
A spec compliant, secure by default PHP OAuth 2.0 Server

Results 109 oauth2-server issues

According to [RFC 6749](https://www.rfc-editor.org/rfc/rfc6749#section-4.2.2.1) on error response of the implicit grant, the authorization server should add parameters to the fragment component of the redirection URI. It's already done for access...

Updates the requirements on [phpunit/phpunit](https://github.com/sebastianbergmann/phpunit) to permit the latest version. Changelog Sourced from phpunit/phpunit's changelog. [9.5.24] - 2022-08-30 Added #4931: Support null and false as stand-alone types #4955: Support true...


Currently, the `RefreshTokenGrant` immediately revokes an access token when it gets refreshed. The [RFC Section 6](https://www.rfc-editor.org/rfc/rfc6749#section-6) makes no mention that this should happen. The current behavior sometimes causes issues: Some...

Currently we have to override the whole `convertToJWT` method to add custom claims to JWT. This PR makes it possible to override the new `withBuilder` method instead: `// \League\OAuth2\Server\Entities\Traits\AccessTokenTrait`...

Hey guys, has anyone tried to implement 2FA with this bundle? I tried the [scheb 2fa bundle](https://github.com/scheb/2fa) but with no luck.

RefreshTokenGrant::respondToAccessTokenRequest requires a client_secret, otherwise it will throw an exception (OAuthServerException::invalidClient). This does not make sense for non-confidential clients, as they are not able to send the client_secret.

In `AbstractGrant::issueAccessToken`, the 3rd param `$userIdentifier` must be equal to the 3rd param of `AccessTokenRepositoryInterface::getNewToken`. Change `@param string|null $userIdentifier` to `mixed` in [AbstractGrant.php#L441](https://github.com/thephpleague/oauth2-server/blob/master/src/Grant/AbstractGrant.php#L441) like in [AccessTokenRepositoryInterface.php#L27](https://github.com/thephpleague/oauth2-server/blob/master/src/Repositories/AccessTokenRepositoryInterface.php#L27)

Because `new DateTimeImmutable()` is used inside the `convertToJWT` method, it gives a different result on each call. Is it possible to add an `$issuedAt` property to make this method pure? Many thanks

The [documentation](https://oauth2.thephpleague.com/authorization-server/auth-code-grant/) states that in Part Two of an Auth Code flow, redirect_uri must contain "the same redirect URI the user was redirect back to". However, as per https://github.com/thephpleague/oauth2-server/pull/1096, it...