Closed 11mb closed 3 years ago
Hi,
Regarding issuing a new access-token based on a (valid) refresh-token, I have a question:
The code that issues a new access-token (from the refresh-token grant) is being called here: https://github.com/thephpleague/oauth2-server/blob/master/src/Grant/RefreshTokenGrant.php#L69
The user_id is being taken from $oldRefreshToken['user_id'], but how is this user_id being set in the first place?
When issuing a refresh token there is no user id being passed: https://github.com/thephpleague/oauth2-server/blob/master/src/Grant/AbstractGrant.php#L513
unlike when issuing an access token: https://github.com/thephpleague/oauth2-server/blob/master/src/Grant/AbstractGrant.php#L435
Also the interface of a refresh-token has no user_id: https://github.com/thephpleague/oauth2-server/blob/master/src/Entities/RefreshTokenEntityInterface.php
How should I issue an access-token from a refresh-token?
The user ID comes from the auth code payload. It will be enforced when implementing the AuthCodeEntityInterface and is issued via the getNewAuthCode() method in the AuthCodeRepositoryInterface. Hope this helps.
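One way a user ID can be carried into a refresh token and read back as `$oldRefreshToken['user_id']`, shown as an added sketch that is not part of this thread or the library's own code. It assumes the refresh token handed to the client is a sealed payload built from the access token issued with it; the function names, sample values and the use of libsodium's secretbox are assumptions for illustration.

```php
<?php
// Simplified model with hypothetical names; not the library's implementation.
// Assumption: the refresh token is an authenticated-encrypted JSON payload
// that copies its fields from the access token issued alongside it.

function sealRefreshToken(array $accessToken, string $refreshTokenId, int $ttl, string $key): string
{
    $payload = json_encode([
        'client_id'        => $accessToken['client_id'],
        'refresh_token_id' => $refreshTokenId,
        'access_token_id'  => $accessToken['id'],
        'scopes'           => $accessToken['scopes'],
        'user_id'          => $accessToken['user_id'], // copied from the access token
        'expire_time'      => time() + $ttl,
    ], JSON_THROW_ON_ERROR);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($payload, $nonce, $key));
}

function openRefreshToken(string $token, string $clientId, string $key): array
{
    $raw = base64_decode($token, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        throw new RuntimeException('malformed refresh token');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) { // tampered token or wrong key
        throw new RuntimeException('refresh token failed authentication');
    }
    $old = json_decode($plain, true, 512, JSON_THROW_ON_ERROR);
    if (!hash_equals($old['client_id'], $clientId)) {
        throw new RuntimeException('refresh token was issued to another client');
    }
    if ($old['expire_time'] < time()) {
        throw new RuntimeException('refresh token expired');
    }
    return $old; // trusted only because the server sealed it
}

// Constructed sample data.
$key         = sodium_crypto_secretbox_keygen();
$accessToken = ['id' => 'at-1', 'client_id' => 'client-a', 'user_id' => 'user-42', 'scopes' => ['read']];
$refresh     = sealRefreshToken($accessToken, 'rt-1', 3600, $key);

$oldRefreshToken = openRefreshToken($refresh, 'client-a', $key);
echo $oldRefreshToken['user_id'], PHP_EOL; // user ID for the new access token
```

Because the payload is sealed with a server-side key, the client cannot alter `user_id` without the open step failing.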