Skip to content

Latest commit

 

History

History
194 lines (143 loc) · 6.9 KB

CHANGELOG.md

File metadata and controls

194 lines (143 loc) · 6.9 KB

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

[1.0.1] - 2024-09-13

Fixed

  • Cast $_SERVER['SERVER_PORT'] to integer to prevent adding 80 or 443 port to redirect URL. #437

[1.0.1] - 2024-09-05

Fixed

  • Fix JWT decode of non JWT tokens #428
  • Fix method signatures #427
  • Cast $_SERVER['SERVER_PORT'] to integer to prevent adding 80 or 443 port to redirect URL. #403
  • Check subject when verifying JWT #406
  • Removed duplicate check on jwks_uri and only check if jwks_uri exists when needed #373

[1.0.0] - 2023-12-13

Added

  • PHP 7.0 is required. #327
  • Support for signed and encrypted UserInfo response and ID Token. #305
  • Allow to set User-Agent header. #370

Fixed

  • User-Agent is set for any HTTP method in fetchURL() (not just POST). #382
  • Update visibility of getWellKnownConfigValue to protected. #363
  • Fixed issue on authentication for php8. #354
  • Update construct typehint in docblock. #364
  • Fixed LogoutToken verification for single value aud claims. #334
  • Update well known config value function response types. #376

[0.9.10] - 2022-09-30

Fixed

  • private_key_jwt and client_secret_jwt need to explicitly be enabled #331

[0.9.9] - 2022-09-28

Added

  • Added support for back-channel logout. #302
  • Added support for private_key_jwt Client Authentication method #322
  • Added support for client_secret_jwt Client Authentication method #324
  • Added PS512 encryption support #342

Fixed

  • Harden self-signed JWK header usage. #323

[0.9.8] - 2022-08-05

Fixed

  • Do not use PKCE if IdP does not support it. #317

[0.9.7] - 2022-07-13

Added

  • Support for Self-Contained JWTs. #308
  • Support for RFC8693 Token Exchange Request. #275

Fixed

  • PHP 5.4 compatibility. #304
  • Use session_status(). #306

[0.9.6] - 2022-05-08

Added

  • Support for phpseclib/phpseclib version 3. #260
  • Support client_secret on token endpoint with PKCE. #293
  • Added new parameter to requestTokens() to pass custom HTTP headers #297

Changed

  • Allow serializing OpenIDConnectClient using serialize() #295

[0.9.5] - 2021-11-24

Changed

  • signOut() Method parameter $accessToken -> $idToken to prevent confusion about access and id tokens usage. #127
  • Fixed issue where missing nonce within the claims was causing an exception. #280

[0.9.4] - 2021-11-21

Added

  • Enabled client_secret_basic authentication on refreshToken() #215
  • Basic auth support for requestResourceOwnerToken #271

[0.9.3] - 2021-11-20

Added

  • getRedirectURL() will not log a warning for PHP 7.1+ #179
  • it is now possible to disable upgrading from HTTP to HTTPS for development purposes by calling setHttpUpgradeInsecureRequests(false) #241
  • bugfix in getSessionKey when _SESSION key does not exist #251
  • Added scope parameter to refresh token request #225
  • bugfix in verifyJWTclaims when $accessToken is empty and $claims->at_hash is not #276
  • bugfix with the empty function in PHP 5.4 #267

[0.9.2] - 2020-11-16

Added

  • Support for PKCE. Currently, the supported methods are 'plain' and 'S256'.

[0.9.1] - 2020-08-27

Added

  • Add support for MS Azure Active Directory B2C user flows

Changed

  • Fix at_hash verification #200
  • Getters for public parameters #204
  • Removed client ID query parameter when making a token request using Basic Auth
  • Use of random_bytes() for token generation instead of uniqid(); polyfill for PHP < 7.0 provided.

Removed

  • Removed explicit content-length header - caused issues with proxy servers

[0.9.0] - 2020-03-09

Added

  • php 7.4 deprecates array_key_exists on objects, use property_exists in getVerifiedClaims and requestUserInfo
  • Adding a header to indicate JSON as the return type for userinfo endpoint #151
  • Updated OpenIDConnectClient to conditionally verify nonce #146
  • Add possibility to change enc_type parameter for http_build_query #155
  • Adding OAuth 2.0 Token Introspection #156
  • Add optional parameters clientId/clientSecret for introspection #157 & #158
  • Adding OAuth 2.0 Token Revocation #160
  • Adding issuer validator #145
  • Adding signing algorithm PS256 #180
  • Check http status of request user info #186
  • URL encode clientId and clientSecret when using basic authentication, according to https://tools.ietf.org/html/rfc6749#section-2.3.1 #192
  • Adjust PHPDoc to state that null is also allowed #193

Changed

  • Bugfix/code cleanup #152
  • Cleanup PHPDoc #46e5b59
  • Replace unnecessary double quotes with single quotes #2a76b57
  • Use original function names instead of aliases #1f37892
  • Remove unnecessary default values #5ab801e
  • Explicit declare field $redirectURL #9187c0b
  • Remove unused code #1e65384
  • Fix indent #e9cdf56
  • Cleanup conditional code flow for better readability #107f3fb
  • Added strict type comparisons #167
  • Bugfix: required openid scope was omitted when additional scopes were registered using addScope method. This resulted in failing OpenID process.

[0.8.0] - 2019-01-02

Added

  • Fix verifyJWTsignature(): verify JWT to prevent php errors and warnings on invalid token

Changed

  • Decouple session manipulation, it's allow use of other session libraries #134
  • Broaden version requirements of the phpseclib/phpseclib package. #144

[0.7.0] - 2018-10-15

Added

  • Add "license" field to composer.json #138
  • Ensure key_alg is set when getting key #139
  • Add option to send additional registration parameters like post_logout_redirect_uris. #140

Changed

  • disabled autoload for Crypt_RSA + make refreshToken() method tolerant for errors #137

[0.6.0] - 2018-07-17

Added

  • Added five minutes leeway due to clock skew between openidconnect server and client.
  • Fix save access_token from request in implicit flow authentication #129
  • verifyJWTsignature() method private -> public #126
  • Support for providers where provider/login URL is not the same as the issuer URL. #125
  • Support for providers that has a different login URL from the issuer URL, for instance Azure Active Directory. Here, the provider URL is on the format: https://login.windows.net/(tenant-id), while the issuer claim actually is on the format: https://sts.windows.net/(tenant-id).

Changed

  • refreshToken method update #124

[0.5.0] - 2018-04-09

Added

  • Implement Azure AD B2C Implicit Workflow

[0.4.1] - 2018-02-16

Changed

  • Documentation updates for include path.

[0.4.0] - 2018-02-15

Added

  • Timeout is configurable via setTimeout method. This addresses issue #94.
  • Add the ability to authenticate using the Resource Owner flow (with or without the Client ID and ClientSecret). This addresses issue #98
  • Add support for HS256, HS512 and HS384 signatures
  • Removed unused calls to $this->getProviderConfigValue("token_endpoint_…