mezzio-authentication-oauth2

Update dependency league/oauth2-server to v9

Open renovate[bot] opened this issue 1 year ago • 0 comments

This PR contains the following updates:

Package: league/oauth2-server (source)
Change: ^8.3.5 -> ^8.3.5 || ^9.0.0

Release Notes

thephpleague/oauth2-server (league/oauth2-server)

v9.2.0

Added
  • Added a new function to the provided ClientTrait, supportsGrantType to allow the auth server to issue the response unauthorized_client when applicable (PR #1420)
Fixed
  • Fix a bug on setting interval visibility of device authorization grant (PR #1410)
  • Fix a bug where the new poll date was not persisted when slow_down error happens, because the exception is thrown before calling persistDeviceCode. (PR #1410)
  • Fix a bug where slow_down error response may have been returned even after the user has completed the auth flow (already approved / denied the request). (PR #1410)
  • Clients only validated for Refresh, Device Code, and Password grants if the client is confidential (PR #1420)
  • Emit RequestAccessTokenEvent and RequestRefreshTokenEvent events instead of the general RequestEvent event when an access / refresh token is issued using device authorization grant. (PR #1467)
Changed
  • Key permission checks are ignored on Windows regardless of userland choice, as they cannot be run successfully on this OS (PR #1447)

v9.1.0

Added
Fixed
  • In the Auth Code grant, when requesting an access token with an invalid auth code, we now respond with an invalid_grant error instead of invalid_request (PR #1433)
  • Fixed spec compliance issue where device access token request was mistakenly expecting to receive scopes in the request (PR #1412)
  • Refresh tokens pre version 9 might have had user IDs set as ints which meant they were incorrectly rejected. We now cast these values to strings to allow old refresh tokens (PR #1436)

v9.0.1

Fixed
  • Auto-generated event emitter is now persisted. Previously, a new emitter was generated every time (PR #1428)
  • Fixed bug where you could not omit a redirect uri even if one had not been specified during the auth request (PR #1428)
  • Fixed bug where "state" parameter wasn't present on invalid_scope error response and wasn't on fragment part of access_denied redirect URI on Implicit grant (PR #1298)
  • Fixed bug where disabling refresh token revocation via revokeRefreshTokens(false) unintentionally disables issuing new refresh token (PR #1449)

v9.0.0

Added
  • Device Authorization Grant added (PR #1074)
  • GrantTypeInterface has a new function, revokeRefreshTokens() for enabling or disabling refresh tokens after use (PR #1375)
  • A CryptKeyInterface to allow developers to change the CryptKey implementation with greater ease (PR #1044)
  • The authorization server can now finalize scopes when a client uses a refresh token (PR #1094)
  • An AuthorizationRequestInterface to make it easier to extend the AuthorizationRequest (PR #1110)
  • Added function getKeyContents() to the CryptKeyInterface (PR #1375)
Fixed
  • Basic authorization is now case insensitive (PR #1403)
  • If a refresh token has expired, been revoked, cannot be decrypted, or does not belong to the correct client, the server will now issue an invalid_grant error and an HTTP 400 response. In previous versions the server incorrectly issued an invalid_request and HTTP 401 response (PR #1042) (PR #1082)
Changed
  • All interfaces now specify types for all params and return values. Strict typing enforced (PR #1074)
  • Request parameters are now parsed into strings to use internally in the library (PR #1402)
  • Authorization Request objects are now created through the factory method, createAuthorizationRequest() (PR #1111)
  • Changed parameters for finalizeScopes() to allow a reference to an auth code ID (PR #1112)
  • AccessTokenEntityInterface now requires the implementation of toString() instead of the magic method __toString() (PR #1395)
Removed
  • Removed message property from OAuthException HTTP response. Now just use error_description as per the OAuth 2 spec (PR #1375)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

Read more information about the use of Renovate Bot within Laminas.

renovate[bot], May 22 '24 23:05