[13.x] Support OAuth2 Server v9 (#1734)

* support OAuth2 Server 9

* formatting

* formatting

* drop php 8.0

* use fqn

* wip

* wip

* wip

* formatting

* formatting

* wip

* remove redundant attribute

* fix tests

* update upgrade guide

* force re-run tests

* wip

* wip

* add an entry on upgrade guide for oauth2 server

* Update UPGRADE.md

* Update UPGRADE.md

* Update UPGRADE.md

---------

Co-authored-by: Dries Vints <dries@vints.be>
Co-authored-by: Taylor Otwell <taylor@laravel.com>

.github/workflows/tests.yml

@@ -16,13 +16,9 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        php: ['8.0', 8.1, 8.2, 8.3]
+        php: [8.1, 8.2, 8.3]
         laravel: [9, 10, 11]
         exclude:
-          - php: '8.0'
-            laravel: 10
-          - php: '8.0'
-            laravel: 11
           - php: 8.1
             laravel: 11
           - php: 8.3

UPGRADE.md

@@ -2,6 +2,20 @@
 
 ## General Notes
 
+## Upgrading To 13.0 From 12.x
+
+### Minimum PHP Version
+
+PR: https://github.com/laravel/passport/pull/1734
+
+PHP 8.1 is now the minimum required version.
+
+### OAuth2 Server
+
+PR: https://github.com/laravel/passport/pull/1734
+
+The `league/oauth2-server` Composer package which is utilized internally by Passport has been updated to 9.0, which adds additional types to method signatures. To ensure your application is compatible, you should review this package's complete [changelog](https://github.com/thephpleague/oauth2-server/blob/master/CHANGELOG.md#900---released-2024-05-13). 
+
 ## Upgrading To 12.0 From 11.x
 
 ### Migration Changes
@@ -14,6 +28,8 @@ php artisan vendor:publish --tag=passport-migrations
 
 ### Password Grant Type
 
+PR: https://github.com/laravel/passport/pull/1715
+
 The password grant type is disabled by default. You may enable it by calling the `enablePasswordGrant` method in the `boot` method of your application's `App\Providers\AppServiceProvider` class:
 
 ```php

composer.json

@@ -14,8 +14,9 @@
         }
     ],
     "require": {
-        "php": "^8.0",
+        "php": "^8.1",
         "ext-json": "*",
+        "ext-openssl": "*",
         "firebase/php-jwt": "^6.4",
         "illuminate/auth": "^9.21|^10.0|^11.0",
         "illuminate/console": "^9.21|^10.0|^11.0",
@@ -26,18 +27,18 @@
         "illuminate/encryption": "^9.21|^10.0|^11.0",
         "illuminate/http": "^9.21|^10.0|^11.0",
         "illuminate/support": "^9.21|^10.0|^11.0",
-        "lcobucci/jwt": "^4.3|^5.0",
-        "league/oauth2-server": "^8.5.3",
+        "lcobucci/jwt": "^5.0",
+        "league/oauth2-server": "^9.0",
         "nyholm/psr7": "^1.5",
-        "phpseclib/phpseclib": "^2.0|^3.0",
+        "phpseclib/phpseclib": "^3.0",
         "symfony/console": "^6.0|^7.0",
-        "symfony/psr-http-message-bridge": "^2.1|^6.0|^7.0"
+        "symfony/psr-http-message-bridge": "^6.0|^7.0"
     },
     "require-dev": {
         "mockery/mockery": "^1.0",
         "orchestra/testbench": "^7.35|^8.14|^9.0",
         "phpstan/phpstan": "^1.10",
-        "phpunit/phpunit": "^9.3|^10.5"
+        "phpunit/phpunit": "^9.3|^10.5|^11.0"
     },
     "autoload": {
         "psr-4": {
@@ -66,6 +67,6 @@
         "post-autoload-dump": "@prepare",
         "prepare": "@php vendor/bin/testbench package:discover --ansi"
     },
-    "minimum-stability": "dev",
+    "minimum-stability": "stable",
     "prefer-stable": true
 }

database/factories/ClientFactory.php

@@ -4,7 +4,6 @@
 
 use Illuminate\Database\Eloquent\Factories\Factory;
 use Illuminate\Support\Str;
-use Laravel\Passport\Client;
 use Laravel\Passport\Passport;
 
 /**
@@ -13,11 +12,14 @@
 class ClientFactory extends Factory
 {
     /**
-     * The name of the factory's corresponding model.
+     * Get the name of the model that is generated by the factory.
      *
-     * @var string
+     * @return class-string<\Illuminate\Database\Eloquent\Model>
      */
-    protected $model = Client::class;
+    public function modelName()
+    {
+        return $this->model ?? Passport::clientModel();
+    }
 
     /**
      * Define the model's default state.
@@ -46,7 +48,7 @@ public function definition()
     protected function ensurePrimaryKeyIsSet(array $data)
     {
         if (Passport::clientUuids()) {
-            $keyName = (new $this->model)->getKeyName();
+            $keyName = (new ($this->modelName()))->getKeyName();
 
             $data[$keyName] = (string) Str::orderedUuid();
         }

src/Bridge/AccessToken.php

@@ -15,14 +15,13 @@ class AccessToken implements AccessTokenEntityInterface
     /**
      * Create a new token instance.
      *
-     * @param  string  $userIdentifier
-     * @param  array  $scopes
-     * @param  \League\OAuth2\Server\Entities\ClientEntityInterface  $client
-     * @return void
+     * @param  \League\OAuth2\Server\Entities\ScopeEntityInterface[]  $scopes
      */
-    public function __construct($userIdentifier, array $scopes, ClientEntityInterface $client)
+    public function __construct(string|null $userIdentifier, array $scopes, ClientEntityInterface $client)
     {
-        $this->setUserIdentifier($userIdentifier);
+        if (! is_null($userIdentifier)) {
+            $this->setUserIdentifier($userIdentifier);
+        }
 
         foreach ($scopes as $scope) {
             $this->addScope($scope);

src/Bridge/AccessTokenRepository.php

@@ -17,24 +17,16 @@ class AccessTokenRepository implements AccessTokenRepositoryInterface
 
     /**
      * The token repository instance.
-     *
-     * @var \Laravel\Passport\TokenRepository
      */
-    protected $tokenRepository;
+    protected TokenRepository $tokenRepository;
 
     /**
      * The event dispatcher instance.
-     *
-     * @var \Illuminate\Contracts\Events\Dispatcher
      */
-    protected $events;
+    protected Dispatcher $events;
 
     /**
      * Create a new repository instance.
-     *
-     * @param  \Laravel\Passport\TokenRepository  $tokenRepository
-     * @param  \Illuminate\Contracts\Events\Dispatcher  $events
-     * @return void
      */
     public function __construct(TokenRepository $tokenRepository, Dispatcher $events)
     {
@@ -45,46 +37,45 @@ public function __construct(TokenRepository $tokenRepository, Dispatcher $events
     /**
      * {@inheritdoc}
      */
-    public function getNewToken(ClientEntityInterface $clientEntity, array $scopes, $userIdentifier = null)
-    {
+    public function getNewToken(
+        ClientEntityInterface $clientEntity,
+        array $scopes,
+        string|null $userIdentifier = null
+    ): AccessTokenEntityInterface {
         return new Passport::$accessTokenEntity($userIdentifier, $scopes, $clientEntity);
     }
 
     /**
      * {@inheritdoc}
      */
-    public function persistNewAccessToken(AccessTokenEntityInterface $accessTokenEntity)
+    public function persistNewAccessToken(AccessTokenEntityInterface $accessTokenEntity): void
     {
         $this->tokenRepository->create([
-            'id' => $accessTokenEntity->getIdentifier(),
-            'user_id' => $accessTokenEntity->getUserIdentifier(),
-            'client_id' => $accessTokenEntity->getClient()->getIdentifier(),
+            'id' => $id = $accessTokenEntity->getIdentifier(),
+            'user_id' => $userId = $accessTokenEntity->getUserIdentifier(),
+            'client_id' => $clientId = $accessTokenEntity->getClient()->getIdentifier(),
             'scopes' => $this->scopesToArray($accessTokenEntity->getScopes()),
             'revoked' => false,
             'created_at' => new DateTime,
             'updated_at' => new DateTime,
             'expires_at' => $accessTokenEntity->getExpiryDateTime(),
         ]);
 
-        $this->events->dispatch(new AccessTokenCreated(
-            $accessTokenEntity->getIdentifier(),
-            $accessTokenEntity->getUserIdentifier(),
-            $accessTokenEntity->getClient()->getIdentifier()
-        ));
+        $this->events->dispatch(new AccessTokenCreated($id, $userId, $clientId));
     }
 
     /**
      * {@inheritdoc}
      */
-    public function revokeAccessToken($tokenId)
+    public function revokeAccessToken(string $tokenId): void
     {
         $this->tokenRepository->revokeAccessToken($tokenId);
     }
 
     /**
      * {@inheritdoc}
      */
-    public function isAccessTokenRevoked($tokenId)
+    public function isAccessTokenRevoked(string $tokenId): bool
     {
         return $this->tokenRepository->isAccessTokenRevoked($tokenId);
     }

src/Bridge/AuthCodeRepository.php

@@ -13,15 +13,15 @@ class AuthCodeRepository implements AuthCodeRepositoryInterface
     /**
      * {@inheritdoc}
      */
-    public function getNewAuthCode()
+    public function getNewAuthCode(): AuthCodeEntityInterface
     {
         return new AuthCode;
     }
 
     /**
      * {@inheritdoc}
      */
-    public function persistNewAuthCode(AuthCodeEntityInterface $authCodeEntity)
+    public function persistNewAuthCode(AuthCodeEntityInterface $authCodeEntity): void
     {
         $attributes = [
             'id' => $authCodeEntity->getIdentifier(),
@@ -38,15 +38,15 @@ public function persistNewAuthCode(AuthCodeEntityInterface $authCodeEntity)
     /**
      * {@inheritdoc}
      */
-    public function revokeAuthCode($codeId)
+    public function revokeAuthCode(string $codeId): void
     {
         Passport::authCode()->where('id', $codeId)->update(['revoked' => true]);
     }
 
     /**
      * {@inheritdoc}
      */
-    public function isAuthCodeRevoked($codeId)
+    public function isAuthCodeRevoked(string $codeId): bool
     {
         return Passport::authCode()->where('id', $codeId)->where('revoked', 1)->exists();
     }

src/Bridge/Client.php

@@ -4,63 +4,32 @@
 
 use League\OAuth2\Server\Entities\ClientEntityInterface;
 use League\OAuth2\Server\Entities\Traits\ClientTrait;
+use League\OAuth2\Server\Entities\Traits\EntityTrait;
 
 class Client implements ClientEntityInterface
 {
-    use ClientTrait;
-
-    /**
-     * The client identifier.
-     *
-     * @var string
-     */
-    protected $identifier;
+    use ClientTrait, EntityTrait;
 
     /**
      * The client's provider.
-     *
-     * @var string
      */
-    public $provider;
+    public ?string $provider;
 
     /**
      * Create a new client instance.
-     *
-     * @param  string  $identifier
-     * @param  string  $name
-     * @param  string  $redirectUri
-     * @param  bool  $isConfidential
-     * @param  string|null  $provider
-     * @return void
      */
-    public function __construct($identifier, $name, $redirectUri, $isConfidential = false, $provider = null)
-    {
-        $this->setIdentifier((string) $identifier);
+    public function __construct(
+        string $identifier,
+        string $name,
+        string $redirectUri,
+        bool $isConfidential = false,
+        ?string $provider = null
+    ) {
+        $this->setIdentifier($identifier);
 
         $this->name = $name;
         $this->isConfidential = $isConfidential;
         $this->redirectUri = explode(',', $redirectUri);
         $this->provider = $provider;
     }
-
-    /**
-     * Get the client's identifier.
-     *
-     * @return string
-     */
-    public function getIdentifier()
-    {
-        return (string) $this->identifier;
-    }
-
-    /**
-     * Set the client's identifier.
-     *
-     * @param  string  $identifier
-     * @return void
-     */
-    public function setIdentifier($identifier)
-    {
-        $this->identifier = $identifier;
-    }
 }