Previously, ZfrOAuth2 used to trigger an InvalidAccessTokenException if no token could be found in the request. However, if a token was expired or not found in the database, it used to do nothing.
The logic is actually wrong: ZfrOAuth2 should instead throw this exception ONLY if a token is given BUT is expired, does not match the scope, or does not exist anymore.
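The corrected decision order described above, as an added stand-alone sketch that is not ZfrOAuth2's own code. The `resolveAccessToken` function, the array-based token store and the sample tokens are assumptions made for illustration; only the exception name comes from the text.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in: only the class name is taken from the text above.
final class InvalidAccessTokenException extends RuntimeException {}

/**
 * Hypothetical helper. $store maps token => ['expires' => unix time, 'scopes' => string[]].
 * Returns null when the request carries no bearer token, the token record when it
 * is acceptable, and throws only when a token was sent but must be rejected.
 */
function resolveAccessToken(array $headers, array $store, array $requiredScopes, int $now): ?array
{
    $auth = $headers['Authorization'] ?? '';
    if (!preg_match('/^Bearer\s+(\S+)$/i', $auth, $m)) {
        return null; // no token in the request: not an error
    }
    $record = $store[$m[1]] ?? null;
    if ($record === null) {
        throw new InvalidAccessTokenException('token does not exist anymore');
    }
    if ($record['expires'] <= $now) {
        throw new InvalidAccessTokenException('token is expired');
    }
    if (array_diff($requiredScopes, $record['scopes']) !== []) {
        throw new InvalidAccessTokenException('token does not match scope');
    }
    return $record;
}

// Constructed sample data, not real tokens.
$now = 1700000000;
$store = [
    'good'   => ['expires' => $now + 3600, 'scopes' => ['read', 'write']],
    'old'    => ['expires' => $now - 1,    'scopes' => ['read']],
    'narrow' => ['expires' => $now + 3600, 'scopes' => ['profile']],
];
$cases = ['(none)' => [], 'good' => null, 'old' => null, 'narrow' => null, 'revoked' => null];

foreach ($cases as $token => $headers) {
    $headers ??= ['Authorization' => "Bearer $token"];
    try {
        $result = resolveAccessToken($headers, $store, ['read'], $now);
        echo $token, ': ', $result === null ? 'no token, no exception' : 'accepted', PHP_EOL;
    } catch (InvalidAccessTokenException $e) {
        echo $token, ': rejected, ', $e->getMessage(), PHP_EOL;
    }
}
```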