1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
|
CHANGELOG for 1.x
=================
This changelog references the relevant changes (bug and security fixes) done
in 1.x minor versions.
To see the files changed for a given bug, go to https://github.com/bshaffer/oauth2-server-php/issues/### where ### is the bug number
To get the diff between two versions, go to https://github.com/bshaffer/oauth2-server-php/compare/v1.0...v1.1
To get the diff for a specific change, go to https://github.com/bshaffer/oauth2-server-php/commit/XXX where XXX is the change hash
* 1.10.0 (2017-11-15)
PR: https://github.com/bshaffer/oauth2-server-php/pull/889
* #795 - [feature] added protected createPayload method to allow easier customization of JWT payload
* #807 - [refactor] simplifies UserInfoController constructor
* #814 - [docs] Adds https to README link
* #827 - [testing] Explicitly pulls in phpunit 4
* #828 - [docs] PHPDoc improvements and type hinting of variables.
* #829 - [bug] Fix CORS issue for revoking and requesting an access token
* #869 - [testing] Remove php 5.3 from travis and use vendored phpunit
* #834 - [feature] use random_bytes if available
* #851 - [docs] Fix PHPDoc
* #872 - [bug] Fix count() error on PHP 7.2
* #873 - [testing] adds php 7.2 to travis
* #794 - [docs] Fix typo in composer.json
* #885 - [testing] Use PHPUnit\Framework\TestCase instead of PHPUnit_Framework_TestCase
* 1.9.0 (2017-01-06)
PR: https://github.com/bshaffer/oauth2-server-php/pull/788
* bug #645 - Allow null for client_secret
* bug #651 - Fix bug in isPublicClient of Cassandra Storage
* bug #670 - Bug in client's scope restriction
* bug #672 - Implemented method to override the password hashing algorithm
* bug #698 - Fix Token Response's Content-Type to application/json
* bug #729 - Ensures unsetAccessToken and unsetRefreshToken return a bool
* bug #749 - Fix UserClaims for CodeIdToken
* bug #784 - RFC6750 compatibility
* bug #776 - Fix "redirect_uri_mismatch" for URIs with encoded characters
* bug #759 - no access token supplied to resource controller results in empty request body
* bug #773 - Use OpenSSL random method before attempting Mcrypt's.
* bug #790 - Add mongo db
* 1.8.0 (2015-09-18)
PR: https://github.com/bshaffer/oauth2-server-php/pull/643
* bug #594 - adds jti
* bug #598 - fixes lifetime configurations for JWTs
* bug #634 - fixes travis builds, upgrade to containers
* bug #586 - support for revoking tokens
* bug #636 - Adds FirebaseJWT bridge
* bug #639 - Mongo HHVM compatibility
* 1.7.0 (2015-04-23)
PR: https://github.com/bshaffer/oauth2-server-php/pull/572
* bug #500 - PDO fetch mode changed from FETCH_BOTH to FETCH_ASSOC
* bug #508 - Case insensitive for Bearer token header name ba716d4
* bug #512 - validateRedirectUri is now public
* bug #530 - Add PublicKeyInterface, UserClaimsInterface to Cassandra Storage
* bug #505 - DynamoDB storage fixes
* bug #556 - adds "code id_token" return type to openid connect
* bug #563 - Include "issuer" config key for JwtAccessToken
* bug #564 - Fixes JWT vulnerability
* bug #571 - Added unset_refresh_token_after_use option
* 1.6 (2015-01-16)
PR: https://github.com/bshaffer/oauth2-server-php/pull/496
* bug 437 - renames CryptoToken to JwtAccessToken / use_crypto_tokens to use_jwt_access_tokens
* bug 447 - Adds a Couchbase storage implementation
* bug 460 - Rename JWT claims to match spec
* bug 470 - order does not matter for multi-valued response types
* bug 471 - Make validateAuthorizeRequest available for POST in addition to GET
* bug 475 - Adds JTI table definitiion
* bug 481 - better randomness for generating access tokens
* bug 480 - Use hash_equals() for signature verification (prevents remote timing attacks)
* bugs 489, 491, 498 - misc other fixes
* 1.5 (2014-08-27)
PR: https://github.com/bshaffer/oauth2-server-php/pull/446
* bug #399 - Add DynamoDB Support
* bug #404 - renamed error name for malformed/expired tokens
* bug #412 - Openid connect: fixes for claims with more than one scope / Add support for the prompt parameter ('consent' and 'none')
* bug #411 - fixes xml output
* bug #413 - fixes invalid format error
* bug #401 - fixes code standards / whitespace
* bug #354 - bundles PDO SQL with the library
* [BC] bug #397 - refresh tokens should not be encrypted
* bug #423 - makes "scope" optional for refresh token storage
* 1.4 (2014-06-12)
PR: https://github.com/bshaffer/oauth2-server-php/pull/392
* bug #189 Storage\PDO - allows DSN string in constructor
* bug #233 Bearer Tokens - allows token in request body for PUT requests
* bug #346 Fixes open_basedir warning
* bug #351 Adds OpenID Connect support
* bug #355 Adds php 5.6 and HHVM to travis.ci testing
* [BC] bug #358 Adds `getQueryStringIdentifier()` to the GrantType interface
* bug #363 Encryption\JWT - Allows for subclassing JWT Headers
* bug #349 Bearer Tokens - adds requestHasToken method for when access tokens are optional
* bug #301 Encryption\JWT - fixes urlSafeB64Encode(): ensures newlines are replaced as expected
* bug #323 ResourceController - client_id is no longer required to be returned when calling getAccessToken
* bug #367 Storage\PDO - adds Postgres support
* bug #368 Access Tokens - use mcrypt_create_iv or openssl_random_pseudo_bytes to create token string
* bug #376 Request - allows case insensitive headers
* bug #384 Storage\PDO - can pass in PDO options in constructor of PDO storage
* misc fixes #361, #292, #373, #374, #379, #396
* 1.3 (2014-02-27)
PR: https://github.com/bshaffer/oauth2-server-php/pull/325
* bug #311 adds cassandra storage
* bug #298 fixes response code for user credentials grant type
* bug #318 adds 'use_crypto_tokens' config to Server class for better DX
* [BC] bug #320 pass client_id to getDefaultScope
* bug #324 better feedback when running tests
* bug #335 adds support for non-expiring refresh tokens
* bug #333 fixes Pdo storage for getClientKey
* bug #336 fixes Redis storage for expireAuthorizationCode
* 1.3 (2014-02-27)
PR: https://github.com/bshaffer/oauth2-server-php/pull/325
* bug #311 adds cassandra storage
* bug #298 fixes response code for user credentials grant type
* bug #318 adds 'use_crypto_tokens' config to Server class for better DX
* bug #320 pass client_id to getDefaultScope
* bug #324 better feedback when running tests
* bug #335 adds support for non-expiring refresh tokens
* bug #333 fixes Pdo storage for getClientKey
* bug #336 fixes Redis storage for expireAuthorizationCode
* 1.2 (2014-01-03)
PR: https://github.com/bshaffer/oauth2-server-php/pull/288
* bug #285 changed response header from 200 to 401 when empty token received
* bug #286 adds documentation and links to spec for not including error messages when no token is supplied
* bug #280 ensures PHP warnings do not get thrown as a result of an invalid argument to $jwt->decode()
* bug #279 predis wrong number of arguments
* bug #277 Securing JS WebApp client secret w/ password grant type
* 1.1 (2013-12-17)
PR: https://github.com/bshaffer/oauth2-server-php/pull/276
* bug #278 adds refresh token configuration to Server class
* bug #274 Supplying a null client_id and client_secret grants API access
* bug #244 [MongoStorage] More detailed implementation info
* bug #268 Implement jti for JWT Bearer tokens to prevent replay attacks.
* bug #266 Removing unused argument to getAccessTokenData
* bug #247 Make Bearer token type consistent
* bug #253 Fixing CryptoToken refresh token lifetime
* bug #246 refactors public key logic to be more intuitive
* bug #245 adds support for JSON crypto tokens
* bug #230 Remove unused columns in oauth_clients
* bug #215 makes Redis Scope Storage obey the same paradigm as PDO
* bug #228 removes scope group
* bug #227 squelches open basedir restriction error
* bug #223 Updated docblocks for RefreshTokenInterface.php
* bug #224 Adds protected properties
* bug #217 Implement ScopeInterface for PDO, Redis
* 1.0 (2013-08-12)
* bug #203 Add redirect\_status_code config param for AuthorizeController
* bug #205 ensures unnecessary ? is not set when ** bug
* bug #204 Fixed call to LogicException
* bug #202 Add explode to checkRestrictedGrant in PDO Storage
* bug #197 adds support for 'false' default scope ** bug
* bug #192 reference errors and adds tests
* bug #194 makes some appropriate properties ** bug
* bug #191 passes config to HttpBasic
* bug #190 validates client credentials before ** bug
* bug #171 Fix wrong redirect following authorization step
* bug #187 client_id is now passed to getDefaultScope().
* bug #176 Require refresh_token in getRefreshToken response
* bug #174 make user\_id not required for refresh_token grant
* bug #173 Duplication in JwtBearer Grant
* bug #168 user\_id not required for authorization_code grant
* bug #133 hardens default security for user object
* bug #163 allows redirect\_uri on authorization_code to be NULL in docs example
* bug #162 adds getToken on ResourceController for convenience
* bug #161 fixes fatal error
* bug #163 Invalid redirect_uri handling
* bug #156 user\_id in OAuth2\_Storage_AuthorizationCodeInterface::getAuthorizationCode() response
* bug #157 Fix for extending access and refresh tokens
* bug #154 ResponseInterface: getParameter method is used in the library but not defined in the interface
* bug #148 Add more detail to examples in Readme.md
|
