Merge branch 'thephpleague:master' into pass-user-id-to-finalize-scopes

Author: pl-github

.github/workflows/coding-standards.yml

@@ -31,6 +31,6 @@ jobs:
 
       - name: Install Dependencies
         run: composer update --prefer-stable --prefer-dist --no-interaction --no-progress
-          
+
       - name: Run Codesniffer
         run: vendor/bin/phpcs

.github/workflows/static-analysis.yml

@@ -12,7 +12,7 @@ jobs:
 
     strategy:
       matrix:
-        php-version: [8.1, 8.2, 8.3]
+        php-version: [8.1, 8.2, 8.3, 8.4]
         composer-stability: [prefer-lowest, prefer-stable]
         operating-system:
           - ubuntu-latest
@@ -34,4 +34,4 @@ jobs:
 
       - name: Run Static Analysis
         run: vendor/bin/phpstan analyse
-            
+

.github/workflows/tests.yml

@@ -11,25 +11,25 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        php: [8.1, 8.2, 8.3]
-        os: [ubuntu-22.04]
+        php: [8.1, 8.2, 8.3, 8.4]
+        os: [ubuntu-latest, windows-latest]
         stability: [prefer-lowest, prefer-stable]
 
     runs-on: ${{ matrix.os }}
 
-    name: PHP ${{ matrix.php }} - ${{ matrix.stability }}
+    name: PHP ${{ matrix.php }} - ${{ matrix.stability }} - ${{ matrix.os }}
 
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
-        with: 
+        with:
           fetch-depth: 0
 
       - name: Setup PHP
         uses: shivammathur/setup-php@v2
         with:
           php-version: ${{ matrix.php }}
-          extensions: dom, curl, libxml, mbstring, zip
+          extensions: dom, curl, libxml, mbstring, sodium, zip
           coverage: pcov
 
       - name: Install dependencies

CHANGELOG.md

@@ -4,6 +4,35 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+### Added
+- Added a new function to the provided ClientTrait, `supportsGrantType` to allow the auth server to issue the response `unauthorized_client` when applicable (PR #1420)
+
+### Fixed
+- Clients only validated for Refresh, Device Code, and Password grants if the client is confidential (PR #1420)
+
+### Changed
+- Key permission checks ignored on Windows regardless of userland choice as cannot be run successfully on this OS (PR #1447)
+
+## [9.1.0] - released 2024-11-21
+### Added
+- Support for PHP 8.4 (PR #1454)
+
+### Fixed
+- In the Auth Code grant, when requesting an access token with an invalid auth code, we now respond with an invalid_grant error instead of invalid_request (PR #1433)
+- Fixed spec compliance issue where device access token request was mistakenly expecting to receive scopes in the request (PR #1412)
+- Refresh tokens pre version 9 might have had user IDs set as ints which meant they were incorrectly rejected. We now cast these values to strings to allow old refresh tokens (PR #1436)
+- Fixed bug on setting interval visibility of device authorization grant (PR #1410)
+- Fix a bug where the new poll date were not persisted when `slow_down` error happens, because the exception is thrown before calling `persistDeviceCode`. (PR #1410)
+- Fix a bug where `slow_down` error response may have been returned even after the user has completed the auth flow (already approved / denied the request). (PR #1410)
+
+## [9.0.1] - released 2024-10-14
+### Fixed
+- Auto-generated event emitter is now persisted. Previously, a new emitter was generated every time (PR #1428)
+- Fixed bug where you could not omit a redirect uri even if one had not been specified during the auth request (PR #1428)
+- Fixed bug where "state" parameter wasn't present on `invalid_scope` error response and wasn't on fragment part of `access_denied` redirect URI on Implicit grant (PR #1298)
+- Fixed bug where disabling refresh token revocation via `revokeRefreshTokens(false)` unintentionally disables issuing new refresh token (PR #1449)
+
 ## [9.0.0] - released 2024-05-13
 ### Added
 - Device Authorization Grant added (PR #1074)
@@ -53,13 +82,13 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [8.5.3] - released 2023-07-06
 ### Security
-- If a key string is provided to the CryptKey constructor with an invalid 
-passphrase, the LogicException message generated will expose the given key. 
+- If a key string is provided to the CryptKey constructor with an invalid
+passphrase, the LogicException message generated will expose the given key.
 The key is no longer leaked via this exception (PR #1353)
 
 ## [8.5.2] - released 2023-06-16
 ### Changed
-- Bumped the versions for laminas/diactoros and psr/http-message to support 
+- Bumped the versions for laminas/diactoros and psr/http-message to support
 PSR-7 v2.0 (PR #1339)
 
 ## [8.5.1] - released 2023-04-04
@@ -151,13 +180,13 @@ a PKCE downgrade attack (PR #1326)
 - Removed support for PHP 7.2 (PR #1146)
 
 ### Fixed
-- Fix typo in parameter hint. `code_challenged` changed to `code_challenge`. Thrown by Auth Code Grant when the code challenge does not match the regex. (PR #1130) 
+- Fix typo in parameter hint. `code_challenged` changed to `code_challenge`. Thrown by Auth Code Grant when the code challenge does not match the regex. (PR #1130)
 - Undefined offset was returned when no client redirect URI was set. Now throw an invalidClient exception if no redirect URI is set against a client (PR #1140)
 
 ## [8.1.1] - released 2020-07-01
 
 ### Fixed
-- If you provide a valid redirect_uri with the auth code grant and an invalid scope, the server will use the given 
+- If you provide a valid redirect_uri with the auth code grant and an invalid scope, the server will use the given
 redirect_uri instead of the default client redirect uri (PR #1126)
 
 ## [8.1.0] - released 2020-04-29
@@ -177,9 +206,9 @@ redirect_uri instead of the default client redirect uri (PR #1126)
 ### Fixed
 - Clients are now explicitly prevented from using the Client Credentials grant unless they are confidential to conform
  with the OAuth2 spec (PR #1035)
-- Abstract method `getIdentifier()` added to AccessTokenTrait. The trait cannot be used without the `getIdentifier()` 
+- Abstract method `getIdentifier()` added to AccessTokenTrait. The trait cannot be used without the `getIdentifier()`
 method being defined (PR #1051)
-- An exception is now thrown if a refresh token is accidentally sent in place of an authorization code when using the 
+- An exception is now thrown if a refresh token is accidentally sent in place of an authorization code when using the
 Auth Code Grant (PR #1057)
 - Can now send access token request without being forced to specify a redirect URI (PR #1096)
 - In the BearerTokenValidator, if an implementation is using PDO, there is a possibility that a RuntimeException will be thrown when checking if an access token is revoked. This scenario no longer incorrectly issues an exception with a hint mentioning an issue with JSON decoding. (PR #1107)
@@ -233,7 +262,7 @@ Auth Code Grant (PR #1057)
 ## [7.3.0] - released 2018-11-13
 
 ### Changed
-- Moved  the `finalizeScopes()` call from `validateAuthorizationRequest` method to the `completeAuthorizationRequest` method so it is called just before the access token is issued (PR #923)
+- Moved the `finalizeScopes()` call from `validateAuthorizationRequest` method to the `completeAuthorizationRequest` method so it is called just before the access token is issued (PR #923)
 
 ### Added
 - Added a ScopeTrait to provide an implementation for jsonSerialize (PR #952)
@@ -335,7 +364,7 @@ To address feedback from the security release the following change has been made
 ## [5.1.4] - 2017-07-01
 
 - Fixed multiple security vulnerabilities as a result of a security audit paid for by the [Mozilla Secure Open Source Fund](https://wiki.mozilla.org/MOSS/Secure_Open_Source). All users of this library are encouraged to update as soon as possible to this version or version 6.0 or greater.
-	- It is recommended on each `AuthorizationServer` instance you set the `setEncryptionKey()`. This will result in stronger encryption being used. If this method is not set messages will be sent to the defined error handling routines (using `error_log`). Please see the examples and documentation for examples.
+- It is recommended on each `AuthorizationServer` instance you set the `setEncryptionKey()`. This will result in stronger encryption being used. If this method is not set messages will be sent to the defined error handling routines (using `error_log`). Please see the examples and documentation for examples.
 - TravisCI now tests PHP 7.1 (Issue #671)
 - Fix middleware example fatal error (Issue #682)
 - Fix typo in the first README sentence (Issue #690)
@@ -646,7 +675,9 @@ Version 5 is a complete code rewrite.
 
 - First major release
 
-[Unreleased]: https://github.com/thephpleague/oauth2-server/compare/9.0.0...HEAD
+[Unreleased]: https://github.com/thephpleague/oauth2-server/compare/9.1.0...HEAD
+[9.1.0]: https://github.com/thephpleague/oauth2-server/compare/9.0.1...9.1.0
+[9.0.1]: https://github.com/thephpleague/oauth2-server/compare/9.0.0...9.0.1
 [9.0.0]: https://github.com/thephpleague/oauth2-server/compare/9.0.0-RC1...9.0.0
 [9.0.0-RC1]: https://github.com/thephpleague/oauth2-server/compare/8.5.4...9.0.0-RC1
 [8.5.4]: https://github.com/thephpleague/oauth2-server/compare/8.5.3...8.5.4

README.md

@@ -21,7 +21,7 @@ Out of the box it supports the following grants:
 The following RFCs are implemented:
 
 * [RFC6749 "OAuth 2.0"](https://tools.ietf.org/html/rfc6749)
-* [RFC6750 " The OAuth 2.0 Authorization Framework: Bearer Token Usage"](https://tools.ietf.org/html/rfc6750)
+* [RFC6750 "The OAuth 2.0 Authorization Framework: Bearer Token Usage"](https://tools.ietf.org/html/rfc6750)
 * [RFC7519 "JSON Web Token (JWT)"](https://tools.ietf.org/html/rfc7519)
 * [RFC7636 "Proof Key for Code Exchange by OAuth Public Clients"](https://tools.ietf.org/html/rfc7636)
 * [RFC8628 "OAuth 2.0 Device Authorization Grant](https://tools.ietf.org/html/rfc8628)
@@ -35,6 +35,7 @@ The latest version of this package supports the following versions of PHP:
 * PHP 8.1
 * PHP 8.2
 * PHP 8.3
+* PHP 8.4
 
 The `openssl` and `json` extensions are also required.
 

composer.json

@@ -4,7 +4,7 @@
     "homepage": "https://oauth2.thephpleague.com/",
     "license": "MIT",
     "require": {
-        "php": "~8.1.0 || ~8.2.0 || ~8.3.0",
+        "php": "~8.1.0 || ~8.2.0 || ~8.3.0 || ~8.4.0",
         "ext-openssl": "*",
         "league/event": "^3.0",
         "league/uri": "^7.0",
@@ -16,9 +16,9 @@
         "psr/http-server-middleware": "^1.0"
     },
     "require-dev": {
-        "phpunit/phpunit": "^9.6.15",
-        "laminas/laminas-diactoros": "^3.3.0",
-        "phpstan/phpstan": "^1.10.55",
+        "phpunit/phpunit": "^9.6.21",
+        "laminas/laminas-diactoros": "^3.5",
+        "phpstan/phpstan": "^1.12",
         "phpstan/phpstan-phpunit": "^1.3.15",
         "roave/security-advisories": "dev-master",
         "phpstan/extension-installer": "^1.3.1",

examples/README.md

@@ -1,12 +1,11 @@
-# Example implementations
+# Example implementations (via [`Slim 3`](https://github.com/slimphp/Slim/tree/3.x))
 
 ## Installation
 
 0. Run `composer install` in this directory to install dependencies
 0. Create a private key `openssl genrsa -out private.key 2048`
-0. Create a public key `openssl rsa -in private.key -pubout > public.key`
-0. `cd` into the public directory
-0. Start a PHP server `php -S localhost:4444`
+0. Export the public key `openssl rsa -in private.key -pubout > public.key`
+0. Start local PHP server `php -S 127.0.0.1:4444 -t public/`
 
 ## Testing the client credentials grant example
 
@@ -63,12 +62,12 @@ curl -X "POST" "http://localhost:4444/device_code.php/device_authorization" \
 	--data-urlencode "client_id=myawesomeapp" \
 	--data-urlencode "client_secret=abc123" \
 	--data-urlencode "scope=basic email"
-```	
+```
 
 We have set up the example so that a user ID is already associated with the device code. In a production application you
 would implement an authorization view to allow a user to authorize the device.
 
-Issue the following cURL request to exchange your device code for an access token. Replace `{{DEVICE_CODE}}` with the 
+Issue the following cURL request to exchange your device code for an access token. Replace `{{DEVICE_CODE}}` with the
 device code returned from your first cURL post:
 
 ```
@@ -79,4 +78,4 @@ curl -X "POST" "http://localhost:4444/device_code.php/access_token" \
 	--data-urlencode "device_code={{DEVICE_CODE}}" \
 	--data-urlencode "client_id=myawesomeapp" \
 	--data-urlencode "client_secret=abc123"
-```
+```

examples/public/auth_code.php

@@ -10,6 +10,8 @@
 
 declare(strict_types=1);
 
+include __DIR__ . '/../vendor/autoload.php';
+
 use Laminas\Diactoros\Stream;
 use League\OAuth2\Server\AuthorizationServer;
 use League\OAuth2\Server\Exception\OAuthServerException;
@@ -24,10 +26,8 @@
 use Psr\Http\Message\ServerRequestInterface;
 use Slim\App;
 
-include __DIR__ . '/../vendor/autoload.php';
-
 $app = new App([
-    'settings'    => [
+    'settings' => [
         'displayErrorDetails' => true,
     ],
     AuthorizationServer::class => function () {

examples/public/client_credentials.php

@@ -24,7 +24,7 @@
 use Slim\App;
 
 $app = new App([
-    'settings'                 => [
+    'settings' => [
         'displayErrorDetails' => true,
     ],
     AuthorizationServer::class => function () {

examples/public/device_code.php

@@ -12,6 +12,7 @@
 
 include __DIR__ . '/../vendor/autoload.php';
 
+use Laminas\Diactoros\Stream;
 use League\OAuth2\Server\AuthorizationServer;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Grant\DeviceCodeGrant;
@@ -23,7 +24,6 @@
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use Slim\App;
-use Zend\Diactoros\Stream;
 
 $app = new App([
     'settings' => [

examples/public/implicit.php

@@ -10,6 +10,8 @@
 
 declare(strict_types=1);
 
+include __DIR__ . '/../vendor/autoload.php';
+
 use Laminas\Diactoros\Stream;
 use League\OAuth2\Server\AuthorizationServer;
 use League\OAuth2\Server\Exception\OAuthServerException;
@@ -22,10 +24,8 @@
 use Psr\Http\Message\ServerRequestInterface;
 use Slim\App;
 
-include __DIR__ . '/../vendor/autoload.php';
-
 $app = new App([
-    'settings'    => [
+    'settings' => [
         'displayErrorDetails' => true,
     ],
     AuthorizationServer::class => function () {

examples/public/middleware_use.php

@@ -29,7 +29,7 @@
 use Slim\App;
 
 $app = new App([
-    'settings'                 => [
+    'settings' => [
         'displayErrorDetails' => true,
     ],
     AuthorizationServer::class => function () {

examples/public/password.php

@@ -2,6 +2,8 @@
 
 declare(strict_types=1);
 
+include __DIR__ . '/../vendor/autoload.php';
+
 use League\OAuth2\Server\AuthorizationServer;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Grant\PasswordGrant;
@@ -14,8 +16,6 @@
 use Psr\Http\Message\ServerRequestInterface;
 use Slim\App;
 
-include __DIR__ . '/../vendor/autoload.php';
-
 $app = new App([
     // Add the authorization server to the DI container
     AuthorizationServer::class => function () {

examples/public/refresh_token.php

@@ -10,6 +10,8 @@
 
 declare(strict_types=1);
 
+include __DIR__ . '/../vendor/autoload.php';
+
 use League\OAuth2\Server\AuthorizationServer;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\Grant\RefreshTokenGrant;
@@ -21,10 +23,8 @@
 use Psr\Http\Message\ServerRequestInterface;
 use Slim\App;
 
-include __DIR__ . '/../vendor/autoload.php';
-
 $app = new App([
-    'settings'    => [
+    'settings' => [
         'displayErrorDetails' => true,
     ],
     AuthorizationServer::class => function () {

examples/src/Repositories/AuthCodeRepository.php

@@ -21,31 +21,31 @@ class AuthCodeRepository implements AuthCodeRepositoryInterface
     /**
      * {@inheritdoc}
      */
-    public function persistNewAuthCode(AuthCodeEntityInterface $authCodeEntity)
+    public function persistNewAuthCode(AuthCodeEntityInterface $authCodeEntity): void
     {
         // Some logic to persist the auth code to a database
     }
 
     /**
      * {@inheritdoc}
      */
-    public function revokeAuthCode($codeId)
+    public function revokeAuthCode($codeId): void
     {
         // Some logic to revoke the auth code in a database
     }
 
     /**
      * {@inheritdoc}
      */
-    public function isAuthCodeRevoked($codeId)
+    public function isAuthCodeRevoked($codeId): bool
     {
         return false; // The auth code has not been revoked
     }
 
     /**
      * {@inheritdoc}
      */
-    public function getNewAuthCode()
+    public function getNewAuthCode(): AuthCodeEntityInterface
     {
         return new AuthCodeEntity();
     }