Releases: thephpleague/oauth2-server
8.5.1
Fixed
- Fixed PHP version constraints and lcobucci/clock version constraint to support PHP 8.1 (PR #1336)
8.5.0
Added
- Support for PHP 8.1 and 8.2 (PR #1333)
Removed
- Support PHP 7.2, 7.3, and 7.4 (PR #1333)
8.4.1
Fixed
- Fix deprecation notices for PHP 8.x (PR #1329)
8.4.0
Added
- You can now set a leeway for time drift between servers when validating a JWT (PR #1304)
Security
- Access token requests that contain a code_verifier but are not bound to a code_challenge will be rejected to prevent a PKCE downgrade attack (PR #1326)
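The check described in this security note, written as a stand-alone PHP function that also carries out the RFC 7636 verifier comparison. This is an added example, not code from league/oauth2-server; the function names and the array keys used for the stored authorization code and the token request are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration, not library code. Array keys are assumed names.
function base64UrlEncode(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

function assertPkceBinding(array $storedAuthCode, array $tokenRequest): void
{
    $challenge = $storedAuthCode['code_challenge'] ?? null;
    $verifier  = $tokenRequest['code_verifier'] ?? null;
    if ($challenge === null) {
        // Rule from the 8.4.0 note: a verifier with no bound challenge is rejected.
        if ($verifier !== null) {
            throw new InvalidArgumentException('code_verifier sent, but no code_challenge is bound');
        }
        return; // PKCE was not used in this flow
    }
    if (!is_string($verifier) || preg_match('/^[A-Za-z0-9._~-]{43,128}$/', $verifier) !== 1) {
        throw new InvalidArgumentException('code_verifier missing or malformed');
    }
    $expected = match ($storedAuthCode['code_challenge_method'] ?? 'plain') {
        'S256'  => base64UrlEncode(hash('sha256', $verifier, true)),
        'plain' => $verifier,
        default => throw new InvalidArgumentException('unsupported code_challenge_method'),
    };
    if (!hash_equals($challenge, $expected)) {
        throw new InvalidArgumentException('code_verifier does not match code_challenge');
    }
}

// Constructed sample data: a verifier and the S256 challenge a client derives from it.
$verifier = base64UrlEncode(random_bytes(32));
$bound = ['code_challenge' => base64UrlEncode(hash('sha256', $verifier, true)), 'code_challenge_method' => 'S256'];
$cases = [
    'bound challenge, matching verifier' => [$bound, ['code_verifier' => $verifier]],
    'no bound challenge, verifier sent'  => [[], ['code_verifier' => $verifier]],
    'bound challenge, verifier omitted'  => [$bound, []],
];
foreach ($cases as $label => [$stored, $request]) {
    try {
        assertPkceBinding($stored, $request);
        echo "$label: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```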
8.3.6
Fixed
- Use LooseValidAt instead of StrictValidAt so that users aren't forced to use claims such as NBF in their JWT tokens (PR #1312)
8.3.4
Fixed
- The server previously rejected valid URIs with custom schemes. It now uses league/uri for parsing so that all valid URIs are accepted (PR #1274)
8.3.2
Changed
- Conditionally support the StrictValidAt() method in lcobucci/jwt so we can use version 4.1.x or greater of the library (PR #1236)
- When providing invalid credentials, the library now responds with the error message "The user credentials were incorrect" (PR #1230)
- Keys are always stored in memory now and are not written to a file in the /tmp directory (PR #1180)
- The regex for matching the bearer token has been simplified (PR #1238)
8.3.1
Fixed
- Revert check on clientID. We will no longer require this to be a string (PR #1233)