auth0-PHP

Full Changelog

This is a hotfix release to address an issue with a Composer dependency reference and apply a testing configuration change. There are no additional new features or changes.

Full Changelog

SDK 7.6 introduces support for the newly released PHP 8.0 and drops support for PHP 7.1 and 7.2 (which have reached their end of support cycles.) Please ensure you are running supported versions of PHP in your environments.

Added

• PHP 8.0 support #467 (evansims)
• Static code analysis #470 (FrontEndCoffee)

Full Changelog

Closed issues

• createPasswordChangeTicket doesn't support 'ttl_sec' parameter #457
• Make the CACHE_TTL used in the JWKFetcher configurable. #450
• Allow programmatic clearing of cache values managed by Auth0Service #441

Added

• Add support for Authorization Code Flow with PKCE #449 (ls-youssef-jlidat)
• Allow specifying TTL when creating password change tickets #463 (evansims)
• Expand control over TTL/Caching in JWKFetcher #462 (evansims)
• Add support for Management V2 users export job endpoint #461 (evansims)

Full Changelog

Added

• Add support for new identity field for email verifications #455 (jimmyjames)

Full Changelog

Closed issues

• TokenVerifier::verify throws a \RuntimeException instead of an InvalidTokenException #438
• Support Guzzle 7 #421

Added

• Add Support for Log Streams Management APIs #451 (jimmyjames)
• Update composer requirements to support guzzle ~7.0 #443 (banderon1)

Fixed

• Throw InvalidTokenException instead of RuntimeException when parsing malformed token #439 (B-Galati)

Full Changelog

Closed issues

• Renew Tokens throws nonce error #432
• email_passwordless_start not setting client_secret #431

Added

• /passwordless/start accepts client_secret now #430 (abbaspour)

Fixed

• Allow no nonce option #434 (joshcanhelp)

Full Changelog

Closed issues

• Authorized Party (azp) claim mismatch in the ID token #422
• JWTVerifier alternatives #419
• Consider to customize the jwks path #417

Added

• Add TokenVerifier for non-OIDC-compliant JWTs #428 (joshcanhelp)
• Add signing key rotation and custom JWKS URI support #426 (joshcanhelp)
• Add Client ID to verification email method #423 (joshcanhelp)

Full Changelog

BEFORE YOU UPGRADE

This is a major release with several breaking changes. Please see the v5 to v7 migration guide here before you upgrade.

Added

• Add types for StoreInterface and implementors; add back EmptyStore #414 (joshcanhelp)
• Add select Guardian management endpoints #412 (joshcanhelp)
• Add Auth0->decodeIdToken() method for ID token decoding by deps #410 (joshcanhelp)
• Add SameSite cookie attribute handling #400 (joshcanhelp)
• Nonce and max_age handling with new CookieStore class #395 (joshcanhelp)

Changed

• Convert caching to PSR-16 interface #403 (joshcanhelp)
• Move AuthorizationBearer to new namespace #402 (joshcanhelp)
• Improve transient authorization data handling #397 (joshcanhelp)
• Cleanup Auth0 class constructor for clarification and better defaults #394 (joshcanhelp)
• Change client secret requirements #390 (joshcanhelp)
• Improved OIDC compliance #386 (joshcanhelp)
• Update minimum PHP from 5.5 to 7.1 #377 (joshcanhelp)

Removed

• Remove future iat check #411 (joshcanhelp)
• Remove Firebase JWT library #396 (joshcanhelp)
• Remove session cookie expiration option #389 (joshcanhelp)
• Remove deprecated Authentication methods and add types #385 (joshcanhelp)
• Remove deprecated JWKS methods and adjust tests #384 (joshcanhelp)
• Remove deprecated M-API methods #383 (joshcanhelp)
• Remove deprecated InformationHeaders methods and add types #382 (joshcanhelp)
• Remove deprecated methods and add types to RequestBuilder #381 (joshcanhelp)
• Remove deprecated token generator #380 (joshcanhelp)
• Remove deprecated legacy classes #379 (joshcanhelp)
• Update management props #378 (joshcanhelp)

Full Changelog

Added

• Add default scopes to Auth0 class #406 (joshcanhelp)
• fix: add missing options for renewTokens method #405 (bkotrys)

Deprecated

• Add deprecation notices for removals in v7 major release #407 (joshcanhelp)

Fixed

• Fix mkdir race condition in FileSystemCacheHandler #375 (B-Galati)

Full Changelog

Closed issues

• [Auth0\SDK\Exception\CoreException] Invalid domain when trying to run unit tests with Codeception 3.1.0 #358
• JWT Verification fails everytime #356
• Bulk User Imports - I can't Use upsert as a paramater for the importUsers feature #353

Added

• Add \Auth0\SDK\Auth0::getLoginUrl() method and switch login() to use it #371 (joshcanhelp)
• Add JWKFetcher::getFormatted() method and switch validator to use #369 (joshcanhelp)
• Add additional API params to Jobs > importUsers #354 (pinodex)

Deprecated

• Deprecated unused JWKFetcher methods #373 (joshcanhelp)
• Deprecate magic __call method on RequestBuilder class #366 (joshcanhelp)
• Deprecate Management properties; add lazy-load methods #363 (joshcanhelp)
• Deprecate and stop using magic call method on ApiClient #362 (joshcanhelp)
• Deprecate addPathVariable and dump methods on RequestBuilder #361 (joshcanhelp)
• Deprecate TokenGenerator class #360 (joshcanhelp)
  Fixed
• Fix boolean form parameters not sending as strings #357 (joshcanhelp)

Full Changelog

Closed issues

• No packagist package created for 5.5.0 #346

Fixed

• Fix empty url params #349 (joshcanhelp)
• Fix tests to reduce the number of sensitive credentials used #348 (joshcanhelp)
• Change normalizeIncludeTotals() in GenericResource to have sane defaults #347 (kler)

Full Changelog

Closed issues

• Consider dropping PHP-5.x version supports #343
• Auth0 Error: 'Invalid state' in /auth0/vendor/auth0/auth0-php/src/Auth0.php: line#537 #333

Added

• Add missing User endpoints for Management API #341 (joshcanhelp)
• Add all Management API Roles endpoints #337 (joshcanhelp)
• Add missing Users test and switch to mocked calls. #336 (joshcanhelp)
• Add Authentication::refresh_token() method #335 (joshcanhelp)

Full Changelog

Notes for this release:

• \Auth0\SDK\Auth0 now accepts a $config key called skip_userinfo that uses the decoded ID token for the user profile instead of a call to the /userinfo endpoint. This will save an HTTP call during login and should have no affect on most applications.

Closed issues

• Auth0::exchange() assumes a valid id_token #317
• Feature Request: Support sending auth0-forwarded-for header #208

Added

• Authentication class cleanup and tests #322 (joshcanhelp)
• Add Grants Management endpoint #321 (joshcanhelp)
• Add Auth0-Forwarded-For header for RO grant #320 (joshcanhelp)
• Improve API Telemetry #319 (joshcanhelp)
• Add Mock API Request Capability and Mocked Connections Tests #314 (joshcanhelp)

Changed

• Test suite improvements #313 (joshcanhelp)
• Improve repo documentation #312 (joshcanhelp)

Deprecated

• Official deprecation for JWKFetcher method #328 (joshcanhelp)
  • \Auth0\SDK\Helpers\JWKFetcher::fetchKeys()
• Official deprecation for User methods #327 (joshcanhelp)
  • \Auth0\SDK\API\Management\Users::search()
  • \Auth0\SDK\API\Management\Users::unlinkDevice()
• Official deprecation of ClientGrants method #326 (joshcanhelp)
  • \Auth0\SDK\API\Management\ClientGrants::get()
• Official deprecation of legacy InformationHeaders methods #325 (joshcanhelp)
  • \Auth0\SDK\API\Helpers\InformationHeaders::setEnvironment()
  • \Auth0\SDK\API\Helpers\InformationHeaders::setDependency()
  • \Auth0\SDK\API\Helpers\InformationHeaders::setDependencyData()
• Official deprecation of legacy Authentication methods #324 (joshcanhelp)
  • \Auth0\SDK\API\Authentication::setApiClient()
  • \Auth0\SDK\API\Authentication::sms_code_passwordless_verify()
  • \Auth0\SDK\API\Authentication::email_code_passwordless_verify()
  • \Auth0\SDK\API\Authentication::impersonate()

Fixed

• Fix Auth0::exchange() to handle missing id_token #318 (joshcanhelp)

Full Changelog

Closed issues

• Something is wrong with the latest release 5.3.1 #303

Fixed

• Fix info headers Extend error in dependant libs #304 (joshcanhelp)

Full Changelog

Closed issues

• Array to String exception when audience is an array #296
• Passing accessToken from frontend to PHP API #281
• Deprecated method email_code_passwordless_verify #280

Added

• Fix documentation for Auth0 constructor options #298 (biganfa)

Changed

• Change telemetry headers to new format and add tests #300 (joshcanhelp)

Fixed

• Fix bad exception message generation #297 (joshcanhelp)

Full Changelog

Closed issues

• Question: Handling rate limits #277
• Allow configuration of the JWKS URL #276
• Allow changing the session key name #273
• SessionStore overrides PHP session cookie lifetime setting #215

Added

• Add custom JWKS path and kid check to JWKFetcher + tests #287 (joshcanhelp)
• Add config keys for session base name and cookie expires #279 (joshcanhelp)
• Add return request object #278 (joshcanhelp)
• Add pagination and tests to Resource Servers #275 (joshcanhelp)
• Fix formatting, code standards scan #274 (joshcanhelp)
• Add pagination, docs, and better tests for Rules #272 (joshcanhelp)
• Adding pagination, tests, + docs to Client Grants; minor test suite refactor #271 (joshcanhelp)
• Add tests, docblocks for Logs endpoints #270 (joshcanhelp)
• Add PHP_CodeSniffer + ruleset config #267 (joshcanhelp)
• Add session state and dummy state handler tests #266 (joshcanhelp)

Changed

• Build/PHPCS: update/improve the PHPCS configuration #284 (jrfnl)

Deprecated

• Deprecate Auth0\SDK\API\Oauth2Client class #269 (joshcanhelp)

Removed

• Remove examples, add links to Quickstarts #293 (joshcanhelp)

Fixed

• Whitespace pass with new standards using composer phpcbf #268 (joshcanhelp)

Security

• Add ID token validation #285 (joshcanhelp)

Full Changelog

Closed issues

• getAppMetadata - how to use? #248
• Auth0 class missing action to renew access token #234
• DOC maj #217

Added

• User pagination and fields, docblocks, formatting, test improvements #261 (joshcanhelp)
• Unit test for withDictParams method #260 (joshcanhelp)
• Pagination, additional parameters, and tests for the Connections endpoint #258 (joshcanhelp)
• Renew tokens method for Auth0 client class #257 (jspetrak)
• Clients endpoint pagination and improvements #256 (joshcanhelp)
• Add email template endpoints #251 (joshcanhelp)

Changed

• Code style scan and fixes #250 (joshcanhelp)

Fixed

• Fix PHPUnit test. #262 (maurobonfietti)
• Allow $page to be null for Clients so pagination is not triggered #259 (joshcanhelp)
• Rewrite README; add news and notes to CHANGELOG #253 (joshcanhelp)

5.1.1 (2018-04-03)

Full Changelog

Closed issues

• State Handler with Custom Session Store #233
• Implement ResourceServices::getAll #200

Added

• Implement ResourceServices::getAll() #236 joshcanhelp)

Fixed

• Incorrect type hint on SessionStateHandler __construct #235 (joshcanhelp)
• Auth0 class documentation fixed for store and state handler #232 (jspetrak)
• Fixing minor code quality issues #231 joshcanhelp)

State validation was added in 5.1.0 for improved security. By default, this uses session storage and will happen automatically if you are using a combination of Auth0::login() and any method which calls Auth0::exchange() in your callback.

If you need to use a different storage method, implement your own StateHandler and set it using the state_handler config key when you initialize an Auth0 instance.

If you are using Auth0::exchange() and a method other than Auth0::login() to generate the Authorize URL, you can disable automatic state validation by setting the state_handler key to false when you initialize the Auth0 instance. It is highly recommended to implement state validation, either automatically or otherwise

Closed issues

• Support for php-jwt 5 #210

Added

• Adding tests for state handler; correcting storage method used #228 (joshcanhelp)

Changed

• Bumping JWT package version #229 (joshcanhelp)

Added

• Add support for the new users by email API #213 (erichard)

Fixed

• Fixes build #211 (aknosis)