PHP OAuth 2.0 Server v8.0.0 Release Notes

Release Date: 2019-07-13 // almost 3 years ago
  • โž• Added

    • Flag, requireCodeChallengeForPublicClients, used to reject public clients that do not provide a code challenge for the Auth Code Grant; use AuthCodeGrant::disableRequireCodeCallengeForPublicClients() to turn off this requirement (PR #938)
    • Public clients can now use the Auth Code Grant (PR #938)
    • isConfidential getter added to ClientEntity to identify type of client (PR #938)
    • Function validateClient() added to validate clients which was previously performed by the getClientEntity() function (PR #938)
    • โž• Add a new function to the AbstractGrant class called getClientEntityOrFail(). This is a wrapper around the getClientEntity() function that ensures we emit and throw an exception if the repo doesn't return a client entity. (PR #1010)

    ๐Ÿ”„ Changed

    • Replace convertToJWT() interface with a more generic __toString() to improve extensibility; AccessTokenEntityInterface now requires setPrivateKey(CryptKey $privateKey) so __toString() has everything it needs to work (PR #874)
    • โœ… The invalidClient() function accepts a PSR-7 compliant $serverRequest argument to avoid accessing the $_SERVER global variable and improve testing (PR #899)
    • issueAccessToken() in the Abstract Grant no longer sets access token client, user ID or scopes. These values should already have been set when calling getNewToken() (PR #919)
    • No longer need to enable PKCE with enableCodeExchangeProof flag. Any client sending a code challenge will initiate PKCE checks. (PR #938)
    • Function getClientEntity() no longer performs client validation (PR #938)
    • Password Grant now returns an invalid_grant error instead of invalid_credentials if a user cannot be validated (PR #967)
    • ๐Ÿ‘‰ Use DateTimeImmutable() instead of DateTime(), time() instead of (new DateTime())->getTimeStamp(), and DateTime::getTimeStamp() instead of DateTime::format('U') (PR #963)

    โœ‚ Removed

    • enableCodeExchangeProof flag (PR #938)
    • ๐Ÿ‘Œ Support for PHP 7.0 (PR #1014)
    • โœ‚ Remove JTI claim from JWT header (PR #1031)