This repository was archived by the owner on Jan 29, 2020. It is now read-only.

Client entity properties #33

Closed
wants to merge 1 commit into from

Conversation

jguittard
Contributor

Add $userIdentifier property to Client entity, set revoked property to false by default

@jguittard
Contributor Author

ping @ezimuel @xtreamwayz @weierophinney

@weierophinney weierophinney changed the base branch from release-1.0.0 to master March 15, 2018 17:49
@ezimuel
Contributor

ezimuel commented Jul 11, 2018

@jguittard first of all, I'm sorry for this long delay on my reply :(
Can you provide a unit test for this PR? Thanks!

@marc-mabe
Member

@jguittard Why do you think an OAuth2 client should have a user property?

@geerteltink
Member

Same question as @marc-mabe... If you want to add user authentication to OAuth2, you need to look into OpenID Connect.

@ezimuel
Contributor

ezimuel commented Oct 31, 2018

@marc-mabe and @xtreamwayz the user property can be an idea in case of password grant, where an application exchanges the user’s username and password for an access token.

@marc-mabe
Member

@marc-mabe and @xtreamwayz the user property can be an idea in case of password grant, where an application exchanges the user’s username and password for an access token.

From my understanding the password grant should be used only for internal applications and not to authenticate your users for third parties, as this would allow the third party to get the username and password. For that reason I set up the allowed grant types for each client and check against that in getClientEntity with if (!$client->getGrantTypes()->contains($grantType)) ....

Also, if you want to know who has registered an application (OAuth2 client), that's an implementation detail for each auth server but should not be part of a general module. For example, in my auth server, first there is no need for that information, and second, if we needed something like that it would not be user-based but company-based, as it's B2B only (e.g. if a user leaves a company the user gets deactivated or even moved from one company to the other, but the client application should not).
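The per-client grant-type check marc-mabe describes, written out as an added example (not code from this PR or from the module): a ClientRepositoryInterface implementation that stores an allow-list of grant types on each client and makes getClientEntity refuse any client/grant combination outside it. It assumes PHP 8 and the league/oauth2-server 7.x getClientEntity signature; the entity class, the in-memory client map and the secret hashing are constructed for the example.

```php
<?php
declare(strict_types=1);
use League\OAuth2\Server\Entities\ClientEntityInterface;
use League\OAuth2\Server\Repositories\ClientRepositoryInterface;

// Hypothetical client entity that records which grant types the client may use.
final class RestrictedClient implements ClientEntityInterface
{
    /** @param string[] $grantTypes */
    public function __construct(
        private string $identifier,
        private string $name,
        private string $redirectUri,
        private string $secretHash,   // password_hash() of the client secret
        private array $grantTypes     // e.g. ['authorization_code', 'refresh_token']
    ) {}

    public function getIdentifier()  { return $this->identifier; }
    public function getName()        { return $this->name; }
    public function getRedirectUri() { return $this->redirectUri; }
    public function getSecretHash(): string { return $this->secretHash; }
    public function allowsGrantType(string $grantType): bool
    {
        return in_array($grantType, $this->grantTypes, true);
    }
}

// Repository that refuses a client/grant combination the client was not registered for.
final class GrantRestrictedClientRepository implements ClientRepositoryInterface
{
    /** @param array<string, RestrictedClient> $clients constructed sample data keyed by client id */
    public function __construct(private array $clients) {}

    public function getClientEntity($clientIdentifier, $grantType = null, $clientSecret = null, $mustValidateSecret = true)
    {
        $client = $this->clients[$clientIdentifier] ?? null;
        if ($client === null) {
            return null; // unknown client: the server answers with invalid_client
        }
        // Per-client allow-list: a client registered only for authorization_code
        // cannot use the password grant even when it presents valid credentials.
        if ($grantType !== null && !$client->allowsGrantType($grantType)) {
            return null;
        }
        if ($mustValidateSecret && !password_verify((string) $clientSecret, $client->getSecretHash())) {
            return null;
        }
        return $client;
    }
}
```

Returning null from getClientEntity is what league/oauth2-server 7.x expects for a rejected client; the grant then fails with an invalid_client error rather than issuing a token.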

@ezimuel
Contributor

ezimuel commented Nov 19, 2018

@marc-mabe the scenario that you described is the most used for third-party applications, but OAuth2 is an authorization framework with different use cases. The password grant that I mentioned is for first-party clients, which can also be just a backend PHP application. Anyway, I'm closing this PR since we are also proposing a new approach to user and client authorization in #55.

@ezimuel ezimuel closed this Nov 19, 2018