Merge branch 'master' into master-token-revocation-introspection

Author: hafezdivandari

.github/workflows/static-analysis.yml

@@ -12,7 +12,7 @@ jobs:
 
     strategy:
       matrix:
-        php-version: [8.1, 8.2, 8.3, 8.4]
+        php-version: [8.1, 8.2, 8.3, 8.4, 8.5]
         composer-stability: [prefer-lowest, prefer-stable]
         operating-system:
           - ubuntu-latest

.github/workflows/tests.yml

@@ -11,7 +11,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        php: [8.1, 8.2, 8.3, 8.4]
+        php: [8.1, 8.2, 8.3, 8.4, 8.5]
         os: [ubuntu-latest, windows-latest]
         stability: [prefer-lowest, prefer-stable]
 

CHANGELOG.md

@@ -7,9 +7,16 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+### Changed
+
+- User ID is now passed to the finalizeScopes method for the Refresh Grant (PR #1414)
+
+## [9.3.0] - released 2025-11-25
+
 ### Added
 
 - Added sensitive parameter to avoid sensitive data being included in stack traces (PR #1483)
+- Support for PHP 8.5 (PR #1492)
 
 ### Fixed
 
@@ -779,7 +786,8 @@ Version 5 is a complete code rewrite.
 
 - First major release
 
-[Unreleased]: https://github.com/thephpleague/oauth2-server/compare/9.2.0...HEAD
+[Unreleased]: https://github.com/thephpleague/oauth2-server/compare/9.3.0...HEAD
+[9.3.0]: https://github.com/thephpleague/oauth2-server/compare/9.2.0...9.3.0
 [9.2.0]: https://github.com/thephpleague/oauth2-server/compare/9.1.0...9.2.0
 [9.1.0]: https://github.com/thephpleague/oauth2-server/compare/9.0.1...9.1.0
 [9.0.1]: https://github.com/thephpleague/oauth2-server/compare/9.0.0...9.0.1

README.md

@@ -38,6 +38,7 @@ The latest version of this package supports the following versions of PHP:
 * PHP 8.2
 * PHP 8.3
 * PHP 8.4
+* PHP 8.5
 
 The `openssl` and `json` extensions are also required.
 

composer.json

@@ -4,7 +4,7 @@
     "homepage": "https://oauth2.thephpleague.com/",
     "license": "MIT",
     "require": {
-        "php": "~8.1.0 || ~8.2.0 || ~8.3.0 || ~8.4.0",
+        "php": "~8.1.0 || ~8.2.0 || ~8.3.0 || ~8.4.0  || ~8.5.0",
         "ext-openssl": "*",
         "league/event": "^3.0",
         "league/uri": "^7.0",

src/Grant/RefreshTokenGrant.php

@@ -66,7 +66,12 @@ public function respondToAccessTokenRequest(
             }
         }
 
-        $scopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client);
+        $userId = $oldRefreshToken['user_id'];
+        if (is_int($userId)) {
+            $userId = (string) $userId;
+        }
+
+        $scopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client, $userId);
 
         // Expire old tokens
         $this->accessTokenRepository->revokeAccessToken($oldRefreshToken['access_token_id']);
@@ -75,10 +80,6 @@ public function respondToAccessTokenRequest(
         }
 
         // Issue and persist new access token
-        $userId = $oldRefreshToken['user_id'];
-        if (is_int($userId)) {
-            $userId = (string) $userId;
-        }
         $accessToken = $this->issueAccessToken($accessTokenTTL, $client, $userId, $scopes);
         $this->getEmitter()->emit(new RequestAccessTokenEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request, $accessToken));
         $responseType->setAccessToken($accessToken);

tests/Grant/RefreshTokenGrantTest.php

@@ -605,7 +605,7 @@ public function testRespondToRequestFinalizeScopes(): void
         $scopeRepositoryMock
             ->expects(self::once())
             ->method('finalizeScopes')
-            ->with($scopes, $grant->getIdentifier(), $client)
+            ->with($scopes, $grant->getIdentifier(), $client, '123', null)
             ->willReturn($finalizedScopes);
 
         $accessToken = new AccessTokenEntity();