Add tests

Prevent public clients from using the client_credentials grant type

.gitattributes

@@ -1,5 +1,14 @@
-tests/ export-ignore
-phpunit.xml export-ignore
-build.xml export-ignore
-test export-ignore
-.travis.yml export-ignore
+* text=auto
+
+/examples export-ignore
+/tests export-ignore
+/.gitattributes export-ignore
+/.gitignore export-ignore
+/.travis.yml export-ignore
+.travis.yml export-ignore
+.scrutinizer.yml export-ignore
+/phpunit.xml.dist export-ignore
+/CHANGELOG.md export-ignore
+/CONTRIBUTING.md export-ignore
+/README.md export-ignore
+

.gitignore

@@ -1,15 +1,9 @@
 /vendor
 /composer.lock
-/build
-/docs
-/testing
-/examples/relational/vendor
-/examples/relational/config/oauth2.sqlite3
-/examples/nosql/vendor
-/examples/nosql/config/oauth2.sqlite3
-/examples/relational/composer.lock
-/tests/codecept/tests/_log
-oauth2-server.paw
-/output_*/
-/_site
-.idea
+phpunit.xml
+.idea
+/examples/vendor
+examples/public.key
+examples/private.key
+build
+*.orig

.scrutinizer.yml

@@ -2,7 +2,6 @@ filter:
     excluded_paths:
         - tests/*
         - vendor/*
-        - examples/*
 checks:
     php:
         code_rating: true

.styleci.yml

@@ -0,0 +1,52 @@
+preset: psr2
+
+enabled:
+  - binary_operator_spaces
+  - blank_line_before_return
+  - concat_with_spaces
+  - fully_qualified_strict_types
+  - function_typehint_space
+  - hash_to_slash_comment
+  - include
+  - lowercase_cast
+  - method_separation
+  - native_function_casing
+  - no_blank_lines_after_class_opening
+  - no_blank_lines_between_uses
+  - no_duplicate_semicolons
+  - no_leading_import_slash
+  - no_leading_namespace_whitespace
+  - no_multiline_whitespace_before_semicolons
+  - no_php4_constructor
+  - no_short_bool_cast
+  - no_singleline_whitespace_before_semicolons
+  - no_trailing_comma_in_singleline_array
+  - no_unreachable_default_argument_value
+  - no_unused_imports
+  - no_whitespace_before_comma_in_array
+  - ordered_imports
+  - phpdoc_align
+  - phpdoc_indent
+  - phpdoc_inline_tag
+  - phpdoc_no_access
+  - phpdoc_no_simplified_null_return
+  - phpdoc_property
+  - phpdoc_scalar
+  - phpdoc_separation
+  - phpdoc_to_comment
+  - phpdoc_trim
+  - phpdoc_type_to_var
+  - phpdoc_types
+  - phpdoc_var_without_name
+  - print_to_echo
+  - short_array_syntax
+  - short_scalar_cast
+  - single_quote
+  - spaces_cast
+  - standardize_not_equal
+  - ternary_operator_spaces
+  - trailing_comma_in_multiline_array
+  - trim_array_spaces
+  - unary_operator_spaces
+  - whitespace_after_comma_in_array
+  - whitespacy_lines

.travis.yml

@@ -1,56 +1,32 @@
 language: php
 
+dist: trusty
 sudo: false
 
 cache:
   directories:
-  - vendor
+    - vendor
+
+env:
+  - DEPENDENCIES=""
+  - DEPENDENCIES="--prefer-lowest --prefer-stable"
 
 php:
-  - 5.4
-  - 5.5
-  - 5.6
-  - 7.0
-  - hhvm
-  
-matrix:
-  allow_failures:
-    - php: 7.0
-  fast_finish: true
+  - 7.1
+  - 7.2
+  - 7.3
 
 install:
-  - travis_retry composer install --no-interaction --prefer-source
+  - composer update --no-interaction --prefer-dist $DEPENDENCIES
 
 script:
-  - mkdir -p build/logs
-  - phpunit --coverage-text --verbose --coverage-clover=coverage.clover --coverage-html coverage
+  - vendor/bin/phpunit --coverage-clover=coverage.clover
+  - vendor/bin/phpstan analyse -l 7 -c phpstan.neon src tests
 
 after_script:
-  - bash -c 'if [ "$TRAVIS_PHP_VERSION" == "5.6" ]; then wget https://scrutinizer-ci.com/ocular.phar; fi;
-  - bash -c 'if [ "$TRAVIS_PHP_VERSION" == "5.6" ]; then php ocular.phar code-coverage:upload --format=php-clover coverage.clover; fi;
-  - git config --global user.email "travis@travis-ci.org"
-  - git config --global user.name "TravisCI"
-  - cp -R coverage ${HOME}/coverage
-  - cd ${HOME}
-  - git clone --quiet --branch=gh-pages https://${GITHUBTOKEN}@github.com/thephpleague/oauth2-server.git gh-pages > /dev/null
-  - cd gh-pages
-  - mkdir ${TRAVIS_BRANCH}
-  - cd ${TRAVIS_BRANCH}
-  - cp -Rf $HOME/coverage/* .
-  - git add -f .
-  - git commit -m "Travis pushed coverage of ${TRAVIS_COMMIT}@${TRAVIS_BRANCH} to gh-pages"
-  - git push -fq origin gh-pages > /dev/null
+    - wget https://scrutinizer-ci.com/ocular.phar
+    - php ocular.phar code-coverage:upload --format=php-clover coverage.clover
+
 branches:
   only:
     - master
-env:
-  global:
-    secure: "C4wD/BQefKSu9W594iyLp+IBCjlM8kKlmp+nXKXnZGi0L8IkV3m4mmNOb8PExxGMhZ3mlev5DnU4Uoh4oJaUxnkR1FpX4dSEpyzU3VknUzSE2yZOlL+bdCw3o85TGoCcp/+ReJCOw5sncxTskJKHlW1YMa33FznaXwLNoImpjTg="
-
-notifications:
-  webhooks:
-    urls:
-      - https://webhooks.gitter.im/e/7de0ca12596cd5268f30
-    on_success: always  # options: [always|never|change] default: always
-    on_failure: always  # options: [always|never|change] default: always
-    on_start: false     # default: false

CHANGELOG.md

@@ -1,201 +1,535 @@
 # Changelog
+All notable changes to this project will be documented in this file.
 
-## 4.1.5 (released 2016-01-04)
+The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
+and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
-* Enable Symfony 3.0 support (#412)
+## [Unreleased]
 
-## 4.1.4 (released 2015-11-13)
+### Fixed
+- Clients are now explicitly prevented from using the Client Credentials grant unless they are confidential to conform
+ with the OAuth2 spec (PR #1035)
 
-* Fix for determining access token in header (Issue #328)
-* Refresh tokens are now returned for MAC responses (Issue #356)
-* Added integration list to readme (Issue #341)
-* Expose parameter passed to exceptions (Issue #345)
-* Removed duplicate routing setup code (Issue #346)
-* Docs fix (Issues #347, #360, #380)
-* Examples fix (Issues #348, #358)
-* Fix typo in docblock (Issue #352)
-* Improved timeouts for MAC tokens (Issue #364)
-* `hash_hmac()` should output raw binary data, not hexits (Issue #370)
-* Improved regex for matching all Base64 characters (Issue #371)
-* Fix incorrect signature parameter (Issue #372)
-* AuthCodeGrant and RefreshTokenGrant don't require client_secret (Issue #377)
-* Added priority argument to event listener (Issue #388)
+## [8.0.0] - released 2019-07-13
 
-## 4.1.3 (released 2015-03-22)
+### Added
+- Flag, `requireCodeChallengeForPublicClients`, used to reject public clients that do not provide a code challenge for the Auth Code Grant; use AuthCodeGrant::disableRequireCodeCallengeForPublicClients() to turn off this requirement (PR #938)
+- Public clients can now use the Auth Code Grant (PR #938)
+- `isConfidential` getter added to `ClientEntity` to identify type of client (PR #938)
+- Function `validateClient()` added to validate clients which was previously performed by the `getClientEntity()` function (PR #938)
+- Add a new function to the AbstractGrant class called `getClientEntityOrFail()`. This is a wrapper around the `getClientEntity()` function that ensures we emit and throw an exception if the repo doesn't return a client entity. (PR #1010)
 
-* Docblock, namespace and inconsistency fixes (Issue #303)
-* Docblock type fix (Issue #310)
-* Example bug fix (Issue #300)
-* Updated league/event to ~2.1 (Issue #311)
-* Fixed missing session scope (Issue #319)
-* Updated interface docs (Issue #323)
-* `.travis.yml` updates
+### Changed
+- Replace `convertToJWT()` interface with a more generic `__toString()` to improve extensibility; AccessTokenEntityInterface now requires `setPrivateKey(CryptKey $privateKey)` so `__toString()` has everything it needs to work (PR #874)
+- The `invalidClient()` function accepts a PSR-7 compliant `$serverRequest` argument to avoid accessing the `$_SERVER` global variable and improve testing (PR #899)
+- `issueAccessToken()` in the Abstract Grant no longer sets access token client, user ID or scopes. These values should already have been set when calling `getNewToken()` (PR #919)
+- No longer need to enable PKCE with `enableCodeExchangeProof` flag. Any client sending a code challenge will initiate PKCE checks. (PR #938)
+- Function `getClientEntity()` no longer performs client validation (PR #938)
+- Password Grant now returns an invalid_grant error instead of invalid_credentials if a user cannot be validated (PR #967)
+- Use `DateTimeImmutable()` instead of `DateTime()`, `time()` instead of `(new DateTime())->getTimeStamp()`, and `DateTime::getTimeStamp()` instead of `DateTime::format('U')` (PR #963)
 
-## 4.1.2 (released 2015-01-01)
+### Removed
+- `enableCodeExchangeProof` flag (PR #938)
+- Support for PHP 7.0 (PR #1014)
+- Remove JTI claim from JWT header (PR #1031)
 
-* Remove side-effects in hash_equals() implementation (Issue #290)
+## [7.4.0] - released 2019-05-05
 
-## 4.1.1 (released 2014-12-31)
+### Changed
+- RefreshTokenRepository can now return null, allowing refresh tokens to be optional. (PR #649)
 
-* Changed `symfony/http-foundation` dependency version to `~2.4` so package can be installed in Laravel `4.1.*`
+## [7.3.3] - released 2019-03-29
 
-## 4.1.0 (released 2014-12-27)
+### Added
+- Added `error_description` to the error payload to improve standards compliance. The contents of this are copied from the existing `message` value. (PR #1006)
 
-* Added MAC token support (Issue #158)
-* Fixed example init code (Issue #280)
-* Toggle refresh token rotation (Issue #286)
-* Docblock fixes
+### Deprecated
+- Error payload will not issue `message` value in the next major release (PR #1006)
 
-## 4.0.5 (released 2014-12-15)
+## [7.3.2] - released 2018-11-21
 
-* Prevent duplicate session in auth code grant (Issue #282)
+### Fixed
+- Revert setting keys on response type to be inside `getResponseType()` function instead of AuthorizationServer constructor (PR #969)
 
-## 4.0.4 (released 2014-12-03)
+## [7.3.1] - released 2018-11-15
 
-* Ensure refresh token hasn't expired (Issue #270)
+### Fixed
+- Fix issue with previous release where interface had changed for the AuthorizationServer. Reverted to the previous interface while maintaining functionality changes (PR #970)
 
-## 4.0.3 (released 2014-12-02)
+## [7.3.0] - released 2018-11-13
 
-* Fix bad type hintings (Issue #267)
-* Do not forget to set the expire time (Issue #268)
+### Changed
+- Moved  the `finalizeScopes()` call from `validateAuthorizationRequest` method to the `completeAuthorizationRequest` method so it is called just before the access token is issued (PR #923)
 
-## 4.0.2 (released 2014-11-21)
+### Added
+- Added a ScopeTrait to provide an implementation for jsonSerialize (PR #952)
+- Ability to nest exceptions (PR #965)
 
-* Improved interfaces (Issue #255)
-* Learnt how to spell delimiter and so `getScopeDelimiter()` and `setScopeDelimiter()` methods have been renamed
-* Docblock improvements (Issue #254)
+### Fixed
+- Fix issue where AuthorizationServer is not stateless as ResponseType could store state of a previous request (PR #960)
 
-## 4.0.1 (released 2014-11-09)
+## [7.2.0] - released 2018-06-23
 
-* Alias the master branch in composer.json (Issue #243)
-* Numerous PHP CodeSniffer fixes (Issue #244)
-* .travis.yml update (Issue #245)
-* The getAccessToken method should return an AccessTokenEntity object instead of a string in ResourceServer.php (#246)
+### Changed
+- Added new`validateRedirectUri` method AbstractGrant to remove three instances of code duplication (PR #912)
+- Allow 640 as a crypt key file permission (PR #917)
 
-## 4.0.0 (released 2014-11-08)
+### Added
+- Function `hasRedirect()` added to `OAuthServerException` (PR #703)
 
-* Complete rewrite
-* Check out the documentation - [http://oauth2.thephpleague.com](http://oauth2.thephpleague.com)
+### Fixed
+- Catch and handle `BadMethodCallException` from the `verify()` method of the JWT token in the `validateAuthorization` method (PR #904)
 
-## 3.2.0 (released 2014-04-16)
+## [4.1.7] - released 2018-06-23
 
-* Added the ability to change the algorithm that is used to generate the token strings (Issue #151)
+### Fixed
+- Ensure `empty()` function call only contains variable to be compatible with PHP 5.4 (PR #918)
 
-## 3.1.2 (released 2014-02-26)
+## [7.1.1] - released 2018-05-21
 
-* Support Authorization being an environment variable. [See more](http://fortrabbit.com/docs/essentials/quirks-and-constraints#authorization-header)
+### Fixed
+- No longer set a WWW-Authenticate header for invalid clients if the client did not send an Authorization header in the original request (PR #902)
 
-## 3.1.1 (released 2013-12-05)
+## [7.1.0] - released 2018-04-22
 
-* Normalize headers when `getallheaders()` is available (Issues #108 and #114)
+### Changed
+- Changed hint for unsupportedGrantType exception so it no longer references the grant type parameter which isn't always expected (PR #893)
+- Upgrade PHPStan checks to level 7 (PR #856)
 
-## 3.1.0 (released 2013-12-05)
+### Added
+- Added event emitters for issued access and refresh tokens (PR #860)
+- Can now use Defuse\Crypto\Key for encryption/decryption of keys which is faster than the Cryto class (PR #812)
 
-* No longer necessary to inject the authorisation server into a grant, the server will inject itself
-* Added test for 1419ba8cdcf18dd034c8db9f7de86a2594b68605
+### Removed
+- Remove paragone/random_compat from dependencies
 
-## 3.0.1 (released 2013-12-02)
+## [7.0.0] - released 2018-02-18
 
-* Forgot to tell TravisCI from testing PHP 5.3
+### Added
+- Use PHPStan for static analysis of code (PR #848)
+- Enforce stricter static analysis checks and upgrade library dependencies (PR #852)
+- Provide PHPStan coverage for tests and update PHPUnit (PR #849)
+- Get and set methods for OAuth Server Exception payloads. Allow implementer to specify the JSON encode options (PR #719)
 
-## 3.0.0 (released 2013-12-02)
+### Changed
+- ClientRepository interface will now accept null for the Grant type to improve extensibility options (PR #607)
+- Do not issue an error if key file permissions are 400 or 440 (PR #839)
+- Skip key file creation if the file already exists (PR #845)
+- Change changelog format and update readme
 
-* Fixed spelling of Implicit grant class (Issue #84)
-* Travis CI now tests for PHP 5.5
-* Fixes for checking headers for resource server (Issues #79 and #)
-* The word "bearer" now has a capital "B" in JSON output to match OAuth 2.0 spec
-* All grants no longer remove old sessions by default
-* All grants now support custom access token TTL (Issue #92)
-* All methods which didn't before return a value now return `$this` to support method chaining
-* Removed the build in DB providers - these will be put in their own repos to remove baggage in the main repository
-* Removed support for PHP 5.3 because this library now uses traits and will use other modern PHP features going forward
-* Moved some grant related functions into a trait to reduce duplicate code
+### Removed
+- Support for PHP 5.6
+- Support for version 5.x and 6.x of the library
 
-## 2.1.1 (released 2013-06-02)
+### Fixed
+- PKCE implementation (PR #744)
+- Set correct redirect URI when validating scopes (PR #840)
+- S256 code challenege method (PR #842)
+- Accept RSA key with CRLF line endings (PR #805)
 
-* Added conditional `isValid()` flag to check for Authorization header only (thanks @alexmcroberts)
-* Fixed semantic meaning of `requireScopeParam()` and `requireStateParam()` by changing their default value to true
-* Updated some duff docblocks
-* Corrected array key call in Resource.php (Issue #63)
+## [6.1.1] - 2017-12-23
 
-## 2.1 (released 2013-05-10)
+- Removed check on empty scopes
 
-* Moved zetacomponents/database to "suggest" in composer.json. If you rely on this feature you now need to include " zetacomponents/database" into "require" key in your own composer.json. (Issue #51)
-* New method in Refresh grant called `rotateRefreshTokens()`. Pass in `true` to issue a new refresh token each time an access token is refreshed. This parameter needs to be set to true in order to request reduced scopes with the new access token. (Issue #47)
-* Rename `key` column in oauth_scopes table to `scope` as `key` is a reserved SQL word. (Issue #45)
-* The `scope` parameter is no longer required by default as per the RFC. (Issue #43)
-* You can now set multiple default scopes by passing an array into `setDefaultScope()`. (Issue #42)
-* The password and client credentials grants now allow for multiple sessions per user. (Issue #32)
-* Scopes associated to authorization codes are not held in their own table (Issue #44)
-* Database schema updates.
+## [6.1.0] - 2017-12-23
 
-## 2.0.5 (released 2013-05-09)
+- Changed the token type issued by the Implicit Grant to be Bearer instead of bearer. (PR #724)
+- Replaced call to array_key_exists() with the faster isset() on the Implicit Grant. (PR #749)
+- Allow specification of query delimiter character in the Password Grant (PR #801)
+- Add Zend Diactoros library dependency to examples (PR #678)
+- Can set default scope for the authorization endpoint. If no scope is passed during an authorization request, the default scope will be used if set. If not, the server will issue an invalid scope exception (PR #811)
+- Added validation for redirect URIs on the authorization end point to ensure exactly one redirection URI has been passed (PR #573)
 
-* Fixed `oauth_session_token_scopes` table primary key
-* Removed `DEFAULT ''` that has slipped into some tables
-* Fixed docblock for `SessionInterface::associateRefreshToken()`
+## [6.0.2] - 2017-08-03
 
-## 2.0.4 (released 2013-05-09)
+- An invalid refresh token that can't be decrypted now returns a HTTP 401 error instead of HTTP 400 (Issue #759)
+- Removed chmod from CryptKey and add toggle to disable checking (Issue #776)
+- Fixes invalid code challenge method payload key name (Issue #777)
 
-* Renamed primary key in oauth_client_endpoints table
-* Adding missing column to oauth_session_authcodes
-* SECURITY FIX: A refresh token should be bound to a client ID
+## [6.0.1] - 2017-07-19
 
-## 2.0.3 (released 2013-05-08)
+To address feedback from the security release the following change has been made:
 
-* Fixed a link to code in composer.json
+- If an RSA key cannot be chmod'ed to 600 then it will now throw a E_USER_NOTICE instead of an exception.
 
-## 2.0.2 (released 2013-05-08)
+## [6.0.0] - 2017-07-01
 
-* Updated README with wiki guides
-* Removed `null` as default parameters in some methods in the storage interfaces
-* Fixed license copyright
+- Breaking change: The `AuthorizationServer` constructor now expects an encryption key string instead of a public key
+- Remove support for HHVM
+- Remove support for PHP 5.5
 
-## 2.0.0 (released 2013-05-08)
+## [5.1.4] - 2017-07-01
+
+- Fixed multiple security vulnerabilities as a result of a security audit paid for by the [Mozilla Secure Open Source Fund](https://wiki.mozilla.org/MOSS/Secure_Open_Source). All users of this library are encouraged to update as soon as possible to this version or version 6.0 or greater.
+	- It is recommended on each `AuthorizationServer` instance you set the `setEncryptionKey()`. This will result in stronger encryption being used. If this method is not set messages will be sent to the defined error handling routines (using `error_log`). Please see the examples and documentation for examples.
+- TravisCI now tests PHP 7.1 (Issue #671)
+- Fix middleware example fatal error (Issue #682)
+- Fix typo in the first README sentence (Issue #690)
+- Corrected DateInterval from 1 min to 1 month (Issue #709)
+
+## [5.1.3] - 2016-10-12
+
+- Fixed WWW-Authenticate header (Issue #669)
+- Increase the recommended RSA key length from 1024 to 2048 bits (Issue #668)
+
+## [5.1.2] - 2016-09-19
+
+- Fixed `finalizeScopes` call (Issue #650)
+
+## [4.1.6] - 2016-09-13
+
+- Less restrictive on Authorization header check (Issue #652)
+
+## [5.1.1] - 2016-07-26
+
+- Improved test suite (Issue #614)
+- Updated docblocks (Issue #616)
+- Replace `array_shift` with `foreach` loop (Issue #621)
+- Allow easy addition of custom fields to Bearer token response (Issue #624)
+- Key file auto-generation from string (Issue #625)
+
+## [5.1.0] - 2016-06-28
+
+- Implemented RFC7636 (Issue #574)
+- Unify middleware exception responses (Issue #578)
+- Updated examples (Issue #589)
+- Ensure state is in access denied redirect (Issue #597)
+- Remove redundant `isExpired()` method from entity interfaces and traits (Issue #600)
+- Added a check for unique access token constraint violation (Issue #601)
+- Look at Authorization header directly for HTTP Basic auth checks (Issue #604)
+- Added catch Runtime exception when parsing JWT string (Issue #605)
+- Allow `paragonie/random_compat` 2.x (Issue #606)
+- Added `indigophp/hash-compat` to Composer suggestions and `require-dev` for PHP 5.5 support
+
+## [5.0.3] - 2016-05-04
+
+- Fix hints in PasswordGrant (Issue #560)
+- Add meaning of `Resource owner` to terminology.md (Issue #561)
+- Use constant for event name instead of explicit string (Issue #563)
+- Remove unused request property (Issue #564)
+- Correct wrong phpdoc (Issue #569)
+- Fixed typo in exception string (Issue #570)
+
+## [5.0.2] - 2016-04-18
+
+- `state` parameter is now correctly returned after implicit grant authorization
+- Small code and docblock improvements
+
+## [5.0.1] - 2016-04-18
+
+- Fixes an issue (#550) whereby it was unclear whether or not to validate a client's secret during a request.
+
+## [5.0.0] - 2016-04-17
+
+Version 5 is a complete code rewrite.
+
+- Renamed Server class to AuthorizationServer
+- Added ResourceServer class
+- Run unit tests again PHP 5.5.9 as it's the minimum supported version
+- Enable PHPUnit 5.0 support
+- Improved examples and documentation
+- Make it clearer that the implicit grant doesn't support refresh tokens
+- Improved refresh token validation errors
+- Fixed refresh token expiry date
+
+## [5.0.0-RC2] - 2016-04-10
+
+- Allow multiple client redirect URIs (Issue #511)
+- Remove unused mac token interface (Issue #503)
+- Handle RSA key passphrase (Issue #502)
+- Remove access token repository from response types (Issue #501)
+- Remove unnecessary methods from entity interfaces (Issue #490)
+- Ensure incoming JWT hasn't expired (Issue #509)
+- Fix client identifier passed where user identifier is expected (Issue #498)
+- Removed built-in entities; added traits to for quick re-use (Issue #504)
+- Redirect uri is required only if the "redirect_uri" parameter was included in the authorization request (Issue #514)
+- Removed templating for auth code and implicit grants (Issue #499)
+
+## [5.0.0-RC1] - 2016-03-24
+
+Version 5 is a complete code rewrite.
+
+- JWT support
+- PSR-7 support
+- Improved exception errors
+- Replace all occurrences of the term "Storage" with "Repository"
+- Simplify repositories
+- Entities conform to interfaces and use traits
+- Auth code grant updated
+  - Allow support for public clients
+  - Add support for #439
+- Client credentials grant updated
+- Password grant updated
+  - Allow support for public clients
+- Refresh token grant updated
+- Implement Implicit grant
+- Bearer token output type
+- Remove MAC token output type
+- Authorization server rewrite
+- Resource server class moved to PSR-7 middleware
+- Tests
+- Much much better documentation
+
+## [4.1.5] - 2016-01-04
+
+- Enable Symfony 3.0 support (#412)
+
+## [4.1.4] - 2015-11-13
+
+- Fix for determining access token in header (Issue #328)
+- Refresh tokens are now returned for MAC responses (Issue #356)
+- Added integration list to readme (Issue #341)
+- Expose parameter passed to exceptions (Issue #345)
+- Removed duplicate routing setup code (Issue #346)
+- Docs fix (Issues #347, #360, #380)
+- Examples fix (Issues #348, #358)
+- Fix typo in docblock (Issue #352)
+- Improved timeouts for MAC tokens (Issue #364)
+- `hash_hmac()` should output raw binary data, not hexits (Issue #370)
+- Improved regex for matching all Base64 characters (Issue #371)
+- Fix incorrect signature parameter (Issue #372)
+- AuthCodeGrant and RefreshTokenGrant don't require client_secret (Issue #377)
+- Added priority argument to event listener (Issue #388)
+
+## [4.1.3] - 2015-03-22
+
+- Docblock, namespace and inconsistency fixes (Issue #303)
+- Docblock type fix (Issue #310)
+- Example bug fix (Issue #300)
+- Updated league/event to ~2.1 (Issue #311)
+- Fixed missing session scope (Issue #319)
+- Updated interface docs (Issue #323)
+- `.travis.yml` updates
+
+## [4.1.2] - 2015-01-01
+
+- Remove side-effects in hash_equals() implementation (Issue #290)
+
+## [4.1.1] - 2014-12-31
+
+- Changed `symfony/http-foundation` dependency version to `~2.4` so package can be installed in Laravel `4.1.*`
+
+## [4.1.0] - 2014-12-27
+
+- Added MAC token support (Issue #158)
+- Fixed example init code (Issue #280)
+- Toggle refresh token rotation (Issue #286)
+- Docblock fixes
+
+## [4.0.5] - 2014-12-15
+
+- Prevent duplicate session in auth code grant (Issue #282)
+
+## [4.0.4] - 2014-12-03
+
+- Ensure refresh token hasn't expired (Issue #270)
+
+## [4.0.3] - 2014-12-02
+
+- Fix bad type hintings (Issue #267)
+- Do not forget to set the expire time (Issue #268)
+
+## [4.0.2] - 2014-11-21
+
+- Improved interfaces (Issue #255)
+- Learnt how to spell delimiter and so `getScopeDelimiter()` and `setScopeDelimiter()` methods have been renamed
+- Docblock improvements (Issue #254)
+
+## [4.0.1] - 2014-11-09
+
+- Alias the master branch in composer.json (Issue #243)
+- Numerous PHP CodeSniffer fixes (Issue #244)
+- .travis.yml update (Issue #245)
+- The getAccessToken method should return an AccessTokenEntity object instead of a string in ResourceServer.php (#246)
+
+## [4.0.0] - 2014-11-08
+
+- Complete rewrite
+- Check out the documentation - [http://oauth2.thephpleague.com](http://oauth2.thephpleague.com)
+
+## [3.2.0] - 2014-04-16
+
+- Added the ability to change the algorithm that is used to generate the token strings (Issue #151)
+
+## [3.1.2] - 2014-02-26
+
+- Support Authorization being an environment variable. [See more](http://fortrabbit.com/docs/essentials/quirks-and-constraints#authorization-header)
+
+## [3.1.1] - 2013-12-05
+
+- Normalize headers when `getallheaders()` is available (Issues #108 and #114)
+
+## [3.1.0] - 2013-12-05
+
+- No longer necessary to inject the authorisation server into a grant, the server will inject itself
+- Added test for 1419ba8cdcf18dd034c8db9f7de86a2594b68605
+
+## [3.0.1] - 2013-12-02
+
+- Forgot to tell TravisCI from testing PHP 5.3
+
+## [3.0.0] - 2013-12-02
+
+- Fixed spelling of Implicit grant class (Issue #84)
+- Travis CI now tests for PHP 5.5
+- Fixes for checking headers for resource server (Issues #79 and #)
+- The word "bearer" now has a capital "B" in JSON output to match OAuth 2.0 spec
+- All grants no longer remove old sessions by default
+- All grants now support custom access token TTL (Issue #92)
+- All methods which didn't before return a value now return `$this` to support method chaining
+- Removed the build in DB providers - these will be put in their own repos to remove baggage in the main repository
+- Removed support for PHP 5.3 because this library now uses traits and will use other modern PHP features going forward
+- Moved some grant related functions into a trait to reduce duplicate code
+
+## [2.1.1] - 2013-06-02
+
+- Added conditional `isValid()` flag to check for Authorization header only (thanks @alexmcroberts)
+- Fixed semantic meaning of `requireScopeParam()` and `requireStateParam()` by changing their default value to true
+- Updated some duff docblocks
+- Corrected array key call in Resource.php (Issue #63)
+
+## [2.1.0] - 2013-05-10
+
+- Moved zetacomponents/database to "suggest" in composer.json. If you rely on this feature you now need to include " zetacomponents/database" into "require" key in your own composer.json. (Issue #51)
+- New method in Refresh grant called `rotateRefreshTokens()`. Pass in `true` to issue a new refresh token each time an access token is refreshed. This parameter needs to be set to true in order to request reduced scopes with the new access token. (Issue #47)
+- Rename `key` column in oauth_scopes table to `scope` as `key` is a reserved SQL word. (Issue #45)
+- The `scope` parameter is no longer required by default as per the RFC. (Issue #43)
+- You can now set multiple default scopes by passing an array into `setDefaultScope()`. (Issue #42)
+- The password and client credentials grants now allow for multiple sessions per user. (Issue #32)
+- Scopes associated to authorization codes are not held in their own table (Issue #44)
+- Database schema updates.
+
+## [2.0.5] - 2013-05-09
+
+- Fixed `oauth_session_token_scopes` table primary key
+- Removed `DEFAULT ''` that has slipped into some tables
+- Fixed docblock for `SessionInterface::associateRefreshToken()`
+
+## [2.0.4] - 2013-05-09
+
+- Renamed primary key in oauth_client_endpoints table
+- Adding missing column to oauth_session_authcodes
+
+### Security
+- A refresh token should be bound to a client ID
+
+## [2.0.3] - 2013-05-08
+
+- Fixed a link to code in composer.json
+
+## [2.0.2] - 2013-05-08
+
+- Updated README with wiki guides
+- Removed `null` as default parameters in some methods in the storage interfaces
+- Fixed license copyright
+
+## [2.0.0] - 2013-05-08
 
 **If you're upgrading from v1.0.8 there are lots of breaking changes**
 
-* Rewrote the session storage interface from scratch so methods are more obvious
-* Included a PDO driver which implements the storage interfaces so the library is more "get up and go"
-* Further normalised the database structure so all sessions no longer contain infomation related to authorization grant (which may or may not be enabled)
-* A session can have multiple associated access tokens
-* Induvidual grants can have custom expire times for access tokens
-* Authorization codes now have a TTL of 10 minutes by default (can be manually set)
-* Refresh tokens now have a TTL of one week by default (can be manually set)
-* The client credentials grant will no longer gives out refresh tokens as per the specification
+- Rewrote the session storage interface from scratch so methods are more obvious
+- Included a PDO driver which implements the storage interfaces so the library is more "get up and go"
+- Further normalised the database structure so all sessions no longer contain infomation related to authorization grant (which may or may not be enabled)
+- A session can have multiple associated access tokens
+- Individual grants can have custom expire times for access tokens
+- Authorization codes now have a TTL of 10 minutes by default (can be manually set)
+- Refresh tokens now have a TTL of one week by default (can be manually set)
+- The client credentials grant will no longer gives out refresh tokens as per the specification
 
-## 1.0.8 (released 2013-03-18)
+## [1.0.8] - 2013-03-18
 
-* Fixed check for required state parameter
-* Fixed check that user's credentials are correct in Password grant
+- Fixed check for required state parameter
+- Fixed check that user's credentials are correct in Password grant
 
-## 1.0.7 (released 2013-03-04)
+## [1.0.7] - 2013-03-04
 
-* Added method `requireStateParam()`
-* Added method `requireScopeParam()`
+- Added method `requireStateParam()`
+- Added method `requireScopeParam()`
 
-## 1.0.6 (released 2013-02-22)
+## [1.0.6] - 2013-02-22
 
-* Added links to tutorials in the README
-* Added missing `state` parameter request to the `checkAuthoriseParams()` method.
+- Added links to tutorials in the README
+- Added missing `state` parameter request to the `checkAuthoriseParams()` method.
 
-## 1.0.5 (released 2013-02-21)
+## [1.0.5] - 2013-02-21
 
-* Fixed the SQL example for SessionInterface::getScopes()
+- Fixed the SQL example for SessionInterface::getScopes()
 
-## 1.0.3 (released 2013-02-20)
+## [1.0.3] - 2013-02-20
 
-* Changed all instances of the "authentication server" to "authorization server"
+- Changed all instances of the "authentication server" to "authorization server"
 
-## 1.0.2 (released 2013-02-20)
+## [1.0.2] - 2013-02-20
 
-* Fixed MySQL create table order
-* Fixed version number in composer.json
+- Fixed MySQL create table order
+- Fixed version number in composer.json
 
-## 1.0.1 (released 2013-02-19)
+## [1.0.1] - 2013-02-19
 
-* Updated AuthServer.php to use `self::getParam()`
+- Updated AuthServer.php to use `self::getParam()`
 
-## 1.0.0 (released 2013-02-15)
+## 1.0.0 - 2013-02-15
 
-* First major release
+- First major release
+
+[Unreleased]: https://github.com/thephpleague/oauth2-server/compare/8.0.0...HEAD
+[8.0.0]: https://github.com/thephpleague/oauth2-server/compare/7.4.0...8.0.0
+[7.4.0]: https://github.com/thephpleague/oauth2-server/compare/7.3.3...7.4.0
+[7.3.3]: https://github.com/thephpleague/oauth2-server/compare/7.3.2...7.3.3
+[7.3.2]: https://github.com/thephpleague/oauth2-server/compare/7.3.1...7.3.2
+[7.3.1]: https://github.com/thephpleague/oauth2-server/compare/7.3.0...7.3.1
+[7.3.0]: https://github.com/thephpleague/oauth2-server/compare/7.2.0...7.3.0
+[7.2.0]: https://github.com/thephpleague/oauth2-server/compare/7.1.1...7.2.0
+[7.1.1]: https://github.com/thephpleague/oauth2-server/compare/7.1.0...7.1.1
+[7.1.0]: https://github.com/thephpleague/oauth2-server/compare/7.0.0...7.1.0
+[7.0.0]: https://github.com/thephpleague/oauth2-server/compare/6.1.1...7.0.0
+[6.1.1]: https://github.com/thephpleague/oauth2-server/compare/6.0.0...6.1.1
+[6.1.0]: https://github.com/thephpleague/oauth2-server/compare/6.0.2...6.1.0
+[6.0.2]: https://github.com/thephpleague/oauth2-server/compare/6.0.1...6.0.2
+[6.0.1]: https://github.com/thephpleague/oauth2-server/compare/6.0.0...6.0.1
+[6.0.0]: https://github.com/thephpleague/oauth2-server/compare/5.1.4...6.0.0
+[5.1.4]: https://github.com/thephpleague/oauth2-server/compare/5.1.3...5.1.4
+[5.1.3]: https://github.com/thephpleague/oauth2-server/compare/5.1.2...5.1.3
+[5.1.2]: https://github.com/thephpleague/oauth2-server/compare/5.1.1...5.1.2
+[5.1.1]: https://github.com/thephpleague/oauth2-server/compare/5.1.0...5.1.1
+[5.1.0]: https://github.com/thephpleague/oauth2-server/compare/5.0.2...5.1.0
+[5.0.3]: https://github.com/thephpleague/oauth2-server/compare/5.0.3...5.0.2
+[5.0.2]: https://github.com/thephpleague/oauth2-server/compare/5.0.1...5.0.2
+[5.0.1]: https://github.com/thephpleague/oauth2-server/compare/5.0.0...5.0.1
+[5.0.0]: https://github.com/thephpleague/oauth2-server/compare/5.0.0-RC2...5.0.0
+[5.0.0-RC2]: https://github.com/thephpleague/oauth2-server/compare/5.0.0-RC1...5.0.0-RC2
+[5.0.0-RC1]: https://github.com/thephpleague/oauth2-server/compare/4.1.5...5.0.0-RC1
+[4.1.7]: https://github.com/thephpleague/oauth2-server/compare/4.1.6...4.1.7
+[4.1.6]: https://github.com/thephpleague/oauth2-server/compare/4.1.5...4.1.6
+[4.1.5]: https://github.com/thephpleague/oauth2-server/compare/4.1.4...4.1.5
+[4.1.4]: https://github.com/thephpleague/oauth2-server/compare/4.1.3...4.1.4
+[4.1.3]: https://github.com/thephpleague/oauth2-server/compare/4.1.2...4.1.3
+[4.1.2]: https://github.com/thephpleague/oauth2-server/compare/4.1.1...4.1.2
+[4.1.1]: https://github.com/thephpleague/oauth2-server/compare/4.0.0...4.1.1
+[4.1.0]: https://github.com/thephpleague/oauth2-server/compare/4.0.5...4.1.0
+[4.0.5]: https://github.com/thephpleague/oauth2-server/compare/4.0.4...4.0.5
+[4.0.4]: https://github.com/thephpleague/oauth2-server/compare/4.0.3...4.0.4
+[4.0.3]: https://github.com/thephpleague/oauth2-server/compare/4.0.2...4.0.3
+[4.0.2]: https://github.com/thephpleague/oauth2-server/compare/4.0.1...4.0.2
+[4.0.1]: https://github.com/thephpleague/oauth2-server/compare/4.0.0...4.0.1
+[4.0.0]: https://github.com/thephpleague/oauth2-server/compare/3.2.0...4.0.0
+[3.2.0]: https://github.com/thephpleague/oauth2-server/compare/3.1.2...3.2.0
+[3.1.2]: https://github.com/thephpleague/oauth2-server/compare/3.1.1...3.1.2
+[3.1.1]: https://github.com/thephpleague/oauth2-server/compare/3.1.0...3.1.1
+[3.1.0]: https://github.com/thephpleague/oauth2-server/compare/3.0.1...3.1.0
+[3.0.1]: https://github.com/thephpleague/oauth2-server/compare/3.0.0...3.0.1
+[3.0.0]: https://github.com/thephpleague/oauth2-server/compare/2.1.1...3.0.0
+[2.1.1]: https://github.com/thephpleague/oauth2-server/compare/2.1.0...2.1.1
+[2.1.0]: https://github.com/thephpleague/oauth2-server/compare/2.0.5...2.1.0
+[2.0.5]: https://github.com/thephpleague/oauth2-server/compare/2.0.4...2.0.5
+[2.0.4]: https://github.com/thephpleague/oauth2-server/compare/2.0.3...2.0.4
+[2.0.3]: https://github.com/thephpleague/oauth2-server/compare/2.0.2...2.0.3
+[2.0.2]: https://github.com/thephpleague/oauth2-server/compare/2.0.0...2.0.2
+[2.0.0]: https://github.com/thephpleague/oauth2-server/compare/1.0.8...2.0.0
+[1.0.8]: https://github.com/thephpleague/oauth2-server/compare/1.0.7...1.0.8
+[1.0.7]: https://github.com/thephpleague/oauth2-server/compare/1.0.6...1.0.7
+[1.0.6]: https://github.com/thephpleague/oauth2-server/compare/1.0.5...1.0.6
+[1.0.5]: https://github.com/thephpleague/oauth2-server/compare/1.0.3...1.0.5
+[1.0.3]: https://github.com/thephpleague/oauth2-server/compare/1.0.2...1.0.3
+[1.0.2]: https://github.com/thephpleague/oauth2-server/compare/1.0.1...1.0.2
+[1.0.1]: https://github.com/thephpleague/oauth2-server/compare/1.0.0...1.0.1

CODE_OF_CONDUCT.md

@@ -0,0 +1,73 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, gender identity and expression, level of experience,
+education, socio-economic status, nationality, personal appearance, race,
+religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+  advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at andrew@noexceptions.io. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
+
+[homepage]: https://www.contributor-covenant.org

CONTRIBUTING.md

@@ -1,7 +1,7 @@
 Thanks for contributing to this project.
 
 
-**Please submit your pull request against the `develop` branch only.**
+**Please submit your pull request against the `master` branch only.**
 
 
 Please ensure that you run `phpunit` from the project root after you've made any changes.

README.md

@@ -1,68 +1,93 @@
-# PHP OAuth 2.0 Server by [@alexbilbie](https://twitter.com/alexbilbie)
+# PHP OAuth 2.0 Server
 
 [![Latest Version](http://img.shields.io/packagist/v/league/oauth2-server.svg?style=flat-square)](https://github.com/thephpleague/oauth2-server/releases)
 [![Software License](https://img.shields.io/badge/license-MIT-brightgreen.svg?style=flat-square)](LICENSE.md)
 [![Build Status](https://img.shields.io/travis/thephpleague/oauth2-server/master.svg?style=flat-square)](https://travis-ci.org/thephpleague/oauth2-server)
 [![Coverage Status](https://img.shields.io/scrutinizer/coverage/g/thephpleague/oauth2-server.svg?style=flat-square)](https://scrutinizer-ci.com/g/thephpleague/oauth2-server/code-structure)
 [![Quality Score](https://img.shields.io/scrutinizer/g/thephpleague/oauth2-server.svg?style=flat-square)](https://scrutinizer-ci.com/g/thephpleague/oauth2-server)
-[![Total Downloads](https://img.shields.io/packagist/dt/league/oauth2-server.svg?style=flat-square)](https://packagist.org/packages/league/oauth2-server) [![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/thephpleague/oauth2-server?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)
+[![Total Downloads](https://img.shields.io/packagist/dt/league/oauth2-server.svg?style=flat-square)](https://packagist.org/packages/league/oauth2-server)
+[![PHPStan](https://img.shields.io/badge/PHPStan-enabled-brightgreen.svg?style=flat-square)](https://github.com/phpstan/phpstan)
 
+`league/oauth2-server` is a standards compliant implementation of an [OAuth 2.0](https://tools.ietf.org/html/rfc6749) authorization server written in PHP which makes working with OAuth 2.0 trivial. You can easily configure an OAuth 2.0 server to protect your API with access tokens, or allow clients to request new access tokens and refresh them.
 
-A standards compliant [OAuth 2.0](http://tools.ietf.org/wg/oauth/draft-ietf-oauth-v2/) authorization server and resource server written in PHP which makes working with OAuth 2.0 trivial. You can easily configure an OAuth 2.0 server to protect your API with access tokens, or allow clients to request new access tokens and refresh them.
-
-It supports out of the box the following grants:
+Out of the box it supports the following grants:
 
 * Authorization code grant
+* Implicit grant
 * Client credentials grant
 * Resource owner password credentials grant
 * Refresh grant
 
-You can also define your own grants.
+The following RFCs are implemented:
 
-In addition it supports the following token types:
-
-* Bearer tokens
-* MAC tokens
-* JSON web tokens (coming soon)
-
-You can also create you own tokens.
+* [RFC6749 "OAuth 2.0"](https://tools.ietf.org/html/rfc6749)
+* [RFC6750 " The OAuth 2.0 Authorization Framework: Bearer Token Usage"](https://tools.ietf.org/html/rfc6750)
+* [RFC7519 "JSON Web Token (JWT)"](https://tools.ietf.org/html/rfc7519)
+* [RFC7636 "Proof Key for Code Exchange by OAuth Public Clients"](https://tools.ietf.org/html/rfc7636)
 
+This library was created by Alex Bilbie. Find him on Twitter at [@alexbilbie](https://twitter.com/alexbilbie).
 
 ## Requirements
 
 The following versions of PHP are supported:
 
-* PHP 5.4
-* PHP 5.5
-* PHP 5.6
-* HHVM
+* PHP 7.1
+* PHP 7.2
+* PHP 7.3
+
+The `openssl` and `json` extensions are also required.
+
+All HTTP messages passed to the server should be [PSR-7 compliant](https://www.php-fig.org/psr/psr-7/). This ensures interoperability with other packages and frameworks.
+
+## Installation
+
+```
+composer require league/oauth2-server
+```
 
 ## Documentation
 
-This library has [full documentation](http://oauth2.thephpleague.com), powered by [Jekyll](http://jekyllrb.com/).
+The library documentation can be found at [https://oauth2.thephpleague.com](https://oauth2.thephpleague.com).
+You can contribute to the documentation in the [gh-pages branch](https://github.com/thephpleague/oauth2-server/tree/gh-pages/).
 
-Contribute to this documentation in the [gh-pages branch](https://github.com/thephpleague/oauth2-server/tree/gh-pages/).
+## Testing
+
+The library uses [PHPUnit](https://phpunit.de/) for unit tests and [PHPStan](https://github.com/phpstan/phpstan) for static analysis of the code.
+
+```
+vendor/bin/phpunit
+vendor/bin/phpstan analyse -l 7 -c phpstan.neon src tests
+```
+
+## Continous Integration
+
+We use [Travis CI](https://travis-ci.org/), [Scrutinizer](https://scrutinizer-ci.com/), and [StyleCI](https://styleci.io/) for continuous integration. Check out [our](https://github.com/thephpleague/oauth2-server/blob/master/.travis.yml) [configuration](https://github.com/thephpleague/oauth2-server/blob/master/.scrutinizer.yml) [files](https://github.com/thephpleague/oauth2-server/blob/master/.styleci.yml) if you'd like to know more.
+
+## Community Integrations
+
+* [Drupal](https://www.drupal.org/project/simple_oauth)
+* [Laravel Passport](https://github.com/laravel/passport)
+* [OAuth 2 Server for CakePHP 3](https://github.com/uafrica/oauth-server)
+* [OAuth 2 Server for Expressive](https://github.com/zendframework/zend-expressive-authentication-oauth2)
+* [Trikoder OAuth 2 Bundle (Symfony)](https://github.com/trikoder/oauth2-bundle)
 
 ## Changelog
 
-[See the project releases page](https://github.com/thephpleague/oauth2-server/releases)
+See the [project changelog](https://github.com/thephpleague/oauth2-server/blob/master/CHANGELOG.md)
 
 ## Contributing
 
-Please see [CONTRIBUTING](https://github.com/thephpleague/oauth2-server/blob/master/CONTRIBUTING.md) for details.
-
-## Integration
-
-- [CakePHP 3](https://github.com/uafrica/oauth-server)
-- [Laravel](https://github.com/lucadegasperi/oauth2-server-laravel)
+Contributions are always welcome. Please see [CONTRIBUTING.md](https://github.com/thephpleague/oauth2-server/blob/master/CONTRIBUTING.md) and [CODE_OF_CONDUCT.md](https://github.com/thephpleague/oauth2-server/blob/master/CODE_OF_CONDUCT.md) for details.
 
 ## Support
 
-Bugs and feature request are tracked on [GitHub](https://github.com/thephpleague/oauth2-server/issues)
+Bugs and feature request are tracked on [GitHub](https://github.com/thephpleague/oauth2-server/issues).
+
+If you have any questions about OAuth _please_ open a ticket here; please **don't** email the address below.
 
 ## Security
 
-If you discover any security related issues, please email hello@alexbilbie.com instead of using the issue tracker.
+If you discover any security related issues, please email `andrew@noexceptions.io` instead of using the issue tracker.
 
 ## License
 
@@ -70,14 +95,14 @@ This package is released under the MIT License. See the bundled [LICENSE](https:
 
 ## Credits
 
-This code is principally developed and maintained by [Alex Bilbie](https://twitter.com/alexbilbie).
+This code is principally developed and maintained by [Andy Millington](https://twitter.com/Sephster).
 
-Special thanks to:
+Between 2012 and 2017 this library was developed and maintained by [Alex Bilbie](https://alexbilbie.com/).
 
-* [Dan Horrigan](https://github.com/dandoescode)
-* [Nick Jackson](https://github.com/jacksonj04)
-* [Michael Gooden](https://github.com/MichaelGooden)
-* [Phil Sturgeon](https://github.com/philsturgeon)
-* [and all the other contributors](https://github.com/thephpleague/oauth2-server/contributors)
+PHP OAuth 2.0 Server is one of many packages provided by The PHP League. To find out more, please visit [our website](https://thephpleague.com).
+
+Special thanks to [all of these awesome contributors](https://github.com/thephpleague/oauth2-server/contributors).
+
+Additional thanks go to the [Mozilla Secure Open Source Fund](https://wiki.mozilla.org/MOSS/Secure_Open_Source) for funding a security audit of this library.
 
 The initial code was developed as part of the [Linkey](http://linkey.blogs.lincoln.ac.uk) project which was funded by [JISC](http://jisc.ac.uk) under the Access and Identity Management programme.

composer.json

@@ -1,59 +1,72 @@
 {
-	"name": "league/oauth2-server",
-	"description": "A lightweight and powerful OAuth 2.0 authorization and resource server library with support for all the core specification grants. This library will allow you to secure your API with OAuth and allow your applications users to approve apps that want to access their data from your API.",
-	"homepage": "http://oauth2.thephpleague.com/",
-	"license": "MIT",
-	"require": {
-		"php": ">=5.4.0",
-		"symfony/http-foundation": "~2.4|~3.0",
-		"league/event": "~2.1"
-	},
-	"require-dev": {
-		"phpunit/phpunit": "4.3.*",
-		"mockery/mockery": "0.9.*"
-	},
-	"repositories": [
-		{
-			"type": "git",
-			"url": "https://github.com/thephpleague/oauth2-server.git"
-		}
-	],
-	"keywords": [
-		"oauth",
-		"oauth2",
-		"oauth 2",
-		"oauth 2.0",
-		"server",
-		"auth",
-		"authorization",
-		"authorisation",
-		"authentication",
-		"resource",
-		"api",
-		"auth",
-		"protect",
-		"secure"
-	],
-	"authors": [
-		{
-			"name": "Alex Bilbie",
-			"email": "hello@alexbilbie.com",
-			"homepage": "http://www.alexbilbie.com",
-			"role": "Developer"
-		}
-	],
-	"replace": {
-		"lncd/oauth2": "*",
-		"league/oauth2server": "*"
-	},
-	"autoload": {
-		"psr-4": {
-			"League\\OAuth2\\Server\\": "src/"
-		}
-	},
-	"autoload-dev": {
-		"psr-4": {
-			"LeagueTests\\": "tests/unit/"
-		}
-	}
+    "name": "league/oauth2-server",
+    "description": "A lightweight and powerful OAuth 2.0 authorization and resource server library with support for all the core specification grants. This library will allow you to secure your API with OAuth and allow your applications users to approve apps that want to access their data from your API.",
+    "homepage": "https://oauth2.thephpleague.com/",
+    "license": "MIT",
+    "require": {
+        "php": ">=7.1.0",
+        "ext-openssl": "*",
+        "league/event": "^2.2",
+        "lcobucci/jwt": "^3.3.1",
+        "psr/http-message": "^1.0.1",
+        "defuse/php-encryption": "^2.2.1",
+        "ext-json": "*"
+    },
+    "require-dev": {
+        "phpunit/phpunit": "^7.5.13 || ^8.2.3",
+        "zendframework/zend-diactoros": "^2.1.2",
+        "phpstan/phpstan": "^0.11.8",
+        "phpstan/phpstan-phpunit": "^0.11.2",
+        "roave/security-advisories": "dev-master"
+    },
+    "repositories": [
+        {
+            "type": "git",
+            "url": "https://github.com/thephpleague/oauth2-server.git"
+        }
+    ],
+    "keywords": [
+        "oauth",
+        "oauth2",
+        "oauth 2",
+        "oauth 2.0",
+        "server",
+        "auth",
+        "authorization",
+        "authorisation",
+        "authentication",
+        "resource",
+        "api",
+        "auth",
+        "protect",
+        "secure"
+    ],
+    "authors": [
+        {
+            "name": "Alex Bilbie",
+            "email": "hello@alexbilbie.com",
+            "homepage": "http://www.alexbilbie.com",
+            "role": "Developer"
+        },
+        {
+            "name": "Andy Millington",
+            "email": "andrew@noexceptions.io",
+            "homepage": "https://www.noexceptions.io",
+            "role": "Developer"
+        }
+    ],
+    "replace": {
+        "lncd/oauth2": "*",
+        "league/oauth2server": "*"
+    },
+    "autoload": {
+        "psr-4": {
+            "League\\OAuth2\\Server\\": "src/"
+        }
+    },
+    "autoload-dev": {
+        "psr-4": {
+            "LeagueTests\\": "tests/"
+        }
+    }
 }

examples/README.md

@@ -0,0 +1,53 @@
+# Example implementations
+
+## Installation
+
+0. Run `composer install` in this directory to install dependencies
+0. Create a private key `openssl genrsa -out private.key 2048`
+0. Create a public key `openssl rsa -in private.key -pubout > public.key`
+0. `cd` into the public directory
+0. Start a PHP server `php -S localhost:4444`
+
+## Testing the client credentials grant example
+
+Send the following cURL request:
+
+```
+curl -X "POST" "http://localhost:4444/client_credentials.php/access_token" \
+	-H "Content-Type: application/x-www-form-urlencoded" \
+	-H "Accept: 1.0" \
+	--data-urlencode "grant_type=client_credentials" \
+	--data-urlencode "client_id=myawesomeapp" \
+	--data-urlencode "client_secret=abc123" \
+	--data-urlencode "scope=basic email"
+```
+
+## Testing the password grant example
+
+Send the following cURL request:
+
+```
+curl -X "POST" "http://localhost:4444/password.php/access_token" \
+	-H "Content-Type: application/x-www-form-urlencoded" \
+	-H "Accept: 1.0" \
+	--data-urlencode "grant_type=password" \
+	--data-urlencode "client_id=myawesomeapp" \
+	--data-urlencode "client_secret=abc123" \
+	--data-urlencode "username=alex" \
+	--data-urlencode "password=whisky" \
+	--data-urlencode "scope=basic email"
+```
+
+## Testing the refresh token grant example
+
+Send the following cURL request. Replace `{{REFRESH_TOKEN}}` with a refresh token from another grant above:
+
+```
+curl -X "POST" "http://localhost:4444/refresh_token.php/access_token" \
+	-H "Content-Type: application/x-www-form-urlencoded" \
+	-H "Accept: 1.0" \
+	--data-urlencode "grant_type=refresh_token" \
+	--data-urlencode "client_id=myawesomeapp" \
+	--data-urlencode "client_secret=abc123" \
+	--data-urlencode "refresh_token={{REFRESH_TOKEN}}"
+```

examples/composer.json

@@ -0,0 +1,18 @@
+{
+    "require": {
+        "slim/slim": "^3.0.0"
+    },
+    "require-dev": {
+        "league/event": "^2.2",
+        "lcobucci/jwt": "^3.3",
+        "psr/http-message": "^1.0",
+        "defuse/php-encryption": "^2.2",
+        "zendframework/zend-diactoros": "^2.1.0"
+    },
+    "autoload": {
+        "psr-4": {
+            "OAuth2ServerExamples\\": "src/",
+            "League\\OAuth2\\Server\\": "../src/"
+        }
+    }
+}

examples/composer.lock

@@ -0,0 +1,647 @@
+{
+    "_readme": [
+        "This file locks the dependencies of your project to a known state",
+        "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
+        "This file is @generated automatically"
+    ],
+    "content-hash": "a7f5c3fdcadb17399bbd97f15e1b11f1",
+    "packages": [
+        {
+            "name": "container-interop/container-interop",
+            "version": "1.2.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/container-interop/container-interop.git",
+                "reference": "79cbf1341c22ec75643d841642dd5d6acd83bdb8"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/container-interop/container-interop/zipball/79cbf1341c22ec75643d841642dd5d6acd83bdb8",
+                "reference": "79cbf1341c22ec75643d841642dd5d6acd83bdb8",
+                "shasum": ""
+            },
+            "require": {
+                "psr/container": "^1.0"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "Interop\\Container\\": "src/Interop/Container/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "description": "Promoting the interoperability of container objects (DIC, SL, etc.)",
+            "homepage": "https://github.com/container-interop/container-interop",
+            "time": "2017-02-14T19:40:03+00:00"
+        },
+        {
+            "name": "nikic/fast-route",
+            "version": "v1.3.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/nikic/FastRoute.git",
+                "reference": "181d480e08d9476e61381e04a71b34dc0432e812"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/nikic/FastRoute/zipball/181d480e08d9476e61381e04a71b34dc0432e812",
+                "reference": "181d480e08d9476e61381e04a71b34dc0432e812",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.4.0"
+            },
+            "require-dev": {
+                "phpunit/phpunit": "^4.8.35|~5.7"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "FastRoute\\": "src/"
+                },
+                "files": [
+                    "src/functions.php"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "BSD-3-Clause"
+            ],
+            "authors": [
+                {
+                    "name": "Nikita Popov",
+                    "email": "nikic@php.net"
+                }
+            ],
+            "description": "Fast request router for PHP",
+            "keywords": [
+                "router",
+                "routing"
+            ],
+            "time": "2018-02-13T20:26:39+00:00"
+        },
+        {
+            "name": "pimple/pimple",
+            "version": "v3.2.3",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/silexphp/Pimple.git",
+                "reference": "9e403941ef9d65d20cba7d54e29fe906db42cf32"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/silexphp/Pimple/zipball/9e403941ef9d65d20cba7d54e29fe906db42cf32",
+                "reference": "9e403941ef9d65d20cba7d54e29fe906db42cf32",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.3.0",
+                "psr/container": "^1.0"
+            },
+            "require-dev": {
+                "symfony/phpunit-bridge": "^3.2"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "3.2.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-0": {
+                    "Pimple": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Fabien Potencier",
+                    "email": "fabien@symfony.com"
+                }
+            ],
+            "description": "Pimple, a simple Dependency Injection Container",
+            "homepage": "http://pimple.sensiolabs.org",
+            "keywords": [
+                "container",
+                "dependency injection"
+            ],
+            "time": "2018-01-21T07:42:36+00:00"
+        },
+        {
+            "name": "psr/container",
+            "version": "1.0.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/php-fig/container.git",
+                "reference": "b7ce3b176482dbbc1245ebf52b181af44c2cf55f"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/php-fig/container/zipball/b7ce3b176482dbbc1245ebf52b181af44c2cf55f",
+                "reference": "b7ce3b176482dbbc1245ebf52b181af44c2cf55f",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.3.0"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.0.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Psr\\Container\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "PHP-FIG",
+                    "homepage": "http://www.php-fig.org/"
+                }
+            ],
+            "description": "Common Container Interface (PHP FIG PSR-11)",
+            "homepage": "https://github.com/php-fig/container",
+            "keywords": [
+                "PSR-11",
+                "container",
+                "container-interface",
+                "container-interop",
+                "psr"
+            ],
+            "time": "2017-02-14T16:28:37+00:00"
+        },
+        {
+            "name": "psr/http-message",
+            "version": "1.0.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/php-fig/http-message.git",
+                "reference": "f6561bf28d520154e4b0ec72be95418abe6d9363"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/php-fig/http-message/zipball/f6561bf28d520154e4b0ec72be95418abe6d9363",
+                "reference": "f6561bf28d520154e4b0ec72be95418abe6d9363",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.3.0"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.0.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Psr\\Http\\Message\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "PHP-FIG",
+                    "homepage": "http://www.php-fig.org/"
+                }
+            ],
+            "description": "Common interface for HTTP messages",
+            "homepage": "https://github.com/php-fig/http-message",
+            "keywords": [
+                "http",
+                "http-message",
+                "psr",
+                "psr-7",
+                "request",
+                "response"
+            ],
+            "time": "2016-08-06T14:39:51+00:00"
+        },
+        {
+            "name": "slim/slim",
+            "version": "3.12.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/slimphp/Slim.git",
+                "reference": "eaee12ef8d0750db62b8c548016d82fb33addb6b"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/slimphp/Slim/zipball/eaee12ef8d0750db62b8c548016d82fb33addb6b",
+                "reference": "eaee12ef8d0750db62b8c548016d82fb33addb6b",
+                "shasum": ""
+            },
+            "require": {
+                "container-interop/container-interop": "^1.2",
+                "nikic/fast-route": "^1.0",
+                "php": ">=5.5.0",
+                "pimple/pimple": "^3.0",
+                "psr/container": "^1.0",
+                "psr/http-message": "^1.0"
+            },
+            "provide": {
+                "psr/http-message-implementation": "1.0"
+            },
+            "require-dev": {
+                "phpunit/phpunit": "^4.0",
+                "squizlabs/php_codesniffer": "^2.5"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "Slim\\": "Slim"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Rob Allen",
+                    "email": "rob@akrabat.com",
+                    "homepage": "http://akrabat.com"
+                },
+                {
+                    "name": "Josh Lockhart",
+                    "email": "hello@joshlockhart.com",
+                    "homepage": "https://joshlockhart.com"
+                },
+                {
+                    "name": "Gabriel Manricks",
+                    "email": "gmanricks@me.com",
+                    "homepage": "http://gabrielmanricks.com"
+                },
+                {
+                    "name": "Andrew Smith",
+                    "email": "a.smith@silentworks.co.uk",
+                    "homepage": "http://silentworks.co.uk"
+                }
+            ],
+            "description": "Slim is a PHP micro framework that helps you quickly write simple yet powerful web applications and APIs",
+            "homepage": "https://slimframework.com",
+            "keywords": [
+                "api",
+                "framework",
+                "micro",
+                "router"
+            ],
+            "time": "2019-04-16T16:47:29+00:00"
+        }
+    ],
+    "packages-dev": [
+        {
+            "name": "defuse/php-encryption",
+            "version": "v2.2.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/defuse/php-encryption.git",
+                "reference": "0f407c43b953d571421e0020ba92082ed5fb7620"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/defuse/php-encryption/zipball/0f407c43b953d571421e0020ba92082ed5fb7620",
+                "reference": "0f407c43b953d571421e0020ba92082ed5fb7620",
+                "shasum": ""
+            },
+            "require": {
+                "ext-openssl": "*",
+                "paragonie/random_compat": ">= 2",
+                "php": ">=5.4.0"
+            },
+            "require-dev": {
+                "nikic/php-parser": "^2.0|^3.0|^4.0",
+                "phpunit/phpunit": "^4|^5"
+            },
+            "bin": [
+                "bin/generate-defuse-key"
+            ],
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "Defuse\\Crypto\\": "src"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Taylor Hornby",
+                    "email": "taylor@defuse.ca",
+                    "homepage": "https://defuse.ca/"
+                },
+                {
+                    "name": "Scott Arciszewski",
+                    "email": "info@paragonie.com",
+                    "homepage": "https://paragonie.com"
+                }
+            ],
+            "description": "Secure PHP Encryption Library",
+            "keywords": [
+                "aes",
+                "authenticated encryption",
+                "cipher",
+                "crypto",
+                "cryptography",
+                "encrypt",
+                "encryption",
+                "openssl",
+                "security",
+                "symmetric key cryptography"
+            ],
+            "time": "2018-07-24T23:27:56+00:00"
+        },
+        {
+            "name": "lcobucci/jwt",
+            "version": "3.3.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/lcobucci/jwt.git",
+                "reference": "a11ec5f4b4d75d1fcd04e133dede4c317aac9e18"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/lcobucci/jwt/zipball/a11ec5f4b4d75d1fcd04e133dede4c317aac9e18",
+                "reference": "a11ec5f4b4d75d1fcd04e133dede4c317aac9e18",
+                "shasum": ""
+            },
+            "require": {
+                "ext-mbstring": "*",
+                "ext-openssl": "*",
+                "php": "^5.6 || ^7.0"
+            },
+            "require-dev": {
+                "mikey179/vfsstream": "~1.5",
+                "phpmd/phpmd": "~2.2",
+                "phpunit/php-invoker": "~1.1",
+                "phpunit/phpunit": "^5.7 || ^7.3",
+                "squizlabs/php_codesniffer": "~2.3"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "3.1-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Lcobucci\\JWT\\": "src"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "BSD-3-Clause"
+            ],
+            "authors": [
+                {
+                    "name": "Luís Otávio Cobucci Oblonczyk",
+                    "email": "lcobucci@gmail.com",
+                    "role": "Developer"
+                }
+            ],
+            "description": "A simple library to work with JSON Web Token and JSON Web Signature",
+            "keywords": [
+                "JWS",
+                "jwt"
+            ],
+            "time": "2019-05-24T18:30:49+00:00"
+        },
+        {
+            "name": "league/event",
+            "version": "2.2.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/thephpleague/event.git",
+                "reference": "d2cc124cf9a3fab2bb4ff963307f60361ce4d119"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/thephpleague/event/zipball/d2cc124cf9a3fab2bb4ff963307f60361ce4d119",
+                "reference": "d2cc124cf9a3fab2bb4ff963307f60361ce4d119",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.4.0"
+            },
+            "require-dev": {
+                "henrikbjorn/phpspec-code-coverage": "~1.0.1",
+                "phpspec/phpspec": "^2.2"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "2.2-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "League\\Event\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Frank de Jonge",
+                    "email": "info@frenky.net"
+                }
+            ],
+            "description": "Event package",
+            "keywords": [
+                "emitter",
+                "event",
+                "listener"
+            ],
+            "time": "2018-11-26T11:52:41+00:00"
+        },
+        {
+            "name": "paragonie/random_compat",
+            "version": "v9.99.99",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/paragonie/random_compat.git",
+                "reference": "84b4dfb120c6f9b4ff7b3685f9b8f1aa365a0c95"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/paragonie/random_compat/zipball/84b4dfb120c6f9b4ff7b3685f9b8f1aa365a0c95",
+                "reference": "84b4dfb120c6f9b4ff7b3685f9b8f1aa365a0c95",
+                "shasum": ""
+            },
+            "require": {
+                "php": "^7"
+            },
+            "require-dev": {
+                "phpunit/phpunit": "4.*|5.*",
+                "vimeo/psalm": "^1"
+            },
+            "suggest": {
+                "ext-libsodium": "Provides a modern crypto API that can be used to generate random bytes."
+            },
+            "type": "library",
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Paragon Initiative Enterprises",
+                    "email": "security@paragonie.com",
+                    "homepage": "https://paragonie.com"
+                }
+            ],
+            "description": "PHP 5.x polyfill for random_bytes() and random_int() from PHP 7",
+            "keywords": [
+                "csprng",
+                "polyfill",
+                "pseudorandom",
+                "random"
+            ],
+            "time": "2018-07-02T15:55:56+00:00"
+        },
+        {
+            "name": "psr/http-factory",
+            "version": "1.0.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/php-fig/http-factory.git",
+                "reference": "12ac7fcd07e5b077433f5f2bee95b3a771bf61be"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/php-fig/http-factory/zipball/12ac7fcd07e5b077433f5f2bee95b3a771bf61be",
+                "reference": "12ac7fcd07e5b077433f5f2bee95b3a771bf61be",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=7.0.0",
+                "psr/http-message": "^1.0"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.0.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Psr\\Http\\Message\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "PHP-FIG",
+                    "homepage": "http://www.php-fig.org/"
+                }
+            ],
+            "description": "Common interfaces for PSR-7 HTTP message factories",
+            "keywords": [
+                "factory",
+                "http",
+                "message",
+                "psr",
+                "psr-17",
+                "psr-7",
+                "request",
+                "response"
+            ],
+            "time": "2019-04-30T12:38:16+00:00"
+        },
+        {
+            "name": "zendframework/zend-diactoros",
+            "version": "2.1.3",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/zendframework/zend-diactoros.git",
+                "reference": "279723778c40164bcf984a2df12ff2c6ec5e61c1"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/zendframework/zend-diactoros/zipball/279723778c40164bcf984a2df12ff2c6ec5e61c1",
+                "reference": "279723778c40164bcf984a2df12ff2c6ec5e61c1",
+                "shasum": ""
+            },
+            "require": {
+                "php": "^7.1",
+                "psr/http-factory": "^1.0",
+                "psr/http-message": "^1.0"
+            },
+            "provide": {
+                "psr/http-factory-implementation": "1.0",
+                "psr/http-message-implementation": "1.0"
+            },
+            "require-dev": {
+                "ext-dom": "*",
+                "ext-libxml": "*",
+                "http-interop/http-factory-tests": "^0.5.0",
+                "php-http/psr7-integration-tests": "dev-master",
+                "phpunit/phpunit": "^7.0.2",
+                "zendframework/zend-coding-standard": "~1.0.0"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "2.1.x-dev",
+                    "dev-develop": "2.2.x-dev",
+                    "dev-release-1.8": "1.8.x-dev"
+                }
+            },
+            "autoload": {
+                "files": [
+                    "src/functions/create_uploaded_file.php",
+                    "src/functions/marshal_headers_from_sapi.php",
+                    "src/functions/marshal_method_from_sapi.php",
+                    "src/functions/marshal_protocol_version_from_sapi.php",
+                    "src/functions/marshal_uri_from_sapi.php",
+                    "src/functions/normalize_server.php",
+                    "src/functions/normalize_uploaded_files.php",
+                    "src/functions/parse_cookie_header.php"
+                ],
+                "psr-4": {
+                    "Zend\\Diactoros\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "BSD-3-Clause"
+            ],
+            "description": "PSR HTTP Message implementations",
+            "keywords": [
+                "http",
+                "psr",
+                "psr-7"
+            ],
+            "time": "2019-07-10T16:13:25+00:00"
+        }
+    ],
+    "aliases": [],
+    "minimum-stability": "stable",
+    "stability-flags": [],
+    "prefer-stable": false,
+    "prefer-lowest": false,
+    "platform": [],
+    "platform-dev": []
+}

examples/public/api.php

@@ -0,0 +1,74 @@
+<?php
+
+use League\OAuth2\Server\ResourceServer;
+use OAuth2ServerExamples\Repositories\AccessTokenRepository;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Slim\App;
+
+include __DIR__ . '/../vendor/autoload.php';
+
+$app = new App([
+    // Add the resource server to the DI container
+    ResourceServer::class => function () {
+        $server = new ResourceServer(
+            new AccessTokenRepository(),            // instance of AccessTokenRepositoryInterface
+            'file://' . __DIR__ . '/../public.key'  // the authorization server's public key
+        );
+
+        return $server;
+    },
+]);
+
+// Add the resource server middleware which will intercept and validate requests
+$app->add(
+    new \League\OAuth2\Server\Middleware\ResourceServerMiddleware(
+        $app->getContainer()->get(ResourceServer::class)
+    )
+);
+
+// An example endpoint secured with OAuth 2.0
+$app->get(
+    '/users',
+    function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
+        $users = [
+            [
+                'id'    => 123,
+                'name'  => 'Alex',
+                'email' => 'alex@thephpleague.com',
+            ],
+            [
+                'id'    => 124,
+                'name'  => 'Frank',
+                'email' => 'frank@thephpleague.com',
+            ],
+            [
+                'id'    => 125,
+                'name'  => 'Phil',
+                'email' => 'phil@thephpleague.com',
+            ],
+        ];
+
+        $totalUsers = count($users);
+
+        // If the access token doesn't have the `basic` scope hide users' names
+        if (in_array('basic', $request->getAttribute('oauth_scopes')) === false) {
+            for ($i = 0; $i < $totalUsers; $i++) {
+                unset($users[$i]['name']);
+            }
+        }
+
+        // If the access token doesn't have the `email` scope hide users' email addresses
+        if (in_array('email', $request->getAttribute('oauth_scopes')) === false) {
+            for ($i = 0; $i < $totalUsers; $i++) {
+                unset($users[$i]['email']);
+            }
+        }
+
+        $response->getBody()->write(json_encode($users));
+
+        return $response->withStatus(200);
+    }
+);
+
+$app->run();

examples/public/auth_code.php

@@ -0,0 +1,107 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+use League\OAuth2\Server\AuthorizationServer;
+use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\Grant\AuthCodeGrant;
+use OAuth2ServerExamples\Entities\UserEntity;
+use OAuth2ServerExamples\Repositories\AccessTokenRepository;
+use OAuth2ServerExamples\Repositories\AuthCodeRepository;
+use OAuth2ServerExamples\Repositories\ClientRepository;
+use OAuth2ServerExamples\Repositories\RefreshTokenRepository;
+use OAuth2ServerExamples\Repositories\ScopeRepository;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Slim\App;
+use Zend\Diactoros\Stream;
+
+include __DIR__ . '/../vendor/autoload.php';
+
+$app = new App([
+    'settings'    => [
+        'displayErrorDetails' => true,
+    ],
+    AuthorizationServer::class => function () {
+        // Init our repositories
+        $clientRepository = new ClientRepository();
+        $scopeRepository = new ScopeRepository();
+        $accessTokenRepository = new AccessTokenRepository();
+        $authCodeRepository = new AuthCodeRepository();
+        $refreshTokenRepository = new RefreshTokenRepository();
+
+        $privateKeyPath = 'file://' . __DIR__ . '/../private.key';
+
+        // Setup the authorization server
+        $server = new AuthorizationServer(
+            $clientRepository,
+            $accessTokenRepository,
+            $scopeRepository,
+            $privateKeyPath,
+            'lxZFUEsBCJ2Yb14IF2ygAHI5N4+ZAUXXaSeeJm6+twsUmIen'
+        );
+
+        // Enable the authentication code grant on the server with a token TTL of 1 hour
+        $server->enableGrantType(
+            new AuthCodeGrant(
+                $authCodeRepository,
+                $refreshTokenRepository,
+                new \DateInterval('PT10M')
+            ),
+            new \DateInterval('PT1H')
+        );
+
+        return $server;
+    },
+]);
+
+$app->get('/authorize', function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
+    /* @var \League\OAuth2\Server\AuthorizationServer $server */
+    $server = $app->getContainer()->get(AuthorizationServer::class);
+
+    try {
+        // Validate the HTTP request and return an AuthorizationRequest object.
+        // The auth request object can be serialized into a user's session
+        $authRequest = $server->validateAuthorizationRequest($request);
+
+        // Once the user has logged in set the user on the AuthorizationRequest
+        $authRequest->setUser(new UserEntity());
+
+        // Once the user has approved or denied the client update the status
+        // (true = approved, false = denied)
+        $authRequest->setAuthorizationApproved(true);
+
+        // Return the HTTP redirect response
+        return $server->completeAuthorizationRequest($authRequest, $response);
+    } catch (OAuthServerException $exception) {
+        return $exception->generateHttpResponse($response);
+    } catch (\Exception $exception) {
+        $body = new Stream('php://temp', 'r+');
+        $body->write($exception->getMessage());
+
+        return $response->withStatus(500)->withBody($body);
+    }
+});
+
+$app->post('/access_token', function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
+    /* @var \League\OAuth2\Server\AuthorizationServer $server */
+    $server = $app->getContainer()->get(AuthorizationServer::class);
+
+    try {
+        return $server->respondToAccessTokenRequest($request, $response);
+    } catch (OAuthServerException $exception) {
+        return $exception->generateHttpResponse($response);
+    } catch (\Exception $exception) {
+        $body = new Stream('php://temp', 'r+');
+        $body->write($exception->getMessage());
+
+        return $response->withStatus(500)->withBody($body);
+    }
+});
+
+$app->run();

examples/public/client_credentials.php

@@ -0,0 +1,78 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+use League\OAuth2\Server\AuthorizationServer;
+use League\OAuth2\Server\Exception\OAuthServerException;
+use OAuth2ServerExamples\Repositories\AccessTokenRepository;
+use OAuth2ServerExamples\Repositories\ClientRepository;
+use OAuth2ServerExamples\Repositories\ScopeRepository;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Slim\App;
+use Zend\Diactoros\Stream;
+
+include __DIR__ . '/../vendor/autoload.php';
+
+$app = new App([
+    'settings'                 => [
+        'displayErrorDetails' => true,
+    ],
+    AuthorizationServer::class => function () {
+        // Init our repositories
+        $clientRepository = new ClientRepository(); // instance of ClientRepositoryInterface
+        $scopeRepository = new ScopeRepository(); // instance of ScopeRepositoryInterface
+        $accessTokenRepository = new AccessTokenRepository(); // instance of AccessTokenRepositoryInterface
+
+        // Path to public and private keys
+        $privateKey = 'file://' . __DIR__ . '/../private.key';
+        //$privateKey = new CryptKey('file://path/to/private.key', 'passphrase'); // if private key has a pass phrase
+
+        // Setup the authorization server
+        $server = new AuthorizationServer(
+            $clientRepository,
+            $accessTokenRepository,
+            $scopeRepository,
+            $privateKey,
+            'lxZFUEsBCJ2Yb14IF2ygAHI5N4+ZAUXXaSeeJm6+twsUmIen'
+        );
+
+        // Enable the client credentials grant on the server
+        $server->enableGrantType(
+            new \League\OAuth2\Server\Grant\ClientCredentialsGrant(),
+            new \DateInterval('PT1H') // access tokens will expire after 1 hour
+        );
+
+        return $server;
+    },
+]);
+
+$app->post('/access_token', function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
+
+    /* @var \League\OAuth2\Server\AuthorizationServer $server */
+    $server = $app->getContainer()->get(AuthorizationServer::class);
+
+    try {
+
+        // Try to respond to the request
+        return $server->respondToAccessTokenRequest($request, $response);
+    } catch (OAuthServerException $exception) {
+
+        // All instances of OAuthServerException can be formatted into a HTTP response
+        return $exception->generateHttpResponse($response);
+    } catch (\Exception $exception) {
+
+        // Unknown exception
+        $body = new Stream('php://temp', 'r+');
+        $body->write($exception->getMessage());
+
+        return $response->withStatus(500)->withBody($body);
+    }
+});
+
+$app->run();

examples/public/implicit.php

@@ -0,0 +1,80 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+use League\OAuth2\Server\AuthorizationServer;
+use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\Grant\ImplicitGrant;
+use OAuth2ServerExamples\Entities\UserEntity;
+use OAuth2ServerExamples\Repositories\AccessTokenRepository;
+use OAuth2ServerExamples\Repositories\ClientRepository;
+use OAuth2ServerExamples\Repositories\ScopeRepository;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Slim\App;
+use Zend\Diactoros\Stream;
+
+include __DIR__ . '/../vendor/autoload.php';
+
+$app = new App([
+    'settings'    => [
+        'displayErrorDetails' => true,
+    ],
+    AuthorizationServer::class => function () {
+        // Init our repositories
+        $clientRepository = new ClientRepository();
+        $scopeRepository = new ScopeRepository();
+        $accessTokenRepository = new AccessTokenRepository();
+
+        $privateKeyPath = 'file://' . __DIR__ . '/../private.key';
+
+        // Setup the authorization server
+        $server = new AuthorizationServer(
+            $clientRepository,
+            $accessTokenRepository,
+            $scopeRepository,
+            $privateKeyPath,
+            'lxZFUEsBCJ2Yb14IF2ygAHI5N4+ZAUXXaSeeJm6+twsUmIen'
+        );
+
+        // Enable the implicit grant on the server with a token TTL of 1 hour
+        $server->enableGrantType(new ImplicitGrant(new \DateInterval('PT1H')));
+
+        return $server;
+    },
+]);
+
+$app->get('/authorize', function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
+    /* @var \League\OAuth2\Server\AuthorizationServer $server */
+    $server = $app->getContainer()->get(AuthorizationServer::class);
+
+    try {
+        // Validate the HTTP request and return an AuthorizationRequest object.
+        // The auth request object can be serialized into a user's session
+        $authRequest = $server->validateAuthorizationRequest($request);
+
+        // Once the user has logged in set the user on the AuthorizationRequest
+        $authRequest->setUser(new UserEntity());
+
+        // Once the user has approved or denied the client update the status
+        // (true = approved, false = denied)
+        $authRequest->setAuthorizationApproved(true);
+
+        // Return the HTTP redirect response
+        return $server->completeAuthorizationRequest($authRequest, $response);
+    } catch (OAuthServerException $exception) {
+        return $exception->generateHttpResponse($response);
+    } catch (\Exception $exception) {
+        $body = new Stream('php://temp', 'r+');
+        $body->write($exception->getMessage());
+
+        return $response->withStatus(500)->withBody($body);
+    }
+});
+
+$app->run();

examples/public/middleware_use.php

@@ -0,0 +1,109 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+use League\OAuth2\Server\AuthorizationServer;
+use League\OAuth2\Server\Grant\AuthCodeGrant;
+use League\OAuth2\Server\Grant\RefreshTokenGrant;
+use League\OAuth2\Server\Middleware\AuthorizationServerMiddleware;
+use League\OAuth2\Server\Middleware\ResourceServerMiddleware;
+use League\OAuth2\Server\ResourceServer;
+use OAuth2ServerExamples\Repositories\AccessTokenRepository;
+use OAuth2ServerExamples\Repositories\AuthCodeRepository;
+use OAuth2ServerExamples\Repositories\ClientRepository;
+use OAuth2ServerExamples\Repositories\RefreshTokenRepository;
+use OAuth2ServerExamples\Repositories\ScopeRepository;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Slim\App;
+use Zend\Diactoros\Stream;
+
+include __DIR__ . '/../vendor/autoload.php';
+
+$app = new App([
+    'settings'                 => [
+        'displayErrorDetails' => true,
+    ],
+    AuthorizationServer::class => function () {
+        // Init our repositories
+        $clientRepository = new ClientRepository();
+        $accessTokenRepository = new AccessTokenRepository();
+        $scopeRepository = new ScopeRepository();
+        $authCodeRepository = new AuthCodeRepository();
+        $refreshTokenRepository = new RefreshTokenRepository();
+
+        $privateKeyPath = 'file://' . __DIR__ . '/../private.key';
+
+        // Setup the authorization server
+        $server = new AuthorizationServer(
+            $clientRepository,
+            $accessTokenRepository,
+            $scopeRepository,
+            $privateKeyPath,
+            'lxZFUEsBCJ2Yb14IF2ygAHI5N4+ZAUXXaSeeJm6+twsUmIen'
+        );
+
+        // Enable the authentication code grant on the server with a token TTL of 1 hour
+        $server->enableGrantType(
+            new AuthCodeGrant(
+                $authCodeRepository,
+                $refreshTokenRepository,
+                new \DateInterval('PT10M')
+            ),
+            new \DateInterval('PT1H')
+        );
+
+        // Enable the refresh token grant on the server with a token TTL of 1 month
+        $server->enableGrantType(
+            new RefreshTokenGrant($refreshTokenRepository),
+            new \DateInterval('P1M')
+        );
+
+        return $server;
+    },
+    ResourceServer::class => function () {
+        $publicKeyPath = 'file://' . __DIR__ . '/../public.key';
+
+        $server = new ResourceServer(
+            new AccessTokenRepository(),
+            $publicKeyPath
+        );
+
+        return $server;
+    },
+]);
+
+// Access token issuer
+$app->post('/access_token', function () {
+})->add(new AuthorizationServerMiddleware($app->getContainer()->get(AuthorizationServer::class)));
+
+// Secured API
+$app->group('/api', function () {
+    $this->get('/user', function (ServerRequestInterface $request, ResponseInterface $response) {
+        $params = [];
+
+        if (in_array('basic', $request->getAttribute('oauth_scopes', []))) {
+            $params = [
+                'id'   => 1,
+                'name' => 'Alex',
+                'city' => 'London',
+            ];
+        }
+
+        if (in_array('email', $request->getAttribute('oauth_scopes', []))) {
+            $params['email'] = 'alex@example.com';
+        }
+
+        $body = new Stream('php://temp', 'r+');
+        $body->write(json_encode($params));
+
+        return $response->withBody($body);
+    });
+})->add(new ResourceServerMiddleware($app->getContainer()->get(ResourceServer::class)));
+
+$app->run();

examples/public/password.php

@@ -0,0 +1,72 @@
+<?php
+
+use League\OAuth2\Server\AuthorizationServer;
+use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\Grant\PasswordGrant;
+use OAuth2ServerExamples\Repositories\AccessTokenRepository;
+use OAuth2ServerExamples\Repositories\ClientRepository;
+use OAuth2ServerExamples\Repositories\RefreshTokenRepository;
+use OAuth2ServerExamples\Repositories\ScopeRepository;
+use OAuth2ServerExamples\Repositories\UserRepository;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Slim\App;
+
+include __DIR__ . '/../vendor/autoload.php';
+
+$app = new App([
+    // Add the authorization server to the DI container
+    AuthorizationServer::class => function () {
+
+        // Setup the authorization server
+        $server = new AuthorizationServer(
+            new ClientRepository(),                 // instance of ClientRepositoryInterface
+            new AccessTokenRepository(),            // instance of AccessTokenRepositoryInterface
+            new ScopeRepository(),                  // instance of ScopeRepositoryInterface
+            'file://' . __DIR__ . '/../private.key',    // path to private key
+            'lxZFUEsBCJ2Yb14IF2ygAHI5N4+ZAUXXaSeeJm6+twsUmIen'      // encryption key
+        );
+
+        $grant = new PasswordGrant(
+            new UserRepository(),           // instance of UserRepositoryInterface
+            new RefreshTokenRepository()    // instance of RefreshTokenRepositoryInterface
+        );
+        $grant->setRefreshTokenTTL(new \DateInterval('P1M')); // refresh tokens will expire after 1 month
+
+        // Enable the password grant on the server with a token TTL of 1 hour
+        $server->enableGrantType(
+            $grant,
+            new \DateInterval('PT1H') // access tokens will expire after 1 hour
+        );
+
+        return $server;
+    },
+]);
+
+$app->post(
+    '/access_token',
+    function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
+
+        /* @var \League\OAuth2\Server\AuthorizationServer $server */
+        $server = $app->getContainer()->get(AuthorizationServer::class);
+
+        try {
+
+            // Try to respond to the access token request
+            return $server->respondToAccessTokenRequest($request, $response);
+        } catch (OAuthServerException $exception) {
+
+            // All instances of OAuthServerException can be converted to a PSR-7 response
+            return $exception->generateHttpResponse($response);
+        } catch (\Exception $exception) {
+
+            // Catch unexpected exceptions
+            $body = $response->getBody();
+            $body->write($exception->getMessage());
+
+            return $response->withStatus(500)->withBody($body);
+        }
+    }
+);
+
+$app->run();

examples/public/refresh_token.php

@@ -0,0 +1,73 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+use League\OAuth2\Server\AuthorizationServer;
+use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\Grant\RefreshTokenGrant;
+use OAuth2ServerExamples\Repositories\AccessTokenRepository;
+use OAuth2ServerExamples\Repositories\ClientRepository;
+use OAuth2ServerExamples\Repositories\RefreshTokenRepository;
+use OAuth2ServerExamples\Repositories\ScopeRepository;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Slim\App;
+
+include __DIR__ . '/../vendor/autoload.php';
+
+$app = new App([
+    'settings'    => [
+        'displayErrorDetails' => true,
+    ],
+    AuthorizationServer::class => function () {
+        // Init our repositories
+        $clientRepository = new ClientRepository();
+        $accessTokenRepository = new AccessTokenRepository();
+        $scopeRepository = new ScopeRepository();
+        $refreshTokenRepository = new RefreshTokenRepository();
+
+        $privateKeyPath = 'file://' . __DIR__ . '/../private.key';
+
+        // Setup the authorization server
+        $server = new AuthorizationServer(
+            $clientRepository,
+            $accessTokenRepository,
+            $scopeRepository,
+            $privateKeyPath,
+            'lxZFUEsBCJ2Yb14IF2ygAHI5N4+ZAUXXaSeeJm6+twsUmIen'
+        );
+
+        // Enable the refresh token grant on the server
+        $grant = new RefreshTokenGrant($refreshTokenRepository);
+        $grant->setRefreshTokenTTL(new \DateInterval('P1M')); // The refresh token will expire in 1 month
+
+        $server->enableGrantType(
+            $grant,
+            new \DateInterval('PT1H') // The new access token will expire after 1 hour
+        );
+
+        return $server;
+    },
+]);
+
+$app->post('/access_token', function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
+    /* @var \League\OAuth2\Server\AuthorizationServer $server */
+    $server = $app->getContainer()->get(AuthorizationServer::class);
+
+    try {
+        return $server->respondToAccessTokenRequest($request, $response);
+    } catch (OAuthServerException $exception) {
+        return $exception->generateHttpResponse($response);
+    } catch (\Exception $exception) {
+        $response->getBody()->write($exception->getMessage());
+
+        return $response->withStatus(500);
+    }
+});
+
+$app->run();

examples/relational/Model/Users.php

@@ -1,25 +0,0 @@
-<?php
-
-namespace RelationalExample\Model;
-
-use Illuminate\Database\Capsule\Manager as Capsule;
-
-class Users
-{
-    public function get($username = null)
-    {
-        $query = Capsule::table('users')->select(['username', 'password', 'name', 'email', 'photo']);
-
-        if ($username !== null) {
-            $query->where('username', '=', $username);
-        }
-
-        $result = $query->get();
-
-        if (count($result) > 0) {
-            return $result;
-        }
-
-        return;
-    }
-}

examples/relational/Storage/AccessTokenStorage.php

@@ -1,93 +0,0 @@
-<?php
-
-namespace RelationalExample\Storage;
-
-use Illuminate\Database\Capsule\Manager as Capsule;
-use League\OAuth2\Server\Entity\AccessTokenEntity;
-use League\OAuth2\Server\Entity\ScopeEntity;
-use League\OAuth2\Server\Storage\AbstractStorage;
-use League\OAuth2\Server\Storage\AccessTokenInterface;
-
-class AccessTokenStorage extends AbstractStorage implements AccessTokenInterface
-{
-    /**
-     * {@inheritdoc}
-     */
-    public function get($token)
-    {
-        $result = Capsule::table('oauth_access_tokens')
-                            ->where('access_token', $token)
-                            ->get();
-
-        if (count($result) === 1) {
-            $token = (new AccessTokenEntity($this->server))
-                        ->setId($result[0]['access_token'])
-                        ->setExpireTime($result[0]['expire_time']);
-
-            return $token;
-        }
-
-        return;
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function getScopes(AccessTokenEntity $token)
-    {
-        $result = Capsule::table('oauth_access_token_scopes')
-                                    ->select(['oauth_scopes.id', 'oauth_scopes.description'])
-                                    ->join('oauth_scopes', 'oauth_access_token_scopes.scope', '=', 'oauth_scopes.id')
-                                    ->where('access_token', $token->getId())
-                                    ->get();
-
-        $response = [];
-
-        if (count($result) > 0) {
-            foreach ($result as $row) {
-                $scope = (new ScopeEntity($this->server))->hydrate([
-                    'id'            =>  $row['id'],
-                    'description'   =>  $row['description'],
-                ]);
-                $response[] = $scope;
-            }
-        }
-
-        return $response;
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function create($token, $expireTime, $sessionId)
-    {
-        Capsule::table('oauth_access_tokens')
-                    ->insert([
-                        'access_token'     =>  $token,
-                        'session_id'    =>  $sessionId,
-                        'expire_time'   =>  $expireTime,
-                    ]);
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function associateScope(AccessTokenEntity $token, ScopeEntity $scope)
-    {
-        Capsule::table('oauth_access_token_scopes')
-                    ->insert([
-                        'access_token'  =>  $token->getId(),
-                        'scope' =>  $scope->getId(),
-                    ]);
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function delete(AccessTokenEntity $token)
-    {
-        Capsule::table('oauth_access_tokens')
-                    ->where('access_token', $token->getId())
-                    ->delete();
-    }
-}

examples/relational/Storage/AuthCodeStorage.php

@@ -1,93 +0,0 @@
-<?php
-
-namespace RelationalExample\Storage;
-
-use Illuminate\Database\Capsule\Manager as Capsule;
-use League\OAuth2\Server\Entity\AuthCodeEntity;
-use League\OAuth2\Server\Entity\ScopeEntity;
-use League\OAuth2\Server\Storage\AbstractStorage;
-use League\OAuth2\Server\Storage\AuthCodeInterface;
-
-class AuthCodeStorage extends AbstractStorage implements AuthCodeInterface
-{
-    /**
-     * {@inheritdoc}
-     */
-    public function get($code)
-    {
-        $result = Capsule::table('oauth_auth_codes')
-                            ->where('auth_code', $code)
-                            ->where('expire_time', '>=', time())
-                            ->get();
-
-        if (count($result) === 1) {
-            $token = new AuthCodeEntity($this->server);
-            $token->setId($result[0]['auth_code']);
-            $token->setRedirectUri($result[0]['client_redirect_uri']);
-            $token->setExpireTime($result[0]['expire_time']);
-
-            return $token;
-        }
-
-        return;
-    }
-
-    public function create($token, $expireTime, $sessionId, $redirectUri)
-    {
-        Capsule::table('oauth_auth_codes')
-                    ->insert([
-                        'auth_code'     =>  $token,
-                        'client_redirect_uri'  =>  $redirectUri,
-                        'session_id'    =>  $sessionId,
-                        'expire_time'   =>  $expireTime,
-                    ]);
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function getScopes(AuthCodeEntity $token)
-    {
-        $result = Capsule::table('oauth_auth_code_scopes')
-                                    ->select(['oauth_scopes.id', 'oauth_scopes.description'])
-                                    ->join('oauth_scopes', 'oauth_auth_code_scopes.scope', '=', 'oauth_scopes.id')
-                                    ->where('auth_code', $token->getId())
-                                    ->get();
-
-        $response = [];
-
-        if (count($result) > 0) {
-            foreach ($result as $row) {
-                $scope = (new ScopeEntity($this->server))->hydrate([
-                    'id'            =>  $row['id'],
-                    'description'   =>  $row['description'],
-                ]);
-                $response[] = $scope;
-            }
-        }
-
-        return $response;
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function associateScope(AuthCodeEntity $token, ScopeEntity $scope)
-    {
-        Capsule::table('oauth_auth_code_scopes')
-                    ->insert([
-                        'auth_code' =>  $token->getId(),
-                        'scope'     =>  $scope->getId(),
-                    ]);
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function delete(AuthCodeEntity $token)
-    {
-        Capsule::table('oauth_auth_codes')
-                    ->where('auth_code', $token->getId())
-                    ->delete();
-    }
-}

examples/relational/Storage/ClientStorage.php

@@ -1,70 +0,0 @@
-<?php
-
-namespace RelationalExample\Storage;
-
-use Illuminate\Database\Capsule\Manager as Capsule;
-use League\OAuth2\Server\Entity\ClientEntity;
-use League\OAuth2\Server\Entity\SessionEntity;
-use League\OAuth2\Server\Storage\AbstractStorage;
-use League\OAuth2\Server\Storage\ClientInterface;
-
-class ClientStorage extends AbstractStorage implements ClientInterface
-{
-    /**
-     * {@inheritdoc}
-     */
-    public function get($clientId, $clientSecret = null, $redirectUri = null, $grantType = null)
-    {
-        $query = Capsule::table('oauth_clients')
-                          ->select('oauth_clients.*')
-                          ->where('oauth_clients.id', $clientId);
-
-        if ($clientSecret !== null) {
-            $query->where('oauth_clients.secret', $clientSecret);
-        }
-
-        if ($redirectUri) {
-            $query->join('oauth_client_redirect_uris', 'oauth_clients.id', '=', 'oauth_client_redirect_uris.client_id')
-                  ->select(['oauth_clients.*', 'oauth_client_redirect_uris.*'])
-                  ->where('oauth_client_redirect_uris.redirect_uri', $redirectUri);
-        }
-
-        $result = $query->get();
-
-        if (count($result) === 1) {
-            $client = new ClientEntity($this->server);
-            $client->hydrate([
-                'id'    =>  $result[0]['id'],
-                'name'  =>  $result[0]['name'],
-            ]);
-
-            return $client;
-        }
-
-        return;
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function getBySession(SessionEntity $session)
-    {
-        $result = Capsule::table('oauth_clients')
-                            ->select(['oauth_clients.id', 'oauth_clients.name'])
-                            ->join('oauth_sessions', 'oauth_clients.id', '=', 'oauth_sessions.client_id')
-                            ->where('oauth_sessions.id', $session->getId())
-                            ->get();
-
-        if (count($result) === 1) {
-            $client = new ClientEntity($this->server);
-            $client->hydrate([
-                'id'    =>  $result[0]['id'],
-                'name'  =>  $result[0]['name'],
-            ]);
-
-            return $client;
-        }
-
-        return;
-    }
-}

examples/relational/Storage/RefreshTokenStorage.php

@@ -1,55 +0,0 @@
-<?php
-
-namespace RelationalExample\Storage;
-
-use Illuminate\Database\Capsule\Manager as Capsule;
-use League\OAuth2\Server\Entity\RefreshTokenEntity;
-use League\OAuth2\Server\Storage\AbstractStorage;
-use League\OAuth2\Server\Storage\RefreshTokenInterface;
-
-class RefreshTokenStorage extends AbstractStorage implements RefreshTokenInterface
-{
-    /**
-     * {@inheritdoc}
-     */
-    public function get($token)
-    {
-        $result = Capsule::table('oauth_refresh_tokens')
-                            ->where('refresh_token', $token)
-                            ->get();
-
-        if (count($result) === 1) {
-            $token = (new RefreshTokenEntity($this->server))
-                        ->setId($result[0]['refresh_token'])
-                        ->setExpireTime($result[0]['expire_time'])
-                        ->setAccessTokenId($result[0]['access_token']);
-
-            return $token;
-        }
-
-        return;
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function create($token, $expireTime, $accessToken)
-    {
-        Capsule::table('oauth_refresh_tokens')
-                    ->insert([
-                        'refresh_token'     =>  $token,
-                        'access_token'    =>  $accessToken,
-                        'expire_time'   =>  $expireTime,
-                    ]);
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function delete(RefreshTokenEntity $token)
-    {
-        Capsule::table('oauth_refresh_tokens')
-                            ->where('refresh_token', $token->getId())
-                            ->delete();
-    }
-}

examples/relational/Storage/ScopeStorage.php

@@ -1,30 +0,0 @@
-<?php
-
-namespace RelationalExample\Storage;
-
-use Illuminate\Database\Capsule\Manager as Capsule;
-use League\OAuth2\Server\Entity\ScopeEntity;
-use League\OAuth2\Server\Storage\AbstractStorage;
-use League\OAuth2\Server\Storage\ScopeInterface;
-
-class ScopeStorage extends AbstractStorage implements ScopeInterface
-{
-    /**
-     * {@inheritdoc}
-     */
-    public function get($scope, $grantType = null, $clientId = null)
-    {
-        $result = Capsule::table('oauth_scopes')
-                                ->where('id', $scope)
-                                ->get();
-
-        if (count($result) === 0) {
-            return;
-        }
-
-        return (new ScopeEntity($this->server))->hydrate([
-            'id'            =>  $result[0]['id'],
-            'description'   =>  $result[0]['description'],
-        ]);
-    }
-}

examples/relational/Storage/SessionStorage.php

@@ -1,109 +0,0 @@
-<?php
-
-namespace RelationalExample\Storage;
-
-use Illuminate\Database\Capsule\Manager as Capsule;
-use League\OAuth2\Server\Entity\AccessTokenEntity;
-use League\OAuth2\Server\Entity\AuthCodeEntity;
-use League\OAuth2\Server\Entity\ScopeEntity;
-use League\OAuth2\Server\Entity\SessionEntity;
-use League\OAuth2\Server\Storage\AbstractStorage;
-use League\OAuth2\Server\Storage\SessionInterface;
-
-class SessionStorage extends AbstractStorage implements SessionInterface
-{
-    /**
-     * {@inheritdoc}
-     */
-    public function getByAccessToken(AccessTokenEntity $accessToken)
-    {
-        $result = Capsule::table('oauth_sessions')
-                            ->select(['oauth_sessions.id', 'oauth_sessions.owner_type', 'oauth_sessions.owner_id', 'oauth_sessions.client_id', 'oauth_sessions.client_redirect_uri'])
-                            ->join('oauth_access_tokens', 'oauth_access_tokens.session_id', '=', 'oauth_sessions.id')
-                            ->where('oauth_access_tokens.access_token', $accessToken->getId())
-                            ->get();
-
-        if (count($result) === 1) {
-            $session = new SessionEntity($this->server);
-            $session->setId($result[0]['id']);
-            $session->setOwner($result[0]['owner_type'], $result[0]['owner_id']);
-
-            return $session;
-        }
-
-        return;
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function getByAuthCode(AuthCodeEntity $authCode)
-    {
-        $result = Capsule::table('oauth_sessions')
-                            ->select(['oauth_sessions.id', 'oauth_sessions.owner_type', 'oauth_sessions.owner_id', 'oauth_sessions.client_id', 'oauth_sessions.client_redirect_uri'])
-                            ->join('oauth_auth_codes', 'oauth_auth_codes.session_id', '=', 'oauth_sessions.id')
-                            ->where('oauth_auth_codes.auth_code', $authCode->getId())
-                            ->get();
-
-        if (count($result) === 1) {
-            $session = new SessionEntity($this->server);
-            $session->setId($result[0]['id']);
-            $session->setOwner($result[0]['owner_type'], $result[0]['owner_id']);
-
-            return $session;
-        }
-
-        return;
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function getScopes(SessionEntity $session)
-    {
-        $result = Capsule::table('oauth_sessions')
-                            ->select('oauth_scopes.*')
-                            ->join('oauth_session_scopes', 'oauth_sessions.id', '=', 'oauth_session_scopes.session_id')
-                            ->join('oauth_scopes', 'oauth_scopes.id', '=', 'oauth_session_scopes.scope')
-                            ->where('oauth_sessions.id', $session->getId())
-                            ->get();
-
-        $scopes = [];
-
-        foreach ($result as $scope) {
-            $scopes[] = (new ScopeEntity($this->server))->hydrate([
-                'id'            =>  $scope['id'],
-                'description'   =>  $scope['description'],
-            ]);
-        }
-
-        return $scopes;
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function create($ownerType, $ownerId, $clientId, $clientRedirectUri = null)
-    {
-        $id = Capsule::table('oauth_sessions')
-                        ->insertGetId([
-                            'owner_type'  =>    $ownerType,
-                            'owner_id'    =>    $ownerId,
-                            'client_id'   =>    $clientId,
-                        ]);
-
-        return $id;
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function associateScope(SessionEntity $session, ScopeEntity $scope)
-    {
-        Capsule::table('oauth_session_scopes')
-                            ->insert([
-                                'session_id'    =>  $session->getId(),
-                                'scope'         =>  $scope->getId(),
-                            ]);
-    }
-}

examples/relational/api.php

@@ -1,130 +0,0 @@
-<?php
-
-use League\OAuth2\Server\ResourceServer;
-use Orno\Http\Exception\NotFoundException;
-use Orno\Http\Request;
-use Orno\Http\Response;
-use RelationalExample\Model;
-use RelationalExample\Storage;
-
-include __DIR__.'/vendor/autoload.php';
-
-// Set up the OAuth 2.0 resource server
-$sessionStorage = new Storage\SessionStorage();
-$accessTokenStorage = new Storage\AccessTokenStorage();
-$clientStorage = new Storage\ClientStorage();
-$scopeStorage = new Storage\ScopeStorage();
-
-$server = new ResourceServer(
-    $sessionStorage,
-    $accessTokenStorage,
-    $clientStorage,
-    $scopeStorage
-);
-
-// Routing setup
-$request = (new Request())->createFromGlobals();
-$router = new \Orno\Route\RouteCollection();
-
-// GET /tokeninfo
-$router->get('/tokeninfo', function (Request $request) use ($server) {
-
-    $accessToken = $server->getAccessToken();
-    $session = $server->getSessionStorage()->getByAccessToken($accessToken);
-    $token = [
-        'owner_id' => $session->getOwnerId(),
-        'owner_type' => $session->getOwnerType(),
-        'access_token' => $accessToken,
-        'client_id' => $session->getClient()->getId(),
-        'scopes' => $accessToken->getScopes(),
-    ];
-
-    return new Response(json_encode($token));
-
-});
-
-// GET /users
-$router->get('/users', function (Request $request) use ($server) {
-
-    $results = (new Model\Users())->get();
-
-    $users = [];
-
-    foreach ($results as $result) {
-        $user = [
-            'username'  =>  $result['username'],
-            'name'      =>  $result['name'],
-        ];
-
-        if ($server->getAccessToken()->hasScope('email')) {
-            $user['email'] = $result['email'];
-        }
-
-        if ($server->getAccessToken()->hasScope('photo')) {
-            $user['photo'] = $result['photo'];
-        }
-
-        $users[] = $user;
-    }
-
-    return new Response(json_encode($users));
-});
-
-// GET /users/{username}
-$router->get('/users/{username}', function (Request $request, Response $response, array $args) use ($server) {
-
-    $result = (new Model\Users())->get($args['username']);
-
-    if (count($result) === 0) {
-        throw new NotFoundException();
-    }
-
-    $user = [
-        'username'  =>  $result[0]['username'],
-        'name'      =>  $result[0]['name'],
-    ];
-
-    if ($server->getAccessToken()->hasScope('email')) {
-        $user['email'] = $result[0]['email'];
-    }
-
-    if ($server->getAccessToken()->hasScope('photo')) {
-        $user['photo'] = $result[0]['photo'];
-    }
-
-    return new Response(json_encode($user));
-});
-
-$dispatcher = $router->getDispatcher();
-
-try {
-    // Check that access token is present
-    $server->isValidRequest(false);
-
-    // A successful response
-    $response = $dispatcher->dispatch(
-        $request->getMethod(),
-        $request->getPathInfo()
-    );
-} catch (\Orno\Http\Exception $e) {
-    // A failed response
-    $response = $e->getJsonResponse();
-    $response->setContent(json_encode(['status_code' => $e->getStatusCode(), 'message' => $e->getMessage()]));
-} catch (\League\OAuth2\Server\Exception\OAuthException $e) {
-    $response = new Response(json_encode([
-        'error'     =>  $e->errorType,
-        'message'   =>  $e->getMessage(),
-    ]), $e->httpStatusCode);
-
-    foreach ($e->getHttpHeaders() as $header) {
-        $response->headers($header);
-    }
-} catch (\Exception $e) {
-    $response = new Orno\Http\Response();
-    $response->setStatusCode(500);
-    $response->setContent(json_encode(['status_code' => 500, 'message' => $e->getMessage()]));
-} finally {
-    // Return the response
-    $response->headers->set('Content-type', 'application/json');
-    $response->send();
-}

examples/relational/authcode_grant.php

@@ -1,117 +0,0 @@
-<?php
-
-use Orno\Http\Request;
-use Orno\Http\Response;
-use RelationalExample\Storage;
-
-include __DIR__.'/vendor/autoload.php';
-
-// Routing setup
-$request = (new Request())->createFromGlobals();
-$router = new \Orno\Route\RouteCollection();
-$router->setStrategy(\Orno\Route\RouteStrategyInterface::RESTFUL_STRATEGY);
-
-// Set up the OAuth 2.0 authorization server
-$server = new \League\OAuth2\Server\AuthorizationServer();
-$server->setSessionStorage(new Storage\SessionStorage());
-$server->setAccessTokenStorage(new Storage\AccessTokenStorage());
-$server->setRefreshTokenStorage(new Storage\RefreshTokenStorage());
-$server->setClientStorage(new Storage\ClientStorage());
-$server->setScopeStorage(new Storage\ScopeStorage());
-$server->setAuthCodeStorage(new Storage\AuthCodeStorage());
-
-$authCodeGrant = new \League\OAuth2\Server\Grant\AuthCodeGrant();
-$server->addGrantType($authCodeGrant);
-
-$refrehTokenGrant = new \League\OAuth2\Server\Grant\RefreshTokenGrant();
-$server->addGrantType($refrehTokenGrant);
-
-// Routing setup
-$request = (new Request())->createFromGlobals();
-$router = new \Orno\Route\RouteCollection();
-
-$router->get('/authorize', function (Request $request) use ($server) {
-
-    // First ensure the parameters in the query string are correct
-
-    try {
-        $authParams = $server->getGrantType('authorization_code')->checkAuthorizeParams();
-    } catch (\Exception $e) {
-        return new Response(
-            json_encode([
-                'error'     =>  $e->errorType,
-                'message'   =>  $e->getMessage(),
-            ]),
-            $e->httpStatusCode,
-            $e->getHttpHeaders()
-        );
-    }
-
-    // Normally at this point you would show the user a sign-in screen and ask them to authorize the requested scopes
-
-    // ...
-
-    // ...
-
-    // ...
-
-    // Create a new authorize request which will respond with a redirect URI that the user will be redirected to
-
-    $redirectUri = $server->getGrantType('authorization_code')->newAuthorizeRequest('user', 1, $authParams);
-
-    $response = new Response('', 200, [
-        'Location'  =>  $redirectUri
-    ]);
-
-    return $response;
-});
-
-$router->post('/access_token', function (Request $request) use ($server) {
-
-    try {
-        $response = $server->issueAccessToken();
-
-        return new Response(json_encode($response), 200);
-    } catch (\Exception $e) {
-        return new Response(
-            json_encode([
-                'error'     =>  $e->errorType,
-                'message'   =>  $e->getMessage(),
-            ]),
-            $e->httpStatusCode,
-            $e->getHttpHeaders()
-        );
-    }
-
-});
-
-$dispatcher = $router->getDispatcher();
-
-try {
-    // A successful response
-    $response = $dispatcher->dispatch(
-        $request->getMethod(),
-        $request->getPathInfo()
-    );
-} catch (\Orno\Http\Exception $e) {
-    // A failed response
-    $response = $e->getJsonResponse();
-    $response->setContent(json_encode(['status_code' => $e->getStatusCode(), 'message' => $e->getMessage()]));
-} catch (\League\OAuth2\Server\Exception\OAuthException $e) {
-    $response = new Response(json_encode([
-        'error'     =>  $e->errorType,
-        'message'   =>  $e->getMessage(),
-    ]), $e->httpStatusCode);
-
-    foreach ($e->getHttpHeaders() as $header) {
-        $response->headers($header);
-    }
-} catch (\Exception $e) {
-    $response = new Orno\Http\Response();
-    $response->setStatusCode(500);
-    $response->setContent(json_encode(['status_code' => 500, 'message' => $e->getMessage()]));
-} finally {
-    // Return the response
-    $response->headers->set('Content-type', 'application/json');
-    $response->send();
-}

examples/relational/composer.json

@@ -1,17 +0,0 @@
-{
-    "require": {
-        "illuminate/database": "4.1.*",
-        "orno/route": "1.*",
-        "ircmaxell/password-compat": "1.0.2",
-        "league/event": "0.2.0"
-    },
-    "autoload": {
-        "psr-4": {
-            "League\\OAuth2\\Server\\": "../../src/",
-            "RelationalExample\\": "."
-        },
-        "files": [
-            "config/db.php"
-        ]
-    }
-}

examples/relational/config/db.php

@@ -1,18 +0,0 @@
-<?php
-
-namespace RelationalExample\Config;
-
-use Illuminate\Database\Capsule\Manager as Capsule;
-
-include __DIR__.'/../vendor/autoload.php';
-
-$capsule = new Capsule();
-
-$capsule->addConnection([
-    'driver'    => 'sqlite',
-    'database'  => __DIR__.'/oauth2.sqlite3',
-    'charset'   => 'utf8',
-    'collation' => 'utf8_unicode_ci',
-]);
-
-$capsule->setAsGlobal();

examples/relational/config/init.php

@@ -1,249 +0,0 @@
-<?php
-
-namespace RelationalExample\Config;
-
-use Illuminate\Database\Capsule\Manager as Capsule;
-
-include __DIR__.'/../vendor/autoload.php';
-
-@unlink(__DIR__.'/oauth2.sqlite3');
-touch(__DIR__.'/oauth2.sqlite3');
-
-Capsule::statement('PRAGMA foreign_keys = ON');
-
-/******************************************************************************/
-
-print 'Creating users table'.PHP_EOL;
-
-Capsule::schema()->create('users', function ($table) {
-    $table->increments('id');
-    $table->string('username');
-    $table->string('password');
-    $table->string('name');
-    $table->string('email');
-    $table->string('photo');
-});
-
-Capsule::table('users')->insert([
-    'username'  =>  'alexbilbie',
-    'password'  =>  password_hash('whisky', PASSWORD_DEFAULT),
-    'name'      =>  'Alex Bilbie',
-    'email'     =>  'hello@alexbilbie.com',
-    'photo'     =>  'https://s.gravatar.com/avatar/14902eb1dac66b8458ebbb481d80f0a3',
-]);
-
-Capsule::table('users')->insert([
-    'username'  =>  'philsturgeon',
-    'password'  =>  password_hash('cider', PASSWORD_DEFAULT),
-    'name'      =>  'Phil Sturgeon',
-    'email'     =>  'email@philsturgeon.co.uk',
-    'photo'     =>  'https://s.gravatar.com/avatar/14df293d6c5cd6f05996dfc606a6a951',
-]);
-
-/******************************************************************************/
-
-print 'Creating clients table'.PHP_EOL;
-
-Capsule::schema()->create('oauth_clients', function ($table) {
-    $table->string('id');
-    $table->string('secret');
-    $table->string('name');
-    $table->primary('id');
-});
-
-Capsule::table('oauth_clients')->insert([
-    'id'        =>  'testclient',
-    'secret'    =>  'secret',
-    'name'      =>  'Test Client',
-]);
-
-/******************************************************************************/
-
-print 'Creating client redirect uris table'.PHP_EOL;
-
-Capsule::schema()->create('oauth_client_redirect_uris', function ($table) {
-    $table->increments('id');
-    $table->string('client_id');
-    $table->string('redirect_uri');
-});
-
-Capsule::table('oauth_client_redirect_uris')->insert([
-    'client_id'     =>  'testclient',
-    'redirect_uri'  =>  'http://example.com/redirect',
-]);
-
-/******************************************************************************/
-
-print 'Creating scopes table'.PHP_EOL;
-
-Capsule::schema()->create('oauth_scopes', function ($table) {
-    $table->string('id');
-    $table->string('description');
-    $table->primary('id');
-});
-
-Capsule::table('oauth_scopes')->insert([
-    'id'            =>  'basic',
-    'description'   =>  'Basic details about your account',
-]);
-
-Capsule::table('oauth_scopes')->insert([
-    'id'            =>  'email',
-    'description'   =>  'Your email address',
-]);
-
-Capsule::table('oauth_scopes')->insert([
-    'id'            =>  'photo',
-    'description'   =>  'Your photo',
-]);
-
-/******************************************************************************/
-
-print 'Creating sessions table'.PHP_EOL;
-
-Capsule::schema()->create('oauth_sessions', function ($table) {
-    $table->increments('id')->unsigned();
-    $table->string('owner_type');
-    $table->string('owner_id');
-    $table->string('client_id');
-    $table->string('client_redirect_uri')->nullable();
-
-    $table->foreign('client_id')->references('id')->on('oauth_clients')->onDelete('cascade');
-});
-
-Capsule::table('oauth_sessions')->insert([
-    'owner_type'    =>  'client',
-    'owner_id'      =>  'testclient',
-    'client_id'     =>  'testclient',
-]);
-
-Capsule::table('oauth_sessions')->insert([
-    'owner_type'    =>  'user',
-    'owner_id'      =>  '1',
-    'client_id'     =>  'testclient',
-]);
-
-Capsule::table('oauth_sessions')->insert([
-    'owner_type'    =>  'user',
-    'owner_id'      =>  '2',
-    'client_id'     =>  'testclient',
-]);
-
-/******************************************************************************/
-
-print 'Creating access tokens table'.PHP_EOL;
-
-Capsule::schema()->create('oauth_access_tokens', function ($table) {
-    $table->string('access_token')->primary();
-    $table->integer('session_id')->unsigned();
-    $table->integer('expire_time');
-
-    $table->foreign('session_id')->references('id')->on('oauth_sessions')->onDelete('cascade');
-});
-
-Capsule::table('oauth_access_tokens')->insert([
-    'access_token'  =>  'iamgod',
-    'session_id'    =>  '1',
-    'expire_time'   =>  time() + 86400,
-]);
-
-Capsule::table('oauth_access_tokens')->insert([
-    'access_token'  =>  'iamalex',
-    'session_id'    =>  '2',
-    'expire_time'   =>  time() + 86400,
-]);
-
-Capsule::table('oauth_access_tokens')->insert([
-    'access_token'  =>  'iamphil',
-    'session_id'    =>  '3',
-    'expire_time'   =>  time() + 86400,
-]);
-
-/******************************************************************************/
-
-print 'Creating refresh tokens table'.PHP_EOL;
-
-Capsule::schema()->create('oauth_refresh_tokens', function ($table) {
-    $table->string('refresh_token')->primary();
-    $table->integer('expire_time');
-    $table->string('access_token');
-
-    $table->foreign('access_token')->references('access_token')->on('oauth_access_tokens')->onDelete('cascade');
-});
-
-/******************************************************************************/
-
-print 'Creating auth codes table'.PHP_EOL;
-
-Capsule::schema()->create('oauth_auth_codes', function ($table) {
-    $table->string('auth_code')->primary();
-    $table->integer('session_id')->unsigned();
-    $table->integer('expire_time');
-    $table->string('client_redirect_uri');
-
-    $table->foreign('session_id')->references('id')->on('oauth_sessions')->onDelete('cascade');
-});
-
-/******************************************************************************/
-
-print 'Creating oauth access token scopes table'.PHP_EOL;
-
-Capsule::schema()->create('oauth_access_token_scopes', function ($table) {
-    $table->increments('id')->unsigned();
-    $table->string('access_token');
-    $table->string('scope');
-
-    $table->foreign('access_token')->references('access_token')->on('oauth_access_tokens')->onDelete('cascade');
-    $table->foreign('scope')->references('id')->on('oauth_scopes')->onDelete('cascade');
-});
-
-Capsule::table('oauth_access_token_scopes')->insert([
-    'access_token'  =>  'iamgod',
-    'scope'         =>  'basic',
-]);
-
-Capsule::table('oauth_access_token_scopes')->insert([
-    'access_token'  =>  'iamgod',
-    'scope'         =>  'email',
-]);
-
-Capsule::table('oauth_access_token_scopes')->insert([
-    'access_token'  =>  'iamgod',
-    'scope'         =>  'photo',
-]);
-
-Capsule::table('oauth_access_token_scopes')->insert([
-    'access_token'  =>  'iamphil',
-    'scope'         =>  'email',
-]);
-
-Capsule::table('oauth_access_token_scopes')->insert([
-    'access_token'  =>  'iamalex',
-    'scope'         =>  'photo',
-]);
-
-/******************************************************************************/
-
-print 'Creating oauth auth code scopes table'.PHP_EOL;
-
-Capsule::schema()->create('oauth_auth_code_scopes', function ($table) {
-    $table->increments('id');
-    $table->string('auth_code');
-    $table->string('scope');
-
-    $table->foreign('auth_code')->references('auth_code')->on('oauth_auth_codes')->onDelete('cascade');
-    $table->foreign('scope')->references('id')->on('oauth_scopes')->onDelete('cascade');
-});
-
-/******************************************************************************/
-
-print 'Creating oauth session scopes table'.PHP_EOL;
-
-Capsule::schema()->create('oauth_session_scopes', function ($table) {
-    $table->increments('id')->unsigned();
-    $table->integer('session_id')->unsigned();
-    $table->string('scope');
-
-    $table->foreign('session_id')->references('id')->on('oauth_sessions')->onDelete('cascade');
-    $table->foreign('scope')->references('id')->on('oauth_scopes')->onDelete('cascade');
-});

examples/relational/other_grants.php

@@ -1,97 +0,0 @@
-<?php
-
-use Orno\Http\Request;
-use Orno\Http\Response;
-use RelationalExample\Model;
-use RelationalExample\Storage;
-
-include __DIR__.'/vendor/autoload.php';
-
-// Routing setup
-$request = (new Request())->createFromGlobals();
-$router = new \Orno\Route\RouteCollection();
-$router->setStrategy(\Orno\Route\RouteStrategyInterface::RESTFUL_STRATEGY);
-
-// Set up the OAuth 2.0 authorization server
-$server = new \League\OAuth2\Server\AuthorizationServer();
-$server->setSessionStorage(new Storage\SessionStorage());
-$server->setAccessTokenStorage(new Storage\AccessTokenStorage());
-$server->setRefreshTokenStorage(new Storage\RefreshTokenStorage());
-$server->setClientStorage(new Storage\ClientStorage());
-$server->setScopeStorage(new Storage\ScopeStorage());
-$server->setAuthCodeStorage(new Storage\AuthCodeStorage());
-
-$clientCredentials = new \League\OAuth2\Server\Grant\ClientCredentialsGrant();
-$server->addGrantType($clientCredentials);
-
-$passwordGrant = new \League\OAuth2\Server\Grant\PasswordGrant();
-$passwordGrant->setVerifyCredentialsCallback(function ($username, $password) {
-    $result = (new Model\Users())->get($username);
-    if (count($result) !== 1) {
-        return false;
-    }
-
-    if (password_verify($password, $result[0]['password'])) {
-        return $username;
-    }
-
-    return false;
-});
-$server->addGrantType($passwordGrant);
-
-$refrehTokenGrant = new \League\OAuth2\Server\Grant\RefreshTokenGrant();
-$server->addGrantType($refrehTokenGrant);
-
-// Routing setup
-$request = (new Request())->createFromGlobals();
-$router = new \Orno\Route\RouteCollection();
-
-$router->post('/access_token', function (Request $request) use ($server) {
-
-    try {
-        $response = $server->issueAccessToken();
-
-        return new Response(json_encode($response), 200);
-    } catch (\Exception $e) {
-        return new Response(
-            json_encode([
-                'error'     =>  $e->errorType,
-                'message'   =>  $e->getMessage(),
-            ]),
-            $e->httpStatusCode,
-            $e->getHttpHeaders()
-        );
-    }
-
-});
-
-$dispatcher = $router->getDispatcher();
-
-try {
-    // A successful response
-    $response = $dispatcher->dispatch(
-        $request->getMethod(),
-        $request->getPathInfo()
-    );
-} catch (\Orno\Http\Exception $e) {
-    // A failed response
-    $response = $e->getJsonResponse();
-    $response->setContent(json_encode(['status_code' => $e->getStatusCode(), 'message' => $e->getMessage()]));
-} catch (\League\OAuth2\Server\Exception\OAuthException $e) {
-    $response = new Response(json_encode([
-        'error'     =>  $e->errorType,
-        'message'   =>  $e->getMessage(),
-    ]), $e->httpStatusCode);
-
-    foreach ($e->getHttpHeaders() as $header) {
-        $response->headers($header);
-    }
-} catch (\Exception $e) {
-    $response = new Orno\Http\Response();
-    $response->setStatusCode(500);
-    $response->setContent(json_encode(['status_code' => 500, 'message' => $e->getMessage()]));
-} finally {
-    // Return the response
-    $response->headers->set('Content-type', 'application/json');
-    $response->send();
-}

examples/src/Entities/AccessTokenEntity.php

@@ -0,0 +1,20 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace OAuth2ServerExamples\Entities;
+
+use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
+use League\OAuth2\Server\Entities\Traits\AccessTokenTrait;
+use League\OAuth2\Server\Entities\Traits\EntityTrait;
+use League\OAuth2\Server\Entities\Traits\TokenEntityTrait;
+
+class AccessTokenEntity implements AccessTokenEntityInterface
+{
+    use AccessTokenTrait, TokenEntityTrait, EntityTrait;
+}

examples/src/Entities/AuthCodeEntity.php

@@ -0,0 +1,20 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace OAuth2ServerExamples\Entities;
+
+use League\OAuth2\Server\Entities\AuthCodeEntityInterface;
+use League\OAuth2\Server\Entities\Traits\AuthCodeTrait;
+use League\OAuth2\Server\Entities\Traits\EntityTrait;
+use League\OAuth2\Server\Entities\Traits\TokenEntityTrait;
+
+class AuthCodeEntity implements AuthCodeEntityInterface
+{
+    use EntityTrait, TokenEntityTrait, AuthCodeTrait;
+}

examples/src/Entities/ClientEntity.php

@@ -0,0 +1,29 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace OAuth2ServerExamples\Entities;
+
+use League\OAuth2\Server\Entities\ClientEntityInterface;
+use League\OAuth2\Server\Entities\Traits\ClientTrait;
+use League\OAuth2\Server\Entities\Traits\EntityTrait;
+
+class ClientEntity implements ClientEntityInterface
+{
+    use EntityTrait, ClientTrait;
+
+    public function setName($name)
+    {
+        $this->name = $name;
+    }
+
+    public function setRedirectUri($uri)
+    {
+        $this->redirectUri = $uri;
+    }
+}

examples/src/Entities/RefreshTokenEntity.php

@@ -0,0 +1,19 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace OAuth2ServerExamples\Entities;
+
+use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
+use League\OAuth2\Server\Entities\Traits\EntityTrait;
+use League\OAuth2\Server\Entities\Traits\RefreshTokenTrait;
+
+class RefreshTokenEntity implements RefreshTokenEntityInterface
+{
+    use RefreshTokenTrait, EntityTrait;
+}

examples/src/Entities/ScopeEntity.php

@@ -0,0 +1,19 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace OAuth2ServerExamples\Entities;
+
+use League\OAuth2\Server\Entities\ScopeEntityInterface;
+use League\OAuth2\Server\Entities\Traits\EntityTrait;
+use League\OAuth2\Server\Entities\Traits\ScopeTrait;
+
+class ScopeEntity implements ScopeEntityInterface
+{
+    use EntityTrait, ScopeTrait;
+}

examples/src/Entities/UserEntity.php

@@ -0,0 +1,25 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace OAuth2ServerExamples\Entities;
+
+use League\OAuth2\Server\Entities\UserEntityInterface;
+
+class UserEntity implements UserEntityInterface
+{
+    /**
+     * Return the user's identifier.
+     *
+     * @return mixed
+     */
+    public function getIdentifier()
+    {
+        return 1;
+    }
+}

examples/src/Repositories/AccessTokenRepository.php

@@ -0,0 +1,57 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace OAuth2ServerExamples\Repositories;
+
+use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
+use League\OAuth2\Server\Entities\ClientEntityInterface;
+use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+use OAuth2ServerExamples\Entities\AccessTokenEntity;
+
+class AccessTokenRepository implements AccessTokenRepositoryInterface
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function persistNewAccessToken(AccessTokenEntityInterface $accessTokenEntity)
+    {
+        // Some logic here to save the access token to a database
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function revokeAccessToken($tokenId)
+    {
+        // Some logic here to revoke the access token
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function isAccessTokenRevoked($tokenId)
+    {
+        return false; // Access token hasn't been revoked
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getNewToken(ClientEntityInterface $clientEntity, array $scopes, $userIdentifier = null)
+    {
+        $accessToken = new AccessTokenEntity();
+        $accessToken->setClient($clientEntity);
+        foreach ($scopes as $scope) {
+            $accessToken->addScope($scope);
+        }
+        $accessToken->setUserIdentifier($userIdentifier);
+
+        return $accessToken;
+    }
+}

examples/src/Repositories/AuthCodeRepository.php

@@ -0,0 +1,49 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace OAuth2ServerExamples\Repositories;
+
+use League\OAuth2\Server\Entities\AuthCodeEntityInterface;
+use League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface;
+use OAuth2ServerExamples\Entities\AuthCodeEntity;
+
+class AuthCodeRepository implements AuthCodeRepositoryInterface
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function persistNewAuthCode(AuthCodeEntityInterface $authCodeEntity)
+    {
+        // Some logic to persist the auth code to a database
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function revokeAuthCode($codeId)
+    {
+        // Some logic to revoke the auth code in a database
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function isAuthCodeRevoked($codeId)
+    {
+        return false; // The auth code has not been revoked
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getNewAuthCode()
+    {
+        return new AuthCodeEntity();
+    }
+}

examples/src/Repositories/ClientRepository.php

@@ -0,0 +1,60 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace OAuth2ServerExamples\Repositories;
+
+use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
+use OAuth2ServerExamples\Entities\ClientEntity;
+
+class ClientRepository implements ClientRepositoryInterface
+{
+    const CLIENT_NAME = 'My Awesome App';
+    const REDIRECT_URI = 'http://foo/bar';
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getClientEntity($clientIdentifier)
+    {
+        $client = new ClientEntity();
+
+        $client->setIdentifier($clientIdentifier);
+        $client->setName(self::CLIENT_NAME);
+        $client->setRedirectUri(self::REDIRECT_URI);
+
+        return $client;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function validateClient($clientIdentifier, $clientSecret, $grantType)
+    {
+        $clients = [
+            'myawesomeapp' => [
+                'secret'          => password_hash('abc123', PASSWORD_BCRYPT),
+                'name'            => self::CLIENT_NAME,
+                'redirect_uri'    => self::REDIRECT_URI,
+                'is_confidential' => true,
+            ],
+        ];
+
+        // Check if client is registered
+        if (array_key_exists($clientIdentifier, $clients) === false) {
+            return;
+        }
+
+        if (
+            $clients[$clientIdentifier]['is_confidential'] === true
+            && password_verify($clientSecret, $clients[$clientIdentifier]['secret']) === false
+        ) {
+            return;
+        }
+    }
+}

examples/src/Repositories/RefreshTokenRepository.php

@@ -0,0 +1,49 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace OAuth2ServerExamples\Repositories;
+
+use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
+use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
+use OAuth2ServerExamples\Entities\RefreshTokenEntity;
+
+class RefreshTokenRepository implements RefreshTokenRepositoryInterface
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function persistNewRefreshToken(RefreshTokenEntityInterface $refreshTokenEntity)
+    {
+        // Some logic to persist the refresh token in a database
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function revokeRefreshToken($tokenId)
+    {
+        // Some logic to revoke the refresh token in a database
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function isRefreshTokenRevoked($tokenId)
+    {
+        return false; // The refresh token has not been revoked
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getNewRefreshToken()
+    {
+        return new RefreshTokenEntity();
+    }
+}

examples/src/Repositories/ScopeRepository.php

@@ -0,0 +1,60 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace OAuth2ServerExamples\Repositories;
+
+use League\OAuth2\Server\Entities\ClientEntityInterface;
+use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
+use OAuth2ServerExamples\Entities\ScopeEntity;
+
+class ScopeRepository implements ScopeRepositoryInterface
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function getScopeEntityByIdentifier($scopeIdentifier)
+    {
+        $scopes = [
+            'basic' => [
+                'description' => 'Basic details about you',
+            ],
+            'email' => [
+                'description' => 'Your email address',
+            ],
+        ];
+
+        if (array_key_exists($scopeIdentifier, $scopes) === false) {
+            return;
+        }
+
+        $scope = new ScopeEntity();
+        $scope->setIdentifier($scopeIdentifier);
+
+        return $scope;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function finalizeScopes(
+        array $scopes,
+        $grantType,
+        ClientEntityInterface $clientEntity,
+        $userIdentifier = null
+    ) {
+        // Example of programatically modifying the final scope of the access token
+        if ((int) $userIdentifier === 1) {
+            $scope = new ScopeEntity();
+            $scope->setIdentifier('email');
+            $scopes[] = $scope;
+        }
+
+        return $scopes;
+    }
+}

examples/src/Repositories/UserRepository.php

@@ -0,0 +1,33 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace OAuth2ServerExamples\Repositories;
+
+use League\OAuth2\Server\Entities\ClientEntityInterface;
+use League\OAuth2\Server\Repositories\UserRepositoryInterface;
+use OAuth2ServerExamples\Entities\UserEntity;
+
+class UserRepository implements UserRepositoryInterface
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function getUserEntityByUserCredentials(
+        $username,
+        $password,
+        $grantType,
+        ClientEntityInterface $clientEntity
+    ) {
+        if ($username === 'alex' && $password === 'whisky') {
+            return new UserEntity();
+        }
+
+        return;
+    }
+}

phpstan.neon

@@ -0,0 +1,8 @@
+includes:
+	- vendor/phpstan/phpstan-phpunit/extension.neon
+	- vendor/phpstan/phpstan-phpunit/rules.neon
+services:
+	-
+		class: LeagueTests\PHPStan\AbstractGrantExtension
+		tags:
+			- phpstan.broker.dynamicMethodReturnTypeExtension

phpunit.xml

@@ -1,17 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<phpunit colors="true" convertNoticesToExceptions="true" convertWarningsToExceptions="true" stopOnError="true" stopOnFailure="true" stopOnIncomplete="false" stopOnSkipped="false" bootstrap="tests/unit/Bootstrap.php">
-	<testsuites>
-		<testsuite name="Tests">
-		   <directory>./tests/unit/</directory>
-	   </testsuite>
-	</testsuites>
-	<filter>
-		<whitelist addUncoveredFilesFromWhitelist="true">
-			<directory suffix=".php">src</directory>
-		</whitelist>
-	</filter>
-	<logging>
-		<!-- <log type="coverage-text" target="php://stdout" title="thephpleague/oauth2-server" charset="UTF-8" yui="true" highlight="true" lowUpperBound="60" highLowerBound="90"/> -->
-		<log type="coverage-html" target="build/coverage" title="thephpleague/oauth2-server" charset="UTF-8" yui="true" highlight="true" lowUpperBound="60" highLowerBound="90"/>
-	</logging>
-</phpunit>

phpunit.xml.dist

@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<phpunit colors="true" convertNoticesToExceptions="true" convertWarningsToExceptions="true" stopOnError="true"
+         stopOnFailure="true" stopOnIncomplete="false" stopOnSkipped="false" bootstrap="tests/Bootstrap.php">
+    <testsuites>
+        <testsuite name="Tests">
+            <directory>./tests/</directory>
+        </testsuite>
+    </testsuites>
+    <filter>
+        <whitelist addUncoveredFilesFromWhitelist="true">
+            <directory suffix=".php">src</directory>
+            <exclude>
+                <directory suffix=".php">src/ResponseTypes/DefaultTemplates</directory>
+                <directory suffix=".php">src/TemplateRenderer</directory>
+            </exclude>
+        </whitelist>
+    </filter>
+    <logging>
+        <log type="coverage-text" target="php://stdout" title="thephpleague/oauth2-server" charset="UTF-8" yui="true"
+             highlight="true" lowUpperBound="60" highLowerBound="90"/>
+        <log type="coverage-html" target="build/coverage" title="thephpleague/oauth2-server" charset="UTF-8" yui="true"
+             highlight="true" lowUpperBound="60" highLowerBound="90"/>
+    </logging>
+</phpunit>

src/AbstractServer.php

@@ -1,358 +0,0 @@
-<?php
-/**
- * OAuth 2.0 Abstract Server
- *
- * @package     league/oauth2-server
- * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) Alex Bilbie
- * @license     http://mit-license.org/
- * @link        https://github.com/thephpleague/oauth2-server
- */
-
-namespace League\OAuth2\Server;
-
-use League\Event\Emitter;
-use League\OAuth2\Server\Storage\AccessTokenInterface;
-use League\OAuth2\Server\Storage\AuthCodeInterface;
-use League\OAuth2\Server\Storage\ClientInterface;
-use League\OAuth2\Server\Storage\MacTokenInterface;
-use League\OAuth2\Server\Storage\RefreshTokenInterface;
-use League\OAuth2\Server\Storage\ScopeInterface;
-use League\OAuth2\Server\Storage\SessionInterface;
-use League\OAuth2\Server\TokenType\TokenTypeInterface;
-use Symfony\Component\HttpFoundation\Request;
-
-/**
- * OAuth 2.0 Resource Server
- */
-abstract class AbstractServer
-{
-    /**
-     * The request object
-     *
-     * @var \Symfony\Component\HttpFoundation\Request
-     */
-    protected $request;
-
-    /**
-     * Session storage
-     *
-     * @var \League\OAuth2\Server\Storage\SessionInterface
-     */
-    protected $sessionStorage;
-
-    /**
-     * Access token storage
-     *
-     * @var \League\OAuth2\Server\Storage\AccessTokenInterface
-     */
-    protected $accessTokenStorage;
-
-    /**
-     * Refresh token storage
-     *
-     * @var \League\OAuth2\Server\Storage\RefreshTokenInterface
-     */
-    protected $refreshTokenStorage;
-
-    /**
-     * Auth code storage
-     *
-     * @var \League\OAuth2\Server\Storage\AuthCodeInterface
-     */
-    protected $authCodeStorage;
-
-    /**
-     * Scope storage
-     *
-     * @var \League\OAuth2\Server\Storage\ScopeInterface
-     */
-    protected $scopeStorage;
-
-    /**
-     * Client storage
-     *
-     * @var \League\OAuth2\Server\Storage\ClientInterface
-     */
-    protected $clientStorage;
-
-    /**
-     * @var \League\OAuth2\Server\Storage\MacTokenInterface
-     */
-    protected $macStorage;
-
-    /**
-     * Token type
-     *
-     * @var \League\OAuth2\Server\TokenType\TokenTypeInterface
-     */
-    protected $tokenType;
-
-    /**
-     * Event emitter
-     *
-     * @var \League\Event\Emitter
-     */
-    protected $eventEmitter;
-
-    /**
-     * Abstract server constructor
-     */
-    public function __construct()
-    {
-        $this->setEventEmitter();
-    }
-
-    /**
-     * Set an event emitter
-     *
-     * @param object $emitter Event emitter object
-     */
-    public function setEventEmitter($emitter = null)
-    {
-        if ($emitter === null) {
-            $this->eventEmitter = new Emitter();
-        } else {
-            $this->eventEmitter = $emitter;
-        }
-    }
-
-    /**
-     * Add an event listener to the event emitter
-     *
-     * @param string   $eventName Event name
-     * @param callable $listener  Callable function or method
-     * @param int      $priority  Priority of event listener
-     */
-    public function addEventListener($eventName, callable $listener, $priority = Emitter::P_NORMAL)
-    {
-        $this->eventEmitter->addListener($eventName, $listener, $priority);
-    }
-
-    /**
-     * Returns the event emitter
-     *
-     * @return \League\Event\Emitter
-     */
-    public function getEventEmitter()
-    {
-        return $this->eventEmitter;
-    }
-
-    /**
-     * Sets the Request Object
-     *
-     * @param \Symfony\Component\HttpFoundation\Request The Request Object
-     *
-     * @return self
-     */
-    public function setRequest($request)
-    {
-        $this->request = $request;
-
-        return $this;
-    }
-
-    /**
-     * Gets the Request object. It will create one from the globals if one is not set.
-     *
-     * @return \Symfony\Component\HttpFoundation\Request
-     */
-    public function getRequest()
-    {
-        if ($this->request === null) {
-            $this->request = Request::createFromGlobals();
-        }
-
-        return $this->request;
-    }
-
-    /**
-     * Set the client storage
-     *
-     * @param \League\OAuth2\Server\Storage\ClientInterface $storage
-     *
-     * @return self
-     */
-    public function setClientStorage(ClientInterface $storage)
-    {
-        $storage->setServer($this);
-        $this->clientStorage = $storage;
-
-        return $this;
-    }
-
-    /**
-     * Set the session storage
-     *
-     * @param \League\OAuth2\Server\Storage\SessionInterface $storage
-     *
-     * @return self
-     */
-    public function setSessionStorage(SessionInterface $storage)
-    {
-        $storage->setServer($this);
-        $this->sessionStorage = $storage;
-
-        return $this;
-    }
-
-    /**
-     * Set the access token storage
-     *
-     * @param \League\OAuth2\Server\Storage\AccessTokenInterface $storage
-     *
-     * @return self
-     */
-    public function setAccessTokenStorage(AccessTokenInterface $storage)
-    {
-        $storage->setServer($this);
-        $this->accessTokenStorage = $storage;
-
-        return $this;
-    }
-
-    /**
-     * Set the refresh token storage
-     *
-     * @param \League\OAuth2\Server\Storage\RefreshTokenInterface $storage
-     *
-     * @return self
-     */
-    public function setRefreshTokenStorage(RefreshTokenInterface $storage)
-    {
-        $storage->setServer($this);
-        $this->refreshTokenStorage = $storage;
-
-        return $this;
-    }
-
-    /**
-     * Set the auth code storage
-     *
-     * @param \League\OAuth2\Server\Storage\AuthCodeInterface $storage
-     *
-     * @return self
-     */
-    public function setAuthCodeStorage(AuthCodeInterface $storage)
-    {
-        $storage->setServer($this);
-        $this->authCodeStorage = $storage;
-
-        return $this;
-    }
-
-    /**
-     * Set the scope storage
-     *
-     * @param \League\OAuth2\Server\Storage\ScopeInterface $storage
-     *
-     * @return self
-     */
-    public function setScopeStorage(ScopeInterface $storage)
-    {
-        $storage->setServer($this);
-        $this->scopeStorage = $storage;
-
-        return $this;
-    }
-
-    /**
-     * Return the client storage
-     *
-     * @return \League\OAuth2\Server\Storage\ClientInterface
-     */
-    public function getClientStorage()
-    {
-        return $this->clientStorage;
-    }
-
-    /**
-     * Return the scope storage
-     *
-     * @return \League\OAuth2\Server\Storage\ScopeInterface
-     */
-    public function getScopeStorage()
-    {
-        return $this->scopeStorage;
-    }
-
-    /**
-     * Return the session storage
-     *
-     * @return \League\OAuth2\Server\Storage\SessionInterface
-     */
-    public function getSessionStorage()
-    {
-        return $this->sessionStorage;
-    }
-
-    /**
-     * Return the refresh token storage
-     *
-     * @return \League\OAuth2\Server\Storage\RefreshTokenInterface
-     */
-    public function getRefreshTokenStorage()
-    {
-        return $this->refreshTokenStorage;
-    }
-
-    /**
-     * Return the access token storage
-     *
-     * @return \League\OAuth2\Server\Storage\AccessTokenInterface
-     */
-    public function getAccessTokenStorage()
-    {
-        return $this->accessTokenStorage;
-    }
-
-    /**
-     * Return the auth code storage
-     *
-     * @return \League\OAuth2\Server\Storage\AuthCodeInterface
-     */
-    public function getAuthCodeStorage()
-    {
-        return $this->authCodeStorage;
-    }
-
-    /**
-     * Set the access token type
-     *
-     * @param TokenTypeInterface $tokenType The token type
-     *
-     * @return void
-     */
-    public function setTokenType(TokenTypeInterface $tokenType)
-    {
-        $tokenType->setServer($this);
-        $this->tokenType = $tokenType;
-    }
-
-    /**
-     * Get the access token type
-     *
-     * @return TokenTypeInterface
-     */
-    public function getTokenType()
-    {
-        return $this->tokenType;
-    }
-
-    /**
-     * @return MacTokenInterface
-     */
-    public function getMacStorage()
-    {
-        return $this->macStorage;
-    }
-
-    /**
-     * @param MacTokenInterface $macStorage
-     */
-    public function setMacStorage(MacTokenInterface $macStorage)
-    {
-        $this->macStorage = $macStorage;
-    }
-}

src/AuthorizationServer.php

@@ -1,295 +1,236 @@
 <?php
 /**
- * OAuth 2.0 Authorization Server
- *
- * @package     league/oauth2-server
  * @author      Alex Bilbie <hello@alexbilbie.com>
  * @copyright   Copyright (c) Alex Bilbie
  * @license     http://mit-license.org/
+ *
  * @link        https://github.com/thephpleague/oauth2-server
  */
 
 namespace League\OAuth2\Server;
 
+use DateInterval;
+use Defuse\Crypto\Key;
+use League\Event\EmitterAwareInterface;
+use League\Event\EmitterAwareTrait;
+use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Grant\GrantTypeInterface;
-use League\OAuth2\Server\TokenType\Bearer;
+use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
+use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
+use League\OAuth2\Server\RequestTypes\AuthorizationRequest;
+use League\OAuth2\Server\ResponseTypes\AbstractResponseType;
+use League\OAuth2\Server\ResponseTypes\BearerTokenResponse;
+use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
 
-/**
- * OAuth 2.0 authorization server class
- */
-class AuthorizationServer extends AbstractServer
+class AuthorizationServer implements EmitterAwareInterface
 {
+    use EmitterAwareTrait;
+
+    /**
+     * @var GrantTypeInterface[]
+     */
+    protected $enabledGrantTypes = [];
+
+    /**
+     * @var DateInterval[]
+     */
+    protected $grantTypeAccessTokenTTL = [];
+
+    /**
+     * @var CryptKey
+     */
+    protected $privateKey;
+
+    /**
+     * @var CryptKey
+     */
+    protected $publicKey;
+
+    /**
+     * @var ResponseTypeInterface
+     */
+    protected $responseType;
+
+    /**
+     * @var ClientRepositoryInterface
+     */
+    private $clientRepository;
+
+    /**
+     * @var AccessTokenRepositoryInterface
+     */
+    private $accessTokenRepository;
+
+    /**
+     * @var ScopeRepositoryInterface
+     */
+    private $scopeRepository;
+
+    /**
+     * @var string|Key
+     */
+    private $encryptionKey;
+
     /**
-     * The delimiter between scopes specified in the scope query string parameter
-     * The OAuth 2 specification states it should be a space but most use a comma
-     *
      * @var string
      */
-    protected $scopeDelimiter = ' ';
+    private $defaultScope = '';
 
     /**
-     * The TTL (time to live) of an access token in seconds (default: 3600)
+     * New server instance.
      *
-     * @var integer
+     * @param ClientRepositoryInterface      $clientRepository
+     * @param AccessTokenRepositoryInterface $accessTokenRepository
+     * @param ScopeRepositoryInterface       $scopeRepository
+     * @param CryptKey|string                $privateKey
+     * @param string|Key                     $encryptionKey
+     * @param null|ResponseTypeInterface     $responseType
      */
-    protected $accessTokenTTL = 3600;
+    public function __construct(
+        ClientRepositoryInterface $clientRepository,
+        AccessTokenRepositoryInterface $accessTokenRepository,
+        ScopeRepositoryInterface $scopeRepository,
+        $privateKey,
+        $encryptionKey,
+        ResponseTypeInterface $responseType = null
+    ) {
+        $this->clientRepository = $clientRepository;
+        $this->accessTokenRepository = $accessTokenRepository;
+        $this->scopeRepository = $scopeRepository;
 
-    /**
-     * The registered grant response types
-     *
-     * @var array
-     */
-    protected $responseTypes = [];
-
-    /**
-     * The registered grant types
-     *
-     * @var array
-     */
-    protected $grantTypes = [];
-
-    /**
-     * Require the "scope" parameter to be in checkAuthoriseParams()
-     *
-     * @var boolean
-     */
-    protected $requireScopeParam = false;
-
-    /**
-     * Default scope(s) to be used if none is provided
-     *
-     * @var string|array
-     */
-    protected $defaultScope;
-
-    /**
-     * Require the "state" parameter to be in checkAuthoriseParams()
-     *
-     * @var boolean
-     */
-    protected $requireStateParam = false;
-
-    /**
-     * Create a new OAuth2 authorization server
-     *
-     * @return self
-     */
-    public function __construct()
-    {
-        // Set Bearer as the default token type
-        $this->setTokenType(new Bearer());
-
-        parent::__construct();
-
-        return $this;
-    }
-
-    /**
-     * Enable support for a grant
-     *
-     * @param GrantTypeInterface $grantType  A grant class which conforms to Interface/GrantTypeInterface
-     * @param null|string        $identifier An identifier for the grant (autodetected if not passed)
-     *
-     * @return self
-     */
-    public function addGrantType(GrantTypeInterface $grantType, $identifier = null)
-    {
-        if (is_null($identifier)) {
-            $identifier = $grantType->getIdentifier();
+        if ($privateKey instanceof CryptKey === false) {
+            $privateKey = new CryptKey($privateKey);
         }
 
-        // Inject server into grant
-        $grantType->setAuthorizationServer($this);
+        $this->privateKey = $privateKey;
+        $this->encryptionKey = $encryptionKey;
 
-        $this->grantTypes[$identifier] = $grantType;
-
-        if (!is_null($grantType->getResponseType())) {
-            $this->responseTypes[] = $grantType->getResponseType();
+        if ($responseType === null) {
+            $responseType = new BearerTokenResponse();
+        } else {
+            $responseType = clone $responseType;
         }
 
-        return $this;
+        $this->responseType = $responseType;
     }
 
     /**
-     * Check if a grant type has been enabled
+     * Enable a grant type on the server.
      *
-     * @param string $identifier The grant type identifier
-     *
-     * @return boolean Returns "true" if enabled, "false" if not
+     * @param GrantTypeInterface $grantType
+     * @param null|DateInterval  $accessTokenTTL
      */
-    public function hasGrantType($identifier)
+    public function enableGrantType(GrantTypeInterface $grantType, DateInterval $accessTokenTTL = null)
     {
-        return (array_key_exists($identifier, $this->grantTypes));
-    }
-
-    /**
-     * Returns response types
-     *
-     * @return array
-     */
-    public function getResponseTypes()
-    {
-        return $this->responseTypes;
-    }
-
-    /**
-     * Require the "scope" parameter in checkAuthoriseParams()
-     *
-     * @param boolean $require
-     *
-     * @return self
-     */
-    public function requireScopeParam($require = true)
-    {
-        $this->requireScopeParam = $require;
-
-        return $this;
-    }
-
-    /**
-     * Is the scope parameter required?
-     *
-     * @return bool
-     */
-    public function scopeParamRequired()
-    {
-        return $this->requireScopeParam;
-    }
-
-    /**
-     * Default scope to be used if none is provided and requireScopeParam() is false
-     *
-     * @param string $default Name of the default scope
-     *
-     * @return self
-     */
-    public function setDefaultScope($default = null)
-    {
-        $this->defaultScope = $default;
-
-        return $this;
-    }
-
-    /**
-     * Default scope to be used if none is provided and requireScopeParam is false
-     *
-     * @return string|null
-     */
-    public function getDefaultScope()
-    {
-        return $this->defaultScope;
-    }
-
-    /**
-     * Require the "state" parameter in checkAuthoriseParams()
-     *
-     * @return bool
-     */
-    public function stateParamRequired()
-    {
-        return $this->requireStateParam;
-    }
-
-    /**
-     * Require the "state" parameter in checkAuthoriseParams()
-     *
-     * @param boolean $require
-     *
-     * @return self
-     */
-    public function requireStateParam($require = true)
-    {
-        $this->requireStateParam = $require;
-
-        return $this;
-    }
-
-    /**
-     * Get the scope delimiter
-     *
-     * @return string The scope delimiter (default: ",")
-     */
-    public function getScopeDelimiter()
-    {
-        return $this->scopeDelimiter;
-    }
-
-    /**
-     * Set the scope delimiter
-     *
-     * @param string $scopeDelimiter
-     *
-     * @return self
-     */
-    public function setScopeDelimiter($scopeDelimiter = ' ')
-    {
-        $this->scopeDelimiter = $scopeDelimiter;
-
-        return $this;
-    }
-
-    /**
-     * Get the TTL for an access token
-     *
-     * @return int The TTL
-     */
-    public function getAccessTokenTTL()
-    {
-        return $this->accessTokenTTL;
-    }
-
-    /**
-     * Set the TTL for an access token
-     *
-     * @param int $accessTokenTTL The new TTL
-     *
-     * @return self
-     */
-    public function setAccessTokenTTL($accessTokenTTL = 3600)
-    {
-        $this->accessTokenTTL = $accessTokenTTL;
-
-        return $this;
-    }
-
-    /**
-     * Issue an access token
-     *
-     * @return array Authorise request parameters
-     *
-     * @throws
-     */
-    public function issueAccessToken()
-    {
-        $grantType = $this->getRequest()->request->get('grant_type');
-        if (is_null($grantType)) {
-            throw new Exception\InvalidRequestException('grant_type');
+        if ($accessTokenTTL === null) {
+            $accessTokenTTL = new DateInterval('PT1H');
         }
 
-        // Ensure grant type is one that is recognised and is enabled
-        if (!in_array($grantType, array_keys($this->grantTypes))) {
-            throw new Exception\UnsupportedGrantTypeException($grantType);
-        }
+        $grantType->setAccessTokenRepository($this->accessTokenRepository);
+        $grantType->setClientRepository($this->clientRepository);
+        $grantType->setScopeRepository($this->scopeRepository);
+        $grantType->setDefaultScope($this->defaultScope);
+        $grantType->setPrivateKey($this->privateKey);
+        $grantType->setEmitter($this->getEmitter());
+        $grantType->setEncryptionKey($this->encryptionKey);
 
-        // Complete the flow
-        return $this->getGrantType($grantType)->completeFlow();
+        $this->enabledGrantTypes[$grantType->getIdentifier()] = $grantType;
+        $this->grantTypeAccessTokenTTL[$grantType->getIdentifier()] = $accessTokenTTL;
     }
 
     /**
-     * Return a grant type class
+     * Validate an authorization request
      *
-     * @param string $grantType The grant type identifier
+     * @param ServerRequestInterface $request
      *
-     * @return Grant\GrantTypeInterface
+     * @throws OAuthServerException
      *
-     * @throws
+     * @return AuthorizationRequest
      */
-    public function getGrantType($grantType)
+    public function validateAuthorizationRequest(ServerRequestInterface $request)
     {
-        if (isset($this->grantTypes[$grantType])) {
-            return $this->grantTypes[$grantType];
+        foreach ($this->enabledGrantTypes as $grantType) {
+            if ($grantType->canRespondToAuthorizationRequest($request)) {
+                return $grantType->validateAuthorizationRequest($request);
+            }
         }
 
-        throw new Exception\InvalidGrantException($grantType);
+        throw OAuthServerException::unsupportedGrantType();
+    }
+
+    /**
+     * Complete an authorization request
+     *
+     * @param AuthorizationRequest $authRequest
+     * @param ResponseInterface    $response
+     *
+     * @return ResponseInterface
+     */
+    public function completeAuthorizationRequest(AuthorizationRequest $authRequest, ResponseInterface $response)
+    {
+        return $this->enabledGrantTypes[$authRequest->getGrantTypeId()]
+            ->completeAuthorizationRequest($authRequest)
+            ->generateHttpResponse($response);
+    }
+
+    /**
+     * Return an access token response.
+     *
+     * @param ServerRequestInterface $request
+     * @param ResponseInterface      $response
+     *
+     * @throws OAuthServerException
+     *
+     * @return ResponseInterface
+     */
+    public function respondToAccessTokenRequest(ServerRequestInterface $request, ResponseInterface $response)
+    {
+        foreach ($this->enabledGrantTypes as $grantType) {
+            if (!$grantType->canRespondToAccessTokenRequest($request)) {
+                continue;
+            }
+            $tokenResponse = $grantType->respondToAccessTokenRequest(
+                $request,
+                $this->getResponseType(),
+                $this->grantTypeAccessTokenTTL[$grantType->getIdentifier()]
+            );
+
+            if ($tokenResponse instanceof ResponseTypeInterface) {
+                return $tokenResponse->generateHttpResponse($response);
+            }
+        }
+
+        throw OAuthServerException::unsupportedGrantType();
+    }
+
+    /**
+     * Get the token type that grants will return in the HTTP response.
+     *
+     * @return ResponseTypeInterface
+     */
+    protected function getResponseType()
+    {
+        $responseType = clone $this->responseType;
+
+        if ($responseType instanceof AbstractResponseType) {
+            $responseType->setPrivateKey($this->privateKey);
+        }
+
+        $responseType->setEncryptionKey($this->encryptionKey);
+
+        return $responseType;
+    }
+
+    /**
+     * Set the default scope for the authorization server.
+     *
+     * @param string $defaultScope
+     */
+    public function setDefaultScope($defaultScope)
+    {
+        $this->defaultScope = $defaultScope;
     }
 }

src/AuthorizationValidators/AuthorizationValidatorInterface.php

@@ -0,0 +1,25 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\AuthorizationValidators;
+
+use Psr\Http\Message\ServerRequestInterface;
+
+interface AuthorizationValidatorInterface
+{
+    /**
+     * Determine the access token in the authorization header and append OAUth properties to the request
+     *  as attributes.
+     *
+     * @param ServerRequestInterface $request
+     *
+     * @return ServerRequestInterface
+     */
+    public function validateAuthorization(ServerRequestInterface $request);
+}

src/AuthorizationValidators/BearerTokenValidator.php

@@ -0,0 +1,106 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\AuthorizationValidators;
+
+use BadMethodCallException;
+use InvalidArgumentException;
+use Lcobucci\JWT\Parser;
+use Lcobucci\JWT\Signer\Rsa\Sha256;
+use Lcobucci\JWT\ValidationData;
+use League\OAuth2\Server\CryptKey;
+use League\OAuth2\Server\CryptTrait;
+use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use RuntimeException;
+
+class BearerTokenValidator implements AuthorizationValidatorInterface
+{
+    use CryptTrait;
+
+    /**
+     * @var AccessTokenRepositoryInterface
+     */
+    private $accessTokenRepository;
+
+    /**
+     * @var CryptKey
+     */
+    protected $publicKey;
+
+    /**
+     * @param AccessTokenRepositoryInterface $accessTokenRepository
+     */
+    public function __construct(AccessTokenRepositoryInterface $accessTokenRepository)
+    {
+        $this->accessTokenRepository = $accessTokenRepository;
+    }
+
+    /**
+     * Set the public key
+     *
+     * @param CryptKey $key
+     */
+    public function setPublicKey(CryptKey $key)
+    {
+        $this->publicKey = $key;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function validateAuthorization(ServerRequestInterface $request)
+    {
+        if ($request->hasHeader('authorization') === false) {
+            throw OAuthServerException::accessDenied('Missing "Authorization" header');
+        }
+
+        $header = $request->getHeader('authorization');
+        $jwt = trim((string) preg_replace('/^(?:\s+)?Bearer\s/', '', $header[0]));
+
+        try {
+            // Attempt to parse and validate the JWT
+            $token = (new Parser())->parse($jwt);
+            try {
+                if ($token->verify(new Sha256(), $this->publicKey->getKeyPath()) === false) {
+                    throw OAuthServerException::accessDenied('Access token could not be verified');
+                }
+            } catch (BadMethodCallException $exception) {
+                throw OAuthServerException::accessDenied('Access token is not signed', null, $exception);
+            }
+
+            // Ensure access token hasn't expired
+            $data = new ValidationData();
+            $data->setCurrentTime(time());
+
+            if ($token->validate($data) === false) {
+                throw OAuthServerException::accessDenied('Access token is invalid');
+            }
+
+            // Check if token has been revoked
+            if ($this->accessTokenRepository->isAccessTokenRevoked($token->getClaim('jti'))) {
+                throw OAuthServerException::accessDenied('Access token has been revoked');
+            }
+
+            // Return the request with additional attributes
+            return $request
+                ->withAttribute('oauth_access_token_id', $token->getClaim('jti'))
+                ->withAttribute('oauth_client_id', $token->getClaim('aud'))
+                ->withAttribute('oauth_user_id', $token->getClaim('sub'))
+                ->withAttribute('oauth_scopes', $token->getClaim('scopes'));
+        } catch (InvalidArgumentException $exception) {
+            // JWT couldn't be parsed so return the request as is
+            throw OAuthServerException::accessDenied($exception->getMessage(), null, $exception);
+        } catch (RuntimeException $exception) {
+            //JWR couldn't be parsed so return the request as is
+            throw OAuthServerException::accessDenied('Error while decoding to JSON', null, $exception);
+        }
+    }
+}

src/CodeChallengeVerifiers/CodeChallengeVerifierInterface.php

@@ -0,0 +1,30 @@
+<?php
+/**
+ * @author      Lukáš Unger <lookymsc@gmail.com>
+ * @copyright   Copyright (c) Lukáš Unger
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\CodeChallengeVerifiers;
+
+interface CodeChallengeVerifierInterface
+{
+    /**
+     * Return code challenge method.
+     *
+     * @return string
+     */
+    public function getMethod();
+
+    /**
+     * Verify the code challenge.
+     *
+     * @param string $codeVerifier
+     * @param string $codeChallenge
+     *
+     * @return bool
+     */
+    public function verifyCodeChallenge($codeVerifier, $codeChallenge);
+}

src/CodeChallengeVerifiers/PlainVerifier.php

@@ -0,0 +1,36 @@
+<?php
+/**
+ * @author      Lukáš Unger <lookymsc@gmail.com>
+ * @copyright   Copyright (c) Lukáš Unger
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\CodeChallengeVerifiers;
+
+class PlainVerifier implements CodeChallengeVerifierInterface
+{
+    /**
+     * Return code challenge method.
+     *
+     * @return string
+     */
+    public function getMethod()
+    {
+        return 'plain';
+    }
+
+    /**
+     * Verify the code challenge.
+     *
+     * @param string $codeVerifier
+     * @param string $codeChallenge
+     *
+     * @return bool
+     */
+    public function verifyCodeChallenge($codeVerifier, $codeChallenge)
+    {
+        return hash_equals($codeVerifier, $codeChallenge);
+    }
+}

src/CodeChallengeVerifiers/S256Verifier.php

@@ -0,0 +1,39 @@
+<?php
+/**
+ * @author      Lukáš Unger <lookymsc@gmail.com>
+ * @copyright   Copyright (c) Lukáš Unger
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\CodeChallengeVerifiers;
+
+class S256Verifier implements CodeChallengeVerifierInterface
+{
+    /**
+     * Return code challenge method.
+     *
+     * @return string
+     */
+    public function getMethod()
+    {
+        return 'S256';
+    }
+
+    /**
+     * Verify the code challenge.
+     *
+     * @param string $codeVerifier
+     * @param string $codeChallenge
+     *
+     * @return bool
+     */
+    public function verifyCodeChallenge($codeVerifier, $codeChallenge)
+    {
+        return hash_equals(
+            strtr(rtrim(base64_encode(hash('sha256', $codeVerifier, true)), '='), '+/', '-_'),
+            $codeChallenge
+        );
+    }
+}

src/CryptKey.php

@@ -0,0 +1,123 @@
+<?php
+/**
+ * Cryptography key holder.
+ *
+ * @author      Julián Gutiérrez <juliangut@gmail.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server;
+
+use LogicException;
+use RuntimeException;
+
+class CryptKey
+{
+    const RSA_KEY_PATTERN =
+        '/^(-----BEGIN (RSA )?(PUBLIC|PRIVATE) KEY-----)\R.*(-----END (RSA )?(PUBLIC|PRIVATE) KEY-----)\R?$/s';
+
+    /**
+     * @var string
+     */
+    protected $keyPath;
+
+    /**
+     * @var null|string
+     */
+    protected $passPhrase;
+
+    /**
+     * @param string      $keyPath
+     * @param null|string $passPhrase
+     * @param bool        $keyPermissionsCheck
+     */
+    public function __construct($keyPath, $passPhrase = null, $keyPermissionsCheck = true)
+    {
+        if (preg_match(self::RSA_KEY_PATTERN, $keyPath)) {
+            $keyPath = $this->saveKeyToFile($keyPath);
+        }
+
+        if (strpos($keyPath, 'file://') !== 0) {
+            $keyPath = 'file://' . $keyPath;
+        }
+
+        if (!file_exists($keyPath) || !is_readable($keyPath)) {
+            throw new LogicException(sprintf('Key path "%s" does not exist or is not readable', $keyPath));
+        }
+
+        if ($keyPermissionsCheck === true) {
+            // Verify the permissions of the key
+            $keyPathPerms = decoct(fileperms($keyPath) & 0777);
+            if (in_array($keyPathPerms, ['400', '440', '600', '640', '660'], true) === false) {
+                trigger_error(sprintf(
+                    'Key file "%s" permissions are not correct, recommend changing to 600 or 660 instead of %s',
+                    $keyPath,
+                    $keyPathPerms
+                ), E_USER_NOTICE);
+            }
+        }
+
+        $this->keyPath = $keyPath;
+        $this->passPhrase = $passPhrase;
+    }
+
+    /**
+     * @param string $key
+     *
+     * @throws RuntimeException
+     *
+     * @return string
+     */
+    private function saveKeyToFile($key)
+    {
+        $tmpDir = sys_get_temp_dir();
+        $keyPath = $tmpDir . '/' . sha1($key) . '.key';
+
+        if (file_exists($keyPath)) {
+            return 'file://' . $keyPath;
+        }
+
+        if (!touch($keyPath)) {
+            // @codeCoverageIgnoreStart
+            throw new RuntimeException(sprintf('"%s" key file could not be created', $keyPath));
+            // @codeCoverageIgnoreEnd
+        }
+
+        if (file_put_contents($keyPath, $key) === false) {
+            // @codeCoverageIgnoreStart
+            throw new RuntimeException(sprintf('Unable to write key file to temporary directory "%s"', $tmpDir));
+            // @codeCoverageIgnoreEnd
+        }
+
+        if (chmod($keyPath, 0600) === false) {
+            // @codeCoverageIgnoreStart
+            throw new RuntimeException(sprintf('The key file "%s" file mode could not be changed with chmod to 600', $keyPath));
+            // @codeCoverageIgnoreEnd
+        }
+
+        return 'file://' . $keyPath;
+    }
+
+    /**
+     * Retrieve key path.
+     *
+     * @return string
+     */
+    public function getKeyPath()
+    {
+        return $this->keyPath;
+    }
+
+    /**
+     * Retrieve key pass phrase.
+     *
+     * @return null|string
+     */
+    public function getPassPhrase()
+    {
+        return $this->passPhrase;
+    }
+}

src/CryptTrait.php

@@ -0,0 +1,87 @@
+<?php
+/**
+ * Encrypt/decrypt with encryptionKey.
+ *
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server;
+
+use Defuse\Crypto\Crypto;
+use Defuse\Crypto\Key;
+use Exception;
+use LogicException;
+
+trait CryptTrait
+{
+    /**
+     * @var string|Key|null
+     */
+    protected $encryptionKey;
+
+    /**
+     * Encrypt data with encryptionKey.
+     *
+     * @param string $unencryptedData
+     *
+     * @throws LogicException
+     *
+     * @return string
+     */
+    protected function encrypt($unencryptedData)
+    {
+        try {
+            if ($this->encryptionKey instanceof Key) {
+                return Crypto::encrypt($unencryptedData, $this->encryptionKey);
+            }
+
+            if (is_string($this->encryptionKey)) {
+                return Crypto::encryptWithPassword($unencryptedData, $this->encryptionKey);
+            }
+
+            throw new LogicException('Encryption key not set when attempting to encrypt');
+        } catch (Exception $e) {
+            throw new LogicException($e->getMessage(), 0, $e);
+        }
+    }
+
+    /**
+     * Decrypt data with encryptionKey.
+     *
+     * @param string $encryptedData
+     *
+     * @throws LogicException
+     *
+     * @return string
+     */
+    protected function decrypt($encryptedData)
+    {
+        try {
+            if ($this->encryptionKey instanceof Key) {
+                return Crypto::decrypt($encryptedData, $this->encryptionKey);
+            }
+
+            if (is_string($this->encryptionKey)) {
+                return Crypto::decryptWithPassword($encryptedData, $this->encryptionKey);
+            }
+
+            throw new LogicException('Encryption key not set when attempting to decrypt');
+        } catch (Exception $e) {
+            throw new LogicException($e->getMessage(), 0, $e);
+        }
+    }
+
+    /**
+     * Set the encryption key
+     *
+     * @param string|Key $key
+     */
+    public function setEncryptionKey($key = null)
+    {
+        $this->encryptionKey = $key;
+    }
+}

src/Entities/AccessTokenEntityInterface.php

@@ -0,0 +1,25 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Entities;
+
+use League\OAuth2\Server\CryptKey;
+
+interface AccessTokenEntityInterface extends TokenInterface
+{
+    /**
+     * Set a private key used to encrypt the access token.
+     */
+    public function setPrivateKey(CryptKey $privateKey);
+
+    /**
+     * Generate a string representation of the access token.
+     */
+    public function __toString();
+}

src/Entities/AuthCodeEntityInterface.php

@@ -0,0 +1,23 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Entities;
+
+interface AuthCodeEntityInterface extends TokenInterface
+{
+    /**
+     * @return string|null
+     */
+    public function getRedirectUri();
+
+    /**
+     * @param string $uri
+     */
+    public function setRedirectUri($uri);
+}

src/Entities/ClientEntityInterface.php

@@ -0,0 +1,43 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Entities;
+
+interface ClientEntityInterface
+{
+    /**
+     * Get the client's identifier.
+     *
+     * @return string
+     */
+    public function getIdentifier();
+
+    /**
+     * Get the client's name.
+     *
+     * @return string
+     */
+    public function getName();
+
+    /**
+     * Returns the registered redirect URI (as a string).
+     *
+     * Alternatively return an indexed array of redirect URIs.
+     *
+     * @return string|string[]
+     */
+    public function getRedirectUri();
+
+    /**
+     * Returns true if the client is confidential.
+     *
+     * @return bool
+     */
+    public function isConfidential();
+}

src/Entities/RefreshTokenEntityInterface.php

@@ -0,0 +1,57 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Entities;
+
+use DateTimeImmutable;
+
+interface RefreshTokenEntityInterface
+{
+    /**
+     * Get the token's identifier.
+     *
+     * @return string
+     */
+    public function getIdentifier();
+
+    /**
+     * Set the token's identifier.
+     *
+     * @param mixed $identifier
+     */
+    public function setIdentifier($identifier);
+
+    /**
+     * Get the token's expiry date time.
+     *
+     * @return DateTimeImmutable
+     */
+    public function getExpiryDateTime();
+
+    /**
+     * Set the date time when the token expires.
+     *
+     * @param DateTimeImmutable $dateTime
+     */
+    public function setExpiryDateTime(DateTimeImmutable $dateTime);
+
+    /**
+     * Set the access token that the refresh token was associated with.
+     *
+     * @param AccessTokenEntityInterface $accessToken
+     */
+    public function setAccessToken(AccessTokenEntityInterface $accessToken);
+
+    /**
+     * Get the access token that the refresh token was originally associated with.
+     *
+     * @return AccessTokenEntityInterface
+     */
+    public function getAccessToken();
+}

src/Entities/ScopeEntityInterface.php

@@ -0,0 +1,22 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Entities;
+
+use JsonSerializable;
+
+interface ScopeEntityInterface extends JsonSerializable
+{
+    /**
+     * Get the scope's identifier.
+     *
+     * @return string
+     */
+    public function getIdentifier();
+}

src/Entities/TokenInterface.php

@@ -0,0 +1,85 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Entities;
+
+use DateTimeImmutable;
+
+interface TokenInterface
+{
+    /**
+     * Get the token's identifier.
+     *
+     * @return string
+     */
+    public function getIdentifier();
+
+    /**
+     * Set the token's identifier.
+     *
+     * @param mixed $identifier
+     */
+    public function setIdentifier($identifier);
+
+    /**
+     * Get the token's expiry date time.
+     *
+     * @return DateTimeImmutable
+     */
+    public function getExpiryDateTime();
+
+    /**
+     * Set the date time when the token expires.
+     *
+     * @param DateTimeImmutable $dateTime
+     */
+    public function setExpiryDateTime(DateTimeImmutable $dateTime);
+
+    /**
+     * Set the identifier of the user associated with the token.
+     *
+     * @param string|int|null $identifier The identifier of the user
+     */
+    public function setUserIdentifier($identifier);
+
+    /**
+     * Get the token user's identifier.
+     *
+     * @return string|int|null
+     */
+    public function getUserIdentifier();
+
+    /**
+     * Get the client that the token was issued to.
+     *
+     * @return ClientEntityInterface
+     */
+    public function getClient();
+
+    /**
+     * Set the client that the token was issued to.
+     *
+     * @param ClientEntityInterface $client
+     */
+    public function setClient(ClientEntityInterface $client);
+
+    /**
+     * Associate a scope with the token.
+     *
+     * @param ScopeEntityInterface $scope
+     */
+    public function addScope(ScopeEntityInterface $scope);
+
+    /**
+     * Return an array of scopes associated with the token.
+     *
+     * @return ScopeEntityInterface[]
+     */
+    public function getScopes();
+}

src/Entities/Traits/AccessTokenTrait.php

@@ -0,0 +1,84 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Entities\Traits;
+
+use DateTimeImmutable;
+use Lcobucci\JWT\Builder;
+use Lcobucci\JWT\Signer\Key;
+use Lcobucci\JWT\Signer\Rsa\Sha256;
+use Lcobucci\JWT\Token;
+use League\OAuth2\Server\CryptKey;
+use League\OAuth2\Server\Entities\ClientEntityInterface;
+use League\OAuth2\Server\Entities\ScopeEntityInterface;
+
+trait AccessTokenTrait
+{
+    /**
+     * @var CryptKey
+     */
+    private $privateKey;
+
+    /**
+     * Set the private key used to encrypt this access token.
+     */
+    public function setPrivateKey(CryptKey $privateKey)
+    {
+        $this->privateKey = $privateKey;
+    }
+
+    /**
+     * Generate a JWT from the access token
+     *
+     * @param CryptKey $privateKey
+     *
+     * @return Token
+     */
+    private function convertToJWT(CryptKey $privateKey)
+    {
+        return (new Builder())
+            ->setAudience($this->getClient()->getIdentifier())
+            ->setId($this->getIdentifier())
+            ->setIssuedAt(time())
+            ->setNotBefore(time())
+            ->setExpiration($this->getExpiryDateTime()->getTimestamp())
+            ->setSubject((string) $this->getUserIdentifier())
+            ->set('scopes', $this->getScopes())
+            ->sign(new Sha256(), new Key($privateKey->getKeyPath(), $privateKey->getPassPhrase()))
+            ->getToken();
+    }
+
+    /**
+     * Generate a string representation from the access token
+     */
+    public function __toString()
+    {
+        return (string) $this->convertToJWT($this->privateKey);
+    }
+
+    /**
+     * @return ClientEntityInterface
+     */
+    abstract public function getClient();
+
+    /**
+     * @return DateTimeImmutable
+     */
+    abstract public function getExpiryDateTime();
+
+    /**
+     * @return string|int
+     */
+    abstract public function getUserIdentifier();
+
+    /**
+     * @return ScopeEntityInterface[]
+     */
+    abstract public function getScopes();
+}

src/Entities/Traits/AuthCodeTrait.php

@@ -0,0 +1,34 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Entities\Traits;
+
+trait AuthCodeTrait
+{
+    /**
+     * @var null|string
+     */
+    protected $redirectUri;
+
+    /**
+     * @return string|null
+     */
+    public function getRedirectUri()
+    {
+        return $this->redirectUri;
+    }
+
+    /**
+     * @param string $uri
+     */
+    public function setRedirectUri($uri)
+    {
+        $this->redirectUri = $uri;
+    }
+}

src/Entities/Traits/ClientTrait.php

@@ -0,0 +1,61 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Entities\Traits;
+
+trait ClientTrait
+{
+    /**
+     * @var string
+     */
+    protected $name;
+
+    /**
+     * @var string|string[]
+     */
+    protected $redirectUri;
+
+    /**
+     * @var bool
+     */
+    protected $isConfidential = false;
+
+    /**
+     * Get the client's name.
+     *
+     * @return string
+     * @codeCoverageIgnore
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * Returns the registered redirect URI (as a string).
+     *
+     * Alternatively return an indexed array of redirect URIs.
+     *
+     * @return string|string[]
+     */
+    public function getRedirectUri()
+    {
+        return $this->redirectUri;
+    }
+
+    /**
+     * Returns true if the client is confidential.
+     *
+     * @return bool
+     */
+    public function isConfidential()
+    {
+        return $this->isConfidential;
+    }
+}

src/Entities/Traits/EntityTrait.php

@@ -0,0 +1,34 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Entities\Traits;
+
+trait EntityTrait
+{
+    /**
+     * @var string
+     */
+    protected $identifier;
+
+    /**
+     * @return mixed
+     */
+    public function getIdentifier()
+    {
+        return $this->identifier;
+    }
+
+    /**
+     * @param mixed $identifier
+     */
+    public function setIdentifier($identifier)
+    {
+        $this->identifier = $identifier;
+    }
+}

src/Entities/Traits/RefreshTokenTrait.php

@@ -0,0 +1,62 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Entities\Traits;
+
+use DateTimeImmutable;
+use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
+
+trait RefreshTokenTrait
+{
+    /**
+     * @var AccessTokenEntityInterface
+     */
+    protected $accessToken;
+
+    /**
+     * @var DateTimeImmutable
+     */
+    protected $expiryDateTime;
+
+    /**
+     * {@inheritdoc}
+     */
+    public function setAccessToken(AccessTokenEntityInterface $accessToken)
+    {
+        $this->accessToken = $accessToken;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getAccessToken()
+    {
+        return $this->accessToken;
+    }
+
+    /**
+     * Get the token's expiry date time.
+     *
+     * @return DateTimeImmutable
+     */
+    public function getExpiryDateTime()
+    {
+        return $this->expiryDateTime;
+    }
+
+    /**
+     * Set the date time when the token expires.
+     *
+     * @param DateTimeImmutable $dateTime
+     */
+    public function setExpiryDateTime(DateTimeImmutable $dateTime)
+    {
+        $this->expiryDateTime = $dateTime;
+    }
+}

src/Entities/Traits/ScopeTrait.php

@@ -0,0 +1,28 @@
+<?php
+/**
+ * @author    Andrew Millington <andrew@noexceptions.io>
+ * @copyright Copyright (c) Andrew Millington
+ * @license   http://mit-license.org
+ *
+ * @link      https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Entities\Traits;
+
+trait ScopeTrait
+{
+    /**
+     * Serialize the object to the scopes string identifier when using json_encode().
+     *
+     * @return string
+     */
+    public function jsonSerialize()
+    {
+        return $this->getIdentifier();
+    }
+
+    /**
+     * @return string
+     */
+    abstract public function getIdentifier();
+}

src/Entities/Traits/TokenEntityTrait.php

@@ -0,0 +1,117 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Entities\Traits;
+
+use DateTimeImmutable;
+use League\OAuth2\Server\Entities\ClientEntityInterface;
+use League\OAuth2\Server\Entities\ScopeEntityInterface;
+
+trait TokenEntityTrait
+{
+    /**
+     * @var ScopeEntityInterface[]
+     */
+    protected $scopes = [];
+
+    /**
+     * @var DateTimeImmutable
+     */
+    protected $expiryDateTime;
+
+    /**
+     * @var string|int|null
+     */
+    protected $userIdentifier;
+
+    /**
+     * @var ClientEntityInterface
+     */
+    protected $client;
+
+    /**
+     * Associate a scope with the token.
+     *
+     * @param ScopeEntityInterface $scope
+     */
+    public function addScope(ScopeEntityInterface $scope)
+    {
+        $this->scopes[$scope->getIdentifier()] = $scope;
+    }
+
+    /**
+     * Return an array of scopes associated with the token.
+     *
+     * @return ScopeEntityInterface[]
+     */
+    public function getScopes()
+    {
+        return array_values($this->scopes);
+    }
+
+    /**
+     * Get the token's expiry date time.
+     *
+     * @return DateTimeImmutable
+     */
+    public function getExpiryDateTime()
+    {
+        return $this->expiryDateTime;
+    }
+
+    /**
+     * Set the date time when the token expires.
+     *
+     * @param DateTimeImmutable $dateTime
+     */
+    public function setExpiryDateTime(DateTimeImmutable $dateTime)
+    {
+        $this->expiryDateTime = $dateTime;
+    }
+
+    /**
+     * Set the identifier of the user associated with the token.
+     *
+     * @param string|int|null $identifier The identifier of the user
+     */
+    public function setUserIdentifier($identifier)
+    {
+        $this->userIdentifier = $identifier;
+    }
+
+    /**
+     * Get the token user's identifier.
+     *
+     * @return string|int|null
+     */
+    public function getUserIdentifier()
+    {
+        return $this->userIdentifier;
+    }
+
+    /**
+     * Get the client that the token was issued to.
+     *
+     * @return ClientEntityInterface
+     */
+    public function getClient()
+    {
+        return $this->client;
+    }
+
+    /**
+     * Set the client that the token was issued to.
+     *
+     * @param ClientEntityInterface $client
+     */
+    public function setClient(ClientEntityInterface $client)
+    {
+        $this->client = $client;
+    }
+}

src/Entities/UserEntityInterface.php

@@ -0,0 +1,20 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Entities;
+
+interface UserEntityInterface
+{
+    /**
+     * Return the user's identifier.
+     *
+     * @return mixed
+     */
+    public function getIdentifier();
+}

src/Entity/AbstractTokenEntity.php

@@ -1,209 +0,0 @@
-<?php
-/**
- * OAuth 2.0 Abstract token
- *
- * @package     league/oauth2-server
- * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) Alex Bilbie
- * @license     http://mit-license.org/
- * @link        https://github.com/thephpleague/oauth2-server
- */
-
-namespace League\OAuth2\Server\Entity;
-
-use League\OAuth2\Server\AbstractServer;
-use League\OAuth2\Server\Util\SecureKey;
-
-/**
- * Abstract token class
- */
-abstract class AbstractTokenEntity
-{
-    /**
-     * Token identifier
-     *
-     * @var string
-     */
-    protected $id;
-
-    /**
-     * Associated session
-     *
-     * @var \League\OAuth2\Server\Entity\SessionEntity
-     */
-    protected $session;
-
-    /**
-     * Session scopes
-     *
-     * @var \League\OAuth2\Server\Entity\ScopeEntity[]
-     */
-    protected $scopes;
-
-    /**
-     * Token expire time
-     *
-     * @var int
-     */
-    protected $expireTime = 0;
-
-    /**
-     * Authorization or resource server
-     *
-     * @var \League\OAuth2\Server\AbstractServer
-     */
-    protected $server;
-
-    /**
-     * __construct
-     *
-     * @param \League\OAuth2\Server\AbstractServer $server
-     *
-     * @return self
-     */
-    public function __construct(AbstractServer $server)
-    {
-        $this->server = $server;
-
-        return $this;
-    }
-
-    /**
-     * Set session
-     *
-     * @param \League\OAuth2\Server\Entity\SessionEntity $session
-     *
-     * @return self
-     */
-    public function setSession(SessionEntity $session)
-    {
-        $this->session = $session;
-
-        return $this;
-    }
-
-    /**
-     * Set the expire time of the token
-     *
-     * @param integer $expireTime Unix time stamp
-     *
-     * @return self
-     */
-    public function setExpireTime($expireTime)
-    {
-        $this->expireTime = $expireTime;
-
-        return $this;
-    }
-
-    /**
-     * Return token expire time
-     *
-     * @return int
-     */
-    public function getExpireTime()
-    {
-        return $this->expireTime;
-    }
-
-    /**
-     * Is the token expired?
-     *
-     * @return bool
-     */
-    public function isExpired()
-    {
-        return ((time() - $this->expireTime) > 0);
-    }
-
-    /**
-     * Set token ID
-     *
-     * @param string $id Token ID
-     *
-     * @return self
-     */
-    public function setId($id = null)
-    {
-        $this->id = ($id !== null) ? $id : SecureKey::generate();
-
-        return $this;
-    }
-
-    /**
-     * Get the token ID
-     *
-     * @return string
-     */
-    public function getId()
-    {
-        return $this->id;
-    }
-
-    /**
-     * Associate a scope
-     *
-     * @param \League\OAuth2\Server\Entity\ScopeEntity $scope
-     *
-     * @return self
-     */
-    public function associateScope(ScopeEntity $scope)
-    {
-        if (!isset($this->scopes[$scope->getId()])) {
-            $this->scopes[$scope->getId()] = $scope;
-        }
-
-        return $this;
-    }
-
-    /**
-     * Format the local scopes array
-     *
-     * @param  \League\OAuth2\Server\Entity\ScopeEntity[]
-     *
-     * @return array
-     */
-    protected function formatScopes($unformatted = [])
-    {
-        if (is_null($unformatted)) {
-            return [];
-        }
-
-        $scopes = [];
-        foreach ($unformatted as $scope) {
-            if ($scope instanceof ScopeEntity) {
-                $scopes[$scope->getId()] = $scope;
-            }
-        }
-
-        return $scopes;
-    }
-
-    /**
-     * Returns the token as a string if the object is cast as a string
-     *
-     * @return string
-     */
-    public function __toString()
-    {
-        if ($this->id === null) {
-            return '';
-        }
-
-        return $this->id;
-    }
-
-    /**
-     * Expire the token
-     *
-     * @return void
-     */
-    abstract public function expire();
-
-    /**
-     * Save the token
-     *
-     * @return void
-     */
-    abstract public function save();
-}

src/Entity/AccessTokenEntity.php

@@ -1,93 +0,0 @@
-<?php
-/**
- * OAuth 2.0 Access token entity
- *
- * @package     league/oauth2-server
- * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) Alex Bilbie
- * @license     http://mit-license.org/
- * @link        https://github.com/thephpleague/oauth2-server
- */
-
-namespace League\OAuth2\Server\Entity;
-
-/**
- * Access token entity class
- */
-class AccessTokenEntity extends AbstractTokenEntity
-{
-    /**
-     * Get session
-     *
-     * @return \League\OAuth2\Server\Entity\SessionEntity
-     */
-    public function getSession()
-    {
-        if ($this->session instanceof SessionEntity) {
-            return $this->session;
-        }
-
-        $this->session = $this->server->getSessionStorage()->getByAccessToken($this);
-
-        return $this->session;
-    }
-
-    /**
-     * Check if access token has an associated scope
-     *
-     * @param string $scope Scope to check
-     *
-     * @return bool
-     */
-    public function hasScope($scope)
-    {
-        if ($this->scopes === null) {
-            $this->getScopes();
-        }
-
-        return isset($this->scopes[$scope]);
-    }
-
-    /**
-     * Return all scopes associated with the access token
-     *
-     * @return \League\OAuth2\Server\Entity\ScopeEntity[]
-     */
-    public function getScopes()
-    {
-        if ($this->scopes === null) {
-            $this->scopes = $this->formatScopes(
-                $this->server->getAccessTokenStorage()->getScopes($this)
-            );
-        }
-
-        return $this->scopes;
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function save()
-    {
-        $this->server->getAccessTokenStorage()->create(
-            $this->getId(),
-            $this->getExpireTime(),
-            $this->getSession()->getId()
-        );
-
-        // Associate the scope with the token
-        foreach ($this->getScopes() as $scope) {
-            $this->server->getAccessTokenStorage()->associateScope($this, $scope);
-        }
-
-        return $this;
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function expire()
-    {
-        $this->server->getAccessTokenStorage()->delete($this);
-    }
-}

src/Entity/AuthCodeEntity.php

@@ -1,128 +0,0 @@
-<?php
-/**
- * OAuth 2.0 Auth code entity
- *
- * @package     league/oauth2-server
- * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) Alex Bilbie
- * @license     http://mit-license.org/
- * @link        https://github.com/thephpleague/oauth2-server
- */
-
-namespace League\OAuth2\Server\Entity;
-
-/**
- * Auth Code entity class
- */
-class AuthCodeEntity extends AbstractTokenEntity
-{
-    /**
-     * Redirect URI
-     *
-     * @var string
-     */
-    protected $redirectUri = '';
-
-    /**
-     * Set the redirect URI for the authorization request
-     *
-     * @param string $redirectUri
-     *
-     * @return self
-     */
-    public function setRedirectUri($redirectUri)
-    {
-        $this->redirectUri = $redirectUri;
-
-        return $this;
-    }
-
-    /**
-     * Get the redirect URI
-     *
-     * @return string
-     */
-    public function getRedirectUri()
-    {
-        return $this->redirectUri;
-    }
-
-    /**
-     * Generate a redirect URI
-     *
-     * @param string $state          The state parameter if set by the client
-     * @param string $queryDelimeter The query delimiter ('?' for auth code grant, '#' for implicit grant)
-     *
-     * @return string
-     */
-    public function generateRedirectUri($state = null, $queryDelimeter = '?')
-    {
-        $uri = $this->getRedirectUri();
-        $uri .= (strstr($this->getRedirectUri(), $queryDelimeter) === false) ? $queryDelimeter : '&';
-
-        return $uri.http_build_query([
-            'code'  =>  $this->getId(),
-            'state' =>  $state,
-        ]);
-    }
-
-    /**
-     * Get session
-     *
-     * @return \League\OAuth2\Server\Entity\SessionEntity
-     */
-    public function getSession()
-    {
-        if ($this->session instanceof SessionEntity) {
-            return $this->session;
-        }
-
-        $this->session = $this->server->getSessionStorage()->getByAuthCode($this);
-
-        return $this->session;
-    }
-
-    /**
-     * Return all scopes associated with the session
-     *
-     * @return \League\OAuth2\Server\Entity\ScopeEntity[]
-     */
-    public function getScopes()
-    {
-        if ($this->scopes === null) {
-            $this->scopes = $this->formatScopes(
-                $this->server->getAuthCodeStorage()->getScopes($this)
-            );
-        }
-
-        return $this->scopes;
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function save()
-    {
-        $this->server->getAuthCodeStorage()->create(
-            $this->getId(),
-            $this->getExpireTime(),
-            $this->getSession()->getId(),
-            $this->getRedirectUri()
-        );
-
-        // Associate the scope with the token
-        foreach ($this->getScopes() as $scope) {
-            $this->server->getAuthCodeStorage()->associateScope($this, $scope);
-        }
-
-        return $this;
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function expire()
-    {
-        $this->server->getAuthCodeStorage()->delete($this);
-    }
-}

src/Entity/ClientEntity.php

@@ -1,111 +0,0 @@
-<?php
-/**
- * OAuth 2.0 Client entity
- *
- * @package     league/oauth2-server
- * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) Alex Bilbie
- * @license     http://mit-license.org/
- * @link        https://github.com/thephpleague/oauth2-server
- */
-
-namespace League\OAuth2\Server\Entity;
-
-use League\OAuth2\Server\AbstractServer;
-
-/**
- * Client entity class
- */
-class ClientEntity
-{
-    use EntityTrait;
-
-    /**
-     * Client identifier
-     *
-     * @var string
-     */
-    protected $id = null;
-
-    /**
-     * Client secret
-     *
-     * @var string
-     */
-    protected $secret = null;
-
-    /**
-     * Client name
-     *
-     * @var string
-     */
-    protected $name = null;
-
-    /**
-     * Client redirect URI
-     *
-     * @var string
-     */
-    protected $redirectUri = null;
-
-    /**
-     * Authorization or resource server
-     *
-     * @var \League\OAuth2\Server\AbstractServer
-     */
-    protected $server;
-
-    /**
-     * __construct
-     *
-     * @param \League\OAuth2\Server\AbstractServer $server
-     *
-     * @return self
-     */
-    public function __construct(AbstractServer $server)
-    {
-        $this->server = $server;
-
-        return $this;
-    }
-
-    /**
-     * Return the client identifier
-     *
-     * @return string
-     */
-    public function getId()
-    {
-        return $this->id;
-    }
-
-    /**
-     * Return the client secret
-     *
-     * @return string
-     */
-    public function getSecret()
-    {
-        return $this->secret;
-    }
-
-    /**
-     * Get the client name
-     *
-     * @return string
-     */
-    public function getName()
-    {
-        return $this->name;
-    }
-
-    /**
-     * Returnt the client redirect URI
-     *
-     * @return string
-     */
-    public function getRedirectUri()
-    {
-        return $this->redirectUri;
-    }
-}

src/Entity/EntityTrait.php

@@ -1,33 +0,0 @@
-<?php
-/**
- * OAuth 2.0 Entity trait
- *
- * @package     league/oauth2-server
- * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) Alex Bilbie
- * @license     http://mit-license.org/
- * @link        https://github.com/thephpleague/oauth2-server
- */
-
-namespace League\OAuth2\Server\Entity;
-
-trait EntityTrait
-{
-    /**
-     * Hydrate an entity with properites
-     *
-     * @param array $properties
-     *
-     * @return self
-     */
-    public function hydrate(array $properties)
-    {
-        foreach ($properties as $prop => $val) {
-            if (property_exists($this, $prop)) {
-                $this->{$prop} = $val;
-            }
-        }
-
-        return $this;
-    }
-}

src/Entity/RefreshTokenEntity.php

@@ -1,94 +0,0 @@
-<?php
-/**
- * OAuth 2.0 Refresh token entity
- *
- * @package     league/oauth2-server
- * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) Alex Bilbie
- * @license     http://mit-license.org/
- * @link        https://github.com/thephpleague/oauth2-server
- */
-
-namespace League\OAuth2\Server\Entity;
-
-/**
- * Refresh token entity class
- */
-class RefreshTokenEntity extends AbstractTokenEntity
-{
-    /**
-     * Access token associated to refresh token
-     *
-     * @var \League\OAuth2\Server\Entity\AccessTokenEntity
-     */
-    protected $accessTokenEntity;
-
-    /**
-     * Id of the access token
-     *
-     * @var string
-     */
-    protected $accessTokenId;
-
-    /**
-     * Set the ID of the associated access token
-     *
-     * @param string $accessTokenId
-     *
-     * @return self
-     */
-    public function setAccessTokenId($accessTokenId)
-    {
-        $this->accessTokenId = $accessTokenId;
-
-        return $this;
-    }
-
-    /**
-     * Associate an access token
-     *
-     * @param \League\OAuth2\Server\Entity\AccessTokenEntity $accessTokenEntity
-     *
-     * @return self
-     */
-    public function setAccessToken(AccessTokenEntity $accessTokenEntity)
-    {
-        $this->accessTokenEntity = $accessTokenEntity;
-
-        return $this;
-    }
-
-    /**
-     * Return access token
-     *
-     * @return AccessTokenEntity
-     */
-    public function getAccessToken()
-    {
-        if (! $this->accessTokenEntity instanceof AccessTokenEntity) {
-            $this->accessTokenEntity = $this->server->getAccessTokenStorage()->get($this->accessTokenId);
-        }
-
-        return $this->accessTokenEntity;
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function save()
-    {
-        $this->server->getRefreshTokenStorage()->create(
-            $this->getId(),
-            $this->getExpireTime(),
-            $this->getAccessToken()->getId()
-        );
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function expire()
-    {
-        $this->server->getRefreshTokenStorage()->delete($this);
-    }
-}

src/Entity/ScopeEntity.php

@@ -1,90 +0,0 @@
-<?php
-/**
- * OAuth 2.0 scope entity
- *
- * @package     league/oauth2-server
- * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) Alex Bilbie
- * @license     http://mit-license.org/
- * @link        https://github.com/thephpleague/oauth2-server
- */
-
-namespace League\OAuth2\Server\Entity;
-
-use League\OAuth2\Server\AbstractServer;
-
-/**
- * Scope entity class
- */
-class ScopeEntity implements \JsonSerializable
-{
-    use EntityTrait;
-
-    /**
-     * Scope identifier
-     *
-     * @var string
-     */
-    protected $id;
-
-    /**
-     * Scope description
-     *
-     * @var string
-     */
-    protected $description;
-
-    /**
-     * Authorization or resource server
-     *
-     * @var \League\OAuth2\Server\AbstractServer
-     */
-    protected $server;
-
-    /**
-     * __construct
-     *
-     * @param \League\OAuth2\Server\AbstractServer $server
-     *
-     * @return self
-     */
-    public function __construct(AbstractServer $server)
-    {
-        $this->server = $server;
-
-        return $this;
-    }
-
-    /**
-     * Return the scope identifer
-     *
-     * @return string
-     */
-    public function getId()
-    {
-        return $this->id;
-    }
-
-    /**
-     * Return the scope's description
-     *
-     * @return string
-     */
-    public function getDescription()
-    {
-        return $this->description;
-    }
-
-    /**
-     * Returns a JSON object when entity is passed into json_encode
-     *
-     * @return array
-     */
-    public function jsonSerialize()
-    {
-        return [
-            'id'    =>  $this->getId(),
-            'description'   =>  $this->getDescription()
-        ];
-    }
-}

src/Entity/SessionEntity.php

@@ -1,308 +0,0 @@
-<?php
-/**
- * OAuth 2.0 session entity
- *
- * @package     league/oauth2-server
- * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) Alex Bilbie
- * @license     http://mit-license.org/
- * @link        https://github.com/thephpleague/oauth2-server
- */
-
-namespace League\OAuth2\Server\Entity;
-
-use League\OAuth2\Server\AbstractServer;
-use League\OAuth2\Server\Event\SessionOwnerEvent;
-
-/**
- * Session entity grant
- */
-class SessionEntity
-{
-    /**
-     * Session identifier
-     *
-     * @var string
-     */
-    protected $id;
-
-    /**
-     * Client identifier
-     *
-     * @var \League\OAuth2\Server\Entity\ClientEntity
-     */
-    protected $client;
-
-    /**
-     * Session owner identifier
-     *
-     * @var string
-     */
-    protected $ownerId;
-
-    /**
-     * Session owner type (e.g. "user")
-     *
-     * @var string
-     */
-    protected $ownerType;
-
-    /**
-     * Auth code
-     *
-     * @var \League\OAuth2\Server\Entity\AuthCodeEntity
-     */
-    protected $authCode;
-
-    /**
-     * Access token
-     *
-     * @var \League\OAuth2\Server\Entity\AccessTokenEntity
-     */
-    protected $accessToken;
-
-    /**
-     * Refresh token
-     *
-     * @var \League\OAuth2\Server\Entity\RefreshTokenEntity
-     */
-    protected $refreshToken;
-
-    /**
-     * Session scopes
-     *
-     * @var \Symfony\Component\HttpFoundation\ParameterBag
-     */
-    protected $scopes;
-
-    /**
-     * Authorization or resource server
-     *
-     * @var \League\OAuth2\Server\AuthorizationServer|\League\OAuth2\Server\ResourceServer
-     */
-    protected $server;
-
-    /**
-     * __construct
-     *
-     * @param \League\OAuth2\Server\AbstractServer $server
-     *
-     * @return self
-     */
-    public function __construct(AbstractServer $server)
-    {
-        $this->server = $server;
-
-        return $this;
-    }
-
-    /**
-     * Set the session identifier
-     *
-     * @param string $id
-     *
-     * @return self
-     */
-    public function setId($id)
-    {
-        $this->id = $id;
-
-        return $this;
-    }
-
-    /**
-     * Return the session identifier
-     *
-     * @return string
-     */
-    public function getId()
-    {
-        return $this->id;
-    }
-
-    /**
-     * Associate a scope
-     *
-     * @param \League\OAuth2\Server\Entity\ScopeEntity $scope
-     *
-     * @return self
-     */
-    public function associateScope(ScopeEntity $scope)
-    {
-        if (!isset($this->scopes[$scope->getId()])) {
-            $this->scopes[$scope->getId()] = $scope;
-        }
-
-        return $this;
-    }
-
-    /**
-     * Check if access token has an associated scope
-     *
-     * @param string $scope Scope to check
-     *
-     * @return bool
-     */
-    public function hasScope($scope)
-    {
-        if ($this->scopes === null) {
-            $this->getScopes();
-        }
-
-        return isset($this->scopes[$scope]);
-    }
-
-    /**
-     * Return all scopes associated with the session
-     *
-     * @return \League\OAuth2\Server\Entity\ScopeEntity[]
-     */
-    public function getScopes()
-    {
-        if ($this->scopes === null) {
-            $this->scopes = $this->formatScopes($this->server->getSessionStorage()->getScopes($this));
-        }
-
-        return $this->scopes;
-    }
-
-    /**
-     * Format the local scopes array
-     *
-     * @param  \League\OAuth2\Server\Entity\Scope[]
-     *
-     * @return array
-     */
-    private function formatScopes($unformatted = [])
-    {
-        $scopes = [];
-        if (is_array($unformatted)) {
-            foreach ($unformatted as $scope) {
-                if ($scope instanceof ScopeEntity) {
-                    $scopes[$scope->getId()] = $scope;
-                }
-            }
-        }
-
-        return $scopes;
-    }
-
-    /**
-     * Associate an access token with the session
-     *
-     * @param \League\OAuth2\Server\Entity\AccessTokenEntity $accessToken
-     *
-     * @return self
-     */
-    public function associateAccessToken(AccessTokenEntity $accessToken)
-    {
-        $this->accessToken = $accessToken;
-
-        return $this;
-    }
-
-    /**
-     * Associate a refresh token with the session
-     *
-     * @param \League\OAuth2\Server\Entity\RefreshTokenEntity $refreshToken
-     *
-     * @return self
-     */
-    public function associateRefreshToken(RefreshTokenEntity $refreshToken)
-    {
-        $this->refreshToken = $refreshToken;
-
-        return $this;
-    }
-
-    /**
-     * Associate a client with the session
-     *
-     * @param \League\OAuth2\Server\Entity\ClientEntity $client The client
-     *
-     * @return self
-     */
-    public function associateClient(ClientEntity $client)
-    {
-        $this->client = $client;
-
-        return $this;
-    }
-
-    /**
-     * Return the session client
-     *
-     * @return \League\OAuth2\Server\Entity\ClientEntity
-     */
-    public function getClient()
-    {
-        if ($this->client instanceof ClientEntity) {
-            return $this->client;
-        }
-
-        $this->client = $this->server->getClientStorage()->getBySession($this);
-
-        return $this->client;
-    }
-
-    /**
-     * Set the session owner
-     *
-     * @param string $type The type of the owner (e.g. user, app)
-     * @param string $id   The identifier of the owner
-     *
-     * @return self
-     */
-    public function setOwner($type, $id)
-    {
-        $this->ownerType = $type;
-        $this->ownerId = $id;
-
-        $this->server->getEventEmitter()->emit(new SessionOwnerEvent($this));
-
-        return $this;
-    }
-
-    /**
-     * Return session owner identifier
-     *
-     * @return string
-     */
-    public function getOwnerId()
-    {
-        return $this->ownerId;
-    }
-
-    /**
-     * Return session owner type
-     *
-     * @return string
-     */
-    public function getOwnerType()
-    {
-        return $this->ownerType;
-    }
-
-    /**
-     * Save the session
-     *
-     * @return void
-     */
-    public function save()
-    {
-        // Save the session and get an identifier
-        $id = $this->server->getSessionStorage()->create(
-            $this->getOwnerType(),
-            $this->getOwnerId(),
-            $this->getClient()->getId(),
-            $this->getClient()->getRedirectUri()
-        );
-
-        $this->setId($id);
-
-        // Associate the scope with the session
-        foreach ($this->getScopes() as $scope) {
-            $this->server->getSessionStorage()->associateScope($this, $scope);
-        }
-    }
-}

src/Event/ClientAuthenticationFailedEvent.php

@@ -1,55 +0,0 @@
-<?php
-/**
- * OAuth 2.0 client authentication failed event
- *
- * @package     league/oauth2-server
- * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) Alex Bilbie
- * @license     http://mit-license.org/
- * @link        https://github.com/thephpleague/oauth2-server
- */
-
-namespace League\OAuth2\Server\Event;
-
-use League\Event\AbstractEvent;
-use Symfony\Component\HttpFoundation\Request;
-
-class ClientAuthenticationFailedEvent extends AbstractEvent
-{
-    /**
-     * Request
-     *
-     * @var \Symfony\Component\HttpFoundation\Request
-     */
-    private $request;
-
-    /**
-     * Init the event with a request
-     *
-     * @param \Symfony\Component\HttpFoundation\Request $request
-     */
-    public function __construct(Request $request)
-    {
-        $this->request = $request;
-    }
-
-    /**
-     * The name of the event
-     *
-     * @return string
-     */
-    public function getName()
-    {
-        return 'error.auth.client';
-    }
-
-    /**
-     * Return request
-     *
-     * @return \Symfony\Component\HttpFoundation\Request
-     */
-    public function getRequest()
-    {
-        return $this->request;
-    }
-}

src/Event/SessionOwnerEvent.php

@@ -1,55 +0,0 @@
-<?php
-/**
- * OAuth 2.0 session owner event
- *
- * @package     league/oauth2-server
- * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) Alex Bilbie
- * @license     http://mit-license.org/
- * @link        https://github.com/thephpleague/oauth2-server
- */
-
-namespace League\OAuth2\Server\Event;
-
-use League\Event\AbstractEvent;
-use League\OAuth2\Server\Entity\SessionEntity;
-
-class SessionOwnerEvent extends AbstractEvent
-{
-    /**
-     * Session entity
-     *
-     * @var \League\OAuth2\Server\Entity\SessionEntity
-     */
-    private $session;
-
-    /**
-     * Init the event with a session
-     *
-     * @param \League\OAuth2\Server\Entity\SessionEntity $session
-     */
-    public function __construct(SessionEntity $session)
-    {
-        $this->session = $session;
-    }
-
-    /**
-     * The name of the event
-     *
-     * @return string
-     */
-    public function getName()
-    {
-        return 'session.owner';
-    }
-
-    /**
-     * Return session
-     *
-     * @return \League\OAuth2\Server\Entity\SessionEntity
-     */
-    public function getSession()
-    {
-        return $this->session;
-    }
-}

src/Event/UserAuthenticationFailedEvent.php

@@ -1,55 +0,0 @@
-<?php
-/**
- * OAuth 2.0 user authentication failed event
- *
- * @package     league/oauth2-server
- * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) Alex Bilbie
- * @license     http://mit-license.org/
- * @link        https://github.com/thephpleague/oauth2-server
- */
-
-namespace League\OAuth2\Server\Event;
-
-use League\Event\AbstractEvent;
-use Symfony\Component\HttpFoundation\Request;
-
-class UserAuthenticationFailedEvent extends AbstractEvent
-{
-    /**
-     * Request
-     *
-     * @var \Symfony\Component\HttpFoundation\Request
-     */
-    private $request;
-
-    /**
-     * Init the event with a request
-     *
-     * @param \Symfony\Component\HttpFoundation\Request $request
-     */
-    public function __construct(Request $request)
-    {
-        $this->request = $request;
-    }
-
-    /**
-     * The name of the event
-     *
-     * @return string
-     */
-    public function getName()
-    {
-        return 'error.auth.user';
-    }
-
-    /**
-     * Return request
-     *
-     * @return \Symfony\Component\HttpFoundation\Request
-     */
-    public function getRequest()
-    {
-        return $this->request;
-    }
-}

src/Exception/AccessDeniedException.php

@@ -1,36 +0,0 @@
-<?php
-/**
- * OAuth 2.0 Access Denied Exception
- *
- * @package     league/oauth2-server
- * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) Alex Bilbie
- * @license     http://mit-license.org/
- * @link        https://github.com/thephpleague/oauth2-server
- */
-
-namespace League\OAuth2\Server\Exception;
-
-/**
- * Exception class
- */
-class AccessDeniedException extends OAuthException
-{
-    /**
-     * {@inheritdoc}
-     */
-    public $httpStatusCode = 401;
-
-    /**
-     * {@inheritdoc}
-     */
-    public $errorType = 'access_denied';
-
-    /**
-     * {@inheritdoc}
-     */
-    public function __construct()
-    {
-        parent::__construct('The resource owner or authorization server denied the request.');
-    }
-}

src/Exception/InvalidClientException.php

@@ -1,36 +0,0 @@
-<?php
-/**
- * OAuth 2.0 Invalid Client Exception
- *
- * @package     league/oauth2-server
- * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) Alex Bilbie
- * @license     http://mit-license.org/
- * @link        https://github.com/thephpleague/oauth2-server
- */
-
-namespace League\OAuth2\Server\Exception;
-
-/**
- * Exception class
- */
-class InvalidClientException extends OAuthException
-{
-    /**
-     * {@inheritdoc}
-     */
-    public $httpStatusCode = 401;
-
-    /**
-     * {@inheritdoc}
-     */
-    public $errorType = 'invalid_client';
-
-    /**
-     * {@inheritdoc}
-     */
-    public function __construct()
-    {
-        parent::__construct('Client authentication failed.');
-    }
-}

src/Exception/InvalidCredentialsException.php

@@ -1,36 +0,0 @@
-<?php
-/**
- * OAuth 2.0 Invalid Credentials Exception
- *
- * @package     league/oauth2-server
- * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) Alex Bilbie
- * @license     http://mit-license.org/
- * @link        https://github.com/thephpleague/oauth2-server
- */
-
-namespace League\OAuth2\Server\Exception;
-
-/**
- * Exception class
- */
-class InvalidCredentialsException extends OAuthException
-{
-    /**
-     * {@inheritdoc}
-     */
-    public $httpStatusCode = 401;
-
-    /**
-     * {@inheritdoc}
-     */
-    public $errorType = 'invalid_credentials';
-
-    /**
-     * {@inheritdoc}
-     */
-    public function __construct()
-    {
-        parent::__construct('The user credentials were incorrect.');
-    }
-}

src/Exception/InvalidGrantException.php

@@ -1,43 +0,0 @@
-<?php
-/**
- * OAuth 2.0 Invalid Grant Exception
- *
- * @package     league/oauth2-server
- * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) Alex Bilbie
- * @license     http://mit-license.org/
- * @link        https://github.com/thephpleague/oauth2-server
- */
-
-namespace League\OAuth2\Server\Exception;
-
-/**
- * Exception class
- */
-class InvalidGrantException extends OAuthException
-{
-    /**
-     * {@inheritdoc}
-     */
-    public $httpStatusCode = 400;
-
-    /**
-     * {@inheritdoc}
-     */
-    public $errorType = 'invalid_grant';
-
-    /**
-     * {@inheritdoc}
-     */
-
-    public function __construct($parameter)
-    {
-        $this->parameter = $parameter;
-        parent::__construct(
-            sprintf(
-                'The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. Check the "%s" parameter.',
-                $parameter
-            )
-        );
-    }
-}

src/Exception/InvalidRefreshException.php

@@ -1,36 +0,0 @@
-<?php
-/**
- * OAuth 2.0 Invalid Refresh Exception
- *
- * @package     league/oauth2-server
- * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) Alex Bilbie
- * @license     http://mit-license.org/
- * @link        https://github.com/thephpleague/oauth2-server
- */
-
-namespace League\OAuth2\Server\Exception;
-
-/**
- * Exception class
- */
-class InvalidRefreshException extends OAuthException
-{
-    /**
-     * {@inheritdoc}
-     */
-    public $httpStatusCode = 400;
-
-    /**
-     * {@inheritdoc}
-     */
-    public $errorType = 'invalid_request';
-
-    /**
-     * {@inheritdoc}
-     */
-    public function __construct()
-    {
-        parent::__construct('The refresh token is invalid.');
-    }
-}

src/Exception/InvalidRequestException.php

@@ -1,45 +0,0 @@
-<?php
-/**
- * OAuth 2.0 Invalid Request Exception
- *
- * @package     league/oauth2-server
- * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) Alex Bilbie
- * @license     http://mit-license.org/
- * @link        https://github.com/thephpleague/oauth2-server
- */
-
-namespace League\OAuth2\Server\Exception;
-
-/**
- * Exception class
- */
-class InvalidRequestException extends OAuthException
-{
-    /**
-     * {@inheritdoc}
-     */
-    public $httpStatusCode = 400;
-
-    /**
-     * {@inheritdoc}
-     */
-    public $errorType = 'invalid_request';
-
-    /**
-     * {@inheritdoc}
-     */
-
-    public function __construct($parameter, $redirectUri = null)
-    {
-        $this->parameter = $parameter;
-        parent::__construct(
-            sprintf(
-                'The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Check the "%s" parameter.',
-                $parameter
-            )
-        );
-
-        $this->redirectUri = $redirectUri;
-    }
-}

src/Exception/InvalidScopeException.php

@@ -1,45 +0,0 @@
-<?php
-/**
- * OAuth 2.0 Invalid Scope Exception
- *
- * @package     league/oauth2-server
- * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) Alex Bilbie
- * @license     http://mit-license.org/
- * @link        https://github.com/thephpleague/oauth2-server
- */
-
-namespace League\OAuth2\Server\Exception;
-
-/**
- * Exception class
- */
-class InvalidScopeException extends OAuthException
-{
-    /**
-     * {@inheritdoc}
-     */
-    public $httpStatusCode = 400;
-
-    /**
-     * {@inheritdoc}
-     */
-    public $errorType = 'invalid_scope';
-
-    /**
-     * {@inheritdoc}
-     */
-
-    public function __construct($parameter, $redirectUri = null)
-    {
-        $this->parameter = $parameter;
-        parent::__construct(
-            sprintf(
-                'The requested scope is invalid, unknown, or malformed. Check the "%s" scope.',
-                $parameter
-            )
-        );
-
-        $this->redirectUri = $redirectUri;
-    }
-}

src/Exception/OAuthException.php

@@ -1,145 +0,0 @@
-<?php
-/**
- * OAuth 2.0 Base Exception
- *
- * @package     league/oauth2-server
- * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) Alex Bilbie
- * @license     http://mit-license.org/
- * @link        https://github.com/thephpleague/oauth2-server
- */
-
-namespace League\OAuth2\Server\Exception;
-
-use League\OAuth2\Server\Util\RedirectUri;
-use Symfony\Component\HttpFoundation\Request;
-
-/**
- * Exception class
- */
-class OAuthException extends \Exception
-{
-    /**
-     * The HTTP status code for this exception that should be sent in the response
-     */
-    public $httpStatusCode = 400;
-
-    /**
-     * Redirect URI if the server should redirect back to the client
-     *
-     * @var string|null
-     */
-    public $redirectUri = null;
-
-    /**
-     * The exception type
-     */
-    public $errorType = '';
-
-    /**
-     * Parameter eventually passed to Exception
-     */
-    public $parameter = '';
-
-    /**
-     * Throw a new exception
-     *
-     * @param string $msg Exception Message
-     */
-    public function __construct($msg = 'An error occured')
-    {
-        parent::__construct($msg);
-    }
-
-    /**
-     * Should the server redirect back to the client?
-     *
-     * @return bool
-     */
-    public function shouldRedirect()
-    {
-        return is_null($this->redirectUri) ? false : true;
-    }
-
-    /**
-     * Return redirect URI if set
-     *
-     * @return string|null
-     */
-    public function getRedirectUri()
-    {
-        return RedirectUri::make(
-            $this->redirectUri,
-            [
-                'error' =>  $this->errorType,
-                'message' =>  $this->getMessage(),
-            ]
-        );
-    }
-
-    /**
-     * Return parameter if set
-     *
-     * @return string
-     */
-    public function getParameter()
-    {
-        return $this->parameter;
-    }
-
-    /**
-     * Get all headers that have to be send with the error response
-     *
-     * @return array Array with header values
-     */
-    public function getHttpHeaders()
-    {
-        $headers = [];
-        switch ($this->httpStatusCode) {
-            case 401:
-                $headers[] = 'HTTP/1.1 401 Unauthorized';
-                break;
-            case 500:
-                $headers[] = 'HTTP/1.1 500 Internal Server Error';
-                break;
-            case 501:
-                $headers[] = 'HTTP/1.1 501 Not Implemented';
-                break;
-            case 400:
-            default:
-                $headers[] = 'HTTP/1.1 400 Bad Request';
-                break;
-        }
-
-        // Add "WWW-Authenticate" header
-        //
-        // RFC 6749, section 5.2.:
-        // "If the client attempted to authenticate via the 'Authorization'
-        // request header field, the authorization server MUST
-        // respond with an HTTP 401 (Unauthorized) status code and
-        // include the "WWW-Authenticate" response header field
-        // matching the authentication scheme used by the client.
-        // @codeCoverageIgnoreStart
-        if ($this->errorType === 'invalid_client') {
-            $authScheme = null;
-            $request = new Request();
-            if ($request->getUser() !== null) {
-                $authScheme = 'Basic';
-            } else {
-                $authHeader = $request->headers->get('Authorization');
-                if ($authHeader !== null) {
-                    if (strpos($authHeader, 'Bearer') === 0) {
-                        $authScheme = 'Bearer';
-                    } elseif (strpos($authHeader, 'Basic') === 0) {
-                        $authScheme = 'Basic';
-                    }
-                }
-            }
-            if ($authScheme !== null) {
-                $headers[] = 'WWW-Authenticate: '.$authScheme.' realm=""';
-            }
-        }
-        // @codeCoverageIgnoreEnd
-        return $headers;
-    }
-}

src/Exception/OAuthServerException.php

@@ -0,0 +1,399 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Exception;
+
+use Exception;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Throwable;
+
+class OAuthServerException extends Exception
+{
+    /**
+     * @var int
+     */
+    private $httpStatusCode;
+
+    /**
+     * @var string
+     */
+    private $errorType;
+
+    /**
+     * @var null|string
+     */
+    private $hint;
+
+    /**
+     * @var null|string
+     */
+    private $redirectUri;
+
+    /**
+     * @var array
+     */
+    private $payload;
+
+    /**
+     * @var ServerRequestInterface
+     */
+    private $serverRequest;
+
+    /**
+     * Throw a new exception.
+     *
+     * @param string      $message        Error message
+     * @param int         $code           Error code
+     * @param string      $errorType      Error type
+     * @param int         $httpStatusCode HTTP status code to send (default = 400)
+     * @param null|string $hint           A helper hint
+     * @param null|string $redirectUri    A HTTP URI to redirect the user back to
+     * @param Throwable   $previous       Previous exception
+     */
+    public function __construct($message, $code, $errorType, $httpStatusCode = 400, $hint = null, $redirectUri = null, Throwable $previous = null)
+    {
+        parent::__construct($message, $code, $previous);
+        $this->httpStatusCode = $httpStatusCode;
+        $this->errorType = $errorType;
+        $this->hint = $hint;
+        $this->redirectUri = $redirectUri;
+        $this->payload = [
+            'error'             => $errorType,
+            'error_description' => $message,
+        ];
+        if ($hint !== null) {
+            $this->payload['hint'] = $hint;
+        }
+    }
+
+    /**
+     * Returns the current payload.
+     *
+     * @return array
+     */
+    public function getPayload()
+    {
+        $payload = $this->payload;
+
+        // The "message" property is deprecated and replaced by "error_description"
+        // TODO: remove "message" property
+        if (isset($payload['error_description']) && !isset($payload['message'])) {
+            $payload['message'] = $payload['error_description'];
+        }
+
+        return $payload;
+    }
+
+    /**
+     * Updates the current payload.
+     *
+     * @param array $payload
+     */
+    public function setPayload(array $payload)
+    {
+        $this->payload = $payload;
+    }
+
+    /**
+     * Set the server request that is responsible for generating the exception
+     *
+     * @param ServerRequestInterface $serverRequest
+     */
+    public function setServerRequest(ServerRequestInterface $serverRequest)
+    {
+        $this->serverRequest = $serverRequest;
+    }
+
+    /**
+     * Unsupported grant type error.
+     *
+     * @return static
+     */
+    public static function unsupportedGrantType()
+    {
+        $errorMessage = 'The authorization grant type is not supported by the authorization server.';
+        $hint = 'Check that all required parameters have been provided';
+
+        return new static($errorMessage, 2, 'unsupported_grant_type', 400, $hint);
+    }
+
+    /**
+     * Invalid request error.
+     *
+     * @param string      $parameter The invalid parameter
+     * @param null|string $hint
+     * @param Throwable   $previous  Previous exception
+     *
+     * @return static
+     */
+    public static function invalidRequest($parameter, $hint = null, Throwable $previous = null)
+    {
+        $errorMessage = 'The request is missing a required parameter, includes an invalid parameter value, ' .
+            'includes a parameter more than once, or is otherwise malformed.';
+        $hint = ($hint === null) ? sprintf('Check the `%s` parameter', $parameter) : $hint;
+
+        return new static($errorMessage, 3, 'invalid_request', 400, $hint, null, $previous);
+    }
+
+    /**
+     * Invalid client error.
+     *
+     * @param ServerRequestInterface $serverRequest
+     *
+     * @return static
+     */
+    public static function invalidClient(ServerRequestInterface $serverRequest)
+    {
+        $exception = new static('Client authentication failed', 4, 'invalid_client', 401);
+
+        $exception->setServerRequest($serverRequest);
+
+        return $exception;
+    }
+
+    /**
+     * Invalid scope error.
+     *
+     * @param string      $scope       The bad scope
+     * @param null|string $redirectUri A HTTP URI to redirect the user back to
+     *
+     * @return static
+     */
+    public static function invalidScope($scope, $redirectUri = null)
+    {
+        $errorMessage = 'The requested scope is invalid, unknown, or malformed';
+
+        if (empty($scope)) {
+            $hint = 'Specify a scope in the request or set a default scope';
+        } else {
+            $hint = sprintf(
+                'Check the `%s` scope',
+                htmlspecialchars($scope, ENT_QUOTES, 'UTF-8', false)
+            );
+        }
+
+        return new static($errorMessage, 5, 'invalid_scope', 400, $hint, $redirectUri);
+    }
+
+    /**
+     * Invalid credentials error.
+     *
+     * @return static
+     */
+    public static function invalidCredentials()
+    {
+        return new static('The user credentials were incorrect.', 6, 'invalid_credentials', 401);
+    }
+
+    /**
+     * Server error.
+     *
+     * @param string    $hint
+     * @param Throwable $previous
+     *
+     * @return static
+     *
+     * @codeCoverageIgnore
+     */
+    public static function serverError($hint, Throwable $previous = null)
+    {
+        return new static(
+            'The authorization server encountered an unexpected condition which prevented it from fulfilling'
+            . ' the request: ' . $hint,
+            7,
+            'server_error',
+            500,
+            null,
+            null,
+            $previous
+        );
+    }
+
+    /**
+     * Invalid refresh token.
+     *
+     * @param null|string $hint
+     * @param Throwable   $previous
+     *
+     * @return static
+     */
+    public static function invalidRefreshToken($hint = null, Throwable $previous = null)
+    {
+        return new static('The refresh token is invalid.', 8, 'invalid_request', 401, $hint, null, $previous);
+    }
+
+    /**
+     * Access denied.
+     *
+     * @param null|string $hint
+     * @param null|string $redirectUri
+     * @param Throwable   $previous
+     *
+     * @return static
+     */
+    public static function accessDenied($hint = null, $redirectUri = null, Throwable $previous = null)
+    {
+        return new static(
+            'The resource owner or authorization server denied the request.',
+            9,
+            'access_denied',
+            401,
+            $hint,
+            $redirectUri,
+            $previous
+        );
+    }
+
+    /**
+     * Invalid grant.
+     *
+     * @param string $hint
+     *
+     * @return static
+     */
+    public static function invalidGrant($hint = '')
+    {
+        return new static(
+            'The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token '
+                . 'is invalid, expired, revoked, does not match the redirection URI used in the authorization request, '
+                . 'or was issued to another client.',
+            10,
+            'invalid_grant',
+            400,
+            $hint
+        );
+    }
+
+    /**
+     * @return string
+     */
+    public function getErrorType()
+    {
+        return $this->errorType;
+    }
+
+    /**
+     * Generate a HTTP response.
+     *
+     * @param ResponseInterface $response
+     * @param bool              $useFragment True if errors should be in the URI fragment instead of query string
+     * @param int               $jsonOptions options passed to json_encode
+     *
+     * @return ResponseInterface
+     */
+    public function generateHttpResponse(ResponseInterface $response, $useFragment = false, $jsonOptions = 0)
+    {
+        $headers = $this->getHttpHeaders();
+
+        $payload = $this->getPayload();
+
+        $redirectUri = $this->getRedirectUri($useFragment);
+        if ($redirectUri !== null) {
+            return $response->withStatus(302)->withHeader('Location', $redirectUri);
+        }
+
+        foreach ($headers as $header => $content) {
+            $response = $response->withHeader($header, $content);
+        }
+
+        $responseBody = json_encode($payload, $jsonOptions) ?: 'JSON encoding of payload failed';
+
+        $response->getBody()->write($responseBody);
+
+        return $response->withStatus($this->getHttpStatusCode());
+    }
+
+    /**
+     * Get all headers that have to be send with the error response.
+     *
+     * @return array Array with header values
+     */
+    public function getHttpHeaders()
+    {
+        $headers = [
+            'Content-type' => 'application/json',
+        ];
+
+        // Add "WWW-Authenticate" header
+        //
+        // RFC 6749, section 5.2.:
+        // "If the client attempted to authenticate via the 'Authorization'
+        // request header field, the authorization server MUST
+        // respond with an HTTP 401 (Unauthorized) status code and
+        // include the "WWW-Authenticate" response header field
+        // matching the authentication scheme used by the client.
+        // @codeCoverageIgnoreStart
+        if ($this->errorType === 'invalid_client' && $this->serverRequest->hasHeader('Authorization') === true) {
+            $authScheme = strpos($this->serverRequest->getHeader('Authorization')[0], 'Bearer') === 0 ? 'Bearer' : 'Basic';
+
+            $headers['WWW-Authenticate'] = $authScheme . ' realm="OAuth"';
+        }
+        // @codeCoverageIgnoreEnd
+        return $headers;
+    }
+
+    /**
+     * Check if the exception has an associated redirect URI.
+     *
+     * Returns whether the exception includes a redirect, since
+     * getHttpStatusCode() doesn't return a 302 when there's a
+     * redirect enabled. This helps when you want to override local
+     * error pages but want to let redirects through.
+     *
+     * @return bool
+     */
+    public function hasRedirect()
+    {
+        return $this->redirectUri !== null;
+    }
+
+    /**
+     * Returns the redirectUri with all necessary args.
+     *
+     * Null will be returned if the exception doesn't contain the redirectUri.
+     *
+     * @param bool $useFragment True if errors should be in the URI fragment instead of query string
+     *
+     * @return string|null
+     */
+    public function getRedirectUri(bool $useFragment = false): ?string
+    {
+        if ($this->redirectUri === null) {
+            return null;
+        }
+
+        $redirectUri = $this->redirectUri;
+        if ($useFragment) {
+            $redirectUri .= strpos($this->redirectUri, '#') === false ? '#' : '&';
+        } else {
+            $redirectUri .= strpos($this->redirectUri, '?') === false ? '?' : '&';
+        }
+
+        return $redirectUri . http_build_query($this->getPayload());
+    }
+
+    /**
+     * Returns the HTTP status code to send when the exceptions is output.
+     *
+     * @return int
+     */
+    public function getHttpStatusCode()
+    {
+        return $this->httpStatusCode;
+    }
+
+    /**
+     * @return null|string
+     */
+    public function getHint()
+    {
+        return $this->hint;
+    }
+}

src/Exception/ServerErrorException.php

@@ -1,39 +0,0 @@
-<?php
-/**
- * OAuth 2.0 Server Error Exception
- *
- * @package     league/oauth2-server
- * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) Alex Bilbie
- * @license     http://mit-license.org/
- * @link        https://github.com/thephpleague/oauth2-server
- */
-
-namespace League\OAuth2\Server\Exception;
-
-/**
- * Exception class
- */
-class ServerErrorException extends OAuthException
-{
-    /**
-     * {@inheritdoc}
-     */
-    public $httpStatusCode = 500;
-
-    /**
-     * {@inheritdoc}
-     */
-    public $errorType = 'server_error';
-
-    /**
-     * {@inheritdoc}
-     */
-    public function __construct($parameter = null)
-    {
-        $this->parameter = $parameter;
-        $parameter = is_null($parameter) ? 'The authorization server encountered an unexpected condition which prevented it from fulfilling the request.' : $parameter;
-        parent::__construct($parameter);
-
-    }
-}

src/Exception/UnauthorizedClientException.php

@@ -1,36 +0,0 @@
-<?php
-/**
- * OAuth 2.0 Unauthorized Client Exception
- *
- * @package     league/oauth2-server
- * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) Alex Bilbie
- * @license     http://mit-license.org/
- * @link        https://github.com/thephpleague/oauth2-server
- */
-
-namespace League\OAuth2\Server\Exception;
-
-/**
- * Exception class
- */
-class UnauthorizedClientException extends OAuthException
-{
-    /**
-     * {@inheritdoc}
-     */
-    public $httpStatusCode = 400;
-
-    /**
-     * {@inheritdoc}
-     */
-    public $errorType = 'unauthorized_client';
-
-    /**
-     * {@inheritdoc}
-     */
-    public function __construct()
-    {
-        parent::__construct('The client is not authorized to request an access token using this method.');
-    }
-}

src/Exception/UniqueTokenIdentifierConstraintViolationException.php

@@ -0,0 +1,23 @@
+<?php
+/**
+ * @author      Ivan Kurnosov <zerkms@zerkms.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Exception;
+
+class UniqueTokenIdentifierConstraintViolationException extends OAuthServerException
+{
+    /**
+     * @return UniqueTokenIdentifierConstraintViolationException
+     */
+    public static function create()
+    {
+        $errorMessage = 'Could not create unique access token identifier';
+
+        return new static($errorMessage, 100, 'access_token_duplicate', 500);
+    }
+}

src/Exception/UnsupportedGrantTypeException.php

@@ -1,43 +0,0 @@
-<?php
-/**
- * OAuth 2.0 Invalid Request Exception
- *
- * @package     league/oauth2-server
- * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) Alex Bilbie
- * @license     http://mit-license.org/
- * @link        https://github.com/thephpleague/oauth2-server
- */
-
-namespace League\OAuth2\Server\Exception;
-
-/**
- * Exception class
- */
-class UnsupportedGrantTypeException extends OAuthException
-{
-    /**
-     * {@inheritdoc}
-     */
-    public $httpStatusCode = 400;
-
-    /**
-     * {@inheritdoc}
-     */
-    public $errorType = 'unsupported_grant_type';
-
-    /**
-     * {@inheritdoc}
-     */
-
-    public function __construct($parameter)
-    {
-        $this->parameter = $parameter;
-        parent::__construct(
-            sprintf(
-                'The authorization grant type "%s" is not supported by the authorization server.',
-                $parameter
-            )
-        );
-    }
-}

src/Exception/UnsupportedResponseTypeException.php

@@ -1,38 +0,0 @@
-<?php
-/**
- * OAuth 2.0 Unsupported Response Type Exception
- *
- * @package     league/oauth2-server
- * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) Alex Bilbie
- * @license     http://mit-license.org/
- * @link        https://github.com/thephpleague/oauth2-server
- */
-
-namespace League\OAuth2\Server\Exception;
-
-/**
- * Exception class
- */
-class UnsupportedResponseTypeException extends OAuthException
-{
-    /**
-     * {@inheritdoc}
-     */
-    public $httpStatusCode = 400;
-
-    /**
-     * {@inheritdoc}
-     */
-    public $errorType = 'unsupported_response_type';
-
-    /**
-     * {@inheritdoc}
-     */
-    public function __construct($parameter, $redirectUri = null)
-    {
-        $this->parameter = $parameter;
-        parent::__construct('The authorization server does not support obtaining an access token using this method.');
-        $this->redirectUri = $redirectUri;
-    }
-}

src/Grant/AbstractAuthorizeGrant.php

@@ -0,0 +1,29 @@
+<?php
+/**
+ * Abstract authorization grant.
+ *
+ * @author      Julián Gutiérrez <juliangut@gmail.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Grant;
+
+abstract class AbstractAuthorizeGrant extends AbstractGrant
+{
+    /**
+     * @param string $uri
+     * @param array  $params
+     * @param string $queryDelimiter
+     *
+     * @return string
+     */
+    public function makeRedirectUri($uri, $params = [], $queryDelimiter = '?')
+    {
+        $uri .= (strstr($uri, $queryDelimiter) === false) ? $queryDelimiter : '&';
+
+        return $uri . http_build_query($params);
+    }
+}

src/Grant/AbstractGrant.php

@@ -1,197 +1,599 @@
 <?php
 /**
- * OAuth 2.0 Abstract grant
+ * OAuth 2.0 Abstract grant.
  *
- * @package     league/oauth2-server
  * @author      Alex Bilbie <hello@alexbilbie.com>
  * @copyright   Copyright (c) Alex Bilbie
  * @license     http://mit-license.org/
+ *
  * @link        https://github.com/thephpleague/oauth2-server
  */
-
 namespace League\OAuth2\Server\Grant;
 
-use League\OAuth2\Server\AuthorizationServer;
-use League\OAuth2\Server\Entity\ClientEntity;
-use League\OAuth2\Server\Entity\ScopeEntity;
-use League\OAuth2\Server\Exception;
+use DateInterval;
+use DateTimeImmutable;
+use Error;
+use Exception;
+use League\Event\EmitterAwareTrait;
+use League\OAuth2\Server\CryptKey;
+use League\OAuth2\Server\CryptTrait;
+use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
+use League\OAuth2\Server\Entities\AuthCodeEntityInterface;
+use League\OAuth2\Server\Entities\ClientEntityInterface;
+use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
+use League\OAuth2\Server\Entities\ScopeEntityInterface;
+use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException;
+use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+use League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface;
+use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
+use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
+use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
+use League\OAuth2\Server\Repositories\UserRepositoryInterface;
+use League\OAuth2\Server\RequestEvent;
+use League\OAuth2\Server\RequestTypes\AuthorizationRequest;
+use LogicException;
+use Psr\Http\Message\ServerRequestInterface;
+use TypeError;
 
 /**
- * Abstract grant class
+ * Abstract grant class.
  */
 abstract class AbstractGrant implements GrantTypeInterface
 {
-    /**
-     * Grant identifier
-     *
-     * @var string
-     */
-    protected $identifier = '';
+    use EmitterAwareTrait, CryptTrait;
+
+    const SCOPE_DELIMITER_STRING = ' ';
+
+    const MAX_RANDOM_TOKEN_GENERATION_ATTEMPTS = 10;
 
     /**
-     * Response type
-     *
-     * @var string
+     * @var ClientRepositoryInterface
      */
-    protected $responseType;
+    protected $clientRepository;
 
     /**
-     * Callback to authenticate a user's name and password
-     *
-     * @var callable
+     * @var AccessTokenRepositoryInterface
      */
-    protected $callback;
+    protected $accessTokenRepository;
 
     /**
-     * AuthServer instance
-     *
-     * @var \League\OAuth2\Server\AuthorizationServer
+     * @var ScopeRepositoryInterface
      */
-    protected $server;
+    protected $scopeRepository;
 
     /**
-     * Access token expires in override
-     *
-     * @var int
+     * @var AuthCodeRepositoryInterface
      */
-    protected $accessTokenTTL;
+    protected $authCodeRepository;
 
     /**
-     * {@inheritdoc}
+     * @var RefreshTokenRepositoryInterface
      */
-    public function getIdentifier()
+    protected $refreshTokenRepository;
+
+    /**
+     * @var UserRepositoryInterface
+     */
+    protected $userRepository;
+
+    /**
+     * @var DateInterval
+     */
+    protected $refreshTokenTTL;
+
+    /**
+     * @var CryptKey
+     */
+    protected $privateKey;
+
+    /**
+     * @string
+     */
+    protected $defaultScope;
+
+    /**
+     * @param ClientRepositoryInterface $clientRepository
+     */
+    public function setClientRepository(ClientRepositoryInterface $clientRepository)
     {
-        return $this->identifier;
+        $this->clientRepository = $clientRepository;
+    }
+
+    /**
+     * @param AccessTokenRepositoryInterface $accessTokenRepository
+     */
+    public function setAccessTokenRepository(AccessTokenRepositoryInterface $accessTokenRepository)
+    {
+        $this->accessTokenRepository = $accessTokenRepository;
+    }
+
+    /**
+     * @param ScopeRepositoryInterface $scopeRepository
+     */
+    public function setScopeRepository(ScopeRepositoryInterface $scopeRepository)
+    {
+        $this->scopeRepository = $scopeRepository;
+    }
+
+    /**
+     * @param RefreshTokenRepositoryInterface $refreshTokenRepository
+     */
+    public function setRefreshTokenRepository(RefreshTokenRepositoryInterface $refreshTokenRepository)
+    {
+        $this->refreshTokenRepository = $refreshTokenRepository;
+    }
+
+    /**
+     * @param AuthCodeRepositoryInterface $authCodeRepository
+     */
+    public function setAuthCodeRepository(AuthCodeRepositoryInterface $authCodeRepository)
+    {
+        $this->authCodeRepository = $authCodeRepository;
+    }
+
+    /**
+     * @param UserRepositoryInterface $userRepository
+     */
+    public function setUserRepository(UserRepositoryInterface $userRepository)
+    {
+        $this->userRepository = $userRepository;
     }
 
     /**
      * {@inheritdoc}
      */
-    public function setIdentifier($identifier)
+    public function setRefreshTokenTTL(DateInterval $refreshTokenTTL)
     {
-        $this->identifier = $identifier;
-
-        return $this;
+        $this->refreshTokenTTL = $refreshTokenTTL;
     }
 
     /**
-     * {@inheritdoc}
-     */
-    public function getResponseType()
-    {
-        return $this->responseType;
-    }
-
-    /**
-     * Get the TTL for an access token
+     * Set the private key
      *
-     * @return int The TTL
+     * @param CryptKey $key
      */
-    public function getAccessTokenTTL()
+    public function setPrivateKey(CryptKey $key)
     {
-        if ($this->accessTokenTTL) {
-            return $this->accessTokenTTL;
+        $this->privateKey = $key;
+    }
+
+    /**
+     * @param string $scope
+     */
+    public function setDefaultScope($scope)
+    {
+        $this->defaultScope = $scope;
+    }
+
+    /**
+     * Validate the client.
+     *
+     * @param ServerRequestInterface $request
+     *
+     * @throws OAuthServerException
+     *
+     * @return ClientEntityInterface
+     */
+    protected function validateClient(ServerRequestInterface $request)
+    {
+        list($clientId, $clientSecret) = $this->getClientCredentials($request);
+
+        if ($this->clientRepository->validateClient($clientId, $clientSecret, $this->getIdentifier()) === false) {
+            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
+
+            throw OAuthServerException::invalidClient($request);
         }
 
-        return $this->server->getAccessTokenTTL();
-    }
+        $client = $this->getClientEntityOrFail($clientId, $request);
 
-    /**
-     * Override the default access token expire time
-     *
-     * @param int $accessTokenTTL
-     *
-     * @return self
-     */
-    public function setAccessTokenTTL($accessTokenTTL)
-    {
-        $this->accessTokenTTL = $accessTokenTTL;
+        // If a redirect URI is provided ensure it matches what is pre-registered
+        $redirectUri = $this->getRequestParameter('redirect_uri', $request, null);
 
-        return $this;
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function setAuthorizationServer(AuthorizationServer $server)
-    {
-        $this->server = $server;
-
-        return $this;
-    }
-
-    /**
-     * Given a list of scopes, validate them and return an array of Scope entities
-     *
-     * @param string                                    $scopeParam  A string of scopes (e.g. "profile email birthday")
-     * @param \League\OAuth2\Server\Entity\ClientEntity $client      Client entity
-     * @param string|null                               $redirectUri The redirect URI to return the user to
-     *
-     * @return \League\OAuth2\Server\Entity\ScopeEntity[]
-     *
-     * @throws \League\OAuth2\Server\Exception\InvalidScopeException If scope is invalid, or no scopes passed when required
-     * @throws
-     */
-    public function validateScopes($scopeParam = '', ClientEntity $client, $redirectUri = null)
-    {
-        $scopesList = explode($this->server->getScopeDelimiter(), $scopeParam);
-
-        for ($i = 0; $i < count($scopesList); $i++) {
-            $scopesList[$i] = trim($scopesList[$i]);
-            if ($scopesList[$i] === '') {
-                unset($scopesList[$i]); // Remove any junk scopes
-            }
+        if ($redirectUri !== null) {
+            $this->validateRedirectUri($redirectUri, $client, $request);
         }
 
-        if (
-            $this->server->scopeParamRequired() === true
-            && $this->server->getDefaultScope() === null
-            && count($scopesList) === 0
-        ) {
-            throw new Exception\InvalidRequestException('scope');
-        } elseif (count($scopesList) === 0 && $this->server->getDefaultScope() !== null) {
-            if (is_array($this->server->getDefaultScope())) {
-                $scopesList = $this->server->getDefaultScope();
-            } else {
-                $scopesList = [0 => $this->server->getDefaultScope()];
-            }
-        }
-
-        $scopes = [];
-
-        foreach ($scopesList as $scopeItem) {
-            $scope = $this->server->getScopeStorage()->get(
-                $scopeItem,
-                $this->getIdentifier(),
-                $client->getId()
-            );
-
-            if (($scope instanceof ScopeEntity) === false) {
-                throw new Exception\InvalidScopeException($scopeItem, $redirectUri);
-            }
-
-            $scopes[$scope->getId()] = $scope;
-        }
-
-        return $scopes;
+        return $client;
     }
 
     /**
-     * Format the local scopes array
+     * Wrapper around ClientRepository::getClientEntity() that ensures we emit
+     * an event and throw an exception if the repo doesn't return a client
+     * entity.
      *
-     * @param  \League\OAuth2\Server\Entity\ScopeEntity[]
+     * This is a bit of defensive coding because the interface contract
+     * doesn't actually enforce non-null returns/exception-on-no-client so
+     * getClientEntity might return null. By contrast, this method will
+     * always either return a ClientEntityInterface or throw.
+     *
+     * @param string                 $clientId
+     * @param ServerRequestInterface $request
+     *
+     * @return ClientEntityInterface
+     */
+    protected function getClientEntityOrFail($clientId, ServerRequestInterface $request)
+    {
+        $client = $this->clientRepository->getClientEntity($clientId);
+
+        if ($client instanceof ClientEntityInterface === false) {
+            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
+            throw OAuthServerException::invalidClient($request);
+        }
+
+        return $client;
+    }
+
+    /**
+     * Gets the client credentials from the request from the request body or
+     * the Http Basic Authorization header
+     *
+     * @param ServerRequestInterface $request
      *
      * @return array
      */
-    protected function formatScopes($unformated = [])
+    protected function getClientCredentials(ServerRequestInterface $request)
     {
-        $scopes = [];
-        foreach ($unformated as $scope) {
-            if ($scope instanceof ScopeEntity) {
-                $scopes[$scope->getId()] = $scope;
-            }
+        list($basicAuthUser, $basicAuthPassword) = $this->getBasicAuthCredentials($request);
+
+        $clientId = $this->getRequestParameter('client_id', $request, $basicAuthUser);
+
+        if (is_null($clientId)) {
+            throw OAuthServerException::invalidRequest('client_id');
         }
 
-        return $scopes;
+        $clientSecret = $this->getRequestParameter('client_secret', $request, $basicAuthPassword);
+
+        return [$clientId, $clientSecret];
+    }
+
+    /**
+     * Validate redirectUri from the request.
+     * If a redirect URI is provided ensure it matches what is pre-registered
+     *
+     * @param string                 $redirectUri
+     * @param ClientEntityInterface  $client
+     * @param ServerRequestInterface $request
+     *
+     * @throws OAuthServerException
+     */
+    protected function validateRedirectUri(
+        string $redirectUri,
+        ClientEntityInterface $client,
+        ServerRequestInterface $request
+    ) {
+        if (\is_string($client->getRedirectUri())
+            && (strcmp($client->getRedirectUri(), $redirectUri) !== 0)
+        ) {
+            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
+            throw OAuthServerException::invalidClient($request);
+        } elseif (\is_array($client->getRedirectUri())
+            && \in_array($redirectUri, $client->getRedirectUri(), true) === false
+        ) {
+            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
+            throw OAuthServerException::invalidClient($request);
+        }
+    }
+
+    /**
+     * Validate scopes in the request.
+     *
+     * @param string|array $scopes
+     * @param string       $redirectUri
+     *
+     * @throws OAuthServerException
+     *
+     * @return ScopeEntityInterface[]
+     */
+    public function validateScopes($scopes, $redirectUri = null)
+    {
+        if (!\is_array($scopes)) {
+            $scopes = $this->convertScopesQueryStringToArray($scopes);
+        }
+
+        $validScopes = [];
+
+        foreach ($scopes as $scopeItem) {
+            $scope = $this->scopeRepository->getScopeEntityByIdentifier($scopeItem);
+
+            if ($scope instanceof ScopeEntityInterface === false) {
+                throw OAuthServerException::invalidScope($scopeItem, $redirectUri);
+            }
+
+            $validScopes[] = $scope;
+        }
+
+        return $validScopes;
+    }
+
+    /**
+     * Converts a scopes query string to an array to easily iterate for validation.
+     *
+     * @param string $scopes
+     *
+     * @return array
+     */
+    private function convertScopesQueryStringToArray($scopes)
+    {
+        return array_filter(explode(self::SCOPE_DELIMITER_STRING, trim($scopes)), function ($scope) {
+            return !empty($scope);
+        });
+    }
+
+    /**
+     * Retrieve request parameter.
+     *
+     * @param string                 $parameter
+     * @param ServerRequestInterface $request
+     * @param mixed                  $default
+     *
+     * @return null|string
+     */
+    protected function getRequestParameter($parameter, ServerRequestInterface $request, $default = null)
+    {
+        $requestParameters = (array) $request->getParsedBody();
+
+        return $requestParameters[$parameter] ?? $default;
+    }
+
+    /**
+     * Retrieve HTTP Basic Auth credentials with the Authorization header
+     * of a request. First index of the returned array is the username,
+     * second is the password (so list() will work). If the header does
+     * not exist, or is otherwise an invalid HTTP Basic header, return
+     * [null, null].
+     *
+     * @param ServerRequestInterface $request
+     *
+     * @return string[]|null[]
+     */
+    protected function getBasicAuthCredentials(ServerRequestInterface $request)
+    {
+        if (!$request->hasHeader('Authorization')) {
+            return [null, null];
+        }
+
+        $header = $request->getHeader('Authorization')[0];
+        if (strpos($header, 'Basic ') !== 0) {
+            return [null, null];
+        }
+
+        if (!($decoded = base64_decode(substr($header, 6)))) {
+            return [null, null];
+        }
+
+        if (strpos($decoded, ':') === false) {
+            return [null, null]; // HTTP Basic header without colon isn't valid
+        }
+
+        return explode(':', $decoded, 2);
+    }
+
+    /**
+     * Retrieve query string parameter.
+     *
+     * @param string                 $parameter
+     * @param ServerRequestInterface $request
+     * @param mixed                  $default
+     *
+     * @return null|string
+     */
+    protected function getQueryStringParameter($parameter, ServerRequestInterface $request, $default = null)
+    {
+        return isset($request->getQueryParams()[$parameter]) ? $request->getQueryParams()[$parameter] : $default;
+    }
+
+    /**
+     * Retrieve cookie parameter.
+     *
+     * @param string                 $parameter
+     * @param ServerRequestInterface $request
+     * @param mixed                  $default
+     *
+     * @return null|string
+     */
+    protected function getCookieParameter($parameter, ServerRequestInterface $request, $default = null)
+    {
+        return isset($request->getCookieParams()[$parameter]) ? $request->getCookieParams()[$parameter] : $default;
+    }
+
+    /**
+     * Retrieve server parameter.
+     *
+     * @param string                 $parameter
+     * @param ServerRequestInterface $request
+     * @param mixed                  $default
+     *
+     * @return null|string
+     */
+    protected function getServerParameter($parameter, ServerRequestInterface $request, $default = null)
+    {
+        return isset($request->getServerParams()[$parameter]) ? $request->getServerParams()[$parameter] : $default;
+    }
+
+    /**
+     * Issue an access token.
+     *
+     * @param DateInterval           $accessTokenTTL
+     * @param ClientEntityInterface  $client
+     * @param string|null            $userIdentifier
+     * @param ScopeEntityInterface[] $scopes
+     *
+     * @throws OAuthServerException
+     * @throws UniqueTokenIdentifierConstraintViolationException
+     *
+     * @return AccessTokenEntityInterface
+     */
+    protected function issueAccessToken(
+        DateInterval $accessTokenTTL,
+        ClientEntityInterface $client,
+        $userIdentifier,
+        array $scopes = []
+    ) {
+        $maxGenerationAttempts = self::MAX_RANDOM_TOKEN_GENERATION_ATTEMPTS;
+
+        $accessToken = $this->accessTokenRepository->getNewToken($client, $scopes, $userIdentifier);
+        $accessToken->setExpiryDateTime((new DateTimeImmutable())->add($accessTokenTTL));
+        $accessToken->setPrivateKey($this->privateKey);
+
+        while ($maxGenerationAttempts-- > 0) {
+            $accessToken->setIdentifier($this->generateUniqueIdentifier());
+            try {
+                $this->accessTokenRepository->persistNewAccessToken($accessToken);
+
+                return $accessToken;
+            } catch (UniqueTokenIdentifierConstraintViolationException $e) {
+                if ($maxGenerationAttempts === 0) {
+                    throw $e;
+                }
+            }
+        }
+    }
+
+    /**
+     * Issue an auth code.
+     *
+     * @param DateInterval           $authCodeTTL
+     * @param ClientEntityInterface  $client
+     * @param string                 $userIdentifier
+     * @param string|null            $redirectUri
+     * @param ScopeEntityInterface[] $scopes
+     *
+     * @throws OAuthServerException
+     * @throws UniqueTokenIdentifierConstraintViolationException
+     *
+     * @return AuthCodeEntityInterface
+     */
+    protected function issueAuthCode(
+        DateInterval $authCodeTTL,
+        ClientEntityInterface $client,
+        $userIdentifier,
+        $redirectUri,
+        array $scopes = []
+    ) {
+        $maxGenerationAttempts = self::MAX_RANDOM_TOKEN_GENERATION_ATTEMPTS;
+
+        $authCode = $this->authCodeRepository->getNewAuthCode();
+        $authCode->setExpiryDateTime((new DateTimeImmutable())->add($authCodeTTL));
+        $authCode->setClient($client);
+        $authCode->setUserIdentifier($userIdentifier);
+
+        if ($redirectUri !== null) {
+            $authCode->setRedirectUri($redirectUri);
+        }
+
+        foreach ($scopes as $scope) {
+            $authCode->addScope($scope);
+        }
+
+        while ($maxGenerationAttempts-- > 0) {
+            $authCode->setIdentifier($this->generateUniqueIdentifier());
+            try {
+                $this->authCodeRepository->persistNewAuthCode($authCode);
+
+                return $authCode;
+            } catch (UniqueTokenIdentifierConstraintViolationException $e) {
+                if ($maxGenerationAttempts === 0) {
+                    throw $e;
+                }
+            }
+        }
+    }
+
+    /**
+     * @param AccessTokenEntityInterface $accessToken
+     *
+     * @throws OAuthServerException
+     * @throws UniqueTokenIdentifierConstraintViolationException
+     *
+     * @return RefreshTokenEntityInterface|null
+     */
+    protected function issueRefreshToken(AccessTokenEntityInterface $accessToken)
+    {
+        $refreshToken = $this->refreshTokenRepository->getNewRefreshToken();
+
+        if ($refreshToken === null) {
+            return null;
+        }
+
+        $refreshToken->setExpiryDateTime((new DateTimeImmutable())->add($this->refreshTokenTTL));
+        $refreshToken->setAccessToken($accessToken);
+
+        $maxGenerationAttempts = self::MAX_RANDOM_TOKEN_GENERATION_ATTEMPTS;
+
+        while ($maxGenerationAttempts-- > 0) {
+            $refreshToken->setIdentifier($this->generateUniqueIdentifier());
+            try {
+                $this->refreshTokenRepository->persistNewRefreshToken($refreshToken);
+
+                return $refreshToken;
+            } catch (UniqueTokenIdentifierConstraintViolationException $e) {
+                if ($maxGenerationAttempts === 0) {
+                    throw $e;
+                }
+            }
+        }
+    }
+
+    /**
+     * Generate a new unique identifier.
+     *
+     * @param int $length
+     *
+     * @throws OAuthServerException
+     *
+     * @return string
+     */
+    protected function generateUniqueIdentifier($length = 40)
+    {
+        try {
+            return bin2hex(random_bytes($length));
+            // @codeCoverageIgnoreStart
+        } catch (TypeError $e) {
+            throw OAuthServerException::serverError('An unexpected error has occurred', $e);
+        } catch (Error $e) {
+            throw OAuthServerException::serverError('An unexpected error has occurred', $e);
+        } catch (Exception $e) {
+            // If you get this message, the CSPRNG failed hard.
+            throw OAuthServerException::serverError('Could not generate a random string', $e);
+        }
+        // @codeCoverageIgnoreEnd
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function canRespondToAccessTokenRequest(ServerRequestInterface $request)
+    {
+        $requestParameters = (array) $request->getParsedBody();
+
+        return (
+            array_key_exists('grant_type', $requestParameters)
+            && $requestParameters['grant_type'] === $this->getIdentifier()
+        );
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function canRespondToAuthorizationRequest(ServerRequestInterface $request)
+    {
+        return false;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function validateAuthorizationRequest(ServerRequestInterface $request)
+    {
+        throw new LogicException('This grant cannot validate an authorization request');
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function completeAuthorizationRequest(AuthorizationRequest $authorizationRequest)
+    {
+        throw new LogicException('This grant cannot complete an authorization request');
     }
 }

src/Grant/AuthCodeGrant.php

@@ -1,303 +1,401 @@
 <?php
 /**
- * OAuth 2.0 Auth code grant
- *
- * @package     league/oauth2-server
  * @author      Alex Bilbie <hello@alexbilbie.com>
  * @copyright   Copyright (c) Alex Bilbie
  * @license     http://mit-license.org/
+ *
  * @link        https://github.com/thephpleague/oauth2-server
  */
 
 namespace League\OAuth2\Server\Grant;
 
-use League\OAuth2\Server\Entity\AccessTokenEntity;
-use League\OAuth2\Server\Entity\AuthCodeEntity;
-use League\OAuth2\Server\Entity\ClientEntity;
-use League\OAuth2\Server\Entity\RefreshTokenEntity;
-use League\OAuth2\Server\Entity\SessionEntity;
-use League\OAuth2\Server\Event;
-use League\OAuth2\Server\Exception;
-use League\OAuth2\Server\Util\SecureKey;
+use DateInterval;
+use DateTimeImmutable;
+use Exception;
+use League\OAuth2\Server\CodeChallengeVerifiers\CodeChallengeVerifierInterface;
+use League\OAuth2\Server\CodeChallengeVerifiers\PlainVerifier;
+use League\OAuth2\Server\CodeChallengeVerifiers\S256Verifier;
+use League\OAuth2\Server\Entities\ClientEntityInterface;
+use League\OAuth2\Server\Entities\UserEntityInterface;
+use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface;
+use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
+use League\OAuth2\Server\RequestEvent;
+use League\OAuth2\Server\RequestTypes\AuthorizationRequest;
+use League\OAuth2\Server\ResponseTypes\RedirectResponse;
+use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
+use LogicException;
+use Psr\Http\Message\ServerRequestInterface;
+use stdClass;
 
-/**
- * Auth code grant class
- */
-class AuthCodeGrant extends AbstractGrant
+class AuthCodeGrant extends AbstractAuthorizeGrant
 {
     /**
-     * Grant identifier
-     *
-     * @var string
+     * @var DateInterval
      */
-    protected $identifier = 'authorization_code';
+    private $authCodeTTL;
 
     /**
-     * Response type
-     *
-     * @var string
+     * @var bool
      */
-    protected $responseType = 'code';
+    private $requireCodeChallengeForPublicClients = true;
 
     /**
-     * AuthServer instance
-     *
-     * @var \League\OAuth2\Server\AuthorizationServer
+     * @var CodeChallengeVerifierInterface[]
      */
-    protected $server = null;
+    private $codeChallengeVerifiers = [];
 
     /**
-     * Access token expires in override
+     * @param AuthCodeRepositoryInterface     $authCodeRepository
+     * @param RefreshTokenRepositoryInterface $refreshTokenRepository
+     * @param DateInterval                    $authCodeTTL
      *
-     * @var int
+     * @throws Exception
      */
-    protected $accessTokenTTL = null;
+    public function __construct(
+        AuthCodeRepositoryInterface $authCodeRepository,
+        RefreshTokenRepositoryInterface $refreshTokenRepository,
+        DateInterval $authCodeTTL
+    ) {
+        $this->setAuthCodeRepository($authCodeRepository);
+        $this->setRefreshTokenRepository($refreshTokenRepository);
+        $this->authCodeTTL = $authCodeTTL;
+        $this->refreshTokenTTL = new DateInterval('P1M');
 
-    /**
-     * The TTL of the auth token
-     *
-     * @var integer
-     */
-    protected $authTokenTTL = 600;
-
-    /**
-     * Whether to require the client secret when
-     * completing the flow.
-     *
-     * @var boolean
-     */
-    protected $requireClientSecret = true;
-
-    /**
-     * Override the default access token expire time
-     *
-     * @param int $authTokenTTL
-     *
-     * @return void
-     */
-    public function setAuthTokenTTL($authTokenTTL)
-    {
-        $this->authTokenTTL = $authTokenTTL;
-    }
-
-    /**
-     *
-     * @param bool $required True to require client secret during access
-     *                       token request. False if not. Default = true
-     */
-    public function setRequireClientSecret($required)
-    {
-        $this->requireClientSecret = $required;
-    }
-
-    /**
-     * True if client secret is required during
-     * access token request. False if it isn't.
-     *
-     * @return bool
-     */
-    public function shouldRequireClientSecret()
-    {
-        return $this->requireClientSecret;
-    }
-
-    /**
-     * Check authorize parameters
-     *
-     * @return array Authorize request parameters
-     *
-     * @throws
-     */
-    public function checkAuthorizeParams()
-    {
-        // Get required params
-        $clientId = $this->server->getRequest()->query->get('client_id', null);
-        if (is_null($clientId)) {
-            throw new Exception\InvalidRequestException('client_id');
+        if (in_array('sha256', hash_algos(), true)) {
+            $s256Verifier = new S256Verifier();
+            $this->codeChallengeVerifiers[$s256Verifier->getMethod()] = $s256Verifier;
         }
 
-        $redirectUri = $this->server->getRequest()->query->get('redirect_uri', null);
-        if (is_null($redirectUri)) {
-            throw new Exception\InvalidRequestException('redirect_uri');
+        $plainVerifier = new PlainVerifier();
+        $this->codeChallengeVerifiers[$plainVerifier->getMethod()] = $plainVerifier;
+    }
+
+    /**
+     * Disable the requirement for a code challenge for public clients.
+     */
+    public function disableRequireCodeChallengeForPublicClients()
+    {
+        $this->requireCodeChallengeForPublicClients = false;
+    }
+
+    /**
+     * Respond to an access token request.
+     *
+     * @param ServerRequestInterface $request
+     * @param ResponseTypeInterface  $responseType
+     * @param DateInterval           $accessTokenTTL
+     *
+     * @throws OAuthServerException
+     *
+     * @return ResponseTypeInterface
+     */
+    public function respondToAccessTokenRequest(
+        ServerRequestInterface $request,
+        ResponseTypeInterface $responseType,
+        DateInterval $accessTokenTTL
+    ) {
+        list($clientId) = $this->getClientCredentials($request);
+
+        $client = $this->getClientEntityOrFail($clientId, $request);
+
+        // Only validate the client if it is confidential
+        if ($client->isConfidential()) {
+            $this->validateClient($request);
         }
 
-        // Validate client ID and redirect URI
-        $client = $this->server->getClientStorage()->get(
-            $clientId,
-            null,
-            $redirectUri,
-            $this->getIdentifier()
+        $encryptedAuthCode = $this->getRequestParameter('code', $request, null);
+
+        if ($encryptedAuthCode === null) {
+            throw OAuthServerException::invalidRequest('code');
+        }
+
+        try {
+            $authCodePayload = json_decode($this->decrypt($encryptedAuthCode));
+
+            $this->validateAuthorizationCode($authCodePayload, $client, $request);
+
+            $scopes = $this->scopeRepository->finalizeScopes(
+                $this->validateScopes($authCodePayload->scopes),
+                $this->getIdentifier(),
+                $client,
+                $authCodePayload->user_id
+            );
+        } catch (LogicException $e) {
+            throw OAuthServerException::invalidRequest('code', 'Cannot decrypt the authorization code', $e);
+        }
+
+        // Validate code challenge
+        if (!empty($authCodePayload->code_challenge)) {
+            $codeVerifier = $this->getRequestParameter('code_verifier', $request, null);
+
+            if ($codeVerifier === null) {
+                throw OAuthServerException::invalidRequest('code_verifier');
+            }
+
+            // Validate code_verifier according to RFC-7636
+            // @see: https://tools.ietf.org/html/rfc7636#section-4.1
+            if (preg_match('/^[A-Za-z0-9-._~]{43,128}$/', $codeVerifier) !== 1) {
+                throw OAuthServerException::invalidRequest(
+                    'code_verifier',
+                    'Code Verifier must follow the specifications of RFC-7636.'
+                );
+            }
+
+            if (property_exists($authCodePayload, 'code_challenge_method')) {
+                if (isset($this->codeChallengeVerifiers[$authCodePayload->code_challenge_method])) {
+                    $codeChallengeVerifier = $this->codeChallengeVerifiers[$authCodePayload->code_challenge_method];
+
+                    if ($codeChallengeVerifier->verifyCodeChallenge($codeVerifier, $authCodePayload->code_challenge) === false) {
+                        throw OAuthServerException::invalidGrant('Failed to verify `code_verifier`.');
+                    }
+                } else {
+                    throw OAuthServerException::serverError(
+                        sprintf(
+                            'Unsupported code challenge method `%s`',
+                            $authCodePayload->code_challenge_method
+                        )
+                    );
+                }
+            }
+        }
+
+        // Issue and persist new access token
+        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $authCodePayload->user_id, $scopes);
+        $this->getEmitter()->emit(new RequestEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request));
+        $responseType->setAccessToken($accessToken);
+
+        // Issue and persist new refresh token if given
+        $refreshToken = $this->issueRefreshToken($accessToken);
+
+        if ($refreshToken !== null) {
+            $this->getEmitter()->emit(new RequestEvent(RequestEvent::REFRESH_TOKEN_ISSUED, $request));
+            $responseType->setRefreshToken($refreshToken);
+        }
+
+        // Revoke used auth code
+        $this->authCodeRepository->revokeAuthCode($authCodePayload->auth_code_id);
+
+        return $responseType;
+    }
+
+    /**
+     * Validate the authorization code.
+     *
+     * @param stdClass               $authCodePayload
+     * @param ClientEntityInterface  $client
+     * @param ServerRequestInterface $request
+     */
+    private function validateAuthorizationCode(
+        $authCodePayload,
+        ClientEntityInterface $client,
+        ServerRequestInterface $request
+    ) {
+        if (time() > $authCodePayload->expire_time) {
+            throw OAuthServerException::invalidRequest('code', 'Authorization code has expired');
+        }
+
+        if ($this->authCodeRepository->isAuthCodeRevoked($authCodePayload->auth_code_id) === true) {
+            throw OAuthServerException::invalidRequest('code', 'Authorization code has been revoked');
+        }
+
+        if ($authCodePayload->client_id !== $client->getIdentifier()) {
+            throw OAuthServerException::invalidRequest('code', 'Authorization code was not issued to this client');
+        }
+
+        // The redirect URI is required in this request
+        $redirectUri = $this->getRequestParameter('redirect_uri', $request, null);
+        if (empty($authCodePayload->redirect_uri) === false && $redirectUri === null) {
+            throw OAuthServerException::invalidRequest('redirect_uri');
+        }
+
+        if ($authCodePayload->redirect_uri !== $redirectUri) {
+            throw OAuthServerException::invalidRequest('redirect_uri', 'Invalid redirect URI');
+        }
+    }
+
+    /**
+     * Return the grant identifier that can be used in matching up requests.
+     *
+     * @return string
+     */
+    public function getIdentifier()
+    {
+        return 'authorization_code';
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function canRespondToAuthorizationRequest(ServerRequestInterface $request)
+    {
+        return (
+            array_key_exists('response_type', $request->getQueryParams())
+            && $request->getQueryParams()['response_type'] === 'code'
+            && isset($request->getQueryParams()['client_id'])
+        );
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function validateAuthorizationRequest(ServerRequestInterface $request)
+    {
+        $clientId = $this->getQueryStringParameter(
+            'client_id',
+            $request,
+            $this->getServerParameter('PHP_AUTH_USER', $request)
         );
 
-        if (($client instanceof ClientEntity) === false) {
-            $this->server->getEventEmitter()->emit(new Event\ClientAuthenticationFailedEvent($this->server->getRequest()));
-            throw new Exception\InvalidClientException();
+        if ($clientId === null) {
+            throw OAuthServerException::invalidRequest('client_id');
         }
 
-        $state = $this->server->getRequest()->query->get('state', null);
-        if ($this->server->stateParamRequired() === true && is_null($state)) {
-            throw new Exception\InvalidRequestException('state', $redirectUri);
+        $client = $this->getClientEntityOrFail($clientId, $request);
+
+        $redirectUri = $this->getQueryStringParameter('redirect_uri', $request);
+
+        if ($redirectUri !== null) {
+            $this->validateRedirectUri($redirectUri, $client, $request);
+        } elseif (empty($client->getRedirectUri()) ||
+            (\is_array($client->getRedirectUri()) && \count($client->getRedirectUri()) !== 1)) {
+            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
+            throw OAuthServerException::invalidClient($request);
+        } else {
+            $redirectUri = \is_array($client->getRedirectUri())
+                ? $client->getRedirectUri()[0]
+                : $client->getRedirectUri();
         }
 
-        $responseType = $this->server->getRequest()->query->get('response_type', null);
-        if (is_null($responseType)) {
-            throw new Exception\InvalidRequestException('response_type', $redirectUri);
-        }
-
-        // Ensure response type is one that is recognised
-        if (!in_array($responseType, $this->server->getResponseTypes())) {
-            throw new Exception\UnsupportedResponseTypeException($responseType, $redirectUri);
-        }
-
-        // Validate any scopes that are in the request
-        $scopeParam = $this->server->getRequest()->query->get('scope', '');
-        $scopes = $this->validateScopes($scopeParam, $client, $redirectUri);
-
-        return [
-            'client'        => $client,
-            'redirect_uri'  => $redirectUri,
-            'state'         => $state,
-            'response_type' => $responseType,
-            'scopes'        => $scopes
-        ];
-    }
-
-    /**
-     * Parse a new authorize request
-     *
-     * @param string $type       The session owner's type
-     * @param string $typeId     The session owner's ID
-     * @param array  $authParams The authorize request $_GET parameters
-     *
-     * @return string An authorisation code
-     */
-    public function newAuthorizeRequest($type, $typeId, $authParams = [])
-    {
-        // Create a new session
-        $session = new SessionEntity($this->server);
-        $session->setOwner($type, $typeId);
-        $session->associateClient($authParams['client']);
-
-        // Create a new auth code
-        $authCode = new AuthCodeEntity($this->server);
-        $authCode->setId(SecureKey::generate());
-        $authCode->setRedirectUri($authParams['redirect_uri']);
-        $authCode->setExpireTime(time() + $this->authTokenTTL);
-
-        foreach ($authParams['scopes'] as $scope) {
-            $authCode->associateScope($scope);
-            $session->associateScope($scope);
-        }
-
-        $session->save();
-        $authCode->setSession($session);
-        $authCode->save();
-
-        return $authCode->generateRedirectUri($authParams['state']);
-    }
-
-    /**
-     * Complete the auth code grant
-     *
-     * @return array
-     *
-     * @throws
-     */
-    public function completeFlow()
-    {
-        // Get the required params
-        $clientId = $this->server->getRequest()->request->get('client_id', $this->server->getRequest()->getUser());
-        if (is_null($clientId)) {
-            throw new Exception\InvalidRequestException('client_id');
-        }
-
-        $clientSecret = $this->server->getRequest()->request->get('client_secret',
-            $this->server->getRequest()->getPassword());
-        if ($this->shouldRequireClientSecret() && is_null($clientSecret)) {
-            throw new Exception\InvalidRequestException('client_secret');
-        }
-
-        $redirectUri = $this->server->getRequest()->request->get('redirect_uri', null);
-        if (is_null($redirectUri)) {
-            throw new Exception\InvalidRequestException('redirect_uri');
-        }
-
-        // Validate client ID and client secret
-        $client = $this->server->getClientStorage()->get(
-            $clientId,
-            $clientSecret,
-            $redirectUri,
-            $this->getIdentifier()
+        $scopes = $this->validateScopes(
+            $this->getQueryStringParameter('scope', $request, $this->defaultScope),
+            $redirectUri
         );
 
-        if (($client instanceof ClientEntity) === false) {
-            $this->server->getEventEmitter()->emit(new Event\ClientAuthenticationFailedEvent($this->server->getRequest()));
-            throw new Exception\InvalidClientException();
+        $stateParameter = $this->getQueryStringParameter('state', $request);
+
+        $authorizationRequest = new AuthorizationRequest();
+        $authorizationRequest->setGrantTypeId($this->getIdentifier());
+        $authorizationRequest->setClient($client);
+        $authorizationRequest->setRedirectUri($redirectUri);
+
+        if ($stateParameter !== null) {
+            $authorizationRequest->setState($stateParameter);
         }
 
-        // Validate the auth code
-        $authCode = $this->server->getRequest()->request->get('code', null);
-        if (is_null($authCode)) {
-            throw new Exception\InvalidRequestException('code');
+        $authorizationRequest->setScopes($scopes);
+
+        $codeChallenge = $this->getQueryStringParameter('code_challenge', $request);
+
+        if ($codeChallenge !== null) {
+            $codeChallengeMethod = $this->getQueryStringParameter('code_challenge_method', $request, 'plain');
+
+            if (array_key_exists($codeChallengeMethod, $this->codeChallengeVerifiers) === false) {
+                throw OAuthServerException::invalidRequest(
+                    'code_challenge_method',
+                    'Code challenge method must be one of ' . implode(', ', array_map(
+                        function ($method) {
+                            return '`' . $method . '`';
+                        },
+                        array_keys($this->codeChallengeVerifiers)
+                    ))
+                );
+            }
+
+            // Validate code_challenge according to RFC-7636
+            // @see: https://tools.ietf.org/html/rfc7636#section-4.2
+            if (preg_match('/^[A-Za-z0-9-._~]{43,128}$/', $codeChallenge) !== 1) {
+                throw OAuthServerException::invalidRequest(
+                    'code_challenged',
+                    'Code challenge must follow the specifications of RFC-7636.'
+                );
+            }
+
+            $authorizationRequest->setCodeChallenge($codeChallenge);
+            $authorizationRequest->setCodeChallengeMethod($codeChallengeMethod);
+        } elseif ($this->requireCodeChallengeForPublicClients && !$client->isConfidential()) {
+            throw OAuthServerException::invalidRequest('code_challenge', 'Code challenge must be provided for public clients');
         }
 
-        $code = $this->server->getAuthCodeStorage()->get($authCode);
-        if (($code instanceof AuthCodeEntity) === false) {
-            throw new Exception\InvalidRequestException('code');
-        }
-
-        // Ensure the auth code hasn't expired
-        if ($code->isExpired() === true) {
-            throw new Exception\InvalidRequestException('code');
-        }
-
-        // Check redirect URI presented matches redirect URI originally used in authorize request
-        if ($code->getRedirectUri() !== $redirectUri) {
-            throw new Exception\InvalidRequestException('redirect_uri');
-        }
-
-        $session = $code->getSession();
-        $session->associateClient($client);
-
-        $authCodeScopes = $code->getScopes();
-
-        // Generate the access token
-        $accessToken = new AccessTokenEntity($this->server);
-        $accessToken->setId(SecureKey::generate());
-        $accessToken->setExpireTime($this->getAccessTokenTTL() + time());
-
-        foreach ($authCodeScopes as $authCodeScope) {
-            $session->associateScope($authCodeScope);
-        }
-
-        foreach ($session->getScopes() as $scope) {
-            $accessToken->associateScope($scope);
-        }
-
-        $this->server->getTokenType()->setSession($session);
-        $this->server->getTokenType()->setParam('access_token', $accessToken->getId());
-        $this->server->getTokenType()->setParam('expires_in', $this->getAccessTokenTTL());
-
-        // Associate a refresh token if set
-        if ($this->server->hasGrantType('refresh_token')) {
-            $refreshToken = new RefreshTokenEntity($this->server);
-            $refreshToken->setId(SecureKey::generate());
-            $refreshToken->setExpireTime($this->server->getGrantType('refresh_token')->getRefreshTokenTTL() + time());
-            $this->server->getTokenType()->setParam('refresh_token', $refreshToken->getId());
-        }
-
-        // Expire the auth code
-        $code->expire();
-
-        // Save all the things
-        $accessToken->setSession($session);
-        $accessToken->save();
-
-        if (isset($refreshToken) && $this->server->hasGrantType('refresh_token')) {
-            $refreshToken->setAccessToken($accessToken);
-            $refreshToken->save();
-        }
-
-        return $this->server->getTokenType()->generateResponse();
+        return $authorizationRequest;
     }
-}
+
+    /**
+     * {@inheritdoc}
+     */
+    public function completeAuthorizationRequest(AuthorizationRequest $authorizationRequest)
+    {
+        if ($authorizationRequest->getUser() instanceof UserEntityInterface === false) {
+            throw new LogicException('An instance of UserEntityInterface should be set on the AuthorizationRequest');
+        }
+
+        $finalRedirectUri = $authorizationRequest->getRedirectUri()
+                          ?? $this->getClientRedirectUri($authorizationRequest);
+
+        // The user approved the client, redirect them back with an auth code
+        if ($authorizationRequest->isAuthorizationApproved() === true) {
+            $authCode = $this->issueAuthCode(
+                $this->authCodeTTL,
+                $authorizationRequest->getClient(),
+                $authorizationRequest->getUser()->getIdentifier(),
+                $authorizationRequest->getRedirectUri(),
+                $authorizationRequest->getScopes()
+            );
+
+            $payload = [
+                'client_id'             => $authCode->getClient()->getIdentifier(),
+                'redirect_uri'          => $authCode->getRedirectUri(),
+                'auth_code_id'          => $authCode->getIdentifier(),
+                'scopes'                => $authCode->getScopes(),
+                'user_id'               => $authCode->getUserIdentifier(),
+                'expire_time'           => (new DateTimeImmutable())->add($this->authCodeTTL)->getTimestamp(),
+                'code_challenge'        => $authorizationRequest->getCodeChallenge(),
+                'code_challenge_method' => $authorizationRequest->getCodeChallengeMethod(),
+            ];
+
+            $jsonPayload = json_encode($payload);
+
+            if ($jsonPayload === false) {
+                throw new LogicException('An error was encountered when JSON encoding the authorization request response');
+            }
+
+            $response = new RedirectResponse();
+            $response->setRedirectUri(
+                $this->makeRedirectUri(
+                    $finalRedirectUri,
+                    [
+                        'code'  => $this->encrypt($jsonPayload),
+                        'state' => $authorizationRequest->getState(),
+                    ]
+                )
+            );
+
+            return $response;
+        }
+
+        // The user denied the client, redirect them back with an error
+        throw OAuthServerException::accessDenied(
+            'The user denied the request',
+            $this->makeRedirectUri(
+                $finalRedirectUri,
+                [
+                    'state' => $authorizationRequest->getState(),
+                ]
+            )
+        );
+    }
+
+    /**
+     * Get the client redirect URI if not set in the request.
+     *
+     * @param AuthorizationRequest $authorizationRequest
+     *
+     * @return string
+     */
+    private function getClientRedirectUri(AuthorizationRequest $authorizationRequest)
+    {
+        return \is_array($authorizationRequest->getClient()->getRedirectUri())
+                ? $authorizationRequest->getClient()->getRedirectUri()[0]
+                : $authorizationRequest->getClient()->getRedirectUri();
+    }
+}