Closed RobertMe closed 1 year ago
This was just a stupid oversight in my initial fix (of #16). Dependency injection was obviously the way to go for this. But having the event is still fine, as it allows other customizations as well (like overriding the jti and / or storing it in the database)
As I had to modify the signature of the constructor of the ImplicitGrant, this is a BC break, so I guess that means the version should be bumped to 0.3 (which for composer means it's a backwards incompatible version, as it's a 0. version).
The auth code grant already makes use of the Session service to get information about the session (auth time), which the implicit grant doesn't / didn't properly do. Previously (pre #16) the Session service was resolved using Laravel, while it could/should have been injected as a service into the grant, like the auth code grant does.
This also extracts an interface for the Session service. This is because the implementation (most likely) has to be framework aware, as it must use the time of the original login, in case the user was already logged in when the authorization endpoint was called (and not "now" / the time of calling the authorization endpoint like the current implementation does).
Also refactored usages of DateTime & DateTimeImmutable to work based on the DateTimeInterface. And where applicable simplified code by "modifying" an immutable instance (which returns a new, updated, instance, instead of modifying the existing instance).
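
The session interface and constructor injection described above, sketched as an added example that is not this package's code. Every class, method and session key name here (`SessionInterface`, `StoredLoginSession`, `ImplicitGrantClaims`, `login_at`) is hypothetical, and a plain array stands in for the framework's session store. It shows `auth_time` coming from the recorded login rather than from the time of the authorization request.

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout; not the package's actual classes.
interface SessionInterface
{
    // Time the user originally authenticated, not the time of this request.
    public function getAuthTime(): DateTimeInterface;
}

// Framework-aware implementation: reads the login time recorded at sign-in.
// The array is an assumption standing in for the framework's session store.
final class StoredLoginSession implements SessionInterface
{
    public function __construct(private array $store) {}

    public function getAuthTime(): DateTimeInterface
    {
        if (!isset($this->store['login_at'])) {
            // Fail closed instead of silently reporting "now" as the auth time.
            throw new RuntimeException('No recorded login time for this session.');
        }
        return (new DateTimeImmutable())->setTimestamp((int) $this->store['login_at']);
    }
}

final class ImplicitGrantClaims
{
    // The session service is injected, not resolved from a container.
    public function __construct(private SessionInterface $session) {}

    public function build(DateTimeImmutable $now, string $ttl = '+10 minutes'): array
    {
        return [
            'iat'       => $now->getTimestamp(),
            // modify() on an immutable returns a new instance; $now is unchanged.
            'exp'       => $now->modify($ttl)->getTimestamp(),
            'auth_time' => $this->session->getAuthTime()->getTimestamp(),
        ];
    }
}

// Constructed sample: the user logged in one hour before the authorization request.
$now     = new DateTimeImmutable('2024-01-01 12:00:00 UTC');
$session = new StoredLoginSession(['login_at' => $now->modify('-1 hour')->getTimestamp()]);
print_r((new ImplicitGrantClaims($session))->build($now));
```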