8.3.2

Changed

• Conditionally support the StrictValidAt() method in lcobucci/jwt so we can use version 4.1.x or greater of the library (PR #1236)
• When providing invalid credentials, the library now responds with the error message The user credentials were incorrect (PR #1230)
• Keys are always stored in memory now and are not written to a file in the /tmp directory (PR #1180)
• The regex for matching the bearer token has been simplified (PR #1238)

8.3.1

Fixed

• Revert check on clientID. We will no longer require this to be a string (PR #1233)

8.3.0

Added

• The server will now validate redirect uris according to rfc8252 (PR #1203)
• Events emitted now include the refresh token and access token payloads (PR #1211)
• Use the revokeRefreshTokens() function to decide whether refresh tokens are revoked or not upon use (PR #1189)

Changed

• Keys are now validated using openssl_pkey_get_private() and openssl_pkey_get_public()` instead of regex matching (PR #1215)

Fixed

• The server will now only recognise and handle an authorization header if the value of the header is non-empty. This is to circumvent issues where some common frameworks set this header even if no value is present (PR #1170)
• Added type validation for redirect uri, client ID, client secret, scopes, auth code, state, username, and password inputs (PR #1210)
• Allow scope "0" to be used. Previously this was removed from a request because it failed an empty() check (PR #1181)

8.2.4

Fixed

• Reverted the enforcement of at least one redirect_uri for a client. This change has instead been moved to version 9 (PR #1169)

8.2.3

Added

• Re-added support for PHP 7.2 (PR #1165, #1167)

8.2.2

Fixed

• Fix issue where the private key passphrase isn't correctly passed to JWT library (PR #1164)

8.2.1

Fixed

• If you have a password on your private key, it is now passed correctly to the JWT configuration object. (PR #1159)

8.2.0

Added

• Add a getRedirectUri function to the OAuthServerException class (PR #1123)
• Support for PHP 8.0 (PR #1146)

Removed

• Removed support for PHP 7.2 (PR #1146)

Fixed

• Fix typo in parameter hint. code_challenged changed to code_challenge. Thrown by Auth Code Grant when the code challenge does not match the regex. (PR #1130)
• Undefined offset was returned when no client redirect URI was set. Now throw an invalidClient exception if no redirect URI is set against a client (PR #1140)

8.1.1

Fixed

• If you provide a valid redirect_uri with the auth code grant and an invalid scope, the server will use the given
  redirect_uri instead of the default client redirect uri (PR #1126)

8.1.0

Added

• Added support for PHP 7.4 (PR #1075)

Changed

• If an error is encountered when running preg_match() to validate an RSA key, the server will now throw a RuntimeException (PR #1047)
• Replaced deprecated methods with recommended ones when using Lcobucci\JWT\Builder to build a JWT token. (PR #1060)
• When storing a key, we no longer touch the file before writing it as this is an unnecessary step (PR #1064)
• Prefix native PHP functions in namespaces with backslashes for micro-optimisations (PR #1071)

Removed

• Support for PHP 7.1 (PR #1075)

Fixed

• Clients are now explicitly prevented from using the Client Credentials grant unless they are confidential to conform
  with the OAuth2 spec (PR #1035)
• Abstract method getIdentifier() added to AccessTokenTrait. The trait cannot be used without the getIdentifier()
  method being defined (PR #1051)
• An exception is now thrown if a refresh token is accidentally sent in place of an authorization code when using the
  Auth Code Grant (PR #1057)
• Can now send access token request without being forced to specify a redirect URI (PR #1096)
• In the BearerTokenValidator, if an implementation is using PDO, there is a possibility that a RuntimeException will be thrown when checking if an access token is revoked. This scenario no longer incorrectly issues an exception with a hint mentioning an issue with JSON decoding. (PR #1107)