Changelog update

Lowered symfony/http-foundation to ~2.4 so Laravel can use it
Version bump
2025-05-31 14:12:07 +05:30 · 2014-12-31 16:03:26 +00:00 · 2014-12-31 15:51:52 +00:00 · 2014-12-27 23:01:11 +00:00 · 2014-12-27 23:00:17 +00:00 · 2014-12-27 23:00:11 +00:00
55 changed files with 982 additions and 155 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -11,4 +11,5 @@
 /tests/codecept/tests/_log
 oauth2-server.paw
 /output_*/
-/_site
+/_site
+.idea
--- a/.travis.yml
+++ b/.travis.yml
@@ -11,8 +11,34 @@ install:

 script:
  - mkdir -p build/logs
-  - phpunit --coverage-text --verbose --coverage-clover=coverage.clover
+  - phpunit --coverage-text --verbose --coverage-clover=coverage.clover --coverage-html coverage

 after_script:
  - wget https://scrutinizer-ci.com/ocular.phar
  - php ocular.phar code-coverage:upload --format=php-clover coverage.clover
+  - git config --global user.email "travis@travis-ci.org"
+  - git config --global user.name "TravisCI"
+  - cp -R coverage ${HOME}/coverage
+  - cd ${HOME}
+  - git clone --quiet --branch=gh-pages https://${GITHUBTOKEN}@github.com/thephpleague/oauth2-server.git gh-pages > /dev/null
+  - cd gh-pages
+  - mkdir ${TRAVIS_BRANCH}
+  - cd ${TRAVIS_BRANCH}
+  - cp -Rf $HOME/coverage/* .
+  - git add -f .
+  - git commit -m "Travis pushed coverage of ${TRAVIS_COMMIT}@${TRAVIS_BRANCH} to gh-pages"
+  - git push -fq origin gh-pages > /dev/null
+branches:
+  only:
+    - master
+env:
+  global:
+    secure: "C4wD/BQefKSu9W594iyLp+IBCjlM8kKlmp+nXKXnZGi0L8IkV3m4mmNOb8PExxGMhZ3mlev5DnU4Uoh4oJaUxnkR1FpX4dSEpyzU3VknUzSE2yZOlL+bdCw3o85TGoCcp/+ReJCOw5sncxTskJKHlW1YMa33FznaXwLNoImpjTg="
+
+notifications:
+  webhooks:
+    urls:
+      - https://webhooks.gitter.im/e/7de0ca12596cd5268f30
+    on_success: always  # options: [always|never|change] default: always
+    on_failure: always  # options: [always|never|change] default: always
+    on_start: false     # default: false
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,20 @@
 # Changelog

+## 4.1.1 (released 2014-12-31)
+
+* Changed `symfony/http-foundation` dependency version to `~2.4` so package can be installed in Laravel `4.1.*`
+
+## 4.1.0 (released 2014-12-27)
+
+* Added MAC token support (Issue #158)
+* Fixed example init code (Issue #280)
+* Toggle refresh token rotation (Issue #286)
+* Docblock fixes
+
+## 4.0.5 (released 2014-12-15)
+
+* Prevent duplicate session in auth code grant (Issue #282)
+
 ## 4.0.4 (released 2014-12-03)

 * Ensure refresh token hasn't expired (Issue #270)
--- a/README.md
+++ b/README.md
@@ -5,7 +5,7 @@
 [![Build Status](https://img.shields.io/travis/thephpleague/oauth2-server/master.svg?style=flat-square)](https://travis-ci.org/thephpleague/oauth2-server)
 [![Coverage Status](https://img.shields.io/scrutinizer/coverage/g/thephpleague/oauth2-server.svg?style=flat-square)](https://scrutinizer-ci.com/g/thephpleague/oauth2-server/code-structure)
 [![Quality Score](https://img.shields.io/scrutinizer/g/thephpleague/oauth2-server.svg?style=flat-square)](https://scrutinizer-ci.com/g/thephpleague/oauth2-server)
-[![Total Downloads](https://img.shields.io/packagist/dt/league/oauth2-server.svg?style=flat-square)](https://packagist.org/packages/league/oauth2-server)
+[![Total Downloads](https://img.shields.io/packagist/dt/league/oauth2-server.svg?style=flat-square)](https://packagist.org/packages/league/oauth2-server) [![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/thephpleague/oauth2-server?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)


 A standards compliant [OAuth 2.0](http://tools.ietf.org/wg/oauth/draft-ietf-oauth-v2/) authorization server and resource server written in PHP which makes working with OAuth 2.0 trivial. You can easily configure an OAuth 2.0 server to protect your API with access tokens, or allow clients to request new access tokens and refresh them.
@@ -22,9 +22,11 @@ You can also define your own grants.
 In addition it supports the following token types:

 * Bearer tokens
-* MAC tokens (coming soon)
+* MAC tokens
 * JSON web tokens (coming soon)

+You can also create you own tokens.
+

 ## Requirements

--- a/composer.json
+++ b/composer.json
@@ -5,7 +5,7 @@
 	"license": "MIT",
 	"require": {
 		"php": ">=5.4.0",
-		"symfony/http-foundation": "~2.5",
+		"symfony/http-foundation": "~2.4",
 		"league/event": "1.0.*"
 	},
 	"require-dev": {
--- a/examples/relational/Model/Users.php
+++ b/examples/relational/Model/Users.php
@@ -20,6 +20,6 @@ class Users
            return $result;
        }

-        return null;
+        return;
    }
 }
--- a/examples/relational/Storage/AccessTokenStorage.php
+++ b/examples/relational/Storage/AccessTokenStorage.php
@@ -3,7 +3,6 @@
 namespace RelationalExample\Storage;

 use Illuminate\Database\Capsule\Manager as Capsule;
-use League\OAuth2\Server\Entity\AbstractTokenEntity;
 use League\OAuth2\Server\Entity\AccessTokenEntity;
 use League\OAuth2\Server\Entity\ScopeEntity;
 use League\OAuth2\Server\Storage\AbstractStorage;
@@ -28,7 +27,7 @@ class AccessTokenStorage extends AbstractStorage implements AccessTokenInterface
            return $token;
        }

-        return null;
+        return;
    }

    /**
--- a/examples/relational/Storage/AuthCodeStorage.php
+++ b/examples/relational/Storage/AuthCodeStorage.php
@@ -29,7 +29,7 @@ class AuthCodeStorage extends AbstractStorage implements AuthCodeInterface
            return $token;
        }

-        return null;
+        return;
    }

    public function create($token, $expireTime, $sessionId, $redirectUri)
--- a/examples/relational/Storage/ClientStorage.php
+++ b/examples/relational/Storage/ClientStorage.php
@@ -41,7 +41,7 @@ class ClientStorage extends AbstractStorage implements ClientInterface
            return $client;
        }

-        return null;
+        return;
    }

    /**
@@ -65,6 +65,6 @@ class ClientStorage extends AbstractStorage implements ClientInterface
            return $client;
        }

-        return null;
+        return;
    }
 }
--- a/examples/relational/Storage/RefreshTokenStorage.php
+++ b/examples/relational/Storage/RefreshTokenStorage.php
@@ -27,7 +27,7 @@ class RefreshTokenStorage extends AbstractStorage implements RefreshTokenInterfa
            return $token;
        }

-        return null;
+        return;
    }

    /**
--- a/examples/relational/Storage/ScopeStorage.php
+++ b/examples/relational/Storage/ScopeStorage.php
@@ -19,7 +19,7 @@ class ScopeStorage extends AbstractStorage implements ScopeInterface
                                ->get();

        if (count($result) === 0) {
-            return null;
+            return;
        }

        return (new ScopeEntity($this->server))->hydrate([
--- a/examples/relational/Storage/SessionStorage.php
+++ b/examples/relational/Storage/SessionStorage.php
@@ -31,7 +31,7 @@ class SessionStorage extends AbstractStorage implements SessionInterface
            return $session;
        }

-        return null;
+        return;
    }

    /**
@@ -53,7 +53,7 @@ class SessionStorage extends AbstractStorage implements SessionInterface
            return $session;
        }

-        return null;
+        return;
    }

    /**
--- a/examples/relational/api.php
+++ b/examples/relational/api.php
@@ -34,12 +34,14 @@ $router = new \Orno\Route\RouteCollection();
 // GET /tokeninfo
 $router->get('/tokeninfo', function (Request $request) use ($server) {

+    $accessToken = $server->getAccessToken();
+    $session = $server->getSessionStorage()->getByAccessToken($accessToken);
    $token = [
-        'owner_id'  =>  $server->getOwnerId(),
-        'owner_type'  =>  $server->getOwnerType(),
-        'access_token'  =>  $server->getAccessToken(),
-        'client_id'  =>  $server->getClientId(),
-        'scopes'  =>  $server->getScopes(),
+        'owner_id' => $session->getOwnerId(),
+        'owner_type' => $session->getOwnerType(),
+        'access_token' => $accessToken,
+        'client_id' => $session->getClient()->getId(),
+        'scopes' => $accessToken->getScopes(),
    ];

    return new Response(json_encode($token));
@@ -59,11 +61,11 @@ $router->get('/users', function (Request $request) use ($server) {
            'name'      =>  $result['name'],
        ];

-        if ($server->hasScope('email')) {
+        if ($server->getAccessToken()->hasScope('email')) {
            $user['email'] = $result['email'];
        }

-        if ($server->hasScope('photo')) {
+        if ($server->getAccessToken()->hasScope('photo')) {
            $user['photo'] = $result['photo'];
        }

@@ -74,7 +76,7 @@ $router->get('/users', function (Request $request) use ($server) {
 });

 // GET /users/{username}
-$router->get('/users/{username}', function (Request $request, $args) use ($server) {
+$router->get('/users/{username}', function (Request $request, Response $response, array $args) use ($server) {

    $result = (new Model\Users())->get($args['username']);

@@ -87,11 +89,11 @@ $router->get('/users/{username}', function (Request $request, $args) use ($serve
        'name'      =>  $result[0]['name'],
    ];

-    if ($server->hasScope('email')) {
+    if ($server->getAccessToken()->hasScope('email')) {
        $user['email'] = $result[0]['email'];
    }

-    if ($server->hasScope('photo')) {
+    if ($server->getAccessToken()->hasScope('photo')) {
        $user['photo'] = $result[0]['photo'];
    }

--- a/examples/relational/config/init.php
+++ b/examples/relational/config/init.php
@@ -102,7 +102,7 @@ Capsule::table('oauth_scopes')->insert([
 print 'Creating sessions table'.PHP_EOL;

 Capsule::schema()->create('oauth_sessions', function ($table) {
-    $table->increments('id');
+    $table->increments('id')->unsigned();
    $table->string('owner_type');
    $table->string('owner_id');
    $table->string('client_id');
@@ -135,7 +135,7 @@ print 'Creating access tokens table'.PHP_EOL;

 Capsule::schema()->create('oauth_access_tokens', function ($table) {
    $table->string('access_token')->primary();
-    $table->integer('session_id');
+    $table->integer('session_id')->unsigned();
    $table->integer('expire_time');

    $table->foreign('session_id')->references('id')->on('oauth_sessions')->onDelete('cascade');
@@ -168,7 +168,7 @@ Capsule::schema()->create('oauth_refresh_tokens', function ($table) {
    $table->integer('expire_time');
    $table->string('access_token');

-    $table->foreign('access_token')->references('id')->on('oauth_access_tokens')->onDelete('cascade');
+    $table->foreign('access_token')->references('access_token')->on('oauth_access_tokens')->onDelete('cascade');
 });

 /******************************************************************************/
@@ -177,7 +177,7 @@ print 'Creating auth codes table'.PHP_EOL;

 Capsule::schema()->create('oauth_auth_codes', function ($table) {
    $table->string('auth_code')->primary();
-    $table->integer('session_id');
+    $table->integer('session_id')->unsigned();
    $table->integer('expire_time');
    $table->string('client_redirect_uri');

@@ -189,7 +189,7 @@ Capsule::schema()->create('oauth_auth_codes', function ($table) {
 print 'Creating oauth access token scopes table'.PHP_EOL;

 Capsule::schema()->create('oauth_access_token_scopes', function ($table) {
-    $table->increments('id');
+    $table->increments('id')->unsigned();
    $table->string('access_token');
    $table->string('scope');

@@ -240,8 +240,8 @@ Capsule::schema()->create('oauth_auth_code_scopes', function ($table) {
 print 'Creating oauth session scopes table'.PHP_EOL;

 Capsule::schema()->create('oauth_session_scopes', function ($table) {
-    $table->increments('id');
-    $table->string('session_id');
+    $table->increments('id')->unsigned();
+    $table->integer('session_id')->unsigned();
    $table->string('scope');

    $table->foreign('session_id')->references('id')->on('oauth_sessions')->onDelete('cascade');
--- a/src/AbstractServer.php
+++ b/src/AbstractServer.php
@@ -15,6 +15,7 @@ use League\Event\Emitter;
 use League\OAuth2\Server\Storage\AccessTokenInterface;
 use League\OAuth2\Server\Storage\AuthCodeInterface;
 use League\OAuth2\Server\Storage\ClientInterface;
+use League\OAuth2\Server\Storage\MacTokenInterface;
 use League\OAuth2\Server\Storage\RefreshTokenInterface;
 use League\OAuth2\Server\Storage\ScopeInterface;
 use League\OAuth2\Server\Storage\SessionInterface;
@@ -24,7 +25,6 @@ use Symfony\Component\HttpFoundation\Request;
 /**
 * OAuth 2.0 Resource Server
 */
-
 abstract class AbstractServer
 {
    /**
@@ -36,48 +36,61 @@ abstract class AbstractServer

    /**
     * Session storage
+     *
     * @var \League\OAuth2\Server\Storage\SessionInterface
     */
    protected $sessionStorage;

    /**
     * Access token storage
+     *
     * @var \League\OAuth2\Server\Storage\AccessTokenInterface
     */
    protected $accessTokenStorage;

    /**
     * Refresh token storage
+     *
     * @var \League\OAuth2\Server\Storage\RefreshTokenInterface
     */
    protected $refreshTokenStorage;

    /**
     * Auth code storage
+     *
     * @var \League\OAuth2\Server\Storage\AuthCodeInterface
     */
    protected $authCodeStorage;

    /**
     * Scope storage
+     *
     * @var \League\OAuth2\Server\Storage\ScopeInterface
     */
    protected $scopeStorage;

    /**
     * Client storage
+     *
     * @var \League\OAuth2\Server\Storage\ClientInterface
     */
    protected $clientStorage;

+    /**
+     * @var \League\OAuth2\Server\Storage\MacTokenInterface
+     */
+    protected $macStorage;
+
    /**
     * Token type
+     *
     * @var \League\OAuth2\Server\TokenType\TokenTypeInterface
     */
    protected $tokenType;

    /**
     * Event emitter
+     *
     * @var \League\Event\Emitter
     */
    protected $eventEmitter;
@@ -92,6 +105,7 @@ abstract class AbstractServer

    /**
     * Set an event emitter
+     *
     * @param object $emitter Event emitter object
     */
    public function setEventEmitter($emitter = null)
@@ -105,6 +119,7 @@ abstract class AbstractServer

    /**
     * Add an event listener to the event emitter
+     *
     * @param string   $eventName Event name
     * @param callable $listener  Callable function or method
     */
@@ -115,6 +130,7 @@ abstract class AbstractServer

    /**
     * Returns the event emitter
+     *
     * @return \League\Event\Emitter
     */
    public function getEventEmitter()
@@ -124,7 +140,9 @@ abstract class AbstractServer

    /**
     * Sets the Request Object
+     *
     * @param \Symfony\Component\HttpFoundation\Request The Request Object
+     *
     * @return self
     */
    public function setRequest($request)
@@ -136,6 +154,7 @@ abstract class AbstractServer

    /**
     * Gets the Request object. It will create one from the globals if one is not set.
+     *
     * @return \Symfony\Component\HttpFoundation\Request
     */
    public function getRequest()
@@ -149,7 +168,9 @@ abstract class AbstractServer

    /**
     * Set the client storage
-     * @param  \League\OAuth2\Server\Storage\ClientInterface $storage
+     *
+     * @param \League\OAuth2\Server\Storage\ClientInterface $storage
+     *
     * @return self
     */
    public function setClientStorage(ClientInterface $storage)
@@ -162,7 +183,9 @@ abstract class AbstractServer

    /**
     * Set the session storage
-     * @param  \League\OAuth2\Server\Storage\SessionInterface $storage
+     *
+     * @param \League\OAuth2\Server\Storage\SessionInterface $storage
+     *
     * @return self
     */
    public function setSessionStorage(SessionInterface $storage)
@@ -175,7 +198,9 @@ abstract class AbstractServer

    /**
     * Set the access token storage
-     * @param  \League\OAuth2\Server\Storage\AccessTokenInterface $storage
+     *
+     * @param \League\OAuth2\Server\Storage\AccessTokenInterface $storage
+     *
     * @return self
     */
    public function setAccessTokenStorage(AccessTokenInterface $storage)
@@ -188,7 +213,9 @@ abstract class AbstractServer

    /**
     * Set the refresh token storage
-     * @param  \League\OAuth2\Server\Storage\RefreshTokenInterface $storage
+     *
+     * @param \League\OAuth2\Server\Storage\RefreshTokenInterface $storage
+     *
     * @return self
     */
    public function setRefreshTokenStorage(RefreshTokenInterface $storage)
@@ -201,7 +228,9 @@ abstract class AbstractServer

    /**
     * Set the auth code storage
-     * @param  \League\OAuth2\Server\Storage\AuthCodeInterface $storage
+     *
+     * @param \League\OAuth2\Server\Storage\AuthCodeInterface $storage
+     *
     * @return self
     */
    public function setAuthCodeStorage(AuthCodeInterface $storage)
@@ -214,7 +243,9 @@ abstract class AbstractServer

    /**
     * Set the scope storage
-     * @param  \League\OAuth2\Server\Storage\ScopeInterface $storage
+     *
+     * @param \League\OAuth2\Server\Storage\ScopeInterface $storage
+     *
     * @return self
     */
    public function setScopeStorage(ScopeInterface $storage)
@@ -227,6 +258,7 @@ abstract class AbstractServer

    /**
     * Return the client storage
+     *
     * @return \League\OAuth2\Server\Storage\ClientInterface
     */
    public function getClientStorage()
@@ -236,6 +268,7 @@ abstract class AbstractServer

    /**
     * Return the scope storage
+     *
     * @return \League\OAuth2\Server\Storage\ScopeInterface
     */
    public function getScopeStorage()
@@ -245,6 +278,7 @@ abstract class AbstractServer

    /**
     * Return the session storage
+     *
     * @return \League\OAuth2\Server\Storage\SessionInterface
     */
    public function getSessionStorage()
@@ -254,6 +288,7 @@ abstract class AbstractServer

    /**
     * Return the refresh token storage
+     *
     * @return \League\OAuth2\Server\Storage\RefreshTokenInterface
     */
    public function getRefreshTokenStorage()
@@ -263,6 +298,7 @@ abstract class AbstractServer

    /**
     * Return the access token storage
+     *
     * @return \League\OAuth2\Server\Storage\AccessTokenInterface
     */
    public function getAccessTokenStorage()
@@ -272,6 +308,7 @@ abstract class AbstractServer

    /**
     * Return the auth code storage
+     *
     * @return \League\OAuth2\Server\Storage\AuthCodeInterface
     */
    public function getAuthCodeStorage()
@@ -281,7 +318,9 @@ abstract class AbstractServer

    /**
     * Set the access token type
-     * @param  TokenTypeInterface $tokenType The token type
+     *
+     * @param TokenTypeInterface $tokenType The token type
+     *
     * @return void
     */
    public function setTokenType(TokenTypeInterface $tokenType)
@@ -292,10 +331,27 @@ abstract class AbstractServer

    /**
     * Get the access token type
+     *
     * @return TokenTypeInterface
     */
    public function getTokenType()
    {
        return $this->tokenType;
    }
+
+    /**
+     * @return MacTokenInterface
+     */
+    public function getMacStorage()
+    {
+        return $this->macStorage;
+    }
+
+    /**
+     * @param MacTokenInterface $macStorage
+     */
+    public function setMacStorage(MacTokenInterface $macStorage)
+    {
+        $this->macStorage = $macStorage;
+    }
 }
--- a/src/AuthorizationServer.php
+++ b/src/AuthorizationServer.php
@@ -22,48 +22,56 @@ class AuthorizationServer extends AbstractServer
    /**
     * The delimeter between scopes specified in the scope query string parameter
     * The OAuth 2 specification states it should be a space but most use a comma
+     *
     * @var string
     */
    protected $scopeDelimiter = ' ';

    /**
     * The TTL (time to live) of an access token in seconds (default: 3600)
+     *
     * @var integer
     */
    protected $accessTokenTTL = 3600;

    /**
     * The registered grant response types
+     *
     * @var array
     */
    protected $responseTypes = [];

    /**
     * The registered grant types
+     *
     * @var array
     */
    protected $grantTypes = [];

    /**
     * Require the "scope" parameter to be in checkAuthoriseParams()
+     *
     * @var boolean
     */
    protected $requireScopeParam = false;

    /**
     * Default scope(s) to be used if none is provided
+     *
     * @var string|array
     */
    protected $defaultScope;

    /**
     * Require the "state" parameter to be in checkAuthoriseParams()
+     *
     * @var boolean
     */
    protected $requireStateParam = false;

    /**
     * Create a new OAuth2 authorization server
+     *
     * @return self
     */
    public function __construct()
@@ -78,8 +86,10 @@ class AuthorizationServer extends AbstractServer

    /**
     * Enable support for a grant
-     * @param  GrantTypeInterface $grantType  A grant class which conforms to Interface/GrantTypeInterface
-     * @param  null|string        $identifier An identifier for the grant (autodetected if not passed)
+     *
+     * @param GrantTypeInterface $grantType  A grant class which conforms to Interface/GrantTypeInterface
+     * @param null|string        $identifier An identifier for the grant (autodetected if not passed)
+     *
     * @return self
     */
    public function addGrantType(GrantTypeInterface $grantType, $identifier = null)
@@ -102,7 +112,9 @@ class AuthorizationServer extends AbstractServer

    /**
     * Check if a grant type has been enabled
-     * @param  string $identifier The grant type identifier
+     *
+     * @param string $identifier The grant type identifier
+     *
     * @return boolean Returns "true" if enabled, "false" if not
     */
    public function hasGrantType($identifier)
@@ -112,6 +124,7 @@ class AuthorizationServer extends AbstractServer

    /**
     * Returns response types
+     *
     * @return array
     */
    public function getResponseTypes()
@@ -121,7 +134,9 @@ class AuthorizationServer extends AbstractServer

    /**
     * Require the "scope" parameter in checkAuthoriseParams()
-     * @param  boolean $require
+     *
+     * @param boolean $require
+     *
     * @return self
     */
    public function requireScopeParam($require = true)
@@ -133,6 +148,7 @@ class AuthorizationServer extends AbstractServer

    /**
     * Is the scope parameter required?
+     *
     * @return bool
     */
    public function scopeParamRequired()
@@ -142,7 +158,9 @@ class AuthorizationServer extends AbstractServer

    /**
     * Default scope to be used if none is provided and requireScopeParam() is false
+     *
     * @param string $default Name of the default scope
+     *
     * @return self
     */
    public function setDefaultScope($default = null)
@@ -154,6 +172,7 @@ class AuthorizationServer extends AbstractServer

    /**
     * Default scope to be used if none is provided and requireScopeParam is false
+     *
     * @return string|null
     */
    public function getDefaultScope()
@@ -162,7 +181,8 @@ class AuthorizationServer extends AbstractServer
    }

    /**
-     * Require the "state" paremter in checkAuthoriseParams()
+     * Require the "state" parameter in checkAuthoriseParams()
+     *
     * @return bool
     */
    public function stateParamRequired()
@@ -171,8 +191,10 @@ class AuthorizationServer extends AbstractServer
    }

    /**
-     * Require the "state" paremter in checkAuthoriseParams()
-     * @param  boolean $require
+     * Require the "state" parameter in checkAuthoriseParams()
+     *
+     * @param boolean $require
+     *
     * @return self
     */
    public function requireStateParam($require = true)
@@ -184,6 +206,7 @@ class AuthorizationServer extends AbstractServer

    /**
     * Get the scope delimiter
+     *
     * @return string The scope delimiter (default: ",")
     */
    public function getScopeDelimiter()
@@ -193,7 +216,9 @@ class AuthorizationServer extends AbstractServer

    /**
     * Set the scope delimiter
+     *
     * @param string $scopeDelimiter
+     *
     * @return self
     */
    public function setScopeDelimiter($scopeDelimiter = ' ')
@@ -205,6 +230,7 @@ class AuthorizationServer extends AbstractServer

    /**
     * Get the TTL for an access token
+     *
     * @return int The TTL
     */
    public function getAccessTokenTTL()
@@ -214,7 +240,9 @@ class AuthorizationServer extends AbstractServer

    /**
     * Set the TTL for an access token
+     *
     * @param int $accessTokenTTL The new TTL
+     *
     * @return self
     */
    public function setAccessTokenTTL($accessTokenTTL = 3600)
@@ -226,7 +254,9 @@ class AuthorizationServer extends AbstractServer

    /**
     * Issue an access token
+     *
     * @return array Authorise request parameters
+     *
     * @throws
     */
    public function issueAccessToken()
@@ -247,8 +277,11 @@ class AuthorizationServer extends AbstractServer

    /**
     * Return a grant type class
-     * @param  string $grantType The grant type identifier
+     *
+     * @param string $grantType The grant type identifier
+     *
     * @return Grant\GrantTypeInterface
+     *
     * @throws
     */
    public function getGrantType($grantType)
--- a/src/Entity/AbstractTokenEntity.php
+++ b/src/Entity/AbstractTokenEntity.php
@@ -21,37 +21,44 @@ abstract class AbstractTokenEntity
 {
    /**
     * Token identifier
+     *
     * @var string
     */
    protected $id;

    /**
     * Associated session
+     *
     * @var \League\OAuth2\Server\Entity\SessionEntity
     */
    protected $session;

    /**
     * Session scopes
+     *
     * @var \League\OAuth2\Server\Entity\ScopeEntity[]
     */
    protected $scopes;

    /**
     * Token expire time
+     *
     * @var int
     */
    protected $expireTime = 0;

    /**
     * Authorization or resource server
+     *
     * @var \League\OAuth2\Server\AbstractServer
     */
    protected $server;

    /**
     * __construct
-     * @param  \League\OAuth2\Server\AbstractServer $server
+     *
+     * @param \League\OAuth2\Server\AbstractServer $server
+     *
     * @return self
     */
    public function __construct(AbstractServer $server)
@@ -63,7 +70,9 @@ abstract class AbstractTokenEntity

    /**
     * Set session
-     * @param  \League\OAuth2\Server\Entity\SessionEntity $session
+     *
+     * @param \League\OAuth2\Server\Entity\SessionEntity $session
+     *
     * @return self
     */
    public function setSession(SessionEntity $session)
@@ -75,7 +84,9 @@ abstract class AbstractTokenEntity

    /**
     * Set the expire time of the token
-     * @param  integer $expireTime Unix time stamp
+     *
+     * @param integer $expireTime Unix time stamp
+     *
     * @return self
     */
    public function setExpireTime($expireTime)
@@ -87,6 +98,7 @@ abstract class AbstractTokenEntity

    /**
     * Return token expire time
+     *
     * @return int
     */
    public function getExpireTime()
@@ -96,6 +108,7 @@ abstract class AbstractTokenEntity

    /**
     * Is the token expired?
+     *
     * @return bool
     */
    public function isExpired()
@@ -105,7 +118,9 @@ abstract class AbstractTokenEntity

    /**
     * Set token ID
-     * @param  string $id Token ID
+     *
+     * @param string $id Token ID
+     *
     * @return self
     */
    public function setId($id = null)
@@ -117,6 +132,7 @@ abstract class AbstractTokenEntity

    /**
     * Get the token ID
+     *
     * @return string
     */
    public function getId()
@@ -126,7 +142,9 @@ abstract class AbstractTokenEntity

    /**
     * Associate a scope
-     * @param  \League\OAuth2\Server\Entity\ScopeEntity $scope
+     *
+     * @param \League\OAuth2\Server\Entity\ScopeEntity $scope
+     *
     * @return self
     */
    public function associateScope(ScopeEntity $scope)
@@ -140,7 +158,9 @@ abstract class AbstractTokenEntity

    /**
     * Format the local scopes array
+     *
     * @param  \League\OAuth2\Server\Entity\ScopeEntity[]
+     *
     * @return array
     */
    protected function formatScopes($unformatted = [])
@@ -161,6 +181,7 @@ abstract class AbstractTokenEntity

    /**
     * Returns the token as a string if the object is cast as a string
+     *
     * @return string
     */
    public function __toString()
@@ -174,12 +195,14 @@ abstract class AbstractTokenEntity

    /**
     * Expire the token
+     *
     * @return void
     */
    abstract public function expire();

    /**
     * Save the token
+     *
     * @return void
     */
    abstract public function save();
--- a/src/Entity/AccessTokenEntity.php
+++ b/src/Entity/AccessTokenEntity.php
@@ -18,6 +18,7 @@ class AccessTokenEntity extends AbstractTokenEntity
 {
    /**
     * Get session
+     *
     * @return \League\OAuth2\Server\Entity\SessionEntity
     */
    public function getSession()
@@ -33,7 +34,9 @@ class AccessTokenEntity extends AbstractTokenEntity

    /**
     * Check if access token has an associated scope
-     * @param  string $scope Scope to check
+     *
+     * @param string $scope Scope to check
+     *
     * @return bool
     */
    public function hasScope($scope)
@@ -47,6 +50,7 @@ class AccessTokenEntity extends AbstractTokenEntity

    /**
     * Return all scopes associated with the access token
+     *
     * @return \League\OAuth2\Server\Entity\ScopeEntity[]
     */
    public function getScopes()
--- a/src/Entity/AuthCodeEntity.php
+++ b/src/Entity/AuthCodeEntity.php
@@ -18,13 +18,16 @@ class AuthCodeEntity extends AbstractTokenEntity
 {
    /**
     * Redirect URI
+     *
     * @var string
     */
    protected $redirectUri = '';

    /**
     * Set the redirect URI for the authorization request
-     * @param  string $redirectUri
+     *
+     * @param string $redirectUri
+     *
     * @return self
     */
    public function setRedirectUri($redirectUri)
@@ -36,6 +39,7 @@ class AuthCodeEntity extends AbstractTokenEntity

    /**
     * Get the redirect URI
+     *
     * @return string
     */
    public function getRedirectUri()
@@ -45,8 +49,10 @@ class AuthCodeEntity extends AbstractTokenEntity

    /**
     * Generate a redirect URI
-     * @param  string $state          The state parameter if set by the client
-     * @param  string $queryDelimeter The query delimiter ('?' for auth code grant, '#' for implicit grant)
+     *
+     * @param string $state          The state parameter if set by the client
+     * @param string $queryDelimeter The query delimiter ('?' for auth code grant, '#' for implicit grant)
+     *
     * @return string
     */
    public function generateRedirectUri($state = null, $queryDelimeter = '?')
@@ -62,6 +68,7 @@ class AuthCodeEntity extends AbstractTokenEntity

    /**
     * Get session
+     *
     * @return \League\OAuth2\Server\Entity\SessionEntity
     */
    public function getSession()
@@ -77,6 +84,7 @@ class AuthCodeEntity extends AbstractTokenEntity

    /**
     * Return all scopes associated with the session
+     *
     * @return \League\OAuth2\Server\Entity\ScopeEntity[]
     */
    public function getScopes()
--- a/src/Entity/ClientEntity.php
+++ b/src/Entity/ClientEntity.php
@@ -22,37 +22,44 @@ class ClientEntity

    /**
     * Client identifier
+     *
     * @var string
     */
    protected $id = null;

    /**
     * Client secret
+     *
     * @var string
     */
    protected $secret = null;

    /**
     * Client name
+     *
     * @var string
     */
    protected $name = null;

    /**
     * Client redirect URI
+     *
     * @var string
     */
    protected $redirectUri = null;

    /**
     * Authorization or resource server
+     *
     * @var \League\OAuth2\Server\AbstractServer
     */
    protected $server;

    /**
     * __construct
-     * @param  \League\OAuth2\Server\AbstractServer $server
+     *
+     * @param \League\OAuth2\Server\AbstractServer $server
+     *
     * @return self
     */
    public function __construct(AbstractServer $server)
@@ -64,6 +71,7 @@ class ClientEntity

    /**
     * Return the client identifier
+     *
     * @return string
     */
    public function getId()
@@ -73,6 +81,7 @@ class ClientEntity

    /**
     * Return the client secret
+     *
     * @return string
     */
    public function getSecret()
@@ -82,6 +91,7 @@ class ClientEntity

    /**
     * Get the client name
+     *
     * @return string
     */
    public function getName()
@@ -91,6 +101,7 @@ class ClientEntity

    /**
     * Returnt the client redirect URI
+     *
     * @return string
     */
    public function getRedirectUri()
--- a/src/Entity/EntityTrait.php
+++ b/src/Entity/EntityTrait.php
@@ -15,7 +15,9 @@ trait EntityTrait
 {
    /**
     * Hydrate an entity with properites
+     *
     * @param array $properties
+     *
     * @return self
     */
    public function hydrate(array $properties)
--- a/src/Entity/RefreshTokenEntity.php
+++ b/src/Entity/RefreshTokenEntity.php
@@ -18,19 +18,23 @@ class RefreshTokenEntity extends AbstractTokenEntity
 {
    /**
     * Access token associated to refresh token
+     *
     * @var \League\OAuth2\Server\Entity\AccessTokenEntity
     */
    protected $accessTokenEntity;

    /**
     * Id of the access token
+     *
     * @var string
     */
    protected $accessTokenId;

    /**
     * Set the ID of the associated access token
-     * @param  string $accessTokenId
+     *
+     * @param string $accessTokenId
+     *
     * @return self
     */
    public function setAccessTokenId($accessTokenId)
@@ -42,7 +46,9 @@ class RefreshTokenEntity extends AbstractTokenEntity

    /**
     * Associate an access token
-     * @param  \League\OAuth2\Server\Entity\AccessTokenEntity $accessTokenEntity
+     *
+     * @param \League\OAuth2\Server\Entity\AccessTokenEntity $accessTokenEntity
+     *
     * @return self
     */
    public function setAccessToken(AccessTokenEntity $accessTokenEntity)
@@ -54,6 +60,7 @@ class RefreshTokenEntity extends AbstractTokenEntity

    /**
     * Return access token
+     *
     * @return AccessTokenEntity
     */
    public function getAccessToken()
--- a/src/Entity/ScopeEntity.php
+++ b/src/Entity/ScopeEntity.php
@@ -22,25 +22,30 @@ class ScopeEntity implements \JsonSerializable

    /**
     * Scope identifier
+     *
     * @var string
     */
    protected $id;

    /**
     * Scope description
+     *
     * @var string
     */
    protected $description;

    /**
     * Authorization or resource server
+     *
     * @var \League\OAuth2\Server\AbstractServer
     */
    protected $server;

    /**
     * __construct
-     * @param  \League\OAuth2\Server\AbstractServer $server
+     *
+     * @param \League\OAuth2\Server\AbstractServer $server
+     *
     * @return self
     */
    public function __construct(AbstractServer $server)
@@ -52,6 +57,7 @@ class ScopeEntity implements \JsonSerializable

    /**
     * Return the scope identifer
+     *
     * @return string
     */
    public function getId()
@@ -61,6 +67,7 @@ class ScopeEntity implements \JsonSerializable

    /**
     * Return the scope's description
+     *
     * @return string
     */
    public function getDescription()
@@ -70,6 +77,7 @@ class ScopeEntity implements \JsonSerializable

    /**
     * Returns a JSON object when entity is passed into json_encode
+     *
     * @return array
     */
    public function jsonSerialize()
--- a/src/Entity/SessionEntity.php
+++ b/src/Entity/SessionEntity.php
@@ -21,61 +21,72 @@ class SessionEntity
 {
    /**
     * Session identifier
+     *
     * @var string
     */
    protected $id;

    /**
     * Client identifier
+     *
     * @var \League\OAuth2\Server\Entity\ClientEntity
     */
    protected $client;

    /**
     * Session owner identifier
+     *
     * @var string
     */
    protected $ownerId;

    /**
     * Session owner type (e.g. "user")
+     *
     * @var string
     */
    protected $ownerType;

    /**
     * Auth code
+     *
     * @var \League\OAuth2\Server\Entity\AuthCodeEntity
     */
    protected $authCode;

    /**
     * Access token
+     *
     * @var \League\OAuth2\Server\Entity\AccessTokenEntity
     */
    protected $accessToken;

    /**
     * Refresh token
+     *
     * @var \League\OAuth2\Server\Entity\RefreshTokenEntity
     */
    protected $refreshToken;

    /**
     * Session scopes
+     *
     * @var \Symfony\Component\HttpFoundation\ParameterBag
     */
    protected $scopes;

    /**
     * Authorization or resource server
+     *
     * @var \League\OAuth2\Server\AuthorizationServer|\League\OAuth2\Server\ResourceServer
     */
    protected $server;

    /**
     * __construct
-     * @param  \League\OAuth2\Server\AbstractServer $server
+     *
+     * @param \League\OAuth2\Server\AbstractServer $server
+     *
     * @return self
     */
    public function __construct(AbstractServer $server)
@@ -87,7 +98,9 @@ class SessionEntity

    /**
     * Set the session identifier
-     * @param  string $id
+     *
+     * @param string $id
+     *
     * @return self
     */
    public function setId($id)
@@ -99,6 +112,7 @@ class SessionEntity

    /**
     * Return the session identifier
+     *
     * @return string
     */
    public function getId()
@@ -108,7 +122,9 @@ class SessionEntity

    /**
     * Associate a scope
-     * @param  \League\OAuth2\Server\Entity\ScopeEntity $scope
+     *
+     * @param \League\OAuth2\Server\Entity\ScopeEntity $scope
+     *
     * @return self
     */
    public function associateScope(ScopeEntity $scope)
@@ -122,7 +138,9 @@ class SessionEntity

    /**
     * Check if access token has an associated scope
-     * @param  string $scope Scope to check
+     *
+     * @param string $scope Scope to check
+     *
     * @return bool
     */
    public function hasScope($scope)
@@ -136,6 +154,7 @@ class SessionEntity

    /**
     * Return all scopes associated with the session
+     *
     * @return \League\OAuth2\Server\Entity\ScopeEntity[]
     */
    public function getScopes()
@@ -149,7 +168,9 @@ class SessionEntity

    /**
     * Format the local scopes array
+     *
     * @param  \League\OAuth2\Server\Entity\Scope[]
+     *
     * @return array
     */
    private function formatScopes($unformatted = [])
@@ -168,7 +189,9 @@ class SessionEntity

    /**
     * Associate an access token with the session
-     * @param  \League\OAuth2\Server\Entity\AccessTokenEntity $accessToken
+     *
+     * @param \League\OAuth2\Server\Entity\AccessTokenEntity $accessToken
+     *
     * @return self
     */
    public function associateAccessToken(AccessTokenEntity $accessToken)
@@ -180,7 +203,9 @@ class SessionEntity

    /**
     * Associate a refresh token with the session
-     * @param  \League\OAuth2\Server\Entity\RefreshTokenEntity $refreshToken
+     *
+     * @param \League\OAuth2\Server\Entity\RefreshTokenEntity $refreshToken
+     *
     * @return self
     */
    public function associateRefreshToken(RefreshTokenEntity $refreshToken)
@@ -192,7 +217,9 @@ class SessionEntity

    /**
     * Associate a client with the session
-     * @param  \League\OAuth2\Server\Entity\ClientEntity $client The client
+     *
+     * @param \League\OAuth2\Server\Entity\ClientEntity $client The client
+     *
     * @return self
     */
    public function associateClient(ClientEntity $client)
@@ -204,6 +231,7 @@ class SessionEntity

    /**
     * Return the session client
+     *
     * @return \League\OAuth2\Server\Entity\ClientEntity
     */
    public function getClient()
@@ -219,8 +247,10 @@ class SessionEntity

    /**
     * Set the session owner
-     * @param  string $type The type of the owner (e.g. user, app)
-     * @param  string $id   The identifier of the owner
+     *
+     * @param string $type The type of the owner (e.g. user, app)
+     * @param string $id   The identifier of the owner
+     *
     * @return self
     */
    public function setOwner($type, $id)
@@ -235,6 +265,7 @@ class SessionEntity

    /**
     * Return session owner identifier
+     *
     * @return string
     */
    public function getOwnerId()
@@ -244,6 +275,7 @@ class SessionEntity

    /**
     * Return session owner type
+     *
     * @return string
     */
    public function getOwnerType()
@@ -253,6 +285,7 @@ class SessionEntity

    /**
     * Save the session
+     *
     * @return void
     */
    public function save()
--- a/src/Event/ClientAuthenticationFailedEvent.php
+++ b/src/Event/ClientAuthenticationFailedEvent.php
@@ -18,12 +18,14 @@ class ClientAuthenticationFailedEvent extends AbstractEvent
 {
    /**
     * Request
+     *
     * @var \Symfony\Component\HttpFoundation\Request
     */
    private $request;

    /**
     * Init the event with a request
+     *
     * @param \Symfony\Component\HttpFoundation\Request $request
     */
    public function __construct(Request $request)
@@ -33,6 +35,7 @@ class ClientAuthenticationFailedEvent extends AbstractEvent

    /**
     * The name of the event
+     *
     * @return string
     */
    public function getName()
@@ -42,6 +45,7 @@ class ClientAuthenticationFailedEvent extends AbstractEvent

    /**
     * Return request
+     *
     * @return \Symfony\Component\HttpFoundation\Request
     */
    public function getRequest()
--- a/src/Event/SessionOwnerEvent.php
+++ b/src/Event/SessionOwnerEvent.php
@@ -18,12 +18,14 @@ class SessionOwnerEvent extends AbstractEvent
 {
    /**
     * Session entity
+     *
     * @var \League\OAuth2\Server\Entity\SessionEntity
     */
    private $session;

    /**
     * Init the event with a session
+     *
     * @param \League\OAuth2\Server\Entity\SessionEntity $session
     */
    public function __construct(SessionEntity $session)
@@ -33,6 +35,7 @@ class SessionOwnerEvent extends AbstractEvent

    /**
     * The name of the event
+     *
     * @return string
     */
    public function getName()
@@ -42,6 +45,7 @@ class SessionOwnerEvent extends AbstractEvent

    /**
     * Return session
+     *
     * @return \League\OAuth2\Server\Entity\SessionEntity
     */
    public function getSession()
--- a/src/Event/UserAuthenticationFailedEvent.php
+++ b/src/Event/UserAuthenticationFailedEvent.php
@@ -18,12 +18,14 @@ class UserAuthenticationFailedEvent extends AbstractEvent
 {
    /**
     * Request
+     *
     * @var \Symfony\Component\HttpFoundation\Request
     */
    private $request;

    /**
     * Init the event with a request
+     *
     * @param \Symfony\Component\HttpFoundation\Request $request
     */
    public function __construct(Request $request)
@@ -33,6 +35,7 @@ class UserAuthenticationFailedEvent extends AbstractEvent

    /**
     * The name of the event
+     *
     * @return string
     */
    public function getName()
@@ -42,6 +45,7 @@ class UserAuthenticationFailedEvent extends AbstractEvent

    /**
     * Return request
+     *
     * @return \Symfony\Component\HttpFoundation\Request
     */
    public function getRequest()
--- a/src/Exception/OAuthException.php
+++ b/src/Exception/OAuthException.php
@@ -26,6 +26,7 @@ class OAuthException extends \Exception

    /**
     * Redirect URI if the server should redirect back to the client
+     *
     * @var string|null
     */
    public $redirectUri = null;
@@ -37,6 +38,7 @@ class OAuthException extends \Exception

    /**
     * Throw a new exception
+     *
     * @param string $msg Exception Message
     */
    public function __construct($msg = 'An error occured')
@@ -46,6 +48,7 @@ class OAuthException extends \Exception

    /**
     * Should the server redirect back to the client?
+     *
     * @return bool
     */
    public function shouldRedirect()
@@ -55,6 +58,7 @@ class OAuthException extends \Exception

    /**
     * Return redirect URI if set
+     *
     * @return string|null
     */
    public function getRedirectUri()
@@ -70,6 +74,7 @@ class OAuthException extends \Exception

    /**
     * Get all headers that have to be send with the error response
+     *
     * @return array Array with header values
     */
    public function getHttpHeaders()
--- a/src/Grant/AbstractGrant.php
+++ b/src/Grant/AbstractGrant.php
@@ -23,30 +23,35 @@ abstract class AbstractGrant implements GrantTypeInterface
 {
    /**
     * Grant identifier
+     *
     * @var string
     */
    protected $identifier = '';

    /**
     * Response type
+     *
     * @var string
     */
    protected $responseType;

    /**
     * Callback to authenticate a user's name and password
+     *
     * @var callable
     */
    protected $callback;

    /**
     * AuthServer instance
+     *
     * @var \League\OAuth2\Server\AuthorizationServer
     */
    protected $server;

    /**
     * Access token expires in override
+     *
     * @var int
     */
    protected $accessTokenTTL;
@@ -79,6 +84,7 @@ abstract class AbstractGrant implements GrantTypeInterface

    /**
     * Get the TTL for an access token
+     *
     * @return int The TTL
     */
    public function getAccessTokenTTL()
@@ -92,7 +98,9 @@ abstract class AbstractGrant implements GrantTypeInterface

    /**
     * Override the default access token expire time
-     * @param  int $accessTokenTTL
+     *
+     * @param int $accessTokenTTL
+     *
     * @return self
     */
    public function setAccessTokenTTL($accessTokenTTL)
@@ -114,10 +122,13 @@ abstract class AbstractGrant implements GrantTypeInterface

    /**
     * Given a list of scopes, validate them and return an array of Scope entities
-     * @param  string                                    $scopeParam  A string of scopes (e.g. "profile email birthday")
-     * @param  \League\OAuth2\Server\Entity\ClientEntity $client      Client entity
-     * @param  string|null                               $redirectUri The redirect URI to return the user to
+     *
+     * @param string                                    $scopeParam  A string of scopes (e.g. "profile email birthday")
+     * @param \League\OAuth2\Server\Entity\ClientEntity $client      Client entity
+     * @param string|null                               $redirectUri The redirect URI to return the user to
+     *
     * @return \League\OAuth2\Server\Entity\ScopeEntity[]
+     *
     * @throws \League\OAuth2\Server\Exception\InvalidScopeException If scope is invalid, or no scopes passed when required
     * @throws
     */
@@ -167,7 +178,9 @@ abstract class AbstractGrant implements GrantTypeInterface

    /**
     * Format the local scopes array
+     *
     * @param  \League\OAuth2\Server\Entity\ScopeEntity[]
+     *
     * @return array
     */
    protected function formatScopes($unformated = [])
--- a/src/Grant/AuthCodeGrant.php
+++ b/src/Grant/AuthCodeGrant.php
@@ -27,37 +27,44 @@ class AuthCodeGrant extends AbstractGrant
 {
    /**
     * Grant identifier
+     *
     * @var string
     */
    protected $identifier = 'authorization_code';

    /**
     * Response type
+     *
     * @var string
     */
    protected $responseType = 'code';

    /**
     * AuthServer instance
+     *
     * @var \League\OAuth2\Server\AuthorizationServer
     */
    protected $server = null;

    /**
     * Access token expires in override
+     *
     * @var int
     */
    protected $accessTokenTTL = null;

    /**
     * The TTL of the auth token
+     *
     * @var integer
     */
    protected $authTokenTTL = 600;

    /**
     * Override the default access token expire time
-     * @param  int $authTokenTTL
+     *
+     * @param int $authTokenTTL
+     *
     * @return void
     */
    public function setAuthTokenTTL($authTokenTTL)
@@ -129,9 +136,10 @@ class AuthCodeGrant extends AbstractGrant
    /**
     * Parse a new authorize request
     *
-     * @param  string $type       The session owner's type
-     * @param  string $typeId     The session owner's ID
-     * @param  array  $authParams The authorize request $_GET parameters
+     * @param string $type       The session owner's type
+     * @param string $typeId     The session owner's ID
+     * @param array  $authParams The authorize request $_GET parameters
+     *
     * @return string An authorisation code
     */
    public function newAuthorizeRequest($type, $typeId, $authParams = [])
@@ -160,7 +168,9 @@ class AuthCodeGrant extends AbstractGrant

    /**
     * Complete the auth code grant
+     *
     * @return array
+     *
     * @throws
     */
    public function completeFlow()
@@ -250,7 +260,6 @@ class AuthCodeGrant extends AbstractGrant
        $code->expire();

        // Save all the things
-        $session->save();
        $accessToken->setSession($session);
        $accessToken->save();

--- a/src/Grant/ClientCredentialsGrant.php
+++ b/src/Grant/ClientCredentialsGrant.php
@@ -25,31 +25,37 @@ class ClientCredentialsGrant extends AbstractGrant
 {
    /**
     * Grant identifier
+     *
     * @var string
     */
    protected $identifier = 'client_credentials';

    /**
     * Response type
+     *
     * @var string
     */
    protected $responseType = null;

    /**
     * AuthServer instance
+     *
     * @var \League\OAuth2\Server\AuthorizationServer
     */
    protected $server = null;

    /**
     * Access token expires in override
+     *
     * @var int
     */
    protected $accessTokenTTL = null;

    /**
     * Complete the client credentials grant
+     *
     * @return array
+     *
     * @throws
     */
    public function completeFlow()
--- a/src/Grant/GrantTypeInterface.php
+++ b/src/Grant/GrantTypeInterface.php
@@ -20,32 +20,39 @@ interface GrantTypeInterface
 {
    /**
     * Return the identifier
+     *
     * @return string
     */
    public function getIdentifier();

    /**
     * Return the identifier
-     * @param  string $identifier
+     *
+     * @param string $identifier
+     *
     * @return self
     */
    public function setIdentifier($identifier);

    /**
     * Return the response type
+     *
     * @return string
     */
    public function getResponseType();

    /**
     * Inject the authorization server into the grant
-     * @param  \League\OAuth2\Server\AuthorizationServer $server The authorization server instance
+     *
+     * @param \League\OAuth2\Server\AuthorizationServer $server The authorization server instance
+     *
     * @return self
     */
    public function setAuthorizationServer(AuthorizationServer $server);

    /**
     * Complete the grant flow
+     *
     * @return array
     */
    public function completeFlow();
--- a/src/Grant/PasswordGrant.php
+++ b/src/Grant/PasswordGrant.php
@@ -26,31 +26,37 @@ class PasswordGrant extends AbstractGrant
 {
    /**
     * Grant identifier
+     *
     * @var string
     */
    protected $identifier = 'password';

    /**
     * Response type
+     *
     * @var string
     */
    protected $responseType;

    /**
     * Callback to authenticate a user's name and password
+     *
     * @var callable
     */
    protected $callback;

    /**
     * Access token expires in override
+     *
     * @var int
     */
    protected $accessTokenTTL;

    /**
     * Set the callback to verify a user's username and password
-     * @param  callable $callback The callback function
+     *
+     * @param callable $callback The callback function
+     *
     * @return void
     */
    public function setVerifyCredentialsCallback(callable $callback)
@@ -60,7 +66,9 @@ class PasswordGrant extends AbstractGrant

    /**
     * Return the callback function
+     *
     * @return callable
+     *
     * @throws
     */
    protected function getVerifyCredentialsCallback()
@@ -74,7 +82,9 @@ class PasswordGrant extends AbstractGrant

    /**
     * Complete the password grant
+     *
     * @return array
+     *
     * @throws
     */
    public function completeFlow()
--- a/src/Grant/RefreshTokenGrant.php
+++ b/src/Grant/RefreshTokenGrant.php
@@ -30,13 +30,23 @@ class RefreshTokenGrant extends AbstractGrant

    /**
     * Refresh token TTL (default = 604800 | 1 week)
+     *
     * @var integer
     */
    protected $refreshTokenTTL = 604800;

+    /**
+     * Rotate token (default = true)
+     *
+     * @var integer
+     */
+    protected $refreshTokenRotate = true;
+
    /**
     * Set the TTL of the refresh token
-     * @param  int $refreshTokenTTL
+     *
+     * @param int $refreshTokenTTL
+     *
     * @return void
     */
    public function setRefreshTokenTTL($refreshTokenTTL)
@@ -46,6 +56,7 @@ class RefreshTokenGrant extends AbstractGrant

    /**
     * Get the TTL of the refresh token
+     *
     * @return int
     */
    public function getRefreshTokenTTL()
@@ -53,6 +64,25 @@ class RefreshTokenGrant extends AbstractGrant
        return $this->refreshTokenTTL;
    }

+    /**
+     * Set the rotation boolean of the refresh token
+     * @param bool $refreshTokenRotate
+     */
+    public function setRefreshTokenRotation($refreshTokenRotate = true)
+    {
+        $this->refreshTokenRotate = $refreshTokenRotate;
+    }
+
+    /**
+     * Get rotation boolean of the refresh token
+     *
+     * @return bool
+     */
+    public function shouldRotateRefreshTokens()
+    {
+        return $this->refreshTokenRotate;
+    }
+
    /**
     * {@inheritdoc}
     */
@@ -142,17 +172,21 @@ class RefreshTokenGrant extends AbstractGrant
        $this->server->getTokenType()->setParam('access_token', $newAccessToken->getId());
        $this->server->getTokenType()->setParam('expires_in', $this->getAccessTokenTTL());

-        // Expire the old refresh token
-        $oldRefreshToken->expire();
+        if ($this->shouldRotateRefreshTokens()) {
+            // Expire the old refresh token
+            $oldRefreshToken->expire();

-        // Generate a new refresh token
-        $newRefreshToken = new RefreshTokenEntity($this->server);
-        $newRefreshToken->setId(SecureKey::generate());
-        $newRefreshToken->setExpireTime($this->getRefreshTokenTTL() + time());
-        $newRefreshToken->setAccessToken($newAccessToken);
-        $newRefreshToken->save();
+            // Generate a new refresh token
+            $newRefreshToken = new RefreshTokenEntity($this->server);
+            $newRefreshToken->setId(SecureKey::generate());
+            $newRefreshToken->setExpireTime($this->getRefreshTokenTTL() + time());
+            $newRefreshToken->setAccessToken($newAccessToken);
+            $newRefreshToken->save();

-        $this->server->getTokenType()->setParam('refresh_token', $newRefreshToken->getId());
+            $this->server->getTokenType()->setParam('refresh_token', $newRefreshToken->getId());
+        } else {
+            $this->server->getTokenType()->setParam('refresh_token', $oldRefreshToken->getId());
+        }

        return $this->server->getTokenType()->generateResponse();
    }
--- a/src/ResourceServer.php
+++ b/src/ResourceServer.php
@@ -25,22 +25,26 @@ class ResourceServer extends AbstractServer
 {
    /**
     * The access token
+     *
     * @var \League\OAuth2\Server\Entity\AccessTokenEntity
     */
    protected $accessToken;

    /**
     * The query string key which is used by clients to present the access token (default: access_token)
+     *
     * @var string
     */
    protected $tokenKey = 'access_token';

    /**
     * Initialise the resource server
-     * @param  SessionInterface     $sessionStorage
-     * @param  AccessTokenInterface $accessTokenStorage
-     * @param  ClientInterface      $clientStorage
-     * @param  ScopeInterface       $scopeStorage
+     *
+     * @param SessionInterface     $sessionStorage
+     * @param AccessTokenInterface $accessTokenStorage
+     * @param ClientInterface      $clientStorage
+     * @param ScopeInterface       $scopeStorage
+     *
     * @return self
     */
    public function __construct(
@@ -64,7 +68,9 @@ class ResourceServer extends AbstractServer

    /**
     * Sets the query string key for the access token.
+     *
     * @param string $key The new query string key
+     *
     * @return self
     */
    public function setIdKey($key)
@@ -76,6 +82,7 @@ class ResourceServer extends AbstractServer

    /**
     * Gets the access token
+     *
     * @return \League\OAuth2\Server\Entity\AccessTokenEntity
     */
    public function getAccessToken()
@@ -85,7 +92,8 @@ class ResourceServer extends AbstractServer

    /**
     * Checks if the access token is valid or not
-     * @param bool $headersOnly Limit Access Token to Authorization header only
+     *
+     * @param bool                   $headersOnly Limit Access Token to Authorization header only
     * @param AccessTokenEntity|null $accessToken Access Token
     *
     * @return bool
@@ -117,8 +125,11 @@ class ResourceServer extends AbstractServer

    /**
     * Reads in the access token from the headers
+     *
     * @param bool $headersOnly Limit Access Token to Authorization header only
+     *
     * @throws Exception\InvalidRequestException Thrown if there is no access token presented
+     *
     * @return string
     */
    public function determineAccessToken($headersOnly = false)
--- a/src/Storage/AbstractStorage.php
+++ b/src/Storage/AbstractStorage.php
@@ -20,13 +20,16 @@ abstract class AbstractStorage implements StorageInterface
 {
    /**
     * Server
+     *
     * @var \League\OAuth2\Server\AbstractServer $server
     */
    protected $server;

    /**
     * Set the server
+     *
     * @param \League\OAuth2\Server\AbstractServer $server
+     *
     * @return self
     */
    public function setServer(AbstractServer $server)
@@ -38,6 +41,7 @@ abstract class AbstractStorage implements StorageInterface

    /**
     * Return the server
+     *
     * @return \League\OAuth2\Server\AbstractServer
     */
    protected function getServer()
--- a/src/Storage/AccessTokenInterface.php
+++ b/src/Storage/AccessTokenInterface.php
@@ -21,38 +21,48 @@ interface AccessTokenInterface extends StorageInterface
 {
    /**
     * Get an instance of Entity\AccessTokenEntity
-     * @param  string                                         $token The access token
+     *
+     * @param string $token The access token
+     *
     * @return \League\OAuth2\Server\Entity\AccessTokenEntity
     */
    public function get($token);

    /**
     * Get the scopes for an access token
-     * @param  \League\OAuth2\Server\Entity\AccessTokenEntity $token The access token
-     * @return array                                            Array of \League\OAuth2\Server\Entity\ScopeEntity
+     *
+     * @param \League\OAuth2\Server\Entity\AccessTokenEntity $token The access token
+     *
+     * @return array Array of \League\OAuth2\Server\Entity\ScopeEntity
     */
    public function getScopes(AccessTokenEntity $token);

    /**
     * Creates a new access token
-     * @param  string                                   $token      The access token
-     * @param  integer                                  $expireTime The expire time expressed as a unix timestamp
-     * @param  string|integer                           $sessionId  The session ID
-     * @return \League\OAuth2\Server\Entity\AccessTokenEntity
+     *
+     * @param string         $token      The access token
+     * @param integer        $expireTime The expire time expressed as a unix timestamp
+     * @param string|integer $sessionId  The session ID
+     *
+     * @return void
     */
    public function create($token, $expireTime, $sessionId);

    /**
     * Associate a scope with an acess token
-     * @param  \League\OAuth2\Server\Entity\AccessTokenEntity $token The access token
-     * @param  \League\OAuth2\Server\Entity\ScopeEntity         $scope The scope
+     *
+     * @param \League\OAuth2\Server\Entity\AccessTokenEntity $token The access token
+     * @param \League\OAuth2\Server\Entity\ScopeEntity       $scope The scope
+     *
     * @return void
     */
    public function associateScope(AccessTokenEntity $token, ScopeEntity $scope);

    /**
     * Delete an access token
-     * @param  \League\OAuth2\Server\Entity\AccessTokenEntity $token The access token to delete
+     *
+     * @param \League\OAuth2\Server\Entity\AccessTokenEntity $token The access token to delete
+     *
     * @return void
     */
    public function delete(AccessTokenEntity $token);
--- a/src/Storage/AuthCodeInterface.php
+++ b/src/Storage/AuthCodeInterface.php
@@ -21,13 +21,16 @@ interface AuthCodeInterface extends StorageInterface
 {
    /**
     * Get the auth code
-     * @param  string                                      $code
+     *
+     * @param string $code
+     *
     * @return \League\OAuth2\Server\Entity\AuthCodeEntity
     */
    public function get($code);

    /**
     * Create an auth code.
+     *
     * @param string  $token       The token ID
     * @param integer $expireTime  Token expire time
     * @param integer $sessionId   Session identifier
@@ -39,22 +42,28 @@ interface AuthCodeInterface extends StorageInterface

    /**
     * Get the scopes for an access token
-     * @param  \League\OAuth2\Server\Entity\AuthCodeEntity $token The auth code
-     * @return array                                       Array of \League\OAuth2\Server\Entity\ScopeEntity
+     *
+     * @param \League\OAuth2\Server\Entity\AuthCodeEntity $token The auth code
+     *
+     * @return array Array of \League\OAuth2\Server\Entity\ScopeEntity
     */
    public function getScopes(AuthCodeEntity $token);

    /**
     * Associate a scope with an acess token
-     * @param  \League\OAuth2\Server\Entity\AuthCodeEntity $token The auth code
-     * @param  \League\OAuth2\Server\Entity\ScopeEntity    $scope The scope
+     *
+     * @param \League\OAuth2\Server\Entity\AuthCodeEntity $token The auth code
+     * @param \League\OAuth2\Server\Entity\ScopeEntity    $scope The scope
+     *
     * @return void
     */
    public function associateScope(AuthCodeEntity $token, ScopeEntity $scope);

    /**
     * Delete an access token
-     * @param  \League\OAuth2\Server\Entity\AuthCodeEntity $token The access token to delete
+     *
+     * @param \League\OAuth2\Server\Entity\AuthCodeEntity $token The access token to delete
+     *
     * @return void
     */
    public function delete(AuthCodeEntity $token);
--- a/src/Storage/ClientInterface.php
+++ b/src/Storage/ClientInterface.php
@@ -20,17 +20,21 @@ interface ClientInterface extends StorageInterface
 {
    /**
     * Validate a client
-     * @param  string                                   $clientId     The client's ID
-     * @param  string                                   $clientSecret The client's secret (default = "null")
-     * @param  string                                   $redirectUri  The client's redirect URI (default = "null")
-     * @param  string                                   $grantType    The grant type used (default = "null")
+     *
+     * @param string $clientId     The client's ID
+     * @param string $clientSecret The client's secret (default = "null")
+     * @param string $redirectUri  The client's redirect URI (default = "null")
+     * @param string $grantType    The grant type used (default = "null")
+     *
     * @return \League\OAuth2\Server\Entity\ClientEntity
     */
    public function get($clientId, $clientSecret = null, $redirectUri = null, $grantType = null);

    /**
     * Get the client associated with a session
-     * @param  \League\OAuth2\Server\Entity\SessionEntity $session The session
+     *
+     * @param \League\OAuth2\Server\Entity\SessionEntity $session The session
+     *
     * @return \League\OAuth2\Server\Entity\ClientEntity
     */
    public function getBySession(SessionEntity $session);
--- a/src/Storage/MacTokenInterface.php
+++ b/src/Storage/MacTokenInterface.php
@@ -0,0 +1,34 @@
+<?php
+/**
+ * OAuth 2.0 MAC Token Interface
+ *
+ * @package     league/oauth2-server
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Storage;
+
+
+/**
+ * MacTokenInterface
+ */
+interface MacTokenInterface extends StorageInterface
+{
+    /**
+     * Create a MAC key linked to an access token
+     * @param  string $macKey
+     * @param  string $accessToken
+     * @return void
+     */
+    public function create($macKey, $accessToken);
+
+    /**
+     * Get a MAC key by access token
+     * @param  string $accessToken
+     * @return string
+     */
+    public function getByAccessToken($accessToken);
+}
--- a/src/Storage/RefreshTokenInterface.php
+++ b/src/Storage/RefreshTokenInterface.php
@@ -20,23 +20,29 @@ interface RefreshTokenInterface extends StorageInterface
 {
    /**
     * Return a new instance of \League\OAuth2\Server\Entity\RefreshTokenEntity
-     * @param  string                                          $token
+     *
+     * @param string $token
+     *
     * @return \League\OAuth2\Server\Entity\RefreshTokenEntity
     */
    public function get($token);

    /**
     * Create a new refresh token_name
-     * @param  string                                          $token
-     * @param  integer                                         $expireTime
-     * @param  string                                          $accessToken
+     *
+     * @param string  $token
+     * @param integer $expireTime
+     * @param string  $accessToken
+     *
     * @return \League\OAuth2\Server\Entity\RefreshTokenEntity
     */
    public function create($token, $expireTime, $accessToken);

    /**
     * Delete the refresh token
-     * @param  \League\OAuth2\Server\Entity\RefreshTokenEntity $token
+     *
+     * @param \League\OAuth2\Server\Entity\RefreshTokenEntity $token
+     *
     * @return void
     */
    public function delete(RefreshTokenEntity $token);
--- a/src/Storage/ScopeInterface.php
+++ b/src/Storage/ScopeInterface.php
@@ -18,9 +18,11 @@ interface ScopeInterface extends StorageInterface
 {
    /**
     * Return information about a scope
-     * @param  string                                   $scope     The scope
-     * @param  string                                   $grantType The grant type used in the request (default = "null")
-     * @param  string                                   $clientId  The client sending the request (default = "null")
+     *
+     * @param string $scope     The scope
+     * @param string $grantType The grant type used in the request (default = "null")
+     * @param string $clientId  The client sending the request (default = "null")
+     *
     * @return \League\OAuth2\Server\Entity\ScopeEntity
     */
    public function get($scope, $grantType = null, $clientId = null);
--- a/src/Storage/SessionInterface.php
+++ b/src/Storage/SessionInterface.php
@@ -23,39 +23,49 @@ interface SessionInterface extends StorageInterface
 {
    /**
     * Get a session from an access token
-     * @param  \League\OAuth2\Server\Entity\AccessTokenEntity $accessToken The access token
+     *
+     * @param \League\OAuth2\Server\Entity\AccessTokenEntity $accessToken The access token
+     *
     * @return \League\OAuth2\Server\Entity\SessionEntity
     */
    public function getByAccessToken(AccessTokenEntity $accessToken);

    /**
     * Get a session from an auth code
-     * @param  \League\OAuth2\Server\Entity\AuthCodeEntity $authCode The auth code
+     *
+     * @param \League\OAuth2\Server\Entity\AuthCodeEntity $authCode The auth code
+     *
     * @return \League\OAuth2\Server\Entity\SessionEntity
     */
    public function getByAuthCode(AuthCodeEntity $authCode);

    /**
     * Get a session's scopes
+     *
     * @param  \League\OAuth2\Server\Entity\SessionEntity
+     *
     * @return array Array of \League\OAuth2\Server\Entity\ScopeEntity
     */
    public function getScopes(SessionEntity $session);

    /**
     * Create a new session
-     * @param  string  $ownerType         Session owner's type (user, client)
-     * @param  string  $ownerId           Session owner's ID
-     * @param  string  $clientId          Client ID
-     * @param  string  $clientRedirectUri Client redirect URI (default = null)
+     *
+     * @param string $ownerType         Session owner's type (user, client)
+     * @param string $ownerId           Session owner's ID
+     * @param string $clientId          Client ID
+     * @param string $clientRedirectUri Client redirect URI (default = null)
+     *
     * @return integer The session's ID
     */
    public function create($ownerType, $ownerId, $clientId, $clientRedirectUri = null);

    /**
     * Associate a scope with a session
-     * @param  \League\OAuth2\Server\Entity\SessionEntity $session The session
-     * @param  \League\OAuth2\Server\Entity\ScopeEntity   $scope The scope
+     *
+     * @param \League\OAuth2\Server\Entity\SessionEntity $session The session
+     * @param \League\OAuth2\Server\Entity\ScopeEntity   $scope   The scope
+     *
     * @return void
     */
    public function associateScope(SessionEntity $session, ScopeEntity $scope);
--- a/src/Storage/StorageInterface.php
+++ b/src/Storage/StorageInterface.php
@@ -20,6 +20,7 @@ interface StorageInterface
 {
    /**
     * Set the server
+     *
     * @param \League\OAuth2\Server\AbstractServer $server
     */
    public function setServer(AbstractServer $server);
--- a/src/TokenType/AbstractTokenType.php
+++ b/src/TokenType/AbstractTokenType.php
@@ -18,18 +18,21 @@ abstract class AbstractTokenType
 {
    /**
     * Response array
+     *
     * @var array
     */
    protected $response = [];

    /**
     * Server
+     *
     * @var \League\OAuth2\Server\AbstractServer $server
     */
    protected $server;

    /**
     * Server
+     *
     * @var \League\OAuth2\Server\Entity\SessionEntity $session
     */
    protected $session;
--- a/src/TokenType/MAC.php
+++ b/src/TokenType/MAC.php
@@ -0,0 +1,149 @@
+<?php
+/**
+ * OAuth 2.0 MAC Token Type
+ *
+ * @package     league/oauth2-server
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\TokenType;
+
+use League\OAuth2\Server\Util\SecureKey;
+use Symfony\Component\HttpFoundation\ParameterBag;
+use Symfony\Component\HttpFoundation\Request;
+
+/**
+ * MAC Token Type
+ */
+class MAC extends AbstractTokenType implements TokenTypeInterface
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function generateResponse()
+    {
+        $macKey = SecureKey::generate();
+        $this->server->getMacStorage()->create($macKey, $this->getParam('access_token'));
+
+        $response = [
+            'access_token'  =>  $this->getParam('access_token'),
+            'token_type'    =>  'mac',
+            'expires_in'    =>  $this->getParam('expires_in'),
+            'mac_key'       =>  $macKey,
+            'mac_algorithm' =>  'hmac-sha-256',
+        ];
+
+        return $response;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function determineAccessTokenInHeader(Request $request)
+    {
+        if ($request->headers->has('Authorization') === false) {
+            return;
+        }
+
+        $header = $request->headers->get('Authorization');
+
+        if (substr($header, 0, 4) !== 'MAC ') {
+            return;
+        }
+
+        // Find all the parameters expressed in the header
+        $paramsRaw = explode(',', substr($header, 4));
+        $params = new ParameterBag();
+
+        array_map(function ($param) use (&$params) {
+            $param = trim($param);
+
+            preg_match_all('/([a-zA-Z]*)="([\w=]*)"/', $param, $matches);
+
+            // @codeCoverageIgnoreStart
+            if (count($matches) !== 3) {
+                return;
+            }
+            // @codeCoverageIgnoreEnd
+
+            $key = reset($matches[1]);
+            $value = trim(reset($matches[2]));
+
+            if (empty($value)) {
+                return;
+            }
+
+            $params->set($key, $value);
+        }, $paramsRaw);
+
+        // Validate parameters
+        if ($params->has('id') === false || $params->has('ts') === false || $params->has('nonce') === false || $params->has('mac') === false) {
+            return;
+        }
+
+        if ((int) $params->get('ts') !== time()) {
+            return;
+        }
+
+        $accessToken = $params->get('id');
+        $timestamp = (int) $params->get('ts');
+        $nonce = $params->get('nonce');
+        $signature = $params->get('mac');
+
+        // Try to find the MAC key for the access token
+        $macKey = $this->server->getMacStorage()->getByAccessToken($accessToken);
+
+        if ($macKey === null) {
+            return;
+        }
+
+        // Calculate and compare the signature
+        $calculatedSignatureParts = [
+            $timestamp,
+            $nonce,
+            strtoupper($request->getMethod()),
+            $request->getUri(),
+            $request->getHost(),
+            $request->getPort(),
+        ];
+
+        if ($params->has('ext')) {
+            $calculatedSignatureParts[] = $params->get('ext');
+        }
+
+        $calculatedSignature = base64_encode(hash_hmac('sha256', implode("\n", $calculatedSignatureParts), $macKey));
+
+        // Return the access token if the signature matches
+        return ($this->hash_equals($calculatedSignature, $signature)) ? $accessToken : null;
+    }
+
+    /**
+     * Prevent timing attack
+     * @param  string $knownString
+     * @param  string $userString
+     * @return bool
+     */
+    private function hash_equals($knownString, $userString)
+    {
+        if (!function_exists('hash_equals')) {
+            function hash_equals($knownString, $userString)
+            {
+                if (strlen($knownString) !== strlen($userString)) {
+                    return false;
+                }
+                $len = strlen($knownString);
+                $result = 0;
+                for ($i = 0; $i < $len; $i++) {
+                    $result |= (ord($knownString[$i]) ^ ord($userString[$i]));
+                }
+                // They are only identical strings if $result is exactly 0...
+                return 0 === $result;
+            }
+        }
+
+        return hash_equals($knownString, $userString);
+    }
+}
--- a/src/TokenType/TokenTypeInterface.php
+++ b/src/TokenType/TokenTypeInterface.php
@@ -19,19 +19,23 @@ interface TokenTypeInterface
 {
    /**
     * Generate a response
+     *
     * @return array
     */
    public function generateResponse();

    /**
     * Set the server
+     *
     * @param \League\OAuth2\Server\AbstractServer $server
+     *
     * @return self
     */
    public function setServer(AbstractServer $server);

    /**
     * Set a key/value response pair
+     *
     * @param string $key
     * @param mixed  $value
     */
@@ -39,20 +43,25 @@ interface TokenTypeInterface

    /**
     * Get a key from the response array
-     * @param  string $key
+     *
+     * @param string $key
+     *
     * @return mixed
     */
    public function getParam($key);

    /**
     * @param \League\OAuth2\Server\Entity\SessionEntity $session
+     *
     * @return self
     */
    public function setSession(SessionEntity $session);

    /**
     * Determine the access token in the authorization header
-     * @param  \Symfony\Component\HttpFoundation\Request $request
+     *
+     * @param \Symfony\Component\HttpFoundation\Request $request
+     *
     * @return string
     */
    public function determineAccessTokenInHeader(Request $request);
--- a/src/Util/KeyAlgorithm/DefaultAlgorithm.php
+++ b/src/Util/KeyAlgorithm/DefaultAlgorithm.php
@@ -18,18 +18,19 @@ class DefaultAlgorithm implements KeyAlgorithmInterface
     */
    public function generate($len = 40)
    {
-        // We generate twice as many bytes here because we want to ensure we have
-        // enough after we base64 encode it to get the length we need because we
-        // take out the "/", "+", and "=" characters.
-        $bytes = openssl_random_pseudo_bytes($len * 2, $strong);
+        $stripped = '';
+        do {
+            $bytes = openssl_random_pseudo_bytes($len, $strong);

-        // We want to stop execution if the key fails because, well, that is bad.
-        if ($bytes === false || $strong === false) {
-            // @codeCoverageIgnoreStart
-            throw new \Exception('Error Generating Key');
-            // @codeCoverageIgnoreEnd
-        }
+            // We want to stop execution if the key fails because, well, that is bad.
+            if ($bytes === false || $strong === false) {
+                // @codeCoverageIgnoreStart
+                throw new \Exception('Error Generating Key');
+                // @codeCoverageIgnoreEnd
+            }
+            $stripped .= str_replace(['/', '+', '='], '', base64_encode($bytes));
+        } while (strlen($stripped) < $len);

-        return substr(str_replace(['/', '+', '='], '', base64_encode($bytes)), 0, $len);
+        return substr($stripped, 0, $len);
    }
 }
--- a/src/Util/KeyAlgorithm/KeyAlgorithmInterface.php
+++ b/src/Util/KeyAlgorithm/KeyAlgorithmInterface.php
@@ -15,7 +15,9 @@ interface KeyAlgorithmInterface
 {
    /**
     * Generate a new unique code
-     * @param  integer $len Length of the generated code
+     *
+     * @param integer $len Length of the generated code
+     *
     * @return string
     */
    public function generate($len);
--- a/src/Util/RedirectUri.php
+++ b/src/Util/RedirectUri.php
@@ -18,9 +18,11 @@ class RedirectUri
 {
    /**
     * Generate a new redirect uri
-     * @param  string $uri            The base URI
-     * @param  array  $params         The query string parameters
-     * @param  string $queryDelimeter The query string delimeter (default: "?")
+     *
+     * @param string $uri            The base URI
+     * @param array  $params         The query string parameters
+     * @param string $queryDelimeter The query string delimeter (default: "?")
+     *
     * @return string The updated URI
     */
    public static function make($uri, $params = [], $queryDelimeter = '?')
--- a/src/Util/SecureKey.php
+++ b/src/Util/SecureKey.php
@@ -23,7 +23,9 @@ class SecureKey

    /**
     * Generate a new unique code
-     * @param  integer $len Length of the generated code
+     *
+     * @param integer $len Length of the generated code
+     *
     * @return string
     */
    public static function generate($len = 40)
--- a/tests/unit/Entity/AbstractTokenEntityTest.php
+++ b/tests/unit/Entity/AbstractTokenEntityTest.php
@@ -2,10 +2,10 @@

 namespace LeagueTests\Entity;

-use LeagueTests\Stubs\StubAbstractTokenEntity;
 use League\OAuth2\Server\AuthorizationServer;
 use League\OAuth2\Server\Entity\ScopeEntity;
 use League\OAuth2\Server\Entity\SessionEntity;
+use LeagueTests\Stubs\StubAbstractTokenEntity;
 use Mockery as M;

 class AbstractTokenEntityTest extends \PHPUnit_Framework_TestCase
--- a/tests/unit/Grant/AbstractGrantTest.php
+++ b/tests/unit/Grant/AbstractGrantTest.php
@@ -2,12 +2,12 @@

 namespace LeagueTests\Grant;

-use LeagueTests\Stubs\StubAbstractGrant;
 use League\OAuth2\Server\AuthorizationServer;
 use League\OAuth2\Server\Entity\ClientEntity;
 use League\OAuth2\Server\Entity\ScopeEntity;
 use League\OAuth2\Server\Exception\InvalidRequestException;
 use League\OAuth2\Server\Grant;
+use LeagueTests\Stubs\StubAbstractGrant;
 use Mockery as M;

 class AbstractGrantTest extends \PHPUnit_Framework_TestCase
--- a/tests/unit/Grant/RefreshTokenGrantTest.php
+++ b/tests/unit/Grant/RefreshTokenGrantTest.php
@@ -288,7 +288,7 @@ class RefreshTokenGrantTest extends \PHPUnit_Framework_TestCase
    public function testCompleteFlowExpiredRefreshToken()
    {
        $this->setExpectedException('League\OAuth2\Server\Exception\InvalidRefreshException');
-        
+
        $_POST = [
            'grant_type'    => 'refresh_token',
            'client_id'     =>  'testapp',
@@ -421,4 +421,81 @@ class RefreshTokenGrantTest extends \PHPUnit_Framework_TestCase

        $server->issueAccessToken();
    }
+
+    public function testCompleteFlowRotateRefreshToken()
+    {
+        $_POST = [
+            'grant_type'    => 'refresh_token',
+            'client_id'     =>  'testapp',
+            'client_secret' =>  'foobar',
+            'refresh_token' =>  'refresh_token',
+        ];
+
+        $server = new AuthorizationServer();
+        $grant = new RefreshTokenGrant();
+
+        $clientStorage = M::mock('League\OAuth2\Server\Storage\ClientInterface');
+        $clientStorage->shouldReceive('setServer');
+        $clientStorage->shouldReceive('get')->andReturn(
+            (new ClientEntity($server))->hydrate(['id' => 'testapp'])
+        );
+
+        $sessionStorage = M::mock('League\OAuth2\Server\Storage\SessionInterface');
+        $sessionStorage->shouldReceive('setServer');
+        $sessionStorage->shouldReceive('getScopes')->shouldReceive('getScopes')->andReturn([]);
+        $sessionStorage->shouldReceive('associateScope');
+        $sessionStorage->shouldReceive('getByAccessToken')->andReturn(
+            (new SessionEntity($server))
+        );
+
+        $accessTokenStorage = M::mock('League\OAuth2\Server\Storage\AccessTokenInterface');
+        $accessTokenStorage->shouldReceive('setServer');
+        $accessTokenStorage->shouldReceive('get')->andReturn(
+            (new AccessTokenEntity($server))
+        );
+        $accessTokenStorage->shouldReceive('delete');
+        $accessTokenStorage->shouldReceive('create');
+        $accessTokenStorage->shouldReceive('getScopes')->andReturn([
+            (new ScopeEntity($server))->hydrate(['id' => 'foo']),
+        ]);
+        $accessTokenStorage->shouldReceive('associateScope');
+
+        $refreshTokenStorage = M::mock('League\OAuth2\Server\Storage\RefreshTokenInterface');
+        $refreshTokenStorage->shouldReceive('setServer');
+        $refreshTokenStorage->shouldReceive('associateScope');
+        $refreshTokenStorage->shouldReceive('delete');
+        $refreshTokenStorage->shouldReceive('create');
+        $refreshTokenStorage->shouldReceive('get')->andReturn(
+            (new RefreshTokenEntity($server))->setId('refresh_token')->setExpireTime(time() + 86400)
+        );
+
+        $scopeStorage = M::mock('League\OAuth2\Server\Storage\ScopeInterface');
+        $scopeStorage->shouldReceive('setServer');
+        $scopeStorage->shouldReceive('get')->andReturn(
+            (new ScopeEntity($server))->hydrate(['id' => 'foo'])
+        );
+
+        $server->setClientStorage($clientStorage);
+        $server->setScopeStorage($scopeStorage);
+        $server->setSessionStorage($sessionStorage);
+        $server->setAccessTokenStorage($accessTokenStorage);
+        $server->setRefreshTokenStorage($refreshTokenStorage);
+
+        $server->addGrantType($grant);
+
+        $response = $server->issueAccessToken();
+        $this->assertTrue(array_key_exists('access_token', $response));
+        $this->assertTrue(array_key_exists('refresh_token', $response));
+        $this->assertTrue(array_key_exists('token_type', $response));
+        $this->assertTrue(array_key_exists('expires_in', $response));
+        $this->assertNotEquals($response['refresh_token'], $_POST['refresh_token']);
+
+        $grant->setRefreshTokenRotation(false);
+        $response = $server->issueAccessToken();
+        $this->assertTrue(array_key_exists('access_token', $response));
+        $this->assertTrue(array_key_exists('refresh_token', $response));
+        $this->assertTrue(array_key_exists('token_type', $response));
+        $this->assertTrue(array_key_exists('expires_in', $response));
+        $this->assertEquals($response['refresh_token'], $_POST['refresh_token']);
+    }
 }
--- a/tests/unit/TokenType/MacTest.php
+++ b/tests/unit/TokenType/MacTest.php
@@ -0,0 +1,165 @@
+<?php
+
+namespace LeagueTests\TokenType;
+
+use League\OAuth2\Server\AuthorizationServer;
+use League\OAuth2\Server\Entity\AccessTokenEntity;
+use League\OAuth2\Server\TokenType\MAC;
+use Mockery as M;
+use Symfony\Component\HttpFoundation\Request;
+
+class MacTest extends \PHPUnit_Framework_TestCase
+{
+    public function testGenerateResponse()
+    {
+        $macStorage = M::mock('\League\OAuth2\Server\Storage\MacTokenInterface');
+        $macStorage->shouldReceive('create');
+
+        $server = new AuthorizationServer();
+        $server->setMacStorage($macStorage);
+
+        $tokenType = new MAC();
+        $tokenType->setServer($server);
+
+        $accessToken = new AccessTokenEntity($server);
+        $accessToken->setId(uniqid());
+        $accessToken->setExpireTime(time());
+
+        $tokenType->setParam('access_token', $accessToken->getId());
+        $tokenType->setParam('expires_in', 3600);
+
+        $response = $tokenType->generateResponse();
+
+        $this->assertEquals($accessToken->getId(), $response['access_token']);
+        $this->assertEquals('mac', $response['token_type']);
+        $this->assertEquals(3600, $response['expires_in']);
+        $this->assertEquals('hmac-sha-256', $response['mac_algorithm']);
+        $this->assertArrayHasKey('mac_key', $response);
+    }
+
+    public function testDetermineAccessTokenInHeaderValid()
+    {
+        $macStorage = M::mock('\League\OAuth2\Server\Storage\MacTokenInterface');
+        $macStorage->shouldReceive('getByAccessToken')->andReturn('abcdef');
+
+        $server = new AuthorizationServer();
+        $server->setMacStorage($macStorage);
+
+        $ts = time();
+
+        $request = Request::createFromGlobals();
+        $calculatedSignatureParts = [
+            $ts,
+            'foo',
+            strtoupper($request->getMethod()),
+            $request->getUri(),
+            $request->getHost(),
+            $request->getPort(),
+            'ext'
+        ];
+        $calculatedSignature = base64_encode(hash_hmac('sha256', implode("\n", $calculatedSignatureParts), 'abcdef'));
+
+        $request->headers->set('Authorization',  sprintf('MAC id="foo", nonce="foo", ts="%s", mac="%s", ext="ext"', $ts, $calculatedSignature));
+
+        $tokenType = new MAC();
+        $tokenType->setServer($server);
+
+        $response = $tokenType->determineAccessTokenInHeader($request);
+        $this->assertEquals('foo', $response);
+    }
+
+    public function testDetermineAccessTokenInHeaderMissingHeader()
+    {
+        $macStorage = M::mock('\League\OAuth2\Server\Storage\MacTokenInterface');
+        $macStorage->shouldReceive('getByAccessToken')->andReturn('abcdef');
+
+        $server = new AuthorizationServer();
+        $server->setMacStorage($macStorage);
+
+        $request = Request::createFromGlobals();
+        $tokenType = new MAC();
+        $tokenType->setServer($server);
+
+        $response = $tokenType->determineAccessTokenInHeader($request);
+
+        $this->assertEquals(null, $response);
+    }
+
+    public function testDetermineAccessTokenInHeaderMissingAuthMac()
+    {
+        $macStorage = M::mock('\League\OAuth2\Server\Storage\MacTokenInterface');
+        $macStorage->shouldReceive('getByAccessToken')->andReturn('abcdef');
+
+        $server = new AuthorizationServer();
+        $server->setMacStorage($macStorage);
+
+        $request = Request::createFromGlobals();
+        $request->headers->set('Authorization', '');
+
+        $tokenType = new MAC();
+        $tokenType->setServer($server);
+
+        $response = $tokenType->determineAccessTokenInHeader($request);
+
+        $this->assertEquals(null, $response);
+    }
+
+    public function testDetermineAccessTokenInHeaderInvalidParam()
+    {
+        $macStorage = M::mock('\League\OAuth2\Server\Storage\MacTokenInterface');
+        $macStorage->shouldReceive('getByAccessToken')->andReturn('abcdef');
+
+        $server = new AuthorizationServer();
+        $server->setMacStorage($macStorage);
+
+        $request = Request::createFromGlobals();
+        $request->headers->set('Authorization', 'MAC ');
+
+        $tokenType = new MAC();
+        $tokenType->setServer($server);
+
+        $response = $tokenType->determineAccessTokenInHeader($request);
+
+        $this->assertEquals(null, $response);
+    }
+
+    public function testDetermineAccessTokenInHeaderMismatchTimestamp()
+    {
+        $macStorage = M::mock('\League\OAuth2\Server\Storage\MacTokenInterface');
+        $macStorage->shouldReceive('getByAccessToken')->andReturn('abcdef');
+
+        $server = new AuthorizationServer();
+        $server->setMacStorage($macStorage);
+
+        $ts = time() - 100;
+
+        $request = Request::createFromGlobals();
+        $request->headers->set('Authorization',  sprintf('MAC id="foo", nonce="foo", ts="%s", mac="%s", ext="ext"', $ts, 'foo'));
+
+        $tokenType = new MAC();
+        $tokenType->setServer($server);
+
+        $response = $tokenType->determineAccessTokenInHeader($request);
+        $this->assertEquals(null, $response);
+    }
+
+    public function testDetermineAccessTokenInHeaderMissingMacKey()
+    {
+        $macStorage = M::mock('\League\OAuth2\Server\Storage\MacTokenInterface');
+        $macStorage->shouldReceive('getByAccessToken')->andReturn(null);
+
+        $server = new AuthorizationServer();
+        $server->setMacStorage($macStorage);
+
+        $ts = time();
+
+        $request = Request::createFromGlobals();
+        $request->headers->set('Authorization',  sprintf('MAC id="foo", nonce="foo", ts="%s", mac="%s", ext="ext"', $ts, 'foo'));
+
+        $tokenType = new MAC();
+        $tokenType->setServer($server);
+
+        $response = $tokenType->determineAccessTokenInHeader($request);
+        $this->assertEquals(null, $response);
+    }
+}
Author	SHA1	Message	Date
Alex Bilbie	740ea24e08	Changelog update	2014-12-31 16:03:26 +00:00
Alex Bilbie	e1c14abf6c	Lowered symfony/http-foundation to ~2.4 so Laravel can use it	2014-12-31 15:51:52 +00:00
Alex Bilbie	d1aae27359	Version bump	2014-12-27 23:01:11 +00:00
Alex Bilbie	80aeaf9200	Merge branch 'Symplicity-master' into release/4.1.0	2014-12-27 23:00:17 +00:00
Alex Bilbie	282bb20cc8	Fix docblocks + method name	2014-12-27 23:00:11 +00:00
Alex Bilbie	b727be55a2	Merge branch 'master' of https://github.com/Symplicity/oauth2-server into Symplicity-master	2014-12-27 22:57:08 +00:00
Alex Bilbie	cf80a2d6ce	README update	2014-12-27 22:55:30 +00:00
Alex Bilbie	72a5c1794a	Remove unused namespace	2014-12-27 22:50:13 +00:00
Alex Bilbie	707c85b0d6	Fixes and tests	2014-12-27 22:26:31 +00:00
Alex Bilbie	c56562b0b8	PSR fixes	2014-12-27 21:38:01 +00:00
Alex Bilbie	d0b2498b43	Ignore PHPStorm	2014-12-27 21:35:45 +00:00
Alex Bilbie	17be6f4549	Added MacTokenInterface	2014-12-27 21:35:45 +00:00
Alex Bilbie	b50fbff1e3	Update docblock	2014-12-27 21:35:45 +00:00
Alex Bilbie	7375a348c6	PHP code fix	2014-12-27 21:35:45 +00:00
Alex Bilbie	ae5dd9ce65	Added MAC TokenType	2014-12-27 21:35:45 +00:00
Alex Bilbie	f9e56ff62a	Added MAC storage getter and setter	2014-12-27 21:35:45 +00:00
Alex Bilbie	1bcf7ee20f	Update .travis.yml	2014-12-26 17:03:35 +00:00
Alex Bilbie	bee9c6a51d	Added Gitter.im	2014-12-26 16:59:09 +00:00
Dave Walker	851c7c0eb1	Per the spec: The authorization server MAY issue a new refresh token, in which case the client MUST discard the old refresh token and replace it with the new refresh token. The authorization server MAY revoke the old refresh token after issuing a new refresh token to the client. If a new refresh token is issued, the refresh token scope MUST be identical to that of the refresh token included by the client in the request. This commit allows users to specifiy the time before the Refresh Token expire time to issue a new Refresh Token. alter method names, naming convention(?)	2014-12-21 18:51:52 -05:00
Alex Bilbie	7fff4a8fe8	Merge pull request #280 from danprime/master Fix Example Init Code	2014-12-17 10:10:50 +00:00
Alex Bilbie	44ac01ee0e	Merge pull request #284 from mortenhauberg/fix-misspelling Changed "paremter" to "parameter"	2014-12-16 19:48:40 +00:00
mortenhauberg	60bd334b46	Changed "paremter" to "parameter"	2014-12-16 19:04:03 +01:00
Alex Bilbie	7398bee59e	Version bump	2014-12-15 17:34:38 +00:00
Alex Bilbie	40420f27ed	Merge pull request #282 from maknz/master Prevent duplicate session in auth code grant	2014-12-15 16:27:02 +00:00
Regan	d32bfaa757	Prevent duplicate session in auth code grant The session already exists in the database, so we don't need to save it again. Doing so results in the session used for the auth code hanging around in the database with nothing associated to it, while the access token is associated to a new session caused by the `save()` method creating a duplicate. Fixes #266.	2014-12-15 15:09:36 +13:00
Daniel Tse	2653a174bb	Update init.php	2014-12-12 10:25:52 -07:00
Daniel Tse	676fb4c06a	Fix column declarations and references so that foreign keys and references work.	2014-12-11 15:50:42 -07:00
Alex Bilbie	7f815275d6	Fixes for .travis.yml	2014-12-11 14:25:35 +00:00
Alex Bilbie	a056e2fe03	Adding coverage to ghpages	2014-12-11 14:20:53 +00:00
Alex Bilbie	48d9fde133	Merge pull request #277 from GrahamCampbell/patch-1 Removed an extra new line	2014-12-10 15:19:50 +00:00
Graham Campbell	a12786cbd5	Removed an extra new line	2014-12-10 15:18:49 +00:00
Alex Bilbie	164cc6ddb9	Merge pull request #269 from Hywan/fix_example_api Fix bad accesses and bad arguments	2014-12-10 15:13:10 +00:00
Alex Bilbie	27f51d33e1	Merge pull request #271 from inverse/example-fix Example fix	2014-12-10 15:12:40 +00:00
Alex Bilbie	2108c88dfb	Merge pull request #276 from GrahamCampbell/cs CS Fixes	2014-12-10 15:12:16 +00:00
Graham Campbell	a1726903b5	CS fixes	2014-12-10 13:10:35 +00:00
Alex Bilbie	8075190e0c	Merge pull request #275 from Hywan/cs Fix API CS.	2014-12-10 09:58:06 +00:00
Ivan Enderlin	3b176fe220	Fix API CS.	2014-12-09 14:40:39 +01:00
Ivan Enderlin	986dc59627	The `create` method returns void.	2014-12-09 14:40:39 +01:00
Ivan Enderlin	0878897969	Fix API CS.	2014-12-09 14:15:36 +01:00
Alex Bilbie	0ce7ecb45a	Merge pull request #273 from sarciszewski/patch-1 Make Util/KeyAlgorithm/DefaultAlgorithm guarantee $len bytes of output even in edge cases.	2014-12-09 12:53:04 +00:00
Scott Arciszewski	7a63f42462	Update DefaultAlgorithm.php Prevent edge-case whereby, if the majority of `base64_encode($bytes)` consists of `/` or `+` characters, the resulting key will be shorter and less unpredictable (due to a smaller keyspace) than anticipated. As a result, the `$len * 2` hack has been removed. Although it is highly probable that `$len * 2` will stop most edge cases from occurring, it does not actually guarantee the end result will be at least 40 characters long.	2014-12-08 18:40:31 -05:00
Malachi Soord	774341c346	Fixed tokeninfo	2014-12-05 18:24:24 +01:00
Malachi Soord	c8983b35a0	Fixed example API hasScope reference	2014-12-05 18:12:19 +01:00
Ivan Enderlin	3b17872f10	Fix bad accesses and bad arguments.	2014-12-02 11:54:45 +01:00