Skip to content

Commit

Permalink
Merge commit 'e46f108adf9be166f232edfe1e5315e6fcf168e5' from jumbojet…
Browse files Browse the repository at this point in the history 
…t/master

* commit 'e46f108adf9be166f232edfe1e5315e6fcf168e5':
  chore: Update visibility of getWellKnownConfigValue to protected (jumbojett#363)
  chore: Update construct typehint in docblock (jumbojett#364)
  Update CHANGELOG.md
  docs: fix changelog format
  Correct variable docstring
  Fix if statement to throw error instead of bypass
  Add an extra check on $_REQUEST['state']
  Fix return type
  Removed interface and added function that can be extended to add the jwe functionality
  Remove unnecessary method overrides in UnitTest
  Add Changelog entry
  Fix LogoutToken verification for single value `aud` claims
  Updated changelog
  Added id token jwe decryption
  set response as jwt when not jwe
  use correct types
  Added userInfo response type check to handle signed and encrypted responses

# Conflicts:
#	CHANGELOG.md
  • Loading branch information
@Magentron
Magentron committed Apr 3, 2023
2 parents 8ef1281 + e46f108 commit 5e83bc4
Show file tree
Hide file tree
Showing 3 changed files with 365 additions and 167 deletions.
233 changes: 110 additions & 123 deletions CHANGELOG.md
View file
Original file line number Diff line number Diff line change
@@ -1,191 +1,178 @@
# Changelog
All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](http://keepachangelog.com/)
and this project adheres to [Semantic Versioning](http://semver.org/).

## [0.9.11]

### Added
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [unreleased]
* Update visibility of getWellKnownConfigValue to protected. #363
* Fixed issue on authentication for php8. #354
* Enabled `client_secret_basic` authentication on `requestClientCredentialsToken()` #347
* Support for signed and encrypted UserInfo response. #305
* Support for signed and encrypted ID Token. #305
* Update construct typehint in docblock. #364
* Fixed LogoutToken verification for single value aud claims #334

## [0.9.10]

## Fixed
### Added
- Support for signed and encrypted UserInfo response. #305
- Support for signed and encrypted ID Token. #305

* `private_key_jwt` and `client_secret_jwt` need to explicitly be enabled #331
## [0.9.10] - 2022-09-30

### Fixed
- `private_key_jwt` and `client_secret_jwt` need to explicitly be enabled #331

## [0.9.9]
## [0.9.9] - 2022-09-28

### Added
- Added support for back-channel logout. #302
- Added support for `private_key_jwt` Client Authentication method #322
- Added support for `client_secret_jwt` Client Authentication method #324
- Added PS512 encryption support #342

* Added support for back-channel logout. #302
* Added support for `private_key_jwt` Client Authentication method #322
* Added support for `client_secret_jwt` Client Authentication method #324
* Added PS512 encryption support #342

## Fixed

* Harden self-signed JWK header usage. #323

## [0.9.8]
### Fixed
- Harden self-signed JWK header usage. #323

## Fixed
## [0.9.8] - 2022-08-05

* Do not use PKCE if IdP does not support it. #317
### Fixed
- Do not use PKCE if IdP does not support it. #317

## [0.9.7]
## [0.9.7] - 2022-07-13

### Added

* Support for Self-Contained JWTs. #308
* Support for RFC8693 Token Exchange Request. #275
- Support for Self-Contained JWTs. #308
- Support for RFC8693 Token Exchange Request. #275

### Fixed
- PHP 5.4 compatibility. #304
- Use session_status(). #306

* PHP 5.4 compatibility. #304
* Use session_status(). #306

## [0.9.6]
## [0.9.6] - 2022-05-08

### Added

* Support for [phpseclib/phpseclib](https://phpseclib.com/) version **3**. #260
* Support client_secret on token endpoint with PKCE. #293
* Added new parameter to `requestTokens()` to pass custom HTTP headers #297
- Support for [phpseclib/phpseclib](https://phpseclib.com/) version **3**. #260
- Support client_secret on token endpoint with PKCE. #293
- Added new parameter to `requestTokens()` to pass custom HTTP headers #297

### Changed
- Allow serializing `OpenIDConnectClient` using `serialize()` #295

* Allow serializing `OpenIDConnectClient` using `serialize()` #295

## [0.9.5]
## [0.9.5] - 2021-11-24

### Changed
- signOut() Method parameter $accessToken -> $idToken to prevent confusion about access and id tokens usage. #127
- Fixed issue where missing nonce within the claims was causing an exception. #280

* signOut() Method parameter $accessToken -> $idToken to prevent confusion about access and id tokens usage. #127
* Fixed issue where missing nonce within the claims was causing an exception. #280

## [0.9.4]
## [0.9.4] - 2021-11-21

### Added
- Enabled `client_secret_basic` authentication on `refreshToken()` #215
- Basic auth support for requestResourceOwnerToken #271

* Enabled `client_secret_basic` authentication on `refreshToken()` #215
* Basic auth support for requestResourceOwnerToken #271

## [0.9.3]
## [0.9.3] - 2021-11-20

### Added
- getRedirectURL() will not log a warning for PHP 7.1+ #179
- it is now possible to disable upgrading from HTTP to HTTPS for development purposes by calling `setHttpUpgradeInsecureRequests(false)` #241
- bugfix in getSessionKey when _SESSION key does not exist #251
- Added scope parameter to refresh token request #225
- bugfix in `verifyJWTclaims` when $accessToken is empty and $claims->at_hash is not #276
- bugfix with the `empty` function in PHP 5.4 #267

* getRedirectURL() will not log a warning for PHP 7.1+ #179
* it is now possible to disable upgrading from HTTP to HTTPS for development purposes by calling `setHttpUpgradeInsecureRequests(false)` #241
* bugfix in getSessionKey when _SESSION key does not exist #251
* Added scope parameter to refresh token request #225
* bugfix in `verifyJWTclaims` when $accessToken is empty and $claims->at_hash is not #276
* bugfix with the `empty` function in PHP 5.4 #267

## [0.9.2]
## [0.9.2] - 2020-11-16

### Added
* Support for [PKCE](https://tools.ietf.org/html/rfc7636). Currently, the supported methods are 'plain' and 'S256'.
- Support for [PKCE](https://tools.ietf.org/html/rfc7636). Currently, the supported methods are 'plain' and 'S256'.

## [0.9.1]
## [0.9.1] - 2020-08-27

### Added
* Add support for MS Azure Active Directory B2C user flows
- Add support for MS Azure Active Directory B2C user flows

### Changed
* Fix at_hash verification #200
* Getters for public parameters #204
* Removed client ID query parameter when making a token request using Basic Auth
* Use of `random_bytes()` for token generation instead of `uniqid()`; polyfill for PHP < 7.0 provided.
- Fix at_hash verification #200
- Getters for public parameters #204
- Removed client ID query parameter when making a token request using Basic Auth
- Use of `random_bytes()` for token generation instead of `uniqid()`; polyfill for PHP < 7.0 provided.

### Removed
* Removed explicit content-length header - caused issues with proxy servers
- Removed explicit content-length header - caused issues with proxy servers


## [0.9.0]
## [0.9.0] - 2020-03-09

### Added
* php 7.4 deprecates array_key_exists on objects, use property_exists in getVerifiedClaims and requestUserInfo
* Adding a header to indicate JSON as the return type for userinfo endpoint #151
* ~Updated OpenIDConnectClient to conditionally verify nonce #146~
* Add possibility to change enc_type parameter for http_build_query #155
* Adding OAuth 2.0 Token Introspection #156
* Add optional parameters clientId/clientSecret for introspection #157 & #158
* Adding OAuth 2.0 Token Revocation #160
* Adding issuer validator #145
* Adding signing algorithm PS256 #180
* Check http status of request user info #186
* URL encode clientId and clientSecret when using basic authentication, according to https://tools.ietf.org/html/rfc6749#section-2.3.1 #192
* Adjust PHPDoc to state that null is also allowed #193
- php 7.4 deprecates array_key_exists on objects, use property_exists in getVerifiedClaims and requestUserInfo
- Adding a header to indicate JSON as the return type for userinfo endpoint #151
- ~Updated OpenIDConnectClient to conditionally verify nonce #146~
- Add possibility to change enc_type parameter for http_build_query #155
- Adding OAuth 2.0 Token Introspection #156
- Add optional parameters clientId/clientSecret for introspection #157 & #158
- Adding OAuth 2.0 Token Revocation #160
- Adding issuer validator #145
- Adding signing algorithm PS256 #180
- Check http status of request user info #186
- URL encode clientId and clientSecret when using basic authentication, according to https://tools.ietf.org/html/rfc6749#section-2.3.1 #192
- Adjust PHPDoc to state that null is also allowed #193

### Changed
* Bugfix/code cleanup #152
* Cleanup PHPDoc #46e5b59
* Replace unnecessary double quotes with single quotes #2a76b57
* Use original function names instead of aliases #1f37892
* Remove unnecessary default values #5ab801e
* Explicit declare field $redirectURL #9187c0b
* Remove unused code #1e65384
* Fix indent #e9cdf56
* Cleanup conditional code flow for better readability #107f3fb
* Added strict type comparisons #167
* Bugfix: required `openid` scope was omitted when additional scopes were registered using `addScope` method. This resulted in failing OpenID process.

## [0.8.0]
- Bugfix/code cleanup #152
- Cleanup PHPDoc #46e5b59
- Replace unnecessary double quotes with single quotes #2a76b57
- Use original function names instead of aliases #1f37892
- Remove unnecessary default values #5ab801e
- Explicit declare field $redirectURL #9187c0b
- Remove unused code #1e65384
- Fix indent #e9cdf56
- Cleanup conditional code flow for better readability #107f3fb
- Added strict type comparisons #167
- Bugfix: required `openid` scope was omitted when additional scopes were registered using `addScope` method. This resulted in failing OpenID process.

## [0.8.0] - 2019-01-02

### Added
* Fix `verifyJWTsignature()`: verify JWT to prevent php errors and warnings on invalid token
- Fix `verifyJWTsignature()`: verify JWT to prevent php errors and warnings on invalid token

### Changed
* Decouple session manipulation, it's allow use of other session libraries #134
* Broaden version requirements of the phpseclib/phpseclib package. #144
- Decouple session manipulation, it's allow use of other session libraries #134
- Broaden version requirements of the phpseclib/phpseclib package. #144

## [0.7.0]
## [0.7.0] - 2018-10-15

### Added
* Add "license" field to composer.json #138
* Ensure key_alg is set when getting key #139
* Add option to send additional registration parameters like post_logout_redirect_uris. #140
- Add "license" field to composer.json #138
- Ensure key_alg is set when getting key #139
- Add option to send additional registration parameters like post_logout_redirect_uris. #140

### Changed
* disabled autoload for Crypt_RSA + make refreshToken() method tolerant for errors #137

### Removed
*
- disabled autoload for Crypt_RSA + make refreshToken() method tolerant for errors #137

## [0.6.0]
## [0.6.0] - 2018-07-17

### Added
* Added five minutes leeway due to clock skew between openidconnect server and client.
* Fix save access_token from request in implicit flow authentication #129
* `verifyJWTsignature()` method private -> public #126
* Support for providers where provider/login URL is not the same as the issuer URL. #125
* Support for providers that has a different login URL from the issuer URL, for instance Azure Active Directory. Here, the provider URL is on the format: https://login.windows.net/(tenant-id), while the issuer claim actually is on the format: https://sts.windows.net/(tenant-id).
- Added five minutes leeway due to clock skew between openidconnect server and client.
- Fix save access_token from request in implicit flow authentication #129
- `verifyJWTsignature()` method private -> public #126
- Support for providers where provider/login URL is not the same as the issuer URL. #125
- Support for providers that has a different login URL from the issuer URL, for instance Azure Active Directory. Here, the provider URL is on the format: https://login.windows.net/(tenant-id), while the issuer claim actually is on the format: https://sts.windows.net/(tenant-id).

### Changed
* refreshToken method update #124
- refreshToken method update #124

### Removed
*

## [0.5.0]
## Added
* Implement Azure AD B2C Implicit Workflow
## [0.5.0] - 2018-04-09

## [0.4.1]
## Changed
* Documentation updates for include path.

## [0.4]
### Added
* Timeout is configurable via setTimeout method. This addresses issue #94.
* Add the ability to authenticate using the Resource Owner flow (with or without the Client ID and ClientSecret). This addresses issue #98
* Add support for HS256, HS512 and HS384 signatures
* Removed unused calls to $this->getProviderConfigValue("token_endpoint_
- Implement Azure AD B2C Implicit Workflow

## [0.4.1] - 2018-02-16

### Changed
- Documentation updates for include path.

### Removed
## [0.4.0] - 2018-02-15

### Added
- Timeout is configurable via setTimeout method. This addresses issue #94.
- Add the ability to authenticate using the Resource Owner flow (with or without the Client ID and ClientSecret). This addresses issue #98
- Add support for HS256, HS512 and HS384 signatures
- Removed unused calls to $this->getProviderConfigValue("token_endpoint_
Loading

0 comments on commit 5e83bc4

Please sign in to comment.