- An invalid refresh token that can't be decrypted now returns a HTTP 401 error instead of HTTP 400 (Issue #759)
- Removed chmod from CryptKey and add toggle to disable checking (Issue #776)
- Fixes invalid code challenge method payload key name (Issue #777)
To address feedback from the security release the following change has been made:
- If an RSA key cannot be chmod'ed to 600 then it will now throw a E_USER_NOTICE instead of an exception.
- Breaking change: The
AuthorizationServer
constructor now expects an encryption key string instead of a public key - Remove support for HHVM
- Remove support for PHP 5.5
- Fixed multiple security vulnerabilities as a result of a security audit paid for by the Mozilla Secure Open Source Fund. All users of this library are encouraged to update as soon as possible to this version or version 6.0 or greater.
- It is recommended on each
AuthorizationServer
instance you set thesetEncryptionKey()
. This will result in stronger encryption being used. If this method is not set messages will be sent to the defined error handling routines (usingerror_log
). Please see the examples and documentation for examples.
- It is recommended on each
- TravisCI now tests PHP 7.1 (Issue #671)
- Fix middleware example fatal error (Issue #682)
- Fix typo in the first README sentence (Issue #690)
- Corrected DateInterval from 1 min to 1 month (Issue #709)
- Fixed WWW-Authenticate header (Issue #669)
- Increase the recommended RSA key length from 1024 to 2048 bits (Issue #668)
- Fixed
finalizeScopes
call (Issue #650)
- Improved test suite (Issue #614)
- Updated docblocks (Issue #616)
- Replace
array_shift
withforeach
loop (Issue #621) - Allow easy addition of custom fields to Bearer token response (Issue #624)
- Key file auto-generation from string (Issue #625)
- Implemented RFC7636 (Issue #574)
- Unify middleware exception responses (Issue #578)
- Updated examples (Issue #589)
- Ensure state is in access denied redirect (Issue #597)
- Remove redundant
isExpired()
method from entity interfaces and traits (Issue #600) - Added a check for unique access token constraint violation (Issue #601)
- Look at Authorization header directly for HTTP Basic auth checks (Issue #604)
- Added catch Runtime exception when parsing JWT string (Issue #605)
- Allow
paragonie/random_compat
2.x (Issue #606) - Added
indigophp/hash-compat
to Composer suggestions andrequire-dev
for PHP 5.5 support
- Fix hints in PasswordGrant (Issue #560)
- Add meaning of
Resource owner
to terminology.md (Issue #561) - Use constant for event name instead of explicit string (Issue #563)
- Remove unused request property (Issue #564)
- Correct wrong phpdoc (Issue #569)
- Fixed typo in exception string (Issue #570)
state
parameter is now correctly returned after implicit grant authorization- Small code and docblock improvements
- Fixes an issue (#550) whereby it was unclear whether or not to validate a client's secret during a request.
Version 5 is a complete code rewrite.
- JWT support
- PSR-7 support
- Improved exception errors
- Replace all occurrences of the term "Storage" with "Repository"
- Simplify repositories
- Entities conform to interfaces and use traits
- Auth code grant updated
- Allow support for public clients
- Add support for #439
- Client credentials grant updated
- Password grant updated
- Allow support for public clients
- Refresh token grant updated
- Implement Implicit grant
- Bearer token output type
- Remove MAC token output type
- Authorization server rewrite
- Resource server class moved to PSR-7 middleware
- Tests
- Much much better documentation
Changes since RC2:
- Renamed Server class to AuthorizationServer
- Added ResourceServer class
- Run unit tests again PHP 5.5.9 as it's the minimum supported version
- Enable PHPUnit 5.0 support
- Improved examples and documentation
- Make it clearer that the implicit grant doesn't support refresh tokens
- Improved refresh token validation errors
- Fixed refresh token expiry date
Changes since RC1:
- Allow multiple client redirect URIs (Issue #511)
- Remove unused mac token interface (Issue #503)
- Handle RSA key passphrase (Issue #502)
- Remove access token repository from response types (Issue #501)
- Remove unnecessary methods from entity interfaces (Issue #490)
- Ensure incoming JWT hasn't expired (Issue #509)
- Fix client identifier passed where user identifier is expected (Issue #498)
- Removed built-in entities; added traits to for quick re-use (Issue #504)
- Redirect uri is required only if the "redirect_uri" parameter was included in the authorization request (Issue #514)
- Removed templating for auth code and implicit grants (Issue #499)
Version 5 is a complete code rewrite.
- JWT support
- PSR-7 support
- Improved exception errors
- Replace all occurrences of the term "Storage" with "Repository"
- Simplify repositories
- Entities conform to interfaces and use traits
- Auth code grant updated
- Allow support for public clients
- Add support for #439
- Client credentials grant updated
- Password grant updated
- Allow support for public clients
- Refresh token grant updated
- Implement Implicit grant
- Bearer token output type
- Remove MAC token output type
- Authorization server rewrite
- Resource server class moved to PSR-7 middleware
- Tests
- Much much better documentation
- Enable Symfony 3.0 support (#412)
- Fix for determining access token in header (Issue #328)
- Refresh tokens are now returned for MAC responses (Issue #356)
- Added integration list to readme (Issue #341)
- Expose parameter passed to exceptions (Issue #345)
- Removed duplicate routing setup code (Issue #346)
- Docs fix (Issues #347, #360, #380)
- Examples fix (Issues #348, #358)
- Fix typo in docblock (Issue #352)
- Improved timeouts for MAC tokens (Issue #364)
hash_hmac()
should output raw binary data, not hexits (Issue #370)- Improved regex for matching all Base64 characters (Issue #371)
- Fix incorrect signature parameter (Issue #372)
- AuthCodeGrant and RefreshTokenGrant don't require client_secret (Issue #377)
- Added priority argument to event listener (Issue #388)
- Docblock, namespace and inconsistency fixes (Issue #303)
- Docblock type fix (Issue #310)
- Example bug fix (Issue #300)
- Updated league/event to ~2.1 (Issue #311)
- Fixed missing session scope (Issue #319)
- Updated interface docs (Issue #323)
.travis.yml
updates
- Remove side-effects in hash_equals() implementation (Issue #290)
- Changed
symfony/http-foundation
dependency version to~2.4
so package can be installed in Laravel4.1.*
- Added MAC token support (Issue #158)
- Fixed example init code (Issue #280)
- Toggle refresh token rotation (Issue #286)
- Docblock fixes
- Prevent duplicate session in auth code grant (Issue #282)
- Ensure refresh token hasn't expired (Issue #270)
- Fix bad type hintings (Issue #267)
- Do not forget to set the expire time (Issue #268)
- Improved interfaces (Issue #255)
- Learnt how to spell delimiter and so
getScopeDelimiter()
andsetScopeDelimiter()
methods have been renamed - Docblock improvements (Issue #254)
- Alias the master branch in composer.json (Issue #243)
- Numerous PHP CodeSniffer fixes (Issue #244)
- .travis.yml update (Issue #245)
- The getAccessToken method should return an AccessTokenEntity object instead of a string in ResourceServer.php (#246)
- Complete rewrite
- Check out the documentation - http://oauth2.thephpleague.com
- Added the ability to change the algorithm that is used to generate the token strings (Issue #151)
- Support Authorization being an environment variable. See more
- Normalize headers when
getallheaders()
is available (Issues #108 and #114)
- No longer necessary to inject the authorisation server into a grant, the server will inject itself
- Added test for 1419ba8cdcf18dd034c8db9f7de86a2594b68605
- Forgot to tell TravisCI from testing PHP 5.3
- Fixed spelling of Implicit grant class (Issue #84)
- Travis CI now tests for PHP 5.5
- Fixes for checking headers for resource server (Issues #79 and #)
- The word "bearer" now has a capital "B" in JSON output to match OAuth 2.0 spec
- All grants no longer remove old sessions by default
- All grants now support custom access token TTL (Issue #92)
- All methods which didn't before return a value now return
$this
to support method chaining - Removed the build in DB providers - these will be put in their own repos to remove baggage in the main repository
- Removed support for PHP 5.3 because this library now uses traits and will use other modern PHP features going forward
- Moved some grant related functions into a trait to reduce duplicate code
- Added conditional
isValid()
flag to check for Authorization header only (thanks @alexmcroberts) - Fixed semantic meaning of
requireScopeParam()
andrequireStateParam()
by changing their default value to true - Updated some duff docblocks
- Corrected array key call in Resource.php (Issue #63)
- Moved zetacomponents/database to "suggest" in composer.json. If you rely on this feature you now need to include " zetacomponents/database" into "require" key in your own composer.json. (Issue #51)
- New method in Refresh grant called
rotateRefreshTokens()
. Pass intrue
to issue a new refresh token each time an access token is refreshed. This parameter needs to be set to true in order to request reduced scopes with the new access token. (Issue #47) - Rename
key
column in oauth_scopes table toscope
askey
is a reserved SQL word. (Issue #45) - The
scope
parameter is no longer required by default as per the RFC. (Issue #43) - You can now set multiple default scopes by passing an array into
setDefaultScope()
. (Issue #42) - The password and client credentials grants now allow for multiple sessions per user. (Issue #32)
- Scopes associated to authorization codes are not held in their own table (Issue #44)
- Database schema updates.
- Fixed
oauth_session_token_scopes
table primary key - Removed
DEFAULT ''
that has slipped into some tables - Fixed docblock for
SessionInterface::associateRefreshToken()
- Renamed primary key in oauth_client_endpoints table
- Adding missing column to oauth_session_authcodes
- SECURITY FIX: A refresh token should be bound to a client ID
- Fixed a link to code in composer.json
- Updated README with wiki guides
- Removed
null
as default parameters in some methods in the storage interfaces - Fixed license copyright
If you're upgrading from v1.0.8 there are lots of breaking changes
- Rewrote the session storage interface from scratch so methods are more obvious
- Included a PDO driver which implements the storage interfaces so the library is more "get up and go"
- Further normalised the database structure so all sessions no longer contain infomation related to authorization grant (which may or may not be enabled)
- A session can have multiple associated access tokens
- Individual grants can have custom expire times for access tokens
- Authorization codes now have a TTL of 10 minutes by default (can be manually set)
- Refresh tokens now have a TTL of one week by default (can be manually set)
- The client credentials grant will no longer gives out refresh tokens as per the specification
- Fixed check for required state parameter
- Fixed check that user's credentials are correct in Password grant
- Added method
requireStateParam()
- Added method
requireScopeParam()
- Added links to tutorials in the README
- Added missing
state
parameter request to thecheckAuthoriseParams()
method.
- Fixed the SQL example for SessionInterface::getScopes()
- Changed all instances of the "authentication server" to "authorization server"
- Fixed MySQL create table order
- Fixed version number in composer.json
- Updated AuthServer.php to use
self::getParam()
- First major release