Releases: thephpleague/oauth2-server
Releases · thephpleague/oauth2-server
8.2.3
8.2.2
8.2.1
8.2.0
Added
- Add a
getRedirectUrifunction to theOAuthServerExceptionclass (PR #1123) - Support for PHP 8.0 (PR #1146)
Removed
- Removed support for PHP 7.2 (PR #1146)
Fixed
- Fix typo in parameter hint.
code_challengedchanged tocode_challenge. Thrown by Auth Code Grant when the code challenge does not match the regex. (PR #1130) - Undefined offset was returned when no client redirect URI was set. Now throw an invalidClient exception if no redirect URI is set against a client (PR #1140)
8.1.1
8.1.0
Added
- Added support for PHP 7.4 (PR #1075)
Changed
- If an error is encountered when running
preg_match()to validate an RSA key, the server will now throw a RuntimeException (PR #1047) - Replaced deprecated methods with recommended ones when using
Lcobucci\JWT\Builderto build a JWT token. (PR #1060) - When storing a key, we no longer touch the file before writing it as this is an unnecessary step (PR #1064)
- Prefix native PHP functions in namespaces with backslashes for micro-optimisations (PR #1071)
Removed
- Support for PHP 7.1 (PR #1075)
Fixed
- Clients are now explicitly prevented from using the Client Credentials grant unless they are confidential to conform
with the OAuth2 spec (PR #1035) - Abstract method
getIdentifier()added to AccessTokenTrait. The trait cannot be used without thegetIdentifier()
method being defined (PR #1051) - An exception is now thrown if a refresh token is accidentally sent in place of an authorization code when using the
Auth Code Grant (PR #1057) - Can now send access token request without being forced to specify a redirect URI (PR #1096)
- In the BearerTokenValidator, if an implementation is using PDO, there is a possibility that a RuntimeException will be thrown when checking if an access token is revoked. This scenario no longer incorrectly issues an exception with a hint mentioning an issue with JSON decoding. (PR #1107)
8.0.0
Added
- Flag,
requireCodeChallengeForPublicClients, used to reject public clients that do not provide a code challenge for the Auth Code Grant; use AuthCodeGrant::disableRequireCodeCallengeForPublicClients() to turn off this requirement (PR #938) - Public clients can now use the Auth Code Grant (PR #938)
isConfidentialgetter added toClientEntityto identify type of client (PR #938)- Function
validateClient()added to validate clients which was previously performed by thegetClientEntity()function (PR #938) - Add a new function to the AbstractGrant class called
getClientEntityOrFail(). This is a wrapper around thegetClientEntity()function that ensures we emit and throw an exception if the repo doesn't return a client entity. (PR #1010)
Changed
- Replace
convertToJWT()interface with a more generic__toString()to improve extensibility; AccessTokenEntityInterface now requiressetPrivateKey(CryptKey $privateKey)so__toString()has everything it needs to work (PR #874) - The
invalidClient()function accepts a PSR-7 compliant$serverRequestargument to avoid accessing the$_SERVERglobal variable and improve testing (PR #899) issueAccessToken()in the Abstract Grant no longer sets access token client, user ID or scopes. These values should already have been set when callinggetNewToken()(PR #919)- No longer need to enable PKCE with
enableCodeExchangeProofflag. Any client sending a code challenge will initiate PKCE checks. (PR #938) - Function
getClientEntity()no longer performs client validation (PR #938) - Password Grant now returns an invalid_grant error instead of invalid_credentials if a user cannot be validated (PR #967)
- Use
DateTimeImmutable()instead ofDateTime(),time()instead of(new DateTime())->getTimeStamp(), andDateTime::getTimeStamp()instead ofDateTime::format('U')(PR #963)