oauth2-server

Complete rewrite!

Check out the documentation - http://oauth2.thephpleague.com

Add a new "missing_token" exception message to Resource server (#204)

• Merged #186: Send HTTP 401 status is for invalid_token, not insufficient_scope

• Merged #178: General improvements to Resource server errors

Added normalize headers because it's required by lucadegasperi/oauth2-server-laravel.

Fixes #170

Seeing as 2.1.1 is the version required by lucadegasperi/oauth2-server-laravel for Laravel 4 users, it seemed important to get this bug-fix into the 2.x branch as well as 3.x.

• Fix checking for access token in $_SERVER['HTTP_AUTHORIZATION'], which effects the PHP development server, FortRabbit and probably plenty of other environments.

• Support Authorization being an environment variable. See more

• Normalize headers when getallheaders() is available (Issues #108 and #114)

• No longer necessary to inject the authorisation server into a grant, the server will inject itself
• Added test for 1419ba8cdcf18dd034c8db9f7de86a2594b68605

• Forgot to tell TravisCI from testing PHP 5.3

• Fixed spelling of Implicit grant class (Issue #84)
• Travis CI now tests for PHP 5.5
• Fixes for checking headers for resource server (Issues #79 and #)
• The word "bearer" now has a capital "B" in JSON output to match OAuth 2.0 spec
• All grants no longer remove old sessions by default
• All grants now support custom access token TTL (Issue #92)
• All methods which didn't before return a value now return $this to support method chaining
• Removed the build in DB providers - these will be put in their own repos to remove baggage in the main repository
• Removed support for PHP 5.3 because this library now uses traits and will use other modern PHP features going forward
• Moved some grant related functions into a trait to reduce duplicate code

If you're upgrading from v1.0.8 there are lots of breaking changes

• Rewrote the session storage interface from scratch so methods are more obvious
• Included a PDO driver which implements the storage interfaces so the library is more "get up and go"
• Further normalised the database structure so all sessions no longer contain infomation related to authorization grant (which may or may not be enabled)
• A session can have multiple associated access tokens
• Induvidual grants can have custom expire times for access tokens
• Authorization codes now have a TTL of 10 minutes by default (can be manually set)
• Refresh tokens now have a TTL of one week by default (can be manually set)
• The client credentials grant will no longer gives out refresh tokens as per the specification

• Updated README with wiki guides
• Removed null as default parameters in some methods in the storage interfaces
• Fixed license copyright

• Fixed a link to code in composer.json

• Renamed primary key in oauth_client_endpoints table
• Adding missing column to oauth_session_authcodes
• SECURITY FIX: A refresh token should be bound to a client ID

• Fixed oauth_session_token_scopes table primary key
• Removed DEFAULT '' that has slipped into some tables
• Fixed docblock for SessionInterface::associateRefreshToken()

• Moved zetacomponents/database to "suggest" in composer.json. If you rely on this feature you now need to include " zetacomponents/database" into "require" key in your own composer.json. (Issue #51)
• New method in Refresh grant called rotateRefreshTokens(). Pass in true to issue a new refresh token each time an access token is refreshed. This parameter needs to be set to true in order to request reduced scopes with the new access token. (Issue #47)
• Rename key column in oauth_scopes table to scope as key is a reserved SQL word. (Issue #45)
• The scope parameter is no longer required by default as per the RFC. (Issue #43)
• You can now set multiple default scopes by passing an array into setDefaultScope(). (Issue #42)
• The password and client credentials grants now allow for multiple sessions per user. (Issue #32)
• Scopes associated to authorization codes are not held in their own table (Issue #44)
• Database schema updates.

• Added conditional isValid() flag to check for Authorization header only (thanks @alexmcroberts)
• Fixed semantic meaning of requireScopeParam() and requireStateParam() by changing their default value to true
• Updated some duff docblocks
• Corrected array key call in Resource.php (Issue #63)