blob: e0f091055cccc07b04f302add5837a728ff7e156 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
|
# Changelog
All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](http://keepachangelog.com/)
and this project adheres to [Semantic Versioning](http://semver.org/).
## [unreleased]
## [0.9.7]
### Added
* Support for Self-Contained JWTs. #308
* Support for RFC8693 Token Exchange Request. #275
### Fixed
* PHP 5.4 compatibility. #304
* Use session_status(). #306
## [0.9.6]
### Added
* Support for [phpseclib/phpseclib](https://phpseclib.com/) version **3**. #260
* Support client_secret on token endpoint with PKCE. #293
* Added new parameter to `requestTokens()` to pass custom HTTP headers #297
### Changed
* Allow serializing `OpenIDConnectClient` using `serialize()` #295
## [0.9.5]
### Changed
* signOut() Method parameter $accessToken -> $idToken to prevent confusion about access and id tokens usage. #127
* Fixed issue where missing nonce within the claims was causing an exception. #280
## [0.9.4]
### Added
* Enabled `client_secret_basic` authentication on `refreshToken()` #215
* Basic auth support for requestResourceOwnerToken #271
## [0.9.3]
### Added
* getRedirectURL() will not log a warning for PHP 7.1+ #179
* it is now possible to disable upgrading from HTTP to HTTPS for development purposes by calling `setHttpUpgradeInsecureRequests(false)` #241
* bugfix in getSessionKey when _SESSION key does not exist #251
* Added scope parameter to refresh token request #225
* bugfix in verifyJWTclaims when $accessToken is empty and $claims->at_hash is not #276
* bugfix with the `empty` function in PHP 5.4 #267
## [0.9.2]
### Added
* Support for [PKCE](https://tools.ietf.org/html/rfc7636). Currently the supported methods are 'plain' and 'S256'.
## [0.9.1]
### Added
* Add support for MS Azure Active Directory B2C user flows
### Changed
* Fix at_hash verification #200
* Getters for public parameters #204
* Removed client ID query parameter when making a token request using Basic Auth
* Use of `random_bytes()` for token generation instead of `uniqid()`; polyfill for PHP < 7.0 provided.
### Removed
* Removed explicit content-length header - caused issues with proxy servers
## [0.9.0]
### Added
* php 7.4 deprecates array_key_exists on objects, use property_exists in getVerifiedClaims and requestUserInfo
* Adding a header to indicate JSON as the return type for userinfo endpoint #151
* ~Updated OpenIDConnectClient to conditionally verify nonce #146~
* Add possibility to change enc_type parameter for http_build_query #155
* Adding OAuth 2.0 Token Introspection #156
* Add optional parameters clientId/clientSecret for introspection #157 & #158
* Adding OAuth 2.0 Token Revocation #160
* Adding issuer validator #145
* Adding signing algorithm PS256 #180
* Check http status of request user info #186
* URL encode clientId and clientSecret when using basic authentication, according to https://tools.ietf.org/html/rfc6749#section-2.3.1 #192
* Adjust PHPDoc to state that null is also allowed #193
### Changed
* Bugfix/code cleanup #152
* Cleanup PHPDoc #46e5b59
* Replace unnecessary double quotes with single quotes #2a76b57
* Use original function names instead of aliases #1f37892
* Remove unnecessary default values #5ab801e
* Explicit declare field $redirectURL #9187c0b
* Remove unused code #1e65384
* Fix indent #e9cdf56
* Cleanup conditional code flow for better readability #107f3fb
* Added strict type comparisons #167
* Bugfix: required `openid` scope was omitted when additional scopes were registered using `addScope` method. This resulted in failing OpenID process.
## [0.8.0]
### Added
* Fix `verifyJWTsignature()`: verify JWT to prevent php errors and warnings on invalid token
### Changed
* Decouple session manipulation, it's allow use of other session libraries #134
* Broaden version requirements of the phpseclib/phpseclib package. #144
## [0.7.0]
### Added
* Add "license" field to composer.json #138
* Ensure key_alg is set when getting key #139
* Add option to send additional registration parameters like post_logout_redirect_uris. #140
### Changed
* disabled autoload for Crypt_RSA + makre refreshToken() method tolerant for errors #137
### Removed
*
## [0.6.0]
### Added
* Added five minutes leeway due to clock skew between openidconnect server and client.
* Fix save access_token from request in implicit flow authentication #129
* verifyJWTsignature() method private -> public #126
* Support for providers where provider/login URL is not the same as the issuer URL. #125
* Support for providers that has a different login URL from the issuer URL, for instance Azure Active Directory. Here, the provider URL is on the format: https://login.windows.net/(tenant-id), while the issuer claim actually is on the format: https://sts.windows.net/(tenant-id).
### Changed
* refreshToken method update #124
### Removed
*
## [0.5.0]
## Added
* Implement Azure AD B2C Implicit Workflow
## [0.4.1]
## Changed
* Documentation updates for include path.
## [0.4]
### Added
* Timeout is configurable via setTimeout method. This addresses issue #94.
* Add the ability to authenticate using the Resource Owner flow (with or without the Client ID and ClientSecret). This addresses issue #98
* Add support for HS256, HS512 and HS384 signatures
* Removed unused calls to $this->getProviderConfigValue("token_endpoint_…
### Changed
### Removed
|
