Releases: thephpleague/oauth2-server
8.5.5
8.4.3
9.1.0
Added
- Support for PHP 8.4 (PR #1454)
Fixed
- In the Auth Code grant, when requesting an access token with an invalid auth code, we now respond with an invalid_grant error instead of invalid_request (PR #1433)
- Fixed spec compliance issue where device access token request was mistakenly expecting to receive scopes in the request (PR #1412)
- Refresh tokens issued before version 9 may have user IDs stored as ints, which meant they were incorrectly rejected. We now cast these values to strings so that old refresh tokens are accepted (PR #1436)
9.0.1
Fixed
- Auto-generated event emitter is now persisted. Previously, a new emitter was generated every time (PR #1428)
- Fixed bug where you could not omit a redirect URI even if one had not been specified during the auth request (PR #1428)
- Fixed bug where the "state" parameter wasn't present on the `invalid_scope` error response and wasn't in the fragment part of the `access_denied` redirect URI on the Implicit grant (PR #1298)
- Fixed bug where disabling refresh token revocation via `revokeRefreshTokens(false)` unintentionally disabled issuing new refresh tokens (PR #1449)
9.0.0
Added
- Device Authorization Grant added (PR #1074)
- GrantTypeInterface has a new function, `revokeRefreshTokens()`, for enabling or disabling refresh tokens after use (PR #1375)
- A CryptKeyInterface to allow developers to change the CryptKey implementation with greater ease (PR #1044)
- The authorization server can now finalize scopes when a client uses a refresh token (PR #1094)
- An AuthorizationRequestInterface to make it easier to extend the AuthorizationRequest (PR #1110)
- Added function `getKeyContents()` to the CryptKeyInterface (PR #1375)
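As an added example (not code from the project's release notes), the snippet below wires the Refresh Token grant on a 9.x AuthorizationServer and calls the `revokeRefreshTokens()` setter introduced in 9.0.0, with revocation turned off, the configuration whose issuance bug 9.0.1 fixes. The `App\Repositories\*` classes, the key path and the encryption key value are assumptions standing in for an application's own implementations.

```php
<?php
// Added example, not part of thephpleague/oauth2-server itself.
// Assumptions: App\Repositories\* implement the library's repository
// interfaces; the key path and encryption key below are placeholders.
declare(strict_types=1);

use League\OAuth2\Server\AuthorizationServer;
use League\OAuth2\Server\CryptKey;
use League\OAuth2\Server\Grant\RefreshTokenGrant;

// Private key used to sign access tokens. The third argument skips the
// file-permission check; leave it enabled outside local development.
$privateKey = new CryptKey('file:///PLACEHOLDER/path/to/private.key', null, false);

// getKeyContents() (9.0.0, PR #1375) is on CryptKeyInterface, so a custom
// key implementation (for example one that reads from a secrets store) can
// be substituted without the server needing a file path.
$pem = $privateKey->getKeyContents();

$server = new AuthorizationServer(
    new App\Repositories\ClientRepository(),      // assumed application class
    new App\Repositories\AccessTokenRepository(), // assumed application class
    new App\Repositories\ScopeRepository(),       // assumed application class
    $privateKey,
    'PLACEHOLDER_32_BYTE_ENCRYPTION_KEY'          // generate with base64_encode(random_bytes(32))
);

$grant = new RefreshTokenGrant(new App\Repositories\RefreshTokenRepository());
$grant->setRefreshTokenTTL(new \DateInterval('P1M')); // refresh tokens live one month

// Keep a presented refresh token valid after it has been used. With 9.0.0
// this call also stopped new refresh tokens from being issued on each
// exchange; from 9.0.1 (PR #1449) a new refresh token is still returned.
$grant->revokeRefreshTokens(false);

$server->enableGrantType($grant, new \DateInterval('PT1H')); // access tokens live one hour
```

With the default (`revokeRefreshTokens(true)`) each refresh token is single-use: once exchanged it is revoked, and a replay of a leaked copy is answered with the `invalid_grant` / HTTP 400 response described under Fixed. Disabling revocation keeps older tokens usable until their TTL, so it suits only clients that genuinely cannot persist the rotated token, and the refresh token TTL becomes the main bound on exposure.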
Fixed
- Basic authorization is now case insensitive (PR #1403)
- If a refresh token has expired, been revoked, cannot be decrypted, or does not belong to the correct client, the server will now issue an `invalid_grant` error and an HTTP 400 response. In previous versions the server incorrectly issued an `invalid_request` error and HTTP 401 response (PR #1042) (PR #1082)
Changed
- All interfaces now specify types for all params and return values. Strict typing enforced (PR #1074)
- Request parameters are now parsed into strings to use internally in the library (PR #1402)
- Authorization Request objects are now created through the factory method `createAuthorizationRequest()` (PR #1111)
- Changed parameters for `finalizeScopes()` to allow a reference to an auth code ID (PR #1112)
- AccessTokenEntityInterface now requires the implementation of `toString()` instead of the magic method `__toString()` (PR #1395)
Removed
- Removed message property from OAuthException HTTP response. Now just use error_description as per the OAuth 2 spec (PR #1375)
9.0.0-RC1
Added
- Device Authorization Grant added (PR #1074)
- GrantTypeInterface has a new function, `revokeRefreshTokens()`, for enabling or disabling refresh tokens after use (PR #1375)
- A CryptKeyInterface to allow developers to change the CryptKey implementation with greater ease (PR #1044)
- The authorization server can now finalize scopes when a client uses a refresh token (PR #1094)
- An AuthorizationRequestInterface to make it easier to extend the AuthorizationRequest (PR #1110)
- Added function `getKeyContents()` to the CryptKeyInterface (PR #1375)
Fixed
- If a refresh token has expired, been revoked, cannot be decrypted, or does not belong to the correct client, the server will now issue an `invalid_grant` error and an HTTP 400 response. In previous versions the server incorrectly issued an `invalid_request` error and HTTP 401 response (PR #1042) (PR #1082)
Changed
- Authorization Request objects are now created through the factory method `createAuthorizationRequest()` (PR #1111)
- Changed parameters for `finalizeScopes()` to allow a reference to an auth code ID (PR #1112)
- AccessTokenEntityInterface now requires the implementation of `toString()` instead of the magic method `__toString()` (PR #1395)
Removed
- Removed message property from OAuthException HTTP response. Now just use error_description as per the OAuth 2 spec (PR #1375)