PHP OAuth 2.0 Server v8.0.0 Release Notes
Release Date: 2019-07-13
Added
- Flag `requireCodeChallengeForPublicClients`, used to reject public clients that do not provide a code challenge for the Auth Code Grant; use `AuthCodeGrant::disableRequireCodeChallengeForPublicClients()` to turn off this requirement (PR #938)
- Public clients can now use the Auth Code Grant (PR #938)
- `isConfidential` getter added to `ClientEntity` to identify the type of client (PR #938)
- Function `validateClient()` added to validate clients, which was previously performed by the `getClientEntity()` function (PR #938)
- Added a new function to the `AbstractGrant` class called `getClientEntityOrFail()`. This is a wrapper around the `getClientEntity()` function that ensures an event is emitted and an exception thrown if the repository doesn't return a client entity (PR #1010)
Changed
- Replace the `convertToJWT()` interface with a more generic `__toString()` to improve extensibility; `AccessTokenEntityInterface` now requires `setPrivateKey(CryptKey $privateKey)` so `__toString()` has everything it needs to work (PR #874)
- The `invalidClient()` function accepts a PSR-7 compliant `$serverRequest` argument to avoid accessing the `$_SERVER` global variable and improve testing (PR #899)
- `issueAccessToken()` in the Abstract Grant no longer sets the access token's client, user ID or scopes. These values should already have been set when calling `getNewToken()` (PR #919)
- No longer need to enable PKCE with the `enableCodeExchangeProof` flag. Any client sending a code challenge will initiate PKCE checks (PR #938)
- Function `getClientEntity()` no longer performs client validation (PR #938)
- Password Grant now returns an `invalid_grant` error instead of `invalid_credentials` if a user cannot be validated (PR #967)
- Use `DateTimeImmutable()` instead of `DateTime()`, `time()` instead of `(new DateTime())->getTimeStamp()`, and `DateTime::getTimeStamp()` instead of `DateTime::format('U')` (PR #963)
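The client-handling changes above (validation moved out of `getClientEntity()` into `validateClient()`, the `isConfidential` getter, and public clients on the Auth Code Grant) fit together as in this added example of a v8 client repository; it is not code from the release notes or the library, and the client list, redirect URIs and secret are constructed sample data.

```php
<?php
use League\OAuth2\Server\Entities\ClientEntityInterface;
use League\OAuth2\Server\Entities\Traits\ClientTrait;
use League\OAuth2\Server\Entities\Traits\EntityTrait;
use League\OAuth2\Server\Repositories\ClientRepositoryInterface;

// Client entity exposing the v8 isConfidential() getter through ClientTrait (added example).
final class Client implements ClientEntityInterface
{
    use ClientTrait, EntityTrait;
    public function __construct(string $id, string $name, string $redirectUri, bool $confidential)
    {
        $this->identifier = $id;
        $this->name = $name;
        $this->redirectUri = $redirectUri;
        $this->isConfidential = $confidential;
    }
}

final class ClientRepository implements ClientRepositoryInterface
{
    private $clients; // constructed sample data: one public SPA, one confidential backend
    public function __construct()
    {
        $this->clients = [
            'spa-app' => ['name' => 'Browser SPA', 'redirect' => 'https://spa.example/cb', 'hash' => null],
            'backend' => ['name' => 'Server app', 'redirect' => 'https://api.example/cb',
                          'hash' => password_hash('constructed-secret', PASSWORD_DEFAULT)],
        ];
    }
    // v8: lookup only, no validation; a null return lets getClientEntityOrFail() raise invalid_client.
    public function getClientEntity($clientIdentifier): ?ClientEntityInterface
    {
        $c = $this->clients[$clientIdentifier] ?? null;
        return $c === null ? null : new Client($clientIdentifier, $c['name'], $c['redirect'], $c['hash'] !== null);
    }
    // v8: the credential check lives here. A public client (no secret) is accepted for the auth code grant
    // only; AuthCodeGrant still rejects it if it omits a PKCE code challenge, because
    // requireCodeChallengeForPublicClients is on unless disableRequireCodeChallengeForPublicClients() is called.
    public function validateClient($clientIdentifier, $clientSecret, $grantType): bool
    {
        $c = $this->clients[$clientIdentifier] ?? null;
        if ($c === null) {
            return false;
        }
        if ($c['hash'] === null) {
            return $grantType === 'authorization_code';
        }
        return is_string($clientSecret) && password_verify($clientSecret, $c['hash']);
    }
}
```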
Removed
- Flag,