7.12.0

Added

• Implement support for Back-Channel Logout #435 (evansims)
• Restore configurable route paths #436 (evansims)

Fixed

• Resolve CacheBridgeAbstract::save() not storing values when cache misses #434 (seruymt)

7.11.0

Added

• Significant performance improvements by eliminating redundant user queries.
• Compatibility support for Laravel Telescope. See docs/Telescope.md for more information.
• A refactored Events API has been introduced. See docs/Events.md for more information.
• AUTH0_SESSION_STORAGE and AUTH0_TRANSIENT_STORAGE now support a cookie value to enable the native Auth0-PHP SDK cookie session handler. See docs/Cookies.md for more information.

Fixed

• Addressed an issue where, under certain circumstances, the first user authentication attempt after a session invalidation could fail.

Changed

• Session regeneration/invalidation has been refactored.
• Discarded sessions are now deleted when they are invalidated by the SDK, rather than wait for Laravel to garbage collect.
• Session storage has been refactored. Session data is now stored as a JSON array in a single auth0_session entry in the Laravel session store, rather than in multiple keys.

Documentation

• A demonstration Eloquent user model and repository implementation has been added to docs/Eloquent.md.
• A new docs/Sessions.md document has been added for guidance on the various session driver options available.

7.10.1

Fixed

• Addressed an issue where, under certain circumstances, permissions state could be lost after authenticating.

7.10.0

Added

• Organization Name support added for Authentication API and token handling ¹

Changed

• Guards are now registered with the priority middleware list.
• Bumped auth0-php dependency version range to ^8.7.
• Updated telemetry to indicate new laravel package name (previously laravel-auth0.)

Fixed

• Addressed issue where placeholder AUTH0_ dotenv values could erroneously be interpreted as true configuration values.

Note
¹ To use this feature, an Auth0 tenant must have support for it enabled. This feature is not yet available to all tenants.

7.9.1

Fixed

• Resolved an issue where, under certain circumstances, the AuthenticationGuard middleware could get erroneously added to the api middleware group, causing a session to be established in a stateless request. (#415)

7.9.0

Added

• SDK configuration (config/auth0.php) now supports a configurationPath property for specifying a custom search path for .auth0.*.json and .env* files. (#407)
• Auth0\Laravel\Guards\GuardAbstract now extends Illuminate\Contracts\Auth\Guard. (#410)

Fixed

• Resolved host environment variables not being loaded as expected when a .env file is also used. (#408)
• Resolved surrounding quote characters not being trimmed from environment variables and .env files during processing. (#409)

7.8.1

Fixed

• Resolved an issue where parsing .env files could sometimes throw an exception when handling non-key-value pair strings. (#395)

7.8.0

Good news, Laravel Artisans! Auth0 is proud to announce the availability of v7.8 of our Laravel SDK! 🎉 This is a substantial release that includes features long requested by developers, including fully separate and independently configurable authentication and authorization guards, support for Laravel's auth and can middleware, and Laravel's Gates and Policies APIs.

We've made some exciting changes that remove nearly all the boilerplate and setup required to integrate the SDK. Short of configuring your account details, the SDK can now work largely "out of the box," as it will silently register its guards, middleware, and authentication routes. Speaking of configuration — the SDK can now be configured entirely using the Auth0 CLI!

We've updated our authentication and authorization quickstarts to reflect the simplified setup process. Of course, the updated quickstart code is available here on GitHub, as well.

Added

• This release adds support for authenticating using Pushed Authorization Requests.

• This release introduces two new Authentication Guards which provide a streamlined integration experience for developers that need to simultaneously support both session-based authentication and token-based endpoint authorization in their Laravel applications.

  Guard	Class	Description
  auth0.authenticator	Auth0\Laravel\Auth\Guards\AuthenticationGuard	Session-based authentication.
  auth0.authorizer	Auth0\Laravel\Auth\Guards\AuthorizationGuard	Token-based authorization.

• These guards are compatible with Laravel's Authentication API and support the standard auth middleware.

• These guards are compatible with Laravel's Authorization API and support the standard can middleware, and the Guard facade, and work with the Policies API.

• 3 new pre-built Guards are available: scope and permission, as well as a dynamic *:*. This enables you to verify whether the user's access token has a particular scope or (if RBAC is enabled on the Auth0 API) a particular permission. For example Gate::check('scope', 'email') or Route::get(/*...*/)->can('read:messages').

• The SDK now automatically registers these guards to Laravel's standard web and api middleware groups, respectively. Manual Guard setup in config/auth.php is no longer necessary.

• The SDK now automatically registers the Authentication routes. Manual route setup in routes/web.php is no longer necessary.

• 2 new routing Middleware have been added: Auth0\Laravel\Http\Middleware\AuthenticatorMiddleware and Auth0\Laravel\Http\Middleware\AuthorizerMiddleware. These are automatically registered with your Laravel application, and ensure the Auth0 Guards are used for authentication for web routes and authorization for api routes, respectively. This replaces the need for the guard middleware or otherwise manual Guard assignment in your routes.

Improved

• We've introduced a new configuration syntax. This new syntax is more flexible and allows for more complex configuration scenarios, and introduces support for multiple guard instances. Developers using the previous syntax will have their existing configurations applied to all guards uniformly.

• The SDK can now configure itself using a .auth0.json file in the project root directory. This file can be generated using the Auth0 CLI, and provides a significantly simpler configuration experience for developers.

• The previous auth0.guard Guard (Auth0\Laravel\Auth\Guard) has been refactored as a lightweight wrapper around the new AuthenticationGuard and AuthorizationGuard guards.

Notes

• This is a significant refactoring of the SDK's codebase, but we have implemented these changes in a manner that should avoid breaking changes.
• We have deprecated the previous auth0.guard. It will continue to work until the next release, but we recommend migrating to auth0.authorizer and/or auth0.authenticator for a better experience.
• We have deprecated the previous auth0.authorize, auth0.authorize.optional, auth0.authenticate and auth0.authenticate.optional middleware. These will continue to work until the next release, but we recommend migrating to the new auth0.authorizer and/or auth0.authenticator guards for a better experience. These new guards do not require the previous middleware to work, and support Laravel's standard auth and can middleware.

7.7.0

Added

• Auth0\Laravel\Auth0 now has a management() shortcut method for issuing Management API calls. (#376)

• Auth0\Laravel\Auth0\Guard now has a refreshUser() method for querying /userinfo endpoint and refreshing the authenticated user's cached profile data. (#375)

• Auth0\Laravel\Http\Controller\Stateful\Login now raises a LoginAttempting event, offering an opportunity to customize the authorization parameters before the login redirect is issued. (#382)

Improved

• The tokenCache, managementTokenCache, sessionStorage and transientStorage configuration values now support false or string values pointing to class names (e.g. \Some\Cache::class) or class aliases (e.g. cache.psr6) registered with Laravel. (#381)

7.6.0

Added

• Auth0\Laravel\Http\Middleware\Guard, new middleware that forces Laravel to route requests through a group using a specific Guard. (#362)

Improved

• Auth0\Laravel\Http\Middleware\Stateful\Authenticate now remembers the intended route (using redirect()->setIntendedUrl()) before kicking off authentication flow redirect. Users will be returned to the memorized intended route after completing their authentication flow. (#364)

Fixed

• legacyGuardUserMethod behaviour should use $session, not $token (#353)