Merge branch 'release/3.1.1'

Conflicts:
	src/League/OAuth2/Server/Grant/GrantTrait.php

.gitattributes

@@ -1,4 +1,5 @@
 tests/ export-ignore
 phpunit.xml export-ignore
 build.xml export-ignore
-test export-ignore
+test export-ignore
+.travis.yml export-ignore

.gitignore

@@ -1,6 +1,5 @@
 /vendor
 /composer.lock
-/build/logs
-/build/coverage
+/tests/coverage
 /docs
 /testing

.travis.yml

@@ -1,8 +1,8 @@
 language: php
 
 php:
-  - 5.3
   - 5.4
+  - 5.5
 
-before_script: composer install --dev
-script: phpunit
+before_script: composer install --prefer-source
+script: phpunit --configuration phpunit.xml.dist

CHANGELOG.md

@@ -1,6 +1,72 @@
 # Changelog
 
-## 2.0.0 (released 2013-05-06)
+## 3.1.1 (released 2013-12-05)
+
+* Normalize headers when `getallheaders()` is available (Issues #108 and #114)
+
+## 3.1.0 (released 2013-12-05)
+
+* No longer necessary to inject the authorisation server into a grant, the server will inject itself
+* Added test for 1419ba8cdcf18dd034c8db9f7de86a2594b68605
+
+## 3.0.1 (released 2013-12-02)
+
+* Forgot to tell TravisCI from testing PHP 5.3
+
+## 3.0.0 (released 2013-12-02)
+
+* Fixed spelling of Implicit grant class (Issue #84)
+* Travis CI now tests for PHP 5.5
+* Fixes for checking headers for resource server (Issues #79 and #)
+* The word "bearer" now has a capital "B" in JSON output to match OAuth 2.0 spec
+* All grants no longer remove old sessions by default
+* All grants now support custom access token TTL (Issue #92)
+* All methods which didn't before return a value now return `$this` to support method chaining
+* Removed the build in DB providers - these will be put in their own repos to remove baggage in the main repository
+* Removed support for PHP 5.3 because this library now uses traits and will use other modern PHP features going forward
+* Moved some grant related functions into a trait to reduce duplicate code
+
+## 2.1.1 (released 2013-06-02)
+
+* Added conditional `isValid()` flag to check for Authorization header only (thanks @alexmcroberts)
+* Fixed semantic meaning of `requireScopeParam()` and `requireStateParam()` by changing their default value to true
+* Updated some duff docblocks
+* Corrected array key call in Resource.php (Issue #63)
+
+## 2.1 (released 2013-05-10)
+
+* Moved zetacomponents/database to "suggest" in composer.json. If you rely on this feature you now need to include " zetacomponents/database" into "require" key in your own composer.json. (Issue #51)
+* New method in Refresh grant called `rotateRefreshTokens()`. Pass in `true` to issue a new refresh token each time an access token is refreshed. This parameter needs to be set to true in order to request reduced scopes with the new access token. (Issue #47)
+* Rename `key` column in oauth_scopes table to `scope` as `key` is a reserved SQL word. (Issue #45)
+* The `scope` parameter is no longer required by default as per the RFC. (Issue #43)
+* You can now set multiple default scopes by passing an array into `setDefaultScope()`. (Issue #42)
+* The password and client credentials grants now allow for multiple sessions per user. (Issue #32)
+* Scopes associated to authorization codes are not held in their own table (Issue #44)
+* Database schema updates.
+
+## 2.0.5 (released 2013-05-09)
+
+* Fixed `oauth_session_token_scopes` table primary key
+* Removed `DEFAULT ''` that has slipped into some tables
+* Fixed docblock for `SessionInterface::associateRefreshToken()`
+
+## 2.0.4 (released 2013-05-09)
+
+* Renamed primary key in oauth_client_endpoints table
+* Adding missing column to oauth_session_authcodes
+* SECURITY FIX: A refresh token should be bound to a client ID
+
+## 2.0.3 (released 2013-05-08)
+
+* Fixed a link to code in composer.json
+
+## 2.0.2 (released 2013-05-08)
+
+* Updated README with wiki guides
+* Removed `null` as default parameters in some methods in the storage interfaces
+* Fixed license copyright
+
+## 2.0.0 (released 2013-05-08)
 
 **If you're upgrading from v1.0.8 there are lots of breaking changes**
 

README.md

@@ -1,6 +1,6 @@
-# The League of Extraordinary Packages presents: PHP OAuth 2.0 Server
+# PHP OAuth 2.0 Server
 
-The goal of this project is to develop a standards compliant [OAuth 2.0](http://tools.ietf.org/wg/oauth/draft-ietf-oauth-v2/) authorization server and resource server.
+A standards compliant [OAuth 2.0](http://tools.ietf.org/wg/oauth/draft-ietf-oauth-v2/) authorization server and resource server written in PHP.
 
 ## Package Installation
 
@@ -14,6 +14,17 @@ The framework is provided as a Composer package which can be installed by adding
 }
 ```
 
+#### Master branch
+
+Latest stable version - [![Latest Stable Version](https://poser.pugx.org/league/oauth2-server/v/stable.png)](https://packagist.org/packages/league/oauth2-server)
+Code coverage - [![Coverage Status](https://coveralls.io/repos/php-loep/oauth2-server/badge.png?branch=master)](https://coveralls.io/r/php-loep/oauth2-server?branch=master)
+Downloads - [![Total Downloads](https://poser.pugx.org/league/oauth2-server/downloads.png)](https://packagist.org/packages/league/oauth2-server)
+
+#### Develop branch
+
+Latest unstable version - [![Latest Unstable Version](https://poser.pugx.org/league/oauth2-server/v/unstable.png)](https://packagist.org/packages/league/oauth2-server)
+Code coverage - [![Coverage Status](https://coveralls.io/repos/php-loep/oauth2-server/badge.png?branch=develop)](https://coveralls.io/r/php-loep/oauth2-server?branch=develop)
+
 ---
 
 The library features 100% unit test code coverage. To run the tests yourself run `phpunit` from the project root.
@@ -43,23 +54,40 @@ Custom grants can be created easily by implementing an interface. Check out a gu
 
 If you are using MySQL and want to very quickly implement the library then all of the storage interfaces have been implemented with PDO classes. Check out the guide here [https://github.com/php-loep/oauth2-server/wiki/Using-the-PDO-storage-classes](https://github.com/php-loep/oauth2-server/wiki/Using-the-PDO-storage-classes).
 
-## Tutorials
+## Tutorials and documentation
 
-A tutorial on how to use the authorization server can be found at [http://alexbilbie.com/2013/02/developing-an-oauth2-authorization-server/](http://alexbilbie.com/2013/02/developing-an-oauth2-authorization-server/).
+The wiki has lots of guides on how to use this library, check it out - [https://github.com/php-loep/oauth2-server/wiki](https://github.com/php-loep/oauth2-server/wiki).
 
-A tutorial on how to use the resource server to secure an API server can be found at [http://alexbilbie.com/2013/02/securing-your-api-with-oauth-2/](http://alexbilbie.com/2013/02/securing-your-api-with-oauth-2/).
+A simple tutorial on how to use the authorization server can be found at [https://github.com/php-loep/oauth2-server/wiki/Developing-an-OAuth-2.0-authorization-server](https://github.com/php-loep/oauth2-server/wiki/Developing-an-OAuth-2.0-authorization-server).
 
-## Future Goals
+A simple tutorial on how to use the resource server to secure an API server can be found at [https://github.com/php-loep/oauth2-server/wiki/Securing-your-API-with-OAuth-2.0](https://github.com/php-loep/oauth2-server/wiki/Securing-your-API-with-OAuth-2.0).
 
-### Authorization Server
+## Changelog
 
-* Support for [JSON web tokens](http://tools.ietf.org/wg/oauth/draft-ietf-oauth-json-web-token/).
-* Support for [SAML assertions](http://tools.ietf.org/wg/oauth/draft-ietf-oauth-saml2-bearer/).
+[See the project releases page](https://github.com/php-loep/oauth2-server/releases)
 
----
+## Contributing
 
-The initial code was developed as part of the [Linkey](http://linkey.blogs.lincoln.ac.uk) project which was funded by [JISC](http://jisc.ac.uk) under the Access and Identity Management programme.
+Please see [CONTRIBUTING](https://github.com/php-loep/oauth2-server/blob/master/CONTRIBUTING.md) for details.
 
-This code is principally developed and maintained by [@alexbilbie](https://twitter.com/alexbilbie).
+## Support
 
-A list of contributors can be found at [https://github.com/php-loep/oauth2-server/contributors](https://github.com/php-loep/oauth2-server/contributors).
+Bugs and feature request are tracked on [GitHub](https://github.com/php-loep/oauth2-server/issues)
+
+## License
+
+This package is released under the MIT License. See the bundled [LICENSE](https://github.com/php-loep/oauth2-server/blob/master/LICENSE) file for details.
+
+## Credits
+
+This code is principally developed and maintained by [Alex Bilbie](https://twitter.com/alexbilbie).
+
+Special thanks to:
+
+* [Dan Horrigan](https://github.com/dandoescode)
+* [Nick Jackson](https://github.com/jacksonj04)
+* [Michael Gooden](https://github.com/MichaelGooden)
+* [Phil Sturgeon](https://github.com/philsturgeon)
+* [and all the other contributors](https://github.com/php-loep/oauth2-server/contributors)
+
+The initial code was developed as part of the [Linkey](http://linkey.blogs.lincoln.ac.uk) project which was funded by [JISC](http://jisc.ac.uk) under the Access and Identity Management programme.

build.xml

@@ -1,142 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project name="PHP OAuth 2.0 Server" default="build">
-
-	<target name="build" depends="prepare,lint,phploc,pdepend,phpmd-ci,phpcs-ci,phpcpd,composer,phpunit,phpdox,phpcb"/>
-	
-	<target name="build-parallel" depends="prepare,lint,tools-parallel,phpcb"/>
-	
-	<target name="minimal" depends="prepare,lint,phploc,pdepend,phpcpd,composer,phpunit,phpdox,phpcb" />
-	
-	<target name="tools-parallel" description="Run tools in parallel">
-		<parallel threadCount="2">
-			<sequential>
-				<antcall target="pdepend"/>
-				<antcall target="phpmd-ci"/>
-			</sequential>
-			<antcall target="phpcpd"/>
-			<antcall target="phpcs-ci"/>
-			<antcall target="phploc"/>
-			<antcall target="phpdox"/>
-		</parallel>
-	</target>
-	
-	<target name="clean" description="Cleanup build artifacts">
-		<delete dir="${basedir}/build/api"/>
-		<delete dir="${basedir}/build/code-browser"/>
-		<delete dir="${basedir}/build/coverage"/>
-		<delete dir="${basedir}/build/logs"/>
-		<delete dir="${basedir}/build/pdepend"/>
-	</target>
-	
-	<target name="prepare" depends="clean" description="Prepare for build">
-		<mkdir dir="${basedir}/build/api"/>
-		<mkdir dir="${basedir}/build/code-browser"/>
-		<mkdir dir="${basedir}/build/coverage"/>
-		<mkdir dir="${basedir}/build/logs"/>
-		<mkdir dir="${basedir}/build/pdepend"/>
-		<mkdir dir="${basedir}/build/phpdox"/>
-	</target>
-	
-	<target name="lint">
-		<apply executable="php" failonerror="true">
-			<arg value="-l" />
-			
-			<fileset dir="${basedir}/src">
-				<include name="**/*.php" />
-				<modified />
-			</fileset>
-		</apply>
-	</target>
-	
-	<target name="phploc" description="Measure project size using PHPLOC">
-		<exec executable="phploc">
-			<arg value="--log-csv" />
-			<arg value="${basedir}/build/logs/phploc.csv" />
-			<arg path="${basedir}/src" />
-		</exec>
-	</target>
-	
-	<target name="pdepend" description="Calculate software metrics using PHP_Depend">
-		<exec executable="pdepend">
-			<arg value="--jdepend-xml=${basedir}/build/logs/jdepend.xml" />
-			<arg value="--jdepend-chart=${basedir}/build/pdepend/dependencies.svg" />
-			<arg value="--overview-pyramid=${basedir}/build/pdepend/overview-pyramid.svg" />
-			<arg path="${basedir}/src" />
-		</exec>
-	</target>
-	
-	<target name="phpmd" description="Perform project mess detection using PHPMD and print human readable output. Intended for usage on the command line before committing.">
-		<exec executable="phpmd">
-			<arg path="${basedir}/src" />
-			<arg value="text" />
-			<arg value="${basedir}/build/phpmd.xml" />
-		</exec>
-	</target>
-	
-	<target name="phpmd-ci" description="Perform project mess detection using PHPMD creating a log file for the continuous integration server">
-		<exec executable="phpmd">
-			<arg path="${basedir}/src" />
-			<arg value="xml" />
-			<arg value="${basedir}/build/phpmd.xml" />
-			<arg value="--reportfile" />
-			<arg value="${basedir}/build/logs/pmd.xml" />
-		</exec>
-	</target>
-	
-	<target name="phpcs" description="Find coding standard violations using PHP_CodeSniffer and print human readable output. Intended for usage on the command line before committing.">
-		<exec executable="phpcs">
-			<arg value="--standard=${basedir}/build/phpcs.xml" />
-			<arg value="--extensions=php" />
-			<arg value="--ignore=third_party/CIUnit" />
-			<arg path="${basedir}/src" />
-		</exec>
-	</target>
-	
-	<target name="phpcs-ci" description="Find coding standard violations using PHP_CodeSniffer creating a log file for the continuous integration server">
-		<exec executable="phpcs" output="/dev/null">
-			<arg value="--report=checkstyle" />
-			<arg value="--report-file=${basedir}/build/logs/checkstyle.xml" />
-			<arg value="--standard=${basedir}/build/phpcs.xml" />
-			<arg value="--extensions=php" />
-			<arg value="--ignore=third_party/CIUnit" />
-			<arg path="${basedir}/src" />
-		</exec>
-	</target>
-	
-	<target name="phpcpd" description="Find duplicate code using PHPCPD">
-		<exec executable="phpcpd">
-			<arg value="--log-pmd" />
-			<arg value="${basedir}/build/logs/pmd-cpd.xml" />
-			<arg path="${basedir}/src" />
-		</exec>
-	</target>
-
-	<target name="composer" description="Install Composer requirements">
-		<exec executable="composer.phar" failonerror="true">
-			<arg value="install" />
-			<arg value="--dev" />
-		</exec>
-	</target>
-
-	<target name="phpunit" description="Run unit tests with PHPUnit">
-		<exec executable="${basedir}/vendor/bin/phpunit" failonerror="true">
-			<arg value="--configuration" />
-			<arg value="${basedir}/build/phpunit.xml" />
-		</exec>
-	</target>
-	
-	<target name="phpdox" description="Generate API documentation using phpDox">
-		<exec executable="phpdox"/>
-	</target>
-	
-	<target name="phpcb" description="Aggregate tool output with PHP_CodeBrowser">
-		<exec executable="phpcb">
-			<arg value="--log" />
-			<arg path="${basedir}/build/logs" />
-			<arg value="--source" />
-			<arg path="${basedir}/src" />
-			<arg value="--output" />
-			<arg path="${basedir}/build/code-browser" />
-		</exec>
-	</target>
-</project>

composer.json

@@ -1,15 +1,15 @@
 {
 	"name": "league/oauth2-server",
 	"description": "A lightweight and powerful OAuth 2.0 authorization and resource server library with support for all the core specification grants. This library will allow you to secure your API with OAuth and allow your applications users to approve apps that want to access their data from your API.",
-	"version": "2.0",
-	"homepage": "https://github.com/php-leop/oauth2-server",
+	"version": "3.1.1",
+	"homepage": "https://github.com/php-loep/oauth2-server",
 	"license": "MIT",
 	"require": {
-		"php": ">=5.3.0",
-		"zetacomponents/database": "dev-master"
+		"php": ">=5.4.0"
 	},
 	"require-dev": {
-		"mockery/mockery": ">=0.7.2"
+		"mockery/mockery": ">=0.7.2",
+		"league/phpunit-coverage-listener": "~1.0"
 	},
 	"repositories": [
 		{
@@ -24,7 +24,10 @@
 		"authorization",
 		"authentication",
 		"resource",
-		"api"
+		"api",
+		"auth",
+		"protect",
+		"secure"
 	],
 	"authors": [
 		{
@@ -35,12 +38,15 @@
 		}
 	],
 	"replace": {
-		"lncd/oauth2": "*"
+		"lncd/oauth2": "*",
+		"league/oauth2server": "*"
 	},
 	"autoload": {
 		"psr-0": {
 			"League\\OAuth2\\Server": "src/"
 		}
 	},
-	"suggest": {}
-}
+	"suggest": {
+
+	}
+}

license.txt

@@ -1,20 +1,20 @@
 MIT License
 
-Copyright (C) 2012 University of Lincoln
+Copyright (C) 2013 PHP League of Extraordinary Packages
 
-Permission is hereby granted, free of charge, to any person obtaining a copy of 
-this software and associated documentation files (the "Software"), to deal in 
-the Software without restriction, including without limitation the rights to 
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
 use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
 the Software, and to permit persons to whom the Software is furnished to do so,
 subject to the following conditions:
 
-The above copyright notice and this permission notice shall be included in all 
+The above copyright notice and this permission notice shall be included in all
 copies or substantial portions of the Software.
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR 
-COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

phpunit.xml

@@ -15,17 +15,13 @@
 		<blacklist>
 			<directory suffix=".php">PEAR_INSTALL_DIR</directory>
 			<directory suffix=".php">PHP_LIBDIR</directory>
-			<directory suffix=".php">vendor/composer</directory>
-			<directory suffix=".php">vendor/mockery</directory>
-			<directory suffix=".php">vendor/phpunit</directory>
+			<directory suffix=".php">vendor</directory>
 			<directory suffix=".php">tests</directory>
 			<directory suffix=".php">testing</directory>
 		</blacklist>
 	</filter>
 	<logging>
-		<log type="coverage-html" target="build/coverage" title="lncd/OAuth" charset="UTF-8" yui="true" highlight="true" lowUpperBound="50" highLowerBound="90"/>
-		<log type="coverage-text" target="php://stdout" title="lncd/OAuth" charset="UTF-8" yui="true" highlight="true" lowUpperBound="50" highLowerBound="90"/>
-		<log type="coverage-clover" target="build/logs/clover.xml"/>
-		<log type="junit" target="build/logs/junit.xml" logIncompleteSkipped="false"/>
+		<log type="coverage-text" target="php://stdout" title="lncd/OAuth" charset="UTF-8" yui="true" highlight="true" lowUpperBound="60" highLowerBound="99"/>
+        <log type="coverage-html" target="tests/coverage" title="lncd/OAuth" charset="UTF-8" yui="true" highlight="true" lowUpperBound="60" highLowerBound="99"/>
 	</logging>
-</phpunit>
+</phpunit>

phpunit.xml.dist

@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<phpunit colors="true" convertNoticesToExceptions="true" convertWarningsToExceptions="true" stopOnError="false" stopOnFailure="false" stopOnIncomplete="false" stopOnSkipped="false" bootstrap="tests/Bootstrap.php">
+	<testsuites>
+		<testsuite name="Authorization Server">
+			<directory suffix="Test.php">tests/authorization</directory>
+		</testsuite>
+		<testsuite name="Resource Server">
+			<directory suffix="Test.php">tests/resource</directory>
+		</testsuite>
+		<testsuite name="Utility Methods">
+			<directory suffix="Test.php">tests/util</directory>
+		</testsuite>
+	</testsuites>
+	<filter>
+		<blacklist>
+			<directory suffix=".php">PEAR_INSTALL_DIR</directory>
+			<directory suffix=".php">PHP_LIBDIR</directory>
+			<directory suffix=".php">vendor</directory>
+			<directory suffix=".php">tests</directory>
+			<directory suffix=".php">testing</directory>
+		</blacklist>
+	</filter>
+	<logging>
+        <log type="coverage-clover" target="/tmp/coverage.xml"/>
+        <log type="coverage-text" target="php://stdout" showUncoveredFiles="false"/>
+    </logging>
+    <listeners>
+        <listener class="League\PHPUnitCoverageListener\Listener">
+            <arguments>
+                <array>
+                    <element key="printer">
+                      <object class="League\PHPUnitCoverageListener\Printer\StdOut"/>
+                    </element>
+                    <element key="hook">
+                      <object class="League\PHPUnitCoverageListener\Hook\Travis"/>
+                    </element>
+                    <element key="namespace">
+                        <string>League\OAuth2\Server</string>
+                    </element>
+                    <element key="repo_token">
+                        <string>DtNuuOrBh1QBXVyRqmVldC2Au11DVti9n</string>
+                    </element>
+                    <element key="target_url">
+                        <string>https://coveralls.io/api/v1/jobs</string>
+                    </element>
+                    <element key="coverage_dir">
+                        <string>/tmp</string>
+                    </element>
+                </array>
+            </arguments>
+        </listener>
+    </listeners>
+</phpunit>

sql/mysql.sql

@@ -8,13 +8,13 @@ CREATE TABLE `oauth_clients` (
 ) ENGINE=INNODB DEFAULT CHARSET=utf8;
 
 CREATE TABLE `oauth_client_endpoints` (
-  `endpoint_id` INT(10) UNSIGNED NOT NULL AUTO_INCREMENT,
-  `client_id` CHAR(40) NOT NULL,
-  `redirect_uri` VARCHAR(255) NOT NULL,
-  PRIMARY KEY (`endpoint_id`),
+  `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
+  `client_id` char(40) NOT NULL,
+  `redirect_uri` varchar(255) NOT NULL,
+  PRIMARY KEY (`id`),
   KEY `i_oaclen_clid` (`client_id`),
   CONSTRAINT `f_oaclen_clid` FOREIGN KEY (`client_id`) REFERENCES `oauth_clients` (`id`) ON DELETE CASCADE ON UPDATE CASCADE
-) ENGINE=INNODB DEFAULT CHARSET=utf8;
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 
 CREATE TABLE `oauth_sessions` (
   `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
@@ -29,7 +29,7 @@ CREATE TABLE `oauth_sessions` (
 CREATE TABLE `oauth_session_access_tokens` (
   `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
   `session_id` int(10) unsigned NOT NULL,
-  `access_token` char(40) NOT NULL DEFAULT '',
+  `access_token` char(40) NOT NULL,
   `access_token_expires` int(10) unsigned NOT NULL,
   PRIMARY KEY (`id`),
   UNIQUE KEY `u_oaseacto_acto_seid` (`access_token`,`session_id`),
@@ -38,44 +38,58 @@ CREATE TABLE `oauth_session_access_tokens` (
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 
 CREATE TABLE `oauth_session_authcodes` (
+  `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
   `session_id` int(10) unsigned NOT NULL,
-  `auth_code` char(40) NOT NULL DEFAULT '',
+  `auth_code` char(40) NOT NULL,
   `auth_code_expires` int(10) unsigned NOT NULL,
-  PRIMARY KEY (`session_id`),
-  CONSTRAINT `f_oaseau_seid` FOREIGN KEY (`session_id`) REFERENCES `oauth_sessions` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION
+  PRIMARY KEY (`id`),
+  KEY `session_id` (`session_id`),
+  CONSTRAINT `oauth_session_authcodes_ibfk_1` FOREIGN KEY (`session_id`) REFERENCES `oauth_sessions` (`id`) ON DELETE CASCADE
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 
 CREATE TABLE `oauth_session_redirects` (
   `session_id` int(10) unsigned NOT NULL,
-  `redirect_uri` varchar(255) NOT NULL DEFAULT '',
+  `redirect_uri` varchar(255) NOT NULL,
   PRIMARY KEY (`session_id`),
   CONSTRAINT `f_oasere_seid` FOREIGN KEY (`session_id`) REFERENCES `oauth_sessions` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 
 CREATE TABLE `oauth_session_refresh_tokens` (
   `session_access_token_id` int(10) unsigned NOT NULL,
-  `refresh_token` char(40) NOT NULL DEFAULT '',
+  `refresh_token` char(40) NOT NULL,
   `refresh_token_expires` int(10) unsigned NOT NULL,
+  `client_id` char(40) NOT NULL,
   PRIMARY KEY (`session_access_token_id`),
+  KEY `client_id` (`client_id`),
+  CONSTRAINT `oauth_session_refresh_tokens_ibfk_1` FOREIGN KEY (`client_id`) REFERENCES `oauth_clients` (`id`) ON DELETE CASCADE,
   CONSTRAINT `f_oasetore_setoid` FOREIGN KEY (`session_access_token_id`) REFERENCES `oauth_session_access_tokens` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 
 CREATE TABLE `oauth_scopes` (
-  `id` SMALLINT(5) UNSIGNED NOT NULL AUTO_INCREMENT,
-  `key` VARCHAR(255) NOT NULL,
-  `name` VARCHAR(255) NOT NULL,
-  `description` VARCHAR(255) DEFAULT NULL,
+  `id` smallint(5) unsigned NOT NULL AUTO_INCREMENT,
+  `scope` varchar(255) NOT NULL,
+  `name` varchar(255) NOT NULL,
+  `description` varchar(255) DEFAULT NULL,
   PRIMARY KEY (`id`),
-  UNIQUE KEY `u_oasc_sc` (`key`)
-) ENGINE=INNODB DEFAULT CHARSET=utf8;
+  UNIQUE KEY `u_oasc_sc` (`scope`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 
 CREATE TABLE `oauth_session_token_scopes` (
-  `session_token_scope_id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
+  `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
   `session_access_token_id` int(10) unsigned DEFAULT NULL,
   `scope_id` smallint(5) unsigned NOT NULL,
-  PRIMARY KEY (`session_token_scope_id`),
+  PRIMARY KEY (`id`),
   UNIQUE KEY `u_setosc_setoid_scid` (`session_access_token_id`,`scope_id`),
   KEY `f_oasetosc_scid` (`scope_id`),
   CONSTRAINT `f_oasetosc_scid` FOREIGN KEY (`scope_id`) REFERENCES `oauth_scopes` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION,
   CONSTRAINT `f_oasetosc_setoid` FOREIGN KEY (`session_access_token_id`) REFERENCES `oauth_session_access_tokens` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `oauth_session_authcode_scopes` (
+  `oauth_session_authcode_id` int(10) unsigned NOT NULL,
+  `scope_id` smallint(5) unsigned NOT NULL,
+  KEY `oauth_session_authcode_id` (`oauth_session_authcode_id`),
+  KEY `scope_id` (`scope_id`),
+  CONSTRAINT `oauth_session_authcode_scopes_ibfk_2` FOREIGN KEY (`scope_id`) REFERENCES `oauth_scopes` (`id`) ON DELETE CASCADE,
+  CONSTRAINT `oauth_session_authcode_scopes_ibfk_1` FOREIGN KEY (`oauth_session_authcode_id`) REFERENCES `oauth_session_authcodes` (`id`) ON DELETE CASCADE
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;

src/League/OAuth2/Server/Authorization.php

@@ -59,11 +59,11 @@ class Authorization
      * Require the "scope" parameter to be in checkAuthoriseParams()
      * @var boolean
      */
-    protected $requireScopeParam = true;
+    protected $requireScopeParam = false;
 
     /**
-     * Default scope to be used if none is provided and requireScopeParam is false
-     * @var string
+     * Default scope(s) to be used if none is provided
+     * @var string|array
      */
     protected $defaultScope = null;
 
@@ -244,6 +244,10 @@ class Authorization
         if (is_null($identifier)) {
             $identifier = $grantType->getIdentifier();
         }
+
+        // Inject server into grant
+        $grantType->setAuthorizationServer($this);
+
         $this->grantTypes[$identifier] = $grantType;
 
         if ( ! is_null($grantType->getResponseType())) {
@@ -261,6 +265,11 @@ class Authorization
         return (array_key_exists($identifier, $this->grantTypes));
     }
 
+    /**
+     * Returns response types
+     *
+     * @return array
+     */
     public function getResponseTypes()
     {
         return $this->responseTypes;
@@ -287,11 +296,12 @@ class Authorization
 
     /**
      * Default scope to be used if none is provided and requireScopeParam is false
-     * @var string
+     * @param string|array $default
      */
     public function setDefaultScope($default = null)
     {
         $this->defaultScope = $default;
+        return $this;
     }
 
     /**
@@ -318,9 +328,10 @@ class Authorization
      * @param  boolean $require
      * @return void
      */
-    public function requireStateParam($require = false)
+    public function requireStateParam($require = true)
     {
         $this->requireStateParam = $require;
+        return $this;
     }
 
     /**
@@ -341,6 +352,7 @@ class Authorization
     public function setScopeDelimeter($scopeDelimeter = ' ')
     {
         $this->scopeDelimeter = $scopeDelimeter;
+        return $this;
     }
 
     /**
@@ -359,6 +371,7 @@ class Authorization
     public function setAccessTokenTTL($accessTokenTTL = 3600)
     {
         $this->accessTokenTTL = $accessTokenTTL;
+        return $this;
     }
 
     /**
@@ -369,6 +382,7 @@ class Authorization
     public function setRequest(Util\RequestInterface $request)
     {
         $this->request = $request;
+        return $this;
     }
 
     /**
@@ -381,7 +395,6 @@ class Authorization
         if ($this->request === null) {
             // @codeCoverageIgnoreStart
             $this->request = Request::buildFromGlobals();
-
         }
         // @codeCoverageIgnoreEnd
 

src/League/OAuth2/Server/Grant/AuthCode.php

@@ -24,6 +24,8 @@ use League\OAuth2\Server\Storage\ScopeInterface;
  */
 class AuthCode implements GrantTypeInterface {
 
+    use GrantTrait;
+
     /**
      * Grant identifier
      * @var string
@@ -54,44 +56,6 @@ class AuthCode implements GrantTypeInterface {
      */
     protected $authTokenTTL = 600;
 
-    /**
-     * Constructor
-     * @param Authorization $authServer Authorization server instance
-     * @return void
-     */
-    public function __construct(Authorization $authServer)
-    {
-        $this->authServer = $authServer;
-    }
-
-    /**
-     * Return the identifier
-     * @return string
-     */
-    public function getIdentifier()
-    {
-        return $this->identifier;
-    }
-
-    /**
-     * Return the response type
-     * @return string
-     */
-    public function getResponseType()
-    {
-        return $this->responseType;
-    }
-
-    /**
-     * Override the default access token expire time
-     * @param int $accessTokenTTL
-     * @return void
-     */
-    public function setAccessTokenTTL($accessTokenTTL)
-    {
-        $this->accessTokenTTL = $accessTokenTTL;
-    }
-
     /**
      * Override the default access token expire time
      * @param int $authTokenTTL
@@ -127,7 +91,7 @@ class AuthCode implements GrantTypeInterface {
         }
 
         // Validate client ID and redirect URI
-        $clientDetails = $this->authServer->getStorage('client')->getClient($authParams['client_id'], null, $authParams['redirect_uri']);
+        $clientDetails = $this->authServer->getStorage('client')->getClient($authParams['client_id'], null, $authParams['redirect_uri'], $this->identifier);
 
         if ($clientDetails === false) {
             throw new Exception\ClientException($this->authServer->getExceptionMessage('invalid_client'), 8);
@@ -152,10 +116,14 @@ class AuthCode implements GrantTypeInterface {
             if ($scopes[$i] === '') unset($scopes[$i]); // Remove any junk scopes
         }
 
-        if ($this->authServer->scopeParamRequired() === true && count($scopes) === 0) {
+        if ($this->authServer->scopeParamRequired() === true && $this->authServer->getDefaultScope() === null && count($scopes) === 0) {
             throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'scope'), 0);
-        } elseif (count($scopes) === 0 && $this->authServer->getDefaultScope()) {
-            $scopes = array($this->authServer->getDefaultScope());
+        } elseif (count($scopes) === 0 && $this->authServer->getDefaultScope() !== null) {
+            if (is_array($this->authServer->getDefaultScope())) {
+                $scopes = $this->authServer->getDefaultScope();
+            } else {
+                $scopes = array($this->authServer->getDefaultScope());
+            }
         }
 
         $authParams['scopes'] = array();
@@ -189,13 +157,6 @@ class AuthCode implements GrantTypeInterface {
         // Remove any old sessions the user might have
         $this->authServer->getStorage('session')->deleteSession($authParams['client_id'], $type, $typeId);
 
-        // List of scopes IDs
-        $scopeIds = array();
-        foreach ($authParams['scopes'] as $scope)
-        {
-            $scopeIds[] = $scope['id'];
-        }
-
         // Create a new session
         $sessionId = $this->authServer->getStorage('session')->createSession($authParams['client_id'], $type, $typeId);
 
@@ -203,7 +164,12 @@ class AuthCode implements GrantTypeInterface {
         $this->authServer->getStorage('session')->associateRedirectUri($sessionId, $authParams['redirect_uri']);
 
         // Associate the auth code
-        $this->authServer->getStorage('session')->associateAuthCode($sessionId, $authCode, time() + $this->authTokenTTL, implode(',', $scopeIds));
+        $authCodeId = $this->authServer->getStorage('session')->associateAuthCode($sessionId, $authCode, time() + $this->authTokenTTL);
+
+        // Associate the scopes to the auth code
+        foreach ($authParams['scopes'] as $scope) {
+            $this->authServer->getStorage('session')->associateAuthCodeScope($authCodeId, $scope['id']);
+        }
 
         return $authCode;
     }
@@ -245,36 +211,36 @@ class AuthCode implements GrantTypeInterface {
         }
 
         // Verify the authorization code matches the client_id and the request_uri
-        $session = $this->authServer->getStorage('session')->validateAuthCode($authParams['client_id'], $authParams['redirect_uri'], $authParams['code']);
+        $authCodeDetails = $this->authServer->getStorage('session')->validateAuthCode($authParams['client_id'], $authParams['redirect_uri'], $authParams['code']);
 
-        if ( ! $session) {
+        if ( ! $authCodeDetails) {
             throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_grant'), 'code'), 9);
         }
 
-        // A session ID was returned so update it with an access token and remove the authorisation code
+        // Get any associated scopes
+        $scopes = $this->authServer->getStorage('session')->getAuthCodeScopes($authCodeDetails['authcode_id']);
 
+        // A session ID was returned so update it with an access token and remove the authorisation code
         $accessToken = SecureKey::make();
         $accessTokenExpiresIn = ($this->accessTokenTTL !== null) ? $this->accessTokenTTL : $this->authServer->getAccessTokenTTL();
         $accessTokenExpires = time() + $accessTokenExpiresIn;
 
         // Remove the auth code
-        $this->authServer->getStorage('session')->removeAuthCode($session['id']);
+        $this->authServer->getStorage('session')->removeAuthCode($authCodeDetails['session_id']);
 
         // Create an access token
-        $accessTokenId = $this->authServer->getStorage('session')->associateAccessToken($session['id'], $accessToken, $accessTokenExpires);
+        $accessTokenId = $this->authServer->getStorage('session')->associateAccessToken($authCodeDetails['session_id'], $accessToken, $accessTokenExpires);
 
         // Associate scopes with the access token
-        if ( ! is_null($session['scope_ids'])) {
-            $scopeIds = explode(',', $session['scope_ids']);
-
-            foreach ($scopeIds as $scopeId) {
-                $this->authServer->getStorage('session')->associateScope($accessTokenId, $scopeId);
+        if (count($scopes) > 0) {
+            foreach ($scopes as $scope) {
+                $this->authServer->getStorage('session')->associateScope($accessTokenId, $scope['scope_id']);
             }
         }
 
         $response = array(
             'access_token'  =>  $accessToken,
-            'token_type'    =>  'bearer',
+            'token_type'    =>  'Bearer',
             'expires'       =>  $accessTokenExpires,
             'expires_in'    =>  $accessTokenExpiresIn
         );
@@ -283,11 +249,11 @@ class AuthCode implements GrantTypeInterface {
         if ($this->authServer->hasGrantType('refresh_token')) {
             $refreshToken = SecureKey::make();
             $refreshTokenTTL = time() + $this->authServer->getGrantType('refresh_token')->getRefreshTokenTTL();
-            $this->authServer->getStorage('session')->associateRefreshToken($accessTokenId, $refreshToken, $refreshTokenTTL);
+            $this->authServer->getStorage('session')->associateRefreshToken($accessTokenId, $refreshToken, $refreshTokenTTL, $authParams['client_id']);
             $response['refresh_token'] = $refreshToken;
         }
 
         return $response;
     }
 
-}
+}

src/League/OAuth2/Server/Grant/ClientCredentials.php

@@ -24,6 +24,8 @@ use League\OAuth2\Server\Storage\ScopeInterface;
  */
 class ClientCredentials implements GrantTypeInterface {
 
+    use GrantTrait;
+
     /**
      * Grant identifier
      * @var string
@@ -48,16 +50,6 @@ class ClientCredentials implements GrantTypeInterface {
      */
     protected $accessTokenTTL = null;
 
-    /**
-     * Constructor
-     * @param Authorization $authServer Authorization server instance
-     * @return void
-     */
-    public function __construct(Authorization $authServer)
-    {
-        $this->authServer = $authServer;
-    }
-
     /**
      * Return the identifier
      * @return string
@@ -122,10 +114,14 @@ class ClientCredentials implements GrantTypeInterface {
             if ($scopes[$i] === '') unset($scopes[$i]); // Remove any junk scopes
         }
 
-        if ($this->authServer->scopeParamRequired() === true && count($scopes) === 0) {
+        if ($this->authServer->scopeParamRequired() === true && $this->authServer->getDefaultScope() === null && count($scopes) === 0) {
             throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'scope'), 0);
-        } elseif (count($scopes) === 0 && $this->authServer->getDefaultScope()) {
-            $scopes = array($this->authServer->getDefaultScope());
+        } elseif (count($scopes) === 0 && $this->authServer->getDefaultScope() !== null) {
+            if (is_array($this->authServer->getDefaultScope())) {
+                $scopes = $this->authServer->getDefaultScope();
+            } else {
+                $scopes = array($this->authServer->getDefaultScope());
+            }
         }
 
         $authParams['scopes'] = array();
@@ -145,9 +141,6 @@ class ClientCredentials implements GrantTypeInterface {
         $accessTokenExpiresIn = ($this->accessTokenTTL !== null) ? $this->accessTokenTTL : $this->authServer->getAccessTokenTTL();
         $accessTokenExpires = time() + $accessTokenExpiresIn;
 
-        // Delete any existing sessions just to be sure
-        $this->authServer->getStorage('session')->deleteSession($authParams['client_id'], 'client', $authParams['client_id']);
-
         // Create a new session
         $sessionId = $this->authServer->getStorage('session')->createSession($authParams['client_id'], 'client', $authParams['client_id']);
 
@@ -162,7 +155,7 @@ class ClientCredentials implements GrantTypeInterface {
 
         $response = array(
             'access_token'  =>  $accessToken,
-            'token_type'    =>  'bearer',
+            'token_type'    =>  'Bearer',
             'expires'       =>  $accessTokenExpires,
             'expires_in'    =>  $accessTokenExpiresIn
         );

src/League/OAuth2/Server/Grant/GrantTrait.php

@@ -0,0 +1,85 @@
+<?php
+/**
+ * OAuth 2.0 Client credentials grant
+ *
+ * @package     php-loep/oauth2-server
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) 2013 PHP League of Extraordinary Packages
+ * @license     http://mit-license.org/
+ * @link        http://github.com/php-loep/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Grant;
+
+use League\OAuth2\Server\Authorization;
+
+trait GrantTrait {
+
+    /**
+     * Constructor
+     * @param Authorization $authServer Authorization server instance
+     * @return void
+     */
+    public function __construct(Authorization $authServer = null)
+    {
+        // @codeCoverageIgnoreStart
+        if ($authServer instanceof Authorization) {
+            trigger_error(
+                'Server is now automatically injected into grant as of v3.1 of this library',
+                E_USER_DEPRECATED
+            );
+        } // @codeCoverageIgnoreEnd
+    }
+
+    /**
+     * Return the identifier
+     * @return string
+     */
+    public function getIdentifier()
+    {
+        return $this->identifier;
+    }
+
+    /**
+     * Return the identifier
+     * @param string $identifier
+     * @return self
+     */
+    public function setIdentifier($identifier)
+    {
+        $this->identifier = $identifier;
+        return $this;
+    }
+
+    /**
+     * Return the response type
+     * @return string
+     */
+    public function getResponseType()
+    {
+        return $this->responseType;
+    }
+
+    /**
+     * Override the default access token expire time
+     * @param int $accessTokenTTL
+     * @return self
+     */
+    public function setAccessTokenTTL($accessTokenTTL)
+    {
+        $this->accessTokenTTL = $accessTokenTTL;
+        return $this;
+    }
+
+    /**
+     * Inject the authorization server into the grant
+     * @param Authorization $authServer The authorization server instance
+     * @return  self
+     */
+    public function setAuthorizationServer(Authorization $authServer)
+    {
+        $this->authServer = $authServer;
+        return $this;
+    }
+
+}

src/League/OAuth2/Server/Grant/GrantTypeInterface.php

@@ -23,22 +23,9 @@ interface GrantTypeInterface
 {
     /**
      * Constructor
-     * @param Authorization $authServer Authorization server instance
      * @return void
      */
-    public function __construct(Authorization $authServer);
-
-    /**
-     * Returns the grant identifier (used to validate grant_type in League\OAuth2\Server\Authorization::issueAccessToken())
-     * @return string
-     */
-    public function getIdentifier();
-
-    /**
-     * Returns the response type (used to validate response_type in League\OAuth2\Server\Grant\AuthCode::checkAuthoriseParams())
-     * @return null|string
-     */
-    public function getResponseType();
+    public function __construct(Authorization $authServer = null);
 
     /**
      * Complete the grant flow

src/League/OAuth2/Server/Grant/Implicit.php

@@ -22,7 +22,9 @@ use League\OAuth2\Server\Storage\ScopeInterface;
 /**
  * Client credentials grant class
  */
-class Implict implements GrantTypeInterface {
+class Implicit implements GrantTypeInterface {
+
+    use GrantTrait;
 
     /**
      * Grant identifier
@@ -43,32 +45,10 @@ class Implict implements GrantTypeInterface {
     protected $authServer = null;
 
     /**
-     * Constructor
-     * @param Authorization $authServer Authorization server instance
-     * @return void
+     * Access token expires in override
+     * @var int
      */
-    public function __construct(Authorization $authServer)
-    {
-        $this->authServer = $authServer;
-    }
-
-    /**
-     * Return the identifier
-     * @return string
-     */
-    public function getIdentifier()
-    {
-        return $this->identifier;
-    }
-
-    /**
-     * Return the response type
-     * @return string
-     */
-    public function getResponseType()
-    {
-        return $this->responseType;
-    }
+    protected $accessTokenTTL = null;
 
     /**
      * Complete the client credentials grant
@@ -84,7 +64,8 @@ class Implict implements GrantTypeInterface {
         $accessToken = SecureKey::make();
 
         // Compute expiry time
-        $accessTokenExpires = time() + $this->authServer->getAccessTokenTTL();
+        $accessTokenExpiresIn = ($this->accessTokenTTL !== null) ? $this->accessTokenTTL : $this->authServer->getAccessTokenTTL();
+        $accessTokenExpires = time() + $accessTokenExpiresIn;
 
         // Create a new session
         $sessionId = $this->authServer->getStorage('session')->createSession($authParams['client_id'], 'user', $authParams['user_id']);
@@ -98,10 +79,13 @@ class Implict implements GrantTypeInterface {
         }
 
         $response = array(
-            'access_token'  =>  $accessToken
+            'access_token'  =>  $accessToken,
+            'token_type'    =>  'Bearer',
+            'expires'       =>  $accessTokenExpires,
+            'expires_in'    =>  $accessTokenExpiresIn,
         );
 
         return $response;
     }
 
-}
+}

src/League/OAuth2/Server/Grant/Password.php

@@ -24,6 +24,8 @@ use League\OAuth2\Server\Storage\ScopeInterface;
  */
 class Password implements GrantTypeInterface {
 
+    use GrantTrait;
+
     /**
      * Grant identifier
      * @var string
@@ -54,44 +56,6 @@ class Password implements GrantTypeInterface {
      */
     protected $accessTokenTTL = null;
 
-    /**
-     * Constructor
-     * @param Authorization $authServer Authorization server instance
-     * @return void
-     */
-    public function __construct(Authorization $authServer)
-    {
-        $this->authServer = $authServer;
-    }
-
-    /**
-     * Return the identifier
-     * @return string
-     */
-    public function getIdentifier()
-    {
-        return $this->identifier;
-    }
-
-    /**
-     * Return the response type
-     * @return string
-     */
-    public function getResponseType()
-    {
-        return $this->responseType;
-    }
-
-    /**
-     * Override the default access token expire time
-     * @param int $accessTokenTTL
-     * @return void
-     */
-    public function setAccessTokenTTL($accessTokenTTL)
-    {
-        $this->accessTokenTTL = $accessTokenTTL;
-    }
-
     /**
      * Set the callback to verify a user's username and password
      * @param callable $callback The callback function
@@ -166,10 +130,14 @@ class Password implements GrantTypeInterface {
             if ($scopes[$i] === '') unset($scopes[$i]); // Remove any junk scopes
         }
 
-        if ($this->authServer->scopeParamRequired() === true && count($scopes) === 0) {
+        if ($this->authServer->scopeParamRequired() === true && $this->authServer->getDefaultScope() === null && count($scopes) === 0) {
             throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'scope'), 0);
-        } elseif (count($scopes) === 0 && $this->authServer->getDefaultScope()) {
-            $scopes = array($this->authServer->getDefaultScope());
+        } elseif (count($scopes) === 0 && $this->authServer->getDefaultScope() !== null) {
+            if (is_array($this->authServer->getDefaultScope())) {
+                $scopes = $this->authServer->getDefaultScope();
+            } else {
+                $scopes = array($this->authServer->getDefaultScope());
+            }
         }
 
         $authParams['scopes'] = array();
@@ -189,9 +157,6 @@ class Password implements GrantTypeInterface {
         $accessTokenExpiresIn = ($this->accessTokenTTL !== null) ? $this->accessTokenTTL : $this->authServer->getAccessTokenTTL();
         $accessTokenExpires = time() + $accessTokenExpiresIn;
 
-        // Delete any existing sessions just to be sure
-        $this->authServer->getStorage('session')->deleteSession($authParams['client_id'], 'user', $userId);
-
         // Create a new session
         $sessionId = $this->authServer->getStorage('session')->createSession($authParams['client_id'], 'user', $userId);
 
@@ -205,7 +170,7 @@ class Password implements GrantTypeInterface {
 
         $response = array(
             'access_token'  =>  $accessToken,
-            'token_type'    =>  'bearer',
+            'token_type'    =>  'Bearer',
             'expires'       =>  $accessTokenExpires,
             'expires_in'    =>  $accessTokenExpiresIn
         );
@@ -214,11 +179,11 @@ class Password implements GrantTypeInterface {
         if ($this->authServer->hasGrantType('refresh_token')) {
             $refreshToken = SecureKey::make();
             $refreshTokenTTL = time() + $this->authServer->getGrantType('refresh_token')->getRefreshTokenTTL();
-            $this->authServer->getStorage('session')->associateRefreshToken($accessTokenId, $refreshToken, $refreshTokenTTL);
+            $this->authServer->getStorage('session')->associateRefreshToken($accessTokenId, $refreshToken, $refreshTokenTTL, $authParams['client_id']);
             $response['refresh_token'] = $refreshToken;
         }
 
         return $response;
     }
 
-}
+}

src/League/OAuth2/Server/Grant/RefreshToken.php

@@ -24,6 +24,8 @@ use League\OAuth2\Server\Storage\ScopeInterface;
  */
 class RefreshToken implements GrantTypeInterface {
 
+    use GrantTrait;
+
     /**
      * Grant identifier
      * @var string
@@ -55,42 +57,10 @@ class RefreshToken implements GrantTypeInterface {
     protected $refreshTokenTTL = 604800;
 
     /**
-     * Constructor
-     * @param Authorization $authServer Authorization server instance
-     * @return void
+     * Rotate refresh tokens
+     * @var boolean
      */
-    public function __construct(Authorization $authServer)
-    {
-        $this->authServer = $authServer;
-    }
-
-    /**
-     * Return the identifier
-     * @return string
-     */
-    public function getIdentifier()
-    {
-        return $this->identifier;
-    }
-
-    /**
-     * Return the response type
-     * @return string
-     */
-    public function getResponseType()
-    {
-        return $this->responseType;
-    }
-
-    /**
-     * Override the default access token expire time
-     * @param int $accessTokenTTL
-     * @return void
-     */
-    public function setAccessTokenTTL($accessTokenTTL)
-    {
-        $this->accessTokenTTL = $accessTokenTTL;
-    }
+    protected $rotateRefreshTokens = false;
 
     /**
      * Set the TTL of the refresh token
@@ -111,6 +81,16 @@ class RefreshToken implements GrantTypeInterface {
         return $this->refreshTokenTTL;
     }
 
+    /**
+     * When a new access is token, expire the refresh token used and issue a new one.
+     * @param  boolean $rotateRefreshTokens Set to true to enable (default = false)
+     * @return void
+     */
+    public function rotateRefreshTokens($rotateRefreshTokens = false)
+    {
+        $this->rotateRefreshTokens = $rotateRefreshTokens;
+    }
+
     /**
      * Complete the refresh token grant
      * @param  null|array $inputParams
@@ -119,7 +99,7 @@ class RefreshToken implements GrantTypeInterface {
     public function completeFlow($inputParams = null)
     {
         // Get the required params
-        $authParams = $this->authServer->getParam(array('client_id', 'client_secret', 'refresh_token'), 'post', $inputParams);
+        $authParams = $this->authServer->getParam(array('client_id', 'client_secret', 'refresh_token', 'scope'), 'post', $inputParams);
 
         if (is_null($authParams['client_id'])) {
             throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'client_id'), 0);
@@ -143,7 +123,7 @@ class RefreshToken implements GrantTypeInterface {
         }
 
         // Validate refresh token
-        $accessTokenId = $this->authServer->getStorage('session')->validateRefreshToken($authParams['refresh_token']);
+        $accessTokenId = $this->authServer->getStorage('session')->validateRefreshToken($authParams['refresh_token'], $authParams['client_id']);
 
         if ($accessTokenId === false) {
             throw new Exception\ClientException($this->authServer->getExceptionMessage('invalid_refresh'), 0);
@@ -159,24 +139,69 @@ class RefreshToken implements GrantTypeInterface {
         $accessToken = SecureKey::make();
         $accessTokenExpiresIn = ($this->accessTokenTTL !== null) ? $this->accessTokenTTL : $this->authServer->getAccessTokenTTL();
         $accessTokenExpires = time() + $accessTokenExpiresIn;
-        $refreshToken = SecureKey::make();
-        $refreshTokenExpires = time() + $this->getRefreshTokenTTL();
 
+        // Associate the new access token with the session
         $newAccessTokenId = $this->authServer->getStorage('session')->associateAccessToken($accessTokenDetails['session_id'], $accessToken, $accessTokenExpires);
 
-        foreach ($scopes as $scope) {
-            $this->authServer->getStorage('session')->associateScope($newAccessTokenId, $scope['id']);
+        if ($this->rotateRefreshTokens === true) {
+
+            // Generate a new refresh token
+            $refreshToken = SecureKey::make();
+            $refreshTokenExpires = time() + $this->getRefreshTokenTTL();
+
+            // Revoke the old refresh token
+            $this->authServer->getStorage('session')->removeRefreshToken($authParams['refresh_token']);
+
+            // Associate the new refresh token with the new access token
+            $this->authServer->getStorage('session')->associateRefreshToken($newAccessTokenId, $refreshToken, $refreshTokenExpires, $authParams['client_id']);
         }
 
-        $this->authServer->getStorage('session')->associateRefreshToken($newAccessTokenId, $refreshToken, $refreshTokenExpires);
+        // There isn't a request for reduced scopes so assign the original ones (or we're not rotating scopes)
+        if ( ! isset($authParams['scope'])) {
 
-        return array(
+            foreach ($scopes as $scope) {
+                $this->authServer->getStorage('session')->associateScope($newAccessTokenId, $scope['id']);
+            }
+
+        } elseif ( isset($authParams['scope']) && $this->rotateRefreshTokens === true) {
+
+            // The request is asking for reduced scopes and rotate tokens is enabled
+            $reqestedScopes = explode($this->authServer->getScopeDelimeter(), $authParams['scope']);
+
+            for ($i = 0; $i < count($reqestedScopes); $i++) {
+                $reqestedScopes[$i] = trim($reqestedScopes[$i]);
+                if ($reqestedScopes[$i] === '') unset($reqestedScopes[$i]); // Remove any junk scopes
+            }
+
+            // Check that there aren't any new scopes being included
+            $existingScopes = array();
+            foreach ($scopes as $s) {
+                $existingScopes[] = $s['scope'];
+            }
+
+            foreach ($reqestedScopes as $reqScope) {
+                if ( ! in_array($reqScope, $existingScopes)) {
+                    throw new Exception\ClientException(sprintf($this->authServer->getExceptionMessage('invalid_request'), 'scope'), 0);
+                }
+
+                // Associate with the new access token
+                $scopeDetails = $this->authServer->getStorage('scope')->getScope($reqScope, $authParams['client_id'], $this->identifier);
+                $this->authServer->getStorage('session')->associateScope($newAccessTokenId, $scopeDetails['id']);
+            }
+        }
+
+        $response = array(
             'access_token'  =>  $accessToken,
-            'refresh_token' =>  $refreshToken,
             'token_type'    =>  'bearer',
             'expires'       =>  $accessTokenExpires,
             'expires_in'    =>  $accessTokenExpiresIn
         );
+
+        if ($this->rotateRefreshTokens === true) {
+            $response['refresh_token'] = $refreshToken;
+        }
+
+        return $response;
     }
 
 }

src/League/OAuth2/Server/Resource.php

@@ -93,6 +93,7 @@ class Resource
     public function setRequest(RequestInterface $request)
     {
         $this->request = $request;
+        return $this;
     }
 
     /**
@@ -129,6 +130,7 @@ class Resource
     public function setTokenKey($key)
     {
         $this->tokenKey = $key;
+        return $this;
     }
 
     /**
@@ -173,12 +175,13 @@ class Resource
     /**
      * Checks if the access token is valid or not.
      *
+     * @param $headersOnly Limit Access Token to Authorization header only
      * @throws Exception\InvalidAccessTokenException Thrown if the presented access token is not valid
      * @return bool
      */
-    public function isValid()
+    public function isValid($headersOnly = false)
     {
-        $accessToken = $this->determineAccessToken();
+        $accessToken = $this->determineAccessToken($headersOnly);
 
         $result = $this->storages['session']->validateAccessToken($accessToken);
 
@@ -194,7 +197,7 @@ class Resource
 
         $sessionScopes = $this->storages['session']->getScopes($this->accessToken);
         foreach ($sessionScopes as $scope) {
-            $this->sessionScopes[] = $scope['key'];
+            $this->sessionScopes[] = $scope['scope'];
         }
 
         return true;
@@ -237,14 +240,27 @@ class Resource
     /**
      * Reads in the access token from the headers.
      *
+     * @param $headersOnly Limit Access Token to Authorization header only
      * @throws Exception\MissingAccessTokenException  Thrown if there is no access token presented
      * @return string
      */
-    protected function determineAccessToken()
+    public function determineAccessToken($headersOnly = false)
     {
         if ($header = $this->getRequest()->header('Authorization')) {
-            $accessToken = trim(str_replace('Bearer', '', $header));
-        } else {
+            // Check for special case, because cURL sometimes does an
+            // internal second request and doubles the authorization header,
+            // which always resulted in an error.
+            //
+            // 1st request: Authorization: Bearer XXX
+            // 2nd request: Authorization: Bearer XXX, Bearer XXX
+            if (strpos($header, ',') !== false) {
+                $headerPart = explode(',', $header);
+                $accessToken = trim(preg_replace('/^(?:\s+)?Bearer\s/', '', $headerPart[0]));
+            } else {
+                $accessToken = trim(preg_replace('/^(?:\s+)?Bearer\s/', '', $header));
+            }
+            $accessToken = ($accessToken === 'Bearer') ? '' : $accessToken;
+        } elseif ($headersOnly === false) {
             $method = $this->getRequest()->server('REQUEST_METHOD');
             $accessToken = $this->getRequest()->{$method}($this->tokenKey);
         }

src/League/OAuth2/Server/Storage/ClientInterface.php

@@ -20,19 +20,21 @@ interface ClientInterface
      *
      * <code>
      * # Client ID + redirect URI
-     * SELECT oauth_clients.id, oauth_clients.secret, oauth_client_endpoints.redirect_uri, oauth_clients.name
+     * SELECT oauth_clients.id, oauth_clients.secret, oauth_client_endpoints.redirect_uri, oauth_clients.name,
+     * oauth_clients.auto_approve
      *  FROM oauth_clients LEFT JOIN oauth_client_endpoints ON oauth_client_endpoints.client_id = oauth_clients.id
      *  WHERE oauth_clients.id = :clientId AND oauth_client_endpoints.redirect_uri = :redirectUri
      *
      * # Client ID + client secret
-     * SELECT oauth_clients.id, oauth_clients.secret, oauth_clients.name FROM oauth_clients WHERE
-     *  oauth_clients.id = :clientId AND oauth_clients.secret = :clientSecret
+     * SELECT oauth_clients.id, oauth_clients.secret, oauth_clients.name, oauth_clients.auto_approve FROM oauth_clients 
+     * WHERE oauth_clients.id = :clientId AND oauth_clients.secret = :clientSecret
      *
      * # Client ID + client secret + redirect URI
-     * SELECT oauth_clients.id, oauth_clients.secret, oauth_client_endpoints.redirect_uri, oauth_clients.name FROM
-     *  oauth_clients LEFT JOIN oauth_client_endpoints ON oauth_client_endpoints.client_id = oauth_clients.id
-     *  WHERE oauth_clients.id = :clientId AND oauth_clients.secret = :clientSecret AND
-     *  oauth_client_endpoints.redirect_uri = :redirectUri
+     * SELECT oauth_clients.id, oauth_clients.secret, oauth_client_endpoints.redirect_uri, oauth_clients.name,
+     * oauth_clients.auto_approve FROM oauth_clients LEFT JOIN oauth_client_endpoints 
+     * ON oauth_client_endpoints.client_id = oauth_clients.id
+     * WHERE oauth_clients.id = :clientId AND oauth_clients.secret = :clientSecret AND
+     * oauth_client_endpoints.redirect_uri = :redirectUri
      * </code>
      *
      * Response:
@@ -44,14 +46,15 @@ interface ClientInterface
      *     [client secret] => (string) The client secret
      *     [redirect_uri] => (string) The redirect URI used in this request
      *     [name] => (string) The name of the client
+     *     [auto_approve] => (bool) Whether the client should auto approve
      * )
      * </code>
      *
      * @param  string     $clientId     The client's ID
      * @param  string     $clientSecret The client's secret (default = "null")
      * @param  string     $redirectUri  The client's redirect URI (default = "null")
-     * @param  string     $grantType    The grant type used in the request
+     * @param  string     $grantType    The grant type used in the request (default = "null")
      * @return bool|array               Returns false if the validation fails, array on success
      */
-    public function getClient($clientId = null, $clientSecret = null, $redirectUri = null, $grantType = null);
-}
+    public function getClient($clientId, $clientSecret = null, $redirectUri = null, $grantType = null);
+}

src/League/OAuth2/Server/Storage/PDO/Client.php

@@ -1,45 +0,0 @@
-<?php
-
-namespace League\OAuth2\Server\Storage\PDO;
-
-use League\OAuth2\Server\Storage\ClientInterface;
-
-class Client implements ClientInterface
-{
-    public function getClient($clientId = null, $clientSecret = null, $redirectUri = null, $grantType = null)
-    {
-        $db = \ezcDbInstance::get();
-
-        if ( ! is_null($redirectUri) && is_null($clientSecret)) {
-            $stmt = $db->prepare('SELECT oauth_clients.id, oauth_clients.secret, oauth_client_endpoints.redirect_uri, oauth_clients.name FROM oauth_clients LEFT JOIN oauth_client_endpoints ON oauth_client_endpoints.client_id = oauth_clients.id WHERE oauth_clients.id = :clientId AND oauth_client_endpoints.redirect_uri = :redirectUri');
-            $stmt->bindValue(':redirectUri', $redirectUri);
-        }
-
-        elseif ( ! is_null($clientSecret) && is_null($redirectUri)) {
-            $stmt = $db->prepare('SELECT oauth_clients.id, oauth_clients.secret, oauth_clients.name FROM oauth_clients  WHERE oauth_clients.id = :clientId AND oauth_clients.secret = :clientSecret');
-            $stmt->bindValue(':clientSecret', $clientSecret);
-        }
-
-        elseif ( ! is_null($clientSecret) && ! is_null($redirectUri)) {
-            $stmt = $db->prepare('SELECT oauth_clients.id, oauth_clients.secret, oauth_client_endpoints.redirect_uri, oauth_clients.name FROM oauth_clients LEFT JOIN oauth_client_endpoints ON oauth_client_endpoints.client_id = oauth_clients.id WHERE oauth_clients.id = :clientId AND oauth_clients.secret = :clientSecret AND oauth_client_endpoints.redirect_uri = :redirectUri');
-            $stmt->bindValue(':redirectUri', $redirectUri);
-            $stmt->bindValue(':clientSecret', $clientSecret);
-        }
-
-        $stmt->bindValue(':clientId', $clientId);
-        $stmt->execute();
-
-        $row = $stmt->fetchObject();
-
-        if ($row === false) {
-            return false;
-        }
-
-        return array(
-            'client_id' =>  $row->id,
-            'client_secret' =>  $row->secret,
-            'redirect_uri'  =>  (isset($row->redirect_uri)) ? $row->redirect_uri : null,
-            'name'  =>  $row->name
-        );
-    }
-}

src/League/OAuth2/Server/Storage/PDO/Db.php

@@ -1,17 +0,0 @@
-<?php
-
-namespace League\OAuth2\Server\Storage\PDO;
-
-class Db
-{
-	/**
-	 * Db constructor
-	 * @param array|string $dsn Connection DSN string or array of parameters
-	 * @return void
-	 */
-    public function __construct($dsn = '')
-    {
-        $db = \ezcDbFactory::create($dsn);
-        \ezcDbInstance::set($db);
-    }
-}

src/League/OAuth2/Server/Storage/PDO/Scope.php

@@ -1,31 +0,0 @@
-<?php
-
-namespace League\OAuth2\Server\Storage\PDO;
-
-use League\OAuth2\Server\Storage\ScopeInterface;
-
-class Scope implements ScopeInterface
-{
-    public function getScope($scope, $clientId = null, $grantType = null)
-    {
-        $db = \ezcDbInstance::get();
-
-        $stmt = $db->prepare('SELECT * FROM oauth_scopes WHERE oauth_scopes.key = :scope');
-        $stmt->bindValue(':scope', $scope);
-        $stmt->execute();
-
-        $row = $stmt->fetchObject();
-
-        if ($row === false) {
-            return false;
-        }
-
-        return array(
-            'id' =>  $row->id,
-            'scope' =>  $row->key,
-            'name'  =>  $row->name,
-            'description'  =>  $row->description
-        );
-
-    }
-}

src/League/OAuth2/Server/Storage/PDO/Session.php

@@ -1,253 +0,0 @@
-<?php
-
-namespace League\OAuth2\Server\Storage\PDO;
-
-use League\OAuth2\Server\Storage\SessionInterface;
-
-class Session implements SessionInterface
-{
-    /**
-     * Create a new session
-     * @param  string $clientId  The client ID
-     * @param  string $ownerType The type of the session owner (e.g. "user")
-     * @param  string $ownerId   The ID of the session owner (e.g. "123")
-     * @return int               The session ID
-     */
-    public function createSession($clientId, $ownerType, $ownerId)
-    {
-        $db = \ezcDbInstance::get();
-
-        $stmt = $db->prepare('INSERT INTO oauth_sessions (client_id, owner_type,  owner_id) VALUE
-         (:clientId, :ownerType, :ownerId)');
-        $stmt->bindValue(':clientId', $clientId);
-        $stmt->bindValue(':ownerType', $ownerType);
-        $stmt->bindValue(':ownerId', $ownerId);
-        $stmt->execute();
-
-        return $db->lastInsertId();
-    }
-
-    /**
-     * Delete a session
-     * @param  string $clientId  The client ID
-     * @param  string $ownerType The type of the session owner (e.g. "user")
-     * @param  string $ownerId   The ID of the session owner (e.g. "123")
-     * @return void
-     */
-    public function deleteSession($clientId, $ownerType, $ownerId)
-    {
-        $db = \ezcDbInstance::get();
-
-        $stmt = $db->prepare('DELETE FROM oauth_sessions WHERE client_id = :clientId AND
-         owner_type = :type AND owner_id = :typeId');
-        $stmt->bindValue(':clientId', $clientId);
-        $stmt->bindValue(':type', $ownerType);
-        $stmt->bindValue(':typeId', $ownerId);
-        $stmt->execute();
-    }
-
-    /**
-     * Associate a redirect URI with a session
-     * @param  int    $sessionId   The session ID
-     * @param  string $redirectUri The redirect URI
-     * @return void
-     */
-    public function associateRedirectUri($sessionId, $redirectUri)
-    {
-        $db = \ezcDbInstance::get();
-
-        $stmt = $db->prepare('INSERT INTO oauth_session_redirects (session_id, redirect_uri)
-         VALUE (:sessionId, :redirectUri)');
-        $stmt->bindValue(':sessionId', $sessionId);
-        $stmt->bindValue(':redirectUri', $redirectUri);
-        $stmt->execute();
-    }
-
-    /**
-     * Associate an access token with a session
-     * @param  int    $sessionId   The session ID
-     * @param  string $accessToken The access token
-     * @param  int    $expireTime  Unix timestamp of the access token expiry time
-     * @return void
-     */
-    public function associateAccessToken($sessionId, $accessToken, $expireTime)
-    {
-        $db = \ezcDbInstance::get();
-
-        $stmt = $db->prepare('INSERT INTO oauth_session_access_tokens (session_id, access_token, access_token_expires)
-         VALUE (:sessionId, :accessToken, :accessTokenExpire)');
-        $stmt->bindValue(':sessionId', $sessionId);
-        $stmt->bindValue(':accessToken', $accessToken);
-        $stmt->bindValue(':accessTokenExpire', $expireTime);
-        $stmt->execute();
-
-        return $db->lastInsertId();
-    }
-
-    /**
-     * Associate a refresh token with a session
-     * @param  int    $accessTokenId The access token ID
-     * @param  string $refreshToken  The refresh token
-     * @param  int    $expireTime    Unix timestamp of the refresh token expiry time
-     * @return void
-     */
-    public function associateRefreshToken($accessTokenId, $refreshToken, $expireTime)
-    {
-        $db = \ezcDbInstance::get();
-
-        $stmt = $db->prepare('INSERT INTO oauth_session_refresh_tokens (session_access_token_id, refresh_token, refresh_token_expires) VALUE
-         (:accessTokenId, :refreshToken, :expireTime)');
-        $stmt->bindValue(':accessTokenId', $accessTokenId);
-        $stmt->bindValue(':refreshToken', $refreshToken);
-        $stmt->bindValue(':expireTime', $expireTime);
-        $stmt->execute();
-    }
-
-    /**
-     * Assocate an authorization code with a session
-     * @param  int    $sessionId  The session ID
-     * @param  string $authCode   The authorization code
-     * @param  int    $expireTime Unix timestamp of the access token expiry time
-     * @param  string $scopeIds   Comma seperated list of scope IDs to be later associated (default = null)
-     * @return void
-     */
-    public function associateAuthCode($sessionId, $authCode, $expireTime, $scopeIds = null)
-    {
-        $db = \ezcDbInstance::get();
-
-        $stmt = $db->prepare('INSERT INTO oauth_session_authcodes (session_id, auth_code, auth_code_expires, scope_ids)
-         VALUE (:sessionId, :authCode, :authCodeExpires, :scopeIds)');
-        $stmt->bindValue(':sessionId', $sessionId);
-        $stmt->bindValue(':authCode', $authCode);
-        $stmt->bindValue(':authCodeExpires', $expireTime);
-        $stmt->bindValue(':scopeIds', $scopeIds);
-        $stmt->execute();
-    }
-
-    /**
-     * Remove an associated authorization token from a session
-     * @param  int    $sessionId   The session ID
-     * @return void
-     */
-    public function removeAuthCode($sessionId)
-    {
-        $db = \ezcDbInstance::get();
-
-        $stmt = $db->prepare('DELETE FROM oauth_session_authcodes WHERE session_id = :sessionId');
-        $stmt->bindValue(':sessionId', $sessionId);
-        $stmt->execute();
-    }
-
-    /**
-     * Validate an authorization code
-     * @param  string $clientId    The client ID
-     * @param  string $redirectUri The redirect URI
-     * @param  string $authCode    The authorization code
-     * @return void
-     */
-    public function validateAuthCode($clientId, $redirectUri, $authCode)
-    {
-        $db = \ezcDbInstance::get();
-
-        $stmt = $db->prepare('SELECT oauth_sessions.id, oauth_session_authcodes.scope_ids FROM oauth_sessions JOIN
-         oauth_session_authcodes ON oauth_session_authcodes.`session_id` = oauth_sessions.id JOIN
-          oauth_session_redirects ON oauth_session_redirects.`session_id` = oauth_sessions.id WHERE
-           oauth_sessions.client_id = :clientId AND oauth_session_authcodes.`auth_code` = :authCode AND
-            `oauth_session_authcodes`.`auth_code_expires` >= :time AND `oauth_session_redirects`.`redirect_uri`
-             = :redirectUri');
-        $stmt->bindValue(':clientId', $clientId);
-        $stmt->bindValue(':redirectUri', $redirectUri);
-        $stmt->bindValue(':authCode', $authCode);
-        $stmt->bindValue(':time', time());
-        $stmt->execute();
-
-        $result = $stmt->fetchObject();
-
-        return ($result === false) ? false : (array) $result;
-    }
-
-    /**
-     * Validate an access token
-     * @param  string $accessToken The access token to be validated
-     * @return void
-     */
-    public function validateAccessToken($accessToken)
-    {
-        $db = \ezcDbInstance::get();
-
-        $stmt = $db->prepare('SELECT session_id, oauth_sessions.`client_id`, oauth_sessions.`owner_id`, oauth_sessions.`owner_type` FROM `oauth_session_access_tokens` JOIN oauth_sessions ON oauth_sessions.`id` = session_id WHERE  access_token = :accessToken AND access_token_expires >= ' . time());
-        $stmt->bindValue(':accessToken', $accessToken);
-        $stmt->execute();
-
-        $result = $stmt->fetchObject();
-        return ($result === false) ? false : (array) $result;
-    }
-
-    /**
-     * Validate a refresh token
-     * @param  string $refreshToken The access token
-     * @return void
-     */
-    public function validateRefreshToken($refreshToken)
-    {
-        $db = \ezcDbInstance::get();
-
-        $stmt = $db->prepare('SELECT session_access_token_id FROM `oauth_session_refresh_tokens` WHERE
-         refresh_token = :refreshToken AND refresh_token_expires >= ' . time());
-        $stmt->bindValue(':refreshToken', $refreshToken);
-        $stmt->execute();
-
-        $result = $stmt->fetchObject();
-        return ($result === false) ? false : $result->session_access_token_id;
-    }
-
-    /**
-     * Get an access token by ID
-     * @param  int    $accessTokenId The access token ID
-     * @return array
-     */
-    public function getAccessToken($accessTokenId)
-    {
-        $db = \ezcDbInstance::get();
-
-        $stmt = $db->prepare('SELECT * FROM `oauth_session_access_tokens` WHERE `id` = :accessTokenId');
-        $stmt->bindValue(':accessTokenId', $accessTokenId);
-        $stmt->execute();
-
-        $result = $stmt->fetchObject();
-        return ($result === false) ? false : (array) $result;
-    }
-
-    /**
-     * Associate a scope with an access token
-     * @param  int    $accessTokenId The ID of the access token
-     * @param  int    $scopeId       The ID of the scope
-     * @return void
-     */
-    public function associateScope($accessTokenId, $scopeId)
-    {
-        $db = \ezcDbInstance::get();
-
-        $stmt = $db->prepare('INSERT INTO `oauth_session_token_scopes` (`session_access_token_id`, `scope_id`)
-         VALUE (:accessTokenId, :scopeId)');
-        $stmt->bindValue(':accessTokenId', $accessTokenId);
-        $stmt->bindValue(':scopeId', $scopeId);
-        $stmt->execute();
-    }
-
-    /**
-     * Get all associated access tokens for an access token
-     * @param  string $accessToken The access token
-     * @return array
-     */
-    public function getScopes($accessToken)
-    {
-        $db = \ezcDbInstance::get();
-
-        $stmt = $db->prepare('SELECT oauth_scopes.* FROM oauth_session_token_scopes JOIN oauth_session_access_tokens ON oauth_session_access_tokens.`id` = `oauth_session_token_scopes`.`session_access_token_id` JOIN oauth_scopes ON oauth_scopes.id = `oauth_session_token_scopes`.`scope_id` WHERE access_token = :accessToken');
-        $stmt->bindValue(':accessToken', $accessToken);
-        $stmt->execute();
-
-        return $stmt->fetchAll();
-    }
-}

src/League/OAuth2/Server/Storage/ScopeInterface.php

@@ -19,7 +19,7 @@ interface ScopeInterface
      * Example SQL query:
      *
      * <code>
-     * SELECT * FROM oauth_scopes WHERE oauth_scopes.key = :scope
+     * SELECT * FROM oauth_scopes WHERE scope = :scope
      * </code>
      *
      * Response:
@@ -28,15 +28,15 @@ interface ScopeInterface
      * Array
      * (
      *     [id] => (int) The scope's ID
-     *     [key] => (string) The scope itself
+     *     [scope] => (string) The scope itself
      *     [name] => (string) The scope's name
      *     [description] => (string) The scope's description
      * )
      * </code>
      *
      * @param  string     $scope     The scope
-     * @param  string     $clientId  The client ID
-     * @param  string     $grantType The grant type used in the request
+     * @param  string     $clientId  The client ID (default = "null")
+     * @param  string     $grantType The grant type used in the request (default = "null")
      * @return bool|array If the scope doesn't exist return false
      */
     public function getScope($scope, $clientId = null, $grantType = null);

src/League/OAuth2/Server/Storage/SessionInterface.php

@@ -74,7 +74,7 @@ interface SessionInterface
      * @param  int    $sessionId   The session ID
      * @param  string $accessToken The access token
      * @param  int    $expireTime  Unix timestamp of the access token expiry time
-     * @return void
+     * @return int                 The access token ID
      */
     public function associateAccessToken($sessionId, $accessToken, $expireTime);
 
@@ -84,16 +84,17 @@ interface SessionInterface
      * Example SQL query:
      *
      * <code>
-     * oauth_session_refresh_tokens (session_access_token_id, refresh_token, refresh_token_expires)
-     *  VALUE (:accessTokenId, :refreshToken, :expireTime)
+     * INSERT INTO oauth_session_refresh_tokens (session_access_token_id, refresh_token, refresh_token_expires,
+     *  client_id) VALUE (:accessTokenId, :refreshToken, :expireTime, :clientId)
      * </code>
      *
      * @param  int    $accessTokenId The access token ID
      * @param  string $refreshToken  The refresh token
      * @param  int    $expireTime    Unix timestamp of the refresh token expiry time
+     * @param  string $clientId      The client ID
      * @return void
      */
-    public function associateRefreshToken($accessTokenId, $refreshToken, $expireTime);
+    public function associateRefreshToken($accessTokenId, $refreshToken, $expireTime, $clientId);
 
     /**
      * Assocate an authorization code with a session
@@ -101,17 +102,16 @@ interface SessionInterface
      * Example SQL query:
      *
      * <code>
-     * INSERT INTO oauth_session_authcodes (session_id, auth_code, auth_code_expires, scope_ids)
-     *  VALUE (:sessionId, :authCode, :authCodeExpires, :scopeIds)
+     * INSERT INTO oauth_session_authcodes (session_id, auth_code, auth_code_expires)
+     *  VALUE (:sessionId, :authCode, :authCodeExpires)
      * </code>
      *
      * @param  int    $sessionId  The session ID
      * @param  string $authCode   The authorization code
      * @param  int    $expireTime Unix timestamp of the access token expiry time
-     * @param  string $scopeIds   Comma seperated list of scope IDs to be later associated (default = null)
-     * @return void
+     * @return int                The auth code ID
      */
-    public function associateAuthCode($sessionId, $authCode, $expireTime, $scopeIds = null);
+    public function associateAuthCode($sessionId, $authCode, $expireTime);
 
     /**
      * Remove an associated authorization token from a session
@@ -133,7 +133,7 @@ interface SessionInterface
      * Example SQL query:
      *
      * <code>
-     * SELECT oauth_sessions.id, oauth_session_authcodes.scope_ids FROM oauth_sessions
+     * SELECT oauth_sessions.id AS session_id, oauth_session_authcodes.id AS authcode_id FROM oauth_sessions
      *  JOIN oauth_session_authcodes ON oauth_session_authcodes.`session_id` = oauth_sessions.id
      *  JOIN oauth_session_redirects ON oauth_session_redirects.`session_id` = oauth_sessions.id WHERE
      * oauth_sessions.client_id = :clientId AND oauth_session_authcodes.`auth_code` = :authCode
@@ -145,8 +145,8 @@ interface SessionInterface
      *
      * <code>
      * array(
-     *     'id' =>  (int), // the session ID
-     *     'scope_ids'  =>  (string)
+     *     'session_id' =>  (int)
+     *     'authcode_id'  =>  (int)
      * )
      * </code>
      *
@@ -184,6 +184,20 @@ interface SessionInterface
      */
     public function validateAccessToken($accessToken);
 
+    /**
+     * Removes a refresh token
+     *
+     * Example SQL query:
+     *
+     * <code>
+     * DELETE FROM `oauth_session_refresh_tokens` WHERE refresh_token = :refreshToken
+     * </code>
+     *
+     * @param  string $refreshToken The refresh token to be removed
+     * @return void
+     */
+    public function removeRefreshToken($refreshToken);
+
     /**
      * Validate a refresh token
      *
@@ -191,13 +205,14 @@ interface SessionInterface
      *
      * <code>
      * SELECT session_access_token_id FROM `oauth_session_refresh_tokens` WHERE refresh_token = :refreshToken
-     *  AND refresh_token_expires >= UNIX_TIMESTAMP(NOW())
+     *  AND refresh_token_expires >= UNIX_TIMESTAMP(NOW()) AND client_id = :clientId
      * </code>
      *
      * @param  string   $refreshToken The access token
+     * @param  string   $clientId     The client ID
      * @return int|bool               The ID of the access token the refresh token is linked to (or false if invalid)
      */
-    public function validateRefreshToken($refreshToken);
+    public function validateRefreshToken($refreshToken, $clientId);
 
     /**
      * Get an access token by ID
@@ -224,6 +239,50 @@ interface SessionInterface
      */
     public function getAccessToken($accessTokenId);
 
+    /**
+     * Associate scopes with an auth code (bound to the session)
+     *
+     * Example SQL query:
+     *
+     * <code>
+     * INSERT INTO `oauth_session_authcode_scopes` (`oauth_session_authcode_id`, `scope_id`) VALUES
+     *  (:authCodeId, :scopeId)
+     * </code>
+     *
+     * @param  int $authCodeId The auth code ID
+     * @param  int $scopeId    The scope ID
+     * @return void
+     */
+    public function associateAuthCodeScope($authCodeId, $scopeId);
+
+    /**
+     * Get the scopes associated with an auth code
+     *
+     * Example SQL query:
+     *
+     * <code>
+     * SELECT scope_id FROM `oauth_session_authcode_scopes` WHERE oauth_session_authcode_id = :authCodeId
+     * </code>
+     *
+     * Expected response:
+     *
+     * <code>
+     * array(
+     *     array(
+     *         'scope_id' => (int)
+     *     ),
+     *     array(
+     *         'scope_id' => (int)
+     *     ),
+     *     ...
+     * )
+     * </code>
+     *
+     * @param  int   $oauthSessionAuthCodeId The session ID
+     * @return array
+     */
+    public function getAuthCodeScopes($oauthSessionAuthCodeId);
+
     /**
      * Associate a scope with an access token
      *
@@ -256,7 +315,8 @@ interface SessionInterface
      * <code>
      * array (
      *     array(
-     *         'key'    =>  (string),
+     *         'id'     =>  (int),
+     *         'scope'  =>  (string),
      *         'name'   =>  (string),
      *         'description'    =>  (string)
      *     ),

src/League/OAuth2/Server/Util/Request.php

@@ -39,6 +39,8 @@ class Request implements RequestInterface
 
         if (empty($headers)) {
             $this->headers = $this->readHeaders();
+        } else {
+            $this->headers = $this->normalizeHeaders($headers);
         }
     }
 
@@ -88,7 +90,7 @@ class Request implements RequestInterface
             }
         }
 
-        return $headers;
+        return $this->normalizeHeaders($headers);
    }
 
     protected function getPropertyValue($property, $index = null, $default = null)
@@ -106,4 +108,39 @@ class Request implements RequestInterface
 
         return $this->{$property}[$index];
     }
+
+    /**
+     * Takes all of the headers and normalizes them in a canonical form.
+     *
+     * @param  array  $headers The request headers.
+     * @return array           An arry of headers with the header name normalized
+     */
+    protected function normalizeHeaders(array $headers)
+    {
+        $normalized = array();
+        foreach ($headers as $key => $value) {
+            $normalized[ucfirst($this->normalizeKey($key))] = $value;
+        }
+
+        return $normalized;
+    }
+
+    /**
+     * Transform header name into canonical form
+     *
+     * Taken from the Slim codebase...
+     *
+     * @param  string $key
+     * @return string
+     */
+    protected function normalizeKey($key)
+    {
+        $key = strtolower($key);
+        $key = str_replace(array('-', '_'), ' ', $key);
+        $key = preg_replace('#^http #', '', $key);
+        $key = ucwords($key);
+        $key = str_replace(' ', '-', $key);
+
+        return $key;
+    }
 }

src/League/OAuth2/Server/Util/RequestInterface.php

@@ -14,10 +14,6 @@ namespace League\OAuth2\Server\Util;
 interface RequestInterface
 {
 
-    public static function buildFromGlobals();
-
-    public function __construct(array $get = array(), array $post = array(), array $cookies = array(), array $files = array(), array $server = array(), $headers = array());
-
     public function get($index = null);
 
     public function post($index = null);

tests/authorization/AuthCodeGrantTest.php

@@ -20,10 +20,26 @@ class Auth_Code_Grant_Test extends PHPUnit_Framework_TestCase
         return new League\OAuth2\Server\Authorization($this->client, $this->session, $this->scope);
     }
 
-    public function test_setAuthTokenTTL()
+    /**
+    * @expectedException PHPUnit_Framework_Error
+    */
+    public function test__construct()
     {
         $a = $this->returnDefault();
         $grant = new League\OAuth2\Server\Grant\AuthCode($a);
+    }
+
+    public function test_setIdentifier()
+    {
+        $grant = new League\OAuth2\Server\Grant\AuthCode();
+        $grant->setIdentifier('foobar');
+        $this->assertEquals($grant->getIdentifier(), 'foobar');
+    }
+
+    public function test_setAuthTokenTTL()
+    {
+        $a = $this->returnDefault();
+        $grant = new League\OAuth2\Server\Grant\AuthCode();
         $grant->setAuthTokenTTL(30);
 
         $reflector = new ReflectionClass($grant);
@@ -41,7 +57,7 @@ class Auth_Code_Grant_Test extends PHPUnit_Framework_TestCase
     public function test_checkAuthoriseParams_noClientId()
     {
         $a = $this->returnDefault();
-        $g = new League\OAuth2\Server\Grant\AuthCode($a);
+        $g = new League\OAuth2\Server\Grant\AuthCode();
         $a->addGrantType($g);
         $g->checkAuthoriseParams();
     }
@@ -53,7 +69,7 @@ class Auth_Code_Grant_Test extends PHPUnit_Framework_TestCase
     public function test_checkAuthoriseParams_noRedirectUri()
     {
         $a = $this->returnDefault();
-        $g = new League\OAuth2\Server\Grant\AuthCode($a);
+        $g = new League\OAuth2\Server\Grant\AuthCode();
         $a->addGrantType($g);
         $g->checkAuthoriseParams(array(
             'client_id' =>  1234
@@ -67,7 +83,7 @@ class Auth_Code_Grant_Test extends PHPUnit_Framework_TestCase
     public function test_checkAuthoriseParams_noRequiredState()
     {
         $a = $this->returnDefault();
-        $g = new League\OAuth2\Server\Grant\AuthCode($a);
+        $g = new League\OAuth2\Server\Grant\AuthCode();
         $a->addGrantType($g);
         $a->requireStateParam(true);
         $g->checkAuthoriseParams(array(
@@ -86,7 +102,7 @@ class Auth_Code_Grant_Test extends PHPUnit_Framework_TestCase
         $this->client->shouldReceive('getClient')->andReturn(false);
 
         $a = $this->returnDefault();
-        $g = new League\OAuth2\Server\Grant\AuthCode($a);
+        $g = new League\OAuth2\Server\Grant\AuthCode();
         $a->addGrantType($g);
         $g->checkAuthoriseParams(array(
             'client_id' =>  1234,
@@ -108,7 +124,7 @@ class Auth_Code_Grant_Test extends PHPUnit_Framework_TestCase
         ));
 
         $a = $this->returnDefault();
-        $g = new League\OAuth2\Server\Grant\AuthCode($a);
+        $g = new League\OAuth2\Server\Grant\AuthCode();
         $a->addGrantType($g);
         $g->checkAuthoriseParams(array(
             'client_id' =>  1234,
@@ -130,7 +146,7 @@ class Auth_Code_Grant_Test extends PHPUnit_Framework_TestCase
         ));
 
         $a = $this->returnDefault();
-        $g = new League\OAuth2\Server\Grant\AuthCode($a);
+        $g = new League\OAuth2\Server\Grant\AuthCode();
         $a->addGrantType($g);
         $g->checkAuthoriseParams(array(
             'client_id' =>  1234,
@@ -153,9 +169,10 @@ class Auth_Code_Grant_Test extends PHPUnit_Framework_TestCase
         ));
 
         $a = $this->returnDefault();
-        $g = new League\OAuth2\Server\Grant\AuthCode($a);
+        $g = new League\OAuth2\Server\Grant\AuthCode();
         $a->addGrantType($g);
-        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
+        $a->requireScopeParam(true);
 
         $g->checkAuthoriseParams(array(
             'client_id' =>  1234,
@@ -182,9 +199,9 @@ class Auth_Code_Grant_Test extends PHPUnit_Framework_TestCase
         ));
 
         $a = $this->returnDefault();
-        $g = new League\OAuth2\Server\Grant\AuthCode($a);
+        $g = new League\OAuth2\Server\Grant\AuthCode();
         $a->addGrantType($g);
-        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
         $a->setDefaultScope('test.scope');
         $a->requireScopeParam(false);
 
@@ -196,6 +213,41 @@ class Auth_Code_Grant_Test extends PHPUnit_Framework_TestCase
         ));
 
         $this->assertArrayHasKey('scopes', $params);
+        $this->assertEquals(1, count($params['scopes']));
+    }
+
+    public function test_checkAuthoriseParams_defaultScopeArray()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->scope->shouldReceive('getScope')->andReturn(array(
+            'id'    =>  1,
+            'scope' =>  'foo',
+            'name'  =>  'Foo Name',
+            'description'   =>  'Foo Name Description'
+        ));
+
+        $a = $this->returnDefault();
+        $g = new League\OAuth2\Server\Grant\AuthCode();
+        $a->addGrantType($g);
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
+        $a->setDefaultScope(array('test.scope', 'test.scope2'));
+        $a->requireScopeParam(false);
+
+        $params = $g->checkAuthoriseParams(array(
+            'client_id' =>  1234,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'response_type' =>  'code',
+            'scope'    =>  ''
+        ));
+
+        $this->assertArrayHasKey('scopes', $params);
+        $this->assertEquals(2, count($params['scopes']));
     }
 
     /**
@@ -214,9 +266,9 @@ class Auth_Code_Grant_Test extends PHPUnit_Framework_TestCase
         $this->scope->shouldReceive('getScope')->andReturn(false);
 
         $a = $this->returnDefault();
-        $g = new League\OAuth2\Server\Grant\AuthCode($a);
+        $g = new League\OAuth2\Server\Grant\AuthCode();
         $a->addGrantType($g);
-        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
 
         $g->checkAuthoriseParams(array(
             'client_id' =>  1234,
@@ -229,9 +281,9 @@ class Auth_Code_Grant_Test extends PHPUnit_Framework_TestCase
     public function test_checkAuthoriseParams_passedInput()
     {
         $a = $this->returnDefault();
-        $g = new League\OAuth2\Server\Grant\AuthCode($a);
+        $g = new League\OAuth2\Server\Grant\AuthCode();
         $a->addGrantType($g);
-        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
 
         $this->client->shouldReceive('getClient')->andReturn(array(
             'client_id' =>  1234,
@@ -295,9 +347,9 @@ class Auth_Code_Grant_Test extends PHPUnit_Framework_TestCase
         ));
 
         $a = $this->returnDefault();
-        $g = new League\OAuth2\Server\Grant\AuthCode($a);
+        $g = new League\OAuth2\Server\Grant\AuthCode();
         $a->addGrantType($g);
-        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
 
         $_GET['client_id'] = 1234;
         $_GET['redirect_uri'] = 'http://foo/redirect';
@@ -340,10 +392,11 @@ class Auth_Code_Grant_Test extends PHPUnit_Framework_TestCase
         $this->session->shouldReceive('createSession')->andReturn(1);
         $this->session->shouldReceive('associateScope')->andReturn(null);
         $this->session->shouldReceive('associateRedirectUri')->andReturn(null);
-        $this->session->shouldReceive('associateAuthCode')->andReturn(null);
+        $this->session->shouldReceive('associateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('associateAuthCodeScope')->andReturn(null);
 
         $a = $this->returnDefault();
-        $g = new League\OAuth2\Server\Grant\AuthCode($a);
+        $g = new League\OAuth2\Server\Grant\AuthCode();
         $a->addGrantType($g);
 
         $params = array(

tests/authorization/AuthServerTest.php

@@ -69,6 +69,7 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase
         $a = $this->returnDefault();
         $grant = M::mock('League\OAuth2\Server\Grant\GrantTypeInterface');
         $grant->shouldReceive('getResponseType')->andReturn('test');
+        $grant->shouldReceive('setAuthorizationServer')->andReturn($grant);
         $a->addGrantType($grant, 'test');
 
         $this->assertTrue($a->hasGrantType('test'));
@@ -80,6 +81,7 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase
         $grant = M::mock('League\OAuth2\Server\Grant\GrantTypeInterface');
         $grant->shouldReceive('getIdentifier')->andReturn('test');
         $grant->shouldReceive('getResponseType')->andReturn('test');
+        $grant->shouldReceive('setAuthorizationServer')->andReturn($grant);
         $a->addGrantType($grant);
 
         $this->assertTrue($a->hasGrantType('test'));
@@ -199,7 +201,7 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase
     public function test_getGrantType()
     {
         $a = $this->returnDefault();
-        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
 
         $reflector = new ReflectionClass($a);
         $method = $reflector->getMethod('getGrantType');
@@ -227,7 +229,7 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase
     public function test_issueAccessToken_missingGrantType()
     {
         $a = $this->returnDefault();
-        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
 
         $a->issueAccessToken();
     }
@@ -239,7 +241,7 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase
     public function test_issueAccessToken_badGrantType()
     {
         $a = $this->returnDefault();
-        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
 
         $a->issueAccessToken(array('grant_type' => 'foo'));
     }
@@ -251,7 +253,7 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase
     public function test_issueAccessToken_missingClientId()
     {
         $a = $this->returnDefault();
-        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
 
         $a->issueAccessToken(array(
             'grant_type'    =>  'authorization_code'
@@ -265,7 +267,7 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase
     public function test_issueAccessToken_missingClientSecret()
     {
         $a = $this->returnDefault();
-        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
 
         $a->issueAccessToken(array(
             'grant_type'    =>  'authorization_code',
@@ -280,7 +282,7 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase
     public function test_issueAccessToken_missingRedirectUri()
     {
         $a = $this->returnDefault();
-        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
 
         $a->issueAccessToken(array(
             'grant_type'    =>  'authorization_code',
@@ -298,7 +300,7 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase
         $this->client->shouldReceive('getClient')->andReturn(false);
 
         $a = $this->returnDefault();
-        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
 
         $a->issueAccessToken(array(
             'grant_type'    =>  'authorization_code',
@@ -317,7 +319,7 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase
         $this->client->shouldReceive('getClient')->andReturn(array());
 
         $a = $this->returnDefault();
-        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
 
         $a->issueAccessToken(array(
             'grant_type'    =>  'authorization_code',
@@ -337,7 +339,7 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase
         $this->session->shouldReceive('validateAuthCode')->andReturn(false);
 
         $a = $this->returnDefault();
-        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
 
         $a->issueAccessToken(array(
             'grant_type'    =>  'authorization_code',
@@ -358,16 +360,17 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase
         ));
 
         $this->session->shouldReceive('validateAuthCode')->andReturn(array(
-            'id'    =>  1,
-            'scope_ids' =>  '1'
+            'session_id'    =>  1,
+            'authcode_id' =>  1
         ));
         $this->session->shouldReceive('updateSession')->andReturn(null);
         $this->session->shouldReceive('removeAuthCode')->andReturn(null);
         $this->session->shouldReceive('associateAccessToken')->andReturn(1);
         $this->session->shouldReceive('associateScope')->andReturn(null);
+        $this->session->shouldReceive('getAuthCodeScopes')->andReturn(array('scope_id' => 1));
 
         $a = $this->returnDefault();
-        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
 
         $v = $a->issueAccessToken(array(
             'grant_type'    =>  'authorization_code',
@@ -399,9 +402,11 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase
         $this->session->shouldReceive('updateSession')->andReturn(null);
         $this->session->shouldReceive('removeAuthCode')->andReturn(null);
         $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+        $this->session->shouldReceive('getAuthCodeScopes')->andReturn(array('scope_id' => 1));
+        $this->session->shouldReceive('associateScope')->andReturn(null);
 
         $a = $this->returnDefault();
-        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
 
         $_POST['grant_type'] = 'authorization_code';
         $_POST['client_id'] = 1234;
@@ -436,9 +441,11 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase
         $this->session->shouldReceive('updateSession')->andReturn(null);
         $this->session->shouldReceive('removeAuthCode')->andReturn(null);
         $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+        $this->session->shouldReceive('getAuthCodeScopes')->andReturn(array('scope_id' => 1));
+        $this->session->shouldReceive('associateScope')->andReturn(null);
 
         $a = $this->returnDefault();
-        $grant = new League\OAuth2\Server\Grant\AuthCode($a);
+        $grant = new League\OAuth2\Server\Grant\AuthCode();
         $grant->setAccessTokenTTL(30);
         $a->addGrantType($grant);
 
@@ -477,9 +484,11 @@ class Authorization_Server_test extends PHPUnit_Framework_TestCase
         $this->session->shouldReceive('updateSession')->andReturn(null);
         $this->session->shouldReceive('removeAuthCode')->andReturn(null);
         $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+        $this->session->shouldReceive('getAuthCodeScopes')->andReturn(array('scope_id' => 1));
+        $this->session->shouldReceive('associateScope')->andReturn(null);
 
         $a = $this->returnDefault();
-        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
 
         $_POST['grant_type'] = 'authorization_code';
         $_SERVER['PHP_AUTH_USER'] = 1234;

tests/authorization/ClientCredentialsGrantTest.php

@@ -27,7 +27,7 @@ class Client_Credentials_Grant_Test extends PHPUnit_Framework_TestCase
     public function test_issueAccessToken_clientCredentialsGrant_missingClientId()
     {
         $a = $this->returnDefault();
-        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials());
 
         $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
         $a->setRequest($request);
@@ -44,7 +44,7 @@ class Client_Credentials_Grant_Test extends PHPUnit_Framework_TestCase
     public function test_issueAccessToken_clientCredentialsGrant_missingClientPassword()
     {
         $a = $this->returnDefault();
-        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials());
 
         $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
         $a->setRequest($request);
@@ -64,7 +64,7 @@ class Client_Credentials_Grant_Test extends PHPUnit_Framework_TestCase
         $this->client->shouldReceive('getClient')->andReturn(false);
 
         $a = $this->returnDefault();
-        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials());
 
         $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
         $a->setRequest($request);
@@ -95,7 +95,7 @@ class Client_Credentials_Grant_Test extends PHPUnit_Framework_TestCase
         $this->session->shouldReceive('deleteSession')->andReturn(null);
 
         $a = $this->returnDefault();
-        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials());
         $a->requireScopeParam(true);
 
         $a->issueAccessToken(array(
@@ -129,7 +129,7 @@ class Client_Credentials_Grant_Test extends PHPUnit_Framework_TestCase
         $this->session->shouldReceive('associateAccessToken')->andReturn(1);
 
         $a = $this->returnDefault();
-        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials());
         $a->requireScopeParam(false);
         $a->setDefaultScope('foobar');
 
@@ -146,6 +146,47 @@ class Client_Credentials_Grant_Test extends PHPUnit_Framework_TestCase
         $this->assertArrayHasKey('expires_in', $v);
     }
 
+    public function test_issueAccessToken_clientCredentialsGrant_defaultScopeArray()
+    {
+        $this->scope->shouldReceive('getScope')->andReturn(array(
+            'id'    =>  1,
+            'key' =>  'foo',
+            'name'  =>  'Foo Name',
+            'description'   =>  'Foo Name Description'
+        ));
+
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->client->shouldReceive('validateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('createSession')->andReturn(1);
+        $this->session->shouldReceive('deleteSession')->andReturn(null);
+        $this->session->shouldReceive('associateScope')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+
+        $a = $this->returnDefault();
+        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials());
+        $a->requireScopeParam(false);
+        $a->setDefaultScope(array('foobar', 'barfoo'));
+
+        $v = $a->issueAccessToken(array(
+            'grant_type'    =>  'client_credentials',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'scope' =>  ''
+        ));
+
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
+    }
+
     /**
      * @expectedException        League\OAuth2\Server\Exception\ClientException
      * @expectedExceptionCode    4
@@ -168,7 +209,7 @@ class Client_Credentials_Grant_Test extends PHPUnit_Framework_TestCase
         $this->session->shouldReceive('associateScope')->andReturn(null);
 
         $a = $this->returnDefault();
-        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials());
 
         $a->issueAccessToken(array(
             'grant_type'    =>  'client_credentials',
@@ -202,7 +243,7 @@ class Client_Credentials_Grant_Test extends PHPUnit_Framework_TestCase
         $this->session->shouldReceive('associateAccessToken')->andReturn(1);
 
         $a = $this->returnDefault();
-        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials());
 
         $v = $a->issueAccessToken(array(
             'grant_type'    =>  'client_credentials',
@@ -234,7 +275,7 @@ class Client_Credentials_Grant_Test extends PHPUnit_Framework_TestCase
         $this->session->shouldReceive('associateAccessToken')->andReturn(1);
 
         $a = $this->returnDefault();
-        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials());
         $a->requireScopeParam(false);
 
         $v = $a->issueAccessToken(array(
@@ -269,7 +310,7 @@ class Client_Credentials_Grant_Test extends PHPUnit_Framework_TestCase
         $this->session->shouldReceive('associateAccessToken')->andReturn(1);
 
         $a = $this->returnDefault();
-        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials());
         $a->requireScopeParam(false);
 
         $_POST['grant_type'] = 'client_credentials';
@@ -307,7 +348,7 @@ class Client_Credentials_Grant_Test extends PHPUnit_Framework_TestCase
         $this->session->shouldReceive('associateAccessToken')->andReturn(1);
 
         $a = $this->returnDefault();
-        $grant = new League\OAuth2\Server\Grant\ClientCredentials($a);
+        $grant = new League\OAuth2\Server\Grant\ClientCredentials();
         $grant->setAccessTokenTTL(30);
         $a->addGrantType($grant);
         $a->requireScopeParam(false);
@@ -349,7 +390,7 @@ class Client_Credentials_Grant_Test extends PHPUnit_Framework_TestCase
         $this->session->shouldReceive('associateAccessToken')->andReturn(1);
 
         $a = $this->returnDefault();
-        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\ClientCredentials());
         $a->requireScopeParam(false);
 
         $_POST['grant_type'] = 'client_credentials';

tests/authorization/PasswordGrantTest.php

@@ -27,7 +27,7 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase
     public function test_issueAccessToken_passwordGrant_missingClientId()
     {
         $a = $this->returnDefault();
-        $a->addGrantType(new League\OAuth2\Server\Grant\Password($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\Password());
 
         $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
         $a->setRequest($request);
@@ -44,7 +44,7 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase
     public function test_issueAccessToken_passwordGrant_missingClientPassword()
     {
         $a = $this->returnDefault();
-        $a->addGrantType(new League\OAuth2\Server\Grant\Password($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\Password());
 
         $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
         $a->setRequest($request);
@@ -64,7 +64,7 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase
         $this->client->shouldReceive('getClient')->andReturn(false);
 
         $a = $this->returnDefault();
-        $a->addGrantType(new League\OAuth2\Server\Grant\Password($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\Password());
 
         $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
         $a->setRequest($request);
@@ -98,7 +98,7 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase
         $testCredentials = null;
 
         $a = $this->returnDefault();
-        $pgrant = new League\OAuth2\Server\Grant\Password($a);
+        $pgrant = new League\OAuth2\Server\Grant\Password();
         $pgrant->setVerifyCredentialsCallback($testCredentials);
         $a->addGrantType($pgrant);
 
@@ -134,7 +134,7 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase
         $testCredentials = function() { return false; };
 
         $a = $this->returnDefault();
-        $pgrant = new League\OAuth2\Server\Grant\Password($a);
+        $pgrant = new League\OAuth2\Server\Grant\Password();
         $pgrant->setVerifyCredentialsCallback($testCredentials);
         $a->addGrantType($pgrant);
 
@@ -168,7 +168,7 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase
         $testCredentials = function() { return false; };
 
         $a = $this->returnDefault();
-        $pgrant = new League\OAuth2\Server\Grant\Password($a);
+        $pgrant = new League\OAuth2\Server\Grant\Password();
         $pgrant->setVerifyCredentialsCallback($testCredentials);
         $a->addGrantType($pgrant);
 
@@ -203,7 +203,7 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase
         $testCredentials = function() { return false; };
 
         $a = $this->returnDefault();
-        $pgrant = new League\OAuth2\Server\Grant\Password($a);
+        $pgrant = new League\OAuth2\Server\Grant\Password();
         $pgrant->setVerifyCredentialsCallback($testCredentials);
         $a->addGrantType($pgrant);
 
@@ -240,7 +240,7 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase
         $testCredentials = function() { return 1; };
 
         $a = $this->returnDefault();
-        $pgrant = new League\OAuth2\Server\Grant\Password($a);
+        $pgrant = new League\OAuth2\Server\Grant\Password();
         $pgrant->setVerifyCredentialsCallback($testCredentials);
         $a->addGrantType($pgrant);
 
@@ -276,7 +276,7 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase
         $testCredentials = function() { return 1; };
 
         $a = $this->returnDefault();
-        $pgrant = new League\OAuth2\Server\Grant\Password($a);
+        $pgrant = new League\OAuth2\Server\Grant\Password();
         $pgrant->setVerifyCredentialsCallback($testCredentials);
         $a->addGrantType($pgrant);
         $a->requireScopeParam(true);
@@ -317,7 +317,7 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase
         $testCredentials = function() { return 1; };
 
         $a = $this->returnDefault();
-        $pgrant = new League\OAuth2\Server\Grant\Password($a);
+        $pgrant = new League\OAuth2\Server\Grant\Password();
         $pgrant->setVerifyCredentialsCallback($testCredentials);
         $a->addGrantType($pgrant);
         $a->requireScopeParam(false);
@@ -338,6 +338,54 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase
         $this->assertArrayHasKey('expires_in', $v);
     }
 
+    public function test_issueAccessToken_passwordGrant_defaultScopeArray()
+    {
+        $this->scope->shouldReceive('getScope')->andReturn(array(
+            'id'    =>  1,
+            'scope' =>  'foo',
+            'name'  =>  'Foo Name',
+            'description'   =>  'Foo Name Description'
+        ));
+
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->client->shouldReceive('validateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('createSession')->andReturn(1);
+        $this->session->shouldReceive('deleteSession')->andReturn(null);
+        $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+        $this->session->shouldReceive('associateScope')->andReturn(null);
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+
+        $testCredentials = function() { return 1; };
+
+        $a = $this->returnDefault();
+        $pgrant = new League\OAuth2\Server\Grant\Password();
+        $pgrant->setVerifyCredentialsCallback($testCredentials);
+        $a->addGrantType($pgrant);
+        $a->requireScopeParam(false);
+        $a->setDefaultScope(array('foobar', 'barfoo'));
+
+        $v = $a->issueAccessToken(array(
+            'grant_type'    =>  'password',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'username'  =>  'foo',
+            'password'  =>  'bar',
+            'scope' =>  ''
+        ));
+
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
+    }
+
     public function test_issueAccessToken_passwordGrant_goodScope()
     {
         $this->scope->shouldReceive('getScope')->andReturn(array(
@@ -365,7 +413,7 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase
         $testCredentials = function() { return 1; };
 
         $a = $this->returnDefault();
-        $pgrant = new League\OAuth2\Server\Grant\Password($a);
+        $pgrant = new League\OAuth2\Server\Grant\Password();
         $pgrant->setVerifyCredentialsCallback($testCredentials);
         $a->addGrantType($pgrant);
 
@@ -404,7 +452,7 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase
         $testCredentials = function() { return 1; };
 
         $a = $this->returnDefault();
-        $pgrant = new League\OAuth2\Server\Grant\Password($a);
+        $pgrant = new League\OAuth2\Server\Grant\Password();
         $pgrant->setVerifyCredentialsCallback($testCredentials);
         $a->addGrantType($pgrant);
         $a->requireScopeParam(false);
@@ -446,7 +494,7 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase
         $testCredentials = function() { return 1; };
 
         $a = $this->returnDefault();
-        $pgrant = new League\OAuth2\Server\Grant\Password($a);
+        $pgrant = new League\OAuth2\Server\Grant\Password();
         $pgrant->setVerifyCredentialsCallback($testCredentials);
         $a->addGrantType($pgrant);
         $a->requireScopeParam(false);
@@ -491,7 +539,7 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase
         $testCredentials = function() { return 1; };
 
         $a = $this->returnDefault();
-        $pgrant = new League\OAuth2\Server\Grant\Password($a);
+        $pgrant = new League\OAuth2\Server\Grant\Password();
         $pgrant->setVerifyCredentialsCallback($testCredentials);
         $pgrant->setAccessTokenTTL(30);
         $a->addGrantType($pgrant);
@@ -539,10 +587,10 @@ class Password_Grant_Test extends PHPUnit_Framework_TestCase
         $testCredentials = function() { return 1; };
 
         $a = $this->returnDefault();
-        $pgrant = new League\OAuth2\Server\Grant\Password($a);
+        $pgrant = new League\OAuth2\Server\Grant\Password();
         $pgrant->setVerifyCredentialsCallback($testCredentials);
         $a->addGrantType($pgrant);
-        $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken());
         $a->requireScopeParam(false);
 
         $_POST['grant_type'] = 'password';

tests/authorization/RefreshTokenTest.php

@@ -23,7 +23,7 @@ class Refresh_Token_test extends PHPUnit_Framework_TestCase
     public function test_setRefreshTokenTTL()
     {
         $a = $this->returnDefault();
-        $rt = new League\OAuth2\Server\Grant\RefreshToken($a);
+        $rt = new League\OAuth2\Server\Grant\RefreshToken();
         $rt->setRefreshTokenTTL(30);
         $this->assertEquals(30, $rt->getRefreshTokenTTL());
     }
@@ -42,10 +42,12 @@ class Refresh_Token_test extends PHPUnit_Framework_TestCase
         $this->session->shouldReceive('removeAuthCode')->andReturn(null);
         $this->session->shouldReceive('associateAccessToken')->andReturn(1);
         $this->session->shouldReceive('associateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('associateScope')->andReturn(null);
+        $this->session->shouldReceive('getAuthCodeScopes')->andReturn(array('scope_id' => 1));
 
         $a = $this->returnDefault();
-        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode($a));
-        $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\AuthCode());
+        $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken());
 
         $_POST['grant_type'] = 'authorization_code';
         $_POST['client_id'] = 1234;
@@ -75,7 +77,7 @@ class Refresh_Token_test extends PHPUnit_Framework_TestCase
     public function test_issueAccessToken_refreshTokenGrant_missingClientId()
     {
         $a = $this->returnDefault();
-        $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken());
 
         $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
         $a->setRequest($request);
@@ -92,7 +94,7 @@ class Refresh_Token_test extends PHPUnit_Framework_TestCase
     public function test_issueAccessToken_refreshTokenGrant_missingClientSecret()
     {
         $a = $this->returnDefault();
-        $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken());
 
         $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
         $a->setRequest($request);
@@ -112,7 +114,7 @@ class Refresh_Token_test extends PHPUnit_Framework_TestCase
         $this->client->shouldReceive('getClient')->andReturn(false);
 
         $a = $this->returnDefault();
-        $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken());
 
         $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
         $a->setRequest($request);
@@ -133,7 +135,7 @@ class Refresh_Token_test extends PHPUnit_Framework_TestCase
         $this->client->shouldReceive('getClient')->andReturn(array());
 
         $a = $this->returnDefault();
-        $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken());
 
         $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
         $a->setRequest($request);
@@ -155,7 +157,7 @@ class Refresh_Token_test extends PHPUnit_Framework_TestCase
         $this->session->shouldReceive('validateRefreshToken')->andReturn(false);
 
         $a = $this->returnDefault();
-        $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken());
 
         $request = new League\OAuth2\Server\Util\Request(array(), $_POST);
         $a->setRequest($request);
@@ -183,11 +185,12 @@ class Refresh_Token_test extends PHPUnit_Framework_TestCase
         $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
         $this->session->shouldReceive('associateAccessToken')->andReturn(1);
         $this->session->shouldReceive('associateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('removeRefreshToken')->andReturn(1);
         $this->session->shouldReceive('getAccessToken')->andReturn(null);
         $this->session->shouldReceive('getScopes')->andReturn(array());
 
         $a = $this->returnDefault();
-        $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken());
 
         $_POST['grant_type'] = 'refresh_token';
         $_POST['client_id'] = 1234;
@@ -203,7 +206,6 @@ class Refresh_Token_test extends PHPUnit_Framework_TestCase
         $this->assertArrayHasKey('token_type', $v);
         $this->assertArrayHasKey('expires', $v);
         $this->assertArrayHasKey('expires_in', $v);
-        $this->assertArrayHasKey('refresh_token', $v);
 
         $this->assertEquals($a->getAccessTokenTTL(), $v['expires_in']);
         $this->assertEquals(time()+$a->getAccessTokenTTL(), $v['expires']);
@@ -226,10 +228,53 @@ class Refresh_Token_test extends PHPUnit_Framework_TestCase
         $this->session->shouldReceive('getScopes')->andReturn(array('id'    =>  1));
         $this->session->shouldReceive('associateAccessToken')->andReturn(1);
         $this->session->shouldReceive('associateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('removeRefreshToken')->andReturn(1);
         $this->session->shouldReceive('associateScope')->andReturn(null);
 
         $a = $this->returnDefault();
-        $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken($a));
+        $a->addGrantType(new League\OAuth2\Server\Grant\RefreshToken());
+
+        $v = $a->issueAccessToken(array(
+            'grant_type'    =>  'refresh_token',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'refresh_token'  =>  'abcdef',
+        ));
+
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
+
+        $this->assertEquals($a->getAccessTokenTTL(), $v['expires_in']);
+        $this->assertEquals(time()+$a->getAccessTokenTTL(), $v['expires']);
+    }
+
+    public function test_issueAccessToken_refreshTokenGrant_rotateTokens()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->session->shouldReceive('validateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('updateSession')->andReturn(null);
+        $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+        $this->session->shouldReceive('getAccessToken')->andReturn(null);
+        $this->session->shouldReceive('getScopes')->andReturn(array('id'    =>  1));
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+        $this->session->shouldReceive('associateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('removeRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('associateScope')->andReturn(null);
+
+        $a = $this->returnDefault();
+
+        $rt = new League\OAuth2\Server\Grant\RefreshToken();
+        $rt->rotateRefreshTokens(true);
+        $a->addGrantType($rt);
 
         $v = $a->issueAccessToken(array(
             'grant_type'    =>  'refresh_token',
@@ -265,10 +310,11 @@ class Refresh_Token_test extends PHPUnit_Framework_TestCase
         $this->session->shouldReceive('getScopes')->andReturn(array('id'    =>  1));
         $this->session->shouldReceive('associateAccessToken')->andReturn(1);
         $this->session->shouldReceive('associateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('removeRefreshToken')->andReturn(1);
         $this->session->shouldReceive('associateScope')->andReturn(null);
 
         $a = $this->returnDefault();
-        $grant = new League\OAuth2\Server\Grant\RefreshToken($a);
+        $grant = new League\OAuth2\Server\Grant\RefreshToken();
         $grant->setAccessTokenTTL(30);
         $a->addGrantType($grant);
 
@@ -279,6 +325,52 @@ class Refresh_Token_test extends PHPUnit_Framework_TestCase
             'refresh_token'  =>  'abcdef',
         ));
 
+        $this->assertArrayHasKey('access_token', $v);
+        $this->assertArrayHasKey('token_type', $v);
+        $this->assertArrayHasKey('expires', $v);
+        $this->assertArrayHasKey('expires_in', $v);
+
+        $this->assertNotEquals($a->getAccessTokenTTL(), $v['expires_in']);
+        $this->assertNotEquals(time()+$a->getAccessTokenTTL(), $v['expires']);
+        $this->assertEquals(30, $v['expires_in']);
+        $this->assertEquals(time()+30, $v['expires']);
+    }
+
+    public function test_issueAccessToken_refreshTokenGrant_newScopes()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->session->shouldReceive('validateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('updateSession')->andReturn(null);
+        $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+        $this->session->shouldReceive('getAccessToken')->andReturn(null);
+        $this->session->shouldReceive('getScopes')->andReturn(array(array('id' => 1, 'scope' => 'foo'), array('id' => 2, 'scope' => 'bar')));
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+        $this->session->shouldReceive('associateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('removeRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('associateScope')->andReturn(null);
+        $this->scope->shouldReceive('getScope')->andReturn(array('id' => 1, 'scope' => 'foo'));
+
+        $a = $this->returnDefault();
+        $grant = new League\OAuth2\Server\Grant\RefreshToken();
+        $grant->setAccessTokenTTL(30);
+        $grant->rotateRefreshTokens(true);
+        $a->addGrantType($grant);
+
+        $v = $a->issueAccessToken(array(
+            'grant_type'    =>  'refresh_token',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'refresh_token'  =>  'abcdef',
+            'scope' =>  'foo'
+        ));
+
         $this->assertArrayHasKey('access_token', $v);
         $this->assertArrayHasKey('token_type', $v);
         $this->assertArrayHasKey('expires', $v);
@@ -290,4 +382,44 @@ class Refresh_Token_test extends PHPUnit_Framework_TestCase
         $this->assertEquals(30, $v['expires_in']);
         $this->assertEquals(time()+30, $v['expires']);
     }
+
+    /**
+     * @expectedException        League\OAuth2\Server\Exception\ClientException
+     * @expectedExceptionCode    0
+     */
+    public function test_issueAccessToken_refreshTokenGrant_badNewScopes()
+    {
+        $this->client->shouldReceive('getClient')->andReturn(array(
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'redirect_uri'  =>  'http://foo/redirect',
+            'name'  =>  'Example Client'
+        ));
+
+        $this->session->shouldReceive('validateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('validateAuthCode')->andReturn(1);
+        $this->session->shouldReceive('updateSession')->andReturn(null);
+        $this->session->shouldReceive('updateRefreshToken')->andReturn(null);
+        $this->session->shouldReceive('getAccessToken')->andReturn(null);
+        $this->session->shouldReceive('getScopes')->andReturn(array(array('id' => 1, 'scope' => 'foo'), array('id' => 2, 'scope' => 'bar')));
+        $this->session->shouldReceive('associateAccessToken')->andReturn(1);
+        $this->session->shouldReceive('associateRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('removeRefreshToken')->andReturn(1);
+        $this->session->shouldReceive('associateScope')->andReturn(null);
+        $this->scope->shouldReceive('getScope')->andReturn(array('id' => 1, 'scope' => 'foo'));
+
+        $a = $this->returnDefault();
+        $grant = new League\OAuth2\Server\Grant\RefreshToken();
+        $grant->setAccessTokenTTL(30);
+        $grant->rotateRefreshTokens(true);
+        $a->addGrantType($grant);
+
+        $a->issueAccessToken(array(
+            'grant_type'    =>  'refresh_token',
+            'client_id' =>  1234,
+            'client_secret' =>  5678,
+            'refresh_token'  =>  'abcdef',
+            'scope' =>  'foobar'
+        ));
+    }
 }

tests/resource/ResourceServerTest.php

@@ -83,6 +83,24 @@ class Resource_Server_test extends PHPUnit_Framework_TestCase
 	    $method->invoke($s);
     }
 
+    /**
+     * @expectedException League\OAuth2\Server\Exception\InvalidAccessTokenException
+     */
+    public function test_determineAccessToken_brokenCurlRequest()
+    {
+        $_SERVER['HTTP_AUTHORIZATION'] = 'Bearer, Bearer abcdef';
+        $request = new League\OAuth2\Server\Util\Request(array(), array(), array(), array(), $_SERVER);
+
+        $s = $this->returnDefault();
+        $s->setRequest($request);
+
+        $reflector = new ReflectionClass($s);
+        $method = $reflector->getMethod('determineAccessToken');
+        $method->setAccessible(true);
+
+        $method->invoke($s);
+    }
+
     public function test_determineAccessToken_fromHeader()
     {
         $request = new League\OAuth2\Server\Util\Request();
@@ -106,6 +124,29 @@ class Resource_Server_test extends PHPUnit_Framework_TestCase
 	    $this->assertEquals('abcdef', $result);
     }
 
+    public function test_determineAccessToken_fromBrokenCurlHeader()
+    {
+        $request = new League\OAuth2\Server\Util\Request();
+
+        $requestReflector = new ReflectionClass($request);
+        $param = $requestReflector->getProperty('headers');
+        $param->setAccessible(true);
+        $param->setValue($request, array(
+            'Authorization' =>  'Bearer abcdef, Bearer abcdef'
+        ));
+        $s = $this->returnDefault();
+        $s->setRequest($request);
+
+        $reflector = new ReflectionClass($s);
+
+        $method = $reflector->getMethod('determineAccessToken');
+        $method->setAccessible(true);
+
+        $result = $method->invoke($s);
+
+        $this->assertEquals('abcdef', $result);
+    }
+
     public function test_determineAccessToken_fromMethod()
     {
     	$s = $this->returnDefault();
@@ -155,8 +196,8 @@ class Resource_Server_test extends PHPUnit_Framework_TestCase
     	));
 
     	$this->session->shouldReceive('getScopes')->andReturn(array(
-            array('key' =>  'foo'),
-            array('key' =>  'bar')
+            array('scope' =>  'foo'),
+            array('scope' =>  'bar')
         ));
 
    		$request = new League\OAuth2\Server\Util\Request();

tests/util/RequestTest.php

@@ -59,6 +59,20 @@ class Request_test extends PHPUnit_Framework_TestCase
 		$this->assertEquals(array('Host' => 'foobar.com'), $this->request->header());
 	}
 
+	function test_canonical_header()
+	{
+		$request = new League\OAuth2\Server\Util\Request(
+			array('foo' => 'bar'),
+			array('foo' => 'bar'),
+			array('foo' => 'bar'),
+			array('foo' => 'bar'),
+			array('HTTP_HOST' => 'foobar.com'),
+			array('authorization' => 'Bearer ajdfkljadslfjasdlkj')
+		);
+
+		$this->assertEquals('Bearer ajdfkljadslfjasdlkj', $request->header('Authorization'));
+	}
+
 	/**
 	 * @expectedException InvalidArgumentException
 	 */