
@Sephster Sephster released this Apr 29, 2020 · 2 commits to master since this release

Added

  • Added support for PHP 7.4 (PR #1075)

Changed

  • If an error is encountered when running preg_match() to validate an RSA key, the server will now throw a RuntimeException (PR #1047)
  • Replaced deprecated methods with recommended ones when using Lcobucci\JWT\Builder to build a JWT token. (PR #1060)
  • When storing a key, we no longer touch the file before writing it as this is an unnecessary step (PR #1064)
  • Prefix native PHP functions in namespaces with backslashes for micro-optimisations (PR #1071)

Removed

  • Support for PHP 7.1 (PR #1075)

Fixed

  • Clients are now explicitly prevented from using the Client Credentials grant unless they are confidential, to conform with the OAuth2 spec (PR #1035)
  • Abstract method getIdentifier() added to AccessTokenTrait. The trait cannot be used without the getIdentifier() method being defined (PR #1051)
  • An exception is now thrown if a refresh token is accidentally sent in place of an authorization code when using the Auth Code Grant (PR #1057)
  • Can now send access token request without being forced to specify a redirect URI (PR #1096)
  • In the BearerTokenValidator, if an implementation is using PDO, there is a possibility that a RuntimeException will be thrown when checking if an access token is revoked. This scenario no longer incorrectly issues an exception with a hint mentioning an issue with JSON decoding. (PR #1107)

@Sephster Sephster released this Jul 13, 2019 · 83 commits to master since this release

Added

  • Flag, requireCodeChallengeForPublicClients, used to reject public clients that do not provide a code challenge for the Auth Code Grant; use AuthCodeGrant::disableRequireCodeChallengeForPublicClients() to turn off this requirement (PR #938)
  • Public clients can now use the Auth Code Grant (PR #938)
  • isConfidential getter added to ClientEntity to identify type of client (PR #938)
  • Function validateClient() added to validate clients which was previously performed by the getClientEntity() function (PR #938)
  • Add a new function to the AbstractGrant class called getClientEntityOrFail(). This is a wrapper around the getClientEntity() function that ensures an exception is thrown if the repository doesn't return a client entity. (PR #1010)

Changed

  • Replace convertToJWT() interface with a more generic __toString() to improve extensibility; AccessTokenEntityInterface now requires setPrivateKey(CryptKey $privateKey) so __toString() has everything it needs to work (PR #874)
  • The invalidClient() function accepts a PSR-7 compliant $serverRequest argument to avoid accessing the $_SERVER global variable and improve testing (PR #899)
  • issueAccessToken() in the Abstract Grant no longer sets access token client, user ID or scopes. These values should already have been set when calling getNewToken() (PR #919)
  • No longer need to enable PKCE with enableCodeExchangeProof flag. Any client sending a code challenge will initiate PKCE checks. (PR #938)
  • Function getClientEntity() no longer performs client validation (PR #938)
  • Password Grant now returns an invalid_grant error instead of invalid_credentials if a user cannot be validated (PR #967)
  • Use DateTimeImmutable() instead of DateTime(), time() instead of (new DateTime())->getTimeStamp(), and DateTime::getTimeStamp() instead of DateTime::format('U') (PR #963)

Removed

  • enableCodeExchangeProof flag (PR #938)
  • Support for PHP 7.0 (PR #1014)
  • Remove JTI claim from JWT header (PR #1031)
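As an added example (not code from the oauth2-server project), the plain PHP below models the client-type rules described in the two most recent releases above: a public client using the Auth Code Grant must send a PKCE code challenge (the requireCodeChallengeForPublicClients behaviour, on by default), only a confidential client may use the Client Credentials grant, and the S256 verifier check that the stored challenge is later compared against at the token endpoint. The class and function names (DemoClient, authorizationRequestAllowed, clientCredentialsAllowed, codeVerifierMatches) are hypothetical stand-ins, not the library's API; the sample clients are constructed, and the verifier value is the one from RFC 7636 appendix B.

```php
<?php
declare(strict_types=1);

// Added illustration only; this is not code from league/oauth2-server.
// Names below are hypothetical stand-ins for the library's client entity and grants.

final class DemoClient
{
    /** @var string */
    private $id;
    /** @var bool */
    private $confidential;

    public function __construct(string $id, bool $confidential)
    {
        $this->id = $id;
        $this->confidential = $confidential;
    }

    public function getIdentifier(): string
    {
        return $this->id;
    }

    // Same role as the isConfidential() getter mentioned in the notes: a confidential
    // client can keep a secret, a public client (SPA, native app) cannot.
    public function isConfidential(): bool
    {
        return $this->confidential;
    }
}

// Auth Code Grant: a public client that omits code_challenge is rejected unless the
// operator has explicitly switched the requirement off (default: required).
function authorizationRequestAllowed(DemoClient $client, array $query, bool $requireChallengeForPublic = true): bool
{
    if ($client->isConfidential() || !$requireChallengeForPublic) {
        return true;
    }
    return isset($query['code_challenge']) && $query['code_challenge'] !== '';
}

// Client Credentials Grant: no user is involved and the client is the only party
// authenticated, so a client that cannot hold a secret must not use it.
function clientCredentialsAllowed(DemoClient $client): bool
{
    return $client->isConfidential();
}

// Base64url encoding without padding, as RFC 7636 specifies for PKCE.
function base64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Token-endpoint side of PKCE: the code_verifier sent with the authorization code
// must reproduce the code_challenge stored at authorization time. S256 is the
// method to accept; "plain" is shown only for the comparison and should not be
// enabled in a real deployment.
function codeVerifierMatches(string $verifier, string $storedChallenge, string $method): bool
{
    // RFC 7636 section 4.1: 43 to 128 unreserved characters.
    if (preg_match('/^[A-Za-z0-9\-._~]{43,128}$/', $verifier) !== 1) {
        return false;
    }
    $expected = $method === 'S256'
        ? base64url(hash('sha256', $verifier, true))
        : $verifier;
    // Constant-time comparison so the check does not leak through timing.
    return hash_equals($storedChallenge, $expected);
}

// Constructed sample data for a stand-alone run.
$spa     = new DemoClient('spa-frontend', false);
$backend = new DemoClient('billing-service', true);
$verifier  = 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk'; // RFC 7636 appendix B verifier
$challenge = base64url(hash('sha256', $verifier, true));

var_dump(authorizationRequestAllowed($spa, []));                               // public client, no challenge
var_dump(authorizationRequestAllowed($spa, ['code_challenge' => $challenge])); // public client with challenge
var_dump(authorizationRequestAllowed($backend, []));                           // confidential client, no challenge
var_dump(clientCredentialsAllowed($spa));                                      // public client on client credentials
var_dump(codeVerifierMatches($verifier, $challenge, 'S256'));                  // matching verifier
var_dump(codeVerifierMatches(str_repeat('x', 43), $challenge, 'S256'));        // non-matching verifier
```

The two policy functions deliberately take the client entity rather than the raw client_secret, mirroring the split the notes describe between client validation (validateClient()) and client lookup (getClientEntity()): once the client is known to be public, the grant decision no longer depends on whether a secret happened to be supplied.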
  • 7.4.0 · 2eb1cf7

@Sephster Sephster released this May 5, 2019 · 214 commits to master since this release

Changed

  • RefreshTokenRepository can now return null, allowing refresh tokens to be optional. (PR #649)
  • 7.3.3 · c7f4998

@Sephster Sephster released this Mar 29, 2019 · 229 commits to master since this release

Added

  • Added error_description to the error payload to improve standards compliance. The contents of this are copied from the existing message value. (PR #1006)

Deprecated

  • The error payload will no longer include the message value in the next major release (PR #1006)

@Sephster Sephster released this Nov 21, 2018 · 239 commits to master since this release

Fixed

  • Revert setting keys on response type to be inside getResponseType() function instead of AuthorizationServer constructor (PR #969)
  • 7.3.1 · f2cd364

@Sephster Sephster released this Nov 15, 2018 · 245 commits to master since this release

Fixed

  • Fix issue with previous release where interface had changed for the AuthorizationServer. Reverted to the previous interface while maintaining functionality changes (PR #970)
  • 7.3.0 · a61c6a3

@Sephster Sephster released this Nov 13, 2018 · 248 commits to master since this release

Changed

  • Moved the finalizeScopes() call from validateAuthorizationRequest method to the completeAuthorizationRequest method so it is called just before the access token is issued (PR #923)

Added

  • Added a ScopeTrait to provide an implementation for jsonSerialize (PR #952)
  • Ability to nest exceptions (PR #965)

Fixed

  • Fix issue where AuthorizationServer is not stateless as ResponseType could store state of a previous request (PR #960)
  • 7.2.0 · 8184f77

@Sephster Sephster released this Jun 23, 2018 · 294 commits to master since this release

Changed

  • Added a new validateRedirectUri() method to AbstractGrant to remove three instances of code duplication (PR #912)
  • Allow 640 as a crypt key file permission (PR #917)

Added

  • Function hasRedirect() added to OAuthServerException (PR #703)

Fixed

  • Catch and handle BadMethodCallException from the verify() method of the JWT token in the validateAuthorization method (PR #904)
  • 4.1.7 · 1385249

@Sephster Sephster released this Jun 23, 2018

Fixed

  • Ensure empty() function call only contains variable to be compatible with PHP 5.4 (PR #918)
  • 7.1.1 · 2e47fa7

@Sephster Sephster released this May 21, 2018 · 323 commits to master since this release

Fixed

  • No longer set a WWW-Authenticate header for invalid clients if the client did not send an Authorization header in the original request (PR #902)