6.0.2

• An invalid refresh token that can't be decrypted now returns a HTTP 401 error instead of HTTP 400 (Issue #759)
• Removed chmod from CryptKey and add toggle to disable checking (Issue #776)
• Fixes invalid code challenge method payload key name (Issue #777)

5.1.5

To address feedback from the security release the following two changes have been made:

• If an RSA key cannot be chmod'ed to 600 then it will now throw a E_USER_NOTICE instead of an exception.
• Not using the new encryption key method on AuthorizationServer will set throw an E_USER_DEPRECATED message instead of an error.

6.0.0

• Breaking change: The AuthorizationServer constructor now expects an encryption key string instead of a public key
• Remove support for HHVM
• Remove support for PHP 5.5

5.1.4

• Fixed multiple security vulnerabilities as a result of a security audit paid for by the Mozilla Secure Open Source Fund. All users of this library are encouraged to update as soon as possible to this version or version 6.0 or greater.
  • It is recommended on each AuthorizationServer instance you set the setEncryptionKey(). This will result in stronger encryption being used. If this method is not set messages will be sent to the defined error handling routines (using error_log). Please visit this page for more information - https://oauth2.thephpleague.com/v5-security-improvements/
• TravisCI now tests PHP 7.1 (Issue #671)
• Fix middleware example fatal error (Issue #682)
• Fix typo in the first README sentence (Issue #690)
• Corrected DateInterval from 1 min to 1 month (Issue #709)

5.1.1

• Improved test suite (Issue #614)
• Updated docblocks (Issue #616)
• Replace array_shift with foreach loop (Issue #621)
• Allow easy addition of custom fields to Bearer token response (Issue #624)
• Key file auto-generation from string (Issue #625)

5.1.0

• Implemented RFC7636 (Issue #574)
• Unify middleware exception responses (Issue #578)
• Updated examples (Issue #589)
• Ensure state is in access denied redirect (Issue #597)
• Remove redundant isExpired() method from entity interfaces and traits (Issue #600)
• Added a check for unique access token constraint violation (Issue #601)
• Look at Authorization header directly for HTTP Basic auth checks (Issue #604)
• Added catch Runtime exception when parsing JWT string (Issue #605)
• Allow paragonie/random_compat 2.x (Issue #606)
• Added indigophp/hash-compat to Composer suggestions and require-dev for PHP 5.5 support

5.0.3

• Fix hints in PasswordGrant (Issue #560)
• Add meaning of Resource owner to terminology.md (Issue #561)
• Use constant for event name instead of explicit string (Issue #563)
• Remove unused request property (Issue #564)
• Correct wrong phpdoc (Issue #569)
• Fixed typo in exception string (Issue #570)

5.0.2

• state parameter is now correctly returned after implicit grant authorization
• Small code and docblock improvements

5.0.1

• Fixes an issue (#550) whereby it was unclear whether or not to validate a client's secret during a request.

5.0.0

Version 5 is a complete code rewrite.

• JWT support
• PSR-7 support
• Improved exception errors
• Replace all occurrences of the term "Storage" with "Repository"
• Simplify repositories
• Entities conform to interfaces and use traits
• Auth code grant updated
  • Allow support for public clients
  • Add support for #439
• Client credentials grant updated
• Password grant updated
  • Allow support for public clients
• Refresh token grant updated
• Implement Implicit grant
• Bearer token output type
• Remove MAC token output type
• Authorization server rewrite
• Resource server class moved to PSR-7 middleware
• Tests
• Much much better documentation

Changes since RC2:

• Renamed Server class to AuthorizationServer
• Added ResourceServer class
• Run unit tests again PHP 5.5.9 as it's the minimum supported version
• Enable PHPUnit 5.0 support
• Improved examples and documentation
• Make it clearer that the implicit grant doesn't support refresh tokens
• Improved refresh token validation errors
• Fixed refresh token expiry date