Skip to content

Releases: thephpleague/oauth2-server

8.4.1

22 Mar 11:51
@Sephster Sephster
8.4.1
eed31d8
Compare
Choose a tag to compare
8.4.1

Fixed

  • Fix deprecation notices for PHP 8.x (PR #1329)
Assets 2
Loading

8.4.0

15 Feb 16:09
@Sephster Sephster
8.4.0
539f434
Compare
Choose a tag to compare
8.4.0

Added

  • You can now set a leeway for time drift between servers when validating a JWT (PR #1304)

Security

  • Access token requests that contain a code_verifier but are not bound to a code_challenge will be rejected to prevent
    a PKCE downgrade attack (PR #1326)
Assets 2
Loading

8.3.6

14 Nov 19:50
@Sephster Sephster
8.3.6
28c5441
Compare
Choose a tag to compare
8.3.6

Fixed

  • Use LooseValidAt instead of StrictValidAt so that users aren't forced to use claims such as NBF in their JWT tokens (PR #1312)
Assets 2
Loading

8.3.5

12 May 21:10
@Sephster Sephster
8.3.5
7aeb7c4
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
8.3.5

Fixed

Assets 2
Loading

8.3.4

07 Apr 21:35
@Sephster Sephster
8.3.4
0c2f32c
Compare
Choose a tag to compare
8.3.4

Fixed

  • Server previously rejected valid uris with custom schemes. Now use league/uri for parsing to accept all valid uris (PR #1274)
Assets 2
Loading

8.3.3

11 Oct 20:49
@Sephster Sephster
8.3.3
f5698a3
Compare
Choose a tag to compare
8.3.3

Security

Assets 2
Loading

8.3.2

27 Jul 08:18
@Sephster Sephster
8.3.2
0809487
Compare
Choose a tag to compare
8.3.2

Changed

  • Conditionally support the StrictValidAt() method in lcobucci/jwt so we can use version 4.1.x or greater of the library (PR #1236)
  • When providing invalid credentials, the library now responds with the error message The user credentials were incorrect (PR #1230)
  • Keys are always stored in memory now and are not written to a file in the /tmp directory (PR #1180)
  • The regex for matching the bearer token has been simplified (PR #1238)
Assets 2
Loading

8.3.1

04 Jun 08:29
@Sephster Sephster
8.3.1
97dbc97
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
8.3.1

Fixed

  • Revert check on clientID. We will no longer require this to be a string (PR #1233)
Assets 2
Loading

8.3.0

03 Jun 21:55
@Sephster Sephster
8.3.0
4ea27e8
Compare
Choose a tag to compare
8.3.0

Added

  • The server will now validate redirect uris according to rfc8252 (PR #1203)
  • Events emitted now include the refresh token and access token payloads (PR #1211)
  • Use the revokeRefreshTokens() function to decide whether refresh tokens are revoked or not upon use (PR #1189)

Changed

  • Keys are now validated using openssl_pkey_get_private() and openssl_pkey_get_public()` instead of regex matching (PR #1215)

Fixed

  • The server will now only recognise and handle an authorization header if the value of the header is non-empty. This is to circumvent issues where some common frameworks set this header even if no value is present (PR #1170)
  • Added type validation for redirect uri, client ID, client secret, scopes, auth code, state, username, and password inputs (PR #1210)
  • Allow scope "0" to be used. Previously this was removed from a request because it failed an empty() check (PR #1181)
Assets 2
Loading

8.2.4

10 Dec 11:36
@Sephster Sephster
8.2.4
622eaa1
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
8.2.4

Fixed

  • Reverted the enforcement of at least one redirect_uri for a client. This change has instead been moved to version 9 (PR #1169)
Assets 2
Loading