Merge remote-tracking branch 'upstream/master' into exception-has-redirect

2025-05-31 14:12:07 +05:30 · 2018-05-25 09:49:14 +01:00
parent d8ece093d5 d7ab153500
commit 466e1a639d
68 changed files with 1764 additions and 810 deletions
--- a/tests/AuthorizationServerTest.php
+++ b/tests/AuthorizationServerTest.php
@@ -3,7 +3,6 @@
 namespace LeagueTests;

 use League\OAuth2\Server\AuthorizationServer;
-use League\OAuth2\Server\CryptKey;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Grant\AuthCodeGrant;
 use League\OAuth2\Server\Grant\ClientCredentialsGrant;
@@ -17,15 +16,27 @@ use League\OAuth2\Server\ResponseTypes\BearerTokenResponse;
 use LeagueTests\Stubs\AccessTokenEntity;
 use LeagueTests\Stubs\AuthCodeEntity;
 use LeagueTests\Stubs\ClientEntity;
+use LeagueTests\Stubs\ScopeEntity;
 use LeagueTests\Stubs\StubResponseType;
 use LeagueTests\Stubs\UserEntity;
+use PHPUnit\Framework\TestCase;
 use Psr\Http\Message\ResponseInterface;
 use Zend\Diactoros\Response;
 use Zend\Diactoros\ServerRequest;
 use Zend\Diactoros\ServerRequestFactory;

-class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
+class AuthorizationServerTest extends TestCase
 {
+    const DEFAULT_SCOPE = 'basic';
+
+    public function setUp()
+    {
+        // Make sure the keys have the correct permissions.
+        chmod(__DIR__ . '/Stubs/private.key', 0600);
+        chmod(__DIR__ . '/Stubs/public.key', 0600);
+        chmod(__DIR__ . '/Stubs/private.key.crlf', 0600);
+    }
+
    public function testRespondToRequestInvalidGrantType()
    {
        $server = new AuthorizationServer(
@@ -33,7 +44,7 @@ class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
            $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock(),
            $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock(),
            'file://' . __DIR__ . '/Stubs/private.key',
-            'file://' . __DIR__ . '/Stubs/public.key',
+            base64_encode(random_bytes(36)),
            new StubResponseType()
        );

@@ -52,7 +63,9 @@ class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
        $clientRepository = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
        $clientRepository->method('getClientEntity')->willReturn(new ClientEntity());

+        $scope = new ScopeEntity();
        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
+        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scope);
        $scopeRepositoryMock->method('finalizeScopes')->willReturnArgument(0);

        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
@@ -63,10 +76,11 @@ class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
            $accessTokenRepositoryMock,
            $scopeRepositoryMock,
            'file://' . __DIR__ . '/Stubs/private.key',
-            'file://' . __DIR__ . '/Stubs/public.key',
+            base64_encode(random_bytes(36)),
            new StubResponseType()
        );

+        $server->setDefaultScope(self::DEFAULT_SCOPE);
        $server->enableGrantType(new ClientCredentialsGrant(), new \DateInterval('PT1M'));

        $_POST['grant_type'] = 'client_credentials';
@@ -92,7 +106,7 @@ class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
        $method = $abstractGrantReflection->getMethod('getResponseType');
        $method->setAccessible(true);

-        $this->assertTrue($method->invoke($server) instanceof BearerTokenResponse);
+        $this->assertInstanceOf(BearerTokenResponse::class, $method->invoke($server));
    }

    public function testCompleteAuthorizationRequest()
@@ -116,9 +130,6 @@ class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
            new \DateInterval('PT10M')
        );

-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/Stubs/private.key'));
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/Stubs/public.key'));
-
        $server->enableGrantType($grant);

        $authRequest = new AuthorizationRequest();
@@ -127,12 +138,59 @@ class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
        $authRequest->setGrantTypeId('authorization_code');
        $authRequest->setUser(new UserEntity());

-        $this->assertTrue(
-            $server->completeAuthorizationRequest($authRequest, new Response) instanceof ResponseInterface
+        $this->assertInstanceOf(
+            ResponseInterface::class,
+            $server->completeAuthorizationRequest($authRequest, new Response)
        );
    }

    public function testValidateAuthorizationRequest()
+    {
+        $client = new ClientEntity();
+        $client->setRedirectUri('http://foo/bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $scope = new ScopeEntity();
+        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
+        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scope);
+
+        $grant = new AuthCodeGrant(
+            $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock(),
+            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
+            new \DateInterval('PT10M')
+        );
+        $grant->setClientRepository($clientRepositoryMock);
+
+        $server = new AuthorizationServer(
+            $clientRepositoryMock,
+            $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock(),
+            $scopeRepositoryMock,
+            'file://' . __DIR__ . '/Stubs/private.key',
+            'file://' . __DIR__ . '/Stubs/public.key'
+        );
+
+        $server->setDefaultScope(self::DEFAULT_SCOPE);
+        $server->enableGrantType($grant);
+
+        $request = new ServerRequest(
+            [],
+            [],
+            null,
+            null,
+            'php://input',
+            $headers = [],
+            $cookies = [],
+            $queryParams = [
+                'response_type' => 'code',
+                'client_id'     => 'foo',
+            ]
+        );
+
+        $this->assertInstanceOf(AuthorizationRequest::class, $server->validateAuthorizationRequest($request));
+    }
+
+    public function testValidateAuthorizationRequestWithMissingRedirectUri()
    {
        $client = new ClientEntity();
        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
@@ -168,7 +226,12 @@ class AuthorizationServerTest extends \PHPUnit_Framework_TestCase
            ]
        );

-        $this->assertTrue($server->validateAuthorizationRequest($request) instanceof AuthorizationRequest);
+        try {
+            $server->validateAuthorizationRequest($request);
+        } catch (OAuthServerException $e) {
+            $this->assertEquals('invalid_client', $e->getErrorType());
+            $this->assertEquals(401, $e->getHttpStatusCode());
+        }
    }

    /**
--- a/tests/AuthorizationValidators/BearerTokenValidatorTest.php
+++ b/tests/AuthorizationValidators/BearerTokenValidatorTest.php
@@ -0,0 +1,40 @@
+<?php
+
+namespace LeagueTests\AuthorizationValidators;
+
+use Lcobucci\JWT\Builder;
+use League\OAuth2\Server\AuthorizationValidators\BearerTokenValidator;
+use League\OAuth2\Server\CryptKey;
+use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
+use PHPUnit\Framework\TestCase;
+use Zend\Diactoros\ServerRequest;
+
+class BearerTokenValidatorTest extends TestCase
+{
+    /**
+     * @expectedException League\OAuth2\Server\Exception\OAuthServerException
+     * @expectedExceptionCode 9
+     */
+    public function testThrowExceptionWhenAccessTokenIsNotSigned()
+    {
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+
+        $bearerTokenValidator = new BearerTokenValidator($accessTokenRepositoryMock);
+        $bearerTokenValidator->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+
+        $unsignedJwt = (new Builder())
+            ->setAudience('client-id')
+            ->setId('token-id', true)
+            ->setIssuedAt(time())
+            ->setNotBefore(time())
+            ->setExpiration(time())
+            ->setSubject('user-id')
+            ->set('scopes', 'scope1 scope2 scope3 scope4')
+            ->getToken();
+
+        $request = new ServerRequest();
+        $request = $request->withHeader('authorization', sprintf('Bearer %s', $unsignedJwt));
+
+        $bearerTokenValidator->validateAuthorization($request);
+    }
+}
--- a/tests/CryptTraitTest.php
+++ b/tests/CryptTraitTest.php
@@ -1,55 +0,0 @@
-<?php
-
-namespace LeagueTests\Utils;
-
-use League\OAuth2\Server\CryptKey;
-use LeagueTests\Stubs\CryptTraitStub;
-
-class CryptTraitTest extends \PHPUnit_Framework_TestCase
-{
-    /**
-     * CryptTrait stub
-     */
-    protected $cryptStub;
-
-    public function setUp()
-    {
-        $this->cryptStub = new CryptTraitStub;
-    }
-
-    public function testEncryptDecrypt()
-    {
-        $payload = 'alex loves whisky';
-        $encrypted = $this->cryptStub->doEncrypt($payload);
-        $plainText = $this->cryptStub->doDecrypt($encrypted);
-
-        $this->assertNotEquals($payload, $encrypted);
-        $this->assertEquals($payload, $plainText);
-    }
-
-    /**
-     * @expectedException \LogicException
-     */
-    public function testBadPrivateKey()
-    {
-        $this->cryptStub->setPrivateKey(new CryptKey(__DIR__ . '/Stubs/public.key'));
-        $this->cryptStub->doEncrypt('');
-    }
-
-    /**
-     * @expectedException \LogicException
-     */
-    public function testBadPublicKey()
-    {
-        $this->cryptStub->setPublicKey(new CryptKey(__DIR__ . '/Stubs/private.key'));
-        $this->cryptStub->doDecrypt('');
-    }
-
-    /**
-     * @expectedException \LogicException
-     */
-    public function testNonExistentKey()
-    {
-        new CryptKey('foo/bar');
-    }
-}
--- a/tests/Grant/AbstractGrantTest.php
+++ b/tests/Grant/AbstractGrantTest.php
@@ -3,7 +3,6 @@
 namespace LeagueTests\Grant;

 use League\Event\Emitter;
-use League\OAuth2\Server\CryptKey;
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 use League\OAuth2\Server\Entities\AuthCodeEntityInterface;
 use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
@@ -19,16 +18,15 @@ use LeagueTests\Stubs\AuthCodeEntity;
 use LeagueTests\Stubs\ClientEntity;
 use LeagueTests\Stubs\RefreshTokenEntity;
 use LeagueTests\Stubs\ScopeEntity;
+use PHPUnit\Framework\TestCase;
 use Zend\Diactoros\ServerRequest;

-class AbstractGrantTest extends \PHPUnit_Framework_TestCase
+class AbstractGrantTest extends TestCase
 {
    public function testGetSet()
    {
        /** @var AbstractGrant $grantMock */
        $grantMock = $this->getMockForAbstractClass(AbstractGrant::class);
-        $grantMock->setPrivateKey(new CryptKey(__DIR__ . '/../Stubs/private.key'));
-        $grantMock->setPublicKey(new CryptKey(__DIR__ . '/../Stubs/public.key'));
        $grantMock->setEmitter(new Emitter());
    }

@@ -344,7 +342,7 @@ class AbstractGrantTest extends \PHPUnit_Framework_TestCase
        $accessToken = new AccessTokenEntity();
        /** @var RefreshTokenEntityInterface $refreshToken */
        $refreshToken = $issueRefreshTokenMethod->invoke($grantMock, $accessToken);
-        $this->assertTrue($refreshToken instanceof RefreshTokenEntityInterface);
+        $this->assertInstanceOf(RefreshTokenEntityInterface::class, $refreshToken);
        $this->assertEquals($accessToken, $refreshToken->getAccessToken());
    }

@@ -369,7 +367,7 @@ class AbstractGrantTest extends \PHPUnit_Framework_TestCase
            123,
            [new ScopeEntity()]
        );
-        $this->assertTrue($accessToken instanceof AccessTokenEntityInterface);
+        $this->assertInstanceOf(AccessTokenEntityInterface::class, $accessToken);
    }

    public function testIssueAuthCode()
@@ -385,7 +383,8 @@ class AbstractGrantTest extends \PHPUnit_Framework_TestCase
        $issueAuthCodeMethod = $abstractGrantReflection->getMethod('issueAuthCode');
        $issueAuthCodeMethod->setAccessible(true);

-        $this->assertTrue(
+        $this->assertInstanceOf(
+            AuthCodeEntityInterface::class,
            $issueAuthCodeMethod->invoke(
                $grantMock,
                new \DateInterval('PT1H'),
@@ -393,7 +392,7 @@ class AbstractGrantTest extends \PHPUnit_Framework_TestCase
                123,
                'http://foo/bar',
                [new ScopeEntity()]
-            ) instanceof AuthCodeEntityInterface
+            )
        );
    }

@@ -469,7 +468,7 @@ class AbstractGrantTest extends \PHPUnit_Framework_TestCase
        $method = $abstractGrantReflection->getMethod('generateUniqueIdentifier');
        $method->setAccessible(true);

-        $this->assertTrue(is_string($method->invoke($grantMock)));
+        $this->assertInternalType('string', $method->invoke($grantMock));
    }

    public function testCanRespondToAuthorizationRequest()
--- a/tests/Grant/AuthCodeGrantTest.php
+++ b/tests/Grant/AuthCodeGrantTest.php
@@ -2,7 +2,6 @@

 namespace LeagueTests\Grant;

-use League\OAuth2\Server\CryptKey;
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
 use League\OAuth2\Server\Exception\OAuthServerException;
@@ -23,15 +22,22 @@ use LeagueTests\Stubs\RefreshTokenEntity;
 use LeagueTests\Stubs\ScopeEntity;
 use LeagueTests\Stubs\StubResponseType;
 use LeagueTests\Stubs\UserEntity;
+use PHPUnit\Framework\TestCase;
 use Zend\Diactoros\ServerRequest;

-class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
+class AuthCodeGrantTest extends TestCase
 {
+    const DEFAULT_SCOPE = 'basic';
+
    /**
     * @var CryptTraitStub
     */
    protected $cryptStub;

+    const CODE_VERIFIER = 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk';
+
+    const CODE_CHALLENGE = 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM';
+
    public function setUp()
    {
        $this->cryptStub = new CryptTraitStub;
@@ -77,15 +83,22 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
    {
        $client = new ClientEntity();
        $client->setRedirectUri('http://foo/bar');
+
        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
        $clientRepositoryMock->method('getClientEntity')->willReturn($client);

+        $scope = new ScopeEntity();
+        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
+        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scope);
+
        $grant = new AuthCodeGrant(
            $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock(),
            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
            new \DateInterval('PT10M')
        );
        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setScopeRepository($scopeRepositoryMock);
+        $grant->setDefaultScope(self::DEFAULT_SCOPE);

        $request = new ServerRequest(
            [],
@@ -102,7 +115,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
            ]
        );

-        $this->assertTrue($grant->validateAuthorizationRequest($request) instanceof AuthorizationRequest);
+        $this->assertInstanceOf(AuthorizationRequest::class, $grant->validateAuthorizationRequest($request));
    }

    public function testValidateAuthorizationRequestRedirectUriArray()
@@ -112,12 +125,18 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
        $clientRepositoryMock->method('getClientEntity')->willReturn($client);

+        $scope = new ScopeEntity();
+        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
+        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scope);
+
        $grant = new AuthCodeGrant(
            $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock(),
            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
            new \DateInterval('PT10M')
        );
        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setScopeRepository($scopeRepositoryMock);
+        $grant->setDefaultScope(self::DEFAULT_SCOPE);

        $request = new ServerRequest(
            [],
@@ -134,7 +153,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
            ]
        );

-        $this->assertTrue($grant->validateAuthorizationRequest($request) instanceof AuthorizationRequest);
+        $this->assertInstanceOf(AuthorizationRequest::class, $grant->validateAuthorizationRequest($request));
    }

    public function testValidateAuthorizationRequestCodeChallenge()
@@ -144,6 +163,49 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
        $clientRepositoryMock->method('getClientEntity')->willReturn($client);

+        $scope = new ScopeEntity();
+        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
+        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scope);
+
+        $grant = new AuthCodeGrant(
+            $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock(),
+            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
+            new \DateInterval('PT10M')
+        );
+        $grant->enableCodeExchangeProof();
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setScopeRepository($scopeRepositoryMock);
+        $grant->setDefaultScope(self::DEFAULT_SCOPE);
+
+        $request = new ServerRequest(
+            [],
+            [],
+            null,
+            null,
+            'php://input',
+            [],
+            [],
+            [
+                'response_type'  => 'code',
+                'client_id'      => 'foo',
+                'redirect_uri'   => 'http://foo/bar',
+                'code_challenge' => self::CODE_CHALLENGE,
+            ]
+        );
+
+        $this->assertInstanceOf(AuthorizationRequest::class, $grant->validateAuthorizationRequest($request));
+    }
+
+    /**
+     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
+     */
+    public function testValidateAuthorizationRequestCodeChallengeInvalidLengthTooShort()
+    {
+        $client = new ClientEntity();
+        $client->setRedirectUri('http://foo/bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
        $grant = new AuthCodeGrant(
            $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock(),
            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
@@ -164,11 +226,85 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
                'response_type'  => 'code',
                'client_id'      => 'foo',
                'redirect_uri'   => 'http://foo/bar',
-                'code_challenge' => 'FOOBAR',
+                'code_challenge' => str_repeat('A', 42),
            ]
        );

-        $this->assertTrue($grant->validateAuthorizationRequest($request) instanceof AuthorizationRequest);
+        $grant->validateAuthorizationRequest($request);
+    }
+
+    /**
+     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
+     */
+    public function testValidateAuthorizationRequestCodeChallengeInvalidLengthTooLong()
+    {
+        $client = new ClientEntity();
+        $client->setRedirectUri('http://foo/bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $grant = new AuthCodeGrant(
+            $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock(),
+            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
+            new \DateInterval('PT10M')
+        );
+        $grant->enableCodeExchangeProof();
+        $grant->setClientRepository($clientRepositoryMock);
+
+        $request = new ServerRequest(
+            [],
+            [],
+            null,
+            null,
+            'php://input',
+            [],
+            [],
+            [
+                'response_type'  => 'code',
+                'client_id'      => 'foo',
+                'redirect_uri'   => 'http://foo/bar',
+                'code_challenge' => str_repeat('A', 129),
+            ]
+        );
+
+        $grant->validateAuthorizationRequest($request);
+    }
+
+    /**
+     * @expectedException \League\OAuth2\Server\Exception\OAuthServerException
+     */
+    public function testValidateAuthorizationRequestCodeChallengeInvalidCharacters()
+    {
+        $client = new ClientEntity();
+        $client->setRedirectUri('http://foo/bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $grant = new AuthCodeGrant(
+            $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock(),
+            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
+            new \DateInterval('PT10M')
+        );
+        $grant->enableCodeExchangeProof();
+        $grant->setClientRepository($clientRepositoryMock);
+
+        $request = new ServerRequest(
+            [],
+            [],
+            null,
+            null,
+            'php://input',
+            [],
+            [],
+            [
+                'response_type'  => 'code',
+                'client_id'      => 'foo',
+                'redirect_uri'   => 'http://foo/bar',
+                'code_challenge' => str_repeat('A', 42) . '!',
+            ]
+        );
+
+        $grant->validateAuthorizationRequest($request);
    }

    /**
@@ -318,6 +454,10 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
        $clientRepositoryMock->method('getClientEntity')->willReturn($client);

+        $scope = new ScopeEntity();
+        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
+        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scope);
+
        $grant = new AuthCodeGrant(
            $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock(),
            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
@@ -325,6 +465,8 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        );
        $grant->enableCodeExchangeProof();
        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setScopeRepository($scopeRepositoryMock);
+        $grant->setDefaultScope(self::DEFAULT_SCOPE);

        $request = new ServerRequest(
            [],
@@ -355,6 +497,10 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
        $clientRepositoryMock->method('getClientEntity')->willReturn($client);

+        $scope = new ScopeEntity();
+        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
+        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scope);
+
        $grant = new AuthCodeGrant(
            $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock(),
            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
@@ -362,6 +508,8 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        );
        $grant->enableCodeExchangeProof();
        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setScopeRepository($scopeRepositoryMock);
+        $grant->setDefaultScope(self::DEFAULT_SCOPE);

        $request = new ServerRequest(
            [],
@@ -399,11 +547,9 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
            new \DateInterval('PT10M')
        );
+        $grant->setEncryptionKey($this->cryptStub->getKey());

-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
-
-        $this->assertTrue($grant->completeAuthorizationRequest($authRequest) instanceof RedirectResponse);
+        $this->assertInstanceOf(RedirectResponse::class, $grant->completeAuthorizationRequest($authRequest));
    }

    /**
@@ -426,9 +572,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
            new \DateInterval('PT10M')
        );
-
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());

        $grant->completeAuthorizationRequest($authRequest);
    }
@@ -463,8 +607,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $grant->setScopeRepository($scopeRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());

        $request = new ServerRequest(
            [],
@@ -497,8 +640,8 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        /** @var StubResponseType $response */
        $response = $grant->respondToAccessTokenRequest($request, new StubResponseType(), new \DateInterval('PT10M'));

-        $this->assertTrue($response->getAccessToken() instanceof AccessTokenEntityInterface);
-        $this->assertTrue($response->getRefreshToken() instanceof RefreshTokenEntityInterface);
+        $this->assertInstanceOf(AccessTokenEntityInterface::class, $response->getAccessToken());
+        $this->assertInstanceOf(RefreshTokenEntityInterface::class, $response->getRefreshToken());
    }

    public function testRespondToAccessTokenRequestCodeChallengePlain()
@@ -532,8 +675,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $grant->setScopeRepository($scopeRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());

        $request = new ServerRequest(
            [],
@@ -548,7 +690,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
                'grant_type'    => 'authorization_code',
                'client_id'     => 'foo',
                'redirect_uri'  => 'http://foo/bar',
-                'code_verifier' => 'foobar',
+                'code_verifier' => self::CODE_VERIFIER,
                'code'          => $this->cryptStub->doEncrypt(
                    json_encode(
                        [
@@ -558,7 +700,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
                            'user_id'               => 123,
                            'scopes'                => ['foo'],
                            'redirect_uri'          => 'http://foo/bar',
-                            'code_challenge'        => 'foobar',
+                            'code_challenge'        => self::CODE_VERIFIER,
                            'code_challenge_method' => 'plain',
                        ]
                    )
@@ -569,8 +711,8 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        /** @var StubResponseType $response */
        $response = $grant->respondToAccessTokenRequest($request, new StubResponseType(), new \DateInterval('PT10M'));

-        $this->assertTrue($response->getAccessToken() instanceof AccessTokenEntityInterface);
-        $this->assertTrue($response->getRefreshToken() instanceof RefreshTokenEntityInterface);
+        $this->assertInstanceOf(AccessTokenEntityInterface::class, $response->getAccessToken());
+        $this->assertInstanceOf(RefreshTokenEntityInterface::class, $response->getRefreshToken());
    }

    public function testRespondToAccessTokenRequestCodeChallengeS256()
@@ -604,8 +746,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $grant->setScopeRepository($scopeRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());

        $request = new ServerRequest(
            [],
@@ -620,7 +761,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
                'grant_type'    => 'authorization_code',
                'client_id'     => 'foo',
                'redirect_uri'  => 'http://foo/bar',
-                'code_verifier' => 'foobar',
+                'code_verifier' => self::CODE_VERIFIER,
                'code'          => $this->cryptStub->doEncrypt(
                    json_encode(
                        [
@@ -630,7 +771,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
                            'user_id'               => 123,
                            'scopes'                => ['foo'],
                            'redirect_uri'          => 'http://foo/bar',
-                            'code_challenge'        => urlencode(base64_encode(hash('sha256', 'foobar'))),
+                            'code_challenge'        => self::CODE_CHALLENGE,
                            'code_challenge_method' => 'S256',
                        ]
                    )
@@ -641,8 +782,8 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        /** @var StubResponseType $response */
        $response = $grant->respondToAccessTokenRequest($request, new StubResponseType(), new \DateInterval('PT10M'));

-        $this->assertTrue($response->getAccessToken() instanceof AccessTokenEntityInterface);
-        $this->assertTrue($response->getRefreshToken() instanceof RefreshTokenEntityInterface);
+        $this->assertInstanceOf(AccessTokenEntityInterface::class, $response->getAccessToken());
+        $this->assertInstanceOf(RefreshTokenEntityInterface::class, $response->getRefreshToken());
    }

    /**
@@ -662,7 +803,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
            new \DateInterval('PT10M')
        );
        $grant->setClientRepository($clientRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());

        $request = new ServerRequest(
            [],
@@ -709,7 +850,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
            new \DateInterval('PT10M')
        );
        $grant->setClientRepository($clientRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());

        $request = new ServerRequest(
            [],
@@ -762,8 +903,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());

        $request = new ServerRequest(
            [],
@@ -808,8 +948,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());

        $request = new ServerRequest(
            [],
@@ -872,8 +1011,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());

        $request = new ServerRequest(
            [],
@@ -933,8 +1071,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());

        $request = new ServerRequest(
            [],
@@ -994,8 +1131,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());

        $request = new ServerRequest(
            [],
@@ -1053,8 +1189,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
        $grant->setScopeRepository($scopeRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());

        $request = new ServerRequest(
            [],
@@ -1069,7 +1204,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
                'grant_type'    => 'authorization_code',
                'client_id'     => 'foo',
                'redirect_uri'  => 'http://foo/bar',
-                'code_verifier' => 'nope',
+                'code_verifier' => self::CODE_VERIFIER,
                'code'          => $this->cryptStub->doEncrypt(
                    json_encode(
                        [
@@ -1126,8 +1261,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
        $grant->setScopeRepository($scopeRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());

        $request = new ServerRequest(
            [],
@@ -1164,7 +1298,151 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
            /* @var StubResponseType $response */
            $grant->respondToAccessTokenRequest($request, new StubResponseType(), new \DateInterval('PT10M'));
        } catch (OAuthServerException $e) {
-            $this->assertEquals($e->getHint(), 'Failed to verify `code_verifier`.');
+            $this->assertEquals($e->getHint(), 'Code Verifier must follow the specifications of RFC-7636.');
+        }
+    }
+
+    public function testRespondToAccessTokenRequestMalformedCodeVerifierS256WithInvalidChars()
+    {
+        $client = new ClientEntity();
+        $client->setIdentifier('foo');
+        $client->setRedirectUri('http://foo/bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
+        $scopeEntity = new ScopeEntity();
+        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scopeEntity);
+        $scopeRepositoryMock->method('finalizeScopes')->willReturnArgument(0);
+
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+        $accessTokenRepositoryMock->method('getNewToken')->willReturn(new AccessTokenEntity());
+        $accessTokenRepositoryMock->method('persistNewAccessToken')->willReturnSelf();
+
+        $refreshTokenRepositoryMock = $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock();
+        $refreshTokenRepositoryMock->method('persistNewRefreshToken')->willReturnSelf();
+        $refreshTokenRepositoryMock->method('getNewRefreshToken')->willReturn(new RefreshTokenEntity());
+
+        $grant = new AuthCodeGrant(
+            $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock(),
+            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
+            new \DateInterval('PT10M')
+        );
+        $grant->enableCodeExchangeProof();
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
+        $grant->setScopeRepository($scopeRepositoryMock);
+        $grant->setEncryptionKey($this->cryptStub->getKey());
+
+        $request = new ServerRequest(
+            [],
+            [],
+            null,
+            'POST',
+            'php://input',
+            [],
+            [],
+            [],
+            [
+                'grant_type'    => 'authorization_code',
+                'client_id'     => 'foo',
+                'redirect_uri'  => 'http://foo/bar',
+                'code_verifier' => 'dqX7C-RbqjHYtytmhGTigKdZCXfxq-+xbsk9_GxUcaE', // Malformed code. Contains `+`.
+                'code'          => $this->cryptStub->doEncrypt(
+                    json_encode(
+                        [
+                            'auth_code_id'          => uniqid(),
+                            'expire_time'           => time() + 3600,
+                            'client_id'             => 'foo',
+                            'user_id'               => 123,
+                            'scopes'                => ['foo'],
+                            'redirect_uri'          => 'http://foo/bar',
+                            'code_challenge'        => self::CODE_CHALLENGE,
+                            'code_challenge_method' => 'S256',
+                        ]
+                    )
+                ),
+            ]
+        );
+
+        try {
+            /* @var StubResponseType $response */
+            $grant->respondToAccessTokenRequest($request, new StubResponseType(), new \DateInterval('PT10M'));
+        } catch (OAuthServerException $e) {
+            $this->assertEquals($e->getHint(), 'Code Verifier must follow the specifications of RFC-7636.');
+        }
+    }
+
+    public function testRespondToAccessTokenRequestMalformedCodeVerifierS256WithInvalidLength()
+    {
+        $client = new ClientEntity();
+        $client->setIdentifier('foo');
+        $client->setRedirectUri('http://foo/bar');
+        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
+        $clientRepositoryMock->method('getClientEntity')->willReturn($client);
+
+        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
+        $scopeEntity = new ScopeEntity();
+        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scopeEntity);
+        $scopeRepositoryMock->method('finalizeScopes')->willReturnArgument(0);
+
+        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
+        $accessTokenRepositoryMock->method('getNewToken')->willReturn(new AccessTokenEntity());
+        $accessTokenRepositoryMock->method('persistNewAccessToken')->willReturnSelf();
+
+        $refreshTokenRepositoryMock = $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock();
+        $refreshTokenRepositoryMock->method('persistNewRefreshToken')->willReturnSelf();
+        $refreshTokenRepositoryMock->method('getNewRefreshToken')->willReturn(new RefreshTokenEntity());
+
+        $grant = new AuthCodeGrant(
+            $this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock(),
+            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
+            new \DateInterval('PT10M')
+        );
+        $grant->enableCodeExchangeProof();
+        $grant->setClientRepository($clientRepositoryMock);
+        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
+        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
+        $grant->setScopeRepository($scopeRepositoryMock);
+        $grant->setEncryptionKey($this->cryptStub->getKey());
+
+        $request = new ServerRequest(
+            [],
+            [],
+            null,
+            'POST',
+            'php://input',
+            [],
+            [],
+            [],
+            [
+                'grant_type'    => 'authorization_code',
+                'client_id'     => 'foo',
+                'redirect_uri'  => 'http://foo/bar',
+                'code_verifier' => 'dqX7C-RbqjHY', // Malformed code. Invalid length.
+                'code'          => $this->cryptStub->doEncrypt(
+                    json_encode(
+                        [
+                            'auth_code_id'          => uniqid(),
+                            'expire_time'           => time() + 3600,
+                            'client_id'             => 'foo',
+                            'user_id'               => 123,
+                            'scopes'                => ['foo'],
+                            'redirect_uri'          => 'http://foo/bar',
+                            'code_challenge'        => 'R7T1y1HPNFvs1WDCrx4lfoBS6KD2c71pr8OHvULjvv8',
+                            'code_challenge_method' => 'S256',
+                        ]
+                    )
+                ),
+            ]
+        );
+
+        try {
+            /* @var StubResponseType $response */
+            $grant->respondToAccessTokenRequest($request, new StubResponseType(), new \DateInterval('PT10M'));
+        } catch (OAuthServerException $e) {
+            $this->assertEquals($e->getHint(), 'Code Verifier must follow the specifications of RFC-7636.');
        }
    }

@@ -1199,8 +1477,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
        $grant->setScopeRepository($scopeRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());

        $request = new ServerRequest(
            [],
@@ -1259,11 +1536,9 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
            new \DateInterval('PT10M')
        );
+        $grant->setEncryptionKey($this->cryptStub->getKey());

-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
-
-        $this->assertTrue($grant->completeAuthorizationRequest($authRequest) instanceof RedirectResponse);
+        $this->assertInstanceOf(RedirectResponse::class, $grant->completeAuthorizationRequest($authRequest));
    }

    /**
@@ -1287,11 +1562,9 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
            $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
            new \DateInterval('PT10M')
        );
+        $grant->setEncryptionKey($this->cryptStub->getKey());

-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
-
-        $this->assertTrue($grant->completeAuthorizationRequest($authRequest) instanceof RedirectResponse);
+        $this->assertInstanceOf(RedirectResponse::class, $grant->completeAuthorizationRequest($authRequest));
    }

    /**
@@ -1316,10 +1589,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
            new \DateInterval('PT10M')
        );

-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
-
-        $this->assertTrue($grant->completeAuthorizationRequest($authRequest) instanceof RedirectResponse);
+        $this->assertInstanceOf(RedirectResponse::class, $grant->completeAuthorizationRequest($authRequest));
    }

    public function testRefreshTokenRepositoryUniqueConstraintCheck()
@@ -1353,8 +1623,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $grant->setScopeRepository($scopeRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());

        $request = new ServerRequest(
            [],
@@ -1387,8 +1656,8 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        /** @var StubResponseType $response */
        $response = $grant->respondToAccessTokenRequest($request, new StubResponseType(), new \DateInterval('PT10M'));

-        $this->assertTrue($response->getAccessToken() instanceof AccessTokenEntityInterface);
-        $this->assertTrue($response->getRefreshToken() instanceof RefreshTokenEntityInterface);
+        $this->assertInstanceOf(AccessTokenEntityInterface::class, $response->getAccessToken());
+        $this->assertInstanceOf(RefreshTokenEntityInterface::class, $response->getRefreshToken());
    }

    /**
@@ -1425,8 +1694,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $grant->setScopeRepository($scopeRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());

        $request = new ServerRequest(
            [],
@@ -1459,8 +1727,8 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        /** @var StubResponseType $response */
        $response = $grant->respondToAccessTokenRequest($request, new StubResponseType(), new \DateInterval('PT10M'));

-        $this->assertTrue($response->getAccessToken() instanceof AccessTokenEntityInterface);
-        $this->assertTrue($response->getRefreshToken() instanceof RefreshTokenEntityInterface);
+        $this->assertInstanceOf(AccessTokenEntityInterface::class, $response->getAccessToken());
+        $this->assertInstanceOf(RefreshTokenEntityInterface::class, $response->getRefreshToken());
    }

    /**
@@ -1497,8 +1765,7 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        $grant->setScopeRepository($scopeRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
-        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());

        $request = new ServerRequest(
            [],
@@ -1531,8 +1798,8 @@ class AuthCodeGrantTest extends \PHPUnit_Framework_TestCase
        /** @var StubResponseType $response */
        $response = $grant->respondToAccessTokenRequest($request, new StubResponseType(), new \DateInterval('PT10M'));

-        $this->assertTrue($response->getAccessToken() instanceof AccessTokenEntityInterface);
-        $this->assertTrue($response->getRefreshToken() instanceof RefreshTokenEntityInterface);
+        $this->assertInstanceOf(AccessTokenEntityInterface::class, $response->getAccessToken());
+        $this->assertInstanceOf(RefreshTokenEntityInterface::class, $response->getRefreshToken());
    }

    /**
--- a/tests/Grant/ClientCredentialsGrantTest.php
+++ b/tests/Grant/ClientCredentialsGrantTest.php
@@ -9,11 +9,15 @@ use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
 use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
 use LeagueTests\Stubs\AccessTokenEntity;
 use LeagueTests\Stubs\ClientEntity;
+use LeagueTests\Stubs\ScopeEntity;
 use LeagueTests\Stubs\StubResponseType;
+use PHPUnit\Framework\TestCase;
 use Zend\Diactoros\ServerRequest;

-class ClientCredentialsGrantTest extends \PHPUnit_Framework_TestCase
+class ClientCredentialsGrantTest extends TestCase
 {
+    const DEFAULT_SCOPE = 'basic';
+
    public function testGetIdentifier()
    {
        $grant = new ClientCredentialsGrant();
@@ -30,13 +34,16 @@ class ClientCredentialsGrantTest extends \PHPUnit_Framework_TestCase
        $accessTokenRepositoryMock->method('getNewToken')->willReturn(new AccessTokenEntity());
        $accessTokenRepositoryMock->method('persistNewAccessToken')->willReturnSelf();

+        $scope = new ScopeEntity();
        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
+        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scope);
        $scopeRepositoryMock->method('finalizeScopes')->willReturnArgument(0);

        $grant = new ClientCredentialsGrant();
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setScopeRepository($scopeRepositoryMock);
+        $grant->setDefaultScope(self::DEFAULT_SCOPE);

        $serverRequest = new ServerRequest();
        $serverRequest = $serverRequest->withParsedBody(
@@ -49,6 +56,6 @@ class ClientCredentialsGrantTest extends \PHPUnit_Framework_TestCase
        $responseType = new StubResponseType();
        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new \DateInterval('PT5M'));

-        $this->assertTrue($responseType->getAccessToken() instanceof AccessTokenEntityInterface);
+        $this->assertInstanceOf(AccessTokenEntityInterface::class, $responseType->getAccessToken());
    }
 }
--- a/tests/Grant/ImplicitGrantTest.php
+++ b/tests/Grant/ImplicitGrantTest.php
@@ -18,10 +18,13 @@ use LeagueTests\Stubs\CryptTraitStub;
 use LeagueTests\Stubs\ScopeEntity;
 use LeagueTests\Stubs\StubResponseType;
 use LeagueTests\Stubs\UserEntity;
+use PHPUnit\Framework\TestCase;
 use Zend\Diactoros\ServerRequest;

-class ImplicitGrantTest extends \PHPUnit_Framework_TestCase
+class ImplicitGrantTest extends TestCase
 {
+    const DEFAULT_SCOPE = 'basic';
+
    /**
     * CryptTrait stub
     */
@@ -96,6 +99,7 @@ class ImplicitGrantTest extends \PHPUnit_Framework_TestCase
        $grant = new ImplicitGrant(new \DateInterval('PT10M'));
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setScopeRepository($scopeRepositoryMock);
+        $grant->setDefaultScope(self::DEFAULT_SCOPE);

        $request = new ServerRequest(
            [],
@@ -112,7 +116,7 @@ class ImplicitGrantTest extends \PHPUnit_Framework_TestCase
            ]
        );

-        $this->assertTrue($grant->validateAuthorizationRequest($request) instanceof AuthorizationRequest);
+        $this->assertInstanceOf(AuthorizationRequest::class, $grant->validateAuthorizationRequest($request));
    }

    public function testValidateAuthorizationRequestRedirectUriArray()
@@ -130,6 +134,7 @@ class ImplicitGrantTest extends \PHPUnit_Framework_TestCase
        $grant = new ImplicitGrant(new \DateInterval('PT10M'));
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setScopeRepository($scopeRepositoryMock);
+        $grant->setDefaultScope(self::DEFAULT_SCOPE);

        $request = new ServerRequest(
            [],
@@ -146,7 +151,7 @@ class ImplicitGrantTest extends \PHPUnit_Framework_TestCase
            ]
        );

-        $this->assertTrue($grant->validateAuthorizationRequest($request) instanceof AuthorizationRequest);
+        $this->assertInstanceOf(AuthorizationRequest::class, $grant->validateAuthorizationRequest($request));
    }

    /**
@@ -283,10 +288,9 @@ class ImplicitGrantTest extends \PHPUnit_Framework_TestCase

        $grant = new ImplicitGrant(new \DateInterval('PT10M'));
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);

-        $this->assertTrue($grant->completeAuthorizationRequest($authRequest) instanceof RedirectResponse);
+        $this->assertInstanceOf(RedirectResponse::class, $grant->completeAuthorizationRequest($authRequest));
    }

    /**
@@ -307,7 +311,6 @@ class ImplicitGrantTest extends \PHPUnit_Framework_TestCase

        $grant = new ImplicitGrant(new \DateInterval('PT10M'));
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);

        $grant->completeAuthorizationRequest($authRequest);
@@ -329,10 +332,9 @@ class ImplicitGrantTest extends \PHPUnit_Framework_TestCase

        $grant = new ImplicitGrant(new \DateInterval('PT10M'));
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);

-        $this->assertTrue($grant->completeAuthorizationRequest($authRequest) instanceof RedirectResponse);
+        $this->assertInstanceOf(RedirectResponse::class, $grant->completeAuthorizationRequest($authRequest));
    }

    /**
@@ -354,7 +356,6 @@ class ImplicitGrantTest extends \PHPUnit_Framework_TestCase

        $grant = new ImplicitGrant(new \DateInterval('PT10M'));
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);

        $grant->completeAuthorizationRequest($authRequest);
@@ -379,7 +380,6 @@ class ImplicitGrantTest extends \PHPUnit_Framework_TestCase

        $grant = new ImplicitGrant(new \DateInterval('PT10M'));
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);

        $grant->completeAuthorizationRequest($authRequest);
--- a/tests/Grant/PasswordGrantTest.php
+++ b/tests/Grant/PasswordGrantTest.php
@@ -13,12 +13,16 @@ use League\OAuth2\Server\Repositories\UserRepositoryInterface;
 use LeagueTests\Stubs\AccessTokenEntity;
 use LeagueTests\Stubs\ClientEntity;
 use LeagueTests\Stubs\RefreshTokenEntity;
+use LeagueTests\Stubs\ScopeEntity;
 use LeagueTests\Stubs\StubResponseType;
 use LeagueTests\Stubs\UserEntity;
+use PHPUnit\Framework\TestCase;
 use Zend\Diactoros\ServerRequest;

-class PasswordGrantTest extends \PHPUnit_Framework_TestCase
+class PasswordGrantTest extends TestCase
 {
+    const DEFAULT_SCOPE = 'basic';
+
    public function testGetIdentifier()
    {
        $userRepositoryMock = $this->getMockBuilder(UserRepositoryInterface::class)->getMock();
@@ -46,13 +50,16 @@ class PasswordGrantTest extends \PHPUnit_Framework_TestCase
        $refreshTokenRepositoryMock->method('persistNewRefreshToken')->willReturnSelf();
        $refreshTokenRepositoryMock->method('getNewRefreshToken')->willReturn(new RefreshTokenEntity());

+        $scope = new ScopeEntity();
        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
+        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scope);
        $scopeRepositoryMock->method('finalizeScopes')->willReturnArgument(0);

        $grant = new PasswordGrant($userRepositoryMock, $refreshTokenRepositoryMock);
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setScopeRepository($scopeRepositoryMock);
+        $grant->setDefaultScope(self::DEFAULT_SCOPE);

        $serverRequest = new ServerRequest();
        $serverRequest = $serverRequest->withParsedBody(
@@ -67,8 +74,8 @@ class PasswordGrantTest extends \PHPUnit_Framework_TestCase
        $responseType = new StubResponseType();
        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new \DateInterval('PT5M'));

-        $this->assertTrue($responseType->getAccessToken() instanceof AccessTokenEntityInterface);
-        $this->assertTrue($responseType->getRefreshToken() instanceof RefreshTokenEntityInterface);
+        $this->assertInstanceOf(AccessTokenEntityInterface::class, $responseType->getAccessToken());
+        $this->assertInstanceOf(RefreshTokenEntityInterface::class, $responseType->getRefreshToken());
    }

    /**
--- a/tests/Grant/RefreshTokenGrantTest.php
+++ b/tests/Grant/RefreshTokenGrantTest.php
@@ -16,12 +16,13 @@ use LeagueTests\Stubs\CryptTraitStub;
 use LeagueTests\Stubs\RefreshTokenEntity;
 use LeagueTests\Stubs\ScopeEntity;
 use LeagueTests\Stubs\StubResponseType;
+use PHPUnit\Framework\TestCase;
 use Zend\Diactoros\ServerRequest;

-class RefreshTokenGrantTest extends \PHPUnit_Framework_TestCase
+class RefreshTokenGrantTest extends TestCase
 {
    /**
-     * CryptTrait stub
+     * @var CryptTraitStub
     */
    protected $cryptStub;

@@ -45,27 +46,24 @@ class RefreshTokenGrantTest extends \PHPUnit_Framework_TestCase
        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
        $clientRepositoryMock->method('getClientEntity')->willReturn($client);

-        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
        $scopeEntity = new ScopeEntity();
+        $scopeEntity->setIdentifier('foo');
+        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scopeEntity);

        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
        $accessTokenRepositoryMock->method('getNewToken')->willReturn(new AccessTokenEntity());
-        $accessTokenRepositoryMock
-            ->expects($this->once())
-            ->method('persistNewAccessToken')->willReturnSelf();
+        $accessTokenRepositoryMock->expects($this->once())->method('persistNewAccessToken')->willReturnSelf();

        $refreshTokenRepositoryMock = $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock();
        $refreshTokenRepositoryMock->method('getNewRefreshToken')->willReturn(new RefreshTokenEntity());
-        $refreshTokenRepositoryMock
-            ->expects($this->once())
-            ->method('persistNewRefreshToken')->willReturnSelf();
+        $refreshTokenRepositoryMock->expects($this->once())->method('persistNewRefreshToken')->willReturnSelf();

        $grant = new RefreshTokenGrant($refreshTokenRepositoryMock);
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setScopeRepository($scopeRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));

        $oldRefreshToken = $this->cryptStub->doEncrypt(
@@ -82,19 +80,18 @@ class RefreshTokenGrantTest extends \PHPUnit_Framework_TestCase
        );

        $serverRequest = new ServerRequest();
-        $serverRequest = $serverRequest->withParsedBody(
-            [
-                'client_id'     => 'foo',
-                'client_secret' => 'bar',
-                'refresh_token' => $oldRefreshToken,
-            ]
-        );
+        $serverRequest = $serverRequest->withParsedBody([
+            'client_id'     => 'foo',
+            'client_secret' => 'bar',
+            'refresh_token' => $oldRefreshToken,
+            'scopes'        => ['foo'],
+        ]);

        $responseType = new StubResponseType();
        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new \DateInterval('PT5M'));

-        $this->assertTrue($responseType->getAccessToken() instanceof AccessTokenEntityInterface);
-        $this->assertTrue($responseType->getRefreshToken() instanceof RefreshTokenEntityInterface);
+        $this->assertInstanceOf(AccessTokenEntityInterface::class, $responseType->getAccessToken());
+        $this->assertInstanceOf(RefreshTokenEntityInterface::class, $responseType->getRefreshToken());
    }

    public function testRespondToReducedScopes()
@@ -121,7 +118,7 @@ class RefreshTokenGrantTest extends \PHPUnit_Framework_TestCase
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setScopeRepository($scopeRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));

        $oldRefreshToken = $this->cryptStub->doEncrypt(
@@ -150,8 +147,8 @@ class RefreshTokenGrantTest extends \PHPUnit_Framework_TestCase
        $responseType = new StubResponseType();
        $grant->respondToAccessTokenRequest($serverRequest, $responseType, new \DateInterval('PT5M'));

-        $this->assertTrue($responseType->getAccessToken() instanceof AccessTokenEntityInterface);
-        $this->assertTrue($responseType->getRefreshToken() instanceof RefreshTokenEntityInterface);
+        $this->assertInstanceOf(AccessTokenEntityInterface::class, $responseType->getAccessToken());
+        $this->assertInstanceOf(RefreshTokenEntityInterface::class, $responseType->getRefreshToken());
    }

    /**
@@ -180,7 +177,7 @@ class RefreshTokenGrantTest extends \PHPUnit_Framework_TestCase
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
        $grant->setScopeRepository($scopeRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));

        $oldRefreshToken = $this->cryptStub->doEncrypt(
@@ -227,7 +224,7 @@ class RefreshTokenGrantTest extends \PHPUnit_Framework_TestCase
        $grant = new RefreshTokenGrant($refreshTokenRepositoryMock);
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));

        $serverRequest = new ServerRequest();
@@ -259,7 +256,7 @@ class RefreshTokenGrantTest extends \PHPUnit_Framework_TestCase
        $grant = new RefreshTokenGrant($refreshTokenRepositoryMock);
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));

        $oldRefreshToken = 'foobar';
@@ -291,14 +288,13 @@ class RefreshTokenGrantTest extends \PHPUnit_Framework_TestCase
        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
        $accessTokenRepositoryMock->method('persistNewAccessToken')->willReturnSelf();

-
        $refreshTokenRepositoryMock = $this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock();
        $refreshTokenRepositoryMock->method('persistNewRefreshToken')->willReturnSelf();

        $grant = new RefreshTokenGrant($refreshTokenRepositoryMock);
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));

        $oldRefreshToken = $this->cryptStub->doEncrypt(
@@ -344,7 +340,7 @@ class RefreshTokenGrantTest extends \PHPUnit_Framework_TestCase
        $grant = new RefreshTokenGrant($refreshTokenRepositoryMock);
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));

        $oldRefreshToken = $this->cryptStub->doEncrypt(
@@ -391,7 +387,7 @@ class RefreshTokenGrantTest extends \PHPUnit_Framework_TestCase
        $grant = new RefreshTokenGrant($refreshTokenRepositoryMock);
        $grant->setClientRepository($clientRepositoryMock);
        $grant->setAccessTokenRepository($accessTokenRepositoryMock);
-        $grant->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $grant->setEncryptionKey($this->cryptStub->getKey());
        $grant->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));

        $oldRefreshToken = $this->cryptStub->doEncrypt(
--- a/tests/Middleware/AuthorizationServerMiddlewareTest.php
+++ b/tests/Middleware/AuthorizationServerMiddlewareTest.php
@@ -11,18 +11,24 @@ use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
 use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
 use LeagueTests\Stubs\AccessTokenEntity;
 use LeagueTests\Stubs\ClientEntity;
+use LeagueTests\Stubs\ScopeEntity;
 use LeagueTests\Stubs\StubResponseType;
+use PHPUnit\Framework\TestCase;
 use Zend\Diactoros\Response;
 use Zend\Diactoros\ServerRequestFactory;

-class AuthorizationServerMiddlewareTest extends \PHPUnit_Framework_TestCase
+class AuthorizationServerMiddlewareTest extends TestCase
 {
+    const DEFAULT_SCOPE = 'basic';
+
    public function testValidResponse()
    {
        $clientRepository = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
        $clientRepository->method('getClientEntity')->willReturn(new ClientEntity());

+        $scopeEntity = new ScopeEntity;
        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
+        $scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scopeEntity);
        $scopeRepositoryMock->method('finalizeScopes')->willReturnArgument(0);

        $accessRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
@@ -33,10 +39,11 @@ class AuthorizationServerMiddlewareTest extends \PHPUnit_Framework_TestCase
            $accessRepositoryMock,
            $scopeRepositoryMock,
            'file://' . __DIR__ . '/../Stubs/private.key',
-            'file://' . __DIR__ . '/../Stubs/public.key',
+            base64_encode(random_bytes(36)),
            new StubResponseType()
        );

+        $server->setDefaultScope(self::DEFAULT_SCOPE);
        $server->enableGrantType(new ClientCredentialsGrant());

        $_POST['grant_type'] = 'client_credentials';
@@ -66,7 +73,7 @@ class AuthorizationServerMiddlewareTest extends \PHPUnit_Framework_TestCase
            $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock(),
            $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock(),
            'file://' . __DIR__ . '/../Stubs/private.key',
-            'file://' . __DIR__ . '/../Stubs/public.key',
+            base64_encode(random_bytes(36)),
            new StubResponseType()
        );

@@ -97,7 +104,8 @@ class AuthorizationServerMiddlewareTest extends \PHPUnit_Framework_TestCase
        $response = $exception->generateHttpResponse(new Response());

        $this->assertEquals(302, $response->getStatusCode());
-        $this->assertEquals('http://foo/bar?error=invalid_scope&message=The+requested+scope+is+invalid%2C+unknown%2C+or+malformed&hint=Check+the+%60test%60+scope', $response->getHeader('location')[0]);
+        $this->assertEquals('http://foo/bar?error=invalid_scope&message=The+requested+scope+is+invalid%2C+unknown%2C+or+malformed&hint=Check+the+%60test%60+scope',
+            $response->getHeader('location')[0]);
    }

    public function testOAuthErrorResponseRedirectUriFragment()
@@ -106,6 +114,7 @@ class AuthorizationServerMiddlewareTest extends \PHPUnit_Framework_TestCase
        $response = $exception->generateHttpResponse(new Response(), true);

        $this->assertEquals(302, $response->getStatusCode());
-        $this->assertEquals('http://foo/bar#error=invalid_scope&message=The+requested+scope+is+invalid%2C+unknown%2C+or+malformed&hint=Check+the+%60test%60+scope', $response->getHeader('location')[0]);
+        $this->assertEquals('http://foo/bar#error=invalid_scope&message=The+requested+scope+is+invalid%2C+unknown%2C+or+malformed&hint=Check+the+%60test%60+scope',
+            $response->getHeader('location')[0]);
    }
 }
--- a/tests/Middleware/ResourceServerMiddlewareTest.php
+++ b/tests/Middleware/ResourceServerMiddlewareTest.php
@@ -8,10 +8,11 @@ use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
 use League\OAuth2\Server\ResourceServer;
 use LeagueTests\Stubs\AccessTokenEntity;
 use LeagueTests\Stubs\ClientEntity;
+use PHPUnit\Framework\TestCase;
 use Zend\Diactoros\Response;
 use Zend\Diactoros\ServerRequest;

-class ResourceServerMiddlewareTest extends \PHPUnit_Framework_TestCase
+class ResourceServerMiddlewareTest extends TestCase
 {
    public function testValidResponse()
    {
--- a/tests/PHPStan/AbstractGrantExtension.php
+++ b/tests/PHPStan/AbstractGrantExtension.php
@@ -0,0 +1,39 @@
+<?php
+declare(strict_types = 1);
+
+namespace LeagueTests\PHPStan;
+
+use League\OAuth2\Server\Grant\AbstractGrant;
+use PhpParser\Node\Expr\MethodCall;
+use PHPStan\Analyser\Scope;
+use PHPStan\Reflection\MethodReflection;
+use PHPStan\Type\DynamicMethodReturnTypeExtension;
+use PHPStan\Type\NullType;
+use PHPStan\Type\StringType;
+use PHPStan\Type\Type;
+use PHPStan\Type\TypeCombinator;
+
+final class AbstractGrantExtension implements DynamicMethodReturnTypeExtension
+{
+    public function getClass(): string
+    {
+        return AbstractGrant::class;
+    }
+
+    public function isMethodSupported(MethodReflection $methodReflection): bool
+    {
+        return in_array($methodReflection->getName(), [
+            'getRequestParameter',
+            'getQueryStringParameter',
+            'getCookieParameter',
+        ], true);
+    }
+
+    public function getTypeFromMethodCall(MethodReflection $methodReflection, MethodCall $methodCall, Scope $scope): Type
+    {
+        return TypeCombinator::union(...[
+            new StringType(),
+            isset($methodCall->args[2]) ? $scope->getType($methodCall->args[2]->value) : new NullType(),
+        ]);
+    }
+}
--- a/tests/ResourceServerTest.php
+++ b/tests/ResourceServerTest.php
@@ -6,9 +6,10 @@ namespace LeagueTests;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
 use League\OAuth2\Server\ResourceServer;
+use PHPUnit\Framework\TestCase;
 use Zend\Diactoros\ServerRequestFactory;

-class ResourceServerTest extends \PHPUnit_Framework_TestCase
+class ResourceServerTest extends TestCase
 {
    public function testValidateAuthenticatedRequest()
    {
--- a/tests/ResponseTypes/BearerResponseTypeTest.php
+++ b/tests/ResponseTypes/BearerResponseTypeTest.php
@@ -11,19 +11,18 @@ use LeagueTests\Stubs\AccessTokenEntity;
 use LeagueTests\Stubs\ClientEntity;
 use LeagueTests\Stubs\RefreshTokenEntity;
 use LeagueTests\Stubs\ScopeEntity;
+use PHPUnit\Framework\TestCase;
 use Psr\Http\Message\ResponseInterface;
 use Zend\Diactoros\Response;
 use Zend\Diactoros\ServerRequest;

-class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase
+class BearerResponseTypeTest extends TestCase
 {
    public function testGenerateHttpResponse()
    {
-        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
-
-        $responseType = new BearerTokenResponse($accessTokenRepositoryMock);
+        $responseType = new BearerTokenResponse();
        $responseType->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $responseType->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $responseType->setEncryptionKey(base64_encode(random_bytes(36)));

        $client = new ClientEntity();
        $client->setIdentifier('clientName');
@@ -47,7 +46,7 @@ class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase

        $response = $responseType->generateHttpResponse(new Response());

-        $this->assertTrue($response instanceof ResponseInterface);
+        $this->assertInstanceOf(ResponseInterface::class, $response);
        $this->assertEquals(200, $response->getStatusCode());
        $this->assertEquals('no-cache', $response->getHeader('pragma')[0]);
        $this->assertEquals('no-store', $response->getHeader('cache-control')[0]);
@@ -55,19 +54,17 @@ class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase

        $response->getBody()->rewind();
        $json = json_decode($response->getBody()->getContents());
-        $this->assertEquals('Bearer', $json->token_type);
-        $this->assertTrue(isset($json->expires_in));
-        $this->assertTrue(isset($json->access_token));
-        $this->assertTrue(isset($json->refresh_token));
+        $this->assertAttributeEquals('Bearer', 'token_type', $json);
+        $this->assertObjectHasAttribute('expires_in', $json);
+        $this->assertObjectHasAttribute('access_token', $json);
+        $this->assertObjectHasAttribute('refresh_token', $json);
    }

    public function testGenerateHttpResponseWithExtraParams()
    {
-        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
-
-        $responseType = new BearerTokenResponseWithParams($accessTokenRepositoryMock);
+        $responseType = new BearerTokenResponseWithParams();
        $responseType->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $responseType->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $responseType->setEncryptionKey(base64_encode(random_bytes(36)));

        $client = new ClientEntity();
        $client->setIdentifier('clientName');
@@ -91,7 +88,7 @@ class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase

        $response = $responseType->generateHttpResponse(new Response());

-        $this->assertTrue($response instanceof ResponseInterface);
+        $this->assertInstanceOf(ResponseInterface::class, $response);
        $this->assertEquals(200, $response->getStatusCode());
        $this->assertEquals('no-cache', $response->getHeader('pragma')[0]);
        $this->assertEquals('no-store', $response->getHeader('cache-control')[0]);
@@ -99,23 +96,20 @@ class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase

        $response->getBody()->rewind();
        $json = json_decode($response->getBody()->getContents());
-        $this->assertEquals('Bearer', $json->token_type);
-        $this->assertTrue(isset($json->expires_in));
-        $this->assertTrue(isset($json->access_token));
-        $this->assertTrue(isset($json->refresh_token));
+        $this->assertAttributeEquals('Bearer', 'token_type', $json);
+        $this->assertObjectHasAttribute('expires_in', $json);
+        $this->assertObjectHasAttribute('access_token', $json);
+        $this->assertObjectHasAttribute('refresh_token', $json);

-        $this->assertTrue(isset($json->foo));
-        $this->assertEquals('bar', $json->foo);
+        $this->assertObjectHasAttribute('foo', $json);
+        $this->assertAttributeEquals('bar', 'foo', $json);
    }

    public function testDetermineAccessTokenInHeaderValidToken()
    {
-        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
-        $accessTokenRepositoryMock->method('isAccessTokenRevoked')->willReturn(false);
-
-        $responseType = new BearerTokenResponse($accessTokenRepositoryMock);
+        $responseType = new BearerTokenResponse();
        $responseType->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $responseType->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $responseType->setEncryptionKey(base64_encode(random_bytes(36)));

        $client = new ClientEntity();
        $client->setIdentifier('clientName');
@@ -141,7 +135,6 @@ class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase
        $accessTokenRepositoryMock->method('isAccessTokenRevoked')->willReturn(false);

        $authorizationValidator = new BearerTokenValidator($accessTokenRepositoryMock);
-        $authorizationValidator->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $authorizationValidator->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));

        $request = new ServerRequest();
@@ -158,11 +151,10 @@ class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase
    public function testDetermineAccessTokenInHeaderInvalidJWT()
    {
        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
-        $accessTokenRepositoryMock->method('isAccessTokenRevoked')->willReturn(false);

-        $responseType = new BearerTokenResponse($accessTokenRepositoryMock);
+        $responseType = new BearerTokenResponse();
        $responseType->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $responseType->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $responseType->setEncryptionKey(base64_encode(random_bytes(36)));

        $client = new ClientEntity();
        $client->setIdentifier('clientName');
@@ -185,7 +177,6 @@ class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase
        $json = json_decode((string) $response->getBody());

        $authorizationValidator = new BearerTokenValidator($accessTokenRepositoryMock);
-        $authorizationValidator->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $authorizationValidator->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));

        $request = new ServerRequest();
@@ -205,7 +196,7 @@ class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase
    {
        $responseType = new BearerTokenResponse();
        $responseType->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $responseType->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $responseType->setEncryptionKey(base64_encode(random_bytes(36)));

        $client = new ClientEntity();
        $client->setIdentifier('clientName');
@@ -231,7 +222,6 @@ class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase
        $accessTokenRepositoryMock->method('isAccessTokenRevoked')->willReturn(true);

        $authorizationValidator = new BearerTokenValidator($accessTokenRepositoryMock);
-        $authorizationValidator->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $authorizationValidator->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));

        $request = new ServerRequest();
@@ -249,16 +239,13 @@ class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase

    public function testDetermineAccessTokenInHeaderInvalidToken()
    {
-        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
-
-        $responseType = new BearerTokenResponse($accessTokenRepositoryMock);
+        $responseType = new BearerTokenResponse();
        $responseType->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $responseType->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $responseType->setEncryptionKey(base64_encode(random_bytes(36)));

        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();

        $authorizationValidator = new BearerTokenValidator($accessTokenRepositoryMock);
-        $authorizationValidator->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $authorizationValidator->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));

        $request = new ServerRequest();
@@ -276,16 +263,13 @@ class BearerResponseTypeTest extends \PHPUnit_Framework_TestCase

    public function testDetermineMissingBearerInHeader()
    {
-        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();
-
-        $responseType = new BearerTokenResponse($accessTokenRepositoryMock);
+        $responseType = new BearerTokenResponse();
        $responseType->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
-        $responseType->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));
+        $responseType->setEncryptionKey(base64_encode(random_bytes(36)));

        $accessTokenRepositoryMock = $this->getMockBuilder(AccessTokenRepositoryInterface::class)->getMock();

        $authorizationValidator = new BearerTokenValidator($accessTokenRepositoryMock);
-        $authorizationValidator->setPrivateKey(new CryptKey('file://' . __DIR__ . '/../Stubs/private.key'));
        $authorizationValidator->setPublicKey(new CryptKey('file://' . __DIR__ . '/../Stubs/public.key'));

        $request = new ServerRequest();
--- a/tests/Stubs/.gitattributes
+++ b/tests/Stubs/.gitattributes
@@ -0,0 +1 @@
+private.key.crlf text eol=crlf
--- a/tests/Stubs/CryptTraitStub.php
+++ b/tests/Stubs/CryptTraitStub.php
@@ -2,7 +2,6 @@

 namespace LeagueTests\Stubs;

-use League\OAuth2\Server\CryptKey;
 use League\OAuth2\Server\CryptTrait;

 class CryptTraitStub
@@ -11,8 +10,12 @@ class CryptTraitStub

    public function __construct()
    {
-        $this->setPrivateKey(new CryptKey('file://' . __DIR__ . '/private.key'));
-        $this->setPublicKey(new CryptKey('file://' . __DIR__ . '/public.key'));
+        $this->setEncryptionKey(base64_encode(random_bytes(36)));
+    }
+
+    public function getKey()
+    {
+        return $this->encryptionKey;
    }

    public function doEncrypt($unencryptedData)
--- a/tests/Stubs/private.key.crlf
+++ b/tests/Stubs/private.key.crlf
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAtHYxRBYATiiyDFs3pEhFg6Ei/UiQEmolTaQyQK810xHY23+X
+4elLl6HP1J09mefmJ3ZdIgjIOS6rfK1BQnZIvI+IkoC7+qpD92y9f48iL0tCYKsn
+i1LFFjP0bESTGDe7XANifQPkp9GvKgJbu7h1/ac8x4CBSU0ZjtEvinQRsdYil6OM
+MXLWGozbBy13X8G+Ganv2i1aPZ2B25GyrH6lVIEwztGrSYxUrFVL+8dHhONf6PYX
+19gjdzxkXCYQy2AGMc1FevZmnpIqDNQwX7CUUXQ4TDJmiP0aBEni094gUhnRFUr9
+dmGpLQcCb2i0WMh2K+swFk3EutDAJ+73LKoZ3QIDAQABAoIBADo8Tge3xd9zGIoO
+QbV9MRmaPW1ZJk0a/fDBRQpEwGzdvIqQ8VWQ8Lj9GdF18LQi9s3TT5i1FtAFNIfm
+bUHiY/SdqSgF7SOmIIrPB5QLf6+dbM0/TmKSklFo8L6jnohZK9g0q2rGf9p8Ozem
+TS4WB9WUS3PiD1a1T8Mb1Gisri0h7rvI4TIkrcx6lUUCgphCZd2TWUhmE3YmybOg
+4h855W685g/ydzjwB+5Y6CS3V6a78Z5Gb4df3l0XfqCWh/xzuNs7nIpRv8CE0vRE
+vq9j/cVyKkzMjiagteJaisTCBkDmtAi9dEVL8uaSDoTJq1g+VOGuJxHUm31Pavqr
+3RwvXS0CgYEA74jUqmzxAwr/uBWquIkfMg+hsKjJe3gsSAJIAPzcA9OkzZd9w/1R
+P8C92N2UaDbCW7ZEl7ZzS+IO6nA4OcR98j77/nBk6cYykyVRkSaj01epz3bRApxc
+R18e49MBftSMnI5R7lIJO/UAIRfd0rntX4jkdVAdn9s/VOvG8w4KQXcCgYEAwN3W
+b3azSNYlj4CW8+t6qS/3JQ/qpPgVuqkqP9dQXC9O6VlV03pJIwFk2Ldjd7/eXT+0
+hFVB3O71iECfet/1UgustlgFp5I4ZrPmYF/J1nGpx1KIE8P4d0qC8lODtdnsGAcU
+/vBjXinX7pWgM8e6LAJzqNUq/xal/wNY325dEsCgYB7J0+n+/ECToJhhApNbHq0
+g2LvcCh/Ka8iqsGYeGkqMoOWDKBlxvUiIRe6y1nFJvpQquqjUfP/fM+Ma3wM/2B9
+zzJChEjuBK/2BYblaQdr3rN47i7R99BeBaLdIZywN9m/mFC5hkYnJHUXjqzG7j8E
+El7bjgBdMx1hrQOR7ZMKSwKBgQC2SXXBiBlPwEdj6I/EH06h1hnrR63pGim/cN/j
+0ye62WPmHW+HH888bLbaNgqnRgtvayS85rAHlzst+pZBVqfRUgN9nJhLl2IDgAlA
+EYj9TBTBtXmz5MdUSHKXguO73yrMUvU8bOi1Q9I+IipcOGboWmoKikke/LbLa4lj
+/ZJpHQKBgQCuDanU+AJKgUQkkC2gHwT8quxPoRcFFErHp3iaDAwd5XsZJG9FHQUP
+RkPE+JkSaj65byFLhCPHUayfk4Y4udHEy4cXiv2SxZNK8q1HwuFEvb7uFprj0hNs
+14qJunONVt/jzswdwO5kGVbpGlHl7U0JABnTJP71fW/rE5SH4zYxqg==
+-----END RSA PRIVATE KEY-----
--- a/tests/Utils/CryptKeyTest.php
+++ b/tests/Utils/CryptKeyTest.php
@@ -3,8 +3,9 @@
 namespace LeagueTests\Utils;

 use League\OAuth2\Server\CryptKey;
+use PHPUnit\Framework\TestCase;

-class CryptKeyTest extends \PHPUnit_Framework_TestCase
+class CryptKeyTest extends TestCase
 {
    /**
     * @expectedException \LogicException
@@ -16,7 +17,7 @@ class CryptKeyTest extends \PHPUnit_Framework_TestCase

    public function testKeyCreation()
    {
-        $keyFile = __DIR__ . '/Stubs/public.key';
+        $keyFile = __DIR__ . '/../Stubs/public.key';
        $key = new CryptKey($keyFile, 'secret');

        $this->assertEquals('file://' . $keyFile, $key->getKeyPath());
@@ -25,7 +26,15 @@ class CryptKeyTest extends \PHPUnit_Framework_TestCase

    public function testKeyFileCreation()
    {
-        $keyContent = file_get_contents(__DIR__ . '/Stubs/public.key');
+        $keyContent = file_get_contents(__DIR__ . '/../Stubs/public.key');
+        $key = new CryptKey($keyContent);
+
+        $this->assertEquals(
+            'file://' . sys_get_temp_dir() . '/' . sha1($keyContent) . '.key',
+            $key->getKeyPath()
+        );
+
+        $keyContent = file_get_contents(__DIR__ . '/../Stubs/private.key.crlf');
        $key = new CryptKey($keyContent);

        $this->assertEquals(
--- a/tests/Utils/CryptTraitTest.php
+++ b/tests/Utils/CryptTraitTest.php
@@ -0,0 +1,41 @@
+<?php
+
+namespace LeagueTests\Utils;
+
+use Defuse\Crypto\Key;
+use LeagueTests\Stubs\CryptTraitStub;
+use PHPUnit\Framework\TestCase;
+
+class CryptTraitTest extends TestCase
+{
+    protected $cryptStub;
+
+    protected function setUp()
+    {
+        $this->cryptStub = new CryptTraitStub();
+    }
+
+    public function testEncryptDecryptWithPassword()
+    {
+        $this->cryptStub->setEncryptionKey(base64_encode(random_bytes(36)));
+
+        $this->encryptDecrypt();
+    }
+
+    public function testEncryptDecryptWithKey()
+    {
+        $this->cryptStub->setEncryptionKey(Key::createNewRandomKey());
+
+        $this->encryptDecrypt();
+    }
+
+    private function encryptDecrypt()
+    {
+        $payload = 'alex loves whisky';
+        $encrypted = $this->cryptStub->doEncrypt($payload);
+        $plainText = $this->cryptStub->doDecrypt($encrypted);
+
+        $this->assertNotEquals($payload, $encrypted);
+        $this->assertEquals($payload, $plainText);
+    }
+}