- Fixed WWW-Authenticate header (Issue #669)
- Increase the recommended RSA key length from 1024 to 2048 bits (Issue #668)
- Fixed `finalizeScopes` call (Issue #650)
- Improved test suite (Issue #614)
- Updated docblocks (Issue #616)
- Replace `array_shift` with `foreach` loop (Issue #621)
- Allow easy addition of custom fields to Bearer token response (Issue #624)
- Key file auto-generation from string (Issue #625)
- Implemented RFC7636 (Issue #574)
- Unify middleware exception responses (Issue #578)
- Updated examples (Issue #589)
- Ensure state is in access denied redirect (Issue #597)
- Remove redundant `isExpired()` method from entity interfaces and traits (Issue #600)
- Added a check for unique access token constraint violation (Issue #601)
- Look at Authorization header directly for HTTP Basic auth checks (Issue #604)
- Added catch Runtime exception when parsing JWT string (Issue #605)
- Allow `paragonie/random_compat` 2.x (Issue #606)
- Added `indigophp/hash-compat` to Composer suggestions and `require-dev` for PHP 5.5 support
- Fix hints in PasswordGrant (Issue #560)
- Add meaning of `Resource owner` to terminology.md (Issue #561)
- Use constant for event name instead of explicit string (Issue #563)
- Remove unused request property (Issue #564)
- Correct wrong phpdoc (Issue #569)
- Fixed typo in exception string (Issue #570)
- `state` parameter is now correctly returned after implicit grant authorization
- Small code and docblock improvements
- Fixes an issue (#550) whereby it was unclear whether or not to validate a client's secret during a request.
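The RFC 7636 (PKCE) exchange behind the "Implemented RFC7636" entry above, as an added example that is not the library's own code: the client derives an S256 `code_challenge` from a random `code_verifier`, the authorization server stores the challenge and method with the authorization code, and the token endpoint recomputes the challenge from the verifier the client presents. All function names are hypothetical; the fixed verifier/challenge pair is the one printed in RFC 7636 Appendix B, so the derivation can be checked against the RFC. Assumes PHP 7.1 or later.

```php
<?php
declare(strict_types=1);

// Added example (not code from league/oauth2-server): the RFC 7636 PKCE
// exchange. Function names are hypothetical; only standard PHP functions are used.

function base64UrlEncode(string $raw): string
{
    // RFC 7636 Appendix A: base64url without padding
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// Client: 32 random octets give a 43-character verifier (RFC 7636 s4.1 allows 43..128).
function makeCodeVerifier(): string
{
    return base64UrlEncode(random_bytes(32));
}

// Client: derive the code_challenge sent with the authorization request.
function makeCodeChallenge(string $verifier, string $method = 'S256'): string
{
    if ($method === 'plain') {
        return $verifier;
    }
    if ($method !== 'S256') {
        throw new InvalidArgumentException('unsupported code_challenge_method');
    }
    // Raw SHA-256 digest (third argument true), not the hex string hash() returns by default.
    return base64UrlEncode(hash('sha256', $verifier, true));
}

// Server, token endpoint: the challenge and method stored with the auth code are
// authoritative, so a client cannot downgrade S256 to plain at redemption time.
function verifyCodeVerifier(string $verifier, string $storedChallenge, string $storedMethod): bool
{
    // RFC 7636 s4.1: unreserved characters only, 43..128 of them
    if (preg_match('/^[A-Za-z0-9\-._~]{43,128}$/', $verifier) !== 1) {
        return false;
    }
    try {
        $expected = makeCodeChallenge($verifier, $storedMethod);
    } catch (InvalidArgumentException $e) {
        return false;
    }
    return hash_equals($storedChallenge, $expected); // constant-time comparison
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Worked exchange using the fixed verifier from RFC 7636 Appendix B.
$verifier  = 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk';
$challenge = makeCodeChallenge($verifier, 'S256');
check($challenge === 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM', 'S256 challenge matches RFC 7636 Appendix B');

// 1. The authorization request carries code_challenge and code_challenge_method;
//    the server stores both alongside the issued authorization code.
$storedWithAuthCode = ['challenge' => $challenge, 'method' => 'S256'];

// 2. The legitimate client redeems the code together with its verifier.
check(verifyCodeVerifier($verifier, $storedWithAuthCode['challenge'], $storedWithAuthCode['method']), 'genuine verifier accepted');

// 3. An attacker who intercepted the authorization code but not the verifier fails.
check(!verifyCodeVerifier(makeCodeVerifier(), $storedWithAuthCode['challenge'], $storedWithAuthCode['method']), 'foreign verifier rejected');

// 4. Presenting the challenge itself as the verifier (plain-method confusion) fails,
//    because the stored method, not the client, decides how verification is done.
check(!verifyCodeVerifier($challenge, $storedWithAuthCode['challenge'], $storedWithAuthCode['method']), 'challenge-as-verifier rejected');

echo "PKCE checks passed\n";
```

The two details that most often go wrong in real deployments are both covered: hashing with the raw digest rather than the hex form before base64url encoding, and letting the server-side stored method decide how to verify so that an S256 challenge can never be satisfied with a `plain` verifier.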
Version 5 is a complete code rewrite.
- JWT support
- PSR-7 support
- Improved exception errors
- Replace all occurrences of the term "Storage" with "Repository"
- Simplify repositories
- Entities conform to interfaces and use traits
- Auth code grant updated
- Allow support for public clients
- Add support for #439
- Client credentials grant updated
- Password grant updated
- Allow support for public clients
- Refresh token grant updated
- Implement Implicit grant
- Bearer token output type
- Remove MAC token output type
- Authorization server rewrite
- Resource server class moved to PSR-7 middleware
- Tests
- Much much better documentation
Changes since RC2:
- Renamed Server class to AuthorizationServer
- Added ResourceServer class
- Run unit tests against PHP 5.5.9 as it's the minimum supported version
- Enable PHPUnit 5.0 support
- Improved examples and documentation
- Make it clearer that the implicit grant doesn't support refresh tokens
- Improved refresh token validation errors
- Fixed refresh token expiry date
Changes since RC1:
- Allow multiple client redirect URIs (Issue #511)
- Remove unused mac token interface (Issue #503)
- Handle RSA key passphrase (Issue #502)
- Remove access token repository from response types (Issue #501)
- Remove unnecessary methods from entity interfaces (Issue #490)
- Ensure incoming JWT hasn't expired (Issue #509)
- Fix client identifier passed where user identifier is expected (Issue #498)
- Removed built-in entities; added traits for quick re-use (Issue #504)
- Redirect uri is required only if the "redirect_uri" parameter was included in the authorization request (Issue #514)
- Removed templating for auth code and implicit grants (Issue #499)
Version 5 is a complete code rewrite.
- JWT support
- PSR-7 support
- Improved exception errors
- Replace all occurrences of the term "Storage" with "Repository"
- Simplify repositories
- Entities conform to interfaces and use traits
- Auth code grant updated
- Allow support for public clients
- Add support for #439
- Client credentials grant updated
- Password grant updated
- Allow support for public clients
- Refresh token grant updated
- Implement Implicit grant
- Bearer token output type
- Remove MAC token output type
- Authorization server rewrite
- Resource server class moved to PSR-7 middleware
- Tests
- Much much better documentation
- Enable Symfony 3.0 support (#412)
- Fix for determining access token in header (Issue #328)
- Refresh tokens are now returned for MAC responses (Issue #356)
- Added integration list to readme (Issue #341)
- Expose parameter passed to exceptions (Issue #345)
- Removed duplicate routing setup code (Issue #346)
- Docs fix (Issues #347, #360, #380)
- Examples fix (Issues #348, #358)
- Fix typo in docblock (Issue #352)
- Improved timeouts for MAC tokens (Issue #364)
- `hash_hmac()` should output raw binary data, not hexits (Issue #370)
- Improved regex for matching all Base64 characters (Issue #371)
- Fix incorrect signature parameter (Issue #372)
- AuthCodeGrant and RefreshTokenGrant don't require client_secret (Issue #377)
- Added priority argument to event listener (Issue #388)
- Docblock, namespace and inconsistency fixes (Issue #303)
- Docblock type fix (Issue #310)
- Example bug fix (Issue #300)
- Updated league/event to ~2.1 (Issue #311)
- Fixed missing session scope (Issue #319)
- Updated interface docs (Issue #323)
- `.travis.yml` updates
- Remove side-effects in hash_equals() implementation (Issue #290)
- Changed `symfony/http-foundation` dependency version to `~2.4` so package can be installed in Laravel `4.1.*`
- Added MAC token support (Issue #158)
- Fixed example init code (Issue #280)
- Toggle refresh token rotation (Issue #286)
- Docblock fixes
- Prevent duplicate session in auth code grant (Issue #282)
- Ensure refresh token hasn't expired (Issue #270)
- Fix bad type hintings (Issue #267)
- Do not forget to set the expire time (Issue #268)
- Improved interfaces (Issue #255)
- Learnt how to spell delimiter and so `getScopeDelimiter()` and `setScopeDelimiter()` methods have been renamed
- Docblock improvements (Issue #254)
- Alias the master branch in composer.json (Issue #243)
- Numerous PHP CodeSniffer fixes (Issue #244)
- .travis.yml update (Issue #245)
- The getAccessToken method should return an AccessTokenEntity object instead of a string in ResourceServer.php (#246)
- Complete rewrite
- Check out the documentation - http://oauth2.thephpleague.com
- Added the ability to change the algorithm that is used to generate the token strings (Issue #151)
- Support Authorization being an environment variable. See more
- Normalize headers when `getallheaders()` is available (Issues #108 and #114)
- No longer necessary to inject the authorisation server into a grant, the server will inject itself
- Added test for 1419ba8cdcf18dd034c8db9f7de86a2594b68605
- Forgot to tell TravisCI from testing PHP 5.3
- Fixed spelling of Implicit grant class (Issue #84)
- Travis CI now tests for PHP 5.5
- Fixes for checking headers for resource server (Issues #79 and #)
- The word "bearer" now has a capital "B" in JSON output to match OAuth 2.0 spec
- All grants no longer remove old sessions by default
- All grants now support custom access token TTL (Issue #92)
- All methods which didn't before return a value now return `$this` to support method chaining
- Removed the built-in DB providers - these will be put in their own repos to remove baggage in the main repository
- Removed support for PHP 5.3 because this library now uses traits and will use other modern PHP features going forward
- Moved some grant related functions into a trait to reduce duplicate code
- Added conditional `isValid()` flag to check for Authorization header only (thanks @alexmcroberts)
- Fixed semantic meaning of `requireScopeParam()` and `requireStateParam()` by changing their default value to true
- Updated some duff docblocks
- Corrected array key call in Resource.php (Issue #63)
- Moved zetacomponents/database to "suggest" in composer.json. If you rely on this feature you now need to include " zetacomponents/database" into "require" key in your own composer.json. (Issue #51)
- New method in Refresh grant called `rotateRefreshTokens()`. Pass in `true` to issue a new refresh token each time an access token is refreshed. This parameter needs to be set to true in order to request reduced scopes with the new access token. (Issue #47)
- Rename `key` column in oauth_scopes table to `scope` as `key` is a reserved SQL word. (Issue #45)
- The `scope` parameter is no longer required by default as per the RFC. (Issue #43)
- You can now set multiple default scopes by passing an array into `setDefaultScope()`. (Issue #42)
- The password and client credentials grants now allow for multiple sessions per user. (Issue #32)
- Scopes associated to authorization codes are not held in their own table (Issue #44)
- Database schema updates.
- Fixed `oauth_session_token_scopes` table primary key
- Removed `DEFAULT ''` that has slipped into some tables
- Fixed docblock for `SessionInterface::associateRefreshToken()`
- Renamed primary key in oauth_client_endpoints table
- Adding missing column to oauth_session_authcodes
- SECURITY FIX: A refresh token should be bound to a client ID
- Fixed a link to code in composer.json
- Updated README with wiki guides
- Removed `null` as default parameters in some methods in the storage interfaces
- Fixed license copyright
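The check behind the "SECURITY FIX: A refresh token should be bound to a client ID" entry above, together with the refresh-token expiry and rotation entries elsewhere in this changelog, as an added example that is not the library's own code. Without the client binding, any client that obtains a refresh token string (for example from a leaked log or a compromised client) can mint new access tokens with it. The in-memory array stands in for the database, all class and method names are hypothetical, and the code assumes PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Added example, not code from league/oauth2-server. Shows a refresh token
// store that binds each token to the client it was issued to, enforces expiry,
// and rotates (single-use) tokens. Names are hypothetical.

final class RefreshTokenStore
{
    /** @var array<string, array{client_id: string, expires: int, revoked: bool}> keyed by sha256(token) */
    private array $rows = [];

    public function issue(string $clientId, int $ttlSeconds, int $now): string
    {
        $token = bin2hex(random_bytes(32));
        // Store only a digest so a database leak does not hand out usable tokens.
        $this->rows[hash('sha256', $token)] = [
            'client_id' => $clientId,
            'expires'   => $now + $ttlSeconds,
            'revoked'   => false,
        ];
        return $token;
    }

    // Returns the bound client_id on success, or null when the token is unknown,
    // expired, already used, or presented by a client other than the issuing one.
    public function redeem(string $token, string $presentingClientId, int $now): ?string
    {
        $key = hash('sha256', $token);
        $row = $this->rows[$key] ?? null;
        if ($row === null || $row['revoked'] || $row['expires'] <= $now) {
            return null;
        }
        if ($row['client_id'] !== $presentingClientId) {
            // The binding check the security fix adds. The token has evidently
            // leaked to another party, so revoke it rather than merely refusing;
            // RFC 6749 s10.4 treats a mismatch like this as a signal of compromise.
            $this->rows[$key]['revoked'] = true;
            return null;
        }
        // Rotation: single use; the grant issues a fresh token to the caller.
        $this->rows[$key]['revoked'] = true;
        return $row['client_id'];
    }
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

$now   = 1700000000;      // fixed clock so the run is reproducible
$week  = 7 * 24 * 3600;   // the one-week default refresh token TTL mentioned in this changelog
$store = new RefreshTokenStore();

// Attacker (client-b) replays a token issued to client-a: refused and revoked,
// so the legitimate client's next attempt also fails and the leak becomes visible.
$stolen = $store->issue('client-a', $week, $now);
check($store->redeem($stolen, 'client-b', $now) === null, 'foreign client refused');
check($store->redeem($stolen, 'client-a', $now) === null, 'leaked token revoked for everyone');

// Normal path: the bound client redeems once; a second use is refused (rotation).
$rt = $store->issue('client-a', $week, $now);
check($store->redeem($rt, 'client-a', $now) === 'client-a', 'bound client accepted');
check($store->redeem($rt, 'client-a', $now) === null, 'second use refused');

// Expiry: a token is dead once its TTL has elapsed.
$short = $store->issue('client-a', 60, $now);
check($store->redeem($short, 'client-a', $now + 61) === null, 'expired token refused');

echo "refresh token checks passed\n";
```

Revoking on a client mismatch, rather than only refusing, is a deliberate choice: once a token has been presented by the wrong client it should be treated as compromised for everyone, which is also what makes rotation useful as a breach detector.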
If you're upgrading from v1.0.8 there are lots of breaking changes
- Rewrote the session storage interface from scratch so methods are more obvious
- Included a PDO driver which implements the storage interfaces so the library is more "get up and go"
- Further normalised the database structure so all sessions no longer contain information related to authorization grant (which may or may not be enabled)
- A session can have multiple associated access tokens
- Individual grants can have custom expire times for access tokens
- Authorization codes now have a TTL of 10 minutes by default (can be manually set)
- Refresh tokens now have a TTL of one week by default (can be manually set)
- The client credentials grant no longer gives out refresh tokens as per the specification
- Fixed check for required state parameter
- Fixed check that user's credentials are correct in Password grant
- Added method `requireStateParam()`
- Added method `requireScopeParam()`
- Added links to tutorials in the README
- Added missing `state` parameter request to the `checkAuthoriseParams()` method.
- Fixed the SQL example for SessionInterface::getScopes()
- Changed all instances of the "authentication server" to "authorization server"
- Fixed MySQL create table order
- Fixed version number in composer.json
- Updated AuthServer.php to use `self::getParam()`
- First major release