Merge in master

.github/workflows/backwards-compatibility.yml

@@ -14,7 +14,8 @@ jobs:
         uses: "actions/checkout@v2"
         with:
           fetch-depth: 0
-
+      - name: Fix git safe.directory in container
+        run: mkdir -p /home/runner/work/_temp/_github_home && printf "[safe]\n\tdirectory = /github/workspace" > /home/runner/work/_temp/_github_home/.gitconfig
       - name: "Backwards Compatibility Check"
         uses: docker://nyholm/roave-bc-check-ga
         with:

.github/workflows/tests.yml

@@ -8,19 +8,29 @@ on:
 
 jobs:
   tests:
-    runs-on: ubuntu-latest
-
     strategy:
       fail-fast: false
       matrix:
-        php: [7.2, 7.3, 7.4, 8.0]
+        php: [8.1, 8.2]
+        os: [ubuntu-22.04]
         stability: [prefer-lowest, prefer-stable]
+        include:
+          - os: ubuntu-20.04
+            php: 8.0
+            stability: prefer-lowest
+          - os: ubuntu-20.04
+            php: 8.0
+            stability: prefer-stable
+
+    runs-on: ${{ matrix.os }}
 
     name: PHP ${{ matrix.php }} - ${{ matrix.stability }}
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
+        with: 
+          fetch-depth: 0
 
       - name: Setup PHP
         uses: shivammathur/setup-php@v2
@@ -30,13 +40,17 @@ jobs:
           coverage: pcov
 
       - name: Install dependencies
-        run: composer update --${{ matrix.stability }} --prefer-dist --no-interaction --no-progress
+        run:
+          composer update --${{ matrix.stability }} --prefer-dist --no-interaction --no-progress
+
+      - name: Install Scrutinizer/Ocular
+        run:
+          composer global require scrutinizer/ocular
 
       - name: Execute tests
         run: vendor/bin/phpunit --verbose --coverage-clover=coverage.clover
 
       - name: Code coverage
-        if: ${{ github.ref == 'refs/heads/master' && matrix.php != 8.0 && github.repository == 'thephpleague/oauth2-server' }}
-        run: |
-          wget https://scrutinizer-ci.com/ocular.phar
-          php ocular.phar code-coverage:upload --format=php-clover coverage.clover
+        if: ${{ github.ref == 'refs/heads/master' && github.repository == 'thephpleague/oauth2-server' }}
+        run:
+          ~/.composer/vendor/bin/ocular code-coverage:upload --format=php-clover coverage.clover

CHANGELOG.md

@@ -5,6 +5,38 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+### Changed
+- Bumped the versions for laminas/diactoros and psr/http-message to support 
+PSR-7 v2.0 (PR #1339)
+
+## [8.5.1] - released 2023-04-04
+### Fixed
+- Fixed PHP version constraints and lcobucci/clock version constraint to support PHP 8.1 (PR #1336)
+
+## [8.5.0] - released 2023-04-03
+### Added
+- Support for PHP 8.1 and 8.2 (PR #1333)
+
+### Removed
+- Support PHP 7.2, 7.3, and 7.4 (PR #1333)
+
+## [8.4.1] - released 2023-03-22
+### Fixed
+- Fix deprecation notices for PHP 8.x (PR #1329)
+
+## [8.4.0] - released 2023-02-15
+### Added
+- You can now set a leeway for time drift between servers when validating a JWT (PR #1304)
+
+### Security
+- Access token requests that contain a code_verifier but are not bound to a code_challenge will be rejected to prevent
+a PKCE downgrade attack (PR #1326)
+
+## [8.3.6] - released 2022-11-14
+### Fixed
+- Use LooseValidAt instead of StrictValidAt so that users aren't forced to use claims such as NBF in their JWT tokens (PR #1312)
+
+## [8.3.5] - released 2022-05-12
 ### Fixed
 - Use InMemory::plainText('empty', 'empty') instead of InMemory::plainText('') to avoid [new empty string exception](https://github.com/lcobucci/jwt/pull/833) thrown by lcobucci/jwt (PR #1282)
 
@@ -562,7 +594,13 @@ Version 5 is a complete code rewrite.
 
 - First major release
 
-[Unreleased]: https://github.com/thephpleague/oauth2-server/compare/8.3.4...HEAD
+[Unreleased]: https://github.com/thephpleague/oauth2-server/compare/8.5.1...HEAD
+[8.5.1]: https://github.com/thephpleague/oauth2-server/compare/8.5.0...8.5.1
+[8.5.0]: https://github.com/thephpleague/oauth2-server/compare/8.4.1...8.5.0
+[8.4.1]: https://github.com/thephpleague/oauth2-server/compare/8.4.0...8.4.1
+[8.4.0]: https://github.com/thephpleague/oauth2-server/compare/8.3.6...8.4.0
+[8.3.6]: https://github.com/thephpleague/oauth2-server/compare/8.3.5...8.3.6
+[8.3.5]: https://github.com/thephpleague/oauth2-server/compare/8.3.4...8.3.5
 [8.3.4]: https://github.com/thephpleague/oauth2-server/compare/8.3.3...8.3.4
 [8.3.3]: https://github.com/thephpleague/oauth2-server/compare/8.3.2...8.3.3
 [8.3.2]: https://github.com/thephpleague/oauth2-server/compare/8.3.1...8.3.2

README.md

@@ -30,10 +30,9 @@ This library was created by Alex Bilbie. Find him on Twitter at [@alexbilbie](ht
 
 The latest version of this package supports the following versions of PHP:
 
-* PHP 7.2
-* PHP 7.3
-* PHP 7.4
 * PHP 8.0
+* PHP 8.1
+* PHP 8.2
 
 The `openssl` and `json` extensions are also required.
 

composer.json

@@ -4,18 +4,18 @@
     "homepage": "https://oauth2.thephpleague.com/",
     "license": "MIT",
     "require": {
-        "php": "^7.2 || ^8.0",
+        "php": "^8.0",
         "ext-openssl": "*",
         "league/event": "^3.0",
-        "league/uri": "^6.4",
-        "lcobucci/jwt": "^3.4.6 || ^4.0.4",
-        "psr/http-message": "^1.0.1",
-        "defuse/php-encryption": "^2.2.1",
-        "ext-json": "*"
+        "league/uri": "^6.7",
+        "lcobucci/jwt": "^4.3 || ^5.0",
+        "psr/http-message": "^1.0.1 || ^2.0",
+        "defuse/php-encryption": "^2.3",
+        "lcobucci/clock": "^2.2 || ^3.0"
     },
     "require-dev": {
-        "phpunit/phpunit": "^8.5.13",
-        "laminas/laminas-diactoros": "^2.4.1",
+        "phpunit/phpunit": "^9.6.6",
+        "laminas/laminas-diactoros": "^3.0.0",
         "phpstan/phpstan": "^0.12.57",
         "phpstan/phpstan-phpunit": "^0.12.16",
         "roave/security-advisories": "dev-master"

examples/public/client_credentials.php

@@ -53,20 +53,16 @@
 ]);
 
 $app->post('/access_token', function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
-
     /* @var \League\OAuth2\Server\AuthorizationServer $server */
     $server = $app->getContainer()->get(AuthorizationServer::class);
 
     try {
-
         // Try to respond to the request
         return $server->respondToAccessTokenRequest($request, $response);
     } catch (OAuthServerException $exception) {
-
         // All instances of OAuthServerException can be formatted into a HTTP response
         return $exception->generateHttpResponse($response);
     } catch (\Exception $exception) {
-
         // Unknown exception
         $body = new Stream('php://temp', 'r+');
         $body->write($exception->getMessage());

examples/public/password.php

@@ -17,7 +17,6 @@
 $app = new App([
     // Add the authorization server to the DI container
     AuthorizationServer::class => function () {
-
         // Setup the authorization server
         $server = new AuthorizationServer(
             new ClientRepository(),                 // instance of ClientRepositoryInterface
@@ -46,20 +45,16 @@
 $app->post(
     '/access_token',
     function (ServerRequestInterface $request, ResponseInterface $response) use ($app) {
-
         /* @var \League\OAuth2\Server\AuthorizationServer $server */
         $server = $app->getContainer()->get(AuthorizationServer::class);
 
         try {
-
             // Try to respond to the access token request
             return $server->respondToAccessTokenRequest($request, $response);
         } catch (OAuthServerException $exception) {
-
             // All instances of OAuthServerException can be converted to a PSR-7 response
             return $exception->generateHttpResponse($response);
         } catch (\Exception $exception) {
-
             // Catch unexpected exceptions
             $body = $response->getBody();
             $body->write($exception->getMessage());

phpunit.xml.dist

@@ -1,14 +1,21 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<phpunit colors="true" convertNoticesToExceptions="true" convertWarningsToExceptions="true" stopOnError="true"
-         stopOnFailure="true" stopOnIncomplete="false" stopOnSkipped="false" bootstrap="tests/Bootstrap.php">
-    <testsuites>
-        <testsuite name="Tests">
-            <directory>./tests/</directory>
-        </testsuite>
-    </testsuites>
-    <filter>
-        <whitelist addUncoveredFilesFromWhitelist="true">
-            <directory suffix=".php">src</directory>
-        </whitelist>
-    </filter>
+<phpunit xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/9.3/phpunit.xsd"
+         colors="true"
+         stopOnError="true"
+         stopOnFailure="true"
+         stopOnIncomplete="false"
+         stopOnSkipped="false"
+         bootstrap="tests/Bootstrap.php"
+>
+  <coverage includeUncoveredFiles="true">
+    <include>
+      <directory suffix=".php">src</directory>
+    </include>
+  </coverage>
+  <testsuites>
+    <testsuite name="Tests">
+      <directory>./tests/</directory>
+    </testsuite>
+  </testsuites>
 </phpunit>

src/AuthorizationValidators/BearerTokenValidator.php

@@ -14,9 +14,8 @@
 use Lcobucci\JWT\Configuration;
 use Lcobucci\JWT\Signer\Key\InMemory;
 use Lcobucci\JWT\Signer\Rsa\Sha256;
+use Lcobucci\JWT\Validation\Constraint\LooseValidAt;
 use Lcobucci\JWT\Validation\Constraint\SignedWith;
-use Lcobucci\JWT\Validation\Constraint\StrictValidAt;
-use Lcobucci\JWT\Validation\Constraint\ValidAt;
 use Lcobucci\JWT\Validation\RequiredConstraintsViolated;
 use League\OAuth2\Server\CryptKey;
 use League\OAuth2\Server\CryptTrait;
@@ -43,12 +42,19 @@ class BearerTokenValidator implements AuthorizationValidatorInterface
      */
     private $jwtConfiguration;
 
+    /**
+     * @var \DateInterval|null
+     */
+    private $jwtValidAtDateLeeway;
+
     /**
      * @param AccessTokenRepositoryInterface $accessTokenRepository
+     * @param \DateInterval|null             $jwtValidAtDateLeeway
      */
-    public function __construct(AccessTokenRepositoryInterface $accessTokenRepository)
+    public function __construct(AccessTokenRepositoryInterface $accessTokenRepository, \DateInterval $jwtValidAtDateLeeway = null)
     {
         $this->accessTokenRepository = $accessTokenRepository;
+        $this->jwtValidAtDateLeeway = $jwtValidAtDateLeeway;
     }
 
     /**
@@ -73,10 +79,9 @@ private function initJwtConfiguration()
             InMemory::plainText('empty', 'empty')
         );
 
+        $clock = new SystemClock(new DateTimeZone(\date_default_timezone_get()));
         $this->jwtConfiguration->setValidationConstraints(
-            \class_exists(StrictValidAt::class)
-                ? new StrictValidAt(new SystemClock(new DateTimeZone(\date_default_timezone_get())))
-                : new ValidAt(new SystemClock(new DateTimeZone(\date_default_timezone_get()))),
+            new LooseValidAt($clock, $this->jwtValidAtDateLeeway),
             new SignedWith(
                 new Sha256(),
                 InMemory::plainText($this->publicKey->getKeyContents(), $this->publicKey->getPassPhrase() ?? '')
@@ -108,7 +113,7 @@ public function validateAuthorization(ServerRequestInterface $request)
             $constraints = $this->jwtConfiguration->validationConstraints();
             $this->jwtConfiguration->validator()->assert($token, ...$constraints);
         } catch (RequiredConstraintsViolated $exception) {
-            throw OAuthServerException::accessDenied('Access token could not be verified');
+            throw OAuthServerException::accessDenied('Access token could not be verified', null, $exception);
         }
 
         $claims = $token->claims();

src/Entities/Traits/ClientTrait.php

@@ -30,6 +30,7 @@ trait ClientTrait
      * Get the client's name.
      *
      * @return string
+     *
      * @codeCoverageIgnore
      */
     public function getName()

src/Entities/Traits/ScopeTrait.php

@@ -16,6 +16,7 @@ trait ScopeTrait
      *
      * @return string
      */
+    #[\ReturnTypeWillChange]
     public function jsonSerialize()
     {
         return $this->getIdentifier();

src/Grant/AbstractGrant.php

@@ -294,8 +294,8 @@ protected function validateRedirectUri(
     /**
      * Validate scopes in the request.
      *
-     * @param string|array $scopes
-     * @param string       $redirectUri
+     * @param string|array|null $scopes
+     * @param string            $redirectUri
      *
      * @throws OAuthServerException
      *