6.1.0

• Changed the token type issued by the Implicit Grant to be Bearer instead of bearer. (PR #724)
• Replaced call to array_key_exists() with the faster isset() on the Implicit Grant. (PR #749)
• Allow specification of query delimiter character in the Password Grant (PR #801)
• Add Zend Diactoros library dependency to examples (PR #678)
• Can set default scope for the authorization endpoint. If no scope is passed during an authorization request, the default scope will be used if set. If not, the server will issue an invalid scope exception (PR #811)
• Added validation for redirect URIs on the authorization end point to ensure exactly one redirection URI has been passed (PR #573)

5.1.6

• Add toggle to disable key permissions check. (Issue #776)

6.0.2

• An invalid refresh token that can't be decrypted now returns a HTTP 401 error instead of HTTP 400 (Issue #759)
• Removed chmod from CryptKey and add toggle to disable checking (Issue #776)
• Fixes invalid code challenge method payload key name (Issue #777)

5.1.5

To address feedback from the security release the following two changes have been made:

• If an RSA key cannot be chmod'ed to 600 then it will now throw a E_USER_NOTICE instead of an exception.
• Not using the new encryption key method on AuthorizationServer will set throw an E_USER_DEPRECATED message instead of an error.

6.0.0

• Breaking change: The AuthorizationServer constructor now expects an encryption key string instead of a public key
• Remove support for HHVM
• Remove support for PHP 5.5

5.1.4

• Fixed multiple security vulnerabilities as a result of a security audit paid for by the Mozilla Secure Open Source Fund. All users of this library are encouraged to update as soon as possible to this version or version 6.0 or greater.
  • It is recommended on each AuthorizationServer instance you set the setEncryptionKey(). This will result in stronger encryption being used. If this method is not set messages will be sent to the defined error handling routines (using error_log). Please visit this page for more information - https://oauth2.thephpleague.com/v5-security-improvements/
• TravisCI now tests PHP 7.1 (Issue #671)
• Fix middleware example fatal error (Issue #682)
• Fix typo in the first README sentence (Issue #690)
• Corrected DateInterval from 1 min to 1 month (Issue #709)

5.1.1

• Improved test suite (Issue #614)
• Updated docblocks (Issue #616)
• Replace array_shift with foreach loop (Issue #621)
• Allow easy addition of custom fields to Bearer token response (Issue #624)
• Key file auto-generation from string (Issue #625)

5.1.0

• Implemented RFC7636 (Issue #574)
• Unify middleware exception responses (Issue #578)
• Updated examples (Issue #589)
• Ensure state is in access denied redirect (Issue #597)
• Remove redundant isExpired() method from entity interfaces and traits (Issue #600)
• Added a check for unique access token constraint violation (Issue #601)
• Look at Authorization header directly for HTTP Basic auth checks (Issue #604)
• Added catch Runtime exception when parsing JWT string (Issue #605)
• Allow paragonie/random_compat 2.x (Issue #606)
• Added indigophp/hash-compat to Composer suggestions and require-dev for PHP 5.5 support

5.0.3

• Fix hints in PasswordGrant (Issue #560)
• Add meaning of Resource owner to terminology.md (Issue #561)
• Use constant for event name instead of explicit string (Issue #563)
• Remove unused request property (Issue #564)
• Correct wrong phpdoc (Issue #569)
• Fixed typo in exception string (Issue #570)

5.0.2

• state parameter is now correctly returned after implicit grant authorization
• Small code and docblock improvements