Version 9 RC1

.github/workflows/coding-standards.yml

@@ -0,0 +1,36 @@
+name: Coding Standards
+
+on:
+  pull_request:
+  push:
+
+jobs:
+  coding-standards:
+    name: Coding Standards
+
+    runs-on: ${{ matrix.operating-system }}
+
+    strategy:
+      matrix:
+        php-version:
+          - 8.3
+        operating-system:
+          - ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          coverage: none
+          php-version: ${{ matrix.php-version }}
+          ini-values: memory_limit=-1
+          tools: composer:v2, cs2pr
+
+      - name: Install Dependencies
+        run: composer update --prefer-stable --prefer-dist --no-interaction --no-progress
+
+      - name: Run Codesniffer
+        run: vendor/bin/phpcs

.github/workflows/static-analysis.yml

@@ -0,0 +1,37 @@
+name: Static Analysis
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  static-analysis:
+    name: Static Analysis
+
+    runs-on: ${{ matrix.operating-system }}
+
+    strategy:
+      matrix:
+        php-version: [8.1, 8.2, 8.3]
+        composer-stability: [prefer-lowest, prefer-stable]
+        operating-system:
+          - ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          coverage: none
+          php-version: ${{ matrix.php-version }}
+          ini-values: memory_limit=-1
+          tools: composer:v2, cs2pr
+
+      - name: Install Dependencies
+        run: composer update --${{ matrix.composer-stability }} --prefer-dist --no-interaction --no-progress
+
+      - name: Run Static Analysis
+        run: vendor/bin/phpstan analyse
+

.github/workflows/tests.yml

@@ -11,16 +11,9 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        php: [8.1, 8.2]
+        php: [8.1, 8.2, 8.3]
         os: [ubuntu-22.04]
         stability: [prefer-lowest, prefer-stable]
-        include:
-          - os: ubuntu-20.04
-            php: 8.0
-            stability: prefer-lowest
-          - os: ubuntu-20.04
-            php: 8.0
-            stability: prefer-stable
 
     runs-on: ${{ matrix.os }}
 
@@ -48,7 +41,7 @@ jobs:
           composer global require scrutinizer/ocular
 
       - name: Execute tests
-        run: vendor/bin/phpunit --verbose --coverage-clover=coverage.clover
+        run: vendor/bin/phpunit --coverage-clover=coverage.clover
 
       - name: Code coverage
         if: ${{ github.ref == 'refs/heads/master' && github.repository == 'thephpleague/oauth2-server' }}

CHANGELOG.md

@@ -5,6 +5,24 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+### Added
+- Device Authorization Grant added (PR #1074)
+- GrantTypeInterface has a new function, `revokeRefreshTokens()` for enabling or disabling refresh tokens after use (PR #1375)
+- A CryptKeyInterface to allow developers to change the CryptKey implementation with greater ease (PR #1044)
+- The authorization server can now finalize scopes when a client uses a refresh token (PR #1094)
+- An AuthorizationRequestInterface to make it easier to extend the AuthorizationRequest (PR #1110)
+- Added function `getKeyContents()` to the `CryptKeyInterface` (PR #1375)
+
+### Fixed
+- If a refresh token has expired, been revoked, cannot be decrypted, or does not belong to the correct client, the server will now issue an `invalid_grant` error and a HTTP 400 response. In previous versions the server incorrectly issued an `invalid_request` and HTTP 401 response (PR #1042) (PR #1082)
+
+### Changed
+- Authorization Request objects are now created through the factory method, `createAuthorizationRequest()` (PR #1111)
+- Changed parameters for `finalizeScopes()` to allow a reference to an auth code ID (PR #1112)
+- AccessTokenEntityInterface now requires the implementation of `toString()` instead of the magic method `__toString()` (PR #XXXX)
+
+### Removed
+- Removed message property from OAuthException HTTP response. Now just use error_description as per the OAuth 2 spec (PR #1375)
 
 ## [8.5.4] - released 2023-08-25
 ### Added
@@ -119,7 +137,6 @@ a PKCE downgrade attack (PR #1326)
 - If you provide a valid redirect_uri with the auth code grant and an invalid scope, the server will use the given 
 redirect_uri instead of the default client redirect uri (PR #1126)
 
-
 ## [8.1.0] - released 2020-04-29
 
 ### Added

README.md

@@ -12,27 +12,29 @@
 Out of the box it supports the following grants:
 
 * Authorization code grant
-* Implicit grant
 * Client credentials grant
-* Resource owner password credentials grant
+* Device authorization grant
+* Implicit grant
 * Refresh grant
+* Resource owner password credentials grant
 
 The following RFCs are implemented:
 
 * [RFC6749 "OAuth 2.0"](https://tools.ietf.org/html/rfc6749)
 * [RFC6750 " The OAuth 2.0 Authorization Framework: Bearer Token Usage"](https://tools.ietf.org/html/rfc6750)
 * [RFC7519 "JSON Web Token (JWT)"](https://tools.ietf.org/html/rfc7519)
 * [RFC7636 "Proof Key for Code Exchange by OAuth Public Clients"](https://tools.ietf.org/html/rfc7636)
+* [RFC8628 "OAuth 2.0 Device Authorization Grant](https://tools.ietf.org/html/rfc8628)
 
 This library was created by Alex Bilbie. Find him on Twitter at [@alexbilbie](https://twitter.com/alexbilbie).
 
 ## Requirements
 
 The latest version of this package supports the following versions of PHP:
 
-* PHP 8.0
 * PHP 8.1
 * PHP 8.2
+* PHP 8.3
 
 The `openssl` and `json` extensions are also required.
 

composer.json

@@ -4,21 +4,29 @@
     "homepage": "https://oauth2.thephpleague.com/",
     "license": "MIT",
     "require": {
-        "php": "^8.0",
+        "php": "~8.1.0 || ~8.2.0 || ~8.3.0",
         "ext-openssl": "*",
-        "league/event": "^2.2",
-        "league/uri": "^6.7 || ^7.0",
-        "lcobucci/jwt": "^4.3 || ^5.0",
-        "psr/http-message": "^1.0.1 || ^2.0",
-        "defuse/php-encryption": "^2.3",
-        "lcobucci/clock": "^2.2 || ^3.0"
+        "league/event": "^3.0",
+        "league/uri": "^7.0",
+        "lcobucci/jwt": "^5.0",
+        "psr/http-message": "^2.0",
+        "defuse/php-encryption": "^2.4",
+        "ext-json": "*",
+        "lcobucci/clock": "^2.3 || ^3.0",
+        "psr/http-server-middleware": "^1.0"
     },
     "require-dev": {
-        "phpunit/phpunit": "^9.6.6",
-        "laminas/laminas-diactoros": "^3.0.0",
-        "phpstan/phpstan": "^0.12.57",
-        "phpstan/phpstan-phpunit": "^0.12.16",
-        "roave/security-advisories": "dev-master"
+        "phpunit/phpunit": "^9.6.15",
+        "laminas/laminas-diactoros": "^3.3.0",
+        "phpstan/phpstan": "^1.10.55",
+        "phpstan/phpstan-phpunit": "^1.3.15",
+        "roave/security-advisories": "dev-master",
+        "phpstan/extension-installer": "^1.3.1",
+        "phpstan/phpstan-deprecation-rules": "^1.1.4",
+        "phpstan/phpstan-strict-rules": "^1.5.2",
+        "slevomat/coding-standard": "^8.14.1",
+        "php-parallel-lint/php-parallel-lint": "^1.3.2",
+        "squizlabs/php_codesniffer": "^3.8"
     },
     "repositories": [
         {
@@ -69,5 +77,12 @@
         "psr-4": {
             "LeagueTests\\": "tests/"
         }
+    },
+    "config": {
+        "allow-plugins": {
+            "ocramius/package-versions": true,
+            "phpstan/extension-installer": true,
+            "dealerdirect/phpcodesniffer-composer-installer": false
+        }
     }
 }

examples/README.md

@@ -51,3 +51,32 @@ curl -X "POST" "http://localhost:4444/refresh_token.php/access_token" \
 	--data-urlencode "client_secret=abc123" \
 	--data-urlencode "refresh_token={{REFRESH_TOKEN}}"
 ```
+
+## Testing the device authorization grant example
+
+Send the following cURL request. This will return a device code which can be exchanged for an access token.
+
+```
+curl -X "POST" "http://localhost:4444/device_code.php/device_authorization" \
+	-H "Content-Type: application/x-www-form-urlencoded" \
+	-H "Accept: 1.0" \
+	--data-urlencode "client_id=myawesomeapp" \
+	--data-urlencode "client_secret=abc123" \
+	--data-urlencode "scope=basic email"
+```	
+
+We have set up the example so that a user ID is already associated with the device code. In a production application you
+would implement an authorization view to allow a user to authorize the device.
+
+Issue the following cURL request to exchange your device code for an access token. Replace `{{DEVICE_CODE}}` with the 
+device code returned from your first cURL post:
+
+```
+curl -X "POST" "http://localhost:4444/device_code.php/access_token" \
+	-H "Content-Type: application/x-www-form-urlencoded" \
+	-H "Accept: 1.0" \
+	--data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:device_code" \
+	--data-urlencode "device_code={{DEVICE_CODE}}" \
+	--data-urlencode "client_id=myawesomeapp" \
+	--data-urlencode "client_secret=abc123"
+```

examples/composer.json

@@ -3,7 +3,7 @@
         "slim/slim": "^3.12.3"
     },
     "require-dev": {
-        "league/event": "^2.2",
+        "league/event": "^3.0",
         "lcobucci/jwt": "^3.4.6 || ^4.0.4",
         "psr/http-message": "^1.0.1",
         "defuse/php-encryption": "^2.2.1",