A spec compliant, secure by default PHP OAuth 2.0 Server
MIT License
Published by Sephster almost 4 years ago
- Added a `getRedirectUri` function to the `OAuthServerException` class (PR #1123)
- Typo fixed: `code_challenged` changed to `code_challenge`. Thrown by the Auth Code Grant when the code challenge does not match the regex. (PR #1130)
Published by Sephster over 4 years ago
Published by Sephster over 4 years ago
- If an error is encountered when running `preg_match()` to validate an RSA key, the server will now throw a `RuntimeException` (PR #1047)
- Replaced deprecated `Lcobucci\JWT\Builder` functions used to build a JWT token. (PR #1060)
- `getIdentifier()` added to AccessTokenTrait. The trait cannot be used without the `getIdentifier()`
Published by Sephster over 5 years ago
- Flag `requireCodeChallengeForPublicClients`, used to reject public clients that do not provide a code challenge for the Auth Code Grant; use `AuthCodeGrant::disableRequireCodeChallengeForPublicClients()` to turn off this requirement (PR #938)
- `isConfidential` getter added to `ClientEntity` to identify the type of client (PR #938)
- `validateClient()` added to validate clients, which was previously performed by the `getClientEntity()` function (PR #938)
- `getClientEntityOrFail()` added. This is a wrapper around the `getClientEntity()` function that ensures we emit and throw an exception if the repo doesn't return a client entity. (PR #1010)
- Replaced the `convertToJWT()` interface with a more generic `__toString()` to improve extensibility; AccessTokenEntityInterface now requires `setPrivateKey(CryptKey $privateKey)` so `__toString()` has everything it needs to work (PR #874)
- The `invalidClient()` function accepts a PSR-7 compliant `$serverRequest` argument to avoid accessing the `$_SERVER` global variable and improve testing (PR #899)
- `issueAccessToken()` in the Abstract Grant no longer sets the access token client, user ID or scopes. These values should already have been set when calling `getNewToken()` (PR #919)
- PKCE no longer needs to be enabled with the `enableCodeExchangeProof` flag. Any client sending a code challenge will initiate PKCE checks. (PR #938)
- `getClientEntity()` no longer performs client validation (PR #938)
- Use `DateTimeImmutable()` instead of `DateTime()`, `time()` instead of `(new DateTime())->getTimeStamp()`, and `DateTime::getTimeStamp()` instead of `DateTime::format('U')` (PR #963)
- Removed the `enableCodeExchangeProof` flag (PR #938)
Published by Sephster over 5 years ago
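The PKCE behaviour described in the entries above (public clients must send a `code_challenge`, a challenge that fails the syntax regex is rejected, and any client that sends one gets PKCE checks at token exchange) as an added example in plain PHP; it is not the library's code. The RFC 7636 regex, the `$isConfidential` flag standing in for a `ClientEntity`, and the two function names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not league/oauth2-server code. Assumptions: the RFC 7636 syntax regex below
// is what the library's "does not match the regex" check uses, and a client is modelled as a
// bool ($isConfidential) rather than a ClientEntity.
const PKCE_SYNTAX_RE = '/^[A-Za-z0-9\-._~]{43,128}$/';

/**
 * Authorization endpoint: returns null when the request may proceed, otherwise the name of the
 * offending parameter (the library raises invalidRequest('code_challenge', ...) here).
 * $requireForPublic mirrors requireCodeChallengeForPublicClients, i.e. true unless
 * disableRequireCodeChallengeForPublicClients() was called.
 */
function validateCodeChallenge(array $query, bool $isConfidential, bool $requireForPublic = true): ?string
{
    $challenge = $query['code_challenge'] ?? null;
    if ($challenge === null) {
        // Any client sending a challenge gets PKCE; only public clients are forced to send one.
        return (!$isConfidential && $requireForPublic) ? 'code_challenge' : null;
    }
    if (preg_match(PKCE_SYNTAX_RE, $challenge) !== 1) {
        return 'code_challenge';
    }
    $method = $query['code_challenge_method'] ?? 'plain';
    return in_array($method, ['plain', 'S256'], true) ? null : 'code_challenge_method';
}

/** Token endpoint: check the presented code_verifier against the challenge stored with the auth code. */
function verifyCodeVerifier(string $verifier, string $challenge, string $method): bool
{
    if (preg_match(PKCE_SYNTAX_RE, $verifier) !== 1) {
        return false;
    }
    // S256: base64url(SHA-256(verifier)) without padding; plain: the verifier itself.
    $expected = $method === 'S256'
        ? rtrim(strtr(base64_encode(hash('sha256', $verifier, true)), '+/', '-_'), '=')
        : $verifier;
    return hash_equals($challenge, $expected); // constant-time comparison
}

// Constructed demo values (not real credentials).
$verifier  = 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk';
$challenge = rtrim(strtr(base64_encode(hash('sha256', $verifier, true)), '+/', '-_'), '=');

var_dump(validateCodeChallenge(['code_challenge' => $challenge, 'code_challenge_method' => 'S256'], false));
var_dump(validateCodeChallenge([], false));                            // public client, no challenge
var_dump(validateCodeChallenge([], true));                             // confidential client may omit it
var_dump(validateCodeChallenge(['code_challenge' => 'short'], false)); // fails the syntax regex
var_dump(verifyCodeVerifier($verifier, $challenge, 'S256'));
var_dump(verifyCodeVerifier($verifier . 'x', $challenge, 'S256'));     // wrong verifier
```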
Published by Sephster over 5 years ago
- Added `error_description` to the error payload to improve standards compliance. The contents of this are copied from the existing `message` value. (PR #1006)
- Deprecated: the error payload will stop issuing the `message` value in the next major release (PR #1006)
Published by Sephster almost 6 years ago
- The response type is now set via the `getResponseType()` function instead of the `AuthorizationServer` constructor (PR #969)
Published by Sephster almost 6 years ago
Published by Sephster almost 6 years ago
- Moved the `finalizeScopes()` call from the `validateAuthorizationRequest` method to the `completeAuthorizationRequest` method so it is called just before the access token is issued (PR #923)
Published by Sephster over 6 years ago
- Moved the `validateRedirectUri` method to `AbstractGrant` to remove three instances of code duplication (PR #912)
- `hasRedirect()` added to `OAuthServerException` (PR #703)
- Catch and handle `BadMethodCallException` from the `verify()` method of the JWT token in the `validateAuthorization` method (PR #904)
Published by Sephster over 6 years ago
- The `empty()` function call now only contains a variable, to be compatible with PHP 5.4 (PR #918)
Published by Sephster over 6 years ago
Published by Sephster over 6 years ago
Published by Sephster over 6 years ago
Published by Sephster almost 7 years ago
Published by Sephster almost 7 years ago
- `Bearer` is now used instead of `bearer`. (PR #724)
- Replaced `array_key_exists()` with the faster `isset()` on the Implicit Grant. (PR #749)
Published by Sephster almost 7 years ago
Published by alexbilbie about 7 years ago
Published by alexbilbie over 7 years ago
To address feedback from the security release the following two changes have been made:
- If an RSA key cannot be `chmod`'ed to 600 then it will now throw an `E_USER_NOTICE` instead of an exception.
- Not specifying a 3rd parameter to `AuthorizationServer` will now throw an `E_USER_DEPRECATED` message instead of an error.
Published by alexbilbie over 7 years ago
- The `AuthorizationServer` constructor now expects an encryption key string instead of a public key