Added

• Added a new function to the provided ClientTrait, supportsGrantType to allow the auth server to issue the response unauthorized_client when applicable (PR #1420)

Fixed

• Fix a bug on setting interval visibility of device authorization grant (PR #1410)
• Fix a bug where the new poll date were not persisted when slow_down error happens, because the exception is thrown before calling persistDeviceCode. (PR #1410)
• Fix a bug where slow_down error response may have been returned even after the user has completed the auth flow (already approved / denied the request). (PR #1410)
• Clients only validated for Refresh, Device Code, and Password grants if the client is confidential (PR #1420)
• Emit RequestAccessTokenEvent and RequestRefreshTokenEvent events instead of the general RequestEvent event when an access / refresh token is issued using device authorization grant. (PR #1467)

Fixed

• PHP 8.4 deprecation notices fixed (PR #1466)

Fixed

• PHP 8.4 deprecation notices fixed (PR #1466)

Added

• Support for PHP 8.4 (PR #1454)

Fixed

• In the Auth Code grant, when requesting an access token with an invalid auth code, we now respond with an invalid_grant error instead of invalid_request (PR #1433)
• Fixed spec compliance issue where device access token request was mistakenly expecting to receive scopes in the request (PR #1412)
• Refresh tokens pre version 9 might have had user IDs set as ints which meant they were incorrectly rejected. We now cast these values to strings to allow old refresh tokens (PR #1436)

Fixed

• Auto-generated event emitter is now persisted. Previously, a new emitter was generated every time (PR #1428)
• Fixed bug where you could not omit a redirect uri even if one had not been specified during the auth request (PR #1428)
• Fixed bug where "state" parameter wasn't present on invalid_scope error response and wasn't on fragment part of access_denied redirect URI on Implicit grant (PR #1298)
• Fixed bug where disabling refresh token revocation via revokeRefreshTokens(false) unintentionally disables issuing new refresh token (PR #1449)

Added

• Device Authorization Grant added (PR #1074)
• GrantTypeInterface has a new function, revokeRefreshTokens() for enabling or disabling refresh tokens after use (PR #1375)
• A CryptKeyInterface to allow developers to change the CryptKey implementation with greater ease (PR #1044)
• The authorization server can now finalize scopes when a client uses a refresh token (PR #1094)
• An AuthorizationRequestInterface to make it easier to extend the AuthorizationRequest (PR #1110)
• Added function getKeyContents() to the CryptKeyInterface (PR #1375)

Fixed

• Basic authorization is now case insensitive (PR #1403)
• If a refresh token has expired, been revoked, cannot be decrypted, or does not belong to the correct client, the server will now issue an invalid_grant error and a HTTP 400 response. In previous versions the server incorrectly issued an invalid_request and HTTP 401 response (PR #1042) (PR #1082)

Changed

• All interfaces now specify types for all params and return values. Strict typing enforced (PR #1074)
• Request parameters are now parsed into strings to use internally in the library (PR #1402)
• Authorization Request objects are now created through the factory method, createAuthorizationRequest() (PR #1111)
• Changed parameters for finalizeScopes() to allow a reference to an auth code ID (PR #1112)
• AccessTokenEntityInterface now requires the implementation of toString() instead of the magic method __toString() (PR #1395)

Removed

• Removed message property from OAuthException HTTP response. Now just use error_description as per the OAuth 2 spec (PR #1375)

Added

• Device Authorization Grant added (PR #1074)
• GrantTypeInterface has a new function, revokeRefreshTokens() for enabling or disabling refresh tokens after use (PR #1375)
• A CryptKeyInterface to allow developers to change the CryptKey implementation with greater ease (PR #1044)
• The authorization server can now finalize scopes when a client uses a refresh token (PR #1094)
• An AuthorizationRequestInterface to make it easier to extend the AuthorizationRequest (PR #1110)
• Added function getKeyContents() to the CryptKeyInterface (PR #1375)

Fixed

• If a refresh token has expired, been revoked, cannot be decrypted, or does not belong to the correct client, the server will now issue an invalid_grant error and a HTTP 400 response. In previous versions the server incorrectly issued an invalid_request and HTTP 401 response (PR #1042) (PR #1082)

Changed

• Authorization Request objects are now created through the factory method, createAuthorizationRequest() (PR #1111)
• Changed parameters for finalizeScopes() to allow a reference to an auth code ID (PR #1112)
• AccessTokenEntityInterface now requires the implementation of toString() instead of the magic method __toString() (PR #1395)

Removed

• Removed message property from OAuthException HTTP response. Now just use error_description as per the OAuth 2 spec (PR #1375)

Added

• Support for league/uri ^7.0 (PR #1367)

Security

• If a key string is provided to the CryptKey constructor with an invalid
  passphrase, the LogicException message generated will contain the given key.
  The key is no longer leaked via this exception (PR #1359)

Security

• If a key string is provided to the CryptKey constructor with an invalid
  passphrase, the LogicException message generated will expose the given key.
  The key is no longer leaked via this exception (PR #1353)