Update README.md

Updating readme to refer to the latest 5.1.* branch
Merge pull request #828 from Sephster/master
2025-05-31 14:12:07 +05:30 · 2017-12-23 13:20:52 +00:00 · 2017-12-23 02:14:34 +00:00 · 2017-12-23 02:06:18 +00:00 · 2017-12-23 01:52:33 +00:00 · 2017-12-13 21:05:36 +00:00
53 changed files with 1070 additions and 557 deletions
--- a/.travis.yml
+++ b/.travis.yml
@@ -7,11 +7,10 @@ cache:
  - vendor
 php:
  - 5.5.9
  - 5.5
  - 5.6
  - 7.0
-  - hhvm
+  - 7.1
  - 7.2
 install:
  - travis_retry composer install --no-interaction --prefer-source
@@ -21,4 +20,4 @@ script:
 branches:
  only:
-    - master
+    - master
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,41 @@
 # Changelog
 ## 6.0.2 (released 2017-08-03)
 * An invalid refresh token that can't be decrypted now returns a HTTP 401 error instead of HTTP 400 (Issue #759)
 * Removed chmod from CryptKey and add toggle to disable checking (Issue #776)
 * Fixes invalid code challenge method payload key name (Issue #777)
 ## 6.0.1 (released 2017-07-19)
 To address feedback from the security release the following change has been made:
 * If an RSA key cannot be chmod'ed to 600 then it will now throw a E_USER_NOTICE instead of an exception.
 ## 6.0.0 (released 2017-07-01)
 * Breaking change: The `AuthorizationServer` constructor now expects an encryption key string instead of a public key
 * Remove support for HHVM
 * Remove support for PHP 5.5
 ## 5.1.4 (released 2017-07-01)
 * Fixed multiple security vulnerabilities as a result of a security audit paid for by the [Mozilla Secure Open Source Fund](https://wiki.mozilla.org/MOSS/Secure_Open_Source). All users of this library are encouraged to update as soon as possible to this version or version 6.0 or greater.
 	* It is recommended on each `AuthorizationServer` instance you set the `setEncryptionKey()`. This will result in stronger encryption being used. If this method is not set messages will be sent to the defined error handling routines (using `error_log`). Please see the examples and documentation for examples.
 * TravisCI now tests PHP 7.1 (Issue #671)
 * Fix middleware example fatal error (Issue #682)
 * Fix typo in the first README sentence (Issue #690)
 * Corrected DateInterval from 1 min to 1 month (Issue #709)
 ## 5.1.3 (released 2016-10-12)
 * Fixed WWW-Authenticate header (Issue #669)
 * Increase the recommended RSA key length from 1024 to 2048 bits (Issue #668)
 ## 5.1.2 (released 2016-09-19)
 * Fixed `finalizeScopes` call (Issue #650)
 ## 5.1.1 (released 2016-07-26)
 * Improved test suite (Issue #614)
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,7 +1,7 @@
 Thanks for contributing to this project.
-**Please submit your pull request against the `develop` branch only.**
+**Please submit your pull request against the `master` branch only.**
 Please ensure that you run `phpunit` from the project root after you've made any changes.
--- a/README.md
+++ b/README.md
@@ -1,5 +1,11 @@
 # PHP OAuth 2.0 Server
 ### :warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning:
 ### Security Notice 
 ### Please upgrade to version `>=5.1.6` (backwards compatible) or `6.x` (one tiny breaking change) to fix some potential security vulnerabilities - [visit this page for more information](https://oauth2.thephpleague.com/v5-security-improvements/)
 ### :warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning:
 [![Latest Version](http://img.shields.io/packagist/v/league/oauth2-server.svg?style=flat-square)](https://github.com/thephpleague/oauth2-server/releases)
 [![Software License](https://img.shields.io/badge/license-MIT-brightgreen.svg?style=flat-square)](LICENSE.md)
 [![Build Status](https://img.shields.io/travis/thephpleague/oauth2-server/master.svg?style=flat-square)](https://travis-ci.org/thephpleague/oauth2-server)
@@ -7,7 +13,7 @@
 [![Quality Score](https://img.shields.io/scrutinizer/g/thephpleague/oauth2-server.svg?style=flat-square)](https://scrutinizer-ci.com/g/thephpleague/oauth2-server)
 [![Total Downloads](https://img.shields.io/packagist/dt/league/oauth2-server.svg?style=flat-square)](https://packagist.org/packages/league/oauth2-server)
-`league/oauth2-server` is a a standards compliant implementation of an [OAuth 2.0](https://tools.ietf.org/html/rfc6749) authorization server written in PHP which makes working with OAuth 2.0 trivial. You can easily configure an OAuth 2.0 server to protect your API with access tokens, or allow clients to request new access tokens and refresh them.
+`league/oauth2-server` is a standards compliant implementation of an [OAuth 2.0](https://tools.ietf.org/html/rfc6749) authorization server written in PHP which makes working with OAuth 2.0 trivial. You can easily configure an OAuth 2.0 server to protect your API with access tokens, or allow clients to request new access tokens and refresh them.
 It supports out of the box the following grants:
@@ -30,10 +36,10 @@ This library was created by Alex Bilbie. Find him on Twitter at [@alexbilbie](ht
 The following versions of PHP are supported:
 * PHP 5.5 (>=5.5.9)
 * PHP 5.6
 * PHP 7.0
-* HHVM
+* PHP 7.1
 * PHP 7.2
 The `openssl` extension is also required.
@@ -56,6 +62,10 @@ Bugs and feature request are tracked on [GitHub](https://github.com/thephpleague
 If you have any questions about OAuth _please_ open a ticket here; please **don't** email the address below.
 <a target='_blank' rel='nofollow' href='https://app.codesponsor.io/link/N2YMJcLBppt2Eg9E1jGu4gef/thephpleague/oauth2-server'>
  <img alt='Sponsor' width='888' height='68' src='https://app.codesponsor.io/embed/N2YMJcLBppt2Eg9E1jGu4gef/thephpleague/oauth2-server.svg' />
 </a>
 ## Commercial Support
 If you would like help implementing this library into your existing platform, or would be interested in OAuth advice or training for you and your team please get in touch with [Glynde Labs](https://glyndelabs.com).
@@ -70,8 +80,13 @@ This package is released under the MIT License. See the bundled [LICENSE](https:
 ## Credits
-This code is principally developed and maintained by [Alex Bilbie](https://twitter.com/alexbilbie).
+This code is principally developed and maintained by [Andy Millington](https://twitter.com/Sephster), [Brian 
 Retterer](https://twitter.com/bretterer), and [Simon Hamp](https://twitter.com/simonhamp).
-Special thanks to [all of these awesome contributors](https://github.com/thephpleague/oauth2-server/contributors)
+Between 2012 and 2017 this library was developed and maintained by [Alex Bilbie](https://alexbilbie.com/).
 Special thanks to [all of these awesome contributors](https://github.com/thephpleague/oauth2-server/contributors).
 Additional thanks go to the [Mozilla Secure Open Source Fund](https://wiki.mozilla.org/MOSS/Secure_Open_Source) for funding a security audit of this library.
 The initial code was developed as part of the [Linkey](http://linkey.blogs.lincoln.ac.uk) project which was funded by [JISC](http://jisc.ac.uk) under the Access and Identity Management programme.
--- a/composer.json
+++ b/composer.json
@@ -4,18 +4,17 @@
    "homepage": "https://oauth2.thephpleague.com/",
    "license": "MIT",
    "require": {
-        "php": ">=5.5.9",
+        "php": ">=5.6.0",
        "ext-openssl": "*",
        "league/event": "^2.1",
        "lcobucci/jwt": "^3.1",
-        "paragonie/random_compat": "^1.1 || ^2.0",
+        "paragonie/random_compat": "^2.0",
        "psr/http-message": "^1.0",
-        "league/openid-connect-claims": "^1.1.0"
+        "defuse/php-encryption": "^2.1"
    },
    "require-dev": {
-        "phpunit/phpunit": "^4.8 || ^5.0",
+        "phpunit/phpunit": "^4.8.38 || ^5.7.21",
-        "zendframework/zend-diactoros": "^1.0",
+        "zendframework/zend-diactoros": "^1.0"
        "indigophp/hash-compat": "^1.1"
    },
    "repositories": [
        {
@@ -60,13 +59,5 @@
        "psr-4": {
            "LeagueTests\\": "tests/"
        }
    },
    "extra": {
        "branch-alias": {
            "dev-V5-WIP": "5.0-dev"
        }
    },
    "suggest": {
        "indigophp/hash-compat": "Polyfill for hash_equals function for PHP 5.5"
    }
 }
--- a/examples/README.md
+++ b/examples/README.md
@@ -3,7 +3,7 @@
 ## Installation
 0. Run `composer install` in this directory to install dependencies
-0. Create a private key `openssl genrsa -out private.key 1024`
+0. Create a private key `openssl genrsa -out private.key 2048`
 0. Create a public key `openssl rsa -in private.key -pubout > public.key`
 0. `cd` into the public directory
 0. Start a PHP server `php -S localhost:4444`
--- a/examples/composer.json
+++ b/examples/composer.json
@@ -5,8 +5,10 @@
    "require-dev": {
        "league/event": "^2.1",
        "lcobucci/jwt": "^3.1",
-        "paragonie/random_compat": "^1.1",
+        "paragonie/random_compat": "^2.0",
-        "psr/http-message": "^1.0"
+        "psr/http-message": "^1.0",
        "defuse/php-encryption": "^2.1",
        "zendframework/zend-diactoros": "^1.0"
    },
    "autoload": {
        "psr-4": {
--- a/examples/composer.lock
+++ b/examples/composer.lock
@@ -4,23 +4,25 @@
        "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
        "This file is @generated automatically"
    ],
-    "hash": "48bcb7a3514d7c7f271c554ba1440124",
+    "content-hash": "9813ed7c3b6dcf107f44df9392935b8f",
    "content-hash": "e41be75973527cb9d63f27ad14ac8624",
    "packages": [
        {
            "name": "container-interop/container-interop",
-            "version": "1.1.0",
+            "version": "1.2.0",
            "source": {
                "type": "git",
                "url": "https://github.com/container-interop/container-interop.git",
-                "reference": "fc08354828f8fd3245f77a66b9e23a6bca48297e"
+                "reference": "79cbf1341c22ec75643d841642dd5d6acd83bdb8"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/container-interop/container-interop/zipball/fc08354828f8fd3245f77a66b9e23a6bca48297e",
+                "url": "https://api.github.com/repos/container-interop/container-interop/zipball/79cbf1341c22ec75643d841642dd5d6acd83bdb8",
-                "reference": "fc08354828f8fd3245f77a66b9e23a6bca48297e",
+                "reference": "79cbf1341c22ec75643d841642dd5d6acd83bdb8",
                "shasum": ""
            },
            "require": {
                "psr/container": "^1.0"
            },
            "type": "library",
            "autoload": {
                "psr-4": {
@@ -32,7 +34,8 @@
                "MIT"
            ],
            "description": "Promoting the interoperability of container objects (DIC, SL, etc.)",
-            "time": "2014-12-30 15:22:37"
+            "homepage": "https://github.com/container-interop/container-interop",
            "time": "2017-02-14T19:40:03+00:00"
        },
        {
            "name": "nikic/fast-route",
@@ -75,7 +78,7 @@
                "router",
                "routing"
            ],
-            "time": "2015-06-18 19:15:47"
+            "time": "2015-06-18T19:15:47+00:00"
        },
        {
            "name": "pimple/pimple",
@@ -121,20 +124,69 @@
                "container",
                "dependency injection"
            ],
-            "time": "2015-09-11 15:10:35"
+            "time": "2015-09-11T15:10:35+00:00"
        },
        {
-            "name": "psr/http-message",
+            "name": "psr/container",
-            "version": "1.0",
+            "version": "1.0.0",
            "source": {
                "type": "git",
-                "url": "https://github.com/php-fig/http-message.git",
+                "url": "https://github.com/php-fig/container.git",
-                "reference": "85d63699f0dbedb190bbd4b0d2b9dc707ea4c298"
+                "reference": "b7ce3b176482dbbc1245ebf52b181af44c2cf55f"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/php-fig/http-message/zipball/85d63699f0dbedb190bbd4b0d2b9dc707ea4c298",
+                "url": "https://api.github.com/repos/php-fig/container/zipball/b7ce3b176482dbbc1245ebf52b181af44c2cf55f",
-                "reference": "85d63699f0dbedb190bbd4b0d2b9dc707ea4c298",
+                "reference": "b7ce3b176482dbbc1245ebf52b181af44c2cf55f",
                "shasum": ""
            },
            "require": {
                "php": ">=5.3.0"
            },
            "type": "library",
            "extra": {
                "branch-alias": {
                    "dev-master": "1.0.x-dev"
                }
            },
            "autoload": {
                "psr-4": {
                    "Psr\\Container\\": "src/"
                }
            },
            "notification-url": "https://packagist.org/downloads/",
            "license": [
                "MIT"
            ],
            "authors": [
                {
                    "name": "PHP-FIG",
                    "homepage": "http://www.php-fig.org/"
                }
            ],
            "description": "Common Container Interface (PHP FIG PSR-11)",
            "homepage": "https://github.com/php-fig/container",
            "keywords": [
                "PSR-11",
                "container",
                "container-interface",
                "container-interop",
                "psr"
            ],
            "time": "2017-02-14T16:28:37+00:00"
        },
        {
            "name": "psr/http-message",
            "version": "1.0.1",
            "source": {
                "type": "git",
                "url": "https://github.com/php-fig/http-message.git",
                "reference": "f6561bf28d520154e4b0ec72be95418abe6d9363"
            },
            "dist": {
                "type": "zip",
                "url": "https://api.github.com/repos/php-fig/http-message/zipball/f6561bf28d520154e4b0ec72be95418abe6d9363",
                "reference": "f6561bf28d520154e4b0ec72be95418abe6d9363",
                "shasum": ""
            },
            "require": {
@@ -162,6 +214,7 @@
                }
            ],
            "description": "Common interface for HTTP messages",
            "homepage": "https://github.com/php-fig/http-message",
            "keywords": [
                "http",
                "http-message",
@@ -170,7 +223,7 @@
                "request",
                "response"
            ],
-            "time": "2015-05-04 20:22:00"
+            "time": "2016-08-06T14:39:51+00:00"
        },
        {
            "name": "slim/slim",
@@ -236,22 +289,85 @@
                "micro",
                "router"
            ],
-            "time": "2015-12-07 14:11:09"
+            "time": "2015-12-07T14:11:09+00:00"
        }
    ],
    "packages-dev": [
        {
-            "name": "lcobucci/jwt",
+            "name": "defuse/php-encryption",
-            "version": "3.1.1",
+            "version": "v2.1.0",
            "source": {
                "type": "git",
-                "url": "https://github.com/lcobucci/jwt.git",
+                "url": "https://github.com/defuse/php-encryption.git",
-                "reference": "afea8e682e911a21574fd8519321b32522fa25b5"
+                "reference": "5176f5abb38d3ea8a6e3ac6cd3bbb54d8185a689"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/lcobucci/jwt/zipball/afea8e682e911a21574fd8519321b32522fa25b5",
+                "url": "https://api.github.com/repos/defuse/php-encryption/zipball/5176f5abb38d3ea8a6e3ac6cd3bbb54d8185a689",
-                "reference": "afea8e682e911a21574fd8519321b32522fa25b5",
+                "reference": "5176f5abb38d3ea8a6e3ac6cd3bbb54d8185a689",
                "shasum": ""
            },
            "require": {
                "ext-openssl": "*",
                "paragonie/random_compat": "~2.0",
                "php": ">=5.4.0"
            },
            "require-dev": {
                "nikic/php-parser": "^2.0|^3.0",
                "phpunit/phpunit": "^4|^5"
            },
            "bin": [
                "bin/generate-defuse-key"
            ],
            "type": "library",
            "autoload": {
                "psr-4": {
                    "Defuse\\Crypto\\": "src"
                }
            },
            "notification-url": "https://packagist.org/downloads/",
            "license": [
                "MIT"
            ],
            "authors": [
                {
                    "name": "Taylor Hornby",
                    "email": "taylor@defuse.ca",
                    "homepage": "https://defuse.ca/"
                },
                {
                    "name": "Scott Arciszewski",
                    "email": "info@paragonie.com",
                    "homepage": "https://paragonie.com"
                }
            ],
            "description": "Secure PHP Encryption Library",
            "keywords": [
                "aes",
                "authenticated encryption",
                "cipher",
                "crypto",
                "cryptography",
                "encrypt",
                "encryption",
                "openssl",
                "security",
                "symmetric key cryptography"
            ],
            "time": "2017-05-18T21:28:48+00:00"
        },
        {
            "name": "lcobucci/jwt",
            "version": "3.2.1",
            "source": {
                "type": "git",
                "url": "https://github.com/lcobucci/jwt.git",
                "reference": "ddce703826f9c5229781933b1a39069e38e6a0f3"
            },
            "dist": {
                "type": "zip",
                "url": "https://api.github.com/repos/lcobucci/jwt/zipball/ddce703826f9c5229781933b1a39069e38e6a0f3",
                "reference": "ddce703826f9c5229781933b1a39069e38e6a0f3",
                "shasum": ""
            },
            "require": {
@@ -259,7 +375,7 @@
                "php": ">=5.5"
            },
            "require-dev": {
-                "mdanter/ecc": "~0.3",
+                "mdanter/ecc": "~0.3.1",
                "mikey179/vfsstream": "~1.5",
                "phpmd/phpmd": "~2.2",
                "phpunit/php-invoker": "~1.1",
@@ -296,7 +412,7 @@
                "JWS",
                "jwt"
            ],
-            "time": "2016-03-24 22:46:13"
+            "time": "2016-10-31T20:09:32+00:00"
        },
        {
            "name": "league/event",
@@ -346,20 +462,20 @@
                "event",
                "listener"
            ],
-            "time": "2015-05-21 12:24:47"
+            "time": "2015-05-21T12:24:47+00:00"
        },
        {
            "name": "paragonie/random_compat",
-            "version": "v1.4.1",
+            "version": "v2.0.10",
            "source": {
                "type": "git",
                "url": "https://github.com/paragonie/random_compat.git",
-                "reference": "c7e26a21ba357863de030f0b9e701c7d04593774"
+                "reference": "634bae8e911eefa89c1abfbf1b66da679ac8f54d"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/paragonie/random_compat/zipball/c7e26a21ba357863de030f0b9e701c7d04593774",
+                "url": "https://api.github.com/repos/paragonie/random_compat/zipball/634bae8e911eefa89c1abfbf1b66da679ac8f54d",
-                "reference": "c7e26a21ba357863de030f0b9e701c7d04593774",
+                "reference": "634bae8e911eefa89c1abfbf1b66da679ac8f54d",
                "shasum": ""
            },
            "require": {
@@ -394,7 +510,7 @@
                "pseudorandom",
                "random"
            ],
-            "time": "2016-03-18 20:34:03"
+            "time": "2017-03-13T16:27:32+00:00"
        }
    ],
    "aliases": [],
--- a/examples/public/api.php
+++ b/examples/public/api.php
@@ -31,7 +31,6 @@ $app->add(
 $app->get(
    '/users',
    function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
        $users = [
            [
                'id'    => 123,
@@ -70,4 +69,4 @@ $app->get(
    }
 );
-$app->run();
+$app->run();
--- a/examples/public/auth_code.php
+++ b/examples/public/auth_code.php
@@ -36,7 +36,6 @@ $app = new App([
        $refreshTokenRepository = new RefreshTokenRepository();
        $privateKeyPath = 'file://' . __DIR__ . '/../private.key';
        $publicKeyPath = 'file://' . __DIR__ . '/../public.key';
        // Setup the authorization server
        $server = new AuthorizationServer(
@@ -44,7 +43,7 @@ $app = new App([
            $accessTokenRepository,
            $scopeRepository,
            $privateKeyPath,
-            $publicKeyPath
+            'lxZFUEsBCJ2Yb14IF2ygAHI5N4+ZAUXXaSeeJm6+twsUmIen'
        );
        // Enable the authentication code grant on the server with a token TTL of 1 hour
--- a/examples/public/client_credentials.php
+++ b/examples/public/client_credentials.php
@@ -30,9 +30,8 @@ $app = new App([
        $accessTokenRepository = new AccessTokenRepository(); // instance of AccessTokenRepositoryInterface
        // Path to public and private keys
-        $privateKey = 'file://'.__DIR__.'/../private.key';
+        $privateKey = 'file://' . __DIR__ . '/../private.key';
        //$privateKey = new CryptKey('file://path/to/private.key', 'passphrase'); // if private key has a pass phrase
        $publicKey = 'file://'.__DIR__.'/../public.key';
        // Setup the authorization server
        $server = new AuthorizationServer(
@@ -40,7 +39,7 @@ $app = new App([
            $accessTokenRepository,
            $scopeRepository,
            $privateKey,
-            $publicKey
+            'lxZFUEsBCJ2Yb14IF2ygAHI5N4+ZAUXXaSeeJm6+twsUmIen'
        );
        // Enable the client credentials grant on the server
--- a/examples/public/implicit.php
+++ b/examples/public/implicit.php
@@ -32,7 +32,6 @@ $app = new App([
        $accessTokenRepository = new AccessTokenRepository();
        $privateKeyPath = 'file://' . __DIR__ . '/../private.key';
        $publicKeyPath = 'file://' . __DIR__ . '/../public.key';
        // Setup the authorization server
        $server = new AuthorizationServer(
@@ -40,8 +39,9 @@ $app = new App([
            $accessTokenRepository,
            $scopeRepository,
            $privateKeyPath,
-            $publicKeyPath
+            'lxZFUEsBCJ2Yb14IF2ygAHI5N4+ZAUXXaSeeJm6+twsUmIen'
        );
        $server->setEncryptionKey('lxZFUEsBCJ2Yb14IF2ygAHI5N4+ZAUXXaSeeJm6+twsUmIen');
        // Enable the implicit grant on the server with a token TTL of 1 hour
        $server->enableGrantType(new ImplicitGrant(new \DateInterval('PT1H')));
--- a/examples/public/middleware_use.php
+++ b/examples/public/middleware_use.php
@@ -12,6 +12,7 @@ use League\OAuth2\Server\Grant\AuthCodeGrant;
 use League\OAuth2\Server\Grant\RefreshTokenGrant;
 use League\OAuth2\Server\Middleware\AuthorizationServerMiddleware;
 use League\OAuth2\Server\Middleware\ResourceServerMiddleware;
 use League\OAuth2\Server\ResourceServer;
 use OAuth2ServerExamples\Repositories\AccessTokenRepository;
 use OAuth2ServerExamples\Repositories\AuthCodeRepository;
 use OAuth2ServerExamples\Repositories\ClientRepository;
@@ -37,7 +38,6 @@ $app = new App([
        $refreshTokenRepository = new RefreshTokenRepository();
        $privateKeyPath = 'file://' . __DIR__ . '/../private.key';
        $publicKeyPath = 'file://' . __DIR__ . '/../public.key';
        // Setup the authorization server
        $server = new AuthorizationServer(
@@ -45,7 +45,7 @@ $app = new App([
            $accessTokenRepository,
            $scopeRepository,
            $privateKeyPath,
-            $publicKeyPath
+            'lxZFUEsBCJ2Yb14IF2ygAHI5N4+ZAUXXaSeeJm6+twsUmIen'
        );
        // Enable the authentication code grant on the server with a token TTL of 1 hour
@@ -61,7 +61,17 @@ $app = new App([
        // Enable the refresh token grant on the server with a token TTL of 1 month
        $server->enableGrantType(
            new RefreshTokenGrant($refreshTokenRepository),
-            new \DateInterval('PT1M')
+            new \DateInterval('P1M')
        );
        return $server;
    },
    ResourceServer::class => function () {
        $publicKeyPath = 'file://' . __DIR__ . '/../public.key';
        $server = new ResourceServer(
            new AccessTokenRepository(),
            $publicKeyPath
        );
        return $server;
@@ -94,6 +104,6 @@ $app->group('/api', function () {
        return $response->withBody($body);
    });
-})->add(new ResourceServerMiddleware($app->getContainer()->get(AuthorizationServer::class)));
+})->add(new ResourceServerMiddleware($app->getContainer()->get(ResourceServer::class)));
 $app->run();
--- a/examples/public/password.php
+++ b/examples/public/password.php
@@ -23,8 +23,8 @@ $app = new App([
            new ClientRepository(),                 // instance of ClientRepositoryInterface
            new AccessTokenRepository(),            // instance of AccessTokenRepositoryInterface
            new ScopeRepository(),                  // instance of ScopeRepositoryInterface
-            'file://'.__DIR__.'/../private.key',    // path to private key
+            'file://' . __DIR__ . '/../private.key',    // path to private key
-            'file://'.__DIR__.'/../public.key'      // path to public key
+            'lxZFUEsBCJ2Yb14IF2ygAHI5N4+ZAUXXaSeeJm6+twsUmIen'      // encryption key
        );
        $grant = new PasswordGrant(
@@ -54,19 +54,17 @@ $app->post(
            // Try to respond to the access token request
            return $server->respondToAccessTokenRequest($request, $response);
        } catch (OAuthServerException $exception) {
            // All instances of OAuthServerException can be converted to a PSR-7 response
            return $exception->generateHttpResponse($response);
        } catch (\Exception $exception) {
            // Catch unexpected exceptions
            $body = $response->getBody();
            $body->write($exception->getMessage());
            return $response->withStatus(500)->withBody($body);
            return $response->withStatus(500)->withBody($body);
        }
    }
 );
--- a/examples/public/refresh_token.php
+++ b/examples/public/refresh_token.php
@@ -17,7 +17,6 @@ use OAuth2ServerExamples\Repositories\ScopeRepository;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use Slim\App;
 use Zend\Diactoros\Stream;
 include __DIR__ . '/../vendor/autoload.php';
@@ -33,7 +32,6 @@ $app = new App([
        $refreshTokenRepository = new RefreshTokenRepository();
        $privateKeyPath = 'file://' . __DIR__ . '/../private.key';
        $publicKeyPath = 'file://' . __DIR__ . '/../public.key';
        // Setup the authorization server
        $server = new AuthorizationServer(
@@ -41,7 +39,7 @@ $app = new App([
            $accessTokenRepository,
            $scopeRepository,
            $privateKeyPath,
-            $publicKeyPath
+            'lxZFUEsBCJ2Yb14IF2ygAHI5N4+ZAUXXaSeeJm6+twsUmIen'
        );
        // Enable the refresh token grant on the server
@@ -66,10 +64,9 @@ $app->post('/access_token', function (ServerRequestInterface $request, ResponseI
    } catch (OAuthServerException $exception) {
        return $exception->generateHttpResponse($response);
    } catch (\Exception $exception) {
-        $body = new Stream('php://temp', 'r+');
+        $response->getBody()->write($exception->getMessage());
        $body->write($exception->getMessage());
-        return $response->withStatus(500)->withBody($body);
+        return $response->withStatus(500);
    }
 });
--- a/examples/src/Repositories/ScopeRepository.php
+++ b/examples/src/Repositories/ScopeRepository.php
@@ -54,7 +54,7 @@ class ScopeRepository implements ScopeRepositoryInterface
            $scope->setIdentifier('email');
            $scopes[] = $scope;
        }
-        
+
        return $scopes;
    }
 }
--- a/src/AuthorizationServer.php
+++ b/src/AuthorizationServer.php
@@ -66,6 +66,16 @@ class AuthorizationServer implements EmitterAwareInterface
     */
    private $scopeRepository;
    /**
     * @var string
     */
    private $encryptionKey;
    /**
     * @var string
     */
    private $defaultScope = '';
    /**
     * New server instance.
     *
@@ -73,7 +83,7 @@ class AuthorizationServer implements EmitterAwareInterface
     * @param AccessTokenRepositoryInterface $accessTokenRepository
     * @param ScopeRepositoryInterface       $scopeRepository
     * @param CryptKey|string                $privateKey
-     * @param CryptKey|string                $publicKey
+     * @param string                         $encryptionKey
     * @param null|ResponseTypeInterface     $responseType
     */
    public function __construct(
@@ -81,7 +91,7 @@ class AuthorizationServer implements EmitterAwareInterface
        AccessTokenRepositoryInterface $accessTokenRepository,
        ScopeRepositoryInterface $scopeRepository,
        $privateKey,
-        $publicKey,
+        $encryptionKey,
        ResponseTypeInterface $responseType = null
    ) {
        $this->clientRepository = $clientRepository;
@@ -92,12 +102,7 @@ class AuthorizationServer implements EmitterAwareInterface
            $privateKey = new CryptKey($privateKey);
        }
        $this->privateKey = $privateKey;
-
+        $this->encryptionKey = $encryptionKey;
        if ($publicKey instanceof CryptKey === false) {
            $publicKey = new CryptKey($publicKey);
        }
        $this->publicKey = $publicKey;
        $this->responseType = $responseType;
    }
@@ -116,9 +121,10 @@ class AuthorizationServer implements EmitterAwareInterface
        $grantType->setAccessTokenRepository($this->accessTokenRepository);
        $grantType->setClientRepository($this->clientRepository);
        $grantType->setScopeRepository($this->scopeRepository);
        $grantType->setDefaultScope($this->defaultScope);
        $grantType->setPrivateKey($this->privateKey);
        $grantType->setPublicKey($this->publicKey);
        $grantType->setEmitter($this->getEmitter());
        $grantType->setEncryptionKey($this->encryptionKey);
        $this->enabledGrantTypes[$grantType->getIdentifier()] = $grantType;
        $this->grantTypeAccessTokenTTL[$grantType->getIdentifier()] = $accessTokenTTL;
@@ -172,17 +178,19 @@ class AuthorizationServer implements EmitterAwareInterface
    public function respondToAccessTokenRequest(ServerRequestInterface $request, ResponseInterface $response)
    {
        foreach ($this->enabledGrantTypes as $grantType) {
-            if ($grantType->canRespondToAccessTokenRequest($request)) {
+            if (!$grantType->canRespondToAccessTokenRequest($request)) {
-                $tokenResponse = $grantType->respondToAccessTokenRequest(
+                continue;
                    $request,
                    $this->getResponseType(),
                    $this->grantTypeAccessTokenTTL[$grantType->getIdentifier()]
                );
                if ($tokenResponse instanceof ResponseTypeInterface) {
                    return $tokenResponse->generateHttpResponse($response);
                }
            }
            $tokenResponse = $grantType->respondToAccessTokenRequest(
                $request,
                $this->getResponseType(),
                $this->grantTypeAccessTokenTTL[$grantType->getIdentifier()]
            );
            if ($tokenResponse instanceof ResponseTypeInterface) {
                return $tokenResponse->generateHttpResponse($response);
            }
        }
        throw OAuthServerException::unsupportedGrantType();
@@ -200,7 +208,18 @@ class AuthorizationServer implements EmitterAwareInterface
        }
        $this->responseType->setPrivateKey($this->privateKey);
        $this->responseType->setEncryptionKey($this->encryptionKey);
        return $this->responseType;
    }
    /**
     * Set the default scope for the authorization server.
     *
     * @param string $defaultScope
     */
    public function setDefaultScope($defaultScope)
    {
        $this->defaultScope = $defaultScope;
    }
 }
--- a/src/AuthorizationValidators/BearerTokenValidator.php
+++ b/src/AuthorizationValidators/BearerTokenValidator.php
@@ -12,6 +12,7 @@ namespace League\OAuth2\Server\AuthorizationValidators;
 use Lcobucci\JWT\Parser;
 use Lcobucci\JWT\Signer\Rsa\Sha256;
 use Lcobucci\JWT\ValidationData;
 use League\OAuth2\Server\CryptKey;
 use League\OAuth2\Server\CryptTrait;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
@@ -26,6 +27,11 @@ class BearerTokenValidator implements AuthorizationValidatorInterface
     */
    private $accessTokenRepository;
    /**
     * @var \League\OAuth2\Server\CryptKey
     */
    protected $publicKey;
    /**
     * @param AccessTokenRepositoryInterface $accessTokenRepository
     */
@@ -34,6 +40,16 @@ class BearerTokenValidator implements AuthorizationValidatorInterface
        $this->accessTokenRepository = $accessTokenRepository;
    }
    /**
     * Set the public key
     *
     * @param \League\OAuth2\Server\CryptKey $key
     */
    public function setPublicKey(CryptKey $key)
    {
        $this->publicKey = $key;
    }
    /**
     * {@inheritdoc}
     */
@@ -75,7 +91,7 @@ class BearerTokenValidator implements AuthorizationValidatorInterface
        } catch (\InvalidArgumentException $exception) {
            // JWT couldn't be parsed so return the request as is
            throw OAuthServerException::accessDenied($exception->getMessage());
-        } catch(\RuntimeException $exception){
+        } catch (\RuntimeException $exception) {
            //JWR couldn't be parsed so return the request as is
            throw OAuthServerException::accessDenied('Error while decoding to JSON');
        }
--- a/src/CryptKey.php
+++ b/src/CryptKey.php
@@ -29,8 +29,9 @@ class CryptKey
    /**
     * @param string      $keyPath
     * @param null|string $passPhrase
     * @param bool        $keyPermissionsCheck
     */
-    public function __construct($keyPath, $passPhrase = null)
+    public function __construct($keyPath, $passPhrase = null, $keyPermissionsCheck = true)
    {
        if (preg_match(self::RSA_KEY_PATTERN, $keyPath)) {
            $keyPath = $this->saveKeyToFile($keyPath);
@@ -44,6 +45,18 @@ class CryptKey
            throw new \LogicException(sprintf('Key path "%s" does not exist or is not readable', $keyPath));
        }
        if ($keyPermissionsCheck === true) {
            // Verify the permissions of the key
            $keyPathPerms = decoct(fileperms($keyPath) & 0777);
            if (in_array($keyPathPerms, ['600', '660'], true) === false) {
                trigger_error(sprintf(
                    'Key file "%s" permissions are not correct, should be 600 or 660 instead of %s',
                    $keyPath,
                    $keyPathPerms
                ), E_USER_NOTICE);
            }
        }
        $this->keyPath = $keyPath;
        $this->passPhrase = $passPhrase;
    }
@@ -57,15 +70,26 @@ class CryptKey
     */
    private function saveKeyToFile($key)
    {
-        $keyPath = sys_get_temp_dir() . '/' . sha1($key) . '.key';
+        $tmpDir = sys_get_temp_dir();
        $keyPath = $tmpDir . '/' . sha1($key) . '.key';
        if (!file_exists($keyPath) && !touch($keyPath)) {
            // @codeCoverageIgnoreStart
-            throw new \RuntimeException('"%s" key file could not be created', $keyPath);
+            throw new \RuntimeException(sprintf('"%s" key file could not be created', $keyPath));
            // @codeCoverageIgnoreEnd
        }
-        file_put_contents($keyPath, $key);
+        if (file_put_contents($keyPath, $key) === false) {
            // @codeCoverageIgnoreStart
            throw new \RuntimeException(sprintf('Unable to write key file to temporary directory "%s"', $tmpDir));
            // @codeCoverageIgnoreEnd
        }
        if (chmod($keyPath, 0600) === false) {
            // @codeCoverageIgnoreStart
            throw new \RuntimeException(sprintf('The key file "%s" file mode could not be changed with chmod to 600', $keyPath));
            // @codeCoverageIgnoreEnd
        }
        return 'file://' . $keyPath;
    }
--- a/src/CryptTrait.php
+++ b/src/CryptTrait.php
@@ -11,37 +11,14 @@
 namespace League\OAuth2\Server;
 use Defuse\Crypto\Crypto;
 trait CryptTrait
 {
    /**
-     * @var CryptKey
+     * @var string
     */
-    protected $privateKey;
+    protected $encryptionKey;
    /**
     * @var CryptKey
     */
    protected $publicKey;
    /**
     * Set path to private key.
     *
     * @param CryptKey $privateKey
     */
    public function setPrivateKey(CryptKey $privateKey)
    {
        $this->privateKey = $privateKey;
    }
    /**
     * Set path to public key.
     *
     * @param CryptKey $publicKey
     */
    public function setPublicKey(CryptKey $publicKey)
    {
        $this->publicKey = $publicKey;
    }
    /**
     * Encrypt data with a private key.
@@ -54,30 +31,11 @@ trait CryptTrait
     */
    protected function encrypt($unencryptedData)
    {
-        $privateKey = openssl_pkey_get_private($this->privateKey->getKeyPath(), $this->privateKey->getPassPhrase());
+        try {
-        $privateKeyDetails = @openssl_pkey_get_details($privateKey);
+            return Crypto::encryptWithPassword($unencryptedData, $this->encryptionKey);
-        if ($privateKeyDetails === null) {
+        } catch (\Exception $e) {
-            throw new \LogicException(
+            throw new \LogicException($e->getMessage());
                sprintf('Could not get details of private key: %s', $this->privateKey->getKeyPath())
            );
        }
        $chunkSize = ceil($privateKeyDetails['bits'] / 8) - 11;
        $output = '';
        while ($unencryptedData) {
            $chunk = substr($unencryptedData, 0, $chunkSize);
            $unencryptedData = substr($unencryptedData, $chunkSize);
            if (openssl_private_encrypt($chunk, $encrypted, $privateKey) === false) {
                // @codeCoverageIgnoreStart
                throw new \LogicException('Failed to encrypt data');
                // @codeCoverageIgnoreEnd
            }
            $output .= $encrypted;
        }
        openssl_pkey_free($privateKey);
        return base64_encode($output);
    }
    /**
@@ -91,31 +49,20 @@ trait CryptTrait
     */
    protected function decrypt($encryptedData)
    {
-        $publicKey = openssl_pkey_get_public($this->publicKey->getKeyPath());
+        try {
-        $publicKeyDetails = @openssl_pkey_get_details($publicKey);
+            return Crypto::decryptWithPassword($encryptedData, $this->encryptionKey);
-        if ($publicKeyDetails === null) {
+        } catch (\Exception $e) {
-            throw new \LogicException(
+            throw new \LogicException($e->getMessage());
                sprintf('Could not get details of public key: %s', $this->publicKey->getKeyPath())
            );
        }
    }
-        $chunkSize = ceil($publicKeyDetails['bits'] / 8);
+    /**
-        $output = '';
+     * Set the encryption key
-
+     *
-        $encryptedData = base64_decode($encryptedData);
+     * @param string $key
-
+     */
-        while ($encryptedData) {
+    public function setEncryptionKey($key = null)
-            $chunk = substr($encryptedData, 0, $chunkSize);
+    {
-            $encryptedData = substr($encryptedData, $chunkSize);
+        $this->encryptionKey = $key;
            if (openssl_public_decrypt($chunk, $decrypted, $publicKey/*, OPENSSL_PKCS1_OAEP_PADDING*/) === false) {
                // @codeCoverageIgnoreStart
                throw new \LogicException('Failed to decrypt data');
                // @codeCoverageIgnoreEnd
            }
            $output .= $decrypted;
        }
        openssl_pkey_free($publicKey);
        return $output;
    }
 }
--- a/src/Exception/OAuthServerException.php
+++ b/src/Exception/OAuthServerException.php
@@ -105,7 +105,15 @@ class OAuthServerException extends \Exception
    public static function invalidScope($scope, $redirectUri = null)
    {
        $errorMessage = 'The requested scope is invalid, unknown, or malformed';
-        $hint = sprintf('Check the `%s` scope', $scope);
+
        if (empty($scope)) {
            $hint = 'Specify a scope in the request or set a default scope';
        } else {
            $hint = sprintf(
                'Check the `%s` scope',
                htmlspecialchars($scope, ENT_QUOTES, 'UTF-8', false)
            );
        }
        return new static($errorMessage, 5, 'invalid_scope', 400, $hint, $redirectUri);
    }
@@ -149,7 +157,7 @@ class OAuthServerException extends \Exception
     */
    public static function invalidRefreshToken($hint = null)
    {
-        return new static('The refresh token is invalid.', 8, 'invalid_request', 400, $hint);
+        return new static('The refresh token is invalid.', 8, 'invalid_request', 401, $hint);
    }
    /**
@@ -267,7 +275,7 @@ class OAuthServerException extends \Exception
            ) {
                $authScheme = 'Bearer';
            }
-            $headers[] = 'WWW-Authenticate: ' . $authScheme . ' realm="OAuth"';
+            $headers['WWW-Authenticate'] = $authScheme . ' realm="OAuth"';
        }
        // @codeCoverageIgnoreEnd
        return $headers;
--- a/src/Exception/UniqueTokenIdentifierConstraintViolationException.php
+++ b/src/Exception/UniqueTokenIdentifierConstraintViolationException.php
@@ -9,7 +9,6 @@
 namespace League\OAuth2\Server\Exception;
 class UniqueTokenIdentifierConstraintViolationException extends OAuthServerException
 {
    public static function create()
--- a/src/Grant/AbstractGrant.php
+++ b/src/Grant/AbstractGrant.php
@@ -11,6 +11,7 @@
 namespace League\OAuth2\Server\Grant;
 use League\Event\EmitterAwareTrait;
 use League\OAuth2\Server\CryptKey;
 use League\OAuth2\Server\CryptTrait;
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 use League\OAuth2\Server\Entities\AuthCodeEntityInterface;
@@ -75,6 +76,16 @@ abstract class AbstractGrant implements GrantTypeInterface
     */
    protected $refreshTokenTTL;
    /**
     * @var \League\OAuth2\Server\CryptKey
     */
    protected $privateKey;
    /**
     * @string
     */
    protected $defaultScope;
    /**
     * @param ClientRepositoryInterface $clientRepository
     */
@@ -131,6 +142,24 @@ abstract class AbstractGrant implements GrantTypeInterface
        $this->refreshTokenTTL = $refreshTokenTTL;
    }
    /**
     * Set the private key
     *
     * @param \League\OAuth2\Server\CryptKey $key
     */
    public function setPrivateKey(CryptKey $key)
    {
        $this->privateKey = $key;
    }
    /**
     * @param string $scope
     */
    public function setDefaultScope($scope)
    {
        $this->defaultScope = $scope;
    }
    /**
     * Validate the client.
     *
@@ -195,18 +224,14 @@ abstract class AbstractGrant implements GrantTypeInterface
     *
     * @return ScopeEntityInterface[]
     */
-    public function validateScopes(
+    public function validateScopes($scopes, $redirectUri = null)
-        $scopes,
+    {
-        $redirectUri = null
+        $scopesList = array_filter(explode(self::SCOPE_DELIMITER_STRING, trim($scopes)), function ($scope) {
-    ) {
+            return !empty($scope);
-        $scopesList = array_filter(
+        });
-            explode(self::SCOPE_DELIMITER_STRING, trim($scopes)),
+
-            function ($scope) {
+        $validScopes = [];
                return !empty($scope);
            }
        );
        $scopes = [];
        foreach ($scopesList as $scopeItem) {
            $scope = $this->scopeRepository->getScopeEntityByIdentifier($scopeItem);
@@ -214,10 +239,14 @@ abstract class AbstractGrant implements GrantTypeInterface
                throw OAuthServerException::invalidScope($scopeItem, $redirectUri);
            }
-            $scopes[] = $scope;
+            $validScopes[] = $scope;
        }
-        return $scopes;
+        if (empty($validScopes)) {
            throw OAuthServerException::invalidScope('', $redirectUri);
        }
        return $validScopes;
    }
    /**
@@ -345,6 +374,7 @@ abstract class AbstractGrant implements GrantTypeInterface
            $accessToken->setIdentifier($this->generateUniqueIdentifier());
            try {
                $this->accessTokenRepository->persistNewAccessToken($accessToken);
                return $accessToken;
            } catch (UniqueTokenIdentifierConstraintViolationException $e) {
                if ($maxGenerationAttempts === 0) {
@@ -391,6 +421,7 @@ abstract class AbstractGrant implements GrantTypeInterface
            $authCode->setIdentifier($this->generateUniqueIdentifier());
            try {
                $this->authCodeRepository->persistNewAuthCode($authCode);
                return $authCode;
            } catch (UniqueTokenIdentifierConstraintViolationException $e) {
                if ($maxGenerationAttempts === 0) {
@@ -420,6 +451,7 @@ abstract class AbstractGrant implements GrantTypeInterface
            $refreshToken->setIdentifier($this->generateUniqueIdentifier());
            try {
                $this->refreshTokenRepository->persistNewRefreshToken($refreshToken);
                return $refreshToken;
            } catch (UniqueTokenIdentifierConstraintViolationException $e) {
                if ($maxGenerationAttempts === 0) {
--- a/src/Grant/AuthCodeGrant.php
+++ b/src/Grant/AuthCodeGrant.php
@@ -144,7 +144,7 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
                case 'S256':
                    if (
                        hash_equals(
-                            urlencode(base64_encode(hash('sha256', $codeVerifier))),
+                            hash('sha256', strtr(rtrim(base64_encode($codeVerifier), '='), '+/', '-_')),
                            $authCodePayload->code_challenge
                        ) === false
                    ) {
@@ -240,10 +240,15 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
                $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
                throw OAuthServerException::invalidClient();
            }
        } elseif (is_array($client->getRedirectUri()) && count($client->getRedirectUri()) !== 1
            || empty($client->getRedirectUri())
        ) {
            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
            throw OAuthServerException::invalidClient();
        }
        $scopes = $this->validateScopes(
-            $this->getQueryStringParameter('scope', $request),
+            $this->getQueryStringParameter('scope', $request, $this->defaultScope),
            is_array($client->getRedirectUri())
                ? $client->getRedirectUri()[0]
                : $client->getRedirectUri()
@@ -264,6 +269,13 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
                throw OAuthServerException::invalidRequest('code_challenge');
            }
            if (preg_match('/^[A-Za-z0-9-._~]{43,128}$/', $codeChallenge) !== 1) {
                throw OAuthServerException::invalidRequest(
                    'code_challenge',
                    'The code_challenge must be between 43 and 128 characters'
                );
            }
            $codeChallengeMethod = $this->getQueryStringParameter('code_challenge_method', $request, 'plain');
            if (in_array($codeChallengeMethod, ['plain', 'S256']) === false) {
                throw OAuthServerException::invalidRequest(
@@ -304,6 +316,17 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
                $authorizationRequest->getScopes()
            );
            $payload = [
                'client_id'             => $authCode->getClient()->getIdentifier(),
                'redirect_uri'          => $authCode->getRedirectUri(),
                'auth_code_id'          => $authCode->getIdentifier(),
                'scopes'                => $authCode->getScopes(),
                'user_id'               => $authCode->getUserIdentifier(),
                'expire_time'           => (new \DateTime())->add($this->authCodeTTL)->format('U'),
                'code_challenge'        => $authorizationRequest->getCodeChallenge(),
                'code_challenge_method' => $authorizationRequest->getCodeChallengeMethod(),
            ];
            $response = new RedirectResponse();
            $response->setRedirectUri(
                $this->makeRedirectUri(
@@ -311,16 +334,7 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
                    [
                        'code'  => $this->encrypt(
                            json_encode(
-                                [
+                                $payload
                                    'client_id'               => $authCode->getClient()->getIdentifier(),
                                    'redirect_uri'            => $authCode->getRedirectUri(),
                                    'auth_code_id'            => $authCode->getIdentifier(),
                                    'scopes'                  => $authCode->getScopes(),
                                    'user_id'                 => $authCode->getUserIdentifier(),
                                    'expire_time'             => (new \DateTime())->add($this->authCodeTTL)->format('U'),
                                    'code_challenge'          => $authorizationRequest->getCodeChallenge(),
                                    'code_challenge_method  ' => $authorizationRequest->getCodeChallengeMethod(),
                                ]
                            )
                        ),
                        'state' => $authorizationRequest->getState(),
--- a/src/Grant/ClientCredentialsGrant.php
+++ b/src/Grant/ClientCredentialsGrant.php
@@ -29,13 +29,13 @@ class ClientCredentialsGrant extends AbstractGrant
    ) {
        // Validate request
        $client = $this->validateClient($request);
-        $scopes = $this->validateScopes($this->getRequestParameter('scope', $request));
+        $scopes = $this->validateScopes($this->getRequestParameter('scope', $request, $this->defaultScope));
        // Finalize the requested scopes
-        $scopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client);
+        $finalizedScopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client);
        // Issue and persist access token
-        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, null, $scopes);
+        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, null, $finalizedScopes);
        // Inject access token into response type
        $responseType->setAccessToken($accessToken);
--- a/src/Grant/GrantTypeInterface.php
+++ b/src/Grant/GrantTypeInterface.php
@@ -119,6 +119,13 @@ interface GrantTypeInterface extends EmitterAwareInterface
     */
    public function setScopeRepository(ScopeRepositoryInterface $scopeRepository);
    /**
     * Set the default scope.
     *
     * @param string $scope
     */
    public function setDefaultScope($scope);
    /**
     * Set the path to the private key.
     *
@@ -127,9 +134,9 @@ interface GrantTypeInterface extends EmitterAwareInterface
    public function setPrivateKey(CryptKey $privateKey);
    /**
-     * Set the path to the public key.
+     * Set the encryption key
     *
-     * @param CryptKey $publicKey
+     * @param string|null $key
     */
-    public function setPublicKey(CryptKey $publicKey);
+    public function setEncryptionKey($key = null);
 }
--- a/src/Grant/ImplicitGrant.php
+++ b/src/Grant/ImplicitGrant.php
@@ -27,11 +27,18 @@ class ImplicitGrant extends AbstractAuthorizeGrant
    private $accessTokenTTL;
    /**
-     * @param \DateInterval $accessTokenTTL
+     * @var string
     */
-    public function __construct(\DateInterval $accessTokenTTL)
+    private $queryDelimiter;
    /**
     * @param \DateInterval $accessTokenTTL
     * @param string $queryDelimiter
     */
    public function __construct(\DateInterval $accessTokenTTL, $queryDelimiter = '#')
    {
        $this->accessTokenTTL = $accessTokenTTL;
        $this->queryDelimiter = $queryDelimiter;
    }
    /**
@@ -95,7 +102,7 @@ class ImplicitGrant extends AbstractAuthorizeGrant
    public function canRespondToAuthorizationRequest(ServerRequestInterface $request)
    {
        return (
-            array_key_exists('response_type', $request->getQueryParams())
+            isset($request->getQueryParams()['response_type'])
            && $request->getQueryParams()['response_type'] === 'token'
            && isset($request->getQueryParams()['client_id'])
        );
@@ -142,15 +149,27 @@ class ImplicitGrant extends AbstractAuthorizeGrant
                $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
                throw OAuthServerException::invalidClient();
            }
        } elseif (is_array($client->getRedirectUri()) && count($client->getRedirectUri()) !== 1
            || empty($client->getRedirectUri())
        ) {
            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
            throw OAuthServerException::invalidClient();
        }
        $scopes = $this->validateScopes(
-            $this->getQueryStringParameter('scope', $request),
+            $this->getQueryStringParameter('scope', $request, $this->defaultScope),
            is_array($client->getRedirectUri())
                ? $client->getRedirectUri()[0]
                : $client->getRedirectUri()
        );
        // Finalize the requested scopes
        $finalizedScopes = $this->scopeRepository->finalizeScopes(
            $scopes,
            $this->getIdentifier(),
            $client
        );
        $stateParameter = $this->getQueryStringParameter('state', $request);
        $authorizationRequest = new AuthorizationRequest();
@@ -158,7 +177,7 @@ class ImplicitGrant extends AbstractAuthorizeGrant
        $authorizationRequest->setClient($client);
        $authorizationRequest->setRedirectUri($redirectUri);
        $authorizationRequest->setState($stateParameter);
-        $authorizationRequest->setScopes($scopes);
+        $authorizationRequest->setScopes($finalizedScopes);
        return $authorizationRequest;
    }
@@ -193,11 +212,11 @@ class ImplicitGrant extends AbstractAuthorizeGrant
                    $finalRedirectUri,
                    [
                        'access_token' => (string) $accessToken->convertToJWT($this->privateKey),
-                        'token_type'   => 'bearer',
+                        'token_type'   => 'Bearer',
                        'expires_in'   => $accessToken->getExpiryDateTime()->getTimestamp() - (new \DateTime())->getTimestamp(),
                        'state'        => $authorizationRequest->getState(),
                    ],
-                    '#'
+                    $this->queryDelimiter
                )
            );
--- a/src/Grant/PasswordGrant.php
+++ b/src/Grant/PasswordGrant.php
@@ -49,14 +49,14 @@ class PasswordGrant extends AbstractGrant
    ) {
        // Validate request
        $client = $this->validateClient($request);
-        $scopes = $this->validateScopes($this->getRequestParameter('scope', $request));
+        $scopes = $this->validateScopes($this->getRequestParameter('scope', $request, $this->defaultScope));
        $user = $this->validateUser($request, $client);
        // Finalize the requested scopes
-        $scopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client, $user->getIdentifier());
+        $finalizedScopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client, $user->getIdentifier());
        // Issue and persist new tokens
-        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $user->getIdentifier(), $scopes);
+        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $user->getIdentifier(), $finalizedScopes);
        $refreshToken = $this->issueRefreshToken($accessToken);
        // Inject tokens into response
--- a/src/Grant/RefreshTokenGrant.php
+++ b/src/Grant/RefreshTokenGrant.php
@@ -44,28 +44,17 @@ class RefreshTokenGrant extends AbstractGrant
        // Validate request
        $client = $this->validateClient($request);
        $oldRefreshToken = $this->validateOldRefreshToken($request, $client->getIdentifier());
-        $scopes = $this->validateScopes($this->getRequestParameter('scope', $request));
+        $scopes = $this->validateScopes($this->getRequestParameter(
            'scope',
            $request,
            implode(self::SCOPE_DELIMITER_STRING, $oldRefreshToken['scopes']))
        );
-        // If no new scopes are requested then give the access token the original session scopes
+        // The OAuth spec says that a refreshed access token can have the original scopes or fewer so ensure
-        if (count($scopes) === 0) {
+        // the request doesn't include any new scopes
-            $scopes = array_map(function ($scopeId) use ($client) {
+        foreach ($scopes as $scope) {
-                $scope = $this->scopeRepository->getScopeEntityByIdentifier($scopeId);
+            if (in_array($scope->getIdentifier(), $oldRefreshToken['scopes']) === false) {
-
+                throw OAuthServerException::invalidScope($scope->getIdentifier());
                if ($scope instanceof ScopeEntityInterface === false) {
                    // @codeCoverageIgnoreStart
                    throw OAuthServerException::invalidScope($scopeId);
                    // @codeCoverageIgnoreEnd
                }
                return $scope;
            }, $oldRefreshToken['scopes']);
        } else {
            // The OAuth spec says that a refreshed access token can have the original scopes or fewer so ensure
            // the request doesn't include any new scopes
            foreach ($scopes as $scope) {
                if (in_array($scope->getIdentifier(), $oldRefreshToken['scopes']) === false) {
                    throw OAuthServerException::invalidScope($scope->getIdentifier());
                }
            }
        }
@@ -102,7 +91,7 @@ class RefreshTokenGrant extends AbstractGrant
        // Validate refresh token
        try {
            $refreshToken = $this->decrypt($encryptedRefreshToken);
-        } catch (\LogicException $e) {
+        } catch (\Exception $e) {
            throw OAuthServerException::invalidRefreshToken('Cannot decrypt the refresh token');
        }
--- a/src/Repositories/AccessTokenRepositoryInterface.php
+++ b/src/Repositories/AccessTokenRepositoryInterface.php
@@ -12,6 +12,7 @@ namespace League\OAuth2\Server\Repositories;
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 use League\OAuth2\Server\Entities\ClientEntityInterface;
 use League\OAuth2\Server\Entities\ScopeEntityInterface;
 use League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException;
 /**
 * Access token interface.
@@ -33,6 +34,8 @@ interface AccessTokenRepositoryInterface extends RepositoryInterface
     * Persists a new access token to permanent storage.
     *
     * @param AccessTokenEntityInterface $accessTokenEntity
     *
     * @throws UniqueTokenIdentifierConstraintViolationException
     */
    public function persistNewAccessToken(AccessTokenEntityInterface $accessTokenEntity);
--- a/src/Repositories/AuthCodeRepositoryInterface.php
+++ b/src/Repositories/AuthCodeRepositoryInterface.php
@@ -10,6 +10,7 @@
 namespace League\OAuth2\Server\Repositories;
 use League\OAuth2\Server\Entities\AuthCodeEntityInterface;
 use League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException;
 /**
 * Auth code storage interface.
@@ -27,6 +28,8 @@ interface AuthCodeRepositoryInterface extends RepositoryInterface
     * Persists a new auth code to permanent storage.
     *
     * @param AuthCodeEntityInterface $authCodeEntity
     *
     * @throws UniqueTokenIdentifierConstraintViolationException
     */
    public function persistNewAuthCode(AuthCodeEntityInterface $authCodeEntity);
--- a/src/Repositories/RefreshTokenRepositoryInterface.php
+++ b/src/Repositories/RefreshTokenRepositoryInterface.php
@@ -10,6 +10,7 @@
 namespace League\OAuth2\Server\Repositories;
 use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
 use League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException;
 /**
 * Refresh token interface.
@@ -27,6 +28,8 @@ interface RefreshTokenRepositoryInterface extends RepositoryInterface
     * Create a new refresh token_name.
     *
     * @param RefreshTokenEntityInterface $refreshTokenEntity
     *
     * @throws UniqueTokenIdentifierConstraintViolationException
     */
    public function persistNewRefreshToken(RefreshTokenEntityInterface $refreshTokenEntity);
--- a/src/RequestTypes/AuthorizationRequest.php
+++ b/src/RequestTypes/AuthorizationRequest.php
@@ -66,12 +66,14 @@ class AuthorizationRequest
    /**
     * The code challenge (if provided)
     *
     * @var string
     */
    protected $codeChallenge;
    /**
     * The code challenge method (if provided)
     *
     * @var string
     */
    protected $codeChallengeMethod;
--- a/src/ResponseTypes/AbstractResponseType.php
+++ b/src/ResponseTypes/AbstractResponseType.php
@@ -11,6 +11,7 @@
 namespace League\OAuth2\Server\ResponseTypes;
 use League\OAuth2\Server\CryptKey;
 use League\OAuth2\Server\CryptTrait;
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
@@ -29,6 +30,11 @@ abstract class AbstractResponseType implements ResponseTypeInterface
     */
    protected $refreshToken;
    /**
     * @var CryptKey
     */
    protected $privateKey;
    /**
     * {@inheritdoc}
     */
@@ -44,4 +50,14 @@ abstract class AbstractResponseType implements ResponseTypeInterface
    {
        $this->refreshToken = $refreshToken;
    }
    /**
     * Set the private key
     *
     * @param \League\OAuth2\Server\CryptKey $key
     */
    public function setPrivateKey(CryptKey $key)
    {
        $this->privateKey = $key;
    }
 }
--- a/src/ResponseTypes/BearerTokenResponse.php
+++ b/src/ResponseTypes/BearerTokenResponse.php
@@ -68,6 +68,7 @@ class BearerTokenResponse extends AbstractResponseType
     * this class rather than the default.
     *
     * @param AccessTokenEntityInterface $accessToken
     *
     * @return array
     */
    protected function getExtraParams(AccessTokenEntityInterface $accessToken)
--- a/src/ResponseTypes/ResponseTypeInterface.php
+++ b/src/ResponseTypes/ResponseTypeInterface.php
@@ -33,4 +33,11 @@ interface ResponseTypeInterface
     * @return ResponseInterface
     */
    public function generateHttpResponse(ResponseInterface $response);
    /**
     * Set the encryption key
     *
     * @param string|null $key
     */
    public function setEncryptionKey($key = null);
 }
--- a/src/TokenSigner/HmacTokenSigner.php
+++ b/src/TokenSigner/HmacTokenSigner.php
@@ -1,46 +0,0 @@
 <?php
 namespace League\OAuth2\Server\TokenSigner;
 use Lcobucci\JWT\Signer;
 class HmacTokenSigner implements TokenSignerInterface
 {
    /**
     * @var \Lcobucci\JWT\Signer
     */
    private $signer;
    /**
     * @var string
     */
    private $key;
    /**
     * TokenSignerInterface constructor.
     *
     * @param \Lcobucci\JWT\Signer $signer
     * @param string               $key
     */
    public function __construct(Signer $signer, $key)
    {
        $this->signer = $signer;
        $this->key = $key;
    }
    /**
     * @return \Lcobucci\JWT\Signer
     */
    public function getSigner()
    {
        return $this->signer;
    }
    /**
     * @return string
     */
    public function getKey()
    {
        return $this->key;
    }
 }
--- a/src/TokenSigner/RsaKeyTokenSigner.php
+++ b/src/TokenSigner/RsaKeyTokenSigner.php
@@ -1,47 +0,0 @@
 <?php
 namespace League\OAuth2\Server\TokenSigner;
 use Lcobucci\JWT\Signer;
 use League\OAuth2\Server\CryptKey;
 class RsaKeyTokenSigner implements TokenSignerInterface
 {
    /**
     * @var \Lcobucci\JWT\Signer
     */
    private $signer;
    /**
     * @var \League\OAuth2\Server\CryptKey
     */
    private $key;
    /**
     * TokenSignerInterface constructor.
     *
     * @param \Lcobucci\JWT\Signer $signer
     * @param CryptKey             $privateKey
     */
    public function __construct(Signer $signer, CryptKey $privateKey)
    {
        $this->signer = $signer;
        $this->key = new Signer\Key($privateKey->getKeyPath(), $privateKey->getPassPhrase());
    }
    /**
     * @return \Lcobucci\JWT\Signer
     */
    public function getSigner()
    {
        return $this->signer;
    }
    /**
     * @return CryptKey
     */
    public function getKey()
    {
        return $this->key;
    }
 }
--- a/src/TokenSigner/TokenSignerInterface.php
+++ b/src/TokenSigner/TokenSignerInterface.php
@@ -1,16 +0,0 @@
 <?php
 namespace League\OAuth2\Server\TokenSigner;
 interface TokenSignerInterface
 {
    /**
     * @return \Lcobucci\JWT\Signer
     */
    public function getSigner();
    /**
     * @return mixed
     */
    public function getKey();
 }
--- a/tests/AuthorizationServerTest.php
+++ b/tests/AuthorizationServerTest.php
@@ -3,7 +3,6 @@
 namespace LeagueTests;
 use League\OAuth2\Server\AuthorizationServer;
 use League\OAuth2\Server\CryptKey;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Grant\AuthCodeGrant;
 use League\OAuth2\Server\Grant\ClientCredentialsGrant;
@@ -17,15 +16,27 @@ use League\OAuth2\Server\ResponseTypes\BearerTokenResponse;
 use LeagueTests\Stubs\AccessTokenEntity;
 use LeagueTests\Stubs\AuthCodeEntity;
 use LeagueTests\Stubs\ClientEntity;
 use LeagueTests\Stubs\ScopeEntity;
 use LeagueTests\Stubs\StubResponseType;
 use LeagueTests\Stubs\UserEntity;
 use Psr\Http\Message\ResponseInterface;
 use PHPUnit\Framework\TestCase;
 use Zend\Diactoros\Response;
 use Zend\Diactoros\ServerRequest;
 use Zend\Diactoros\ServerRequestFactory;
-class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
+class AuthorizationServerTest extends TestCase
 {
    const DEFAULT_SCOPE = 'basic';
    public function setUp()
    {
        // Make sure the keys have the correct permissions.
        chmod(__DIR__ . '/Stubs/private.key', 0600);
        chmod(__DIR__ . '/Stubs/public.key', 0600);
    }
    public function testRespondToRequestInvalidGrantType()
    {
        $server = new AuthorizationServer(
@@ -33,7 +44,7 @@ class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
            $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock(),
            $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock(),
            'file://' . __DIR__ . '/Stubs/private.key',
-            'file://' . __DIR__ . '/Stubs/public.key',
+            base64_encode(random_bytes(36)),
            new StubResponseType()
        );
@@ -52,7 +63,9 @@ class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
        $clientRepository = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
        $clientRepository->method('getClientEntity')->willReturn(new ClientEntity());
        $scope = new ScopeEntity();
        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scope);
        $scopeRepositoryMock->method('finalizeScopes')->willReturnArgument(0);
        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
@@ -63,10 +76,11 @@ class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
            $accessTokenRepositoryMock,
            $scopeRepositoryMock,
            'file://' . __DIR__ . '/Stubs/private.key',
-            'file://' . __DIR__ . '/Stubs/public.key',
+            base64_encode(random_bytes(36)),
            new StubResponseType()
        );
        $server->setDefaultScope(self::DEFAULT_SCOPE);
        $server->enableGrantType(new ClientCredentialsGrant(), new \DateInterval('PT1M'));
        $_POST['grant_type'] = 'client_credentials';
@@ -92,7 +106,7 @@ class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
        $method = $abstractGrantReflection->getMethod('getResponseType');
        $method->setAccessible(true);
-        $this->assertTrue($method->invoke($server) instanceof BearerTokenResponse);
+        $this->assertInstanceOf(BearerTokenResponse::class, $method->invoke($server));
    }
    public function testCompleteAuthorizationRequest()
@@ -116,9 +130,6 @@ class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
            new \DateInterval('PT10M')
        );
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/Stubs/private.key'));
        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/Stubs/public.key'));
        $server->enableGrantType($grant);
        $authRequest = new AuthorizationRequest();
@@ -127,17 +138,23 @@ class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
        $authRequest->setGrantTypeId('authorization_code');
        $authRequest->setUser(new UserEntity());
-        $this->assertTrue(
+        $this->assertInstanceOf(
-            $server->completeAuthorizationRequest($authRequest, new Response) instanceof ResponseInterface
+            ResponseInterface::class,
            $server->completeAuthorizationRequest($authRequest, new Response)
        );
    }
    public function testValidateAuthorizationRequest()
    {
        $client = new ClientEntity();
        $client->setRedirectUri('http://foo/bar');
        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
        $scope = new ScopeEntity();
        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scope);
        $grant = new AuthCodeGrant(
            $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock(),
            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
@@ -148,7 +165,48 @@ class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
        $server = new AuthorizationServer(
            $clientRepositoryMock,
            $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock(),
-            $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock(),
+            $scopeRepositoryMock,
            'file://' . __DIR__ . '/Stubs/private.key',
            'file://' . __DIR__ . '/Stubs/public.key'
        );
        $server->setDefaultScope(self::DEFAULT_SCOPE);
        $server->enableGrantType($grant);
        $request = new ServerRequest(
            [],
            [],
            null,
            null,
            'php://input',
            $headers = [],
            $cookies = [],
            $queryParams = [
                'response_type' => 'code',
                'client_id'     => 'foo',
            ]
        );
        $this->assertInstanceOf(AuthorizationRequest::class, $server->validateAuthorizationRequest($request));
    }
    public function testValidateAuthorizationRequestWithMissingRedirectUri()
    {
        $client = new ClientEntity();
        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
        $grant = new AuthCodeGrant(
            $this->getMock(AuthCodeRepositoryInterface::class),
            $this->getMock(RefreshTokenRepositoryInterface::class),
            new \DateInterval('PT10M')
        );
        $grant->setClientRepository($clientRepositoryMock);
        $server = new AuthorizationServer(
            $clientRepositoryMock,
            $this->getMock(AccessTokenRepositoryInterface::class),
            $this->getMock(ScopeRepositoryInterface::class),
            'file://' . __DIR__ . '/Stubs/private.key',
            'file://' . __DIR__ . '/Stubs/public.key'
        );
@@ -168,7 +226,12 @@ class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
            ]
        );
-        $this->assertTrue($server->validateAuthorizationRequest($request) instanceof AuthorizationRequest);
+        try {
            $server->validateAuthorizationRequest($request);
        } catch (OAuthServerException $e) {
            $this->assertEquals('invalid_client', $e->getErrorType());
            $this->assertEquals(401, $e->getHttpStatusCode());
        }
    }
    /**
--- a/tests/CryptKeyTest.php
+++ b/tests/CryptKeyTest.php
@@ -3,8 +3,9 @@
 namespace LeagueTests\Utils;
 use League\OAuth2\Server\CryptKey;
 use PHPUnit\Framework\TestCase;
-class CryptKeyTest extends \PHPUnit_Framework_TestCase
+class CryptKeyTest extends TestCase
 {
    /**
     * @expectedException \LogicException
--- a/tests/CryptTraitTest.php
+++ b/tests/CryptTraitTest.php
@@ -2,13 +2,13 @@
 namespace LeagueTests\Utils;
 use League\OAuth2\Server\CryptKey;
 use LeagueTests\Stubs\CryptTraitStub;
 use PHPUnit\Framework\TestCase;
-class CryptTraitTest extends \PHPUnit_Framework_TestCase
+class CryptTraitTest extends TestCase
 {
    /**
-     * CryptTrait stub
+     * @var \LeagueTests\Stubs\CryptTraitStub
     */
    protected $cryptStub;
@@ -26,30 +26,4 @@ class CryptTraitTest extends \PHPUnit_Framework_TestCase
        $this->assertNotEquals($payload, $encrypted);
        $this->assertEquals($payload, $plainText);
    }
    /**
     * @expectedException \LogicException
     */
    public function testBadPrivateKey()
    {
        $this->cryptStub->setPrivateKey(new CryptKey(__DIR__ . '/Stubs/public.key'));
        $this->cryptStub->doEncrypt('');
    }
    /**
     * @expectedException \LogicException
     */
    public function testBadPublicKey()
    {
        $this->cryptStub->setPublicKey(new CryptKey(__DIR__ . '/Stubs/private.key'));
        $this->cryptStub->doDecrypt('');
    }
    /**
     * @expectedException \LogicException
     */
    public function testNonExistentKey()
    {
        new CryptKey('foo/bar');
    }
 }
--- a/tests/Grant/AbstractGrantTest.php
+++ b/tests/Grant/AbstractGrantTest.php
@@ -3,7 +3,6 @@
 namespace LeagueTests\Grant;
 use League\Event\Emitter;
 use League\OAuth2\Server\CryptKey;
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 use League\OAuth2\Server\Entities\AuthCodeEntityInterface;
 use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
@@ -19,16 +18,15 @@ use LeagueTests\Stubs\AuthCodeEntity;
 use LeagueTests\Stubs\ClientEntity;
 use LeagueTests\Stubs\RefreshTokenEntity;
 use LeagueTests\Stubs\ScopeEntity;
 use PHPUnit\Framework\TestCase;
 use Zend\Diactoros\ServerRequest;
-class AbstractGrantTest extends \PHPUnit_Framework_TestCase
+class AbstractGrantTest extends TestCase
 {
    public function testGetSet()
    {
        /** @var AbstractGrant $grantMock */
        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
        $grantMock->setPrivateKey(new CryptKey(__DIR__ . '/../Stubs/private.key'));
        $grantMock->setPublicKey(new CryptKey(__DIR__ . '/../Stubs/public.key'));
        $grantMock->setEmitter(new Emitter());
    }
@@ -344,7 +342,7 @@ class AbstractGrantTest extends \PHPUnit_Framework_TestCase
        $accessToken = new AccessTokenEntity();
        /** @var RefreshTokenEntityInterface $refreshToken */
        $refreshToken = $issueRefreshTokenMethod->invoke($grantMock, $accessToken);
-        $this->assertTrue($refreshToken instanceof RefreshTokenEntityInterface);
+        $this->assertInstanceOf(RefreshTokenEntityInterface::class, $refreshToken);
        $this->assertEquals($accessToken, $refreshToken->getAccessToken());
    }
@@ -369,7 +367,7 @@ class AbstractGrantTest extends \PHPUnit_Framework_TestCase
            123,
            [new ScopeEntity()]
        );
-        $this->assertTrue($accessToken instanceof AccessTokenEntityInterface);
+        $this->assertInstanceOf(AccessTokenEntityInterface::class, $accessToken);
    }
    public function testIssueAuthCode()
@@ -385,7 +383,8 @@ class AbstractGrantTest extends \PHPUnit_Framework_TestCase
        $issueAuthCodeMethod = $abstractGrantReflection->getMethod('issueAuthCode');
        $issueAuthCodeMethod->setAccessible(true);
-        $this->assertTrue(
+        $this->assertInstanceOf(
            AuthCodeEntityInterface::class,
            $issueAuthCodeMethod->invoke(
                $grantMock,
                new \DateInterval('PT1H'),
@@ -393,7 +392,7 @@ class AbstractGrantTest extends \PHPUnit_Framework_TestCase
                123,
                'http://foo/bar',
                [new ScopeEntity()]
-            ) instanceof AuthCodeEntityInterface
+            )
        );
    }
@@ -469,7 +468,7 @@ class AbstractGrantTest extends \PHPUnit_Framework_TestCase
        $method = $abstractGrantReflection->getMethod('generateUniqueIdentifier');
        $method->setAccessible(true);
-        $this->assertTrue(is_string($method->invoke($grantMock)));
+        $this->assertInternalType('string', $method->invoke($grantMock));
    }
    public function testCanRespondToAuthorizationRequest()
--- a/tests/Grant/AuthCodeGrantTest.php
+++ b/tests/Grant/AuthCodeGrantTest.php
@@ -2,7 +2,6 @@
 namespace LeagueTests\Grant;
 use League\OAuth2\Server\CryptKey;
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
 use League\OAuth2\Server\Exception\OAuthServerException;
@@ -23,10 +22,13 @@ use LeagueTests\Stubs\RefreshTokenEntity;
 use LeagueTests\Stubs\ScopeEntity;
 use LeagueTests\Stubs\StubResponseType;
 use LeagueTests\Stubs\UserEntity;
 use PHPUnit\Framework\TestCase;
 use Zend\Diactoros\ServerRequest;
-class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
+class AuthCodeGrantTest extends TestCase
 {
    const DEFAULT_SCOPE = 'basic';
    /**
     * @var CryptTraitStub
     */
@@ -77,15 +79,22 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
    {
        $client = new ClientEntity();
        $client->setRedirectUri('http://foo/bar');
        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
        $scope = new ScopeEntity();
        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scope);
        $grant = new AuthCodeGrant(
            $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock(),
            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
            new \DateInterval('PT10M')
        );
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setScopeRepository($scopeRepositoryMock);
        $grant->setDefaultScope(self::DEFAULT_SCOPE);
        $request = new ServerRequest(
            [],
@@ -102,7 +111,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
            ]
        );
-        $this->assertTrue($grant->validateAuthorizationRequest($request) instanceof AuthorizationRequest);
+        $this->assertInstanceOf(AuthorizationRequest::class, $grant->validateAuthorizationRequest($request));
    }
    public function testValidateAuthorizationRequestRedirectUriArray()
@@ -112,12 +121,18 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
        $scope = new ScopeEntity();
        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scope);
        $grant = new AuthCodeGrant(
            $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock(),
            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
            new \DateInterval('PT10M')
        );
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setScopeRepository($scopeRepositoryMock);
        $grant->setDefaultScope(self::DEFAULT_SCOPE);
        $request = new ServerRequest(
            [],
@@ -134,10 +149,9 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
            ]
        );
-        $this->assertTrue($grant->validateAuthorizationRequest($request) instanceof AuthorizationRequest);
+        $this->assertInstanceOf(AuthorizationRequest::class, $grant->validateAuthorizationRequest($request));
    }
    public function testValidateAuthorizationRequestCodeChallenge()
    {
        $client = new ClientEntity();
@@ -145,6 +159,49 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
        $scope = new ScopeEntity();
        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scope);
        $grant = new AuthCodeGrant(
            $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock(),
            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
            new \DateInterval('PT10M')
        );
        $grant->enableCodeExchangeProof();
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setScopeRepository($scopeRepositoryMock);
        $grant->setDefaultScope(self::DEFAULT_SCOPE);
        $request = new ServerRequest(
            [],
            [],
            null,
            null,
            'php://input',
            [],
            [],
            [
                'response_type'  => 'code',
                'client_id'      => 'foo',
                'redirect_uri'   => 'http://foo/bar',
                'code_challenge' => str_repeat('A', 43),
            ]
        );
        $this->assertInstanceOf(AuthorizationRequest::class, $grant->validateAuthorizationRequest($request));
    }
    /**
     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
     */
    public function testValidateAuthorizationRequestCodeChallengeInvalidLengthTooShort()
    {
        $client = new ClientEntity();
        $client->setRedirectUri('http://foo/bar');
        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
        $grant = new AuthCodeGrant(
            $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock(),
            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
@@ -165,11 +222,85 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
                'response_type'  => 'code',
                'client_id'      => 'foo',
                'redirect_uri'   => 'http://foo/bar',
-                'code_challenge' => 'FOOBAR',
+                'code_challenge' => str_repeat('A', 42),
            ]
        );
-        $this->assertTrue($grant->validateAuthorizationRequest($request) instanceof AuthorizationRequest);
+        $grant->validateAuthorizationRequest($request);
    }
    /**
     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
     */
    public function testValidateAuthorizationRequestCodeChallengeInvalidLengthTooLong()
    {
        $client = new ClientEntity();
        $client->setRedirectUri('http://foo/bar');
        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
        $grant = new AuthCodeGrant(
            $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock(),
            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
            new \DateInterval('PT10M')
        );
        $grant->enableCodeExchangeProof();
        $grant->setClientRepository($clientRepositoryMock);
        $request = new ServerRequest(
            [],
            [],
            null,
            null,
            'php://input',
            [],
            [],
            [
                'response_type'  => 'code',
                'client_id'      => 'foo',
                'redirect_uri'   => 'http://foo/bar',
                'code_challenge' => str_repeat('A', 129),
            ]
        );
        $grant->validateAuthorizationRequest($request);
    }
    /**
     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
     */
    public function testValidateAuthorizationRequestCodeChallengeInvalidCharacters()
    {
        $client = new ClientEntity();
        $client->setRedirectUri('http://foo/bar');
        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
        $grant = new AuthCodeGrant(
            $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock(),
            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
            new \DateInterval('PT10M')
        );
        $grant->enableCodeExchangeProof();
        $grant->setClientRepository($clientRepositoryMock);
        $request = new ServerRequest(
            [],
            [],
            null,
            null,
            'php://input',
            [],
            [],
            [
                'response_type'  => 'code',
                'client_id'      => 'foo',
                'redirect_uri'   => 'http://foo/bar',
                'code_challenge' => str_repeat('A', 42) . '!',
            ]
        );
        $grant->validateAuthorizationRequest($request);
    }
    /**
@@ -319,6 +450,10 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
        $scope = new ScopeEntity();
        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scope);
        $grant = new AuthCodeGrant(
            $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock(),
            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
@@ -326,6 +461,8 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        );
        $grant->enableCodeExchangeProof();
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setScopeRepository($scopeRepositoryMock);
        $grant->setDefaultScope(self::DEFAULT_SCOPE);
        $request = new ServerRequest(
            [],
@@ -356,6 +493,10 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
        $scope = new ScopeEntity();
        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scope);
        $grant = new AuthCodeGrant(
            $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock(),
            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
@@ -363,6 +504,8 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        );
        $grant->enableCodeExchangeProof();
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setScopeRepository($scopeRepositoryMock);
        $grant->setDefaultScope(self::DEFAULT_SCOPE);
        $request = new ServerRequest(
            [],
@@ -400,11 +543,9 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
            new \DateInterval('PT10M')
        );
        $grant->setEncryptionKey($this->cryptStub->getKey());
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
+        $this->assertInstanceOf(RedirectResponse::class, $grant->completeAuthorizationRequest($authRequest));
        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
        $this->assertTrue($grant->completeAuthorizationRequest($authRequest) instanceof RedirectResponse);
    }
    /**
@@ -427,9 +568,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
            new \DateInterval('PT10M')
        );
-
+        $grant->setEncryptionKey($this->cryptStub->getKey());
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
        $grant->completeAuthorizationRequest($authRequest);
    }
@@ -464,8 +603,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $grant->setScopeRepository($scopeRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $request = new ServerRequest(
            [],
@@ -498,8 +636,8 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        /** @var StubResponseType $response */
        $response = $grant->respondToAccessTokenRequest($request, new StubResponseType(), new \DateInterval('PT10M'));
-        $this->assertTrue($response->getAccessToken() instanceof AccessTokenEntityInterface);
+        $this->assertInstanceOf(AccessTokenEntityInterface::class, $response->getAccessToken());
-        $this->assertTrue($response->getRefreshToken() instanceof RefreshTokenEntityInterface);
+        $this->assertInstanceOf(RefreshTokenEntityInterface::class, $response->getRefreshToken());
    }
    public function testRespondToAccessTokenRequestCodeChallengePlain()
@@ -533,8 +671,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $grant->setScopeRepository($scopeRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $request = new ServerRequest(
            [],
@@ -570,8 +707,8 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        /** @var StubResponseType $response */
        $response = $grant->respondToAccessTokenRequest($request, new StubResponseType(), new \DateInterval('PT10M'));
-        $this->assertTrue($response->getAccessToken() instanceof AccessTokenEntityInterface);
+        $this->assertInstanceOf(AccessTokenEntityInterface::class, $response->getAccessToken());
-        $this->assertTrue($response->getRefreshToken() instanceof RefreshTokenEntityInterface);
+        $this->assertInstanceOf(RefreshTokenEntityInterface::class, $response->getRefreshToken());
    }
    public function testRespondToAccessTokenRequestCodeChallengeS256()
@@ -605,8 +742,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $grant->setScopeRepository($scopeRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $request = new ServerRequest(
            [],
@@ -631,7 +767,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
                            'user_id'               => 123,
                            'scopes'                => ['foo'],
                            'redirect_uri'          => 'http://foo/bar',
-                            'code_challenge'        => urlencode(base64_encode(hash('sha256', 'foobar'))),
+                            'code_challenge'        => hash('sha256', strtr(rtrim(base64_encode('foobar'), '='), '+/', '-_')),
                            'code_challenge_method' => 'S256',
                        ]
                    )
@@ -642,8 +778,8 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        /** @var StubResponseType $response */
        $response = $grant->respondToAccessTokenRequest($request, new StubResponseType(), new \DateInterval('PT10M'));
-        $this->assertTrue($response->getAccessToken() instanceof AccessTokenEntityInterface);
+        $this->assertInstanceOf(AccessTokenEntityInterface::class, $response->getAccessToken());
-        $this->assertTrue($response->getRefreshToken() instanceof RefreshTokenEntityInterface);
+        $this->assertInstanceOf(RefreshTokenEntityInterface::class, $response->getRefreshToken());
    }
    /**
@@ -663,7 +799,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
            new \DateInterval('PT10M')
        );
        $grant->setClientRepository($clientRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
        $request = new ServerRequest(
            [],
@@ -710,7 +846,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
            new \DateInterval('PT10M')
        );
        $grant->setClientRepository($clientRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
        $request = new ServerRequest(
            [],
@@ -763,8 +899,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $request = new ServerRequest(
            [],
@@ -809,8 +944,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $request = new ServerRequest(
            [],
@@ -873,8 +1007,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $request = new ServerRequest(
            [],
@@ -934,8 +1067,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $request = new ServerRequest(
            [],
@@ -995,8 +1127,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $request = new ServerRequest(
            [],
@@ -1054,8 +1185,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
        $grant->setScopeRepository($scopeRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $request = new ServerRequest(
            [],
@@ -1127,8 +1257,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
        $grant->setScopeRepository($scopeRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $request = new ServerRequest(
            [],
@@ -1200,8 +1329,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
        $grant->setScopeRepository($scopeRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $request = new ServerRequest(
            [],
@@ -1260,11 +1388,9 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
            new \DateInterval('PT10M')
        );
        $grant->setEncryptionKey($this->cryptStub->getKey());
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
+        $this->assertInstanceOf(RedirectResponse::class, $grant->completeAuthorizationRequest($authRequest));
        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
        $this->assertTrue($grant->completeAuthorizationRequest($authRequest) instanceof RedirectResponse);
    }
    /**
@@ -1288,11 +1414,9 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
            new \DateInterval('PT10M')
        );
        $grant->setEncryptionKey($this->cryptStub->getKey());
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
+        $this->assertInstanceOf(RedirectResponse::class, $grant->completeAuthorizationRequest($authRequest));
        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
        $this->assertTrue($grant->completeAuthorizationRequest($authRequest) instanceof RedirectResponse);
    }
    /**
@@ -1317,10 +1441,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
            new \DateInterval('PT10M')
        );
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
+        $this->assertInstanceOf(RedirectResponse::class, $grant->completeAuthorizationRequest($authRequest));
        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
        $this->assertTrue($grant->completeAuthorizationRequest($authRequest) instanceof RedirectResponse);
    }
    public function testRefreshTokenRepositoryUniqueConstraintCheck()
@@ -1354,8 +1475,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $grant->setScopeRepository($scopeRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $request = new ServerRequest(
            [],
@@ -1388,8 +1508,8 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        /** @var StubResponseType $response */
        $response = $grant->respondToAccessTokenRequest($request, new StubResponseType(), new \DateInterval('PT10M'));
-        $this->assertTrue($response->getAccessToken() instanceof AccessTokenEntityInterface);
+        $this->assertInstanceOf(AccessTokenEntityInterface::class, $response->getAccessToken());
-        $this->assertTrue($response->getRefreshToken() instanceof RefreshTokenEntityInterface);
+        $this->assertInstanceOf(RefreshTokenEntityInterface::class, $response->getRefreshToken());
    }
    /**
@@ -1426,8 +1546,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $grant->setScopeRepository($scopeRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $request = new ServerRequest(
            [],
@@ -1460,8 +1579,8 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        /** @var StubResponseType $response */
        $response = $grant->respondToAccessTokenRequest($request, new StubResponseType(), new \DateInterval('PT10M'));
-        $this->assertTrue($response->getAccessToken() instanceof AccessTokenEntityInterface);
+        $this->assertInstanceOf(AccessTokenEntityInterface::class, $response->getAccessToken());
-        $this->assertTrue($response->getRefreshToken() instanceof RefreshTokenEntityInterface);
+        $this->assertInstanceOf(RefreshTokenEntityInterface::class, $response->getRefreshToken());
    }
    /**
@@ -1498,8 +1617,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $grant->setScopeRepository($scopeRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $request = new ServerRequest(
            [],
@@ -1532,8 +1650,8 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        /** @var StubResponseType $response */
        $response = $grant->respondToAccessTokenRequest($request, new StubResponseType(), new \DateInterval('PT10M'));
-        $this->assertTrue($response->getAccessToken() instanceof AccessTokenEntityInterface);
+        $this->assertInstanceOf(AccessTokenEntityInterface::class, $response->getAccessToken());
-        $this->assertTrue($response->getRefreshToken() instanceof RefreshTokenEntityInterface);
+        $this->assertInstanceOf(RefreshTokenEntityInterface::class, $response->getRefreshToken());
    }
    /**
@@ -1549,4 +1667,47 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $grant->completeAuthorizationRequest(new AuthorizationRequest());
    }
    /**
     * @expectedException     \League\OAuth2\Server\Exception\OAuthServerException
     * @expectedExceptionCode 5
     */
    public function testValidateAuthorizationRequestFailsWithoutScope()
    {
        $client = new ClientEntity();
        $client->setRedirectUri('http://foo/bar');
        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
        $scope = new ScopeEntity();
        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scope);
        $grant = new AuthCodeGrant(
            $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock(),
            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
            new \DateInterval('PT10M')
        );
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setScopeRepository($scopeRepositoryMock);
        $request = new ServerRequest(
            [],
            [],
            null,
            null,
            'php://input',
            [],
            [],
            [
                'response_type' => 'code',
                'client_id'     => 'foo',
                'redirect_uri'  => 'http://foo/bar',
            ]
        );
        $grant->validateAuthorizationRequest($request);
    }
 }
--- a/tests/Grant/ClientCredentialsGrantTest.php
+++ b/tests/Grant/ClientCredentialsGrantTest.php
@@ -9,11 +9,15 @@ use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
 use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
 use LeagueTests\Stubs\AccessTokenEntity;
 use LeagueTests\Stubs\ClientEntity;
 use LeagueTests\Stubs\ScopeEntity;
 use LeagueTests\Stubs\StubResponseType;
 use PHPUnit\Framework\TestCase;
 use Zend\Diactoros\ServerRequest;
-class ClientCredentialsGrantTest extends \PHPUnit_Framework_TestCase
+class ClientCredentialsGrantTest extends TestCase
 {
    const DEFAULT_SCOPE = 'basic';
    public function testGetIdentifier()
    {
        $grant = new ClientCredentialsGrant();
@@ -30,7 +34,48 @@ class ClientCredentialsGrantTest extends \PHPUnit_Framework_TestCase
        $accessTokenRepositoryMock->method('getNewToken')->willReturn(new AccessTokenEntity());
        $accessTokenRepositoryMock->method('persistNewAccessToken')->willReturnSelf();
        $scope = new ScopeEntity();
        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scope);
        $scopeRepositoryMock->method('finalizeScopes')->willReturnArgument(0);
        $grant = new ClientCredentialsGrant();
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setScopeRepository($scopeRepositoryMock);
        $grant->setDefaultScope(self::DEFAULT_SCOPE);
        $serverRequest = new ServerRequest();
        $serverRequest = $serverRequest->withParsedBody(
            [
                'client_id'     => 'foo',
                'client_secret' => 'bar',
            ]
        );
        $responseType = new StubResponseType();
        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new \DateInterval('PT5M'));
        $this->assertInstanceOf(AccessTokenEntityInterface::class, $responseType->getAccessToken());
    }
    /**
     * @expectedException     \League\OAuth2\Server\Exception\OAuthServerException
     * @expectedExceptionCode 5
     */
    public function testRespondToRequestFailsWithoutScope()
    {
        $client = new ClientEntity();
        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
        $accessTokenRepositoryMock->method('getNewToken')->willReturn(new AccessTokenEntity());
        $accessTokenRepositoryMock->method('persistNewAccessToken')->willReturnSelf();
        $scope = new ScopeEntity();
        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scope);
        $scopeRepositoryMock->method('finalizeScopes')->willReturnArgument(0);
        $grant = new ClientCredentialsGrant();
@@ -48,7 +93,5 @@ class ClientCredentialsGrantTest extends \PHPUnit_Framework_TestCase
        $responseType = new StubResponseType();
        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new \DateInterval('PT5M'));
        $this->assertTrue($responseType->getAccessToken() instanceof AccessTokenEntityInterface);
    }
 }
--- a/tests/Grant/ImplicitGrantTest.php
+++ b/tests/Grant/ImplicitGrantTest.php
@@ -9,17 +9,22 @@ use League\OAuth2\Server\Grant\ImplicitGrant;
 use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
 use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
 use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
 use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
 use League\OAuth2\Server\RequestTypes\AuthorizationRequest;
 use League\OAuth2\Server\ResponseTypes\RedirectResponse;
 use LeagueTests\Stubs\AccessTokenEntity;
 use LeagueTests\Stubs\ClientEntity;
 use LeagueTests\Stubs\CryptTraitStub;
 use LeagueTests\Stubs\ScopeEntity;
 use LeagueTests\Stubs\StubResponseType;
 use LeagueTests\Stubs\UserEntity;
 use PHPUnit\Framework\TestCase;
 use Zend\Diactoros\ServerRequest;
-class ImplicitGrantTest extends \PHPUnit_Framework_TestCase
+class ImplicitGrantTest extends TestCase
 {
    const DEFAULT_SCOPE = 'basic';
    /**
     * CryptTrait stub
     */
@@ -86,8 +91,15 @@ class ImplicitGrantTest extends \PHPUnit_Framework_TestCase
        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
        $scopeEntity = new ScopeEntity();
        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scopeEntity);
        $scopeRepositoryMock->method('finalizeScopes')->willReturnArgument(0);
        $grant = new ImplicitGrant(new \DateInterval('PT10M'));
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setScopeRepository($scopeRepositoryMock);
        $grant->setDefaultScope(self::DEFAULT_SCOPE);
        $request = new ServerRequest(
            [],
@@ -104,7 +116,7 @@ class ImplicitGrantTest extends \PHPUnit_Framework_TestCase
            ]
        );
-        $this->assertTrue($grant->validateAuthorizationRequest($request) instanceof AuthorizationRequest);
+        $this->assertInstanceOf(AuthorizationRequest::class, $grant->validateAuthorizationRequest($request));
    }
    public function testValidateAuthorizationRequestRedirectUriArray()
@@ -114,8 +126,15 @@ class ImplicitGrantTest extends \PHPUnit_Framework_TestCase
        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
        $scopeEntity = new ScopeEntity();
        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scopeEntity);
        $scopeRepositoryMock->method('finalizeScopes')->willReturnArgument(0);
        $grant = new ImplicitGrant(new \DateInterval('PT10M'));
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setScopeRepository($scopeRepositoryMock);
        $grant->setDefaultScope(self::DEFAULT_SCOPE);
        $request = new ServerRequest(
            [],
@@ -132,7 +151,7 @@ class ImplicitGrantTest extends \PHPUnit_Framework_TestCase
            ]
        );
-        $this->assertTrue($grant->validateAuthorizationRequest($request) instanceof AuthorizationRequest);
+        $this->assertInstanceOf(AuthorizationRequest::class, $grant->validateAuthorizationRequest($request));
    }
    /**
@@ -269,10 +288,9 @@ class ImplicitGrantTest extends \PHPUnit_Framework_TestCase
        $grant = new ImplicitGrant(new \DateInterval('PT10M'));
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
-        $this->assertTrue($grant->completeAuthorizationRequest($authRequest) instanceof RedirectResponse);
+        $this->assertInstanceOf(RedirectResponse::class, $grant->completeAuthorizationRequest($authRequest));
    }
    /**
@@ -293,7 +311,6 @@ class ImplicitGrantTest extends \PHPUnit_Framework_TestCase
        $grant = new ImplicitGrant(new \DateInterval('PT10M'));
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->completeAuthorizationRequest($authRequest);
@@ -315,10 +332,9 @@ class ImplicitGrantTest extends \PHPUnit_Framework_TestCase
        $grant = new ImplicitGrant(new \DateInterval('PT10M'));
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
-        $this->assertTrue($grant->completeAuthorizationRequest($authRequest) instanceof RedirectResponse);
+        $this->assertInstanceOf(RedirectResponse::class, $grant->completeAuthorizationRequest($authRequest));
    }
    /**
@@ -340,7 +356,6 @@ class ImplicitGrantTest extends \PHPUnit_Framework_TestCase
        $grant = new ImplicitGrant(new \DateInterval('PT10M'));
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->completeAuthorizationRequest($authRequest);
@@ -365,7 +380,6 @@ class ImplicitGrantTest extends \PHPUnit_Framework_TestCase
        $grant = new ImplicitGrant(new \DateInterval('PT10M'));
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->completeAuthorizationRequest($authRequest);
@@ -398,4 +412,42 @@ class ImplicitGrantTest extends \PHPUnit_Framework_TestCase
        $grant = new ImplicitGrant(new \DateInterval('PT10M'));
        $grant->completeAuthorizationRequest(new AuthorizationRequest());
    }
    /**
     * @expectedException     \League\OAuth2\Server\Exception\OAuthServerException
     * @expectedExceptionCode 5
     */
    public function testValidateAuthorizationRequestFailsWithoutScope()
    {
        $client = new ClientEntity();
        $client->setRedirectUri('http://foo/bar');
        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
        $scopeEntity = new ScopeEntity();
        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scopeEntity);
        $scopeRepositoryMock->method('finalizeScopes')->willReturnArgument(0);
        $grant = new ImplicitGrant(new \DateInterval('PT10M'));
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setScopeRepository($scopeRepositoryMock);
        $request = new ServerRequest(
            [],
            [],
            null,
            null,
            'php://input',
            $headers = [],
            $cookies = [],
            $queryParams = [
                'response_type' => 'code',
                'client_id'     => 'foo',
                'redirect_uri'  => 'http://foo/bar',
            ]
        );
        $grant->validateAuthorizationRequest($request);
    }
 }
--- a/tests/Grant/PasswordGrantTest.php
+++ b/tests/Grant/PasswordGrantTest.php
@@ -13,12 +13,16 @@ use League\OAuth2\Server\Repositories\UserRepositoryInterface;
 use LeagueTests\Stubs\AccessTokenEntity;
 use LeagueTests\Stubs\ClientEntity;
 use LeagueTests\Stubs\RefreshTokenEntity;
 use LeagueTests\Stubs\ScopeEntity;
 use LeagueTests\Stubs\StubResponseType;
 use LeagueTests\Stubs\UserEntity;
 use PHPUnit\Framework\TestCase;
 use Zend\Diactoros\ServerRequest;
-class PasswordGrantTest extends \PHPUnit_Framework_TestCase
+class PasswordGrantTest extends TestCase
 {
    const DEFAULT_SCOPE = 'basic';
    public function testGetIdentifier()
    {
        $userRepositoryMock = $this->getMockBuilder(UserRepositoryInterface::class)->getMock();
@@ -46,13 +50,16 @@ class PasswordGrantTest extends \PHPUnit_Framework_TestCase
        $refreshTokenRepositoryMock->method('persistNewRefreshToken')->willReturnSelf();
        $refreshTokenRepositoryMock->method('getNewRefreshToken')->willReturn(new RefreshTokenEntity());
        $scope = new ScopeEntity();
        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scope);
        $scopeRepositoryMock->method('finalizeScopes')->willReturnArgument(0);
        $grant = new PasswordGrant($userRepositoryMock, $refreshTokenRepositoryMock);
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setScopeRepository($scopeRepositoryMock);
        $grant->setDefaultScope(self::DEFAULT_SCOPE);
        $serverRequest = new ServerRequest();
        $serverRequest = $serverRequest->withParsedBody(
@@ -67,8 +74,8 @@ class PasswordGrantTest extends \PHPUnit_Framework_TestCase
        $responseType = new StubResponseType();
        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new \DateInterval('PT5M'));
-        $this->assertTrue($responseType->getAccessToken() instanceof AccessTokenEntityInterface);
+        $this->assertInstanceOf(AccessTokenEntityInterface::class, $responseType->getAccessToken());
-        $this->assertTrue($responseType->getRefreshToken() instanceof RefreshTokenEntityInterface);
+        $this->assertInstanceOf(RefreshTokenEntityInterface::class, $responseType->getRefreshToken());
    }
    /**
@@ -167,4 +174,50 @@ class PasswordGrantTest extends \PHPUnit_Framework_TestCase
        $responseType = new StubResponseType();
        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new \DateInterval('PT5M'));
    }
    /**
     * @expectedException     \League\OAuth2\Server\Exception\OAuthServerException
     * @expectedExceptionCode 5
     */
    public function testRespondToRequestFailsWithoutScope()
    {
        $client = new ClientEntity();
        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
        $accessTokenRepositoryMock->method('getNewToken')->willReturn(new AccessTokenEntity());
        $accessTokenRepositoryMock->method('persistNewAccessToken')->willReturnSelf();
        $userRepositoryMock = $this->getMockBuilder(UserRepositoryInterface::class)->getMock();
        $userEntity = new UserEntity();
        $userRepositoryMock->method('getUserEntityByUserCredentials')->willReturn($userEntity);
        $refreshTokenRepositoryMock = $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock();
        $refreshTokenRepositoryMock->method('persistNewRefreshToken')->willReturnSelf();
        $refreshTokenRepositoryMock->method('getNewRefreshToken')->willReturn(new RefreshTokenEntity());
        $scope = new ScopeEntity();
        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scope);
        $scopeRepositoryMock->method('finalizeScopes')->willReturnArgument(0);
        $grant = new PasswordGrant($userRepositoryMock, $refreshTokenRepositoryMock);
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setScopeRepository($scopeRepositoryMock);
        $serverRequest = new ServerRequest();
        $serverRequest = $serverRequest->withParsedBody(
            [
                'client_id'     => 'foo',
                'client_secret' => 'bar',
                'username'      => 'foo',
                'password'      => 'bar',
            ]
        );
        $responseType = new StubResponseType();
        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new \DateInterval('PT5M'));
    }
 }
--- a/tests/Grant/RefreshTokenGrantTest.php
+++ b/tests/Grant/RefreshTokenGrantTest.php
@@ -16,12 +16,13 @@ use LeagueTests\Stubs\CryptTraitStub;
 use LeagueTests\Stubs\RefreshTokenEntity;
 use LeagueTests\Stubs\ScopeEntity;
 use LeagueTests\Stubs\StubResponseType;
 use PHPUnit\Framework\TestCase;
 use Zend\Diactoros\ServerRequest;
-class RefreshTokenGrantTest extends \PHPUnit_Framework_TestCase
+class RefreshTokenGrantTest extends TestCase
 {
    /**
-     * CryptTrait stub
+     * @var CryptTraitStub
     */
    protected $cryptStub;
@@ -45,27 +46,24 @@ class RefreshTokenGrantTest extends \PHPUnit_Framework_TestCase
        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
        $scopeEntity = new ScopeEntity();
        $scopeEntity->setIdentifier('foo');
        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scopeEntity);
        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
        $accessTokenRepositoryMock->method('getNewToken')->willReturn(new AccessTokenEntity());
-        $accessTokenRepositoryMock
+        $accessTokenRepositoryMock->expects($this->once())->method('persistNewAccessToken')->willReturnSelf();
            ->expects($this->once())
            ->method('persistNewAccessToken')->willReturnSelf();
        $refreshTokenRepositoryMock = $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock();
        $refreshTokenRepositoryMock->method('getNewRefreshToken')->willReturn(new RefreshTokenEntity());
-        $refreshTokenRepositoryMock
+        $refreshTokenRepositoryMock->expects($this->once())->method('persistNewRefreshToken')->willReturnSelf();
            ->expects($this->once())
            ->method('persistNewRefreshToken')->willReturnSelf();
        $grant = new RefreshTokenGrant($refreshTokenRepositoryMock);
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setScopeRepository($scopeRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $oldRefreshToken = $this->cryptStub->doEncrypt(
@@ -82,19 +80,18 @@ class RefreshTokenGrantTest extends \PHPUnit_Framework_TestCase
        );
        $serverRequest = new ServerRequest();
-        $serverRequest = $serverRequest->withParsedBody(
+        $serverRequest = $serverRequest->withParsedBody([
-            [
+            'client_id'     => 'foo',
-                'client_id'     => 'foo',
+            'client_secret' => 'bar',
-                'client_secret' => 'bar',
+            'refresh_token' => $oldRefreshToken,
-                'refresh_token' => $oldRefreshToken,
+            'scopes'        => ['foo'],
-            ]
+        ]);
        );
        $responseType = new StubResponseType();
        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new \DateInterval('PT5M'));
-        $this->assertTrue($responseType->getAccessToken() instanceof AccessTokenEntityInterface);
+        $this->assertInstanceOf(AccessTokenEntityInterface::class, $responseType->getAccessToken());
-        $this->assertTrue($responseType->getRefreshToken() instanceof RefreshTokenEntityInterface);
+        $this->assertInstanceOf(RefreshTokenEntityInterface::class, $responseType->getRefreshToken());
    }
    public function testRespondToReducedScopes()
@@ -121,7 +118,7 @@ class RefreshTokenGrantTest extends \PHPUnit_Framework_TestCase
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setScopeRepository($scopeRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $oldRefreshToken = $this->cryptStub->doEncrypt(
@@ -150,8 +147,8 @@ class RefreshTokenGrantTest extends \PHPUnit_Framework_TestCase
        $responseType = new StubResponseType();
        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new \DateInterval('PT5M'));
-        $this->assertTrue($responseType->getAccessToken() instanceof AccessTokenEntityInterface);
+        $this->assertInstanceOf(AccessTokenEntityInterface::class, $responseType->getAccessToken());
-        $this->assertTrue($responseType->getRefreshToken() instanceof RefreshTokenEntityInterface);
+        $this->assertInstanceOf(RefreshTokenEntityInterface::class, $responseType->getRefreshToken());
    }
    /**
@@ -180,7 +177,7 @@ class RefreshTokenGrantTest extends \PHPUnit_Framework_TestCase
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setScopeRepository($scopeRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $oldRefreshToken = $this->cryptStub->doEncrypt(
@@ -227,7 +224,7 @@ class RefreshTokenGrantTest extends \PHPUnit_Framework_TestCase
        $grant = new RefreshTokenGrant($refreshTokenRepositoryMock);
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $serverRequest = new ServerRequest();
@@ -259,7 +256,7 @@ class RefreshTokenGrantTest extends \PHPUnit_Framework_TestCase
        $grant = new RefreshTokenGrant($refreshTokenRepositoryMock);
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $oldRefreshToken = 'foobar';
@@ -291,14 +288,13 @@ class RefreshTokenGrantTest extends \PHPUnit_Framework_TestCase
        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
        $accessTokenRepositoryMock->method('persistNewAccessToken')->willReturnSelf();
        $refreshTokenRepositoryMock = $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock();
        $refreshTokenRepositoryMock->method('persistNewRefreshToken')->willReturnSelf();
        $grant = new RefreshTokenGrant($refreshTokenRepositoryMock);
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $oldRefreshToken = $this->cryptStub->doEncrypt(
@@ -344,7 +340,7 @@ class RefreshTokenGrantTest extends \PHPUnit_Framework_TestCase
        $grant = new RefreshTokenGrant($refreshTokenRepositoryMock);
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $oldRefreshToken = $this->cryptStub->doEncrypt(
@@ -391,7 +387,7 @@ class RefreshTokenGrantTest extends \PHPUnit_Framework_TestCase
        $grant = new RefreshTokenGrant($refreshTokenRepositoryMock);
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $oldRefreshToken = $this->cryptStub->doEncrypt(
--- a/tests/Middleware/AuthorizationServerMiddlewareTest.php
+++ b/tests/Middleware/AuthorizationServerMiddlewareTest.php
@@ -11,18 +11,24 @@ use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
 use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
 use LeagueTests\Stubs\AccessTokenEntity;
 use LeagueTests\Stubs\ClientEntity;
 use LeagueTests\Stubs\ScopeEntity;
 use LeagueTests\Stubs\StubResponseType;
 use PHPUnit\Framework\TestCase;
 use Zend\Diactoros\Response;
 use Zend\Diactoros\ServerRequestFactory;
-class AuthorizationServerMiddlewareTest extends \PHPUnit_Framework_TestCase
+class AuthorizationServerMiddlewareTest extends TestCase
 {
    const DEFAULT_SCOPE = 'basic';
    public function testValidResponse()
    {
        $clientRepository = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
        $clientRepository->method('getClientEntity')->willReturn(new ClientEntity());
        $scopeEntity = new ScopeEntity;
        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scopeEntity);
        $scopeRepositoryMock->method('finalizeScopes')->willReturnArgument(0);
        $accessRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
@@ -33,10 +39,11 @@ class AuthorizationServerMiddlewareTest extends \PHPUnit_Framework_TestCase
            $accessRepositoryMock,
            $scopeRepositoryMock,
            'file://' . __DIR__ . '/../Stubs/private.key',
-            'file://' . __DIR__ . '/../Stubs/public.key',
+            base64_encode(random_bytes(36)),
            new StubResponseType()
        );
        $server->setDefaultScope(self::DEFAULT_SCOPE);
        $server->enableGrantType(new ClientCredentialsGrant());
        $_POST['grant_type'] = 'client_credentials';
@@ -66,7 +73,7 @@ class AuthorizationServerMiddlewareTest extends \PHPUnit_Framework_TestCase
            $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock(),
            $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock(),
            'file://' . __DIR__ . '/../Stubs/private.key',
-            'file://' . __DIR__ . '/../Stubs/public.key',
+            base64_encode(random_bytes(36)),
            new StubResponseType()
        );
@@ -97,7 +104,8 @@ class AuthorizationServerMiddlewareTest extends \PHPUnit_Framework_TestCase
        $response = $exception->generateHttpResponse(new Response());
        $this->assertEquals(302, $response->getStatusCode());
-        $this->assertEquals('http://foo/bar?error=invalid_scope&message=The+requested+scope+is+invalid%2C+unknown%2C+or+malformed&hint=Check+the+%60test%60+scope', $response->getHeader('location')[0]);
+        $this->assertEquals('http://foo/bar?error=invalid_scope&message=The+requested+scope+is+invalid%2C+unknown%2C+or+malformed&hint=Check+the+%60test%60+scope',
            $response->getHeader('location')[0]);
    }
    public function testOAuthErrorResponseRedirectUriFragment()
@@ -106,6 +114,7 @@ class AuthorizationServerMiddlewareTest extends \PHPUnit_Framework_TestCase
        $response = $exception->generateHttpResponse(new Response(), true);
        $this->assertEquals(302, $response->getStatusCode());
-        $this->assertEquals('http://foo/bar#error=invalid_scope&message=The+requested+scope+is+invalid%2C+unknown%2C+or+malformed&hint=Check+the+%60test%60+scope', $response->getHeader('location')[0]);
+        $this->assertEquals('http://foo/bar#error=invalid_scope&message=The+requested+scope+is+invalid%2C+unknown%2C+or+malformed&hint=Check+the+%60test%60+scope',
            $response->getHeader('location')[0]);
    }
 }
--- a/tests/Middleware/ResourceServerMiddlewareTest.php
+++ b/tests/Middleware/ResourceServerMiddlewareTest.php
@@ -8,10 +8,11 @@ use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
 use League\OAuth2\Server\ResourceServer;
 use LeagueTests\Stubs\AccessTokenEntity;
 use LeagueTests\Stubs\ClientEntity;
 use PHPUnit\Framework\TestCase;
 use Zend\Diactoros\Response;
 use Zend\Diactoros\ServerRequest;
-class ResourceServerMiddlewareTest extends \PHPUnit_Framework_TestCase
+class ResourceServerMiddlewareTest extends TestCase
 {
    public function testValidResponse()
    {
--- a/tests/ResourceServerTest.php
+++ b/tests/ResourceServerTest.php
@@ -6,9 +6,10 @@ namespace LeagueTests;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
 use League\OAuth2\Server\ResourceServer;
 use PHPUnit\Framework\TestCase;
 use Zend\Diactoros\ServerRequestFactory;
-class ResourceServerTest extends \PHPUnit_Framework_TestCase
+class ResourceServerTest extends TestCase
 {
    public function testValidateAuthenticatedRequest()
    {
--- a/tests/ResponseTypes/BearerResponseTypeTest.php
+++ b/tests/ResponseTypes/BearerResponseTypeTest.php
@@ -11,11 +11,12 @@ use LeagueTests\Stubs\AccessTokenEntity;
 use LeagueTests\Stubs\ClientEntity;
 use LeagueTests\Stubs\RefreshTokenEntity;
 use LeagueTests\Stubs\ScopeEntity;
 use PHPUnit\Framework\TestCase;
 use Psr\Http\Message\ResponseInterface;
 use Zend\Diactoros\Response;
 use Zend\Diactoros\ServerRequest;
-class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase
+class BearerResponseTypeTest extends TestCase
 {
    public function testGenerateHttpResponse()
    {
@@ -23,7 +24,7 @@ class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase
        $responseType = new BearerTokenResponse($accessTokenRepositoryMock);
        $responseType->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $responseType->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $responseType->setEncryptionKey(base64_encode(random_bytes(36)));
        $client = new ClientEntity();
        $client->setIdentifier('clientName');
@@ -47,7 +48,7 @@ class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase
        $response = $responseType->generateHttpResponse(new Response());
-        $this->assertTrue($response instanceof ResponseInterface);
+        $this->assertInstanceOf(ResponseInterface::class, $response);
        $this->assertEquals(200, $response->getStatusCode());
        $this->assertEquals('no-cache', $response->getHeader('pragma')[0]);
        $this->assertEquals('no-store', $response->getHeader('cache-control')[0]);
@@ -55,10 +56,10 @@ class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase
        $response->getBody()->rewind();
        $json = json_decode($response->getBody()->getContents());
-        $this->assertEquals('Bearer', $json->token_type);
+        $this->assertAttributeEquals('Bearer', 'token_type', $json);
-        $this->assertTrue(isset($json->expires_in));
+        $this->assertObjectHasAttribute('expires_in', $json);
-        $this->assertTrue(isset($json->access_token));
+        $this->assertObjectHasAttribute('access_token', $json);
-        $this->assertTrue(isset($json->refresh_token));
+        $this->assertObjectHasAttribute('refresh_token', $json);
    }
    public function testGenerateHttpResponseWithExtraParams()
@@ -67,7 +68,7 @@ class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase
        $responseType = new BearerTokenResponseWithParams($accessTokenRepositoryMock);
        $responseType->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $responseType->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $responseType->setEncryptionKey(base64_encode(random_bytes(36)));
        $client = new ClientEntity();
        $client->setIdentifier('clientName');
@@ -91,7 +92,7 @@ class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase
        $response = $responseType->generateHttpResponse(new Response());
-        $this->assertTrue($response instanceof ResponseInterface);
+        $this->assertInstanceOf(ResponseInterface::class, $response);
        $this->assertEquals(200, $response->getStatusCode());
        $this->assertEquals('no-cache', $response->getHeader('pragma')[0]);
        $this->assertEquals('no-store', $response->getHeader('cache-control')[0]);
@@ -99,13 +100,13 @@ class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase
        $response->getBody()->rewind();
        $json = json_decode($response->getBody()->getContents());
-        $this->assertEquals('Bearer', $json->token_type);
+        $this->assertAttributeEquals('Bearer', 'token_type', $json);
-        $this->assertTrue(isset($json->expires_in));
+        $this->assertObjectHasAttribute('expires_in', $json);
-        $this->assertTrue(isset($json->access_token));
+        $this->assertObjectHasAttribute('access_token', $json);
-        $this->assertTrue(isset($json->refresh_token));
+        $this->assertObjectHasAttribute('refresh_token', $json);
-        $this->assertTrue(isset($json->foo));
+        $this->assertObjectHasAttribute('foo', $json);
-        $this->assertEquals('bar', $json->foo);
+        $this->assertAttributeEquals('bar', 'foo', $json);
    }
    public function testDetermineAccessTokenInHeaderValidToken()
@@ -115,7 +116,7 @@ class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase
        $responseType = new BearerTokenResponse($accessTokenRepositoryMock);
        $responseType->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $responseType->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $responseType->setEncryptionKey(base64_encode(random_bytes(36)));
        $client = new ClientEntity();
        $client->setIdentifier('clientName');
@@ -141,7 +142,6 @@ class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase
        $accessTokenRepositoryMock->method('isAccessTokenRevoked')->willReturn(false);
        $authorizationValidator = new BearerTokenValidator($accessTokenRepositoryMock);
        $authorizationValidator->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $authorizationValidator->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
        $request = new ServerRequest();
@@ -162,7 +162,7 @@ class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase
        $responseType = new BearerTokenResponse($accessTokenRepositoryMock);
        $responseType->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $responseType->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $responseType->setEncryptionKey(base64_encode(random_bytes(36)));
        $client = new ClientEntity();
        $client->setIdentifier('clientName');
@@ -185,7 +185,6 @@ class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase
        $json = json_decode((string) $response->getBody());
        $authorizationValidator = new BearerTokenValidator($accessTokenRepositoryMock);
        $authorizationValidator->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $authorizationValidator->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
        $request = new ServerRequest();
@@ -205,7 +204,7 @@ class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase
    {
        $responseType = new BearerTokenResponse();
        $responseType->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $responseType->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $responseType->setEncryptionKey(base64_encode(random_bytes(36)));
        $client = new ClientEntity();
        $client->setIdentifier('clientName');
@@ -231,7 +230,6 @@ class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase
        $accessTokenRepositoryMock->method('isAccessTokenRevoked')->willReturn(true);
        $authorizationValidator = new BearerTokenValidator($accessTokenRepositoryMock);
        $authorizationValidator->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $authorizationValidator->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
        $request = new ServerRequest();
@@ -253,12 +251,11 @@ class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase
        $responseType = new BearerTokenResponse($accessTokenRepositoryMock);
        $responseType->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $responseType->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $responseType->setEncryptionKey(base64_encode(random_bytes(36)));
        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
        $authorizationValidator = new BearerTokenValidator($accessTokenRepositoryMock);
        $authorizationValidator->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $authorizationValidator->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
        $request = new ServerRequest();
@@ -280,12 +277,11 @@ class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase
        $responseType = new BearerTokenResponse($accessTokenRepositoryMock);
        $responseType->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $responseType->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $responseType->setEncryptionKey(base64_encode(random_bytes(36)));
        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
        $authorizationValidator = new BearerTokenValidator($accessTokenRepositoryMock);
        $authorizationValidator->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $authorizationValidator->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
        $request = new ServerRequest();
--- a/tests/Stubs/CryptTraitStub.php
+++ b/tests/Stubs/CryptTraitStub.php
@@ -2,7 +2,6 @@
 namespace LeagueTests\Stubs;
 use League\OAuth2\Server\CryptKey;
 use League\OAuth2\Server\CryptTrait;
 class CryptTraitStub
@@ -11,8 +10,12 @@ class CryptTraitStub
    public function __construct()
    {
-        $this->setPrivateKey(new CryptKey('file://' . __DIR__ . '/private.key'));
+        $this->setEncryptionKey(base64_encode(random_bytes(36)));
-        $this->setPublicKey(new CryptKey('file://' . __DIR__ . '/public.key'));
+    }
    public function getKey()
    {
        return $this->encryptionKey;
    }
    public function doEncrypt($unencryptedData)
Author	SHA1	Message	Date
Andrew Millington	276d5b655b	Update README.md Updating readme to refer to the latest 5.1.* branch	2017-12-23 13:20:52 +00:00
Andrew Millington	00138446b6	Merge pull request #828 from Sephster/master Fixed ordering so we only hash after base64 encoding	2017-12-23 02:14:34 +00:00
Andrew Millington	1c36b70dab	Fixed ordering so we only hash after base64 encoding	2017-12-23 02:06:18 +00:00
Andrew Millington	f11e4c81cd	Merge pull request #697 from fkooman/fix-s256 Fix PKCE code verifier encoding to match specification	2017-12-23 01:52:33 +00:00
Andrew Millington	f5a1feb67d	Added PHP 7.2 to the supported versions	2017-12-13 21:05:36 +00:00
Andrew Millington	1ad4d2121f	Merge pull request #822 from carusogabriel/patch-1 Test against PHP 7.2	2017-12-13 21:04:25 +00:00
Andrew Millington	1660dd0559	Merge pull request #824 from carusogabriel/refactoring-tests Refactoring tests	2017-12-13 21:02:09 +00:00
Gabriel Caruso	9ceafe5dd3	Refactoring tests	2017-12-06 18:24:42 -02:00
Gabriel Caruso	d1d68242ea	Test against PHP 7.2	2017-11-30 23:52:50 -02:00
Andrew Millington	a53e753b1a	Merge pull request #818 from imanghafoori1/master flatten code	2017-11-23 22:42:26 +00:00
Iman	f88961eddd	flatten code	2017-11-23 21:26:39 +03:30
Andrew Millington	8c93fd74c9	Merge pull request #573 from ismailbaskin/master Include redirect_uri check on authorization endpoint	2017-11-19 20:57:27 +00:00
Andrew Millington	2765481b9f	Handle no scope hint	2017-11-18 18:47:38 +00:00
Andrew Millington	9273936009	Fix bug where not specifying the bad scope	2017-11-18 18:46:03 +00:00
Andrew Millington	5f4ec6a154	Merge pull request #811 from Sephster/master Add default scopes to authentication server	2017-11-16 19:27:41 +00:00
Sephster	b50c7622db	Add in validation for authorization requests. Fixes thephpleague/oauth2-server#677	2017-11-14 00:12:04 +00:00
Sephster	dc9c1a1023	Remove blank line to keep code consistent	2017-11-13 23:59:55 +00:00
Sephster	6e6baf5b75	Remove abstract authorize grant use	2017-11-13 23:57:24 +00:00
Sephster	7878cf9c13	Merge remote-tracking branch 'upstream/master'	2017-11-13 23:52:36 +00:00
Sephster	1bcee9aaba	Add a test for a missing scope for the password grant	2017-11-13 23:16:30 +00:00
Sephster	1e3a84fc85	Add a test to ensure response requests fail without a scope specified	2017-11-13 23:00:27 +00:00
Sephster	a5c5929dc9	Change default scope to be basic	2017-11-13 22:34:12 +00:00
Sephster	c6bf2e1df0	Remove unnecessary white spaces	2017-11-13 22:31:50 +00:00
Sephster	eb645063c7	Reverted the abstract authorise grant to its previous state	2017-11-13 22:25:31 +00:00
Sephster	65789e0f39	Fix tests to support default scopes for authorization requests	2017-11-13 22:20:42 +00:00
Sephster	512d4898e2	Revert previous change	2017-11-13 22:20:16 +00:00
Sephster	c895885700	Modify grants so only auth requests use default scopes	2017-11-13 22:19:44 +00:00
Andrew Millington	661a0994c6	Merge pull request #810 from gabriel-caruso/phpunit Use PHPUnit\Framework\TestCase instead of PHPUnit_Framework_TestCase	2017-11-08 20:03:08 +00:00
Gabriel Caruso	3871aee48c	Bump PHPUnit version for compatibility	2017-11-08 16:20:31 -02:00
Gabriel Caruso	04f3d39b45	Use PHPUnit\Framework\TestCase instead of PHPUnit_Framework_TestCase	2017-11-08 16:07:07 -02:00
Andrew Millington	6bb416ce78	Merge pull request #678 from pcambra/add-zend-diactoros-example Added Zend diactoros library dependency to the examples	2017-11-07 16:27:26 +00:00
Andrew Millington	ce8248c10f	Remove erroneous character	2017-11-06 22:56:54 +00:00
Andrew Millington	13be557825	Re-add the complete testCompleteAuthorizationRequestNoUser()	2017-11-06 22:51:11 +00:00
Andrew Millington	0f08063864	Fixed use of default scope so it is only for authorization requests	2017-11-06 22:33:28 +00:00
Andrew Millington	cc6eb63dd8	Remove default scope from the Refresh Token Grant	2017-11-06 21:23:52 +00:00
Andrew Millington	093c7755fa	Remove default scope from the Password Grant	2017-11-06 21:23:14 +00:00
Andrew Millington	82b81c7f6f	Remove setDefaultScope function from the grant interface	2017-11-06 21:22:09 +00:00
Andrew Millington	9cd86a9154	Remove default scope for the ClientCredentialsGrant	2017-11-06 21:21:14 +00:00
Andrew Millington	42ea0de9fb	Add default scope to the AbstractAuthorizeGrant	2017-11-06 21:19:38 +00:00
Andrew Millington	ab760a805c	Remove default scope from abstract grant This should be added to the AbstractAuthorizeGrant instead as it is only used for an authorization request	2017-11-06 21:19:07 +00:00
Andrew Millington	34cb0ba759	Merge branch 'master' into add-zend-diactoros-example	2017-11-05 14:39:01 +00:00
Andrew Millington	ac48653bb5	Merge pull request #797 from thephpleague/Update-Readme Update readme file to bring in Andy, Brian, and Simon	2017-11-05 11:52:28 +00:00
Andrew Millington	bd2cdaf5da	Change missing scope test to check for invalid_scope exception	2017-10-31 23:01:19 +00:00
Andrew Millington	4806eda45a	Change to throw invalid scope instead of missing scope exception	2017-10-31 22:59:01 +00:00
Andrew Millington	b2fe909a71	Removed the missing scope exception as should be using invalid_scope	2017-10-31 22:58:07 +00:00
Andrew Millington	d0619385b8	Add a basic test to ensure we throw an exception when no scope is given	2017-10-31 21:00:14 +00:00
Andrew Millington	3828f87b19	Fix tests as no longer set the default scope in the constructor Use new setDefaultScope() method instead. Also changed default scope to be a blank string instead of null	2017-10-30 23:48:02 +00:00
Andrew Millington	a49f6ff80d	Remove setting default scope in the constructor	2017-10-30 23:36:19 +00:00
Andrew Millington	1161ceda0d	Fix the authorization server middleware test	2017-10-30 23:26:49 +00:00
Andrew Millington	f9143b5163	Fix the refresh token grant test	2017-10-30 23:26:11 +00:00
Alex Bilbie	cc98b5ec16	Merge pull request #801 from lucasantarella/master Added ability to specify query delimiter character in the implicit grant	2017-10-28 18:35:22 +07:00
Alex Bilbie	4d77aee4a9	Added a reference to myself§	2017-10-28 18:29:55 +07:00
Luca Santarella	b6b0e7c944	Merge remote-tracking branch 'origin/master' # Conflicts: # src/Grant/ImplicitGrant.php	2017-10-25 18:34:02 -04:00
Luca Santarella	a4fc05c31e	Fixed indentation in comment to match code style	2017-10-25 18:33:54 -04:00
Luca Santarella	606f69e6cd	Fixed indentation in comment to match code style	2017-10-25 18:33:26 -04:00
Luca Santarella	825017f27e	Ability to specify query delimiter, such as `?` instead of the hard-coded `#`	2017-10-25 18:30:17 -04:00
Colin O'Dell	37645f3244	Merge pull request #796 from thephpleague/analysis-8mEDjY Apply fixes from StyleCI	2017-10-23 15:44:37 -04:00
Brian Retterer	63c2c21ee6	Update readme file to bring in Andy, Brian, and Simon	2017-10-23 11:26:21 -04:00
Brian Retterer	23c7138d48	Apply fixes from StyleCI	2017-10-23 15:26:10 +00:00
Andrew Millington	63861704b6	Merge pull request #749 from dmelo/issue-748 Replaces array_key_exists by isset, which is faster, on ImplicitGrant.	2017-10-20 18:28:18 +01:00
Diogo Oliveira de Melo	203be5ca20	Revert comparison order, as suggested by @Sephster	2017-10-20 09:23:36 -02:00
Andrew Millington	24f29b6382	Fix more tests to support default scope setting	2017-10-19 22:37:19 +01:00
Andrew Millington	8c788e9fc8	Update tests so they don't trigger missing or invalid scope exceptions	2017-10-18 22:11:13 +01:00
Andrew Millington	4d28eadf93	Update tests so they don't trigger missing or invalid scope exceptions	2017-10-18 22:11:02 +01:00
Andrew Millington	5a28fb8af4	Set a default scope for the authorization server	2017-10-18 22:09:53 +01:00
Andrew Millington	c996b66528	Add means to set default scopes for grants	2017-10-18 22:08:41 +01:00
Andrew Millington	c70451abd5	Add an exception for a missing scope	2017-10-18 22:08:11 +01:00
Andrew Millington	e7ee483d11	Changed function comment to reflect we are setting the public, instead of private key	2017-10-13 23:02:29 +01:00
Alex Bilbie	5b223a9501	Update README.md	2017-10-11 10:33:10 +01:00
Alex Bilbie	3b58ab1df2	Merge pull request #724 from davedevelopment/change-token-type-case Change case for implict grant token_type	2017-08-11 08:16:08 +01:00
Alex Bilbie	925776958f	Updated changelog	2017-08-03 16:09:23 +01:00
Alex Bilbie	c86c7dde70	Fix #759	2017-08-03 16:07:11 +01:00
Alex Bilbie	e184691ded	Merge pull request #776 from yannickl88/fix/perm-key-check Removed chmod from CryptKey and add toggle to disable checking	2017-08-03 16:04:08 +01:00
Alex Bilbie	b2648218f1	Merge pull request #777 from hhamon/hhamon-patch-1 [BC Break] Fixes invalid code challenge method payload key name	2017-08-03 16:03:48 +01:00
Yannick de Lange	2aca909d20	Removed chmod from CryptKey and add toggle to disable checking	2017-08-03 15:57:39 +02:00
Hugo Hamon	79038ced78	[BC Break] Fixes invalid code challenge method payload key name I guess this change might be a BC break for existing and active authorization tokens when they're validated by the server. The good thing is that an authorization token has a very short expiration time and is used once to request an access token.	2017-08-02 17:55:11 +02:00
Alex Bilbie	7c2218fdcc	Merge pull request #773 from kumy/issue-772 Fix #772 - PR should be based on master branch	2017-07-30 08:32:30 +01:00
Alex Bilbie	935fff8308	Merge pull request #770 from benito103e/master Updated PHPDoc about the unicity violation exception throwing	2017-07-30 08:31:50 +01:00
Mathieu Alorent	0f1ddaaacf	Fix #772 - PR should be based on master branch	2017-07-29 17:41:44 +02:00
Benjamin Dieleman	ecc07abb33	Updated PHPDoc about the unicity violation exception throwing UniqueTokenIdentifierConstraintViolationException can be thrown when persisting tokens	2017-07-27 17:31:01 +02:00
Alex Bilbie	a1b8d87b47	Updated changelog	2017-07-19 07:58:56 +01:00
Alex Bilbie	80fc8e654b	Trigger E_USER_NOTICE instead of throwing an exception if key cannot be chmod to 600	2017-07-19 07:57:47 +01:00
Alex Bilbie	317f46b7ae	Merge pull request #754 from Lctrs/fix/missing-sprintf Fix missing sprintf() calls	2017-07-07 16:50:08 +01:00
Jérôme Parmentier	88bf8b2367	Fix missing sprintf	2017-07-03 20:28:28 +02:00
Alex Bilbie	315d079033	Added link to security release information page	2017-07-02 18:44:55 +01:00
Alex Bilbie	2824f7d27e	Fixed examples	2017-07-01 18:46:48 +01:00
Alex Bilbie	0a6a4deca6	5.1.4 not 5.1.14	2017-07-01 18:38:35 +01:00
Alex Bilbie	00c645545a	Updated changelog	2017-07-01 18:33:17 +01:00
Alex Bilbie	417a64ad43	Added security notice	2017-07-01 18:33:03 +01:00
Alex Bilbie	f5c3ba0b24	Removed dead code	2017-07-01 18:22:51 +01:00
Alex Bilbie	e1ef133067	Dropped PHP 5.5 compatability	2017-07-01 18:22:44 +01:00
Alex Bilbie	523434902c	Removed dead code	2017-07-01 18:15:41 +01:00
Alex Bilbie	aac467e616	Fixed broken tests	2017-07-01 18:11:19 +01:00
Alex Bilbie	76c2b6f88c	AuthorizationServer no longer needs to know about the public key	2017-07-01 18:11:10 +01:00
Alex Bilbie	72349ef22f	Encryption key is now always required so remove redundent code	2017-07-01 18:10:53 +01:00
Alex Bilbie	850793ab88	Added missing methods	2017-07-01 18:08:49 +01:00
Alex Bilbie	0f73bf0054	Encryption key just uses Defuse\Crypto now, no key based crypto	2017-07-01 18:07:51 +01:00
Alex Bilbie	7953f27b38	Stop testing HHVM	2017-07-01 18:07:09 +01:00
Alex Bilbie	cc2c3a7044	Removed unnecessary stuff from composer.json	2017-07-01 18:07:01 +01:00
Alex Bilbie	06424fdbe2	Use Trusty for TravisCI	2017-07-01 17:24:11 +01:00
Alex Bilbie	55f93f9400	Merge pull request #752 from thephpleague/analysis-qBDGNm Apply fixes from StyleCI	2017-07-01 17:20:19 +01:00
Alex Bilbie	aee1779432	Apply fixes from StyleCI	2017-07-01 16:19:23 +00:00
Alex Bilbie	09c167ac43	Updated changelog and readme	2017-07-01 17:17:55 +01:00
Alex Bilbie	765a01021b	Updated error message	2017-07-01 16:45:29 +01:00
Alex Bilbie	0706d66c76	Don’t pad and shuffle the payload if an encryption key has been set	2017-07-01 16:45:29 +01:00
Alex Bilbie	e123fe82d0	Ignore error_log messages in code coverage	2017-07-01 16:45:29 +01:00
Alex Bilbie	107cfc3678	Updated examples	2017-07-01 16:45:29 +01:00
Alex Bilbie	1954120c3d	Use catch all exception	2017-07-01 16:45:29 +01:00
Alex Bilbie	dd5eee150d	Ensure response type also has access to the encryption key	2017-07-01 16:45:29 +01:00
Alex Bilbie	76c1349181	Updated random_compat version	2017-07-01 16:45:29 +01:00
Alex Bilbie	1af4012df4	New property on AuthorizationServer to receive an encryption key which is used for future encryption/decryption instead of keybased encryption/decryption	2017-07-01 16:45:29 +01:00
Alex Bilbie	4a717104fa	Shuffle the contents of the authorization code payload	2017-07-01 16:45:29 +01:00
Alex Bilbie	63530443fe	Better error checking when saving a temporary key to ensure file was written successfully and the server is the exclusive mode	2017-07-01 16:44:57 +01:00
Alex Bilbie	2f8de3d230	Ensure the server is the exclusive owner of the key	2017-07-01 16:44:51 +01:00
Alex Bilbie	57d199b889	Stricter validation of code challenge value to match RFC 7636 requirements	2017-07-01 16:44:43 +01:00
Alex Bilbie	6bdd108145	Escape scope parameter to reduce pontential XSS vector	2017-07-01 16:43:31 +01:00
Diogo Oliveira de Melo	170ce2fd2d	Replaces array_key_exists by isset, which is faster, on ImplicitGrant.	2017-06-30 15:42:23 -03:00
Dave Marshall	83228bdcd5	Change case for implict grant token_type	2017-03-27 12:11:25 +01:00
Alex Bilbie	bf7084a147	Merge pull request #709 from toby-griffiths/fix-refresh-token-ttl Corrected DateInterval from 1 min to 1 month	2017-03-02 14:06:27 +00:00
Toby Griffiths	13c608b849	Corrected DateInterval from 1 min to 1 month	2017-03-01 13:08:42 +00:00
Alex Bilbie	ded7c1ed47	Mentioned PHP 7.1 support	2017-02-02 17:29:06 +00:00
François Kooman	6426e597a3	Fix PKCE code verifier encoding to match specification The current implementation of PKCE does not follow the specification correctly regarding the encoding of the code verifier. This patch correctly encodes the hash of the code verifier according to Appenix A of RFC 7636.	2017-01-24 11:36:34 +01:00
Alex Bilbie	0da70c916a	Merge pull request #690 from Jalle19/patch-1 Fix typo in the first README sentence	2016-12-23 07:42:23 +00:00
Sam Stenvall	90cb1bf012	Fix typo in the first README sentence	2016-12-23 00:30:54 +02:00
Alex Bilbie	b32204bd91	Merge pull request #682 from wilsonge/patch-1 Fix middleware example fatal error	2016-11-08 13:18:13 +00:00
George Wilson	518c1fcec5	Fix middleware example fatal error	2016-11-08 12:27:49 +00:00
Pedro Cambra	ee8841fe66	Added Zend diactoros library dependency to the examples	2016-10-31 09:57:44 +09:00
Alex Bilbie	6946592553	Merge pull request #671 from duncan3dc/patch-1 [Travis] Test on PHP 7.1	2016-10-16 16:58:15 +01:00
Craig Duncan	25580b98b7	[Travis] Test on PHP 7.1	2016-10-16 16:48:44 +01:00
Alex Bilbie	f78dc2eca0	Updated README	2016-10-12 15:08:15 +01:00
Alex Bilbie	105b3116dc	Merge pull request #669 from jeremykendall/fix/www-authenticate-header Fix WWW-Authenticate entry in $headers array	2016-10-12 15:05:19 +01:00
jeremykendall	01677a564e	Fix WWW-Authenticate entry in $headers array In this context the header name should be the array key and the header value the array value.	2016-10-11 22:27:24 -05:00
Alex Bilbie	4c4b0633b1	Merge pull request #668 from er0k/increase-ssl-key-length Increase the recommended RSA key length from 1024 to 2048 bits	2016-10-11 14:27:16 +01:00
er0k	c4a75b2880	Increase the recommended RSA key length from 1024 to 2048 bits	2016-10-11 09:24:27 -04:00
Alex Bilbie	e091d48127	Changelog bump	2016-09-19 10:23:42 +01:00
Alex Bilbie	a798cfdc5d	Merge pull request #656 from thephpleague/issue-650-fix Fix for #650	2016-09-19 10:19:05 +01:00
Alex Bilbie	56e8d374fb	Fix broken tests	2016-09-19 10:06:00 +01:00
Alex Bilbie	b1bfff7325	Don't pass in user because we don't know who user is	2016-09-19 10:05:55 +01:00
Alex Bilbie	32cde01ab2	Merge pull request #657 from thephpleague/analysis-86wPg4 Applied fixes from StyleCI	2016-09-13 15:19:56 +01:00
Alex Bilbie	11ccc305d0	Applied fixes from StyleCI	2016-09-13 14:17:09 +00:00
Alex Bilbie	d7df2f7e24	Fix for #650	2016-09-13 15:16:58 +01:00
İsmail BASKIN	9a58bc15f6	Include redirect_uri check on authorization endpoint on implicit grant	2016-05-07 17:44:02 +03:00
İsmail BASKIN	7285ede563	Include redirect_uri check on authorization endpoint	2016-05-04 13:34:37 +03:00