oauth2-server

A spec compliant, secure by default PHP OAuth 2.0 Server

MIT License · Downloads: 92.5M · Stars: 6.5K · Committers: 165


oauth2-server - 8.2.0

Published by Sephster almost 4 years ago

Added

  • Add a getRedirectUri function to the OAuthServerException class (PR #1123)
  • Support for PHP 8.0 (PR #1146)

Removed

  • Removed support for PHP 7.2 (PR #1146)

Fixed

  • Fix a typo in the hint thrown by the Auth Code Grant when the code challenge does not match the regex: code_challenged changed to code_challenge. (PR #1130)
  • An undefined offset was raised when no client redirect URI was set. The server now throws an invalidClient exception if no redirect URI is registered for the client. (PR #1140)

oauth2-server - 8.1.1

Published by Sephster over 4 years ago

Fixed

  • If you provide a valid redirect_uri with the auth code grant and an invalid scope, the server will use the given
    redirect_uri instead of the default client redirect URI (PR #1126)

oauth2-server - 8.1.0

Published by Sephster over 4 years ago

Added

  • Added support for PHP 7.4 (PR #1075)

Changed

  • If an error is encountered when running preg_match() to validate an RSA key, the server will now throw a RuntimeException (PR #1047)
  • Replaced deprecated methods with recommended ones when using Lcobucci\JWT\Builder to build a JWT token. (PR #1060)
  • When storing a key, we no longer touch the file before writing it as this is an unnecessary step (PR #1064)
  • Prefix native PHP functions in namespaces with backslashes for micro-optimisations (PR #1071)

Removed

  • Support for PHP 7.1 (PR #1075)

Fixed

  • Clients are now explicitly prevented from using the Client Credentials grant unless they are confidential to conform
    with the OAuth2 spec (PR #1035)
  • Abstract method getIdentifier() added to AccessTokenTrait. The trait cannot be used without the getIdentifier()
    method being defined (PR #1051)
  • An exception is now thrown if a refresh token is accidentally sent in place of an authorization code when using the
    Auth Code Grant (PR #1057)
  • Can now send access token request without being forced to specify a redirect URI (PR #1096)
  • In the BearerTokenValidator, if an implementation is using PDO, there is a possibility that a RuntimeException will be thrown when checking if an access token is revoked. This scenario no longer incorrectly issues an exception with a hint mentioning an issue with JSON decoding. (PR #1107)

oauth2-server - 8.0.0

Published by Sephster over 5 years ago

Added

  • Flag, requireCodeChallengeForPublicClients, used to reject public clients that do not provide a code challenge for the Auth Code Grant; use AuthCodeGrant::disableRequireCodeChallengeForPublicClients() to turn off this requirement (PR #938)
  • Public clients can now use the Auth Code Grant (PR #938)
  • isConfidential getter added to ClientEntity to identify type of client (PR #938)
  • Function validateClient() added to validate clients which was previously performed by the getClientEntity() function (PR #938)
  • Add a new function to the AbstractGrant class called getClientEntityOrFail(). This is a wrapper around the getClientEntity() function that ensures we emit and throw an exception if the repo doesn't return a client entity. (PR #1010)

Changed

  • Replace convertToJWT() interface with a more generic __toString() to improve extensibility; AccessTokenEntityInterface now requires setPrivateKey(CryptKey $privateKey) so __toString() has everything it needs to work (PR #874)
  • The invalidClient() function accepts a PSR-7 compliant $serverRequest argument to avoid accessing the $_SERVER global variable and improve testing (PR #899)
  • issueAccessToken() in the Abstract Grant no longer sets access token client, user ID or scopes. These values should already have been set when calling getNewToken() (PR #919)
  • No longer need to enable PKCE with enableCodeExchangeProof flag. Any client sending a code challenge will initiate PKCE checks. (PR #938)
  • Function getClientEntity() no longer performs client validation (PR #938)
  • Password Grant now returns an invalid_grant error instead of invalid_credentials if a user cannot be validated (PR #967)
  • Use DateTimeImmutable() instead of DateTime(), time() instead of (new DateTime())->getTimeStamp(), and DateTime::getTimeStamp() instead of DateTime::format('U') (PR #963)

Removed

  • enableCodeExchangeProof flag (PR #938)
  • Support for PHP 7.0 (PR #1014)
  • Remove JTI claim from JWT header (PR #1031)
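The 8.0.0 entries above change how PKCE is applied: a public client must send a code challenge unless that requirement is switched off, any client that sends one opts into the checks, and (per the 8.2.0 fix) the challenge must match the RFC 7636 pattern. The following is an added example written for this page, not code from league/oauth2-server: it reproduces those rules in plain PHP with illustrative names (DemoClient, validateCodeChallenge, verifyCodeVerifier) that are not the library's API, so it runs stand-alone.

```php
<?php
// Added example, not league/oauth2-server code. Names below are illustrative.
declare(strict_types=1);

// Stand-in for a client entity exposing the isConfidential getter that
// 8.0.0 introduced (PR #938). Constructed for this example.
final class DemoClient
{
    private $identifier;
    private $confidential;

    public function __construct(string $identifier, bool $confidential)
    {
        $this->identifier = $identifier;
        $this->confidential = $confidential;
    }

    public function isConfidential(): bool
    {
        return $this->confidential;
    }
}

// RFC 7636 allows only unreserved URI characters and 43..128 of them.
const PKCE_PATTERN = '/^[A-Za-z0-9\-._~]{43,128}$/';

function base64UrlEncode(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

// Client side (or a test fixture): a fresh verifier and its challenge.
function makeCodeVerifier(): string
{
    return base64UrlEncode(random_bytes(32)); // 43 characters
}

function challengeFor(string $verifier, string $method): string
{
    return $method === 'S256'
        ? base64UrlEncode(hash('sha256', $verifier, true))
        : $verifier; // 'plain'
}

// Server side, authorization request. Public clients must supply a challenge
// unless the requirement is disabled (the library's
// disableRequireCodeChallengeForPublicClients()); any supplied challenge is
// validated and stored with the authorization code.
function validateCodeChallenge(
    DemoClient $client,
    ?string $codeChallenge,
    string $method,
    bool $requireChallengeForPublicClients = true
): ?array {
    if ($codeChallenge === null) {
        if (!$client->isConfidential() && $requireChallengeForPublicClients) {
            throw new InvalidArgumentException('Code challenge must be provided for public clients');
        }
        return null; // this authorization code is issued without PKCE
    }
    if (!in_array($method, ['plain', 'S256'], true)) {
        throw new InvalidArgumentException('Code challenge method must be plain or S256');
    }
    if (preg_match(PKCE_PATTERN, $codeChallenge) !== 1) {
        throw new InvalidArgumentException('Code challenge must follow the specifications of RFC-7636.');
    }
    return ['code_challenge' => $codeChallenge, 'code_challenge_method' => $method];
}

// Server side, token request: recompute the challenge from the presented
// verifier and compare it in constant time with the stored value.
function verifyCodeVerifier(?array $stored, ?string $verifier): bool
{
    if ($stored === null) {
        return true; // no PKCE was bound to this code
    }
    if ($verifier === null || preg_match(PKCE_PATTERN, $verifier) !== 1) {
        return false;
    }
    $expected = challengeFor($verifier, $stored['code_challenge_method']);
    return hash_equals($stored['code_challenge'], $expected);
}

// Constructed walk-through.
$publicClient = new DemoClient('spa-client', false);
$verifier = makeCodeVerifier();
$stored = validateCodeChallenge($publicClient, challengeFor($verifier, 'S256'), 'S256');
var_dump(verifyCodeVerifier($stored, $verifier));          // correct verifier
var_dump(verifyCodeVerifier($stored, makeCodeVerifier())); // unrelated verifier
try {
    validateCodeChallenge($publicClient, null, 'S256');     // public client, no challenge
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Keeping the public-client requirement switched on is the setting to preserve in a deployment: without a challenge, an intercepted authorization code can be exchanged by whoever holds it, since a public client has no secret to present at the token endpoint.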

oauth2-server - 7.4.0

Published by Sephster over 5 years ago

Changed

  • RefreshTokenRepository can now return null, allowing refresh tokens to be optional. (PR #649)

oauth2-server - 7.3.3

Published by Sephster over 5 years ago

Added

  • Added error_description to the error payload to improve standards compliance. The contents of this are copied from the existing message value. (PR #1006)

Deprecated

  • Error payload will not issue message value in the next major release (PR #1006)

oauth2-server - 7.3.2

Published by Sephster almost 6 years ago

Fixed

  • Revert setting keys on response type to be inside getResponseType() function instead of AuthorizationServer constructor (PR #969)

oauth2-server - 7.3.1

Published by Sephster almost 6 years ago

Fixed

  • Fix issue with previous release where interface had changed for the AuthorizationServer. Reverted to the previous interface while maintaining functionality changes (PR #970)

oauth2-server - 7.3.0

Published by Sephster almost 6 years ago

Changed

  • Moved the finalizeScopes() call from validateAuthorizationRequest method to the completeAuthorizationRequest method so it is called just before the access token is issued (PR #923)

Added

  • Added a ScopeTrait to provide an implementation for jsonSerialize (PR #952)
  • Ability to nest exceptions (PR #965)

Fixed

  • Fix issue where AuthorizationServer is not stateless as ResponseType could store state of a previous request (PR #960)

oauth2-server - 7.2.0

Published by Sephster over 6 years ago

Changed

  • Added a new validateRedirectUri method to AbstractGrant to remove three instances of code duplication (PR #912)
  • Allow 640 as a crypt key file permission (PR #917)

Added

  • Function hasRedirect() added to OAuthServerException (PR #703)

Fixed

  • Catch and handle BadMethodCallException from the verify() method of the JWT token in the validateAuthorization method (PR #904)

oauth2-server - 4.1.7

Published by Sephster over 6 years ago

Fixed

  • Ensure empty() function call only contains variable to be compatible with PHP 5.4 (PR #918)

oauth2-server - 7.1.1

Published by Sephster over 6 years ago

Fixed

  • No longer set a WWW-Authenticate header for invalid clients if the client did not send an Authorization header in the original request (PR #902)

oauth2-server - 7.1.0

Published by Sephster over 6 years ago

Changed

  • Changed hint for unsupportedGrantType exception so it no longer references the grant type parameter which isn't always expected (PR #893)
  • Upgrade PHPStan checks to level 7 (PR #856)

Added

  • Added event emitters for issued access and refresh tokens (PR #860)
  • Can now use Defuse\Crypto\Key for encryption/decryption of keys, which is faster than the Crypto class (PR #812)

oauth2-server - 7.0.0

Published by Sephster over 6 years ago

oauth2-server - 6.1.1

Published by Sephster almost 7 years ago

  • Removed the check on empty scopes

oauth2-server - 6.1.0

Published by Sephster almost 7 years ago

  • Changed the token type issued by the Implicit Grant to be Bearer instead of bearer. (PR #724)
  • Replaced call to array_key_exists() with the faster isset() on the Implicit Grant. (PR #749)
  • Allow specification of query delimiter character in the Password Grant (PR #801)
  • Add Zend Diactoros library dependency to examples (PR #678)
  • Can set default scope for the authorization endpoint. If no scope is passed during an authorization request, the default scope will be used if set. If not, the server will issue an invalid scope exception (PR #811)
  • Added validation for redirect URIs on the authorization end point to ensure exactly one redirection URI has been passed (PR #573)
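Three entries on this page describe the same redirect URI rules: 6.1.0 (PR #573) requires exactly one redirection URI to be resolvable at the authorization endpoint, 8.2.0 (PR #1140) throws invalidClient when a client has no registered URI, and 8.1.1 (PR #1126) sends an invalid scope error to the validated redirect_uri the client supplied rather than the client default. The block below is an added example for this page, not league/oauth2-server code; resolveRedirectUri, checkScopes and RedirectUriError are illustrative names, not the library's API.

```php
<?php
// Added example, not league/oauth2-server code. Names below are illustrative.
declare(strict_types=1);

// Carries the OAuth error code and, when known, the URI the error may be
// redirected to. Constructed for this example.
final class RedirectUriError extends RuntimeException
{
    public $redirectUri;

    public function __construct(string $error, ?string $redirectUri = null)
    {
        parent::__construct($error);
        $this->redirectUri = $redirectUri;
    }
}

// Decide which redirect URI an authorization request may use.
// $registered is the client's registered URI(s): a string, a list, or null.
function resolveRedirectUri($registered, ?string $requested): string
{
    $uris = $registered === null ? [] : array_values((array) $registered);

    if ($uris === []) {
        // 8.2.0: a client with no registered URI is rejected as invalid_client
        // instead of triggering an undefined offset.
        throw new RedirectUriError('invalid_client');
    }

    if ($requested !== null) {
        // Exact string comparison against the registered list: no prefix or
        // host matching, so a crafted path or subdomain never matches.
        if (!in_array($requested, $uris, true)) {
            throw new RedirectUriError('invalid_client');
        }
        return $requested;
    }

    // 6.1.0: with no redirect_uri parameter, exactly one registered URI must
    // exist, otherwise the target is ambiguous and the request is rejected.
    if (count($uris) !== 1) {
        throw new RedirectUriError('invalid_client');
    }
    return $uris[0];
}

// Scope validation that reports its error to the URI resolved above
// (8.1.1: the supplied, validated redirect_uri, not the client default).
function checkScopes(array $requestedScopes, array $knownScopes, string $redirectUri): array
{
    foreach ($requestedScopes as $scope) {
        if (!in_array($scope, $knownScopes, true)) {
            throw new RedirectUriError('invalid_scope', $redirectUri);
        }
    }
    return $requestedScopes;
}

// Constructed walk-through with two registered URIs.
$registered = ['https://app.example/callback', 'https://app.example/alt'];

$redirect = resolveRedirectUri($registered, 'https://app.example/alt');
try {
    checkScopes(['openid', 'admin'], ['openid', 'profile'], $redirect);
} catch (RedirectUriError $e) {
    echo $e->getMessage(), ' -> ', $e->redirectUri, PHP_EOL; // error goes to the URI the client asked for
}

try {
    resolveRedirectUri($registered, null); // two registered, none chosen
} catch (RedirectUriError $e) {
    echo $e->getMessage(), PHP_EOL;
}

try {
    resolveRedirectUri(null, 'https://app.example/callback'); // nothing registered
} catch (RedirectUriError $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The ordering matters: the redirect URI is validated before any error that redirects is produced, so an error response is only ever sent to a URI the client registered, never to one chosen in the request alone.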

oauth2-server - 5.1.6

Published by Sephster almost 7 years ago

  • Add toggle to disable key permissions check. (Issue #776)

oauth2-server - 6.0.2

Published by alexbilbie about 7 years ago

  • An invalid refresh token that can't be decrypted now returns an HTTP 401 error instead of HTTP 400 (Issue #759)
  • Removed chmod from CryptKey and added a toggle to disable the permissions check (Issue #776)
  • Fixed the invalid code challenge method payload key name (Issue #777)

oauth2-server - 5.1.5

Published by alexbilbie over 7 years ago

To address feedback from the security release the following two changes have been made:

  • If an RSA key cannot be chmod'ed to 600, an E_USER_NOTICE is now triggered instead of an exception being thrown.
  • Not using the new encryption key method on AuthorizationServer now triggers an E_USER_DEPRECATED message instead of an error.

oauth2-server - 6.0.0

Published by alexbilbie over 7 years ago

  • Breaking change: The AuthorizationServer constructor now expects an encryption key string instead of a public key
  • Remove support for HHVM
  • Remove support for PHP 5.5

Package Rankings: Top 0.08% on Packagist.org