thephpleague:9.0.0-WIP -> skroczek:wip/private-claims Upstream merge and conflict resolve

.gitattributes

@@ -7,7 +7,6 @@
 /.gitignore export-ignore
 /.scrutinizer.yml export-ignore
 /.styleci.yml export-ignore
-/.travis.yml export-ignore
 /phpstan.neon export-ignore
 /phpunit.xml.dist export-ignore
 /CHANGELOG.md export-ignore

.github/dependabot.yml

@@ -0,0 +1,12 @@
+version: 2
+updates:
+- package-ecosystem: composer
+  directory: "/"
+  schedule:
+    interval: daily
+    time: "11:00"
+  open-pull-requests-limit: 10
+  ignore:
+  - dependency-name: league/event
+    versions:
+    - 3.0.0

.github/workflows/backwards-compatibility.yml

@@ -0,0 +1,21 @@
+name: "Backwards compatibility check"
+
+on:
+  pull_request:
+
+jobs:
+  bc-check:
+    name: "Backwards compatibility check"
+
+    runs-on: "ubuntu-latest"
+
+    steps:
+      - name: "Checkout"
+        uses: "actions/checkout@v2"
+        with:
+          fetch-depth: 0
+
+      - name: "Backwards Compatibility Check"
+        uses: docker://nyholm/roave-bc-check-ga
+        with:
+          args: --from=${{ github.event.pull_request.base.sha }}

.github/workflows/tests.yml

@@ -0,0 +1,42 @@
+name: tests
+
+on:
+  push:
+  pull_request:
+  schedule:
+    - cron: '0 0 * * *'
+
+jobs:
+  tests:
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        php: [7.2, 7.3, 7.4, 8.0]
+        stability: [prefer-lowest, prefer-stable]
+
+    name: PHP ${{ matrix.php }} - ${{ matrix.stability }}
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: ${{ matrix.php }}
+          extensions: dom, curl, libxml, mbstring, zip
+          coverage: pcov
+
+      - name: Install dependencies
+        run: composer update --${{ matrix.stability }} --prefer-dist --no-interaction --no-progress
+
+      - name: Execute tests
+        run: vendor/bin/phpunit --verbose --coverage-clover=coverage.clover
+
+      - name: Code coverage
+        if: ${{ github.ref == 'refs/heads/master' && matrix.php != 8.0 && github.repository == 'thephpleague/oauth2-server' }}
+        run: |
+          wget https://scrutinizer-ci.com/ocular.phar
+          php ocular.phar code-coverage:upload --format=php-clover coverage.clover

.gitignore

@@ -1,6 +1,7 @@
 /vendor
 /composer.lock
 phpunit.xml
+.phpunit.result.cache
 .idea
 /examples/vendor
 examples/public.key

CHANGELOG.md

@@ -5,27 +5,76 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
-
-### Added (v9)
+### Added
 - A CryptKeyInterface to allow developers to change the CryptKey implementation with greater ease (PR #1044)
 - The authorization server can now finalize scopes when a client uses a refresh token (PR #1094)
 - An AuthorizationRequestInterface to make it easier to extend the AuthorizationRequest (PR #1110)
 - Ability to set custom claims on a JWT (PR #1122)
 
+### Fixed
+- If a refresh token has expired, been revoked, cannot be decrypted, or does not belong to the correct client, the server will now issue an `invalid_grant` error and a HTTP 400 response. In previous versions the server incorrectly issued an `invalid_request` and HTTP 401 response (PR #1042) (PR #1082)
+
+### Changed
+- Authorization Request objects are now created through the factory method, `createAuthorizationRequest()` (PR #1111)
+- Changed parameters for `finalizeScopes()` to allow a reference to an auth code ID (PR #1112)
+
+## [8.3.3] - released 2021-10-11
+### Security
+- Removed the use of `LocalFileReference()` in lcobucci/jwt. Function deprecated as per [GHSA-7322-jrq4-x5hf](https://github.com/lcobucci/jwt/security/advisories/GHSA-7322-jrq4-x5hf) (PR #1249)
+
+## [8.3.2] - released 2021-07-27
+### Changed
+- Conditionally support the `StrictValidAt()` method in lcobucci/jwt so we can use version 4.1.x or greater of the library (PR #1236)
+- When providing invalid credentials, the library now responds with the error message _The user credentials were incorrect_ (PR #1230)
+- Keys are always stored in memory now and are not written to a file in the /tmp directory (PR #1180)
+- The regex for matching the bearer token has been simplified (PR #1238)
+
+## [8.3.1] - released 2021-06-04
+### Fixed
+- Revert check on clientID. We will no longer require this to be a string (PR #1233)
+
+## [8.3.0] - released 2021-06-03
+### Added
+- The server will now validate redirect uris according to rfc8252 (PR #1203)
+- Events emitted now include the refresh token and access token payloads (PR #1211)
+- Use the `revokeRefreshTokens()` function to decide whether refresh tokens are revoked or not upon use (PR #1189)
+
+### Changed
+- Keys are now validated using `openssl_pkey_get_private()` and `openssl_pkey_get_public()` instead of regex matching (PR #1215)
+
+### Fixed
+- The server will now only recognise and handle an authorization header if the value of the header is non-empty. This is to circumvent issues where some common frameworks set this header even if no value is present (PR #1170)
+- Added type validation for redirect uri, client ID, client secret, scopes, auth code, state, username, and password inputs (PR #1210)
+- Allow scope "0" to be used. Previously this was removed from a request because it failed an `empty()` check (PR #1181)
+
+## [8.2.4] - released 2020-12-10
+### Fixed
+- Reverted the enforcement of at least one redirect_uri for a client. This change has instead been moved to version 9 (PR #1169)
+
+## [8.2.3] - released 2020-12-02
+### Added
+- Re-added support for PHP 7.2 (PR #1165, #1167)
+
+## [8.2.2] - released 2020-11-30
+### Fixed
+- Fix issue where the private key passphrase isn't correctly passed to JWT library (PR #1164)
+
+## [8.2.1] - released 2020-11-26
+### Fixed
+- If you have a password on your private key, it is now passed correctly to the JWT configuration object. (PR #1159)
+
+## [8.2.0] - released 2020-11-25
 ### Added
 - Add a `getRedirectUri` function to the `OAuthServerException` class (PR #1123)
+- Support for PHP 8.0 (PR #1146)
 
-### Fixed (v9)
-- If a refresh token has expired, been revoked, cannot be decrypted, or does not belong to the correct client, the server will now issue an `invalid_grant` error and a HTTP 400 response. In previous versions the server incorrectly issued an `invalid_request` and HTTP 401 response (PR #1042) (PR #1082)
+### Removed
+- Removed support for PHP 7.2 (PR #1146)
 
 ### Fixed
 - Fix typo in parameter hint. `code_challenged` changed to `code_challenge`. Thrown by Auth Code Grant when the code challenge does not match the regex. (PR #1130) 
 - Undefined offset was returned when no client redirect URI was set. Now throw an invalidClient exception if no redirect URI is set against a client (PR #1140)
 
-### Changed (v9)
-- Authorization Request objects are now created through the factory method, `createAuthorizationRequest()` (PR #1111)
-- Changed parameters for `finalizeScopes()` to allow a reference to an auth code ID (PR #1112)
-
 ## [8.1.1] - released 2020-07-01
 
 ### Fixed
@@ -518,7 +567,16 @@ Version 5 is a complete code rewrite.
 
 - First major release
 
-[Unreleased]: https://github.com/thephpleague/oauth2-server/compare/8.1.1...HEAD
+[Unreleased]: https://github.com/thephpleague/oauth2-server/compare/8.3.3...HEAD
+[8.3.3]: https://github.com/thephpleague/oauth2-server/compare/8.3.2...8.3.3
+[8.3.2]: https://github.com/thephpleague/oauth2-server/compare/8.3.1...8.3.2
+[8.3.1]: https://github.com/thephpleague/oauth2-server/compare/8.3.0...8.3.1
+[8.3.0]: https://github.com/thephpleague/oauth2-server/compare/8.2.4...8.3.0
+[8.2.4]: https://github.com/thephpleague/oauth2-server/compare/8.2.3...8.2.4
+[8.2.3]: https://github.com/thephpleague/oauth2-server/compare/8.2.2...8.2.3
+[8.2.2]: https://github.com/thephpleague/oauth2-server/compare/8.2.1...8.2.2
+[8.2.1]: https://github.com/thephpleague/oauth2-server/compare/8.2.0...8.2.1
+[8.2.0]: https://github.com/thephpleague/oauth2-server/compare/8.1.1...8.2.0
 [8.1.1]: https://github.com/thephpleague/oauth2-server/compare/8.1.0...8.1.1
 [8.1.0]: https://github.com/thephpleague/oauth2-server/compare/8.0.0...8.1.0
 [8.0.0]: https://github.com/thephpleague/oauth2-server/compare/7.4.0...8.0.0

README.md

@@ -2,11 +2,10 @@
 
 [![Latest Version](http://img.shields.io/packagist/v/league/oauth2-server.svg?style=flat-square)](https://github.com/thephpleague/oauth2-server/releases)
 [![Software License](https://img.shields.io/badge/license-MIT-brightgreen.svg?style=flat-square)](LICENSE.md)
-[![Build Status](https://img.shields.io/travis/thephpleague/oauth2-server/master.svg?style=flat-square)](https://travis-ci.org/thephpleague/oauth2-server)
+[![Build Status](https://github.com/thephpleague/oauth2-server/workflows/tests/badge.svg)](https://github.com/thephpleague/oauth2-server/actions)
 [![Coverage Status](https://img.shields.io/scrutinizer/coverage/g/thephpleague/oauth2-server.svg?style=flat-square)](https://scrutinizer-ci.com/g/thephpleague/oauth2-server/code-structure)
 [![Quality Score](https://img.shields.io/scrutinizer/g/thephpleague/oauth2-server.svg?style=flat-square)](https://scrutinizer-ci.com/g/thephpleague/oauth2-server)
 [![Total Downloads](https://img.shields.io/packagist/dt/league/oauth2-server.svg?style=flat-square)](https://packagist.org/packages/league/oauth2-server)
-[![PHPStan](https://img.shields.io/badge/PHPStan-enabled-brightgreen.svg?style=flat-square)](https://github.com/phpstan/phpstan)
 
 `league/oauth2-server` is a standards compliant implementation of an [OAuth 2.0](https://tools.ietf.org/html/rfc6749) authorization server written in PHP which makes working with OAuth 2.0 trivial. You can easily configure an OAuth 2.0 server to protect your API with access tokens, or allow clients to request new access tokens and refresh them.
 
@@ -29,11 +28,12 @@ This library was created by Alex Bilbie. Find him on Twitter at [@alexbilbie](ht
 
 ## Requirements
 
-The following versions of PHP are supported:
+The latest version of this package supports the following versions of PHP:
 
 * PHP 7.2
 * PHP 7.3
 * PHP 7.4
+* PHP 8.0
 
 The `openssl` and `json` extensions are also required.
 
@@ -52,24 +52,23 @@ You can contribute to the documentation in the [gh-pages branch](https://github.
 
 ## Testing
 
-The library uses [PHPUnit](https://phpunit.de/) for unit tests and [PHPStan](https://github.com/phpstan/phpstan) for static analysis of the code.
+The library uses [PHPUnit](https://phpunit.de/) for unit tests.
 
 ```
 vendor/bin/phpunit
-vendor/bin/phpstan analyse -l 7 -c phpstan.neon src tests
 ```
 
-## Continous Integration
+## Continuous Integration
 
-We use [Travis CI](https://travis-ci.org/), [Scrutinizer](https://scrutinizer-ci.com/), and [StyleCI](https://styleci.io/) for continuous integration. Check out [our](https://github.com/thephpleague/oauth2-server/blob/master/.travis.yml) [configuration](https://github.com/thephpleague/oauth2-server/blob/master/.scrutinizer.yml) [files](https://github.com/thephpleague/oauth2-server/blob/master/.styleci.yml) if you'd like to know more.
+We use [Github Actions](https://github.com/features/actions), [Scrutinizer](https://scrutinizer-ci.com/), and [StyleCI](https://styleci.io/) for continuous integration. Check out [our](https://github.com/thephpleague/oauth2-server/blob/master/.github/workflows/tests.yml) [configuration](https://github.com/thephpleague/oauth2-server/blob/master/.scrutinizer.yml) [files](https://github.com/thephpleague/oauth2-server/blob/master/.styleci.yml) if you'd like to know more.
 
 ## Community Integrations
 
 * [Drupal](https://www.drupal.org/project/simple_oauth)
 * [Laravel Passport](https://github.com/laravel/passport)
 * [OAuth 2 Server for CakePHP 3](https://github.com/uafrica/oauth-server)
 * [OAuth 2 Server for Mezzio](https://github.com/mezzio/mezzio-authentication-oauth2)
-* [Trikoder OAuth 2 Bundle (Symfony)](https://github.com/trikoder/oauth2-bundle)
+* [OAuth 2 Server Bundle (Symfony)](https://github.com/thephpleague/oauth2-server-bundle)
 * [Heimdall for CodeIgniter 4](https://github.com/ezralazuardy/heimdall)
 
 ## Changelog

composer.json

@@ -4,19 +4,19 @@
     "homepage": "https://oauth2.thephpleague.com/",
     "license": "MIT",
     "require": {
-        "php": ">=7.2.0",
+        "php": "^7.2 || ^8.0",
         "ext-openssl": "*",
         "league/event": "^2.2",
-        "lcobucci/jwt": "^3.3.1",
+        "lcobucci/jwt": "^3.4.6 || ^4.0.4",
         "psr/http-message": "^1.0.1",
         "defuse/php-encryption": "^2.2.1",
         "ext-json": "*"
     },
     "require-dev": {
-        "phpunit/phpunit": "^8.5.4 || ^9.1.3",
-        "laminas/laminas-diactoros": "^2.3.0",
-        "phpstan/phpstan": "^0.11.19",
-        "phpstan/phpstan-phpunit": "^0.11.2",
+        "phpunit/phpunit": "^8.5.13",
+        "laminas/laminas-diactoros": "^2.4.1",
+        "phpstan/phpstan": "^0.12.57",
+        "phpstan/phpstan-phpunit": "^0.12.16",
         "roave/security-advisories": "dev-master"
     },
     "repositories": [

examples/composer.json

@@ -1,13 +1,13 @@
 {
     "require": {
-        "slim/slim": "^3.0.0"
+        "slim/slim": "^3.12.3"
     },
     "require-dev": {
         "league/event": "^2.2",
-        "lcobucci/jwt": "^3.3",
-        "psr/http-message": "^1.0",
-        "defuse/php-encryption": "^2.2",
-        "laminas/laminas-diactoros": "^2.1.2"
+        "lcobucci/jwt": "^3.4.6 || ^4.0.4",
+        "psr/http-message": "^1.0.1",
+        "defuse/php-encryption": "^2.2.1",
+        "laminas/laminas-diactoros": "^2.5.0"
     },
     "autoload": {
         "psr-4": {