8.0.0

Added

• Flag, requireCodeChallengeForPublicClients, used to reject public clients that do not provide a code challenge for the Auth Code Grant; use AuthCodeGrant::disableRequireCodeCallengeForPublicClients() to turn off this requirement (PR #938)
• Public clients can now use the Auth Code Grant (PR #938)
• isConfidential getter added to ClientEntity to identify type of client (PR #938)
• Function validateClient() added to validate clients which was previously performed by the getClientEntity() function (PR #938)
• Add a new function to the AbstractGrant class called getClientEntityOrFail(). This is a wrapper around the getClientEntity() function that ensures we emit and throw an exception if the repo doesn't return a client entity. (PR #1010)

Changed

• Replace convertToJWT() interface with a more generic __toString() to improve extensibility; AccessTokenEntityInterface now requires setPrivateKey(CryptKey $privateKey) so __toString() has everything it needs to work (PR #874)
• The invalidClient() function accepts a PSR-7 compliant $serverRequest argument to avoid accessing the $_SERVER global variable and improve testing (PR #899)
• issueAccessToken() in the Abstract Grant no longer sets access token client, user ID or scopes. These values should already have been set when calling getNewToken() (PR #919)
• No longer need to enable PKCE with enableCodeExchangeProof flag. Any client sending a code challenge will initiate PKCE checks. (PR #938)
• Function getClientEntity() no longer performs client validation (PR #938)
• Password Grant now returns an invalid_grant error instead of invalid_credentials if a user cannot be validated (PR #967)
• Use DateTimeImmutable() instead of DateTime(), time() instead of (new DateTime())->getTimeStamp(), and DateTime::getTimeStamp() instead of DateTime::format('U') (PR #963)

Removed

• enableCodeExchangeProof flag (PR #938)
• Support for PHP 7.0 (PR #1014)
• Remove JTI claim from JWT header (PR #1031)

7.4.0

Changed

• RefreshTokenRepository can now return null, allowing refresh tokens to be optional. (PR #649)

7.3.3

Added

• Added error_description to the error payload to improve standards compliance. The contents of this are copied from the existing message value. (PR #1006)

Deprecated

• Error payload will not issue message value in the next major release (PR #1006)

7.3.2

Fixed

• Revert setting keys on response type to be inside getResponseType() function instead of AuthorizationServer constructor (PR #969)

7.3.1

Fixed

• Fix issue with previous release where interface had changed for the AuthorizationServer. Reverted to the previous interface while maintaining functionality changes (PR #970)

7.3.0

Changed

• Moved the finalizeScopes() call from validateAuthorizationRequest method to the completeAuthorizationRequest method so it is called just before the access token is issued (PR #923)

Added

• Added a ScopeTrait to provide an implementation for jsonSerialize (PR #952)
• Ability to nest exceptions (PR #965)

Fixed

• Fix issue where AuthorizationServer is not stateless as ResponseType could store state of a previous request (PR #960)

7.2.0

Changed

• Added newvalidateRedirectUri method AbstractGrant to remove three instances of code duplication (PR #912)
• Allow 640 as a crypt key file permission (PR #917)

Added

• Function hasRedirect() added to OAuthServerException (PR #703)

Fixed

• Catch and handle BadMethodCallException from the verify() method of the JWT token in the validateAuthorization method (PR #904)

4.1.7

Fixed

• Ensure empty() function call only contains variable to be compatible with PHP 5.4 (PR #918)

7.1.1

Fixed

• No longer set a WWW-Authenticate header for invalid clients if the client did not send an Authorization header in the original request (PR #902)

7.1.0

Changed

• Changed hint for unsupportedGrantType exception so it no longer references the grant type parameter which isn't always expected (PR #893)
• Upgrade PHPStan checks to level 7 (PR #856)

Added

• Added event emitters for issued access and refresh tokens (PR #860)
• Can now use Defuse\Crypto\Key for encryption/decryption of keys which is faster than the Cryto class (PR #812)