Fixed

Fixed

  • The server previously rejected valid URIs with custom schemes. Parsing now uses league/uri so that all valid URIs are accepted (PR #1274)

Security

Changed

  • Conditionally support the StrictValidAt() method in lcobucci/jwt so we can use version 4.1.x or greater of the library (PR #1236)
  • When providing invalid credentials, the library now responds with the error message "The user credentials were incorrect" (PR #1230)
  • Keys are always stored in memory now and are not written to a file in the /tmp directory (PR #1180)
  • The regex for matching the bearer token has been simplified (PR #1238)

Fixed

  • Revert check on clientID. We will no longer require this to be a string (PR #1233)

Added

  • The server will now validate redirect URIs according to RFC 8252 (PR #1203)
  • Events emitted now include the refresh token and access token payloads (PR #1211)
  • Use the revokeRefreshTokens() function to decide whether refresh tokens are revoked or not upon use (PR #1189)
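The RFC 8252 entry above refers to the rule in section 7.3 of that RFC: a redirect URI must match the registered one exactly, except that a loopback IP literal redirect (http://127.0.0.1:PORT/... or http://[::1]:PORT/...) may use a different port on each request, because a native app has to bind whatever port is free. The following is an added example written for this page, not the library's own validator; it uses PHP's parse_url() for brevity and treats "localhost" as an ordinary host (RFC 8252 section 8.3 recommends the IP literal rather than the hostname). The sample URI pairs are constructed.

```php
<?php
declare(strict_types=1);

// Added example (not league/oauth2-server code): redirect URI comparison following
// RFC 8252 section 7.3. Every component must equal the registered value, except that
// loopback IP literal redirects may change port between requests.

function isLoopbackRedirect(array $parts): bool
{
    // Only plain http to a loopback IP literal qualifies; "localhost" deliberately does not.
    return ($parts['scheme'] ?? '') === 'http'
        && in_array($parts['host'] ?? '', ['127.0.0.1', '[::1]'], true);
}

function redirectUriMatches(string $registered, string $requested): bool
{
    $reg = parse_url($registered);
    $req = parse_url($requested);
    if ($reg === false || $req === false || !isset($reg['scheme'], $req['scheme'])) {
        return false;
    }

    // Schemes are case-insensitive; every other component is compared byte for byte.
    $reg['scheme'] = strtolower($reg['scheme']);
    $req['scheme'] = strtolower($req['scheme']);

    // Fragments and embedded credentials have no place in a redirect URI: refuse them outright.
    foreach (['fragment', 'user', 'pass'] as $forbidden) {
        if (isset($req[$forbidden])) {
            return false;
        }
    }

    if (isLoopbackRedirect($reg) && isLoopbackRedirect($req)) {
        unset($reg['port'], $req['port']);   // the one permitted variation (RFC 8252, 7.3)
    }

    // parse_url() emits keys in a fixed order, so a strict array comparison is exact matching.
    return $reg === $req;
}

// Constructed sample pairs: registered URI, requested URI, whether the match should succeed.
$cases = [
    ['http://127.0.0.1/cb',       'http://127.0.0.1:49152/cb',     true],   // loopback literal, port may vary
    ['http://[::1]:8000/cb',      'http://[::1]:8001/cb',          true],
    ['http://localhost/cb',       'http://localhost:8000/cb',      false],  // hostname, not an IP literal
    ['https://app.example/cb',    'https://app.example:8443/cb',   false],  // non-loopback: port is part of the match
    ['com.example.app:/oauth2',   'com.example.app:/oauth2',       true],   // private-use scheme, exact match
    ['com.example.app:/oauth2',   'com.example.app:/oauth2#x',     false],  // fragment refused
    ['https://app.example/cb',    'https://app.example/cb?x=1',    false],  // extra query component
];

foreach ($cases as [$registered, $requested, $expected]) {
    $verdict = redirectUriMatches($registered, $requested) === $expected ? 'ok' : 'MISMATCH';
    printf("%-8s %-28s vs %s\n", $verdict, $registered, $requested);
}
```

Note the design choice of comparing parsed components rather than prefixes or substrings: prefix matching is the classic way an open-redirect slips into an OAuth flow (a registered https://app.example/cb matching https://app.example/cb/../evil). parse_url() is not a full RFC 3986 parser, which is why a later entry on this page records the move to league/uri for custom-scheme handling.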

Changed

  • Keys are now validated using openssl_pkey_get_private() and openssl_pkey_get_public() instead of regex matching (PR #1215)
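Matching a PEM header with a regex only proves that a string looks like a key; asking OpenSSL to parse it proves that it is one, and also checks the passphrase at load time rather than at the first signing call. The following is an added example for this page, not the library's code: it validates a private and a public key through the two OpenSSL functions named in the entry, keeps the material in memory only (no temporary file, matching the entry on this page about keys no longer being written to /tmp), and exercises the wrong-passphrase and looks-like-a-key-but-is-not cases. The key pair is generated in memory as a constructed sample; the helper names and the KeyValidationError class are this example's own. It assumes PHP 8 with ext-openssl.

```php
<?php
declare(strict_types=1);

// Added example (not league/oauth2-server code): validate key material with
// openssl_pkey_get_private()/openssl_pkey_get_public() instead of a regex.

final class KeyValidationError extends RuntimeException {}

/** Drain the OpenSSL error queue so a reported message belongs to the call we just made. */
function clearOpensslErrors(): void
{
    while (openssl_error_string() !== false) {
    }
}

/** Returns the parsed private key; throws on a malformed key or a missing/wrong passphrase. */
function loadPrivateKey(string $pem, ?string $passphrase = null): OpenSSLAsymmetricKey
{
    clearOpensslErrors();
    $key = openssl_pkey_get_private($pem, $passphrase);
    if ($key === false) {
        throw new KeyValidationError('Invalid private key: ' . (openssl_error_string() ?: 'unknown error'));
    }
    return $key;
}

/** Returns the parsed public key; throws if OpenSSL cannot read it. */
function loadPublicKey(string $pem): OpenSSLAsymmetricKey
{
    clearOpensslErrors();
    $key = openssl_pkey_get_public($pem);
    if ($key === false) {
        throw new KeyValidationError('Invalid public key: ' . (openssl_error_string() ?: 'unknown error'));
    }
    return $key;
}

// --- Constructed sample: a key pair generated in memory, never written to disk ---
$passphrase = 'correct horse battery staple';
$pair = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
openssl_pkey_export($pair, $encryptedPem, $passphrase);       // PEM, encrypted with the passphrase
$publicPem = openssl_pkey_get_details($pair)['key'];          // matching public key as PEM

loadPrivateKey($encryptedPem, $passphrase);                   // accepted
loadPublicKey($publicPem);                                    // accepted

// Wrong passphrase: a regex on the PEM header cannot detect this, OpenSSL does.
try {
    loadPrivateKey($encryptedPem, 'not the passphrase');
} catch (KeyValidationError $e) {
    echo $e->getMessage(), "\n";
}

// Well-formed header, garbage body: passes /-----BEGIN .* PRIVATE KEY-----/, fails to parse.
$looksLikeKey = "-----BEGIN RSA PRIVATE KEY-----\nbm90IHJlYWxseSBhIGtleQ==\n-----END RSA PRIVATE KEY-----\n";
try {
    loadPrivateKey($looksLikeKey);
} catch (KeyValidationError $e) {
    echo $e->getMessage(), "\n";
}
```

The passphrase is threaded through as a plain argument here; the two "Fixed" entries further down this page are about exactly this handoff into the JWT library, so it is worth checking at startup, as above, that the key opens with the configured passphrase instead of discovering it on the first token issued.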

Fixed

  • The server will now only recognise and handle an authorization header if the value of the header is non-empty. This is to circumvent issues where some common frameworks set this header even if no value is present (PR #1170)
  • Added type validation for redirect uri, client ID, client secret, scopes, auth code, state, username, and password inputs (PR #1210)
  • Allow scope "0" to be used. Previously this was removed from a request because it failed an empty() check (PR #1181)
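The last two entries above are the same lesson from two sides. PHP's empty() is true for the string "0", so a scope literally named "0" is indistinguishable from a missing parameter; and a request parameter is not necessarily a string at all (client_id[]=x in a query string arrives as an array), which is why the type validation was added. The following is an added example for this page, not the library's code: the empty() version beside an explicit check, plus a strict string accessor of the kind the type-validation entry describes. The helper names and the sample request bodies are this example's own.

```php
<?php
declare(strict_types=1);

// Added example (not league/oauth2-server code): the empty("0") pitfall and
// strict type checking of string request parameters.

/** Before: empty() treats "0" as absent, so the scope silently disappears. */
function scopesWithEmptyCheck(array $body, string $defaultScope = ''): array
{
    $raw = empty($body['scope']) ? $defaultScope : $body['scope'];
    return $raw === '' ? [] : explode(' ', $raw);
}

/** After: "absent or empty string" is tested explicitly, and non-strings are rejected. */
function scopesValidated(array $body, string $defaultScope = ''): array
{
    $raw = $body['scope'] ?? $defaultScope;
    if (!is_string($raw)) {
        throw new InvalidArgumentException('scope must be a string');
    }
    $raw = trim($raw);
    if ($raw === '') {
        return [];
    }
    // Collapse repeated separators; "0" survives because it is compared with === not empty().
    return array_values(array_filter(explode(' ', $raw), fn(string $s): bool => $s !== ''));
}

/**
 * Strict accessor for parameters that must be strings (redirect_uri, client_id,
 * client_secret, code, state, username, password). Arrays or other types reaching
 * string comparisons later are where loose-comparison surprises and TypeErrors come from.
 */
function requireString(array $params, string $name): string
{
    if (!array_key_exists($name, $params)) {
        throw new InvalidArgumentException("missing parameter: $name");
    }
    if (!is_string($params[$name])) {
        throw new InvalidArgumentException("$name must be a string, " . gettype($params[$name]) . ' given');
    }
    return $params[$name];
}

// Constructed sample bodies.
var_dump(scopesWithEmptyCheck(['scope' => '0']));   // the "0" scope is dropped by empty()
var_dump(scopesValidated(['scope' => '0']));        // the "0" scope is kept
var_dump(scopesValidated(['scope' => ' read  write ']));
var_dump(scopesValidated([], 'basic'));             // default applied only when truly absent

try {
    requireString(['client_id' => ['x']], 'client_id');   // as produced by ?client_id[]=x
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The same empty() trap applies to any parameter whose legitimate value can be "0", and the same type trap applies to anything that is later fed to hash_equals() or compared with ==; checking is_string() at the edge, before the value reaches either, keeps both failure modes out of the grant logic.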

Fixed

  • Reverted the enforcement of at least one redirect_uri for a client. This change has instead been moved to version 9 (PR #1169)

Added

Fixed

  • Fix issue where the private key passphrase isn't correctly passed to JWT library (PR #1164)

Fixed

  • If you have a password on your private key, it is now passed correctly to the JWT configuration object. (PR #1159)