Skip to content

TokenFactoryInterface

Raxos\OAuth2\Server\Token\TokenFactoryInterface

The storage layer of the server. It generates, persists, looks up and revokes access tokens, refresh tokens and authorization codes. This is the one contract that touches persistence, and a typical implementation stores its tokens in cache.

Signature

php
interface TokenFactoryInterface
{
    public function generateAccessToken(): string;
    public function generateAuthorizationCode(): string;
    public function generateRefreshToken(): string;

    public function getAccessToken(string $token): ?AccessTokenInterface;
    public function getAccessTokenByAssociatedToken(ClientInterface $client, string $token): ?AccessTokenInterface;
    public function getAuthorizationCode(ClientInterface $client, string $code): ?AuthorizationCodeInterface;
    public function getRefreshToken(ClientInterface $client, string $token): ?RefreshTokenInterface;

    public function saveAccessToken(ClientInterface $client, mixed $owner, string $scope, string $accessToken, int $expiresIn, ?string $refreshToken): void;
    public function saveAuthorizationCode(ClientInterface $client, mixed $owner, string $redirectUri, string $scope, string $authorizationCode, ?string $state = null): void;
    public function saveRefreshToken(ClientInterface $client, mixed $owner, string $scope, string $refreshToken): void;

    public function revokeAccessToken(ClientInterface $client, AccessTokenInterface $accessToken): void;
    public function revokeAuthorizationCode(ClientInterface $client, AuthorizationCodeInterface $authorizationCode): void;
    public function revokeRefreshToken(ClientInterface $client, RefreshTokenInterface $refreshToken): void;
}

Generating values

MethodDescription
generateAccessToken(): stringGenerates a new access token value.
generateAuthorizationCode(): stringGenerates a new authorization code value.
generateRefreshToken(): stringGenerates a new refresh token value.

Looking up tokens

MethodDescription
getAccessToken(string $token): ?AccessTokenInterfaceLooks up an access token by its value, or null.
getAccessTokenByAssociatedToken(ClientInterface $client, string $token): ?AccessTokenInterfaceLooks up the access token associated with a refresh token, used by the refresh flow to revoke the previous access token.
getAuthorizationCode(ClientInterface $client, string $code): ?AuthorizationCodeInterfaceLooks up an authorization code for the client, or null.
getRefreshToken(ClientInterface $client, string $token): ?RefreshTokenInterfaceLooks up a refresh token for the client, or null.

Persisting tokens

MethodDescription
saveAccessToken(...)Persists a new access token for the client and owner with the given scope, lifetime and optional associated refresh token.
saveAuthorizationCode(...)Persists a new authorization code bound to the redirect uri, scope and optional state.
saveRefreshToken(...)Persists a new refresh token for the client and owner with the given scope.

Revoking tokens

MethodDescription
revokeAccessToken(ClientInterface $client, AccessTokenInterface $accessToken): voidRevokes an access token.
revokeAuthorizationCode(ClientInterface $client, AuthorizationCodeInterface $authorizationCode): voidRevokes an authorization code.
revokeRefreshToken(ClientInterface $client, RefreshTokenInterface $refreshToken): voidRevokes a refresh token.

Token value contracts

The lookup methods return small value objects that the host application also implements.

TokenInterface

Raxos\OAuth2\Server\Token\TokenInterface is the base contract for every token.

php
interface TokenInterface
{
    public function getClientId(): string;
    public function getOwner(): mixed;
    public function getScope(): string;
    public function getToken(): string;
    public function isExpired(): bool;
    public function isScopeAllowed(string $scope): bool;
}
MethodDescription
getClientId(): stringReturns the client id the token belongs to.
getOwner(): mixedReturns the resource owner the token was issued for.
getScope(): stringReturns the scope string of the token.
getToken(): stringReturns the raw token value.
isExpired(): boolReturns true when the token has expired.
isScopeAllowed(string $scope): boolReturns true when the token grants the given scope.

AccessTokenInterface and RefreshTokenInterface

AccessTokenInterface and RefreshTokenInterface both extend TokenInterface without adding methods; they exist so the factory can return precise types.

AuthorizationCodeInterface

AuthorizationCodeInterface extends TokenInterface and adds the redirect uri the code is bound to:

php
interface AuthorizationCodeInterface extends TokenInterface
{
    public function getRedirectUri(): string;
}

The authorization code grant compares this value against the redirect_uri sent to the token endpoint.