PHP OAuth 2.0 Server v8.0.0 Release Notes
Release Date: 2019-07-13 // almost 5 years ago-
โ Added
- Flag,
requireCodeChallengeForPublicClients, used to reject public clients that do not provide a code challenge for the Auth Code Grant; use AuthCodeGrant::disableRequireCodeCallengeForPublicClients() to turn off this requirement (PR #938) - Public clients can now use the Auth Code Grant (PR #938)
isConfidentialgetter added toClientEntityto identify type of client (PR #938)- Function
validateClient()added to validate clients which was previously performed by thegetClientEntity()function (PR #938) - โ Add a new function to the AbstractGrant class called
getClientEntityOrFail(). This is a wrapper around thegetClientEntity()function that ensures we emit and throw an exception if the repo doesn't return a client entity. (PR #1010)
๐ Changed
- Replace
convertToJWT()interface with a more generic__toString()to improve extensibility; AccessTokenEntityInterface now requiressetPrivateKey(CryptKey $privateKey)so__toString()has everything it needs to work (PR #874) - โ
The
invalidClient()function accepts a PSR-7 compliant$serverRequestargument to avoid accessing the$_SERVERglobal variable and improve testing (PR #899) issueAccessToken()in the Abstract Grant no longer sets access token client, user ID or scopes. These values should already have been set when callinggetNewToken()(PR #919)- No longer need to enable PKCE with
enableCodeExchangeProofflag. Any client sending a code challenge will initiate PKCE checks. (PR #938) - Function
getClientEntity()no longer performs client validation (PR #938) - Password Grant now returns an invalid_grant error instead of invalid_credentials if a user cannot be validated (PR #967)
- ๐ Use
DateTimeImmutable()instead ofDateTime(),time()instead of(new DateTime())->getTimeStamp(), andDateTime::getTimeStamp()instead ofDateTime::format('U')(PR #963)
โ Removed
- Flag,