refresh_token being granted in Client Credentials Grant

[dsquier]

In testing OAuth2_Storage_RefreshTokenInterface, a refresh_token is being returned when using the Client Credentials Grant. It should probably be removed from this grant type to better adhere to http://tools.ietf.org/html/rfc6749#section-4.4.3

4.4.3.  Access Token Response

   If the access token request is valid and authorized, the
   authorization server issues an access token as described in
   Section 5.1.  A refresh token SHOULD NOT be included.

Code from an example call:

$storage = new PDO('mysql:dbname=account;host=localhost', 'oauth', 'oauth');
$server = new OAuth2_Server($storage);
$server->addGrantType(new OAuth2_GrantType_ClientCredentials($storage));

$request = OAuth2_Request::createFromGlobals();
$token = $server->grantAccessToken($request)

echo json_encode($token);

With the following response:

{"access_token":"ce7f0d2cce0e9dc0e6f4d6ed24c5def1afdea5c6","expires_in":3600,"token_type":"bearer","scope":null,"refresh_token":"a7db8c2b2bdf4319d6233db394979e89c5809ffe"}

[bshaffer]

Thank you for reporting this!

[bshaffer]

Fixed by 81ceb46

• ClientCredentials does not issue refresh token
• Access Token authorize requests do not issue refresh token in fragment
• Refresh Token grant requests can be configured to not issue refresh token