thephpleague / oauth2-server

A spec compliant, secure by default PHP OAuth 2.0 Server
https://oauth2.thephpleague.com
MIT License
6.52k stars 1.12k forks

Issuing an access-token based on a refresh-token #1205

Closed 11mb closed 3 years ago

11mb commented 3 years ago

Hi,

Regarding issuing a new access-token based on a (valid) refresh-token, I have a question:

The code that issues a new access-token (from the refresh-token grant) is being called here: https://github.com/thephpleague/oauth2-server/blob/master/src/Grant/RefreshTokenGrant.php#L69

The user_id is being taken from $oldRefreshToken['user_id'], but how is this user_id being set in the first place?

When issuing a refresh token there is no user id being passed: https://github.com/thephpleague/oauth2-server/blob/master/src/Grant/AbstractGrant.php#L513

unlike when issuing an access token: https://github.com/thephpleague/oauth2-server/blob/master/src/Grant/AbstractGrant.php#L435

Also the interface of a refresh-token has no user_id: https://github.com/thephpleague/oauth2-server/blob/master/src/Entities/RefreshTokenEntityInterface.php

How should I issue an access-token from a refresh-token?

Sephster commented 3 years ago

The user ID comes from the auth code payload. It will be enforced when implementing the AuthCodeEntityInterface and is issued via the getNewAuthCode() method in the AuthCodeRepositoryInterface. Hope this helps