Changelog History

  • v8.3.2 Changes

    July 27, 2021

    Changed

    • Conditionally support the StrictValidAt() method in lcobucci/jwt so we can use version 4.1.x or greater of the library (PR #1236)
    • When providing invalid credentials, the library now responds with the error message The user credentials were incorrect (PR #1230)
    • Keys are always stored in memory now and are not written to a file in the /tmp directory (PR #1180)
    • The regex for matching the bearer token has been simplified (PR #1238)
  • v8.3.1 Changes

    June 04, 2021

    Fixed

    • Revert check on clientID. We will no longer require this to be a string (PR #1233)
  • v8.3.0 Changes

    June 03, 2021

    Added

    • The server will now validate redirect URIs according to RFC 8252 (PR #1203)
    • Events emitted now include the refresh token and access token payloads (PR #1211)
    • Use the revokeRefreshTokens() function to decide whether refresh tokens are revoked or not upon use (PR #1189)

    Changed

    • Keys are now validated using openssl_pkey_get_private() and openssl_pkey_get_public() instead of regex matching (PR #1215)

    Fixed

    • The server will now only recognise and handle an authorization header if the value of the header is non-empty. This is to circumvent issues where some common frameworks set this header even if no value is present (PR #1170)
    • Added type validation for redirect uri, client ID, client secret, scopes, auth code, state, username, and password inputs (PR #1210)
    • Allow scope "0" to be used. Previously this was removed from a request because it failed an empty() check (PR #1181)
  • v8.2.4 Changes

    December 10, 2020

    Fixed

    • Reverted the enforcement of at least one redirect_uri for a client. This change has instead been moved to version 9 (PR #1169)
  • v8.2.3 Changes

    December 02, 2020

    Added

    • Re-added support for PHP 7.2 (PR #1165, #1167)
  • v8.2.2 Changes

    November 30, 2020

    Fixed

    • Fix issue where the private key passphrase isn't correctly passed to JWT library (PR #1164)
  • v8.2.1 Changes

    November 26, 2020

    Fixed

    • If you have a password on your private key, it is now passed correctly to the JWT configuration object. (PR #1159)
  • v8.2.0 Changes

    November 25, 2020

    Added

    • Add a getRedirectUri function to the OAuthServerException class (PR #1123)
    • Support for PHP 8.0 (PR #1146)

    Removed

    • Removed support for PHP 7.2 (PR #1146)

    Fixed

    • Fix typo in parameter hint. code_challenged changed to code_challenge. Thrown by Auth Code Grant when the code challenge does not match the regex. (PR #1130)
    • Undefined offset was returned when no client redirect URI was set. Now throw an invalidClient exception if no redirect URI is set against a client (PR #1140)
  • v8.1.1 Changes

    July 01, 2020

    Fixed

    • If you provide a valid redirect_uri with the auth code grant and an invalid scope, the server will use the given
      redirect_uri instead of the default client redirect uri (PR #1126)
  • v8.1.0 Changes

    April 29, 2020

    Added

    • Added support for PHP 7.4 (PR #1075)

    Changed

    • If an error is encountered when running preg_match() to validate an RSA key, the server will now throw a RuntimeException (PR #1047)
    • Replaced deprecated methods with recommended ones when using Lcobucci\JWT\Builder to build a JWT token. (PR #1060)
    • When storing a key, we no longer touch the file before writing it as this is an unnecessary step (PR #1064)
    • Prefix native PHP functions in namespaces with backslashes for micro-optimisations (PR #1071)

    Removed

    • Support for PHP 7.1 (PR #1075)

    Fixed

    • Clients are now explicitly prevented from using the Client Credentials grant unless they are confidential to conform
      with the OAuth2 spec (PR #1035)
    • Abstract method getIdentifier() added to AccessTokenTrait. The trait cannot be used without the getIdentifier()
      method being defined (PR #1051)
    • An exception is now thrown if a refresh token is accidentally sent in place of an authorization code when using the
      Auth Code Grant (PR #1057)
    • Can now send access token request without being forced to specify a redirect URI (PR #1096)
    • In the BearerTokenValidator, if an implementation is using PDO, there is a possibility that a RuntimeException will be thrown when checking if an access token is revoked. This scenario no longer incorrectly issues an exception with a hint mentioning an issue with JSON decoding. (PR #1107)