Releases: thephpleague/oauth2-server

8.3.0

03 Jun 21:55

Added

  • The server will now validate redirect URIs according to RFC 8252 (PR #1203)
  • Events emitted now include the refresh token and access token payloads (PR #1211)
  • Use the revokeRefreshTokens() function to decide whether refresh tokens are revoked or not upon use (PR #1189)
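The RFC 8252 rule behind the redirect URI change is that a native app's loopback redirect (http://127.0.0.1 or http://[::1]) may use any port, because the app binds an ephemeral port at runtime, while every other redirect URI must match the registered value exactly. The following is an added illustration of that comparison, not the library's own `RedirectUriValidator`; the function names and the registered URIs are assumptions for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from thephpleague/oauth2-server. Compares a requested
// redirect_uri against a client's registered URIs with the RFC 8252 section 7.3
// loopback exception: loopback literals may vary the port, everything else must
// match exactly. "localhost" is deliberately not treated as loopback, since the
// RFC recommends against it (it may resolve to a non-loopback address).

function isLoopbackUri(array $parts): bool
{
    if (($parts['scheme'] ?? '') !== 'http') {
        return false;
    }
    $host = $parts['host'] ?? '';
    return $host === '127.0.0.1' || $host === '[::1]';
}

function redirectUriMatches(string $requested, array $registered): bool
{
    $req = parse_url($requested);
    if ($req === false || !isset($req['scheme'], $req['host'])) {
        return false; // unparsable or relative URI: reject outright
    }

    foreach ($registered as $candidate) {
        // Exact string match is the normal, non-loopback case.
        if ($candidate === $requested) {
            return true;
        }

        $reg = parse_url($candidate);
        if ($reg === false || !isLoopbackUri($reg) || !isLoopbackUri($req)) {
            continue;
        }

        // Loopback on both sides: ignore the port, but scheme, host, path,
        // query and fragment must still agree component by component.
        foreach (['scheme', 'host', 'path', 'query', 'fragment'] as $part) {
            if (($reg[$part] ?? null) !== ($req[$part] ?? null)) {
                continue 2;
            }
        }
        return true;
    }
    return false;
}

// Constructed sample data: one native (loopback) URI and one web URI.
$registered = ['http://127.0.0.1/callback', 'https://app.example/cb'];

$cases = [
    'http://127.0.0.1:49152/callback' => true,  // loopback, different port: allowed
    'http://127.0.0.1/callback'       => true,  // exact match
    'http://127.0.0.1:49152/other'    => false, // path differs
    'https://app.example/cb'          => true,  // exact match
    'https://app.example:8443/cb'     => false, // not loopback: port must match
    'http://localhost:49152/callback' => false, // localhost is not a loopback literal here
    'https://app.example/cb/../evil'  => false, // no prefix or normalised matching
];

foreach ($cases as $uri => $expected) {
    $ok = redirectUriMatches($uri, $registered);
    printf("%-36s %s\n", $uri, $ok === $expected ? 'ok' : 'MISMATCH');
}
```

Every row should print `ok`. The point to take from the last three rows is that the loopback exception is the only relaxation: a web client's port, a different path, or a path that merely starts with the registered one are all still rejected.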

Changed

  • Keys are now validated using openssl_pkey_get_private() and openssl_pkey_get_public() instead of regex matching (PR #1215)

Fixed

  • The server will now only recognise and handle an authorization header if the value of the header is non-empty. This is to circumvent issues where some common frameworks set this header even if no value is present (PR #1170)
  • Added type validation for redirect uri, client ID, client secret, scopes, auth code, state, username, and password inputs (PR #1210)
  • Allow scope "0" to be used. Previously this was removed from a request because it failed an empty() check (PR #1181)
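Two of the fixes above are input-handling pitfalls worth seeing side by side: PHP's empty() treats the string "0" as empty, so a scope literally named "0" vanished from the request, and some frameworks always populate the Authorization header, so "header present" has to mean "header non-empty". The snippet below is an added example, not the library's request parsing; the two function names and the array-shaped request are assumptions made so it runs without a PSR-7 implementation.

```php
<?php
declare(strict_types=1);

// Added example, not code from thephpleague/oauth2-server. Shows the two input
// checks described in the 8.3.0 "Fixed" notes with strict comparisons in place
// of empty()/truthiness tests.

function scopesFromRequest(array $body, string $delimiter = ' '): array
{
    $raw = $body['scope'] ?? null;
    // The defective variant looked like: if (empty($raw)) { return []; }
    // which returns [] for the string "0" as well as for "" and null.
    if ($raw === null || $raw === '') {
        return [];
    }
    if (!is_string($raw)) {
        // Type validation: an array or object here is a malformed request.
        throw new InvalidArgumentException('scope must be a string');
    }

    $scopes = [];
    foreach (explode($delimiter, $raw) as $scope) {
        $scope = trim($scope);
        if ($scope !== '') {          // strict comparison keeps "0"
            $scopes[] = $scope;
        }
    }
    return array_values(array_unique($scopes));
}

/**
 * Returns the bearer token, or null when there is no usable Authorization
 * header. An empty header value (as some frameworks set by default) is
 * treated the same as an absent header.
 */
function bearerTokenFromHeaders(array $headers): ?string
{
    $values = $headers['Authorization'] ?? $headers['authorization'] ?? [];
    $header = is_array($values) ? (string) ($values[0] ?? '') : (string) $values;
    $header = trim($header);
    if ($header === '') {
        return null;
    }
    // RFC 6750 b64token syntax; anything else is not a bearer credential.
    if (preg_match('/^Bearer\s+([A-Za-z0-9\-._~+\/]+=*)$/i', $header, $m) !== 1) {
        return null;
    }
    return $m[1];
}

// Constructed sample requests.
$bodies = [
    ['scope' => '0'],            // ['0']
    ['scope' => 'read 0 write'], // ['read','0','write']
    ['scope' => ''],             // []
    [],                          // []
];
foreach ($bodies as $body) {
    echo json_encode(scopesFromRequest($body)), "\n";
}

$headerSets = [
    ['Authorization' => ['']],                   // framework-supplied empty value -> null
    ['Authorization' => ['Bearer abc.def-ghi']], // -> "abc.def-ghi"
    ['Authorization' => ['Basic Zm9vOmJhcg==']], // not a bearer token -> null
    [],                                          // absent -> null
];
foreach ($headerSets as $headers) {
    var_dump(bearerTokenFromHeaders($headers));
}
```

The same strict-comparison discipline applies to the other inputs the type-validation fix covers (client ID, client secret, state, username, password): decide presence with `=== null` / `=== ''` and type with `is_string()`, never with empty() or a bare truthiness test.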

8.2.4

10 Dec 11:36
622eaa1

Fixed

  • Reverted the enforcement of at least one redirect_uri for a client. This change has instead been moved to version 9 (PR #1169)

8.2.3

03 Dec 21:34
70bb329

Added

8.2.2

30 Nov 10:15

Fixed

  • Fix issue where the private key passphrase isn't correctly passed to the JWT library (PR #1164)

8.2.1

26 Nov 11:19
284c2b5

Fixed

  • If you have a password on your private key, it is now passed correctly to the JWT configuration object. (PR #1159)

8.2.0

25 Nov 23:49
8837ed9

Added

  • Add a getRedirectUri function to the OAuthServerException class (PR #1123)
  • Support for PHP 8.0 (PR #1146)

Removed

  • Removed support for PHP 7.2 (PR #1146)

Fixed

  • Fix typo in the parameter hint thrown by the Auth Code Grant when the code challenge does not match the regex: code_challenged changed to code_challenge (PR #1130)
  • Undefined offset was returned when no client redirect URI was set. Now throw an invalidClient exception if no redirect URI is set against a client (PR #1140)

8.1.1

01 Jul 11:35

Fixed

  • If you provide a valid redirect_uri with the auth code grant and an invalid scope, the server will use the given redirect_uri instead of the default client redirect uri (PR #1126)

8.1.0

29 Apr 22:20

Added

  • Added support for PHP 7.4 (PR #1075)

Changed

  • If an error is encountered when running preg_match() to validate an RSA key, the server will now throw a RuntimeException (PR #1047)
  • Replaced deprecated methods with recommended ones when using Lcobucci\JWT\Builder to build a JWT token. (PR #1060)
  • When storing a key, we no longer touch the file before writing it as this is an unnecessary step (PR #1064)
  • Prefix native PHP functions in namespaces with backslashes for micro-optimisations (PR #1071)

Removed

  • Support for PHP 7.1 (PR #1075)

Fixed

  • Clients are now explicitly prevented from using the Client Credentials grant unless they are confidential to conform with the OAuth2 spec (PR #1035)
  • Abstract method getIdentifier() added to AccessTokenTrait. The trait cannot be used without the getIdentifier() method being defined (PR #1051)
  • An exception is now thrown if a refresh token is accidentally sent in place of an authorization code when using the Auth Code Grant (PR #1057)
  • Can now send access token request without being forced to specify a redirect URI (PR #1096)
  • In the BearerTokenValidator, if an implementation is using PDO, there is a possibility that a RuntimeException will be thrown when checking if an access token is revoked. This scenario no longer incorrectly issues an exception with a hint mentioning an issue with JSON decoding. (PR #1107)

8.0.0

13 Jul 18:51
e1dc4d7

Added

  • Flag, requireCodeChallengeForPublicClients, used to reject public clients that do not provide a code challenge for the Auth Code Grant; use AuthCodeGrant::disableRequireCodeChallengeForPublicClients() to turn off this requirement (PR #938)
  • Public clients can now use the Auth Code Grant (PR #938)
  • isConfidential getter added to ClientEntity to identify type of client (PR #938)
  • Function validateClient() added to validate clients which was previously performed by the getClientEntity() function (PR #938)
  • Add a new function to the AbstractGrant class called getClientEntityOrFail(). This is a wrapper around the getClientEntity() function that ensures we emit and throw an exception if the repo doesn't return a client entity. (PR #1010)

Changed

  • Replace convertToJWT() interface with a more generic __toString() to improve extensibility; AccessTokenEntityInterface now requires setPrivateKey(CryptKey $privateKey) so __toString() has everything it needs to work (PR #874)
  • The invalidClient() function accepts a PSR-7 compliant $serverRequest argument to avoid accessing the $_SERVER global variable and improve testing (PR #899)
  • issueAccessToken() in the Abstract Grant no longer sets access token client, user ID or scopes. These values should already have been set when calling getNewToken() (PR #919)
  • No longer need to enable PKCE with enableCodeExchangeProof flag. Any client sending a code challenge will initiate PKCE checks. (PR #938)
  • Function getClientEntity() no longer performs client validation (PR #938)
  • Password Grant now returns an invalid_grant error instead of invalid_credentials if a user cannot be validated (PR #967)
  • Use DateTimeImmutable() instead of DateTime(), time() instead of (new DateTime())->getTimeStamp(), and DateTime::getTimeStamp() instead of DateTime::format('U') (PR #963)
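The PKCE entries in this release (the requireCodeChallengeForPublicClients flag under "Added", and the removal of the enableCodeExchangeProof switch under "Changed") describe two decisions: whether a public client may obtain a code without a challenge, and that any stored challenge triggers verification at the token endpoint. The code below is an added example of that flow per RFC 7636, not the library's AuthCodeGrant; the class and function names and the `$requireChallengeForPublic` parameter are assumptions standing in for the flag.

```php
<?php
declare(strict_types=1);

// Added example, not code from thephpleague/oauth2-server. Authorization-side
// acceptance of a code_challenge and token-side verification of code_verifier
// (RFC 7636), with a "require challenge for public clients" switch.

function base64UrlEncode(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

/** What the client computes from its verifier before the authorization request. */
function codeChallengeFor(string $verifier, string $method): string
{
    return $method === 'S256'
        ? base64UrlEncode(hash('sha256', $verifier, true))
        : $verifier;
}

final class Client
{
    public string $id;
    public bool $confidential;

    public function __construct(string $id, bool $confidential)
    {
        $this->id = $id;
        $this->confidential = $confidential;
    }
}

// RFC 7636 section 4.1/4.2: 43..128 characters from the unreserved set.
const PKCE_TOKEN_REGEX = '/^[A-Za-z0-9\-._~]{43,128}$/';

/**
 * Authorization endpoint: returns the challenge data to store alongside the
 * authorization code, null when the request carries no PKCE parameters, or
 * throws when the request is not acceptable.
 */
function acceptAuthorizationRequest(Client $client, array $query, bool $requireChallengeForPublic): ?array
{
    $challenge = $query['code_challenge'] ?? null;
    if ($challenge === null) {
        if (!$client->confidential && $requireChallengeForPublic) {
            throw new RuntimeException('invalid_request: code_challenge is required for public clients');
        }
        return null; // confidential client, or the requirement is switched off
    }

    $method = $query['code_challenge_method'] ?? 'plain';
    if (!in_array($method, ['plain', 'S256'], true)) {
        throw new RuntimeException('invalid_request: unsupported code_challenge_method');
    }
    if (!is_string($challenge) || preg_match(PKCE_TOKEN_REGEX, $challenge) !== 1) {
        throw new RuntimeException('invalid_request: code_challenge does not match the required format');
    }
    return ['challenge' => $challenge, 'method' => $method];
}

/**
 * Token endpoint: a stored challenge always triggers the check; no global
 * "PKCE enabled" switch is consulted. Returns true when the exchange may proceed.
 */
function verifyCodeVerifier(?array $stored, ?string $verifier): bool
{
    if ($stored === null) {
        return true; // no challenge was issued with this code
    }
    if ($verifier === null || preg_match(PKCE_TOKEN_REGEX, $verifier) !== 1) {
        return false;
    }
    $expected = codeChallengeFor($verifier, $stored['method']);
    return hash_equals($stored['challenge'], $expected); // constant-time compare
}

// Constructed walk-through for a public (native) client using S256.
$verifier = base64UrlEncode(random_bytes(32)); // 43 characters
$public   = new Client('native-app', false);

$stored = acceptAuthorizationRequest($public, [
    'code_challenge'        => codeChallengeFor($verifier, 'S256'),
    'code_challenge_method' => 'S256',
], true);

var_dump(verifyCodeVerifier($stored, $verifier));       // bool(true)
var_dump(verifyCodeVerifier($stored, $verifier . 'x')); // bool(false): wrong verifier
var_dump(verifyCodeVerifier($stored, null));            // bool(false): verifier omitted

try {
    acceptAuthorizationRequest($public, ['response_type' => 'code'], true);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n"; // public client without a challenge is refused
}
```

Leaving the requirement switched off only changes the first branch of acceptAuthorizationRequest(): a public client can then obtain a code without PKCE, but a code that was issued with a challenge is still verified.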

Removed

  • enableCodeExchangeProof flag (PR #938)
  • Support for PHP 7.0 (PR #1014)
  • Remove JTI claim from JWT header (PR #1031)

7.4.0

05 May 09:22
2eb1cf7

Changed

  • RefreshTokenRepository can now return null, allowing refresh tokens to be optional. (PR #649)