From 4dfd38c1ad0d84b6cfc2b5cdd372858d068325de Mon Sep 17 00:00:00 2001
From: Marc Bennewitz
Date: Fri, 2 Nov 2018 10:04:17 +0100
Subject: [PATCH] An OAuth2 client is not a user

---
 src/OAuth2Adapter.php | 9 +++++++--
 test/OAuth2AdapterTest.php | 11 ++++++-----
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/src/OAuth2Adapter.php b/src/OAuth2Adapter.php
index 999bcd6..c24659c 100644
--- a/src/OAuth2Adapter.php
+++ b/src/OAuth2Adapter.php
@@ -29,6 +29,11 @@ class OAuth2Adapter implements AuthenticationInterface
      */
     protected $responseFactory;
 
+    /**
+     * @var callable
+     */
+    protected $userFactory;
+
     public function __construct(
         ResourceServer $resourceServer,
         callable $responseFactory,
@@ -56,9 +61,9 @@ public function authenticate(ServerRequestInterface $request) : ?UserInterface
         $result = $this->resourceServer->validateAuthenticatedRequest($request);
         $userId = $result->getAttribute('oauth_user_id', null);
         $clientId = $result->getAttribute('oauth_client_id', null);
-        if (isset($userId) || isset($clientId)) {
+        if (isset($userId)) {
             return ($this->userFactory)(
-                $userId ?? $clientId,
+                $userId,
                 [],
                 [
                     'oauth_user_id' => $userId,
diff --git a/test/OAuth2AdapterTest.php b/test/OAuth2AdapterTest.php
index e1bdb3a..1b1a80e 100644
--- a/test/OAuth2AdapterTest.php
+++ b/test/OAuth2AdapterTest.php
@@ -14,6 +14,7 @@
 use League\OAuth2\Server\ResourceServer;
 use PHPUnit\Framework\TestCase;
 use Prophecy\Argument;
+use Prophecy\Prophecy\ObjectProphecy;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use Zend\Expressive\Authentication\AuthenticationInterface;
@@ -32,6 +33,9 @@ class OAuth2AdapterTest extends TestCase
     /** @var callable */
     private $responseFactory;
 
+    /** @var callable */
+    private $userFactory;
+
     public function setUp()
     {
         $this->resourceServer = $this->prophesize(ResourceServer::class);
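Review bot: The new `isset($userId)` guard in the `authenticate()` hunk still admits an empty-string subject, because `isset('')` is true in PHP; if the resource server surfaces a token without a user as `oauth_user_id === ''` rather than `null` (JWT builders that cast the `sub` claim to string do this for client-credentials tokens — worth confirming against the league/oauth2-server version in use), a client-only token would still be turned into a user whose identity is `''`, which is exactly the client-as-user confusion this commit sets out to close. I would tighten the check to `if ($userId !== null && $userId !== '') {` and add a test that feeds `''` for `oauth_user_id` and expects `null`. The change also means client-credentials callers now get an unauthenticated result instead of a user, which is the right outcome but deserves a docblock line on `authenticate()`, e.g. `Returns null for tokens that carry no user (client_credentials grant): an OAuth2 client is not a user.` The method begins before this hunk and continues past it, so how exceptions from `validateAuthenticatedRequest()` are handled is out of view here.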
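Review bot: `use Prophecy\Prophecy\ObjectProphecy;` is added in the first test-file hunk, but none of the six lines this commit adds to the test file references it (the two new `$userFactory` lines are annotated `@var callable`, mirroring `$responseFactory`). If it only exists to resolve a docblock type on an existing property outside these hunks that is fine; otherwise it is an unused import and should be dropped from this change.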
@@ -122,7 +126,7 @@ public function testAuthenticateReturnsAUserIfTheResourceServerProducesAUserId()
         $this->assertSame([], $user->getRoles());
     }
 
-    public function testAuthenticateReturnsAClientIfTheResourceServerProducesAClientId()
+    public function testAuthenticateReturnNullIfTheResourceServerProducesAClientIdOnly()
     {
         $request = $this->prophesize(ServerRequestInterface::class);
         $request->getAttribute('oauth_user_id', null)->willReturn(null);
@@ -141,10 +145,7 @@ public function testAuthenticateReturnsAClientIfTheResourceServerProducesAClient
         );
 
         $user = $adapter->authenticate($request->reveal());
-
-        $this->assertInstanceOf(UserInterface::class, $user);
-        $this->assertSame('some-identifier', $user->getIdentity());
-        $this->assertSame([], $user->getRoles());
+        $this->assertNull($user);
     }
 
     public function testUnauthorizedResponseProducesAResponseWithAWwwAuthenticateHeader()