felicity-iiith · backstroke-bot · Mar 8, 2019 · Mar 13, 2019 · Mar 13, 2019 · Mar 13, 2019
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,13 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+
+updates:
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -0,0 +1,38 @@
+---
+name: build
+
+on: [push, pull_request]
+
+env:
+    DEFAULT_COMPOSER_FLAGS: "--prefer-dist --no-interaction --no-progress --optimize-autoloader --ansi"
+
+jobs:
+    phpunit:
+        name: PHP ${{ matrix.php }} on ${{ matrix.os }}
+        runs-on: ${{ matrix.os }}
+        strategy:
+            fail-fast: false
+            matrix:
+                os: [ubuntu-latest]
+                php: ['7.0', '7.1', '7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3']
+
+        steps:
+            - name: Checkout
+              uses: actions/checkout@v4
+            - name: Install PHP
+              uses: shivammathur/setup-php@v2
+              with:
+                  php-version: ${{ matrix.php }}
+            - name: Get composer cache directory
+              id: composer-cache
+              run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
+            - name: Cache composer dependencies
+              uses: actions/cache@v4
+              with:
+                  path: ${{ steps.composer-cache.outputs.dir }}
+                  key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
+                  restore-keys: ${{ runner.os }}-composer-
+            - name: Install dependencies
+              run: composer update $DEFAULT_COMPOSER_FLAGS
+            - name: Run unit tests
+              run: vendor/bin/phpunit --verbose --colors=always tests
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,4 @@
+/.idea
+/vendor
+/composer.lock
+.phpunit.result.cache
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,16 +1,188 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
-The format is based on [Keep a Changelog](http://keepachangelog.com/)
-and this project adheres to [Semantic Versioning](http://semver.org/).
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+[unreleased]
+- Updated CI to also test on PHP 8.3 #407
+- Updated readme PHP requirement to PHP 7.0+ #407
+- Added dependabot for GitHub Actions #407
+- Cast `$_SERVER['SERVER_PORT']` to integer to prevent adding 80 or 443 port to redirect URL. #403
+- Check subject when verifying JWT #406
+- Removed duplicate check on jwks_uri and only check if jwks_uri exists when needed #373
+
+## [1.0.0] - 2023-12-13
+
+### Added
+- PHP 7.0 is required. #327
+- Support for signed and encrypted UserInfo response and ID Token. #305
+- Allow to set User-Agent header. #370
+
+### Fixed
+- User-Agent is set for any HTTP method in fetchURL() (not just POST). #382
+- Update visibility of getWellKnownConfigValue to protected. #363
+- Fixed issue on authentication for php8. #354
+- Update construct typehint in docblock. #364
+- Fixed LogoutToken verification for single value aud claims. #334
+- Update well known config value function response types. #376
+
+## [0.9.10] - 2022-09-30
+
+### Fixed
+- `private_key_jwt` and `client_secret_jwt` need to explicitly be enabled #331
+
+## [0.9.9] - 2022-09-28
+
+### Added
+- Added support for back-channel logout. #302
+- Added support for `private_key_jwt` Client Authentication method #322
+- Added support for `client_secret_jwt` Client Authentication method #324
+- Added PS512 encryption support #342
+
+### Fixed
+- Harden self-signed JWK header usage. #323
+
+## [0.9.8] - 2022-08-05
+
+### Fixed
+- Do not use PKCE if IdP does not support it. #317
+
+## [0.9.7] - 2022-07-13
+
+### Added
+- Support for Self-Contained JWTs. #308
+- Support for RFC8693 Token Exchange Request. #275
+
+### Fixed
+- PHP 5.4 compatibility. #304
+- Use session_status(). #306
+
+## [0.9.6] - 2022-05-08
+
+### Added
+- Support for [phpseclib/phpseclib](https://phpseclib.com/) version **3**. #260
+- Support client_secret on token endpoint with PKCE. #293
+- Added new parameter to `requestTokens()` to pass custom HTTP headers #297
+
+### Changed
+- Allow serializing `OpenIDConnectClient` using `serialize()` #295
+
+## [0.9.5] - 2021-11-24
+
+### Changed
+- signOut() Method parameter $accessToken -> $idToken to prevent confusion about access and id tokens usage. #127
+- Fixed issue where missing nonce within the claims was causing an exception. #280
+
+## [0.9.4] - 2021-11-21
+
+### Added
+- Enabled `client_secret_basic` authentication on `refreshToken()` #215
+- Basic auth support for requestResourceOwnerToken #271
+
+## [0.9.3] - 2021-11-20
+
+### Added
+- getRedirectURL() will not log a warning for PHP 7.1+ #179
+- it is now possible to disable upgrading from HTTP to HTTPS for development purposes by calling `setHttpUpgradeInsecureRequests(false)` #241
+- bugfix in getSessionKey when _SESSION key does not exist #251
+- Added scope parameter to refresh token request #225
+- bugfix in `verifyJWTclaims` when $accessToken is empty and $claims->at_hash is not #276
+- bugfix with the `empty` function in PHP 5.4 #267
+
+## [0.9.2] - 2020-11-16
 
-## [Unreleased]
 ### Added
-* Timeout is configurable via setTimeout method. This addresses issue #94.
-* Add the ability to authenticate using the Resource Owner flow (with or without the Client ID and ClientSecret). This addresses issue #98
-* Add support for HS256, HS512 and HS384 signatures
-* Removed unused calls to $this->getProviderConfigValue("token_endpoint_…
+- Support for [PKCE](https://tools.ietf.org/html/rfc7636). Currently, the supported methods are 'plain' and 'S256'.
+
+## [0.9.1] - 2020-08-27
+
+### Added
+- Add support for MS Azure Active Directory B2C user flows
 
 ### Changed
+- Fix at_hash verification #200
+- Getters for public parameters #204
+- Removed client ID query parameter when making a token request using Basic Auth
+- Use of `random_bytes()` for token generation instead of `uniqid()`; polyfill for PHP < 7.0 provided.
 
 ### Removed
+- Removed explicit content-length header - caused issues with proxy servers
+
+## [0.9.0] - 2020-03-09
+
+### Added
+- php 7.4 deprecates array_key_exists on objects, use property_exists in getVerifiedClaims and requestUserInfo
+- Adding a header to indicate JSON as the return type for userinfo endpoint #151
+- ~Updated OpenIDConnectClient to conditionally verify nonce #146~
+- Add possibility to change enc_type parameter for http_build_query #155
+- Adding OAuth 2.0 Token Introspection #156
+- Add optional parameters clientId/clientSecret for introspection #157 & #158
+- Adding OAuth 2.0 Token Revocation #160
+- Adding issuer validator #145
+- Adding signing algorithm PS256 #180
+- Check http status of request user info #186
+- URL encode clientId and clientSecret when using basic authentication, according to https://tools.ietf.org/html/rfc6749#section-2.3.1 #192
+- Adjust PHPDoc to state that null is also allowed #193
+
+### Changed
+- Bugfix/code cleanup #152
+- Cleanup PHPDoc #46e5b59
+- Replace unnecessary double quotes with single quotes #2a76b57
+- Use original function names instead of aliases #1f37892
+- Remove unnecessary default values #5ab801e
+- Explicit declare field $redirectURL #9187c0b
+- Remove unused code #1e65384
+- Fix indent #e9cdf56
+- Cleanup conditional code flow for better readability #107f3fb
+- Added strict type comparisons #167
+- Bugfix: required `openid` scope was omitted when additional scopes were registered using `addScope` method. This resulted in failing OpenID process.
+
+## [0.8.0] - 2019-01-02
+
+### Added
+- Fix `verifyJWTsignature()`: verify JWT to prevent php errors and warnings on invalid token
+
+### Changed
+- Decouple session manipulation, it's allow use of other session libraries #134
+- Broaden version requirements of the phpseclib/phpseclib package. #144
+
+## [0.7.0] - 2018-10-15
+
+### Added
+- Add "license" field to composer.json #138
+- Ensure key_alg is set when getting key #139
+- Add option to send additional registration parameters like post_logout_redirect_uris. #140
+
+### Changed
+- disabled autoload for Crypt_RSA + make refreshToken() method tolerant for errors #137
+
+## [0.6.0] - 2018-07-17
+
+### Added
+- Added five minutes leeway due to clock skew between openidconnect server and client.
+- Fix save access_token from request in implicit flow authentication #129
+- `verifyJWTsignature()` method private -> public #126
+- Support for providers where provider/login URL is not the same as the issuer URL. #125
+- Support for providers that has a different login URL from the issuer URL, for instance Azure Active Directory. Here, the provider URL is on the format: https://login.windows.net/(tenant-id), while the issuer claim actually is on the format: https://sts.windows.net/(tenant-id).
+
+### Changed
+- refreshToken method update #124
+
+## [0.5.0] - 2018-04-09
+
+### Added
+- Implement Azure AD B2C Implicit Workflow
+
+## [0.4.1] - 2018-02-16
+
+### Changed
+- Documentation updates for include path.
+
+## [0.4.0] - 2018-02-15
+
+### Added
+- Timeout is configurable via setTimeout method. This addresses issue #94.
+- Add the ability to authenticate using the Resource Owner flow (with or without the Client ID and ClientSecret). This addresses issue #98
+- Add support for HS256, HS512 and HS384 signatures
+- Removed unused calls to $this->getProviderConfigValue("token_endpoint_…