- Added support for `xp-forge/sessions` version 4.0+ - @thekid
- Heads up: Removed support for instantiating OAuth flows w/o callback (@thekid)
- Changed `SessionBased` authentication to send 401 for sub-requests (e.g. images, fetch(), ...), implementing feature suggested in #38 (@thekid)
- Merged PR #37: Refactor OAuth1 & OAuth2 flows, fixing possible flow error states and simplifying their implementation (@thekid)
- Added PHP 8.6 to the test matrix - @thekid
- Merged PR #36: Add support for PKCE for OAuth2. This implements, among other things, the client side of MCP auth described in xp-forge/mcp#11 (@thekid)
- Made the `web.auth.oauth.JWT` class implement the `lang.Value` interface (@thekid)
- Merged PR #35: Add `JWT::from()` and `JWT::tryFrom()` to parse JWTs from a given token (@thekid)
- Made compatible with `xp-forge/address` 7.0+, fixing deprecation warnings about null in array offsets in PHP 8.5+ (@thekid)
- Fixed OAuth (1 and 2) flows raising flow mismatches when invoked with server state inside a freshly created session, e.g. users having the URL including `?state=...` bookmarked or pressing the browser's back button. (@thekid)
- Merged PR #34: Extend `Flow::target()` to accept strings and URLs (@thekid)
- Added PHP 8.5 to test matrix - @thekid
- Dropped support for older dependency versions - @thekid
- Merged PR #33: Refactor OAuth flows to handle parallel requests - @thekid
- Fixed OAuth2 implementation to redirect to the correct target URL when reusing state from a previous authorization flow. (@thekid)
- Merged PR #31: Make it possible to change the session namespace (CAS) (@thekid)
- Merged PR #30: Make it possible to change the session namespace (OAuth) (@thekid)
- Merged PR #29: Make callback and scopes mutable - @thekid
- Dropped support for PHP 7.0 - 7.3, step 1 of xp-framework/rfc#343 (@thekid)
- Merged PR #28: Refactor CAS authentication flow to use address library (@thekid)
- Made compatible with `xp-framework/xml` 12.0+ - @thekid
- Made compatible with XP 12 - @thekid
- Implemented xp-framework/rfc#341: Drop XP <= 9 compatibility - @thekid
- Heads up: Removed deprecated Token class which has been replaced by `web.auth.oauth.BySecret` (@thekid)
- Added PHP 8.4 to the test matrix - @thekid
- Made this library compatible with xp-forge/web version 4.0 - @thekid
- Merged PR #27: Add `UserInfo` to map the returned user from a flow (@thekid)
- Merged PR #25: Extract OAuth 2 backend interaction into dedicated class (@thekid)
- Merged PR #24: Implement certificate-based OAuth2 flow - @thekid
- Merged PR #23: Migrate to new testing library - @thekid
- Merged PR #21: Reuse state when previous redirect was incomplete, see also #19 ("Flow error") (@thekid)
- Merged PR #18: Automatically refresh OAuth2 tokens - @thekid
- Made compatible with `xp-forge/sessions` version 3.0 - @thekid
- Merged PR #15: Add OAuth2Flow::refresh() - which uses `refresh_token` to create a new access token (@thekid)
- Fixed session potentially being transmitted twice when completing an authentication flow. (@thekid)
- Fixed "Creation of dynamic property" warnings in PHP 8.2 - @thekid
- Merged PR #14: Store "id_token" if returned from OAuth token endpoint (@thekid)
- Made library compatible with XP 11, `xp-framework/xml` version 11.0.0 and `xp-forge/json` version 5.0.0 (@thekid)
- Made compatible with XP web 3.0, see xp-forge/web#83 - @thekid
- Merged PR #13: Create random token, store in session and pass to request. Heads up: Submitting forms without CSRF tokens will result in a `400` error being displayed! (@thekid)
- Fixed issue #10: Undefined array key "token_type" when response value does not contain this key. The spec clearly states this is REQUIRED (https://tools.ietf.org/html/rfc6749#section-5.1), but some implementations do not return it nevertheless. Default to `Bearer` in this case. (@thekid)
- Reset state after authentication via OAuth in order to prevent dead ends with expired tokens - instead, authentication will be retried (@thekid)
- Made it possible to send more than just `GET` requests with `fetch()` (@thekid)
- Heads up: OAuth implementations now require a callback URL. If omitted, a deprecation notice will be raised, which will not break production code but make unit tests fail. (@thekid)
- Merged PR #6: Fix callback URL mismatches, fixing issue #5 - @thekid
- Fixed `ISession::transmit()` not being called after authentication (@thekid)
- Added support for redirecting to URLs with fragments (`/#/users/123`) for OAuth1 and OAuth2; previously only CAS flows supported these. (@thekid)
- Heads up: Refactored `web.auth.Flow` interface to an abstract class (@thekid)
- Heads up: Refactored `Authentication` to be a base class of the two implementations, `web.auth.Basic` and `web.auth.SessionBased` (@thekid)
- Merged PR #4: Implement `Authentication::optional()` - @thekid
- Merged PR #3: Implement basic authentication - @thekid
- Merged PR #2: Add `Authentication::required()` method - @thekid
- Merged PR #1: Add CAS login flow, supporting CAS protocol version 2.0+, see https://apereo.github.io/cas (@thekid)
- Fixed OAuth flows throwing exceptions when a previous authorization flow was not completed successfully. Instead, retry authorization. (@thekid)
- Implemented xp-framework/rfc#334: Drop PHP 5.6:
  - Heads up: Minimum required PHP version now is PHP 7.0.0
  - Rewrote code base, grouping use statements (@thekid)
- Removed `session_state` parameter for OAuth 2.0 responses. See https://stackoverflow.com/questions/24922550/azure-active-directory-session-state (@thekid)
- Added support for text/plain and application/x-www-form-urlencoded values to `Response::value()` (@thekid)
- Added support for authenticating against Microsoft's Office 365:
  - Added support for JSON responses when fetching OAuth2 tokens
  - Added support for passing scope to OAuth2 flow (@thekid)
- Updated session library dependency to 1.0 - @thekid
- Made compatible with XP 10 - @thekid
- Hello World! First release - @thekid