Releases: thephpleague/oauth2-server

9.4.0

14 Jun 08:17
b96b4a1

Changed

  • Authorization requests are now checked for the required response_type parameter before we determine which grant type is being used (PR #1507)
  • User ID is now passed to the finalizeScopes method for the Refresh Grant (PR #1414)

Removed

  • Removed support for PHP 8.1 (PR #1500)

9.3.0

25 Nov 22:58
d8e2f39

Added

  • Added sensitive parameter to avoid sensitive data being included in stack traces (PR #1483)
  • Support for PHP 8.5 (PR #1492)

Fixed

  • Made the Bearer authorization header scheme case-insensitive to correctly match the specs (PR #1491)

9.2.0

15 Feb 00:51

Added

  • Added a new function, supportsGrantType, to the provided ClientTrait to allow the auth server to issue an unauthorized_client error response when applicable (PR #1420)

Fixed

  • Fixed a bug in setting the interval visibility of the device authorization grant (PR #1410)
  • Fixed a bug where the new poll date was not persisted when a slow_down error occurred, because the exception was thrown before persistDeviceCode was called (PR #1410)
  • Fixed a bug where a slow_down error response could be returned even after the user had completed the auth flow (already approved or denied the request) (PR #1410)
  • Clients are now only validated for the Refresh, Device Code, and Password grants if the client is confidential (PR #1420)
  • Emit RequestAccessTokenEvent and RequestRefreshTokenEvent events instead of the general RequestEvent event when an access or refresh token is issued using the device authorization grant (PR #1467)

8.5.5

20 Dec 23:07

Fixed

  • PHP 8.4 deprecation notices fixed (PR #1466)

8.4.3

18 Dec 00:26

Fixed

  • PHP 8.4 deprecation notices fixed (PR #1466)

9.1.0

21 Nov 22:49

Added

  • Support for PHP 8.4 (PR #1454)

Fixed

  • In the Auth Code grant, when requesting an access token with an invalid auth code, we now respond with an invalid_grant error instead of invalid_request (PR #1433)
  • Fixed a spec compliance issue where the device access token request was mistakenly expecting to receive scopes in the request (PR #1412)
  • Refresh tokens issued before version 9 might have had user IDs set as ints, which meant they were incorrectly rejected. We now cast these values to strings so that old refresh tokens are accepted (PR #1436)

9.0.1

14 Oct 22:18

Fixed

  • The auto-generated event emitter is now persisted. Previously, a new emitter was generated every time (PR #1428)
  • Fixed a bug where the redirect URI could not be omitted even if one had not been specified during the auth request (PR #1428)
  • Fixed a bug where the "state" parameter was not present on the invalid_scope error response and was missing from the fragment part of the access_denied redirect URI in the Implicit grant (PR #1298)
  • Fixed a bug where disabling refresh token revocation via revokeRefreshTokens(false) unintentionally disabled issuing new refresh tokens (PR #1449)

9.0.0

13 May 21:38

Added

  • Device Authorization Grant added (PR #1074)
  • GrantTypeInterface has a new function, revokeRefreshTokens() for enabling or disabling refresh tokens after use (PR #1375)
  • A CryptKeyInterface to allow developers to change the CryptKey implementation with greater ease (PR #1044)
  • The authorization server can now finalize scopes when a client uses a refresh token (PR #1094)
  • An AuthorizationRequestInterface to make it easier to extend the AuthorizationRequest (PR #1110)
  • Added function getKeyContents() to the CryptKeyInterface (PR #1375)

Fixed

  • Basic authorization scheme matching is now case-insensitive (PR #1403)
  • If a refresh token has expired, been revoked, cannot be decrypted, or does not belong to the correct client, the server will now issue an invalid_grant error and an HTTP 400 response. In previous versions the server incorrectly issued an invalid_request error and an HTTP 401 response (PR #1042) (PR #1082)

Changed

  • All interfaces now specify types for all params and return values. Strict typing is enforced (PR #1074)
  • Request parameters are now parsed into strings for internal use in the library (PR #1402)
  • Authorization Request objects are now created through the factory method, createAuthorizationRequest() (PR #1111)
  • Changed parameters for finalizeScopes() to allow a reference to an auth code ID (PR #1112)
  • AccessTokenEntityInterface now requires the implementation of toString() instead of the magic method __toString() (PR #1395)

Removed

  • Removed the message property from the OAuthException HTTP response. Use error_description instead, as per the OAuth 2 spec (PR #1375)

9.0.0-RC1

27 Mar 09:53

Pre-release

Added

  • Device Authorization Grant added (PR #1074)
  • GrantTypeInterface has a new function, revokeRefreshTokens() for enabling or disabling refresh tokens after use (PR #1375)
  • A CryptKeyInterface to allow developers to change the CryptKey implementation with greater ease (PR #1044)
  • The authorization server can now finalize scopes when a client uses a refresh token (PR #1094)
  • An AuthorizationRequestInterface to make it easier to extend the AuthorizationRequest (PR #1110)
  • Added function getKeyContents() to the CryptKeyInterface (PR #1375)

Fixed

  • If a refresh token has expired, been revoked, cannot be decrypted, or does not belong to the correct client, the server will now issue an invalid_grant error and an HTTP 400 response. In previous versions the server incorrectly issued an invalid_request error and an HTTP 401 response (PR #1042) (PR #1082)

Changed

  • Authorization Request objects are now created through the factory method, createAuthorizationRequest() (PR #1111)
  • Changed parameters for finalizeScopes() to allow a reference to an auth code ID (PR #1112)
  • AccessTokenEntityInterface now requires the implementation of toString() instead of the magic method __toString() (PR #1395)

Removed

  • Removed the message property from the OAuthException HTTP response. Use error_description instead, as per the OAuth 2 spec (PR #1375)

8.5.4

25 Aug 22:36

Added

  • Support for league/uri ^7.0 (PR #1367)