@bkotrys bkotrys commented Dec 6, 2019

Changes

This PR adds the possibility to provide additional options to the renewTokens method. These options (especially the scope option) are necessary in situations when we add a custom scope to context.accessToken and would like to renew tokens. Without providing the proper scope (openid), after calling the renewTokens method we got the following error:
Token did not refresh correctly. Access or ID token not provided.

Example rule - add custom scope to accessToken

function (user, context, callback) {
  var permissions = [
    'permission1',
    'permission2'
  ];
  
  const requestedScope = (
    (context.request.query && context.request.query.scope) || 
    (context.request.body && context.request.body.scope)
  );

  if(requestedScope) {
    const scopes = requestedScope.split(' ');
    
    if(scopes.indexOf('openid') !== -1) {
      permissions.push('openid');
    }
    
    if(scopes.indexOf('profile') !== -1) {
      permissions.push('profile');
    }
    
    if(scopes.indexOf('email') !== -1) {
      permissions.push('email');
    }
    
    if(scopes.indexOf('offline_access') !== -1) {
      permissions.push('offline_access');
    }
  }

  context.accessToken.scope = (context.accessToken.scope || []).concat(permissions);
  callback(null, user, context);
}

References

Relates to:

May be somehow related to these issues:


Testing

  • This change adds test coverage

  • This change has been tested on the latest version of PHP

Checklist

@bkotrys bkotrys requested a review from a team December 6, 2019 09:42
@joshcanhelp joshcanhelp requested review from joshcanhelp and removed request for a team December 6, 2019 20:57
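
Added example (not part of the PR, the rule runtime or the SDK): a local JavaScript model of the refresh exchange from the PR description, showing that the rule leaves openid out of the final scope when the refresh request carries no scope, and that sending scope=openid restores it. scopeRule is a condensed equivalent of the rule above; simulateRefresh, sdkAcceptsResponse, the token values and the premise that an ID token is issued only when the final scope contains openid are assumptions.

```javascript
// Added example: a local model, not Auth0's rule runtime or the SDK's code.
const STANDARD_SCOPES = ['openid', 'profile', 'email', 'offline_access'];
const CUSTOM_PERMISSIONS = ['permission1', 'permission2'];

// Condensed equivalent of the rule in the PR description: custom permissions
// are always added, standard scopes only when the request asked for them.
function scopeRule(user, context, callback) {
  const requested =
    (context.request.query && context.request.query.scope) ||
    (context.request.body && context.request.body.scope) || '';
  const asked = requested.split(' ').filter(Boolean);
  const echoed = STANDARD_SCOPES.filter((s) => asked.includes(s));
  context.accessToken.scope = (context.accessToken.scope || [])
    .concat(CUSTOM_PERMISSIONS, echoed);
  callback(null, user, context);
}

// Hypothetical stand-in for the token endpoint. Assumption: an ID token is
// issued only when the final scope contains "openid".
function simulateRefresh(extraBodyParams) {
  const body = Object.assign(
    { grant_type: 'refresh_token', refresh_token: 'constructed-rt' },
    extraBodyParams
  );
  const context = { request: { query: {}, body }, accessToken: {} };
  let finalScope = [];
  scopeRule({}, context, (err, user, ctx) => {
    finalScope = ctx.accessToken.scope;
  });
  const response = { access_token: 'constructed-at', scope: finalScope.join(' ') };
  if (finalScope.includes('openid')) response.id_token = 'constructed-idt';
  return response;
}

// Assumed client-side check, inferred from the error text quoted in the PR:
// both an access token and an ID token must be present.
function sdkAcceptsResponse(response) {
  return Boolean(response.access_token && response.id_token);
}

// Refresh with no scope in the body, then with the scope option added.
for (const extra of [{}, { scope: 'openid' }]) {
  const res = simulateRefresh(extra);
  console.log(JSON.stringify(extra), '->', res.scope, '| accepted:', sdkAcceptsResponse(res));
}
```

Because the rule echoes back only the four standard scopes it checks for, any other value placed in the refresh request's scope is not copied into the access token.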

@joshcanhelp joshcanhelp left a comment

@bkotrys - We appreciate the very detailed report and concise PR here! I'm happy to merge this in but we probably want to re-think the documentation provided (see comment). We're gearing up for the last (planned) release for this major and happy to get this PR in before that goes out.

src/Auth0.php Outdated
Comment on lines 598 to 600
* - options.grant_type Grant type to use; required.
* - options.client_id Application Client ID; required.
* - options.client_secret Application Client Secret; required if token endpoint requires authentication.

@joshcanhelp joshcanhelp Dec 6, 2019

I would definitely leave these out since the first must be refresh_token (and is added automatically) and the others are added automatically with whatever the Auth0 object was initiated with. The audience is ignored in the refresh case (that info is part of the refresh token record). And, in the case of scope, that's ignored in most cases as well (not yours, of course).

Contributor Author

@joshcanhelp updated, please let me know if this satisfied you.

@joshcanhelp joshcanhelp added this to the 5.7.0 milestone Dec 9, 2019
@joshcanhelp

❯ composer test
> SHELL_INTERACTIVE=1 "vendor/bin/phpunit" --coverage-text
PHPUnit 5.7.27 by Sebastian Bergmann and contributors.

Runtime:       PHP 7.1.29 with Xdebug 2.6.1
Configuration: /Users/josh-cunningham/Sites/php-auth0/auth0/phpunit.xml.dist

...S...........................................................  63 / 253 ( 24%)
............................................................... 126 / 253 ( 49%)
............................................................... 189 / 253 ( 74%)
............................................................... 252 / 253 ( 99%)
.                                                               253 / 253 (100%)

Time: 26.51 seconds, Memory: 18.00MB

There was 1 skipped test:

1) Auth0\Tests\API\Authentication\DeprecatedTest::testAuthorizeWithRO
New applications do not provide this grant.

/Users/josh-cunningham/Sites/php-auth0/auth0/tests/API/Authentication/DeprecatedTest.php:12

OK, but incomplete, skipped, or risky tests!
Tests: 253, Assertions: 929, Skipped: 1.

❯ snyk test

Testing /Users/josh-cunningham/Sites/php-auth0/auth0...

Organization:      auth0-sdks
Package manager:   composer
Target file:       composer.lock
Open source:       no
Project path:      /Users/josh-cunningham/Sites/php-auth0/auth0
Licenses:          enabled

✓ Tested 8 dependencies for known issues, no vulnerable paths found.

@joshcanhelp joshcanhelp left a comment

@bkotrys - Thank you for the update here! I added a test for the custom options so I think this is good to go. We'll get this released today or tomorrow 👍

@joshcanhelp joshcanhelp merged commit 7a7f098 into auth0:master Dec 9, 2019
@github-actions

This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 23, 2022