auth0-PHP

Full Changelog

Fixed

• fix(SDK-4716): Resolve thrown exception when enumerating device cookies that include non-string keys/names #739 (evansims)

Full Changelog

Added

• feat(SDK-4543): Support Organizations with Client Grants #736 (evansims)

Added

• Support initiate_login_uri property for PATCH requests to the /api/v2/clients/:id Management API endpoint. #732

Fixed

• Token generator typo in claim header. #729

Changed

• composer.json now identifies mbstring as a required extension. #730
• PHP 8.3 nightlies have been added to the continuous integration testing matrix. #733

Fixed

• Corrected Management API route for deploy action endpoint by @speercy (#723)

Added

• Organization Name support added for Authentication API and token handling ¹ (#719)

Note
¹ To use this feature, an Auth0 tenant must have support for it enabled. This feature is not yet available to all tenants.

Added

• PAR (Pushed Authorization Request) support¹ (#714):
  • Auth0\SDK\API\Authentication\PushedAuthorizationRequest is a new class for issuing Pushed Authorization Requests and producing authorization links for them.
  • Auth0\SDK\API\Authentication::pushedAuthorizationRequest() has been added as a shortcut method for returning a configured instantiation of the above class.
  • Auth0\SDK\Auth0::login() has been updated to support issuing Pushed Authorization Requests and returning authorization links for them.
  • Auth0\SDK\Configuration\SdkConfiguration has been updated to accept a pushedAuthorizationRequest boolean to enable this feature.
• Auth0\SDK\Auth0::isAuthenticated() has been added as a shortcut method. It is an alias for getCredentials() !== null.

¹ Note: To use this feature, an Auth0 tenant must have support for it enabled. This feature is not yet available to all tenants.

This release improves the SDK's automatic discovery process of compatible HTTP clients, factories and messages (PSR-18, 17 and 7, respectively). If you encounter issues with your implementation not being discovered, please open an issue.

This release also introduces support for a number of additional Management API endpoints.

Added

• State Management

  • Added Auth0\SDK\Auth0::refreshState() to force a refresh of the SDK's internal state. This is useful when you have updated the SDK's configuration and want to ensure the SDK is using the latest values.

• Management API

  • Auth0\APIs\Management\Users
    • DELETE /users/:id/authenticators → deleteAllAuthenticators() (#702) (Documentation)
  • Support for Authentication Method endpoints: (#707):
    • GET /api/v2/users/:user/authentication-methods → getAuthenticationMethods() (Documentation)
    • PUT /api/v2/users/:user/authentication-methods → replaceAuthenticationMethods() (Documentation)
    • DELETE /api/v2/users/:user/authentication-methods → deleteAuthenticationMethods(string user) (Documentation)
    • POST /api/v2/users/:user/authentication-methods → createAuthenticationMethod() (Documentation)
    • GET /api/v2/users/:user/authentication-methods/:method → getAuthenticationMethod() (Documentation)
    • PATCH /api/v2/users/:user/authentication-methods/:method → updateAuthenticationMethod() (Documentation)
    • DELETE /api/v2/users/:user/authentication-methods/:method → deleteAuthenticationMethod() (Documentation)

Fixed

• Transient storage would sometimes not be fully cleared after a successful code exchange under certain conditions.
• Calls to certain methods under Auth0\SDK\API\Authentication with manually assigned client_id or client_secret parameters could have those values overwritten by the SDK's assigned configuration. #705

Changed

• Upgraded test suite to PEST 2.0 framework.
• Updated code styling rules, along with some light refactoring.
• Updated production dependencies:
  • Replaced php-http/discovery dependency with psr-discovery/all.
  • Replaced php-http/httplug dependency with psr-discovery/all.
• Updated development dependencies:
  • Removed ergebnis/composer-normalize as it now runs in CI.
  • Removed firebase/php-jwt as it was replaced by an in-library generator.
  • Replaced hyperf/event with symfony/event-dispatcher.
  • Replaced laravel/pint with friendsofphp/php-cs-fixer.
  • Replaced nyholm/psr7 with psr-mock/http-factory-implementation.
  • Replaced php-http/mock-client with psr-mock/http-client-implementation.
  • Updated vimeo/psalm to 5.8.
  • Updated phpstan/phpstan to 1.10.
  • Updated rector/rector to 0.15.

Thanks to our contributors for this release: knash94

Added

• Client Assertion (private_key_jwt) support #699 (evansims)
• Client Credentials management endpoints #700 (evansims)
• JSON Web Token generator classes, Auth0\SDK\Token\Generator and Auth0\SDK\Token\ClientAssertionGenerator. #698 (evansims)

Changed

• Restore test coverage to 100% #697 (evansims)
• Exclude unnecessary files from distribution package #696 (ramsey)

Full Changelog

Fixed

• fix: Always store provided state in transient medium #674 (evansims)

Full Changelog

Fixed

• fix: emailPasswordlessStart() incorrectly passes params as array under some conditions #670 (evansims)
• fix: Remove redundant Cache getItem() call in Auth0\SDK\Token\Verifier::getKeySet() #669 (pkivits-litebit)

Full Changelog

Fixed

• Allow SdkConfiguration::setScope() to be nullable #665 (evansims)

Full Changelog

Fixed

• [SDK-3722] Fix: Stateless strategies should not invoke stateful session classes #662 (evansims)

Full Changelog

Fixed

• Fix SdkConfiguration::setScope() not assigning default values when an empty array is passed #659 (evansims)

Full Changelog

Fixed

• Configuration validator improvements #657 (evansims)

Fixed

• Fix PHP 8.0+ SdkConfiguration named arguments usage #654 (evansims)

Full Changelog

Changed

• [SDK-3647] Add PHP 8.2.0-dev to test matrix #650 (evansims)

Fixed

• [SDK-3646] Reliability and performance improvements to CookieStore #649 (evansims)

Note: Previously in some circumstances, cookie secrets were not always being required in strategies where they should have been required. This has been resolved as part of the fixes in this release. If you are suddenly prompted to configure a cookie secret in an app that doesn't use sessions/cookies, please ensure you are using the correct strategy: https://github.com/auth0/auth0-PHP/tree/8.3.1#configuration-strategies

Full Changelog

Added

• Add PSR-14 Event Dispatcher, for highly customizable session storage mediums #646 (evansims)

Changed

• Treat passing an empty string to SdkConfiguration as the default undefined value type of NULL #643 (evansims)
• Enable configuration of SessionStore and CookieStore samesite property #645 (evansims)
• Add hardcoded debugging flag to CookieStore to disable encryption of session cookies #644 (evansims)
• Update getRequestParameter() filter to use FILTER_SANITIZE_FULL_SPECIAL_CHARS and allow passing extra filter options #642 (evansims)
• Defer/batch "Set-Cookie" headers at login() for transient cookies, and clear() #641 (evansims)

Full Changelog

Fixed

• Fixed an issue in Auth0\SDK\Configuration\SdkConfiguration where customDomain was not properly formatted in some configurations, leading to inconsistencies in certain SDK functions, such as Token validation. customDomain is now formatted identically to domain. #633 (evansims)

Closed Issues

• Resolves #630 (barasimumatik)

Full Changelog

Many thanks to our community contributors for this release: elbebass, fullstackfool, jeromefitzpatrick, marko-ilic and sepiariver.

Added

• Add bearer token extraction helper, Auth0\SDK\Auth0::getBearerToken() #620 (evansims)
• Add configuration strategy constants, e.g. Auth0\SDK\Configuration\SdkConfiguration::STRATEGY_API #619 (evansims)

Changed

• Throw Auth0\SDK\Exception\InvalidTokenException on JsonException #614 (marko-ilic)
• Throw Auth0\SDK\Exception\NetworkException when Management API credential exchange fails #608 (sepiariver)

Documentation Contributions

• Correct the new method name for get_authorize_link() for 8.x in UPGRADE.md #623 (jeromefitzpatrick)
• Remove PHP 7.3 README note (deprecated) #610 (evansims)
• Update CONTRIBUTING.md guidance #609 (sepiariver)
• Update README.md guidance on management configuration strategy (domain is required) #604 (fullstackfool)
• Correct README.md typos in Management API example #602 (elbebass)

Other Improvements

• Relax pestphp/pest-plugin-parallel dev dependency from ^0.2 to ^0.2 || ^1.0 #617
• Bump firebase/php-jwt dev dependency to ^6.0 #613 (evansims)
• Add Semgrep to continous integration test suite #616 (evansims)

Full Changelog

Added

• Add Attack Protection endpoints #593 (evansims)