• Add support for PHP 8.5 #1081

• Only provide scopes in access token when set in options #1053
• Add missing [@throws](https://github.com/throws) annotations for Guzzle exceptions #1055

• This version is certified for PHP 8.3 and PHP 8.4! 🎉
• Fix cases where expires is not a number #929
• Add SettableRefreshTokenInterface to support setting the refresh token #994
• Set minimum version of Guzzle to 6.5.8 and 7.4.5, due to security vulnerabilities reported in earlier versions #1022
• Fix parameter docblock type hint for AbstractProvider::prepareAccessTokenResponse() #1025
  • Take note, this might affect static analysis reports for downstream providers
• Send scopes with access token request #1029 #1030
• Explicitly mark nullable parameter #1034 #1039
  • This change requires PHP 7.1 as the minimum version for this library
• Plus a number of test and documentation improvements; see the commit log for more details

• Add support for PKCE (Proof Key for Code Exchange, RFC 7636) #901
• Various type improvements for static analysis #939 #959 #972 #997

• Fix deprecation notices, providing full support for PHP 8.1 #919 #920

• Indicate support for PHP 8
• Allow time to be set for testing purposes #852

• Allow Guzzle 7.x to be used #847

• Revert to use of AccessToken in type hints to preserve backwards compatibility; this fixes the issue reported in #752 and #753

• Add HttpBasicAuthOptionProvider to ease implementation for providers requiring HTTP basic auth
• Add GuardedPropertyTrait to allow providers the ability to specify properties that may not be overridden by user-defined values passed to the provider constructor
• Add AccessTokenInterface and ResourceOwnerAccessTokenInterface to allow providers the ability to override the default AccessToken

• Allow paragonie/random_compat's empty 9.99.99 placeholder
• Throw an UnexpectedValueException on non-JSON responses from access token request (when calling AbstractProvider::getAccessToken())

• Add ProviderRedirectTrait tool for 3rd-party provider libraries to use when handling provider redirections
• Fix TypeError thrown because getResourceOwner() receives a non-JSON Response
• Gracefully handle non-standard errors received from providers
• Update README to reflect official support of PHP 7.2

• Fix potential type error when HTTP 500 errors are encountered
• Allow broader range of random_compat versions

• Allow base URLs to contain query parameters
• Protect against + being improperly encoded in URL parameters
• Remove misleading state option from authorization parameters
• Stop generating more random bytes than necessary

• Allow expires_in with a value of 0

• PHP 5.6 or greater is now required
• Rename getResponse() to getParsedResponse()
• Add getResponse() method that returns the unparsed PSR-7 Response instance
• Removed RandomFactory, switched to native random functions

Fixed

• Random state strings will now always be alpha-numeric, to prevent URI encoding issue #546

Added

• Add QueryBuilderTrait to standardize query string generation.

Added

• Add AccessToken::getValues() to access additional vendor data provided with tokens.

• Enable dynamic parameters being passed into the authorization URL
• Minor documentation updates

• Add resource_owner_id to the JSON-serialized representation of the access token.
• Minor documentation updates and improved test coverage.

• Add ArrayAccessorTrait, update AbstractProvider to utilize.
• Use expires to serialize access tokens.
• Documentation updates.

• Allow access tokens to be created from storage (see #431).
• Minor fixes and documentation updates.

• Allow required parameters checked using the RequiredParameterTrait to be set as false, null, "0", etc.

• We are running code-quality builds through Scrutinizer, and we are running unit test builds on the new Travis CI container-based infrastructure.
• Cleaned up code, as recommended by Scrutinizer.
• Documentation updates.

Please also refer to the changelog notes for 1.0.0-alpha1, 1.0.0-alpha2, 1.0.0-beta1, and 1.0.0-beta2.

• BREAK: Add toArray() to ResourceOwnerInterface.
• Always attempt to parse responses as JSON and fallback on failure.
• Add dot notation support to access token resource owner ID.
• Use the Bearer authorization header for the generic provider.
• Documentation updates.

• API for 1.0 is now frozen!
• BREAK: Convert all uses of "User" to "ResourceOwner" to more closely match the OAuth 2.0 specification.
• BREAK: Rename StandardProvider to GenericProvider.
• BREAK: Move access token creation to the AbstractProvider. It was previously handled in the AbstractGrant.
• FIX: Add Content-Type header with value of application/x-www-form-urlencoded to the request header when retrieving access tokens. This adheres to the OAuth 2.0 specification and fixes issues where certain OAuth servers expect this header.
• Enhanced json_encode() serialization of AccessToken; when using json_encode() on an AccessToken, it will return a JSON object with these properties: access_token, refresh_token, and expires_in.

• BREAK: Renamed AbstractProvider::ACCESS_TOKEN_METHOD_GET to AbstractProvider::METHOD_GET.
• BREAK: Renamed AbstractProvider::ACCESS_TOKEN_METHOD_POST to AbstractProvider::METHOD_POST.
• BREAK: Renamed AbstractProvider::prepareUserDetails() to AbstractProvider::createUser().
• BREAK: Renamed AbstractProvider::getUserDetails() to AbstractProvider::getUser().
• BREAK: Removed $token parameter from AbstractProvider::getDefaultHeaders().
• BREAK: Modify AbstractProvider::getBaseAccessTokenUrl() to accept a required array of parameters, allowing providers the ability to vary the access token URL, based on the parameters.
• Removed newline characters from MAC Authorization header.
• Documentation updates, notably:
  • Moved list of providers to README.PROVIDERS.md.
  • Moved provider creation notes to README.PROVIDER-GUIDE.md.

This release contains numerous BC breaks from the 0.x series. Please note these breaks and refer to the upgrade guide.

• BREAK: Requires PHP 5.5.0 and greater.
• BREAK: All providers have been moved to separate repositories, one for each provider.
• BREAK: All public properties have been set as protected or private and getters/setters have been introduced for access to these properties.
• BREAK: The Provider\ProviderInterface has been removed. Please extend from and override Provider\AbstractProvider.
• BREAK: The Entity\User has been removed. Providers should implement the Provider\UserInterface and provide user functionality instead of expecting it in this base library.
• BREAK: The Grant\GrantInterface has been removed. Providers needing to provide a new grant type should extend from and override Grant\AbstractGrant.
• A generic Provider\StandardProvider has been introduced, which may be used as a client to integrate with most OAuth 2.0 compatible servers.
• A Grant\GrantFactory has been introduced as a means to register and retrieve singleton grants from a registry.
• Introduced traits for bearer and MAC authorization (Tool\BearerAuthorizationTrait and Tool\MacAuthorizationTrait), which providers may use to enable these header authorization types.

• FIX: Scope separators for LinkedIn and Instagram are now correctly a single space

• BREAK: LinkedIn Provider: Default scopes removed from LinkedIn Provider. See "Managing LinkedIn Scopes" in the README for information on how to set scopes. See #327 and #307 for details on this change.
• FIX: LinkedIn Provider: A scenario existed in which publicProfileUrl was not set, generating a PHP notice; this has been fixed.
• FIX: Instagram Provider: Fixed scope separator.
• Documentation updates and corrections.