Documentation

This method is called on a valid authorization token request. The $data array is guaranteed to have the following keys:

• client_id: the validated client_id request parameter
• redirect_uri: the validated redirect_uri request parameter
• state: the state request parameter
• code_challenge: the code_challenge request parameter
• code_challenge_method: the code_challenge_method request parameter
• requested_scope: the value of the scope request parameter
• me: the value of the me key from the authentication result returned from the authentication request handler callback

It may also have additional keys, which can come from the following locations:

• All keys from the the authentication request handler callback result which do not clash with the keys listed above (with the exception of me, which is always present). Usually this is a profile key, but you may choose to return additional data from the authentication callback, which will be present in $data.
• Any keys added by the transformAuthorizationCode method on the currently active instance of Taproot\IndieAuth\Callback\AuthorizationFormInterface. Typically this is the scope key, which is a valid space-separated scope string listing the scopes granted by the user on the consent screen. Other implementations of AuthorizationFormInterface may add additional data, such as custom token-specific settings, or a custom token lifetime.

This method should store the data passed to it, generate a corresponding authorization code, and return an instance of Storage\Token containing both. Implementations will usually add an expiry time, usually under the valid_until key.

The method call and data is structured such that implementations have a lot of flexibility about how to store authorization code data. It could be a record in an auth code database table, a record in a table which is used for both auth codes and access tokens, or even a stateless self-encrypted token — note that in the latter case, you must persist a copy of the auth code with its exchanged access token to check against, in order to prevent it being exchanged more than once.

On an error, return null. The reason for the error is irrelevant for calling code, but it’s recommended to log it internally for reference. For the same reason, this method should not throw exceptions.

Attempt to exchange an authorization code identified by $code for an access token, returning it in a Token on success and null on error.

This method is called at the beginning of a code exchange request, before further error checking or validation is applied. On an error, the created access token is immediately revoked via revokeAccessToken().

For this reason, the token data in the returned Token object MUST include the client_id and redirect_uri parameters associated with the authorization code, as these are used by the IndieAuth Server for further validation.

This method is responsible for ensuring that the matched auth code is not expired. If it is, it should return null, presumably after deleting the corresponding authorization code record.

If the exchanged access token should expire, this method should set its expiry time, usually in a valid_until key.

Fetch access token data identified by the token $token, returning null if it is expired or invalid. The data should be structured in exactly the same way it was stored by exchangeAuthCodeForAccessToken.

Revoke the access token identified by $token. Return true on success, or false on error, including if the token did not exist.