forked from jumbojett/OpenID-Connect-PHP
Progress on fixing upstream issues
JuliusPC edited this page May 16, 2021
·
5 revisions
Since jumbojett seems not be able or willing to fix problems with jumbojett/OpenID-Connect-PHP anymore, I forked the repo and fixed some issues. Below table shows the progress on some issues:
| Issue (or PR) | resolved in this repo | resolved in upstream repo? | comment |
|---|---|---|---|
| 174 | ✓ | added httpUpgradeInsecureRequests() for this |
|
| 255 and PR 251 | ✓ | ||
| PR 178 and PR 127 | ✓ | ||
| PR 179 | ✓ | ||
| 206 and PR 245, PR 215 | ✓ | As of 1.1.2, the algorithm to determine if client_secret_basic or client_secret_post will be used for authentication in refreshToken() and requestClientCredentialsToken() is now the same like in requestTokens(). |
|
| 169 | |||
| 120 | |||
| 194 and PR 195 | |||
| PR 225 | ✓ | This needs to be checked against the spec, should the openid scope be added in every case? Regardless of the flow in which the refresh token was obtained in Authorization Code Grant with openid scope or Resource Owner Password Credentials Grant? Rare edge case. Maybe the ROPCG should be removed from the library.
|
|
| 206 and PR 245 | Check if this should be applied to every token request routine. | ||
| 163 | ✓ | You can disable nonce checking if you really need via setUnsafeDisableNonce(true)
|