Releases: thephpleague/oauth2-server
9.0.1
Fixed
- The auto-generated event emitter is now persisted; previously a new emitter was created on every call (PR #1428)
- Fixed a bug where the redirect URI could not be omitted from the token request even when none had been supplied in the authorization request (PR #1428)
- Fixed a bug where the `state` parameter was missing from the `invalid_scope` error response and from the fragment part of the `access_denied` redirect URI in the Implicit grant (PR #1298). Clients that check `state` on error redirects, as they should, would otherwise reject these responses.
- Fixed a bug where disabling refresh token revocation via `revokeRefreshTokens(false)` unintentionally disabled issuing new refresh tokens (PR #1449)
9.0.0
Added
- Device Authorization Grant added (PR #1074)
- `GrantTypeInterface` has a new method, `revokeRefreshTokens()`, for enabling or disabling revocation of refresh tokens after use (PR #1375)
- A `CryptKeyInterface` so developers can swap in their own `CryptKey` implementation more easily (PR #1044)
- The authorization server can now finalize scopes when a client uses a refresh token (PR #1094)
- An `AuthorizationRequestInterface` to make it easier to extend `AuthorizationRequest` (PR #1110)
- Added `getKeyContents()` to `CryptKeyInterface` (PR #1375)
Fixed
- The `Basic` scheme name in the `Authorization` header is now matched case-insensitively (PR #1403)
- If a refresh token has expired, been revoked, cannot be decrypted, or does not belong to the requesting client, the server now issues an `invalid_grant` error with an HTTP 400 response. Previous versions incorrectly issued `invalid_request` with HTTP 401 (PR #1042, PR #1082)
Changed
- All interfaces now declare types for all parameters and return values; strict typing is enforced (PR #1074)
- Request parameters are now parsed into strings for internal use by the library (PR #1402)
- Authorization request objects are now created through the factory method `createAuthorizationRequest()` (PR #1111)
- Changed the parameters of `finalizeScopes()` to allow passing a reference to an auth code ID (PR #1112)
- `AccessTokenEntityInterface` now requires an implementation of `toString()` instead of the magic method `__toString()` (PR #1395)
Removed
- Removed the `message` property from the `OAuthException` HTTP response; use `error_description` instead, as the OAuth 2 spec specifies (PR #1375)
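The 9.0.0 `revokeRefreshTokens()` addition and the 9.0.1 fix to `revokeRefreshTokens(false)` both concern how the refresh token grant is wired. The following is an added example, not code from the oauth2-server project, showing that wiring on 9.x. It assumes you have your own implementations of the library's client, access token, scope and refresh token repository interfaces (the four `$...Repository` variables), and the private key path and encryption key are placeholders.

```php
<?php
// Added example (not from the oauth2-server project): configure the refresh
// token grant on league/oauth2-server 9.x and choose whether a used refresh
// token is revoked. Assumed: the four repository variables below are your own
// implementations of the library's repository interfaces; key path and
// encryption key are placeholders.

declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use League\OAuth2\Server\AuthorizationServer;
use League\OAuth2\Server\CryptKey;
use League\OAuth2\Server\Grant\RefreshTokenGrant;

/** @var \League\OAuth2\Server\Repositories\ClientRepositoryInterface $clientRepository */
/** @var \League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface $accessTokenRepository */
/** @var \League\OAuth2\Server\Repositories\ScopeRepositoryInterface $scopeRepository */
/** @var \League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface $refreshTokenRepository */

// Private key used to sign access tokens. Assumed path; the third argument
// keeps the library's file permission check enabled.
$privateKey = new CryptKey('/path/to/private.key', null, true);

// Key used to encrypt authorization codes and refresh tokens. Placeholder:
// generate your own and load it from configuration, never commit it.
$encryptionKey = getenv('OAUTH_ENCRYPTION_KEY') ?: 'replace-with-a-generated-encryption-key';

$server = new AuthorizationServer(
    $clientRepository,
    $accessTokenRepository,
    $scopeRepository,
    $privateKey,
    $encryptionKey
);

$refreshGrant = new RefreshTokenGrant($refreshTokenRepository);
$refreshGrant->setRefreshTokenTTL(new \DateInterval('P1M'));

// true (rotation): the refresh token presented at the token endpoint is
// revoked once a new access/refresh token pair is issued, so a stolen token
// that is replayed later is rejected with invalid_grant / HTTP 400.
// false: the presented token stays valid after use. On 9.0.0 this also
// suppressed issuing a new refresh token (fixed in 9.0.1), so upgrade
// before relying on it.
$refreshGrant->revokeRefreshTokens(true);

$server->enableGrantType($refreshGrant, new \DateInterval('PT1H'));
```

Keep revocation enabled unless a client genuinely cannot store the rotated token: rotation is what turns a replayed refresh token into a detectable `invalid_grant` failure rather than a silently extended session.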
9.0.0-RC1
Added
- Device Authorization Grant added (PR #1074)
- `GrantTypeInterface` has a new method, `revokeRefreshTokens()`, for enabling or disabling revocation of refresh tokens after use (PR #1375)
- A `CryptKeyInterface` so developers can swap in their own `CryptKey` implementation more easily (PR #1044)
- The authorization server can now finalize scopes when a client uses a refresh token (PR #1094)
- An `AuthorizationRequestInterface` to make it easier to extend `AuthorizationRequest` (PR #1110)
- Added `getKeyContents()` to `CryptKeyInterface` (PR #1375)
Fixed
- If a refresh token has expired, been revoked, cannot be decrypted, or does not belong to the requesting client, the server now issues an `invalid_grant` error with an HTTP 400 response. Previous versions incorrectly issued `invalid_request` with HTTP 401 (PR #1042, PR #1082)
Changed
- Authorization request objects are now created through the factory method `createAuthorizationRequest()` (PR #1111)
- Changed the parameters of `finalizeScopes()` to allow passing a reference to an auth code ID (PR #1112)
- `AccessTokenEntityInterface` now requires an implementation of `toString()` instead of the magic method `__toString()` (PR #1395)
Removed
- Removed the `message` property from the `OAuthException` HTTP response; use `error_description` instead, as the OAuth 2 spec specifies (PR #1375)