Oauth2 Server Laravel Package

Added

• Added sensitive parameter to avoid sensitive data being included in stack traces (PR #1483)
• Support for PHP 8.5 (PR #1492)

Fixed

• Made the Bearer header case insensitive to match the specs correctly (PR #1491)

Added

• Added a new function to the provided ClientTrait, supportsGrantType to allow the auth server to issue the response unauthorized_client when applicable (PR #1420)

Fixed

• Fix a bug on setting interval visibility of device authorization grant (PR #1410)
• Fix a bug where the new poll date were not persisted when slow_down error happens, because the exception is thrown before calling persistDeviceCode. (PR #1410)
• Fix a bug where slow_down error response may have been returned even after the user has completed the auth flow (already approved / denied the request). (PR #1410)
• Clients only validated for Refresh, Device Code, and Password grants if the client is confidential (PR #1420)
• Emit RequestAccessTokenEvent and RequestRefreshTokenEvent events instead of the general RequestEvent event when an access / refresh token is issued using device authorization grant. (PR #1467)

Fixed

• PHP 8.4 deprecation notices fixed (PR #1466)

Fixed

• PHP 8.4 deprecation notices fixed (PR #1466)

Added

• Support for PHP 8.4 (PR #1454)

Fixed

• In the Auth Code grant, when requesting an access token with an invalid auth code, we now respond with an invalid_grant error instead of invalid_request (PR #1433)
• Fixed spec compliance issue where device access token request was mistakenly expecting to receive scopes in the request (PR #1412)
• Refresh tokens pre version 9 might have had user IDs set as ints which meant they were incorrectly rejected. We now cast these values to strings to allow old refresh tokens (PR #1436)

Fixed

• Auto-generated event emitter is now persisted. Previously, a new emitter was generated every time (PR #1428)
• Fixed bug where you could not omit a redirect uri even if one had not been specified during the auth request (PR #1428)
• Fixed bug where "state" parameter wasn't present on invalid_scope error response and wasn't on fragment part of access_denied redirect URI on Implicit grant (PR #1298)
• Fixed bug where disabling refresh token revocation via revokeRefreshTokens(false) unintentionally disables issuing new refresh token (PR #1449)

Added

• Device Authorization Grant added (PR #1074)
• GrantTypeInterface has a new function, revokeRefreshTokens() for enabling or disabling refresh tokens after use (PR #1375)
• A CryptKeyInterface to allow developers to change the CryptKey implementation with greater ease (PR #1044)
• The authorization server can now finalize scopes when a client uses a refresh token (PR #1094)
• An AuthorizationRequestInterface to make it easier to extend the AuthorizationRequest (PR #1110)
• Added function getKeyContents() to the CryptKeyInterface (PR #1375)

Fixed

• Basic authorization is now case insensitive (PR #1403)
• If a refresh token has expired, been revoked, cannot be decrypted, or does not belong to the correct client, the server will now issue an invalid_grant error and a HTTP 400 response. In previous versions the server incorrectly issued an invalid_request and HTTP 401 response (PR #1042) (PR #1082)

Changed

• All interfaces now specify types for all params and return values. Strict typing enforced (PR #1074)
• Request parameters are now parsed into strings to use internally in the library (PR #1402)
• Authorization Request objects are now created through the factory method, createAuthorizationRequest() (PR #1111)
• Changed parameters for finalizeScopes() to allow a reference to an auth code ID (PR #1112)
• AccessTokenEntityInterface now requires the implementation of toString() instead of the magic method __toString() (PR #1395)

Removed

• Removed message property from OAuthException HTTP response. Now just use error_description as per the OAuth 2 spec (PR #1375)

Added

• Device Authorization Grant added (PR #1074)
• GrantTypeInterface has a new function, revokeRefreshTokens() for enabling or disabling refresh tokens after use (PR #1375)
• A CryptKeyInterface to allow developers to change the CryptKey implementation with greater ease (PR #1044)
• The authorization server can now finalize scopes when a client uses a refresh token (PR #1094)
• An AuthorizationRequestInterface to make it easier to extend the AuthorizationRequest (PR #1110)
• Added function getKeyContents() to the CryptKeyInterface (PR #1375)

Fixed

• If a refresh token has expired, been revoked, cannot be decrypted, or does not belong to the correct client, the server will now issue an invalid_grant error and a HTTP 400 response. In previous versions the server incorrectly issued an invalid_request and HTTP 401 response (PR #1042) (PR #1082)

Changed

• Authorization Request objects are now created through the factory method, createAuthorizationRequest() (PR #1111)
• Changed parameters for finalizeScopes() to allow a reference to an auth code ID (PR #1112)
• AccessTokenEntityInterface now requires the implementation of toString() instead of the magic method __toString() (PR #1395)

Removed

• Removed message property from OAuthException HTTP response. Now just use error_description as per the OAuth 2 spec (PR #1375)

Added

• Support for league/uri ^7.0 (PR #1367)

Security

• If a key string is provided to the CryptKey constructor with an invalid passphrase, the LogicException message generated will contain the given key. The key is no longer leaked via this exception (PR #1359)

Security

• If a key string is provided to the CryptKey constructor with an invalid passphrase, the LogicException message generated will expose the given key. The key is no longer leaked via this exception (PR #1353)

Changed

• Bumped the versions for laminas/diactoros and psr/http-message to support PSR-7 v2.0 (PR #1339)

Fixed

• Fixed PHP version constraints and lcobucci/clock version constraint to support PHP 8.1 (PR #1336)

Added

• Support for PHP 8.1 and 8.2 (PR #1333)

Removed

• Support PHP 7.2, 7.3, and 7.4 (PR #1333)

Fixed

• Fix deprecation notices for PHP 8.x (PR #1329)

Added

• You can now set a leeway for time drift between servers when validating a JWT (PR #1304)

Security

• Access token requests that contain a code_verifier but are not bound to a code_challenge will be rejected to prevent a PKCE downgrade attack (PR #1326)

Fixed

• Use LooseValidAt instead of StrictValidAt so that users aren't forced to use claims such as NBF in their JWT tokens (PR #1312)

Fixed

• Use InMemory::plainText('empty', 'empty') instead of InMemory::plainText('') to avoid new empty string exception thrown by lcobucci/jwt (PR #1282)

Fixed

• Server previously rejected valid uris with custom schemes. Now use league/uri for parsing to accept all valid uris (PR #1274)

Security

• Removed the use of LocalFileReference() in lcobucci/jwt. Function deprecated as per GHSA-7322-jrq4-x5hf (PR #1249)

Changed

• Conditionally support the StrictValidAt() method in lcobucci/jwt so we can use version 4.1.x or greater of the library (PR #1236)
• When providing invalid credentials, the library now responds with the error message The user credentials were incorrect (PR #1230)
• Keys are always stored in memory now and are not written to a file in the /tmp directory (PR #1180)
• The regex for matching the bearer token has been simplified (PR #1238)

Fixed

• Revert check on clientID. We will no longer require this to be a string (PR #1233)

Added

• The server will now validate redirect uris according to rfc8252 (PR #1203)
• Events emitted now include the refresh token and access token payloads (PR #1211)
• Use the revokeRefreshTokens() function to decide whether refresh tokens are revoked or not upon use (PR #1189)

Changed

• Keys are now validated using openssl_pkey_get_private() and openssl_pkey_get_public()` instead of regex matching (PR #1215)

Fixed

• The server will now only recognise and handle an authorization header if the value of the header is non-empty. This is to circumvent issues where some common frameworks set this header even if no value is present (PR #1170)
• Added type validation for redirect uri, client ID, client secret, scopes, auth code, state, username, and password inputs (PR #1210)
• Allow scope "0" to be used. Previously this was removed from a request because it failed an empty() check (PR #1181)

Fixed

• Reverted the enforcement of at least one redirect_uri for a client. This change has instead been moved to version 9 (PR #1169)

Added

• Re-added support for PHP 7.2 (PR #1165, #1167)

Fixed

• Fix issue where the private key passphrase isn't correctly passed to JWT library (PR #1164)

Fixed

• If you have a password on your private key, it is now passed correctly to the JWT configuration object. (PR #1159)

Added

• Add a getRedirectUri function to the OAuthServerException class (PR #1123)
• Support for PHP 8.0 (PR #1146)

Removed

• Removed support for PHP 7.2 (PR #1146)

Fixed

• Fix typo in parameter hint. code_challenged changed to code_challenge. Thrown by Auth Code Grant when the code challenge does not match the regex. (PR #1130)
• Undefined offset was returned when no client redirect URI was set. Now throw an invalidClient exception if no redirect URI is set against a client (PR #1140)

Fixed

• If you provide a valid redirect_uri with the auth code grant and an invalid scope, the server will use the given redirect_uri instead of the default client redirect uri (PR #1126)

Added

• Added support for PHP 7.4 (PR #1075)

Changed

• If an error is encountered when running preg_match() to validate an RSA key, the server will now throw a RuntimeException (PR #1047)
• Replaced deprecated methods with recommended ones when using Lcobucci\JWT\Builder to build a JWT token. (PR #1060)
• When storing a key, we no longer touch the file before writing it as this is an unnecessary step (PR #1064)
• Prefix native PHP functions in namespaces with backslashes for micro-optimisations (PR #1071)

Removed

• Support for PHP 7.1 (PR #1075)

Fixed

• Clients are now explicitly prevented from using the Client Credentials grant unless they are confidential to conform with the OAuth2 spec (PR #1035)
• Abstract method getIdentifier() added to AccessTokenTrait. The trait cannot be used without the getIdentifier() method being defined (PR #1051)
• An exception is now thrown if a refresh token is accidentally sent in place of an authorization code when using the Auth Code Grant (PR #1057)
• Can now send access token request without being forced to specify a redirect URI (PR #1096)
• In the BearerTokenValidator, if an implementation is using PDO, there is a possibility that a RuntimeException will be thrown when checking if an access token is revoked. This scenario no longer incorrectly issues an exception with a hint mentioning an issue with JSON decoding. (PR #1107)