7.10.1 (2023-08-07)
- Addressed an issue where, under certain circumstances, permissions state could be lost after authenticating.
7.10.0 (2023-07-24)
- Organization Name support added for Authentication API and token handling ¹
- Guards are now registered with the priority middleware list.
- Bumped
auth0-php
dependency version range to^8.7
. - Updated telemetry to indicate new
laravel
package name (previouslylaravel-auth0
.)
- Addressed issue where placeholder
AUTH0_
dotenv values could erroneously be interpreted as true configuration values.
Note ¹ To use this feature, an Auth0 tenant must have support for it enabled. This feature is not yet available to all tenants.
7.9.1 (2023-06-21)
- Resolved an issue where, under certain circumstances, the AuthenticationGuard middleware could get erroneously added to the
api
middleware group, causing a session to be established in a stateless request. (#415)
7.9.0 (2023-06-15)
- SDK configuration (
config/auth0.php
) now supports aconfigurationPath
property for specifying a custom search path for.auth0.*.json
and.env*
files. (#407) Auth0\Laravel\Guards\GuardAbstract
now extendsIlluminate\Contracts\Auth\Guard
. (#410)
- Resolved host environment variables not being loaded as expected when a
.env
file is also used. (#408) - Resolved surrounding quote characters not being trimmed from environment variables and
.env
files during processing. (#409)
7.8.1 (2023-05-19)
- Resolved an issue where parsing
.env
files could sometimes throw an exception when handling non-key-value pair strings. (#395)
7.8.0 (2023-05-18)
-
This release adds support for authenticating using Pushed Authorization Requests.
-
This release introduces two new Authentication Guards which provide a streamlined integration experience for developers that need to simultaneously support both session-based authentication and token-based endpoint authorization in their Laravel applications.
Guard Class Description auth0.authenticator
Auth0\Laravel\Auth\Guards\AuthenticationGuard
Session-based authentication. auth0.authorizer
Auth0\Laravel\Auth\Guards\AuthorizationGuard
Token-based authorization. -
These guards are compatible with Laravel's Authentication API and support the standard
auth
middleware. -
These guards are compatible with Laravel's Authorization API and support the standard
can
middleware, and theGuard
facade, and work with the Policies API. -
3 new pre-built Guards are available:
scope
andpermission
, as well as a dynamic*:*
. This enables you to verify whether the user's access token has a particular scope or (if RBAC is enabled on the Auth0 API) a particular permission. For exampleGate::check('scope', 'email')
orRoute::get(/*...*/)->can('read:messages')
. -
The SDK now automatically registers these guards to Laravel's standard
web
andapi
middleware groups, respectively. Manual Guard setup inconfig/auth.php
is no longer necessary. -
The SDK now automatically registers the Authentication routes. Manual route setup in
routes/web.php
is no longer necessary. -
2 new routing Middleware have been added:
Auth0\Laravel\Http\Middleware\AuthenticatorMiddleware
andAuth0\Laravel\Http\Middleware\AuthorizerMiddleware
. These are automatically registered with your Laravel application, and ensure the Auth0 Guards are used for authentication forweb
routes and authorization forapi
routes, respectively. This replaces the need for theguard
middleware or otherwise manual Guard assignment in your routes.
-
We've introduced a new configuration syntax. This new syntax is more flexible and allows for more complex configuration scenarios, and introduces support for multiple guard instances. Developers using the previous syntax will have their existing configurations applied to all guards uniformly.
-
The SDK can now configure itself using a
.auth0.json
file in the project root directory. This file can be generated using the Auth0 CLI, and provides a significantly simpler configuration experience for developers. -
The previous
auth0.guard
Guard (Auth0\Laravel\Auth\Guard
) has been refactored as a lightweight wrapper around the newAuthenticationGuard
andAuthorizationGuard
guards.
7.7.0 (2023-04-26)
-
Auth0\Laravel\Auth0
now has amanagement()
shortcut method for issuing Management API calls. (#376) -
Auth0\Laravel\Auth0\Guard
now has arefreshUser()
method for querying/userinfo
endpoint and refreshing the authenticated user's cached profile data. (#375) -
Auth0\Laravel\Http\Controller\Stateful\Login
now raises aLoginAttempting
event, offering an opportunity to customize the authorization parameters before the login redirect is issued. (#382)
- The
tokenCache
,managementTokenCache
,sessionStorage
andtransientStorage
configuration values now supportfalse
orstring
values pointing to class names (e.g.\Some\Cache::class
) or class aliases (e.g.cache.psr6
) registered with Laravel. (#381)
7.6.0 (2023-04-12)
Auth0\Laravel\Http\Middleware\Guard
, new middleware that forces Laravel to route requests through a group using a specific Guard. (#362)
Auth0\Laravel\Http\Middleware\Stateful\Authenticate
now remembers the intended route (usingredirect()->setIntendedUrl()
) before kicking off the authentication flow redirect. Users will be returned to the memorized intended route after completing their authentication flow. (#364)
- legacyGuardUserMethod behavior should use
$session
, not$token
(#353)
7.5.2 (2023-04-10)
- Relaxed response types from middleware to use low-level
Symfony\Component\HttpFoundation\Response
class, allowing for broader and custom response types.
7.5.1 (2023-04-04)
- Resolved an issue wherein custom user repositories could fail to be instantiated under certain circumstances.
7.5.0 (2023-04-03)
This release includes support for Laravel 10, and major improvements to the internal state handling mechanisms of the SDK.
- Support for Laravel 10 #349
- New
Auth0\Laravel\Traits\Imposter
trait to allow for easier testing. Example usage - New Exception types have been added for more precise error-catching.
The following changes have no effect on the external API of this package but may affect internal usage.
-
Guard
will now more reliably detect changes in the underlying Auth0-PHP SDK session state. -
Guard
will now more reliably sync changes back to the underlying Auth0-PHP SDK session state. -
StateInstance
concept has been replaced by a newCredentials
entity. -
Guard
updated to use newCredentials
entity as primary internal storage for user data. -
Auth0\Laravel\Traits\ActingAsAuth0User
was updated to use newCredentials
entity. -
The HTTP middleware has been refactored to more clearly differentiate between token and session-based identities.
-
The
authenticate
,authenticate.optional
andauthorize.optional
HTTP middleware now supports scope filtering, asauthorize
already did. -
Upgraded test suite to use PEST 2.0 framework.
-
Updated test coverage to 100%.
- A 'Session store not set on request' error could occur when downstream applications implemented unit testing that uses the Guard. This should be resolved now.
Guard
would not always honor theprovider
configuration value inconfig/auth.php
.Guard
is no longer defined as a Singleton to better support applications that need multi-guard configurations.
This release includes a significant behavior change around the user()
method of the Guard. Previously, by simply invoking the method, the SDK would search for any available credential (access token, device session, etc.) and automatically assign the user within the Guard. The HTTP middleware has been upgraded to handle the user assignment step, and user()
now only returns the current state of the user assignment without altering it.
A new property has been added to the config/auth0.php
configuration file: behavior
. This is an array. At this time, there is a single option: legacyGuardUserMethod
, a bool. If this value is set to true, or if the key is missing, the previously expected behavior will be applied, and user()
will behave as it did before this release. The property defaults to false
.
We identified an issue with using identical alias naming for both the Guard and Provider singletons under Laravel 10, which has required us to rename these aliases. As previous guidance had been to instantiate these using their class names, this should not be a breaking change in most cases. However, if you had used auth0
as the name for either the Guard or the Provider drivers, kindly note that these have changed. Please use auth0.guard
for the Guard driver and `auth0.provider`` for the Provider driver. This is a regrettable change but was necessary for adequate Laravel 10 support.
7.4.0 (2022-12-12)
- feat: Add
Auth0\Laravel\Event\Middleware\...
event hooks #340 - feat: Add
Auth0\Laravel\Event\Configuration\Building
event hook #339
7.3.0 (2022-11-07)
- add: Raise additional Laravel Auth Events #331
- fix:
env()
incorrectly assignscookieExpires
to astring
value #332 - fix: Auth0\Laravel\Cache\LaravelCachePool::createItem returning a cache miss #329
7.2.2 (2022-10-19)
7.2.1 (2022-10-13)
Auth0\Laravel\Auth0
no longer requires a session configuration for stateless strategies, restoring previous behavior. #317- The SDK now requires
^3.0
of thepsr/cache
dependency, to accommodate breaking changes made in the upstream interface (typed parameters and return types) for PHP 8.0+. #316
7.2.0 (2022-10-10)
Auth0\Laravel\Store\LaravelSession
has been added as the defaultsessionStorage
andtransientStorage
interfaces for the underlying Auth0-PHP SDK. The SDK now leverages the native Laravel Session APIs by default. #307¹Auth0\Laravel\Cache\LaravelCachePool
andAuth0\Laravel\Cache\LaravelCacheItem
have been added as the defaulttokenCache
andmanagementTokenCache
interfaces for the underlying Auth0-PHP SDK. The SDK now leverages the native Laravel Cache APIs by default. #307Auth0\Laravel\Auth\Guard
now supports theviaRemember
method. #306Auth0\Laravel\Http\Middleware\Stateless\Authorize
now returns a 401 status instead of 403 for unauthenticated users. #304- PHP 8.0 is now the minimum supported runtime version. Please review the README for more information on support windows.
¹ This change may require your application's users to re-authenticate. You can avoid this by changing the sessionStorage
and transientStorage
options in your SDK configuration to their previous default instances of Auth0\SDK\Store\CookieStore
, but it is recommended you migrate to the new LaravelSession
default.
7.1.0 (2022-08-08)
- Fix:
Missing Code
error on Callback Route for Octane Customers #297
7.0.1 (2022-06-01)
- Fixed an issue in
Auth0\Laravel\Http\Controller\Stateful\Callback
where$errorDescription
's value was assigned an incorrect value when an error was encountered. #266
7.0.0 (2022-03-21)
Auth0 Laravel SDK v7 includes many significant changes over previous versions:
- Support for Laravel 9.
- Support for Auth0-PHP SDK 8.
- New authentication route controllers for plug-and-play login support.
- Improved authentication middleware for regular web applications.
- New authorization middleware for token-based backend API applications.
As expected with a major release, Auth0 Laravel SDK v7 includes breaking changes. Please review the upgrade guide thoroughly to understand the changes required to migrate your application to v7.
- Namespace has been updated from
Auth0\Login
toAuth0\Laravel
- Auth0-PHP SDK dependency updated to V8
- New configuration format
- SDK now self-registers its services and middleware
- New UserProvider API
Changelog entries for releases prior to 8.0 have been relocated to CHANGELOG.ARCHIVE.md.