Unfortunately the thephpleague/oauth2-server used by this library is does not work well with swoole server because its stateful. You can see data persisting between requests, in our case an access and refresh token get injected on the first successful password authentication and after that the same swoole worker serves a successful client credentials authentication and the response contains the refresh token on the first password authentication.

This is now fixed in 7.3.0 (thephpleague/oauth2-server#960) unfortunately zend-expressive-authentication-oauth2 used 6.x. It would be awesome if we can switch the dependancy to 7.x which in fact is fairly simple, because there is only a small BC break and it is addressed by this PR

• Are you fixing a bug?

  • Detail how the bug is invoked currently.
  • Detail the original, incorrect behavior.
  • Detail the new, expected behavior.
  • Base your feature on the master branch, and submit against that branch.
  • Add a regression test that demonstrates the bug, and proves the fix.
  • Add a CHANGELOG.md entry for the fix.

• Are you creating a new feature?

  • Why is the new feature needed? What purpose does it serve?
  • How will users use the new feature?
  • Base your feature on the develop branch, and submit against that branch.
  • Add only one feature per pull request; split multiple features over multiple pull requests
  • Add tests for the new feature.
  • Add documentation for the new feature.
  • Add a CHANGELOG.md entry for the new feature.

• Is this related to quality assurance?

• Is this related to documentation?