Merge pull request thephpleague#1414 from pl-github/pass-user-id-to-finalize-scopes

Pass user id from old refresh token to finalizeScopes()

Author: Sephster

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+### Changed
+
+- User ID is now passed to the finalizeScopes method for the Refresh Grant (PR #1414)
+
 ## [9.3.0] - released 2025-11-25
 
 ### Added

src/Grant/RefreshTokenGrant.php

@@ -69,7 +69,12 @@ public function respondToAccessTokenRequest(
             }
         }
 
-        $scopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client);
+        $userId = $oldRefreshToken['user_id'];
+        if (is_int($userId)) {
+            $userId = (string) $userId;
+        }
+
+        $scopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client, $userId);
 
         // Expire old tokens
         $this->accessTokenRepository->revokeAccessToken($oldRefreshToken['access_token_id']);
@@ -78,10 +83,6 @@ public function respondToAccessTokenRequest(
         }
 
         // Issue and persist new access token
-        $userId = $oldRefreshToken['user_id'];
-        if (is_int($userId)) {
-            $userId = (string) $userId;
-        }
         $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $userId, $scopes);
         $this->getEmitter()->emit(new RequestAccessTokenEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request, $accessToken));
         $responseType->setAccessToken($accessToken);

tests/Grant/RefreshTokenGrantTest.php

@@ -605,7 +605,7 @@ public function testRespondToRequestFinalizeScopes(): void
         $scopeRepositoryMock
             ->expects(self::once())
             ->method('finalizeScopes')
-            ->with($scopes, $grant->getIdentifier(), $client)
+            ->with($scopes, $grant->getIdentifier(), $client, '123', null)
             ->willReturn($finalizedScopes);
 
         $accessToken = new AccessTokenEntity();