Update changelog for version 7.4.0

Optional Refresh Tokens

.gitattributes

@@ -10,4 +10,5 @@
 /phpunit.xml.dist export-ignore
 /CHANGELOG.md export-ignore
 /CONTRIBUTING.md export-ignore
-/README.md export-ignore
+/README.md export-ignore
+

.scrutinizer.yml

@@ -2,7 +2,6 @@ filter:
     excluded_paths:
         - tests/*
         - vendor/*
-        - examples/*
 checks:
     php:
         code_rating: true
@@ -21,8 +20,7 @@ checks:
         fix_doc_comments: true
 tools:
     external_code_coverage:
-        timeout: 600
-        runs: 3
+        timeout: 1800
     php_code_coverage: false
     php_code_sniffer:
         config:
@@ -34,4 +32,4 @@ tools:
         excluded_dirs: [vendor, tests, examples]
     php_cpd:
         enabled: true
-        excluded_dirs: [vendor, tests, examples]
+        excluded_dirs: [vendor, tests, examples]

.styleci.yml

@@ -4,6 +4,7 @@ enabled:
   - binary_operator_spaces
   - blank_line_before_return
   - concat_with_spaces
+  - fully_qualified_strict_types
   - function_typehint_space
   - hash_to_slash_comment
   - include
@@ -29,7 +30,6 @@ enabled:
   - phpdoc_inline_tag
   - phpdoc_no_access
   - phpdoc_no_simplified_null_return
-  - phpdoc_order
   - phpdoc_property
   - phpdoc_scalar
   - phpdoc_separation
@@ -41,7 +41,6 @@ enabled:
   - print_to_echo
   - short_array_syntax
   - short_scalar_cast
-  - simplified_null_return
   - single_quote
   - spaces_cast
   - standardize_not_equal

.travis.yml

@@ -1,24 +1,33 @@
 language: php
 
+dist: trusty
 sudo: false
 
 cache:
   directories:
-  - vendor
+    - vendor
+
+env:
+  - DEPENDENCIES=""
+  - DEPENDENCIES="--prefer-lowest --prefer-stable"
 
 php:
-  - 5.5
-  - 5.6
   - 7.0
-  - hhvm
+  - 7.1
+  - 7.2
+  - 7.3
 
 install:
-  - travis_retry composer install --no-interaction --prefer-source
+  - composer update --no-interaction --prefer-dist $DEPENDENCIES
 
 script:
-  - vendor/bin/phpunit
+  - vendor/bin/phpunit --coverage-clover=coverage.clover
+  - vendor/bin/phpstan analyse -l 7 -c phpstan.neon src tests
+
+after_script:
+    - wget https://scrutinizer-ci.com/ocular.phar
+    - php ocular.phar code-coverage:upload --format=php-clover coverage.clover
 
 branches:
   only:
     - master
-    - V5-WIP

CHANGELOG.md

@@ -1,226 +1,507 @@
 # Changelog
+All notable changes to this project will be documented in this file.
 
-## 5.0.0-RC1 (release 2016-03-24)
+The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
+and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+## [7.4.0] - released 2019-05-05
+
+### Changed
+- RefreshTokenRepository can now return null, allowing refresh tokens to be optional. (PR #649)
+
+## [7.3.3] - released 2019-03-29
+
+### Added
+- Added `error_description` to the error payload to improve standards compliance. The contents of this are copied from the existing `message` value. (PR #1006)
+
+### Deprecated
+- Error payload will not issue `message` value in the next major release (PR #1006)
+
+## [7.3.2] - released 2018-11-21
+
+### Fixed
+- Revert setting keys on response type to be inside `getResponseType()` function instead of AuthorizationServer constructor (PR #969)
+
+## [7.3.1] - released 2018-11-15
+
+### Fixed
+- Fix issue with previous release where interface had changed for the AuthorizationServer. Reverted to the previous interface while maintaining functionality changes (PR #970)
+
+## [7.3.0] - released 2018-11-13
+
+### Changed
+- Moved  the `finalizeScopes()` call from `validateAuthorizationRequest` method to the `completeAuthorizationRequest` method so it is called just before the access token is issued (PR #923)
+
+### Added
+- Added a ScopeTrait to provide an implementation for jsonSerialize (PR #952)
+- Ability to nest exceptions (PR #965)
+
+### Fixed
+- Fix issue where AuthorizationServer is not stateless as ResponseType could store state of a previous request (PR #960)
+
+## [7.2.0] - released 2018-06-23
+
+### Changed
+- Added new`validateRedirectUri` method AbstractGrant to remove three instances of code duplication (PR #912)
+- Allow 640 as a crypt key file permission (PR #917)
+
+### Added
+- Function `hasRedirect()` added to `OAuthServerException` (PR #703)
+
+### Fixed
+- Catch and handle `BadMethodCallException` from the `verify()` method of the JWT token in the `validateAuthorization` method (PR #904)
+
+## [4.1.7] - released 2018-06-23
+
+### Fixed
+- Ensure `empty()` function call only contains variable to be compatible with PHP 5.4 (PR #918)
+
+## [7.1.1] - released 2018-05-21
+
+### Fixed
+- No longer set a WWW-Authenticate header for invalid clients if the client did not send an Authorization header in the original request (PR #902)
+
+## [7.1.0] - released 2018-04-22
+
+### Changed
+- Changed hint for unsupportedGrantType exception so it no longer references the grant type parameter which isn't always expected (PR #893)
+- Upgrade PHPStan checks to level 7 (PR #856)
+
+### Added
+- Added event emitters for issued access and refresh tokens (PR #860)
+- Can now use Defuse\Crypto\Key for encryption/decryption of keys which is faster than the Cryto class (PR #812)
+
+### Removed
+- Remove paragone/random_compat from dependencies
+
+## [7.0.0] - released 2018-02-18
+
+### Added
+- Use PHPStan for static analysis of code (PR #848)
+- Enforce stricter static analysis checks and upgrade library dependencies (PR #852)
+- Provide PHPStan coverage for tests and update PHPUnit (PR #849)
+- Get and set methods for OAuth Server Exception payloads. Allow implementer to specify the JSON encode options (PR #719)
+
+### Changed
+- ClientRepository interface will now accept null for the Grant type to improve extensibility options (PR #607)
+- Do not issue an error if key file permissions are 400 or 440 (PR #839)
+- Skip key file creation if the file already exists (PR #845)
+- Change changelog format and update readme
+
+### Removed
+- Support for PHP 5.6
+- Support for version 5.x and 6.x of the library
+
+### Fixed
+- PKCE implementation (PR #744)
+- Set correct redirect URI when validating scopes (PR #840)
+- S256 code challenege method (PR #842)
+- Accept RSA key with CRLF line endings (PR #805)
+
+## [6.1.1] - 2017-12-23
+
+- Removed check on empty scopes
+
+## [6.1.0] - 2017-12-23
+
+- Changed the token type issued by the Implicit Grant to be Bearer instead of bearer. (PR #724)
+- Replaced call to array_key_exists() with the faster isset() on the Implicit Grant. (PR #749)
+- Allow specification of query delimiter character in the Password Grant (PR #801)
+- Add Zend Diactoros library dependency to examples (PR #678)
+- Can set default scope for the authorization endpoint. If no scope is passed during an authorization request, the default scope will be used if set. If not, the server will issue an invalid scope exception (PR #811)
+- Added validation for redirect URIs on the authorization end point to ensure exactly one redirection URI has been passed (PR #573)
+
+## [6.0.2] - 2017-08-03
+
+- An invalid refresh token that can't be decrypted now returns a HTTP 401 error instead of HTTP 400 (Issue #759)
+- Removed chmod from CryptKey and add toggle to disable checking (Issue #776)
+- Fixes invalid code challenge method payload key name (Issue #777)
+
+## [6.0.1] - 2017-07-19
+
+To address feedback from the security release the following change has been made:
+
+- If an RSA key cannot be chmod'ed to 600 then it will now throw a E_USER_NOTICE instead of an exception.
+
+## [6.0.0] - 2017-07-01
+
+- Breaking change: The `AuthorizationServer` constructor now expects an encryption key string instead of a public key
+- Remove support for HHVM
+- Remove support for PHP 5.5
+
+## [5.1.4] - 2017-07-01
+
+- Fixed multiple security vulnerabilities as a result of a security audit paid for by the [Mozilla Secure Open Source Fund](https://wiki.mozilla.org/MOSS/Secure_Open_Source). All users of this library are encouraged to update as soon as possible to this version or version 6.0 or greater.
+	- It is recommended on each `AuthorizationServer` instance you set the `setEncryptionKey()`. This will result in stronger encryption being used. If this method is not set messages will be sent to the defined error handling routines (using `error_log`). Please see the examples and documentation for examples.
+- TravisCI now tests PHP 7.1 (Issue #671)
+- Fix middleware example fatal error (Issue #682)
+- Fix typo in the first README sentence (Issue #690)
+- Corrected DateInterval from 1 min to 1 month (Issue #709)
+
+## [5.1.3] - 2016-10-12
+
+- Fixed WWW-Authenticate header (Issue #669)
+- Increase the recommended RSA key length from 1024 to 2048 bits (Issue #668)
+
+## [5.1.2] - 2016-09-19
+
+- Fixed `finalizeScopes` call (Issue #650)
+
+## [4.1.6] - 2016-09-13
+
+- Less restrictive on Authorization header check (Issue #652)
+
+## [5.1.1] - 2016-07-26
+
+- Improved test suite (Issue #614)
+- Updated docblocks (Issue #616)
+- Replace `array_shift` with `foreach` loop (Issue #621)
+- Allow easy addition of custom fields to Bearer token response (Issue #624)
+- Key file auto-generation from string (Issue #625)
+
+## [5.1.0] - 2016-06-28
+
+- Implemented RFC7636 (Issue #574)
+- Unify middleware exception responses (Issue #578)
+- Updated examples (Issue #589)
+- Ensure state is in access denied redirect (Issue #597)
+- Remove redundant `isExpired()` method from entity interfaces and traits (Issue #600)
+- Added a check for unique access token constraint violation (Issue #601)
+- Look at Authorization header directly for HTTP Basic auth checks (Issue #604)
+- Added catch Runtime exception when parsing JWT string (Issue #605)
+- Allow `paragonie/random_compat` 2.x (Issue #606)
+- Added `indigophp/hash-compat` to Composer suggestions and `require-dev` for PHP 5.5 support
+
+## [5.0.3] - 2016-05-04
+
+- Fix hints in PasswordGrant (Issue #560)
+- Add meaning of `Resource owner` to terminology.md (Issue #561)
+- Use constant for event name instead of explicit string (Issue #563)
+- Remove unused request property (Issue #564)
+- Correct wrong phpdoc (Issue #569)
+- Fixed typo in exception string (Issue #570)
+
+## [5.0.2] - 2016-04-18
+
+- `state` parameter is now correctly returned after implicit grant authorization
+- Small code and docblock improvements
+
+## [5.0.1] - 2016-04-18
+
+- Fixes an issue (#550) whereby it was unclear whether or not to validate a client's secret during a request.
+
+## [5.0.0] - 2016-04-17
 
 Version 5 is a complete code rewrite.
 
-* JWT support
-* PSR-7 support
-* Improved exception errors
-* Replace all occurrences of the term "Storage" with "Repository"
-* Simplify repositories
-* Entities conform to interfaces and use traits
-* Auth code grant updated
-    * Allow support for public clients
-    * Add support for #439
-* Client credentials grant updated
-* Password grant updated
-    * Allow support for public clients
-* Refresh token grant updated
-* Implement Implicit grant
-* Bearer token output type
-* Remove MAC token output type
-* Authorization server rewrite
-* Resource server class moved to PSR-7 middleware
-* Tests
-* Much much better documentation
+- Renamed Server class to AuthorizationServer
+- Added ResourceServer class
+- Run unit tests again PHP 5.5.9 as it's the minimum supported version
+- Enable PHPUnit 5.0 support
+- Improved examples and documentation
+- Make it clearer that the implicit grant doesn't support refresh tokens
+- Improved refresh token validation errors
+- Fixed refresh token expiry date
 
-## 4.1.5 (released 2016-01-04)
+## [5.0.0-RC2] - 2016-04-10
 
-* Enable Symfony 3.0 support (#412)
+- Allow multiple client redirect URIs (Issue #511)
+- Remove unused mac token interface (Issue #503)
+- Handle RSA key passphrase (Issue #502)
+- Remove access token repository from response types (Issue #501)
+- Remove unnecessary methods from entity interfaces (Issue #490)
+- Ensure incoming JWT hasn't expired (Issue #509)
+- Fix client identifier passed where user identifier is expected (Issue #498)
+- Removed built-in entities; added traits to for quick re-use (Issue #504)
+- Redirect uri is required only if the "redirect_uri" parameter was included in the authorization request (Issue #514)
+- Removed templating for auth code and implicit grants (Issue #499)
 
-## 4.1.4 (released 2015-11-13)
+## [5.0.0-RC1] - 2016-03-24
 
-* Fix for determining access token in header (Issue #328)
-* Refresh tokens are now returned for MAC responses (Issue #356)
-* Added integration list to readme (Issue #341)
-* Expose parameter passed to exceptions (Issue #345)
-* Removed duplicate routing setup code (Issue #346)
-* Docs fix (Issues #347, #360, #380)
-* Examples fix (Issues #348, #358)
-* Fix typo in docblock (Issue #352)
-* Improved timeouts for MAC tokens (Issue #364)
-* `hash_hmac()` should output raw binary data, not hexits (Issue #370)
-* Improved regex for matching all Base64 characters (Issue #371)
-* Fix incorrect signature parameter (Issue #372)
-* AuthCodeGrant and RefreshTokenGrant don't require client_secret (Issue #377)
-* Added priority argument to event listener (Issue #388)
+Version 5 is a complete code rewrite.
 
-## 4.1.3 (released 2015-03-22)
+- JWT support
+- PSR-7 support
+- Improved exception errors
+- Replace all occurrences of the term "Storage" with "Repository"
+- Simplify repositories
+- Entities conform to interfaces and use traits
+- Auth code grant updated
+  - Allow support for public clients
+  - Add support for #439
+- Client credentials grant updated
+- Password grant updated
+  - Allow support for public clients
+- Refresh token grant updated
+- Implement Implicit grant
+- Bearer token output type
+- Remove MAC token output type
+- Authorization server rewrite
+- Resource server class moved to PSR-7 middleware
+- Tests
+- Much much better documentation
 
-* Docblock, namespace and inconsistency fixes (Issue #303)
-* Docblock type fix (Issue #310)
-* Example bug fix (Issue #300)
-* Updated league/event to ~2.1 (Issue #311)
-* Fixed missing session scope (Issue #319)
-* Updated interface docs (Issue #323)
-* `.travis.yml` updates
+## [4.1.5] - 2016-01-04
 
-## 4.1.2 (released 2015-01-01)
+- Enable Symfony 3.0 support (#412)
 
-* Remove side-effects in hash_equals() implementation (Issue #290)
+## [4.1.4] - 2015-11-13
 
-## 4.1.1 (released 2014-12-31)
+- Fix for determining access token in header (Issue #328)
+- Refresh tokens are now returned for MAC responses (Issue #356)
+- Added integration list to readme (Issue #341)
+- Expose parameter passed to exceptions (Issue #345)
+- Removed duplicate routing setup code (Issue #346)
+- Docs fix (Issues #347, #360, #380)
+- Examples fix (Issues #348, #358)
+- Fix typo in docblock (Issue #352)
+- Improved timeouts for MAC tokens (Issue #364)
+- `hash_hmac()` should output raw binary data, not hexits (Issue #370)
+- Improved regex for matching all Base64 characters (Issue #371)
+- Fix incorrect signature parameter (Issue #372)
+- AuthCodeGrant and RefreshTokenGrant don't require client_secret (Issue #377)
+- Added priority argument to event listener (Issue #388)
 
-* Changed `symfony/http-foundation` dependency version to `~2.4` so package can be installed in Laravel `4.1.*`
+## [4.1.3] - 2015-03-22
 
-## 4.1.0 (released 2014-12-27)
+- Docblock, namespace and inconsistency fixes (Issue #303)
+- Docblock type fix (Issue #310)
+- Example bug fix (Issue #300)
+- Updated league/event to ~2.1 (Issue #311)
+- Fixed missing session scope (Issue #319)
+- Updated interface docs (Issue #323)
+- `.travis.yml` updates
 
-* Added MAC token support (Issue #158)
-* Fixed example init code (Issue #280)
-* Toggle refresh token rotation (Issue #286)
-* Docblock fixes
+## [4.1.2] - 2015-01-01
 
-## 4.0.5 (released 2014-12-15)
+- Remove side-effects in hash_equals() implementation (Issue #290)
 
-* Prevent duplicate session in auth code grant (Issue #282)
+## [4.1.1] - 2014-12-31
 
-## 4.0.4 (released 2014-12-03)
+- Changed `symfony/http-foundation` dependency version to `~2.4` so package can be installed in Laravel `4.1.*`
 
-* Ensure refresh token hasn't expired (Issue #270)
+## [4.1.0] - 2014-12-27
 
-## 4.0.3 (released 2014-12-02)
+- Added MAC token support (Issue #158)
+- Fixed example init code (Issue #280)
+- Toggle refresh token rotation (Issue #286)
+- Docblock fixes
 
-* Fix bad type hintings (Issue #267)
-* Do not forget to set the expire time (Issue #268)
+## [4.0.5] - 2014-12-15
 
-## 4.0.2 (released 2014-11-21)
+- Prevent duplicate session in auth code grant (Issue #282)
 
-* Improved interfaces (Issue #255)
-* Learnt how to spell delimiter and so `getScopeDelimiter()` and `setScopeDelimiter()` methods have been renamed
-* Docblock improvements (Issue #254)
+## [4.0.4] - 2014-12-03
 
-## 4.0.1 (released 2014-11-09)
+- Ensure refresh token hasn't expired (Issue #270)
 
-* Alias the master branch in composer.json (Issue #243)
-* Numerous PHP CodeSniffer fixes (Issue #244)
-* .travis.yml update (Issue #245)
-* The getAccessToken method should return an AccessTokenEntity object instead of a string in ResourceServer.php (#246)
+## [4.0.3] - 2014-12-02
 
-## 4.0.0 (released 2014-11-08)
+- Fix bad type hintings (Issue #267)
+- Do not forget to set the expire time (Issue #268)
 
-* Complete rewrite
-* Check out the documentation - [http://oauth2.thephpleague.com](http://oauth2.thephpleague.com)
+## [4.0.2] - 2014-11-21
 
-## 3.2.0 (released 2014-04-16)
+- Improved interfaces (Issue #255)
+- Learnt how to spell delimiter and so `getScopeDelimiter()` and `setScopeDelimiter()` methods have been renamed
+- Docblock improvements (Issue #254)
 
-* Added the ability to change the algorithm that is used to generate the token strings (Issue #151)
+## [4.0.1] - 2014-11-09
 
-## 3.1.2 (released 2014-02-26)
+- Alias the master branch in composer.json (Issue #243)
+- Numerous PHP CodeSniffer fixes (Issue #244)
+- .travis.yml update (Issue #245)
+- The getAccessToken method should return an AccessTokenEntity object instead of a string in ResourceServer.php (#246)
 
-* Support Authorization being an environment variable. [See more](http://fortrabbit.com/docs/essentials/quirks-and-constraints#authorization-header)
+## [4.0.0] - 2014-11-08
 
-## 3.1.1 (released 2013-12-05)
+- Complete rewrite
+- Check out the documentation - [http://oauth2.thephpleague.com](http://oauth2.thephpleague.com)
 
-* Normalize headers when `getallheaders()` is available (Issues #108 and #114)
+## [3.2.0] - 2014-04-16
 
-## 3.1.0 (released 2013-12-05)
+- Added the ability to change the algorithm that is used to generate the token strings (Issue #151)
 
-* No longer necessary to inject the authorisation server into a grant, the server will inject itself
-* Added test for 1419ba8cdcf18dd034c8db9f7de86a2594b68605
+## [3.1.2] - 2014-02-26
 
-## 3.0.1 (released 2013-12-02)
+- Support Authorization being an environment variable. [See more](http://fortrabbit.com/docs/essentials/quirks-and-constraints#authorization-header)
 
-* Forgot to tell TravisCI from testing PHP 5.3
+## [3.1.1] - 2013-12-05
 
-## 3.0.0 (released 2013-12-02)
+- Normalize headers when `getallheaders()` is available (Issues #108 and #114)
 
-* Fixed spelling of Implicit grant class (Issue #84)
-* Travis CI now tests for PHP 5.5
-* Fixes for checking headers for resource server (Issues #79 and #)
-* The word "bearer" now has a capital "B" in JSON output to match OAuth 2.0 spec
-* All grants no longer remove old sessions by default
-* All grants now support custom access token TTL (Issue #92)
-* All methods which didn't before return a value now return `$this` to support method chaining
-* Removed the build in DB providers - these will be put in their own repos to remove baggage in the main repository
-* Removed support for PHP 5.3 because this library now uses traits and will use other modern PHP features going forward
-* Moved some grant related functions into a trait to reduce duplicate code
+## [3.1.0] - 2013-12-05
 
-## 2.1.1 (released 2013-06-02)
+- No longer necessary to inject the authorisation server into a grant, the server will inject itself
+- Added test for 1419ba8cdcf18dd034c8db9f7de86a2594b68605
 
-* Added conditional `isValid()` flag to check for Authorization header only (thanks @alexmcroberts)
-* Fixed semantic meaning of `requireScopeParam()` and `requireStateParam()` by changing their default value to true
-* Updated some duff docblocks
-* Corrected array key call in Resource.php (Issue #63)
+## [3.0.1] - 2013-12-02
 
-## 2.1 (released 2013-05-10)
+- Forgot to tell TravisCI from testing PHP 5.3
 
-* Moved zetacomponents/database to "suggest" in composer.json. If you rely on this feature you now need to include " zetacomponents/database" into "require" key in your own composer.json. (Issue #51)
-* New method in Refresh grant called `rotateRefreshTokens()`. Pass in `true` to issue a new refresh token each time an access token is refreshed. This parameter needs to be set to true in order to request reduced scopes with the new access token. (Issue #47)
-* Rename `key` column in oauth_scopes table to `scope` as `key` is a reserved SQL word. (Issue #45)
-* The `scope` parameter is no longer required by default as per the RFC. (Issue #43)
-* You can now set multiple default scopes by passing an array into `setDefaultScope()`. (Issue #42)
-* The password and client credentials grants now allow for multiple sessions per user. (Issue #32)
-* Scopes associated to authorization codes are not held in their own table (Issue #44)
-* Database schema updates.
+## [3.0.0] - 2013-12-02
 
-## 2.0.5 (released 2013-05-09)
+- Fixed spelling of Implicit grant class (Issue #84)
+- Travis CI now tests for PHP 5.5
+- Fixes for checking headers for resource server (Issues #79 and #)
+- The word "bearer" now has a capital "B" in JSON output to match OAuth 2.0 spec
+- All grants no longer remove old sessions by default
+- All grants now support custom access token TTL (Issue #92)
+- All methods which didn't before return a value now return `$this` to support method chaining
+- Removed the build in DB providers - these will be put in their own repos to remove baggage in the main repository
+- Removed support for PHP 5.3 because this library now uses traits and will use other modern PHP features going forward
+- Moved some grant related functions into a trait to reduce duplicate code
 
-* Fixed `oauth_session_token_scopes` table primary key
-* Removed `DEFAULT ''` that has slipped into some tables
-* Fixed docblock for `SessionInterface::associateRefreshToken()`
+## [2.1.1] - 2013-06-02
 
-## 2.0.4 (released 2013-05-09)
+- Added conditional `isValid()` flag to check for Authorization header only (thanks @alexmcroberts)
+- Fixed semantic meaning of `requireScopeParam()` and `requireStateParam()` by changing their default value to true
+- Updated some duff docblocks
+- Corrected array key call in Resource.php (Issue #63)
 
-* Renamed primary key in oauth_client_endpoints table
-* Adding missing column to oauth_session_authcodes
-* SECURITY FIX: A refresh token should be bound to a client ID
+## [2.1.0] - 2013-05-10
 
-## 2.0.3 (released 2013-05-08)
+- Moved zetacomponents/database to "suggest" in composer.json. If you rely on this feature you now need to include " zetacomponents/database" into "require" key in your own composer.json. (Issue #51)
+- New method in Refresh grant called `rotateRefreshTokens()`. Pass in `true` to issue a new refresh token each time an access token is refreshed. This parameter needs to be set to true in order to request reduced scopes with the new access token. (Issue #47)
+- Rename `key` column in oauth_scopes table to `scope` as `key` is a reserved SQL word. (Issue #45)
+- The `scope` parameter is no longer required by default as per the RFC. (Issue #43)
+- You can now set multiple default scopes by passing an array into `setDefaultScope()`. (Issue #42)
+- The password and client credentials grants now allow for multiple sessions per user. (Issue #32)
+- Scopes associated to authorization codes are not held in their own table (Issue #44)
+- Database schema updates.
 
-* Fixed a link to code in composer.json
+## [2.0.5] - 2013-05-09
 
-## 2.0.2 (released 2013-05-08)
+- Fixed `oauth_session_token_scopes` table primary key
+- Removed `DEFAULT ''` that has slipped into some tables
+- Fixed docblock for `SessionInterface::associateRefreshToken()`
 
-* Updated README with wiki guides
-* Removed `null` as default parameters in some methods in the storage interfaces
-* Fixed license copyright
+## [2.0.4] - 2013-05-09
 
-## 2.0.0 (released 2013-05-08)
+- Renamed primary key in oauth_client_endpoints table
+- Adding missing column to oauth_session_authcodes
+
+### Security
+- A refresh token should be bound to a client ID
+
+## [2.0.3] - 2013-05-08
+
+- Fixed a link to code in composer.json
+
+## [2.0.2] - 2013-05-08
+
+- Updated README with wiki guides
+- Removed `null` as default parameters in some methods in the storage interfaces
+- Fixed license copyright
+
+## [2.0.0] - 2013-05-08
 
 **If you're upgrading from v1.0.8 there are lots of breaking changes**
 
-* Rewrote the session storage interface from scratch so methods are more obvious
-* Included a PDO driver which implements the storage interfaces so the library is more "get up and go"
-* Further normalised the database structure so all sessions no longer contain infomation related to authorization grant (which may or may not be enabled)
-* A session can have multiple associated access tokens
-* Individual grants can have custom expire times for access tokens
-* Authorization codes now have a TTL of 10 minutes by default (can be manually set)
-* Refresh tokens now have a TTL of one week by default (can be manually set)
-* The client credentials grant will no longer gives out refresh tokens as per the specification
+- Rewrote the session storage interface from scratch so methods are more obvious
+- Included a PDO driver which implements the storage interfaces so the library is more "get up and go"
+- Further normalised the database structure so all sessions no longer contain infomation related to authorization grant (which may or may not be enabled)
+- A session can have multiple associated access tokens
+- Individual grants can have custom expire times for access tokens
+- Authorization codes now have a TTL of 10 minutes by default (can be manually set)
+- Refresh tokens now have a TTL of one week by default (can be manually set)
+- The client credentials grant will no longer gives out refresh tokens as per the specification
 
-## 1.0.8 (released 2013-03-18)
+## [1.0.8] - 2013-03-18
 
-* Fixed check for required state parameter
-* Fixed check that user's credentials are correct in Password grant
+- Fixed check for required state parameter
+- Fixed check that user's credentials are correct in Password grant
 
-## 1.0.7 (released 2013-03-04)
+## [1.0.7] - 2013-03-04
 
-* Added method `requireStateParam()`
-* Added method `requireScopeParam()`
+- Added method `requireStateParam()`
+- Added method `requireScopeParam()`
 
-## 1.0.6 (released 2013-02-22)
+## [1.0.6] - 2013-02-22
 
-* Added links to tutorials in the README
-* Added missing `state` parameter request to the `checkAuthoriseParams()` method.
+- Added links to tutorials in the README
+- Added missing `state` parameter request to the `checkAuthoriseParams()` method.
 
-## 1.0.5 (released 2013-02-21)
+## [1.0.5] - 2013-02-21
 
-* Fixed the SQL example for SessionInterface::getScopes()
+- Fixed the SQL example for SessionInterface::getScopes()
 
-## 1.0.3 (released 2013-02-20)
+## [1.0.3] - 2013-02-20
 
-* Changed all instances of the "authentication server" to "authorization server"
+- Changed all instances of the "authentication server" to "authorization server"
 
-## 1.0.2 (released 2013-02-20)
+## [1.0.2] - 2013-02-20
 
-* Fixed MySQL create table order
-* Fixed version number in composer.json
+- Fixed MySQL create table order
+- Fixed version number in composer.json
 
-## 1.0.1 (released 2013-02-19)
+## [1.0.1] - 2013-02-19
 
-* Updated AuthServer.php to use `self::getParam()`
+- Updated AuthServer.php to use `self::getParam()`
 
-## 1.0.0 (released 2013-02-15)
+## 1.0.0 - 2013-02-15
 
-* First major release
+- First major release
+
+[Unreleased]: https://github.com/thephpleague/oauth2-server/compare/7.4.0...HEAD
+[7.4.0]: https://github.com/thephpleague/oauth2-server/compare/7.3.3...7.4.0
+[7.3.3]: https://github.com/thephpleague/oauth2-server/compare/7.3.2...7.3.3
+[7.3.2]: https://github.com/thephpleague/oauth2-server/compare/7.3.1...7.3.2
+[7.3.1]: https://github.com/thephpleague/oauth2-server/compare/7.3.0...7.3.1
+[7.3.0]: https://github.com/thephpleague/oauth2-server/compare/7.2.0...7.3.0
+[7.2.0]: https://github.com/thephpleague/oauth2-server/compare/7.1.1...7.2.0
+[7.1.1]: https://github.com/thephpleague/oauth2-server/compare/7.1.0...7.1.1
+[7.1.0]: https://github.com/thephpleague/oauth2-server/compare/7.0.0...7.1.0
+[7.0.0]: https://github.com/thephpleague/oauth2-server/compare/6.1.1...7.0.0
+[6.1.1]: https://github.com/thephpleague/oauth2-server/compare/6.0.0...6.1.1
+[6.1.0]: https://github.com/thephpleague/oauth2-server/compare/6.0.2...6.1.0
+[6.0.2]: https://github.com/thephpleague/oauth2-server/compare/6.0.1...6.0.2
+[6.0.1]: https://github.com/thephpleague/oauth2-server/compare/6.0.0...6.0.1
+[6.0.0]: https://github.com/thephpleague/oauth2-server/compare/5.1.4...6.0.0
+[5.1.4]: https://github.com/thephpleague/oauth2-server/compare/5.1.3...5.1.4
+[5.1.3]: https://github.com/thephpleague/oauth2-server/compare/5.1.2...5.1.3
+[5.1.2]: https://github.com/thephpleague/oauth2-server/compare/5.1.1...5.1.2
+[5.1.1]: https://github.com/thephpleague/oauth2-server/compare/5.1.0...5.1.1
+[5.1.0]: https://github.com/thephpleague/oauth2-server/compare/5.0.2...5.1.0
+[5.0.3]: https://github.com/thephpleague/oauth2-server/compare/5.0.3...5.0.2
+[5.0.2]: https://github.com/thephpleague/oauth2-server/compare/5.0.1...5.0.2
+[5.0.1]: https://github.com/thephpleague/oauth2-server/compare/5.0.0...5.0.1
+[5.0.0]: https://github.com/thephpleague/oauth2-server/compare/5.0.0-RC2...5.0.0
+[5.0.0-RC2]: https://github.com/thephpleague/oauth2-server/compare/5.0.0-RC1...5.0.0-RC2
+[5.0.0-RC1]: https://github.com/thephpleague/oauth2-server/compare/4.1.5...5.0.0-RC1
+[4.1.7]: https://github.com/thephpleague/oauth2-server/compare/4.1.6...4.1.7
+[4.1.6]: https://github.com/thephpleague/oauth2-server/compare/4.1.5...4.1.6
+[4.1.5]: https://github.com/thephpleague/oauth2-server/compare/4.1.4...4.1.5
+[4.1.4]: https://github.com/thephpleague/oauth2-server/compare/4.1.3...4.1.4
+[4.1.3]: https://github.com/thephpleague/oauth2-server/compare/4.1.2...4.1.3
+[4.1.2]: https://github.com/thephpleague/oauth2-server/compare/4.1.1...4.1.2
+[4.1.1]: https://github.com/thephpleague/oauth2-server/compare/4.0.0...4.1.1
+[4.1.0]: https://github.com/thephpleague/oauth2-server/compare/4.0.5...4.1.0
+[4.0.5]: https://github.com/thephpleague/oauth2-server/compare/4.0.4...4.0.5
+[4.0.4]: https://github.com/thephpleague/oauth2-server/compare/4.0.3...4.0.4
+[4.0.3]: https://github.com/thephpleague/oauth2-server/compare/4.0.2...4.0.3
+[4.0.2]: https://github.com/thephpleague/oauth2-server/compare/4.0.1...4.0.2
+[4.0.1]: https://github.com/thephpleague/oauth2-server/compare/4.0.0...4.0.1
+[4.0.0]: https://github.com/thephpleague/oauth2-server/compare/3.2.0...4.0.0
+[3.2.0]: https://github.com/thephpleague/oauth2-server/compare/3.1.2...3.2.0
+[3.1.2]: https://github.com/thephpleague/oauth2-server/compare/3.1.1...3.1.2
+[3.1.1]: https://github.com/thephpleague/oauth2-server/compare/3.1.0...3.1.1
+[3.1.0]: https://github.com/thephpleague/oauth2-server/compare/3.0.1...3.1.0
+[3.0.1]: https://github.com/thephpleague/oauth2-server/compare/3.0.0...3.0.1
+[3.0.0]: https://github.com/thephpleague/oauth2-server/compare/2.1.1...3.0.0
+[2.1.1]: https://github.com/thephpleague/oauth2-server/compare/2.1.0...2.1.1
+[2.1.0]: https://github.com/thephpleague/oauth2-server/compare/2.0.5...2.1.0
+[2.0.5]: https://github.com/thephpleague/oauth2-server/compare/2.0.4...2.0.5
+[2.0.4]: https://github.com/thephpleague/oauth2-server/compare/2.0.3...2.0.4
+[2.0.3]: https://github.com/thephpleague/oauth2-server/compare/2.0.2...2.0.3
+[2.0.2]: https://github.com/thephpleague/oauth2-server/compare/2.0.0...2.0.2
+[2.0.0]: https://github.com/thephpleague/oauth2-server/compare/1.0.8...2.0.0
+[1.0.8]: https://github.com/thephpleague/oauth2-server/compare/1.0.7...1.0.8
+[1.0.7]: https://github.com/thephpleague/oauth2-server/compare/1.0.6...1.0.7
+[1.0.6]: https://github.com/thephpleague/oauth2-server/compare/1.0.5...1.0.6
+[1.0.5]: https://github.com/thephpleague/oauth2-server/compare/1.0.3...1.0.5
+[1.0.3]: https://github.com/thephpleague/oauth2-server/compare/1.0.2...1.0.3
+[1.0.2]: https://github.com/thephpleague/oauth2-server/compare/1.0.1...1.0.2
+[1.0.1]: https://github.com/thephpleague/oauth2-server/compare/1.0.0...1.0.1

CODE_OF_CONDUCT.md

@@ -0,0 +1,73 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, gender identity and expression, level of experience,
+education, socio-economic status, nationality, personal appearance, race,
+religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+  advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at andrew@noexceptions.io. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
+
+[homepage]: https://www.contributor-covenant.org

CONDUCT.md

@@ -1,22 +0,0 @@
-# Contributor Code of Conduct
-
-As contributors and maintainers of this project, and in the interest of fostering an open and welcoming community, we pledge to respect all people who contribute through reporting issues, posting feature requests, updating documentation, submitting pull requests or patches, and other activities.
-
-We are committed to making participation in this project a harassment-free experience for everyone, regardless of level of experience, gender, gender identity and expression, sexual orientation, disability, personal appearance, body size, race, ethnicity, age, religion, or nationality.
-
-Examples of unacceptable behavior by participants include:
-
-* The use of sexualized language or imagery
-* Personal attacks
-* Trolling or insulting/derogatory comments
-* Public or private harassment
-* Publishing other's private information, such as physical or electronic addresses, without explicit permission
-* Other unethical or unprofessional conduct.
-
-Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct. By adopting this Code of Conduct, project maintainers commit themselves to fairly and consistently applying these principles to every aspect of managing this project. Project maintainers who do not follow or enforce the Code of Conduct may be permanently removed from the project team.
-
-This code of conduct applies both within project spaces and in public spaces when an individual is representing the project or its community in a direct capacity. Personal views, beliefs and values of individuals do not necessarily reflect those of the organisation or affiliated individuals and organisations.
-
-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by opening an issue or contacting one or more of the project maintainers.
-
-This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), version 1.2.0, available at [http://contributor-covenant.org/version/1/2/0/](http://contributor-covenant.org/version/1/2/0/)

CONTRIBUTING.md

@@ -1,7 +1,7 @@
 Thanks for contributing to this project.
 
 
-**Please submit your pull request against the `develop` branch only.**
+**Please submit your pull request against the `master` branch only.**
 
 
 Please ensure that you run `phpunit` from the project root after you've made any changes.

README.md

@@ -1,4 +1,4 @@
-# PHP OAuth 2.0 Server by [@alexbilbie](https://twitter.com/alexbilbie)
+# PHP OAuth 2.0 Server
 
 [![Latest Version](http://img.shields.io/packagist/v/league/oauth2-server.svg?style=flat-square)](https://github.com/thephpleague/oauth2-server/releases)
 [![Software License](https://img.shields.io/badge/license-MIT-brightgreen.svg?style=flat-square)](LICENSE.md)
@@ -6,10 +6,11 @@
 [![Coverage Status](https://img.shields.io/scrutinizer/coverage/g/thephpleague/oauth2-server.svg?style=flat-square)](https://scrutinizer-ci.com/g/thephpleague/oauth2-server/code-structure)
 [![Quality Score](https://img.shields.io/scrutinizer/g/thephpleague/oauth2-server.svg?style=flat-square)](https://scrutinizer-ci.com/g/thephpleague/oauth2-server)
 [![Total Downloads](https://img.shields.io/packagist/dt/league/oauth2-server.svg?style=flat-square)](https://packagist.org/packages/league/oauth2-server)
+[![PHPStan](https://img.shields.io/badge/PHPStan-enabled-brightgreen.svg?style=flat-square)](https://github.com/phpstan/phpstan)
 
-`league/oauth2-server` is a a standards compliant implementation of an [OAuth 2.0](https://tools.ietf.org/html/rfc6749) authorization server written in PHP which makes working with OAuth 2.0 trivial. You can easily configure an OAuth 2.0 server to protect your API with access tokens, or allow clients to request new access tokens and refresh them.
+`league/oauth2-server` is a standards compliant implementation of an [OAuth 2.0](https://tools.ietf.org/html/rfc6749) authorization server written in PHP which makes working with OAuth 2.0 trivial. You can easily configure an OAuth 2.0 server to protect your API with access tokens, or allow clients to request new access tokens and refresh them.
 
-It supports out of the box the following grants:
+Out of the box it supports the following grants:
 
 * Authorization code grant
 * Implicit grant
@@ -17,36 +18,67 @@ It supports out of the box the following grants:
 * Resource owner password credentials grant
 * Refresh grant
 
-You can also easily define your own grants.
+The following RFCs are implemented:
 
-In addition it supports the following token response types:
+* [RFC6749 "OAuth 2.0"](https://tools.ietf.org/html/rfc6749)
+* [RFC6750 " The OAuth 2.0 Authorization Framework: Bearer Token Usage"](https://tools.ietf.org/html/rfc6750)
+* [RFC7519 "JSON Web Token (JWT)"](https://tools.ietf.org/html/rfc7519)
+* [RFC7636 "Proof Key for Code Exchange by OAuth Public Clients"](https://tools.ietf.org/html/rfc7636)
 
-* Bearer (JWT) tokens
-* MAC tokens
-
-You can also create you own tokens.
+This library was created by Alex Bilbie. Find him on Twitter at [@alexbilbie](https://twitter.com/alexbilbie).
 
 ## Requirements
 
 The following versions of PHP are supported:
 
-* PHP 5.5 (>=5.5.9)
-* PHP 5.6
 * PHP 7.0
-* HHVM
+* PHP 7.1
+* PHP 7.2
+* PHP 7.3
+
+The `openssl` extension is also required.
+
+All HTTP messages passed to the server should be [PSR-7 compliant](https://www.php-fig.org/psr/psr-7/). This ensures interoperability with other packages and frameworks.
+
+## Installation
+
+```
+composer require league/oauth2-server
+```
 
 ## Documentation
 
-The library documentation can be found at [http://oauth2.thephpleague.com](http://oauth2.thephpleague.com). 
-You can contribute to this documentation in the [gh-pages branch](https://github.com/thephpleague/oauth2-server/tree/gh-pages/).
+The library documentation can be found at [https://oauth2.thephpleague.com](https://oauth2.thephpleague.com).
+You can contribute to the documentation in the [gh-pages branch](https://github.com/thephpleague/oauth2-server/tree/gh-pages/).
+
+## Testing
+
+The library uses [PHPUnit](https://phpunit.de/) for unit tests and [PHPStan](https://github.com/phpstan/phpstan) for static analysis of the code.
+
+```
+vendor/bin/phpunit
+vendor/bin/phpstan analyse -l 7 -c phpstan.neon src tests
+```
+
+## Continous Integration
+
+We use [Travis CI](https://travis-ci.org/), [Scrutinizer](https://scrutinizer-ci.com/), and [StyleCI](https://styleci.io/) for continuous integration. Check out [our](https://github.com/thephpleague/oauth2-server/blob/master/.travis.yml) [configuration](https://github.com/thephpleague/oauth2-server/blob/master/.scrutinizer.yml) [files](https://github.com/thephpleague/oauth2-server/blob/master/.styleci.yml) if you'd like to know more.
+
+## Community Integrations
+
+* [Drupal](https://www.drupal.org/project/simple_oauth)
+* [Laravel Passport](https://github.com/laravel/passport)
+* [OAuth 2 Server for CakePHP 3](https://github.com/uafrica/oauth-server)
+* [OAuth 2 Server for Expressive](https://github.com/zendframework/zend-expressive-authentication-oauth2)
+* [Trikoder OAuth 2 Bundle (Symfony)](https://github.com/trikoder/oauth2-bundle)
 
 ## Changelog
 
-[See the project releases page](https://github.com/thephpleague/oauth2-server/releases)
+See the [project changelog](https://github.com/thephpleague/oauth2-server/blob/master/CHANGELOG.md)
 
 ## Contributing
 
-Please see [CONTRIBUTING.md](https://github.com/thephpleague/oauth2-server/blob/master/CONTRIBUTING.md) and [CONDUCT.md](https://github.com/thephpleague/oauth2-server/blob/master/CONDUCT.md) for details.
+Contributions are always welcome. Please see [CONTRIBUTING.md](https://github.com/thephpleague/oauth2-server/blob/master/CONTRIBUTING.md) and [CODE_OF_CONDUCT.md](https://github.com/thephpleague/oauth2-server/blob/master/CODE_OF_CONDUCT.md) for details.
 
 ## Support
 
@@ -54,9 +86,13 @@ Bugs and feature request are tracked on [GitHub](https://github.com/thephpleague
 
 If you have any questions about OAuth _please_ open a ticket here; please **don't** email the address below.
 
+## Commercial Support
+
+If you would like help implementing this library into your existing platform, or would be interested in OAuth advice or training for you and your team please get in touch with [Glynde Labs](https://glyndelabs.com).
+
 ## Security
 
-If you discover any security related issues, please email hello@alexbilbie.com instead of using the issue tracker.
+If you discover any security related issues, please email `hello@alexbilbie.com` instead of using the issue tracker.
 
 ## License
 
@@ -64,8 +100,14 @@ This package is released under the MIT License. See the bundled [LICENSE](https:
 
 ## Credits
 
-This code is principally developed and maintained by [Alex Bilbie](https://twitter.com/alexbilbie).
+This code is principally developed and maintained by [Andy Millington](https://twitter.com/Sephster) and [Simon Hamp](https://twitter.com/simonhamp).
 
-Special thanks to [all of these awesome contributors](https://github.com/thephpleague/oauth2-server/contributors)
+Between 2012 and 2017 this library was developed and maintained by [Alex Bilbie](https://alexbilbie.com/).
+
+PHP OAuth 2.0 Server is one of many packages provided by The PHP League. To find out more, please visit [our website](https://thephpleague.com).
+
+Special thanks to [all of these awesome contributors](https://github.com/thephpleague/oauth2-server/contributors).
+
+Additional thanks go to the [Mozilla Secure Open Source Fund](https://wiki.mozilla.org/MOSS/Secure_Open_Source) for funding a security audit of this library.
 
 The initial code was developed as part of the [Linkey](http://linkey.blogs.lincoln.ac.uk) project which was funded by [JISC](http://jisc.ac.uk) under the Access and Identity Management programme.

composer.json

@@ -1,19 +1,23 @@
 {
     "name": "league/oauth2-server",
     "description": "A lightweight and powerful OAuth 2.0 authorization and resource server library with support for all the core specification grants. This library will allow you to secure your API with OAuth and allow your applications users to approve apps that want to access their data from your API.",
-    "homepage": "http://oauth2.thephpleague.com/",
+    "homepage": "https://oauth2.thephpleague.com/",
     "license": "MIT",
     "require": {
-        "php": ">=5.5.9",
+        "php": ">=7.0.0",
+        "ext-openssl": "*",
         "league/event": "^2.1",
-        "lcobucci/jwt": "^3.1",
-        "paragonie/random_compat": "^1.1",
-        "psr/http-message": "^1.0"
+        "lcobucci/jwt": "^3.2.2",
+        "psr/http-message": "^1.0.1",
+        "defuse/php-encryption": "^2.1"
     },
     "require-dev": {
-        "phpunit/phpunit": "^4.8",
-        "league/plates": "^3.1",
-        "zendframework/zend-diactoros": "^1.0"
+        "phpunit/phpunit": "^6.3 || ^7.0",
+        "zendframework/zend-diactoros": "^1.3.2",
+        "phpstan/phpstan": "^0.9.2",
+        "phpstan/phpstan-phpunit": "^0.9.4",
+        "phpstan/phpstan-strict-rules": "^0.9.0",
+        "roave/security-advisories": "dev-master"
     },
     "repositories": [
         {
@@ -43,6 +47,12 @@
             "email": "hello@alexbilbie.com",
             "homepage": "http://www.alexbilbie.com",
             "role": "Developer"
+        },
+        {
+            "name": "Andy Millington",
+            "email": "andrew@noexceptions.io",
+            "homepage": "https://www.noexceptions.io",
+            "role": "Developer"
         }
     ],
     "replace": {
@@ -58,16 +68,5 @@
         "psr-4": {
             "LeagueTests\\": "tests/"
         }
-    },
-    "extra": {
-        "branch-alias": {
-            "dev-V5-WIP": "5.0-dev"
-        }
-    },
-    "suggest": {
-        "league/plates": "Used for parsing authorization code templates",
-        "twig/twig": "Used for parsing authorization code templates",
-        "smarty/smarty": "Used for parsing authorization code templates",
-        "mustache/mustache": "Used for parsing authorization code templates"
     }
 }

examples/README.md

@@ -2,8 +2,8 @@
 
 ## Installation
 
-0. Run `composer install --no-dev` in this directory to install dependencies
-0. Create a private key `openssl genrsa -out private.key 1024`
+0. Run `composer install` in this directory to install dependencies
+0. Create a private key `openssl genrsa -out private.key 2048`
 0. Create a public key `openssl rsa -in private.key -pubout > public.key`
 0. `cd` into the public directory
 0. Start a PHP server `php -S localhost:4444`

examples/composer.json

@@ -1,18 +1,18 @@
 {
-    "repositories": [
-        {
-            "type": "path",
-            "url": ".."
-        }
-    ],
     "require": {
-        "slim/slim": "3.0.*",
-        "league/oauth2-server": "dev-V5-WIP",
-        "league/plates": "^3.1"
+        "slim/slim": "^3.0.0"
+    },
+    "require-dev": {
+        "league/event": "^2.1",
+        "lcobucci/jwt": "^3.2",
+        "psr/http-message": "^1.0",
+        "defuse/php-encryption": "^2.2",
+        "zendframework/zend-diactoros": "^2.0.0"
     },
     "autoload": {
         "psr-4": {
-            "OAuth2ServerExamples\\": "src/"
+            "OAuth2ServerExamples\\": "src/",
+            "League\\OAuth2\\Server\\": "../src/"
         }
     }
 }

examples/composer.lock

@@ -4,23 +4,25 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
         "This file is @generated automatically"
     ],
-    "hash": "143453cc35e7f499b130b6460222dc5a",
-    "content-hash": "1ea46581fb6db25f323a37a45ef74f95",
+    "content-hash": "97f2878428e37d1d8e5418cc85cbfa3d",
     "packages": [
         {
             "name": "container-interop/container-interop",
-            "version": "1.1.0",
+            "version": "1.2.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/container-interop/container-interop.git",
-                "reference": "fc08354828f8fd3245f77a66b9e23a6bca48297e"
+                "reference": "79cbf1341c22ec75643d841642dd5d6acd83bdb8"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/container-interop/container-interop/zipball/fc08354828f8fd3245f77a66b9e23a6bca48297e",
-                "reference": "fc08354828f8fd3245f77a66b9e23a6bca48297e",
+                "url": "https://api.github.com/repos/container-interop/container-interop/zipball/79cbf1341c22ec75643d841642dd5d6acd83bdb8",
+                "reference": "79cbf1341c22ec75643d841642dd5d6acd83bdb8",
                 "shasum": ""
             },
+            "require": {
+                "psr/container": "^1.0"
+            },
             "type": "library",
             "autoload": {
                 "psr-4": {
@@ -32,20 +34,352 @@
                 "MIT"
             ],
             "description": "Promoting the interoperability of container objects (DIC, SL, etc.)",
-            "time": "2014-12-30 15:22:37"
+            "homepage": "https://github.com/container-interop/container-interop",
+            "time": "2017-02-14T19:40:03+00:00"
         },
         {
-            "name": "lcobucci/jwt",
-            "version": "3.1.0",
+            "name": "nikic/fast-route",
+            "version": "v1.3.0",
             "source": {
                 "type": "git",
-                "url": "https://github.com/lcobucci/jwt.git",
-                "reference": "31499db4e692b343cec7ff345932899f98fde1cf"
+                "url": "https://github.com/nikic/FastRoute.git",
+                "reference": "181d480e08d9476e61381e04a71b34dc0432e812"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/lcobucci/jwt/zipball/31499db4e692b343cec7ff345932899f98fde1cf",
-                "reference": "31499db4e692b343cec7ff345932899f98fde1cf",
+                "url": "https://api.github.com/repos/nikic/FastRoute/zipball/181d480e08d9476e61381e04a71b34dc0432e812",
+                "reference": "181d480e08d9476e61381e04a71b34dc0432e812",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.4.0"
+            },
+            "require-dev": {
+                "phpunit/phpunit": "^4.8.35|~5.7"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "FastRoute\\": "src/"
+                },
+                "files": [
+                    "src/functions.php"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "BSD-3-Clause"
+            ],
+            "authors": [
+                {
+                    "name": "Nikita Popov",
+                    "email": "nikic@php.net"
+                }
+            ],
+            "description": "Fast request router for PHP",
+            "keywords": [
+                "router",
+                "routing"
+            ],
+            "time": "2018-02-13T20:26:39+00:00"
+        },
+        {
+            "name": "pimple/pimple",
+            "version": "v3.2.3",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/silexphp/Pimple.git",
+                "reference": "9e403941ef9d65d20cba7d54e29fe906db42cf32"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/silexphp/Pimple/zipball/9e403941ef9d65d20cba7d54e29fe906db42cf32",
+                "reference": "9e403941ef9d65d20cba7d54e29fe906db42cf32",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.3.0",
+                "psr/container": "^1.0"
+            },
+            "require-dev": {
+                "symfony/phpunit-bridge": "^3.2"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "3.2.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-0": {
+                    "Pimple": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Fabien Potencier",
+                    "email": "fabien@symfony.com"
+                }
+            ],
+            "description": "Pimple, a simple Dependency Injection Container",
+            "homepage": "http://pimple.sensiolabs.org",
+            "keywords": [
+                "container",
+                "dependency injection"
+            ],
+            "time": "2018-01-21T07:42:36+00:00"
+        },
+        {
+            "name": "psr/container",
+            "version": "1.0.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/php-fig/container.git",
+                "reference": "b7ce3b176482dbbc1245ebf52b181af44c2cf55f"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/php-fig/container/zipball/b7ce3b176482dbbc1245ebf52b181af44c2cf55f",
+                "reference": "b7ce3b176482dbbc1245ebf52b181af44c2cf55f",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.3.0"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.0.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Psr\\Container\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "PHP-FIG",
+                    "homepage": "http://www.php-fig.org/"
+                }
+            ],
+            "description": "Common Container Interface (PHP FIG PSR-11)",
+            "homepage": "https://github.com/php-fig/container",
+            "keywords": [
+                "PSR-11",
+                "container",
+                "container-interface",
+                "container-interop",
+                "psr"
+            ],
+            "time": "2017-02-14T16:28:37+00:00"
+        },
+        {
+            "name": "psr/http-message",
+            "version": "1.0.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/php-fig/http-message.git",
+                "reference": "f6561bf28d520154e4b0ec72be95418abe6d9363"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/php-fig/http-message/zipball/f6561bf28d520154e4b0ec72be95418abe6d9363",
+                "reference": "f6561bf28d520154e4b0ec72be95418abe6d9363",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.3.0"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.0.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Psr\\Http\\Message\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "PHP-FIG",
+                    "homepage": "http://www.php-fig.org/"
+                }
+            ],
+            "description": "Common interface for HTTP messages",
+            "homepage": "https://github.com/php-fig/http-message",
+            "keywords": [
+                "http",
+                "http-message",
+                "psr",
+                "psr-7",
+                "request",
+                "response"
+            ],
+            "time": "2016-08-06T14:39:51+00:00"
+        },
+        {
+            "name": "slim/slim",
+            "version": "3.11.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/slimphp/Slim.git",
+                "reference": "d378e70431e78ee92ee32ddde61ecc72edf5dc0a"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/slimphp/Slim/zipball/d378e70431e78ee92ee32ddde61ecc72edf5dc0a",
+                "reference": "d378e70431e78ee92ee32ddde61ecc72edf5dc0a",
+                "shasum": ""
+            },
+            "require": {
+                "container-interop/container-interop": "^1.2",
+                "nikic/fast-route": "^1.0",
+                "php": ">=5.5.0",
+                "pimple/pimple": "^3.0",
+                "psr/container": "^1.0",
+                "psr/http-message": "^1.0"
+            },
+            "provide": {
+                "psr/http-message-implementation": "1.0"
+            },
+            "require-dev": {
+                "phpunit/phpunit": "^4.0",
+                "squizlabs/php_codesniffer": "^2.5"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "Slim\\": "Slim"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Rob Allen",
+                    "email": "rob@akrabat.com",
+                    "homepage": "http://akrabat.com"
+                },
+                {
+                    "name": "Josh Lockhart",
+                    "email": "hello@joshlockhart.com",
+                    "homepage": "https://joshlockhart.com"
+                },
+                {
+                    "name": "Gabriel Manricks",
+                    "email": "gmanricks@me.com",
+                    "homepage": "http://gabrielmanricks.com"
+                },
+                {
+                    "name": "Andrew Smith",
+                    "email": "a.smith@silentworks.co.uk",
+                    "homepage": "http://silentworks.co.uk"
+                }
+            ],
+            "description": "Slim is a PHP micro framework that helps you quickly write simple yet powerful web applications and APIs",
+            "homepage": "https://slimframework.com",
+            "keywords": [
+                "api",
+                "framework",
+                "micro",
+                "router"
+            ],
+            "time": "2018-09-16T10:54:21+00:00"
+        }
+    ],
+    "packages-dev": [
+        {
+            "name": "defuse/php-encryption",
+            "version": "v2.2.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/defuse/php-encryption.git",
+                "reference": "0f407c43b953d571421e0020ba92082ed5fb7620"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/defuse/php-encryption/zipball/0f407c43b953d571421e0020ba92082ed5fb7620",
+                "reference": "0f407c43b953d571421e0020ba92082ed5fb7620",
+                "shasum": ""
+            },
+            "require": {
+                "ext-openssl": "*",
+                "paragonie/random_compat": ">= 2",
+                "php": ">=5.4.0"
+            },
+            "require-dev": {
+                "nikic/php-parser": "^2.0|^3.0|^4.0",
+                "phpunit/phpunit": "^4|^5"
+            },
+            "bin": [
+                "bin/generate-defuse-key"
+            ],
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "Defuse\\Crypto\\": "src"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Taylor Hornby",
+                    "email": "taylor@defuse.ca",
+                    "homepage": "https://defuse.ca/"
+                },
+                {
+                    "name": "Scott Arciszewski",
+                    "email": "info@paragonie.com",
+                    "homepage": "https://paragonie.com"
+                }
+            ],
+            "description": "Secure PHP Encryption Library",
+            "keywords": [
+                "aes",
+                "authenticated encryption",
+                "cipher",
+                "crypto",
+                "cryptography",
+                "encrypt",
+                "encryption",
+                "openssl",
+                "security",
+                "symmetric key cryptography"
+            ],
+            "time": "2018-07-24T23:27:56+00:00"
+        },
+        {
+            "name": "lcobucci/jwt",
+            "version": "3.2.4",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/lcobucci/jwt.git",
+                "reference": "c9704b751315d21735dc98d78d4f37bd73596da7"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/lcobucci/jwt/zipball/c9704b751315d21735dc98d78d4f37bd73596da7",
+                "reference": "c9704b751315d21735dc98d78d4f37bd73596da7",
                 "shasum": ""
             },
             "require": {
@@ -53,7 +387,7 @@
                 "php": ">=5.5"
             },
             "require-dev": {
-                "mdanter/ecc": "~0.3",
+                "mdanter/ecc": "~0.3.1",
                 "mikey179/vfsstream": "~1.5",
                 "phpmd/phpmd": "~2.2",
                 "phpunit/php-invoker": "~1.1",
@@ -90,7 +424,7 @@
                 "JWS",
                 "jwt"
             ],
-            "time": "2015-11-15 01:42:47"
+            "time": "2018-08-03T11:23:50+00:00"
         },
         {
             "name": "league/event",
@@ -140,209 +474,33 @@
                 "event",
                 "listener"
             ],
-            "time": "2015-05-21 12:24:47"
-        },
-        {
-            "name": "league/oauth2-server",
-            "version": "dev-V5-WIP",
-            "dist": {
-                "type": "path",
-                "url": "../",
-                "reference": "0fbe109e2004c71feac2bd14fd85aff97704b2e5",
-                "shasum": null
-            },
-            "require": {
-                "lcobucci/jwt": "^3.1",
-                "league/event": "^2.1",
-                "paragonie/random_compat": "^1.1",
-                "php": ">=5.5.9",
-                "psr/http-message": "^1.0"
-            },
-            "replace": {
-                "league/oauth2server": "*",
-                "lncd/oauth2": "*"
-            },
-            "require-dev": {
-                "league/plates": "^3.1",
-                "phpunit/phpunit": "^4.8",
-                "zendframework/zend-diactoros": "^1.0"
-            },
-            "suggest": {
-                "league/plates": "Used for parsing authorization code templates",
-                "mustache/mustache": "Used for parsing authorization code templates",
-                "smarty/smarty": "Used for parsing authorization code templates",
-                "twig/twig": "Used for parsing authorization code templates"
-            },
-            "type": "library",
-            "extra": {
-                "branch-alias": {
-                    "dev-V5-WIP": "5.0-dev"
-                }
-            },
-            "autoload": {
-                "psr-4": {
-                    "League\\OAuth2\\Server\\": "src/"
-                }
-            },
-            "autoload-dev": {
-                "psr-4": {
-                    "LeagueTests\\": "tests/"
-                }
-            },
-            "license": [
-                "MIT"
-            ],
-            "authors": [
-                {
-                    "name": "Alex Bilbie",
-                    "email": "hello@alexbilbie.com",
-                    "homepage": "http://www.alexbilbie.com",
-                    "role": "Developer"
-                }
-            ],
-            "description": "A lightweight and powerful OAuth 2.0 authorization and resource server library with support for all the core specification grants. This library will allow you to secure your API with OAuth and allow your applications users to approve apps that want to access their data from your API.",
-            "homepage": "http://oauth2.thephpleague.com/",
-            "keywords": [
-                "api",
-                "auth",
-                "auth",
-                "authentication",
-                "authorisation",
-                "authorization",
-                "oauth",
-                "oauth 2",
-                "oauth 2.0",
-                "oauth2",
-                "protect",
-                "resource",
-                "secure",
-                "server"
-            ]
-        },
-        {
-            "name": "league/plates",
-            "version": "3.1.1",
-            "source": {
-                "type": "git",
-                "url": "https://github.com/thephpleague/plates.git",
-                "reference": "2d8569e9f140a70d6a05db38006926f7547cb802"
-            },
-            "dist": {
-                "type": "zip",
-                "url": "https://api.github.com/repos/thephpleague/plates/zipball/2d8569e9f140a70d6a05db38006926f7547cb802",
-                "reference": "2d8569e9f140a70d6a05db38006926f7547cb802",
-                "shasum": ""
-            },
-            "require-dev": {
-                "mikey179/vfsstream": "~1.4.0",
-                "phpunit/phpunit": "~4.0",
-                "squizlabs/php_codesniffer": "~1.5"
-            },
-            "type": "library",
-            "extra": {
-                "branch-alias": {
-                    "dev-master": "3.0-dev"
-                }
-            },
-            "autoload": {
-                "psr-4": {
-                    "League\\Plates\\": "src"
-                }
-            },
-            "notification-url": "https://packagist.org/downloads/",
-            "license": [
-                "MIT"
-            ],
-            "authors": [
-                {
-                    "name": "Jonathan Reinink",
-                    "email": "jonathan@reinink.ca",
-                    "role": "Developer"
-                }
-            ],
-            "description": "Plates, the native PHP template system that's fast, easy to use and easy to extend.",
-            "homepage": "http://platesphp.com",
-            "keywords": [
-                "league",
-                "package",
-                "templates",
-                "templating",
-                "views"
-            ],
-            "time": "2015-07-09 02:14:40"
-        },
-        {
-            "name": "nikic/fast-route",
-            "version": "v0.6.0",
-            "source": {
-                "type": "git",
-                "url": "https://github.com/nikic/FastRoute.git",
-                "reference": "31fa86924556b80735f98b294a7ffdfb26789f22"
-            },
-            "dist": {
-                "type": "zip",
-                "url": "https://api.github.com/repos/nikic/FastRoute/zipball/31fa86924556b80735f98b294a7ffdfb26789f22",
-                "reference": "31fa86924556b80735f98b294a7ffdfb26789f22",
-                "shasum": ""
-            },
-            "require": {
-                "php": ">=5.4.0"
-            },
-            "type": "library",
-            "autoload": {
-                "psr-4": {
-                    "FastRoute\\": "src/"
-                },
-                "files": [
-                    "src/functions.php"
-                ]
-            },
-            "notification-url": "https://packagist.org/downloads/",
-            "license": [
-                "BSD-3-Clause"
-            ],
-            "authors": [
-                {
-                    "name": "Nikita Popov",
-                    "email": "nikic@php.net"
-                }
-            ],
-            "description": "Fast request router for PHP",
-            "keywords": [
-                "router",
-                "routing"
-            ],
-            "time": "2015-06-18 19:15:47"
+            "time": "2015-05-21T12:24:47+00:00"
         },
         {
             "name": "paragonie/random_compat",
-            "version": "v1.4.1",
+            "version": "v9.99.99",
             "source": {
                 "type": "git",
                 "url": "https://github.com/paragonie/random_compat.git",
-                "reference": "c7e26a21ba357863de030f0b9e701c7d04593774"
+                "reference": "84b4dfb120c6f9b4ff7b3685f9b8f1aa365a0c95"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/paragonie/random_compat/zipball/c7e26a21ba357863de030f0b9e701c7d04593774",
-                "reference": "c7e26a21ba357863de030f0b9e701c7d04593774",
+                "url": "https://api.github.com/repos/paragonie/random_compat/zipball/84b4dfb120c6f9b4ff7b3685f9b8f1aa365a0c95",
+                "reference": "84b4dfb120c6f9b4ff7b3685f9b8f1aa365a0c95",
                 "shasum": ""
             },
             "require": {
-                "php": ">=5.2.0"
+                "php": "^7"
             },
             "require-dev": {
-                "phpunit/phpunit": "4.*|5.*"
+                "phpunit/phpunit": "4.*|5.*",
+                "vimeo/psalm": "^1"
             },
             "suggest": {
                 "ext-libsodium": "Provides a modern crypto API that can be used to generate random bytes."
             },
             "type": "library",
-            "autoload": {
-                "files": [
-                    "lib/random.php"
-                ]
-            },
             "notification-url": "https://packagist.org/downloads/",
             "license": [
                 "MIT"
@@ -357,73 +515,29 @@
             "description": "PHP 5.x polyfill for random_bytes() and random_int() from PHP 7",
             "keywords": [
                 "csprng",
+                "polyfill",
                 "pseudorandom",
                 "random"
             ],
-            "time": "2016-03-18 20:34:03"
+            "time": "2018-07-02T15:55:56+00:00"
         },
         {
-            "name": "pimple/pimple",
-            "version": "v3.0.2",
+            "name": "psr/http-factory",
+            "version": "1.0.0",
             "source": {
                 "type": "git",
-                "url": "https://github.com/silexphp/Pimple.git",
-                "reference": "a30f7d6e57565a2e1a316e1baf2a483f788b258a"
+                "url": "https://github.com/php-fig/http-factory.git",
+                "reference": "378bfe27931ecc54ff824a20d6f6bfc303bbd04c"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/silexphp/Pimple/zipball/a30f7d6e57565a2e1a316e1baf2a483f788b258a",
-                "reference": "a30f7d6e57565a2e1a316e1baf2a483f788b258a",
+                "url": "https://api.github.com/repos/php-fig/http-factory/zipball/378bfe27931ecc54ff824a20d6f6bfc303bbd04c",
+                "reference": "378bfe27931ecc54ff824a20d6f6bfc303bbd04c",
                 "shasum": ""
             },
             "require": {
-                "php": ">=5.3.0"
-            },
-            "type": "library",
-            "extra": {
-                "branch-alias": {
-                    "dev-master": "3.0.x-dev"
-                }
-            },
-            "autoload": {
-                "psr-0": {
-                    "Pimple": "src/"
-                }
-            },
-            "notification-url": "https://packagist.org/downloads/",
-            "license": [
-                "MIT"
-            ],
-            "authors": [
-                {
-                    "name": "Fabien Potencier",
-                    "email": "fabien@symfony.com"
-                }
-            ],
-            "description": "Pimple, a simple Dependency Injection Container",
-            "homepage": "http://pimple.sensiolabs.org",
-            "keywords": [
-                "container",
-                "dependency injection"
-            ],
-            "time": "2015-09-11 15:10:35"
-        },
-        {
-            "name": "psr/http-message",
-            "version": "1.0",
-            "source": {
-                "type": "git",
-                "url": "https://github.com/php-fig/http-message.git",
-                "reference": "85d63699f0dbedb190bbd4b0d2b9dc707ea4c298"
-            },
-            "dist": {
-                "type": "zip",
-                "url": "https://api.github.com/repos/php-fig/http-message/zipball/85d63699f0dbedb190bbd4b0d2b9dc707ea4c298",
-                "reference": "85d63699f0dbedb190bbd4b0d2b9dc707ea4c298",
-                "shasum": ""
-            },
-            "require": {
-                "php": ">=5.3.0"
+                "php": ">=7.0.0",
+                "psr/http-message": "^1.0"
             },
             "type": "library",
             "extra": {
@@ -446,90 +560,89 @@
                     "homepage": "http://www.php-fig.org/"
                 }
             ],
-            "description": "Common interface for HTTP messages",
+            "description": "Common interfaces for PSR-7 HTTP message factories",
             "keywords": [
+                "factory",
                 "http",
-                "http-message",
+                "message",
                 "psr",
+                "psr-17",
                 "psr-7",
                 "request",
                 "response"
             ],
-            "time": "2015-05-04 20:22:00"
+            "time": "2018-07-30T21:54:04+00:00"
         },
         {
-            "name": "slim/slim",
-            "version": "3.0.0",
+            "name": "zendframework/zend-diactoros",
+            "version": "2.0.0",
             "source": {
                 "type": "git",
-                "url": "https://github.com/slimphp/Slim.git",
-                "reference": "3b06f0f2d84dabbe81b6cea46ace46a3e883253e"
+                "url": "https://github.com/zendframework/zend-diactoros.git",
+                "reference": "0bae78192e634774b5584f0210c1232da82cb1ff"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/slimphp/Slim/zipball/3b06f0f2d84dabbe81b6cea46ace46a3e883253e",
-                "reference": "3b06f0f2d84dabbe81b6cea46ace46a3e883253e",
+                "url": "https://api.github.com/repos/zendframework/zend-diactoros/zipball/0bae78192e634774b5584f0210c1232da82cb1ff",
+                "reference": "0bae78192e634774b5584f0210c1232da82cb1ff",
                 "shasum": ""
             },
             "require": {
-                "container-interop/container-interop": "^1.1",
-                "nikic/fast-route": "^0.6",
-                "php": ">=5.5.0",
-                "pimple/pimple": "^3.0",
+                "php": "^7.1",
+                "psr/http-factory": "^1.0",
                 "psr/http-message": "^1.0"
             },
+            "provide": {
+                "psr/http-factory-implementation": "1.0",
+                "psr/http-message-implementation": "1.0"
+            },
             "require-dev": {
-                "phpunit/phpunit": "^4.0"
+                "ext-dom": "*",
+                "ext-libxml": "*",
+                "http-interop/http-factory-tests": "^0.5.0",
+                "php-http/psr7-integration-tests": "dev-master",
+                "phpunit/phpunit": "^7.0.2",
+                "zendframework/zend-coding-standard": "~1.0.0"
             },
             "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "2.0.x-dev",
+                    "dev-develop": "2.1.x-dev",
+                    "dev-release-1.8": "1.8.x-dev"
+                }
+            },
             "autoload": {
+                "files": [
+                    "src/functions/create_uploaded_file.php",
+                    "src/functions/marshal_headers_from_sapi.php",
+                    "src/functions/marshal_method_from_sapi.php",
+                    "src/functions/marshal_protocol_version_from_sapi.php",
+                    "src/functions/marshal_uri_from_sapi.php",
+                    "src/functions/normalize_server.php",
+                    "src/functions/normalize_uploaded_files.php",
+                    "src/functions/parse_cookie_header.php"
+                ],
                 "psr-4": {
-                    "Slim\\": "Slim"
+                    "Zend\\Diactoros\\": "src/"
                 }
             },
             "notification-url": "https://packagist.org/downloads/",
             "license": [
-                "MIT"
+                "BSD-3-Clause"
             ],
-            "authors": [
-                {
-                    "name": "Rob Allen",
-                    "email": "rob@akrabat.com",
-                    "homepage": "http://akrabat.com"
-                },
-                {
-                    "name": "Josh Lockhart",
-                    "email": "hello@joshlockhart.com",
-                    "homepage": "https://joshlockhart.com"
-                },
-                {
-                    "name": "Gabriel Manricks",
-                    "email": "gmanricks@me.com",
-                    "homepage": "http://gabrielmanricks.com"
-                },
-                {
-                    "name": "Andrew Smith",
-                    "email": "a.smith@silentworks.co.uk",
-                    "homepage": "http://silentworks.co.uk"
-                }
-            ],
-            "description": "Slim is a PHP micro framework that helps you quickly write simple yet powerful web applications and APIs",
-            "homepage": "http://slimframework.com",
+            "description": "PSR HTTP Message implementations",
             "keywords": [
-                "api",
-                "framework",
-                "micro",
-                "router"
+                "http",
+                "psr",
+                "psr-7"
             ],
-            "time": "2015-12-07 14:11:09"
+            "time": "2018-09-27T19:49:04+00:00"
         }
     ],
-    "packages-dev": [],
     "aliases": [],
     "minimum-stability": "stable",
-    "stability-flags": {
-        "league/oauth2-server": 20
-    },
+    "stability-flags": [],
     "prefer-stable": false,
     "prefer-lowest": false,
     "platform": [],

examples/public/api.php

@@ -1,9 +1,7 @@
 <?php
 
-use League\OAuth2\Server\Server;
+use League\OAuth2\Server\ResourceServer;
 use OAuth2ServerExamples\Repositories\AccessTokenRepository;
-use OAuth2ServerExamples\Repositories\ClientRepository;
-use OAuth2ServerExamples\Repositories\ScopeRepository;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use Slim\App;
@@ -11,64 +9,66 @@ use Slim\App;
 include __DIR__ . '/../vendor/autoload.php';
 
 $app = new App([
-    'settings'    => [
-        'displayErrorDetails' => true,
-    ],
-    Server::class => function () {
-        // Setup the authorization server
-        $server = new Server(
-            new ClientRepository(),
-            new AccessTokenRepository(),
-            new ScopeRepository(),
-            'file://' . __DIR__ . '/../private.key',
-            'file://' . __DIR__ . '/../public.key'
+    // Add the resource server to the DI container
+    ResourceServer::class => function () {
+        $server = new ResourceServer(
+            new AccessTokenRepository(),            // instance of AccessTokenRepositoryInterface
+            'file://' . __DIR__ . '/../public.key'  // the authorization server's public key
         );
 
         return $server;
     },
 ]);
 
+// Add the resource server middleware which will intercept and validate requests
 $app->add(
     new \League\OAuth2\Server\Middleware\ResourceServerMiddleware(
-        $app->getContainer()->get(Server::class)
+        $app->getContainer()->get(ResourceServer::class)
     )
 );
 
-$app->get('/users', function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
+// An example endpoint secured with OAuth 2.0
+$app->get(
+    '/users',
+    function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
+        $users = [
+            [
+                'id'    => 123,
+                'name'  => 'Alex',
+                'email' => 'alex@thephpleague.com',
+            ],
+            [
+                'id'    => 124,
+                'name'  => 'Frank',
+                'email' => 'frank@thephpleague.com',
+            ],
+            [
+                'id'    => 125,
+                'name'  => 'Phil',
+                'email' => 'phil@thephpleague.com',
+            ],
+        ];
 
-    $users = [
-        [
-            'id'    => 123,
-            'name'  => 'Alex',
-            'email' => 'alex@thephpleague.com',
-        ],
-        [
-            'id'    => 124,
-            'name'  => 'Frank',
-            'email' => 'frank@thephpleague.com',
-        ],
-        [
-            'id'    => 125,
-            'name'  => 'Phil',
-            'email' => 'phil@thephpleague.com',
-        ],
-    ];
+        $totalUsers = count($users);
 
-    if (in_array('basic', $request->getAttribute('oauth_scopes')) === false) {
-        for ($i = 0; $i < count($users); $i++) {
-            unset($users[$i]['name']);
+        // If the access token doesn't have the `basic` scope hide users' names
+        if (in_array('basic', $request->getAttribute('oauth_scopes')) === false) {
+            for ($i = 0; $i < $totalUsers; $i++) {
+                unset($users[$i]['name']);
+            }
         }
-    }
 
-    if (in_array('email', $request->getAttribute('oauth_scopes')) === false) {
-        for ($i = 0; $i < count($users); $i++) {
-            unset($users[$i]['email']);
+        // If the access token doesn't have the `email` scope hide users' email addresses
+        if (in_array('email', $request->getAttribute('oauth_scopes')) === false) {
+            for ($i = 0; $i < $totalUsers; $i++) {
+                unset($users[$i]['email']);
+            }
         }
+
+        $response->getBody()->write(json_encode($users));
+
+        return $response->withStatus(200);
     }
-
-    $response->getBody()->write(json_encode($users));
-
-    return $response->withStatus(200);
-});
+);
 
 $app->run();

examples/public/auth_code.php

@@ -1,14 +1,21 @@
 <?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
 
+use League\OAuth2\Server\AuthorizationServer;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Grant\AuthCodeGrant;
-use League\OAuth2\Server\Server;
+use OAuth2ServerExamples\Entities\UserEntity;
 use OAuth2ServerExamples\Repositories\AccessTokenRepository;
 use OAuth2ServerExamples\Repositories\AuthCodeRepository;
 use OAuth2ServerExamples\Repositories\ClientRepository;
 use OAuth2ServerExamples\Repositories\RefreshTokenRepository;
 use OAuth2ServerExamples\Repositories\ScopeRepository;
-use OAuth2ServerExamples\Repositories\UserRepository;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use Slim\App;
@@ -20,25 +27,23 @@ $app = new App([
     'settings'    => [
         'displayErrorDetails' => true,
     ],
-    Server::class => function () {
+    AuthorizationServer::class => function () {
         // Init our repositories
         $clientRepository = new ClientRepository();
         $scopeRepository = new ScopeRepository();
         $accessTokenRepository = new AccessTokenRepository();
         $authCodeRepository = new AuthCodeRepository();
         $refreshTokenRepository = new RefreshTokenRepository();
-        $userRepository = new UserRepository();
 
         $privateKeyPath = 'file://' . __DIR__ . '/../private.key';
-        $publicKeyPath = 'file://' . __DIR__ . '/../public.key';
 
         // Setup the authorization server
-        $server = new Server(
+        $server = new AuthorizationServer(
             $clientRepository,
             $accessTokenRepository,
             $scopeRepository,
             $privateKeyPath,
-            $publicKeyPath
+            'lxZFUEsBCJ2Yb14IF2ygAHI5N4+ZAUXXaSeeJm6+twsUmIen'
         );
 
         // Enable the authentication code grant on the server with a token TTL of 1 hour
@@ -46,7 +51,6 @@ $app = new App([
             new AuthCodeGrant(
                 $authCodeRepository,
                 $refreshTokenRepository,
-                $userRepository,
                 new \DateInterval('PT10M')
             ),
             new \DateInterval('PT1H')
@@ -56,12 +60,24 @@ $app = new App([
     },
 ]);
 
-$app->any('/authorize', function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
-    /* @var \League\OAuth2\Server\Server $server */
-    $server = $app->getContainer()->get(Server::class);
+$app->get('/authorize', function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
+    /* @var \League\OAuth2\Server\AuthorizationServer $server */
+    $server = $app->getContainer()->get(AuthorizationServer::class);
 
     try {
-        return $server->respondToRequest($request, $response);
+        // Validate the HTTP request and return an AuthorizationRequest object.
+        // The auth request object can be serialized into a user's session
+        $authRequest = $server->validateAuthorizationRequest($request);
+
+        // Once the user has logged in set the user on the AuthorizationRequest
+        $authRequest->setUser(new UserEntity());
+
+        // Once the user has approved or denied the client update the status
+        // (true = approved, false = denied)
+        $authRequest->setAuthorizationApproved(true);
+
+        // Return the HTTP redirect response
+        return $server->completeAuthorizationRequest($authRequest, $response);
     } catch (OAuthServerException $exception) {
         return $exception->generateHttpResponse($response);
     } catch (\Exception $exception) {
@@ -73,11 +89,11 @@ $app->any('/authorize', function (ServerRequestInterface $request, ResponseInter
 });
 
 $app->post('/access_token', function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
-    /* @var \League\OAuth2\Server\Server $server */
-    $server = $app->getContainer()->get(Server::class);
+    /* @var \League\OAuth2\Server\AuthorizationServer $server */
+    $server = $app->getContainer()->get(AuthorizationServer::class);
 
     try {
-        return $server->respondToRequest($request, $response);
+        return $server->respondToAccessTokenRequest($request, $response);
     } catch (OAuthServerException $exception) {
         return $exception->generateHttpResponse($response);
     } catch (\Exception $exception) {

examples/public/client_credentials.php

@@ -1,8 +1,14 @@
 <?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
 
+use League\OAuth2\Server\AuthorizationServer;
 use League\OAuth2\Server\Exception\OAuthServerException;
-use League\OAuth2\Server\Grant\ClientCredentialsGrant;
-use League\OAuth2\Server\Server;
 use OAuth2ServerExamples\Repositories\AccessTokenRepository;
 use OAuth2ServerExamples\Repositories\ClientRepository;
 use OAuth2ServerExamples\Repositories\ScopeRepository;
@@ -14,31 +20,32 @@ use Zend\Diactoros\Stream;
 include __DIR__ . '/../vendor/autoload.php';
 
 $app = new App([
-    'settings'    => [
+    'settings'                 => [
         'displayErrorDetails' => true,
     ],
-    Server::class => function () {
+    AuthorizationServer::class => function () {
         // Init our repositories
-        $clientRepository = new ClientRepository();
-        $accessTokenRepository = new AccessTokenRepository();
-        $scopeRepository = new ScopeRepository();
+        $clientRepository = new ClientRepository(); // instance of ClientRepositoryInterface
+        $scopeRepository = new ScopeRepository(); // instance of ScopeRepositoryInterface
+        $accessTokenRepository = new AccessTokenRepository(); // instance of AccessTokenRepositoryInterface
 
-        $privateKeyPath = 'file://' . __DIR__ . '/../private.key';
-        $publicKeyPath = 'file://' . __DIR__ . '/../public.key';
+        // Path to public and private keys
+        $privateKey = 'file://' . __DIR__ . '/../private.key';
+        //$privateKey = new CryptKey('file://path/to/private.key', 'passphrase'); // if private key has a pass phrase
 
         // Setup the authorization server
-        $server = new Server(
+        $server = new AuthorizationServer(
             $clientRepository,
             $accessTokenRepository,
             $scopeRepository,
-            $privateKeyPath,
-            $publicKeyPath
+            $privateKey,
+            'lxZFUEsBCJ2Yb14IF2ygAHI5N4+ZAUXXaSeeJm6+twsUmIen'
         );
 
-        // Enable the client credentials grant on the server with a token TTL of 1 hour
+        // Enable the client credentials grant on the server
         $server->enableGrantType(
-            new ClientCredentialsGrant(),
-            new \DateInterval('PT1H')
+            new \League\OAuth2\Server\Grant\ClientCredentialsGrant(),
+            new \DateInterval('PT1H') // access tokens will expire after 1 hour
         );
 
         return $server;
@@ -46,14 +53,21 @@ $app = new App([
 ]);
 
 $app->post('/access_token', function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
-    /* @var \League\OAuth2\Server\Server $server */
-    $server = $app->getContainer()->get(Server::class);
+
+    /* @var \League\OAuth2\Server\AuthorizationServer $server */
+    $server = $app->getContainer()->get(AuthorizationServer::class);
 
     try {
-        return $server->respondToRequest($request, $response);
+
+        // Try to respond to the request
+        return $server->respondToAccessTokenRequest($request, $response);
     } catch (OAuthServerException $exception) {
+
+        // All instances of OAuthServerException can be formatted into a HTTP response
         return $exception->generateHttpResponse($response);
     } catch (\Exception $exception) {
+
+        // Unknown exception
         $body = new Stream('php://temp', 'r+');
         $body->write($exception->getMessage());
 

examples/public/implicit.php

@@ -1,12 +1,19 @@
 <?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
 
+use League\OAuth2\Server\AuthorizationServer;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Grant\ImplicitGrant;
-use League\OAuth2\Server\Server;
+use OAuth2ServerExamples\Entities\UserEntity;
 use OAuth2ServerExamples\Repositories\AccessTokenRepository;
 use OAuth2ServerExamples\Repositories\ClientRepository;
 use OAuth2ServerExamples\Repositories\ScopeRepository;
-use OAuth2ServerExamples\Repositories\UserRepository;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use Slim\App;
@@ -18,41 +25,48 @@ $app = new App([
     'settings'    => [
         'displayErrorDetails' => true,
     ],
-    Server::class => function () {
+    AuthorizationServer::class => function () {
         // Init our repositories
         $clientRepository = new ClientRepository();
         $scopeRepository = new ScopeRepository();
         $accessTokenRepository = new AccessTokenRepository();
-        $userRepository = new UserRepository();
 
         $privateKeyPath = 'file://' . __DIR__ . '/../private.key';
-        $publicKeyPath = 'file://' . __DIR__ . '/../public.key';
 
         // Setup the authorization server
-        $server = new Server(
+        $server = new AuthorizationServer(
             $clientRepository,
             $accessTokenRepository,
             $scopeRepository,
             $privateKeyPath,
-            $publicKeyPath
+            'lxZFUEsBCJ2Yb14IF2ygAHI5N4+ZAUXXaSeeJm6+twsUmIen'
         );
 
         // Enable the implicit grant on the server with a token TTL of 1 hour
-        $server->enableGrantType(
-            new ImplicitGrant($userRepository),
-            new \DateInterval('PT1H')
-        );
+        $server->enableGrantType(new ImplicitGrant(new \DateInterval('PT1H')));
 
         return $server;
     },
 ]);
 
-$app->any('/authorize', function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
-    /* @var \League\OAuth2\Server\Server $server */
-    $server = $app->getContainer()->get(Server::class);
+$app->get('/authorize', function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
+    /* @var \League\OAuth2\Server\AuthorizationServer $server */
+    $server = $app->getContainer()->get(AuthorizationServer::class);
 
     try {
-        return $server->respondToRequest($request, $response);
+        // Validate the HTTP request and return an AuthorizationRequest object.
+        // The auth request object can be serialized into a user's session
+        $authRequest = $server->validateAuthorizationRequest($request);
+
+        // Once the user has logged in set the user on the AuthorizationRequest
+        $authRequest->setUser(new UserEntity());
+
+        // Once the user has approved or denied the client update the status
+        // (true = approved, false = denied)
+        $authRequest->setAuthorizationApproved(true);
+
+        // Return the HTTP redirect response
+        return $server->completeAuthorizationRequest($authRequest, $response);
     } catch (OAuthServerException $exception) {
         return $exception->generateHttpResponse($response);
     } catch (\Exception $exception) {

examples/public/middleware_use.php

@@ -1,16 +1,23 @@
 <?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
 
+use League\OAuth2\Server\AuthorizationServer;
 use League\OAuth2\Server\Grant\AuthCodeGrant;
 use League\OAuth2\Server\Grant\RefreshTokenGrant;
-use League\OAuth2\Server\Middleware\AuthenticationServerMiddleware;
+use League\OAuth2\Server\Middleware\AuthorizationServerMiddleware;
 use League\OAuth2\Server\Middleware\ResourceServerMiddleware;
-use League\OAuth2\Server\Server;
+use League\OAuth2\Server\ResourceServer;
 use OAuth2ServerExamples\Repositories\AccessTokenRepository;
 use OAuth2ServerExamples\Repositories\AuthCodeRepository;
 use OAuth2ServerExamples\Repositories\ClientRepository;
 use OAuth2ServerExamples\Repositories\RefreshTokenRepository;
 use OAuth2ServerExamples\Repositories\ScopeRepository;
-use OAuth2ServerExamples\Repositories\UserRepository;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use Slim\App;
@@ -19,28 +26,26 @@ use Zend\Diactoros\Stream;
 include __DIR__ . '/../vendor/autoload.php';
 
 $app = new App([
-    'settings'    => [
+    'settings'                 => [
         'displayErrorDetails' => true,
     ],
-    Server::class => function () {
+    AuthorizationServer::class => function () {
         // Init our repositories
         $clientRepository = new ClientRepository();
         $accessTokenRepository = new AccessTokenRepository();
         $scopeRepository = new ScopeRepository();
         $authCodeRepository = new AuthCodeRepository();
         $refreshTokenRepository = new RefreshTokenRepository();
-        $userRepository = new UserRepository();
 
         $privateKeyPath = 'file://' . __DIR__ . '/../private.key';
-        $publicKeyPath = 'file://' . __DIR__ . '/../public.key';
 
         // Setup the authorization server
-        $server = new Server(
+        $server = new AuthorizationServer(
             $clientRepository,
             $accessTokenRepository,
             $scopeRepository,
             $privateKeyPath,
-            $publicKeyPath
+            'lxZFUEsBCJ2Yb14IF2ygAHI5N4+ZAUXXaSeeJm6+twsUmIen'
         );
 
         // Enable the authentication code grant on the server with a token TTL of 1 hour
@@ -48,7 +53,6 @@ $app = new App([
             new AuthCodeGrant(
                 $authCodeRepository,
                 $refreshTokenRepository,
-                $userRepository,
                 new \DateInterval('PT10M')
             ),
             new \DateInterval('PT1H')
@@ -57,7 +61,17 @@ $app = new App([
         // Enable the refresh token grant on the server with a token TTL of 1 month
         $server->enableGrantType(
             new RefreshTokenGrant($refreshTokenRepository),
-            new \DateInterval('PT1M')
+            new \DateInterval('P1M')
+        );
+
+        return $server;
+    },
+    ResourceServer::class => function () {
+        $publicKeyPath = 'file://' . __DIR__ . '/../public.key';
+
+        $server = new ResourceServer(
+            new AccessTokenRepository(),
+            $publicKeyPath
         );
 
         return $server;
@@ -66,7 +80,7 @@ $app = new App([
 
 // Access token issuer
 $app->post('/access_token', function () {
-})->add(new AuthenticationServerMiddleware($app->getContainer()->get(Server::class)));
+})->add(new AuthorizationServerMiddleware($app->getContainer()->get(AuthorizationServer::class)));
 
 // Secured API
 $app->group('/api', function () {
@@ -90,6 +104,6 @@ $app->group('/api', function () {
 
         return $response->withBody($body);
     });
-})->add(new ResourceServerMiddleware($app->getContainer()->get(Server::class)));
+})->add(new ResourceServerMiddleware($app->getContainer()->get(ResourceServer::class)));
 
 $app->run();

examples/public/password.php

@@ -1,8 +1,8 @@
 <?php
 
+use League\OAuth2\Server\AuthorizationServer;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Grant\PasswordGrant;
-use League\OAuth2\Server\Server;
 use OAuth2ServerExamples\Repositories\AccessTokenRepository;
 use OAuth2ServerExamples\Repositories\ClientRepository;
 use OAuth2ServerExamples\Repositories\RefreshTokenRepository;
@@ -11,58 +11,62 @@ use OAuth2ServerExamples\Repositories\UserRepository;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use Slim\App;
-use Zend\Diactoros\Stream;
 
 include __DIR__ . '/../vendor/autoload.php';
 
 $app = new App([
-    'settings'    => [
-        'displayErrorDetails' => true,
-    ],
-    Server::class => function () {
-        // Init our repositories
-        $clientRepository = new ClientRepository();
-        $accessTokenRepository = new AccessTokenRepository();
-        $scopeRepository = new ScopeRepository();
-        $userRepository = new UserRepository();
-        $refreshTokenRepository = new RefreshTokenRepository();
-
-        $privateKeyPath = 'file://' . __DIR__ . '/../private.key';
-        $publicKeyPath = 'file://' . __DIR__ . '/../public.key';
+    // Add the authorization server to the DI container
+    AuthorizationServer::class => function () {
 
         // Setup the authorization server
-        $server = new Server(
-            $clientRepository,
-            $accessTokenRepository,
-            $scopeRepository,
-            $privateKeyPath,
-            $publicKeyPath
+        $server = new AuthorizationServer(
+            new ClientRepository(),                 // instance of ClientRepositoryInterface
+            new AccessTokenRepository(),            // instance of AccessTokenRepositoryInterface
+            new ScopeRepository(),                  // instance of ScopeRepositoryInterface
+            'file://' . __DIR__ . '/../private.key',    // path to private key
+            'lxZFUEsBCJ2Yb14IF2ygAHI5N4+ZAUXXaSeeJm6+twsUmIen'      // encryption key
         );
 
+        $grant = new PasswordGrant(
+            new UserRepository(),           // instance of UserRepositoryInterface
+            new RefreshTokenRepository()    // instance of RefreshTokenRepositoryInterface
+        );
+        $grant->setRefreshTokenTTL(new \DateInterval('P1M')); // refresh tokens will expire after 1 month
+
         // Enable the password grant on the server with a token TTL of 1 hour
         $server->enableGrantType(
-            new PasswordGrant($userRepository, $refreshTokenRepository),
-            new \DateInterval('PT1H')
+            $grant,
+            new \DateInterval('PT1H') // access tokens will expire after 1 hour
         );
 
         return $server;
     },
 ]);
 
-$app->post('/access_token', function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
-    /* @var \League\OAuth2\Server\Server $server */
-    $server = $app->getContainer()->get(Server::class);
+$app->post(
+    '/access_token',
+    function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
 
-    try {
-        return $server->respondToRequest($request, $response);
-    } catch (OAuthServerException $exception) {
-        return $exception->generateHttpResponse($response);
-    } catch (\Exception $exception) {
-        $body = new Stream('php://temp', 'r+');
-        $body->write($exception->getMessage());
+        /* @var \League\OAuth2\Server\AuthorizationServer $server */
+        $server = $app->getContainer()->get(AuthorizationServer::class);
 
-        return $response->withStatus(500)->withBody($body);
+        try {
+
+            // Try to respond to the access token request
+            return $server->respondToAccessTokenRequest($request, $response);
+        } catch (OAuthServerException $exception) {
+
+            // All instances of OAuthServerException can be converted to a PSR-7 response
+            return $exception->generateHttpResponse($response);
+        } catch (\Exception $exception) {
+
+            // Catch unexpected exceptions
+            $body = $response->getBody();
+            $body->write($exception->getMessage());
+
+            return $response->withStatus(500)->withBody($body);
+        }
     }
-});
+);
 
 $app->run();

examples/public/refresh_token.php

@@ -1,8 +1,15 @@
 <?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
 
+use League\OAuth2\Server\AuthorizationServer;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Grant\RefreshTokenGrant;
-use League\OAuth2\Server\Server;
 use OAuth2ServerExamples\Repositories\AccessTokenRepository;
 use OAuth2ServerExamples\Repositories\ClientRepository;
 use OAuth2ServerExamples\Repositories\RefreshTokenRepository;
@@ -10,7 +17,6 @@ use OAuth2ServerExamples\Repositories\ScopeRepository;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use Slim\App;
-use Zend\Diactoros\Stream;
 
 include __DIR__ . '/../vendor/autoload.php';
 
@@ -18,7 +24,7 @@ $app = new App([
     'settings'    => [
         'displayErrorDetails' => true,
     ],
-    Server::class => function () {
+    AuthorizationServer::class => function () {
         // Init our repositories
         $clientRepository = new ClientRepository();
         $accessTokenRepository = new AccessTokenRepository();
@@ -26,21 +32,23 @@ $app = new App([
         $refreshTokenRepository = new RefreshTokenRepository();
 
         $privateKeyPath = 'file://' . __DIR__ . '/../private.key';
-        $publicKeyPath = 'file://' . __DIR__ . '/../public.key';
 
         // Setup the authorization server
-        $server = new Server(
+        $server = new AuthorizationServer(
             $clientRepository,
             $accessTokenRepository,
             $scopeRepository,
             $privateKeyPath,
-            $publicKeyPath
+            'lxZFUEsBCJ2Yb14IF2ygAHI5N4+ZAUXXaSeeJm6+twsUmIen'
         );
 
-        // Enable the refresh token grant on the server with a token TTL of 1 hour
+        // Enable the refresh token grant on the server
+        $grant = new RefreshTokenGrant($refreshTokenRepository);
+        $grant->setRefreshTokenTTL(new \DateInterval('P1M')); // The refresh token will expire in 1 month
+
         $server->enableGrantType(
-            new RefreshTokenGrant($refreshTokenRepository),
-            new \DateInterval('PT1H')
+            $grant,
+            new \DateInterval('PT1H') // The new access token will expire after 1 hour
         );
 
         return $server;
@@ -48,18 +56,17 @@ $app = new App([
 ]);
 
 $app->post('/access_token', function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
-    /* @var \League\OAuth2\Server\Server $server */
-    $server = $app->getContainer()->get(Server::class);
+    /* @var \League\OAuth2\Server\AuthorizationServer $server */
+    $server = $app->getContainer()->get(AuthorizationServer::class);
 
     try {
-        return $server->respondToRequest($request, $response);
+        return $server->respondToAccessTokenRequest($request, $response);
     } catch (OAuthServerException $exception) {
         return $exception->generateHttpResponse($response);
     } catch (\Exception $exception) {
-        $body = new Stream('php://temp', 'r+');
-        $body->write($exception->getMessage());
+        $response->getBody()->write($exception->getMessage());
 
-        return $response->withStatus(500)->withBody($body);
+        return $response->withStatus(500);
     }
 });
 

examples/src/Entities/AccessTokenEntity.php

@@ -0,0 +1,20 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace OAuth2ServerExamples\Entities;
+
+use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
+use League\OAuth2\Server\Entities\Traits\AccessTokenTrait;
+use League\OAuth2\Server\Entities\Traits\EntityTrait;
+use League\OAuth2\Server\Entities\Traits\TokenEntityTrait;
+
+class AccessTokenEntity implements AccessTokenEntityInterface
+{
+    use AccessTokenTrait, TokenEntityTrait, EntityTrait;
+}

examples/src/Entities/AuthCodeEntity.php

@@ -0,0 +1,20 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace OAuth2ServerExamples\Entities;
+
+use League\OAuth2\Server\Entities\AuthCodeEntityInterface;
+use League\OAuth2\Server\Entities\Traits\AuthCodeTrait;
+use League\OAuth2\Server\Entities\Traits\EntityTrait;
+use League\OAuth2\Server\Entities\Traits\TokenEntityTrait;
+
+class AuthCodeEntity implements AuthCodeEntityInterface
+{
+    use EntityTrait, TokenEntityTrait, AuthCodeTrait;
+}

examples/src/Entities/ClientEntity.php

@@ -1,85 +1,29 @@
 <?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
 
 namespace OAuth2ServerExamples\Entities;
 
-use League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface;
+use League\OAuth2\Server\Entities\ClientEntityInterface;
+use League\OAuth2\Server\Entities\Traits\ClientTrait;
 use League\OAuth2\Server\Entities\Traits\EntityTrait;
 
 class ClientEntity implements ClientEntityInterface
 {
-    use EntityTrait;
+    use EntityTrait, ClientTrait;
 
-    private $name;
-
-    private $secret;
-
-    private $redirectUri;
-
-    /**
-     * Get the client's name.
-     *
-     * @return string
-     */
-    public function getName()
-    {
-        return $this->name;
-    }
-
-    /**
-     * Set the client's name.
-     *
-     * @param string $name
-     */
     public function setName($name)
     {
         $this->name = $name;
     }
 
-    /**
-     * @param string $secret
-     */
-    public function setSecret($secret)
+    public function setRedirectUri($uri)
     {
-        $this->secret = $secret;
-    }
-
-    /**
-     * Get the hashed client secret
-     *
-     * @return string
-     */
-    public function getSecret()
-    {
-        return $this->secret;
-    }
-
-    /**
-     * Set the client's redirect uri.
-     *
-     * @param string $redirectUri
-     */
-    public function setRedirectUri($redirectUri)
-    {
-        $this->redirectUri = $redirectUri;
-    }
-
-    /**
-     * Returns the registered redirect URI.
-     *
-     * @return string
-     */
-    public function getRedirectUri()
-    {
-        return $this->redirectUri;
-    }
-
-    /**
-     * Returns true if the client is capable of keeping it's secrets secret.
-     *
-     * @return bool
-     */
-    public function canKeepASecret()
-    {
-        return $this->secret !== null;
+        $this->redirectUri = $uri;
     }
 }

examples/src/Entities/RefreshTokenEntity.php

@@ -0,0 +1,19 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace OAuth2ServerExamples\Entities;
+
+use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
+use League\OAuth2\Server\Entities\Traits\EntityTrait;
+use League\OAuth2\Server\Entities\Traits\RefreshTokenTrait;
+
+class RefreshTokenEntity implements RefreshTokenEntityInterface
+{
+    use RefreshTokenTrait, EntityTrait;
+}

examples/src/Entities/ScopeEntity.php

@@ -1,16 +1,19 @@
 <?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
 
 namespace OAuth2ServerExamples\Entities;
 
-use League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface;
+use League\OAuth2\Server\Entities\ScopeEntityInterface;
 use League\OAuth2\Server\Entities\Traits\EntityTrait;
+use League\OAuth2\Server\Entities\Traits\ScopeTrait;
 
 class ScopeEntity implements ScopeEntityInterface
 {
-    use EntityTrait;
-
-    public function jsonSerialize()
-    {
-        return $this->getIdentifier();
-    }
+    use EntityTrait, ScopeTrait;
 }

examples/src/Entities/UserEntity.php

@@ -1,8 +1,15 @@
 <?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
 
 namespace OAuth2ServerExamples\Entities;
 
-use League\OAuth2\Server\Entities\Interfaces\UserEntityInterface;
+use League\OAuth2\Server\Entities\UserEntityInterface;
 
 class UserEntity implements UserEntityInterface
 {

examples/src/Repositories/AccessTokenRepository.php

@@ -1,41 +1,57 @@
 <?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
 
 namespace OAuth2ServerExamples\Repositories;
 
-use League\OAuth2\Server\Entities\Interfaces\AccessTokenEntityInterface;
+use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
+use League\OAuth2\Server\Entities\ClientEntityInterface;
 use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+use OAuth2ServerExamples\Entities\AccessTokenEntity;
 
 class AccessTokenRepository implements AccessTokenRepositoryInterface
 {
     /**
-     * Persists a new access token to permanent storage.
-     *
-     * @param \League\OAuth2\Server\Entities\Interfaces\AccessTokenEntityInterface $accessTokenEntity
+     * {@inheritdoc}
      */
     public function persistNewAccessToken(AccessTokenEntityInterface $accessTokenEntity)
     {
-        // TODO: Implement persistNewAccessToken() method.
+        // Some logic here to save the access token to a database
     }
 
     /**
-     * Revoke an access token.
-     *
-     * @param string $tokenId
+     * {@inheritdoc}
      */
     public function revokeAccessToken($tokenId)
     {
-        // TODO: Implement revokeAccessToken() method.
+        // Some logic here to revoke the access token
     }
 
     /**
-     * Check if the access token has been revoked.
-     *
-     * @param string $tokenId
-     *
-     * @return bool Return true if this token has been revoked
+     * {@inheritdoc}
      */
     public function isAccessTokenRevoked($tokenId)
     {
-        // TODO: Implement isAccessTokenRevoked() method.
+        return false; // Access token hasn't been revoked
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getNewToken(ClientEntityInterface $clientEntity, array $scopes, $userIdentifier = null)
+    {
+        $accessToken = new AccessTokenEntity();
+        $accessToken->setClient($clientEntity);
+        foreach ($scopes as $scope) {
+            $accessToken->addScope($scope);
+        }
+        $accessToken->setUserIdentifier($userIdentifier);
+
+        return $accessToken;
     }
 }

examples/src/Repositories/AuthCodeRepository.php

@@ -1,41 +1,49 @@
 <?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
 
 namespace OAuth2ServerExamples\Repositories;
 
-use League\OAuth2\Server\Entities\Interfaces\AuthCodeEntityInterface;
+use League\OAuth2\Server\Entities\AuthCodeEntityInterface;
 use League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface;
+use OAuth2ServerExamples\Entities\AuthCodeEntity;
 
 class AuthCodeRepository implements AuthCodeRepositoryInterface
 {
     /**
-     * Persists a new auth code to permanent storage.
-     *
-     * @param \League\OAuth2\Server\Entities\Interfaces\AuthCodeEntityInterface $authCodeEntity
+     * {@inheritdoc}
      */
     public function persistNewAuthCode(AuthCodeEntityInterface $authCodeEntity)
     {
-        // TODO: Implement persistNewAuthCode() method.
+        // Some logic to persist the auth code to a database
     }
 
     /**
-     * Revoke an auth code.
-     *
-     * @param string $codeId
+     * {@inheritdoc}
      */
     public function revokeAuthCode($codeId)
     {
-        // TODO: Implement revokeAuthCode() method.
+        // Some logic to revoke the auth code in a database
     }
 
     /**
-     * Check if the auth code has been revoked.
-     *
-     * @param string $codeId
-     *
-     * @return bool Return true if this code has been revoked
+     * {@inheritdoc}
      */
     public function isAuthCodeRevoked($codeId)
     {
-        // TODO: Implement isAuthCodeRevoked() method.
+        return false; // The auth code has not been revoked
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getNewAuthCode()
+    {
+        return new AuthCodeEntity();
     }
 }

examples/src/Repositories/ClientRepository.php

@@ -1,4 +1,11 @@
 <?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
 
 namespace OAuth2ServerExamples\Repositories;
 
@@ -10,13 +17,14 @@ class ClientRepository implements ClientRepositoryInterface
     /**
      * {@inheritdoc}
      */
-    public function getClientEntity($clientIdentifier, $clientSecret = null, $redirectUri = null, $grantType = null)
+    public function getClientEntity($clientIdentifier, $grantType = null, $clientSecret = null, $mustValidateSecret = true)
     {
         $clients = [
             'myawesomeapp' => [
-                'secret'       => password_hash('abc123', PASSWORD_BCRYPT),
-                'name'         => 'My Awesome App',
-                'redirect_uri' => 'http://foo/bar',
+                'secret'          => password_hash('abc123', PASSWORD_BCRYPT),
+                'name'            => 'My Awesome App',
+                'redirect_uri'    => 'http://foo/bar',
+                'is_confidential' => true,
             ],
         ];
 
@@ -25,11 +33,18 @@ class ClientRepository implements ClientRepositoryInterface
             return;
         }
 
+        if (
+            $mustValidateSecret === true
+            && $clients[$clientIdentifier]['is_confidential'] === true
+            && password_verify($clientSecret, $clients[$clientIdentifier]['secret']) === false
+        ) {
+            return;
+        }
+
         $client = new ClientEntity();
         $client->setIdentifier($clientIdentifier);
         $client->setName($clients[$clientIdentifier]['name']);
         $client->setRedirectUri($clients[$clientIdentifier]['redirect_uri']);
-        $client->setSecret($clients[$clientIdentifier]['secret']);
 
         return $client;
     }

examples/src/Repositories/RefreshTokenRepository.php

@@ -1,41 +1,49 @@
 <?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
 
 namespace OAuth2ServerExamples\Repositories;
 
-use League\OAuth2\Server\Entities\Interfaces\RefreshTokenEntityInterface;
+use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
 use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
+use OAuth2ServerExamples\Entities\RefreshTokenEntity;
 
 class RefreshTokenRepository implements RefreshTokenRepositoryInterface
 {
     /**
-     * Create a new refresh token_name.
-     *
-     * @param \League\OAuth2\Server\Entities\Interfaces\RefreshTokenEntityInterface $refreshTokenEntityInterface
+     * {@inheritdoc}
      */
-    public function persistNewRefreshToken(RefreshTokenEntityInterface $refreshTokenEntityInterface)
+    public function persistNewRefreshToken(RefreshTokenEntityInterface $refreshTokenEntity)
     {
-        // TODO: Implement persistNewRefreshToken() method.
+        // Some logic to persist the refresh token in a database
     }
 
     /**
-     * Revoke the refresh token.
-     *
-     * @param string $tokenId
+     * {@inheritdoc}
      */
     public function revokeRefreshToken($tokenId)
     {
-        // TODO: Implement revokeRefreshToken() method.
+        // Some logic to revoke the refresh token in a database
     }
 
     /**
-     * Check if the refresh token has been revoked.
-     *
-     * @param string $tokenId
-     *
-     * @return bool Return true if this token has been revoked
+     * {@inheritdoc}
      */
     public function isRefreshTokenRevoked($tokenId)
     {
-        // TODO: Implement isRefreshTokenRevoked() method.
+        return false; // The refresh token has not been revoked
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getNewRefreshToken()
+    {
+        return new RefreshTokenEntity();
     }
 }

examples/src/Repositories/ScopeRepository.php

@@ -1,8 +1,15 @@
 <?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
 
 namespace OAuth2ServerExamples\Repositories;
 
-use League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface;
+use League\OAuth2\Server\Entities\ClientEntityInterface;
 use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
 use OAuth2ServerExamples\Entities\ScopeEntity;
 
@@ -41,6 +48,13 @@ class ScopeRepository implements ScopeRepositoryInterface
         ClientEntityInterface $clientEntity,
         $userIdentifier = null
     ) {
+        // Example of programatically modifying the final scope of the access token
+        if ((int) $userIdentifier === 1) {
+            $scope = new ScopeEntity();
+            $scope->setIdentifier('email');
+            $scopes[] = $scope;
+        }
+
         return $scopes;
     }
 }

examples/src/Repositories/UserRepository.php

@@ -1,10 +1,16 @@
 <?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
 
 namespace OAuth2ServerExamples\Repositories;
 
-use League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface;
+use League\OAuth2\Server\Entities\ClientEntityInterface;
 use League\OAuth2\Server\Repositories\UserRepositoryInterface;
-use OAuth2ServerExamples\Entities\ScopeEntity;
 use OAuth2ServerExamples\Entities\UserEntity;
 
 class UserRepository implements UserRepositoryInterface
@@ -19,10 +25,6 @@ class UserRepository implements UserRepositoryInterface
         ClientEntityInterface $clientEntity
     ) {
         if ($username === 'alex' && $password === 'whisky') {
-            $scope = new ScopeEntity();
-            $scope->setIdentifier('email');
-            $scopes[] = $scope;
-
             return new UserEntity();
         }
 

phpstan.neon

@@ -0,0 +1,10 @@
+includes:
+	- vendor/phpstan/phpstan-phpunit/extension.neon
+	- vendor/phpstan/phpstan-phpunit/rules.neon
+	- vendor/phpstan/phpstan-phpunit/strictRules.neon
+	- vendor/phpstan/phpstan-strict-rules/rules.neon
+services:
+	-
+		class: LeagueTests\PHPStan\AbstractGrantExtension
+		tags:
+			- phpstan.broker.dynamicMethodReturnTypeExtension

src/AuthorizationServer.php

@@ -0,0 +1,236 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server;
+
+use DateInterval;
+use Defuse\Crypto\Key;
+use League\Event\EmitterAwareInterface;
+use League\Event\EmitterAwareTrait;
+use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\Grant\GrantTypeInterface;
+use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
+use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
+use League\OAuth2\Server\RequestTypes\AuthorizationRequest;
+use League\OAuth2\Server\ResponseTypes\AbstractResponseType;
+use League\OAuth2\Server\ResponseTypes\BearerTokenResponse;
+use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+
+class AuthorizationServer implements EmitterAwareInterface
+{
+    use EmitterAwareTrait;
+
+    /**
+     * @var GrantTypeInterface[]
+     */
+    protected $enabledGrantTypes = [];
+
+    /**
+     * @var DateInterval[]
+     */
+    protected $grantTypeAccessTokenTTL = [];
+
+    /**
+     * @var CryptKey
+     */
+    protected $privateKey;
+
+    /**
+     * @var CryptKey
+     */
+    protected $publicKey;
+
+    /**
+     * @var ResponseTypeInterface
+     */
+    protected $responseType;
+
+    /**
+     * @var ClientRepositoryInterface
+     */
+    private $clientRepository;
+
+    /**
+     * @var AccessTokenRepositoryInterface
+     */
+    private $accessTokenRepository;
+
+    /**
+     * @var ScopeRepositoryInterface
+     */
+    private $scopeRepository;
+
+    /**
+     * @var string|Key
+     */
+    private $encryptionKey;
+
+    /**
+     * @var string
+     */
+    private $defaultScope = '';
+
+    /**
+     * New server instance.
+     *
+     * @param ClientRepositoryInterface      $clientRepository
+     * @param AccessTokenRepositoryInterface $accessTokenRepository
+     * @param ScopeRepositoryInterface       $scopeRepository
+     * @param CryptKey|string                $privateKey
+     * @param string|Key                     $encryptionKey
+     * @param null|ResponseTypeInterface     $responseType
+     */
+    public function __construct(
+        ClientRepositoryInterface $clientRepository,
+        AccessTokenRepositoryInterface $accessTokenRepository,
+        ScopeRepositoryInterface $scopeRepository,
+        $privateKey,
+        $encryptionKey,
+        ResponseTypeInterface $responseType = null
+    ) {
+        $this->clientRepository = $clientRepository;
+        $this->accessTokenRepository = $accessTokenRepository;
+        $this->scopeRepository = $scopeRepository;
+
+        if ($privateKey instanceof CryptKey === false) {
+            $privateKey = new CryptKey($privateKey);
+        }
+
+        $this->privateKey = $privateKey;
+        $this->encryptionKey = $encryptionKey;
+
+        if ($responseType === null) {
+            $responseType = new BearerTokenResponse();
+        } else {
+            $responseType = clone $responseType;
+        }
+
+        $this->responseType = $responseType;
+    }
+
+    /**
+     * Enable a grant type on the server.
+     *
+     * @param GrantTypeInterface $grantType
+     * @param null|DateInterval  $accessTokenTTL
+     */
+    public function enableGrantType(GrantTypeInterface $grantType, DateInterval $accessTokenTTL = null)
+    {
+        if ($accessTokenTTL instanceof DateInterval === false) {
+            $accessTokenTTL = new DateInterval('PT1H');
+        }
+
+        $grantType->setAccessTokenRepository($this->accessTokenRepository);
+        $grantType->setClientRepository($this->clientRepository);
+        $grantType->setScopeRepository($this->scopeRepository);
+        $grantType->setDefaultScope($this->defaultScope);
+        $grantType->setPrivateKey($this->privateKey);
+        $grantType->setEmitter($this->getEmitter());
+        $grantType->setEncryptionKey($this->encryptionKey);
+
+        $this->enabledGrantTypes[$grantType->getIdentifier()] = $grantType;
+        $this->grantTypeAccessTokenTTL[$grantType->getIdentifier()] = $accessTokenTTL;
+    }
+
+    /**
+     * Validate an authorization request
+     *
+     * @param ServerRequestInterface $request
+     *
+     * @throws OAuthServerException
+     *
+     * @return AuthorizationRequest
+     */
+    public function validateAuthorizationRequest(ServerRequestInterface $request)
+    {
+        foreach ($this->enabledGrantTypes as $grantType) {
+            if ($grantType->canRespondToAuthorizationRequest($request)) {
+                return $grantType->validateAuthorizationRequest($request);
+            }
+        }
+
+        throw OAuthServerException::unsupportedGrantType();
+    }
+
+    /**
+     * Complete an authorization request
+     *
+     * @param AuthorizationRequest $authRequest
+     * @param ResponseInterface    $response
+     *
+     * @return ResponseInterface
+     */
+    public function completeAuthorizationRequest(AuthorizationRequest $authRequest, ResponseInterface $response)
+    {
+        return $this->enabledGrantTypes[$authRequest->getGrantTypeId()]
+            ->completeAuthorizationRequest($authRequest)
+            ->generateHttpResponse($response);
+    }
+
+    /**
+     * Return an access token response.
+     *
+     * @param ServerRequestInterface $request
+     * @param ResponseInterface      $response
+     *
+     * @throws OAuthServerException
+     *
+     * @return ResponseInterface
+     */
+    public function respondToAccessTokenRequest(ServerRequestInterface $request, ResponseInterface $response)
+    {
+        foreach ($this->enabledGrantTypes as $grantType) {
+            if (!$grantType->canRespondToAccessTokenRequest($request)) {
+                continue;
+            }
+            $tokenResponse = $grantType->respondToAccessTokenRequest(
+                $request,
+                $this->getResponseType(),
+                $this->grantTypeAccessTokenTTL[$grantType->getIdentifier()]
+            );
+
+            if ($tokenResponse instanceof ResponseTypeInterface) {
+                return $tokenResponse->generateHttpResponse($response);
+            }
+        }
+
+        throw OAuthServerException::unsupportedGrantType();
+    }
+
+    /**
+     * Get the token type that grants will return in the HTTP response.
+     *
+     * @return ResponseTypeInterface
+     */
+    protected function getResponseType()
+    {
+        $responseType = clone $this->responseType;
+
+        if ($responseType instanceof AbstractResponseType) {
+            $responseType->setPrivateKey($this->privateKey);
+        }
+
+        $responseType->setEncryptionKey($this->encryptionKey);
+
+        return $responseType;
+    }
+
+    /**
+     * Set the default scope for the authorization server.
+     *
+     * @param string $defaultScope
+     */
+    public function setDefaultScope($defaultScope)
+    {
+        $this->defaultScope = $defaultScope;
+    }
+}

src/AuthorizationValidators/AuthorizationValidatorInterface.php

@@ -1,4 +1,11 @@
 <?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
 
 namespace League\OAuth2\Server\AuthorizationValidators;
 

src/AuthorizationValidators/BearerTokenValidator.php

@@ -1,33 +1,58 @@
 <?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
 
 namespace League\OAuth2\Server\AuthorizationValidators;
 
+use BadMethodCallException;
+use InvalidArgumentException;
 use Lcobucci\JWT\Parser;
 use Lcobucci\JWT\Signer\Rsa\Sha256;
+use Lcobucci\JWT\ValidationData;
+use League\OAuth2\Server\CryptKey;
 use League\OAuth2\Server\CryptTrait;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
 use Psr\Http\Message\ServerRequestInterface;
+use RuntimeException;
 
 class BearerTokenValidator implements AuthorizationValidatorInterface
 {
     use CryptTrait;
 
     /**
-     * @var \League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface
+     * @var AccessTokenRepositoryInterface
      */
     private $accessTokenRepository;
 
     /**
-     * BearerTokenValidator constructor.
-     *
-     * @param \League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface $accessTokenRepository
+     * @var CryptKey
+     */
+    protected $publicKey;
+
+    /**
+     * @param AccessTokenRepositoryInterface $accessTokenRepository
      */
     public function __construct(AccessTokenRepositoryInterface $accessTokenRepository)
     {
         $this->accessTokenRepository = $accessTokenRepository;
     }
 
+    /**
+     * Set the public key
+     *
+     * @param CryptKey $key
+     */
+    public function setPublicKey(CryptKey $key)
+    {
+        $this->publicKey = $key;
+    }
+
     /**
      * {@inheritdoc}
      */
@@ -43,8 +68,20 @@ class BearerTokenValidator implements AuthorizationValidatorInterface
         try {
             // Attempt to parse and validate the JWT
             $token = (new Parser())->parse($jwt);
-            if ($token->verify(new Sha256(), $this->publicKeyPath) === false) {
-                throw OAuthServerException::accessDenied('Access token could not be verified');
+            try {
+                if ($token->verify(new Sha256(), $this->publicKey->getKeyPath()) === false) {
+                    throw OAuthServerException::accessDenied('Access token could not be verified');
+                }
+            } catch (BadMethodCallException $exception) {
+                throw OAuthServerException::accessDenied('Access token is not signed', null, $exception);
+            }
+
+            // Ensure access token hasn't expired
+            $data = new ValidationData();
+            $data->setCurrentTime(time());
+
+            if ($token->validate($data) === false) {
+                throw OAuthServerException::accessDenied('Access token is invalid');
             }
 
             // Check if token has been revoked
@@ -58,9 +95,12 @@ class BearerTokenValidator implements AuthorizationValidatorInterface
                 ->withAttribute('oauth_client_id', $token->getClaim('aud'))
                 ->withAttribute('oauth_user_id', $token->getClaim('sub'))
                 ->withAttribute('oauth_scopes', $token->getClaim('scopes'));
-        } catch (\InvalidArgumentException $exception) {
+        } catch (InvalidArgumentException $exception) {
             // JWT couldn't be parsed so return the request as is
-            throw OAuthServerException::accessDenied($exception->getMessage());
+            throw OAuthServerException::accessDenied($exception->getMessage(), null, $exception);
+        } catch (RuntimeException $exception) {
+            //JWR couldn't be parsed so return the request as is
+            throw OAuthServerException::accessDenied('Error while decoding to JSON', null, $exception);
         }
     }
 }

src/CryptKey.php

@@ -0,0 +1,123 @@
+<?php
+/**
+ * Cryptography key holder.
+ *
+ * @author      Julián Gutiérrez <juliangut@gmail.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server;
+
+use LogicException;
+use RuntimeException;
+
+class CryptKey
+{
+    const RSA_KEY_PATTERN =
+        '/^(-----BEGIN (RSA )?(PUBLIC|PRIVATE) KEY-----)\R.*(-----END (RSA )?(PUBLIC|PRIVATE) KEY-----)\R?$/s';
+
+    /**
+     * @var string
+     */
+    protected $keyPath;
+
+    /**
+     * @var null|string
+     */
+    protected $passPhrase;
+
+    /**
+     * @param string      $keyPath
+     * @param null|string $passPhrase
+     * @param bool        $keyPermissionsCheck
+     */
+    public function __construct($keyPath, $passPhrase = null, $keyPermissionsCheck = true)
+    {
+        if (preg_match(self::RSA_KEY_PATTERN, $keyPath)) {
+            $keyPath = $this->saveKeyToFile($keyPath);
+        }
+
+        if (strpos($keyPath, 'file://') !== 0) {
+            $keyPath = 'file://' . $keyPath;
+        }
+
+        if (!file_exists($keyPath) || !is_readable($keyPath)) {
+            throw new LogicException(sprintf('Key path "%s" does not exist or is not readable', $keyPath));
+        }
+
+        if ($keyPermissionsCheck === true) {
+            // Verify the permissions of the key
+            $keyPathPerms = decoct(fileperms($keyPath) & 0777);
+            if (in_array($keyPathPerms, ['400', '440', '600', '640', '660'], true) === false) {
+                trigger_error(sprintf(
+                    'Key file "%s" permissions are not correct, recommend changing to 600 or 660 instead of %s',
+                    $keyPath,
+                    $keyPathPerms
+                ), E_USER_NOTICE);
+            }
+        }
+
+        $this->keyPath = $keyPath;
+        $this->passPhrase = $passPhrase;
+    }
+
+    /**
+     * @param string $key
+     *
+     * @throws RuntimeException
+     *
+     * @return string
+     */
+    private function saveKeyToFile($key)
+    {
+        $tmpDir = sys_get_temp_dir();
+        $keyPath = $tmpDir . '/' . sha1($key) . '.key';
+
+        if (file_exists($keyPath)) {
+            return 'file://' . $keyPath;
+        }
+
+        if (!touch($keyPath)) {
+            // @codeCoverageIgnoreStart
+            throw new RuntimeException(sprintf('"%s" key file could not be created', $keyPath));
+            // @codeCoverageIgnoreEnd
+        }
+
+        if (file_put_contents($keyPath, $key) === false) {
+            // @codeCoverageIgnoreStart
+            throw new RuntimeException(sprintf('Unable to write key file to temporary directory "%s"', $tmpDir));
+            // @codeCoverageIgnoreEnd
+        }
+
+        if (chmod($keyPath, 0600) === false) {
+            // @codeCoverageIgnoreStart
+            throw new RuntimeException(sprintf('The key file "%s" file mode could not be changed with chmod to 600', $keyPath));
+            // @codeCoverageIgnoreEnd
+        }
+
+        return 'file://' . $keyPath;
+    }
+
+    /**
+     * Retrieve key path.
+     *
+     * @return string
+     */
+    public function getKeyPath()
+    {
+        return $this->keyPath;
+    }
+
+    /**
+     * Retrieve key pass phrase.
+     *
+     * @return null|string
+     */
+    public function getPassPhrase()
+    {
+        return $this->passPhrase;
+    }
+}

src/CryptTrait.php

@@ -1,6 +1,6 @@
 <?php
 /**
- * Public/private key encryption.
+ * Encrypt/decrypt with encryptionKey.
  *
  * @author      Alex Bilbie <hello@alexbilbie.com>
  * @copyright   Copyright (c) Alex Bilbie
@@ -8,115 +8,72 @@
  *
  * @link        https://github.com/thephpleague/oauth2-server
  */
+
 namespace League\OAuth2\Server;
 
+use Defuse\Crypto\Crypto;
+use Defuse\Crypto\Key;
+use Exception;
+use LogicException;
+
 trait CryptTrait
 {
     /**
-     * @var string
+     * @var string|Key
      */
-    protected $privateKeyPath;
+    protected $encryptionKey;
 
     /**
-     * @var string
-     */
-    protected $publicKeyPath;
-
-    /**
-     * Set path to private key.
-     *
-     * @param string $privateKeyPath
-     */
-    public function setPrivateKeyPath($privateKeyPath)
-    {
-        if (strpos($privateKeyPath, 'file://') !== 0) {
-            $privateKeyPath = 'file://' . $privateKeyPath;
-        }
-
-        $this->privateKeyPath = $privateKeyPath;
-    }
-
-    /**
-     * Set path to public key.
-     *
-     * @param string $publicKeyPath
-     */
-    public function setPublicKeyPath($publicKeyPath)
-    {
-        if (strpos($publicKeyPath, 'file://') !== 0) {
-            $publicKeyPath = 'file://' . $publicKeyPath;
-        }
-
-        $this->publicKeyPath = $publicKeyPath;
-    }
-
-    /**
-     * Encrypt data with a private key.
+     * Encrypt data with encryptionKey.
      *
      * @param string $unencryptedData
      *
+     * @throws LogicException
+     *
      * @return string
      */
     protected function encrypt($unencryptedData)
     {
-        $privateKey = openssl_pkey_get_private($this->privateKeyPath);
-        $privateKeyDetails = @openssl_pkey_get_details($privateKey);
-        if ($privateKeyDetails === null) {
-            throw new \LogicException(sprintf('Could not get details of private key: %s', $this->privateKeyPath));
-        }
-
-        $chunkSize = ceil($privateKeyDetails['bits'] / 8) - 11;
-        $output = '';
-
-        while ($unencryptedData) {
-            $chunk = substr($unencryptedData, 0, $chunkSize);
-            $unencryptedData = substr($unencryptedData, $chunkSize);
-            if (openssl_private_encrypt($chunk, $encrypted, $privateKey) === false) {
-                // @codeCoverageIgnoreStart
-                throw new \LogicException('Failed to encrypt data');
-                // @codeCoverageIgnoreEnd
+        try {
+            if ($this->encryptionKey instanceof Key) {
+                return Crypto::encrypt($unencryptedData, $this->encryptionKey);
             }
-            $output .= $encrypted;
-        }
-        openssl_free_key($privateKey);
 
-        return base64_encode($output);
+            return Crypto::encryptWithPassword($unencryptedData, $this->encryptionKey);
+        } catch (Exception $e) {
+            throw new LogicException($e->getMessage(), null, $e);
+        }
     }
 
     /**
-     * Decrypt data with a public key.
+     * Decrypt data with encryptionKey.
      *
      * @param string $encryptedData
      *
-     * @throws \LogicException
+     * @throws LogicException
      *
      * @return string
      */
     protected function decrypt($encryptedData)
     {
-        $publicKey = openssl_pkey_get_public($this->publicKeyPath);
-        $publicKeyDetails = @openssl_pkey_get_details($publicKey);
-        if ($publicKeyDetails === null) {
-            throw new \LogicException(sprintf('Could not get details of public key: %s', $this->publicKeyPath));
-        }
-
-        $chunkSize = ceil($publicKeyDetails['bits'] / 8);
-        $output = '';
-
-        $encryptedData = base64_decode($encryptedData);
-
-        while ($encryptedData) {
-            $chunk = substr($encryptedData, 0, $chunkSize);
-            $encryptedData = substr($encryptedData, $chunkSize);
-            if (openssl_public_decrypt($chunk, $decrypted, $publicKey/*, OPENSSL_PKCS1_OAEP_PADDING*/) === false) {
-                // @codeCoverageIgnoreStart
-                throw new \LogicException('Failed to decrypt data');
-                // @codeCoverageIgnoreEnd
+        try {
+            if ($this->encryptionKey instanceof Key) {
+                return Crypto::decrypt($encryptedData, $this->encryptionKey);
             }
-            $output .= $decrypted;
-        }
-        openssl_free_key($publicKey);
 
-        return $output;
+            return Crypto::decryptWithPassword($encryptedData, $this->encryptionKey);
+        } catch (Exception $e) {
+            throw new LogicException($e->getMessage(), null, $e);
+        }
+    }
+
+    /**
+     * Set the encryption key
+     *
+     * @param string|Key $key
+     */
+    public function setEncryptionKey($key = null)
+    {
+        $this->encryptionKey = $key;
     }
 }

src/Entities/AccessTokenEntity.php

@@ -1,36 +0,0 @@
-<?php
-
-namespace League\OAuth2\Server\Entities;
-
-use Lcobucci\JWT\Builder;
-use Lcobucci\JWT\Signer\Key;
-use Lcobucci\JWT\Signer\Rsa\Sha256;
-use League\OAuth2\Server\Entities\Interfaces\AccessTokenEntityInterface;
-use League\OAuth2\Server\Entities\Traits\EntityTrait;
-use League\OAuth2\Server\Entities\Traits\TokenEntityTrait;
-
-class AccessTokenEntity implements AccessTokenEntityInterface
-{
-    use EntityTrait, TokenEntityTrait;
-
-    /**
-     * Generate a JWT from the access token
-     *
-     * @param string $privateKeyPath
-     *
-     * @return string
-     */
-    public function convertToJWT($privateKeyPath)
-    {
-        return (new Builder())
-            ->setAudience($this->getClient()->getIdentifier())
-            ->setId($this->getIdentifier(), true)
-            ->setIssuedAt(time())
-            ->setNotBefore(time())
-            ->setExpiration($this->getExpiryDateTime()->getTimestamp())
-            ->setSubject($this->getUserIdentifier())
-            ->set('scopes', $this->getScopes())
-            ->sign(new Sha256(), new Key($privateKeyPath))
-            ->getToken();
-    }
-}

src/Entities/AccessTokenEntityInterface.php

@@ -0,0 +1,25 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Entities;
+
+use Lcobucci\JWT\Token;
+use League\OAuth2\Server\CryptKey;
+
+interface AccessTokenEntityInterface extends TokenInterface
+{
+    /**
+     * Generate a JWT from the access token
+     *
+     * @param CryptKey $privateKey
+     *
+     * @return Token
+     */
+    public function convertToJWT(CryptKey $privateKey);
+}

src/Entities/AuthCodeEntity.php

@@ -1,33 +0,0 @@
-<?php
-
-namespace League\OAuth2\Server\Entities;
-
-use League\OAuth2\Server\Entities\Interfaces\AuthCodeEntityInterface;
-use League\OAuth2\Server\Entities\Traits\EntityTrait;
-use League\OAuth2\Server\Entities\Traits\TokenEntityTrait;
-
-/**
- * Class AuthCodeEntity.
- */
-class AuthCodeEntity implements AuthCodeEntityInterface
-{
-    use EntityTrait, TokenEntityTrait;
-
-    protected $redirectUri;
-
-    /**
-     * @return string
-     */
-    public function getRedirectUri()
-    {
-        return $this->redirectUri;
-    }
-
-    /**
-     * @param string $uri
-     */
-    public function setRedirectUri($uri)
-    {
-        $this->redirectUri = $uri;
-    }
-}

src/Entities/AuthCodeEntityInterface.php

@@ -0,0 +1,23 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Entities;
+
+interface AuthCodeEntityInterface extends TokenInterface
+{
+    /**
+     * @return string|null
+     */
+    public function getRedirectUri();
+
+    /**
+     * @param string $uri
+     */
+    public function setRedirectUri($uri);
+}

src/Entities/ClientEntityInterface.php

@@ -0,0 +1,36 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Entities;
+
+interface ClientEntityInterface
+{
+    /**
+     * Get the client's identifier.
+     *
+     * @return string
+     */
+    public function getIdentifier();
+
+    /**
+     * Get the client's name.
+     *
+     * @return string
+     */
+    public function getName();
+
+    /**
+     * Returns the registered redirect URI (as a string).
+     *
+     * Alternatively return an indexed array of redirect URIs.
+     *
+     * @return string|string[]
+     */
+    public function getRedirectUri();
+}

src/Entities/Interfaces/AccessTokenEntityInterface.php

@@ -1,15 +0,0 @@
-<?php
-
-namespace League\OAuth2\Server\Entities\Interfaces;
-
-interface AccessTokenEntityInterface extends TokenInterface
-{
-    /**
-     * Generate a JWT from the access token
-     *
-     * @param string $privateKeyPath
-     *
-     * @return string
-     */
-    public function convertToJWT($privateKeyPath);
-}

src/Entities/Interfaces/AuthCodeEntityInterface.php

@@ -1,16 +0,0 @@
-<?php
-
-namespace League\OAuth2\Server\Entities\Interfaces;
-
-interface AuthCodeEntityInterface extends TokenInterface
-{
-    /**
-     * @return string
-     */
-    public function getRedirectUri();
-
-    /**
-     * @param string $uri
-     */
-    public function setRedirectUri($uri);
-}

src/Entities/Interfaces/ClientEntityInterface.php

@@ -1,48 +0,0 @@
-<?php
-
-namespace League\OAuth2\Server\Entities\Interfaces;
-
-interface ClientEntityInterface
-{
-    /**
-     * Get the client's identifier.
-     *
-     * @return string
-     */
-    public function getIdentifier();
-
-    /**
-     * Set the client's identifier.
-     *
-     * @param $identifier
-     */
-    public function setIdentifier($identifier);
-
-    /**
-     * Get the client's name.
-     *
-     * @return string
-     */
-    public function getName();
-
-    /**
-     * Set the client's name.
-     *
-     * @param string $name
-     */
-    public function setName($name);
-
-    /**
-     * Set the client's redirect uri.
-     *
-     * @param string $redirectUri
-     */
-    public function setRedirectUri($redirectUri);
-
-    /**
-     * Returns the registered redirect URI.
-     *
-     * @return string
-     */
-    public function getRedirectUri();
-}

src/Entities/Interfaces/ScopeEntityInterface.php

@@ -1,20 +0,0 @@
-<?php
-
-namespace League\OAuth2\Server\Entities\Interfaces;
-
-interface ScopeEntityInterface extends \JsonSerializable
-{
-    /**
-     * Get the scope's identifier.
-     *
-     * @return string
-     */
-    public function getIdentifier();
-
-    /**
-     * Set the scope's identifier.
-     *
-     * @param $identifier
-     */
-    public function setIdentifier($identifier);
-}

src/Entities/Interfaces/UserEntityInterface.php

@@ -1,13 +0,0 @@
-<?php
-
-namespace League\OAuth2\Server\Entities\Interfaces;
-
-interface UserEntityInterface
-{
-    /**
-     * Return the user's identifier.
-     *
-     * @return mixed
-     */
-    public function getIdentifier();
-}

src/Entities/RefreshTokenEntity.php

@@ -1,15 +0,0 @@
-<?php
-
-namespace League\OAuth2\Server\Entities;
-
-use League\OAuth2\Server\Entities\Interfaces\RefreshTokenEntityInterface;
-use League\OAuth2\Server\Entities\Traits\EntityTrait;
-use League\OAuth2\Server\Entities\Traits\RefreshTokenTrait;
-
-/**
- * Class RefreshTokenEntity.
- */
-class RefreshTokenEntity implements RefreshTokenEntityInterface
-{
-    use EntityTrait, RefreshTokenTrait;
-}

src/Entities/RefreshTokenEntityInterface.php

@@ -1,6 +1,15 @@
 <?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
 
-namespace League\OAuth2\Server\Entities\Interfaces;
+namespace League\OAuth2\Server\Entities;
+
+use DateTime;
 
 interface RefreshTokenEntityInterface
 {
@@ -14,42 +23,35 @@ interface RefreshTokenEntityInterface
     /**
      * Set the token's identifier.
      *
-     * @param $identifier
+     * @param mixed $identifier
      */
     public function setIdentifier($identifier);
 
     /**
      * Get the token's expiry date time.
      *
-     * @return \DateTime
+     * @return DateTime
      */
     public function getExpiryDateTime();
 
     /**
      * Set the date time when the token expires.
      *
-     * @param \DateTime $dateTime
+     * @param DateTime $dateTime
      */
-    public function setExpiryDateTime(\DateTime $dateTime);
+    public function setExpiryDateTime(DateTime $dateTime);
 
     /**
      * Set the access token that the refresh token was associated with.
      *
-     * @param \League\OAuth2\Server\Entities\Interfaces\AccessTokenEntityInterface $accessToken
+     * @param AccessTokenEntityInterface $accessToken
      */
     public function setAccessToken(AccessTokenEntityInterface $accessToken);
 
     /**
      * Get the access token that the refresh token was originally associated with.
      *
-     * @return \League\OAuth2\Server\Entities\Interfaces\AccessTokenEntityInterface
+     * @return AccessTokenEntityInterface
      */
     public function getAccessToken();
-
-    /**
-     * Has the token expired?
-     *
-     * @return bool
-     */
-    public function isExpired();
 }

src/Entities/ScopeEntityInterface.php

@@ -0,0 +1,22 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Entities;
+
+use JsonSerializable;
+
+interface ScopeEntityInterface extends JsonSerializable
+{
+    /**
+     * Get the scope's identifier.
+     *
+     * @return string
+     */
+    public function getIdentifier();
+}

src/Entities/TokenInterface.php

@@ -1,6 +1,15 @@
 <?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
 
-namespace League\OAuth2\Server\Entities\Interfaces;
+namespace League\OAuth2\Server\Entities;
+
+use DateTime;
 
 interface TokenInterface
 {
@@ -14,35 +23,35 @@ interface TokenInterface
     /**
      * Set the token's identifier.
      *
-     * @param $identifier
+     * @param mixed $identifier
      */
     public function setIdentifier($identifier);
 
     /**
      * Get the token's expiry date time.
      *
-     * @return \DateTime
+     * @return DateTime
      */
     public function getExpiryDateTime();
 
     /**
      * Set the date time when the token expires.
      *
-     * @param \DateTime $dateTime
+     * @param DateTime $dateTime
      */
-    public function setExpiryDateTime(\DateTime $dateTime);
+    public function setExpiryDateTime(DateTime $dateTime);
 
     /**
      * Set the identifier of the user associated with the token.
      *
-     * @param string|int $identifier The identifier of the user
+     * @param string|int|null $identifier The identifier of the user
      */
     public function setUserIdentifier($identifier);
 
     /**
      * Get the token user's identifier.
      *
-     * @return string|int
+     * @return string|int|null
      */
     public function getUserIdentifier();
 
@@ -56,14 +65,14 @@ interface TokenInterface
     /**
      * Set the client that the token was issued to.
      *
-     * @param \League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface $client
+     * @param ClientEntityInterface $client
      */
     public function setClient(ClientEntityInterface $client);
 
     /**
      * Associate a scope with the token.
      *
-     * @param \League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface $scope
+     * @param ScopeEntityInterface $scope
      */
     public function addScope(ScopeEntityInterface $scope);
 
@@ -73,11 +82,4 @@ interface TokenInterface
      * @return ScopeEntityInterface[]
      */
     public function getScopes();
-
-    /**
-     * Has the token expired?
-     *
-     * @return bool
-     */
-    public function isExpired();
 }

src/Entities/Traits/AccessTokenTrait.php

@@ -0,0 +1,63 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Entities\Traits;
+
+use DateTime;
+use Lcobucci\JWT\Builder;
+use Lcobucci\JWT\Signer\Key;
+use Lcobucci\JWT\Signer\Rsa\Sha256;
+use Lcobucci\JWT\Token;
+use League\OAuth2\Server\CryptKey;
+use League\OAuth2\Server\Entities\ClientEntityInterface;
+use League\OAuth2\Server\Entities\ScopeEntityInterface;
+
+trait AccessTokenTrait
+{
+    /**
+     * Generate a JWT from the access token
+     *
+     * @param CryptKey $privateKey
+     *
+     * @return Token
+     */
+    public function convertToJWT(CryptKey $privateKey)
+    {
+        return (new Builder())
+            ->setAudience($this->getClient()->getIdentifier())
+            ->setId($this->getIdentifier(), true)
+            ->setIssuedAt(time())
+            ->setNotBefore(time())
+            ->setExpiration($this->getExpiryDateTime()->getTimestamp())
+            ->setSubject($this->getUserIdentifier())
+            ->set('scopes', $this->getScopes())
+            ->sign(new Sha256(), new Key($privateKey->getKeyPath(), $privateKey->getPassPhrase()))
+            ->getToken();
+    }
+
+    /**
+     * @return ClientEntityInterface
+     */
+    abstract public function getClient();
+
+    /**
+     * @return DateTime
+     */
+    abstract public function getExpiryDateTime();
+
+    /**
+     * @return string|int
+     */
+    abstract public function getUserIdentifier();
+
+    /**
+     * @return ScopeEntityInterface[]
+     */
+    abstract public function getScopes();
+}

src/Entities/Traits/AuthCodeTrait.php

@@ -0,0 +1,34 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Entities\Traits;
+
+trait AuthCodeTrait
+{
+    /**
+     * @var null|string
+     */
+    protected $redirectUri;
+
+    /**
+     * @return string|null
+     */
+    public function getRedirectUri()
+    {
+        return $this->redirectUri;
+    }
+
+    /**
+     * @param string $uri
+     */
+    public function setRedirectUri($uri)
+    {
+        $this->redirectUri = $uri;
+    }
+}

src/Entities/Traits/ClientTrait.php

@@ -0,0 +1,46 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Entities\Traits;
+
+trait ClientTrait
+{
+    /**
+     * @var string
+     */
+    protected $name;
+
+    /**
+     * @var string|string[]
+     */
+    protected $redirectUri;
+
+    /**
+     * Get the client's name.
+     *
+     * @return string
+     * @codeCoverageIgnore
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * Returns the registered redirect URI (as a string).
+     *
+     * Alternatively return an indexed array of redirect URIs.
+     *
+     * @return string|string[]
+     */
+    public function getRedirectUri()
+    {
+        return $this->redirectUri;
+    }
+}

src/Entities/Traits/EntityTrait.php

@@ -1,10 +1,17 @@
 <?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
 
 namespace League\OAuth2\Server\Entities\Traits;
 
 trait EntityTrait
 {
-    /*
+    /**
      * @var string
      */
     protected $identifier;

src/Entities/Traits/RefreshTokenTrait.php

@@ -1,9 +1,16 @@
 <?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
 
 namespace League\OAuth2\Server\Entities\Traits;
 
 use DateTime;
-use League\OAuth2\Server\Entities\Interfaces\AccessTokenEntityInterface;
+use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 
 trait RefreshTokenTrait
 {
@@ -52,14 +59,4 @@ trait RefreshTokenTrait
     {
         $this->expiryDateTime = $dateTime;
     }
-
-    /**
-     * Has the token expired?
-     *
-     * @return bool
-     */
-    public function isExpired()
-    {
-        return (new DateTime()) > $this->getExpiryDateTime();
-    }
 }

src/Entities/Traits/ScopeTrait.php

@@ -0,0 +1,28 @@
+<?php
+/**
+ * @author    Andrew Millington <andrew@noexceptions.io>
+ * @copyright Copyright (c) Andrew Millington
+ * @license   http://mit-license.org
+ *
+ * @link      https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Entities\Traits;
+
+trait ScopeTrait
+{
+    /**
+     * Serialize the object to the scopes string identifier when using json_encode().
+     *
+     * @return string
+     */
+    public function jsonSerialize()
+    {
+        return $this->getIdentifier();
+    }
+
+    /**
+     * @return string
+     */
+    abstract public function getIdentifier();
+}

src/Entities/Traits/TokenEntityTrait.php

@@ -1,10 +1,17 @@
 <?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
 
 namespace League\OAuth2\Server\Entities\Traits;
 
 use DateTime;
-use League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface;
-use League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface;
+use League\OAuth2\Server\Entities\ClientEntityInterface;
+use League\OAuth2\Server\Entities\ScopeEntityInterface;
 
 trait TokenEntityTrait
 {
@@ -19,7 +26,7 @@ trait TokenEntityTrait
     protected $expiryDateTime;
 
     /**
-     * @var string|int
+     * @var string|int|null
      */
     protected $userIdentifier;
 
@@ -31,7 +38,7 @@ trait TokenEntityTrait
     /**
      * Associate a scope with the token.
      *
-     * @param \League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface $scope
+     * @param ScopeEntityInterface $scope
      */
     public function addScope(ScopeEntityInterface $scope)
     {
@@ -71,7 +78,7 @@ trait TokenEntityTrait
     /**
      * Set the identifier of the user associated with the token.
      *
-     * @param string|int $identifier The identifier of the user
+     * @param string|int|null $identifier The identifier of the user
      */
     public function setUserIdentifier($identifier)
     {
@@ -81,7 +88,7 @@ trait TokenEntityTrait
     /**
      * Get the token user's identifier.
      *
-     * @return string|int
+     * @return string|int|null
      */
     public function getUserIdentifier()
     {
@@ -101,20 +108,10 @@ trait TokenEntityTrait
     /**
      * Set the client that the token was issued to.
      *
-     * @param \League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface $client
+     * @param ClientEntityInterface $client
      */
     public function setClient(ClientEntityInterface $client)
     {
         $this->client = $client;
     }
-
-    /**
-     * Has the token expired?
-     *
-     * @return bool
-     */
-    public function isExpired()
-    {
-        return (new DateTime()) > $this->getExpiryDateTime();
-    }
 }

src/Entities/UserEntityInterface.php

@@ -0,0 +1,20 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Entities;
+
+interface UserEntityInterface
+{
+    /**
+     * Return the user's identifier.
+     *
+     * @return mixed
+     */
+    public function getIdentifier();
+}

src/Exception/OAuthServerException.php

@@ -1,10 +1,19 @@
 <?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
 
 namespace League\OAuth2\Server\Exception;
 
+use Exception;
 use Psr\Http\Message\ResponseInterface;
+use Throwable;
 
-class OAuthServerException extends \Exception
+class OAuthServerException extends Exception
 {
     /**
      * @var int
@@ -26,6 +35,11 @@ class OAuthServerException extends \Exception
      */
     private $redirectUri;
 
+    /**
+     * @var array
+     */
+    private $payload;
+
     /**
      * Throw a new exception.
      *
@@ -35,14 +49,50 @@ class OAuthServerException extends \Exception
      * @param int         $httpStatusCode HTTP status code to send (default = 400)
      * @param null|string $hint           A helper hint
      * @param null|string $redirectUri    A HTTP URI to redirect the user back to
+     * @param Throwable   $previous       Previous exception
      */
-    public function __construct($message, $code, $errorType, $httpStatusCode = 400, $hint = null, $redirectUri = null)
+    public function __construct($message, $code, $errorType, $httpStatusCode = 400, $hint = null, $redirectUri = null, Throwable $previous = null)
     {
-        parent::__construct($message, $code);
+        parent::__construct($message, $code, $previous);
         $this->httpStatusCode = $httpStatusCode;
         $this->errorType = $errorType;
         $this->hint = $hint;
         $this->redirectUri = $redirectUri;
+        $this->payload = [
+            'error'             => $errorType,
+            'error_description' => $message,
+        ];
+        if ($hint !== null) {
+            $this->payload['hint'] = $hint;
+        }
+    }
+
+    /**
+     * Returns the current payload.
+     *
+     * @return array
+     */
+    public function getPayload()
+    {
+        $payload = $this->payload;
+
+        // The "message" property is deprecated and replaced by "error_description"
+        // TODO: remove "message" property
+        if (isset($payload['error_description']) && !isset($payload['message'])) {
+            $payload['message'] = $payload['error_description'];
+        }
+
+        return $payload;
+    }
+
+    /**
+     * Updates the current payload.
+     *
+     * @param array $payload
+     */
+    public function setPayload(array $payload)
+    {
+        $this->payload = $payload;
     }
 
     /**
@@ -53,7 +103,7 @@ class OAuthServerException extends \Exception
     public static function unsupportedGrantType()
     {
         $errorMessage = 'The authorization grant type is not supported by the authorization server.';
-        $hint = 'Check the `grant_type` parameter';
+        $hint = 'Check that all required parameters have been provided';
 
         return new static($errorMessage, 2, 'unsupported_grant_type', 400, $hint);
     }
@@ -62,17 +112,18 @@ class OAuthServerException extends \Exception
      * Invalid request error.
      *
      * @param string      $parameter The invalid parameter
-     * @param string|null $hint
+     * @param null|string $hint
+     * @param Throwable   $previous  Previous exception
      *
      * @return static
      */
-    public static function invalidRequest($parameter, $hint = null)
+    public static function invalidRequest($parameter, $hint = null, Throwable $previous = null)
     {
         $errorMessage = 'The request is missing a required parameter, includes an invalid parameter value, ' .
             'includes a parameter more than once, or is otherwise malformed.';
         $hint = ($hint === null) ? sprintf('Check the `%s` parameter', $parameter) : $hint;
 
-        return new static($errorMessage, 3, 'invalid_request', 400, $hint);
+        return new static($errorMessage, 3, 'invalid_request', 400, $hint, null, $previous);
     }
 
     /**
@@ -98,7 +149,15 @@ class OAuthServerException extends \Exception
     public static function invalidScope($scope, $redirectUri = null)
     {
         $errorMessage = 'The requested scope is invalid, unknown, or malformed';
-        $hint = sprintf('Check the `%s` scope', $scope);
+
+        if (empty($scope)) {
+            $hint = 'Specify a scope in the request or set a default scope';
+        } else {
+            $hint = sprintf(
+                'Check the `%s` scope',
+                htmlspecialchars($scope, ENT_QUOTES, 'UTF-8', false)
+            );
+        }
 
         return new static($errorMessage, 5, 'invalid_scope', 400, $hint, $redirectUri);
     }
@@ -116,42 +175,50 @@ class OAuthServerException extends \Exception
     /**
      * Server error.
      *
-     * @param $hint
+     * @param string    $hint
+     * @param Throwable $previous
      *
      * @return static
+     *
+     * @codeCoverageIgnore
      */
-    public static function serverError($hint)
+    public static function serverError($hint, Throwable $previous = null)
     {
         return new static(
             'The authorization server encountered an unexpected condition which prevented it from fulfilling'
             . ' the request: ' . $hint,
             7,
             'server_error',
-            500
+            500,
+            null,
+            null,
+            $previous
         );
     }
 
     /**
      * Invalid refresh token.
      *
-     * @param string|null $hint
+     * @param null|string $hint
+     * @param Throwable   $previous
      *
      * @return static
      */
-    public static function invalidRefreshToken($hint = null)
+    public static function invalidRefreshToken($hint = null, Throwable $previous = null)
     {
-        return new static('The refresh token is invalid.', 8, 'invalid_request', 400, $hint);
+        return new static('The refresh token is invalid.', 8, 'invalid_request', 401, $hint, null, $previous);
     }
 
     /**
      * Access denied.
      *
-     * @param string|null $hint
-     * @param string|null $redirectUri
+     * @param null|string $hint
+     * @param null|string $redirectUri
+     * @param Throwable   $previous
      *
      * @return static
      */
-    public static function accessDenied($hint = null, $redirectUri = null)
+    public static function accessDenied($hint = null, $redirectUri = null, Throwable $previous = null)
     {
         return new static(
             'The resource owner or authorization server denied the request.',
@@ -159,7 +226,28 @@ class OAuthServerException extends \Exception
             'access_denied',
             401,
             $hint,
-            $redirectUri
+            $redirectUri,
+            $previous
+        );
+    }
+
+    /**
+     * Invalid grant.
+     *
+     * @param string $hint
+     *
+     * @return static
+     */
+    public static function invalidGrant($hint = '')
+    {
+        return new static(
+            'The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token '
+                . 'is invalid, expired, revoked, does not match the redirection URI used in the authorization request, '
+                . 'or was issued to another client.',
+            10,
+            'invalid_grant',
+            400,
+            $hint
         );
     }
 
@@ -174,24 +262,17 @@ class OAuthServerException extends \Exception
     /**
      * Generate a HTTP response.
      *
-     * @param \Psr\Http\Message\ResponseInterface $response
-     * @param bool                                $useFragment True if errors should be in the URI fragment instead of
-     *                                                         query string
+     * @param ResponseInterface $response
+     * @param bool              $useFragment True if errors should be in the URI fragment instead of query string
+     * @param int               $jsonOptions options passed to json_encode
      *
-     * @return \Psr\Http\Message\ResponseInterface
+     * @return ResponseInterface
      */
-    public function generateHttpResponse(ResponseInterface $response, $useFragment = false)
+    public function generateHttpResponse(ResponseInterface $response, $useFragment = false, $jsonOptions = 0)
     {
         $headers = $this->getHttpHeaders();
 
-        $payload = [
-            'error'   => $this->getErrorType(),
-            'message' => $this->getMessage(),
-        ];
-
-        if ($this->hint !== null) {
-            $payload['hint'] = $this->hint;
-        }
+        $payload = $this->getPayload();
 
         if ($this->redirectUri !== null) {
             if ($useFragment === true) {
@@ -207,7 +288,7 @@ class OAuthServerException extends \Exception
             $response = $response->withHeader($header, $content);
         }
 
-        $response->getBody()->write(json_encode($payload));
+        $response->getBody()->write(json_encode($payload, $jsonOptions));
 
         return $response->withStatus($this->getHttpStatusCode());
     }
@@ -232,19 +313,30 @@ class OAuthServerException extends \Exception
         // include the "WWW-Authenticate" response header field
         // matching the authentication scheme used by the client.
         // @codeCoverageIgnoreStart
-        if ($this->errorType === 'invalid_client') {
-            $authScheme = 'Basic';
-            if (array_key_exists('HTTP_AUTHORIZATION', $_SERVER) !== false
-                && strpos($_SERVER['HTTP_AUTHORIZATION'], 'Bearer') === 0
-            ) {
-                $authScheme = 'Bearer';
-            }
-            $headers[] = 'WWW-Authenticate: ' . $authScheme . ' realm="OAuth"';
+        if ($this->errorType === 'invalid_client' && array_key_exists('HTTP_AUTHORIZATION', $_SERVER) !== false) {
+            $authScheme = strpos($_SERVER['HTTP_AUTHORIZATION'], 'Bearer') === 0 ? 'Bearer' : 'Basic';
+
+            $headers['WWW-Authenticate'] = $authScheme . ' realm="OAuth"';
         }
         // @codeCoverageIgnoreEnd
         return $headers;
     }
 
+    /**
+     * Check if the exception has an associated redirect URI.
+     *
+     * Returns whether the exception includes a redirect, since
+     * getHttpStatusCode() doesn't return a 302 when there's a
+     * redirect enabled. This helps when you want to override local
+     * error pages but want to let redirects through.
+     *
+     * @return bool
+     */
+    public function hasRedirect()
+    {
+        return $this->redirectUri !== null;
+    }
+
     /**
      * Returns the HTTP status code to send when the exceptions is output.
      *

src/Exception/UniqueTokenIdentifierConstraintViolationException.php

@@ -0,0 +1,23 @@
+<?php
+/**
+ * @author      Ivan Kurnosov <zerkms@zerkms.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Exception;
+
+class UniqueTokenIdentifierConstraintViolationException extends OAuthServerException
+{
+    /**
+     * @return UniqueTokenIdentifierConstraintViolationException
+     */
+    public static function create()
+    {
+        $errorMessage = 'Could not create unique access token identifier';
+
+        return new static($errorMessage, 100, 'access_token_duplicate', 500);
+    }
+}

src/Grant/AbstractAuthorizeGrant.php

@@ -11,45 +11,8 @@
 
 namespace League\OAuth2\Server\Grant;
 
-use League\OAuth2\Server\TemplateRenderer\PlatesRenderer;
-use League\OAuth2\Server\TemplateRenderer\RendererInterface;
-use League\Plates\Engine;
-
 abstract class AbstractAuthorizeGrant extends AbstractGrant
 {
-    /**
-     * @var \League\OAuth2\Server\TemplateRenderer\RendererInterface
-     */
-    protected $templateRenderer;
-
-    /**
-     * Set the template renderer
-     *
-     * @param RendererInterface $templateRenderer
-     */
-    public function setTemplateRenderer(RendererInterface $templateRenderer)
-    {
-        $this->templateRenderer = $templateRenderer;
-    }
-
-    /**
-     * Retrieve template renderer.
-     *
-     * @return \League\OAuth2\Server\TemplateRenderer\RendererInterface
-     */
-    protected function getTemplateRenderer()
-    {
-        if (!$this->templateRenderer instanceof RendererInterface) {
-            $this->templateRenderer = new PlatesRenderer(
-                new Engine(__DIR__ . '/../TemplateRenderer/DefaultTemplates'),
-                'login_user',
-                'authorize_client'
-            );
-        }
-
-        return $this->templateRenderer;
-    }
-
     /**
      * @param string $uri
      * @param array  $params

src/Grant/AbstractGrant.php

@@ -10,15 +10,20 @@
  */
 namespace League\OAuth2\Server\Grant;
 
+use DateInterval;
+use DateTime;
+use Error;
+use Exception;
 use League\Event\EmitterAwareTrait;
+use League\OAuth2\Server\CryptKey;
 use League\OAuth2\Server\CryptTrait;
-use League\OAuth2\Server\Entities\AccessTokenEntity;
-use League\OAuth2\Server\Entities\AuthCodeEntity;
-use League\OAuth2\Server\Entities\Interfaces\AccessTokenEntityInterface;
-use League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface;
-use League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface;
-use League\OAuth2\Server\Entities\RefreshTokenEntity;
+use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
+use League\OAuth2\Server\Entities\AuthCodeEntityInterface;
+use League\OAuth2\Server\Entities\ClientEntityInterface;
+use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
+use League\OAuth2\Server\Entities\ScopeEntityInterface;
 use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException;
 use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
 use League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface;
 use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
@@ -26,7 +31,10 @@ use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
 use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
 use League\OAuth2\Server\Repositories\UserRepositoryInterface;
 use League\OAuth2\Server\RequestEvent;
+use League\OAuth2\Server\RequestTypes\AuthorizationRequest;
+use LogicException;
 use Psr\Http\Message\ServerRequestInterface;
+use TypeError;
 
 /**
  * Abstract grant class.
@@ -37,10 +45,7 @@ abstract class AbstractGrant implements GrantTypeInterface
 
     const SCOPE_DELIMITER_STRING = ' ';
 
-    /**
-     * @var ServerRequestInterface
-     */
-    protected $request;
+    const MAX_RANDOM_TOKEN_GENERATION_ATTEMPTS = 10;
 
     /**
      * @var ClientRepositoryInterface
@@ -58,25 +63,35 @@ abstract class AbstractGrant implements GrantTypeInterface
     protected $scopeRepository;
 
     /**
-     * @var \League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface
+     * @var AuthCodeRepositoryInterface
      */
     protected $authCodeRepository;
 
     /**
-     * @var \League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface
+     * @var RefreshTokenRepositoryInterface
      */
     protected $refreshTokenRepository;
 
     /**
-     * @var \League\OAuth2\Server\Repositories\UserRepositoryInterface
+     * @var UserRepositoryInterface
      */
     protected $userRepository;
 
     /**
-     * @var \DateInterval
+     * @var DateInterval
      */
     protected $refreshTokenTTL;
 
+    /**
+     * @var CryptKey
+     */
+    protected $privateKey;
+
+    /**
+     * @string
+     */
+    protected $defaultScope;
+
     /**
      * @param ClientRepositoryInterface $clientRepository
      */
@@ -102,7 +117,7 @@ abstract class AbstractGrant implements GrantTypeInterface
     }
 
     /**
-     * @param \League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface $refreshTokenRepository
+     * @param RefreshTokenRepositoryInterface $refreshTokenRepository
      */
     public function setRefreshTokenRepository(RefreshTokenRepositoryInterface $refreshTokenRepository)
     {
@@ -110,7 +125,7 @@ abstract class AbstractGrant implements GrantTypeInterface
     }
 
     /**
-     * @param \League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface $authCodeRepository
+     * @param AuthCodeRepositoryInterface $authCodeRepository
      */
     public function setAuthCodeRepository(AuthCodeRepositoryInterface $authCodeRepository)
     {
@@ -118,7 +133,7 @@ abstract class AbstractGrant implements GrantTypeInterface
     }
 
     /**
-     * @param \League\OAuth2\Server\Repositories\UserRepositoryInterface $userRepository
+     * @param UserRepositoryInterface $userRepository
      */
     public function setUserRepository(UserRepositoryInterface $userRepository)
     {
@@ -128,101 +143,150 @@ abstract class AbstractGrant implements GrantTypeInterface
     /**
      * {@inheritdoc}
      */
-    public function setRefreshTokenTTL(\DateInterval $refreshTokenTTL)
+    public function setRefreshTokenTTL(DateInterval $refreshTokenTTL)
     {
         $this->refreshTokenTTL = $refreshTokenTTL;
     }
 
+    /**
+     * Set the private key
+     *
+     * @param CryptKey $key
+     */
+    public function setPrivateKey(CryptKey $key)
+    {
+        $this->privateKey = $key;
+    }
+
+    /**
+     * @param string $scope
+     */
+    public function setDefaultScope($scope)
+    {
+        $this->defaultScope = $scope;
+    }
+
     /**
      * Validate the client.
      *
-     * @param \Psr\Http\Message\ServerRequestInterface $request
+     * @param ServerRequestInterface $request
      *
-     * @throws \League\OAuth2\Server\Exception\OAuthServerException
+     * @throws OAuthServerException
      *
-     * @return \League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface
+     * @return ClientEntityInterface
      */
     protected function validateClient(ServerRequestInterface $request)
     {
-        $clientId = $this->getRequestParameter(
-            'client_id',
-            $request,
-            $this->getServerParameter('PHP_AUTH_USER', $request)
-        );
-        if (is_null($clientId)) {
-            throw OAuthServerException::invalidRequest('client_id', '`%s` parameter is missing');
+        list($basicAuthUser, $basicAuthPassword) = $this->getBasicAuthCredentials($request);
+
+        $clientId = $this->getRequestParameter('client_id', $request, $basicAuthUser);
+        if ($clientId === null) {
+            throw OAuthServerException::invalidRequest('client_id');
         }
 
         // If the client is confidential require the client secret
-        $clientSecret = $this->getRequestParameter(
-            'client_secret',
-            $request,
-            $this->getServerParameter('PHP_AUTH_PW', $request)
-        );
+        $clientSecret = $this->getRequestParameter('client_secret', $request, $basicAuthPassword);
 
         $client = $this->clientRepository->getClientEntity(
             $clientId,
             $this->getIdentifier(),
-            $clientSecret
+            $clientSecret,
+            true
         );
 
-        if (!$client instanceof ClientEntityInterface) {
-            $this->getEmitter()->emit(new RequestEvent('client.authentication.failed', $request));
+        if ($client instanceof ClientEntityInterface === false) {
+            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
             throw OAuthServerException::invalidClient();
         }
 
-        // If a redirect URI is provided ensure it matches what is pre-registered
         $redirectUri = $this->getRequestParameter('redirect_uri', $request, null);
-        if ($redirectUri !== null && (strcmp($client->getRedirectUri(), $redirectUri) !== 0)) {
-            throw OAuthServerException::invalidClient();
+
+        if ($redirectUri !== null) {
+            $this->validateRedirectUri($redirectUri, $client, $request);
         }
 
         return $client;
     }
 
+    /**
+     * Validate redirectUri from the request.
+     * If a redirect URI is provided ensure it matches what is pre-registered
+     *
+     * @param string                 $redirectUri
+     * @param ClientEntityInterface  $client
+     * @param ServerRequestInterface $request
+     *
+     * @throws OAuthServerException
+     */
+    protected function validateRedirectUri(
+        string $redirectUri,
+        ClientEntityInterface $client,
+        ServerRequestInterface $request
+    ) {
+        if (\is_string($client->getRedirectUri())
+            && (strcmp($client->getRedirectUri(), $redirectUri) !== 0)
+        ) {
+            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
+            throw OAuthServerException::invalidClient();
+        } elseif (\is_array($client->getRedirectUri())
+            && \in_array($redirectUri, $client->getRedirectUri(), true) === false
+        ) {
+            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
+            throw OAuthServerException::invalidClient();
+        }
+    }
+
     /**
      * Validate scopes in the request.
      *
-     * @param string                                                          $scopes
-     * @param \League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface $client
-     * @param string                                                          $redirectUri
+     * @param string|array $scopes
+     * @param string       $redirectUri
      *
-     * @throws \League\OAuth2\Server\Exception\OAuthServerException
+     * @throws OAuthServerException
      *
-     * @return \League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface[]
+     * @return ScopeEntityInterface[]
      */
-    public function validateScopes(
-        $scopes,
-        ClientEntityInterface $client,
-        $redirectUri = null
-    ) {
-        $scopesList = array_filter(
-            explode(self::SCOPE_DELIMITER_STRING, trim($scopes)),
-            function ($scope) {
-                return !empty($scope);
-            }
-        );
+    public function validateScopes($scopes, $redirectUri = null)
+    {
+        if (!\is_array($scopes)) {
+            $scopes = $this->convertScopesQueryStringToArray($scopes);
+        }
 
-        $scopes = [];
-        foreach ($scopesList as $scopeItem) {
+        $validScopes = [];
+
+        foreach ($scopes as $scopeItem) {
             $scope = $this->scopeRepository->getScopeEntityByIdentifier($scopeItem);
 
-            if (($scope instanceof ScopeEntityInterface) === false) {
+            if ($scope instanceof ScopeEntityInterface === false) {
                 throw OAuthServerException::invalidScope($scopeItem, $redirectUri);
             }
 
-            $scopes[] = $scope;
+            $validScopes[] = $scope;
         }
 
-        return $scopes;
+        return $validScopes;
+    }
+
+    /**
+     * Converts a scopes query string to an array to easily iterate for validation.
+     *
+     * @param string $scopes
+     *
+     * @return array
+     */
+    private function convertScopesQueryStringToArray($scopes)
+    {
+        return array_filter(explode(self::SCOPE_DELIMITER_STRING, trim($scopes)), function ($scope) {
+            return !empty($scope);
+        });
     }
 
     /**
      * Retrieve request parameter.
      *
-     * @param string                                   $parameter
-     * @param \Psr\Http\Message\ServerRequestInterface $request
-     * @param mixed                                    $default
+     * @param string                 $parameter
+     * @param ServerRequestInterface $request
+     * @param mixed                  $default
      *
      * @return null|string
      */
@@ -230,15 +294,48 @@ abstract class AbstractGrant implements GrantTypeInterface
     {
         $requestParameters = (array) $request->getParsedBody();
 
-        return isset($requestParameters[$parameter]) ? $requestParameters[$parameter] : $default;
+        return $requestParameters[$parameter] ?? $default;
+    }
+
+    /**
+     * Retrieve HTTP Basic Auth credentials with the Authorization header
+     * of a request. First index of the returned array is the username,
+     * second is the password (so list() will work). If the header does
+     * not exist, or is otherwise an invalid HTTP Basic header, return
+     * [null, null].
+     *
+     * @param ServerRequestInterface $request
+     *
+     * @return string[]|null[]
+     */
+    protected function getBasicAuthCredentials(ServerRequestInterface $request)
+    {
+        if (!$request->hasHeader('Authorization')) {
+            return [null, null];
+        }
+
+        $header = $request->getHeader('Authorization')[0];
+        if (strpos($header, 'Basic ') !== 0) {
+            return [null, null];
+        }
+
+        if (!($decoded = base64_decode(substr($header, 6)))) {
+            return [null, null];
+        }
+
+        if (strpos($decoded, ':') === false) {
+            return [null, null]; // HTTP Basic header without colon isn't valid
+        }
+
+        return explode(':', $decoded, 2);
     }
 
     /**
      * Retrieve query string parameter.
      *
-     * @param string                                   $parameter
-     * @param \Psr\Http\Message\ServerRequestInterface $request
-     * @param mixed                                    $default
+     * @param string                 $parameter
+     * @param ServerRequestInterface $request
+     * @param mixed                  $default
      *
      * @return null|string
      */
@@ -250,9 +347,9 @@ abstract class AbstractGrant implements GrantTypeInterface
     /**
      * Retrieve cookie parameter.
      *
-     * @param string                                   $parameter
-     * @param \Psr\Http\Message\ServerRequestInterface $request
-     * @param mixed                                    $default
+     * @param string                 $parameter
+     * @param ServerRequestInterface $request
+     * @param mixed                  $default
      *
      * @return null|string
      */
@@ -264,9 +361,9 @@ abstract class AbstractGrant implements GrantTypeInterface
     /**
      * Retrieve server parameter.
      *
-     * @param string                                   $parameter
-     * @param \Psr\Http\Message\ServerRequestInterface $request
-     * @param mixed                                    $default
+     * @param string                 $parameter
+     * @param ServerRequestInterface $request
+     * @param mixed                  $default
      *
      * @return null|string
      */
@@ -278,83 +375,130 @@ abstract class AbstractGrant implements GrantTypeInterface
     /**
      * Issue an access token.
      *
-     * @param \DateInterval                                                    $accessTokenTTL
-     * @param \League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface  $client
-     * @param string                                                           $userIdentifier
-     * @param \League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface[] $scopes
+     * @param DateInterval           $accessTokenTTL
+     * @param ClientEntityInterface  $client
+     * @param string|null            $userIdentifier
+     * @param ScopeEntityInterface[] $scopes
      *
-     * @return \League\OAuth2\Server\Entities\Interfaces\AccessTokenEntityInterface
+     * @throws OAuthServerException
+     * @throws UniqueTokenIdentifierConstraintViolationException
+     *
+     * @return AccessTokenEntityInterface
      */
     protected function issueAccessToken(
-        \DateInterval $accessTokenTTL,
+        DateInterval $accessTokenTTL,
         ClientEntityInterface $client,
         $userIdentifier,
         array $scopes = []
     ) {
-        $accessToken = new AccessTokenEntity();
-        $accessToken->setIdentifier($this->generateUniqueIdentifier());
-        $accessToken->setExpiryDateTime((new \DateTime())->add($accessTokenTTL));
+        $maxGenerationAttempts = self::MAX_RANDOM_TOKEN_GENERATION_ATTEMPTS;
+
+        $accessToken = $this->accessTokenRepository->getNewToken($client, $scopes, $userIdentifier);
         $accessToken->setClient($client);
         $accessToken->setUserIdentifier($userIdentifier);
+        $accessToken->setExpiryDateTime((new DateTime())->add($accessTokenTTL));
 
         foreach ($scopes as $scope) {
             $accessToken->addScope($scope);
         }
 
-        $this->accessTokenRepository->persistNewAccessToken($accessToken);
+        while ($maxGenerationAttempts-- > 0) {
+            $accessToken->setIdentifier($this->generateUniqueIdentifier());
+            try {
+                $this->accessTokenRepository->persistNewAccessToken($accessToken);
 
-        return $accessToken;
+                return $accessToken;
+            } catch (UniqueTokenIdentifierConstraintViolationException $e) {
+                if ($maxGenerationAttempts === 0) {
+                    throw $e;
+                }
+            }
+        }
     }
 
     /**
      * Issue an auth code.
      *
-     * @param \DateInterval                                                    $authCodeTTL
-     * @param \League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface  $client
-     * @param string                                                           $userIdentifier
-     * @param string                                                           $redirectUri
-     * @param \League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface[] $scopes
+     * @param DateInterval           $authCodeTTL
+     * @param ClientEntityInterface  $client
+     * @param string                 $userIdentifier
+     * @param string|null            $redirectUri
+     * @param ScopeEntityInterface[] $scopes
      *
-     * @return \League\OAuth2\Server\Entities\Interfaces\AuthCodeEntityInterface
+     * @throws OAuthServerException
+     * @throws UniqueTokenIdentifierConstraintViolationException
+     *
+     * @return AuthCodeEntityInterface
      */
     protected function issueAuthCode(
-        \DateInterval $authCodeTTL,
+        DateInterval $authCodeTTL,
         ClientEntityInterface $client,
         $userIdentifier,
         $redirectUri,
         array $scopes = []
     ) {
-        $authCode = new AuthCodeEntity();
-        $authCode->setIdentifier($this->generateUniqueIdentifier());
-        $authCode->setExpiryDateTime((new \DateTime())->add($authCodeTTL));
+        $maxGenerationAttempts = self::MAX_RANDOM_TOKEN_GENERATION_ATTEMPTS;
+
+        $authCode = $this->authCodeRepository->getNewAuthCode();
+        $authCode->setExpiryDateTime((new DateTime())->add($authCodeTTL));
         $authCode->setClient($client);
         $authCode->setUserIdentifier($userIdentifier);
-        $authCode->setRedirectUri($redirectUri);
+
+        if ($redirectUri !== null) {
+            $authCode->setRedirectUri($redirectUri);
+        }
 
         foreach ($scopes as $scope) {
             $authCode->addScope($scope);
         }
 
-        $this->authCodeRepository->persistNewAuthCode($authCode);
+        while ($maxGenerationAttempts-- > 0) {
+            $authCode->setIdentifier($this->generateUniqueIdentifier());
+            try {
+                $this->authCodeRepository->persistNewAuthCode($authCode);
 
-        return $authCode;
+                return $authCode;
+            } catch (UniqueTokenIdentifierConstraintViolationException $e) {
+                if ($maxGenerationAttempts === 0) {
+                    throw $e;
+                }
+            }
+        }
     }
 
     /**
-     * @param \League\OAuth2\Server\Entities\Interfaces\AccessTokenEntityInterface $accessToken
+     * @param AccessTokenEntityInterface $accessToken
      *
-     * @return \League\OAuth2\Server\Entities\Interfaces\RefreshTokenEntityInterface
+     * @throws OAuthServerException
+     * @throws UniqueTokenIdentifierConstraintViolationException
+     *
+     * @return RefreshTokenEntityInterface|null
      */
     protected function issueRefreshToken(AccessTokenEntityInterface $accessToken)
     {
-        $refreshToken = new RefreshTokenEntity();
-        $refreshToken->setIdentifier($this->generateUniqueIdentifier());
-        $refreshToken->setExpiryDateTime((new \DateTime())->add($this->refreshTokenTTL));
+        $refreshToken = $this->refreshTokenRepository->getNewRefreshToken();
+
+        if ($refreshToken === null) {
+            return null;
+        }
+
+        $refreshToken->setExpiryDateTime((new DateTime())->add($this->refreshTokenTTL));
         $refreshToken->setAccessToken($accessToken);
 
-        $this->refreshTokenRepository->persistNewRefreshToken($refreshToken);
+        $maxGenerationAttempts = self::MAX_RANDOM_TOKEN_GENERATION_ATTEMPTS;
 
-        return $refreshToken;
+        while ($maxGenerationAttempts-- > 0) {
+            $refreshToken->setIdentifier($this->generateUniqueIdentifier());
+            try {
+                $this->refreshTokenRepository->persistNewRefreshToken($refreshToken);
+
+                return $refreshToken;
+            } catch (UniqueTokenIdentifierConstraintViolationException $e) {
+                if ($maxGenerationAttempts === 0) {
+                    throw $e;
+                }
+            }
+        }
     }
 
     /**
@@ -362,7 +506,7 @@ abstract class AbstractGrant implements GrantTypeInterface
      *
      * @param int $length
      *
-     * @throws \League\OAuth2\Server\Exception\OAuthServerException
+     * @throws OAuthServerException
      *
      * @return string
      */
@@ -371,13 +515,13 @@ abstract class AbstractGrant implements GrantTypeInterface
         try {
             return bin2hex(random_bytes($length));
             // @codeCoverageIgnoreStart
-        } catch (\TypeError $e) {
-            throw OAuthServerException::serverError('An unexpected error has occurred');
-        } catch (\Error $e) {
-            throw OAuthServerException::serverError('An unexpected error has occurred');
-        } catch (\Exception $e) {
+        } catch (TypeError $e) {
+            throw OAuthServerException::serverError('An unexpected error has occurred', $e);
+        } catch (Error $e) {
+            throw OAuthServerException::serverError('An unexpected error has occurred', $e);
+        } catch (Exception $e) {
             // If you get this message, the CSPRNG failed hard.
-            throw OAuthServerException::serverError('Could not generate a random string');
+            throw OAuthServerException::serverError('Could not generate a random string', $e);
         }
         // @codeCoverageIgnoreEnd
     }
@@ -385,7 +529,7 @@ abstract class AbstractGrant implements GrantTypeInterface
     /**
      * {@inheritdoc}
      */
-    public function canRespondToRequest(ServerRequestInterface $request)
+    public function canRespondToAccessTokenRequest(ServerRequestInterface $request)
     {
         $requestParameters = (array) $request->getParsedBody();
 
@@ -394,4 +538,28 @@ abstract class AbstractGrant implements GrantTypeInterface
             && $requestParameters['grant_type'] === $this->getIdentifier()
         );
     }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function canRespondToAuthorizationRequest(ServerRequestInterface $request)
+    {
+        return false;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function validateAuthorizationRequest(ServerRequestInterface $request)
+    {
+        throw new LogicException('This grant cannot validate an authorization request');
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function completeAuthorizationRequest(AuthorizationRequest $authorizationRequest)
+    {
+        throw new LogicException('This grant cannot complete an authorization request');
+    }
 }

src/Grant/AuthCodeGrant.php

@@ -1,257 +1,81 @@
 <?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
 
 namespace League\OAuth2\Server\Grant;
 
 use DateInterval;
-use League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface;
-use League\OAuth2\Server\Entities\Interfaces\UserEntityInterface;
+use DateTime;
+use Exception;
+use League\OAuth2\Server\Entities\ClientEntityInterface;
+use League\OAuth2\Server\Entities\UserEntityInterface;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface;
 use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
-use League\OAuth2\Server\Repositories\UserRepositoryInterface;
 use League\OAuth2\Server\RequestEvent;
-use League\OAuth2\Server\ResponseTypes\HtmlResponse;
+use League\OAuth2\Server\RequestTypes\AuthorizationRequest;
 use League\OAuth2\Server\ResponseTypes\RedirectResponse;
 use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
-use League\OAuth2\Server\TemplateRenderer\RendererInterface;
+use LogicException;
 use Psr\Http\Message\ServerRequestInterface;
+use stdClass;
 
 class AuthCodeGrant extends AbstractAuthorizeGrant
 {
     /**
-     * @var \DateInterval
+     * @var DateInterval
      */
     private $authCodeTTL;
 
     /**
-     * @param \League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface     $authCodeRepository
-     * @param \League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface $refreshTokenRepository
-     * @param \League\OAuth2\Server\Repositories\UserRepositoryInterface         $userRepository
-     * @param \DateInterval                                                      $authCodeTTL
-     * @param \League\OAuth2\Server\TemplateRenderer\RendererInterface|null      $templateRenderer
+     * @var bool
+     */
+    private $enableCodeExchangeProof = false;
+
+    /**
+     * @param AuthCodeRepositoryInterface     $authCodeRepository
+     * @param RefreshTokenRepositoryInterface $refreshTokenRepository
+     * @param DateInterval                    $authCodeTTL
+     *
+     * @throws Exception
      */
     public function __construct(
         AuthCodeRepositoryInterface $authCodeRepository,
         RefreshTokenRepositoryInterface $refreshTokenRepository,
-        UserRepositoryInterface $userRepository,
-        \DateInterval $authCodeTTL,
-        RendererInterface $templateRenderer = null
+        DateInterval $authCodeTTL
     ) {
         $this->setAuthCodeRepository($authCodeRepository);
         $this->setRefreshTokenRepository($refreshTokenRepository);
-        $this->setUserRepository($userRepository);
         $this->authCodeTTL = $authCodeTTL;
-        $this->refreshTokenTTL = new \DateInterval('P1M');
-        $this->templateRenderer = $templateRenderer;
+        $this->refreshTokenTTL = new DateInterval('P1M');
     }
 
-    /**
-     * Respond to an authorization request.
-     *
-     * @param \Psr\Http\Message\ServerRequestInterface $request
-     *
-     * @throws \League\OAuth2\Server\Exception\OAuthServerException
-     *
-     * @return \Psr\Http\Message\ResponseInterface
-     */
-    protected function respondToAuthorizationRequest(
-        ServerRequestInterface $request
-    ) {
-        $clientId = $this->getQueryStringParameter(
-            'client_id',
-            $request,
-            $this->getServerParameter('PHP_AUTH_USER', $request)
-        );
-        if (is_null($clientId)) {
-            throw OAuthServerException::invalidRequest('client_id');
-        }
-
-        $client = $this->clientRepository->getClientEntity(
-            $clientId,
-            $this->getIdentifier()
-        );
-
-        if ($client instanceof ClientEntityInterface === false) {
-            $this->getEmitter()->emit(new RequestEvent('client.authentication.failed', $request));
-            throw OAuthServerException::invalidClient();
-        }
-
-        $redirectUriParameter = $this->getQueryStringParameter('redirect_uri', $request, $client->getRedirectUri());
-        if ($redirectUriParameter !== $client->getRedirectUri()) {
-            $this->getEmitter()->emit(new RequestEvent('client.authentication.failed', $request));
-            throw OAuthServerException::invalidClient();
-        }
-
-        $scopes = $this->validateScopes(
-            $this->getQueryStringParameter('scope', $request),
-            $client,
-            $client->getRedirectUri()
-        );
-
-        $postbackUri = sprintf(
-            '//%s%s',
-            $request->getServerParams()['HTTP_HOST'],
-            $request->getServerParams()['REQUEST_URI']
-        );
-
-        $userId = null;
-        $userHasApprovedClient = null;
-        if ($this->getRequestParameter('action', $request, null) !== null) {
-            $userHasApprovedClient = ($this->getRequestParameter('action', $request) === 'approve');
-        }
-
-        // Check if the user has been authenticated
-        $oauthCookie = $this->getCookieParameter('oauth_authorize_request', $request, null);
-        if ($oauthCookie !== null) {
-            try {
-                $oauthCookiePayload = json_decode($this->decrypt($oauthCookie));
-                if (is_object($oauthCookiePayload)) {
-                    $userId = $oauthCookiePayload->user_id;
-                }
-            } catch (\LogicException $e) {
-                throw OAuthServerException::serverError($e->getMessage());
-            }
-        }
-
-        // The username + password might be available in $_POST
-        $usernameParameter = $this->getRequestParameter('username', $request, null);
-        $passwordParameter = $this->getRequestParameter('password', $request, null);
-
-        $loginError = null;
-
-        // Assert if the user has logged in already
-        if ($userId === null && $usernameParameter !== null && $passwordParameter !== null) {
-            $userEntity = $this->userRepository->getUserEntityByUserCredentials(
-                $usernameParameter,
-                $passwordParameter,
-                $this->getIdentifier(),
-                $client
-            );
-
-            if ($userEntity instanceof UserEntityInterface) {
-                $userId = $userEntity->getIdentifier();
-            } else {
-                $loginError = 'Incorrect username or password';
-            }
-        }
-
-        // The user hasn't logged in yet so show a login form
-        if ($userId === null) {
-            $html = $this->getTemplateRenderer()->renderLogin([
-                'error'        => $loginError,
-                'postback_uri' => $this->makeRedirectUri(
-                    $postbackUri,
-                    $request->getQueryParams()
-                ),
-            ]);
-
-            $htmlResponse = new HtmlResponse($this->accessTokenRepository);
-            $htmlResponse->setStatusCode(403);
-            $htmlResponse->setHtml($html);
-
-            return $htmlResponse;
-        }
-
-        // The user hasn't approved the client yet so show an authorize form
-        if ($userId !== null && $userHasApprovedClient === null) {
-            $html = $this->getTemplateRenderer()->renderAuthorize([
-                'client'       => $client,
-                'scopes'       => $scopes,
-                'postback_uri' => $this->makeRedirectUri(
-                    $postbackUri,
-                    $request->getQueryParams()
-                ),
-            ]);
-
-            $htmlResponse = new HtmlResponse($this->accessTokenRepository);
-            $htmlResponse->setStatusCode(200);
-            $htmlResponse->setHtml($html);
-            $htmlResponse->setHeader('set-cookie', sprintf(
-                'oauth_authorize_request=%s; Expires=%s',
-                urlencode($this->encrypt(
-                    json_encode([
-                        'user_id' => $userId,
-                    ])
-                )),
-                (new \DateTime())->add(new \DateInterval('PT5M'))->format('D, d M Y H:i:s e')
-            ));
-
-            return $htmlResponse;
-        }
-
-        // The user has either approved or denied the client, so redirect them back
-        $redirectUri = $client->getRedirectUri();
-        $redirectPayload = [];
-
-        $stateParameter = $this->getQueryStringParameter('state', $request);
-        if ($stateParameter !== null) {
-            $redirectPayload['state'] = $stateParameter;
-        }
-
-        // THe user approved the client, redirect them back with an auth code
-        if ($userHasApprovedClient === true) {
-
-            // Finalize the requested scopes
-            $scopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client, $userId);
-
-            $authCode = $this->issueAuthCode(
-                $this->authCodeTTL,
-                $client,
-                $userId,
-                $redirectUri,
-                $scopes
-            );
-
-            $redirectPayload['code'] = $this->encrypt(
-                json_encode(
-                    [
-                        'client_id'    => $authCode->getClient()->getIdentifier(),
-                        'redirect_uri' => $authCode->getRedirectUri(),
-                        'auth_code_id' => $authCode->getIdentifier(),
-                        'scopes'       => $authCode->getScopes(),
-                        'user_id'      => $authCode->getUserIdentifier(),
-                        'expire_time'  => (new \DateTime())->add($this->authCodeTTL)->format('U'),
-                    ]
-                )
-            );
-
-            $response = new RedirectResponse($this->accessTokenRepository);
-            $response->setRedirectUri(
-                $this->makeRedirectUri(
-                    $redirectUri,
-                    $redirectPayload
-                )
-            );
-
-            return $response;
-        }
-
-        // The user denied the client, redirect them back with an error
-        throw OAuthServerException::accessDenied('The user denied the request', (string) $redirectUri);
+    public function enableCodeExchangeProof()
+    {
+        $this->enableCodeExchangeProof = true;
     }
 
     /**
      * Respond to an access token request.
      *
-     * @param \Psr\Http\Message\ServerRequestInterface                  $request
-     * @param \League\OAuth2\Server\ResponseTypes\ResponseTypeInterface $responseType
-     * @param \DateInterval                                             $accessTokenTTL
+     * @param ServerRequestInterface $request
+     * @param ResponseTypeInterface  $responseType
+     * @param DateInterval           $accessTokenTTL
      *
-     * @throws \League\OAuth2\Server\Exception\OAuthServerException
+     * @throws OAuthServerException
      *
-     * @return \League\OAuth2\Server\ResponseTypes\ResponseTypeInterface
+     * @return ResponseTypeInterface
      */
-    protected function respondToAccessTokenRequest(
+    public function respondToAccessTokenRequest(
         ServerRequestInterface $request,
         ResponseTypeInterface $responseType,
         DateInterval $accessTokenTTL
     ) {
-        // The redirect URI is required in this request
-        $redirectUri = $this->getRequestParameter('redirect_uri', $request, null);
-        if (is_null($redirectUri)) {
-            throw OAuthServerException::invalidRequest('redirect_uri');
-        }
-
         // Validate request
         $client = $this->validateClient($request);
         $encryptedAuthCode = $this->getRequestParameter('code', $request, null);
@@ -260,82 +84,119 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
             throw OAuthServerException::invalidRequest('code');
         }
 
-        // Validate the authorization code
         try {
             $authCodePayload = json_decode($this->decrypt($encryptedAuthCode));
-            if (time() > $authCodePayload->expire_time) {
-                throw OAuthServerException::invalidRequest('code', 'Authorization code has expired');
-            }
 
-            if ($this->authCodeRepository->isAuthCodeRevoked($authCodePayload->auth_code_id) === true) {
-                throw OAuthServerException::invalidRequest('code', 'Authorization code has been revoked');
-            }
+            $this->validateAuthorizationCode($authCodePayload, $client, $request);
 
-            if ($authCodePayload->client_id !== $client->getIdentifier()) {
-                throw OAuthServerException::invalidRequest('code', 'Authorization code was not issued to this client');
-            }
-
-            if ($authCodePayload->redirect_uri !== $redirectUri) {
-                throw OAuthServerException::invalidRequest('redirect_uri', 'Invalid redirect URI');
-            }
-
-            $scopes = [];
-            foreach ($authCodePayload->scopes as $scopeId) {
-                $scope = $this->scopeRepository->getScopeEntityByIdentifier($scopeId);
-
-                if (!$scope) {
-                    // @codeCoverageIgnoreStart
-                    throw OAuthServerException::invalidScope($scopeId);
-                    // @codeCoverageIgnoreEnd
-                }
-
-                $scopes[] = $scope;
-            }
-        } catch (\LogicException  $e) {
-            throw OAuthServerException::invalidRequest('code', 'Cannot decrypt the authorization code');
+            $scopes = $this->scopeRepository->finalizeScopes(
+                $this->validateScopes($authCodePayload->scopes),
+                $this->getIdentifier(),
+                $client,
+                $authCodePayload->user_id
+            );
+        } catch (LogicException $e) {
+            throw OAuthServerException::invalidRequest('code', 'Cannot decrypt the authorization code', $e);
         }
 
-        // Issue and persist access + refresh tokens
+        // Validate code challenge
+        if ($this->enableCodeExchangeProof === true) {
+            $codeVerifier = $this->getRequestParameter('code_verifier', $request, null);
+
+            if ($codeVerifier === null) {
+                throw OAuthServerException::invalidRequest('code_verifier');
+            }
+
+            // Validate code_verifier according to RFC-7636
+            // @see: https://tools.ietf.org/html/rfc7636#section-4.1
+            if (preg_match('/^[A-Za-z0-9-._~]{43,128}$/', $codeVerifier) !== 1) {
+                throw OAuthServerException::invalidRequest(
+                    'code_verifier',
+                    'Code Verifier must follow the specifications of RFC-7636.'
+                );
+            }
+
+            switch ($authCodePayload->code_challenge_method) {
+                case 'plain':
+                    if (hash_equals($codeVerifier, $authCodePayload->code_challenge) === false) {
+                        throw OAuthServerException::invalidGrant('Failed to verify `code_verifier`.');
+                    }
+
+                    break;
+                case 'S256':
+                    if (
+                        hash_equals(
+                            strtr(rtrim(base64_encode(hash('sha256', $codeVerifier, true)), '='), '+/', '-_'),
+                            $authCodePayload->code_challenge
+                        ) === false
+                    ) {
+                        throw OAuthServerException::invalidGrant('Failed to verify `code_verifier`.');
+                    }
+                    // @codeCoverageIgnoreStart
+                    break;
+                default:
+                    throw OAuthServerException::serverError(
+                        sprintf(
+                            'Unsupported code challenge method `%s`',
+                            $authCodePayload->code_challenge_method
+                        )
+                    );
+                // @codeCoverageIgnoreEnd
+            }
+        }
+
+        // Issue and persist new access token
         $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $authCodePayload->user_id, $scopes);
+        $this->getEmitter()->emit(new RequestEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request));
+        $responseType->setAccessToken($accessToken);
+
+        // Issue and persist new refresh token if given
         $refreshToken = $this->issueRefreshToken($accessToken);
 
-        // Inject tokens into response type
-        $responseType->setAccessToken($accessToken);
-        $responseType->setRefreshToken($refreshToken);
+        if ($refreshToken !== null) {
+            $this->getEmitter()->emit(new RequestEvent(RequestEvent::REFRESH_TOKEN_ISSUED, $request));
+            $responseType->setRefreshToken($refreshToken);
+        }
+
+        // Revoke used auth code
+        $this->authCodeRepository->revokeAuthCode($authCodePayload->auth_code_id);
 
         return $responseType;
     }
 
     /**
-     * {@inheritdoc}
+     * Validate the authorization code.
+     *
+     * @param stdClass               $authCodePayload
+     * @param ClientEntityInterface  $client
+     * @param ServerRequestInterface $request
      */
-    public function respondToRequest(
-        ServerRequestInterface $request,
-        ResponseTypeInterface $responseType,
-        \DateInterval $accessTokenTTL
+    private function validateAuthorizationCode(
+        $authCodePayload,
+        ClientEntityInterface $client,
+        ServerRequestInterface $request
     ) {
-        if (
-            array_key_exists('response_type', $request->getQueryParams())
-            && $request->getQueryParams()['response_type'] === 'code'
-        ) {
-            return $this->respondToAuthorizationRequest($request);
+        if (time() > $authCodePayload->expire_time) {
+            throw OAuthServerException::invalidRequest('code', 'Authorization code has expired');
         }
 
-        return $this->respondToAccessTokenRequest($request, $responseType, $accessTokenTTL);
-    }
+        if ($this->authCodeRepository->isAuthCodeRevoked($authCodePayload->auth_code_id) === true) {
+            throw OAuthServerException::invalidRequest('code', 'Authorization code has been revoked');
+        }
 
-    /**
-     * {@inheritdoc}
-     */
-    public function canRespondToRequest(ServerRequestInterface $request)
-    {
-        return
-            (
-                array_key_exists('response_type', $request->getQueryParams())
-                && $request->getQueryParams()['response_type'] === 'code'
-                && isset($request->getQueryParams()['client_id'])
-            )
-            || parent::canRespondToRequest($request);
+        if ($authCodePayload->client_id !== $client->getIdentifier()) {
+            throw OAuthServerException::invalidRequest('code', 'Authorization code was not issued to this client');
+        }
+
+        // The redirect URI is required in this request
+        $redirectUri = $this->getRequestParameter('redirect_uri', $request, null);
+        if (empty($authCodePayload->redirect_uri) === false && $redirectUri === null) {
+            throw OAuthServerException::invalidRequest('redirect_uri');
+        }
+
+        if ($authCodePayload->redirect_uri !== $redirectUri) {
+            throw OAuthServerException::invalidRequest('redirect_uri', 'Invalid redirect URI');
+        }
     }
 
     /**
@@ -347,4 +208,183 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
     {
         return 'authorization_code';
     }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function canRespondToAuthorizationRequest(ServerRequestInterface $request)
+    {
+        return (
+            array_key_exists('response_type', $request->getQueryParams())
+            && $request->getQueryParams()['response_type'] === 'code'
+            && isset($request->getQueryParams()['client_id'])
+        );
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function validateAuthorizationRequest(ServerRequestInterface $request)
+    {
+        $clientId = $this->getQueryStringParameter(
+            'client_id',
+            $request,
+            $this->getServerParameter('PHP_AUTH_USER', $request)
+        );
+
+        if ($clientId === null) {
+            throw OAuthServerException::invalidRequest('client_id');
+        }
+
+        $client = $this->clientRepository->getClientEntity(
+            $clientId,
+            $this->getIdentifier(),
+            null,
+            false
+        );
+
+        if ($client instanceof ClientEntityInterface === false) {
+            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
+            throw OAuthServerException::invalidClient();
+        }
+
+        $redirectUri = $this->getQueryStringParameter('redirect_uri', $request);
+
+        if ($redirectUri !== null) {
+            $this->validateRedirectUri($redirectUri, $client, $request);
+        } elseif (empty($client->getRedirectUri()) ||
+            (\is_array($client->getRedirectUri()) && \count($client->getRedirectUri()) !== 1)) {
+            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
+            throw OAuthServerException::invalidClient();
+        } else {
+            $redirectUri = \is_array($client->getRedirectUri())
+                ? $client->getRedirectUri()[0]
+                : $client->getRedirectUri();
+        }
+
+        $scopes = $this->validateScopes(
+            $this->getQueryStringParameter('scope', $request, $this->defaultScope),
+            $redirectUri
+        );
+
+        $stateParameter = $this->getQueryStringParameter('state', $request);
+
+        $authorizationRequest = new AuthorizationRequest();
+        $authorizationRequest->setGrantTypeId($this->getIdentifier());
+        $authorizationRequest->setClient($client);
+        $authorizationRequest->setRedirectUri($redirectUri);
+
+        if ($stateParameter !== null) {
+            $authorizationRequest->setState($stateParameter);
+        }
+
+        $authorizationRequest->setScopes($scopes);
+
+        if ($this->enableCodeExchangeProof === true) {
+            $codeChallenge = $this->getQueryStringParameter('code_challenge', $request);
+            if ($codeChallenge === null) {
+                throw OAuthServerException::invalidRequest('code_challenge');
+            }
+
+            $codeChallengeMethod = $this->getQueryStringParameter('code_challenge_method', $request, 'plain');
+
+            if (\in_array($codeChallengeMethod, ['plain', 'S256'], true) === false) {
+                throw OAuthServerException::invalidRequest(
+                    'code_challenge_method',
+                    'Code challenge method must be `plain` or `S256`'
+                );
+            }
+
+            // Validate code_challenge according to RFC-7636
+            // @see: https://tools.ietf.org/html/rfc7636#section-4.2
+            if (preg_match('/^[A-Za-z0-9-._~]{43,128}$/', $codeChallenge) !== 1) {
+                throw OAuthServerException::invalidRequest(
+                    'code_challenged',
+                    'Code challenge must follow the specifications of RFC-7636.'
+                );
+            }
+
+            $authorizationRequest->setCodeChallenge($codeChallenge);
+            $authorizationRequest->setCodeChallengeMethod($codeChallengeMethod);
+        }
+
+        return $authorizationRequest;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function completeAuthorizationRequest(AuthorizationRequest $authorizationRequest)
+    {
+        if ($authorizationRequest->getUser() instanceof UserEntityInterface === false) {
+            throw new LogicException('An instance of UserEntityInterface should be set on the AuthorizationRequest');
+        }
+
+        $finalRedirectUri = $authorizationRequest->getRedirectUri()
+                          ?? $this->getClientRedirectUri($authorizationRequest);
+
+        // The user approved the client, redirect them back with an auth code
+        if ($authorizationRequest->isAuthorizationApproved() === true) {
+            $authCode = $this->issueAuthCode(
+                $this->authCodeTTL,
+                $authorizationRequest->getClient(),
+                $authorizationRequest->getUser()->getIdentifier(),
+                $authorizationRequest->getRedirectUri(),
+                $authorizationRequest->getScopes()
+            );
+
+            $payload = [
+                'client_id'             => $authCode->getClient()->getIdentifier(),
+                'redirect_uri'          => $authCode->getRedirectUri(),
+                'auth_code_id'          => $authCode->getIdentifier(),
+                'scopes'                => $authCode->getScopes(),
+                'user_id'               => $authCode->getUserIdentifier(),
+                'expire_time'           => (new DateTime())->add($this->authCodeTTL)->format('U'),
+                'code_challenge'        => $authorizationRequest->getCodeChallenge(),
+                'code_challenge_method' => $authorizationRequest->getCodeChallengeMethod(),
+            ];
+
+            $response = new RedirectResponse();
+            $response->setRedirectUri(
+                $this->makeRedirectUri(
+                    $finalRedirectUri,
+                    [
+                        'code'  => $this->encrypt(
+                            json_encode(
+                                $payload
+                            )
+                        ),
+                        'state' => $authorizationRequest->getState(),
+                    ]
+                )
+            );
+
+            return $response;
+        }
+
+        // The user denied the client, redirect them back with an error
+        throw OAuthServerException::accessDenied(
+            'The user denied the request',
+            $this->makeRedirectUri(
+                $finalRedirectUri,
+                [
+                    'state' => $authorizationRequest->getState(),
+                ]
+            )
+        );
+    }
+
+    /**
+     * Get the client redirect URI if not set in the request.
+     *
+     * @param AuthorizationRequest $authorizationRequest
+     *
+     * @return string
+     */
+    private function getClientRedirectUri(AuthorizationRequest $authorizationRequest)
+    {
+        return \is_array($authorizationRequest->getClient()->getRedirectUri())
+                ? $authorizationRequest->getClient()->getRedirectUri()[0]
+                : $authorizationRequest->getClient()->getRedirectUri();
+    }
 }

src/Grant/ClientCredentialsGrant.php

@@ -8,8 +8,11 @@
  *
  * @link        https://github.com/thephpleague/oauth2-server
  */
+
 namespace League\OAuth2\Server\Grant;
 
+use DateInterval;
+use League\OAuth2\Server\RequestEvent;
 use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
 use Psr\Http\Message\ServerRequestInterface;
 
@@ -21,20 +24,23 @@ class ClientCredentialsGrant extends AbstractGrant
     /**
      * {@inheritdoc}
      */
-    public function respondToRequest(
+    public function respondToAccessTokenRequest(
         ServerRequestInterface $request,
         ResponseTypeInterface $responseType,
-        \DateInterval $accessTokenTTL
+        DateInterval $accessTokenTTL
     ) {
         // Validate request
         $client = $this->validateClient($request);
-        $scopes = $this->validateScopes($this->getRequestParameter('scope', $request), $client);
+        $scopes = $this->validateScopes($this->getRequestParameter('scope', $request, $this->defaultScope));
 
         // Finalize the requested scopes
-        $scopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client);
+        $finalizedScopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client);
 
         // Issue and persist access token
-        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $client->getIdentifier(), $scopes);
+        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, null, $finalizedScopes);
+
+        // Send event to emitter
+        $this->getEmitter()->emit(new RequestEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request));
 
         // Inject access token into response type
         $responseType->setAccessToken($accessToken);

src/Grant/GrantTypeInterface.php

@@ -8,12 +8,17 @@
  *
  * @link        https://github.com/thephpleague/oauth2-server
  */
+
 namespace League\OAuth2\Server\Grant;
 
+use DateInterval;
+use Defuse\Crypto\Key;
 use League\Event\EmitterAwareInterface;
+use League\OAuth2\Server\CryptKey;
 use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
 use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
 use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
+use League\OAuth2\Server\RequestTypes\AuthorizationRequest;
 use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
 use Psr\Http\Message\ServerRequestInterface;
 
@@ -25,9 +30,9 @@ interface GrantTypeInterface extends EmitterAwareInterface
     /**
      * Set refresh token TTL.
      *
-     * @param \DateInterval $refreshTokenTTL
+     * @param DateInterval $refreshTokenTTL
      */
-    public function setRefreshTokenTTL(\DateInterval $refreshTokenTTL);
+    public function setRefreshTokenTTL(DateInterval $refreshTokenTTL);
 
     /**
      * Return the grant identifier that can be used in matching up requests.
@@ -39,64 +44,101 @@ interface GrantTypeInterface extends EmitterAwareInterface
     /**
      * Respond to an incoming request.
      *
-     * @param \Psr\Http\Message\ServerRequestInterface                  $request
-     * @param \League\OAuth2\Server\ResponseTypes\ResponseTypeInterface $responseType
-     * @param \DateInterval                                             $accessTokenTTL
+     * @param ServerRequestInterface $request
+     * @param ResponseTypeInterface  $responseType
+     * @param DateInterval           $accessTokenTTL
      *
-     * @return \League\OAuth2\Server\ResponseTypes\ResponseTypeInterface
+     * @return ResponseTypeInterface
      */
-    public function respondToRequest(
+    public function respondToAccessTokenRequest(
         ServerRequestInterface $request,
         ResponseTypeInterface $responseType,
-        \DateInterval $accessTokenTTL
+        DateInterval $accessTokenTTL
     );
 
+    /**
+     * The grant type should return true if it is able to response to an authorization request
+     *
+     * @param ServerRequestInterface $request
+     *
+     * @return bool
+     */
+    public function canRespondToAuthorizationRequest(ServerRequestInterface $request);
+
+    /**
+     * If the grant can respond to an authorization request this method should be called to validate the parameters of
+     * the request.
+     *
+     * If the validation is successful an AuthorizationRequest object will be returned. This object can be safely
+     * serialized in a user's session, and can be used during user authentication and authorization.
+     *
+     * @param ServerRequestInterface $request
+     *
+     * @return AuthorizationRequest
+     */
+    public function validateAuthorizationRequest(ServerRequestInterface $request);
+
+    /**
+     * Once a user has authenticated and authorized the client the grant can complete the authorization request.
+     * The AuthorizationRequest object's $userId property must be set to the authenticated user and the
+     * $authorizationApproved property must reflect their desire to authorize or deny the client.
+     *
+     * @param AuthorizationRequest $authorizationRequest
+     *
+     * @return ResponseTypeInterface
+     */
+    public function completeAuthorizationRequest(AuthorizationRequest $authorizationRequest);
+
     /**
      * The grant type should return true if it is able to respond to this request.
      *
      * For example most grant types will check that the $_POST['grant_type'] property matches it's identifier property.
      *
-     * Some grants, such as the authorization code grant can respond to multiple requests
-     *  - i.e. a client requesting an authorization code and requesting an access token
-     *
-     * @param \Psr\Http\Message\ServerRequestInterface $request
+     * @param ServerRequestInterface $request
      *
      * @return bool
      */
-    public function canRespondToRequest(ServerRequestInterface $request);
+    public function canRespondToAccessTokenRequest(ServerRequestInterface $request);
 
     /**
      * Set the client repository.
      *
-     * @param \League\OAuth2\Server\Repositories\ClientRepositoryInterface $clientRepository
+     * @param ClientRepositoryInterface $clientRepository
      */
     public function setClientRepository(ClientRepositoryInterface $clientRepository);
 
     /**
      * Set the access token repository.
      *
-     * @param \League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface $accessTokenRepository
+     * @param AccessTokenRepositoryInterface $accessTokenRepository
      */
     public function setAccessTokenRepository(AccessTokenRepositoryInterface $accessTokenRepository);
 
     /**
      * Set the scope repository.
      *
-     * @param \League\OAuth2\Server\Repositories\ScopeRepositoryInterface $scopeRepository
+     * @param ScopeRepositoryInterface $scopeRepository
      */
     public function setScopeRepository(ScopeRepositoryInterface $scopeRepository);
 
     /**
-     * Set the path to the private key.
+     * Set the default scope.
      *
-     * @param string $privateKeyPath
+     * @param string $scope
      */
-    public function setPrivateKeyPath($privateKeyPath);
+    public function setDefaultScope($scope);
 
     /**
-     * Set the path to the public key.
+     * Set the path to the private key.
      *
-     * @param string $publicKeyPath
+     * @param CryptKey $privateKey
      */
-    public function setPublicKeyPath($publicKeyPath);
+    public function setPrivateKey(CryptKey $privateKey);
+
+    /**
+     * Set the encryption key
+     *
+     * @param string|Key|null $key
+     */
+    public function setEncryptionKey($key = null);
 }

src/Grant/ImplicitGrant.php

@@ -1,38 +1,75 @@
 <?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
 
 namespace League\OAuth2\Server\Grant;
 
-use League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface;
-use League\OAuth2\Server\Entities\Interfaces\UserEntityInterface;
+use DateInterval;
+use DateTime;
+use League\OAuth2\Server\Entities\ClientEntityInterface;
+use League\OAuth2\Server\Entities\UserEntityInterface;
 use League\OAuth2\Server\Exception\OAuthServerException;
-use League\OAuth2\Server\Repositories\UserRepositoryInterface;
+use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
 use League\OAuth2\Server\RequestEvent;
-use League\OAuth2\Server\ResponseTypes\HtmlResponse;
+use League\OAuth2\Server\RequestTypes\AuthorizationRequest;
 use League\OAuth2\Server\ResponseTypes\RedirectResponse;
 use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
-use League\OAuth2\Server\TemplateRenderer\RendererInterface;
+use LogicException;
 use Psr\Http\Message\ServerRequestInterface;
 
 class ImplicitGrant extends AbstractAuthorizeGrant
 {
     /**
-     * @param \League\OAuth2\Server\Repositories\UserRepositoryInterface    $userRepository
-     * @param \League\OAuth2\Server\TemplateRenderer\RendererInterface|null $templateRenderer
+     * @var DateInterval
      */
-    public function __construct(UserRepositoryInterface $userRepository, RendererInterface $templateRenderer = null)
+    private $accessTokenTTL;
+
+    /**
+     * @var string
+     */
+    private $queryDelimiter;
+
+    /**
+     * @param DateInterval $accessTokenTTL
+     * @param string       $queryDelimiter
+     */
+    public function __construct(DateInterval $accessTokenTTL, $queryDelimiter = '#')
     {
-        $this->setUserRepository($userRepository);
-        $this->refreshTokenTTL = new \DateInterval('P1M');
-        $this->templateRenderer = $templateRenderer;
+        $this->accessTokenTTL = $accessTokenTTL;
+        $this->queryDelimiter = $queryDelimiter;
+    }
+
+    /**
+     * @param DateInterval $refreshTokenTTL
+     *
+     * @throw LogicException
+     */
+    public function setRefreshTokenTTL(DateInterval $refreshTokenTTL)
+    {
+        throw new LogicException('The Implicit Grant does not return refresh tokens');
+    }
+
+    /**
+     * @param RefreshTokenRepositoryInterface $refreshTokenRepository
+     *
+     * @throw LogicException
+     */
+    public function setRefreshTokenRepository(RefreshTokenRepositoryInterface $refreshTokenRepository)
+    {
+        throw new LogicException('The Implicit Grant does not return refresh tokens');
     }
 
     /**
      * {@inheritdoc}
      */
-    public function canRespondToRequest(ServerRequestInterface $request)
+    public function canRespondToAccessTokenRequest(ServerRequestInterface $request)
     {
-        return (array_key_exists('response_type', $request->getQueryParams())
-            && $request->getQueryParams()['response_type'] === 'token');
+        return false;
     }
 
     /**
@@ -46,167 +83,139 @@ class ImplicitGrant extends AbstractAuthorizeGrant
     }
 
     /**
-     * {@inheritdoc}
+     * Respond to an incoming request.
+     *
+     * @param ServerRequestInterface $request
+     * @param ResponseTypeInterface  $responseType
+     * @param DateInterval           $accessTokenTTL
+     *
+     * @return ResponseTypeInterface
      */
-    public function respondToRequest(
+    public function respondToAccessTokenRequest(
         ServerRequestInterface $request,
         ResponseTypeInterface $responseType,
-        \DateInterval $accessTokenTTL
+        DateInterval $accessTokenTTL
     ) {
+        throw new LogicException('This grant does not used this method');
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function canRespondToAuthorizationRequest(ServerRequestInterface $request)
+    {
+        return (
+            isset($request->getQueryParams()['response_type'])
+            && $request->getQueryParams()['response_type'] === 'token'
+            && isset($request->getQueryParams()['client_id'])
+        );
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function validateAuthorizationRequest(ServerRequestInterface $request)
+    {
         $clientId = $this->getQueryStringParameter(
             'client_id',
             $request,
             $this->getServerParameter('PHP_AUTH_USER', $request)
         );
+
         if (is_null($clientId)) {
             throw OAuthServerException::invalidRequest('client_id');
         }
 
         $client = $this->clientRepository->getClientEntity(
             $clientId,
-            $this->getIdentifier()
+            $this->getIdentifier(),
+            null,
+            false
         );
 
         if ($client instanceof ClientEntityInterface === false) {
-            $this->getEmitter()->emit(new RequestEvent('client.authentication.failed', $request));
+            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
             throw OAuthServerException::invalidClient();
         }
 
-        $redirectUriParameter = $this->getQueryStringParameter('redirect_uri', $request, $client->getRedirectUri());
-        if ($redirectUriParameter !== $client->getRedirectUri()) {
-            $this->getEmitter()->emit(new RequestEvent('client.authentication.failed', $request));
+        $redirectUri = $this->getQueryStringParameter('redirect_uri', $request);
+
+        if ($redirectUri !== null) {
+            $this->validateRedirectUri($redirectUri, $client, $request);
+        } elseif (is_array($client->getRedirectUri()) && count($client->getRedirectUri()) !== 1
+            || empty($client->getRedirectUri())) {
+            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
             throw OAuthServerException::invalidClient();
+        } else {
+            $redirectUri = is_array($client->getRedirectUri())
+                ? $client->getRedirectUri()[0]
+                : $client->getRedirectUri();
         }
 
         $scopes = $this->validateScopes(
-            $this->getQueryStringParameter('scope', $request),
-            $client,
-            $client->getRedirectUri()
+            $this->getQueryStringParameter('scope', $request, $this->defaultScope),
+            $redirectUri
         );
 
-        $postbackUri = sprintf(
-            '//%s%s',
-            $request->getServerParams()['HTTP_HOST'],
-            $request->getServerParams()['REQUEST_URI']
-        );
-
-        $userId = null;
-        $userHasApprovedClient = null;
-        if ($this->getRequestParameter('action', $request, null) !== null) {
-            $userHasApprovedClient = ($this->getRequestParameter('action', $request) === 'approve');
-        }
-
-        // Check if the user has been authenticated
-        $oauthCookie = $this->getCookieParameter('oauth_authorize_request', $request, null);
-        if ($oauthCookie !== null) {
-            try {
-                $oauthCookiePayload = json_decode($this->decrypt($oauthCookie));
-                if (is_object($oauthCookiePayload)) {
-                    $userId = $oauthCookiePayload->user_id;
-                }
-            } catch (\LogicException $e) {
-                throw OAuthServerException::serverError($e->getMessage());
-            }
-        }
-
-        // The username + password might be available in $_POST
-        $usernameParameter = $this->getRequestParameter('username', $request, null);
-        $passwordParameter = $this->getRequestParameter('password', $request, null);
-
-        $loginError = null;
-
-        // Assert if the user has logged in already
-        if ($userId === null && $usernameParameter !== null && $passwordParameter !== null) {
-            $userEntity = $this->userRepository->getUserEntityByUserCredentials(
-                $usernameParameter,
-                $passwordParameter,
-                $this->getIdentifier(),
-                $client
-            );
-
-            if ($userEntity instanceof UserEntityInterface) {
-                $userId = $userEntity->getIdentifier();
-            } else {
-                $loginError = 'Incorrect username or password';
-            }
-        }
-
-        // The user hasn't logged in yet so show a login form
-        if ($userId === null) {
-            $html = $this->getTemplateRenderer()->renderLogin([
-                'error'        => $loginError,
-                'postback_uri' => $this->makeRedirectUri(
-                    $postbackUri,
-                    $request->getQueryParams()
-                ),
-            ]);
-
-            $htmlResponse = new HtmlResponse($this->accessTokenRepository);
-            $htmlResponse->setStatusCode(403);
-            $htmlResponse->setHtml($html);
-
-            return $htmlResponse;
-        }
-
-        // The user hasn't approved the client yet so show an authorize form
-        if ($userId !== null && $userHasApprovedClient === null) {
-            $html = $this->getTemplateRenderer()->renderAuthorize([
-                'client'       => $client,
-                'scopes'       => $scopes,
-                'postback_uri' => $this->makeRedirectUri(
-                    $postbackUri,
-                    $request->getQueryParams()
-                ),
-            ]);
-
-            $htmlResponse = new HtmlResponse($this->accessTokenRepository);
-            $htmlResponse->setStatusCode(200);
-            $htmlResponse->setHtml($html);
-            $htmlResponse->setHeader('set-cookie', sprintf(
-                'oauth_authorize_request=%s; Expires=%s',
-                urlencode($this->encrypt(
-                    json_encode([
-                        'user_id' => $userId,
-                    ])
-                )),
-                (new \DateTime())->add(new \DateInterval('PT5M'))->format('D, d M Y H:i:s e')
-            ));
-
-            return $htmlResponse;
-        }
-
-        // The user has either approved or denied the client, so redirect them back
-        $redirectUri = $client->getRedirectUri();
-        $redirectPayload = [];
-
         $stateParameter = $this->getQueryStringParameter('state', $request);
+
+        $authorizationRequest = new AuthorizationRequest();
+        $authorizationRequest->setGrantTypeId($this->getIdentifier());
+        $authorizationRequest->setClient($client);
+        $authorizationRequest->setRedirectUri($redirectUri);
+
         if ($stateParameter !== null) {
-            $redirectPayload['state'] = $stateParameter;
+            $authorizationRequest->setState($stateParameter);
         }
 
-        // THe user approved the client, redirect them back with an access token
-        if ($userHasApprovedClient === true) {
+        $authorizationRequest->setScopes($scopes);
 
+        return $authorizationRequest;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function completeAuthorizationRequest(AuthorizationRequest $authorizationRequest)
+    {
+        if ($authorizationRequest->getUser() instanceof UserEntityInterface === false) {
+            throw new LogicException('An instance of UserEntityInterface should be set on the AuthorizationRequest');
+        }
+
+        $finalRedirectUri = ($authorizationRequest->getRedirectUri() === null)
+            ? is_array($authorizationRequest->getClient()->getRedirectUri())
+                ? $authorizationRequest->getClient()->getRedirectUri()[0]
+                : $authorizationRequest->getClient()->getRedirectUri()
+            : $authorizationRequest->getRedirectUri();
+
+        // The user approved the client, redirect them back with an access token
+        if ($authorizationRequest->isAuthorizationApproved() === true) {
             // Finalize the requested scopes
-            $scopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client, $userId);
-
-            $accessToken = $this->issueAccessToken(
-                $accessTokenTTL,
-                $client,
-                $userId,
-                $scopes
+            $finalizedScopes = $this->scopeRepository->finalizeScopes(
+                $authorizationRequest->getScopes(),
+                $this->getIdentifier(),
+                $authorizationRequest->getClient(),
+                $authorizationRequest->getUser()->getIdentifier()
             );
 
-            $redirectPayload['access_token'] = (string) $accessToken->convertToJWT($this->privateKeyPath);
-            $redirectPayload['token_type'] = 'bearer';
-            $redirectPayload['expires_in'] = time() - $accessToken->getExpiryDateTime()->getTimestamp();
+            $accessToken = $this->issueAccessToken(
+                $this->accessTokenTTL,
+                $authorizationRequest->getClient(),
+                $authorizationRequest->getUser()->getIdentifier(),
+                $finalizedScopes
+            );
 
-            $response = new RedirectResponse($this->accessTokenRepository);
+            $response = new RedirectResponse();
             $response->setRedirectUri(
                 $this->makeRedirectUri(
-                    $redirectUri,
-                    $redirectPayload,
-                    '#'
+                    $finalRedirectUri,
+                    [
+                        'access_token' => (string) $accessToken->convertToJWT($this->privateKey),
+                        'token_type'   => 'Bearer',
+                        'expires_in'   => $accessToken->getExpiryDateTime()->getTimestamp() - (new DateTime())->getTimestamp(),
+                        'state'        => $authorizationRequest->getState(),
+                    ],
+                    $this->queryDelimiter
                 )
             );
 
@@ -214,6 +223,14 @@ class ImplicitGrant extends AbstractAuthorizeGrant
         }
 
         // The user denied the client, redirect them back with an error
-        throw OAuthServerException::accessDenied('The user denied the request', (string) $redirectUri);
+        throw OAuthServerException::accessDenied(
+            'The user denied the request',
+            $this->makeRedirectUri(
+                $finalRedirectUri,
+                [
+                    'state' => $authorizationRequest->getState(),
+                ]
+            )
+        );
     }
 }

src/Grant/PasswordGrant.php

@@ -8,10 +8,12 @@
  *
  * @link        https://github.com/thephpleague/oauth2-server
  */
+
 namespace League\OAuth2\Server\Grant;
 
-use League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface;
-use League\OAuth2\Server\Entities\Interfaces\UserEntityInterface;
+use DateInterval;
+use League\OAuth2\Server\Entities\ClientEntityInterface;
+use League\OAuth2\Server\Entities\UserEntityInterface;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
 use League\OAuth2\Server\Repositories\UserRepositoryInterface;
@@ -25,8 +27,8 @@ use Psr\Http\Message\ServerRequestInterface;
 class PasswordGrant extends AbstractGrant
 {
     /**
-     * @param \League\OAuth2\Server\Repositories\UserRepositoryInterface         $userRepository
-     * @param \League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface $refreshTokenRepository
+     * @param UserRepositoryInterface         $userRepository
+     * @param RefreshTokenRepositoryInterface $refreshTokenRepository
      */
     public function __construct(
         UserRepositoryInterface $userRepository,
@@ -35,54 +37,59 @@ class PasswordGrant extends AbstractGrant
         $this->setUserRepository($userRepository);
         $this->setRefreshTokenRepository($refreshTokenRepository);
 
-        $this->refreshTokenTTL = new \DateInterval('P1M');
+        $this->refreshTokenTTL = new DateInterval('P1M');
     }
 
     /**
      * {@inheritdoc}
      */
-    public function respondToRequest(
+    public function respondToAccessTokenRequest(
         ServerRequestInterface $request,
         ResponseTypeInterface $responseType,
-        \DateInterval $accessTokenTTL
+        DateInterval $accessTokenTTL
     ) {
         // Validate request
         $client = $this->validateClient($request);
-        $scopes = $this->validateScopes($this->getRequestParameter('scope', $request), $client);
+        $scopes = $this->validateScopes($this->getRequestParameter('scope', $request, $this->defaultScope));
         $user = $this->validateUser($request, $client);
 
         // Finalize the requested scopes
-        $scopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client, $user->getIdentifier());
+        $finalizedScopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client, $user->getIdentifier());
 
-        // Issue and persist new tokens
-        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $user->getIdentifier(), $scopes);
+        // Issue and persist new access token
+        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $user->getIdentifier(), $finalizedScopes);
+        $this->getEmitter()->emit(new RequestEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request));
+        $responseType->setAccessToken($accessToken);
+
+        // Issue and persist new refresh token if given
         $refreshToken = $this->issueRefreshToken($accessToken);
 
-        // Inject tokens into response
-        $responseType->setAccessToken($accessToken);
-        $responseType->setRefreshToken($refreshToken);
+        if ($refreshToken !== null) {
+            $this->getEmitter()->emit(new RequestEvent(RequestEvent::REFRESH_TOKEN_ISSUED, $request));
+            $responseType->setRefreshToken($refreshToken);
+        }
 
         return $responseType;
     }
 
     /**
-     * @param \Psr\Http\Message\ServerRequestInterface                        $request
-     * @param \League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface $client
+     * @param ServerRequestInterface $request
+     * @param ClientEntityInterface  $client
      *
-     * @throws \League\OAuth2\Server\Exception\OAuthServerException
+     * @throws OAuthServerException
      *
-     * @return \League\OAuth2\Server\Entities\Interfaces\UserEntityInterface
+     * @return UserEntityInterface
      */
     protected function validateUser(ServerRequestInterface $request, ClientEntityInterface $client)
     {
         $username = $this->getRequestParameter('username', $request);
         if (is_null($username)) {
-            throw OAuthServerException::invalidRequest('username', '`%s` parameter is missing');
+            throw OAuthServerException::invalidRequest('username');
         }
 
         $password = $this->getRequestParameter('password', $request);
         if (is_null($password)) {
-            throw OAuthServerException::invalidRequest('password', '`%s` parameter is missing');
+            throw OAuthServerException::invalidRequest('password');
         }
 
         $user = $this->userRepository->getUserEntityByUserCredentials(
@@ -91,8 +98,8 @@ class PasswordGrant extends AbstractGrant
             $this->getIdentifier(),
             $client
         );
-        if (!$user instanceof UserEntityInterface) {
-            $this->getEmitter()->emit(new RequestEvent('user.authentication.failed', $request));
+        if ($user instanceof UserEntityInterface === false) {
+            $this->getEmitter()->emit(new RequestEvent(RequestEvent::USER_AUTHENTICATION_FAILED, $request));
 
             throw OAuthServerException::invalidCredentials();
         }

src/Grant/RefreshTokenGrant.php

@@ -8,8 +8,11 @@
  *
  * @link        https://github.com/thephpleague/oauth2-server
  */
+
 namespace League\OAuth2\Server\Grant;
 
+use DateInterval;
+use Exception;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
 use League\OAuth2\Server\RequestEvent;
@@ -22,48 +25,37 @@ use Psr\Http\Message\ServerRequestInterface;
 class RefreshTokenGrant extends AbstractGrant
 {
     /**
-     * @param \League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface $refreshTokenRepository
+     * @param RefreshTokenRepositoryInterface $refreshTokenRepository
      */
     public function __construct(RefreshTokenRepositoryInterface $refreshTokenRepository)
     {
         $this->setRefreshTokenRepository($refreshTokenRepository);
 
-        $this->refreshTokenTTL = new \DateInterval('P1M');
+        $this->refreshTokenTTL = new DateInterval('P1M');
     }
 
     /**
      * {@inheritdoc}
      */
-    public function respondToRequest(
+    public function respondToAccessTokenRequest(
         ServerRequestInterface $request,
         ResponseTypeInterface $responseType,
-        \DateInterval $accessTokenTTL
+        DateInterval $accessTokenTTL
     ) {
         // Validate request
         $client = $this->validateClient($request);
         $oldRefreshToken = $this->validateOldRefreshToken($request, $client->getIdentifier());
-        $scopes = $this->validateScopes($this->getRequestParameter('scope', $request), $client);
+        $scopes = $this->validateScopes($this->getRequestParameter(
+            'scope',
+            $request,
+            implode(self::SCOPE_DELIMITER_STRING, $oldRefreshToken['scopes']))
+        );
 
-        // If no new scopes are requested then give the access token the original session scopes
-        if (count($scopes) === 0) {
-            $scopes = array_map(function ($scopeId) use ($client) {
-                $scope = $this->scopeRepository->getScopeEntityByIdentifier($scopeId);
-
-                if (!$scope) {
-                    // @codeCoverageIgnoreStart
-                    throw OAuthServerException::invalidScope($scopeId);
-                    // @codeCoverageIgnoreEnd
-                }
-
-                return $scope;
-            }, $oldRefreshToken['scopes']);
-        } else {
-            // The OAuth spec says that a refreshed access token can have the original scopes or fewer so ensure
-            // the request doesn't include any new scopes
-            foreach ($scopes as $scope) {
-                if (in_array($scope->getIdentifier(), $oldRefreshToken['scopes']) === false) {
-                    throw OAuthServerException::invalidScope($scope->getIdentifier());
-                }
+        // The OAuth spec says that a refreshed access token can have the original scopes or fewer so ensure
+        // the request doesn't include any new scopes
+        foreach ($scopes as $scope) {
+            if (in_array($scope->getIdentifier(), $oldRefreshToken['scopes'], true) === false) {
+                throw OAuthServerException::invalidScope($scope->getIdentifier());
             }
         }
 
@@ -71,22 +63,27 @@ class RefreshTokenGrant extends AbstractGrant
         $this->accessTokenRepository->revokeAccessToken($oldRefreshToken['access_token_id']);
         $this->refreshTokenRepository->revokeRefreshToken($oldRefreshToken['refresh_token_id']);
 
-        // Issue and persist new tokens
+        // Issue and persist new access token
         $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $oldRefreshToken['user_id'], $scopes);
+        $this->getEmitter()->emit(new RequestEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request));
+        $responseType->setAccessToken($accessToken);
+
+        // Issue and persist new refresh token if given
         $refreshToken = $this->issueRefreshToken($accessToken);
 
-        // Inject tokens into response
-        $responseType->setAccessToken($accessToken);
-        $responseType->setRefreshToken($refreshToken);
+        if ($refreshToken !== null) {
+            $this->getEmitter()->emit(new RequestEvent(RequestEvent::REFRESH_TOKEN_ISSUED, $request));
+            $responseType->setRefreshToken($refreshToken);
+        }
 
         return $responseType;
     }
 
     /**
-     * @param \Psr\Http\Message\ServerRequestInterface $request
-     * @param string                                   $clientId
+     * @param ServerRequestInterface $request
+     * @param string                 $clientId
      *
-     * @throws \League\OAuth2\Server\Exception\OAuthServerException
+     * @throws OAuthServerException
      *
      * @return array
      */
@@ -100,18 +97,14 @@ class RefreshTokenGrant extends AbstractGrant
         // Validate refresh token
         try {
             $refreshToken = $this->decrypt($encryptedRefreshToken);
-        } catch (\LogicException $e) {
-            throw OAuthServerException::invalidRefreshToken('Cannot parse refresh token: ' . $e->getMessage());
+        } catch (Exception $e) {
+            throw OAuthServerException::invalidRefreshToken('Cannot decrypt the refresh token', $e);
         }
 
         $refreshTokenData = json_decode($refreshToken, true);
         if ($refreshTokenData['client_id'] !== $clientId) {
-            $this->getEmitter()->emit(new RequestEvent('refresh_token.client.failed', $request));
-            throw OAuthServerException::invalidRefreshToken(
-                'Token is not linked to client,' .
-                ' got: ' . $clientId .
-                ' expected: ' . $refreshTokenData['client_id']
-            );
+            $this->getEmitter()->emit(new RequestEvent(RequestEvent::REFRESH_TOKEN_CLIENT_FAILED, $request));
+            throw OAuthServerException::invalidRefreshToken('Token is not linked to client');
         }
 
         if ($refreshTokenData['expire_time'] < time()) {

src/Middleware/AuthenticationServerMiddleware.php

@@ -1,51 +0,0 @@
-<?php
-
-namespace League\OAuth2\Server\Middleware;
-
-use League\OAuth2\Server\Exception\OAuthServerException;
-use League\OAuth2\Server\Server;
-use Psr\Http\Message\ResponseInterface;
-use Psr\Http\Message\ServerRequestInterface;
-
-class AuthenticationServerMiddleware
-{
-    /**
-     * @var \League\OAuth2\Server\Server
-     */
-    private $server;
-
-    /**
-     * AuthenticationServerMiddleware constructor.
-     *
-     * @param \League\OAuth2\Server\Server $server
-     */
-    public function __construct(Server $server)
-    {
-        $this->server = $server;
-    }
-
-    /**
-     * @param \Psr\Http\Message\ServerRequestInterface $request
-     * @param \Psr\Http\Message\ResponseInterface      $response
-     * @param callable                                 $next
-     *
-     * @return \Psr\Http\Message\ResponseInterface
-     */
-    public function __invoke(ServerRequestInterface $request, ResponseInterface $response, callable $next)
-    {
-        try {
-            $response = $this->server->respondToRequest($request, $response);
-        } catch (OAuthServerException $exception) {
-            return $exception->generateHttpResponse($response);
-            // @codeCoverageIgnoreStart
-        } catch (\Exception $exception) {
-            $response->getBody()->write($exception->getMessage());
-
-            return $response->withStatus(500);
-            // @codeCoverageIgnoreEnd
-        }
-
-        // Pass the request and response on to the next responder in the chain
-        return $next($request, $response);
-    }
-}

src/Middleware/AuthorizationServerMiddleware.php

@@ -0,0 +1,56 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Middleware;
+
+use Exception;
+use League\OAuth2\Server\AuthorizationServer;
+use League\OAuth2\Server\Exception\OAuthServerException;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+
+class AuthorizationServerMiddleware
+{
+    /**
+     * @var AuthorizationServer
+     */
+    private $server;
+
+    /**
+     * @param AuthorizationServer $server
+     */
+    public function __construct(AuthorizationServer $server)
+    {
+        $this->server = $server;
+    }
+
+    /**
+     * @param ServerRequestInterface $request
+     * @param ResponseInterface      $response
+     * @param callable               $next
+     *
+     * @return ResponseInterface
+     */
+    public function __invoke(ServerRequestInterface $request, ResponseInterface $response, callable $next)
+    {
+        try {
+            $response = $this->server->respondToAccessTokenRequest($request, $response);
+        } catch (OAuthServerException $exception) {
+            return $exception->generateHttpResponse($response);
+            // @codeCoverageIgnoreStart
+        } catch (Exception $exception) {
+            return (new OAuthServerException($exception->getMessage(), 0, 'unknown_error', 500))
+                ->generateHttpResponse($response);
+            // @codeCoverageIgnoreEnd
+        }
+
+        // Pass the request and response on to the next responder in the chain
+        return $next($request, $response);
+    }
+}

src/Middleware/ResourceServerMiddleware.php

@@ -1,35 +1,41 @@
 <?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
 
 namespace League\OAuth2\Server\Middleware;
 
+use Exception;
 use League\OAuth2\Server\Exception\OAuthServerException;
-use League\OAuth2\Server\Server;
+use League\OAuth2\Server\ResourceServer;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 
 class ResourceServerMiddleware
 {
     /**
-     * @var \League\OAuth2\Server\Server
+     * @var ResourceServer
      */
     private $server;
 
     /**
-     * ResourceServerMiddleware constructor.
-     *
-     * @param \League\OAuth2\Server\Server $server
+     * @param ResourceServer $server
      */
-    public function __construct(Server $server)
+    public function __construct(ResourceServer $server)
     {
         $this->server = $server;
     }
 
     /**
-     * @param \Psr\Http\Message\ServerRequestInterface $request
-     * @param \Psr\Http\Message\ResponseInterface      $response
-     * @param callable                                 $next
+     * @param ServerRequestInterface $request
+     * @param ResponseInterface      $response
+     * @param callable               $next
      *
-     * @return \Psr\Http\Message\ResponseInterface
+     * @return ResponseInterface
      */
     public function __invoke(ServerRequestInterface $request, ResponseInterface $response, callable $next)
     {
@@ -38,10 +44,9 @@ class ResourceServerMiddleware
         } catch (OAuthServerException $exception) {
             return $exception->generateHttpResponse($response);
             // @codeCoverageIgnoreStart
-        } catch (\Exception $exception) {
-            $response->getBody()->write($exception->getMessage());
-
-            return $response->withStatus(500);
+        } catch (Exception $exception) {
+            return (new OAuthServerException($exception->getMessage(), 0, 'unknown_error', 500))
+                ->generateHttpResponse($response);
             // @codeCoverageIgnoreEnd
         }
 

src/Repositories/AccessTokenRepositoryInterface.php

@@ -1,26 +1,41 @@
 <?php
 /**
- * OAuth 2.0 Access token storage interface.
- *
  * @author      Alex Bilbie <hello@alexbilbie.com>
  * @copyright   Copyright (c) Alex Bilbie
  * @license     http://mit-license.org/
  *
  * @link        https://github.com/thephpleague/oauth2-server
  */
+
 namespace League\OAuth2\Server\Repositories;
 
-use League\OAuth2\Server\Entities\Interfaces\AccessTokenEntityInterface;
+use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
+use League\OAuth2\Server\Entities\ClientEntityInterface;
+use League\OAuth2\Server\Entities\ScopeEntityInterface;
+use League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException;
 
 /**
  * Access token interface.
  */
 interface AccessTokenRepositoryInterface extends RepositoryInterface
 {
+    /**
+     * Create a new access token
+     *
+     * @param ClientEntityInterface  $clientEntity
+     * @param ScopeEntityInterface[] $scopes
+     * @param mixed                  $userIdentifier
+     *
+     * @return AccessTokenEntityInterface
+     */
+    public function getNewToken(ClientEntityInterface $clientEntity, array $scopes, $userIdentifier = null);
+
     /**
      * Persists a new access token to permanent storage.
      *
-     * @param \League\OAuth2\Server\Entities\Interfaces\AccessTokenEntityInterface $accessTokenEntity
+     * @param AccessTokenEntityInterface $accessTokenEntity
+     *
+     * @throws UniqueTokenIdentifierConstraintViolationException
      */
     public function persistNewAccessToken(AccessTokenEntityInterface $accessTokenEntity);
 

src/Repositories/AuthCodeRepositoryInterface.php

@@ -1,26 +1,35 @@
 <?php
 /**
- * OAuth 2.0 Auth code storage interface.
- *
  * @author      Alex Bilbie <hello@alexbilbie.com>
  * @copyright   Copyright (c) Alex Bilbie
  * @license     http://mit-license.org/
  *
  * @link        https://github.com/thephpleague/oauth2-server
  */
+
 namespace League\OAuth2\Server\Repositories;
 
-use League\OAuth2\Server\Entities\Interfaces\AuthCodeEntityInterface;
+use League\OAuth2\Server\Entities\AuthCodeEntityInterface;
+use League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException;
 
 /**
  * Auth code storage interface.
  */
 interface AuthCodeRepositoryInterface extends RepositoryInterface
 {
+    /**
+     * Creates a new AuthCode
+     *
+     * @return AuthCodeEntityInterface
+     */
+    public function getNewAuthCode();
+
     /**
      * Persists a new auth code to permanent storage.
      *
-     * @param \League\OAuth2\Server\Entities\Interfaces\AuthCodeEntityInterface $authCodeEntity
+     * @param AuthCodeEntityInterface $authCodeEntity
+     *
+     * @throws UniqueTokenIdentifierConstraintViolationException
      */
     public function persistNewAuthCode(AuthCodeEntityInterface $authCodeEntity);
 

src/Repositories/ClientRepositoryInterface.php

@@ -1,15 +1,16 @@
 <?php
 /**
- * OAuth 2.0 Client storage interface.
- *
  * @author      Alex Bilbie <hello@alexbilbie.com>
  * @copyright   Copyright (c) Alex Bilbie
  * @license     http://mit-license.org/
  *
  * @link        https://github.com/thephpleague/oauth2-server
  */
+
 namespace League\OAuth2\Server\Repositories;
 
+use League\OAuth2\Server\Entities\ClientEntityInterface;
+
 /**
  * Client storage interface.
  */
@@ -18,11 +19,13 @@ interface ClientRepositoryInterface extends RepositoryInterface
     /**
      * Get a client.
      *
-     * @param string      $clientIdentifier The client's identifier
-     * @param string      $grantType        The grant type used
-     * @param null|string $clientSecret     The client's secret (if sent)
+     * @param string      $clientIdentifier   The client's identifier
+     * @param null|string $grantType          The grant type used (if sent)
+     * @param null|string $clientSecret       The client's secret (if sent)
+     * @param bool        $mustValidateSecret If true the client must attempt to validate the secret if the client
+     *                                        is confidential
      *
-     * @return \League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface
+     * @return ClientEntityInterface
      */
-    public function getClientEntity($clientIdentifier, $grantType, $clientSecret = null);
+    public function getClientEntity($clientIdentifier, $grantType = null, $clientSecret = null, $mustValidateSecret = true);
 }

src/Repositories/MacTokenInterface.php

@@ -1,36 +0,0 @@
-<?php
-/**
- * OAuth 2.0 MAC Token Interface.
- *
- * @author      Alex Bilbie <hello@alexbilbie.com>
- * @copyright   Copyright (c) Alex Bilbie
- * @license     http://mit-license.org/
- *
- * @link        https://github.com/thephpleague/oauth2-server
- */
-namespace League\OAuth2\Server\Storage;
-
-use League\OAuth2\Server\Repositories\RepositoryInterface;
-
-/**
- * MacTokenInterface.
- */
-interface MacTokenInterface extends RepositoryInterface
-{
-    /**
-     * Create a MAC key linked to an access token.
-     *
-     * @param string $macKey
-     * @param string $accessToken
-     */
-    public function persistMacTokenEntity($macKey, $accessToken);
-
-    /**
-     * Get a MAC key by access token.
-     *
-     * @param string $accessToken
-     *
-     * @return string
-     */
-    public function getMacKeyByAccessTokenString($accessToken);
-}

src/Repositories/RefreshTokenRepositoryInterface.php

@@ -1,26 +1,35 @@
 <?php
 /**
- * OAuth 2.0 Refresh token storage interface.
- *
  * @author      Alex Bilbie <hello@alexbilbie.com>
  * @copyright   Copyright (c) Alex Bilbie
  * @license     http://mit-license.org/
  *
  * @link        https://github.com/thephpleague/oauth2-server
  */
+
 namespace League\OAuth2\Server\Repositories;
 
-use League\OAuth2\Server\Entities\Interfaces\RefreshTokenEntityInterface;
+use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
+use League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException;
 
 /**
  * Refresh token interface.
  */
 interface RefreshTokenRepositoryInterface extends RepositoryInterface
 {
+    /**
+     * Creates a new refresh token
+     *
+     * @return RefreshTokenEntityInterface|null
+     */
+    public function getNewRefreshToken();
+
     /**
      * Create a new refresh token_name.
      *
-     * @param \League\OAuth2\Server\Entities\Interfaces\RefreshTokenEntityInterface $refreshTokenEntity
+     * @param RefreshTokenEntityInterface $refreshTokenEntity
+     *
+     * @throws UniqueTokenIdentifierConstraintViolationException
      */
     public function persistNewRefreshToken(RefreshTokenEntityInterface $refreshTokenEntity);
 

src/Repositories/RepositoryInterface.php

@@ -1,13 +1,12 @@
 <?php
 /**
- * OAuth 2.0 Repository interface.
- *
  * @author      Alex Bilbie <hello@alexbilbie.com>
  * @copyright   Copyright (c) Alex Bilbie
  * @license     http://mit-license.org/
  *
  * @link        https://github.com/thephpleague/oauth2-server
  */
+
 namespace League\OAuth2\Server\Repositories;
 
 /**

src/Repositories/ScopeRepositoryInterface.php

@@ -1,17 +1,16 @@
 <?php
 /**
- * OAuth 2.0 Scope storage interface.
- *
  * @author      Alex Bilbie <hello@alexbilbie.com>
  * @copyright   Copyright (c) Alex Bilbie
  * @license     http://mit-license.org/
  *
  * @link        https://github.com/thephpleague/oauth2-server
  */
+
 namespace League\OAuth2\Server\Repositories;
 
-use League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface;
-use League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface;
+use League\OAuth2\Server\Entities\ClientEntityInterface;
+use League\OAuth2\Server\Entities\ScopeEntityInterface;
 
 /**
  * Scope interface.
@@ -23,7 +22,7 @@ interface ScopeRepositoryInterface extends RepositoryInterface
      *
      * @param string $identifier The scope identifier
      *
-     * @return \League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface
+     * @return ScopeEntityInterface
      */
     public function getScopeEntityByIdentifier($identifier);
 
@@ -31,12 +30,12 @@ interface ScopeRepositoryInterface extends RepositoryInterface
      * Given a client, grant type and optional user identifier validate the set of scopes requested are valid and optionally
      * append additional scopes or remove requested scopes.
      *
-     * @param ScopeEntityInterface[]                                          $scopes
-     * @param string                                                          $grantType
-     * @param \League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface $clientEntity
-     * @param null|string                                                     $userIdentifier
+     * @param ScopeEntityInterface[] $scopes
+     * @param string                 $grantType
+     * @param ClientEntityInterface  $clientEntity
+     * @param null|string            $userIdentifier
      *
-     * @return \League\OAuth2\Server\Entities\Interfaces\ScopeEntityInterface[]
+     * @return ScopeEntityInterface[]
      */
     public function finalizeScopes(
         array $scopes,

src/Repositories/UserRepositoryInterface.php

@@ -1,20 +1,28 @@
 <?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
 
 namespace League\OAuth2\Server\Repositories;
 
-use League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface;
+use League\OAuth2\Server\Entities\ClientEntityInterface;
+use League\OAuth2\Server\Entities\UserEntityInterface;
 
 interface UserRepositoryInterface extends RepositoryInterface
 {
     /**
      * Get a user entity.
      *
-     * @param string                                                          $username
-     * @param string                                                          $password
-     * @param string                                                          $grantType    The grant type used
-     * @param \League\OAuth2\Server\Entities\Interfaces\ClientEntityInterface $clientEntity
+     * @param string                $username
+     * @param string                $password
+     * @param string                $grantType    The grant type used
+     * @param ClientEntityInterface $clientEntity
      *
-     * @return \League\OAuth2\Server\Entities\Interfaces\UserEntityInterface
+     * @return UserEntityInterface
      */
     public function getUserEntityByUserCredentials(
         $username,

src/RequestEvent.php

@@ -1,4 +1,11 @@
 <?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
 
 namespace League\OAuth2\Server;
 
@@ -7,16 +14,23 @@ use Psr\Http\Message\ServerRequestInterface;
 
 class RequestEvent extends Event
 {
+    const CLIENT_AUTHENTICATION_FAILED = 'client.authentication.failed';
+    const USER_AUTHENTICATION_FAILED = 'user.authentication.failed';
+    const REFRESH_TOKEN_CLIENT_FAILED = 'refresh_token.client.failed';
+
+    const REFRESH_TOKEN_ISSUED = 'refresh_token.issued';
+    const ACCESS_TOKEN_ISSUED = 'access_token.issued';
+
     /**
-     * @var \Psr\Http\Message\ServerRequestInterface
+     * @var ServerRequestInterface
      */
     private $request;
 
     /**
      * RequestEvent constructor.
      *
-     * @param string                                   $name
-     * @param \Psr\Http\Message\ServerRequestInterface $request
+     * @param string                 $name
+     * @param ServerRequestInterface $request
      */
     public function __construct($name, ServerRequestInterface $request)
     {
@@ -26,6 +40,7 @@ class RequestEvent extends Event
 
     /**
      * @return ServerRequestInterface
+     * @codeCoverageIgnore
      */
     public function getRequest()
     {

src/RequestTypes/AuthorizationRequest.php

@@ -0,0 +1,224 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\RequestTypes;
+
+use League\OAuth2\Server\Entities\ClientEntityInterface;
+use League\OAuth2\Server\Entities\ScopeEntityInterface;
+use League\OAuth2\Server\Entities\UserEntityInterface;
+
+class AuthorizationRequest
+{
+    /**
+     * The grant type identifier
+     *
+     * @var string
+     */
+    protected $grantTypeId;
+
+    /**
+     * The client identifier
+     *
+     * @var ClientEntityInterface
+     */
+    protected $client;
+
+    /**
+     * The user identifier
+     *
+     * @var UserEntityInterface
+     */
+    protected $user;
+
+    /**
+     * An array of scope identifiers
+     *
+     * @var ScopeEntityInterface[]
+     */
+    protected $scopes = [];
+
+    /**
+     * Has the user authorized the authorization request
+     *
+     * @var bool
+     */
+    protected $authorizationApproved = false;
+
+    /**
+     * The redirect URI used in the request
+     *
+     * @var string|null
+     */
+    protected $redirectUri;
+
+    /**
+     * The state parameter on the authorization request
+     *
+     * @var string|null
+     */
+    protected $state;
+
+    /**
+     * The code challenge (if provided)
+     *
+     * @var string
+     */
+    protected $codeChallenge;
+
+    /**
+     * The code challenge method (if provided)
+     *
+     * @var string
+     */
+    protected $codeChallengeMethod;
+
+    /**
+     * @return string
+     */
+    public function getGrantTypeId()
+    {
+        return $this->grantTypeId;
+    }
+
+    /**
+     * @param string $grantTypeId
+     */
+    public function setGrantTypeId($grantTypeId)
+    {
+        $this->grantTypeId = $grantTypeId;
+    }
+
+    /**
+     * @return ClientEntityInterface
+     */
+    public function getClient()
+    {
+        return $this->client;
+    }
+
+    /**
+     * @param ClientEntityInterface $client
+     */
+    public function setClient(ClientEntityInterface $client)
+    {
+        $this->client = $client;
+    }
+
+    /**
+     * @return UserEntityInterface
+     */
+    public function getUser()
+    {
+        return $this->user;
+    }
+
+    /**
+     * @param UserEntityInterface $user
+     */
+    public function setUser(UserEntityInterface $user)
+    {
+        $this->user = $user;
+    }
+
+    /**
+     * @return ScopeEntityInterface[]
+     */
+    public function getScopes()
+    {
+        return $this->scopes;
+    }
+
+    /**
+     * @param ScopeEntityInterface[] $scopes
+     */
+    public function setScopes(array $scopes)
+    {
+        $this->scopes = $scopes;
+    }
+
+    /**
+     * @return bool
+     */
+    public function isAuthorizationApproved()
+    {
+        return $this->authorizationApproved;
+    }
+
+    /**
+     * @param bool $authorizationApproved
+     */
+    public function setAuthorizationApproved($authorizationApproved)
+    {
+        $this->authorizationApproved = $authorizationApproved;
+    }
+
+    /**
+     * @return string|null
+     */
+    public function getRedirectUri()
+    {
+        return $this->redirectUri;
+    }
+
+    /**
+     * @param string|null $redirectUri
+     */
+    public function setRedirectUri($redirectUri)
+    {
+        $this->redirectUri = $redirectUri;
+    }
+
+    /**
+     * @return string|null
+     */
+    public function getState()
+    {
+        return $this->state;
+    }
+
+    /**
+     * @param string $state
+     */
+    public function setState($state)
+    {
+        $this->state = $state;
+    }
+
+    /**
+     * @return string
+     */
+    public function getCodeChallenge()
+    {
+        return $this->codeChallenge;
+    }
+
+    /**
+     * @param string $codeChallenge
+     */
+    public function setCodeChallenge($codeChallenge)
+    {
+        $this->codeChallenge = $codeChallenge;
+    }
+
+    /**
+     * @return string
+     */
+    public function getCodeChallengeMethod()
+    {
+        return $this->codeChallengeMethod;
+    }
+
+    /**
+     * @param string $codeChallengeMethod
+     */
+    public function setCodeChallengeMethod($codeChallengeMethod)
+    {
+        $this->codeChallengeMethod = $codeChallengeMethod;
+    }
+}

src/ResourceServer.php

@@ -0,0 +1,86 @@
+<?php
+/**
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server;
+
+use League\OAuth2\Server\AuthorizationValidators\AuthorizationValidatorInterface;
+use League\OAuth2\Server\AuthorizationValidators\BearerTokenValidator;
+use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+use Psr\Http\Message\ServerRequestInterface;
+
+class ResourceServer
+{
+    /**
+     * @var AccessTokenRepositoryInterface
+     */
+    private $accessTokenRepository;
+
+    /**
+     * @var CryptKey
+     */
+    private $publicKey;
+
+    /**
+     * @var null|AuthorizationValidatorInterface
+     */
+    private $authorizationValidator;
+
+    /**
+     * New server instance.
+     *
+     * @param AccessTokenRepositoryInterface       $accessTokenRepository
+     * @param CryptKey|string                      $publicKey
+     * @param null|AuthorizationValidatorInterface $authorizationValidator
+     */
+    public function __construct(
+        AccessTokenRepositoryInterface $accessTokenRepository,
+        $publicKey,
+        AuthorizationValidatorInterface $authorizationValidator = null
+    ) {
+        $this->accessTokenRepository = $accessTokenRepository;
+
+        if ($publicKey instanceof CryptKey === false) {
+            $publicKey = new CryptKey($publicKey);
+        }
+        $this->publicKey = $publicKey;
+
+        $this->authorizationValidator = $authorizationValidator;
+    }
+
+    /**
+     * @return AuthorizationValidatorInterface
+     */
+    protected function getAuthorizationValidator()
+    {
+        if ($this->authorizationValidator instanceof AuthorizationValidatorInterface === false) {
+            $this->authorizationValidator = new BearerTokenValidator($this->accessTokenRepository);
+        }
+
+        if ($this->authorizationValidator instanceof BearerTokenValidator === true) {
+            $this->authorizationValidator->setPublicKey($this->publicKey);
+        }
+
+        return $this->authorizationValidator;
+    }
+
+    /**
+     * Determine the access token validity.
+     *
+     * @param ServerRequestInterface $request
+     *
+     * @throws OAuthServerException
+     *
+     * @return ServerRequestInterface
+     */
+    public function validateAuthenticatedRequest(ServerRequestInterface $request)
+    {
+        return $this->getAuthorizationValidator()->validateAuthorization($request);
+    }
+}

src/ResponseTypes/AbstractResponseType.php

@@ -8,39 +8,32 @@
  *
  * @link        https://github.com/thephpleague/oauth2-server
  */
+
 namespace League\OAuth2\Server\ResponseTypes;
 
+use League\OAuth2\Server\CryptKey;
 use League\OAuth2\Server\CryptTrait;
-use League\OAuth2\Server\Entities\Interfaces\AccessTokenEntityInterface;
-use League\OAuth2\Server\Entities\Interfaces\RefreshTokenEntityInterface;
-use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
+use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
 
 abstract class AbstractResponseType implements ResponseTypeInterface
 {
     use CryptTrait;
 
     /**
-     * @var \League\OAuth2\Server\Entities\Interfaces\AccessTokenEntityInterface
+     * @var AccessTokenEntityInterface
      */
     protected $accessToken;
 
     /**
-     * @var \League\OAuth2\Server\Entities\Interfaces\RefreshTokenEntityInterface
+     * @var RefreshTokenEntityInterface
      */
     protected $refreshToken;
 
     /**
-     * @var \League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface
+     * @var CryptKey
      */
-    protected $accessTokenRepository;
-
-    /**
-     * @param \League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface $accessTokenRepository
-     */
-    public function __construct(AccessTokenRepositoryInterface $accessTokenRepository)
-    {
-        $this->accessTokenRepository = $accessTokenRepository;
-    }
+    protected $privateKey;
 
     /**
      * {@inheritdoc}
@@ -57,4 +50,14 @@ abstract class AbstractResponseType implements ResponseTypeInterface
     {
         $this->refreshToken = $refreshToken;
     }
+
+    /**
+     * Set the private key
+     *
+     * @param CryptKey $key
+     */
+    public function setPrivateKey(CryptKey $key)
+    {
+        $this->privateKey = $key;
+    }
 }

src/ResponseTypes/BearerTokenResponse.php

@@ -1,6 +1,6 @@
 <?php
 /**
- * OAuth 2.0 Bearer Token Type.
+ * OAuth 2.0 Bearer Token Response.
  *
  * @author      Alex Bilbie <hello@alexbilbie.com>
  * @copyright   Copyright (c) Alex Bilbie
@@ -8,9 +8,12 @@
  *
  * @link        https://github.com/thephpleague/oauth2-server
  */
+
 namespace League\OAuth2\Server\ResponseTypes;
 
-use League\OAuth2\Server\Entities\Interfaces\RefreshTokenEntityInterface;
+use DateTime;
+use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
+use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
 use Psr\Http\Message\ResponseInterface;
 
 class BearerTokenResponse extends AbstractResponseType
@@ -22,11 +25,11 @@ class BearerTokenResponse extends AbstractResponseType
     {
         $expireDateTime = $this->accessToken->getExpiryDateTime()->getTimestamp();
 
-        $jwtAccessToken = $this->accessToken->convertToJWT($this->privateKeyPath);
+        $jwtAccessToken = $this->accessToken->convertToJWT($this->privateKey);
 
         $responseParams = [
             'token_type'   => 'Bearer',
-            'expires_in'   => $expireDateTime - (new \DateTime())->getTimestamp(),
+            'expires_in'   => $expireDateTime - (new DateTime())->getTimestamp(),
             'access_token' => (string) $jwtAccessToken,
         ];
 
@@ -39,7 +42,7 @@ class BearerTokenResponse extends AbstractResponseType
                         'access_token_id'  => $this->accessToken->getIdentifier(),
                         'scopes'           => $this->accessToken->getScopes(),
                         'user_id'          => $this->accessToken->getUserIdentifier(),
-                        'expire_time'      => $expireDateTime,
+                        'expire_time'      => $this->refreshToken->getExpiryDateTime()->getTimestamp(),
                     ]
                 )
             );
@@ -47,6 +50,8 @@ class BearerTokenResponse extends AbstractResponseType
             $responseParams['refresh_token'] = $refreshToken;
         }
 
+        $responseParams = array_merge($this->getExtraParams($this->accessToken), $responseParams);
+
         $response = $response
             ->withStatus(200)
             ->withHeader('pragma', 'no-cache')
@@ -57,4 +62,18 @@ class BearerTokenResponse extends AbstractResponseType
 
         return $response;
     }
+
+    /**
+     * Add custom fields to your Bearer Token response here, then override
+     * AuthorizationServer::getResponseType() to pull in your version of
+     * this class rather than the default.
+     *
+     * @param AccessTokenEntityInterface $accessToken
+     *
+     * @return array
+     */
+    protected function getExtraParams(AccessTokenEntityInterface $accessToken)
+    {
+        return [];
+    }
 }

src/ResponseTypes/HtmlResponse.php

@@ -1,66 +0,0 @@
-<?php
-
-namespace League\OAuth2\Server\ResponseTypes;
-
-use Psr\Http\Message\ResponseInterface;
-
-class HtmlResponse extends AbstractResponseType
-{
-    /**
-     * @var string
-     */
-    private $html = '';
-
-    /**
-     * @var int
-     */
-    private $statusCode = 200;
-
-    /**
-     * @var array
-     */
-    private $headers = [];
-
-    /**
-     * @param string $html
-     */
-    public function setHtml($html)
-    {
-        $this->html = $html;
-    }
-
-    /**
-     * @param int $statusCode
-     */
-    public function setStatusCode($statusCode = 200)
-    {
-        $this->statusCode = $statusCode;
-    }
-
-    /**
-     * @param ResponseInterface $response
-     *
-     * @return ResponseInterface
-     */
-    public function generateHttpResponse(ResponseInterface $response)
-    {
-        $response->getBody()->write($this->html);
-
-        foreach ($this->headers as $key => $value) {
-            $response = $response->withHeader($key, $value);
-        }
-
-        return $response
-            ->withStatus($this->statusCode)
-            ->withHeader('content-type', 'text/html');
-    }
-
-    /**
-     * @param string $key
-     * @param string $value
-     */
-    public function setHeader($key, $value)
-    {
-        $this->headers[$key] = $value;
-    }
-}

src/ResponseTypes/RedirectResponse.php

@@ -1,4 +1,13 @@
 <?php
+/**
+ * OAuth 2.0 Redirect Response.
+ *
+ * @author      Alex Bilbie <hello@alexbilbie.com>
+ * @copyright   Copyright (c) Alex Bilbie
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
 
 namespace League\OAuth2\Server\ResponseTypes;
 
@@ -26,6 +35,6 @@ class RedirectResponse extends AbstractResponseType
      */
     public function generateHttpResponse(ResponseInterface $response)
     {
-        return $response->withStatus(302)->withHeader('location', $this->redirectUri);
+        return $response->withStatus(302)->withHeader('Location', $this->redirectUri);
     }
 }

src/ResponseTypes/ResponseTypeInterface.php

@@ -8,21 +8,23 @@
  *
  * @link        https://github.com/thephpleague/oauth2-server
  */
+
 namespace League\OAuth2\Server\ResponseTypes;
 
-use League\OAuth2\Server\Entities\Interfaces\AccessTokenEntityInterface;
-use League\OAuth2\Server\Entities\Interfaces\RefreshTokenEntityInterface;
+use Defuse\Crypto\Key;
+use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
+use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
 use Psr\Http\Message\ResponseInterface;
 
 interface ResponseTypeInterface
 {
     /**
-     * @param \League\OAuth2\Server\Entities\Interfaces\AccessTokenEntityInterface $accessToken
+     * @param AccessTokenEntityInterface $accessToken
      */
     public function setAccessToken(AccessTokenEntityInterface $accessToken);
 
     /**
-     * @param \League\OAuth2\Server\Entities\Interfaces\RefreshTokenEntityInterface $refreshToken
+     * @param RefreshTokenEntityInterface $refreshToken
      */
     public function setRefreshToken(RefreshTokenEntityInterface $refreshToken);
 
@@ -32,4 +34,11 @@ interface ResponseTypeInterface
      * @return ResponseInterface
      */
     public function generateHttpResponse(ResponseInterface $response);
+
+    /**
+     * Set the encryption key
+     *
+     * @param string|Key|null $key
+     */
+    public function setEncryptionKey($key = null);
 }

src/Server.php

@@ -1,194 +0,0 @@
-<?php
-
-namespace League\OAuth2\Server;
-
-use DateInterval;
-use League\Event\EmitterAwareInterface;
-use League\Event\EmitterAwareTrait;
-use League\OAuth2\Server\AuthorizationValidators\AuthorizationValidatorInterface;
-use League\OAuth2\Server\AuthorizationValidators\BearerTokenValidator;
-use League\OAuth2\Server\Exception\OAuthServerException;
-use League\OAuth2\Server\Grant\GrantTypeInterface;
-use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
-use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
-use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
-use League\OAuth2\Server\ResponseTypes\BearerTokenResponse;
-use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
-use Psr\Http\Message\ResponseInterface;
-use Psr\Http\Message\ServerRequestInterface;
-
-class Server implements EmitterAwareInterface
-{
-    use EmitterAwareTrait;
-
-    /**
-     * @var \League\OAuth2\Server\Grant\GrantTypeInterface[]
-     */
-    protected $enabledGrantTypes = [];
-
-    /**
-     * @var \DateInterval[]
-     */
-    protected $grantTypeAccessTokenTTL = [];
-
-    /**
-     * @var string
-     */
-    protected $privateKeyPath;
-
-    /**
-     * @var ResponseTypeInterface
-     */
-    protected $responseType;
-
-    /**
-     * @var string
-     */
-    private $publicKeyPath;
-
-    /**
-     * @var \League\OAuth2\Server\Repositories\ClientRepositoryInterface
-     */
-    private $clientRepository;
-
-    /**
-     * @var \League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface
-     */
-    private $accessTokenRepository;
-
-    /**
-     * @var \League\OAuth2\Server\Repositories\ScopeRepositoryInterface
-     */
-    private $scopeRepository;
-
-    /**
-     * @var \League\OAuth2\Server\AuthorizationValidators\AuthorizationValidatorInterface
-     */
-    private $authorizationValidator;
-
-    /**
-     * New server instance.
-     *
-     * @param \League\OAuth2\Server\Repositories\ClientRepositoryInterface                       $clientRepository
-     * @param \League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface                  $accessTokenRepository
-     * @param \League\OAuth2\Server\Repositories\ScopeRepositoryInterface                        $scopeRepository
-     * @param string                                                                             $privateKeyPath
-     * @param string                                                                             $publicKeyPath
-     * @param null|\League\OAuth2\Server\ResponseTypes\ResponseTypeInterface                     $responseType
-     * @param null|\League\OAuth2\Server\AuthorizationValidators\AuthorizationValidatorInterface $authorizationValidator
-     */
-    public function __construct(
-        ClientRepositoryInterface $clientRepository,
-        AccessTokenRepositoryInterface $accessTokenRepository,
-        ScopeRepositoryInterface $scopeRepository,
-        $privateKeyPath,
-        $publicKeyPath,
-        ResponseTypeInterface $responseType = null,
-        AuthorizationValidatorInterface $authorizationValidator = null
-    ) {
-        $this->clientRepository = $clientRepository;
-        $this->accessTokenRepository = $accessTokenRepository;
-        $this->scopeRepository = $scopeRepository;
-        $this->privateKeyPath = $privateKeyPath;
-        $this->publicKeyPath = $publicKeyPath;
-        $this->responseType = $responseType;
-        $this->authorizationValidator = $authorizationValidator;
-    }
-
-    /**
-     * Enable a grant type on the server.
-     *
-     * @param \League\OAuth2\Server\Grant\GrantTypeInterface $grantType
-     * @param \DateInterval                                  $accessTokenTTL
-     */
-    public function enableGrantType(GrantTypeInterface $grantType, DateInterval $accessTokenTTL)
-    {
-        $grantType->setAccessTokenRepository($this->accessTokenRepository);
-        $grantType->setClientRepository($this->clientRepository);
-        $grantType->setScopeRepository($this->scopeRepository);
-        $grantType->setPrivateKeyPath($this->privateKeyPath);
-        $grantType->setPublicKeyPath($this->publicKeyPath);
-        $grantType->setEmitter($this->getEmitter());
-
-        $this->enabledGrantTypes[$grantType->getIdentifier()] = $grantType;
-
-        $this->grantTypeAccessTokenTTL[$grantType->getIdentifier()] = $accessTokenTTL;
-    }
-
-    /**
-     * Return an access token response.
-     *
-     * @param \Psr\Http\Message\ServerRequestInterface|null $request
-     * @param \Psr\Http\Message\ResponseInterface|null      $response
-     *
-     * @throws \League\OAuth2\Server\Exception\OAuthServerException
-     *
-     * @return \Psr\Http\Message\ResponseInterface
-     */
-    public function respondToRequest(ServerRequestInterface $request, ResponseInterface $response)
-    {
-        $tokenResponse = null;
-        while ($tokenResponse === null && $grantType = array_shift($this->enabledGrantTypes)) {
-            /** @var \League\OAuth2\Server\Grant\GrantTypeInterface $grantType */
-            if ($grantType->canRespondToRequest($request)) {
-                $tokenResponse = $grantType->respondToRequest(
-                    $request,
-                    $this->getResponseType(),
-                    $this->grantTypeAccessTokenTTL[$grantType->getIdentifier()]
-                );
-            }
-        }
-
-        if ($tokenResponse instanceof ResponseTypeInterface) {
-            return $tokenResponse->generateHttpResponse($response);
-        }
-
-        throw OAuthServerException::unsupportedGrantType();
-    }
-
-    /**
-     * Determine the access token validity.
-     *
-     * @param \Psr\Http\Message\ServerRequestInterface $request
-     *
-     * @throws \League\OAuth2\Server\Exception\OAuthServerException
-     *
-     * @return \Psr\Http\Message\ServerRequestInterface
-     */
-    public function validateAuthenticatedRequest(ServerRequestInterface $request)
-    {
-        return $this->getAuthorizationValidator()->validateAuthorization($request);
-    }
-
-    /**
-     * Get the token type that grants will return in the HTTP response.
-     *
-     * @return ResponseTypeInterface
-     */
-    protected function getResponseType()
-    {
-        if (!$this->responseType instanceof ResponseTypeInterface) {
-            $this->responseType = new BearerTokenResponse($this->accessTokenRepository);
-        }
-
-        $this->responseType->setPublicKeyPath($this->publicKeyPath);
-        $this->responseType->setPrivateKeyPath($this->privateKeyPath);
-
-        return $this->responseType;
-    }
-
-    /**
-     * @return \League\OAuth2\Server\AuthorizationValidators\AuthorizationValidatorInterface
-     */
-    protected function getAuthorizationValidator()
-    {
-        if (!$this->authorizationValidator instanceof AuthorizationValidatorInterface) {
-            $this->authorizationValidator = new BearerTokenValidator($this->accessTokenRepository);
-        }
-
-        $this->authorizationValidator->setPublicKeyPath($this->publicKeyPath);
-        $this->authorizationValidator->setPrivateKeyPath($this->privateKeyPath);
-
-        return $this->authorizationValidator;
-    }
-}

src/TemplateRenderer/AbstractRenderer.php

@@ -1,70 +0,0 @@
-<?php
-/**
- * Base template renderer.
- *
- * @author      Julián Gutiérrez <juliangut@gmail.com>
- * @copyright   Copyright (c) Alex Bilbie
- * @license     http://mit-license.org/
- *
- * @link        https://github.com/thephpleague/oauth2-server
- */
-namespace League\OAuth2\Server\TemplateRenderer;
-
-abstract class AbstractRenderer implements RendererInterface
-{
-    /**
-     * @var string
-     */
-    protected $loginTemplate;
-
-    /**
-     * @var string
-     */
-    protected $authorizeTemplate;
-
-    /**
-     * PlatesRenderer constructor.
-     *
-     * @param string $loginTemplate
-     * @param string $authorizeTemplate
-     */
-    public function __construct($loginTemplate, $authorizeTemplate)
-    {
-        $this->loginTemplate = $loginTemplate;
-        $this->authorizeTemplate = $authorizeTemplate;
-    }
-
-    /**
-     * Render login template.
-     *
-     * @param array $data
-     *
-     * @return string
-     */
-    public function renderLogin(array $data = [])
-    {
-        return $this->render($this->loginTemplate, $data);
-    }
-
-    /**
-     * Render authorize template.
-     *
-     * @param array $data
-     *
-     * @return string
-     */
-    public function renderAuthorize(array $data = [])
-    {
-        return $this->render($this->authorizeTemplate, $data);
-    }
-
-    /**
-     * Render template.
-     *
-     * @param string $template
-     * @param array  $data
-     *
-     * @return string
-     */
-    abstract protected function render($template, array $data = []);
-}

src/TemplateRenderer/DefaultTemplates/authorize_client.php

@@ -1,35 +0,0 @@
-<!doctype html>
-<html lang="en">
-<head>
-    <meta charset="utf-8">
-    <title>Authorize <?=$this->e($client->getName())?></title>
-</head>
-
-<body>
-
-<h1>
-    Authorize <?=$this->e($client->getName())?>
-</h1>
-
-<p>
-    Do you want to authorize <?=$this->e($client->getName())?> to access the following data?
-</p>
-
-<ul>
-    <?php foreach ($scopes as $scope): ?>
-        <li><?=$scope->getIdentifier()?></li>
-    <?php endforeach; ?>
-</ul>
-
-<form method="POST">
-    <input type="hidden" value="approve" name="action">
-    <button type="submit">Approve</button>
-</form>
-
-<form method="POST">
-    <input type="hidden" value="deny" name="action">
-    <button type="submit">Deny</button>
-</form>
-
-</body>
-</html>

src/TemplateRenderer/DefaultTemplates/login_user.php

@@ -1,35 +0,0 @@
-<!doctype html>
-<html lang="en">
-<head>
-    <meta charset="utf-8">
-    <title>Login</title>
-</head>
-
-<body>
-
-    <h1>Login</h1>
-
-    <?php if ($error !== null): ?>
-    <div style="border:solid 1px red; padding: 1rem; margin-bottom:1rem">
-        <?=$this->e($error)?>
-    </div>
-    <?php endif; ?>
-
-    <form method="POST">
-
-        <label for="username">Username</label>
-        <input type="text" id="username" name="username">
-
-        <br>
-
-        <label for="password">Password</label>
-        <input type="password" id="password" name="password">
-
-        <br>
-
-        <input type="submit" value="Login">
-
-    </form>
-
-</body>
-</html>

src/TemplateRenderer/MustacheRenderer.php

@@ -1,41 +0,0 @@
-<?php
-/**
- * Mustache template renderer bridge.
- *
- * @author      Julián Gutiérrez <juliangut@gmail.com>
- * @copyright   Copyright (c) Alex Bilbie
- * @license     http://mit-license.org/
- *
- * @link        https://github.com/thephpleague/oauth2-server
- */
-namespace League\OAuth2\Server\TemplateRenderer;
-
-class MustacheRenderer extends AbstractRenderer
-{
-    /**
-     * @var \Mustache_Engine
-     */
-    private $engine;
-
-    /**
-     * PlatesRenderer constructor.
-     *
-     * @param \Mustache_Engine $engine
-     * @param string           $loginTemplate
-     * @param string           $authorizeTemplate
-     */
-    public function __construct(\Mustache_Engine $engine, $loginTemplate, $authorizeTemplate)
-    {
-        parent::__construct($loginTemplate, $authorizeTemplate);
-
-        $this->engine = $engine;
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function render($template, array $data = [])
-    {
-        return $this->engine->render($template, $data);
-    }
-}

src/TemplateRenderer/PlatesRenderer.php

@@ -1,47 +0,0 @@
-<?php
-/**
- * Plates template renderer bridge.
- *
- * @author      Julián Gutiérrez <juliangut@gmail.com>
- * @copyright   Copyright (c) Alex Bilbie
- * @license     http://mit-license.org/
- *
- * @link        https://github.com/thephpleague/oauth2-server
- */
-namespace League\OAuth2\Server\TemplateRenderer;
-
-use League\Plates\Engine;
-
-class PlatesRenderer extends AbstractRenderer
-{
-    /**
-     * @var \League\Plates\Engine
-     */
-    private $engine;
-
-    /**
-     * PlatesRenderer constructor.
-     *
-     * @param \League\Plates\Engine $engine
-     * @param string                $loginTemplate
-     * @param string                $authorizeTemplate
-     */
-    public function __construct(Engine $engine, $loginTemplate, $authorizeTemplate)
-    {
-        parent::__construct($loginTemplate, $authorizeTemplate);
-
-        $this->engine = $engine;
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    protected function render($template, array $data = [])
-    {
-        if ($this->engine->getFileExtension()) {
-            $template = preg_replace(sprintf('/\.%s$/', $this->engine->getFileExtension()), '', $template);
-        }
-
-        return $this->engine->render($template, $data);
-    }
-}

src/TemplateRenderer/RendererInterface.php

@@ -1,24 +0,0 @@
-<?php
-
-namespace League\OAuth2\Server\TemplateRenderer;
-
-interface RendererInterface
-{
-    /**
-     * Render login template.
-     *
-     * @param array $data
-     *
-     * @return string
-     */
-    public function renderLogin(array $data = []);
-
-    /**
-     * Render authorize template.
-     *
-     * @param array $data
-     *
-     * @return string
-     */
-    public function renderAuthorize(array $data = []);
-}

src/TemplateRenderer/SmartyRenderer.php

@@ -1,49 +0,0 @@
-<?php
-/**
- * Smarty template renderer bridge.
- *
- * @author      Julián Gutiérrez <juliangut@gmail.com>
- * @copyright   Copyright (c) Alex Bilbie
- * @license     http://mit-license.org/
- *
- * @link        https://github.com/thephpleague/oauth2-server
- */
-namespace League\OAuth2\Server\TemplateRenderer;
-
-class SmartyRenderer extends AbstractRenderer
-{
-    /**
-     * Smarty class.
-     *
-     * @var \Smarty
-     */
-    private $smarty;
-
-    /**
-     * PlatesRenderer constructor.
-     *
-     * @param \Smarty $smarty
-     * @param string  $loginTemplate
-     * @param string  $authorizeTemplate
-     */
-    public function __construct(\Smarty $smarty, $loginTemplate, $authorizeTemplate)
-    {
-        parent::__construct($loginTemplate, $authorizeTemplate);
-
-        $this->smarty = $smarty;
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    protected function render($template, array $data = [])
-    {
-        $this->smarty->assign($data);
-
-        $output = $this->smarty->fetch($template);
-
-        $this->smarty->clear_assign(array_keys($data));
-
-        return $output;
-    }
-}

src/TemplateRenderer/TwigRenderer.php

@@ -1,41 +0,0 @@
-<?php
-/**
- * Twig template renderer bridge.
- *
- * @author      Julián Gutiérrez <juliangut@gmail.com>
- * @copyright   Copyright (c) Alex Bilbie
- * @license     http://mit-license.org/
- *
- * @link        https://github.com/thephpleague/oauth2-server
- */
-namespace League\OAuth2\Server\TemplateRenderer;
-
-class TwigRenderer extends AbstractRenderer
-{
-    /**
-     * @var \Twig_Environment
-     */
-    private $environment;
-
-    /**
-     * PlatesRenderer constructor.
-     *
-     * @param \Twig_Environment $environment
-     * @param string            $loginTemplate
-     * @param string            $authorizeTemplate
-     */
-    public function __construct(\Twig_Environment $environment, $loginTemplate, $authorizeTemplate)
-    {
-        parent::__construct($loginTemplate, $authorizeTemplate);
-
-        $this->environment = $environment;
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    protected function render($template, array $data = [])
-    {
-        return $this->environment->loadTemplate($template)->render($data);
-    }
-}

tests/AuthorizationServerTest.php

@@ -0,0 +1,357 @@
+<?php
+
+namespace LeagueTests;
+
+use League\OAuth2\Server\AuthorizationServer;
+use League\OAuth2\Server\CryptKey;
+use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\Grant\AuthCodeGrant;
+use League\OAuth2\Server\Grant\ClientCredentialsGrant;
+use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+use League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface;
+use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
+use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
+use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
+use League\OAuth2\Server\RequestTypes\AuthorizationRequest;
+use League\OAuth2\Server\ResponseTypes\BearerTokenResponse;
+use LeagueTests\Stubs\AccessTokenEntity;
+use LeagueTests\Stubs\AuthCodeEntity;
+use LeagueTests\Stubs\ClientEntity;
+use LeagueTests\Stubs\ScopeEntity;
+use LeagueTests\Stubs\StubResponseType;
+use LeagueTests\Stubs\UserEntity;
+use PHPUnit\Framework\TestCase;
+use Psr\Http\Message\ResponseInterface;
+use Zend\Diactoros\Response;
+use Zend\Diactoros\ServerRequest;
+use Zend\Diactoros\ServerRequestFactory;
+
+class AuthorizationServerTest extends TestCase
+{
+    const DEFAULT_SCOPE = 'basic';
+
+    public function setUp()
+    {
+        // Make sure the keys have the correct permissions.
+        chmod(__DIR__ . '/Stubs/private.key', 0600);
+        chmod(__DIR__ . '/Stubs/public.key', 0600);
+        chmod(__DIR__ . '/Stubs/private.key.crlf', 0600);
+    }
+
+    public function testRespondToRequestInvalidGrantType()
+    {
+        $server = new AuthorizationServer(
+            $this->getMockBuilder(ClientRepositoryInterface::class)->getMock(),
+            $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock(),
+            $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock(),
+            'file://' . __DIR__ . '/Stubs/private.key',
+            base64_encode(random_bytes(36)),
+            new StubResponseType()
+        );
+
+        $server->enableGrantType(new ClientCredentialsGrant(), new \DateInterval('PT1M'));
+
+        try {
+            $server->respondToAccessTokenRequest(ServerRequestFactory::fromGlobals(), new Response);
+        } catch (OAuthServerException $e) {
+            $this->assertEquals('unsupported_grant_type', $e->getErrorType());
+            $this->assertEquals(400, $e->getHttpStatusCode());
+        }
+    }
+
+    public function testRespondToRequest()
+    {
+        $clientRepository = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepository->method('getClientEntity')->willReturn(new ClientEntity());
+
+        $scope = new ScopeEntity();
+        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
+        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scope);
+        $scopeRepositoryMock->method('finalizeScopes')->willReturnArgument(0);
+
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+        $accessTokenRepositoryMock->method('getNewToken')->willReturn(new AccessTokenEntity());
+
+        $server = new AuthorizationServer(
+            $clientRepository,
+            $accessTokenRepositoryMock,
+            $scopeRepositoryMock,
+            'file://' . __DIR__ . '/Stubs/private.key',
+            base64_encode(random_bytes(36)),
+            new StubResponseType()
+        );
+
+        $server->setDefaultScope(self::DEFAULT_SCOPE);
+        $server->enableGrantType(new ClientCredentialsGrant(), new \DateInterval('PT1M'));
+
+        $_POST['grant_type'] = 'client_credentials';
+        $_POST['client_id'] = 'foo';
+        $_POST['client_secret'] = 'bar';
+        $response = $server->respondToAccessTokenRequest(ServerRequestFactory::fromGlobals(), new Response);
+        $this->assertEquals(200, $response->getStatusCode());
+    }
+
+    public function testGetResponseType()
+    {
+        $clientRepository = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+
+        $server = new AuthorizationServer(
+            $clientRepository,
+            $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock(),
+            $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock(),
+            'file://' . __DIR__ . '/Stubs/private.key',
+            'file://' . __DIR__ . '/Stubs/public.key'
+        );
+
+        $abstractGrantReflection = new \ReflectionClass($server);
+        $method = $abstractGrantReflection->getMethod('getResponseType');
+        $method->setAccessible(true);
+
+        $this->assertInstanceOf(BearerTokenResponse::class, $method->invoke($server));
+    }
+
+    public function testGetResponseTypeExtended()
+    {
+        $clientRepository = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $privateKey = 'file://' . __DIR__ . '/Stubs/private.key';
+        $encryptionKey = 'file://' . __DIR__ . '/Stubs/public.key';
+
+        $server = new class($clientRepository, $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock(), $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock(), $privateKey, $encryptionKey) extends AuthorizationServer {
+            protected function getResponseType()
+            {
+                $this->responseType = new class extends BearerTokenResponse {
+                    /* @return null|CryptKey */
+                    public function getPrivateKey()
+                    {
+                        return $this->privateKey;
+                    }
+
+                    public function getEncryptionKey()
+                    {
+                        return $this->encryptionKey;
+                    }
+                };
+
+                return parent::getResponseType();
+            }
+        };
+
+        $abstractGrantReflection = new \ReflectionClass($server);
+        $method = $abstractGrantReflection->getMethod('getResponseType');
+        $method->setAccessible(true);
+        $responseType = $method->invoke($server);
+
+        $this->assertInstanceOf(BearerTokenResponse::class, $responseType);
+        // generated instances should have keys setup
+        $this->assertSame($privateKey, $responseType->getPrivateKey()->getKeyPath());
+        $this->assertSame($encryptionKey, $responseType->getEncryptionKey());
+    }
+
+    public function testMultipleRequestsGetDifferentResponseTypeInstances()
+    {
+        $privateKey = 'file://' . __DIR__ . '/Stubs/private.key';
+        $encryptionKey = 'file://' . __DIR__ . '/Stubs/public.key';
+
+        $responseTypePrototype = new class extends BearerTokenResponse {
+            /* @return null|CryptKey */
+            public function getPrivateKey()
+            {
+                return $this->privateKey;
+            }
+
+            public function getEncryptionKey()
+            {
+                return $this->encryptionKey;
+            }
+        };
+
+        $clientRepository = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+
+        $server = new AuthorizationServer(
+            $clientRepository,
+            $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock(),
+            $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock(),
+            $privateKey,
+            $encryptionKey,
+            $responseTypePrototype
+        );
+
+        $abstractGrantReflection = new \ReflectionClass($server);
+        $method = $abstractGrantReflection->getMethod('getResponseType');
+        $method->setAccessible(true);
+
+        $responseTypeA = $method->invoke($server);
+        $responseTypeB = $method->invoke($server);
+
+        // prototype should not get changed
+        $this->assertNull($responseTypePrototype->getPrivateKey());
+        $this->assertNull($responseTypePrototype->getEncryptionKey());
+
+        // generated instances should have keys setup
+        $this->assertSame($privateKey, $responseTypeA->getPrivateKey()->getKeyPath());
+        $this->assertSame($encryptionKey, $responseTypeA->getEncryptionKey());
+
+        // all instances should be different but based on the same prototype
+        $this->assertSame(get_class($responseTypePrototype), get_class($responseTypeA));
+        $this->assertSame(get_class($responseTypePrototype), get_class($responseTypeB));
+        $this->assertNotSame($responseTypePrototype, $responseTypeA);
+        $this->assertNotSame($responseTypePrototype, $responseTypeB);
+        $this->assertNotSame($responseTypeA, $responseTypeB);
+    }
+
+    public function testCompleteAuthorizationRequest()
+    {
+        $clientRepository = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+
+        $server = new AuthorizationServer(
+            $clientRepository,
+            $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock(),
+            $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock(),
+            'file://' . __DIR__ . '/Stubs/private.key',
+            'file://' . __DIR__ . '/Stubs/public.key'
+        );
+
+        $authCodeRepository = $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock();
+        $authCodeRepository->method('getNewAuthCode')->willReturn(new AuthCodeEntity());
+
+        $grant = new AuthCodeGrant(
+            $authCodeRepository,
+            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
+            new \DateInterval('PT10M')
+        );
+
+        $server->enableGrantType($grant);
+
+        $authRequest = new AuthorizationRequest();
+        $authRequest->setAuthorizationApproved(true);
+        $authRequest->setClient(new ClientEntity());
+        $authRequest->setGrantTypeId('authorization_code');
+        $authRequest->setUser(new UserEntity());
+
+        $this->assertInstanceOf(
+            ResponseInterface::class,
+            $server->completeAuthorizationRequest($authRequest, new Response)
+        );
+    }
+
+    public function testValidateAuthorizationRequest()
+    {
+        $client = new ClientEntity();
+        $client->setRedirectUri('http://foo/bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $scope = new ScopeEntity();
+        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
+        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scope);
+
+        $grant = new AuthCodeGrant(
+            $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock(),
+            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
+            new \DateInterval('PT10M')
+        );
+        $grant->setClientRepository($clientRepositoryMock);
+
+        $server = new AuthorizationServer(
+            $clientRepositoryMock,
+            $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock(),
+            $scopeRepositoryMock,
+            'file://' . __DIR__ . '/Stubs/private.key',
+            'file://' . __DIR__ . '/Stubs/public.key'
+        );
+
+        $server->setDefaultScope(self::DEFAULT_SCOPE);
+        $server->enableGrantType($grant);
+
+        $request = new ServerRequest(
+            [],
+            [],
+            null,
+            null,
+            'php://input',
+            $headers = [],
+            $cookies = [],
+            $queryParams = [
+                'response_type' => 'code',
+                'client_id'     => 'foo',
+            ]
+        );
+
+        $this->assertInstanceOf(AuthorizationRequest::class, $server->validateAuthorizationRequest($request));
+    }
+
+    public function testValidateAuthorizationRequestWithMissingRedirectUri()
+    {
+        $client = new ClientEntity();
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $grant = new AuthCodeGrant(
+            $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock(),
+            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
+            new \DateInterval('PT10M')
+        );
+        $grant->setClientRepository($clientRepositoryMock);
+
+        $server = new AuthorizationServer(
+            $clientRepositoryMock,
+            $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock(),
+            $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock(),
+            'file://' . __DIR__ . '/Stubs/private.key',
+            'file://' . __DIR__ . '/Stubs/public.key'
+        );
+        $server->enableGrantType($grant);
+
+        $request = new ServerRequest(
+            [],
+            [],
+            null,
+            null,
+            'php://input',
+            $headers = [],
+            $cookies = [],
+            $queryParams = [
+                'response_type' => 'code',
+                'client_id'     => 'foo',
+            ]
+        );
+
+        try {
+            $server->validateAuthorizationRequest($request);
+        } catch (OAuthServerException $e) {
+            $this->assertEquals('invalid_client', $e->getErrorType());
+            $this->assertEquals(401, $e->getHttpStatusCode());
+        }
+    }
+
+    /**
+     * @expectedException  \League\OAuth2\Server\Exception\OAuthServerException
+     * @expectedExceptionCode 2
+     */
+    public function testValidateAuthorizationRequestUnregistered()
+    {
+        $server = new AuthorizationServer(
+            $this->getMockBuilder(ClientRepositoryInterface::class)->getMock(),
+            $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock(),
+            $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock(),
+            'file://' . __DIR__ . '/Stubs/private.key',
+            'file://' . __DIR__ . '/Stubs/public.key'
+        );
+
+        $request = new ServerRequest(
+            [],
+            [],
+            null,
+            null,
+            'php://input',
+            $headers = [],
+            $cookies = [],
+            $queryParams = [
+                'response_type' => 'code',
+                'client_id'     => 'foo',
+            ]
+        );
+
+        $server->validateAuthorizationRequest($request);
+    }
+}

tests/AuthorizationValidators/BearerTokenValidatorTest.php

@@ -0,0 +1,40 @@
+<?php
+
+namespace LeagueTests\AuthorizationValidators;
+
+use Lcobucci\JWT\Builder;
+use League\OAuth2\Server\AuthorizationValidators\BearerTokenValidator;
+use League\OAuth2\Server\CryptKey;
+use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+use PHPUnit\Framework\TestCase;
+use Zend\Diactoros\ServerRequest;
+
+class BearerTokenValidatorTest extends TestCase
+{
+    /**
+     * @expectedException League\OAuth2\Server\Exception\OAuthServerException
+     * @expectedExceptionCode 9
+     */
+    public function testThrowExceptionWhenAccessTokenIsNotSigned()
+    {
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+
+        $bearerTokenValidator = new BearerTokenValidator($accessTokenRepositoryMock);
+        $bearerTokenValidator->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+
+        $unsignedJwt = (new Builder())
+            ->setAudience('client-id')
+            ->setId('token-id', true)
+            ->setIssuedAt(time())
+            ->setNotBefore(time())
+            ->setExpiration(time())
+            ->setSubject('user-id')
+            ->set('scopes', 'scope1 scope2 scope3 scope4')
+            ->getToken();
+
+        $request = new ServerRequest();
+        $request = $request->withHeader('authorization', sprintf('Bearer %s', $unsignedJwt));
+
+        $bearerTokenValidator->validateAuthorization($request);
+    }
+}