oauth2-server

Added

• Device Authorization Grant added (PR #1074)
• GrantTypeInterface has a new function, revokeRefreshTokens() for enabling or disabling refresh tokens after use (PR #1375)
• A CryptKeyInterface to allow developers to change the CryptKey implementation with greater ease (PR #1044)
• The authorization server can now finalize scopes when a client uses a refresh token (PR #1094)
• An AuthorizationRequestInterface to make it easier to extend the AuthorizationRequest (PR #1110)
• Added function getKeyContents() to the CryptKeyInterface (PR #1375)

Fixed

• If a refresh token has expired, been revoked, cannot be decrypted, or does not belong to the correct client, the server will now issue an invalid_grant error and a HTTP 400 response. In previous versions the server incorrectly issued an invalid_request and HTTP 401 response (PR #1042) (PR #1082)

Changed

• Authorization Request objects are now created through the factory method, createAuthorizationRequest() (PR #1111)
• Changed parameters for finalizeScopes() to allow a reference to an auth code ID (PR #1112)
• AccessTokenEntityInterface now requires the implementation of toString() instead of the magic method __toString() (PR #1395)

Removed

• Removed message property from OAuthException HTTP response. Now just use error_description as per the OAuth 2 spec (PR #1375)

Added

• Support for league/uri ^7.0 (PR #1367)

Security

• If a key string is provided to the CryptKey constructor with an invalid
  passphrase, the LogicException message generated will contain the given key.
  The key is no longer leaked via this exception (PR #1359)

Security

• If a key string is provided to the CryptKey constructor with an invalid
  passphrase, the LogicException message generated will expose the given key.
  The key is no longer leaked via this exception (PR #1353)

Changed

• Bumped the versions for laminas/diactoros and psr/http-message to support
  PSR-7 v2.0 (PR #1339)

Fixed

• Fixed PHP version constraints and lcobucci/clock version constraint to support PHP 8.1 (PR #1336)

Added

• Support for PHP 8.1 and 8.2 (PR #1333)

Removed

• Support PHP 7.2, 7.3, and 7.4 (PR #1333)

Fixed

• Fix deprecation notices for PHP 8.x (PR #1329)

Added

• You can now set a leeway for time drift between servers when validating a JWT (PR #1304)

Security

• Access token requests that contain a code_verifier but are not bound to a code_challenge will be rejected to prevent
  a PKCE downgrade attack (PR #1326)

Fixed

• Use LooseValidAt instead of StrictValidAt so that users aren't forced to use claims such as NBF in their JWT tokens (PR #1312)

Fixed

• Use InMemory::plainText('empty', 'empty') instead of InMemory::plainText('') to avoid new empty string exception thrown by lcobucci/jwt (PR #1282)

Fixed

• Server previously rejected valid uris with custom schemes. Now use league/uri for parsing to accept all valid uris (PR #1274)

Security

• Removed the use of LocalFileReference() in lcobucci/jwt. Function deprecated as per GHSA-7322-jrq4-x5hf (PR #1249)

Changed

• Conditionally support the StrictValidAt() method in lcobucci/jwt so we can use version 4.1.x or greater of the library (PR #1236)
• When providing invalid credentials, the library now responds with the error message The user credentials were incorrect (PR #1230)
• Keys are always stored in memory now and are not written to a file in the /tmp directory (PR #1180)
• The regex for matching the bearer token has been simplified (PR #1238)

Fixed

• Revert check on clientID. We will no longer require this to be a string (PR #1233)

Added

• The server will now validate redirect uris according to rfc8252 (PR #1203)
• Events emitted now include the refresh token and access token payloads (PR #1211)
• Use the revokeRefreshTokens() function to decide whether refresh tokens are revoked or not upon use (PR #1189)

Changed

• Keys are now validated using openssl_pkey_get_private() and openssl_pkey_get_public()` instead of regex matching (PR #1215)

Fixed

• The server will now only recognise and handle an authorization header if the value of the header is non-empty. This is to circumvent issues where some common frameworks set this header even if no value is present (PR #1170)
• Added type validation for redirect uri, client ID, client secret, scopes, auth code, state, username, and password inputs (PR #1210)
• Allow scope "0" to be used. Previously this was removed from a request because it failed an empty() check (PR #1181)

Fixed

• Reverted the enforcement of at least one redirect_uri for a client. This change has instead been moved to version 9 (PR #1169)

Added

• Re-added support for PHP 7.2 (PR #1165, #1167)

Fixed

• Fix issue where the private key passphrase isn't correctly passed to JWT library (PR #1164)

Fixed

• If you have a password on your private key, it is now passed correctly to the JWT configuration object. (PR #1159)