
   - 5.4
+  - 5.5
+  - 5.6
+  - hhvm
+  
+matrix:
+  allow_failures:
+    - php: hhvm
 
-before_script: composer install --dev
-script: phpunit -c build/phpunit.xml
+before_script: composer install --prefer-source
+script: phpunit --configuration phpunit.xml.dist
+
+cache:
+  directories:
+    - vendor

CHANGELOG.md

@@ -1,5 +1,107 @@
 # Changelog
 
+## 3.2 (released 2014-04-16)
+
+* Added the ability to change the algorithm that is used to generate the token strings (Issue #151)
+
+## 3.1.2 (released 2014-02-26)
+
+* Support Authorization being an environment variable. [See more](http://fortrabbit.com/docs/essentials/quirks-and-constraints#authorization-header)
+
+## 3.1.1 (released 2013-12-05)
+
+* Normalize headers when `getallheaders()` is available (Issues #108 and #114)
+
+## 3.1.0 (released 2013-12-05)
+
+* No longer necessary to inject the authorisation server into a grant, the server will inject itself
+* Added test for 1419ba8cdcf18dd034c8db9f7de86a2594b68605
+
+## 3.0.1 (released 2013-12-02)
+
+* Forgot to tell TravisCI from testing PHP 5.3
+
+## 3.0.0 (released 2013-12-02)
+
+* Fixed spelling of Implicit grant class (Issue #84)
+* Travis CI now tests for PHP 5.5
+* Fixes for checking headers for resource server (Issues #79 and #)
+* The word "bearer" now has a capital "B" in JSON output to match OAuth 2.0 spec
+* All grants no longer remove old sessions by default
+* All grants now support custom access token TTL (Issue #92)
+* All methods which didn't before return a value now return `$this` to support method chaining
+* Removed the build in DB providers - these will be put in their own repos to remove baggage in the main repository
+* Removed support for PHP 5.3 because this library now uses traits and will use other modern PHP features going forward
+* Moved some grant related functions into a trait to reduce duplicate code
+
+## 2.1.1 (released 2013-06-02)
+
+* Added conditional `isValid()` flag to check for Authorization header only (thanks @alexmcroberts)
+* Fixed semantic meaning of `requireScopeParam()` and `requireStateParam()` by changing their default value to true
+* Updated some duff docblocks
+* Corrected array key call in Resource.php (Issue #63)
+
+## 2.1 (released 2013-05-10)
+
+* Moved zetacomponents/database to "suggest" in composer.json. If you rely on this feature you now need to include " zetacomponents/database" into "require" key in your own composer.json. (Issue #51)
+* New method in Refresh grant called `rotateRefreshTokens()`. Pass in `true` to issue a new refresh token each time an access token is refreshed. This parameter needs to be set to true in order to request reduced scopes with the new access token. (Issue #47)
+* Rename `key` column in oauth_scopes table to `scope` as `key` is a reserved SQL word. (Issue #45)
+* The `scope` parameter is no longer required by default as per the RFC. (Issue #43)
+* You can now set multiple default scopes by passing an array into `setDefaultScope()`. (Issue #42)
+* The password and client credentials grants now allow for multiple sessions per user. (Issue #32)
+* Scopes associated to authorization codes are not held in their own table (Issue #44)
+* Database schema updates.
+
+## 2.0.5 (released 2013-05-09)
+
+* Fixed `oauth_session_token_scopes` table primary key
+* Removed `DEFAULT ''` that has slipped into some tables
+* Fixed docblock for `SessionInterface::associateRefreshToken()`
+
+## 2.0.4 (released 2013-05-09)
+
+* Renamed primary key in oauth_client_endpoints table
+* Adding missing column to oauth_session_authcodes
+* SECURITY FIX: A refresh token should be bound to a client ID
+
+## 2.0.3 (released 2013-05-08)
+
+* Fixed a link to code in composer.json
+
+## 2.0.2 (released 2013-05-08)
+
+* Updated README with wiki guides
+* Removed `null` as default parameters in some methods in the storage interfaces
+* Fixed license copyright
+
+## 2.0.0 (released 2013-05-08)
+
+**If you're upgrading from v1.0.8 there are lots of breaking changes**
+
+* Rewrote the session storage interface from scratch so methods are more obvious
+* Included a PDO driver which implements the storage interfaces so the library is more "get up and go"
+* Further normalised the database structure so all sessions no longer contain infomation related to authorization grant (which may or may not be enabled)
+* A session can have multiple associated access tokens
+* Induvidual grants can have custom expire times for access tokens
+* Authorization codes now have a TTL of 10 minutes by default (can be manually set)
+* Refresh tokens now have a TTL of one week by default (can be manually set)
+* The client credentials grant will no longer gives out refresh tokens as per the specification
+
+## 1.0.8 (released 2013-03-18)
+
+* Fixed check for required state parameter
+* Fixed check that user's credentials are correct in Password grant
+
+## 1.0.7 (released 2013-03-04)
+
+* Added method `requireStateParam()`
+* Added method `requireScopeParam()`
+
+## 1.0.6 (released 2013-02-22)
+
+* Added links to tutorials in the README
+* Added missing `state` parameter request to the `checkAuthoriseParams()` method.
+
 ## 1.0.5 (released 2013-02-21)
 
 * Fixed the SQL example for SessionInterface::getScopes()
@@ -19,4 +121,4 @@
 
 ## 1.0.0 (released 2013-02-15)
 
-* First release
+* First major release

CONTRIBUTING.md

@@ -0,0 +1,15 @@
+Thanks for contributing to this project.
+
+
+**Please submit your pull request against the `develop` branch only.**
+
+
+Please ensure that you run `phpunit` from the project root after you've made any changes.
+
+If you've added something new please create a new unit test, if you've changed something please update any unit tests as appropritate.
+
+We're trying to ensure there is **100%** test code coverage (including testing PHP errors and exceptions) so please ensure any new/updated tests cover all of your changes.
+
+Thank you,
+
+@alexbilbie

README.md

@@ -1,52 +1,97 @@
-# PHP OAuth Framework
+# PHP OAuth 2.0 Server
 
-The goal of this project is to develop a standards compliant [OAuth 2](http://tools.ietf.org/wg/oauth/draft-ietf-oauth-v2/) authorization server and resource server.
+[![Latest Stable Version](https://poser.pugx.org/league/oauth2-server/v/stable.png)](https://packagist.org/packages/league/oauth2-server) [![Coverage Status](https://coveralls.io/repos/thephpleague/oauth2-server/badge.png?branch=master)](https://coveralls.io/r/thephpleague/oauth2-server?branch=master) [![Total Downloads](https://poser.pugx.org/league/oauth2-server/downloads.png)](https://packagist.org/packages/league/oauth2-server) [![Bitdeli Badge](https://d2weczhvl823v0.cloudfront.net/thephpleague/oauth2-server/trend.png)](https://bitdeli.com/free "Bitdeli Badge")
+
+
+A standards compliant [OAuth 2.0](http://tools.ietf.org/wg/oauth/draft-ietf-oauth-v2/) authorization server and resource server written in PHP.
 
 ## Package Installation
 
-The framework is provided as a Composer package which can be installed by adding the package to your composer.json file:
+The framework is provided as a Composer package which can be installed by adding the package to your `composer.json` file:
 
 ```javascript
 {
 	"require": {
-		"lncd/OAuth2": "*"
+		"league/oauth2-server": "3.*"
 	}
 }
 ```
 
+### Framework Integrations
+
+* [Laravel Service Provider](https://packagist.org/packages/lucadegasperi/oauth2-server-laravel) by @lucadegasperi
+* [Laravel Eloquent implementation](https://github.com/ScubaClick/scubaclick-oauth2) by @ScubaClick (under development)
+
 ---
 
-The library features 100% unit test code coverage. To run the tests yourself run `phpunit -c build/phpunit.xml`.
+The library features 100% unit test code coverage. To run the tests yourself run `phpunit` from the project root.
+
+[![Build Status](https://travis-ci.org/thephpleague/oauth2-server.png?branch=master)](https://travis-ci.org/thephpleague/oauth2-server) [master]
+
+[![Build Status](https://travis-ci.org/thephpleague/oauth2-server.png?branch=develop)](https://travis-ci.org/thephpleague/oauth2-server) [develop]
+
 
 ## Current Features
 
 ### Authorization Server
 
-The authorization server is a flexible class and following core specification grants are implemented:
+The authorization server is a flexible class and the following core specification grants are implemented:
 
 * authorization code ([section 4.1](http://tools.ietf.org/html/rfc6749#section-4.1))
 * refresh token ([section 6](http://tools.ietf.org/html/rfc6749#section-6))
 * client credentials ([section 2.3.1](http://tools.ietf.org/html/rfc6749#section-2.3.1))
 * password (user credentials) ([section 4.3](http://tools.ietf.org/html/rfc6749#section-4.3))
 
+An [overview of the different OAuth 2.0 grants](https://github.com/thephpleague/oauth2-server/wiki/Which-OAuth-2.0-grant-should-I-use%3F) can be found in the [wiki].
+
 ### Resource Server
 
-The resource server allows you to secure your API endpoints by checking for a valid OAuth access token in the request and ensuring the token has the correct permission to access resources.
+The resource server allows you to secure your API endpoints by checking for a valid OAuth access token in the request and ensuring the token has the correct scope(s) (i.e. permissions) to access resources.
 
-## Future Goals
+### Custom grants
 
-### Authorization Server
+Custom grants can be created easily by implementing an interface. Check out the [custom grant guide](https://github.com/thephpleague/oauth2-server/wiki/Creating-custom-grants).
 
-* Support for [JSON web tokens](http://tools.ietf.org/wg/oauth/draft-ietf-oauth-json-web-token/).
-* Support for [SAML assertions](http://tools.ietf.org/wg/oauth/draft-ietf-oauth-saml2-bearer/).
+## Tutorials and Documentation
 
----
+* **[Wiki]** - The wiki has lots of guides on how to use this library.
 
-This code will be developed as part of the [Linkey](http://linkey.blogs.lincoln.ac.uk) project which has been funded by [JISC](http://jisc.ac.uk) under the Access and Identity Management programme.
+* **[Developing an OAuth-2.0 Authorization Server]** - A simple tutorial on how to use the authorization server.
 
-This code was principally developed by [Alex Bilbie](http://alexbilbie.com/) ([Twitter](https://twitter.com/alexbilbie)|[Github](https://github.com/alexbilbie)).
+* **[Securing your API with OAuth 2.0]** - A simple tutorial on how to use the resource server to secure an API server.
 
-Valuable contribtions have been made by the following:
+[Wiki]: https://github.com/thephpleague/oauth2-server/wiki
+[Securing your API with OAuth 2.0]: https://github.com/thephpleague/oauth2-server/wiki/Securing-your-API-with-OAuth-2.0
+[Developing an OAuth-2.0 Authorization Server]: https://github.com/thephpleague/oauth2-server/wiki/Developing-an-OAuth-2.0-authorization-server
 
-* [Dan Horrigan](http://dandoescode.com) ([Twitter](https://twitter.com/dandoescode)|[Github](https://github.com/dandoescode))
-* [Nick Jackson](http://nickjackson.me) ([Twitter](https://twitter.com/jacksonj04)|[Github](https://github.com/jacksonj04))
+## Changelog
+
+[See the project releases page](https://github.com/thephpleague/oauth2-server/releases)
+
+## Contributing
+
+Please see [CONTRIBUTING](https://github.com/thephpleague/oauth2-server/blob/master/CONTRIBUTING.md) for details.
+
+## Support
+
+Bugs and feature request are tracked on [GitHub](https://github.com/thephpleague/oauth2-server/issues)
+
+## License
+
+This package is released under the MIT License. See the bundled [LICENSE](https://github.com/thephpleague/oauth2-server/blob/master/LICENSE) file for details.
+
+## Credits
+
+This code is principally developed and maintained by [Alex Bilbie](https://twitter.com/alexbilbie).
+
+Special thanks to:
+
+* [Dan Horrigan](https://github.com/dandoescode)
+* [Nick Jackson](https://github.com/jacksonj04)
+* [Michael Gooden](https://github.com/MichaelGooden)
+* [Phil Sturgeon](https://github.com/philsturgeon)
+* [and all the other contributors](https://github.com/thephpleague/oauth2-server/contributors)
+
+The initial code was developed as part of the [Linkey](http://linkey.blogs.lincoln.ac.uk) project which was funded by [JISC](http://jisc.ac.uk) under the Access and Identity Management programme.
+
+[![Bitdeli Badge](https://d2weczhvl823v0.cloudfront.net/thephpleague/oauth2-server/trend.png)](https://bitdeli.com/free "Bitdeli Badge")

build.xml

@@ -1,142 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project name="PHP OAuth 2.0 Server" default="build">
-
-	<target name="build" depends="prepare,lint,phploc,pdepend,phpmd-ci,phpcs-ci,phpcpd,composer,phpunit,phpdox,phpcb"/>
-	
-	<target name="build-parallel" depends="prepare,lint,tools-parallel,phpcb"/>
-	
-	<target name="minimal" depends="prepare,lint,phploc,pdepend,phpcpd,composer,phpunit,phpdox,phpcb" />
-	
-	<target name="tools-parallel" description="Run tools in parallel">
-		<parallel threadCount="2">
-			<sequential>
-				<antcall target="pdepend"/>
-				<antcall target="phpmd-ci"/>
-			</sequential>
-			<antcall target="phpcpd"/>
-			<antcall target="phpcs-ci"/>
-			<antcall target="phploc"/>
-			<antcall target="phpdox"/>
-		</parallel>
-	</target>
-	
-	<target name="clean" description="Cleanup build artifacts">
-		<delete dir="${basedir}/build/api"/>
-		<delete dir="${basedir}/build/code-browser"/>
-		<delete dir="${basedir}/build/coverage"/>
-		<delete dir="${basedir}/build/logs"/>
-		<delete dir="${basedir}/build/pdepend"/>
-	</target>
-	
-	<target name="prepare" depends="clean" description="Prepare for build">
-		<mkdir dir="${basedir}/build/api"/>
-		<mkdir dir="${basedir}/build/code-browser"/>
-		<mkdir dir="${basedir}/build/coverage"/>
-		<mkdir dir="${basedir}/build/logs"/>
-		<mkdir dir="${basedir}/build/pdepend"/>
-		<mkdir dir="${basedir}/build/phpdox"/>
-	</target>
-	
-	<target name="lint">
-		<apply executable="php" failonerror="true">
-			<arg value="-l" />
-			
-			<fileset dir="${basedir}/src">
-				<include name="**/*.php" />
-				<modified />
-			</fileset>
-		</apply>
-	</target>
-	
-	<target name="phploc" description="Measure project size using PHPLOC">
-		<exec executable="phploc">
-			<arg value="--log-csv" />
-			<arg value="${basedir}/build/logs/phploc.csv" />
-			<arg path="${basedir}/src" />
-		</exec>
-	</target>
-	
-	<target name="pdepend" description="Calculate software metrics using PHP_Depend">
-		<exec executable="pdepend">
-			<arg value="--jdepend-xml=${basedir}/build/logs/jdepend.xml" />
-			<arg value="--jdepend-chart=${basedir}/build/pdepend/dependencies.svg" />
-			<arg value="--overview-pyramid=${basedir}/build/pdepend/overview-pyramid.svg" />
-			<arg path="${basedir}/src" />
-		</exec>
-	</target>
-	
-	<target name="phpmd" description="Perform project mess detection using PHPMD and print human readable output. Intended for usage on the command line before committing.">
-		<exec executable="phpmd">
-			<arg path="${basedir}/src" />
-			<arg value="text" />
-			<arg value="${basedir}/build/phpmd.xml" />
-		</exec>
-	</target>
-	
-	<target name="phpmd-ci" description="Perform project mess detection using PHPMD creating a log file for the continuous integration server">
-		<exec executable="phpmd">
-			<arg path="${basedir}/src" />
-			<arg value="xml" />
-			<arg value="${basedir}/build/phpmd.xml" />
-			<arg value="--reportfile" />
-			<arg value="${basedir}/build/logs/pmd.xml" />
-		</exec>
-	</target>
-	
-	<target name="phpcs" description="Find coding standard violations using PHP_CodeSniffer and print human readable output. Intended for usage on the command line before committing.">
-		<exec executable="phpcs">
-			<arg value="--standard=${basedir}/build/phpcs.xml" />
-			<arg value="--extensions=php" />
-			<arg value="--ignore=third_party/CIUnit" />
-			<arg path="${basedir}/src" />
-		</exec>
-	</target>
-	
-	<target name="phpcs-ci" description="Find coding standard violations using PHP_CodeSniffer creating a log file for the continuous integration server">
-		<exec executable="phpcs" output="/dev/null">
-			<arg value="--report=checkstyle" />
-			<arg value="--report-file=${basedir}/build/logs/checkstyle.xml" />
-			<arg value="--standard=${basedir}/build/phpcs.xml" />
-			<arg value="--extensions=php" />
-			<arg value="--ignore=third_party/CIUnit" />
-			<arg path="${basedir}/src" />
-		</exec>
-	</target>
-	
-	<target name="phpcpd" description="Find duplicate code using PHPCPD">
-		<exec executable="phpcpd">
-			<arg value="--log-pmd" />
-			<arg value="${basedir}/build/logs/pmd-cpd.xml" />
-			<arg path="${basedir}/src" />
-		</exec>
-	</target>
-
-	<target name="composer" description="Install Composer requirements">
-		<exec executable="composer.phar" failonerror="true">
-			<arg value="install" />
-			<arg value="--dev" />
-		</exec>
-	</target>
-
-	<target name="phpunit" description="Run unit tests with PHPUnit">
-		<exec executable="${basedir}/vendor/bin/phpunit" failonerror="true">
-			<arg value="--configuration" />
-			<arg value="${basedir}/build/phpunit.xml" />
-		</exec>
-	</target>
-	
-	<target name="phpdox" description="Generate API documentation using phpDox">
-		<exec executable="phpdox"/>
-	</target>
-	
-	<target name="phpcb" description="Aggregate tool output with PHP_CodeBrowser">
-		<exec executable="phpcb">
-			<arg value="--log" />
-			<arg path="${basedir}/build/logs" />
-			<arg value="--source" />
-			<arg path="${basedir}/src" />
-			<arg value="--output" />
-			<arg path="${basedir}/build/code-browser" />
-		</exec>
-	</target>
-</project>

build/phpcs.xml

@@ -1,8 +0,0 @@
-<?xml version="1.0"?>
-<ruleset name="PHP_CodeSniffer">
-
-	<description>PHP_CodeSniffer configuration</description>
-
-	<rule ref="PSR2"/>
-
-</ruleset>

build/phpmd.xml

@@ -1,14 +0,0 @@
-<ruleset name="OAuth 2.0 Server"
-	xmlns="http://pmd.sf.net/ruleset/1.0.0"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xsi:schemaLocation="http://pmd.sf.net/ruleset/1.0.0
-		http://pmd.sf.net/ruleset_xml_schema.xsd"
-	xsi:noNamespaceSchemaLocation="http://pmd.sf.net/ruleset_xml_schema.xsd">
-
-	<description>
-		Ruleset for OAuth 2.0 server
-	</description>
-
-	<!-- Import the entire unused code rule set -->
-	<rule ref="rulesets/unusedcode.xml" />
-</ruleset>

build/phpunit.xml

@@ -1,31 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<phpunit colors="true" convertNoticesToExceptions="true" convertWarningsToExceptions="true" stopOnError="false" stopOnFailure="false" stopOnIncomplete="false" stopOnSkipped="false" bootstrap="../tests/Bootstrap.php">
-	<testsuites>
-		<testsuite name="Authorization Server">
-			<directory suffix="Test.php">../tests/authorization</directory>
-		</testsuite>
-		<testsuite name="Resource Server">
-			<directory suffix="Test.php">../tests/resource</directory>
-		</testsuite>
-		<testsuite name="Utility Methods">
-			<directory suffix="Test.php">../tests/util</directory>
-		</testsuite>
-	</testsuites>
-	<filter>
-		<blacklist>
-			<directory suffix=".php">PEAR_INSTALL_DIR</directory>
-			<directory suffix=".php">PHP_LIBDIR</directory>
-			<directory suffix=".php">../vendor/composer</directory>
-			<directory suffix=".php">../vendor/mockery</directory>
-			<directory suffix=".php">../vendor/phpunit</directory>
-			<directory suffix=".php">../tests</directory>
-			<directory suffix=".php">../testing</directory>
-		</blacklist>
-	</filter>
-	<logging>
-		<log type="coverage-html" target="coverage" title="lncd/OAuth" charset="UTF-8" yui="true" highlight="true" lowUpperBound="50" highLowerBound="90"/>
-		<log type="coverage-text" target="php://stdout" title="lncd/OAuth" charset="UTF-8" yui="true" highlight="true" lowUpperBound="50" highLowerBound="90"/>
-		<log type="coverage-clover" target="logs/clover.xml"/>
-		<log type="junit" target="logs/junit.xml" logIncompleteSkipped="false"/>
-	</logging>
-</phpunit>

composer.json

@@ -1,20 +1,18 @@
 {
-	"name": "lncd/oauth2",
-	"description": "OAuth 2.0 Framework",
-	"version": "1.0.5",
-	"homepage": "https://github.com/lncd/OAuth2",
+	"name": "league/oauth2-server",
+	"description": "A lightweight and powerful OAuth 2.0 authorization and resource server library with support for all the core specification grants. This library will allow you to secure your API with OAuth and allow your applications users to approve apps that want to access their data from your API.",
 	"license": "MIT",
 	"require": {
-		"php": ">=5.3.0"
+		"php": ">=5.4.0"
 	},
 	"require-dev": {
-		"phpunit/phpunit": "*",
-        "mockery/mockery": ">=0.7.2"
+		"mockery/mockery": ">=0.7.2",
+		"league/phpunit-coverage-listener": "~1.0"
 	},
 	"repositories": [
 		{
 			"type": "git",
-			"url": "https://github.com/lncd/OAuth2"
+			"url": "https://github.com/thephpleague/oauth2-server.git"
 		}
 	],
 	"keywords": [
@@ -24,7 +22,10 @@
 		"authorization",
 		"authentication",
 		"resource",
-		"api"
+		"api",
+		"auth",
+		"protect",
+		"secure"
 	],
 	"authors": [
 		{
@@ -34,10 +35,15 @@
 			"role": "Developer"
 		}
 	],
+	"replace": {
+		"lncd/oauth2": "*"
+	},
 	"autoload": {
 		"psr-0": {
-			"OAuth2": "src/"
+			"League\\OAuth2\\Server": "src/"
 		}
 	},
-	"suggest": {}
+	"suggest": {
+
+	}
 }

license.txt

@@ -1,20 +1,20 @@
 MIT License
 
-Copyright (C) 2012 University of Lincoln
+Copyright (C) 2013 PHP League of Extraordinary Packages
 
-Permission is hereby granted, free of charge, to any person obtaining a copy of 
-this software and associated documentation files (the "Software"), to deal in 
-the Software without restriction, including without limitation the rights to 
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
 use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
 the Software, and to permit persons to whom the Software is furnished to do so,
 subject to the following conditions:
 
-The above copyright notice and this permission notice shall be included in all 
+The above copyright notice and this permission notice shall be included in all
 copies or substantial portions of the Software.
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR 
-COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

phpunit.xml.dist

@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<phpunit colors="true" convertNoticesToExceptions="true" convertWarningsToExceptions="true" stopOnError="false" stopOnFailure="false" stopOnIncomplete="false" stopOnSkipped="false" bootstrap="tests/Bootstrap.php">
+	<testsuites>
+		<testsuite name="Authorization Server">
+			<directory suffix="Test.php">tests/authorization</directory>
+		</testsuite>
+		<testsuite name="Resource Server">
+			<directory suffix="Test.php">tests/resource</directory>
+		</testsuite>
+		<testsuite name="Utility Methods">
+			<directory suffix="Test.php">tests/util</directory>
+		</testsuite>
+	</testsuites>
+	<filter>
+		<blacklist>
+			<directory suffix=".php">PEAR_INSTALL_DIR</directory>
+			<directory suffix=".php">PHP_LIBDIR</directory>
+			<directory suffix=".php">vendor</directory>
+			<directory suffix=".php">tests</directory>
+			<directory suffix=".php">testing</directory>
+		</blacklist>
+	</filter>
+	<logging>
+        <log type="coverage-clover" target="/tmp/coverage.xml"/>
+        <log type="coverage-text" target="php://stdout" showUncoveredFiles="false"/>
+    </logging>
+    <listeners>
+        <listener class="League\PHPUnitCoverageListener\Listener">
+            <arguments>
+                <array>
+                    <element key="printer">
+                      <object class="League\PHPUnitCoverageListener\Printer\StdOut"/>
+                    </element>
+                    <element key="hook">
+                      <object class="League\PHPUnitCoverageListener\Hook\Travis"/>
+                    </element>
+                    <element key="namespace">
+                        <string>League\OAuth2\Server</string>
+                    </element>
+                    <element key="repo_token">
+                        <string>DtNuuOrBh1QBXVyRqmVldC2Au11DVti9n</string>
+                    </element>
+                    <element key="target_url">
+                        <string>https://coveralls.io/api/v1/jobs</string>
+                    </element>
+                    <element key="coverage_dir">
+                        <string>/tmp</string>
+                    </element>
+                </array>
+            </arguments>
+        </listener>
+    </listeners>
+</phpunit>

sql/mysql.sql

@@ -1,53 +1,95 @@
 CREATE TABLE `oauth_clients` (
-  `id` varchar(40) NOT NULL DEFAULT '',
-  `secret` varchar(40) NOT NULL DEFAULT '',
-  `name` varchar(255) NOT NULL DEFAULT '',
-  `auto_approve` tinyint(1) NOT NULL DEFAULT '0',
-  PRIMARY KEY (`id`)
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+  `id` CHAR(40) NOT NULL,
+  `secret` CHAR(40) NOT NULL,
+  `name` VARCHAR(255) NOT NULL,
+  `auto_approve` TINYINT(1) NOT NULL DEFAULT '0',
+  PRIMARY KEY (`id`),
+  UNIQUE KEY `u_oacl_clse_clid` (`secret`,`id`)
+) ENGINE=INNODB DEFAULT CHARSET=utf8 COLLATE utf8_unicode_ci;
 
 CREATE TABLE `oauth_client_endpoints` (
-  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
-  `client_id` varchar(40) NOT NULL DEFAULT '',
-  `redirect_uri` varchar(255) DEFAULT NULL,
+  `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
+  `client_id` char(40) NOT NULL,
+  `redirect_uri` varchar(255) NOT NULL,
   PRIMARY KEY (`id`),
-  KEY `client_id` (`client_id`),
-  CONSTRAINT `oauth_client_endpoints_ibfk_1` FOREIGN KEY (`client_id`) REFERENCES `oauth_clients` (`id`) ON DELETE CASCADE ON UPDATE CASCADE
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+  KEY `i_oaclen_clid` (`client_id`),
+  CONSTRAINT `f_oaclen_clid` FOREIGN KEY (`client_id`) REFERENCES `oauth_clients` (`id`) ON DELETE CASCADE ON UPDATE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE utf8_unicode_ci;
 
 CREATE TABLE `oauth_sessions` (
-  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
-  `client_id` varchar(40) NOT NULL DEFAULT '',
-  `redirect_uri` varchar(250) DEFAULT '',
+  `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
+  `client_id` char(40) NOT NULL,
   `owner_type` enum('user','client') NOT NULL DEFAULT 'user',
-  `owner_id` varchar(255) DEFAULT '',
-  `auth_code` varchar(40) DEFAULT '',
-  `access_token` varchar(40) DEFAULT '',
-  `refresh_token` varchar(40) DEFAULT '',
-  `access_token_expires` int(10) DEFAULT NULL,
-  `stage` enum('requested','granted') NOT NULL DEFAULT 'requested',
-  `first_requested` int(10) unsigned NOT NULL,
-  `last_updated` int(10) unsigned NOT NULL,
+  `owner_id` varchar(255) NOT NULL,
   PRIMARY KEY (`id`),
-  KEY `client_id` (`client_id`)
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+  KEY `i_uase_clid_owty_owid` (`client_id`,`owner_type`,`owner_id`),
+  CONSTRAINT `f_oase_clid` FOREIGN KEY (`client_id`) REFERENCES `oauth_clients` (`id`) ON DELETE CASCADE ON UPDATE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE utf8_unicode_ci;
 
-CREATE TABLE `oauth_scopes` (
-  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
-  `scope` varchar(255) NOT NULL DEFAULT '',
-  `name` varchar(255) NOT NULL DEFAULT '',
-  `description` varchar(255) DEFAULT '',
+CREATE TABLE `oauth_session_access_tokens` (
+  `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
+  `session_id` int(10) unsigned NOT NULL,
+  `access_token` char(40) NOT NULL,
+  `access_token_expires` int(10) unsigned NOT NULL,
   PRIMARY KEY (`id`),
-  UNIQUE KEY `scope` (`scope`)
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+  UNIQUE KEY `u_oaseacto_acto_seid` (`access_token`,`session_id`),
+  KEY `f_oaseto_seid` (`session_id`),
+  CONSTRAINT `f_oaseto_seid` FOREIGN KEY (`session_id`) REFERENCES `oauth_sessions` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE utf8_unicode_ci;
 
-CREATE TABLE `oauth_session_scopes` (
-  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
-  `session_id` int(11) unsigned NOT NULL,
-  `scope_id` int(11) unsigned NOT NULL,
+CREATE TABLE `oauth_session_authcodes` (
+  `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
+  `session_id` int(10) unsigned NOT NULL,
+  `auth_code` char(40) NOT NULL,
+  `auth_code_expires` int(10) unsigned NOT NULL,
   PRIMARY KEY (`id`),
   KEY `session_id` (`session_id`),
+  CONSTRAINT `oauth_session_authcodes_ibfk_1` FOREIGN KEY (`session_id`) REFERENCES `oauth_sessions` (`id`) ON DELETE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE utf8_unicode_ci;
+
+CREATE TABLE `oauth_session_redirects` (
+  `session_id` int(10) unsigned NOT NULL,
+  `redirect_uri` varchar(255) NOT NULL,
+  PRIMARY KEY (`session_id`),
+  CONSTRAINT `f_oasere_seid` FOREIGN KEY (`session_id`) REFERENCES `oauth_sessions` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE utf8_unicode_ci;
+
+CREATE TABLE `oauth_session_refresh_tokens` (
+  `session_access_token_id` int(10) unsigned NOT NULL,
+  `refresh_token` char(40) NOT NULL,
+  `refresh_token_expires` int(10) unsigned NOT NULL,
+  `client_id` char(40) NOT NULL,
+  PRIMARY KEY (`session_access_token_id`),
+  KEY `client_id` (`client_id`),
+  CONSTRAINT `oauth_session_refresh_tokens_ibfk_1` FOREIGN KEY (`client_id`) REFERENCES `oauth_clients` (`id`) ON DELETE CASCADE,
+  CONSTRAINT `f_oasetore_setoid` FOREIGN KEY (`session_access_token_id`) REFERENCES `oauth_session_access_tokens` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE utf8_unicode_ci;
+
+CREATE TABLE `oauth_scopes` (
+  `id` smallint(5) unsigned NOT NULL AUTO_INCREMENT,
+  `scope` varchar(255) NOT NULL,
+  `name` varchar(255) NOT NULL,
+  `description` varchar(255) DEFAULT NULL,
+  PRIMARY KEY (`id`),
+  UNIQUE KEY `u_oasc_sc` (`scope`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE utf8_unicode_ci;
+
+CREATE TABLE `oauth_session_token_scopes` (
+  `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
+  `session_access_token_id` int(10) unsigned DEFAULT NULL,
+  `scope_id` smallint(5) unsigned NOT NULL,
+  PRIMARY KEY (`id`),
+  UNIQUE KEY `u_setosc_setoid_scid` (`session_access_token_id`,`scope_id`),
+  KEY `f_oasetosc_scid` (`scope_id`),
+  CONSTRAINT `f_oasetosc_scid` FOREIGN KEY (`scope_id`) REFERENCES `oauth_scopes` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION,
+  CONSTRAINT `f_oasetosc_setoid` FOREIGN KEY (`session_access_token_id`) REFERENCES `oauth_session_access_tokens` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE utf8_unicode_ci;
+
+CREATE TABLE `oauth_session_authcode_scopes` (
+  `oauth_session_authcode_id` int(10) unsigned NOT NULL,
+  `scope_id` smallint(5) unsigned NOT NULL,
+  KEY `oauth_session_authcode_id` (`oauth_session_authcode_id`),
   KEY `scope_id` (`scope_id`),
-  CONSTRAINT `oauth_session_scopes_ibfk_5` FOREIGN KEY (`scope_id`) REFERENCES `oauth_scopes` (`id`) ON DELETE CASCADE,
-  CONSTRAINT `oauth_session_scopes_ibfk_4` FOREIGN KEY (`session_id`) REFERENCES `oauth_sessions` (`id`) ON DELETE CASCADE
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+  CONSTRAINT `oauth_session_authcode_scopes_ibfk_2` FOREIGN KEY (`scope_id`) REFERENCES `oauth_scopes` (`id`) ON DELETE CASCADE,
+  CONSTRAINT `oauth_session_authcode_scopes_ibfk_1` FOREIGN KEY (`oauth_session_authcode_id`) REFERENCES `oauth_session_authcodes` (`id`) ON DELETE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE utf8_unicode_ci;

src/League/OAuth2/Server/Authorization.php

@@ -0,0 +1,479 @@
+<?php
+/**
+ * OAuth 2.0 Authorization Server
+ *
+ * @package     php-loep/oauth2-server
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
+ * @license     http://mit-license.org/
+ * @link        http://github.com/php-loep/oauth2-server
+ */
+
+namespace League\OAuth2\Server;
+
+use League\OAuth2\Server\Util\Request;
+use League\OAuth2\Server\Util\SecureKey;
+use League\OAuth2\Server\Storage\SessionInterface;
+use League\OAuth2\Server\Storage\ClientInterface;
+use League\OAuth2\Server\Storage\ScopeInterface;
+use League\OAuth2\Server\Grant\GrantTypeInterface;
+
+/**
+ * OAuth 2.0 authorization server class
+ */
+class Authorization
+{
+    /**
+     * The delimeter between scopes specified in the scope query string parameter
+     *
+     * The OAuth 2 specification states it should be a space but most use a comma
+     * @var string
+     */
+    protected $scopeDelimeter = ' ';
+
+    /**
+     * The TTL (time to live) of an access token in seconds (default: 3600)
+     * @var integer
+     */
+    protected $accessTokenTTL = 3600;
+
+    /**
+     * The registered grant response types
+     * @var array
+     */
+    protected $responseTypes = array();
+
+    /**
+     * The client, scope and session storage classes
+     * @var array
+     */
+    protected $storages = array();
+
+    /**
+     * The registered grant types
+     * @var array
+     */
+    protected $grantTypes = array();
+
+    /**
+     * Require the "scope" parameter to be in checkAuthoriseParams()
+     * @var boolean
+     */
+    protected $requireScopeParam = false;
+
+    /**
+     * Default scope(s) to be used if none is provided
+     * @var string|array
+     */
+    protected $defaultScope = null;
+
+    /**
+     * Require the "state" parameter to be in checkAuthoriseParams()
+     * @var boolean
+     */
+    protected $requireStateParam = false;
+
+    /**
+     * The request object
+     * @var Util\RequestInterface
+     */
+    protected $request = null;
+
+    /**
+     * Exception error codes
+     * @var array
+     */
+    protected static $exceptionCodes = array(
+        0   =>  'invalid_request',
+        1   =>  'unauthorized_client',
+        2   =>  'access_denied',
+        3   =>  'unsupported_response_type',
+        4   =>  'invalid_scope',
+        5   =>  'server_error',
+        6   =>  'temporarily_unavailable',
+        7   =>  'unsupported_grant_type',
+        8   =>  'invalid_client',
+        9   =>  'invalid_grant'
+    );
+
+    /**
+     * Exception error messages
+     * @var array
+     */
+    protected static $exceptionMessages = array(
+        'invalid_request'           =>  'The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Check the "%s" parameter.',
+        'unauthorized_client'       =>  'The client is not authorized to request an access token using this method.',
+        'access_denied'             =>  'The resource owner or authorization server denied the request.',
+        'unsupported_response_type' =>  'The authorization server does not support obtaining an access token using this method.',
+        'invalid_scope'             =>  'The requested scope is invalid, unknown, or malformed. Check the "%s" scope.',
+        'server_error'              =>  'The authorization server encountered an unexpected condition which prevented it from fulfilling the request.',
+        'temporarily_unavailable'   =>  'The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server.',
+        'unsupported_grant_type'    =>  'The authorization grant type "%s" is not supported by the authorization server',
+        'invalid_client'            =>  'Client authentication failed',
+        'invalid_grant'             =>  'The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. Check the "%s" parameter.',
+        'invalid_credentials'       =>  'The user credentials were incorrect.',
+        'invalid_refresh'           =>  'The refresh token is invalid.',
+    );
+
+    /**
+     * Exception error HTTP status codes
+     * @var array
+     *
+     * RFC 6749, section 4.1.2.1.:
+     * No 503 status code for 'temporarily_unavailable', because
+     * "a 503 Service Unavailable HTTP status code cannot be
+     * returned to the client via an HTTP redirect"
+     */
+    protected static $exceptionHttpStatusCodes = array(
+        'invalid_request'           =>  400,
+        'unauthorized_client'       =>  400,
+        'access_denied'             =>  401,
+        'unsupported_response_type' =>  400,
+        'invalid_scope'             =>  400,
+        'server_error'              =>  500,
+        'temporarily_unavailable'   =>  400,
+        'unsupported_grant_type'    =>  501,
+        'invalid_client'            =>  401,
+        'invalid_grant'             =>  400,
+        'invalid_credentials'       =>  400,
+        'invalid_refresh'           =>  400,
+    );
+
+    /**
+     * Get all headers that have to be send with the error response
+     *
+     * @param  string $error The error message key
+     * @return array         Array with header values
+     */
+    public static function getExceptionHttpHeaders($error)
+    {
+        $headers = array();
+        switch (self::$exceptionHttpStatusCodes[$error]) {
+            case 401:
+                $headers[] = 'HTTP/1.1 401 Unauthorized';
+                break;
+            case 500:
+                $headers[] = 'HTTP/1.1 500 Internal Server Error';
+                break;
+            case 501:
+                $headers[] = 'HTTP/1.1 501 Not Implemented';
+                break;
+            case 400:
+            default:
+                $headers[] = 'HTTP/1.1 400 Bad Request';
+        }
+
+        // Add "WWW-Authenticate" header
+        //
+        // RFC 6749, section 5.2.:
+        // "If the client attempted to authenticate via the 'Authorization'
+        // request header field, the authorization server MUST
+        // respond with an HTTP 401 (Unauthorized) status code and
+        // include the "WWW-Authenticate" response header field
+        // matching the authentication scheme used by the client.
+        // @codeCoverageIgnoreStart
+        if ($error === 'invalid_client') {
+            $authScheme = null;
+            $request = new Request();
+            if ($request->server('PHP_AUTH_USER') !== null) {
+                $authScheme = 'Basic';
+            } else {
+                $authHeader = $request->header('Authorization');
+                if ($authHeader !== null) {
+                    if (strpos($authHeader, 'Bearer') === 0) {
+                        $authScheme = 'Bearer';
+                    } elseif (strpos($authHeader, 'Basic') === 0) {
+                        $authScheme = 'Basic';
+                    }
+                }
+            }
+            if ($authScheme !== null) {
+                $headers[] = 'WWW-Authenticate: '.$authScheme.' realm=""';
+            }
+        }
+        // @codeCoverageIgnoreEnd
+
+        return $headers;
+    }
+
+    /**
+     * Get an exception message
+     *
+     * @param  string $error The error message key
+     * @return string        The error message
+     */
+    public static function getExceptionMessage($error = '')
+    {
+        return self::$exceptionMessages[$error];
+    }
+
+    /**
+     * Get an exception code
+     *
+     * @param  integer $code The exception code
+     * @return string        The exception code type
+     */
+    public static function getExceptionType($code = 0)
+    {
+        return self::$exceptionCodes[$code];
+    }
+
+    /**
+     * Create a new OAuth2 authorization server
+     *
+     * @param ClientInterface  $client  A class which inherits from Storage/ClientInterface
+     * @param SessionInterface $session A class which inherits from Storage/SessionInterface
+     * @param ScopeInterface   $scope   A class which inherits from Storage/ScopeInterface
+     */
+    public function __construct(ClientInterface $client, SessionInterface $session, ScopeInterface $scope)
+    {
+        $this->storages = array(
+            'client'    =>  $client,
+            'session'   =>  $session,
+            'scope' =>  $scope
+        );
+    }
+
+    /**
+     * Enable support for a grant
+     * @param GrantTypeInterface $grantType  A grant class which conforms to Interface/GrantTypeInterface
+     * @param null|string        $identifier An identifier for the grant (autodetected if not passed)
+     */
+    public function addGrantType(GrantTypeInterface $grantType, $identifier = null)
+    {
+        if (is_null($identifier)) {
+            $identifier = $grantType->getIdentifier();
+        }
+
+        // Inject server into grant
+        $grantType->setAuthorizationServer($this);
+
+        $this->grantTypes[$identifier] = $grantType;
+
+        if ( ! is_null($grantType->getResponseType())) {
+            $this->responseTypes[] = $grantType->getResponseType();
+        }
+    }
+
+    /**
+     * Check if a grant type has been enabled
+     * @param  string  $identifier The grant type identifier
+     * @return boolean             Returns "true" if enabled, "false" if not
+     */
+    public function hasGrantType($identifier)
+    {
+        return (array_key_exists($identifier, $this->grantTypes));
+    }
+
+    /**
+     * Returns response types
+     *
+     * @return array
+     */
+    public function getResponseTypes()
+    {
+        return $this->responseTypes;
+    }
+
+    /**
+     * Require the "scope" paremter in checkAuthoriseParams()
+     * @param  boolean $require
+     * @return void
+     */
+    public function requireScopeParam($require = true)
+    {
+        $this->requireScopeParam = $require;
+    }
+
+    /**
+     * Is the scope parameter required?
+     * @return bool
+     */
+    public function scopeParamRequired()
+    {
+        return $this->requireScopeParam;
+    }
+
+    /**
+     * Default scope to be used if none is provided and requireScopeParam is false
+     * @param string|array $default
+     */
+    public function setDefaultScope($default = null)
+    {
+        $this->defaultScope = $default;
+        return $this;
+    }
+
+    /**
+     * Default scope to be used if none is provided and requireScopeParam is false
+     * @return string|null
+     */
+    public function getDefaultScope()
+    {
+        return $this->defaultScope;
+    }
+
+    /**
+     * Require the "state" paremter in checkAuthoriseParams()
+     * @param  boolean $require
+     * @return void
+     */
+    public function stateParamRequired()
+    {
+        return $this->requireStateParam;
+    }
+
+    /**
+     * Require the "state" paremter in checkAuthoriseParams()
+     * @param  boolean $require
+     * @return void
+     */
+    public function requireStateParam($require = true)
+    {
+        $this->requireStateParam = $require;
+        return $this;
+    }
+
+    /**
+     * Get the scope delimeter
+     *
+     * @return string The scope delimiter (default: ",")
+     */
+    public function getScopeDelimeter()
+    {
+        return $this->scopeDelimeter;
+    }
+
+    /**
+     * Set the scope delimiter
+     *
+     * @param string $scopeDelimeter
+     */
+    public function setScopeDelimeter($scopeDelimeter = ' ')
+    {
+        $this->scopeDelimeter = $scopeDelimeter;
+        return $this;
+    }
+
+    /**
+     * Get the TTL for an access token
+     * @return int The TTL
+     */
+    public function getAccessTokenTTL()
+    {
+        return $this->accessTokenTTL;
+    }
+
+    /**
+     * Set the TTL for an access token
+     * @param int $accessTokenTTL The new TTL
+     */
+    public function setAccessTokenTTL($accessTokenTTL = 3600)
+    {
+        $this->accessTokenTTL = $accessTokenTTL;
+        return $this;
+    }
+
+    /**
+     * Sets the Request Object
+     *
+     * @param Util\RequestInterface The Request Object
+     */
+    public function setRequest(Util\RequestInterface $request)
+    {
+        $this->request = $request;
+        return $this;
+    }
+
+    /**
+     * Gets the Request object.  It will create one from the globals if one is not set.
+     *
+     * @return Util\RequestInterface
+     */
+    public function getRequest()
+    {
+        if ($this->request === null) {
+            // @codeCoverageIgnoreStart
+            $this->request = Request::buildFromGlobals();
+        }
+        // @codeCoverageIgnoreEnd
+
+        return $this->request;
+    }
+
+    /**
+     * Return a storage class
+     * @param  string $obj The class required
+     * @return Storage\ClientInterface|Storage\ScopeInterface|Storage\SessionInterface
+     */
+    public function getStorage($obj)
+    {
+        return $this->storages[$obj];
+    }
+
+    /**
+     * Issue an access token
+     *
+     * @param  array $inputParams Optional array of parsed $_POST keys
+     * @return array             Authorise request parameters
+     */
+    public function issueAccessToken($inputParams = array())
+    {
+        $grantType = $this->getParam('grant_type', 'post', $inputParams);
+
+        if (is_null($grantType)) {
+            throw new Exception\ClientException(sprintf(self::$exceptionMessages['invalid_request'], 'grant_type'), 0);
+        }
+
+        // Ensure grant type is one that is recognised and is enabled
+        if ( ! in_array($grantType, array_keys($this->grantTypes))) {
+            throw new Exception\ClientException(sprintf(self::$exceptionMessages['unsupported_grant_type'], $grantType), 7);
+        }
+
+        // Complete the flow
+        return $this->getGrantType($grantType)->completeFlow($inputParams);
+    }
+
+    /**
+     * Return a grant type class
+     * @param  string $grantType The grant type identifer
+     * @return Grant\AuthCode|Grant\ClientCredentials|Grant\Implict|Grant\Password|Grant\RefreshToken
+     */
+    public function getGrantType($grantType)
+    {
+        if (isset($this->grantTypes[$grantType])) {
+            return $this->grantTypes[$grantType];
+        }
+
+        throw new Exception\InvalidGrantTypeException(sprintf(self::$exceptionMessages['unsupported_grant_type'], $grantType), 9);
+        }
+
+    /**
+     * Get a parameter from passed input parameters or the Request class
+     * @param  string|array $param Required parameter
+     * @param  string $method      Get/put/post/delete
+     * @param  array  $inputParams Passed input parameters
+     * @return mixed               'Null' if parameter is missing
+     */
+    public function getParam($param = '', $method = 'get', $inputParams = array(), $default = null)
+    {
+        if (is_string($param)) {
+            if (isset($inputParams[$param])) {
+                return $inputParams[$param];
+            } elseif ($param === 'client_id' && ! is_null($clientId = $this->getRequest()->server('PHP_AUTH_USER'))) {
+                return $clientId;
+            } elseif ($param === 'client_secret' && ! is_null($clientSecret = $this->getRequest()->server('PHP_AUTH_PW'))) {
+                return $clientSecret;
+            } else {
+                return $this->getRequest()->{$method}($param, $default);
+            }
+        } else {
+            $response = array();
+            foreach ($param as $p) {
+                $response[$p] = $this->getParam($p, $method, $inputParams);
+            }
+            return $response;
+        }
+    }
+
+}

src/League/OAuth2/Server/Exception/ClientException.php

@@ -2,14 +2,14 @@
 /**
  * OAuth 2.0 Client Exception
  *
- * @package     lncd/oauth2
+ * @package     php-loep/oauth2-server
  * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) 2013 University of Lincoln
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
  * @license     http://mit-license.org/
- * @link        http://github.com/lncd/oauth2
+ * @link        http://github.com/php-loep/oauth2-server
  */
 
-namespace OAuth2\Exception;
+namespace League\OAuth2\Server\Exception;
 
 /**
  * ClientException Exception

src/League/OAuth2/Server/Exception/InsufficientScopeException.php

@@ -0,0 +1,20 @@
+<?php
+/**
+ * OAuth 2.0 Insufficient Scope Exception
+ *
+ * @package     php-loep/oauth2-server
+ * @author      Woody Gilk <woody@shadowhand.me>
+ * @copyright   Copyright (c) 2014 PHP League of Extraordinary Packages
+ * @license     http://mit-license.org/
+ * @link        http://github.com/php-loep/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Exception;
+
+/**
+ * InsufficientScope Exception
+ */
+class InsufficientScopeException extends OAuth2Exception
+{
+
+}

src/League/OAuth2/Server/Exception/InvalidAccessTokenException.php

@@ -2,14 +2,14 @@
 /**
  * OAuth 2.0 Invalid Access Token Exception
  *
- * @package     lncd/oauth2
+ * @package     php-loep/oauth2-server
  * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) 2013 University of Lincoln
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
  * @license     http://mit-license.org/
- * @link        http://github.com/lncd/oauth2
+ * @link        http://github.com/php-loep/oauth2-server
  */
 
-namespace OAuth2\Exception;
+namespace League\OAuth2\Server\Exception;
 
 /**
  * InvalidAccessToken Exception

src/League/OAuth2/Server/Exception/InvalidGrantTypeException.php

@@ -2,14 +2,14 @@
 /**
  * OAuth 2.0 Invalid Grant Type Exception
  *
- * @package     lncd/oauth2
+ * @package     php-loep/oauth2-server
  * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) 2013 University of Lincoln
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
  * @license     http://mit-license.org/
- * @link        http://github.com/lncd/oauth2
+ * @link        http://github.com/php-loep/oauth2-server
  */
 
-namespace OAuth2\Exception;
+namespace League\OAuth2\Server\Exception;
 
 /**
  * InvalidGrantTypeException Exception

src/League/OAuth2/Server/Exception/MissingAccessTokenException.php

@@ -0,0 +1,20 @@
+<?php
+/**
+ * OAuth 2.0 Missing Access Token Exception
+ *
+ * @package     php-loep/oauth2-server
+ * @author      Woody Gilk <woody@shadowhand.me>
+ * @copyright   Copyright (c) 2014 PHP League of Extraordinary Packages
+ * @license     http://mit-license.org/
+ * @link        http://github.com/php-loep/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Exception;
+
+/**
+ * MissingAccessToken Exception
+ */
+class MissingAccessTokenException extends OAuth2Exception
+{
+
+}

src/League/OAuth2/Server/Exception/OAuth2Exception.php

@@ -2,14 +2,14 @@
 /**
  * OAuth 2.0 Base Exception
  *
- * @package     lncd/oauth2
+ * @package     php-loep/oauth2-server
  * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) 2013 University of Lincoln
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
  * @license     http://mit-license.org/
- * @link        http://github.com/lncd/oauth2
+ * @link        http://github.com/php-loep/oauth2-server
  */
 
-namespace OAuth2\Exception;
+namespace League\OAuth2\Server\Exception;
 
 /**
  * Exception class

src/League/OAuth2/Server/Grant/AuthCode.php

@@ -0,0 +1,259 @@
+<?php
+/**
+ * OAuth 2.0 Auth code grant
+ *
+ * @package     php-loep/oauth2-server
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
+ * @license     http://mit-license.org/
+ * @link        http://github.com/php-loep/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Grant;
+
+use League\OAuth2\Server\Request;
+use League\OAuth2\Server\Authorization;
+use League\OAuth2\Server\Exception;
+use League\OAuth2\Server\Util\SecureKey;
+use League\OAuth2\Server\Storage\SessionInterface;
+use League\OAuth2\Server\Storage\ClientInterface;
+use League\OAuth2\Server\Storage\ScopeInterface;
+
+/**
+ * Auth code grant class
+ */
+class AuthCode implements GrantTypeInterface {
+
+    use GrantTrait;
+
+    /**
+     * Grant identifier
+     * @var string
+     */
+    protected $identifier = 'authorization_code';
+
+    /**
+     * Response type
+     * @var string
+     */
+    protected $responseType = 'code';
+
+    /**
+     * AuthServer instance
+     * @var AuthServer
+     */
+    protected $authServer = null;
+
+    /**
+     * Access token expires in override
+     * @var int
+     */
+    protected $accessTokenTTL = null;
+
+    /**
+     * The TTL of the auth token
+     * @var integer
+     */
+    protected $authTokenTTL = 600;
+
+    /**
+     * Override the default access token expire time
+     * @param int $authTokenTTL
+     * @return void
+     */
+    public function setAuthTokenTTL($authTokenTTL)
+    {
+        $this->authTokenTTL = $authTokenTTL;
+    }
+
+    /**
+     * Check authorise parameters
+     *
+     * @param  array $inputParams Optional array of parsed $_GET keys
+     * @throws \OAuth2\Exception\ClientException
+     * @return array             Authorise request parameters
+     */
+    public function checkAuthoriseParams($inputParams = array())
+    {
+        // Auth params
+        $authParams = $this->authServer->getParam(array('client_id', 'redirect_uri', 'response_type', 'scope', 'state'), 'get', $inputParams);
+
+        if (is_null($authParams['client_id'])) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'client_id'), 0);
+        }
+
+        if (is_null($authParams['redirect_uri'])) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'redirect_uri'), 0);
+        }
+
+        if ($this->authServer->stateParamRequired() === true && is_null($authParams['state'])) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'state'), 0);
+        }
+
+        // Validate client ID and redirect URI
+        $clientDetails = $this->authServer->getStorage('client')->getClient($authParams['client_id'], null, $authParams['redirect_uri'], $this->identifier);
+
+        if ($clientDetails === false) {
+            throw new Exception\ClientException($this->authServer->getExceptionMessage('invalid_client'), 8);
+        }
+
+        $authParams['client_details'] = $clientDetails;
+
+        if (is_null($authParams['response_type'])) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'response_type'), 0);
+        }
+
+        // Ensure response type is one that is recognised
+        if ( ! in_array($authParams['response_type'], $this->authServer->getResponseTypes())) {
+            throw new Exception\ClientException($this->authServer->getExceptionMessage('unsupported_response_type'), 3);
+        }
+
+        // Validate scopes
+        $scopes = explode($this->authServer->getScopeDelimeter(), $authParams['scope']);
+
+        for ($i = 0; $i < count($scopes); $i++) {
+            $scopes[$i] = trim($scopes[$i]);
+            if ($scopes[$i] === '') unset($scopes[$i]); // Remove any junk scopes
+        }
+
+        if ($this->authServer->scopeParamRequired() === true && $this->authServer->getDefaultScope() === null && count($scopes) === 0) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'scope'), 0);
+        } elseif (count($scopes) === 0 && $this->authServer->getDefaultScope() !== null) {
+            if (is_array($this->authServer->getDefaultScope())) {
+                $scopes = $this->authServer->getDefaultScope();
+            } else {
+                $scopes = array($this->authServer->getDefaultScope());
+            }
+        }
+
+        $authParams['scopes'] = array();
+
+        foreach ($scopes as $scope) {
+            $scopeDetails = $this->authServer->getStorage('scope')->getScope($scope, $authParams['client_id'], $this->identifier);
+
+            if ($scopeDetails === false) {
+                throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_scope'), $scope), 4);
+            }
+
+            $authParams['scopes'][] = $scopeDetails;
+        }
+
+        return $authParams;
+    }
+
+    /**
+     * Parse a new authorise request
+     *
+     * @param  string $type        The session owner's type
+     * @param  string $typeId      The session owner's ID
+     * @param  array  $authParams  The authorise request $_GET parameters
+     * @return string              An authorisation code
+     */
+    public function newAuthoriseRequest($type, $typeId, $authParams = array())
+    {
+        // Generate an auth code
+        $authCode = SecureKey::make();
+
+        // Remove any old sessions the user might have
+        $this->authServer->getStorage('session')->deleteSession($authParams['client_id'], $type, $typeId);
+
+        // Create a new session
+        $sessionId = $this->authServer->getStorage('session')->createSession($authParams['client_id'], $type, $typeId);
+
+        // Associate a redirect URI
+        $this->authServer->getStorage('session')->associateRedirectUri($sessionId, $authParams['redirect_uri']);
+
+        // Associate the auth code
+        $authCodeId = $this->authServer->getStorage('session')->associateAuthCode($sessionId, $authCode, time() + $this->authTokenTTL);
+
+        // Associate the scopes to the auth code
+        foreach ($authParams['scopes'] as $scope) {
+            $this->authServer->getStorage('session')->associateAuthCodeScope($authCodeId, $scope['id']);
+        }
+
+        return $authCode;
+    }
+
+    /**
+     * Complete the auth code grant
+     * @param  null|array $inputParams
+     * @return array
+     */
+    public function completeFlow($inputParams = null)
+    {
+        // Get the required params
+        $authParams = $this->authServer->getParam(array('client_id', 'client_secret', 'redirect_uri', 'code'), 'post', $inputParams);
+
+        if (is_null($authParams['client_id'])) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'client_id'), 0);
+        }
+
+        if (is_null($authParams['client_secret'])) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'client_secret'), 0);
+        }
+
+        if (is_null($authParams['redirect_uri'])) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'redirect_uri'), 0);
+        }
+
+        // Validate client ID and redirect URI
+        $clientDetails = $this->authServer->getStorage('client')->getClient($authParams['client_id'], $authParams['client_secret'], $authParams['redirect_uri'], $this->identifier);
+
+        if ($clientDetails === false) {
+            throw new Exception\ClientException($this->authServer->getExceptionMessage('invalid_client'), 8);
+        }
+
+        $authParams['client_details'] = $clientDetails;
+
+        // Validate the authorization code
+        if (is_null($authParams['code'])) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'code'), 0);
+        }
+
+        // Verify the authorization code matches the client_id and the request_uri
+        $authCodeDetails = $this->authServer->getStorage('session')->validateAuthCode($authParams['client_id'], $authParams['redirect_uri'], $authParams['code']);
+
+        if ( ! $authCodeDetails) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_grant'), 'code'), 9);
+        }
+
+        // Get any associated scopes
+        $scopes = $this->authServer->getStorage('session')->getAuthCodeScopes($authCodeDetails['authcode_id']);
+
+        // A session ID was returned so update it with an access token and remove the authorisation code
+        $accessToken = SecureKey::make();
+        $accessTokenExpiresIn = ($this->accessTokenTTL !== null) ? $this->accessTokenTTL : $this->authServer->getAccessTokenTTL();
+        $accessTokenExpires = time() + $accessTokenExpiresIn;
+
+        // Remove the auth code
+        $this->authServer->getStorage('session')->removeAuthCode($authCodeDetails['session_id']);
+
+        // Create an access token
+        $accessTokenId = $this->authServer->getStorage('session')->associateAccessToken($authCodeDetails['session_id'], $accessToken, $accessTokenExpires);
+
+        // Associate scopes with the access token
+        if (count($scopes) > 0) {
+            foreach ($scopes as $scope) {
+                $this->authServer->getStorage('session')->associateScope($accessTokenId, $scope['scope_id']);
+            }
+        }
+
+        $response = array(
+            'access_token'  =>  $accessToken,
+            'token_type'    =>  'Bearer',
+            'expires'       =>  $accessTokenExpires,
+            'expires_in'    =>  $accessTokenExpiresIn
+        );
+
+        // Associate a refresh token if set
+        if ($this->authServer->hasGrantType('refresh_token')) {
+            $refreshToken = SecureKey::make();
+            $refreshTokenTTL = time() + $this->authServer->getGrantType('refresh_token')->getRefreshTokenTTL();
+            $this->authServer->getStorage('session')->associateRefreshToken($accessTokenId, $refreshToken, $refreshTokenTTL, $authParams['client_id']);
+            $response['refresh_token'] = $refreshToken;
+        }
+
+        return $response;
+    }
+
+}

src/League/OAuth2/Server/Grant/ClientCredentials.php

@@ -0,0 +1,166 @@
+<?php
+/**
+ * OAuth 2.0 Client credentials grant
+ *
+ * @package     php-loep/oauth2-server
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
+ * @license     http://mit-license.org/
+ * @link        http://github.com/php-loep/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Grant;
+
+use League\OAuth2\Server\Request;
+use League\OAuth2\Server\Authorization;
+use League\OAuth2\Server\Exception;
+use League\OAuth2\Server\Util\SecureKey;
+use League\OAuth2\Server\Storage\SessionInterface;
+use League\OAuth2\Server\Storage\ClientInterface;
+use League\OAuth2\Server\Storage\ScopeInterface;
+
+/**
+ * Client credentials grant class
+ */
+class ClientCredentials implements GrantTypeInterface {
+
+    use GrantTrait;
+
+    /**
+     * Grant identifier
+     * @var string
+     */
+    protected $identifier = 'client_credentials';
+
+    /**
+     * Response type
+     * @var string
+     */
+    protected $responseType = null;
+
+    /**
+     * AuthServer instance
+     * @var AuthServer
+     */
+    protected $authServer = null;
+
+    /**
+     * Access token expires in override
+     * @var int
+     */
+    protected $accessTokenTTL = null;
+
+    /**
+     * Return the identifier
+     * @return string
+     */
+    public function getIdentifier()
+    {
+        return $this->identifier;
+    }
+
+    /**
+     * Return the response type
+     * @return string
+     */
+    public function getResponseType()
+    {
+        return $this->responseType;
+    }
+
+    /**
+     * Override the default access token expire time
+     * @param int $accessTokenTTL
+     * @return void
+     */
+    public function setAccessTokenTTL($accessTokenTTL)
+    {
+        $this->accessTokenTTL = $accessTokenTTL;
+    }
+
+    /**
+     * Complete the client credentials grant
+     * @param  null|array $inputParams
+     * @return array
+     */
+    public function completeFlow($inputParams = null)
+    {
+         // Get the required params
+        $authParams = $this->authServer->getParam(array('client_id', 'client_secret'), 'post', $inputParams);
+
+        if (is_null($authParams['client_id'])) {
+            throw new Exception\ClientException(sprintf(Authorization::getExceptionMessage('invalid_request'), 'client_id'), 0);
+        }
+
+        if (is_null($authParams['client_secret'])) {
+            throw new Exception\ClientException(sprintf(Authorization::getExceptionMessage('invalid_request'), 'client_secret'), 0);
+        }
+
+        // Validate client ID and client secret
+        $clientDetails = $this->authServer->getStorage('client')->getClient($authParams['client_id'], $authParams['client_secret'], null, $this->identifier);
+
+        if ($clientDetails === false) {
+            throw new Exception\ClientException(Authorization::getExceptionMessage('invalid_client'), 8);
+        }
+
+        $authParams['client_details'] = $clientDetails;
+
+        // Validate any scopes that are in the request
+        $scope = $this->authServer->getParam('scope', 'post', $inputParams, '');
+        $scopes = explode($this->authServer->getScopeDelimeter(), $scope);
+
+        for ($i = 0; $i < count($scopes); $i++) {
+            $scopes[$i] = trim($scopes[$i]);
+            if ($scopes[$i] === '') unset($scopes[$i]); // Remove any junk scopes
+        }
+
+        if ($this->authServer->scopeParamRequired() === true && $this->authServer->getDefaultScope() === null && count($scopes) === 0) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'scope'), 0);
+        } elseif (count($scopes) === 0 && $this->authServer->getDefaultScope() !== null) {
+            if (is_array($this->authServer->getDefaultScope())) {
+                $scopes = $this->authServer->getDefaultScope();
+            } else {
+                $scopes = array($this->authServer->getDefaultScope());
+            }
+        }
+
+        $authParams['scopes'] = array();
+
+        foreach ($scopes as $scope) {
+            $scopeDetails = $this->authServer->getStorage('scope')->getScope($scope, $authParams['client_id'], $this->identifier);
+
+            if ($scopeDetails === false) {
+                throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_scope'), $scope), 4);
+            }
+
+            $authParams['scopes'][] = $scopeDetails;
+        }
+
+        // Generate an access token
+        $accessToken = SecureKey::make();
+        $accessTokenExpiresIn = ($this->accessTokenTTL !== null) ? $this->accessTokenTTL : $this->authServer->getAccessTokenTTL();
+        $accessTokenExpires = time() + $accessTokenExpiresIn;
+
+        // Create a new session
+        $sessionId = $this->authServer->getStorage('session')->createSession($authParams['client_id'], 'client', $authParams['client_id']);
+
+        // Add the access token
+        $accessTokenId = $this->authServer->getStorage('session')->associateAccessToken($sessionId, $accessToken, $accessTokenExpires);
+
+        // Associate scopes with the new session
+        foreach ($authParams['scopes'] as $scope)
+        {
+            $this->authServer->getStorage('session')->associateScope($accessTokenId, $scope['id']);
+        }
+
+        $response = array(
+            'access_token'  =>  $accessToken,
+            'token_type'    =>  'Bearer',
+            'expires'       =>  $accessTokenExpires,
+            'expires_in'    =>  $accessTokenExpiresIn
+        );
+
+        return $response;
+    }
+
+}

src/League/OAuth2/Server/Grant/GrantTrait.php

@@ -0,0 +1,85 @@
+<?php
+/**
+ * OAuth 2.0 Client credentials grant
+ *
+ * @package     php-loep/oauth2-server
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
+ * @license     http://mit-license.org/
+ * @link        http://github.com/php-loep/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Grant;
+
+use League\OAuth2\Server\Authorization;
+
+trait GrantTrait {
+
+    /**
+     * Constructor
+     * @param Authorization $authServer Authorization server instance
+     * @return void
+     */
+    public function __construct(Authorization $authServer = null)
+    {
+        // @codeCoverageIgnoreStart
+        if ($authServer instanceof Authorization) {
+            trigger_error(
+                'Server is now automatically injected into grant as of v3.1 of this library',
+                E_USER_DEPRECATED
+            );
+        } // @codeCoverageIgnoreEnd
+    }
+
+    /**
+     * Return the identifier
+     * @return string
+     */
+    public function getIdentifier()
+    {
+        return $this->identifier;
+    }
+
+    /**
+     * Return the identifier
+     * @param string $identifier
+     * @return self
+     */
+    public function setIdentifier($identifier)
+    {
+        $this->identifier = $identifier;
+        return $this;
+    }
+
+    /**
+     * Return the response type
+     * @return string
+     */
+    public function getResponseType()
+    {
+        return $this->responseType;
+    }
+
+    /**
+     * Override the default access token expire time
+     * @param int $accessTokenTTL
+     * @return self
+     */
+    public function setAccessTokenTTL($accessTokenTTL)
+    {
+        $this->accessTokenTTL = $accessTokenTTL;
+        return $this;
+    }
+
+    /**
+     * Inject the authorization server into the grant
+     * @param Authorization $authServer The authorization server instance
+     * @return  self
+     */
+    public function setAuthorizationServer(Authorization $authServer)
+    {
+        $this->authServer = $authServer;
+        return $this;
+    }
+
+}

src/League/OAuth2/Server/Grant/GrantTypeInterface.php

@@ -2,36 +2,30 @@
 /**
  * OAuth 2.0 Grant type interface
  *
- * @package     lncd/oauth2
+ * @package     php-loep/oauth2-server
  * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) 2013 University of Lincoln
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
  * @license     http://mit-license.org/
- * @link        http://github.com/lncd/oauth2
+ * @link        http://github.com/php-loep/oauth2-server
  */
 
-namespace OAuth2\Grant;
+namespace League\OAuth2\Server\Grant;
 
-use OAuth2\Request;
-use OAuth2\AuthServer;
-use OAuth2\Exception;
-use OAuth2\Util\SecureKey;
-use OAuth2\Storage\SessionInterface;
-use OAuth2\Storage\ClientInterface;
-use OAuth2\Storage\ScopeInterface;
+use League\OAuth2\Server\Request;
+use League\OAuth2\Server\Authorization;
+use League\OAuth2\Server\Exception;
+use League\OAuth2\Server\Util\SecureKey;
+use League\OAuth2\Server\Storage\SessionInterface;
+use League\OAuth2\Server\Storage\ClientInterface;
+use League\OAuth2\Server\Storage\ScopeInterface;
 
 interface GrantTypeInterface
 {
-	/**
-	 * Returns the grant identifier (used to validate grant_type in OAuth2\AuthServer\issueAccessToken())
-	 * @return string
-	 */
-    public function getIdentifier();
-
     /**
-     * Returns the response type (used to validate response_type in OAuth2\AuthServer\checkAuthoriseParams())
-     * @return null|string
+     * Constructor
+     * @return void
      */
-    public function getResponseType();
+    public function __construct(Authorization $authServer = null);
 
     /**
      * Complete the grant flow

src/League/OAuth2/Server/Grant/Implicit.php

@@ -0,0 +1,91 @@
+<?php
+/**
+ * OAuth 2.0 implicit grant
+ *
+ * @package     php-loep/oauth2-server
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
+ * @license     http://mit-license.org/
+ * @link        http://github.com/php-loep/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Grant;
+
+use League\OAuth2\Server\Request;
+use League\OAuth2\Server\Authorization;
+use League\OAuth2\Server\Exception;
+use League\OAuth2\Server\Util\SecureKey;
+use League\OAuth2\Server\Storage\SessionInterface;
+use League\OAuth2\Server\Storage\ClientInterface;
+use League\OAuth2\Server\Storage\ScopeInterface;
+
+/**
+ * Client credentials grant class
+ */
+class Implicit implements GrantTypeInterface {
+
+    use GrantTrait;
+
+    /**
+     * Grant identifier
+     * @var string
+     */
+    protected $identifier = 'implicit';
+
+    /**
+     * Response type
+     * @var string
+     */
+    protected $responseType = 'token';
+
+    /**
+     * AuthServer instance
+     * @var AuthServer
+     */
+    protected $authServer = null;
+
+    /**
+     * Access token expires in override
+     * @var int
+     */
+    protected $accessTokenTTL = null;
+
+    /**
+     * Complete the client credentials grant
+     * @param  null|array $inputParams
+     * @return array
+     */
+    public function completeFlow($authParams = null)
+    {
+        // Remove any old sessions the user might have
+        $this->authServer->getStorage('session')->deleteSession($authParams['client_id'], 'user', $authParams['user_id']);
+
+        // Generate a new access token
+        $accessToken = SecureKey::make();
+
+        // Compute expiry time
+        $accessTokenExpiresIn = ($this->accessTokenTTL !== null) ? $this->accessTokenTTL : $this->authServer->getAccessTokenTTL();
+        $accessTokenExpires = time() + $accessTokenExpiresIn;
+
+        // Create a new session
+        $sessionId = $this->authServer->getStorage('session')->createSession($authParams['client_id'], 'user', $authParams['user_id']);
+
+        // Create an access token
+        $accessTokenId = $this->authServer->getStorage('session')->associateAccessToken($sessionId, $accessToken, $accessTokenExpires);
+
+        // Associate scopes with the access token
+        foreach ($authParams['scopes'] as $scope) {
+            $this->authServer->getStorage('session')->associateScope($accessTokenId, $scope['id']);
+        }
+
+        $response = array(
+            'access_token'  =>  $accessToken,
+            'token_type'    =>  'Bearer',
+            'expires'       =>  $accessTokenExpires,
+            'expires_in'    =>  $accessTokenExpiresIn,
+        );
+
+        return $response;
+    }
+
+}

src/League/OAuth2/Server/Grant/Password.php

@@ -0,0 +1,189 @@
+<?php
+/**
+ * OAuth 2.0 Password grant
+ *
+ * @package     php-loep/oauth2-server
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
+ * @license     http://mit-license.org/
+ * @link        http://github.com/php-loep/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Grant;
+
+use League\OAuth2\Server\Request;
+use League\OAuth2\Server\Authorization;
+use League\OAuth2\Server\Exception;
+use League\OAuth2\Server\Util\SecureKey;
+use League\OAuth2\Server\Storage\SessionInterface;
+use League\OAuth2\Server\Storage\ClientInterface;
+use League\OAuth2\Server\Storage\ScopeInterface;
+
+/**
+ * Password grant class
+ */
+class Password implements GrantTypeInterface {
+
+    use GrantTrait;
+
+    /**
+     * Grant identifier
+     * @var string
+     */
+    protected $identifier = 'password';
+
+    /**
+     * Response type
+     * @var string
+     */
+    protected $responseType = null;
+
+    /**
+     * Callback to authenticate a user's name and password
+     * @var function
+     */
+    protected $callback = null;
+
+    /**
+     * AuthServer instance
+     * @var AuthServer
+     */
+    protected $authServer = null;
+
+    /**
+     * Access token expires in override
+     * @var int
+     */
+    protected $accessTokenTTL = null;
+
+    /**
+     * Set the callback to verify a user's username and password
+     * @param callable $callback The callback function
+     * @return void
+     */
+    public function setVerifyCredentialsCallback($callback)
+    {
+        $this->callback = $callback;
+    }
+
+    /**
+     * Return the callback function
+     * @return callable
+     */
+    protected function getVerifyCredentialsCallback()
+    {
+        if (is_null($this->callback) || ! is_callable($this->callback)) {
+            throw new Exception\InvalidGrantTypeException('Null or non-callable callback set');
+        }
+
+        return $this->callback;
+    }
+
+    /**
+     * Complete the password grant
+     * @param  null|array $inputParams
+     * @return array
+     */
+    public function completeFlow($inputParams = null)
+    {
+        // Get the required params
+        $authParams = $this->authServer->getParam(array('client_id', 'client_secret', 'username', 'password'), 'post', $inputParams);
+
+        if (is_null($authParams['client_id'])) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'client_id'), 0);
+        }
+
+        if (is_null($authParams['client_secret'])) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'client_secret'), 0);
+        }
+
+        // Validate client credentials
+        $clientDetails = $this->authServer->getStorage('client')->getClient($authParams['client_id'], $authParams['client_secret'], null, $this->identifier);
+
+        if ($clientDetails === false) {
+            throw new Exception\ClientException($this->authServer->getExceptionMessage('invalid_client'), 8);
+        }
+
+        $authParams['client_details'] = $clientDetails;
+
+        if (is_null($authParams['username'])) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'username'), 0);
+        }
+
+        if (is_null($authParams['password'])) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'password'), 0);
+        }
+
+        // Check if user's username and password are correct
+        $userId = call_user_func($this->getVerifyCredentialsCallback(), $authParams['username'], $authParams['password']);
+
+        if ($userId === false) {
+            throw new Exception\ClientException($this->authServer->getExceptionMessage('invalid_credentials'), 0);
+        }
+
+        // Validate any scopes that are in the request
+        $scope = $this->authServer->getParam('scope', 'post', $inputParams, '');
+        $scopes = explode($this->authServer->getScopeDelimeter(), $scope);
+
+        for ($i = 0; $i < count($scopes); $i++) {
+            $scopes[$i] = trim($scopes[$i]);
+            if ($scopes[$i] === '') unset($scopes[$i]); // Remove any junk scopes
+        }
+
+        if ($this->authServer->scopeParamRequired() === true && $this->authServer->getDefaultScope() === null && count($scopes) === 0) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'scope'), 0);
+        } elseif (count($scopes) === 0 && $this->authServer->getDefaultScope() !== null) {
+            if (is_array($this->authServer->getDefaultScope())) {
+                $scopes = $this->authServer->getDefaultScope();
+            } else {
+                $scopes = array($this->authServer->getDefaultScope());
+            }
+        }
+
+        $authParams['scopes'] = array();
+
+        foreach ($scopes as $scope) {
+            $scopeDetails = $this->authServer->getStorage('scope')->getScope($scope, $authParams['client_id'], $this->identifier);
+
+            if ($scopeDetails === false) {
+                throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_scope'), $scope), 4);
+            }
+
+            $authParams['scopes'][] = $scopeDetails;
+        }
+
+        // Generate an access token
+        $accessToken = SecureKey::make();
+        $accessTokenExpiresIn = ($this->accessTokenTTL !== null) ? $this->accessTokenTTL : $this->authServer->getAccessTokenTTL();
+        $accessTokenExpires = time() + $accessTokenExpiresIn;
+
+        // Create a new session
+        $sessionId = $this->authServer->getStorage('session')->createSession($authParams['client_id'], 'user', $userId);
+
+        // Associate an access token with the session
+        $accessTokenId = $this->authServer->getStorage('session')->associateAccessToken($sessionId, $accessToken, $accessTokenExpires);
+
+        // Associate scopes with the access token
+        foreach ($authParams['scopes'] as $scope) {
+            $this->authServer->getStorage('session')->associateScope($accessTokenId, $scope['id']);
+        }
+
+        $response = array(
+            'access_token'  =>  $accessToken,
+            'token_type'    =>  'Bearer',
+            'expires'       =>  $accessTokenExpires,
+            'expires_in'    =>  $accessTokenExpiresIn
+        );
+
+        // Associate a refresh token if set
+        if ($this->authServer->hasGrantType('refresh_token')) {
+            $refreshToken = SecureKey::make();
+            $refreshTokenTTL = time() + $this->authServer->getGrantType('refresh_token')->getRefreshTokenTTL();
+            $this->authServer->getStorage('session')->associateRefreshToken($accessTokenId, $refreshToken, $refreshTokenTTL, $authParams['client_id']);
+            $response['refresh_token'] = $refreshToken;
+        }
+
+        return $response;
+    }
+
+}

src/League/OAuth2/Server/Grant/RefreshToken.php

@@ -0,0 +1,207 @@
+<?php
+/**
+ * OAuth 2.0 Refresh token grant
+ *
+ * @package     php-loep/oauth2-server
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
+ * @license     http://mit-license.org/
+ * @link        http://github.com/php-loep/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Grant;
+
+use League\OAuth2\Server\Request;
+use League\OAuth2\Server\Authorization;
+use League\OAuth2\Server\Exception;
+use League\OAuth2\Server\Util\SecureKey;
+use League\OAuth2\Server\Storage\SessionInterface;
+use League\OAuth2\Server\Storage\ClientInterface;
+use League\OAuth2\Server\Storage\ScopeInterface;
+
+/**
+ * Referesh token grant
+ */
+class RefreshToken implements GrantTypeInterface {
+
+    use GrantTrait;
+
+    /**
+     * Grant identifier
+     * @var string
+     */
+    protected $identifier = 'refresh_token';
+
+    /**
+     * Response type
+     * @var string
+     */
+    protected $responseType = null;
+
+    /**
+     * AuthServer instance
+     * @var AuthServer
+     */
+    protected $authServer = null;
+
+    /**
+     * Access token expires in override
+     * @var int
+     */
+    protected $accessTokenTTL = null;
+
+    /**
+     * Refresh token TTL
+     * @var integer
+     */
+    protected $refreshTokenTTL = 604800;
+
+    /**
+     * Rotate refresh tokens
+     * @var boolean
+     */
+    protected $rotateRefreshTokens = false;
+
+    /**
+     * Set the TTL of the refresh token
+     * @param int $refreshTokenTTL
+     * @return void
+     */
+    public function setRefreshTokenTTL($refreshTokenTTL)
+    {
+        $this->refreshTokenTTL = $refreshTokenTTL;
+    }
+
+    /**
+     * Get the TTL of the refresh token
+     * @return int
+     */
+    public function getRefreshTokenTTL()
+    {
+        return $this->refreshTokenTTL;
+    }
+
+    /**
+     * When a new access is token, expire the refresh token used and issue a new one.
+     * @param  boolean $rotateRefreshTokens Set to true to enable (default = false)
+     * @return void
+     */
+    public function rotateRefreshTokens($rotateRefreshTokens = false)
+    {
+        $this->rotateRefreshTokens = $rotateRefreshTokens;
+    }
+
+    /**
+     * Complete the refresh token grant
+     * @param  null|array $inputParams
+     * @return array
+     */
+    public function completeFlow($inputParams = null)
+    {
+        // Get the required params
+        $authParams = $this->authServer->getParam(array('client_id', 'client_secret', 'refresh_token', 'scope'), 'post', $inputParams);
+
+        if (is_null($authParams['client_id'])) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'client_id'), 0);
+        }
+
+        if (is_null($authParams['client_secret'])) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'client_secret'), 0);
+        }
+
+        // Validate client ID and client secret
+        $clientDetails = $this->authServer->getStorage('client')->getClient($authParams['client_id'], $authParams['client_secret'], null, $this->identifier);
+
+        if ($clientDetails === false) {
+            throw new Exception\ClientException($this->authServer->getExceptionMessage('invalid_client'), 8);
+        }
+
+        $authParams['client_details'] = $clientDetails;
+
+        if (is_null($authParams['refresh_token'])) {
+            throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'refresh_token'), 0);
+        }
+
+        // Validate refresh token
+        $accessTokenId = $this->authServer->getStorage('session')->validateRefreshToken($authParams['refresh_token'], $authParams['client_id']);
+
+        if ($accessTokenId === false) {
+            throw new Exception\ClientException($this->authServer->getExceptionMessage('invalid_refresh'), 0);
+        }
+
+        // Get the existing access token
+        $accessTokenDetails = $this->authServer->getStorage('session')->getAccessToken($accessTokenId);
+
+        // Get the scopes for the existing access token
+        $scopes = $this->authServer->getStorage('session')->getScopes($accessTokenDetails['access_token']);
+
+        // Generate new tokens and associate them to the session
+        $accessToken = SecureKey::make();
+        $accessTokenExpiresIn = ($this->accessTokenTTL !== null) ? $this->accessTokenTTL : $this->authServer->getAccessTokenTTL();
+        $accessTokenExpires = time() + $accessTokenExpiresIn;
+
+        // Associate the new access token with the session
+        $newAccessTokenId = $this->authServer->getStorage('session')->associateAccessToken($accessTokenDetails['session_id'], $accessToken, $accessTokenExpires);
+
+        if ($this->rotateRefreshTokens === true) {
+
+            // Generate a new refresh token
+            $refreshToken = SecureKey::make();
+            $refreshTokenExpires = time() + $this->getRefreshTokenTTL();
+
+            // Revoke the old refresh token
+            $this->authServer->getStorage('session')->removeRefreshToken($authParams['refresh_token']);
+
+            // Associate the new refresh token with the new access token
+            $this->authServer->getStorage('session')->associateRefreshToken($newAccessTokenId, $refreshToken, $refreshTokenExpires, $authParams['client_id']);
+        }
+
+        // There isn't a request for reduced scopes so assign the original ones (or we're not rotating scopes)
+        if ( ! isset($authParams['scope'])) {
+
+            foreach ($scopes as $scope) {
+                $this->authServer->getStorage('session')->associateScope($newAccessTokenId, $scope['id']);
+            }
+
+        } elseif ( isset($authParams['scope']) && $this->rotateRefreshTokens === true) {
+
+            // The request is asking for reduced scopes and rotate tokens is enabled
+            $reqestedScopes = explode($this->authServer->getScopeDelimeter(), $authParams['scope']);
+
+            for ($i = 0; $i < count($reqestedScopes); $i++) {
+                $reqestedScopes[$i] = trim($reqestedScopes[$i]);
+                if ($reqestedScopes[$i] === '') unset($reqestedScopes[$i]); // Remove any junk scopes
+            }
+
+            // Check that there aren't any new scopes being included
+            $existingScopes = array();
+            foreach ($scopes as $s) {
+                $existingScopes[] = $s['scope'];
+            }
+
+            foreach ($reqestedScopes as $reqScope) {
+                if ( ! in_array($reqScope, $existingScopes)) {
+                    throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'scope'), 0);
+                }
+
+                // Associate with the new access token
+                $scopeDetails = $this->authServer->getStorage('scope')->getScope($reqScope, $authParams['client_id'], $this->identifier);
+                $this->authServer->getStorage('session')->associateScope($newAccessTokenId, $scopeDetails['id']);
+            }
+        }
+
+        $response = array(
+            'access_token'  =>  $accessToken,
+            'token_type'    =>  'Bearer',
+            'expires'       =>  $accessTokenExpires,
+            'expires_in'    =>  $accessTokenExpiresIn
+        );
+
+        if ($this->rotateRefreshTokens === true) {
+            $response['refresh_token'] = $refreshToken;
+        }
+
+        return $response;
+    }
+
+}

src/League/OAuth2/Server/Resource.php

@@ -0,0 +1,395 @@
+<?php
+/**
+ * OAuth 2.0 Resource Server
+ *
+ * @package     php-loep/oauth2-server
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @author      Woody Gilk <woody@shadowhand.me>
+ * @copyright   Copyright (c) 2013-2014 PHP League of Extraordinary Packages
+ * @license     http://mit-license.org/
+ * @link        http://github.com/php-loep/oauth2-server
+ */
+
+namespace League\OAuth2\Server;
+
+use OutOfBoundsException;
+use League\OAuth2\Server\Storage\SessionInterface;
+use League\OAuth2\Server\Util\RequestInterface;
+use League\OAuth2\Server\Util\Request;
+
+/**
+ * OAuth 2.0 Resource Server
+ */
+class Resource
+{
+    /**
+     * The access token
+     * @var string
+     */
+    protected $accessToken = null;
+
+    /**
+     * The session ID
+     * @var string
+     */
+    protected $sessionId = null;
+
+    /**
+     * The type of the owner of the access token
+     * @var string
+     */
+    protected $ownerType = null;
+
+    /**
+     * The ID of the owner of the access token
+     * @var string
+     */
+    protected $ownerId = null;
+
+    /**
+     * The scopes associated with the access token
+     * @var array
+     */
+    protected $sessionScopes = array();
+
+    /**
+     * The client, scope and session storage classes
+     * @var array
+     */
+    protected $storages = array();
+
+    /**
+     * The request object
+     * @var Util\RequestInterface
+     */
+    protected $request = null;
+
+    /**
+     * The query string key which is used by clients to present the access token (default: access_token)
+     * @var string
+     */
+    protected $tokenKey = 'access_token';
+
+    /**
+     * The client ID
+     * @var string
+     */
+    protected $clientId = null;
+
+    /**
+     * Exception error codes
+     * @var array
+     */
+    protected static $exceptionCodes = array(
+        0   =>  'invalid_request',
+        1   =>  'invalid_token',
+        2   =>  'insufficient_scope',
+    );
+
+    /**
+     * Exception error messages
+     * @var array
+     */
+    protected static $exceptionMessages = array(
+        'invalid_request'    =>  'The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Check the "%s" parameter.',
+        'invalid_token'      =>  'The access token provided is expired, revoked, malformed, or invalid for other reasons.',
+        'insufficient_scope' =>  'The request requires higher privileges than provided by the access token. Required scopes are: %s.',
+    );
+
+    /**
+     * Exception error HTTP status codes
+     * @var array
+     *
+     * RFC 6750, section 3.1:
+     * When a request fails, the resource server responds using the
+     * appropriate HTTP status code (typically, 400, 401, 403, or 405) and
+     * includes one of the following error codes in the response:
+     */
+    protected static $exceptionHttpStatusCodes = array(
+        'invalid_request'    =>  400,
+        'invalid_token'      =>  401,
+        'insufficient_scope' =>  403,
+    );
+
+    /**
+     * Get an exception message
+     *
+     * @param  string $error The error message key
+     * @return string        The error message
+     */
+    public static function getExceptionMessage($error = '')
+    {
+        return self::$exceptionMessages[$error];
+    }
+
+    /**
+     * Get an exception code
+     *
+     * @param  integer $code The exception code
+     * @return string        The exception code type
+     */
+    public static function getExceptionType($code = 0)
+    {
+        return self::$exceptionCodes[$code];
+    }
+
+        /**
+     * Get all headers that have to be send with the error response
+     *
+     * @param  string $error The error message key
+     * @return array         Array with header values
+     */
+    public static function getExceptionHttpHeaders($error)
+    {
+        $headers = array();
+        switch (self::$exceptionHttpStatusCodes[$error]) {
+            case 401:
+                $headers[] = 'HTTP/1.1 401 Unauthorized';
+                break;
+            case 403:
+                $headers[] = 'HTTP/1.1 403 Forbidden';
+                break;
+            case 400:
+            default:
+                $headers[] = 'HTTP/1.1 400 Bad Request';
+        }
+
+        // Add "WWW-Authenticate" header
+        //
+        // RFC 6749, section 5.2.:
+        // "If the client attempted to authenticate via the 'Authorization'
+        // request header field, the authorization server MUST
+        // respond with an HTTP 401 (Unauthorized) status code and
+        // include the "WWW-Authenticate" response header field
+        // matching the authentication scheme used by the client.
+        // @codeCoverageIgnoreStart
+        if ($error === 'insufficient_scope') {
+            $authScheme = null;
+            $request = new Request();
+            if ($request->server('PHP_AUTH_USER') !== null) {
+                $authScheme = 'Basic';
+            } else {
+                $authHeader = $request->header('Authorization');
+                if ($authHeader !== null) {
+                    if (strpos($authHeader, 'Bearer') === 0) {
+                        $authScheme = 'Bearer';
+                    } elseif (strpos($authHeader, 'Basic') === 0) {
+                        $authScheme = 'Basic';
+                    }
+                }
+            }
+            if ($authScheme !== null) {
+                $headers[] = 'WWW-Authenticate: '.$authScheme.' realm=""';
+            }
+        }
+        // @codeCoverageIgnoreEnd
+
+        return $headers;
+    }
+
+    /**
+     * Sets up the Resource
+     *
+     * @param SessionInterface  The Session Storage Object
+     */
+    public function __construct(SessionInterface $session)
+    {
+        $this->storages['session'] = $session;
+    }
+
+    /**
+     * Sets the Request Object
+     *
+     * @param  RequestInterface The Request Object
+     */
+    public function setRequest(RequestInterface $request)
+    {
+        $this->request = $request;
+        return $this;
+    }
+
+    /**
+     * Gets the Request object.  It will create one from the globals if one is not set.
+     *
+     * @return Util\RequestInterface
+     */
+    public function getRequest()
+    {
+        if ($this->request === null) {
+            // @codeCoverageIgnoreStart
+            $this->request = Request::buildFromGlobals();
+        }
+        // @codeCoverageIgnoreEnd
+
+        return $this->request;
+    }
+
+    /**
+     * Returns the query string key for the access token.
+     *
+     * @return string
+     */
+    public function getTokenKey()
+    {
+        return $this->tokenKey;
+    }
+
+    /**
+     * Sets the query string key for the access token.
+     *
+     * @param $key The new query string key
+     */
+    public function setTokenKey($key)
+    {
+        $this->tokenKey = $key;
+        return $this;
+    }
+
+    /**
+     * Gets the access token owner ID.
+     *
+     * @return string
+     */
+    public function getOwnerId()
+    {
+        return $this->ownerId;
+    }
+
+    /**
+     * Gets the owner type.
+     *
+     * @return string
+     */
+    public function getOwnerType()
+    {
+        return $this->ownerType;
+    }
+
+    /**
+     * Gets the access token.
+     *
+     * @return string
+     */
+    public function getAccessToken()
+    {
+        return $this->accessToken;
+    }
+
+    /**
+     * Gets the client ID that created the session
+     * @return string
+     */
+    public function getClientId()
+    {
+        return $this->clientId;
+    }
+
+    /**
+     * Checks if the access token is valid or not.
+     *
+     * @param $headersOnly Limit Access Token to Authorization header only
+     * @throws Exception\InvalidAccessTokenException Thrown if the presented access token is not valid
+     * @return bool
+     */
+    public function isValid($headersOnly = false)
+    {
+        $accessToken = $this->determineAccessToken($headersOnly);
+
+        $result = $this->storages['session']->validateAccessToken($accessToken);
+
+        if (! $result) {
+            throw new Exception\InvalidAccessTokenException(self::$exceptionMessages['invalid_token'], 1);
+        }
+
+        $this->accessToken = $accessToken;
+        $this->sessionId = $result['session_id'];
+        $this->clientId = $result['client_id'];
+        $this->ownerType = $result['owner_type'];
+        $this->ownerId = $result['owner_id'];
+
+        $sessionScopes = $this->storages['session']->getScopes($this->accessToken);
+        foreach ($sessionScopes as $scope) {
+            $this->sessionScopes[] = $scope['scope'];
+        }
+
+        return true;
+    }
+
+    /**
+     * Get the session scopes
+     * @return array
+     */
+    public function getScopes()
+    {
+        return $this->sessionScopes;
+    }
+
+    /**
+     * Checks if the presented access token has the given scope(s).
+     *
+     * @param array|string  An array of scopes or a single scope as a string
+     * @param bool          If scopes are required, missing scope will trigger an exception
+     * @throws Exception\InsufficientScopeException Thrown if the any of the given scopes are not in the session
+     * @return bool         Returns bool if all scopes are found, false if any fail
+     */
+    public function hasScope($scopes, $required = false)
+    {
+        if (!is_array($scopes)) {
+            $scopes = array($scopes);
+        }
+
+        $missing = array_diff($scopes, $this->sessionScopes);
+
+        if ($missing) {
+            if ($required) {
+                $missing = implode(', ', $missing);
+                throw new Exception\InsufficientScopeException(sprintf(self::$exceptionMessages['insufficient_scope'], $missing), 3);
+            }
+            return false;
+        }
+        return true;
+    }
+
+    /**
+     * Reads in the access token from the headers.
+     *
+     * @param $headersOnly Limit Access Token to Authorization header only
+     * @throws Exception\MissingAccessTokenException  Thrown if there is no access token presented
+     * @return string
+     */
+    public function determineAccessToken($headersOnly = false)
+    {
+        // Try to get it directly from a header
+        if (! $header = $this->getRequest()->header('Authorization')) {
+
+            // Failing that try getting it from a server variable
+            $header = $this->getRequest()->server('HTTP_AUTHORIZATION');
+        }
+
+        // One of them worked
+        if ($header) {
+            // Check for special case, because cURL sometimes does an
+            // internal second request and doubles the authorization header,
+            // which always resulted in an error.
+            //
+            // 1st request: Authorization: Bearer XXX
+            // 2nd request: Authorization: Bearer XXX, Bearer XXX
+            if (strpos($header, ',') !== false) {
+                $headerPart = explode(',', $header);
+                $accessToken = trim(preg_replace('/^(?:\s+)?Bearer\s/', '', $headerPart[0]));
+            } else {
+                $accessToken = trim(preg_replace('/^(?:\s+)?Bearer\s/', '', $header));
+            }
+            $accessToken = ($accessToken === 'Bearer') ? '' : $accessToken;
+        } elseif ($headersOnly === false) {
+            $method = $this->getRequest()->server('REQUEST_METHOD');
+            $accessToken = $this->getRequest()->{$method}($this->tokenKey);
+        }
+
+        if (empty($accessToken)) {
+            throw new Exception\MissingAccessTokenException(self::$exceptionMessages['invalid_request'], 0);
+        }
+
+        return $accessToken;
+    }
+}

src/League/OAuth2/Server/Storage/ClientInterface.php

@@ -0,0 +1,60 @@
+<?php
+/**
+ * OAuth 2.0 Client storage interface
+ *
+ * @package     php-loep/oauth2-server
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
+ * @license     http://mit-license.org/
+ * @link        http://github.com/php-loep/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Storage;
+
+interface ClientInterface
+{
+    /**
+     * Validate a client
+     *
+     * Example SQL query:
+     *
+     * <code>
+     * # Client ID + redirect URI
+     * SELECT oauth_clients.id, oauth_clients.secret, oauth_client_endpoints.redirect_uri, oauth_clients.name,
+     * oauth_clients.auto_approve
+     *  FROM oauth_clients LEFT JOIN oauth_client_endpoints ON oauth_client_endpoints.client_id = oauth_clients.id
+     *  WHERE oauth_clients.id = :clientId AND oauth_client_endpoints.redirect_uri = :redirectUri
+     *
+     * # Client ID + client secret
+     * SELECT oauth_clients.id, oauth_clients.secret, oauth_clients.name, oauth_clients.auto_approve FROM oauth_clients 
+     * WHERE oauth_clients.id = :clientId AND oauth_clients.secret = :clientSecret
+     *
+     * # Client ID + client secret + redirect URI
+     * SELECT oauth_clients.id, oauth_clients.secret, oauth_client_endpoints.redirect_uri, oauth_clients.name,
+     * oauth_clients.auto_approve FROM oauth_clients LEFT JOIN oauth_client_endpoints 
+     * ON oauth_client_endpoints.client_id = oauth_clients.id
+     * WHERE oauth_clients.id = :clientId AND oauth_clients.secret = :clientSecret AND
+     * oauth_client_endpoints.redirect_uri = :redirectUri
+     * </code>
+     *
+     * Response:
+     *
+     * <code>
+     * Array
+     * (
+     *     [client_id] => (string) The client ID
+     *     [client secret] => (string) The client secret
+     *     [redirect_uri] => (string) The redirect URI used in this request
+     *     [name] => (string) The name of the client
+     *     [auto_approve] => (bool) Whether the client should auto approve
+     * )
+     * </code>
+     *
+     * @param  string     $clientId     The client's ID
+     * @param  string     $clientSecret The client's secret (default = "null")
+     * @param  string     $redirectUri  The client's redirect URI (default = "null")
+     * @param  string     $grantType    The grant type used in the request (default = "null")
+     * @return bool|array               Returns false if the validation fails, array on success
+     */
+    public function getClient($clientId, $clientSecret = null, $redirectUri = null, $grantType = null);
+}

src/League/OAuth2/Server/Storage/ScopeInterface.php

@@ -2,14 +2,14 @@
 /**
  * OAuth 2.0 Scope storage interface
  *
- * @package     lncd/oauth2
+ * @package     php-loep/oauth2-server
  * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) 2013 University of Lincoln
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
  * @license     http://mit-license.org/
- * @link        http://github.com/lncd/oauth2
+ * @link        http://github.com/php-loep/oauth2-server
  */
 
-namespace OAuth2\Storage;
+namespace League\OAuth2\Server\Storage;
 
 interface ScopeInterface
 {
@@ -19,7 +19,7 @@ interface ScopeInterface
      * Example SQL query:
      *
      * <code>
-     * SELECT * FROM oauth_scopes WHERE scope = $scope
+     * SELECT * FROM oauth_scopes WHERE scope = :scope
      * </code>
      *
      * Response:
@@ -34,8 +34,10 @@ interface ScopeInterface
      * )
      * </code>
      *
-     * @param  string     $scope The scope
+     * @param  string     $scope     The scope
+     * @param  string     $clientId  The client ID (default = "null")
+     * @param  string     $grantType The grant type used in the request (default = "null")
      * @return bool|array If the scope doesn't exist return false
      */
-    public function getScope($scope);
+    public function getScope($scope, $clientId = null, $grantType = null);
 }

src/League/OAuth2/Server/Storage/SessionInterface.php

@@ -0,0 +1,332 @@
+<?php
+/**
+ * OAuth 2.0 Session storage interface
+ *
+ * @package     php-loep/oauth2-server
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
+ * @license     http://mit-license.org/
+ * @link        http://github.com/php-loep/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Storage;
+
+interface SessionInterface
+{
+    /**
+     * Create a new session
+     *
+     * Example SQL query:
+     *
+     * <code>
+     * INSERT INTO oauth_sessions (client_id, owner_type,  owner_id)
+     *  VALUE (:clientId, :ownerType, :ownerId)
+     * </code>
+     *
+     * @param  string $clientId  The client ID
+     * @param  string $ownerType The type of the session owner (e.g. "user")
+     * @param  string $ownerId   The ID of the session owner (e.g. "123")
+     * @return int               The session ID
+     */
+    public function createSession($clientId, $ownerType, $ownerId);
+
+    /**
+     * Delete a session
+     *
+     * Example SQL query:
+     *
+     * <code>
+     * DELETE FROM oauth_sessions WHERE client_id = :clientId AND owner_type = :type AND owner_id = :typeId
+     * </code>
+     *
+     * @param  string $clientId  The client ID
+     * @param  string $ownerType The type of the session owner (e.g. "user")
+     * @param  string $ownerId   The ID of the session owner (e.g. "123")
+     * @return void
+     */
+    public function deleteSession($clientId, $ownerType, $ownerId);
+
+    /**
+     * Associate a redirect URI with a session
+     *
+     * Example SQL query:
+     *
+     * <code>
+     * INSERT INTO oauth_session_redirects (session_id, redirect_uri) VALUE (:sessionId, :redirectUri)
+     * </code>
+     *
+     * @param  int    $sessionId   The session ID
+     * @param  string $redirectUri The redirect URI
+     * @return void
+     */
+    public function associateRedirectUri($sessionId, $redirectUri);
+
+    /**
+     * Associate an access token with a session
+     *
+     * Example SQL query:
+     *
+     * <code>
+     * INSERT INTO oauth_session_access_tokens (session_id, access_token, access_token_expires)
+     *  VALUE (:sessionId, :accessToken, :accessTokenExpire)
+     * </code>
+     *
+     * @param  int    $sessionId   The session ID
+     * @param  string $accessToken The access token
+     * @param  int    $expireTime  Unix timestamp of the access token expiry time
+     * @return int                 The access token ID
+     */
+    public function associateAccessToken($sessionId, $accessToken, $expireTime);
+
+    /**
+     * Associate a refresh token with a session
+     *
+     * Example SQL query:
+     *
+     * <code>
+     * INSERT INTO oauth_session_refresh_tokens (session_access_token_id, refresh_token, refresh_token_expires,
+     *  client_id) VALUE (:accessTokenId, :refreshToken, :expireTime, :clientId)
+     * </code>
+     *
+     * @param  int    $accessTokenId The access token ID
+     * @param  string $refreshToken  The refresh token
+     * @param  int    $expireTime    Unix timestamp of the refresh token expiry time
+     * @param  string $clientId      The client ID
+     * @return void
+     */
+    public function associateRefreshToken($accessTokenId, $refreshToken, $expireTime, $clientId);
+
+    /**
+     * Assocate an authorization code with a session
+     *
+     * Example SQL query:
+     *
+     * <code>
+     * INSERT INTO oauth_session_authcodes (session_id, auth_code, auth_code_expires)
+     *  VALUE (:sessionId, :authCode, :authCodeExpires)
+     * </code>
+     *
+     * @param  int    $sessionId  The session ID
+     * @param  string $authCode   The authorization code
+     * @param  int    $expireTime Unix timestamp of the access token expiry time
+     * @return int                The auth code ID
+     */
+    public function associateAuthCode($sessionId, $authCode, $expireTime);
+
+    /**
+     * Remove an associated authorization token from a session
+     *
+     * Example SQL query:
+     *
+     * <code>
+     * DELETE FROM oauth_session_authcodes WHERE session_id = :sessionId
+     * </code>
+     *
+     * @param  int    $sessionId   The session ID
+     * @return void
+     */
+    public function removeAuthCode($sessionId);
+
+    /**
+     * Validate an authorization code
+     *
+     * Example SQL query:
+     *
+     * <code>
+     * SELECT oauth_sessions.id AS session_id, oauth_session_authcodes.id AS authcode_id FROM oauth_sessions
+     *  JOIN oauth_session_authcodes ON oauth_session_authcodes.`session_id` = oauth_sessions.id
+     *  JOIN oauth_session_redirects ON oauth_session_redirects.`session_id` = oauth_sessions.id WHERE
+     * oauth_sessions.client_id = :clientId AND oauth_session_authcodes.`auth_code` = :authCode
+     *  AND `oauth_session_authcodes`.`auth_code_expires` >= :time AND
+     *  `oauth_session_redirects`.`redirect_uri` = :redirectUri
+     * </code>
+     *
+     * Expected response:
+     *
+     * <code>
+     * array(
+     *     'session_id' =>  (int)
+     *     'authcode_id'  =>  (int)
+     * )
+     * </code>
+     *
+     * @param  string     $clientId    The client ID
+     * @param  string     $redirectUri The redirect URI
+     * @param  string     $authCode    The authorization code
+     * @return array|bool              False if invalid or array as above
+     */
+    public function validateAuthCode($clientId, $redirectUri, $authCode);
+
+    /**
+     * Validate an access token
+     *
+     * Example SQL query:
+     *
+     * <code>
+     * SELECT session_id, oauth_sessions.`client_id`, oauth_sessions.`owner_id`, oauth_sessions.`owner_type`
+     *  FROM `oauth_session_access_tokens` JOIN oauth_sessions ON oauth_sessions.`id` = session_id WHERE
+     *  access_token = :accessToken AND access_token_expires >= UNIX_TIMESTAMP(NOW())
+     * </code>
+     *
+     * Expected response:
+     *
+     * <code>
+     * array(
+     *     'session_id' =>  (int),
+     *     'client_id'  =>  (string),
+     *     'owner_id'   =>  (string),
+     *     'owner_type' =>  (string)
+     * )
+     * </code>
+     *
+     * @param  string     $accessToken The access token
+     * @return array|bool              False if invalid or an array as above
+     */
+    public function validateAccessToken($accessToken);
+
+    /**
+     * Removes a refresh token
+     *
+     * Example SQL query:
+     *
+     * <code>
+     * DELETE FROM `oauth_session_refresh_tokens` WHERE refresh_token = :refreshToken
+     * </code>
+     *
+     * @param  string $refreshToken The refresh token to be removed
+     * @return void
+     */
+    public function removeRefreshToken($refreshToken);
+
+    /**
+     * Validate a refresh token
+     *
+     * Example SQL query:
+     *
+     * <code>
+     * SELECT session_access_token_id FROM `oauth_session_refresh_tokens` WHERE refresh_token = :refreshToken
+     *  AND refresh_token_expires >= UNIX_TIMESTAMP(NOW()) AND client_id = :clientId
+     * </code>
+     *
+     * @param  string   $refreshToken The refresh token
+     * @param  string   $clientId     The client ID
+     * @return int|bool               The ID of the access token the refresh token is linked to (or false if invalid)
+     */
+    public function validateRefreshToken($refreshToken, $clientId);
+
+    /**
+     * Get an access token by ID
+     *
+     * Example SQL query:
+     *
+     * <code>
+     * SELECT * FROM `oauth_session_access_tokens` WHERE `id` = :accessTokenId
+     * </code>
+     *
+     * Expected response:
+     *
+     * <code>
+     * array(
+     *     'id' =>  (int),
+     *     'session_id' =>  (int),
+     *     'access_token'   =>  (string),
+     *     'access_token_expires'   =>  (int)
+     * )
+     * </code>
+     *
+     * @param  int    $accessTokenId The access token ID
+     * @return array
+     */
+    public function getAccessToken($accessTokenId);
+
+    /**
+     * Associate scopes with an auth code (bound to the session)
+     *
+     * Example SQL query:
+     *
+     * <code>
+     * INSERT INTO `oauth_session_authcode_scopes` (`oauth_session_authcode_id`, `scope_id`) VALUES
+     *  (:authCodeId, :scopeId)
+     * </code>
+     *
+     * @param  int $authCodeId The auth code ID
+     * @param  int $scopeId    The scope ID
+     * @return void
+     */
+    public function associateAuthCodeScope($authCodeId, $scopeId);
+
+    /**
+     * Get the scopes associated with an auth code
+     *
+     * Example SQL query:
+     *
+     * <code>
+     * SELECT scope_id FROM `oauth_session_authcode_scopes` WHERE oauth_session_authcode_id = :authCodeId
+     * </code>
+     *
+     * Expected response:
+     *
+     * <code>
+     * array(
+     *     array(
+     *         'scope_id' => (int)
+     *     ),
+     *     array(
+     *         'scope_id' => (int)
+     *     ),
+     *     ...
+     * )
+     * </code>
+     *
+     * @param  int   $oauthSessionAuthCodeId The session ID
+     * @return array
+     */
+    public function getAuthCodeScopes($oauthSessionAuthCodeId);
+
+    /**
+     * Associate a scope with an access token
+     *
+     * Example SQL query:
+     *
+     * <code>
+     * INSERT INTO `oauth_session_token_scopes` (`session_access_token_id`, `scope_id`) VALUE (:accessTokenId, :scopeId)
+     * </code>
+     *
+     * @param  int    $accessTokenId The ID of the access token
+     * @param  int    $scopeId       The ID of the scope
+     * @return void
+     */
+    public function associateScope($accessTokenId, $scopeId);
+
+    /**
+     * Get all associated access tokens for an access token
+     *
+     * Example SQL query:
+     *
+     * <code>
+     * SELECT oauth_scopes.* FROM oauth_session_token_scopes JOIN oauth_session_access_tokens
+     *  ON oauth_session_access_tokens.`id` = `oauth_session_token_scopes`.`session_access_token_id`
+     *  JOIN oauth_scopes ON oauth_scopes.id = `oauth_session_token_scopes`.`scope_id`
+     *  WHERE access_token = :accessToken
+     * </code>
+     *
+     * Expected response:
+     *
+     * <code>
+     * array (
+     *     array(
+     *         'id'     =>  (int),
+     *         'scope'  =>  (string),
+     *         'name'   =>  (string),
+     *         'description'    =>  (string)
+     *     ),
+     *     ...
+     *     ...
+     * )
+     * </code>
+     *
+     * @param  string $accessToken The access token
+     * @return array
+     */
+    public function getScopes($accessToken);
+}

src/League/OAuth2/Server/Util/KeyAlgorithm/DefaultAlgorithm.php

@@ -1,27 +1,25 @@
 <?php
 /**
- * OAuth 2.0 Secure key generator
+ * OAuth 2.0 Secure key default algorithm
  *
- * @package     lncd/oauth2
+ * @package     php-loep/oauth2-server
  * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) 2013 University of Lincoln
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
  * @license     http://mit-license.org/
- * @link        http://github.com/lncd/oauth2
+ * @link        http://github.com/php-loep/oauth2-server
  */
 
-namespace OAuth2\Util;
+namespace League\OAuth2\Server\Util\KeyAlgorithm;
 
-/**
- * SecureKey class
- */
-class SecureKey
+
+class DefaultAlgorithm implements KeyAlgorithmInterface
 {
     /**
-     * Generate a new unique code
-     * @param  integer $len Length of the generated code
+     * @param int $len
      * @return string
+     * @throws \Exception
      */
-    public static function make($len = 40)
+    public function make($len = 40)
     {
         // We generate twice as many bytes here because we want to ensure we have
         // enough after we base64 encode it to get the length we need because we

src/League/OAuth2/Server/Util/KeyAlgorithm/KeyAlgorithmInterface.php

@@ -0,0 +1,18 @@
+<?php
+/**
+ * OAuth 2.0 Key algorithm interface
+ *
+ * @package     php-loep/oauth2-server
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
+ * @license     http://mit-license.org/
+ * @link        http://github.com/php-loep/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Util\KeyAlgorithm;
+
+
+interface KeyAlgorithmInterface
+{
+    public function make($len = 40);
+}

src/League/OAuth2/Server/Util/RedirectUri.php

@@ -2,14 +2,14 @@
 /**
  * OAuth 2.0 Redirect URI generator
  *
- * @package     lncd/oauth2
+ * @package     php-loep/oauth2-server
  * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) 2013 University of Lincoln
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
  * @license     http://mit-license.org/
- * @link        http://github.com/lncd/oauth2
+ * @link        http://github.com/php-loep/oauth2-server
  */
 
-namespace OAuth2\Util;
+namespace League\OAuth2\Server\Util;
 
 /**
  * RedirectUri class

src/League/OAuth2/Server/Util/Request.php

@@ -1,6 +1,15 @@
 <?php
+/**
+ * OAuth 2.0 Request class
+ *
+ * @package     php-loep/oauth2-server
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
+ * @license     http://mit-license.org/
+ * @link        http://github.com/php-loep/oauth2-server
+ */
 
-namespace OAuth2\Util;
+namespace League\OAuth2\Server\Util;
 
 use OutOfBoundsException;
 use InvalidMethodCallException;
@@ -30,6 +39,8 @@ class Request implements RequestInterface
 
         if (empty($headers)) {
             $this->headers = $this->readHeaders();
+        } else {
+            $this->headers = $this->normalizeHeaders($headers);
         }
     }
 
@@ -79,7 +90,7 @@ class Request implements RequestInterface
             }
         }
 
-        return $headers;
+        return $this->normalizeHeaders($headers);
    }
 
     protected function getPropertyValue($property, $index = null, $default = null)
@@ -97,4 +108,39 @@ class Request implements RequestInterface
 
         return $this->{$property}[$index];
     }
+
+    /**
+     * Takes all of the headers and normalizes them in a canonical form.
+     *
+     * @param  array  $headers The request headers.
+     * @return array           An arry of headers with the header name normalized
+     */
+    protected function normalizeHeaders(array $headers)
+    {
+        $normalized = array();
+        foreach ($headers as $key => $value) {
+            $normalized[ucfirst($this->normalizeKey($key))] = $value;
+        }
+
+        return $normalized;
+    }
+
+    /**
+     * Transform header name into canonical form
+     *
+     * Taken from the Slim codebase...
+     *
+     * @param  string $key
+     * @return string
+     */
+    protected function normalizeKey($key)
+    {
+        $key = strtolower($key);
+        $key = str_replace(array('-', '_'), ' ', $key);
+        $key = preg_replace('#^http #', '', $key);
+        $key = ucwords($key);
+        $key = str_replace(' ', '-', $key);
+
+        return $key;
+    }
 }

src/League/OAuth2/Server/Util/RequestInterface.php

@@ -0,0 +1,29 @@
+<?php
+/**
+ * OAuth 2.0 Request class interface
+ *
+ * @package     php-loep/oauth2-server
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
+ * @license     http://mit-license.org/
+ * @link        http://github.com/php-loep/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Util;
+
+interface RequestInterface
+{
+
+    public function get($index = null);
+
+    public function post($index = null);
+
+    public function cookie($index = null);
+
+    public function file($index = null);
+
+    public function server($index = null);
+
+    public function header($index = null);
+
+}

src/League/OAuth2/Server/Util/SecureKey.php

@@ -0,0 +1,54 @@
+<?php
+/**
+ * OAuth 2.0 Secure key generator
+ *
+ * @package     php-loep/oauth2-server
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
+ * @license     http://mit-license.org/
+ * @link        http://github.com/php-loep/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Util;
+
+use League\OAuth2\Server\Util\KeyAlgorithm\DefaultAlgorithm;
+use League\OAuth2\Server\Util\KeyAlgorithm\KeyAlgorithmInterface;
+
+/**
+ * SecureKey class
+ */
+class SecureKey
+{
+    protected static $algorithm;
+
+    /**
+     * Generate a new unique code
+     * @param  integer $len Length of the generated code
+     * @return string
+     */
+    public static function make($len = 40)
+    {
+        return self::getAlgorithm()->make($len);
+    }
+
+    /**
+     * @param KeyAlgorithmInterface $algorithm
+     */
+    public static function setAlgorithm(KeyAlgorithmInterface $algorithm)
+    {
+        self::$algorithm = $algorithm;
+    }
+
+    /**
+     * @return KeyAlgorithmInterface
+     */
+    public static function getAlgorithm()
+    {
+        if (!self::$algorithm) {
+
+            self::$algorithm = new DefaultAlgorithm();
+        }
+
+        return self::$algorithm;
+    }
+}

src/OAuth2/AuthServer.php

@@ -1,388 +0,0 @@
-<?php
-/**
- * OAuth 2.0 Authorization Server
- *
- * @package     lncd/oauth2
- * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) 2013 University of Lincoln
- * @license     http://mit-license.org/
- * @link        http://github.com/lncd/oauth2
- */
-
-namespace OAuth2;
-
-use OAuth2\Util\Request;
-use OAuth2\Util\SecureKey;
-use OAuth2\Storage\SessionInterface;
-use OAuth2\Storage\ClientInterface;
-use OAuth2\Storage\ScopeInterface;
-use OAuth2\Grant\GrantTypeInterface;
-
-/**
- * OAuth 2.0 authorization server class
- */
-class AuthServer
-{
-    /**
-     * The delimeter between scopes specified in the scope query string parameter
-     *
-     * The OAuth 2 specification states it should be a space but that is stupid
-     * and everyone excepted Google use a comma instead.
-     *
-     * @var string
-     */
-    protected $scopeDelimeter = ',';
-
-    /**
-     * The TTL (time to live) of an access token in seconds (default: 3600)
-     * @var integer
-     */
-    static protected $expiresIn = 3600;
-
-    /**
-     * The registered grant response types
-     * @var array
-     */
-    protected $responseTypes = array();
-
-    /**
-     * The client, scope and session storage classes
-     * @var array
-     */
-    static protected $storages = array();
-
-    /**
-     * The registered grant types
-     * @var array
-     */
-    static protected $grantTypes = array();
-
-    /**
-     * The request object
-     * @var Util\RequestInterface
-     */
-    static protected $request = null;
-
-    /**
-     * Exception error codes
-     * @var array
-     */
-    protected static $exceptionCodes = array(
-        0   =>  'invalid_request',
-        1   =>  'unauthorized_client',
-        2   =>  'access_denied',
-        3   =>  'unsupported_response_type',
-        4   =>  'invalid_scope',
-        5   =>  'server_error',
-        6   =>  'temporarily_unavailable',
-        7   =>  'unsupported_grant_type',
-        8   =>  'invalid_client',
-        9   =>  'invalid_grant'
-    );
-
-    /**
-     * Exception error messages
-     * @var array
-     */
-    static protected $exceptionMessages = array(
-        'invalid_request'           =>  'The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Check the "%s" parameter.',
-        'unauthorized_client'       =>  'The client is not authorized to request an access token using this method.',
-        'access_denied'             =>  'The resource owner or authorization server denied the request.',
-        'unsupported_response_type' =>  'The authorization server does not support obtaining an access token using this method.',
-        'invalid_scope'             =>  'The requested scope is invalid, unknown, or malformed. Check the "%s" scope.',
-        'server_error'              =>  'The authorization server encountered an unexpected condition which prevented it from fulfilling the request.',
-        'temporarily_unavailable'   =>  'The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server.',
-        'unsupported_grant_type'    =>  'The authorization grant type "%s" is not supported by the authorization server',
-        'invalid_client'            =>  'Client authentication failed',
-        'invalid_grant'             =>  'The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. Check the "%s" parameter.',
-        'invalid_credentials'       =>  'The user credentials were incorrect.',
-        'invalid_refresh'           =>  'The refresh token is invalid.',
-    );
-
-    /**
-     * Get an exception message
-     *
-     * @param  string $error The error message key
-     * @return string        The error message
-     */
-    public static function getExceptionMessage($error = '')
-    {
-        return self::$exceptionMessages[$error];
-    }
-
-    /**
-     * Get an exception code
-     *
-     * @param  integer $code The exception code
-     * @return string        The exception code type
-     */
-    public static function getExceptionType($code = 0)
-    {
-        return self::$exceptionCodes[$code];
-    }
-
-    /**
-     * Create a new OAuth2 authorization server
-     *
-     * @param ClientInterface  $client  A class which inherits from Storage/ClientInterface
-     * @param SessionInterface $session A class which inherits from Storage/SessionInterface
-     * @param ScopeInterface   $scope   A class which inherits from Storage/ScopeInterface
-     */
-    public function __construct(ClientInterface $client, SessionInterface $session, ScopeInterface $scope)
-    {
-        self::$storages = array(
-            'client'    =>  $client,
-            'session'   =>  $session,
-            'scope' =>  $scope
-        );
-    }
-
-    /**
-     * Enable support for a grant
-     * @param GrantTypeInterface $grantType  A grant class which conforms to Interface/GrantTypeInterface
-     * @param null|string        $identifier An identifier for the grant (autodetected if not passed)
-     */
-    public function addGrantType(GrantTypeInterface $grantType, $identifier = null)
-    {
-        if (is_null($identifier)) {
-            $identifier = $grantType->getIdentifier();
-        }
-        self::$grantTypes[$identifier] = $grantType;
-
-        if ( ! is_null($grantType->getResponseType())) {
-            $this->responseTypes[] = $grantType->getResponseType();
-        }
-    }
-
-    /**
-     * Check if a grant type has been enabled
-     * @param  string  $identifier The grant type identifier
-     * @return boolean             Returns "true" if enabled, "false" if not
-     */
-    public static function hasGrantType($identifier)
-    {
-        return (array_key_exists($identifier, self::$grantTypes));
-    }
-
-    /**
-     * Get the scope delimeter
-     *
-     * @return string The scope delimiter (default: ",")
-     */
-    public function getScopeDelimeter()
-    {
-        return $this->scopeDelimeter;
-    }
-
-    /**
-     * Set the scope delimiter
-     *
-     * @param string $scopeDelimeter
-     */
-    public function setScopeDelimeter($scopeDelimeter)
-    {
-        $this->scopeDelimeter = $scopeDelimeter;
-    }
-
-    /**
-     * Get the TTL for an access token
-     * @return int The TTL
-     */
-    public static function getExpiresIn()
-    {
-        return self::$expiresIn;
-    }
-
-    /**
-     * Set the TTL for an access token
-     * @param int $expiresIn The new TTL
-     */
-    public function setExpiresIn($expiresIn)
-    {
-        self::$expiresIn = $expiresIn;
-    }
-
-    /**
-     * Sets the Request Object
-     *
-     * @param Util\RequestInterface The Request Object
-     */
-    public function setRequest(Util\RequestInterface $request)
-    {
-        self::$request = $request;
-    }
-
-    /**
-     * Gets the Request object.  It will create one from the globals if one is not set.
-     *
-     * @return Util\RequestInterface
-     */
-    public static function getRequest()
-    {
-        if (self::$request === null) {
-            // @codeCoverageIgnoreStart
-            self::$request = Request::buildFromGlobals();
-
-        }
-        // @codeCoverageIgnoreEnd
-
-        return self::$request;
-    }
-
-    /**
-     * Return a storage class
-     * @param  string $obj The class required
-     * @return Storage\ClientInterface|Storage\ScopeInterface|Storage\SessionInterface
-     */
-    public static function getStorage($obj)
-    {
-        return self::$storages[$obj];
-    }
-
-    /**
-     * Check authorise parameters
-     *
-     * @param  array $inputParams Optional array of parsed $_GET keys
-     * @throws \OAuth2\Exception\ClientException
-     * @return array             Authorise request parameters
-     */
-    public function checkAuthoriseParams($inputParams = array())
-    {
-        // Auth params
-        $authParams = self::getParam(array('client_id', 'redirect_uri', 'response_type', 'scope'), 'get', $inputParams);
-
-        if (is_null($authParams['client_id'])) {
-            throw new Exception\ClientException(sprintf(self::$exceptionMessages['invalid_request'], 'client_id'), 0);
-        }
-
-        if (is_null($authParams['redirect_uri'])) {
-            throw new Exception\ClientException(sprintf(self::$exceptionMessages['invalid_request'], 'redirect_uri'), 0);
-        }
-
-        // Validate client ID and redirect URI
-        $clientDetails = self::getStorage('client')->getClient($authParams['client_id'], null, $authParams['redirect_uri']);
-
-        if ($clientDetails === false) {
-            throw new Exception\ClientException(self::$exceptionMessages['invalid_client'], 8);
-        }
-
-        $authParams['client_details'] = $clientDetails;
-
-        if (is_null($authParams['response_type'])) {
-            throw new Exception\ClientException(sprintf(self::$exceptionMessages['invalid_request'], 'response_type'), 0);
-        }
-
-        // Ensure response type is one that is recognised
-        if ( ! in_array($authParams['response_type'], $this->responseTypes)) {
-            throw new Exception\ClientException(self::$exceptionMessages['unsupported_response_type'], 3);
-        }
-
-        // Validate scopes
-        $scopes = explode($this->scopeDelimeter, $authParams['scope']);
-
-        for ($i = 0; $i < count($scopes); $i++) {
-            $scopes[$i] = trim($scopes[$i]);
-            if ($scopes[$i] === '') unset($scopes[$i]); // Remove any junk scopes
-        }
-
-        if (count($scopes) === 0) {
-            throw new Exception\ClientException(sprintf(self::$exceptionMessages['invalid_request'], 'scope'), 0);
-        }
-
-        $authParams['scopes'] = array();
-
-        foreach ($scopes as $scope) {
-            $scopeDetails = self::getStorage('scope')->getScope($scope);
-
-            if ($scopeDetails === false) {
-                throw new Exception\ClientException(sprintf(self::$exceptionMessages['invalid_scope'], $scope), 4);
-            }
-
-            $authParams['scopes'][] = $scopeDetails;
-        }
-
-        return $authParams;
-    }
-
-    /**
-     * Parse a new authorise request
-     *
-     * @param  string $type        The session owner's type
-     * @param  string $typeId      The session owner's ID
-     * @param  array  $authParams  The authorise request $_GET parameters
-     * @return string              An authorisation code
-     */
-    public function newAuthoriseRequest($type, $typeId, $authParams = array())
-    {
-        // Generate an auth code
-        $authCode = SecureKey::make();
-
-        // Remove any old sessions the user might have
-        self::getStorage('session')->deleteSession($authParams['client_id'], $type, $typeId);
-
-        // Create a new session
-        $sessionId = self::getStorage('session')->createSession($authParams['client_id'], $authParams['redirect_uri'], $type, $typeId, $authCode);
-
-        // Associate scopes with the new session
-        foreach ($authParams['scopes'] as $scope)
-        {
-            self::getStorage('session')->associateScope($sessionId, $scope['id']);
-        }
-
-        return $authCode;
-    }
-
-    /**
-     * Issue an access token
-     *
-     * @param  array $inputParams Optional array of parsed $_POST keys
-     * @return array             Authorise request parameters
-     */
-    public function issueAccessToken($inputParams = array())
-    {
-        $grantType = self::getParam('grant_type', 'post', $inputParams);
-
-        if (is_null($grantType)) {
-            throw new Exception\ClientException(sprintf(self::$exceptionMessages['invalid_request'], 'grant_type'), 0);
-        }
-
-        // Ensure grant type is one that is recognised and is enabled
-        if ( ! in_array($grantType, array_keys(self::$grantTypes))) {
-            throw new Exception\ClientException(sprintf(self::$exceptionMessages['unsupported_grant_type'], $grantType), 7);
-        }
-
-        // Complete the flow
-        return $this->getGrantType($grantType)->completeFlow($inputParams);
-    }
-
-    /**
-     * Return a grant type class
-     * @param  string $grantType The grant type identifer
-     * @return class
-     */
-    protected function getGrantType($grantType)
-    {
-        return self::$grantTypes[$grantType];
-    }
-
-    /**
-     * Get a parameter from passed input parameters or the Request class
-     * @param  string|array $param Requried parameter
-     * @param  string $method      Get/put/post/delete
-     * @param  array  $inputParams Passed input parameters
-     * @return mixed               'Null' if parameter is missing
-     */
-    public static function getParam($param = '', $method = 'get', $inputParams = array())
-    {
-        if (is_string($param)) {
-            return (isset($inputParams[$param])) ? $inputParams[$param] : self::getRequest()->{$method}($param);
-        } else {
-            $response = array();
-            foreach ($param as $p) {
-                $response[$p] = self::getParam($p, $method, $inputParams);
-            }
-            return $response;
-        }
-    }
-
-}

src/OAuth2/Grant/AuthCode.php

@@ -1,132 +0,0 @@
-<?php
-/**
- * OAuth 2.0 Auth code grant
- *
- * @package     lncd/oauth2
- * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) 2013 University of Lincoln
- * @license     http://mit-license.org/
- * @link        http://github.com/lncd/oauth2
- */
-
-namespace OAuth2\Grant;
-
-use OAuth2\Request;
-use OAuth2\AuthServer;
-use OAuth2\Exception;
-use OAuth2\Util\SecureKey;
-use OAuth2\Storage\SessionInterface;
-use OAuth2\Storage\ClientInterface;
-use OAuth2\Storage\ScopeInterface;
-
-/**
- * Auth code grant class
- */
-class AuthCode implements GrantTypeInterface {
-
-    /**
-     * Grant identifier
-     * @var string
-     */
-    protected $identifier = 'authorization_code';
-
-    /**
-     * Response type
-     * @var string
-     */
-    protected $responseType = 'code';
-
-    /**
-     * Return the identifier
-     * @return string
-     */
-    public function getIdentifier()
-    {
-        return $this->identifier;
-    }
-
-    /**
-     * Return the response type
-     * @return string
-     */
-    public function getResponseType()
-    {
-        return $this->responseType;
-    }
-
-    /**
-     * Complete the auth code grant
-     * @param  null|array $inputParams
-     * @return array
-     */
-    public function completeFlow($inputParams = null)
-    {
-        // Get the required params
-        $authParams = AuthServer::getParam(array('client_id', 'client_secret', 'redirect_uri', 'code'), 'post', $inputParams);
-
-        if (is_null($authParams['client_id'])) {
-            throw new Exception\ClientException(sprintf(AuthServer::getExceptionMessage('invalid_request'), 'client_id'), 0);
-        }
-
-        if (is_null($authParams['client_secret'])) {
-            throw new Exception\ClientException(sprintf(AuthServer::getExceptionMessage('invalid_request'), 'client_secret'), 0);
-        }
-
-        if (is_null($authParams['redirect_uri'])) {
-            throw new Exception\ClientException(sprintf(AuthServer::getExceptionMessage('invalid_request'), 'redirect_uri'), 0);
-        }
-
-        // Validate client ID and redirect URI
-        $clientDetails = AuthServer::getStorage('client')->getClient($authParams['client_id'], $authParams['client_secret'], $authParams['redirect_uri']);
-
-        if ($clientDetails === false) {
-            throw new Exception\ClientException(AuthServer::getExceptionMessage('invalid_client'), 8);
-        }
-
-        $authParams['client_details'] = $clientDetails;
-
-        // Validate the authorization code
-        if (is_null($authParams['code'])) {
-            throw new Exception\ClientException(sprintf(AuthServer::getExceptionMessage('invalid_request'), 'code'), 0);
-        }
-
-        // Verify the authorization code matches the client_id and the request_uri
-        $session = AuthServer::getStorage('session')->validateAuthCode($authParams['client_id'], $authParams['redirect_uri'], $authParams['code']);
-
-        if ( ! $session) {
-            throw new Exception\ClientException(sprintf(AuthServer::getExceptionMessage('invalid_grant'), 'code'), 9);
-        }
-
-        // A session ID was returned so update it with an access token,
-        //  remove the authorisation code, change the stage to 'granted'
-
-        $accessToken = SecureKey::make();
-        $refreshToken = (AuthServer::hasGrantType('refresh_token')) ? SecureKey::make() : null;
-
-        $accessTokenExpires = time() + AuthServer::getExpiresIn();
-        $accessTokenExpiresIn = AuthServer::getExpiresIn();
-
-        AuthServer::getStorage('session')->updateSession(
-            $session['id'],
-            null,
-            $accessToken,
-            $refreshToken,
-            $accessTokenExpires,
-            'granted'
-        );
-
-        $response = array(
-            'access_token'  =>  $accessToken,
-            'token_type'    =>  'bearer',
-            'expires'       =>  $accessTokenExpires,
-            'expires_in'    =>  $accessTokenExpiresIn
-        );
-
-        if (AuthServer::hasGrantType('refresh_token')) {
-            $response['refresh_token'] = $refreshToken;
-        }
-
-        return $response;
-    }
-
-}

src/OAuth2/Grant/ClientCredentials.php

@@ -1,121 +0,0 @@
-<?php
-/**
- * OAuth 2.0 Auth code grant
- *
- * @package     lncd/oauth2
- * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) 2013 University of Lincoln
- * @license     http://mit-license.org/
- * @link        http://github.com/lncd/oauth2
- */
-
-namespace OAuth2\Grant;
-
-use OAuth2\Request;
-use OAuth2\AuthServer;
-use OAuth2\Exception;
-use OAuth2\Util\SecureKey;
-use OAuth2\Storage\SessionInterface;
-use OAuth2\Storage\ClientInterface;
-use OAuth2\Storage\ScopeInterface;
-
-/**
- * Client credentials grant class
- */
-class ClientCredentials implements GrantTypeInterface {
-
-    /**
-     * Grant identifier
-     * @var string
-     */
-    protected $identifier = 'client_credentials';
-
-    /**
-     * Response type
-     * @var string
-     */
-    protected $responseType = null;
-
-    /**
-     * Return the identifier
-     * @return string
-     */
-    public function getIdentifier()
-    {
-        return $this->identifier;
-    }
-
-    /**
-     * Return the response type
-     * @return string
-     */
-    public function getResponseType()
-    {
-        return $this->responseType;
-    }
-
-    /**
-     * Complete the client credentials grant
-     * @param  null|array $inputParams
-     * @return array
-     */
-    public function completeFlow($inputParams = null)
-    {
-         // Get the required params
-        $authParams = AuthServer::getParam(array('client_id', 'client_secret'), 'post', $inputParams);
-
-        if (is_null($authParams['client_id'])) {
-            throw new Exception\ClientException(sprintf(AuthServer::getExceptionMessage('invalid_request'), 'client_id'), 0);
-        }
-
-        if (is_null($authParams['client_secret'])) {
-            throw new Exception\ClientException(sprintf(AuthServer::getExceptionMessage('invalid_request'), 'client_secret'), 0);
-        }
-
-        // Validate client ID and client secret
-        $clientDetails = AuthServer::getStorage('client')->getClient($authParams['client_id'], $authParams['client_secret']);
-
-        if ($clientDetails === false) {
-            throw new Exception\ClientException(AuthServer::getExceptionMessage('invalid_client'), 8);
-        }
-
-        $authParams['client_details'] = $clientDetails;
-
-        // Generate an access token
-        $accessToken = SecureKey::make();
-        $refreshToken = (AuthServer::hasGrantType('refresh_token')) ? SecureKey::make() : null;
-
-        $accessTokenExpires = time() + AuthServer::getExpiresIn();
-        $accessTokenExpiresIn = AuthServer::getExpiresIn();
-
-        // Delete any existing sessions just to be sure
-        AuthServer::getStorage('session')->deleteSession($authParams['client_id'], 'client', $authParams['client_id']);
-
-        // Create a new session
-        AuthServer::getStorage('session')->createSession(
-            $authParams['client_id'],
-            null,
-            'client',
-            $authParams['client_id'],
-            null,
-            $accessToken,
-            $refreshToken,
-            $accessTokenExpires,
-            'granted'
-        );
-
-        $response = array(
-            'access_token'  =>  $accessToken,
-            'token_type'    =>  'bearer',
-            'expires'       =>  $accessTokenExpires,
-            'expires_in'    =>  $accessTokenExpiresIn
-        );
-
-        if (AuthServer::hasGrantType('refresh_token')) {
-            $response['refresh_token'] = $refreshToken;
-        }
-
-        return $response;
-    }
-
-}

src/OAuth2/Grant/Password.php

@@ -1,164 +0,0 @@
-<?php
-/**
- * OAuth 2.0 Password grant
- *
- * @package     lncd/oauth2
- * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) 2013 University of Lincoln
- * @license     http://mit-license.org/
- * @link        http://github.com/lncd/oauth2
- */
-
-namespace OAuth2\Grant;
-
-use OAuth2\Request;
-use OAuth2\AuthServer;
-use OAuth2\Exception;
-use OAuth2\Util\SecureKey;
-use OAuth2\Storage\SessionInterface;
-use OAuth2\Storage\ClientInterface;
-use OAuth2\Storage\ScopeInterface;
-
-/**
- * Password grant class
- */
-class Password implements GrantTypeInterface {
-
-    /**
-     * Grant identifier
-     * @var string
-     */
-    protected $identifier = 'password';
-
-    /**
-     * Response type
-     * @var string
-     */
-    protected $responseType = null;
-
-    /**
-     * Callback to authenticate a user's name and password
-     * @var function
-     */
-    protected $callback = null;
-
-    /**
-     * Return the identifier
-     * @return string
-     */
-    public function getIdentifier()
-    {
-        return $this->identifier;
-    }
-
-    /**
-     * Return the response type
-     * @return string
-     */
-    public function getResponseType()
-    {
-        return $this->responseType;
-    }
-
-    /**
-     * Set the callback to verify a user's username and password
-     * @param function $callback The callback function
-     */
-    public function setVerifyCredentialsCallback($callback)
-    {
-        $this->callback = $callback;
-    }
-
-    /**
-     * Return the callback function
-     * @return function
-     */
-    protected function getVerifyCredentialsCallback()
-    {
-        if (is_null($this->callback) || ! is_callable($this->callback)) {
-            throw new Exception\InvalidGrantTypeException('Null or non-callable callback set');
-        }
-
-        return $this->callback;
-    }
-
-    /**
-     * Complete the password grant
-     * @param  null|array $inputParams
-     * @return array
-     */
-    public function completeFlow($inputParams = null)
-    {
-        // Get the required params
-        $authParams = AuthServer::getParam(array('client_id', 'client_secret', 'username', 'password'), 'post', $inputParams);
-
-        if (is_null($authParams['client_id'])) {
-            throw new Exception\ClientException(sprintf(AuthServer::getExceptionMessage('invalid_request'), 'client_id'), 0);
-        }
-
-        if (is_null($authParams['client_secret'])) {
-            throw new Exception\ClientException(sprintf(AuthServer::getExceptionMessage('invalid_request'), 'client_secret'), 0);
-        }
-
-        // Validate client ID and redirect URI
-        $clientDetails = AuthServer::getStorage('client')->getClient($authParams['client_id'], $authParams['client_secret']);
-
-        if ($clientDetails === false) {
-            throw new Exception\ClientException(AuthServer::getExceptionMessage('invalid_client'), 8);
-        }
-
-        $authParams['client_details'] = $clientDetails;
-
-        if (is_null($authParams['username'])) {
-            throw new Exception\ClientException(sprintf(AuthServer::getExceptionMessage('invalid_request'), 'username'), 0);
-        }
-
-        if (is_null($authParams['password'])) {
-            throw new Exception\ClientException(sprintf(AuthServer::getExceptionMessage('invalid_request'), 'password'), 0);
-        }
-
-        // Check if user's username and password are correct
-        $userId = call_user_func($this->getVerifyCredentialsCallback(), $authParams['username'], $authParams['password']);
-
-        if ($userId === false) {
-            throw new Exception\ClientException(AuthServer::getExceptionMessage('invalid_credentials'), 0);
-        }
-
-        // Generate an access token
-        $accessToken = SecureKey::make();
-        $refreshToken = (AuthServer::hasGrantType('refresh_token')) ? SecureKey::make() : null;
-
-        $accessTokenExpires = time() + AuthServer::getExpiresIn();
-        $accessTokenExpiresIn = AuthServer::getExpiresIn();
-
-        // Delete any existing sessions just to be sure
-        AuthServer::getStorage('session')->deleteSession($authParams['client_id'], 'user', $userId);
-
-        // Create a new session
-        AuthServer::getStorage('session')->createSession(
-            $authParams['client_id'],
-            null,
-            'user',
-            $userId,
-            null,
-            $accessToken,
-            $refreshToken,
-            $accessTokenExpires,
-            'granted'
-        );
-
-        $response = array(
-            'access_token'  =>  $accessToken,
-            'token_type'    =>  'bearer',
-            'expires'       =>  $accessTokenExpires,
-            'expires_in'    =>  $accessTokenExpiresIn
-        );
-
-        if (AuthServer::hasGrantType('refresh_token')) {
-            $response['refresh_token'] = $refreshToken;
-        }
-
-        return $response;
-    }
-
-}

src/OAuth2/Grant/RefreshToken.php

@@ -1,116 +0,0 @@
-<?php
-/**
- * OAuth 2.0 Refresh token grant
- *
- * @package     lncd/oauth2
- * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) 2013 University of Lincoln
- * @license     http://mit-license.org/
- * @link        http://github.com/lncd/oauth2
- */
-
-namespace OAuth2\Grant;
-
-use OAuth2\Request;
-use OAuth2\AuthServer;
-use OAuth2\Exception;
-use OAuth2\Util\SecureKey;
-use OAuth2\Storage\SessionInterface;
-use OAuth2\Storage\ClientInterface;
-use OAuth2\Storage\ScopeInterface;
-
-/**
- * Referesh token grant
- */
-class RefreshToken implements GrantTypeInterface {
-
-    /**
-     * Grant identifier
-     * @var string
-     */
-    protected $identifier = 'refresh_token';
-
-    /**
-     * Response type
-     * @var string
-     */
-    protected $responseType = null;
-
-    /**
-     * Return the identifier
-     * @return string
-     */
-    public function getIdentifier()
-    {
-        return $this->identifier;
-    }
-
-    /**
-     * Return the response type
-     * @return string
-     */
-    public function getResponseType()
-    {
-        return $this->responseType;
-    }
-
-    /**
-     * Complete the refresh token grant
-     * @param  null|array $inputParams
-     * @return array
-     */
-    public function completeFlow($inputParams = null)
-    {
-        // Get the required params
-        $authParams = AuthServer::getParam(array('client_id', 'client_secret', 'refresh_token'), 'post', $inputParams);
-
-        if (is_null($authParams['client_id'])) {
-            throw new Exception\ClientException(sprintf(AuthServer::getExceptionMessage('invalid_request'), 'client_id'), 0);
-        }
-
-        if (is_null($authParams['client_secret'])) {
-            throw new Exception\ClientException(sprintf(AuthServer::getExceptionMessage('invalid_request'), 'client_secret'), 0);
-        }
-
-        // Validate client ID and client secret
-        $clientDetails = AuthServer::getStorage('client')->getClient($authParams['client_id'], $authParams['client_secret']);
-
-        if ($clientDetails === false) {
-            throw new Exception\ClientException(AuthServer::getExceptionMessage('invalid_client'), 8);
-        }
-
-        $authParams['client_details'] = $clientDetails;
-
-        if (is_null($authParams['refresh_token'])) {
-            throw new Exception\ClientException(sprintf(AuthServer::getExceptionMessage('invalid_request'), 'refresh_token'), 0);
-        }
-
-        // Validate refresh token
-        $sessionId = AuthServer::getStorage('client')->validateRefreshToken(
-            $authParams['refresh_token'],
-            $authParams['client_id']
-        );
-
-        if ($sessionId === false) {
-            throw new Exception\ClientException(AuthServer::getExceptionMessage('invalid_refresh'), 0);
-        }
-
-        // Generate new tokens
-        $accessToken = SecureKey::make();
-        $refreshToken = (AuthServer::hasGrantType('refresh_token')) ? SecureKey::make() : null;
-
-        $accessTokenExpires = time() + AuthServer::getExpiresIn();
-        $accessTokenExpiresIn = AuthServer::getExpiresIn();
-
-        AuthServer::getStorage('session')->updateRefreshToken($sessionId, $accessToken, $refreshToken, $accessTokenExpires);
-
-        return array(
-            'access_token'  =>  $accessToken,
-            'refresh_token' =>  $refreshToken,
-            'token_type'    =>  'bearer',
-            'expires'       =>  $accessTokenExpires,
-            'expires_in'    =>  $accessTokenExpiresIn
-        );
-    }
-
-}

src/OAuth2/ResourceServer.php

@@ -1,232 +0,0 @@
-<?php
-/**
- * OAuth 2.0 Resource Server
- *
- * @package     lncd/oauth2
- * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) 2013 University of Lincoln
- * @license     http://mit-license.org/
- * @link        http://github.com/lncd/oauth2
- */
-
-namespace OAuth2;
-
-use OutOfBoundsException;
-use OAuth2\Storage\SessionInterface;
-use OAuth2\Storage\SessionScopeInterface;
-use OAuth2\Util\RequestInterface;
-use OAuth2\Util\Request;
-
-/**
- * OAuth 2.0 Resource Server
- */
-class ResourceServer
-{
-    /**
-     * The access token
-     * @var string
-     */
-    protected $accessToken = null;
-
-    /**
-     * The session ID
-     * @var string
-     */
-    protected $sessionId = null;
-
-    /**
-     * The type of the owner of the access token
-     * @var string
-     */
-    protected $ownerType = null;
-
-    /**
-     * The ID of the owner of the access token
-     * @var string
-     */
-    protected $ownerId = null;
-
-    /**
-     * The scopes associated with the access token
-     * @var array
-     */
-    protected $sessionScopes = array();
-
-    /**
-     * The client, scope and session storage classes
-     * @var array
-     */
-    protected $storages = array();
-
-    /**
-     * The request object
-     * @var Util\RequestInterface
-     */
-    protected $request = null;
-
-    /**
-     * The query string key which is used by clients to present the access token (default: access_token)
-     * @var string
-     */
-    protected $tokenKey = 'access_token';
-
-    /**
-     * Sets up the Resource
-     *
-     * @param SessionInterface  The Session Storage Object
-     */
-    public function __construct(SessionInterface $session)
-    {
-        $this->storages['session'] = $session;
-    }
-
-    /**
-     * Sets the Request Object
-     *
-     * @param  RequestInterface The Request Object
-     */
-    public function setRequest(RequestInterface $request)
-    {
-        $this->request = $request;
-    }
-
-    /**
-     * Gets the Request object.  It will create one from the globals if one is not set.
-     *
-     * @return Util\RequestInterface
-     */
-    public function getRequest()
-    {
-        if ($this->request === null) {
-            // @codeCoverageIgnoreStart
-            $this->request = Request::buildFromGlobals();
-        }
-        // @codeCoverageIgnoreEnd
-
-        return $this->request;
-    }
-
-    /**
-     * Returns the query string key for the access token.
-     *
-     * @return string
-     */
-    public function getTokenKey()
-    {
-        return $this->tokenKey;
-    }
-
-    /**
-     * Sets the query string key for the access token.
-     *
-     * @param $key The new query string key
-     */
-    public function setTokenKey($key)
-    {
-        $this->tokenKey = $key;
-    }
-
-    /**
-     * Gets the access token owner ID.
-     *
-     * @return string
-     */
-    public function getOwnerId()
-    {
-        return $this->ownerId;
-    }
-
-    /**
-     * Gets the owner type.
-     *
-     * @return string
-     */
-    public function getOwnerType()
-    {
-        return $this->ownerType;
-    }
-
-    /**
-     * Gets the access token.
-     *
-     * @return string
-     */
-    public function getAccessToken()
-    {
-        return $this->accessToken;
-    }
-
-    /**
-     * Checks if the access token is valid or not.
-     *
-     * @throws Exception\InvalidAccessTokenException Thrown if the presented access token is not valid
-     * @return bool
-     */
-    public function isValid()
-    {
-        $access_token = $this->determineAccessToken();
-
-        $result = $this->storages['session']->validateAccessToken($access_token);
-
-        if ( ! $result) {
-            throw new Exception\InvalidAccessTokenException('Access token is not valid');
-        }
-
-        $this->accessToken = $access_token;
-        $this->sessionId = $result['id'];
-        $this->ownerType = $result['owner_type'];
-        $this->ownerId = $result['owner_id'];
-
-        $this->sessionScopes = $this->storages['session']->getScopes($this->sessionId);
-
-        return true;
-    }
-
-    /**
-     * Checks if the presented access token has the given scope(s).
-     *
-     * @param array|string  An array of scopes or a single scope as a string
-     * @return bool         Returns bool if all scopes are found, false if any fail
-     */
-    public function hasScope($scopes)
-    {
-        if (is_string($scopes)) {
-            if (in_array($scopes, $this->sessionScopes)) {
-                return true;
-            }
-            return false;
-        } elseif (is_array($scopes)) {
-            foreach ($scopes as $scope) {
-                if ( ! in_array($scope, $this->sessionScopes)) {
-                    return false;
-                }
-            }
-            return true;
-        }
-
-        return false;
-    }
-
-    /**
-     * Reads in the access token from the headers.
-     *
-     * @throws Exception\MissingAccessTokenException  Thrown if there is no access token presented
-     * @return string
-     */
-    protected function determineAccessToken()
-    {
-        if ($header = $this->getRequest()->header('Authorization')) {
-            $access_token = base64_decode(trim(str_replace('Bearer', '', $header)));
-        } else {
-            $method = $this->getRequest()->server('REQUEST_METHOD');
-            $access_token = $this->getRequest()->{$method}($this->tokenKey);
-        }
-
-        if (empty($access_token)) {
-            throw new Exception\InvalidAccessTokenException('Access token is missing');
-        }
-
-        return $access_token;
-    }
-
-}

src/OAuth2/Storage/ClientInterface.php

@@ -1,54 +0,0 @@
-<?php
-/**
- * OAuth 2.0 Client storage interface
- *
- * @package     lncd/oauth2
- * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) 2013 University of Lincoln
- * @license     http://mit-license.org/
- * @link        http://github.com/lncd/oauth2
- */
-
-namespace OAuth2\Storage;
-
-interface ClientInterface
-{
-	/**
-	 * Validate a client
-	 *
-	 * Example SQL query:
-	 *
-	 * <code>
-	 * # Client ID + redirect URI
-	 * SELECT oauth_clients.id FROM oauth_clients LEFT JOIN client_endpoints ON client_endpoints.client_id
-	 *  = oauth_clients.id WHERE oauth_clients.id = $clientId AND client_endpoints.redirect_uri = $redirectUri
-	 *
-	 * # Client ID + client secret
-	 * SELECT oauth_clients.id FROM oauth_clients  WHERE oauth_clients.id = $clientId AND
-	 *  oauth_clients.secret = $clientSecret
-	 *
-	 * # Client ID + client secret + redirect URI
-	 * SELECT oauth_clients.id FROM oauth_clients LEFT JOIN client_endpoints ON client_endpoints.client_id
-	 *  = oauth_clients.id WHERE oauth_clients.id = $clientId AND oauth_clients.secret = $clientSecret
-	 *  AND client_endpoints.redirect_uri = $redirectUri
-	 * </code>
-	 *
-	 * Response:
-	 *
-	 * <code>
-	 * Array
-	 * (
-	 *     [client_id] => (string) The client ID
-	 *     [client secret] => (string) The client secret
-	 *     [redirect_uri] => (string) The redirect URI used in this request
-	 *     [name] => (string) The name of the client
-	 * )
-	 * </code>
-	 *
-	 * @param  string     $clientId     The client's ID
-	 * @param  string     $clientSecret The client's secret (default = "null")
-	 * @param  string     $redirectUri  The client's redirect URI (default = "null")
-	 * @return bool|array               Returns false if the validation fails, array on success
-	 */
-    public function getClient($clientId = null, $clientSecret = null, $redirectUri = null);
-}

src/OAuth2/Storage/SessionInterface.php

@@ -1,250 +0,0 @@
-<?php
-/**
- * OAuth 2.0 Session storage interface
- *
- * @package     lncd/oauth2
- * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) 2013 University of Lincoln
- * @license     http://mit-license.org/
- * @link        http://github.com/lncd/oauth2
- */
-
-namespace OAuth2\Storage;
-
-interface SessionInterface
-{
-	/**
-     * Create a new OAuth session
-     *
-     * Example SQL query:
-     *
-     * <code>
-     * INSERT INTO oauth_sessions (client_id, redirect_uri, owner_type,
-     * owner_id, auth_code, access_token, refresh_token, stage, first_requested,
-     * last_updated) VALUES ($clientId, $redirectUri, $type, $typeId, $authCode,
-     * $accessToken, $stage, UNIX_TIMESTAMP(NOW()), UNIX_TIMESTAMP(NOW()))
-     * </code>
-     *
-     * @param  string $clientId          The client ID
-     * @param  string $redirectUri       The redirect URI
-     * @param  string $type              The session owner's type (default = "user")
-     * @param  string $typeId            The session owner's ID (default = "null")
-     * @param  string $authCode          The authorisation code (default = "null")
-     * @param  string $accessToken       The access token (default = "null")
-     * @param  string $refreshToken      The refresh token (default = "null")
-     * @param  int    $accessTokenExpire The expiry time of an access token as a unix timestamp
-     * @param  string $stage             The stage of the session (default ="request")
-     * @return int                       The session ID
-     */
-    public function createSession(
-        $clientId,
-        $redirectUri,
-        $type = 'user',
-        $typeId = null,
-        $authCode = null,
-        $accessToken = null,
-        $refreshToken = null,
-        $accessTokenExpire = null,
-        $stage = 'requested'
-    );
-
-    /**
-     * Update an OAuth session
-     *
-     * Example SQL query:
-     *
-     * <code>
-     * UPDATE oauth_sessions SET auth_code = $authCode, access_token =
-     *  $accessToken, stage = $stage, last_updated = UNIX_TIMESTAMP(NOW()) WHERE
-     *  id = $sessionId
-     * </code>
-     *
-     * @param  string $sessionId         The session ID
-     * @param  string $authCode          The authorisation code (default = "null")
-     * @param  string $accessToken       The access token (default = "null")
-     * @param  string $refreshToken      The refresh token (default = "null")
-     * @param  int    $accessTokenExpire The expiry time of an access token as a unix timestamp
-     * @param  string $stage             The stage of the session (default ="request")
-     * @return  void
-     */
-    public function updateSession(
-        $sessionId,
-        $authCode = null,
-        $accessToken = null,
-        $refreshToken = null,
-        $accessTokenExpire = null,
-        $stage = 'requested'
-    );
-
-    /**
-     * Delete an OAuth session
-     *
-     * <code>
-     * DELETE FROM oauth_sessions WHERE client_id = $clientId AND owner_type =
-     *  $type AND owner_id = $typeId
-     * </code>
-     *
-     * @param  string $clientId The client ID
-     * @param  string $type     The session owner's type
-     * @param  string $typeId   The session owner's ID
-     * @return  void
-     */
-    public function deleteSession(
-        $clientId,
-        $type,
-        $typeId
-    );
-
-    /**
-     * Validate that an authorisation code is valid
-     *
-     * Example SQL query:
-     *
-     * <code>
-     * SELECT id FROM oauth_sessions WHERE client_id = $clientID AND
-     *  redirect_uri = $redirectUri AND auth_code = $authCode
-     * </code>
-     *
-     * Response:
-     *
-     * <code>
-     * Array
-     * (
-     *     [id] => (int) The session ID
-     *     [client_id] => (string) The client ID
-     *     [redirect_uri] => (string) The redirect URI
-     *     [owner_type] => (string) The session owner type
-     *     [owner_id] => (string) The session owner's ID
-     *     [auth_code] => (string) The authorisation code
-     *     [stage] => (string) The session's stage
-     *     [first_requested] => (int) Unix timestamp of the time the session was
-     *      first generated
-     *     [last_updated] => (int) Unix timestamp of the time the session was
-     *      last updated
-     * )
-     * </code>
-     *
-     * @param  string     $clientId    The client ID
-     * @param  string     $redirectUri The redirect URI
-     * @param  string     $authCode    The authorisation code
-     * @return  int|bool   Returns the session ID if the auth code
-     *  is valid otherwise returns false
-     */
-    public function validateAuthCode(
-        $clientId,
-        $redirectUri,
-        $authCode
-    );
-
-    /**
-     * Validate an access token
-     *
-     * Example SQL query:
-     *
-     * <code>
-     * SELECT id, owner_id, owner_type FROM oauth_sessions WHERE access_token = $accessToken
-     * </code>
-     *
-     * Response:
-     *
-     * <code>
-     * Array
-     * (
-     *     [id] => (int) The session ID
-     *     [owner_type] => (string) The owner type
-     *     [owner_id] => (string) The owner ID
-     * )
-     * </code>
-     *
-     * @param  [type] $accessToken [description]
-     * @return [type]              [description]
-     */
-    public function validateAccessToken($accessToken);
-
-    /**
-     * Return the access token for a given session
-     *
-     * Example SQL query:
-     *
-     * <code>
-     * SELECT access_token FROM oauth_sessions WHERE id = $sessionId
-     * </code>
-     *
-     * @param  int         $sessionId The OAuth session ID
-     * @return string|null            Returns the access token as a string if
-     *  found otherwise returns null
-     */
-    public function getAccessToken($sessionId);
-
-    /**
-     * Validate a refresh token
-     * @param  string $refreshToken The refresh token
-     * @param  string $clientId     The client ID
-     * @return int                  The session ID
-     */
-    public function validateRefreshToken($refreshToken, $clientId);
-
-    /**
-     * Update the refresh token
-     *
-     * Example SQL query:
-     *
-     * <code>
-     * UPDATE oauth_sessions SET access_token = $newAccessToken, refresh_token =
-     *  $newRefreshToken, access_toke_expires = $accessTokenExpires, last_updated = UNIX_TIMESTAMP(NOW()) WHERE
-     *  id = $sessionId
-     * </code>
-     *
-     * @param  string $sessionId             The session ID
-     * @param  string $newAccessToken        The new access token for this session
-     * @param  string $newRefreshToken       The new refresh token for the session
-     * @param  int    $accessTokenExpires    The UNIX timestamp of when the new token expires
-     * @return void
-     */
-    public function updateRefreshToken($sessionId, $newAccessToken, $newRefreshToken, $accessTokenExpires);
-
-    /**
-     * Associates a session with a scope
-     *
-     * Example SQL query:
-     *
-     * <code>
-     * INSERT INTO oauth_session_scopes (session_id, scope_id) VALUE ($sessionId,
-     *  $scopeId)
-     * </code>
-     *
-     * @param int    $sessionId The session ID
-     * @param string $scopeId   The scope ID
-     * @return void
-     */
-    public function associateScope($sessionId, $scopeId);
-
-    /**
-     * Return the scopes associated with an access token
-     *
-     * Example SQL query:
-     *
-     * <code>
-     * SELECT oauth_scopes.scope FROM oauth_session_scopes JOIN oauth_scopes ON
-     *  oauth_session_scopes.scope_id = oauth_scopes.id WHERE
-     *  session_id = $sessionId
-     * </code>
-     *
-     * Response:
-     *
-     * <code>
-     * Array
-     * (
-     *     [0] => (string) The scope
-     *     [1] => (string) The scope
-     *     [2] => (string) The scope
-     *     ...
-     *     ...
-     * )
-     * </code>
-     *
-     * @param  int   $sessionId The session ID
-     * @return array
-     */
-    public function getScopes($sessionId);
-}

src/OAuth2/Util/RequestInterface.php

@@ -1,24 +0,0 @@
-<?php
-
-namespace OAuth2\Util;
-
-interface RequestInterface
-{
-
-    public static function buildFromGlobals();
-
-    public function __construct(array $get = array(), array $post = array(), array $cookies = array(), array $files = array(), array $server = array(), $headers = array());
-
-    public function get($index = null);
-
-    public function post($index = null);
-
-    public function cookie($index = null);
-
-    public function file($index = null);
-
-    public function server($index = null);
-
-    public function header($index = null);
-
-}

tests/authorization/AuthCodeGrantTest.php

@@ -0,0 +1,428 @@
+<?php
+
+use \Mockery as m;
+
+class Auth_Code_Grant_Test extends PHPUnit_Framework_TestCase
+{
+    private $client;
+    private $session;
+    private $scope;
+
+    public function setUp()
+    {
+        $this->client = M::mock('League\OAuth2\Server\Storage\ClientInterface');
+        $this->session = M::mock('League\OAuth2\Server\Storage\SessionInterface');
+        $this->scope = M::mock('League\OAuth2\Server\Storage\ScopeInterface');
+    }
+
+    private function returnDefault()
+    {
+        return new League\OAuth2\Server\Authorization($this->client, $this->session, $this->scope);
+    }
+
+    /**
+    * @expectedException PHPUnit_Framework_Error
+    */
+    public function test__construct()
+    {
+        $a = $this->returnDefault();
+        $grant = new League\OAuth2\Server\Grant\AuthCode($a);
+    }
+
+    public function test_setIdentifier()
+    {
+        $grant = new League\OAuth2\Server\Grant\AuthCode();
+        $grant->setIdentifier('foobar');
+        $this->assertEquals($grant->getIdentifier(), 'foobar');
+    }
+
+    public function test_setAuthTokenTTL()
+    {
+        $a = $this->returnDefault();
+        $grant = new League\OAuth2\Server\Grant\AuthCode();
+        $grant->setAuthTokenTTL(30);
+
+        $reflector = new ReflectionClass($grant);
+        $requestProperty = $reflector->getProperty('authTokenTTL');
+        $requestProperty->setAccessible(true);
+        $v = $requestProperty->getValue($grant);
+
+        $this->assertEquals(30, $v);
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    0
+     */
+    public function test_checkAuthoriseParams_noClientId()
+    {
+        $a = $this->returnDefault();
+        $g = new League\OAuth2\Server\Grant\AuthCode();
+        $a->addGrantType($g);
+        $g->checkAuthoriseParams();
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    0
+     */
+    public function test_checkAuthoriseParams_noRedirectUri()
+    {
+        $a = $this->returnDefault();
+        $g = new League\OAuth2\Server\Grant\AuthCode();
+        $a->addGrantType($g);
+        $g->checkAuthoriseParams(array(
+            'client_id' =>  1234
+        ));
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    0
+     */
+    public function test_checkAuthoriseParams_noRequiredState()
+    {
+        $a = $this->returnDefault();
+        $g = new League\OAuth2\Server\Grant\AuthCode();
+        $a->addGrantType($g);
+        $a->requireStateParam(true);
+        $g->checkAuthoriseParams(array(
+            'client_id' =>  1234,
+            'redirect_uri'  =>  'http://foo/redirect'
+        ));
+    }
+
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    8
+     */
+    public function test_checkAuthoriseParams_badClient()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(false);
+
+        $a = $this->returnDefault();
+        $g = new League\OAuth2\Server\Grant\AuthCode();
+        $a->addGrantType($g);
+        $g->checkAuthoriseParams(array(
+            'client_id' =>  1234,
+            'redirect_uri'  =>  'http://foo/redirect'
+        ));
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    0
+     */
+    public function test_checkAuthoriseParams_missingResponseType()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $a = $this->returnDefault();
+        $g = new League\OAuth2\Server\Grant\AuthCode();
+        $a->addGrantType($g);
+        $g->checkAuthoriseParams(array(
+            'client_id' =>  1234,
+            'redirect_uri'  =>  'http://foo/redirect'
+        ));
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    3
+     */
+    public function test_checkAuthoriseParams_badResponseType()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $a = $this->returnDefault();
+        $g = new League\OAuth2\Server\Grant\AuthCode();
+        $a->addGrantType($g);
+        $g->checkAuthoriseParams(array(
+            'client_id' =>  1234,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'response_type' =>  'foo'
+        ));
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    0
+     */
+    public function test_checkAuthoriseParams_missingScopes()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $a = $this->returnDefault();
+        $g = new League\OAuth2\Server\Grant\AuthCode();
+        $a->addGrantType($g);
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
+        $a->requireScopeParam(true);
+
+        $g->checkAuthoriseParams(array(
+            'client_id' =>  1234,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'response_type' =>  'code',
+            'scope' =>  ''
+        ));
+    }
+
+    public function test_checkAuthoriseParams_defaultScope()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->scope->shouldReceive('getScope')->andReturn(array(
+            'id'    =>  1,
+            'scope' =>  'foo',
+            'name'  =>  'Foo Name',
+            'description'   =>  'Foo Name Description'
+        ));
+
+        $a = $this->returnDefault();
+        $g = new League\OAuth2\Server\Grant\AuthCode();
+        $a->addGrantType($g);
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
+        $a->setDefaultScope('test.scope');
+        $a->requireScopeParam(false);
+
+        $params = $g->checkAuthoriseParams(array(
+            'client_id' =>  1234,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'response_type' =>  'code',
+            'scope'    =>  ''
+        ));
+
+        $this->assertArrayHasKey('scopes', $params);
+        $this->assertEquals(1, count($params['scopes']));
+    }
+
+    public function test_checkAuthoriseParams_defaultScopeArray()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->scope->shouldReceive('getScope')->andReturn(array(
+            'id'    =>  1,
+            'scope' =>  'foo',
+            'name'  =>  'Foo Name',
+            'description'   =>  'Foo Name Description'
+        ));
+
+        $a = $this->returnDefault();
+        $g = new League\OAuth2\Server\Grant\AuthCode();
+        $a->addGrantType($g);
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
+        $a->setDefaultScope(array('test.scope', 'test.scope2'));
+        $a->requireScopeParam(false);
+
+        $params = $g->checkAuthoriseParams(array(
+            'client_id' =>  1234,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'response_type' =>  'code',
+            'scope'    =>  ''
+        ));
+
+        $this->assertArrayHasKey('scopes', $params);
+        $this->assertEquals(2, count($params['scopes']));
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    4
+     */
+    public function test_checkAuthoriseParams_badScopes()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->scope->shouldReceive('getScope')->andReturn(false);
+
+        $a = $this->returnDefault();
+        $g = new League\OAuth2\Server\Grant\AuthCode();
+        $a->addGrantType($g);
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
+
+        $g->checkAuthoriseParams(array(
+            'client_id' =>  1234,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'response_type' =>  'code',
+            'scope' =>  'foo'
+        ));
+    }
+
+    public function test_checkAuthoriseParams_passedInput()
+    {
+        $a = $this->returnDefault();
+        $g = new League\OAuth2\Server\Grant\AuthCode();
+        $a->addGrantType($g);
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
+
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->scope->shouldReceive('getScope')->andReturn(array(
+            'id'    =>  1,
+            'scope' =>  'foo',
+            'name'  =>  'Foo Name',
+            'description'   =>  'Foo Name Description'
+        ));
+
+        $v = $g->checkAuthoriseParams(array(
+            'client_id' =>  1234,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'response_type' =>  'code',
+            'scope' =>  'foo',
+            'state' =>  'xyz'
+        ));
+
+        $this->assertEquals(array(
+            'client_id' =>  1234,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'client_details' => array(
+                'client_id' => 1234,
+                'client_secret' => 5678,
+                'redirect_uri' => 'http://foo/redirect',
+                'name' => 'Example Client'
+            ),
+            'response_type' =>  'code',
+            'scopes'    =>  array(
+                array(
+                    'id'    =>  1,
+                    'scope' =>  'foo',
+                    'name'  =>  'Foo Name',
+                    'description'   =>  'Foo Name Description'
+                )
+            ),
+            'scope' =>  'foo',
+            'state' =>  'xyz'
+        ), $v);
+    }
+
+    public function test_checkAuthoriseParams()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->scope->shouldReceive('getScope')->andReturn(array(
+            'id'    =>  1,
+            'scope' =>  'foo',
+            'name'  =>  'Foo Name',
+            'description'   =>  'Foo Name Description'
+        ));
+
+        $a = $this->returnDefault();
+        $g = new League\OAuth2\Server\Grant\AuthCode();
+        $a->addGrantType($g);
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
+
+        $_GET['client_id'] = 1234;
+        $_GET['redirect_uri'] = 'http://foo/redirect';
+        $_GET['response_type'] = 'code';
+        $_GET['scope'] = 'foo';
+        $_GET['state'] = 'xyz';
+
+        $request = new League\OAuth2\Server\Util\Request($_GET);
+        $a->setRequest($request);
+
+        $v = $g->checkAuthoriseParams();
+
+        $this->assertEquals(array(
+            'client_id' =>  1234,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'client_details' => array(
+                'client_id' => 1234,
+                'client_secret' => 5678,
+                'redirect_uri' => 'http://foo/redirect',
+                'name' => 'Example Client'
+            ),
+            'response_type' =>  'code',
+            'scopes'    =>  array(
+                array(
+                    'id'    =>  1,
+                    'scope' =>  'foo',
+                    'name'  =>  'Foo Name',
+                    'description'   =>  'Foo Name Description'
+                )
+            ),
+            'scope' =>  'foo',
+            'state' =>  'xyz'
+        ), $v);
+    }
+
+
+    function test_newAuthoriseRequest()
+    {
+        $this->session->shouldReceive('deleteSession')->andReturn(null);
+        $this->session->shouldReceive('createSession')->andReturn(1);
+        $this->session->shouldReceive('associateScope')->andReturn(null);
+        $this->session->shouldReceive('associateRedirectUri')->andReturn(null);
+        $this->session->shouldReceive('associateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('associateAuthCodeScope')->andReturn(null);
+
+        $a = $this->returnDefault();
+        $g = new League\OAuth2\Server\Grant\AuthCode();
+        $a->addGrantType($g);
+
+        $params = array(
+            'client_id' =>  1234,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'client_details' => array(
+                'client_id' => 1234,
+                'client_secret' => 5678,
+                'redirect_uri' => 'http://foo/redirect',
+                'name' => 'Example Client'
+            ),
+            'response_type' =>  'code',
+            'scopes'    =>  array(
+                array(
+                    'id'    =>  1,
+                    'scope' =>  'foo',
+                    'name'  =>  'Foo Name',
+                    'description'   =>  'Foo Name Description'
+                )
+            )
+        );
+
+        $v = $g->newAuthoriseRequest('user', 123, $params);
+
+        $this->assertEquals(40, strlen($v));
+    }
+
+
+}

tests/authorization/AuthServerTest.php

@@ -10,14 +10,14 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase
 
     public function setUp()
     {
-        $this->client = M::mock('OAuth2\Storage\ClientInterface');
-        $this->session = M::mock('OAuth2\Storage\SessionInterface');
-        $this->scope = M::mock('OAuth2\Storage\ScopeInterface');
+        $this->client = M::mock('League\OAuth2\Server\Storage\ClientInterface');
+        $this->session = M::mock('League\OAuth2\Server\Storage\SessionInterface');
+        $this->scope = M::mock('League\OAuth2\Server\Storage\ScopeInterface');
     }
 
     private function returnDefault()
     {
-        return new OAuth2\AuthServer($this->client, $this->session, $this->scope);
+        return new League\OAuth2\Server\Authorization($this->client, $this->session, $this->scope);
     }
 
     /**
@@ -25,17 +25,17 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase
      */
     public function test__construct_NoStorage()
     {
-        $a = new OAuth2\AuthServer;
+        new League\OAuth2\Server\Authorization;
     }
 
     public function test__contruct_WithStorage()
     {
-        $a = $this->returnDefault();
+        $this->returnDefault();
     }
 
     public function test_getExceptionMessage()
     {
-        $m = OAuth2\AuthServer::getExceptionMessage('access_denied');
+        $m = League\OAuth2\Server\Authorization::getExceptionMessage('access_denied');
 
         $reflector = new ReflectionClass($this->returnDefault());
         $exceptionMessages = $reflector->getProperty('exceptionMessages');
@@ -47,56 +47,121 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase
 
     public function test_getExceptionCode()
     {
-        $this->assertEquals('access_denied', OAuth2\AuthServer::getExceptionType(2));
+        $this->assertEquals('access_denied', League\OAuth2\Server\Authorization::getExceptionType(2));
+    }
+
+    public function test_getExceptionHttpHeaders()
+    {
+        $this->assertEquals(array('HTTP/1.1 401 Unauthorized'), League\OAuth2\Server\Authorization::getExceptionHttpHeaders('access_denied'));
+        $this->assertEquals(array('HTTP/1.1 500 Internal Server Error'), League\OAuth2\Server\Authorization::getExceptionHttpHeaders('server_error'));
+        $this->assertEquals(array('HTTP/1.1 501 Not Implemented'), League\OAuth2\Server\Authorization::getExceptionHttpHeaders('unsupported_grant_type'));
+        $this->assertEquals(array('HTTP/1.1 400 Bad Request'), League\OAuth2\Server\Authorization::getExceptionHttpHeaders('invalid_refresh'));
     }
 
     public function test_hasGrantType()
     {
-        $this->assertFalse(OAuth2\AuthServer::hasGrantType('test'));
+        $a = $this->returnDefault();
+        $this->assertFalse($a->hasGrantType('test'));
     }
 
     public function test_addGrantType()
     {
         $a = $this->returnDefault();
-        $grant = M::mock('OAuth2\Grant\GrantTypeInterface');
+        $grant = M::mock('League\OAuth2\Server\Grant\GrantTypeInterface');
         $grant->shouldReceive('getResponseType')->andReturn('test');
+        $grant->shouldReceive('setAuthorizationServer')->andReturn($grant);
         $a->addGrantType($grant, 'test');
 
-        $this->assertTrue(OAuth2\AuthServer::hasGrantType('test'));
+        $this->assertTrue($a->hasGrantType('test'));
     }
 
     public function test_addGrantType_noIdentifier()
     {
         $a = $this->returnDefault();
-        $grant = M::mock('OAuth2\Grant\GrantTypeInterface');
+        $grant = M::mock('League\OAuth2\Server\Grant\GrantTypeInterface');
         $grant->shouldReceive('getIdentifier')->andReturn('test');
         $grant->shouldReceive('getResponseType')->andReturn('test');
+        $grant->shouldReceive('setAuthorizationServer')->andReturn($grant);
         $a->addGrantType($grant);
 
-        $this->assertTrue(OAuth2\AuthServer::hasGrantType('test'));
+        $this->assertTrue($a->hasGrantType('test'));
     }
 
     public function test_getScopeDelimeter()
     {
         $a = $this->returnDefault();
-        $this->assertEquals(',', $a->getScopeDelimeter());
+        $this->assertEquals(' ', $a->getScopeDelimeter());
     }
 
     public function test_setScopeDelimeter()
     {
         $a = $this->returnDefault();
-        $a->setScopeDelimeter(';');
-        $this->assertEquals(';', $a->getScopeDelimeter());
+        $a->setScopeDelimeter(',');
+        $this->assertEquals(',', $a->getScopeDelimeter());
     }
 
-    public function test_getExpiresIn()
+    public function test_requireScopeParam()
     {
         $a = $this->returnDefault();
-        $a->setExpiresIn(7200);
-        $this->assertEquals(7200, $a::getExpiresIn());
+        $a->requireScopeParam(false);
+
+        $reflector = new ReflectionClass($a);
+        $requestProperty = $reflector->getProperty('requireScopeParam');
+        $requestProperty->setAccessible(true);
+        $v = $requestProperty->getValue($a);
+
+        $this->assertFalse($v);
     }
 
-    public function test_setExpiresIn()
+    public function test_scopeParamRequired()
+    {
+        $a = $this->returnDefault();
+        $a->requireScopeParam(false);
+
+        $this->assertFalse($a->scopeParamRequired());
+    }
+
+    public function test_setDefaultScope()
+    {
+        $a = $this->returnDefault();
+        $a->setDefaultScope('test.default');
+
+        $reflector = new ReflectionClass($a);
+        $requestProperty = $reflector->getProperty('defaultScope');
+        $requestProperty->setAccessible(true);
+        $v = $requestProperty->getValue($a);
+
+        $this->assertEquals('test.default', $v);
+    }
+
+    public function test_getDefaultScope()
+    {
+        $a = $this->returnDefault();
+        $a->setDefaultScope('test.default');
+        $this->assertEquals('test.default', $a->getDefaultScope());
+    }
+
+    public function test_requireStateParam()
+    {
+        $a = $this->returnDefault();
+        $a->requireStateParam(true);
+
+        $reflector = new ReflectionClass($a);
+        $requestProperty = $reflector->getProperty('requireStateParam');
+        $requestProperty->setAccessible(true);
+        $v = $requestProperty->getValue($a);
+
+        $this->assertTrue($v);
+    }
+
+    public function test_getAccessTokenTTL()
+    {
+        $a = $this->returnDefault();
+        $a->setAccessTokenTTL(7200);
+        $this->assertEquals(7200, $a->getAccessTokenTTL());
+    }
+
+    public function test_setAccessTokenTTL()
     {
         $a = $this->returnDefault();
         $a->setScopeDelimeter(';');
@@ -106,297 +171,37 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase
     public function test_setRequest()
     {
         $a = $this->returnDefault();
-        $request = new OAuth2\Util\Request();
+        $request = new League\OAuth2\Server\Util\Request();
         $a->setRequest($request);
 
         $reflector = new ReflectionClass($a);
         $requestProperty = $reflector->getProperty('request');
         $requestProperty->setAccessible(true);
-        $v = $requestProperty->getValue();
+        $v = $requestProperty->getValue($a);
 
-        $this->assertTrue($v instanceof OAuth2\Util\RequestInterface);
+        $this->assertTrue($v instanceof League\OAuth2\Server\Util\RequestInterface);
     }
 
     public function test_getRequest()
     {
         $a = $this->returnDefault();
-        $request = new OAuth2\Util\Request();
+        $request = new League\OAuth2\Server\Util\Request();
         $a->setRequest($request);
-        $v = $a::getRequest();
+        $v = $a->getRequest();
 
-        $this->assertTrue($v instanceof OAuth2\Util\RequestInterface);
+        $this->assertTrue($v instanceof League\OAuth2\Server\Util\RequestInterface);
     }
 
     public function test_getStorage()
     {
         $a = $this->returnDefault();
-        $this->assertTrue($a->getStorage('session') instanceof OAuth2\Storage\SessionInterface);
-    }
-
-    /**
-     * @expectedException        OAuth2\Exception\ClientException
-     * @expectedExceptionCode    0
-     */
-    public function test_checkAuthoriseParams_noClientId()
-    {
-        $a = $this->returnDefault();
-        $a->checkAuthoriseParams();
-    }
-
-    /**
-     * @expectedException        OAuth2\Exception\ClientException
-     * @expectedExceptionCode    0
-     */
-    public function test_checkAuthoriseParams_noRedirectUri()
-    {
-        $a = $this->returnDefault();
-        $a->checkAuthoriseParams(array(
-            'client_id' =>  1234
-        ));
-    }
-
-    /**
-     * @expectedException        OAuth2\Exception\ClientException
-     * @expectedExceptionCode    8
-     */
-    public function test_checkAuthoriseParams_badClient()
-    {
-        $this->client->shouldReceive('getClient')->andReturn(false);
-
-        $a = $this->returnDefault();
-        $a->checkAuthoriseParams(array(
-            'client_id' =>  1234,
-            'redirect_uri'  =>  'http://foo/redirect'
-        ));
-    }
-
-    /**
-     * @expectedException        OAuth2\Exception\ClientException
-     * @expectedExceptionCode    0
-     */
-    public function test_checkAuthoriseParams_missingResponseType()
-    {
-        $this->client->shouldReceive('getClient')->andReturn(array(
-            'client_id' =>  1234,
-            'client_secret' =>  5678,
-            'redirect_uri'  =>  'http://foo/redirect',
-            'name'  =>  'Example Client'
-        ));
-
-        $a = $this->returnDefault();
-        $a->checkAuthoriseParams(array(
-            'client_id' =>  1234,
-            'redirect_uri'  =>  'http://foo/redirect'
-        ));
-    }
-
-    /**
-     * @expectedException        OAuth2\Exception\ClientException
-     * @expectedExceptionCode    3
-     */
-    public function test_checkAuthoriseParams_badResponseType()
-    {
-        $this->client->shouldReceive('getClient')->andReturn(array(
-            'client_id' =>  1234,
-            'client_secret' =>  5678,
-            'redirect_uri'  =>  'http://foo/redirect',
-            'name'  =>  'Example Client'
-        ));
-
-        $a = $this->returnDefault();
-        $a->checkAuthoriseParams(array(
-            'client_id' =>  1234,
-            'redirect_uri'  =>  'http://foo/redirect',
-            'response_type' =>  'foo'
-        ));
-    }
-
-    /**
-     * @expectedException        OAuth2\Exception\ClientException
-     * @expectedExceptionCode    0
-     */
-    public function test_checkAuthoriseParams_missingScopes()
-    {
-        $this->client->shouldReceive('getClient')->andReturn(array(
-            'client_id' =>  1234,
-            'client_secret' =>  5678,
-            'redirect_uri'  =>  'http://foo/redirect',
-            'name'  =>  'Example Client'
-        ));
-
-        $a = $this->returnDefault();
-        $a->addGrantType(new OAuth2\Grant\AuthCode());
-
-        $a->checkAuthoriseParams(array(
-            'client_id' =>  1234,
-            'redirect_uri'  =>  'http://foo/redirect',
-            'response_type' =>  'code',
-            'scope' =>  ''
-        ));
-    }
-
-    /**
-     * @expectedException        OAuth2\Exception\ClientException
-     * @expectedExceptionCode    4
-     */
-    public function test_checkAuthoriseParams_badScopes()
-    {
-        $this->client->shouldReceive('getClient')->andReturn(array(
-            'client_id' =>  1234,
-            'client_secret' =>  5678,
-            'redirect_uri'  =>  'http://foo/redirect',
-            'name'  =>  'Example Client'
-        ));
-
-        $this->scope->shouldReceive('getScope')->andReturn(false);
-
-        $a = $this->returnDefault();
-        $a->addGrantType(new OAuth2\Grant\AuthCode());
-
-        $a->checkAuthoriseParams(array(
-            'client_id' =>  1234,
-            'redirect_uri'  =>  'http://foo/redirect',
-            'response_type' =>  'code',
-            'scope' =>  'foo'
-        ));
-    }
-
-    public function test_checkAuthoriseParams_passedInput()
-    {
-        $a = $this->returnDefault();
-        $a->addGrantType(new OAuth2\Grant\AuthCode());
-
-        $this->client->shouldReceive('getClient')->andReturn(array(
-            'client_id' =>  1234,
-            'client_secret' =>  5678,
-            'redirect_uri'  =>  'http://foo/redirect',
-            'name'  =>  'Example Client'
-        ));
-
-        $this->scope->shouldReceive('getScope')->andReturn(array(
-            'id'    =>  1,
-            'scope' =>  'foo',
-            'name'  =>  'Foo Name',
-            'description'   =>  'Foo Name Description'
-        ));
-
-        $v = $a->checkAuthoriseParams(array(
-            'client_id' =>  1234,
-            'redirect_uri'  =>  'http://foo/redirect',
-            'response_type' =>  'code',
-            'scope' =>  'foo'
-        ));
-
-        $this->assertEquals(array(
-            'client_id' =>  1234,
-            'redirect_uri'  =>  'http://foo/redirect',
-            'client_details' => array(
-                'client_id' => 1234,
-                'client_secret' => 5678,
-                'redirect_uri' => 'http://foo/redirect',
-                'name' => 'Example Client'
-            ),
-            'response_type' =>  'code',
-            'scopes'    =>  array(
-                array(
-                    'id'    =>  1,
-                    'scope' =>  'foo',
-                    'name'  =>  'Foo Name',
-                    'description'   =>  'Foo Name Description'
-                )
-            ),
-            'scope' =>  'foo'
-        ), $v);
-    }
-
-    public function test_checkAuthoriseParams()
-    {
-        $this->client->shouldReceive('getClient')->andReturn(array(
-            'client_id' =>  1234,
-            'client_secret' =>  5678,
-            'redirect_uri'  =>  'http://foo/redirect',
-            'name'  =>  'Example Client'
-        ));
-
-        $this->scope->shouldReceive('getScope')->andReturn(array(
-            'id'    =>  1,
-            'scope' =>  'foo',
-            'name'  =>  'Foo Name',
-            'description'   =>  'Foo Name Description'
-        ));
-
-        $a = $this->returnDefault();
-        $a->addGrantType(new OAuth2\Grant\AuthCode());
-
-        $_GET['client_id'] = 1234;
-        $_GET['redirect_uri'] = 'http://foo/redirect';
-        $_GET['response_type'] = 'code';
-        $_GET['scope'] = 'foo';
-
-        $request = new OAuth2\Util\Request($_GET);
-        $a->setRequest($request);
-
-        $v = $a->checkAuthoriseParams();
-
-        $this->assertEquals(array(
-            'client_id' =>  1234,
-            'redirect_uri'  =>  'http://foo/redirect',
-            'client_details' => array(
-                'client_id' => 1234,
-                'client_secret' => 5678,
-                'redirect_uri' => 'http://foo/redirect',
-                'name' => 'Example Client'
-            ),
-            'response_type' =>  'code',
-            'scopes'    =>  array(
-                array(
-                    'id'    =>  1,
-                    'scope' =>  'foo',
-                    'name'  =>  'Foo Name',
-                    'description'   =>  'Foo Name Description'
-                )
-            ),
-            'scope' =>  'foo'
-        ), $v);
-    }
-
-    function test_newAuthoriseRequest()
-    {
-        $this->session->shouldReceive('deleteSession')->andReturn(null);
-        $this->session->shouldReceive('createSession')->andReturn(1);
-        $this->session->shouldReceive('associateScope')->andReturn(null);
-
-        $a = $this->returnDefault();
-
-        $params = array(
-            'client_id' =>  1234,
-            'redirect_uri'  =>  'http://foo/redirect',
-            'client_details' => array(
-                'client_id' => 1234,
-                'client_secret' => 5678,
-                'redirect_uri' => 'http://foo/redirect',
-                'name' => 'Example Client'
-            ),
-            'response_type' =>  'code',
-            'scopes'    =>  array(
-                array(
-                    'id'    =>  1,
-                    'scope' =>  'foo',
-                    'name'  =>  'Foo Name',
-                    'description'   =>  'Foo Name Description'
-                )
-            )
-        );
-
-        $v = $a->newAuthoriseRequest('user', 123, $params);
-
-        $this->assertEquals(40, strlen($v));
+        $this->assertTrue($a->getStorage('session') instanceof League\OAuth2\Server\Storage\SessionInterface);
     }
 
     public function test_getGrantType()
     {
         $a = $this->returnDefault();
-        $a->addGrantType(new OAuth2\Grant\AuthCode());
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
 
         $reflector = new ReflectionClass($a);
         $method = $reflector->getMethod('getGrantType');
@@ -404,72 +209,82 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase
 
         $result = $method->invoke($a, 'authorization_code');
 
-        $this->assertTrue($result instanceof OAuth2\Grant\GrantTypeInterface);
+        $this->assertTrue($result instanceof League\OAuth2\Server\Grant\GrantTypeInterface);
     }
 
     /**
-     * @expectedException        OAuth2\Exception\ClientException
+     * @expectedException        League\OAuth2\Server\Exception\InvalidGrantTypeException
+     * @expectedExceptionCode    9
+     */
+    public function test_getGrantType_fail()
+    {
+        $a = $this->returnDefault();
+        $a->getGrantType('blah');
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
      * @expectedExceptionCode    0
      */
     public function test_issueAccessToken_missingGrantType()
     {
         $a = $this->returnDefault();
-        $a->addGrantType(new OAuth2\Grant\AuthCode());
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
 
-        $v = $a->issueAccessToken();
+        $a->issueAccessToken();
     }
 
     /**
-     * @expectedException        OAuth2\Exception\ClientException
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
      * @expectedExceptionCode    7
      */
     public function test_issueAccessToken_badGrantType()
     {
         $a = $this->returnDefault();
-        $a->addGrantType(new OAuth2\Grant\AuthCode());
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
 
-        $v = $a->issueAccessToken(array('grant_type' => 'foo'));
+        $a->issueAccessToken(array('grant_type' => 'foo'));
     }
 
     /**
-     * @expectedException        OAuth2\Exception\ClientException
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
      * @expectedExceptionCode    0
      */
     public function test_issueAccessToken_missingClientId()
     {
         $a = $this->returnDefault();
-        $a->addGrantType(new OAuth2\Grant\AuthCode());
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
 
-        $v = $a->issueAccessToken(array(
+        $a->issueAccessToken(array(
             'grant_type'    =>  'authorization_code'
         ));
     }
 
     /**
-     * @expectedException        OAuth2\Exception\ClientException
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
      * @expectedExceptionCode    0
      */
     public function test_issueAccessToken_missingClientSecret()
     {
         $a = $this->returnDefault();
-        $a->addGrantType(new OAuth2\Grant\AuthCode());
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
 
-        $v = $a->issueAccessToken(array(
+        $a->issueAccessToken(array(
             'grant_type'    =>  'authorization_code',
             'client_id' =>  1234
         ));
     }
 
     /**
-     * @expectedException        OAuth2\Exception\ClientException
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
      * @expectedExceptionCode    0
      */
     public function test_issueAccessToken_missingRedirectUri()
     {
         $a = $this->returnDefault();
-        $a->addGrantType(new OAuth2\Grant\AuthCode());
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
 
-        $v = $a->issueAccessToken(array(
+        $a->issueAccessToken(array(
             'grant_type'    =>  'authorization_code',
             'client_id' =>  1234,
             'client_secret' =>  5678
@@ -477,7 +292,7 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase
     }
 
     /**
-     * @expectedException        OAuth2\Exception\ClientException
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
      * @expectedExceptionCode    8
      */
     public function test_issueAccessToken_badClient()
@@ -485,9 +300,9 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase
         $this->client->shouldReceive('getClient')->andReturn(false);
 
         $a = $this->returnDefault();
-        $a->addGrantType(new OAuth2\Grant\AuthCode());
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
 
-        $v = $a->issueAccessToken(array(
+        $a->issueAccessToken(array(
             'grant_type'    =>  'authorization_code',
             'client_id' =>  1234,
             'client_secret' =>  5678,
@@ -496,7 +311,7 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase
     }
 
     /**
-     * @expectedException        OAuth2\Exception\ClientException
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
      * @expectedExceptionCode    0
      */
     public function test_issueAccessToken_missingCode()
@@ -504,9 +319,9 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase
         $this->client->shouldReceive('getClient')->andReturn(array());
 
         $a = $this->returnDefault();
-        $a->addGrantType(new OAuth2\Grant\AuthCode());
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
 
-        $v = $a->issueAccessToken(array(
+        $a->issueAccessToken(array(
             'grant_type'    =>  'authorization_code',
             'client_id' =>  1234,
             'client_secret' =>  5678,
@@ -515,7 +330,7 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase
     }
 
     /**
-     * @expectedException        OAuth2\Exception\ClientException
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
      * @expectedExceptionCode    9
      */
     public function test_issueAccessToken_badCode()
@@ -524,9 +339,9 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase
         $this->session->shouldReceive('validateAuthCode')->andReturn(false);
 
         $a = $this->returnDefault();
-        $a->addGrantType(new OAuth2\Grant\AuthCode());
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
 
-        $v = $a->issueAccessToken(array(
+        $a->issueAccessToken(array(
             'grant_type'    =>  'authorization_code',
             'client_id' =>  1234,
             'client_secret' =>  5678,
@@ -544,11 +359,18 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase
             'name'  =>  'Example Client'
         ));
 
-        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('validateAuthCode')->andReturn(array(
+            'session_id'    =>  1,
+            'authcode_id' =>  1
+        ));
         $this->session->shouldReceive('updateSession')->andReturn(null);
+        $this->session->shouldReceive('removeAuthCode')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+        $this->session->shouldReceive('associateScope')->andReturn(null);
+        $this->session->shouldReceive('getAuthCodeScopes')->andReturn(array('scope_id' => 1));
 
         $a = $this->returnDefault();
-        $a->addGrantType(new OAuth2\Grant\AuthCode());
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
 
         $v = $a->issueAccessToken(array(
             'grant_type'    =>  'authorization_code',
@@ -563,8 +385,7 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase
         $this->assertArrayHasKey('expires', $v);
         $this->assertArrayHasKey('expires_in', $v);
 
-        $this->assertEquals($a::getExpiresIn(), $v['expires_in']);
-        $this->assertEquals(time()+$a::getExpiresIn(), $v['expires']);
+        $this->assertEquals($a->getAccessTokenTTL(), $v['expires_in']);
     }
 
     public function test_issueAccessToken()
@@ -578,9 +399,13 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase
 
         $this->session->shouldReceive('validateAuthCode')->andReturn(1);
         $this->session->shouldReceive('updateSession')->andReturn(null);
+        $this->session->shouldReceive('removeAuthCode')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+        $this->session->shouldReceive('getAuthCodeScopes')->andReturn(array('scope_id' => 1));
+        $this->session->shouldReceive('associateScope')->andReturn(null);
 
         $a = $this->returnDefault();
-        $a->addGrantType(new OAuth2\Grant\AuthCode());
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
 
         $_POST['grant_type'] = 'authorization_code';
         $_POST['client_id'] = 1234;
@@ -588,7 +413,7 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase
         $_POST['redirect_uri'] = 'http://foo/redirect';
         $_POST['code'] = 'foobar';
 
-        $request = new OAuth2\Util\Request(array(), $_POST);
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
         $a->setRequest($request);
 
         $v = $a->issueAccessToken();
@@ -598,8 +423,88 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase
         $this->assertArrayHasKey('expires', $v);
         $this->assertArrayHasKey('expires_in', $v);
 
-        $this->assertEquals($a::getExpiresIn(), $v['expires_in']);
-        $this->assertEquals(time()+$a::getExpiresIn(), $v['expires']);
+        $this->assertEquals($a->getAccessTokenTTL(), $v['expires_in']);
+    }
+
+    public function test_issueAccessToken_customExpiresIn()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('updateSession')->andReturn(null);
+        $this->session->shouldReceive('removeAuthCode')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+        $this->session->shouldReceive('getAuthCodeScopes')->andReturn(array('scope_id' => 1));
+        $this->session->shouldReceive('associateScope')->andReturn(null);
+
+        $a = $this->returnDefault();
+        $grant = new League\OAuth2\Server\Grant\AuthCode();
+        $grant->setAccessTokenTTL(30);
+        $a->addGrantType($grant);
+
+        $_POST['grant_type'] = 'authorization_code';
+        $_POST['client_id'] = 1234;
+        $_POST['client_secret'] = 5678;
+        $_POST['redirect_uri'] = 'http://foo/redirect';
+        $_POST['code'] = 'foobar';
+
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
+        $a->setRequest($request);
+
+        $v = $a->issueAccessToken();
+
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
+
+        $this->assertNotEquals($a->getAccessTokenTTL(), $v['expires_in']);
+        $this->assertNotEquals(time()+$a->getAccessTokenTTL(), $v['expires']);
+        $this->assertEquals(30, $v['expires_in']);
+        $this->assertEquals(time()+30, $v['expires']);
+    }
+
+    public function test_issueAccessToken_HTTP_auth()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('updateSession')->andReturn(null);
+        $this->session->shouldReceive('removeAuthCode')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+        $this->session->shouldReceive('getAuthCodeScopes')->andReturn(array('scope_id' => 1));
+        $this->session->shouldReceive('associateScope')->andReturn(null);
+
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
+
+        $_POST['grant_type'] = 'authorization_code';
+        $_SERVER['PHP_AUTH_USER'] = 1234;
+        $_SERVER['PHP_AUTH_PW'] = 5678;
+        $_POST['redirect_uri'] = 'http://foo/redirect';
+        $_POST['code'] = 'foobar';
+
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST, array(), array(), $_SERVER);
+        $a->setRequest($request);
+
+        $v = $a->issueAccessToken();
+
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
+
+        $this->assertEquals($a->getAccessTokenTTL(), $v['expires_in']);
     }
 
     public function tearDown() {

tests/authorization/ClientCredentialsGrantTest.php

@@ -10,53 +10,53 @@ class Client_Credentials_Grant_Test extends PHPUnit_Framework_TestCase
 
     public function setUp()
     {
-        $this->client = M::mock('OAuth2\Storage\ClientInterface');
-        $this->session = M::mock('OAuth2\Storage\SessionInterface');
-        $this->scope = M::mock('OAuth2\Storage\ScopeInterface');
+        $this->client = M::mock('League\OAuth2\Server\Storage\ClientInterface');
+        $this->session = M::mock('League\OAuth2\Server\Storage\SessionInterface');
+        $this->scope = M::mock('League\OAuth2\Server\Storage\ScopeInterface');
     }
 
     private function returnDefault()
     {
-        return new OAuth2\AuthServer($this->client, $this->session, $this->scope);
+        return new League\OAuth2\Server\Authorization($this->client, $this->session, $this->scope);
     }
 
     /**
-     * @expectedException        OAuth2\Exception\ClientException
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
      * @expectedExceptionCode    0
      */
     public function test_issueAccessToken_clientCredentialsGrant_missingClientId()
     {
         $a = $this->returnDefault();
-        $a->addGrantType(new OAuth2\Grant\ClientCredentials());
+        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials());
 
-        $request = new OAuth2\Util\Request(array(), $_POST);
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
         $a->setRequest($request);
 
-        $v = $a->issueAccessToken(array(
+        $a->issueAccessToken(array(
             'grant_type'    =>  'client_credentials'
         ));
     }
 
     /**
-     * @expectedException        OAuth2\Exception\ClientException
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
      * @expectedExceptionCode    0
      */
     public function test_issueAccessToken_clientCredentialsGrant_missingClientPassword()
     {
         $a = $this->returnDefault();
-        $a->addGrantType(new OAuth2\Grant\ClientCredentials());
+        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials());
 
-        $request = new OAuth2\Util\Request(array(), $_POST);
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
         $a->setRequest($request);
 
-        $v = $a->issueAccessToken(array(
+        $a->issueAccessToken(array(
             'grant_type'    =>  'client_credentials',
             'client_id' =>  1234
         ));
     }
 
     /**
-     * @expectedException        OAuth2\Exception\ClientException
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
      * @expectedExceptionCode    8
      */
     public function test_issueAccessToken_clientCredentialsGrant_badClient()
@@ -64,18 +64,200 @@ class Client_Credentials_Grant_Test extends PHPUnit_Framework_TestCase
         $this->client->shouldReceive('getClient')->andReturn(false);
 
         $a = $this->returnDefault();
-        $a->addGrantType(new OAuth2\Grant\ClientCredentials());
+        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials());
 
-        $request = new OAuth2\Util\Request(array(), $_POST);
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
         $a->setRequest($request);
 
-        $v = $a->issueAccessToken(array(
+        $a->issueAccessToken(array(
             'grant_type'    =>  'client_credentials',
             'client_id' =>  1234,
             'client_secret' =>  5678
         ));
     }
 
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    0
+     */
+    public function test_issueAccessToken_clientCredentialsGrant_missingScopes()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->client->shouldReceive('validateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('createSession')->andReturn(1);
+        $this->session->shouldReceive('deleteSession')->andReturn(null);
+
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials());
+        $a->requireScopeParam(true);
+
+        $a->issueAccessToken(array(
+            'grant_type'    =>  'client_credentials',
+            'client_id' =>  1234,
+            'client_secret' =>  5678
+        ));
+    }
+
+    public function test_issueAccessToken_clientCredentialsGrant_defaultScope()
+    {
+        $this->scope->shouldReceive('getScope')->andReturn(array(
+            'id'    =>  1,
+            'key' =>  'foo',
+            'name'  =>  'Foo Name',
+            'description'   =>  'Foo Name Description'
+        ));
+
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->client->shouldReceive('validateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('createSession')->andReturn(1);
+        $this->session->shouldReceive('deleteSession')->andReturn(null);
+        $this->session->shouldReceive('associateScope')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials());
+        $a->requireScopeParam(false);
+        $a->setDefaultScope('foobar');
+
+        $v = $a->issueAccessToken(array(
+            'grant_type'    =>  'client_credentials',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'scope' =>  ''
+        ));
+
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
+    }
+
+    public function test_issueAccessToken_clientCredentialsGrant_defaultScopeArray()
+    {
+        $this->scope->shouldReceive('getScope')->andReturn(array(
+            'id'    =>  1,
+            'key' =>  'foo',
+            'name'  =>  'Foo Name',
+            'description'   =>  'Foo Name Description'
+        ));
+
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->client->shouldReceive('validateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('createSession')->andReturn(1);
+        $this->session->shouldReceive('deleteSession')->andReturn(null);
+        $this->session->shouldReceive('associateScope')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials());
+        $a->requireScopeParam(false);
+        $a->setDefaultScope(array('foobar', 'barfoo'));
+
+        $v = $a->issueAccessToken(array(
+            'grant_type'    =>  'client_credentials',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'scope' =>  ''
+        ));
+
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    4
+     */
+    public function test_issueAccessToken_clientCredentialsGrant_badScope()
+    {
+        $this->scope->shouldReceive('getScope')->andReturn(false);
+
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->client->shouldReceive('validateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('createSession')->andReturn(1);
+        $this->session->shouldReceive('deleteSession')->andReturn(null);
+        $this->session->shouldReceive('associateScope')->andReturn(null);
+
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials());
+
+        $a->issueAccessToken(array(
+            'grant_type'    =>  'client_credentials',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'scope' =>  'blah'
+        ));
+    }
+
+    public function test_issueAccessToken_clientCredentialsGrant_goodScope()
+    {
+        $this->scope->shouldReceive('getScope')->andReturn(array(
+            'id'    =>  1,
+            'key' =>  'foo',
+            'name'  =>  'Foo Name',
+            'description'   =>  'Foo Name Description'
+        ));
+
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->client->shouldReceive('validateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('createSession')->andReturn(1);
+        $this->session->shouldReceive('deleteSession')->andReturn(null);
+        $this->session->shouldReceive('associateScope')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials());
+
+        $v = $a->issueAccessToken(array(
+            'grant_type'    =>  'client_credentials',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'scope' =>  'blah'
+        ));
+
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
+    }
+
     function test_issueAccessToken_clientCredentialsGrant_passedInput()
     {
         $this->client->shouldReceive('getClient')->andReturn(array(
@@ -90,15 +272,16 @@ class Client_Credentials_Grant_Test extends PHPUnit_Framework_TestCase
         $this->session->shouldReceive('validateAuthCode')->andReturn(1);
         $this->session->shouldReceive('createSession')->andReturn(1);
         $this->session->shouldReceive('deleteSession')->andReturn(null);
-        $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
 
         $a = $this->returnDefault();
-        $a->addGrantType(new OAuth2\Grant\ClientCredentials());
+        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials());
+        $a->requireScopeParam(false);
 
         $v = $a->issueAccessToken(array(
             'grant_type'    =>  'client_credentials',
             'client_id' =>  1234,
-            'client_secret' =>  5678
+            'client_secret' =>  5678,
         ));
 
         $this->assertArrayHasKey('access_token', $v);
@@ -106,8 +289,7 @@ class Client_Credentials_Grant_Test extends PHPUnit_Framework_TestCase
         $this->assertArrayHasKey('expires', $v);
         $this->assertArrayHasKey('expires_in', $v);
 
-        $this->assertEquals($a::getExpiresIn(), $v['expires_in']);
-        $this->assertEquals(time()+$a::getExpiresIn(), $v['expires']);
+        $this->assertEquals($a->getAccessTokenTTL(), $v['expires_in']);
     }
 
     function test_issueAccessToken_clientCredentialsGrant()
@@ -124,16 +306,17 @@ class Client_Credentials_Grant_Test extends PHPUnit_Framework_TestCase
         $this->session->shouldReceive('validateAuthCode')->andReturn(1);
         $this->session->shouldReceive('createSession')->andReturn(1);
         $this->session->shouldReceive('deleteSession')->andReturn(null);
-        $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
 
         $a = $this->returnDefault();
-        $a->addGrantType(new OAuth2\Grant\ClientCredentials());
+        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials());
+        $a->requireScopeParam(false);
 
         $_POST['grant_type'] = 'client_credentials';
         $_POST['client_id'] = 1234;
         $_POST['client_secret'] = 5678;
 
-        $request = new OAuth2\Util\Request(array(), $_POST);
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
         $a->setRequest($request);
 
         $v = $a->issueAccessToken();
@@ -143,8 +326,49 @@ class Client_Credentials_Grant_Test extends PHPUnit_Framework_TestCase
         $this->assertArrayHasKey('expires', $v);
         $this->assertArrayHasKey('expires_in', $v);
 
-        $this->assertEquals($a::getExpiresIn(), $v['expires_in']);
-        $this->assertEquals(time()+$a::getExpiresIn(), $v['expires']);
+        $this->assertEquals($a->getAccessTokenTTL(), $v['expires_in']);
+    }
+
+    function test_issueAccessToken_clientCredentialsGrant_customExpiresIn()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->client->shouldReceive('validateRefreshToken')->andReturn(1);
+
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('createSession')->andReturn(1);
+        $this->session->shouldReceive('deleteSession')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+
+        $a = $this->returnDefault();
+        $grant = new League\OAuth2\Server\Grant\ClientCredentials();
+        $grant->setAccessTokenTTL(30);
+        $a->addGrantType($grant);
+        $a->requireScopeParam(false);
+
+        $_POST['grant_type'] = 'client_credentials';
+        $_POST['client_id'] = 1234;
+        $_POST['client_secret'] = 5678;
+
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
+        $a->setRequest($request);
+
+        $v = $a->issueAccessToken();
+
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
+
+        $this->assertNotEquals($a->getAccessTokenTTL(), $v['expires_in']);
+        $this->assertNotEquals(time()+$a->getAccessTokenTTL(), $v['expires']);
+        $this->assertEquals(30, $v['expires_in']);
+        $this->assertEquals(time()+30, $v['expires']);
     }
 
     function test_issueAccessToken_clientCredentialsGrant_withRefreshToken()
@@ -161,17 +385,17 @@ class Client_Credentials_Grant_Test extends PHPUnit_Framework_TestCase
         $this->session->shouldReceive('validateAuthCode')->andReturn(1);
         $this->session->shouldReceive('createSession')->andReturn(1);
         $this->session->shouldReceive('deleteSession')->andReturn(null);
-        $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
 
         $a = $this->returnDefault();
-        $a->addGrantType(new OAuth2\Grant\ClientCredentials());
-        $a->addGrantType(new OAuth2\Grant\RefreshToken());
+        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials());
+        $a->requireScopeParam(false);
 
         $_POST['grant_type'] = 'client_credentials';
         $_POST['client_id'] = 1234;
         $_POST['client_secret'] = 5678;
 
-        $request = new OAuth2\Util\Request(array(), $_POST);
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
         $a->setRequest($request);
 
         $v = $a->issueAccessToken();
@@ -180,10 +404,8 @@ class Client_Credentials_Grant_Test extends PHPUnit_Framework_TestCase
         $this->assertArrayHasKey('token_type', $v);
         $this->assertArrayHasKey('expires', $v);
         $this->assertArrayHasKey('expires_in', $v);
-        $this->assertArrayHasKey('refresh_token', $v);
 
-        $this->assertEquals($a::getExpiresIn(), $v['expires_in']);
-        $this->assertEquals(time()+$a::getExpiresIn(), $v['expires']);
+        $this->assertEquals($a->getAccessTokenTTL(), $v['expires_in']);
     }
 
 }

tests/authorization/PasswordGrantTest.php

@@ -10,53 +10,53 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase
 
     public function setUp()
     {
-        $this->client = M::mock('OAuth2\Storage\ClientInterface');
-        $this->session = M::mock('OAuth2\Storage\SessionInterface');
-        $this->scope = M::mock('OAuth2\Storage\ScopeInterface');
+        $this->client = M::mock('League\OAuth2\Server\Storage\ClientInterface');
+        $this->session = M::mock('League\OAuth2\Server\Storage\SessionInterface');
+        $this->scope = M::mock('League\OAuth2\Server\Storage\ScopeInterface');
     }
 
     private function returnDefault()
     {
-        return new OAuth2\AuthServer($this->client, $this->session, $this->scope);
+        return new League\OAuth2\Server\Authorization($this->client, $this->session, $this->scope);
     }
 
     /**
-     * @expectedException        OAuth2\Exception\ClientException
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
      * @expectedExceptionCode    0
      */
     public function test_issueAccessToken_passwordGrant_missingClientId()
     {
         $a = $this->returnDefault();
-        $a->addGrantType(new OAuth2\Grant\Password());
+        $a->addGrantType(new League\OAuth2\Server\Grant\Password());
 
-        $request = new OAuth2\Util\Request(array(), $_POST);
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
         $a->setRequest($request);
 
-        $v = $a->issueAccessToken(array(
+        $a->issueAccessToken(array(
             'grant_type'    =>  'password'
         ));
     }
 
     /**
-     * @expectedException        OAuth2\Exception\ClientException
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
      * @expectedExceptionCode    0
      */
     public function test_issueAccessToken_passwordGrant_missingClientPassword()
     {
         $a = $this->returnDefault();
-        $a->addGrantType(new OAuth2\Grant\Password());
+        $a->addGrantType(new League\OAuth2\Server\Grant\Password());
 
-        $request = new OAuth2\Util\Request(array(), $_POST);
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
         $a->setRequest($request);
 
-        $v = $a->issueAccessToken(array(
+        $a->issueAccessToken(array(
             'grant_type'    =>  'password',
             'client_id' =>  1234
         ));
     }
 
     /**
-     * @expectedException        OAuth2\Exception\ClientException
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
      * @expectedExceptionCode    8
      */
     public function test_issueAccessToken_passwordGrant_badClient()
@@ -64,12 +64,12 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase
         $this->client->shouldReceive('getClient')->andReturn(false);
 
         $a = $this->returnDefault();
-        $a->addGrantType(new OAuth2\Grant\Password());
+        $a->addGrantType(new League\OAuth2\Server\Grant\Password());
 
-        $request = new OAuth2\Util\Request(array(), $_POST);
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
         $a->setRequest($request);
 
-        $v = $a->issueAccessToken(array(
+        $a->issueAccessToken(array(
             'grant_type'    =>  'password',
             'client_id' =>  1234,
             'client_secret' =>  5678
@@ -77,7 +77,7 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase
     }
 
     /**
-     * @expectedException        OAuth2\Exception\InvalidGrantTypeException
+     * @expectedException        League\OAuth2\Server\Exception\InvalidGrantTypeException
      */
     function test_issueAccessToken_passwordGrant_invalidCallback()
     {
@@ -98,11 +98,11 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase
         $testCredentials = null;
 
         $a = $this->returnDefault();
-        $pgrant = new OAuth2\Grant\Password();
+        $pgrant = new League\OAuth2\Server\Grant\Password();
         $pgrant->setVerifyCredentialsCallback($testCredentials);
         $a->addGrantType($pgrant);
 
-        $v = $a->issueAccessToken(array(
+        $a->issueAccessToken(array(
             'grant_type'    =>  'password',
             'client_id' =>  1234,
             'client_secret' =>  5678,
@@ -112,7 +112,7 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase
     }
 
     /**
-     * @expectedException        OAuth2\Exception\ClientException
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
      * @expectedExceptionCode    0
      */
     function test_issueAccessToken_passwordGrant_missingUsername()
@@ -131,14 +131,14 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase
         $this->session->shouldReceive('deleteSession')->andReturn(null);
         $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
 
-        $testCredentials = function($u, $p) { return false; };
+        $testCredentials = function() { return false; };
 
         $a = $this->returnDefault();
-        $pgrant = new OAuth2\Grant\Password();
+        $pgrant = new League\OAuth2\Server\Grant\Password();
         $pgrant->setVerifyCredentialsCallback($testCredentials);
         $a->addGrantType($pgrant);
 
-        $v = $a->issueAccessToken(array(
+        $a->issueAccessToken(array(
             'grant_type'    =>  'password',
             'client_id' =>  1234,
             'client_secret' =>  5678
@@ -146,7 +146,7 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase
     }
 
     /**
-     * @expectedException        OAuth2\Exception\ClientException
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
      * @expectedExceptionCode    0
      */
     function test_issueAccessToken_passwordGrant_missingPassword()
@@ -165,14 +165,14 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase
         $this->session->shouldReceive('deleteSession')->andReturn(null);
         $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
 
-        $testCredentials = function($u, $p) { return false; };
+        $testCredentials = function() { return false; };
 
         $a = $this->returnDefault();
-        $pgrant = new OAuth2\Grant\Password();
+        $pgrant = new League\OAuth2\Server\Grant\Password();
         $pgrant->setVerifyCredentialsCallback($testCredentials);
         $a->addGrantType($pgrant);
 
-        $v = $a->issueAccessToken(array(
+        $a->issueAccessToken(array(
             'grant_type'    =>  'password',
             'client_id' =>  1234,
             'client_secret' =>  5678,
@@ -181,7 +181,7 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase
     }
 
     /**
-     * @expectedException        OAuth2\Exception\ClientException
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
      * @expectedExceptionCode    0
      */
     function test_issueAccessToken_passwordGrant_badCredentials()
@@ -200,10 +200,220 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase
         $this->session->shouldReceive('deleteSession')->andReturn(null);
         $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
 
-        $testCredentials = function($u, $p) { return false; };
+        $testCredentials = function() { return false; };
 
         $a = $this->returnDefault();
-        $pgrant = new OAuth2\Grant\Password();
+        $pgrant = new League\OAuth2\Server\Grant\Password();
+        $pgrant->setVerifyCredentialsCallback($testCredentials);
+        $a->addGrantType($pgrant);
+
+        $a->issueAccessToken(array(
+            'grant_type'    =>  'password',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'username'  => 'foo',
+            'password'  => 'bar'
+        ));
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    4
+     */
+    public function test_issueAccessToken_passwordGrant_badScopes()
+    {
+        $this->scope->shouldReceive('getScope')->andReturn(false);
+
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->client->shouldReceive('validateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('createSession')->andReturn(1);
+        $this->session->shouldReceive('deleteSession')->andReturn(null);
+        $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+
+        $testCredentials = function() { return 1; };
+
+        $a = $this->returnDefault();
+        $pgrant = new League\OAuth2\Server\Grant\Password();
+        $pgrant->setVerifyCredentialsCallback($testCredentials);
+        $a->addGrantType($pgrant);
+
+        $a->issueAccessToken(array(
+            'grant_type'    =>  'password',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'username'  =>  'foo',
+            'password'  =>  'bar',
+            'scope' =>  'blah'
+        ));
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    0
+     */
+    public function test_issueAccessToken_passwordGrant_missingScopes()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->client->shouldReceive('validateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('createSession')->andReturn(1);
+        $this->session->shouldReceive('deleteSession')->andReturn(null);
+        $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+
+        $testCredentials = function() { return 1; };
+
+        $a = $this->returnDefault();
+        $pgrant = new League\OAuth2\Server\Grant\Password();
+        $pgrant->setVerifyCredentialsCallback($testCredentials);
+        $a->addGrantType($pgrant);
+        $a->requireScopeParam(true);
+
+        $a->issueAccessToken(array(
+            'grant_type'    =>  'password',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'username'  =>  'foo',
+            'password'  =>  'bar'
+        ));
+    }
+
+    public function test_issueAccessToken_passwordGrant_defaultScope()
+    {
+        $this->scope->shouldReceive('getScope')->andReturn(array(
+            'id'    =>  1,
+            'scope' =>  'foo',
+            'name'  =>  'Foo Name',
+            'description'   =>  'Foo Name Description'
+        ));
+
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->client->shouldReceive('validateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('createSession')->andReturn(1);
+        $this->session->shouldReceive('deleteSession')->andReturn(null);
+        $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+        $this->session->shouldReceive('associateScope')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+
+        $testCredentials = function() { return 1; };
+
+        $a = $this->returnDefault();
+        $pgrant = new League\OAuth2\Server\Grant\Password();
+        $pgrant->setVerifyCredentialsCallback($testCredentials);
+        $a->addGrantType($pgrant);
+        $a->requireScopeParam(false);
+        $a->setDefaultScope('foobar');
+
+        $v = $a->issueAccessToken(array(
+            'grant_type'    =>  'password',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'username'  =>  'foo',
+            'password'  =>  'bar',
+            'scope' =>  ''
+        ));
+
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
+    }
+
+    public function test_issueAccessToken_passwordGrant_defaultScopeArray()
+    {
+        $this->scope->shouldReceive('getScope')->andReturn(array(
+            'id'    =>  1,
+            'scope' =>  'foo',
+            'name'  =>  'Foo Name',
+            'description'   =>  'Foo Name Description'
+        ));
+
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->client->shouldReceive('validateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('createSession')->andReturn(1);
+        $this->session->shouldReceive('deleteSession')->andReturn(null);
+        $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+        $this->session->shouldReceive('associateScope')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+
+        $testCredentials = function() { return 1; };
+
+        $a = $this->returnDefault();
+        $pgrant = new League\OAuth2\Server\Grant\Password();
+        $pgrant->setVerifyCredentialsCallback($testCredentials);
+        $a->addGrantType($pgrant);
+        $a->requireScopeParam(false);
+        $a->setDefaultScope(array('foobar', 'barfoo'));
+
+        $v = $a->issueAccessToken(array(
+            'grant_type'    =>  'password',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'username'  =>  'foo',
+            'password'  =>  'bar',
+            'scope' =>  ''
+        ));
+
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
+    }
+
+    public function test_issueAccessToken_passwordGrant_goodScope()
+    {
+        $this->scope->shouldReceive('getScope')->andReturn(array(
+            'id'    =>  1,
+            'scope' =>  'foo',
+            'name'  =>  'Foo Name',
+            'description'   =>  'Foo Name Description'
+        ));
+
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->client->shouldReceive('validateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('createSession')->andReturn(1);
+        $this->session->shouldReceive('deleteSession')->andReturn(null);
+        $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+        $this->session->shouldReceive('associateScope')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+
+        $testCredentials = function() { return 1; };
+
+        $a = $this->returnDefault();
+        $pgrant = new League\OAuth2\Server\Grant\Password();
         $pgrant->setVerifyCredentialsCallback($testCredentials);
         $a->addGrantType($pgrant);
 
@@ -211,9 +421,15 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase
             'grant_type'    =>  'password',
             'client_id' =>  1234,
             'client_secret' =>  5678,
-            'username'  => 'foo',
-            'password'  => 'bar'
+            'username'  =>  'foo',
+            'password'  =>  'bar',
+            'scope' =>  'blah'
         ));
+
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
     }
 
     function test_issueAccessToken_passwordGrant_passedInput()
@@ -231,13 +447,15 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase
         $this->session->shouldReceive('createSession')->andReturn(1);
         $this->session->shouldReceive('deleteSession')->andReturn(null);
         $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
 
-        $testCredentials = function($u, $p) { return 1; };
+        $testCredentials = function() { return 1; };
 
         $a = $this->returnDefault();
-        $pgrant = new OAuth2\Grant\Password();
+        $pgrant = new League\OAuth2\Server\Grant\Password();
         $pgrant->setVerifyCredentialsCallback($testCredentials);
         $a->addGrantType($pgrant);
+        $a->requireScopeParam(false);
 
         $v = $a->issueAccessToken(array(
             'grant_type'    =>  'password',
@@ -252,8 +470,7 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase
         $this->assertArrayHasKey('expires', $v);
         $this->assertArrayHasKey('expires_in', $v);
 
-        $this->assertEquals($a::getExpiresIn(), $v['expires_in']);
-        $this->assertEquals(time()+$a::getExpiresIn(), $v['expires']);
+        $this->assertEquals($a->getAccessTokenTTL(), $v['expires_in']);
     }
 
     function test_issueAccessToken_passwordGrant()
@@ -271,13 +488,15 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase
         $this->session->shouldReceive('createSession')->andReturn(1);
         $this->session->shouldReceive('deleteSession')->andReturn(null);
         $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
 
-        $testCredentials = function($u, $p) { return 1; };
+        $testCredentials = function() { return 1; };
 
         $a = $this->returnDefault();
-        $pgrant = new OAuth2\Grant\Password();
+        $pgrant = new League\OAuth2\Server\Grant\Password();
         $pgrant->setVerifyCredentialsCallback($testCredentials);
         $a->addGrantType($pgrant);
+        $a->requireScopeParam(false);
 
         $_POST['grant_type'] = 'password';
         $_POST['client_id'] = 1234;
@@ -285,7 +504,7 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase
         $_POST['username'] = 'foo';
         $_POST['password'] = 'bar';
 
-        $request = new OAuth2\Util\Request(array(), $_POST);
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
         $a->setRequest($request);
 
         $v = $a->issueAccessToken();
@@ -295,11 +514,10 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase
         $this->assertArrayHasKey('expires', $v);
         $this->assertArrayHasKey('expires_in', $v);
 
-        $this->assertEquals($a::getExpiresIn(), $v['expires_in']);
-        $this->assertEquals(time()+$a::getExpiresIn(), $v['expires']);
+        $this->assertEquals($a->getAccessTokenTTL(), $v['expires_in']);
     }
 
-    function test_issueAccessToken_passwordGrant_withRefreshToken()
+    function test_issueAccessToken_passwordGrant_customExpiresIn()
     {
         $this->client->shouldReceive('getClient')->andReturn(array(
             'client_id' =>  1234,
@@ -314,14 +532,16 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase
         $this->session->shouldReceive('createSession')->andReturn(1);
         $this->session->shouldReceive('deleteSession')->andReturn(null);
         $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
 
-        $testCredentials = function($u, $p) { return 1; };
+        $testCredentials = function() { return 1; };
 
         $a = $this->returnDefault();
-        $pgrant = new OAuth2\Grant\Password();
+        $pgrant = new League\OAuth2\Server\Grant\Password();
         $pgrant->setVerifyCredentialsCallback($testCredentials);
+        $pgrant->setAccessTokenTTL(30);
         $a->addGrantType($pgrant);
-        $a->addGrantType(new OAuth2\Grant\RefreshToken());
+        $a->requireScopeParam(false);
 
         $_POST['grant_type'] = 'password';
         $_POST['client_id'] = 1234;
@@ -329,7 +549,55 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase
         $_POST['username'] = 'foo';
         $_POST['password'] = 'bar';
 
-        $request = new OAuth2\Util\Request(array(), $_POST);
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
+        $a->setRequest($request);
+
+        $v = $a->issueAccessToken();
+
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
+
+        $this->assertNotEquals($a->getAccessTokenTTL(), $v['expires_in']);
+        $this->assertNotEquals(time()+$a->getAccessTokenTTL(), $v['expires']);
+        $this->assertEquals(30, $v['expires_in']);
+        $this->assertEquals(time()+30, $v['expires']);
+    }
+
+    function test_issueAccessToken_passwordGrant_withRefreshToken()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->client->shouldReceive('validateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('createSession')->andReturn(1);
+        $this->session->shouldReceive('deleteSession')->andReturn(null);
+        $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+        $this->session->shouldReceive('associateRefreshToken')->andReturn(null);
+
+        $testCredentials = function() { return 1; };
+
+        $a = $this->returnDefault();
+        $pgrant = new League\OAuth2\Server\Grant\Password();
+        $pgrant->setVerifyCredentialsCallback($testCredentials);
+        $a->addGrantType($pgrant);
+        $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken());
+        $a->requireScopeParam(false);
+
+        $_POST['grant_type'] = 'password';
+        $_POST['client_id'] = 1234;
+        $_POST['client_secret'] = 5678;
+        $_POST['username'] = 'foo';
+        $_POST['password'] = 'bar';
+
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
         $a->setRequest($request);
 
         $v = $a->issueAccessToken();
@@ -340,8 +608,6 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase
         $this->assertArrayHasKey('expires_in', $v);
         $this->assertArrayHasKey('refresh_token', $v);
 
-        $this->assertEquals($a::getExpiresIn(), $v['expires_in']);
-        $this->assertEquals(time()+$a::getExpiresIn(), $v['expires']);
+        $this->assertEquals($a->getAccessTokenTTL(), $v['expires_in']);
     }
-
 }

tests/authorization/RefreshTokenTest.php

@@ -10,14 +10,22 @@ class Refresh_Token_test extends PHPUnit_Framework_TestCase
 
     public function setUp()
     {
-        $this->client = M::mock('OAuth2\Storage\ClientInterface');
-        $this->session = M::mock('OAuth2\Storage\SessionInterface');
-        $this->scope = M::mock('OAuth2\Storage\ScopeInterface');
+        $this->client = M::mock('League\OAuth2\Server\Storage\ClientInterface');
+        $this->session = M::mock('League\OAuth2\Server\Storage\SessionInterface');
+        $this->scope = M::mock('League\OAuth2\Server\Storage\ScopeInterface');
     }
 
     private function returnDefault()
     {
-        return new OAuth2\AuthServer($this->client, $this->session, $this->scope);
+        return new League\OAuth2\Server\Authorization($this->client, $this->session, $this->scope);
+    }
+
+    public function test_setRefreshTokenTTL()
+    {
+        $a = $this->returnDefault();
+        $rt = new League\OAuth2\Server\Grant\RefreshToken();
+        $rt->setRefreshTokenTTL(30);
+        $this->assertEquals(30, $rt->getRefreshTokenTTL());
     }
 
     public function test_issueAccessToken_with_refresh_token()
@@ -31,10 +39,15 @@ class Refresh_Token_test extends PHPUnit_Framework_TestCase
 
         $this->session->shouldReceive('validateAuthCode')->andReturn(1);
         $this->session->shouldReceive('updateSession')->andReturn(null);
+        $this->session->shouldReceive('removeAuthCode')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+        $this->session->shouldReceive('associateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('associateScope')->andReturn(null);
+        $this->session->shouldReceive('getAuthCodeScopes')->andReturn(array('scope_id' => 1));
 
         $a = $this->returnDefault();
-        $a->addGrantType(new OAuth2\Grant\AuthCode());
-        $a->addGrantType(new OAuth2\Grant\RefreshToken());
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
+        $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken());
 
         $_POST['grant_type'] = 'authorization_code';
         $_POST['client_id'] = 1234;
@@ -42,7 +55,7 @@ class Refresh_Token_test extends PHPUnit_Framework_TestCase
         $_POST['redirect_uri'] = 'http://foo/redirect';
         $_POST['code'] = 'foobar';
 
-        $request = new OAuth2\Util\Request(array(), $_POST);
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
         $a->setRequest($request);
 
         $v = $a->issueAccessToken();
@@ -53,47 +66,46 @@ class Refresh_Token_test extends PHPUnit_Framework_TestCase
         $this->assertArrayHasKey('expires_in', $v);
         $this->assertArrayHasKey('refresh_token', $v);
 
-        $this->assertEquals($a::getExpiresIn(), $v['expires_in']);
-        $this->assertEquals(time()+$a::getExpiresIn(), $v['expires']);
+        $this->assertEquals($a->getAccessTokenTTL(), $v['expires_in']);
     }
 
     /**
-     * @expectedException        OAuth2\Exception\ClientException
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
      * @expectedExceptionCode    0
      */
     public function test_issueAccessToken_refreshTokenGrant_missingClientId()
     {
         $a = $this->returnDefault();
-        $a->addGrantType(new OAuth2\Grant\RefreshToken());
+        $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken());
 
-        $request = new OAuth2\Util\Request(array(), $_POST);
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
         $a->setRequest($request);
 
-        $v = $a->issueAccessToken(array(
+        $a->issueAccessToken(array(
             'grant_type'    =>  'refresh_token'
         ));
     }
 
     /**
-     * @expectedException        OAuth2\Exception\ClientException
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
      * @expectedExceptionCode    0
      */
     public function test_issueAccessToken_refreshTokenGrant_missingClientSecret()
     {
         $a = $this->returnDefault();
-        $a->addGrantType(new OAuth2\Grant\RefreshToken());
+        $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken());
 
-        $request = new OAuth2\Util\Request(array(), $_POST);
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
         $a->setRequest($request);
 
-        $v = $a->issueAccessToken(array(
+        $a->issueAccessToken(array(
             'grant_type'    =>  'refresh_token',
             'client_id' =>  1234
         ));
     }
 
     /**
-     * @expectedException        OAuth2\Exception\ClientException
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
      * @expectedExceptionCode    8
      */
     public function test_issueAccessToken_refreshTokenGrant_badClient()
@@ -101,12 +113,12 @@ class Refresh_Token_test extends PHPUnit_Framework_TestCase
         $this->client->shouldReceive('getClient')->andReturn(false);
 
         $a = $this->returnDefault();
-        $a->addGrantType(new OAuth2\Grant\RefreshToken());
+        $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken());
 
-        $request = new OAuth2\Util\Request(array(), $_POST);
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
         $a->setRequest($request);
 
-        $v = $a->issueAccessToken(array(
+        $a->issueAccessToken(array(
             'grant_type'    =>  'refresh_token',
             'client_id' =>  1234,
             'client_secret' =>  5678
@@ -114,7 +126,7 @@ class Refresh_Token_test extends PHPUnit_Framework_TestCase
     }
 
     /**
-     * @expectedException        OAuth2\Exception\ClientException
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
      * @expectedExceptionCode    0
      */
     public function test_issueAccessToken_refreshTokenGrant_missingRefreshToken()
@@ -122,35 +134,34 @@ class Refresh_Token_test extends PHPUnit_Framework_TestCase
         $this->client->shouldReceive('getClient')->andReturn(array());
 
         $a = $this->returnDefault();
-        $a->addGrantType(new OAuth2\Grant\RefreshToken());
+        $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken());
 
-        $request = new OAuth2\Util\Request(array(), $_POST);
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
         $a->setRequest($request);
 
-        $v = $a->issueAccessToken(array(
+        $a->issueAccessToken(array(
             'grant_type'    =>  'refresh_token',
             'client_id' =>  1234,
-            'client_secret' =>  5678,
-            //'refresh_token' =>
+            'client_secret' =>  5678
         ));
     }
 
     /**
-     * @expectedException        OAuth2\Exception\ClientException
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
      * @expectedExceptionCode    0
      */
     public function test_issueAccessToken_refreshTokenGrant_badRefreshToken()
     {
         $this->client->shouldReceive('getClient')->andReturn(array());
-        $this->client->shouldReceive('validateRefreshToken')->andReturn(false);
+        $this->session->shouldReceive('validateRefreshToken')->andReturn(false);
 
         $a = $this->returnDefault();
-        $a->addGrantType(new OAuth2\Grant\RefreshToken());
+        $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken());
 
-        $request = new OAuth2\Util\Request(array(), $_POST);
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
         $a->setRequest($request);
 
-        $v = $a->issueAccessToken(array(
+        $a->issueAccessToken(array(
             'grant_type'    =>  'refresh_token',
             'client_id' =>  1234,
             'client_secret' =>  5678,
@@ -167,21 +178,25 @@ class Refresh_Token_test extends PHPUnit_Framework_TestCase
             'name'  =>  'Example Client'
         ));
 
-        $this->client->shouldReceive('validateRefreshToken')->andReturn(1);
-
+        $this->session->shouldReceive('validateRefreshToken')->andReturn(1);
         $this->session->shouldReceive('validateAuthCode')->andReturn(1);
         $this->session->shouldReceive('updateSession')->andReturn(null);
         $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+        $this->session->shouldReceive('associateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('removeRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('getAccessToken')->andReturn(null);
+        $this->session->shouldReceive('getScopes')->andReturn(array());
 
         $a = $this->returnDefault();
-        $a->addGrantType(new OAuth2\Grant\RefreshToken());
+        $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken());
 
         $_POST['grant_type'] = 'refresh_token';
         $_POST['client_id'] = 1234;
         $_POST['client_secret'] = 5678;
         $_POST['refresh_token'] = 'abcdef';
 
-        $request = new OAuth2\Util\Request(array(), $_POST);
+        $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
         $a->setRequest($request);
 
         $v = $a->issueAccessToken();
@@ -190,10 +205,8 @@ class Refresh_Token_test extends PHPUnit_Framework_TestCase
         $this->assertArrayHasKey('token_type', $v);
         $this->assertArrayHasKey('expires', $v);
         $this->assertArrayHasKey('expires_in', $v);
-        $this->assertArrayHasKey('refresh_token', $v);
 
-        $this->assertEquals($a::getExpiresIn(), $v['expires_in']);
-        $this->assertEquals(time()+$a::getExpiresIn(), $v['expires']);
+        $this->assertEquals($a->getAccessTokenTTL(), $v['expires_in']);
     }
 
     public function test_issueAccessToken_refreshTokenGrant()
@@ -205,14 +218,60 @@ class Refresh_Token_test extends PHPUnit_Framework_TestCase
             'name'  =>  'Example Client'
         ));
 
-        $this->client->shouldReceive('validateRefreshToken')->andReturn(1);
-
+        $this->session->shouldReceive('validateRefreshToken')->andReturn(1);
         $this->session->shouldReceive('validateAuthCode')->andReturn(1);
         $this->session->shouldReceive('updateSession')->andReturn(null);
         $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+        $this->session->shouldReceive('getAccessToken')->andReturn(null);
+        $this->session->shouldReceive('getScopes')->andReturn(array('id'    =>  1));
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+        $this->session->shouldReceive('associateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('removeRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('associateScope')->andReturn(null);
 
         $a = $this->returnDefault();
-        $a->addGrantType(new OAuth2\Grant\RefreshToken());
+        $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken());
+
+        $v = $a->issueAccessToken(array(
+            'grant_type'    =>  'refresh_token',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'refresh_token'  =>  'abcdef',
+        ));
+
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
+
+        $this->assertEquals($a->getAccessTokenTTL(), $v['expires_in']);
+    }
+
+    public function test_issueAccessToken_refreshTokenGrant_rotateTokens()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->session->shouldReceive('validateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('updateSession')->andReturn(null);
+        $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+        $this->session->shouldReceive('getAccessToken')->andReturn(null);
+        $this->session->shouldReceive('getScopes')->andReturn(array('id'    =>  1));
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+        $this->session->shouldReceive('associateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('removeRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('associateScope')->andReturn(null);
+
+        $a = $this->returnDefault();
+
+        $rt = new League\OAuth2\Server\Grant\RefreshToken();
+        $rt->rotateRefreshTokens(true);
+        $a->addGrantType($rt);
 
         $v = $a->issueAccessToken(array(
             'grant_type'    =>  'refresh_token',
@@ -227,7 +286,136 @@ class Refresh_Token_test extends PHPUnit_Framework_TestCase
         $this->assertArrayHasKey('expires_in', $v);
         $this->assertArrayHasKey('refresh_token', $v);
 
-        $this->assertEquals($a::getExpiresIn(), $v['expires_in']);
-        $this->assertEquals(time()+$a::getExpiresIn(), $v['expires']);
+        $this->assertEquals($a->getAccessTokenTTL(), $v['expires_in']);
+    }
+
+    public function test_issueAccessToken_refreshTokenGrant_customExpiresIn()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->session->shouldReceive('validateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('updateSession')->andReturn(null);
+        $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+        $this->session->shouldReceive('getAccessToken')->andReturn(null);
+        $this->session->shouldReceive('getScopes')->andReturn(array('id'    =>  1));
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+        $this->session->shouldReceive('associateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('removeRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('associateScope')->andReturn(null);
+
+        $a = $this->returnDefault();
+        $grant = new League\OAuth2\Server\Grant\RefreshToken();
+        $grant->setAccessTokenTTL(30);
+        $a->addGrantType($grant);
+
+        $v = $a->issueAccessToken(array(
+            'grant_type'    =>  'refresh_token',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'refresh_token'  =>  'abcdef',
+        ));
+
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
+
+        $this->assertNotEquals($a->getAccessTokenTTL(), $v['expires_in']);
+        $this->assertNotEquals(time()+$a->getAccessTokenTTL(), $v['expires']);
+        $this->assertEquals(30, $v['expires_in']);
+        $this->assertEquals(time()+30, $v['expires']);
+    }
+
+    public function test_issueAccessToken_refreshTokenGrant_newScopes()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->session->shouldReceive('validateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('updateSession')->andReturn(null);
+        $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+        $this->session->shouldReceive('getAccessToken')->andReturn(null);
+        $this->session->shouldReceive('getScopes')->andReturn(array(array('id' => 1, 'scope' => 'foo'), array('id' => 2, 'scope' => 'bar')));
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+        $this->session->shouldReceive('associateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('removeRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('associateScope')->andReturn(null);
+        $this->scope->shouldReceive('getScope')->andReturn(array('id' => 1, 'scope' => 'foo'));
+
+        $a = $this->returnDefault();
+        $grant = new League\OAuth2\Server\Grant\RefreshToken();
+        $grant->setAccessTokenTTL(30);
+        $grant->rotateRefreshTokens(true);
+        $a->addGrantType($grant);
+
+        $v = $a->issueAccessToken(array(
+            'grant_type'    =>  'refresh_token',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'refresh_token'  =>  'abcdef',
+            'scope' =>  'foo'
+        ));
+
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
+        $this->assertArrayHasKey('refresh_token', $v);
+
+        $this->assertNotEquals($a->getAccessTokenTTL(), $v['expires_in']);
+        $this->assertNotEquals(time()+$a->getAccessTokenTTL(), $v['expires']);
+        $this->assertEquals(30, $v['expires_in']);
+        $this->assertEquals(time()+30, $v['expires']);
+    }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    0
+     */
+    public function test_issueAccessToken_refreshTokenGrant_badNewScopes()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->session->shouldReceive('validateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('updateSession')->andReturn(null);
+        $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+        $this->session->shouldReceive('getAccessToken')->andReturn(null);
+        $this->session->shouldReceive('getScopes')->andReturn(array(array('id' => 1, 'scope' => 'foo'), array('id' => 2, 'scope' => 'bar')));
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+        $this->session->shouldReceive('associateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('removeRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('associateScope')->andReturn(null);
+        $this->scope->shouldReceive('getScope')->andReturn(array('id' => 1, 'scope' => 'foo'));
+
+        $a = $this->returnDefault();
+        $grant = new League\OAuth2\Server\Grant\RefreshToken();
+        $grant->setAccessTokenTTL(30);
+        $grant->rotateRefreshTokens(true);
+        $a->addGrantType($grant);
+
+        $a->issueAccessToken(array(
+            'grant_type'    =>  'refresh_token',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'refresh_token'  =>  'abcdef',
+            'scope' =>  'foobar'
+        ));
     }
 }

tests/resource/ResourceServerTest.php

@@ -4,22 +4,48 @@ use \Mockery as m;
 
 class Resource_Server_test extends PHPUnit_Framework_TestCase
 {
-	private $session;
+    private $session;
 
-	public function setUp()
-	{
-        $this->session = M::mock('OAuth2\Storage\SessionInterface');
-	}
+    public function setUp()
+    {
+        $this->session = M::mock('League\OAuth2\Server\Storage\SessionInterface');
+    }
 
-	private function returnDefault()
-	{
-		return new OAuth2\ResourceServer($this->session);
-	}
+    private function returnDefault()
+    {
+        return new League\OAuth2\Server\Resource($this->session);
+    }
 
-	public function test_setRequest()
+    public function test_getExceptionMessage()
+    {
+        $m = League\OAuth2\Server\Resource::getExceptionMessage('invalid_request');
+
+        $reflector = new ReflectionClass($this->returnDefault());
+        $exceptionMessages = $reflector->getProperty('exceptionMessages');
+        $exceptionMessages->setAccessible(true);
+        $v = $exceptionMessages->getValue();
+
+        $this->assertEquals($v['invalid_request'], $m);
+    }
+
+    public function test_getExceptionCode()
+    {
+        $this->assertEquals('invalid_request', League\OAuth2\Server\Resource::getExceptionType(0));
+        $this->assertEquals('invalid_token', League\OAuth2\Server\Resource::getExceptionType(1));
+        $this->assertEquals('insufficient_scope', League\OAuth2\Server\Resource::getExceptionType(2));
+    }
+
+    public function test_getExceptionHttpHeaders()
+    {
+        $this->assertEquals(array('HTTP/1.1 400 Bad Request'), League\OAuth2\Server\Resource::getExceptionHttpHeaders('invalid_request'));
+        $this->assertEquals(array('HTTP/1.1 401 Unauthorized'), League\OAuth2\Server\Resource::getExceptionHttpHeaders('invalid_token'));
+        $this->assertContains('HTTP/1.1 403 Forbidden', League\OAuth2\Server\Resource::getExceptionHttpHeaders('insufficient_scope'));
+    }
+
+    public function test_setRequest()
     {
         $s = $this->returnDefault();
-        $request = new OAuth2\Util\Request();
+        $request = new League\OAuth2\Server\Util\Request();
         $s->setRequest($request);
 
         $reflector = new ReflectionClass($s);
@@ -27,17 +53,17 @@ class Resource_Server_test extends PHPUnit_Framework_TestCase
         $requestProperty->setAccessible(true);
         $v = $requestProperty->getValue($s);
 
-        $this->assertTrue($v instanceof OAuth2\Util\RequestInterface);
+        $this->assertTrue($v instanceof League\OAuth2\Server\Util\RequestInterface);
     }
 
     public function test_getRequest()
     {
         $s = $this->returnDefault();
-        $request = new OAuth2\Util\Request();
+        $request = new League\OAuth2\Server\Util\Request();
         $s->setRequest($request);
         $v = $s->getRequest();
 
-        $this->assertTrue($v instanceof OAuth2\Util\RequestInterface);
+        $this->assertTrue($v instanceof League\OAuth2\Server\Util\RequestInterface);
     }
 
     public function test_getTokenKey()
@@ -49,7 +75,7 @@ class Resource_Server_test extends PHPUnit_Framework_TestCase
     public function test_setTokenKey()
     {
         $s = $this->returnDefault();
-       	$s->setTokenKey('oauth_token');
+           $s->setTokenKey('oauth_token');
 
         $reflector = new ReflectionClass($s);
         $requestProperty = $reflector->getProperty('tokenKey');
@@ -59,79 +85,159 @@ class Resource_Server_test extends PHPUnit_Framework_TestCase
         $this->assertEquals('oauth_token', $v);
     }
 
+    public function test_getScopes()
+    {
+        $s = $this->returnDefault();
+        $this->assertEquals(array(), $s->getScopes());
+    }
+
     /**
-     * @expectedException OAuth2\Exception\InvalidAccessTokenException
+     * @expectedException League\OAuth2\Server\Exception\MissingAccessTokenException
      */
     public function test_determineAccessToken_missingToken()
     {
-    	$_SERVER['HTTP_AUTHORIZATION'] = 'Bearer';
-   		$request = new OAuth2\Util\Request(array(), array(), array(), array(), $_SERVER);
+        $_SERVER['HTTP_AUTHORIZATION'] = 'Bearer';
+           $request = new League\OAuth2\Server\Util\Request(array(), array(), array(), array(), $_SERVER);
 
-    	$s = $this->returnDefault();
-    	$s->setRequest($request);
+        $s = $this->returnDefault();
+        $s->setRequest($request);
 
-    	$reflector = new ReflectionClass($s);
-	    $method = $reflector->getMethod('determineAccessToken');
-	    $method->setAccessible(true);
+        $reflector = new ReflectionClass($s);
+        $method = $reflector->getMethod('determineAccessToken');
+        $method->setAccessible(true);
 
-	    $result = $method->invoke($s);
+        $method->invoke($s);
+    }
+
+    /**
+     * @expectedException League\OAuth2\Server\Exception\MissingAccessTokenException
+     */
+    public function test_determineAccessToken_brokenCurlRequest()
+    {
+        $_SERVER['HTTP_AUTHORIZATION'] = 'Bearer, Bearer abcdef';
+        $request = new League\OAuth2\Server\Util\Request(array(), array(), array(), array(), $_SERVER);
+
+        $s = $this->returnDefault();
+        $s->setRequest($request);
+
+        $reflector = new ReflectionClass($s);
+        $method = $reflector->getMethod('determineAccessToken');
+        $method->setAccessible(true);
+
+        $method->invoke($s);
     }
 
     public function test_determineAccessToken_fromHeader()
     {
-        $request = new OAuth2\Util\Request();
+        $request = new League\OAuth2\Server\Util\Request();
 
         $requestReflector = new ReflectionClass($request);
         $param = $requestReflector->getProperty('headers');
         $param->setAccessible(true);
         $param->setValue($request, array(
-            'Authorization' =>  'Bearer YWJjZGVm'
+            'Authorization' =>  'Bearer abcdef'
         ));
         $s = $this->returnDefault();
         $s->setRequest($request);
 
-    	$reflector = new ReflectionClass($s);
+        $reflector = new ReflectionClass($s);
 
-	    $method = $reflector->getMethod('determineAccessToken');
-	    $method->setAccessible(true);
+        $method = $reflector->getMethod('determineAccessToken');
+        $method->setAccessible(true);
 
-	    $result = $method->invoke($s);
+        $result = $method->invoke($s);
 
-	    $this->assertEquals('abcdef', $result);
+        $this->assertEquals('abcdef', $result);
     }
 
-    public function test_determineAccessToken_fromMethod()
+    public function test_determineAccessToken_fromBrokenCurlHeader()
     {
-    	$s = $this->returnDefault();
+        $request = new League\OAuth2\Server\Util\Request();
 
-    	$_GET[$s->getTokenKey()] = 'abcdef';
-    	$_SERVER['REQUEST_METHOD'] = 'get';
-
-   		$request = new OAuth2\Util\Request($_GET, array(), array(), array(), $_SERVER);
-    	$s->setRequest($request);
-
-    	$reflector = new ReflectionClass($s);
-	    $method = $reflector->getMethod('determineAccessToken');
-	    $method->setAccessible(true);
-
-	    $result = $method->invoke($s);
-
-	    $this->assertEquals('abcdef', $result);
-    }
-
-    /**
-     * @expectedException OAuth2\Exception\InvalidAccessTokenException
-     */
-    public function test_isValid_notValid()
-    {
-    	$this->session->shouldReceive('validateAccessToken')->andReturn(false);
-
-    	$request = new OAuth2\Util\Request();
         $requestReflector = new ReflectionClass($request);
         $param = $requestReflector->getProperty('headers');
         $param->setAccessible(true);
         $param->setValue($request, array(
-            'Authorization' =>  'Bearer YWJjZGVm'
+            'Authorization' =>  'Bearer abcdef, Bearer abcdef'
+        ));
+        $s = $this->returnDefault();
+        $s->setRequest($request);
+
+        $reflector = new ReflectionClass($s);
+
+        $method = $reflector->getMethod('determineAccessToken');
+        $method->setAccessible(true);
+
+        $result = $method->invoke($s);
+
+        $this->assertEquals('abcdef', $result);
+    }
+
+    public function test_determineAccessToken_fromMethod()
+    {
+        $s = $this->returnDefault();
+
+        $_GET[$s->getTokenKey()] = 'abcdef';
+        $_SERVER['REQUEST_METHOD'] = 'get';
+
+           $request = new League\OAuth2\Server\Util\Request($_GET, array(), array(), array(), $_SERVER);
+        $s->setRequest($request);
+
+        $reflector = new ReflectionClass($s);
+        $method = $reflector->getMethod('determineAccessToken');
+        $method->setAccessible(true);
+
+        $result = $method->invoke($s);
+
+        $this->assertEquals('abcdef', $result);
+    }
+
+    public function test_hasScope_isRequired()
+    {
+        $s = $this->returnDefault();
+
+        $reflector = new ReflectionClass($s);
+        $param = $reflector->getProperty('sessionScopes');
+        $param->setAccessible(true);
+        $param->setValue($s, array(
+            'a', 'b', 'c'
+        ));
+
+        $result = $s->hasScope(array('a', 'b'), true);
+
+        $this->assertEquals(true, $result);
+    }
+
+    /**
+     * @expectedException League\OAuth2\Server\Exception\InsufficientScopeException
+     */
+    public function test_hasScope_isRequiredFailure()
+    {
+        $s = $this->returnDefault();
+
+        $reflector = new ReflectionClass($s);
+        $param = $reflector->getProperty('sessionScopes');
+        $param->setAccessible(true);
+        $param->setValue($s, array(
+            'a', 'b', 'c'
+        ));
+
+        $s->hasScope('d', true);
+    }
+
+    /**
+     * @expectedException League\OAuth2\Server\Exception\InvalidAccessTokenException
+     */
+    public function test_isValid_notValid()
+    {
+        $this->session->shouldReceive('validateAccessToken')->andReturn(false);
+
+        $request = new League\OAuth2\Server\Util\Request();
+        $requestReflector = new ReflectionClass($request);
+        $param = $requestReflector->getProperty('headers');
+        $param->setAccessible(true);
+        $param->setValue($request, array(
+            'Authorization' =>  'Bearer abcdef'
         ));
         $s = $this->returnDefault();
         $s->setRequest($request);
@@ -141,32 +247,38 @@ class Resource_Server_test extends PHPUnit_Framework_TestCase
 
     public function test_isValid_valid()
     {
-    	$this->session->shouldReceive('validateAccessToken')->andReturn(array(
-    		'id'	=>	1,
-    		'owner_type'	=>	'user',
-    		'owner_id'	=>	123
-    	));
-    	$this->session->shouldReceive('getScopes')->andReturn(array('foo', 'bar'));
+        $this->session->shouldReceive('validateAccessToken')->andReturn(array(
+            'session_id'  =>    1,
+            'owner_type'  =>    'user',
+            'owner_id'    =>    123,
+            'client_id' =>  'testapp'
+        ));
 
-   		$request = new OAuth2\Util\Request();
+        $this->session->shouldReceive('getScopes')->andReturn(array(
+            array('scope' =>  'foo'),
+            array('scope' =>  'bar')
+        ));
+
+           $request = new League\OAuth2\Server\Util\Request();
         $requestReflector = new ReflectionClass($request);
         $param = $requestReflector->getProperty('headers');
         $param->setAccessible(true);
         $param->setValue($request, array(
-            'Authorization' =>  'Bearer YWJjZGVm'
+            'Authorization' =>  'Bearer abcdef'
         ));
+
         $s = $this->returnDefault();
         $s->setRequest($request);
 
-    	$this->assertTrue($s->isValid());
-    	$this->assertEquals(123, $s->getOwnerId());
-    	$this->assertEquals('user', $s->getOwnerType());
-    	$this->assertEquals('abcdef', $s->getAccessToken());
+        $this->assertTrue($s->isValid());
+        $this->assertEquals(123, $s->getOwnerId());
+        $this->assertEquals('user', $s->getOwnerType());
+        $this->assertEquals('abcdef', $s->getAccessToken());
+        $this->assertEquals('testapp', $s->getClientId());
     	$this->assertTrue($s->hasScope('foo'));
     	$this->assertTrue($s->hasScope('bar'));
     	$this->assertTrue($s->hasScope(array('foo', 'bar')));
     	$this->assertFalse($s->hasScope(array('foobar')));
     	$this->assertFalse($s->hasScope('foobar'));
-    	$this->assertFalse($s->hasScope(new StdClass));
     }
-}
+}

tests/util/RedirectUriTest.php

@@ -2,14 +2,14 @@
 
 class RedirectUri_test extends PHPUnit_Framework_TestCase
 {
-	function test_make()
-	{
-		$v1 = OAuth2\Util\RedirectUri::make('https://foobar/', array('foo'=>'bar'));
-		$v2 = OAuth2\Util\RedirectUri::make('https://foobar/', array('foo'=>'bar'), '#');
-		$v3 = OAuth2\Util\RedirectUri::make('https://foobar/', array('foo'=>'bar', 'bar' => 'foo'));
+    function test_make()
+    {
+        $v1 = League\OAuth2\Server\Util\RedirectUri::make('https://foobar/', array('foo'=>'bar'));
+        $v2 = League\OAuth2\Server\Util\RedirectUri::make('https://foobar/', array('foo'=>'bar'), '#');
+        $v3 = League\OAuth2\Server\Util\RedirectUri::make('https://foobar/', array('foo'=>'bar', 'bar' => 'foo'));
 
-		$this->assertEquals('https://foobar/?foo=bar', $v1);
-		$this->assertEquals('https://foobar/#foo=bar', $v2);
-		$this->assertEquals('https://foobar/?foo=bar&bar=foo', $v3);
-	}
-}
+        $this->assertEquals('https://foobar/?foo=bar', $v1);
+        $this->assertEquals('https://foobar/#foo=bar', $v2);
+        $this->assertEquals('https://foobar/?foo=bar&bar=foo', $v3);
+    }
+}

tests/util/RequestTest.php

@@ -2,72 +2,86 @@
 
 class Request_test extends PHPUnit_Framework_TestCase
 {
-	private $request;
+    private $request;
 
-	function setUp()
-	{
-		$this->request = new OAuth2\Util\Request(
-			array('foo' => 'bar'),
-			array('foo' => 'bar'),
-			array('foo' => 'bar'),
-			array('foo' => 'bar'),
-			array('HTTP_HOST' => 'foobar.com')
-		);
-	}
+    function setUp()
+    {
+        $this->request = new League\OAuth2\Server\Util\Request(
+            array('foo' => 'bar'),
+            array('foo' => 'bar'),
+            array('foo' => 'bar'),
+            array('foo' => 'bar'),
+            array('HTTP_HOST' => 'foobar.com')
+        );
+    }
 
-	function test_buildFromIndex()
-	{
-		$r = new OAuth2\Util\Request();
-		$r->buildFromGlobals();
+    function test_buildFromIndex()
+    {
+        $r = new League\OAuth2\Server\Util\Request();
+        $r->buildFromGlobals();
 
-		$this->assertTrue($r instanceof OAuth2\Util\Request);
-	}
+        $this->assertTrue($r instanceof League\OAuth2\Server\Util\Request);
+    }
 
-	function test_get()
-	{
-		$this->assertEquals('bar', $this->request->get('foo'));
-		$this->assertEquals(array('foo' => 'bar'), $this->request->get());
-	}
+    function test_get()
+    {
+        $this->assertEquals('bar', $this->request->get('foo'));
+        $this->assertEquals(array('foo' => 'bar'), $this->request->get());
+    }
 
-	function test_post()
-	{
-		$this->assertEquals('bar', $this->request->post('foo'));
-		$this->assertEquals(array('foo' => 'bar'), $this->request->post());
-	}
+    function test_post()
+    {
+        $this->assertEquals('bar', $this->request->post('foo'));
+        $this->assertEquals(array('foo' => 'bar'), $this->request->post());
+    }
 
-	function test_file()
-	{
-		$this->assertEquals('bar', $this->request->file('foo'));
-		$this->assertEquals(array('foo' => 'bar'), $this->request->file());
-	}
+    function test_file()
+    {
+        $this->assertEquals('bar', $this->request->file('foo'));
+        $this->assertEquals(array('foo' => 'bar'), $this->request->file());
+    }
 
-	function test_cookie()
-	{
-		$this->assertEquals('bar', $this->request->cookie('foo'));
-		$this->assertEquals(array('foo' => 'bar'), $this->request->cookie());
-	}
+    function test_cookie()
+    {
+        $this->assertEquals('bar', $this->request->cookie('foo'));
+        $this->assertEquals(array('foo' => 'bar'), $this->request->cookie());
+    }
 
-	function test_server()
-	{
-		$this->assertEquals('foobar.com', $this->request->server('HTTP_HOST'));
-		$this->assertEquals(array('HTTP_HOST' => 'foobar.com'), $this->request->server());
-	}
+    function test_server()
+    {
+        $this->assertEquals('foobar.com', $this->request->server('HTTP_HOST'));
+        $this->assertEquals(array('HTTP_HOST' => 'foobar.com'), $this->request->server());
+    }
 
-	function test_header()
-	{
-		$this->assertEquals('foobar.com', $this->request->header('Host'));
-		$this->assertEquals(array('Host' => 'foobar.com'), $this->request->header());
-	}
+    function test_header()
+    {
+        $this->assertEquals('foobar.com', $this->request->header('Host'));
+        $this->assertEquals(array('Host' => 'foobar.com'), $this->request->header());
+    }
 
-	/**
-	 * @expectedException InvalidArgumentException
-	 */
-	function test_unknownProperty()
-	{
-		$reflector = new ReflectionClass($this->request);
-		$method = $reflector->getMethod('getPropertyValue');
-		$method->setAccessible(true);
+    function test_canonical_header()
+    {
+        $request = new League\OAuth2\Server\Util\Request(
+            array('foo' => 'bar'),
+            array('foo' => 'bar'),
+            array('foo' => 'bar'),
+            array('foo' => 'bar'),
+            array('HTTP_HOST' => 'foobar.com'),
+            array('authorization' => 'Bearer ajdfkljadslfjasdlkj')
+        );
 
-		$result = $method->invoke($this->request, 'blah');
-	}
-}
+        $this->assertEquals('Bearer ajdfkljadslfjasdlkj', $request->header('Authorization'));
+    }
+
+    /**
+     * @expectedException InvalidArgumentException
+     */
+    function test_unknownProperty()
+    {
+        $reflector = new ReflectionClass($this->request);
+        $method = $reflector->getMethod('getPropertyValue');
+        $method->setAccessible(true);
+
+        $method->invoke($this->request, 'blah');
+    }
+}

tests/util/SecureKeyTest.php

@@ -2,14 +2,31 @@
 
 class Secure_Key_test extends PHPUnit_Framework_TestCase
 {
-	function test_make()
-	{
-		$v1 = OAuth2\Util\SecureKey::make();
-		$v2 = OAuth2\Util\SecureKey::make();
-		$v3 = OAuth2\Util\SecureKey::make(50);
+    function test_make()
+    {
+        $v1 = League\OAuth2\Server\Util\SecureKey::make();
+        $v2 = League\OAuth2\Server\Util\SecureKey::make();
+        $v3 = League\OAuth2\Server\Util\SecureKey::make(50);
 
-		$this->assertEquals(40, strlen($v1));
-		$this->assertTrue($v1 !== $v2);
-		$this->assertEquals(50, strlen($v3));
-	}
-}
+        $this->assertEquals(40, strlen($v1));
+        $this->assertTrue($v1 !== $v2);
+        $this->assertEquals(50, strlen($v3));
+    }
+
+    public function test_make_with_different_algorithm()
+    {
+        $algorithm = $this->getMock('League\OAuth2\Server\Util\KeyAlgorithm\KeyAlgorithmInterface');
+
+        $result = 'dasdsdsaads';
+        $algorithm
+            ->expects($this->once())
+            ->method('make')
+            ->with(11)
+            ->will($this->returnValue($result))
+        ;
+
+        League\OAuth2\Server\Util\SecureKey::setAlgorithm($algorithm);
+        $this->assertSame($algorithm, League\OAuth2\Server\Util\SecureKey::getAlgorithm());
+        $this->assertEquals($result, League\OAuth2\Server\Util\SecureKey::make(11));
+    }
+}

tests/util/key_algorithm/DefaultAlgorithmTest.php

@@ -0,0 +1,22 @@
+<?php
+/**
+ * Created by PhpStorm.
+ * User: jderay
+ * Date: 3/11/14
+ * Time: 12:31 PM
+ */
+
+class Default_Algorithm_test extends PHPUnit_Framework_TestCase
+{
+    public function test_make()
+    {
+        $algorithm = new League\OAuth2\Server\Util\KeyAlgorithm\DefaultAlgorithm();
+        $v1 = $algorithm->make();
+        $v2 = $algorithm->make();
+        $v3 = $algorithm->make(50);
+
+        $this->assertEquals(40, strlen($v1));
+        $this->assertTrue($v1 !== $v2);
+        $this->assertEquals(50, strlen($v3));
+    }
+}