All Versions
Latest Version
Avg Release Cycle
68 days
Latest Release
416 days ago

Changelog History
Page 1

  • v8.3.4 Changes

    April 07, 2022

    ๐Ÿ›  Fixed

    • ๐Ÿ“œ Server previously rejected valid uris with custom schemes. Now use league/uri for parsing to accept all valid uris (PR #1274)
  • v8.3.3 Changes

    October 11, 2021

    ๐Ÿ”’ Security

    • โœ‚ Removed the use of LocalFileReference() in lcobucci/jwt. Function deprecated as per GHSA-7322-jrq4-x5hf (PR #1249)
  • v8.3.2 Changes

    July 27, 2021

    ๐Ÿ”„ Changed

    • ๐Ÿ‘ Conditionally support the StrictValidAt() method in lcobucci/jwt so we can use version 4.1.x or greater of the library (PR #1236)
    • When providing invalid credentials, the library now responds with the error message The user credentials were incorrect (PR #1230)
    • Keys are always stored in memory now and are not written to a file in the /tmp directory (PR #1180)
    • The regex for matching the bearer token has been simplified (PR #1238)
  • v8.3.1 Changes

    June 04, 2021

    ๐Ÿ›  Fixed

    • โช Revert check on clientID. We will no longer require this to be a string (PR #1233)
  • v8.3.0 Changes

    June 03, 2021

    โž• Added

    • The server will now validate redirect uris according to rfc8252 (PR #1203)
    • ๐Ÿ›ฐ Events emitted now include the refresh token and access token payloads (PR #1211)
    • ๐Ÿ‘‰ Use the revokeRefreshTokens() function to decide whether refresh tokens are revoked or not upon use (PR #1189)

    ๐Ÿ”„ Changed

    • Keys are now validated using openssl_pkey_get_private() and openssl_pkey_get_public() instead of regex matching (PR #1215)

    ๐Ÿ›  Fixed

    • The server will now only recognise and handle an authorization header if the value of the header is non-empty. This is to circumvent issues where some common frameworks set this header even if no value is present (PR #1170)
    • โž• Added type validation for redirect uri, client ID, client secret, scopes, auth code, state, username, and password inputs (PR #1210)
    • ๐Ÿ‘ Allow scope "0" to be used. Previously this was removed from a request because it failed an empty() check (PR #1181)
  • v8.2.4 Changes

    December 10, 2020

    ๐Ÿ›  Fixed

    • โช Reverted the enforcement of at least one redirect_uri for a client. This change has instead been moved to version 9 (PR #1169)
  • v8.2.3 Changes

    December 02, 2020

    โž• Added

    • ๐Ÿ‘ Re-added support for PHP 7.2 (PR #1165, #1167)
  • v8.2.2 Changes

    November 30, 2020

    ๐Ÿ›  Fixed

    • ๐Ÿ›  Fix issue where the private key passphrase isn't correctly passed to JWT library (PR #1164)
  • v8.2.1 Changes

    November 26, 2020

    ๐Ÿ›  Fixed

    • ๐Ÿ”ง If you have a password on your private key, it is now passed correctly to the JWT configuration object. (PR #1159)
  • v8.2.0 Changes

    November 25, 2020

    โž• Added

    • โž• Add a getRedirectUri function to the OAuthServerException class (PR #1123)
    • ๐Ÿ‘Œ Support for PHP 8.0 (PR #1146)

    โœ‚ Removed

    • โœ‚ Removed support for PHP 7.2 (PR #1146)

    ๐Ÿ›  Fixed

    • Fix typo in parameter hint. code_challenged changed to code_challenge. Thrown by Auth Code Grant when the code challenge does not match the regex. (PR #1130)
    • ๐Ÿ‘ป Undefined offset was returned when no client redirect URI was set. Now throw an invalidClient exception if no redirect URI is set against a client (PR #1140)