Skip to content

Releases: thephpleague/oauth2-server

9.1.0

21 Nov 22:49
Compare
Choose a tag to compare

Added

  • Support for PHP 8.4 (PR #1454)

Fixed

  • In the Auth Code grant, when requesting an access token with an invalid auth code, we now respond with an invalid_grant error instead of invalid_request (PR #1433)
  • Fixed spec compliance issue where device access token request was mistakenly expecting to receive scopes in the request (PR #1412)
  • Refresh tokens pre version 9 might have had user IDs set as ints which meant they were incorrectly rejected. We now cast these values to strings to allow old refresh tokens (PR #1436)

9.0.1

14 Oct 22:18
Compare
Choose a tag to compare

Fixed

  • Auto-generated event emitter is now persisted. Previously, a new emitter was generated every time (PR #1428)
  • Fixed bug where you could not omit a redirect uri even if one had not been specified during the auth request (PR #1428)
  • Fixed bug where "state" parameter wasn't present on invalid_scope error response and wasn't on fragment part of access_denied redirect URI on Implicit grant (PR #1298)
  • Fixed bug where disabling refresh token revocation via revokeRefreshTokens(false) unintentionally disables issuing new refresh token (PR #1449)

9.0.0

13 May 21:38
Compare
Choose a tag to compare

Added

  • Device Authorization Grant added (PR #1074)
  • GrantTypeInterface has a new function, revokeRefreshTokens() for enabling or disabling refresh tokens after use (PR #1375)
  • A CryptKeyInterface to allow developers to change the CryptKey implementation with greater ease (PR #1044)
  • The authorization server can now finalize scopes when a client uses a refresh token (PR #1094)
  • An AuthorizationRequestInterface to make it easier to extend the AuthorizationRequest (PR #1110)
  • Added function getKeyContents() to the CryptKeyInterface (PR #1375)

Fixed

  • Basic authorization is now case insensitive (PR #1403)
  • If a refresh token has expired, been revoked, cannot be decrypted, or does not belong to the correct client, the server will now issue an invalid_grant error and a HTTP 400 response. In previous versions the server incorrectly issued an invalid_request and HTTP 401 response (PR #1042) (PR #1082)

Changed

  • All interfaces now specify types for all params and return values. Strict typing enforced (PR #1074)
  • Request parameters are now parsed into strings to use internally in the library (PR #1402)
  • Authorization Request objects are now created through the factory method, createAuthorizationRequest() (PR #1111)
  • Changed parameters for finalizeScopes() to allow a reference to an auth code ID (PR #1112)
  • AccessTokenEntityInterface now requires the implementation of toString() instead of the magic method __toString() (PR #1395)

Removed

  • Removed message property from OAuthException HTTP response. Now just use error_description as per the OAuth 2 spec (PR #1375)

9.0.0-RC1

27 Mar 09:53
Compare
Choose a tag to compare
9.0.0-RC1 Pre-release
Pre-release

Added

  • Device Authorization Grant added (PR #1074)
  • GrantTypeInterface has a new function, revokeRefreshTokens() for enabling or disabling refresh tokens after use (PR #1375)
  • A CryptKeyInterface to allow developers to change the CryptKey implementation with greater ease (PR #1044)
  • The authorization server can now finalize scopes when a client uses a refresh token (PR #1094)
  • An AuthorizationRequestInterface to make it easier to extend the AuthorizationRequest (PR #1110)
  • Added function getKeyContents() to the CryptKeyInterface (PR #1375)

Fixed

  • If a refresh token has expired, been revoked, cannot be decrypted, or does not belong to the correct client, the server will now issue an invalid_grant error and a HTTP 400 response. In previous versions the server incorrectly issued an invalid_request and HTTP 401 response (PR #1042) (PR #1082)

Changed

  • Authorization Request objects are now created through the factory method, createAuthorizationRequest() (PR #1111)
  • Changed parameters for finalizeScopes() to allow a reference to an auth code ID (PR #1112)
  • AccessTokenEntityInterface now requires the implementation of toString() instead of the magic method __toString() (PR #1395)

Removed

  • Removed message property from OAuthException HTTP response. Now just use error_description as per the OAuth 2 spec (PR #1375)

8.5.4

25 Aug 22:36
Compare
Choose a tag to compare

Added

  • Support for league/uri ^7.0 (PR #1367)

8.4.2

02 Aug 22:56
Compare
Choose a tag to compare

Security

  • If a key string is provided to the CryptKey constructor with an invalid
    passphrase, the LogicException message generated will contain the given key.
    The key is no longer leaked via this exception (PR #1359)

8.5.3

05 Jul 23:02
Compare
Choose a tag to compare

Security

  • If a key string is provided to the CryptKey constructor with an invalid
    passphrase, the LogicException message generated will expose the given key.
    The key is no longer leaked via this exception (PR #1353)

8.5.2

16 Jun 15:32
Compare
Choose a tag to compare

Changed

  • Bumped the versions for laminas/diactoros and psr/http-message to support
    PSR-7 v2.0 (PR #1339)

8.5.1

04 Apr 10:25
Compare
Choose a tag to compare

Fixed

  • Fixed PHP version constraints and lcobucci/clock version constraint to support PHP 8.1 (PR #1336)

8.5.0

03 Apr 14:58
Compare
Choose a tag to compare

Added

  • Support for PHP 8.1 and 8.2 (PR #1333)

Removed

  • Support PHP 7.2, 7.3, and 7.4 (PR #1333)