Andrew Millington
Something that was confusing to me about this is the `AuthCodeGrant` [only calls `validateCredentials` for private clients](https://github.com/thephpleague/oauth2-server/blob/e1dc4d708c56fcfa205be4bb1862b6d525b4baac/src/Grant/AuthCodeGrant.php#L102) which made it seem like you no longer needed to check if the...
This PR removes the hints from the OAuthException class and instead, provides more useful error messages in the default exception error message.
The latest version of lcobucci/jwt passes an array instead of a string for the `aud` claim. To prevent breaking changes, if this array contains a single value, we convert it...
In previous versions of the server, we used to write error descriptions in a "message" parameter on the JSON payload instead of an "error_description" parameter. This was changed in recent...
At the moment, the only error we do not handle is unauthorized_client. This is issued when a client tries to use a grant they have not been given permissions to....
To use version 4 of lcobucci/jwt, we needed to init the new Configuration object. At the moment, this is instantiated locally but it would be good if we could inject...
Removed PHPStan as the version compatible with PHP 8 doesn't run any levels without us making breaking changes. Need to reinstate it in the next major version.
Most repos return `string` for their `getIdentifier()` function. However, the user repo returns `mixed`. This causes confusion as implementers might think that you can return `mixed` for a client repository...
As part of the release for version 8, I removed PHPStan's strict rules as it required big changes to a lot of signatures. I didn't want this to delay the...
The JWT library we use now supports clock leeway. We should allow implementations to use this feature in an upcoming version of this library