Merge pull request #1035 from matt-allan/prevent-public-client-confidential-grant

Prevent public clients from using the client_credentials grant type
Reword changelog
2025-05-31 14:12:07 +05:30 · 2019-07-25 19:20:11 +01:00 · 2019-07-25 19:14:08 +01:00 · 2019-07-25 19:12:33 +01:00 · 2019-07-25 19:09:47 +01:00 · 2019-07-25 19:04:44 +01:00
64 changed files with 2299 additions and 1256 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,4 @@ phpunit.xml
 examples/public.key
 examples/private.key
 build
+*.orig
--- a/.styleci.yml
+++ b/.styleci.yml
@@ -4,6 +4,7 @@ enabled:
  - binary_operator_spaces
  - blank_line_before_return
  - concat_with_spaces
+  - fully_qualified_strict_types
  - function_typehint_space
  - hash_to_slash_comment
  - include
@@ -40,7 +41,6 @@ enabled:
  - print_to_echo
  - short_array_syntax
  - short_scalar_cast
-  - simplified_null_return
  - single_quote
  - spaces_cast
  - standardize_not_equal
--- a/.travis.yml
+++ b/.travis.yml
@@ -12,9 +12,9 @@ env:
  - DEPENDENCIES="--prefer-lowest --prefer-stable"

 php:
-  - 7.0
  - 7.1
  - 7.2
+  - 7.3

 install:
  - composer update --no-interaction --prefer-dist $DEPENDENCIES
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,85 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.

 ## [Unreleased]

+### Fixed
+- Clients are now explicitly prevented from using the Client Credentials grant unless they are confidential to conform
+ with the OAuth2 spec (PR #1035)
+
+## [8.0.0] - released 2019-07-13
+
+### Added
+- Flag, `requireCodeChallengeForPublicClients`, used to reject public clients that do not provide a code challenge for the Auth Code Grant; use AuthCodeGrant::disableRequireCodeCallengeForPublicClients() to turn off this requirement (PR #938)
+- Public clients can now use the Auth Code Grant (PR #938)
+- `isConfidential` getter added to `ClientEntity` to identify type of client (PR #938)
+- Function `validateClient()` added to validate clients which was previously performed by the `getClientEntity()` function (PR #938)
+- Add a new function to the AbstractGrant class called `getClientEntityOrFail()`. This is a wrapper around the `getClientEntity()` function that ensures we emit and throw an exception if the repo doesn't return a client entity. (PR #1010)
+
+### Changed
+- Replace `convertToJWT()` interface with a more generic `__toString()` to improve extensibility; AccessTokenEntityInterface now requires `setPrivateKey(CryptKey $privateKey)` so `__toString()` has everything it needs to work (PR #874)
+- The `invalidClient()` function accepts a PSR-7 compliant `$serverRequest` argument to avoid accessing the `$_SERVER` global variable and improve testing (PR #899)
+- `issueAccessToken()` in the Abstract Grant no longer sets access token client, user ID or scopes. These values should already have been set when calling `getNewToken()` (PR #919)
+- No longer need to enable PKCE with `enableCodeExchangeProof` flag. Any client sending a code challenge will initiate PKCE checks. (PR #938)
+- Function `getClientEntity()` no longer performs client validation (PR #938)
+- Password Grant now returns an invalid_grant error instead of invalid_credentials if a user cannot be validated (PR #967)
+- Use `DateTimeImmutable()` instead of `DateTime()`, `time()` instead of `(new DateTime())->getTimeStamp()`, and `DateTime::getTimeStamp()` instead of `DateTime::format('U')` (PR #963)
+
+### Removed
+- `enableCodeExchangeProof` flag (PR #938)
+- Support for PHP 7.0 (PR #1014)
+- Remove JTI claim from JWT header (PR #1031)
+
+## [7.4.0] - released 2019-05-05
+
+### Changed
+- RefreshTokenRepository can now return null, allowing refresh tokens to be optional. (PR #649)
+
+## [7.3.3] - released 2019-03-29
+
+### Added
+- Added `error_description` to the error payload to improve standards compliance. The contents of this are copied from the existing `message` value. (PR #1006)
+
+### Deprecated
+- Error payload will not issue `message` value in the next major release (PR #1006)
+
+## [7.3.2] - released 2018-11-21
+
+### Fixed
+- Revert setting keys on response type to be inside `getResponseType()` function instead of AuthorizationServer constructor (PR #969)
+
+## [7.3.1] - released 2018-11-15
+
+### Fixed
+- Fix issue with previous release where interface had changed for the AuthorizationServer. Reverted to the previous interface while maintaining functionality changes (PR #970)
+
+## [7.3.0] - released 2018-11-13
+
+### Changed
+- Moved  the `finalizeScopes()` call from `validateAuthorizationRequest` method to the `completeAuthorizationRequest` method so it is called just before the access token is issued (PR #923)
+
+### Added
+- Added a ScopeTrait to provide an implementation for jsonSerialize (PR #952)
+- Ability to nest exceptions (PR #965)
+
+### Fixed
+- Fix issue where AuthorizationServer is not stateless as ResponseType could store state of a previous request (PR #960)
+
+## [7.2.0] - released 2018-06-23
+
+### Changed
+- Added new`validateRedirectUri` method AbstractGrant to remove three instances of code duplication (PR #912)
+- Allow 640 as a crypt key file permission (PR #917)
+
+### Added
+- Function `hasRedirect()` added to `OAuthServerException` (PR #703)
+
+### Fixed
+- Catch and handle `BadMethodCallException` from the `verify()` method of the JWT token in the `validateAuthorization` method (PR #904)
+
+## [4.1.7] - released 2018-06-23
+
+### Fixed
+- Ensure `empty()` function call only contains variable to be compatible with PHP 5.4 (PR #918)
+
 ## [7.1.1] - released 2018-05-21

 ### Fixed
@@ -97,6 +176,10 @@ To address feedback from the security release the following change has been made

 - Fixed `finalizeScopes` call (Issue #650)

+## [4.1.6] - 2016-09-13
+
+- Less restrictive on Authorization header check (Issue #652)
+
 ## [5.1.1] - 2016-07-26

 - Improved test suite (Issue #614)
@@ -389,7 +472,14 @@ Version 5 is a complete code rewrite.

 - First major release

-[Unreleased]: https://github.com/thephpleague/oauth2-server/compare/7.0.0...HEAD
+[Unreleased]: https://github.com/thephpleague/oauth2-server/compare/8.0.0...HEAD
+[8.0.0]: https://github.com/thephpleague/oauth2-server/compare/7.4.0...8.0.0
+[7.4.0]: https://github.com/thephpleague/oauth2-server/compare/7.3.3...7.4.0
+[7.3.3]: https://github.com/thephpleague/oauth2-server/compare/7.3.2...7.3.3
+[7.3.2]: https://github.com/thephpleague/oauth2-server/compare/7.3.1...7.3.2
+[7.3.1]: https://github.com/thephpleague/oauth2-server/compare/7.3.0...7.3.1
+[7.3.0]: https://github.com/thephpleague/oauth2-server/compare/7.2.0...7.3.0
+[7.2.0]: https://github.com/thephpleague/oauth2-server/compare/7.1.1...7.2.0
 [7.1.1]: https://github.com/thephpleague/oauth2-server/compare/7.1.0...7.1.1
 [7.1.0]: https://github.com/thephpleague/oauth2-server/compare/7.0.0...7.1.0
 [7.0.0]: https://github.com/thephpleague/oauth2-server/compare/6.1.1...7.0.0
@@ -409,6 +499,8 @@ Version 5 is a complete code rewrite.
 [5.0.0]: https://github.com/thephpleague/oauth2-server/compare/5.0.0-RC2...5.0.0
 [5.0.0-RC2]: https://github.com/thephpleague/oauth2-server/compare/5.0.0-RC1...5.0.0-RC2
 [5.0.0-RC1]: https://github.com/thephpleague/oauth2-server/compare/4.1.5...5.0.0-RC1
+[4.1.7]: https://github.com/thephpleague/oauth2-server/compare/4.1.6...4.1.7
+[4.1.6]: https://github.com/thephpleague/oauth2-server/compare/4.1.5...4.1.6
 [4.1.5]: https://github.com/thephpleague/oauth2-server/compare/4.1.4...4.1.5
 [4.1.4]: https://github.com/thephpleague/oauth2-server/compare/4.1.3...4.1.4
 [4.1.3]: https://github.com/thephpleague/oauth2-server/compare/4.1.2...4.1.3
--- a/README.md
+++ b/README.md
@@ -31,13 +31,13 @@ This library was created by Alex Bilbie. Find him on Twitter at [@alexbilbie](ht

 The following versions of PHP are supported:

-* PHP 7.0
 * PHP 7.1
 * PHP 7.2
+* PHP 7.3

-The `openssl` extension is also required.
+The `openssl` and `json` extensions are also required.

-All HTTP messages passed to the server should be [PSR-7 compliant](https://www.php-fig.org/psr/psr-7/). This ensures interoperability between other packages and frameworks.
+All HTTP messages passed to the server should be [PSR-7 compliant](https://www.php-fig.org/psr/psr-7/). This ensures interoperability with other packages and frameworks.

 ## Installation

@@ -68,6 +68,8 @@ We use [Travis CI](https://travis-ci.org/), [Scrutinizer](https://scrutinizer-ci
 * [Drupal](https://www.drupal.org/project/simple_oauth)
 * [Laravel Passport](https://github.com/laravel/passport)
 * [OAuth 2 Server for CakePHP 3](https://github.com/uafrica/oauth-server)
+* [OAuth 2 Server for Expressive](https://github.com/zendframework/zend-expressive-authentication-oauth2)
+* [Trikoder OAuth 2 Bundle (Symfony)](https://github.com/trikoder/oauth2-bundle)

 ## Changelog

@@ -83,13 +85,9 @@ Bugs and feature request are tracked on [GitHub](https://github.com/thephpleague

 If you have any questions about OAuth _please_ open a ticket here; please **don't** email the address below.

-## Commercial Support
-
-If you would like help implementing this library into your existing platform, or would be interested in OAuth advice or training for you and your team please get in touch with [Glynde Labs](https://glyndelabs.com).
-
 ## Security

-If you discover any security related issues, please email `hello@alexbilbie.com` instead of using the issue tracker.
+If you discover any security related issues, please email `andrew@noexceptions.io` instead of using the issue tracker.

 ## License

@@ -97,7 +95,7 @@ This package is released under the MIT License. See the bundled [LICENSE](https:

 ## Credits

-This code is principally developed and maintained by [Andy Millington](https://twitter.com/Sephster) and [Simon Hamp](https://twitter.com/simonhamp).
+This code is principally developed and maintained by [Andy Millington](https://twitter.com/Sephster).

 Between 2012 and 2017 this library was developed and maintained by [Alex Bilbie](https://alexbilbie.com/).

--- a/composer.json
+++ b/composer.json
@@ -4,19 +4,20 @@
    "homepage": "https://oauth2.thephpleague.com/",
    "license": "MIT",
    "require": {
-        "php": ">=7.0.0",
+        "php": ">=7.1.0",
        "ext-openssl": "*",
-        "league/event": "^2.1",
-        "lcobucci/jwt": "^3.2.2",
+        "league/event": "^2.2",
+        "lcobucci/jwt": "^3.3.1",
        "psr/http-message": "^1.0.1",
-        "defuse/php-encryption": "^2.1"
+        "defuse/php-encryption": "^2.2.1",
+        "ext-json": "*"
    },
    "require-dev": {
-        "phpunit/phpunit": "^6.3 || ^7.0",
-        "zendframework/zend-diactoros": "^1.3.2",
-        "phpstan/phpstan": "^0.9.2",
-        "phpstan/phpstan-phpunit": "^0.9.4",
-        "phpstan/phpstan-strict-rules": "^0.9.0"
+        "phpunit/phpunit": "^7.5.13 || ^8.2.3",
+        "zendframework/zend-diactoros": "^2.1.2",
+        "phpstan/phpstan": "^0.11.8",
+        "phpstan/phpstan-phpunit": "^0.11.2",
+        "roave/security-advisories": "dev-master"
    },
    "repositories": [
        {
@@ -46,6 +47,12 @@
            "email": "hello@alexbilbie.com",
            "homepage": "http://www.alexbilbie.com",
            "role": "Developer"
+        },
+        {
+            "name": "Andy Millington",
+            "email": "andrew@noexceptions.io",
+            "homepage": "https://www.noexceptions.io",
+            "role": "Developer"
        }
    ],
    "replace": {
--- a/examples/composer.json
+++ b/examples/composer.json
@@ -1,14 +1,13 @@
 {
    "require": {
-        "slim/slim": "3.0.*"
+        "slim/slim": "^3.0.0"
    },
    "require-dev": {
-        "league/event": "^2.1",
-        "lcobucci/jwt": "^3.1",
-        "paragonie/random_compat": "^2.0",
+        "league/event": "^2.2",
+        "lcobucci/jwt": "^3.3",
        "psr/http-message": "^1.0",
-        "defuse/php-encryption": "^2.1",
-        "zendframework/zend-diactoros": "^1.0"
+        "defuse/php-encryption": "^2.2",
+        "zendframework/zend-diactoros": "^2.1.0"
    },
    "autoload": {
        "psr-4": {
--- a/examples/composer.lock
+++ b/examples/composer.lock
@@ -1,10 +1,10 @@
 {
    "_readme": [
        "This file locks the dependencies of your project to a known state",
-        "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
+        "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
        "This file is @generated automatically"
    ],
-    "content-hash": "9813ed7c3b6dcf107f44df9392935b8f",
+    "content-hash": "a7f5c3fdcadb17399bbd97f15e1b11f1",
    "packages": [
        {
            "name": "container-interop/container-interop",
@@ -39,21 +39,24 @@
        },
        {
            "name": "nikic/fast-route",
-            "version": "v0.6.0",
+            "version": "v1.3.0",
            "source": {
                "type": "git",
                "url": "https://github.com/nikic/FastRoute.git",
-                "reference": "31fa86924556b80735f98b294a7ffdfb26789f22"
+                "reference": "181d480e08d9476e61381e04a71b34dc0432e812"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/nikic/FastRoute/zipball/31fa86924556b80735f98b294a7ffdfb26789f22",
-                "reference": "31fa86924556b80735f98b294a7ffdfb26789f22",
+                "url": "https://api.github.com/repos/nikic/FastRoute/zipball/181d480e08d9476e61381e04a71b34dc0432e812",
+                "reference": "181d480e08d9476e61381e04a71b34dc0432e812",
                "shasum": ""
            },
            "require": {
                "php": ">=5.4.0"
            },
+            "require-dev": {
+                "phpunit/phpunit": "^4.8.35|~5.7"
+            },
            "type": "library",
            "autoload": {
                "psr-4": {
@@ -78,29 +81,33 @@
                "router",
                "routing"
            ],
-            "time": "2015-06-18T19:15:47+00:00"
+            "time": "2018-02-13T20:26:39+00:00"
        },
        {
            "name": "pimple/pimple",
-            "version": "v3.0.2",
+            "version": "v3.2.3",
            "source": {
                "type": "git",
                "url": "https://github.com/silexphp/Pimple.git",
-                "reference": "a30f7d6e57565a2e1a316e1baf2a483f788b258a"
+                "reference": "9e403941ef9d65d20cba7d54e29fe906db42cf32"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/silexphp/Pimple/zipball/a30f7d6e57565a2e1a316e1baf2a483f788b258a",
-                "reference": "a30f7d6e57565a2e1a316e1baf2a483f788b258a",
+                "url": "https://api.github.com/repos/silexphp/Pimple/zipball/9e403941ef9d65d20cba7d54e29fe906db42cf32",
+                "reference": "9e403941ef9d65d20cba7d54e29fe906db42cf32",
                "shasum": ""
            },
            "require": {
-                "php": ">=5.3.0"
+                "php": ">=5.3.0",
+                "psr/container": "^1.0"
+            },
+            "require-dev": {
+                "symfony/phpunit-bridge": "^3.2"
            },
            "type": "library",
            "extra": {
                "branch-alias": {
-                    "dev-master": "3.0.x-dev"
+                    "dev-master": "3.2.x-dev"
                }
            },
            "autoload": {
@@ -124,7 +131,7 @@
                "container",
                "dependency injection"
            ],
-            "time": "2015-09-11T15:10:35+00:00"
+            "time": "2018-01-21T07:42:36+00:00"
        },
        {
            "name": "psr/container",
@@ -227,27 +234,32 @@
        },
        {
            "name": "slim/slim",
-            "version": "3.0.0",
+            "version": "3.12.1",
            "source": {
                "type": "git",
                "url": "https://github.com/slimphp/Slim.git",
-                "reference": "3b06f0f2d84dabbe81b6cea46ace46a3e883253e"
+                "reference": "eaee12ef8d0750db62b8c548016d82fb33addb6b"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/slimphp/Slim/zipball/3b06f0f2d84dabbe81b6cea46ace46a3e883253e",
-                "reference": "3b06f0f2d84dabbe81b6cea46ace46a3e883253e",
+                "url": "https://api.github.com/repos/slimphp/Slim/zipball/eaee12ef8d0750db62b8c548016d82fb33addb6b",
+                "reference": "eaee12ef8d0750db62b8c548016d82fb33addb6b",
                "shasum": ""
            },
            "require": {
-                "container-interop/container-interop": "^1.1",
-                "nikic/fast-route": "^0.6",
+                "container-interop/container-interop": "^1.2",
+                "nikic/fast-route": "^1.0",
                "php": ">=5.5.0",
                "pimple/pimple": "^3.0",
+                "psr/container": "^1.0",
                "psr/http-message": "^1.0"
            },
+            "provide": {
+                "psr/http-message-implementation": "1.0"
+            },
            "require-dev": {
-                "phpunit/phpunit": "^4.0"
+                "phpunit/phpunit": "^4.0",
+                "squizlabs/php_codesniffer": "^2.5"
            },
            "type": "library",
            "autoload": {
@@ -282,38 +294,38 @@
                }
            ],
            "description": "Slim is a PHP micro framework that helps you quickly write simple yet powerful web applications and APIs",
-            "homepage": "http://slimframework.com",
+            "homepage": "https://slimframework.com",
            "keywords": [
                "api",
                "framework",
                "micro",
                "router"
            ],
-            "time": "2015-12-07T14:11:09+00:00"
+            "time": "2019-04-16T16:47:29+00:00"
        }
    ],
    "packages-dev": [
        {
            "name": "defuse/php-encryption",
-            "version": "v2.1.0",
+            "version": "v2.2.1",
            "source": {
                "type": "git",
                "url": "https://github.com/defuse/php-encryption.git",
-                "reference": "5176f5abb38d3ea8a6e3ac6cd3bbb54d8185a689"
+                "reference": "0f407c43b953d571421e0020ba92082ed5fb7620"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/defuse/php-encryption/zipball/5176f5abb38d3ea8a6e3ac6cd3bbb54d8185a689",
-                "reference": "5176f5abb38d3ea8a6e3ac6cd3bbb54d8185a689",
+                "url": "https://api.github.com/repos/defuse/php-encryption/zipball/0f407c43b953d571421e0020ba92082ed5fb7620",
+                "reference": "0f407c43b953d571421e0020ba92082ed5fb7620",
                "shasum": ""
            },
            "require": {
                "ext-openssl": "*",
-                "paragonie/random_compat": "~2.0",
+                "paragonie/random_compat": ">= 2",
                "php": ">=5.4.0"
            },
            "require-dev": {
-                "nikic/php-parser": "^2.0|^3.0",
+                "nikic/php-parser": "^2.0|^3.0|^4.0",
                "phpunit/phpunit": "^4|^5"
            },
            "bin": [
@@ -354,37 +366,34 @@
                "security",
                "symmetric key cryptography"
            ],
-            "time": "2017-05-18T21:28:48+00:00"
+            "time": "2018-07-24T23:27:56+00:00"
        },
        {
            "name": "lcobucci/jwt",
-            "version": "3.2.1",
+            "version": "3.3.1",
            "source": {
                "type": "git",
                "url": "https://github.com/lcobucci/jwt.git",
-                "reference": "ddce703826f9c5229781933b1a39069e38e6a0f3"
+                "reference": "a11ec5f4b4d75d1fcd04e133dede4c317aac9e18"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/lcobucci/jwt/zipball/ddce703826f9c5229781933b1a39069e38e6a0f3",
-                "reference": "ddce703826f9c5229781933b1a39069e38e6a0f3",
+                "url": "https://api.github.com/repos/lcobucci/jwt/zipball/a11ec5f4b4d75d1fcd04e133dede4c317aac9e18",
+                "reference": "a11ec5f4b4d75d1fcd04e133dede4c317aac9e18",
                "shasum": ""
            },
            "require": {
+                "ext-mbstring": "*",
                "ext-openssl": "*",
-                "php": ">=5.5"
+                "php": "^5.6 || ^7.0"
            },
            "require-dev": {
-                "mdanter/ecc": "~0.3.1",
                "mikey179/vfsstream": "~1.5",
                "phpmd/phpmd": "~2.2",
                "phpunit/php-invoker": "~1.1",
-                "phpunit/phpunit": "~4.5",
+                "phpunit/phpunit": "^5.7 || ^7.3",
                "squizlabs/php_codesniffer": "~2.3"
            },
-            "suggest": {
-                "mdanter/ecc": "Required to use Elliptic Curves based algorithms."
-            },
            "type": "library",
            "extra": {
                "branch-alias": {
@@ -412,20 +421,20 @@
                "JWS",
                "jwt"
            ],
-            "time": "2016-10-31T20:09:32+00:00"
+            "time": "2019-05-24T18:30:49+00:00"
        },
        {
            "name": "league/event",
-            "version": "2.1.2",
+            "version": "2.2.0",
            "source": {
                "type": "git",
                "url": "https://github.com/thephpleague/event.git",
-                "reference": "e4bfc88dbcb60c8d8a2939a71f9813e141bbe4cd"
+                "reference": "d2cc124cf9a3fab2bb4ff963307f60361ce4d119"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/thephpleague/event/zipball/e4bfc88dbcb60c8d8a2939a71f9813e141bbe4cd",
-                "reference": "e4bfc88dbcb60c8d8a2939a71f9813e141bbe4cd",
+                "url": "https://api.github.com/repos/thephpleague/event/zipball/d2cc124cf9a3fab2bb4ff963307f60361ce4d119",
+                "reference": "d2cc124cf9a3fab2bb4ff963307f60361ce4d119",
                "shasum": ""
            },
            "require": {
@@ -433,7 +442,7 @@
            },
            "require-dev": {
                "henrikbjorn/phpspec-code-coverage": "~1.0.1",
-                "phpspec/phpspec": "~2.0.0"
+                "phpspec/phpspec": "^2.2"
            },
            "type": "library",
            "extra": {
@@ -462,37 +471,33 @@
                "event",
                "listener"
            ],
-            "time": "2015-05-21T12:24:47+00:00"
+            "time": "2018-11-26T11:52:41+00:00"
        },
        {
            "name": "paragonie/random_compat",
-            "version": "v2.0.10",
+            "version": "v9.99.99",
            "source": {
                "type": "git",
                "url": "https://github.com/paragonie/random_compat.git",
-                "reference": "634bae8e911eefa89c1abfbf1b66da679ac8f54d"
+                "reference": "84b4dfb120c6f9b4ff7b3685f9b8f1aa365a0c95"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/paragonie/random_compat/zipball/634bae8e911eefa89c1abfbf1b66da679ac8f54d",
-                "reference": "634bae8e911eefa89c1abfbf1b66da679ac8f54d",
+                "url": "https://api.github.com/repos/paragonie/random_compat/zipball/84b4dfb120c6f9b4ff7b3685f9b8f1aa365a0c95",
+                "reference": "84b4dfb120c6f9b4ff7b3685f9b8f1aa365a0c95",
                "shasum": ""
            },
            "require": {
-                "php": ">=5.2.0"
+                "php": "^7"
            },
            "require-dev": {
-                "phpunit/phpunit": "4.*|5.*"
+                "phpunit/phpunit": "4.*|5.*",
+                "vimeo/psalm": "^1"
            },
            "suggest": {
                "ext-libsodium": "Provides a modern crypto API that can be used to generate random bytes."
            },
            "type": "library",
-            "autoload": {
-                "files": [
-                    "lib/random.php"
-                ]
-            },
            "notification-url": "https://packagist.org/downloads/",
            "license": [
                "MIT"
@@ -507,10 +512,129 @@
            "description": "PHP 5.x polyfill for random_bytes() and random_int() from PHP 7",
            "keywords": [
                "csprng",
+                "polyfill",
                "pseudorandom",
                "random"
            ],
-            "time": "2017-03-13T16:27:32+00:00"
+            "time": "2018-07-02T15:55:56+00:00"
+        },
+        {
+            "name": "psr/http-factory",
+            "version": "1.0.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/php-fig/http-factory.git",
+                "reference": "12ac7fcd07e5b077433f5f2bee95b3a771bf61be"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/php-fig/http-factory/zipball/12ac7fcd07e5b077433f5f2bee95b3a771bf61be",
+                "reference": "12ac7fcd07e5b077433f5f2bee95b3a771bf61be",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=7.0.0",
+                "psr/http-message": "^1.0"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.0.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Psr\\Http\\Message\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "PHP-FIG",
+                    "homepage": "http://www.php-fig.org/"
+                }
+            ],
+            "description": "Common interfaces for PSR-7 HTTP message factories",
+            "keywords": [
+                "factory",
+                "http",
+                "message",
+                "psr",
+                "psr-17",
+                "psr-7",
+                "request",
+                "response"
+            ],
+            "time": "2019-04-30T12:38:16+00:00"
+        },
+        {
+            "name": "zendframework/zend-diactoros",
+            "version": "2.1.3",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/zendframework/zend-diactoros.git",
+                "reference": "279723778c40164bcf984a2df12ff2c6ec5e61c1"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/zendframework/zend-diactoros/zipball/279723778c40164bcf984a2df12ff2c6ec5e61c1",
+                "reference": "279723778c40164bcf984a2df12ff2c6ec5e61c1",
+                "shasum": ""
+            },
+            "require": {
+                "php": "^7.1",
+                "psr/http-factory": "^1.0",
+                "psr/http-message": "^1.0"
+            },
+            "provide": {
+                "psr/http-factory-implementation": "1.0",
+                "psr/http-message-implementation": "1.0"
+            },
+            "require-dev": {
+                "ext-dom": "*",
+                "ext-libxml": "*",
+                "http-interop/http-factory-tests": "^0.5.0",
+                "php-http/psr7-integration-tests": "dev-master",
+                "phpunit/phpunit": "^7.0.2",
+                "zendframework/zend-coding-standard": "~1.0.0"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "2.1.x-dev",
+                    "dev-develop": "2.2.x-dev",
+                    "dev-release-1.8": "1.8.x-dev"
+                }
+            },
+            "autoload": {
+                "files": [
+                    "src/functions/create_uploaded_file.php",
+                    "src/functions/marshal_headers_from_sapi.php",
+                    "src/functions/marshal_method_from_sapi.php",
+                    "src/functions/marshal_protocol_version_from_sapi.php",
+                    "src/functions/marshal_uri_from_sapi.php",
+                    "src/functions/normalize_server.php",
+                    "src/functions/normalize_uploaded_files.php",
+                    "src/functions/parse_cookie_header.php"
+                ],
+                "psr-4": {
+                    "Zend\\Diactoros\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "BSD-3-Clause"
+            ],
+            "description": "PSR HTTP Message implementations",
+            "keywords": [
+                "http",
+                "psr",
+                "psr-7"
+            ],
+            "time": "2019-07-10T16:13:25+00:00"
        }
    ],
    "aliases": [],
--- a/examples/src/Entities/ScopeEntity.php
+++ b/examples/src/Entities/ScopeEntity.php
@@ -11,13 +11,9 @@ namespace OAuth2ServerExamples\Entities;

 use League\OAuth2\Server\Entities\ScopeEntityInterface;
 use League\OAuth2\Server\Entities\Traits\EntityTrait;
+use League\OAuth2\Server\Entities\Traits\ScopeTrait;

 class ScopeEntity implements ScopeEntityInterface
 {
-    use EntityTrait;
-
-    public function jsonSerialize()
-    {
-        return $this->getIdentifier();
-    }
+    use EntityTrait, ScopeTrait;
 }
--- a/examples/src/Repositories/ClientRepository.php
+++ b/examples/src/Repositories/ClientRepository.php
@@ -14,16 +14,33 @@ use OAuth2ServerExamples\Entities\ClientEntity;

 class ClientRepository implements ClientRepositoryInterface
 {
+    const CLIENT_NAME = 'My Awesome App';
+    const REDIRECT_URI = 'http://foo/bar';
+
    /**
     * {@inheritdoc}
     */
-    public function getClientEntity($clientIdentifier, $grantType = null, $clientSecret = null, $mustValidateSecret = true)
+    public function getClientEntity($clientIdentifier)
+    {
+        $client = new ClientEntity();
+
+        $client->setIdentifier($clientIdentifier);
+        $client->setName(self::CLIENT_NAME);
+        $client->setRedirectUri(self::REDIRECT_URI);
+
+        return $client;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function validateClient($clientIdentifier, $clientSecret, $grantType)
    {
        $clients = [
            'myawesomeapp' => [
                'secret'          => password_hash('abc123', PASSWORD_BCRYPT),
-                'name'            => 'My Awesome App',
-                'redirect_uri'    => 'http://foo/bar',
+                'name'            => self::CLIENT_NAME,
+                'redirect_uri'    => self::REDIRECT_URI,
                'is_confidential' => true,
            ],
        ];
@@ -34,18 +51,10 @@ class ClientRepository implements ClientRepositoryInterface
        }

        if (
-            $mustValidateSecret === true
-            && $clients[$clientIdentifier]['is_confidential'] === true
+            $clients[$clientIdentifier]['is_confidential'] === true
            && password_verify($clientSecret, $clients[$clientIdentifier]['secret']) === false
        ) {
            return;
        }
-
-        $client = new ClientEntity();
-        $client->setIdentifier($clientIdentifier);
-        $client->setName($clients[$clientIdentifier]['name']);
-        $client->setRedirectUri($clients[$clientIdentifier]['redirect_uri']);
-
-        return $client;
    }
 }
--- a/examples/src/Repositories/RefreshTokenRepository.php
+++ b/examples/src/Repositories/RefreshTokenRepository.php
@@ -18,7 +18,7 @@ class RefreshTokenRepository implements RefreshTokenRepositoryInterface
    /**
     * {@inheritdoc}
     */
-    public function persistNewRefreshToken(RefreshTokenEntityInterface $refreshTokenEntityInterface)
+    public function persistNewRefreshToken(RefreshTokenEntityInterface $refreshTokenEntity)
    {
        // Some logic to persist the refresh token in a database
    }
--- a/phpstan.neon
+++ b/phpstan.neon
@@ -1,8 +1,6 @@
 includes:
 	- vendor/phpstan/phpstan-phpunit/extension.neon
 	- vendor/phpstan/phpstan-phpunit/rules.neon
-	- vendor/phpstan/phpstan-phpunit/strictRules.neon
-	- vendor/phpstan/phpstan-strict-rules/rules.neon
 services:
 	-
 		class: LeagueTests\PHPStan\AbstractGrantExtension
--- a/src/AuthorizationServer.php
+++ b/src/AuthorizationServer.php
@@ -9,6 +9,7 @@

 namespace League\OAuth2\Server;

+use DateInterval;
 use Defuse\Crypto\Key;
 use League\Event\EmitterAwareInterface;
 use League\Event\EmitterAwareTrait;
@@ -34,7 +35,7 @@ class AuthorizationServer implements EmitterAwareInterface
    protected $enabledGrantTypes = [];

    /**
-     * @var \DateInterval[]
+     * @var DateInterval[]
     */
    protected $grantTypeAccessTokenTTL = [];

@@ -49,7 +50,7 @@ class AuthorizationServer implements EmitterAwareInterface
    protected $publicKey;

    /**
-     * @var null|ResponseTypeInterface
+     * @var ResponseTypeInterface
     */
    protected $responseType;

@@ -103,8 +104,16 @@ class AuthorizationServer implements EmitterAwareInterface
        if ($privateKey instanceof CryptKey === false) {
            $privateKey = new CryptKey($privateKey);
        }
+
        $this->privateKey = $privateKey;
        $this->encryptionKey = $encryptionKey;
+
+        if ($responseType === null) {
+            $responseType = new BearerTokenResponse();
+        } else {
+            $responseType = clone $responseType;
+        }
+
        $this->responseType = $responseType;
    }

@@ -112,12 +121,12 @@ class AuthorizationServer implements EmitterAwareInterface
     * Enable a grant type on the server.
     *
     * @param GrantTypeInterface $grantType
-     * @param null|\DateInterval $accessTokenTTL
+     * @param null|DateInterval  $accessTokenTTL
     */
-    public function enableGrantType(GrantTypeInterface $grantType, \DateInterval $accessTokenTTL = null)
+    public function enableGrantType(GrantTypeInterface $grantType, DateInterval $accessTokenTTL = null)
    {
-        if ($accessTokenTTL instanceof \DateInterval === false) {
-            $accessTokenTTL = new \DateInterval('PT1H');
+        if ($accessTokenTTL === null) {
+            $accessTokenTTL = new DateInterval('PT1H');
        }

        $grantType->setAccessTokenRepository($this->accessTokenRepository);
@@ -204,16 +213,15 @@ class AuthorizationServer implements EmitterAwareInterface
     */
    protected function getResponseType()
    {
-        if ($this->responseType instanceof ResponseTypeInterface === false) {
-            $this->responseType = new BearerTokenResponse();
+        $responseType = clone $this->responseType;
+
+        if ($responseType instanceof AbstractResponseType) {
+            $responseType->setPrivateKey($this->privateKey);
        }

-        if ($this->responseType instanceof AbstractResponseType === true) {
-            $this->responseType->setPrivateKey($this->privateKey);
-        }
-        $this->responseType->setEncryptionKey($this->encryptionKey);
+        $responseType->setEncryptionKey($this->encryptionKey);

-        return $this->responseType;
+        return $responseType;
    }

    /**
--- a/src/AuthorizationValidators/BearerTokenValidator.php
+++ b/src/AuthorizationValidators/BearerTokenValidator.php
@@ -9,6 +9,8 @@

 namespace League\OAuth2\Server\AuthorizationValidators;

+use BadMethodCallException;
+use InvalidArgumentException;
 use Lcobucci\JWT\Parser;
 use Lcobucci\JWT\Signer\Rsa\Sha256;
 use Lcobucci\JWT\ValidationData;
@@ -17,6 +19,7 @@ use League\OAuth2\Server\CryptTrait;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
 use Psr\Http\Message\ServerRequestInterface;
+use RuntimeException;

 class BearerTokenValidator implements AuthorizationValidatorInterface
 {
@@ -28,7 +31,7 @@ class BearerTokenValidator implements AuthorizationValidatorInterface
    private $accessTokenRepository;

    /**
-     * @var \League\OAuth2\Server\CryptKey
+     * @var CryptKey
     */
    protected $publicKey;

@@ -43,7 +46,7 @@ class BearerTokenValidator implements AuthorizationValidatorInterface
    /**
     * Set the public key
     *
-     * @param \League\OAuth2\Server\CryptKey $key
+     * @param CryptKey $key
     */
    public function setPublicKey(CryptKey $key)
    {
@@ -60,13 +63,17 @@ class BearerTokenValidator implements AuthorizationValidatorInterface
        }

        $header = $request->getHeader('authorization');
-        $jwt = trim(preg_replace('/^(?:\s+)?Bearer\s/', '', $header[0]));
+        $jwt = trim((string) preg_replace('/^(?:\s+)?Bearer\s/', '', $header[0]));

        try {
            // Attempt to parse and validate the JWT
            $token = (new Parser())->parse($jwt);
-            if ($token->verify(new Sha256(), $this->publicKey->getKeyPath()) === false) {
-                throw OAuthServerException::accessDenied('Access token could not be verified');
+            try {
+                if ($token->verify(new Sha256(), $this->publicKey->getKeyPath()) === false) {
+                    throw OAuthServerException::accessDenied('Access token could not be verified');
+                }
+            } catch (BadMethodCallException $exception) {
+                throw OAuthServerException::accessDenied('Access token is not signed', null, $exception);
            }

            // Ensure access token hasn't expired
@@ -88,12 +95,12 @@ class BearerTokenValidator implements AuthorizationValidatorInterface
                ->withAttribute('oauth_client_id', $token->getClaim('aud'))
                ->withAttribute('oauth_user_id', $token->getClaim('sub'))
                ->withAttribute('oauth_scopes', $token->getClaim('scopes'));
-        } catch (\InvalidArgumentException $exception) {
+        } catch (InvalidArgumentException $exception) {
            // JWT couldn't be parsed so return the request as is
-            throw OAuthServerException::accessDenied($exception->getMessage());
-        } catch (\RuntimeException $exception) {
+            throw OAuthServerException::accessDenied($exception->getMessage(), null, $exception);
+        } catch (RuntimeException $exception) {
            //JWR couldn't be parsed so return the request as is
-            throw OAuthServerException::accessDenied('Error while decoding to JSON');
+            throw OAuthServerException::accessDenied('Error while decoding to JSON', null, $exception);
        }
    }
 }
--- a/src/CodeChallengeVerifiers/CodeChallengeVerifierInterface.php
+++ b/src/CodeChallengeVerifiers/CodeChallengeVerifierInterface.php
@@ -0,0 +1,30 @@
+<?php
+/**
+ * @author      Lukáš Unger <lookymsc@gmail.com>
+ * @copyright   Copyright (c) Lukáš Unger
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\CodeChallengeVerifiers;
+
+interface CodeChallengeVerifierInterface
+{
+    /**
+     * Return code challenge method.
+     *
+     * @return string
+     */
+    public function getMethod();
+
+    /**
+     * Verify the code challenge.
+     *
+     * @param string $codeVerifier
+     * @param string $codeChallenge
+     *
+     * @return bool
+     */
+    public function verifyCodeChallenge($codeVerifier, $codeChallenge);
+}
--- a/src/CodeChallengeVerifiers/PlainVerifier.php
+++ b/src/CodeChallengeVerifiers/PlainVerifier.php
@@ -0,0 +1,36 @@
+<?php
+/**
+ * @author      Lukáš Unger <lookymsc@gmail.com>
+ * @copyright   Copyright (c) Lukáš Unger
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\CodeChallengeVerifiers;
+
+class PlainVerifier implements CodeChallengeVerifierInterface
+{
+    /**
+     * Return code challenge method.
+     *
+     * @return string
+     */
+    public function getMethod()
+    {
+        return 'plain';
+    }
+
+    /**
+     * Verify the code challenge.
+     *
+     * @param string $codeVerifier
+     * @param string $codeChallenge
+     *
+     * @return bool
+     */
+    public function verifyCodeChallenge($codeVerifier, $codeChallenge)
+    {
+        return hash_equals($codeVerifier, $codeChallenge);
+    }
+}
--- a/src/CodeChallengeVerifiers/S256Verifier.php
+++ b/src/CodeChallengeVerifiers/S256Verifier.php
@@ -0,0 +1,39 @@
+<?php
+/**
+ * @author      Lukáš Unger <lookymsc@gmail.com>
+ * @copyright   Copyright (c) Lukáš Unger
+ * @license     http://mit-license.org/
+ *
+ * @link        https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\CodeChallengeVerifiers;
+
+class S256Verifier implements CodeChallengeVerifierInterface
+{
+    /**
+     * Return code challenge method.
+     *
+     * @return string
+     */
+    public function getMethod()
+    {
+        return 'S256';
+    }
+
+    /**
+     * Verify the code challenge.
+     *
+     * @param string $codeVerifier
+     * @param string $codeChallenge
+     *
+     * @return bool
+     */
+    public function verifyCodeChallenge($codeVerifier, $codeChallenge)
+    {
+        return hash_equals(
+            strtr(rtrim(base64_encode(hash('sha256', $codeVerifier, true)), '='), '+/', '-_'),
+            $codeChallenge
+        );
+    }
+}
--- a/src/CryptKey.php
+++ b/src/CryptKey.php
@@ -11,6 +11,9 @@

 namespace League\OAuth2\Server;

+use LogicException;
+use RuntimeException;
+
 class CryptKey
 {
    const RSA_KEY_PATTERN =
@@ -42,13 +45,13 @@ class CryptKey
        }

        if (!file_exists($keyPath) || !is_readable($keyPath)) {
-            throw new \LogicException(sprintf('Key path "%s" does not exist or is not readable', $keyPath));
+            throw new LogicException(sprintf('Key path "%s" does not exist or is not readable', $keyPath));
        }

        if ($keyPermissionsCheck === true) {
            // Verify the permissions of the key
            $keyPathPerms = decoct(fileperms($keyPath) & 0777);
-            if (in_array($keyPathPerms, ['400', '440', '600', '660'], true) === false) {
+            if (in_array($keyPathPerms, ['400', '440', '600', '640', '660'], true) === false) {
                trigger_error(sprintf(
                    'Key file "%s" permissions are not correct, recommend changing to 600 or 660 instead of %s',
                    $keyPath,
@@ -64,7 +67,7 @@ class CryptKey
    /**
     * @param string $key
     *
-     * @throws \RuntimeException
+     * @throws RuntimeException
     *
     * @return string
     */
@@ -79,19 +82,19 @@ class CryptKey

        if (!touch($keyPath)) {
            // @codeCoverageIgnoreStart
-            throw new \RuntimeException(sprintf('"%s" key file could not be created', $keyPath));
+            throw new RuntimeException(sprintf('"%s" key file could not be created', $keyPath));
            // @codeCoverageIgnoreEnd
        }

        if (file_put_contents($keyPath, $key) === false) {
            // @codeCoverageIgnoreStart
-            throw new \RuntimeException(sprintf('Unable to write key file to temporary directory "%s"', $tmpDir));
+            throw new RuntimeException(sprintf('Unable to write key file to temporary directory "%s"', $tmpDir));
            // @codeCoverageIgnoreEnd
        }

        if (chmod($keyPath, 0600) === false) {
            // @codeCoverageIgnoreStart
-            throw new \RuntimeException(sprintf('The key file "%s" file mode could not be changed with chmod to 600', $keyPath));
+            throw new RuntimeException(sprintf('The key file "%s" file mode could not be changed with chmod to 600', $keyPath));
            // @codeCoverageIgnoreEnd
        }

--- a/src/CryptTrait.php
+++ b/src/CryptTrait.php
@@ -1,6 +1,6 @@
 <?php
 /**
- * Public/private key encryption.
+ * Encrypt/decrypt with encryptionKey.
 *
 * @author      Alex Bilbie <hello@alexbilbie.com>
 * @copyright   Copyright (c) Alex Bilbie
@@ -13,20 +13,22 @@ namespace League\OAuth2\Server;

 use Defuse\Crypto\Crypto;
 use Defuse\Crypto\Key;
+use Exception;
+use LogicException;

 trait CryptTrait
 {
    /**
-     * @var string|Key
+     * @var string|Key|null
     */
    protected $encryptionKey;

    /**
-     * Encrypt data with a private key.
+     * Encrypt data with encryptionKey.
     *
     * @param string $unencryptedData
     *
-     * @throws \LogicException
+     * @throws LogicException
     *
     * @return string
     */
@@ -37,18 +39,22 @@ trait CryptTrait
                return Crypto::encrypt($unencryptedData, $this->encryptionKey);
            }

-            return Crypto::encryptWithPassword($unencryptedData, $this->encryptionKey);
-        } catch (\Exception $e) {
-            throw new \LogicException($e->getMessage());
+            if (is_string($this->encryptionKey)) {
+                return Crypto::encryptWithPassword($unencryptedData, $this->encryptionKey);
+            }
+
+            throw new LogicException('Encryption key not set when attempting to encrypt');
+        } catch (Exception $e) {
+            throw new LogicException($e->getMessage(), 0, $e);
        }
    }

    /**
-     * Decrypt data with a public key.
+     * Decrypt data with encryptionKey.
     *
     * @param string $encryptedData
     *
-     * @throws \LogicException
+     * @throws LogicException
     *
     * @return string
     */
@@ -59,9 +65,13 @@ trait CryptTrait
                return Crypto::decrypt($encryptedData, $this->encryptionKey);
            }

-            return Crypto::decryptWithPassword($encryptedData, $this->encryptionKey);
-        } catch (\Exception $e) {
-            throw new \LogicException($e->getMessage());
+            if (is_string($this->encryptionKey)) {
+                return Crypto::decryptWithPassword($encryptedData, $this->encryptionKey);
+            }
+
+            throw new LogicException('Encryption key not set when attempting to decrypt');
+        } catch (Exception $e) {
+            throw new LogicException($e->getMessage(), 0, $e);
        }
    }

--- a/src/Entities/AccessTokenEntityInterface.php
+++ b/src/Entities/AccessTokenEntityInterface.php
@@ -9,17 +9,17 @@

 namespace League\OAuth2\Server\Entities;

-use Lcobucci\JWT\Token;
 use League\OAuth2\Server\CryptKey;

 interface AccessTokenEntityInterface extends TokenInterface
 {
    /**
-     * Generate a JWT from the access token
-     *
-     * @param CryptKey $privateKey
-     *
-     * @return Token
+     * Set a private key used to encrypt the access token.
     */
-    public function convertToJWT(CryptKey $privateKey);
+    public function setPrivateKey(CryptKey $privateKey);
+
+    /**
+     * Generate a string representation of the access token.
+     */
+    public function __toString();
 }
--- a/src/Entities/ClientEntityInterface.php
+++ b/src/Entities/ClientEntityInterface.php
@@ -33,4 +33,11 @@ interface ClientEntityInterface
     * @return string|string[]
     */
    public function getRedirectUri();
+
+    /**
+     * Returns true if the client is confidential.
+     *
+     * @return bool
+     */
+    public function isConfidential();
 }
--- a/src/Entities/RefreshTokenEntityInterface.php
+++ b/src/Entities/RefreshTokenEntityInterface.php
@@ -9,6 +9,8 @@

 namespace League\OAuth2\Server\Entities;

+use DateTimeImmutable;
+
 interface RefreshTokenEntityInterface
 {
    /**
@@ -28,16 +30,16 @@ interface RefreshTokenEntityInterface
    /**
     * Get the token's expiry date time.
     *
-     * @return \DateTime
+     * @return DateTimeImmutable
     */
    public function getExpiryDateTime();

    /**
     * Set the date time when the token expires.
     *
-     * @param \DateTime $dateTime
+     * @param DateTimeImmutable $dateTime
     */
-    public function setExpiryDateTime(\DateTime $dateTime);
+    public function setExpiryDateTime(DateTimeImmutable $dateTime);

    /**
     * Set the access token that the refresh token was associated with.
--- a/src/Entities/ScopeEntityInterface.php
+++ b/src/Entities/ScopeEntityInterface.php
@@ -9,7 +9,9 @@

 namespace League\OAuth2\Server\Entities;

-interface ScopeEntityInterface extends \JsonSerializable
+use JsonSerializable;
+
+interface ScopeEntityInterface extends JsonSerializable
 {
    /**
     * Get the scope's identifier.
--- a/src/Entities/TokenInterface.php
+++ b/src/Entities/TokenInterface.php
@@ -9,6 +9,8 @@

 namespace League\OAuth2\Server\Entities;

+use DateTimeImmutable;
+
 interface TokenInterface
 {
    /**
@@ -28,16 +30,16 @@ interface TokenInterface
    /**
     * Get the token's expiry date time.
     *
-     * @return \DateTime
+     * @return DateTimeImmutable
     */
    public function getExpiryDateTime();

    /**
     * Set the date time when the token expires.
     *
-     * @param \DateTime $dateTime
+     * @param DateTimeImmutable $dateTime
     */
-    public function setExpiryDateTime(\DateTime $dateTime);
+    public function setExpiryDateTime(DateTimeImmutable $dateTime);

    /**
     * Set the identifier of the user associated with the token.
--- a/src/Entities/Traits/AccessTokenTrait.php
+++ b/src/Entities/Traits/AccessTokenTrait.php
@@ -9,6 +9,7 @@

 namespace League\OAuth2\Server\Entities\Traits;

+use DateTimeImmutable;
 use Lcobucci\JWT\Builder;
 use Lcobucci\JWT\Signer\Key;
 use Lcobucci\JWT\Signer\Rsa\Sha256;
@@ -19,6 +20,19 @@ use League\OAuth2\Server\Entities\ScopeEntityInterface;

 trait AccessTokenTrait
 {
+    /**
+     * @var CryptKey
+     */
+    private $privateKey;
+
+    /**
+     * Set the private key used to encrypt this access token.
+     */
+    public function setPrivateKey(CryptKey $privateKey)
+    {
+        $this->privateKey = $privateKey;
+    }
+
    /**
     * Generate a JWT from the access token
     *
@@ -26,27 +40,35 @@ trait AccessTokenTrait
     *
     * @return Token
     */
-    public function convertToJWT(CryptKey $privateKey)
+    private function convertToJWT(CryptKey $privateKey)
    {
        return (new Builder())
            ->setAudience($this->getClient()->getIdentifier())
-            ->setId($this->getIdentifier(), true)
+            ->setId($this->getIdentifier())
            ->setIssuedAt(time())
            ->setNotBefore(time())
            ->setExpiration($this->getExpiryDateTime()->getTimestamp())
-            ->setSubject($this->getUserIdentifier())
+            ->setSubject((string) $this->getUserIdentifier())
            ->set('scopes', $this->getScopes())
            ->sign(new Sha256(), new Key($privateKey->getKeyPath(), $privateKey->getPassPhrase()))
            ->getToken();
    }

+    /**
+     * Generate a string representation from the access token
+     */
+    public function __toString()
+    {
+        return (string) $this->convertToJWT($this->privateKey);
+    }
+
    /**
     * @return ClientEntityInterface
     */
    abstract public function getClient();

    /**
-     * @return \DateTime
+     * @return DateTimeImmutable
     */
    abstract public function getExpiryDateTime();

--- a/src/Entities/Traits/ClientTrait.php
+++ b/src/Entities/Traits/ClientTrait.php
@@ -21,6 +21,11 @@ trait ClientTrait
     */
    protected $redirectUri;

+    /**
+     * @var bool
+     */
+    protected $isConfidential = false;
+
    /**
     * Get the client's name.
     *
@@ -43,4 +48,14 @@ trait ClientTrait
    {
        return $this->redirectUri;
    }
+
+    /**
+     * Returns true if the client is confidential.
+     *
+     * @return bool
+     */
+    public function isConfidential()
+    {
+        return $this->isConfidential;
+    }
 }
--- a/src/Entities/Traits/RefreshTokenTrait.php
+++ b/src/Entities/Traits/RefreshTokenTrait.php
@@ -9,6 +9,7 @@

 namespace League\OAuth2\Server\Entities\Traits;

+use DateTimeImmutable;
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;

 trait RefreshTokenTrait
@@ -19,7 +20,7 @@ trait RefreshTokenTrait
    protected $accessToken;

    /**
-     * @var \DateTime
+     * @var DateTimeImmutable
     */
    protected $expiryDateTime;

@@ -42,7 +43,7 @@ trait RefreshTokenTrait
    /**
     * Get the token's expiry date time.
     *
-     * @return \DateTime
+     * @return DateTimeImmutable
     */
    public function getExpiryDateTime()
    {
@@ -52,9 +53,9 @@ trait RefreshTokenTrait
    /**
     * Set the date time when the token expires.
     *
-     * @param \DateTime $dateTime
+     * @param DateTimeImmutable $dateTime
     */
-    public function setExpiryDateTime(\DateTime $dateTime)
+    public function setExpiryDateTime(DateTimeImmutable $dateTime)
    {
        $this->expiryDateTime = $dateTime;
    }
--- a/src/Entities/Traits/ScopeTrait.php
+++ b/src/Entities/Traits/ScopeTrait.php
@@ -0,0 +1,28 @@
+<?php
+/**
+ * @author    Andrew Millington <andrew@noexceptions.io>
+ * @copyright Copyright (c) Andrew Millington
+ * @license   http://mit-license.org
+ *
+ * @link      https://github.com/thephpleague/oauth2-server
+ */
+
+namespace League\OAuth2\Server\Entities\Traits;
+
+trait ScopeTrait
+{
+    /**
+     * Serialize the object to the scopes string identifier when using json_encode().
+     *
+     * @return string
+     */
+    public function jsonSerialize()
+    {
+        return $this->getIdentifier();
+    }
+
+    /**
+     * @return string
+     */
+    abstract public function getIdentifier();
+}
--- a/src/Entities/Traits/TokenEntityTrait.php
+++ b/src/Entities/Traits/TokenEntityTrait.php
@@ -9,6 +9,7 @@

 namespace League\OAuth2\Server\Entities\Traits;

+use DateTimeImmutable;
 use League\OAuth2\Server\Entities\ClientEntityInterface;
 use League\OAuth2\Server\Entities\ScopeEntityInterface;

@@ -20,7 +21,7 @@ trait TokenEntityTrait
    protected $scopes = [];

    /**
-     * @var \DateTime
+     * @var DateTimeImmutable
     */
    protected $expiryDateTime;

@@ -57,7 +58,7 @@ trait TokenEntityTrait
    /**
     * Get the token's expiry date time.
     *
-     * @return \DateTime
+     * @return DateTimeImmutable
     */
    public function getExpiryDateTime()
    {
@@ -67,9 +68,9 @@ trait TokenEntityTrait
    /**
     * Set the date time when the token expires.
     *
-     * @param \DateTime $dateTime
+     * @param DateTimeImmutable $dateTime
     */
-    public function setExpiryDateTime(\DateTime $dateTime)
+    public function setExpiryDateTime(DateTimeImmutable $dateTime)
    {
        $this->expiryDateTime = $dateTime;
    }
--- a/src/Exception/OAuthServerException.php
+++ b/src/Exception/OAuthServerException.php
@@ -9,9 +9,12 @@

 namespace League\OAuth2\Server\Exception;

+use Exception;
 use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Throwable;

-class OAuthServerException extends \Exception
+class OAuthServerException extends Exception
 {
    /**
     * @var int
@@ -38,6 +41,11 @@ class OAuthServerException extends \Exception
     */
    private $payload;

+    /**
+     * @var ServerRequestInterface
+     */
+    private $serverRequest;
+
    /**
     * Throw a new exception.
     *
@@ -47,17 +55,18 @@ class OAuthServerException extends \Exception
     * @param int         $httpStatusCode HTTP status code to send (default = 400)
     * @param null|string $hint           A helper hint
     * @param null|string $redirectUri    A HTTP URI to redirect the user back to
+     * @param Throwable   $previous       Previous exception
     */
-    public function __construct($message, $code, $errorType, $httpStatusCode = 400, $hint = null, $redirectUri = null)
+    public function __construct($message, $code, $errorType, $httpStatusCode = 400, $hint = null, $redirectUri = null, Throwable $previous = null)
    {
-        parent::__construct($message, $code);
+        parent::__construct($message, $code, $previous);
        $this->httpStatusCode = $httpStatusCode;
        $this->errorType = $errorType;
        $this->hint = $hint;
        $this->redirectUri = $redirectUri;
        $this->payload = [
-            'error'   => $errorType,
-            'message' => $message,
+            'error'             => $errorType,
+            'error_description' => $message,
        ];
        if ($hint !== null) {
            $this->payload['hint'] = $hint;
@@ -71,7 +80,15 @@ class OAuthServerException extends \Exception
     */
    public function getPayload()
    {
-        return $this->payload;
+        $payload = $this->payload;
+
+        // The "message" property is deprecated and replaced by "error_description"
+        // TODO: remove "message" property
+        if (isset($payload['error_description']) && !isset($payload['message'])) {
+            $payload['message'] = $payload['error_description'];
+        }
+
+        return $payload;
    }

    /**
@@ -84,6 +101,16 @@ class OAuthServerException extends \Exception
        $this->payload = $payload;
    }

+    /**
+     * Set the server request that is responsible for generating the exception
+     *
+     * @param ServerRequestInterface $serverRequest
+     */
+    public function setServerRequest(ServerRequestInterface $serverRequest)
+    {
+        $this->serverRequest = $serverRequest;
+    }
+
    /**
     * Unsupported grant type error.
     *
@@ -102,28 +129,33 @@ class OAuthServerException extends \Exception
     *
     * @param string      $parameter The invalid parameter
     * @param null|string $hint
+     * @param Throwable   $previous  Previous exception
     *
     * @return static
     */
-    public static function invalidRequest($parameter, $hint = null)
+    public static function invalidRequest($parameter, $hint = null, Throwable $previous = null)
    {
        $errorMessage = 'The request is missing a required parameter, includes an invalid parameter value, ' .
            'includes a parameter more than once, or is otherwise malformed.';
        $hint = ($hint === null) ? sprintf('Check the `%s` parameter', $parameter) : $hint;

-        return new static($errorMessage, 3, 'invalid_request', 400, $hint);
+        return new static($errorMessage, 3, 'invalid_request', 400, $hint, null, $previous);
    }

    /**
     * Invalid client error.
     *
+     * @param ServerRequestInterface $serverRequest
+     *
     * @return static
     */
-    public static function invalidClient()
+    public static function invalidClient(ServerRequestInterface $serverRequest)
    {
-        $errorMessage = 'Client authentication failed';
+        $exception = new static('Client authentication failed', 4, 'invalid_client', 401);

-        return new static($errorMessage, 4, 'invalid_client', 401);
+        $exception->setServerRequest($serverRequest);
+
+        return $exception;
    }

    /**
@@ -163,20 +195,24 @@ class OAuthServerException extends \Exception
    /**
     * Server error.
     *
-     * @param string $hint
+     * @param string    $hint
+     * @param Throwable $previous
     *
     * @return static
     *
     * @codeCoverageIgnore
     */
-    public static function serverError($hint)
+    public static function serverError($hint, Throwable $previous = null)
    {
        return new static(
            'The authorization server encountered an unexpected condition which prevented it from fulfilling'
            . ' the request: ' . $hint,
            7,
            'server_error',
-            500
+            500,
+            null,
+            null,
+            $previous
        );
    }

@@ -184,12 +220,13 @@ class OAuthServerException extends \Exception
     * Invalid refresh token.
     *
     * @param null|string $hint
+     * @param Throwable   $previous
     *
     * @return static
     */
-    public static function invalidRefreshToken($hint = null)
+    public static function invalidRefreshToken($hint = null, Throwable $previous = null)
    {
-        return new static('The refresh token is invalid.', 8, 'invalid_request', 401, $hint);
+        return new static('The refresh token is invalid.', 8, 'invalid_request', 401, $hint, null, $previous);
    }

    /**
@@ -197,10 +234,11 @@ class OAuthServerException extends \Exception
     *
     * @param null|string $hint
     * @param null|string $redirectUri
+     * @param Throwable   $previous
     *
     * @return static
     */
-    public static function accessDenied($hint = null, $redirectUri = null)
+    public static function accessDenied($hint = null, $redirectUri = null, Throwable $previous = null)
    {
        return new static(
            'The resource owner or authorization server denied the request.',
@@ -208,7 +246,8 @@ class OAuthServerException extends \Exception
            'access_denied',
            401,
            $hint,
-            $redirectUri
+            $redirectUri,
+            $previous
        );
    }

@@ -269,7 +308,9 @@ class OAuthServerException extends \Exception
            $response = $response->withHeader($header, $content);
        }

-        $response->getBody()->write(json_encode($payload, $jsonOptions));
+        $responseBody = json_encode($payload, $jsonOptions) ?: 'JSON encoding of payload failed';
+
+        $response->getBody()->write($responseBody);

        return $response->withStatus($this->getHttpStatusCode());
    }
@@ -294,8 +335,8 @@ class OAuthServerException extends \Exception
        // include the "WWW-Authenticate" response header field
        // matching the authentication scheme used by the client.
        // @codeCoverageIgnoreStart
-        if ($this->errorType === 'invalid_client' && array_key_exists('HTTP_AUTHORIZATION', $_SERVER) !== false) {
-            $authScheme = strpos($_SERVER['HTTP_AUTHORIZATION'], 'Bearer') === 0 ? 'Bearer' : 'Basic';
+        if ($this->errorType === 'invalid_client' && $this->serverRequest->hasHeader('Authorization') === true) {
+            $authScheme = strpos($this->serverRequest->getHeader('Authorization')[0], 'Bearer') === 0 ? 'Bearer' : 'Basic';

            $headers['WWW-Authenticate'] = $authScheme . ' realm="OAuth"';
        }
@@ -303,6 +344,21 @@ class OAuthServerException extends \Exception
        return $headers;
    }

+    /**
+     * Check if the exception has an associated redirect URI.
+     *
+     * Returns whether the exception includes a redirect, since
+     * getHttpStatusCode() doesn't return a 302 when there's a
+     * redirect enabled. This helps when you want to override local
+     * error pages but want to let redirects through.
+     *
+     * @return bool
+     */
+    public function hasRedirect()
+    {
+        return $this->redirectUri !== null;
+    }
+
    /**
     * Returns the HTTP status code to send when the exceptions is output.
     *
--- a/src/Exception/UniqueTokenIdentifierConstraintViolationException.php
+++ b/src/Exception/UniqueTokenIdentifierConstraintViolationException.php
@@ -11,6 +11,9 @@ namespace League\OAuth2\Server\Exception;

 class UniqueTokenIdentifierConstraintViolationException extends OAuthServerException
 {
+    /**
+     * @return UniqueTokenIdentifierConstraintViolationException
+     */
    public static function create()
    {
        $errorMessage = 'Could not create unique access token identifier';
--- a/src/Grant/AbstractGrant.php
+++ b/src/Grant/AbstractGrant.php
@@ -10,6 +10,10 @@
 */
 namespace League\OAuth2\Server\Grant;

+use DateInterval;
+use DateTimeImmutable;
+use Error;
+use Exception;
 use League\Event\EmitterAwareTrait;
 use League\OAuth2\Server\CryptKey;
 use League\OAuth2\Server\CryptTrait;
@@ -28,7 +32,9 @@ use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
 use League\OAuth2\Server\Repositories\UserRepositoryInterface;
 use League\OAuth2\Server\RequestEvent;
 use League\OAuth2\Server\RequestTypes\AuthorizationRequest;
+use LogicException;
 use Psr\Http\Message\ServerRequestInterface;
+use TypeError;

 /**
 * Abstract grant class.
@@ -72,12 +78,12 @@ abstract class AbstractGrant implements GrantTypeInterface
    protected $userRepository;

    /**
-     * @var \DateInterval
+     * @var DateInterval
     */
    protected $refreshTokenTTL;

    /**
-     * @var \League\OAuth2\Server\CryptKey
+     * @var CryptKey
     */
    protected $privateKey;

@@ -137,7 +143,7 @@ abstract class AbstractGrant implements GrantTypeInterface
    /**
     * {@inheritdoc}
     */
-    public function setRefreshTokenTTL(\DateInterval $refreshTokenTTL)
+    public function setRefreshTokenTTL(DateInterval $refreshTokenTTL)
    {
        $this->refreshTokenTTL = $refreshTokenTTL;
    }
@@ -145,7 +151,7 @@ abstract class AbstractGrant implements GrantTypeInterface
    /**
     * Set the private key
     *
-     * @param \League\OAuth2\Server\CryptKey $key
+     * @param CryptKey $key
     */
    public function setPrivateKey(CryptKey $key)
    {
@@ -171,54 +177,109 @@ abstract class AbstractGrant implements GrantTypeInterface
     */
    protected function validateClient(ServerRequestInterface $request)
    {
-        list($basicAuthUser, $basicAuthPassword) = $this->getBasicAuthCredentials($request);
+        list($clientId, $clientSecret) = $this->getClientCredentials($request);

-        $clientId = $this->getRequestParameter('client_id', $request, $basicAuthUser);
-        if (is_null($clientId)) {
-            throw OAuthServerException::invalidRequest('client_id');
-        }
-
-        // If the client is confidential require the client secret
-        $clientSecret = $this->getRequestParameter('client_secret', $request, $basicAuthPassword);
-
-        $client = $this->clientRepository->getClientEntity(
-            $clientId,
-            $this->getIdentifier(),
-            $clientSecret,
-            true
-        );
-
-        if ($client instanceof ClientEntityInterface === false) {
+        if ($this->clientRepository->validateClient($clientId, $clientSecret, $this->getIdentifier()) === false) {
            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
-            throw OAuthServerException::invalidClient();
+
+            throw OAuthServerException::invalidClient($request);
        }

+        $client = $this->getClientEntityOrFail($clientId, $request);
+
        // If a redirect URI is provided ensure it matches what is pre-registered
        $redirectUri = $this->getRequestParameter('redirect_uri', $request, null);
+
        if ($redirectUri !== null) {
-            if (
-                is_string($client->getRedirectUri())
-                && (strcmp($client->getRedirectUri(), $redirectUri) !== 0)
-            ) {
-                $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
-                throw OAuthServerException::invalidClient();
-            } elseif (
-                is_array($client->getRedirectUri())
-                && in_array($redirectUri, $client->getRedirectUri(), true) === false
-            ) {
-                $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
-                throw OAuthServerException::invalidClient();
-            }
+            $this->validateRedirectUri($redirectUri, $client, $request);
        }

        return $client;
    }

+    /**
+     * Wrapper around ClientRepository::getClientEntity() that ensures we emit
+     * an event and throw an exception if the repo doesn't return a client
+     * entity.
+     *
+     * This is a bit of defensive coding because the interface contract
+     * doesn't actually enforce non-null returns/exception-on-no-client so
+     * getClientEntity might return null. By contrast, this method will
+     * always either return a ClientEntityInterface or throw.
+     *
+     * @param string                 $clientId
+     * @param ServerRequestInterface $request
+     *
+     * @return ClientEntityInterface
+     */
+    protected function getClientEntityOrFail($clientId, ServerRequestInterface $request)
+    {
+        $client = $this->clientRepository->getClientEntity($clientId);
+
+        if ($client instanceof ClientEntityInterface === false) {
+            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
+            throw OAuthServerException::invalidClient($request);
+        }
+
+        return $client;
+    }
+
+    /**
+     * Gets the client credentials from the request from the request body or
+     * the Http Basic Authorization header
+     *
+     * @param ServerRequestInterface $request
+     *
+     * @return array
+     */
+    protected function getClientCredentials(ServerRequestInterface $request)
+    {
+        list($basicAuthUser, $basicAuthPassword) = $this->getBasicAuthCredentials($request);
+
+        $clientId = $this->getRequestParameter('client_id', $request, $basicAuthUser);
+
+        if (is_null($clientId)) {
+            throw OAuthServerException::invalidRequest('client_id');
+        }
+
+        $clientSecret = $this->getRequestParameter('client_secret', $request, $basicAuthPassword);
+
+        return [$clientId, $clientSecret];
+    }
+
+    /**
+     * Validate redirectUri from the request.
+     * If a redirect URI is provided ensure it matches what is pre-registered
+     *
+     * @param string                 $redirectUri
+     * @param ClientEntityInterface  $client
+     * @param ServerRequestInterface $request
+     *
+     * @throws OAuthServerException
+     */
+    protected function validateRedirectUri(
+        string $redirectUri,
+        ClientEntityInterface $client,
+        ServerRequestInterface $request
+    ) {
+        if (\is_string($client->getRedirectUri())
+            && (strcmp($client->getRedirectUri(), $redirectUri) !== 0)
+        ) {
+            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
+            throw OAuthServerException::invalidClient($request);
+        } elseif (\is_array($client->getRedirectUri())
+            && \in_array($redirectUri, $client->getRedirectUri(), true) === false
+        ) {
+            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
+            throw OAuthServerException::invalidClient($request);
+        }
+    }
+
    /**
     * Validate scopes in the request.
     *
-     * @param string $scopes
-     * @param string $redirectUri
+     * @param string|array $scopes
+     * @param string       $redirectUri
     *
     * @throws OAuthServerException
     *
@@ -226,13 +287,13 @@ abstract class AbstractGrant implements GrantTypeInterface
     */
    public function validateScopes($scopes, $redirectUri = null)
    {
-        $scopesList = array_filter(explode(self::SCOPE_DELIMITER_STRING, trim($scopes)), function ($scope) {
-            return !empty($scope);
-        });
+        if (!\is_array($scopes)) {
+            $scopes = $this->convertScopesQueryStringToArray($scopes);
+        }

        $validScopes = [];

-        foreach ($scopesList as $scopeItem) {
+        foreach ($scopes as $scopeItem) {
            $scope = $this->scopeRepository->getScopeEntityByIdentifier($scopeItem);

            if ($scope instanceof ScopeEntityInterface === false) {
@@ -245,6 +306,20 @@ abstract class AbstractGrant implements GrantTypeInterface
        return $validScopes;
    }

+    /**
+     * Converts a scopes query string to an array to easily iterate for validation.
+     *
+     * @param string $scopes
+     *
+     * @return array
+     */
+    private function convertScopesQueryStringToArray($scopes)
+    {
+        return array_filter(explode(self::SCOPE_DELIMITER_STRING, trim($scopes)), function ($scope) {
+            return !empty($scope);
+        });
+    }
+
    /**
     * Retrieve request parameter.
     *
@@ -258,7 +333,7 @@ abstract class AbstractGrant implements GrantTypeInterface
    {
        $requestParameters = (array) $request->getParsedBody();

-        return isset($requestParameters[$parameter]) ? $requestParameters[$parameter] : $default;
+        return $requestParameters[$parameter] ?? $default;
    }

    /**
@@ -339,7 +414,7 @@ abstract class AbstractGrant implements GrantTypeInterface
    /**
     * Issue an access token.
     *
-     * @param \DateInterval          $accessTokenTTL
+     * @param DateInterval           $accessTokenTTL
     * @param ClientEntityInterface  $client
     * @param string|null            $userIdentifier
     * @param ScopeEntityInterface[] $scopes
@@ -350,7 +425,7 @@ abstract class AbstractGrant implements GrantTypeInterface
     * @return AccessTokenEntityInterface
     */
    protected function issueAccessToken(
-        \DateInterval $accessTokenTTL,
+        DateInterval $accessTokenTTL,
        ClientEntityInterface $client,
        $userIdentifier,
        array $scopes = []
@@ -358,13 +433,8 @@ abstract class AbstractGrant implements GrantTypeInterface
        $maxGenerationAttempts = self::MAX_RANDOM_TOKEN_GENERATION_ATTEMPTS;

        $accessToken = $this->accessTokenRepository->getNewToken($client, $scopes, $userIdentifier);
-        $accessToken->setClient($client);
-        $accessToken->setUserIdentifier($userIdentifier);
-        $accessToken->setExpiryDateTime((new \DateTime())->add($accessTokenTTL));
-
-        foreach ($scopes as $scope) {
-            $accessToken->addScope($scope);
-        }
+        $accessToken->setExpiryDateTime((new DateTimeImmutable())->add($accessTokenTTL));
+        $accessToken->setPrivateKey($this->privateKey);

        while ($maxGenerationAttempts-- > 0) {
            $accessToken->setIdentifier($this->generateUniqueIdentifier());
@@ -383,7 +453,7 @@ abstract class AbstractGrant implements GrantTypeInterface
    /**
     * Issue an auth code.
     *
-     * @param \DateInterval          $authCodeTTL
+     * @param DateInterval           $authCodeTTL
     * @param ClientEntityInterface  $client
     * @param string                 $userIdentifier
     * @param string|null            $redirectUri
@@ -395,7 +465,7 @@ abstract class AbstractGrant implements GrantTypeInterface
     * @return AuthCodeEntityInterface
     */
    protected function issueAuthCode(
-        \DateInterval $authCodeTTL,
+        DateInterval $authCodeTTL,
        ClientEntityInterface $client,
        $userIdentifier,
        $redirectUri,
@@ -404,7 +474,7 @@ abstract class AbstractGrant implements GrantTypeInterface
        $maxGenerationAttempts = self::MAX_RANDOM_TOKEN_GENERATION_ATTEMPTS;

        $authCode = $this->authCodeRepository->getNewAuthCode();
-        $authCode->setExpiryDateTime((new \DateTime())->add($authCodeTTL));
+        $authCode->setExpiryDateTime((new DateTimeImmutable())->add($authCodeTTL));
        $authCode->setClient($client);
        $authCode->setUserIdentifier($userIdentifier);

@@ -436,16 +506,21 @@ abstract class AbstractGrant implements GrantTypeInterface
     * @throws OAuthServerException
     * @throws UniqueTokenIdentifierConstraintViolationException
     *
-     * @return RefreshTokenEntityInterface
+     * @return RefreshTokenEntityInterface|null
     */
    protected function issueRefreshToken(AccessTokenEntityInterface $accessToken)
    {
-        $maxGenerationAttempts = self::MAX_RANDOM_TOKEN_GENERATION_ATTEMPTS;
-
        $refreshToken = $this->refreshTokenRepository->getNewRefreshToken();
-        $refreshToken->setExpiryDateTime((new \DateTime())->add($this->refreshTokenTTL));
+
+        if ($refreshToken === null) {
+            return null;
+        }
+
+        $refreshToken->setExpiryDateTime((new DateTimeImmutable())->add($this->refreshTokenTTL));
        $refreshToken->setAccessToken($accessToken);

+        $maxGenerationAttempts = self::MAX_RANDOM_TOKEN_GENERATION_ATTEMPTS;
+
        while ($maxGenerationAttempts-- > 0) {
            $refreshToken->setIdentifier($this->generateUniqueIdentifier());
            try {
@@ -474,13 +549,13 @@ abstract class AbstractGrant implements GrantTypeInterface
        try {
            return bin2hex(random_bytes($length));
            // @codeCoverageIgnoreStart
-        } catch (\TypeError $e) {
-            throw OAuthServerException::serverError('An unexpected error has occurred');
-        } catch (\Error $e) {
-            throw OAuthServerException::serverError('An unexpected error has occurred');
-        } catch (\Exception $e) {
+        } catch (TypeError $e) {
+            throw OAuthServerException::serverError('An unexpected error has occurred', $e);
+        } catch (Error $e) {
+            throw OAuthServerException::serverError('An unexpected error has occurred', $e);
+        } catch (Exception $e) {
            // If you get this message, the CSPRNG failed hard.
-            throw OAuthServerException::serverError('Could not generate a random string');
+            throw OAuthServerException::serverError('Could not generate a random string', $e);
        }
        // @codeCoverageIgnoreEnd
    }
@@ -511,7 +586,7 @@ abstract class AbstractGrant implements GrantTypeInterface
     */
    public function validateAuthorizationRequest(ServerRequestInterface $request)
    {
-        throw new \LogicException('This grant cannot validate an authorization request');
+        throw new LogicException('This grant cannot validate an authorization request');
    }

    /**
@@ -519,6 +594,6 @@ abstract class AbstractGrant implements GrantTypeInterface
     */
    public function completeAuthorizationRequest(AuthorizationRequest $authorizationRequest)
    {
-        throw new \LogicException('This grant cannot complete an authorization request');
+        throw new LogicException('This grant cannot complete an authorization request');
    }
 }
--- a/src/Grant/AuthCodeGrant.php
+++ b/src/Grant/AuthCodeGrant.php
@@ -9,8 +9,13 @@

 namespace League\OAuth2\Server\Grant;

+use DateInterval;
+use DateTimeImmutable;
+use Exception;
+use League\OAuth2\Server\CodeChallengeVerifiers\CodeChallengeVerifierInterface;
+use League\OAuth2\Server\CodeChallengeVerifiers\PlainVerifier;
+use League\OAuth2\Server\CodeChallengeVerifiers\S256Verifier;
 use League\OAuth2\Server\Entities\ClientEntityInterface;
-use League\OAuth2\Server\Entities\ScopeEntityInterface;
 use League\OAuth2\Server\Entities\UserEntityInterface;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface;
@@ -19,39 +24,59 @@ use League\OAuth2\Server\RequestEvent;
 use League\OAuth2\Server\RequestTypes\AuthorizationRequest;
 use League\OAuth2\Server\ResponseTypes\RedirectResponse;
 use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
+use LogicException;
 use Psr\Http\Message\ServerRequestInterface;
+use stdClass;

 class AuthCodeGrant extends AbstractAuthorizeGrant
 {
    /**
-     * @var \DateInterval
+     * @var DateInterval
     */
    private $authCodeTTL;

    /**
     * @var bool
     */
-    private $enableCodeExchangeProof = false;
+    private $requireCodeChallengeForPublicClients = true;
+
+    /**
+     * @var CodeChallengeVerifierInterface[]
+     */
+    private $codeChallengeVerifiers = [];

    /**
     * @param AuthCodeRepositoryInterface     $authCodeRepository
     * @param RefreshTokenRepositoryInterface $refreshTokenRepository
-     * @param \DateInterval                   $authCodeTTL
+     * @param DateInterval                    $authCodeTTL
+     *
+     * @throws Exception
     */
    public function __construct(
        AuthCodeRepositoryInterface $authCodeRepository,
        RefreshTokenRepositoryInterface $refreshTokenRepository,
-        \DateInterval $authCodeTTL
+        DateInterval $authCodeTTL
    ) {
        $this->setAuthCodeRepository($authCodeRepository);
        $this->setRefreshTokenRepository($refreshTokenRepository);
        $this->authCodeTTL = $authCodeTTL;
-        $this->refreshTokenTTL = new \DateInterval('P1M');
+        $this->refreshTokenTTL = new DateInterval('P1M');
+
+        if (in_array('sha256', hash_algos(), true)) {
+            $s256Verifier = new S256Verifier();
+            $this->codeChallengeVerifiers[$s256Verifier->getMethod()] = $s256Verifier;
+        }
+
+        $plainVerifier = new PlainVerifier();
+        $this->codeChallengeVerifiers[$plainVerifier->getMethod()] = $plainVerifier;
    }

-    public function enableCodeExchangeProof()
+    /**
+     * Disable the requirement for a code challenge for public clients.
+     */
+    public function disableRequireCodeChallengeForPublicClients()
    {
-        $this->enableCodeExchangeProof = true;
+        $this->requireCodeChallengeForPublicClients = false;
    }

    /**
@@ -59,7 +84,7 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
     *
     * @param ServerRequestInterface $request
     * @param ResponseTypeInterface  $responseType
-     * @param \DateInterval          $accessTokenTTL
+     * @param DateInterval           $accessTokenTTL
     *
     * @throws OAuthServerException
     *
@@ -68,68 +93,42 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
    public function respondToAccessTokenRequest(
        ServerRequestInterface $request,
        ResponseTypeInterface $responseType,
-        \DateInterval $accessTokenTTL
+        DateInterval $accessTokenTTL
    ) {
-        // Validate request
-        $client = $this->validateClient($request);
+        list($clientId) = $this->getClientCredentials($request);
+
+        $client = $this->getClientEntityOrFail($clientId, $request);
+
+        // Only validate the client if it is confidential
+        if ($client->isConfidential()) {
+            $this->validateClient($request);
+        }
+
        $encryptedAuthCode = $this->getRequestParameter('code', $request, null);

        if ($encryptedAuthCode === null) {
            throw OAuthServerException::invalidRequest('code');
        }

-        // Validate the authorization code
        try {
            $authCodePayload = json_decode($this->decrypt($encryptedAuthCode));
-            if (time() > $authCodePayload->expire_time) {
-                throw OAuthServerException::invalidRequest('code', 'Authorization code has expired');
-            }

-            if ($this->authCodeRepository->isAuthCodeRevoked($authCodePayload->auth_code_id) === true) {
-                throw OAuthServerException::invalidRequest('code', 'Authorization code has been revoked');
-            }
+            $this->validateAuthorizationCode($authCodePayload, $client, $request);

-            if ($authCodePayload->client_id !== $client->getIdentifier()) {
-                throw OAuthServerException::invalidRequest('code', 'Authorization code was not issued to this client');
-            }
-
-            // The redirect URI is required in this request
-            $redirectUri = $this->getRequestParameter('redirect_uri', $request, null);
-            if (empty($authCodePayload->redirect_uri) === false && $redirectUri === null) {
-                throw OAuthServerException::invalidRequest('redirect_uri');
-            }
-
-            if ($authCodePayload->redirect_uri !== $redirectUri) {
-                throw OAuthServerException::invalidRequest('redirect_uri', 'Invalid redirect URI');
-            }
-
-            $scopes = [];
-            foreach ($authCodePayload->scopes as $scopeId) {
-                $scope = $this->scopeRepository->getScopeEntityByIdentifier($scopeId);
-
-                if ($scope instanceof ScopeEntityInterface === false) {
-                    // @codeCoverageIgnoreStart
-                    throw OAuthServerException::invalidScope($scopeId);
-                    // @codeCoverageIgnoreEnd
-                }
-
-                $scopes[] = $scope;
-            }
-
-            // Finalize the requested scopes
            $scopes = $this->scopeRepository->finalizeScopes(
-                $scopes,
+                $this->validateScopes($authCodePayload->scopes),
                $this->getIdentifier(),
                $client,
                $authCodePayload->user_id
            );
-        } catch (\LogicException  $e) {
-            throw OAuthServerException::invalidRequest('code', 'Cannot decrypt the authorization code');
+        } catch (LogicException $e) {
+            throw OAuthServerException::invalidRequest('code', 'Cannot decrypt the authorization code', $e);
        }

        // Validate code challenge
-        if ($this->enableCodeExchangeProof === true) {
+        if (!empty($authCodePayload->code_challenge)) {
            $codeVerifier = $this->getRequestParameter('code_verifier', $request, null);
+
            if ($codeVerifier === null) {
                throw OAuthServerException::invalidRequest('code_verifier');
            }
@@ -143,46 +142,36 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
                );
            }

-            switch ($authCodePayload->code_challenge_method) {
-                case 'plain':
-                    if (hash_equals($codeVerifier, $authCodePayload->code_challenge) === false) {
-                        throw OAuthServerException::invalidGrant('Failed to verify `code_verifier`.');
-                    }
+            if (property_exists($authCodePayload, 'code_challenge_method')) {
+                if (isset($this->codeChallengeVerifiers[$authCodePayload->code_challenge_method])) {
+                    $codeChallengeVerifier = $this->codeChallengeVerifiers[$authCodePayload->code_challenge_method];

-                    break;
-                case 'S256':
-                    if (
-                        hash_equals(
-                            strtr(rtrim(base64_encode(hash('sha256', $codeVerifier, true)), '='), '+/', '-_'),
-                            $authCodePayload->code_challenge
-                        ) === false
-                    ) {
+                    if ($codeChallengeVerifier->verifyCodeChallenge($codeVerifier, $authCodePayload->code_challenge) === false) {
                        throw OAuthServerException::invalidGrant('Failed to verify `code_verifier`.');
                    }
-                    // @codeCoverageIgnoreStart
-                    break;
-                default:
+                } else {
                    throw OAuthServerException::serverError(
                        sprintf(
                            'Unsupported code challenge method `%s`',
                            $authCodePayload->code_challenge_method
                        )
                    );
-                // @codeCoverageIgnoreEnd
+                }
            }
        }

-        // Issue and persist access + refresh tokens
+        // Issue and persist new access token
        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $authCodePayload->user_id, $scopes);
+        $this->getEmitter()->emit(new RequestEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request));
+        $responseType->setAccessToken($accessToken);
+
+        // Issue and persist new refresh token if given
        $refreshToken = $this->issueRefreshToken($accessToken);

-        // Send events to emitter
-        $this->getEmitter()->emit(new RequestEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request));
-        $this->getEmitter()->emit(new RequestEvent(RequestEvent::REFRESH_TOKEN_ISSUED, $request));
-
-        // Inject tokens into response type
-        $responseType->setAccessToken($accessToken);
-        $responseType->setRefreshToken($refreshToken);
+        if ($refreshToken !== null) {
+            $this->getEmitter()->emit(new RequestEvent(RequestEvent::REFRESH_TOKEN_ISSUED, $request));
+            $responseType->setRefreshToken($refreshToken);
+        }

        // Revoke used auth code
        $this->authCodeRepository->revokeAuthCode($authCodePayload->auth_code_id);
@@ -190,6 +179,41 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
        return $responseType;
    }

+    /**
+     * Validate the authorization code.
+     *
+     * @param stdClass               $authCodePayload
+     * @param ClientEntityInterface  $client
+     * @param ServerRequestInterface $request
+     */
+    private function validateAuthorizationCode(
+        $authCodePayload,
+        ClientEntityInterface $client,
+        ServerRequestInterface $request
+    ) {
+        if (time() > $authCodePayload->expire_time) {
+            throw OAuthServerException::invalidRequest('code', 'Authorization code has expired');
+        }
+
+        if ($this->authCodeRepository->isAuthCodeRevoked($authCodePayload->auth_code_id) === true) {
+            throw OAuthServerException::invalidRequest('code', 'Authorization code has been revoked');
+        }
+
+        if ($authCodePayload->client_id !== $client->getIdentifier()) {
+            throw OAuthServerException::invalidRequest('code', 'Authorization code was not issued to this client');
+        }
+
+        // The redirect URI is required in this request
+        $redirectUri = $this->getRequestParameter('redirect_uri', $request, null);
+        if (empty($authCodePayload->redirect_uri) === false && $redirectUri === null) {
+            throw OAuthServerException::invalidRequest('redirect_uri');
+        }
+
+        if ($authCodePayload->redirect_uri !== $redirectUri) {
+            throw OAuthServerException::invalidRequest('redirect_uri', 'Invalid redirect URI');
+        }
+    }
+
    /**
     * Return the grant identifier that can be used in matching up requests.
     *
@@ -223,44 +247,22 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
            $this->getServerParameter('PHP_AUTH_USER', $request)
        );

-        if (is_null($clientId)) {
+        if ($clientId === null) {
            throw OAuthServerException::invalidRequest('client_id');
        }

-        $client = $this->clientRepository->getClientEntity(
-            $clientId,
-            $this->getIdentifier(),
-            null,
-            false
-        );
-
-        if ($client instanceof ClientEntityInterface === false) {
-            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
-            throw OAuthServerException::invalidClient();
-        }
+        $client = $this->getClientEntityOrFail($clientId, $request);

        $redirectUri = $this->getQueryStringParameter('redirect_uri', $request);

        if ($redirectUri !== null) {
-            if (
-                is_string($client->getRedirectUri())
-                && (strcmp($client->getRedirectUri(), $redirectUri) !== 0)
-            ) {
-                $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
-                throw OAuthServerException::invalidClient();
-            } elseif (
-                is_array($client->getRedirectUri())
-                && in_array($redirectUri, $client->getRedirectUri(), true) === false
-            ) {
-                $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
-                throw OAuthServerException::invalidClient();
-            }
-        } elseif (is_array($client->getRedirectUri()) && count($client->getRedirectUri()) !== 1
-            || empty($client->getRedirectUri())) {
+            $this->validateRedirectUri($redirectUri, $client, $request);
+        } elseif (empty($client->getRedirectUri()) ||
+            (\is_array($client->getRedirectUri()) && \count($client->getRedirectUri()) !== 1)) {
            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
-            throw OAuthServerException::invalidClient();
+            throw OAuthServerException::invalidClient($request);
        } else {
-            $redirectUri = is_array($client->getRedirectUri())
+            $redirectUri = \is_array($client->getRedirectUri())
                ? $client->getRedirectUri()[0]
                : $client->getRedirectUri();
        }
@@ -283,18 +285,20 @@ class AuthCodeGrant extends AbstractAuthorizeGrant

        $authorizationRequest->setScopes($scopes);

-        if ($this->enableCodeExchangeProof === true) {
-            $codeChallenge = $this->getQueryStringParameter('code_challenge', $request);
-            if ($codeChallenge === null) {
-                throw OAuthServerException::invalidRequest('code_challenge');
-            }
+        $codeChallenge = $this->getQueryStringParameter('code_challenge', $request);

+        if ($codeChallenge !== null) {
            $codeChallengeMethod = $this->getQueryStringParameter('code_challenge_method', $request, 'plain');

-            if (in_array($codeChallengeMethod, ['plain', 'S256'], true) === false) {
+            if (array_key_exists($codeChallengeMethod, $this->codeChallengeVerifiers) === false) {
                throw OAuthServerException::invalidRequest(
                    'code_challenge_method',
-                    'Code challenge method must be `plain` or `S256`'
+                    'Code challenge method must be one of ' . implode(', ', array_map(
+                        function ($method) {
+                            return '`' . $method . '`';
+                        },
+                        array_keys($this->codeChallengeVerifiers)
+                    ))
                );
            }

@@ -309,6 +313,8 @@ class AuthCodeGrant extends AbstractAuthorizeGrant

            $authorizationRequest->setCodeChallenge($codeChallenge);
            $authorizationRequest->setCodeChallengeMethod($codeChallengeMethod);
+        } elseif ($this->requireCodeChallengeForPublicClients && !$client->isConfidential()) {
+            throw OAuthServerException::invalidRequest('code_challenge', 'Code challenge must be provided for public clients');
        }

        return $authorizationRequest;
@@ -320,14 +326,11 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
    public function completeAuthorizationRequest(AuthorizationRequest $authorizationRequest)
    {
        if ($authorizationRequest->getUser() instanceof UserEntityInterface === false) {
-            throw new \LogicException('An instance of UserEntityInterface should be set on the AuthorizationRequest');
+            throw new LogicException('An instance of UserEntityInterface should be set on the AuthorizationRequest');
        }

-        $finalRedirectUri = ($authorizationRequest->getRedirectUri() === null)
-            ? is_array($authorizationRequest->getClient()->getRedirectUri())
-                ? $authorizationRequest->getClient()->getRedirectUri()[0]
-                : $authorizationRequest->getClient()->getRedirectUri()
-            : $authorizationRequest->getRedirectUri();
+        $finalRedirectUri = $authorizationRequest->getRedirectUri()
+                          ?? $this->getClientRedirectUri($authorizationRequest);

        // The user approved the client, redirect them back with an auth code
        if ($authorizationRequest->isAuthorizationApproved() === true) {
@@ -345,21 +348,23 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
                'auth_code_id'          => $authCode->getIdentifier(),
                'scopes'                => $authCode->getScopes(),
                'user_id'               => $authCode->getUserIdentifier(),
-                'expire_time'           => (new \DateTime())->add($this->authCodeTTL)->format('U'),
+                'expire_time'           => (new DateTimeImmutable())->add($this->authCodeTTL)->getTimestamp(),
                'code_challenge'        => $authorizationRequest->getCodeChallenge(),
                'code_challenge_method' => $authorizationRequest->getCodeChallengeMethod(),
            ];

+            $jsonPayload = json_encode($payload);
+
+            if ($jsonPayload === false) {
+                throw new LogicException('An error was encountered when JSON encoding the authorization request response');
+            }
+
            $response = new RedirectResponse();
            $response->setRedirectUri(
                $this->makeRedirectUri(
                    $finalRedirectUri,
                    [
-                        'code'  => $this->encrypt(
-                            json_encode(
-                                $payload
-                            )
-                        ),
+                        'code'  => $this->encrypt($jsonPayload),
                        'state' => $authorizationRequest->getState(),
                    ]
                )
@@ -379,4 +384,18 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
            )
        );
    }
+
+    /**
+     * Get the client redirect URI if not set in the request.
+     *
+     * @param AuthorizationRequest $authorizationRequest
+     *
+     * @return string
+     */
+    private function getClientRedirectUri(AuthorizationRequest $authorizationRequest)
+    {
+        return \is_array($authorizationRequest->getClient()->getRedirectUri())
+                ? $authorizationRequest->getClient()->getRedirectUri()[0]
+                : $authorizationRequest->getClient()->getRedirectUri();
+    }
 }
--- a/src/Grant/ClientCredentialsGrant.php
+++ b/src/Grant/ClientCredentialsGrant.php
@@ -11,6 +11,8 @@

 namespace League\OAuth2\Server\Grant;

+use DateInterval;
+use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\RequestEvent;
 use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
 use Psr\Http\Message\ServerRequestInterface;
@@ -26,10 +28,21 @@ class ClientCredentialsGrant extends AbstractGrant
    public function respondToAccessTokenRequest(
        ServerRequestInterface $request,
        ResponseTypeInterface $responseType,
-        \DateInterval $accessTokenTTL
+        DateInterval $accessTokenTTL
    ) {
+        list($clientId) = $this->getClientCredentials($request);
+
+        $client = $this->getClientEntityOrFail($clientId, $request);
+
+        if (!$client->isConfidential()) {
+            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
+
+            throw OAuthServerException::invalidClient($request);
+        }
+
        // Validate request
-        $client = $this->validateClient($request);
+        $this->validateClient($request);
+
        $scopes = $this->validateScopes($this->getRequestParameter('scope', $request, $this->defaultScope));

        // Finalize the requested scopes
--- a/src/Grant/GrantTypeInterface.php
+++ b/src/Grant/GrantTypeInterface.php
@@ -11,6 +11,7 @@

 namespace League\OAuth2\Server\Grant;

+use DateInterval;
 use Defuse\Crypto\Key;
 use League\Event\EmitterAwareInterface;
 use League\OAuth2\Server\CryptKey;
@@ -29,9 +30,9 @@ interface GrantTypeInterface extends EmitterAwareInterface
    /**
     * Set refresh token TTL.
     *
-     * @param \DateInterval $refreshTokenTTL
+     * @param DateInterval $refreshTokenTTL
     */
-    public function setRefreshTokenTTL(\DateInterval $refreshTokenTTL);
+    public function setRefreshTokenTTL(DateInterval $refreshTokenTTL);

    /**
     * Return the grant identifier that can be used in matching up requests.
@@ -45,14 +46,14 @@ interface GrantTypeInterface extends EmitterAwareInterface
     *
     * @param ServerRequestInterface $request
     * @param ResponseTypeInterface  $responseType
-     * @param \DateInterval          $accessTokenTTL
+     * @param DateInterval           $accessTokenTTL
     *
     * @return ResponseTypeInterface
     */
    public function respondToAccessTokenRequest(
        ServerRequestInterface $request,
        ResponseTypeInterface $responseType,
-        \DateInterval $accessTokenTTL
+        DateInterval $accessTokenTTL
    );

    /**
--- a/src/Grant/ImplicitGrant.php
+++ b/src/Grant/ImplicitGrant.php
@@ -9,7 +9,7 @@

 namespace League\OAuth2\Server\Grant;

-use League\OAuth2\Server\Entities\ClientEntityInterface;
+use DateInterval;
 use League\OAuth2\Server\Entities\UserEntityInterface;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
@@ -17,12 +17,13 @@ use League\OAuth2\Server\RequestEvent;
 use League\OAuth2\Server\RequestTypes\AuthorizationRequest;
 use League\OAuth2\Server\ResponseTypes\RedirectResponse;
 use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
+use LogicException;
 use Psr\Http\Message\ServerRequestInterface;

 class ImplicitGrant extends AbstractAuthorizeGrant
 {
    /**
-     * @var \DateInterval
+     * @var DateInterval
     */
    private $accessTokenTTL;

@@ -32,33 +33,33 @@ class ImplicitGrant extends AbstractAuthorizeGrant
    private $queryDelimiter;

    /**
-     * @param \DateInterval $accessTokenTTL
-     * @param string        $queryDelimiter
+     * @param DateInterval $accessTokenTTL
+     * @param string       $queryDelimiter
     */
-    public function __construct(\DateInterval $accessTokenTTL, $queryDelimiter = '#')
+    public function __construct(DateInterval $accessTokenTTL, $queryDelimiter = '#')
    {
        $this->accessTokenTTL = $accessTokenTTL;
        $this->queryDelimiter = $queryDelimiter;
    }

    /**
-     * @param \DateInterval $refreshTokenTTL
+     * @param DateInterval $refreshTokenTTL
     *
-     * @throw \LogicException
+     * @throw LogicException
     */
-    public function setRefreshTokenTTL(\DateInterval $refreshTokenTTL)
+    public function setRefreshTokenTTL(DateInterval $refreshTokenTTL)
    {
-        throw new \LogicException('The Implicit Grant does not return refresh tokens');
+        throw new LogicException('The Implicit Grant does not return refresh tokens');
    }

    /**
     * @param RefreshTokenRepositoryInterface $refreshTokenRepository
     *
-     * @throw \LogicException
+     * @throw LogicException
     */
    public function setRefreshTokenRepository(RefreshTokenRepositoryInterface $refreshTokenRepository)
    {
-        throw new \LogicException('The Implicit Grant does not return refresh tokens');
+        throw new LogicException('The Implicit Grant does not return refresh tokens');
    }

    /**
@@ -84,16 +85,16 @@ class ImplicitGrant extends AbstractAuthorizeGrant
     *
     * @param ServerRequestInterface $request
     * @param ResponseTypeInterface  $responseType
-     * @param \DateInterval          $accessTokenTTL
+     * @param DateInterval           $accessTokenTTL
     *
     * @return ResponseTypeInterface
     */
    public function respondToAccessTokenRequest(
        ServerRequestInterface $request,
        ResponseTypeInterface $responseType,
-        \DateInterval $accessTokenTTL
+        DateInterval $accessTokenTTL
    ) {
-        throw new \LogicException('This grant does not used this method');
+        throw new LogicException('This grant does not used this method');
    }

    /**
@@ -118,41 +119,21 @@ class ImplicitGrant extends AbstractAuthorizeGrant
            $request,
            $this->getServerParameter('PHP_AUTH_USER', $request)
        );
+
        if (is_null($clientId)) {
            throw OAuthServerException::invalidRequest('client_id');
        }

-        $client = $this->clientRepository->getClientEntity(
-            $clientId,
-            $this->getIdentifier(),
-            null,
-            false
-        );
-
-        if ($client instanceof ClientEntityInterface === false) {
-            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
-            throw OAuthServerException::invalidClient();
-        }
+        $client = $this->getClientEntityOrFail($clientId, $request);

        $redirectUri = $this->getQueryStringParameter('redirect_uri', $request);
+
        if ($redirectUri !== null) {
-            if (
-                is_string($client->getRedirectUri())
-                && (strcmp($client->getRedirectUri(), $redirectUri) !== 0)
-            ) {
-                $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
-                throw OAuthServerException::invalidClient();
-            } elseif (
-                is_array($client->getRedirectUri())
-                && in_array($redirectUri, $client->getRedirectUri(), true) === false
-            ) {
-                $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
-                throw OAuthServerException::invalidClient();
-            }
+            $this->validateRedirectUri($redirectUri, $client, $request);
        } elseif (is_array($client->getRedirectUri()) && count($client->getRedirectUri()) !== 1
            || empty($client->getRedirectUri())) {
            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
-            throw OAuthServerException::invalidClient();
+            throw OAuthServerException::invalidClient($request);
        } else {
            $redirectUri = is_array($client->getRedirectUri())
                ? $client->getRedirectUri()[0]
@@ -164,13 +145,6 @@ class ImplicitGrant extends AbstractAuthorizeGrant
            $redirectUri
        );

-        // Finalize the requested scopes
-        $finalizedScopes = $this->scopeRepository->finalizeScopes(
-            $scopes,
-            $this->getIdentifier(),
-            $client
-        );
-
        $stateParameter = $this->getQueryStringParameter('state', $request);

        $authorizationRequest = new AuthorizationRequest();
@@ -182,7 +156,7 @@ class ImplicitGrant extends AbstractAuthorizeGrant
            $authorizationRequest->setState($stateParameter);
        }

-        $authorizationRequest->setScopes($finalizedScopes);
+        $authorizationRequest->setScopes($scopes);

        return $authorizationRequest;
    }
@@ -193,7 +167,7 @@ class ImplicitGrant extends AbstractAuthorizeGrant
    public function completeAuthorizationRequest(AuthorizationRequest $authorizationRequest)
    {
        if ($authorizationRequest->getUser() instanceof UserEntityInterface === false) {
-            throw new \LogicException('An instance of UserEntityInterface should be set on the AuthorizationRequest');
+            throw new LogicException('An instance of UserEntityInterface should be set on the AuthorizationRequest');
        }

        $finalRedirectUri = ($authorizationRequest->getRedirectUri() === null)
@@ -204,11 +178,19 @@ class ImplicitGrant extends AbstractAuthorizeGrant

        // The user approved the client, redirect them back with an access token
        if ($authorizationRequest->isAuthorizationApproved() === true) {
+            // Finalize the requested scopes
+            $finalizedScopes = $this->scopeRepository->finalizeScopes(
+                $authorizationRequest->getScopes(),
+                $this->getIdentifier(),
+                $authorizationRequest->getClient(),
+                $authorizationRequest->getUser()->getIdentifier()
+            );
+
            $accessToken = $this->issueAccessToken(
                $this->accessTokenTTL,
                $authorizationRequest->getClient(),
                $authorizationRequest->getUser()->getIdentifier(),
-                $authorizationRequest->getScopes()
+                $finalizedScopes
            );

            $response = new RedirectResponse();
@@ -216,9 +198,9 @@ class ImplicitGrant extends AbstractAuthorizeGrant
                $this->makeRedirectUri(
                    $finalRedirectUri,
                    [
-                        'access_token' => (string) $accessToken->convertToJWT($this->privateKey),
+                        'access_token' => (string) $accessToken,
                        'token_type'   => 'Bearer',
-                        'expires_in'   => $accessToken->getExpiryDateTime()->getTimestamp() - (new \DateTime())->getTimestamp(),
+                        'expires_in'   => $accessToken->getExpiryDateTime()->getTimestamp() - \time(),
                        'state'        => $authorizationRequest->getState(),
                    ],
                    $this->queryDelimiter
--- a/src/Grant/PasswordGrant.php
+++ b/src/Grant/PasswordGrant.php
@@ -11,6 +11,7 @@

 namespace League\OAuth2\Server\Grant;

+use DateInterval;
 use League\OAuth2\Server\Entities\ClientEntityInterface;
 use League\OAuth2\Server\Entities\UserEntityInterface;
 use League\OAuth2\Server\Exception\OAuthServerException;
@@ -36,7 +37,7 @@ class PasswordGrant extends AbstractGrant
        $this->setUserRepository($userRepository);
        $this->setRefreshTokenRepository($refreshTokenRepository);

-        $this->refreshTokenTTL = new \DateInterval('P1M');
+        $this->refreshTokenTTL = new DateInterval('P1M');
    }

    /**
@@ -45,7 +46,7 @@ class PasswordGrant extends AbstractGrant
    public function respondToAccessTokenRequest(
        ServerRequestInterface $request,
        ResponseTypeInterface $responseType,
-        \DateInterval $accessTokenTTL
+        DateInterval $accessTokenTTL
    ) {
        // Validate request
        $client = $this->validateClient($request);
@@ -55,17 +56,18 @@ class PasswordGrant extends AbstractGrant
        // Finalize the requested scopes
        $finalizedScopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client, $user->getIdentifier());

-        // Issue and persist new tokens
+        // Issue and persist new access token
        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $user->getIdentifier(), $finalizedScopes);
+        $this->getEmitter()->emit(new RequestEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request));
+        $responseType->setAccessToken($accessToken);
+
+        // Issue and persist new refresh token if given
        $refreshToken = $this->issueRefreshToken($accessToken);

-        // Send events to emitter
-        $this->getEmitter()->emit(new RequestEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request));
-        $this->getEmitter()->emit(new RequestEvent(RequestEvent::REFRESH_TOKEN_ISSUED, $request));
-
-        // Inject tokens into response
-        $responseType->setAccessToken($accessToken);
-        $responseType->setRefreshToken($refreshToken);
+        if ($refreshToken !== null) {
+            $this->getEmitter()->emit(new RequestEvent(RequestEvent::REFRESH_TOKEN_ISSUED, $request));
+            $responseType->setRefreshToken($refreshToken);
+        }

        return $responseType;
    }
@@ -81,11 +83,13 @@ class PasswordGrant extends AbstractGrant
    protected function validateUser(ServerRequestInterface $request, ClientEntityInterface $client)
    {
        $username = $this->getRequestParameter('username', $request);
+
        if (is_null($username)) {
            throw OAuthServerException::invalidRequest('username');
        }

        $password = $this->getRequestParameter('password', $request);
+
        if (is_null($password)) {
            throw OAuthServerException::invalidRequest('password');
        }
@@ -96,10 +100,11 @@ class PasswordGrant extends AbstractGrant
            $this->getIdentifier(),
            $client
        );
+
        if ($user instanceof UserEntityInterface === false) {
            $this->getEmitter()->emit(new RequestEvent(RequestEvent::USER_AUTHENTICATION_FAILED, $request));

-            throw OAuthServerException::invalidCredentials();
+            throw OAuthServerException::invalidGrant();
        }

        return $user;
--- a/src/Grant/RefreshTokenGrant.php
+++ b/src/Grant/RefreshTokenGrant.php
@@ -11,6 +11,8 @@

 namespace League\OAuth2\Server\Grant;

+use DateInterval;
+use Exception;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
 use League\OAuth2\Server\RequestEvent;
@@ -29,7 +31,7 @@ class RefreshTokenGrant extends AbstractGrant
    {
        $this->setRefreshTokenRepository($refreshTokenRepository);

-        $this->refreshTokenTTL = new \DateInterval('P1M');
+        $this->refreshTokenTTL = new DateInterval('P1M');
    }

    /**
@@ -38,7 +40,7 @@ class RefreshTokenGrant extends AbstractGrant
    public function respondToAccessTokenRequest(
        ServerRequestInterface $request,
        ResponseTypeInterface $responseType,
-        \DateInterval $accessTokenTTL
+        DateInterval $accessTokenTTL
    ) {
        // Validate request
        $client = $this->validateClient($request);
@@ -61,17 +63,18 @@ class RefreshTokenGrant extends AbstractGrant
        $this->accessTokenRepository->revokeAccessToken($oldRefreshToken['access_token_id']);
        $this->refreshTokenRepository->revokeRefreshToken($oldRefreshToken['refresh_token_id']);

-        // Issue and persist new tokens
+        // Issue and persist new access token
        $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $oldRefreshToken['user_id'], $scopes);
+        $this->getEmitter()->emit(new RequestEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request));
+        $responseType->setAccessToken($accessToken);
+
+        // Issue and persist new refresh token if given
        $refreshToken = $this->issueRefreshToken($accessToken);

-        // Send events to emitter
-        $this->getEmitter()->emit(new RequestEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request));
-        $this->getEmitter()->emit(new RequestEvent(RequestEvent::REFRESH_TOKEN_ISSUED, $request));
-
-        // Inject tokens into response
-        $responseType->setAccessToken($accessToken);
-        $responseType->setRefreshToken($refreshToken);
+        if ($refreshToken !== null) {
+            $this->getEmitter()->emit(new RequestEvent(RequestEvent::REFRESH_TOKEN_ISSUED, $request));
+            $responseType->setRefreshToken($refreshToken);
+        }

        return $responseType;
    }
@@ -94,8 +97,8 @@ class RefreshTokenGrant extends AbstractGrant
        // Validate refresh token
        try {
            $refreshToken = $this->decrypt($encryptedRefreshToken);
-        } catch (\Exception $e) {
-            throw OAuthServerException::invalidRefreshToken('Cannot decrypt the refresh token');
+        } catch (Exception $e) {
+            throw OAuthServerException::invalidRefreshToken('Cannot decrypt the refresh token', $e);
        }

        $refreshTokenData = json_decode($refreshToken, true);
--- a/src/Middleware/AuthorizationServerMiddleware.php
+++ b/src/Middleware/AuthorizationServerMiddleware.php
@@ -9,6 +9,7 @@

 namespace League\OAuth2\Server\Middleware;

+use Exception;
 use League\OAuth2\Server\AuthorizationServer;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use Psr\Http\Message\ResponseInterface;
@@ -43,7 +44,7 @@ class AuthorizationServerMiddleware
        } catch (OAuthServerException $exception) {
            return $exception->generateHttpResponse($response);
            // @codeCoverageIgnoreStart
-        } catch (\Exception $exception) {
+        } catch (Exception $exception) {
            return (new OAuthServerException($exception->getMessage(), 0, 'unknown_error', 500))
                ->generateHttpResponse($response);
            // @codeCoverageIgnoreEnd
--- a/src/Middleware/ResourceServerMiddleware.php
+++ b/src/Middleware/ResourceServerMiddleware.php
@@ -9,6 +9,7 @@

 namespace League\OAuth2\Server\Middleware;

+use Exception;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\ResourceServer;
 use Psr\Http\Message\ResponseInterface;
@@ -34,7 +35,7 @@ class ResourceServerMiddleware
     * @param ResponseInterface      $response
     * @param callable               $next
     *
-     * @return \Psr\Http\Message\ResponseInterface
+     * @return ResponseInterface
     */
    public function __invoke(ServerRequestInterface $request, ResponseInterface $response, callable $next)
    {
@@ -43,7 +44,7 @@ class ResourceServerMiddleware
        } catch (OAuthServerException $exception) {
            return $exception->generateHttpResponse($response);
            // @codeCoverageIgnoreStart
-        } catch (\Exception $exception) {
+        } catch (Exception $exception) {
            return (new OAuthServerException($exception->getMessage(), 0, 'unknown_error', 500))
                ->generateHttpResponse($response);
            // @codeCoverageIgnoreEnd
--- a/src/Repositories/ClientRepositoryInterface.php
+++ b/src/Repositories/ClientRepositoryInterface.php
@@ -19,13 +19,20 @@ interface ClientRepositoryInterface extends RepositoryInterface
    /**
     * Get a client.
     *
-     * @param string      $clientIdentifier   The client's identifier
-     * @param null|string $grantType          The grant type used (if sent)
-     * @param null|string $clientSecret       The client's secret (if sent)
-     * @param bool        $mustValidateSecret If true the client must attempt to validate the secret if the client
-     *                                        is confidential
+     * @param string $clientIdentifier The client's identifier
     *
-     * @return ClientEntityInterface
+     * @return ClientEntityInterface|null
     */
-    public function getClientEntity($clientIdentifier, $grantType = null, $clientSecret = null, $mustValidateSecret = true);
+    public function getClientEntity($clientIdentifier);
+
+    /**
+     * Validate a client's secret.
+     *
+     * @param string      $clientIdentifier The client's identifier
+     * @param null|string $clientSecret     The client's secret (if sent)
+     * @param null|string $grantType        The type of grant the client is using (if sent)
+     *
+     * @return bool
+     */
+    public function validateClient($clientIdentifier, $clientSecret, $grantType);
 }
--- a/src/Repositories/RefreshTokenRepositoryInterface.php
+++ b/src/Repositories/RefreshTokenRepositoryInterface.php
@@ -20,7 +20,7 @@ interface RefreshTokenRepositoryInterface extends RepositoryInterface
    /**
     * Creates a new refresh token
     *
-     * @return RefreshTokenEntityInterface
+     * @return RefreshTokenEntityInterface|null
     */
    public function getNewRefreshToken();

--- a/src/Repositories/ScopeRepositoryInterface.php
+++ b/src/Repositories/ScopeRepositoryInterface.php
@@ -22,7 +22,7 @@ interface ScopeRepositoryInterface extends RepositoryInterface
     *
     * @param string $identifier The scope identifier
     *
-     * @return ScopeEntityInterface
+     * @return ScopeEntityInterface|null
     */
    public function getScopeEntityByIdentifier($identifier);

--- a/src/Repositories/UserRepositoryInterface.php
+++ b/src/Repositories/UserRepositoryInterface.php
@@ -22,7 +22,7 @@ interface UserRepositoryInterface extends RepositoryInterface
     * @param string                $grantType    The grant type used
     * @param ClientEntityInterface $clientEntity
     *
-     * @return UserEntityInterface
+     * @return UserEntityInterface|null
     */
    public function getUserEntityByUserCredentials(
        $username,
--- a/src/RequestTypes/AuthorizationRequest.php
+++ b/src/RequestTypes/AuthorizationRequest.php
@@ -111,7 +111,7 @@ class AuthorizationRequest
    }

    /**
-     * @return UserEntityInterface
+     * @return UserEntityInterface|null
     */
    public function getUser()
    {
--- a/src/ResponseTypes/AbstractResponseType.php
+++ b/src/ResponseTypes/AbstractResponseType.php
@@ -54,7 +54,7 @@ abstract class AbstractResponseType implements ResponseTypeInterface
    /**
     * Set the private key
     *
-     * @param \League\OAuth2\Server\CryptKey $key
+     * @param CryptKey $key
     */
    public function setPrivateKey(CryptKey $key)
    {
--- a/src/ResponseTypes/BearerTokenResponse.php
+++ b/src/ResponseTypes/BearerTokenResponse.php
@@ -13,6 +13,7 @@ namespace League\OAuth2\Server\ResponseTypes;

 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
+use LogicException;
 use Psr\Http\Message\ResponseInterface;

 class BearerTokenResponse extends AbstractResponseType
@@ -24,32 +25,34 @@ class BearerTokenResponse extends AbstractResponseType
    {
        $expireDateTime = $this->accessToken->getExpiryDateTime()->getTimestamp();

-        $jwtAccessToken = $this->accessToken->convertToJWT($this->privateKey);
-
        $responseParams = [
            'token_type'   => 'Bearer',
-            'expires_in'   => $expireDateTime - (new \DateTime())->getTimestamp(),
-            'access_token' => (string) $jwtAccessToken,
+            'expires_in'   => $expireDateTime - \time(),
+            'access_token' => (string) $this->accessToken,
        ];

        if ($this->refreshToken instanceof RefreshTokenEntityInterface) {
-            $refreshToken = $this->encrypt(
-                json_encode(
-                    [
-                        'client_id'        => $this->accessToken->getClient()->getIdentifier(),
-                        'refresh_token_id' => $this->refreshToken->getIdentifier(),
-                        'access_token_id'  => $this->accessToken->getIdentifier(),
-                        'scopes'           => $this->accessToken->getScopes(),
-                        'user_id'          => $this->accessToken->getUserIdentifier(),
-                        'expire_time'      => $this->refreshToken->getExpiryDateTime()->getTimestamp(),
-                    ]
-                )
-            );
+            $refreshTokenPayload = json_encode([
+                'client_id'        => $this->accessToken->getClient()->getIdentifier(),
+                'refresh_token_id' => $this->refreshToken->getIdentifier(),
+                'access_token_id'  => $this->accessToken->getIdentifier(),
+                'scopes'           => $this->accessToken->getScopes(),
+                'user_id'          => $this->accessToken->getUserIdentifier(),
+                'expire_time'      => $this->refreshToken->getExpiryDateTime()->getTimestamp(),
+            ]);

-            $responseParams['refresh_token'] = $refreshToken;
+            if ($refreshTokenPayload === false) {
+                throw new LogicException('Error encountered JSON encoding the refresh token payload');
+            }
+
+            $responseParams['refresh_token'] = $this->encrypt($refreshTokenPayload);
        }

-        $responseParams = array_merge($this->getExtraParams($this->accessToken), $responseParams);
+        $responseParams = json_encode(array_merge($this->getExtraParams($this->accessToken), $responseParams));
+
+        if ($responseParams === false) {
+            throw new LogicException('Error encountered JSON encoding response parameters');
+        }

        $response = $response
            ->withStatus(200)
@@ -57,7 +60,7 @@ class BearerTokenResponse extends AbstractResponseType
            ->withHeader('cache-control', 'no-store')
            ->withHeader('content-type', 'application/json; charset=UTF-8');

-        $response->getBody()->write(json_encode($responseParams));
+        $response->getBody()->write($responseParams);

        return $response;
    }
--- a/tests/AuthorizationServerTest.php
+++ b/tests/AuthorizationServerTest.php
@@ -2,7 +2,9 @@

 namespace LeagueTests;

+use DateInterval;
 use League\OAuth2\Server\AuthorizationServer;
+use League\OAuth2\Server\CryptKey;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Grant\AuthCodeGrant;
 use League\OAuth2\Server\Grant\ClientCredentialsGrant;
@@ -29,7 +31,7 @@ class AuthorizationServerTest extends TestCase
 {
    const DEFAULT_SCOPE = 'basic';

-    public function setUp()
+    public function setUp(): void
    {
        // Make sure the keys have the correct permissions.
        chmod(__DIR__ . '/Stubs/private.key', 0600);
@@ -48,7 +50,7 @@ class AuthorizationServerTest extends TestCase
            new StubResponseType()
        );

-        $server->enableGrantType(new ClientCredentialsGrant(), new \DateInterval('PT1M'));
+        $server->enableGrantType(new ClientCredentialsGrant(), new DateInterval('PT1M'));

        try {
            $server->respondToAccessTokenRequest(ServerRequestFactory::fromGlobals(), new Response);
@@ -60,8 +62,11 @@ class AuthorizationServerTest extends TestCase

    public function testRespondToRequest()
    {
+        $client = new ClientEntity();
+        $client->setConfidential();
+
        $clientRepository = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
-        $clientRepository->method('getClientEntity')->willReturn(new ClientEntity());
+        $clientRepository->method('getClientEntity')->willReturn($client);

        $scope = new ScopeEntity();
        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
@@ -81,7 +86,7 @@ class AuthorizationServerTest extends TestCase
        );

        $server->setDefaultScope(self::DEFAULT_SCOPE);
-        $server->enableGrantType(new ClientCredentialsGrant(), new \DateInterval('PT1M'));
+        $server->enableGrantType(new ClientCredentialsGrant(), new DateInterval('PT1M'));

        $_POST['grant_type'] = 'client_credentials';
        $_POST['client_id'] = 'foo';
@@ -109,6 +114,91 @@ class AuthorizationServerTest extends TestCase
        $this->assertInstanceOf(BearerTokenResponse::class, $method->invoke($server));
    }

+    public function testGetResponseTypeExtended()
+    {
+        $clientRepository = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $privateKey = 'file://' . __DIR__ . '/Stubs/private.key';
+        $encryptionKey = 'file://' . __DIR__ . '/Stubs/public.key';
+
+        $server = new AuthorizationServer(
+            $clientRepository,
+            $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock(),
+            $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock(),
+            'file://' . __DIR__ . '/Stubs/private.key',
+            'file://' . __DIR__ . '/Stubs/public.key'
+        );
+
+        $abstractGrantReflection = new \ReflectionClass($server);
+        $method = $abstractGrantReflection->getMethod('getResponseType');
+        $method->setAccessible(true);
+
+        $responseType = $method->invoke($server);
+
+        $responseTypeReflection = new \ReflectionClass($responseType);
+
+        $privateKeyProperty = $responseTypeReflection->getProperty('privateKey');
+        $privateKeyProperty->setAccessible(true);
+
+        $encryptionKeyProperty = $responseTypeReflection->getProperty('encryptionKey');
+        $encryptionKeyProperty->setAccessible(true);
+
+        // generated instances should have keys setup
+        $this->assertSame($privateKey, $privateKeyProperty->getValue($responseType)->getKeyPath());
+        $this->assertSame($encryptionKey, $encryptionKeyProperty->getValue($responseType));
+    }
+
+    public function testMultipleRequestsGetDifferentResponseTypeInstances()
+    {
+        $privateKey = 'file://' . __DIR__ . '/Stubs/private.key';
+        $encryptionKey = 'file://' . __DIR__ . '/Stubs/public.key';
+
+        $responseTypePrototype = new class extends BearerTokenResponse {
+            /* @return null|CryptKey */
+            public function getPrivateKey()
+            {
+                return $this->privateKey;
+            }
+
+            public function getEncryptionKey()
+            {
+                return $this->encryptionKey;
+            }
+        };
+
+        $clientRepository = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+
+        $server = new AuthorizationServer(
+            $clientRepository,
+            $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock(),
+            $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock(),
+            $privateKey,
+            $encryptionKey,
+            $responseTypePrototype
+        );
+
+        $abstractGrantReflection = new \ReflectionClass($server);
+        $method = $abstractGrantReflection->getMethod('getResponseType');
+        $method->setAccessible(true);
+
+        $responseTypeA = $method->invoke($server);
+        $responseTypeB = $method->invoke($server);
+
+        // prototype should not get changed
+        $this->assertNull($responseTypePrototype->getPrivateKey());
+        $this->assertNull($responseTypePrototype->getEncryptionKey());
+
+        // generated instances should have keys setup
+        $this->assertSame($privateKey, $responseTypeA->getPrivateKey()->getKeyPath());
+        $this->assertSame($encryptionKey, $responseTypeA->getEncryptionKey());
+
+        // all instances should be different but based on the same prototype
+        $this->assertSame(get_class($responseTypePrototype), get_class($responseTypeA));
+        $this->assertSame(get_class($responseTypePrototype), get_class($responseTypeB));
+        $this->assertNotSame($responseTypePrototype, $responseTypeA);
+        $this->assertNotSame($responseTypePrototype, $responseTypeB);
+        $this->assertNotSame($responseTypeA, $responseTypeB);
+    }
+
    public function testCompleteAuthorizationRequest()
    {
        $clientRepository = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
@@ -127,7 +217,7 @@ class AuthorizationServerTest extends TestCase
        $grant = new AuthCodeGrant(
            $authCodeRepository,
            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
-            new \DateInterval('PT10M')
+            new DateInterval('PT10M')
        );

        $server->enableGrantType($grant);
@@ -148,6 +238,7 @@ class AuthorizationServerTest extends TestCase
    {
        $client = new ClientEntity();
        $client->setRedirectUri('http://foo/bar');
+        $client->setConfidential();
        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
        $clientRepositoryMock->method('getClientEntity')->willReturn($client);

@@ -158,7 +249,7 @@ class AuthorizationServerTest extends TestCase
        $grant = new AuthCodeGrant(
            $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock(),
            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
-            new \DateInterval('PT10M')
+            new DateInterval('PT10M')
        );
        $grant->setClientRepository($clientRepositoryMock);

@@ -199,7 +290,7 @@ class AuthorizationServerTest extends TestCase
        $grant = new AuthCodeGrant(
            $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock(),
            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
-            new \DateInterval('PT10M')
+            new DateInterval('PT10M')
        );
        $grant->setClientRepository($clientRepositoryMock);

@@ -234,10 +325,6 @@ class AuthorizationServerTest extends TestCase
        }
    }

-    /**
-     * @expectedException  \League\OAuth2\Server\Exception\OAuthServerException
-     * @expectedExceptionCode 2
-     */
    public function testValidateAuthorizationRequestUnregistered()
    {
        $server = new AuthorizationServer(
@@ -248,19 +335,13 @@ class AuthorizationServerTest extends TestCase
            'file://' . __DIR__ . '/Stubs/public.key'
        );

-        $request = new ServerRequest(
-            [],
-            [],
-            null,
-            null,
-            'php://input',
-            $headers = [],
-            $cookies = [],
-            $queryParams = [
-                'response_type' => 'code',
-                'client_id'     => 'foo',
-            ]
-        );
+        $request = (new ServerRequest())->withQueryParams([
+            'response_type' => 'code',
+            'client_id' => 'foo',
+        ]);
+
+        $this->expectException(\League\OAuth2\Server\Exception\OAuthServerException::class);
+        $this->expectExceptionCode(2);

        $server->validateAuthorizationRequest($request);
    }
--- a/tests/AuthorizationValidators/BearerTokenValidatorTest.php
+++ b/tests/AuthorizationValidators/BearerTokenValidatorTest.php
@@ -0,0 +1,38 @@
+<?php
+
+namespace LeagueTests\AuthorizationValidators;
+
+use Lcobucci\JWT\Builder;
+use League\OAuth2\Server\AuthorizationValidators\BearerTokenValidator;
+use League\OAuth2\Server\CryptKey;
+use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+use PHPUnit\Framework\TestCase;
+use Zend\Diactoros\ServerRequest;
+
+class BearerTokenValidatorTest extends TestCase
+{
+    public function testThrowExceptionWhenAccessTokenIsNotSigned()
+    {
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+
+        $bearerTokenValidator = new BearerTokenValidator($accessTokenRepositoryMock);
+        $bearerTokenValidator->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+
+        $unsignedJwt = (new Builder())
+            ->setAudience('client-id')
+            ->setId('token-id', true)
+            ->setIssuedAt(time())
+            ->setNotBefore(time())
+            ->setExpiration(time())
+            ->setSubject('user-id')
+            ->set('scopes', 'scope1 scope2 scope3 scope4')
+            ->getToken();
+
+        $request = (new ServerRequest())->withHeader('authorization', sprintf('Bearer %s', $unsignedJwt));
+
+        $this->expectException(\League\OAuth2\Server\Exception\OAuthServerException::class);
+        $this->expectExceptionCode(9);
+
+        $bearerTokenValidator->validateAuthorization($request);
+    }
+}
--- a/tests/CodeChallengeVerifiers/PlainVerifierTest.php
+++ b/tests/CodeChallengeVerifiers/PlainVerifierTest.php
@@ -0,0 +1,24 @@
+<?php
+
+namespace LeagueTests\CodeChallengeVerifiers;
+
+use League\OAuth2\Server\CodeChallengeVerifiers\PlainVerifier;
+use PHPUnit\Framework\TestCase;
+
+class PlainVerifierTest extends TestCase
+{
+    public function testGetMethod()
+    {
+        $verifier = new PlainVerifier();
+
+        $this->assertEquals('plain', $verifier->getMethod());
+    }
+
+    public function testVerifyCodeChallenge()
+    {
+        $verifier = new PlainVerifier();
+
+        $this->assertTrue($verifier->verifyCodeChallenge('foo', 'foo'));
+        $this->assertFalse($verifier->verifyCodeChallenge('foo', 'bar'));
+    }
+}
--- a/tests/CodeChallengeVerifiers/S256VerifierTest.php
+++ b/tests/CodeChallengeVerifiers/S256VerifierTest.php
@@ -0,0 +1,37 @@
+<?php
+
+namespace LeagueTests\CodeChallengeVerifiers;
+
+use League\OAuth2\Server\CodeChallengeVerifiers\S256Verifier;
+use PHPUnit\Framework\TestCase;
+
+class S256VerifierTest extends TestCase
+{
+    public function testGetMethod()
+    {
+        $verifier = new S256Verifier();
+
+        $this->assertEquals('S256', $verifier->getMethod());
+    }
+
+    public function testVerifyCodeChallengeSucceeds()
+    {
+        $codeChallenge = $this->createCodeChallenge('foo');
+        $verifier = new S256Verifier();
+
+        $this->assertTrue($verifier->verifyCodeChallenge('foo', $codeChallenge));
+    }
+
+    public function testVerifyCodeChallengeFails()
+    {
+        $codeChallenge = $this->createCodeChallenge('bar');
+        $verifier = new S256Verifier();
+
+        $this->assertFalse($verifier->verifyCodeChallenge('foo', $codeChallenge));
+    }
+
+    private function createCodeChallenge($codeVerifier)
+    {
+        return strtr(rtrim(base64_encode(hash('sha256', $codeVerifier, true)), '='), '+/', '-_');
+    }
+}
--- a/tests/Exception/OAuthServerExceptionTest.php
+++ b/tests/Exception/OAuthServerExceptionTest.php
@@ -0,0 +1,99 @@
+<?php
+
+namespace LeagueTests\Exception;
+
+use Exception;
+use League\OAuth2\Server\Exception\OAuthServerException;
+use League\OAuth2\Server\Grant\AbstractGrant;
+use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
+use PHPUnit\Framework\TestCase;
+use Zend\Diactoros\Response;
+use Zend\Diactoros\ServerRequest;
+
+class OAuthServerExceptionTest extends TestCase
+{
+    public function testInvalidClientExceptionSetsAuthenticateHeader()
+    {
+        $serverRequest = (new ServerRequest())
+            ->withParsedBody([
+                'client_id' => 'foo',
+            ])
+            ->withAddedHeader('Authorization', 'Basic fakeauthdetails');
+
+        try {
+            $this->issueInvalidClientException($serverRequest);
+        } catch (OAuthServerException $e) {
+            $response = $e->generateHttpResponse(new Response());
+
+            $this->assertTrue($response->hasHeader('WWW-Authenticate'));
+        }
+    }
+
+    public function testInvalidClientExceptionOmitsAuthenticateHeader()
+    {
+        $serverRequest = (new ServerRequest())
+            ->withParsedBody([
+                'client_id' => 'foo',
+            ]);
+
+        try {
+            $this->issueInvalidClientException($serverRequest);
+        } catch (OAuthServerException $e) {
+            $response = $e->generateHttpResponse(new Response());
+
+            $this->assertFalse($response->hasHeader('WWW-Authenticate'));
+        }
+    }
+
+    /**
+     * Issue an invalid client exception
+     *
+     * @throws OAuthServerException
+     */
+    private function issueInvalidClientException($serverRequest)
+    {
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('validateClient')->willReturn(false);
+
+        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
+        $grantMock->setClientRepository($clientRepositoryMock);
+
+        $abstractGrantReflection = new \ReflectionClass($grantMock);
+
+        $validateClientMethod = $abstractGrantReflection->getMethod('validateClient');
+        $validateClientMethod->setAccessible(true);
+
+        $validateClientMethod->invoke($grantMock, $serverRequest);
+    }
+
+    public function testHasRedirect()
+    {
+        $exceptionWithRedirect = OAuthServerException::accessDenied('some hint', 'https://example.com/error');
+
+        $this->assertTrue($exceptionWithRedirect->hasRedirect());
+    }
+
+    public function testDoesNotHaveRedirect()
+    {
+        $exceptionWithoutRedirect = OAuthServerException::accessDenied('Some hint');
+
+        $this->assertFalse($exceptionWithoutRedirect->hasRedirect());
+    }
+
+    public function testHasPrevious()
+    {
+        $previous = new Exception('This is the previous');
+        $exceptionWithPrevious = OAuthServerException::accessDenied(null, null, $previous);
+
+        $previousMessage = $exceptionWithPrevious->getPrevious() !== null ? $exceptionWithPrevious->getPrevious()->getMessage() : null;
+
+        $this->assertSame('This is the previous', $previousMessage);
+    }
+
+    public function testDoesNotHavePrevious()
+    {
+        $exceptionWithoutPrevious = OAuthServerException::accessDenied();
+
+        $this->assertNull($exceptionWithoutPrevious->getPrevious());
+    }
+}
--- a/tests/Grant/AbstractGrantTest.php
+++ b/tests/Grant/AbstractGrantTest.php
@@ -2,7 +2,8 @@

 namespace LeagueTests\Grant;

-use League\Event\Emitter;
+use DateInterval;
+use League\OAuth2\Server\CryptKey;
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 use League\OAuth2\Server\Entities\AuthCodeEntityInterface;
 use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
@@ -23,21 +24,13 @@ use Zend\Diactoros\ServerRequest;

 class AbstractGrantTest extends TestCase
 {
-    public function testGetSet()
-    {
-        /** @var AbstractGrant $grantMock */
-        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
-        $grantMock->setEmitter(new Emitter());
-    }
-
    public function testHttpBasicWithPassword()
    {
        /** @var AbstractGrant $grantMock */
        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
        $abstractGrantReflection = new \ReflectionClass($grantMock);

-        $serverRequest = new ServerRequest();
-        $serverRequest = $serverRequest->withHeader('Authorization', 'Basic ' . base64_encode('Open:Sesame'));
+        $serverRequest = (new ServerRequest())->withHeader('Authorization', 'Basic ' . base64_encode('Open:Sesame'));
        $basicAuthMethod = $abstractGrantReflection->getMethod('getBasicAuthCredentials');
        $basicAuthMethod->setAccessible(true);

@@ -50,8 +43,7 @@ class AbstractGrantTest extends TestCase
        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
        $abstractGrantReflection = new \ReflectionClass($grantMock);

-        $serverRequest = new ServerRequest();
-        $serverRequest = $serverRequest->withHeader('Authorization', 'Basic ' . base64_encode('Open:'));
+        $serverRequest = (new ServerRequest())->withHeader('Authorization', 'Basic ' . base64_encode('Open:'));
        $basicAuthMethod = $abstractGrantReflection->getMethod('getBasicAuthCredentials');
        $basicAuthMethod->setAccessible(true);

@@ -64,8 +56,7 @@ class AbstractGrantTest extends TestCase
        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
        $abstractGrantReflection = new \ReflectionClass($grantMock);

-        $serverRequest = new ServerRequest();
-        $serverRequest = $serverRequest->withHeader('Authorization', 'Foo ' . base64_encode('Open:Sesame'));
+        $serverRequest = (new ServerRequest())->withHeader('Authorization', 'Foo ' . base64_encode('Open:Sesame'));
        $basicAuthMethod = $abstractGrantReflection->getMethod('getBasicAuthCredentials');
        $basicAuthMethod->setAccessible(true);

@@ -78,8 +69,7 @@ class AbstractGrantTest extends TestCase
        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
        $abstractGrantReflection = new \ReflectionClass($grantMock);

-        $serverRequest = new ServerRequest();
-        $serverRequest = $serverRequest->withHeader('Authorization', 'Basic ||');
+        $serverRequest = (new ServerRequest())->withHeader('Authorization', 'Basic ||');
        $basicAuthMethod = $abstractGrantReflection->getMethod('getBasicAuthCredentials');
        $basicAuthMethod->setAccessible(true);

@@ -92,8 +82,7 @@ class AbstractGrantTest extends TestCase
        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
        $abstractGrantReflection = new \ReflectionClass($grantMock);

-        $serverRequest = new ServerRequest();
-        $serverRequest = $serverRequest->withHeader('Authorization', 'Basic ' . base64_encode('OpenSesame'));
+        $serverRequest = (new ServerRequest())->withHeader('Authorization', 'Basic ' . base64_encode('OpenSesame'));
        $basicAuthMethod = $abstractGrantReflection->getMethod('getBasicAuthCredentials');
        $basicAuthMethod->setAccessible(true);

@@ -113,16 +102,14 @@ class AbstractGrantTest extends TestCase

        $abstractGrantReflection = new \ReflectionClass($grantMock);

-        $serverRequest = new ServerRequest();
-        $serverRequest = $serverRequest->withParsedBody(
-            [
-                'client_id' => 'foo',
-            ]
-        );
+        $serverRequest = (new ServerRequest())->withParsedBody([
+            'client_id' => 'foo',
+        ]);
+
        $validateClientMethod = $abstractGrantReflection->getMethod('validateClient');
        $validateClientMethod->setAccessible(true);

-        $result = $validateClientMethod->invoke($grantMock, $serverRequest, true, true);
+        $result = $validateClientMethod->invoke($grantMock, $serverRequest);
        $this->assertEquals($client, $result);
    }

@@ -139,14 +126,12 @@ class AbstractGrantTest extends TestCase

        $abstractGrantReflection = new \ReflectionClass($grantMock);

-        $serverRequest = new ServerRequest();
-        $serverRequest = $serverRequest->withParsedBody(
-            [
-                'client_id'     => 'foo',
-                'client_secret' => 'bar',
-                'redirect_uri'  => 'http://foo/bar',
-            ]
-        );
+        $serverRequest = (new ServerRequest())->withParsedBody([
+            'client_id'     => 'foo',
+            'client_secret' => 'bar',
+            'redirect_uri'  => 'http://foo/bar',
+        ]);
+
        $validateClientMethod = $abstractGrantReflection->getMethod('validateClient');
        $validateClientMethod->setAccessible(true);

@@ -154,9 +139,6 @@ class AbstractGrantTest extends TestCase
        $this->assertEquals($client, $result);
    }

-    /**
-     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
-     */
    public function testValidateClientMissingClientId()
    {
        $client = new ClientEntity();
@@ -173,16 +155,15 @@ class AbstractGrantTest extends TestCase
        $validateClientMethod = $abstractGrantReflection->getMethod('validateClient');
        $validateClientMethod->setAccessible(true);

+        $this->expectException(\League\OAuth2\Server\Exception\OAuthServerException::class);
+
        $validateClientMethod->invoke($grantMock, $serverRequest, true, true);
    }

-    /**
-     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
-     */
    public function testValidateClientMissingClientSecret()
    {
        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
-        $clientRepositoryMock->method('getClientEntity')->willReturn(null);
+        $clientRepositoryMock->method('validateClient')->willReturn(false);

        /** @var AbstractGrant $grantMock */
        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
@@ -190,24 +171,22 @@ class AbstractGrantTest extends TestCase

        $abstractGrantReflection = new \ReflectionClass($grantMock);

-        $serverRequest = new ServerRequest();
-        $serverRequest = $serverRequest->withParsedBody([
+        $serverRequest = (new ServerRequest())->withParsedBody([
            'client_id' => 'foo',
        ]);

        $validateClientMethod = $abstractGrantReflection->getMethod('validateClient');
        $validateClientMethod->setAccessible(true);

+        $this->expectException(\League\OAuth2\Server\Exception\OAuthServerException::class);
+
        $validateClientMethod->invoke($grantMock, $serverRequest, true, true);
    }

-    /**
-     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
-     */
    public function testValidateClientInvalidClientSecret()
    {
        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
-        $clientRepositoryMock->method('getClientEntity')->willReturn(null);
+        $clientRepositoryMock->method('validateClient')->willReturn(false);

        /** @var AbstractGrant $grantMock */
        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
@@ -215,8 +194,7 @@ class AbstractGrantTest extends TestCase

        $abstractGrantReflection = new \ReflectionClass($grantMock);

-        $serverRequest = new ServerRequest();
-        $serverRequest = $serverRequest->withParsedBody([
+        $serverRequest = (new ServerRequest())->withParsedBody([
            'client_id'     => 'foo',
            'client_secret' => 'foo',
        ]);
@@ -224,12 +202,11 @@ class AbstractGrantTest extends TestCase
        $validateClientMethod = $abstractGrantReflection->getMethod('validateClient');
        $validateClientMethod->setAccessible(true);

+        $this->expectException(\League\OAuth2\Server\Exception\OAuthServerException::class);
+
        $validateClientMethod->invoke($grantMock, $serverRequest, true, true);
    }

-    /**
-     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
-     */
    public function testValidateClientInvalidRedirectUri()
    {
        $client = new ClientEntity();
@@ -243,8 +220,7 @@ class AbstractGrantTest extends TestCase

        $abstractGrantReflection = new \ReflectionClass($grantMock);

-        $serverRequest = new ServerRequest();
-        $serverRequest = $serverRequest->withParsedBody([
+        $serverRequest = (new ServerRequest())->withParsedBody([
            'client_id'    => 'foo',
            'redirect_uri' => 'http://bar/foo',
        ]);
@@ -252,12 +228,11 @@ class AbstractGrantTest extends TestCase
        $validateClientMethod = $abstractGrantReflection->getMethod('validateClient');
        $validateClientMethod->setAccessible(true);

+        $this->expectException(\League\OAuth2\Server\Exception\OAuthServerException::class);
+
        $validateClientMethod->invoke($grantMock, $serverRequest, true, true);
    }

-    /**
-     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
-     */
    public function testValidateClientInvalidRedirectUriArray()
    {
        $client = new ClientEntity();
@@ -271,8 +246,7 @@ class AbstractGrantTest extends TestCase

        $abstractGrantReflection = new \ReflectionClass($grantMock);

-        $serverRequest = new ServerRequest();
-        $serverRequest = $serverRequest->withParsedBody([
+        $serverRequest = (new ServerRequest())->withParsedBody([
            'client_id'    => 'foo',
            'redirect_uri' => 'http://bar/foo',
        ]);
@@ -280,16 +254,15 @@ class AbstractGrantTest extends TestCase
        $validateClientMethod = $abstractGrantReflection->getMethod('validateClient');
        $validateClientMethod->setAccessible(true);

+        $this->expectException(\League\OAuth2\Server\Exception\OAuthServerException::class);
+
        $validateClientMethod->invoke($grantMock, $serverRequest, true, true);
    }

-    /**
-     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
-     */
    public function testValidateClientBadClient()
    {
        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
-        $clientRepositoryMock->method('getClientEntity')->willReturn(null);
+        $clientRepositoryMock->method('validateClient')->willReturn(false);

        /** @var AbstractGrant $grantMock */
        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
@@ -297,8 +270,7 @@ class AbstractGrantTest extends TestCase

        $abstractGrantReflection = new \ReflectionClass($grantMock);

-        $serverRequest = new ServerRequest();
-        $serverRequest = $serverRequest->withParsedBody([
+        $serverRequest = (new ServerRequest())->withParsedBody([
            'client_id'     => 'foo',
            'client_secret' => 'bar',
        ]);
@@ -306,6 +278,8 @@ class AbstractGrantTest extends TestCase
        $validateClientMethod = $abstractGrantReflection->getMethod('validateClient');
        $validateClientMethod->setAccessible(true);

+        $this->expectException(\League\OAuth2\Server\Exception\OAuthServerException::class);
+
        $validateClientMethod->invoke($grantMock, $serverRequest, true);
    }

@@ -314,8 +288,7 @@ class AbstractGrantTest extends TestCase
        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
        $grantMock->method('getIdentifier')->willReturn('foobar');

-        $serverRequest = new ServerRequest();
-        $serverRequest = $serverRequest->withParsedBody([
+        $serverRequest = (new ServerRequest())->withParsedBody([
            'grant_type' => 'foobar',
        ]);

@@ -332,7 +305,7 @@ class AbstractGrantTest extends TestCase

        /** @var AbstractGrant $grantMock */
        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
-        $grantMock->setRefreshTokenTTL(new \DateInterval('PT1M'));
+        $grantMock->setRefreshTokenTTL(new DateInterval('PT1M'));
        $grantMock->setRefreshTokenRepository($refreshTokenRepoMock);

        $abstractGrantReflection = new \ReflectionClass($grantMock);
@@ -346,6 +319,27 @@ class AbstractGrantTest extends TestCase
        $this->assertEquals($accessToken, $refreshToken->getAccessToken());
    }

+    public function testIssueNullRefreshToken()
+    {
+        $refreshTokenRepoMock = $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock();
+        $refreshTokenRepoMock
+            ->expects($this->once())
+            ->method('getNewRefreshToken')
+            ->willReturn(null);
+
+        /** @var AbstractGrant $grantMock */
+        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
+        $grantMock->setRefreshTokenTTL(new \DateInterval('PT1M'));
+        $grantMock->setRefreshTokenRepository($refreshTokenRepoMock);
+
+        $abstractGrantReflection = new \ReflectionClass($grantMock);
+        $issueRefreshTokenMethod = $abstractGrantReflection->getMethod('issueRefreshToken');
+        $issueRefreshTokenMethod->setAccessible(true);
+
+        $accessToken = new AccessTokenEntity();
+        $this->assertNull($issueRefreshTokenMethod->invoke($grantMock, $accessToken));
+    }
+
    public function testIssueAccessToken()
    {
        $accessTokenRepoMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
@@ -353,6 +347,7 @@ class AbstractGrantTest extends TestCase

        /** @var AbstractGrant $grantMock */
        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
+        $grantMock->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $grantMock->setAccessTokenRepository($accessTokenRepoMock);

        $abstractGrantReflection = new \ReflectionClass($grantMock);
@@ -362,7 +357,7 @@ class AbstractGrantTest extends TestCase
        /** @var AccessTokenEntityInterface $accessToken */
        $accessToken = $issueAccessTokenMethod->invoke(
            $grantMock,
-            new \DateInterval('PT1H'),
+            new DateInterval('PT1H'),
            new ClientEntity(),
            123,
            [new ScopeEntity()]
@@ -387,7 +382,7 @@ class AbstractGrantTest extends TestCase
            AuthCodeEntityInterface::class,
            $issueAuthCodeMethod->invoke(
                $grantMock,
-                new \DateInterval('PT1H'),
+                new DateInterval('PT1H'),
                new ClientEntity(),
                123,
                'http://foo/bar',
@@ -405,8 +400,7 @@ class AbstractGrantTest extends TestCase
        $method = $abstractGrantReflection->getMethod('getCookieParameter');
        $method->setAccessible(true);

-        $serverRequest = new ServerRequest();
-        $serverRequest = $serverRequest->withCookieParams([
+        $serverRequest = (new ServerRequest())->withCookieParams([
            'foo' => 'bar',
        ]);

@@ -423,8 +417,7 @@ class AbstractGrantTest extends TestCase
        $method = $abstractGrantReflection->getMethod('getQueryStringParameter');
        $method->setAccessible(true);

-        $serverRequest = new ServerRequest();
-        $serverRequest = $serverRequest->withQueryParams([
+        $serverRequest = (new ServerRequest())->withQueryParams([
            'foo' => 'bar',
        ]);

@@ -445,9 +438,6 @@ class AbstractGrantTest extends TestCase
        $this->assertEquals([$scope], $grantMock->validateScopes('basic   '));
    }

-    /**
-     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
-     */
    public function testValidateScopesBadScope()
    {
        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
@@ -457,6 +447,8 @@ class AbstractGrantTest extends TestCase
        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
        $grantMock->setScopeRepository($scopeRepositoryMock);

+        $this->expectException(\League\OAuth2\Server\Exception\OAuthServerException::class);
+
        $grantMock->validateScopes('basic   ');
    }

@@ -468,7 +460,7 @@ class AbstractGrantTest extends TestCase
        $method = $abstractGrantReflection->getMethod('generateUniqueIdentifier');
        $method->setAccessible(true);

-        $this->assertInternalType('string', $method->invoke($grantMock));
+        $this->assertIsString($method->invoke($grantMock));
    }

    public function testCanRespondToAuthorizationRequest()
@@ -477,21 +469,21 @@ class AbstractGrantTest extends TestCase
        $this->assertFalse($grantMock->canRespondToAuthorizationRequest(new ServerRequest()));
    }

-    /**
-     * @expectedException \LogicException
-     */
    public function testValidateAuthorizationRequest()
    {
        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
+
+        $this->expectException(\LogicException::class);
+
        $grantMock->validateAuthorizationRequest(new ServerRequest());
    }

-    /**
-     * @expectedException \LogicException
-     */
    public function testCompleteAuthorizationRequest()
    {
        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
+
+        $this->expectException(\LogicException::class);
+
        $grantMock->completeAuthorizationRequest(new AuthorizationRequest());
    }
 }
--- a/tests/Grant/AuthCodeGrantTest.php
+++ b/tests/Grant/AuthCodeGrantTest.php
--- a/tests/Grant/ClientCredentialsGrantTest.php
+++ b/tests/Grant/ClientCredentialsGrantTest.php
@@ -2,6 +2,8 @@

 namespace LeagueTests\Grant;

+use DateInterval;
+use League\OAuth2\Server\CryptKey;
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 use League\OAuth2\Server\Grant\ClientCredentialsGrant;
 use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
@@ -27,6 +29,8 @@ class ClientCredentialsGrantTest extends TestCase
    public function testRespondToRequest()
    {
        $client = new ClientEntity();
+        $client->setConfidential();
+
        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
        $clientRepositoryMock->method('getClientEntity')->willReturn($client);

@@ -44,17 +48,15 @@ class ClientCredentialsGrantTest extends TestCase
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setScopeRepository($scopeRepositoryMock);
        $grant->setDefaultScope(self::DEFAULT_SCOPE);
+        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));

-        $serverRequest = new ServerRequest();
-        $serverRequest = $serverRequest->withParsedBody(
-            [
-                'client_id'     => 'foo',
-                'client_secret' => 'bar',
-            ]
-        );
+        $serverRequest = (new ServerRequest())->withParsedBody([
+            'client_id'     => 'foo',
+            'client_secret' => 'bar',
+        ]);

        $responseType = new StubResponseType();
-        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new \DateInterval('PT5M'));
+        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new DateInterval('PT5M'));

        $this->assertInstanceOf(AccessTokenEntityInterface::class, $responseType->getAccessToken());
    }
--- a/tests/Grant/ImplicitGrantTest.php
+++ b/tests/Grant/ImplicitGrantTest.php
@@ -2,6 +2,7 @@

 namespace LeagueTests\Grant;

+use DateInterval;
 use League\OAuth2\Server\CryptKey;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException;
@@ -30,56 +31,47 @@ class ImplicitGrantTest extends TestCase
     */
    protected $cryptStub;

-    public function setUp()
+    public function setUp(): void
    {
        $this->cryptStub = new CryptTraitStub();
    }

    public function testGetIdentifier()
    {
-        $grant = new ImplicitGrant(new \DateInterval('PT10M'));
+        $grant = new ImplicitGrant(new DateInterval('PT10M'));
        $this->assertEquals('implicit', $grant->getIdentifier());
    }

    public function testCanRespondToAccessTokenRequest()
    {
-        $grant = new ImplicitGrant(new \DateInterval('PT10M'));
+        $grant = new ImplicitGrant(new DateInterval('PT10M'));

        $this->assertFalse(
            $grant->canRespondToAccessTokenRequest(new ServerRequest())
        );
    }

-    /**
-     * @expectedException \LogicException
-     */
    public function testRespondToAccessTokenRequest()
    {
-        $grant = new ImplicitGrant(new \DateInterval('PT10M'));
+        $grant = new ImplicitGrant(new DateInterval('PT10M'));
+
+        $this->expectException(\LogicException::class);
+
        $grant->respondToAccessTokenRequest(
            new ServerRequest(),
            new StubResponseType(),
-            new \DateInterval('PT10M')
+            new DateInterval('PT10M')
        );
    }

    public function testCanRespondToAuthorizationRequest()
    {
-        $grant = new ImplicitGrant(new \DateInterval('PT10M'));
+        $grant = new ImplicitGrant(new DateInterval('PT10M'));

-        $request = new ServerRequest(
-            [],
-            [],
-            null,
-            null,
-            'php://input',
-            $headers = [],
-            $cookies = [],
-            $queryParams = [
-                'response_type' => 'token',
-                'client_id'     => 'foo',
-            ]
-        );
+        $request = (new ServerRequest())->withQueryParams([
+            'response_type' => 'token',
+            'client_id'     => 'foo',
+        ]);

        $this->assertTrue($grant->canRespondToAuthorizationRequest($request));
    }
@@ -94,27 +86,17 @@ class ImplicitGrantTest extends TestCase
        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
        $scopeEntity = new ScopeEntity();
        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scopeEntity);
-        $scopeRepositoryMock->method('finalizeScopes')->willReturnArgument(0);

-        $grant = new ImplicitGrant(new \DateInterval('PT10M'));
+        $grant = new ImplicitGrant(new DateInterval('PT10M'));
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setScopeRepository($scopeRepositoryMock);
        $grant->setDefaultScope(self::DEFAULT_SCOPE);

-        $request = new ServerRequest(
-            [],
-            [],
-            null,
-            null,
-            'php://input',
-            $headers = [],
-            $cookies = [],
-            $queryParams = [
-                'response_type' => 'code',
-                'client_id'     => 'foo',
-                'redirect_uri'  => 'http://foo/bar',
-            ]
-        );
+        $request = (new ServerRequest())->withQueryParams([
+            'response_type' => 'code',
+            'client_id'     => 'foo',
+            'redirect_uri'  => 'http://foo/bar',
+        ]);

        $this->assertInstanceOf(AuthorizationRequest::class, $grant->validateAuthorizationRequest($request));
    }
@@ -129,91 +111,55 @@ class ImplicitGrantTest extends TestCase
        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
        $scopeEntity = new ScopeEntity();
        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scopeEntity);
-        $scopeRepositoryMock->method('finalizeScopes')->willReturnArgument(0);

-        $grant = new ImplicitGrant(new \DateInterval('PT10M'));
+        $grant = new ImplicitGrant(new DateInterval('PT10M'));
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setScopeRepository($scopeRepositoryMock);
        $grant->setDefaultScope(self::DEFAULT_SCOPE);

-        $request = new ServerRequest(
-            [],
-            [],
-            null,
-            null,
-            'php://input',
-            $headers = [],
-            $cookies = [],
-            $queryParams = [
-                'response_type' => 'code',
-                'client_id'     => 'foo',
-                'redirect_uri'  => 'http://foo/bar',
-            ]
-        );
+        $request = (new ServerRequest())->withQueryParams([
+            'response_type' => 'code',
+            'client_id' => 'foo',
+            'redirect_uri' => 'http://foo/bar',
+        ]);

        $this->assertInstanceOf(AuthorizationRequest::class, $grant->validateAuthorizationRequest($request));
    }

-    /**
-     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
-     * @expectedExceptionCode 3
-     */
    public function testValidateAuthorizationRequestMissingClientId()
    {
        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();

-        $grant = new ImplicitGrant(new \DateInterval('PT10M'));
+        $grant = new ImplicitGrant(new DateInterval('PT10M'));
        $grant->setClientRepository($clientRepositoryMock);

-        $request = new ServerRequest(
-            [],
-            [],
-            null,
-            null,
-            'php://input',
-            $headers = [],
-            $cookies = [],
-            $queryParams = [
-                'response_type' => 'code',
-            ]
-        );
+        $request = (new ServerRequest())->withQueryParams(['response_type' => 'code']);
+
+        $this->expectException(\League\OAuth2\Server\Exception\OAuthServerException::class);
+        $this->expectExceptionCode(3);

        $grant->validateAuthorizationRequest($request);
    }

-    /**
-     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
-     * @expectedExceptionCode 4
-     */
    public function testValidateAuthorizationRequestInvalidClientId()
    {
        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
        $clientRepositoryMock->method('getClientEntity')->willReturn(null);

-        $grant = new ImplicitGrant(new \DateInterval('PT10M'));
+        $grant = new ImplicitGrant(new DateInterval('PT10M'));
        $grant->setClientRepository($clientRepositoryMock);

-        $request = new ServerRequest(
-            [],
-            [],
-            null,
-            null,
-            'php://input',
-            $headers = [],
-            $cookies = [],
-            $queryParams = [
-                'response_type' => 'code',
-                'client_id'     => 'foo',
-            ]
-        );
+        $request = (new ServerRequest())->withQueryParams([
+            'response_type' => 'code',
+            'client_id'     => 'foo',
+        ]);
+
+        $this->expectException(\League\OAuth2\Server\Exception\OAuthServerException::class);
+        $this->expectExceptionCode(4);

        $grant->validateAuthorizationRequest($request);
    }

-    /**
-     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
-     * @expectedExceptionCode 4
-     */
    public function testValidateAuthorizationRequestBadRedirectUriString()
    {
        $client = new ClientEntity();
@@ -221,31 +167,21 @@ class ImplicitGrantTest extends TestCase
        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
        $clientRepositoryMock->method('getClientEntity')->willReturn($client);

-        $grant = new ImplicitGrant(new \DateInterval('PT10M'));
+        $grant = new ImplicitGrant(new DateInterval('PT10M'));
        $grant->setClientRepository($clientRepositoryMock);

-        $request = new ServerRequest(
-            [],
-            [],
-            null,
-            null,
-            'php://input',
-            $headers = [],
-            $cookies = [],
-            $queryParams = [
-                'response_type' => 'code',
-                'client_id'     => 'foo',
-                'redirect_uri'  => 'http://bar',
-            ]
-        );
+        $request = (new ServerRequest())->withQueryParams([
+            'response_type' => 'code',
+            'client_id' => 'foo',
+            'redirect_uri' => 'http://bar',
+        ]);
+
+        $this->expectException(\League\OAuth2\Server\Exception\OAuthServerException::class);
+        $this->expectExceptionCode(4);

        $grant->validateAuthorizationRequest($request);
    }

-    /**
-     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
-     * @expectedExceptionCode 4
-     */
    public function testValidateAuthorizationRequestBadRedirectUriArray()
    {
        $client = new ClientEntity();
@@ -253,50 +189,50 @@ class ImplicitGrantTest extends TestCase
        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
        $clientRepositoryMock->method('getClientEntity')->willReturn($client);

-        $grant = new ImplicitGrant(new \DateInterval('PT10M'));
+        $grant = new ImplicitGrant(new DateInterval('PT10M'));
        $grant->setClientRepository($clientRepositoryMock);

-        $request = new ServerRequest(
-            [],
-            [],
-            null,
-            null,
-            'php://input',
-            $headers = [],
-            $cookies = [],
-            $queryParams = [
-                'response_type' => 'code',
-                'client_id'     => 'foo',
-                'redirect_uri'  => 'http://bar',
-            ]
-        );
+        $request = (new ServerRequest())->withQueryParams([
+            'response_type' => 'code',
+            'client_id'     => 'foo',
+            'redirect_uri'  => 'http://bar',
+        ]);
+
+        $this->expectException(\League\OAuth2\Server\Exception\OAuthServerException::class);
+        $this->expectExceptionCode(4);

        $grant->validateAuthorizationRequest($request);
    }

    public function testCompleteAuthorizationRequest()
    {
+        $client = new ClientEntity();
+        $client->setIdentifier('identifier');
+
        $authRequest = new AuthorizationRequest();
        $authRequest->setAuthorizationApproved(true);
-        $authRequest->setClient(new ClientEntity());
+        $authRequest->setClient($client);
        $authRequest->setGrantTypeId('authorization_code');
        $authRequest->setUser(new UserEntity());

+        $accessToken = new AccessTokenEntity();
+        $accessToken->setClient($client);
+
        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
-        $accessTokenRepositoryMock->method('getNewToken')->willReturn(new AccessTokenEntity());
+        $accessTokenRepositoryMock->method('getNewToken')->willReturn($accessToken);
        $accessTokenRepositoryMock->method('persistNewAccessToken')->willReturnSelf();

+        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
+        $scopeRepositoryMock->method('finalizeScopes')->willReturnArgument(0);
+
        $grant = new ImplicitGrant(new \DateInterval('PT10M'));
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+        $grant->setScopeRepository($scopeRepositoryMock);

        $this->assertInstanceOf(RedirectResponse::class, $grant->completeAuthorizationRequest($authRequest));
    }

-    /**
-     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
-     * @expectedExceptionCode 9
-     */
    public function testCompleteAuthorizationRequestDenied()
    {
        $authRequest = new AuthorizationRequest();
@@ -309,38 +245,51 @@ class ImplicitGrantTest extends TestCase
        $accessTokenRepositoryMock->method('getNewToken')->willReturn(new AccessTokenEntity());
        $accessTokenRepositoryMock->method('persistNewAccessToken')->willReturnSelf();

+        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
+        $scopeRepositoryMock->method('finalizeScopes')->willReturnArgument(0);
+
        $grant = new ImplicitGrant(new \DateInterval('PT10M'));
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+        $grant->setScopeRepository($scopeRepositoryMock);
+
+        $this->expectException(\League\OAuth2\Server\Exception\OAuthServerException::class);
+        $this->expectExceptionCode(9);

        $grant->completeAuthorizationRequest($authRequest);
    }

    public function testAccessTokenRepositoryUniqueConstraintCheck()
    {
+        $client = new ClientEntity();
+        $client->setIdentifier('identifier');
+
        $authRequest = new AuthorizationRequest();
        $authRequest->setAuthorizationApproved(true);
-        $authRequest->setClient(new ClientEntity());
+        $authRequest->setClient($client);
        $authRequest->setGrantTypeId('authorization_code');
        $authRequest->setUser(new UserEntity());

-        /** @var AccessTokenRepositoryInterface|\PHPUnit_Framework_MockObject_MockObject $accessTokenRepositoryMock */
+        $accessToken = new AccessTokenEntity();
+        $accessToken->setClient($client);
+
+        /** @var AccessTokenRepositoryInterface|\PHPUnit\Framework\MockObject\MockObject $accessTokenRepositoryMock */
        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
-        $accessTokenRepositoryMock->method('getNewToken')->willReturn(new AccessTokenEntity());
+        $accessTokenRepositoryMock->method('getNewToken')->willReturn($accessToken);
        $accessTokenRepositoryMock->expects($this->at(0))->method('persistNewAccessToken')->willThrowException(UniqueTokenIdentifierConstraintViolationException::create());
        $accessTokenRepositoryMock->expects($this->at(1))->method('persistNewAccessToken')->willReturnSelf();

+        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
+        $scopeRepositoryMock->method('finalizeScopes')->willReturnArgument(0);
+
        $grant = new ImplicitGrant(new \DateInterval('PT10M'));
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+        $grant->setScopeRepository($scopeRepositoryMock);

        $this->assertInstanceOf(RedirectResponse::class, $grant->completeAuthorizationRequest($authRequest));
    }

-    /**
-     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
-     * @expectedExceptionCode 7
-     */
    public function testAccessTokenRepositoryFailToPersist()
    {
        $authRequest = new AuthorizationRequest();
@@ -349,22 +298,25 @@ class ImplicitGrantTest extends TestCase
        $authRequest->setGrantTypeId('authorization_code');
        $authRequest->setUser(new UserEntity());

-        /** @var AccessTokenRepositoryInterface|\PHPUnit_Framework_MockObject_MockObject $accessTokenRepositoryMock */
+        /** @var AccessTokenRepositoryInterface|\PHPUnit\Framework\MockObject\MockObject $accessTokenRepositoryMock */
        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
        $accessTokenRepositoryMock->method('getNewToken')->willReturn(new AccessTokenEntity());
        $accessTokenRepositoryMock->method('persistNewAccessToken')->willThrowException(OAuthServerException::serverError('something bad happened'));

+        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
+        $scopeRepositoryMock->method('finalizeScopes')->willReturnArgument(0);
+
        $grant = new ImplicitGrant(new \DateInterval('PT10M'));
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+        $grant->setScopeRepository($scopeRepositoryMock);
+
+        $this->expectException(\League\OAuth2\Server\Exception\OAuthServerException::class);
+        $this->expectExceptionCode(7);

        $grant->completeAuthorizationRequest($authRequest);
    }

-    /**
-     * @expectedException \League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException
-     * @expectedExceptionCode 100
-     */
    public function testAccessTokenRepositoryFailToPersistUniqueNoInfiniteLoop()
    {
        $authRequest = new AuthorizationRequest();
@@ -373,43 +325,51 @@ class ImplicitGrantTest extends TestCase
        $authRequest->setGrantTypeId('authorization_code');
        $authRequest->setUser(new UserEntity());

-        /** @var AccessTokenRepositoryInterface|\PHPUnit_Framework_MockObject_MockObject $accessTokenRepositoryMock */
+        /** @var AccessTokenRepositoryInterface|\PHPUnit\Framework\MockObject\MockObject $accessTokenRepositoryMock */
        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
        $accessTokenRepositoryMock->method('getNewToken')->willReturn(new AccessTokenEntity());
        $accessTokenRepositoryMock->method('persistNewAccessToken')->willThrowException(UniqueTokenIdentifierConstraintViolationException::create());

+        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
+        $scopeRepositoryMock->method('finalizeScopes')->willReturnArgument(0);
+
        $grant = new ImplicitGrant(new \DateInterval('PT10M'));
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+        $grant->setScopeRepository($scopeRepositoryMock);
+
+        $this->expectException(\League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException::class);
+        $this->expectExceptionCode(100);

        $grant->completeAuthorizationRequest($authRequest);
    }

-    /**
-     * @expectedException \LogicException
-     */
    public function testSetRefreshTokenTTL()
    {
-        $grant = new ImplicitGrant(new \DateInterval('PT10M'));
-        $grant->setRefreshTokenTTL(new \DateInterval('PT10M'));
+        $grant = new ImplicitGrant(new DateInterval('PT10M'));
+
+        $this->expectException(\LogicException::class);
+
+        $grant->setRefreshTokenTTL(new DateInterval('PT10M'));
    }

-    /**
-     * @expectedException \LogicException
-     */
    public function testSetRefreshTokenRepository()
    {
-        $grant = new ImplicitGrant(new \DateInterval('PT10M'));
+        $grant = new ImplicitGrant(new DateInterval('PT10M'));
+
        $refreshTokenRepositoryMock = $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock();
+
+        $this->expectException(\LogicException::class);
+
        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
    }

-    /**
-     * @expectedException \LogicException
-     */
    public function testCompleteAuthorizationRequestNoUser()
    {
-        $grant = new ImplicitGrant(new \DateInterval('PT10M'));
+        $grant = new ImplicitGrant(new DateInterval('PT10M'));
+
+        $this->expectException(\LogicException::class);
+
        $grant->completeAuthorizationRequest(new AuthorizationRequest());
    }
 }
--- a/tests/Grant/PasswordGrantTest.php
+++ b/tests/Grant/PasswordGrantTest.php
@@ -2,6 +2,8 @@

 namespace LeagueTests\Grant;

+use DateInterval;
+use League\OAuth2\Server\CryptKey;
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
 use League\OAuth2\Server\Grant\PasswordGrant;
@@ -60,27 +62,65 @@ class PasswordGrantTest extends TestCase
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setScopeRepository($scopeRepositoryMock);
        $grant->setDefaultScope(self::DEFAULT_SCOPE);
+        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));

-        $serverRequest = new ServerRequest();
-        $serverRequest = $serverRequest->withParsedBody(
-            [
-                'client_id'     => 'foo',
-                'client_secret' => 'bar',
-                'username'      => 'foo',
-                'password'      => 'bar',
-            ]
-        );
+        $serverRequest = (new ServerRequest())->withParsedBody([
+            'client_id'     => 'foo',
+            'client_secret' => 'bar',
+            'username'      => 'foo',
+            'password'      => 'bar',
+        ]);

        $responseType = new StubResponseType();
-        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new \DateInterval('PT5M'));
+        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new DateInterval('PT5M'));

        $this->assertInstanceOf(AccessTokenEntityInterface::class, $responseType->getAccessToken());
        $this->assertInstanceOf(RefreshTokenEntityInterface::class, $responseType->getRefreshToken());
    }

-    /**
-     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
-     */
+    public function testRespondToRequestNullRefreshToken()
+    {
+        $client = new ClientEntity();
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+        $accessTokenRepositoryMock->method('getNewToken')->willReturn(new AccessTokenEntity());
+        $accessTokenRepositoryMock->method('persistNewAccessToken')->willReturnSelf();
+
+        $userRepositoryMock = $this->getMockBuilder(UserRepositoryInterface::class)->getMock();
+        $userEntity = new UserEntity();
+        $userRepositoryMock->method('getUserEntityByUserCredentials')->willReturn($userEntity);
+
+        $scope = new ScopeEntity();
+        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
+        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scope);
+        $scopeRepositoryMock->method('finalizeScopes')->willReturnArgument(0);
+
+        $refreshTokenRepositoryMock = $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock();
+        $refreshTokenRepositoryMock->method('getNewRefreshToken')->willReturn(null);
+
+        $grant = new PasswordGrant($userRepositoryMock, $refreshTokenRepositoryMock);
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+        $grant->setScopeRepository($scopeRepositoryMock);
+        $grant->setDefaultScope(self::DEFAULT_SCOPE);
+        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
+
+        $serverRequest = (new ServerRequest())->withParsedBody([
+            'client_id'     => 'foo',
+            'client_secret' => 'bar',
+            'username'      => 'foo',
+            'password'      => 'bar',
+        ]);
+
+        $responseType = new StubResponseType();
+        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new \DateInterval('PT5M'));
+
+        $this->assertInstanceOf(AccessTokenEntityInterface::class, $responseType->getAccessToken());
+        $this->assertNull($responseType->getRefreshToken());
+    }
+
    public function testRespondToRequestMissingUsername()
    {
        $client = new ClientEntity();
@@ -97,21 +137,18 @@ class PasswordGrantTest extends TestCase
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);

-        $serverRequest = new ServerRequest();
-        $serverRequest = $serverRequest->withParsedBody(
-            [
-                'client_id'     => 'foo',
-                'client_secret' => 'bar',
-            ]
-        );
+        $serverRequest = (new ServerRequest())->withQueryParams([
+            'client_id'     => 'foo',
+            'client_secret' => 'bar',
+        ]);

        $responseType = new StubResponseType();
-        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new \DateInterval('PT5M'));
+
+        $this->expectException(\League\OAuth2\Server\Exception\OAuthServerException::class);
+
+        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new DateInterval('PT5M'));
    }

-    /**
-     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
-     */
    public function testRespondToRequestMissingPassword()
    {
        $client = new ClientEntity();
@@ -128,22 +165,19 @@ class PasswordGrantTest extends TestCase
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);

-        $serverRequest = new ServerRequest();
-        $serverRequest = $serverRequest->withParsedBody(
-            [
-                'client_id'     => 'foo',
-                'client_secret' => 'bar',
-                'username'      => 'alex',
-            ]
-        );
+        $serverRequest = (new ServerRequest())->withParsedBody([
+            'client_id'     => 'foo',
+            'client_secret' => 'bar',
+            'username'      => 'alex',
+        ]);

        $responseType = new StubResponseType();
-        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new \DateInterval('PT5M'));
+
+        $this->expectException(\League\OAuth2\Server\Exception\OAuthServerException::class);
+
+        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new DateInterval('PT5M'));
    }

-    /**
-     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
-     */
    public function testRespondToRequestBadCredentials()
    {
        $client = new ClientEntity();
@@ -161,17 +195,18 @@ class PasswordGrantTest extends TestCase
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);

-        $serverRequest = new ServerRequest();
-        $serverRequest = $serverRequest->withParsedBody(
-            [
-                'client_id'     => 'foo',
-                'client_secret' => 'bar',
-                'username'      => 'alex',
-                'password'      => 'whisky',
-            ]
-        );
+        $serverRequest = (new ServerRequest())->withParsedBody([
+            'client_id' => 'foo',
+            'client_secret' => 'bar',
+            'username' => 'alex',
+            'password' => 'whisky',
+        ]);

        $responseType = new StubResponseType();
-        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new \DateInterval('PT5M'));
+
+        $this->expectException(\League\OAuth2\Server\Exception\OAuthServerException::class);
+        $this->expectExceptionCode(10);
+
+        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new DateInterval('PT5M'));
    }
 }
--- a/tests/Grant/RefreshTokenGrantTest.php
+++ b/tests/Grant/RefreshTokenGrantTest.php
@@ -2,6 +2,7 @@

 namespace LeagueTests\Grant;

+use DateInterval;
 use League\OAuth2\Server\CryptKey;
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
@@ -26,7 +27,7 @@ class RefreshTokenGrantTest extends TestCase
     */
    protected $cryptStub;

-    public function setUp()
+    public function setUp(): void
    {
        $this->cryptStub = new CryptTraitStub();
    }
@@ -79,8 +80,63 @@ class RefreshTokenGrantTest extends TestCase
            )
        );

-        $serverRequest = new ServerRequest();
-        $serverRequest = $serverRequest->withParsedBody([
+        $serverRequest = (new ServerRequest())->withParsedBody([
+            'client_id'     => 'foo',
+            'client_secret' => 'bar',
+            'refresh_token' => $oldRefreshToken,
+            'scopes'        => ['foo'],
+        ]);
+
+        $responseType = new StubResponseType();
+        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new DateInterval('PT5M'));
+
+        $this->assertInstanceOf(AccessTokenEntityInterface::class, $responseType->getAccessToken());
+        $this->assertInstanceOf(RefreshTokenEntityInterface::class, $responseType->getRefreshToken());
+    }
+
+    public function testRespondToRequestNullRefreshToken()
+    {
+        $client = new ClientEntity();
+        $client->setIdentifier('foo');
+
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $scopeEntity = new ScopeEntity();
+        $scopeEntity->setIdentifier('foo');
+
+        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
+        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scopeEntity);
+
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+        $accessTokenRepositoryMock->method('getNewToken')->willReturn(new AccessTokenEntity());
+        $accessTokenRepositoryMock->expects($this->once())->method('persistNewAccessToken')->willReturnSelf();
+
+        $refreshTokenRepositoryMock = $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock();
+        $refreshTokenRepositoryMock->method('getNewRefreshToken')->willReturn(null);
+        $refreshTokenRepositoryMock->expects($this->never())->method('persistNewRefreshToken');
+
+        $grant = new RefreshTokenGrant($refreshTokenRepositoryMock);
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setScopeRepository($scopeRepositoryMock);
+        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+        $grant->setEncryptionKey($this->cryptStub->getKey());
+        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
+
+        $oldRefreshToken = $this->cryptStub->doEncrypt(
+            json_encode(
+                [
+                    'client_id'        => 'foo',
+                    'refresh_token_id' => 'zyxwvu',
+                    'access_token_id'  => 'abcdef',
+                    'scopes'           => ['foo'],
+                    'user_id'          => 123,
+                    'expire_time'      => time() + 3600,
+                ]
+            )
+        );
+
+        $serverRequest = (new ServerRequest())->withParsedBody([
            'client_id'     => 'foo',
            'client_secret' => 'bar',
            'refresh_token' => $oldRefreshToken,
@@ -91,7 +147,7 @@ class RefreshTokenGrantTest extends TestCase
        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new \DateInterval('PT5M'));

        $this->assertInstanceOf(AccessTokenEntityInterface::class, $responseType->getAccessToken());
-        $this->assertInstanceOf(RefreshTokenEntityInterface::class, $responseType->getRefreshToken());
+        $this->assertNull($responseType->getRefreshToken());
    }

    public function testRespondToReducedScopes()
@@ -134,27 +190,20 @@ class RefreshTokenGrantTest extends TestCase
            )
        );

-        $serverRequest = new ServerRequest();
-        $serverRequest = $serverRequest->withParsedBody(
-            [
-                'client_id'     => 'foo',
-                'client_secret' => 'bar',
-                'refresh_token' => $oldRefreshToken,
-                'scope'         => 'foo',
-            ]
-        );
+        $serverRequest = (new ServerRequest())->withParsedBody([
+            'client_id'     => 'foo',
+            'client_secret' => 'bar',
+            'refresh_token' => $oldRefreshToken,
+            'scope'         => 'foo',
+        ]);

        $responseType = new StubResponseType();
-        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new \DateInterval('PT5M'));
+        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new DateInterval('PT5M'));

        $this->assertInstanceOf(AccessTokenEntityInterface::class, $responseType->getAccessToken());
        $this->assertInstanceOf(RefreshTokenEntityInterface::class, $responseType->getRefreshToken());
    }

-    /**
-     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
-     * @expectedExceptionCode 5
-     */
    public function testRespondToUnexpectedScope()
    {
        $client = new ClientEntity();
@@ -193,24 +242,21 @@ class RefreshTokenGrantTest extends TestCase
            )
        );

-        $serverRequest = new ServerRequest();
-        $serverRequest = $serverRequest->withParsedBody(
-            [
-                'client_id'     => 'foo',
-                'client_secret' => 'bar',
-                'refresh_token' => $oldRefreshToken,
-                'scope'         => 'foobar',
-            ]
-        );
+        $serverRequest = (new ServerRequest())->withParsedBody([
+            'client_id'     => 'foo',
+            'client_secret' => 'bar',
+            'refresh_token' => $oldRefreshToken,
+            'scope'         => 'foobar',
+        ]);

        $responseType = new StubResponseType();
-        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new \DateInterval('PT5M'));
+
+        $this->expectException(\League\OAuth2\Server\Exception\OAuthServerException::class);
+        $this->expectExceptionCode(5);
+
+        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new DateInterval('PT5M'));
    }

-    /**
-     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
-     * @expectedExceptionCode 3
-     */
    public function testRespondToRequestMissingOldToken()
    {
        $client = new ClientEntity();
@@ -227,22 +273,19 @@ class RefreshTokenGrantTest extends TestCase
        $grant->setEncryptionKey($this->cryptStub->getKey());
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));

-        $serverRequest = new ServerRequest();
-        $serverRequest = $serverRequest->withParsedBody(
-            [
-                'client_id'     => 'foo',
-                'client_secret' => 'bar',
-            ]
-        );
+        $serverRequest = (new ServerRequest())->withParsedBody([
+            'client_id'     => 'foo',
+            'client_secret' => 'bar',
+        ]);

        $responseType = new StubResponseType();
-        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new \DateInterval('PT5M'));
+
+        $this->expectException(\League\OAuth2\Server\Exception\OAuthServerException::class);
+        $this->expectExceptionCode(3);
+
+        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new DateInterval('PT5M'));
    }

-    /**
-     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
-     * @expectedExceptionCode 8
-     */
    public function testRespondToRequestInvalidOldToken()
    {
        $client = new ClientEntity();
@@ -261,23 +304,20 @@ class RefreshTokenGrantTest extends TestCase

        $oldRefreshToken = 'foobar';

-        $serverRequest = new ServerRequest();
-        $serverRequest = $serverRequest->withParsedBody(
-            [
-                'client_id'     => 'foo',
-                'client_secret' => 'bar',
-                'refresh_token' => $oldRefreshToken,
-            ]
-        );
+        $serverRequest = (new ServerRequest())->withParsedBody([
+            'client_id'     => 'foo',
+            'client_secret' => 'bar',
+            'refresh_token' => $oldRefreshToken,
+        ]);

        $responseType = new StubResponseType();
-        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new \DateInterval('PT5M'));
+
+        $this->expectException(\League\OAuth2\Server\Exception\OAuthServerException::class);
+        $this->expectExceptionCode(8);
+
+        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new DateInterval('PT5M'));
    }

-    /**
-     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
-     * @expectedExceptionCode 8
-     */
    public function testRespondToRequestClientMismatch()
    {
        $client = new ClientEntity();
@@ -310,23 +350,20 @@ class RefreshTokenGrantTest extends TestCase
            )
        );

-        $serverRequest = new ServerRequest();
-        $serverRequest = $serverRequest->withParsedBody(
-            [
-                'client_id'     => 'foo',
-                'client_secret' => 'bar',
-                'refresh_token' => $oldRefreshToken,
-            ]
-        );
+        $serverRequest = (new ServerRequest())->withParsedBody([
+            'client_id'     => 'foo',
+            'client_secret' => 'bar',
+            'refresh_token' => $oldRefreshToken,
+        ]);

        $responseType = new StubResponseType();
-        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new \DateInterval('PT5M'));
+
+        $this->expectException(\League\OAuth2\Server\Exception\OAuthServerException::class);
+        $this->expectExceptionCode(8);
+
+        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new DateInterval('PT5M'));
    }

-    /**
-     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
-     * @expectedExceptionCode 8
-     */
    public function testRespondToRequestExpiredToken()
    {
        $client = new ClientEntity();
@@ -356,23 +393,20 @@ class RefreshTokenGrantTest extends TestCase
            )
        );

-        $serverRequest = new ServerRequest();
-        $serverRequest = $serverRequest->withParsedBody(
-            [
-                'client_id'     => 'foo',
-                'client_secret' => 'bar',
-                'refresh_token' => $oldRefreshToken,
-            ]
-        );
+        $serverRequest = (new ServerRequest())->withParsedBody([
+            'client_id'     => 'foo',
+            'client_secret' => 'bar',
+            'refresh_token' => $oldRefreshToken,
+        ]);

        $responseType = new StubResponseType();
-        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new \DateInterval('PT5M'));
+
+        $this->expectException(\League\OAuth2\Server\Exception\OAuthServerException::class);
+        $this->expectExceptionCode(8);
+
+        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new DateInterval('PT5M'));
    }

-    /**
-     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
-     * @expectedExceptionCode 8
-     */
    public function testRespondToRequestRevokedToken()
    {
        $client = new ClientEntity();
@@ -403,16 +437,17 @@ class RefreshTokenGrantTest extends TestCase
            )
        );

-        $serverRequest = new ServerRequest();
-        $serverRequest = $serverRequest->withParsedBody(
-            [
-                'client_id'     => 'foo',
-                'client_secret' => 'bar',
-                'refresh_token' => $oldRefreshToken,
-            ]
-        );
+        $serverRequest = (new ServerRequest())->withParsedBody([
+            'client_id'     => 'foo',
+            'client_secret' => 'bar',
+            'refresh_token' => $oldRefreshToken,
+        ]);

        $responseType = new StubResponseType();
-        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new \DateInterval('PT5M'));
+
+        $this->expectException(\League\OAuth2\Server\Exception\OAuthServerException::class);
+        $this->expectExceptionCode(8);
+
+        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new DateInterval('PT5M'));
    }
 }
--- a/tests/Middleware/AuthorizationServerMiddlewareTest.php
+++ b/tests/Middleware/AuthorizationServerMiddlewareTest.php
@@ -2,6 +2,7 @@

 namespace LeagueTests\Middleware;

+use DateInterval;
 use League\OAuth2\Server\AuthorizationServer;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Grant\ClientCredentialsGrant;
@@ -23,8 +24,11 @@ class AuthorizationServerMiddlewareTest extends TestCase

    public function testValidResponse()
    {
+        $client = new ClientEntity();
+        $client->setConfidential();
+
        $clientRepository = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
-        $clientRepository->method('getClientEntity')->willReturn(new ClientEntity());
+        $clientRepository->method('getClientEntity')->willReturn($client);

        $scopeEntity = new ScopeEntity;
        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
@@ -66,7 +70,7 @@ class AuthorizationServerMiddlewareTest extends TestCase
    public function testOAuthErrorResponse()
    {
        $clientRepository = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
-        $clientRepository->method('getClientEntity')->willReturn(null);
+        $clientRepository->method('validateClient')->willReturn(false);

        $server = new AuthorizationServer(
            $clientRepository,
@@ -77,7 +81,7 @@ class AuthorizationServerMiddlewareTest extends TestCase
            new StubResponseType()
        );

-        $server->enableGrantType(new ClientCredentialsGrant(), new \DateInterval('PT1M'));
+        $server->enableGrantType(new ClientCredentialsGrant(), new DateInterval('PT1M'));

        $_POST['grant_type'] = 'client_credentials';
        $_POST['client_id'] = 'foo';
@@ -104,7 +108,7 @@ class AuthorizationServerMiddlewareTest extends TestCase
        $response = $exception->generateHttpResponse(new Response());

        $this->assertEquals(302, $response->getStatusCode());
-        $this->assertEquals('http://foo/bar?error=invalid_scope&message=The+requested+scope+is+invalid%2C+unknown%2C+or+malformed&hint=Check+the+%60test%60+scope',
+        $this->assertEquals('http://foo/bar?error=invalid_scope&error_description=The+requested+scope+is+invalid%2C+unknown%2C+or+malformed&hint=Check+the+%60test%60+scope&message=The+requested+scope+is+invalid%2C+unknown%2C+or+malformed',
            $response->getHeader('location')[0]);
    }

@@ -114,7 +118,7 @@ class AuthorizationServerMiddlewareTest extends TestCase
        $response = $exception->generateHttpResponse(new Response(), true);

        $this->assertEquals(302, $response->getStatusCode());
-        $this->assertEquals('http://foo/bar#error=invalid_scope&message=The+requested+scope+is+invalid%2C+unknown%2C+or+malformed&hint=Check+the+%60test%60+scope',
+        $this->assertEquals('http://foo/bar#error=invalid_scope&error_description=The+requested+scope+is+invalid%2C+unknown%2C+or+malformed&hint=Check+the+%60test%60+scope&message=The+requested+scope+is+invalid%2C+unknown%2C+or+malformed',
            $response->getHeader('location')[0]);
    }
 }
--- a/tests/Middleware/ResourceServerMiddlewareTest.php
+++ b/tests/Middleware/ResourceServerMiddlewareTest.php
@@ -2,6 +2,8 @@

 namespace LeagueTests\Middleware;

+use DateInterval;
+use DateTimeImmutable;
 use League\OAuth2\Server\CryptKey;
 use League\OAuth2\Server\Middleware\ResourceServerMiddleware;
 use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
@@ -27,13 +29,13 @@ class ResourceServerMiddlewareTest extends TestCase
        $accessToken = new AccessTokenEntity();
        $accessToken->setIdentifier('test');
        $accessToken->setUserIdentifier(123);
-        $accessToken->setExpiryDateTime((new \DateTime())->add(new \DateInterval('PT1H')));
+        $accessToken->setExpiryDateTime((new DateTimeImmutable())->add(new DateInterval('PT1H')));
        $accessToken->setClient($client);
+        $accessToken->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));

-        $token = $accessToken->convertToJWT(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
+        $token = (string) $accessToken;

-        $request = new ServerRequest();
-        $request = $request->withHeader('authorization', sprintf('Bearer %s', $token));
+        $request = (new ServerRequest())->withHeader('authorization', sprintf('Bearer %s', $token));

        $middleware = new ResourceServerMiddleware($server);
        $response = $middleware->__invoke(
@@ -62,13 +64,13 @@ class ResourceServerMiddlewareTest extends TestCase
        $accessToken = new AccessTokenEntity();
        $accessToken->setIdentifier('test');
        $accessToken->setUserIdentifier(123);
-        $accessToken->setExpiryDateTime((new \DateTime())->sub(new \DateInterval('PT1H')));
+        $accessToken->setExpiryDateTime((new DateTimeImmutable())->sub(new DateInterval('PT1H')));
        $accessToken->setClient($client);
+        $accessToken->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));

-        $token = $accessToken->convertToJWT(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
+        $token = (string) $accessToken;

-        $request = new ServerRequest();
-        $request = $request->withHeader('authorization', sprintf('Bearer %s', $token));
+        $request = (new ServerRequest())->withHeader('authorization', sprintf('Bearer %s', $token));

        $middleware = new ResourceServerMiddleware($server);
        $response = $middleware->__invoke(
@@ -91,8 +93,7 @@ class ResourceServerMiddlewareTest extends TestCase
            'file://' . __DIR__ . '/../Stubs/public.key'
        );

-        $request = new ServerRequest();
-        $request = $request->withHeader('authorization', '');
+        $request = (new ServerRequest())->withHeader('authorization', '');

        $middleware = new ResourceServerMiddleware($server);
        $response = $middleware->__invoke(
--- a/tests/ResponseTypes/BearerResponseTypeTest.php
+++ b/tests/ResponseTypes/BearerResponseTypeTest.php
@@ -2,6 +2,8 @@

 namespace LeagueTests\ResponseTypes;

+use DateInterval;
+use DateTimeImmutable;
 use League\OAuth2\Server\AuthorizationValidators\BearerTokenValidator;
 use League\OAuth2\Server\CryptKey;
 use League\OAuth2\Server\Exception\OAuthServerException;
@@ -32,14 +34,15 @@ class BearerResponseTypeTest extends TestCase

        $accessToken = new AccessTokenEntity();
        $accessToken->setIdentifier('abcdef');
-        $accessToken->setExpiryDateTime((new \DateTime())->add(new \DateInterval('PT1H')));
+        $accessToken->setExpiryDateTime((new DateTimeImmutable())->add(new DateInterval('PT1H')));
        $accessToken->setClient($client);
        $accessToken->addScope($scope);
+        $accessToken->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));

        $refreshToken = new RefreshTokenEntity();
        $refreshToken->setIdentifier('abcdef');
        $refreshToken->setAccessToken($accessToken);
-        $refreshToken->setExpiryDateTime((new \DateTime())->add(new \DateInterval('PT1H')));
+        $refreshToken->setExpiryDateTime((new DateTimeImmutable())->add(new DateInterval('PT1H')));

        $responseType->setAccessToken($accessToken);
        $responseType->setRefreshToken($refreshToken);
@@ -54,7 +57,7 @@ class BearerResponseTypeTest extends TestCase

        $response->getBody()->rewind();
        $json = json_decode($response->getBody()->getContents());
-        $this->assertAttributeEquals('Bearer', 'token_type', $json);
+        $this->assertEquals('Bearer', $json->token_type);
        $this->assertObjectHasAttribute('expires_in', $json);
        $this->assertObjectHasAttribute('access_token', $json);
        $this->assertObjectHasAttribute('refresh_token', $json);
@@ -74,14 +77,15 @@ class BearerResponseTypeTest extends TestCase

        $accessToken = new AccessTokenEntity();
        $accessToken->setIdentifier('abcdef');
-        $accessToken->setExpiryDateTime((new \DateTime())->add(new \DateInterval('PT1H')));
+        $accessToken->setExpiryDateTime((new DateTimeImmutable())->add(new DateInterval('PT1H')));
        $accessToken->setClient($client);
        $accessToken->addScope($scope);
+        $accessToken->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));

        $refreshToken = new RefreshTokenEntity();
        $refreshToken->setIdentifier('abcdef');
        $refreshToken->setAccessToken($accessToken);
-        $refreshToken->setExpiryDateTime((new \DateTime())->add(new \DateInterval('PT1H')));
+        $refreshToken->setExpiryDateTime((new DateTimeImmutable())->add(new DateInterval('PT1H')));

        $responseType->setAccessToken($accessToken);
        $responseType->setRefreshToken($refreshToken);
@@ -96,13 +100,13 @@ class BearerResponseTypeTest extends TestCase

        $response->getBody()->rewind();
        $json = json_decode($response->getBody()->getContents());
-        $this->assertAttributeEquals('Bearer', 'token_type', $json);
+        $this->assertEquals('Bearer', $json->token_type);
        $this->assertObjectHasAttribute('expires_in', $json);
        $this->assertObjectHasAttribute('access_token', $json);
        $this->assertObjectHasAttribute('refresh_token', $json);

        $this->assertObjectHasAttribute('foo', $json);
-        $this->assertAttributeEquals('bar', 'foo', $json);
+        $this->assertEquals('bar', $json->foo);
    }

    public function testDetermineAccessTokenInHeaderValidToken()
@@ -117,13 +121,14 @@ class BearerResponseTypeTest extends TestCase
        $accessToken = new AccessTokenEntity();
        $accessToken->setIdentifier('abcdef');
        $accessToken->setUserIdentifier(123);
-        $accessToken->setExpiryDateTime((new \DateTime())->add(new \DateInterval('PT1H')));
+        $accessToken->setExpiryDateTime((new DateTimeImmutable())->add(new DateInterval('PT1H')));
        $accessToken->setClient($client);
+        $accessToken->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));

        $refreshToken = new RefreshTokenEntity();
        $refreshToken->setIdentifier('abcdef');
        $refreshToken->setAccessToken($accessToken);
-        $refreshToken->setExpiryDateTime((new \DateTime())->add(new \DateInterval('PT1H')));
+        $refreshToken->setExpiryDateTime((new DateTimeImmutable())->add(new DateInterval('PT1H')));

        $responseType->setAccessToken($accessToken);
        $responseType->setRefreshToken($refreshToken);
@@ -137,8 +142,7 @@ class BearerResponseTypeTest extends TestCase
        $authorizationValidator = new BearerTokenValidator($accessTokenRepositoryMock);
        $authorizationValidator->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));

-        $request = new ServerRequest();
-        $request = $request->withHeader('authorization', sprintf('Bearer %s', $json->access_token));
+        $request = (new ServerRequest())->withHeader('authorization', sprintf('Bearer %s', $json->access_token));

        $request = $authorizationValidator->validateAuthorization($request);

@@ -162,13 +166,14 @@ class BearerResponseTypeTest extends TestCase
        $accessToken = new AccessTokenEntity();
        $accessToken->setIdentifier('abcdef');
        $accessToken->setUserIdentifier(123);
-        $accessToken->setExpiryDateTime((new \DateTime())->add(new \DateInterval('PT1H')));
+        $accessToken->setExpiryDateTime((new DateTimeImmutable())->add(new DateInterval('PT1H')));
        $accessToken->setClient($client);
+        $accessToken->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));

        $refreshToken = new RefreshTokenEntity();
        $refreshToken->setIdentifier('abcdef');
        $refreshToken->setAccessToken($accessToken);
-        $refreshToken->setExpiryDateTime((new \DateTime())->add(new \DateInterval('PT1H')));
+        $refreshToken->setExpiryDateTime((new DateTimeImmutable())->add(new DateInterval('PT1H')));

        $responseType->setAccessToken($accessToken);
        $responseType->setRefreshToken($refreshToken);
@@ -179,8 +184,7 @@ class BearerResponseTypeTest extends TestCase
        $authorizationValidator = new BearerTokenValidator($accessTokenRepositoryMock);
        $authorizationValidator->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));

-        $request = new ServerRequest();
-        $request = $request->withHeader('authorization', sprintf('Bearer %s', $json->access_token . 'foo'));
+        $request = (new ServerRequest())->withHeader('authorization', sprintf('Bearer %s', $json->access_token . 'foo'));

        try {
            $authorizationValidator->validateAuthorization($request);
@@ -204,13 +208,14 @@ class BearerResponseTypeTest extends TestCase
        $accessToken = new AccessTokenEntity();
        $accessToken->setIdentifier('abcdef');
        $accessToken->setUserIdentifier(123);
-        $accessToken->setExpiryDateTime((new \DateTime())->add(new \DateInterval('PT1H')));
+        $accessToken->setExpiryDateTime((new DateTimeImmutable())->add(new DateInterval('PT1H')));
        $accessToken->setClient($client);
+        $accessToken->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));

        $refreshToken = new RefreshTokenEntity();
        $refreshToken->setIdentifier('abcdef');
        $refreshToken->setAccessToken($accessToken);
-        $refreshToken->setExpiryDateTime((new \DateTime())->add(new \DateInterval('PT1H')));
+        $refreshToken->setExpiryDateTime((new DateTimeImmutable())->add(new DateInterval('PT1H')));

        $responseType->setAccessToken($accessToken);
        $responseType->setRefreshToken($refreshToken);
@@ -224,8 +229,7 @@ class BearerResponseTypeTest extends TestCase
        $authorizationValidator = new BearerTokenValidator($accessTokenRepositoryMock);
        $authorizationValidator->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));

-        $request = new ServerRequest();
-        $request = $request->withHeader('authorization', sprintf('Bearer %s', $json->access_token));
+        $request = (new ServerRequest())->withHeader('authorization', sprintf('Bearer %s', $json->access_token));

        try {
            $authorizationValidator->validateAuthorization($request);
@@ -248,8 +252,7 @@ class BearerResponseTypeTest extends TestCase
        $authorizationValidator = new BearerTokenValidator($accessTokenRepositoryMock);
        $authorizationValidator->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));

-        $request = new ServerRequest();
-        $request = $request->withHeader('authorization', 'Bearer blah');
+        $request = (new ServerRequest())->withHeader('authorization', 'Bearer blah');

        try {
            $authorizationValidator->validateAuthorization($request);
@@ -272,8 +275,7 @@ class BearerResponseTypeTest extends TestCase
        $authorizationValidator = new BearerTokenValidator($accessTokenRepositoryMock);
        $authorizationValidator->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));

-        $request = new ServerRequest();
-        $request = $request->withHeader('authorization', 'Bearer blah.blah.blah');
+        $request = (new ServerRequest())->withHeader('authorization', 'Bearer blah.blah.blah');

        try {
            $authorizationValidator->validateAuthorization($request);
--- a/tests/Stubs/ClientEntity.php
+++ b/tests/Stubs/ClientEntity.php
@@ -15,8 +15,8 @@ class ClientEntity implements ClientEntityInterface
        $this->redirectUri = $uri;
    }

-    public function setName($name)
+    public function setConfidential()
    {
-        $this->name = $name;
+        $this->isConfidential = true;
    }
 }
--- a/tests/Utils/CryptKeyTest.php
+++ b/tests/Utils/CryptKeyTest.php
@@ -7,11 +7,10 @@ use PHPUnit\Framework\TestCase;

 class CryptKeyTest extends TestCase
 {
-    /**
-     * @expectedException \LogicException
-     */
    public function testNoFile()
    {
+        $this->expectException(\LogicException::class);
+
        new CryptKey('undefined file');
    }

@@ -27,6 +26,11 @@ class CryptKeyTest extends TestCase
    public function testKeyFileCreation()
    {
        $keyContent = file_get_contents(__DIR__ . '/../Stubs/public.key');
+
+        if (!is_string($keyContent)) {
+            $this->fail('The public key stub is not a string');
+        }
+
        $key = new CryptKey($keyContent);

        $this->assertEquals(
@@ -35,6 +39,11 @@ class CryptKeyTest extends TestCase
        );

        $keyContent = file_get_contents(__DIR__ . '/../Stubs/private.key.crlf');
+
+        if (!is_string($keyContent)) {
+            $this->fail('The private key (crlf) stub is not a string');
+        }
+
        $key = new CryptKey($keyContent);

        $this->assertEquals(
--- a/tests/Utils/CryptTraitTest.php
+++ b/tests/Utils/CryptTraitTest.php
@@ -10,7 +10,7 @@ class CryptTraitTest extends TestCase
 {
    protected $cryptStub;

-    protected function setUp()
+    protected function setUp(): void
    {
        $this->cryptStub = new CryptTraitStub();
    }