Skip to content

Commit

Permalink
Merge branch 'master' into Fix_LogoutToken_Validation_AUD_Claim
Browse files Browse the repository at this point in the history
  • Loading branch information
rvogel committed Mar 29, 2023
2 parents 05964b3 + 20b51cb commit dd9ceb0
Show file tree
Hide file tree
Showing 3 changed files with 216 additions and 168 deletions.
234 changes: 110 additions & 124 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,191 +1,177 @@
# Changelog
All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](http://keepachangelog.com/)
and this project adheres to [Semantic Versioning](http://semver.org/).
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [0.9.11]
## [unreleased]
* Update visibility of getWellKnownConfigValue to protected. #363
* Fixed issue on authentication for php8. #354
* Support for signed and encrypted UserInfo response. #305
* Support for signed and encrypted ID Token. #305
* Update construct typehint in docblock. #364
* Fixed LogoutToken verification for single value aud claims #334

## Fixed

* `verifyLogoutToken` fails with single-value `aud` claim #333

## [0.9.10]

## Fixed
### Added
- Support for signed and encrypted UserInfo response. #305
- Support for signed and encrypted ID Token. #305

* `private_key_jwt` and `client_secret_jwt` need to explicitly be enabled #331
## [0.9.10] - 2022-09-30

### Fixed
- `private_key_jwt` and `client_secret_jwt` need to explicitly be enabled #331

## [0.9.9]
## [0.9.9] - 2022-09-28

### Added
- Added support for back-channel logout. #302
- Added support for `private_key_jwt` Client Authentication method #322
- Added support for `client_secret_jwt` Client Authentication method #324
- Added PS512 encryption support #342

* Added support for back-channel logout. #302
* Added support for `private_key_jwt` Client Authentication method #322
* Added support for `client_secret_jwt` Client Authentication method #324
* Added PS512 encryption support #342

## Fixed

* Harden self-signed JWK header usage. #323

## [0.9.8]
### Fixed
- Harden self-signed JWK header usage. #323

## Fixed
## [0.9.8] - 2022-08-05

* Do not use PKCE if IdP does not support it. #317
### Fixed
- Do not use PKCE if IdP does not support it. #317

## [0.9.7]
## [0.9.7] - 2022-07-13

### Added

* Support for Self-Contained JWTs. #308
* Support for RFC8693 Token Exchange Request. #275
- Support for Self-Contained JWTs. #308
- Support for RFC8693 Token Exchange Request. #275

### Fixed
- PHP 5.4 compatibility. #304
- Use session_status(). #306

* PHP 5.4 compatibility. #304
* Use session_status(). #306

## [0.9.6]
## [0.9.6] - 2022-05-08

### Added

* Support for [phpseclib/phpseclib](https://phpseclib.com/) version **3**. #260
* Support client_secret on token endpoint with PKCE. #293
* Added new parameter to `requestTokens()` to pass custom HTTP headers #297
- Support for [phpseclib/phpseclib](https://phpseclib.com/) version **3**. #260
- Support client_secret on token endpoint with PKCE. #293
- Added new parameter to `requestTokens()` to pass custom HTTP headers #297

### Changed
- Allow serializing `OpenIDConnectClient` using `serialize()` #295

* Allow serializing `OpenIDConnectClient` using `serialize()` #295

## [0.9.5]
## [0.9.5] - 2021-11-24

### Changed
- signOut() Method parameter $accessToken -> $idToken to prevent confusion about access and id tokens usage. #127
- Fixed issue where missing nonce within the claims was causing an exception. #280

* signOut() Method parameter $accessToken -> $idToken to prevent confusion about access and id tokens usage. #127
* Fixed issue where missing nonce within the claims was causing an exception. #280

## [0.9.4]
## [0.9.4] - 2021-11-21

### Added
- Enabled `client_secret_basic` authentication on `refreshToken()` #215
- Basic auth support for requestResourceOwnerToken #271

* Enabled `client_secret_basic` authentication on `refreshToken()` #215
* Basic auth support for requestResourceOwnerToken #271

## [0.9.3]
## [0.9.3] - 2021-11-20

### Added
- getRedirectURL() will not log a warning for PHP 7.1+ #179
- it is now possible to disable upgrading from HTTP to HTTPS for development purposes by calling `setHttpUpgradeInsecureRequests(false)` #241
- bugfix in getSessionKey when _SESSION key does not exist #251
- Added scope parameter to refresh token request #225
- bugfix in `verifyJWTclaims` when $accessToken is empty and $claims->at_hash is not #276
- bugfix with the `empty` function in PHP 5.4 #267

* getRedirectURL() will not log a warning for PHP 7.1+ #179
* it is now possible to disable upgrading from HTTP to HTTPS for development purposes by calling `setHttpUpgradeInsecureRequests(false)` #241
* bugfix in getSessionKey when _SESSION key does not exist #251
* Added scope parameter to refresh token request #225
* bugfix in `verifyJWTclaims` when $accessToken is empty and $claims->at_hash is not #276
* bugfix with the `empty` function in PHP 5.4 #267

## [0.9.2]
## [0.9.2] - 2020-11-16

### Added
* Support for [PKCE](https://tools.ietf.org/html/rfc7636). Currently, the supported methods are 'plain' and 'S256'.
- Support for [PKCE](https://tools.ietf.org/html/rfc7636). Currently, the supported methods are 'plain' and 'S256'.

## [0.9.1]
## [0.9.1] - 2020-08-27

### Added
* Add support for MS Azure Active Directory B2C user flows
- Add support for MS Azure Active Directory B2C user flows

### Changed
* Fix at_hash verification #200
* Getters for public parameters #204
* Removed client ID query parameter when making a token request using Basic Auth
* Use of `random_bytes()` for token generation instead of `uniqid()`; polyfill for PHP < 7.0 provided.
- Fix at_hash verification #200
- Getters for public parameters #204
- Removed client ID query parameter when making a token request using Basic Auth
- Use of `random_bytes()` for token generation instead of `uniqid()`; polyfill for PHP < 7.0 provided.

### Removed
* Removed explicit content-length header - caused issues with proxy servers

- Removed explicit content-length header - caused issues with proxy servers

## [0.9.0]
## [0.9.0] - 2020-03-09

### Added
* php 7.4 deprecates array_key_exists on objects, use property_exists in getVerifiedClaims and requestUserInfo
* Adding a header to indicate JSON as the return type for userinfo endpoint #151
* ~Updated OpenIDConnectClient to conditionally verify nonce #146~
* Add possibility to change enc_type parameter for http_build_query #155
* Adding OAuth 2.0 Token Introspection #156
* Add optional parameters clientId/clientSecret for introspection #157 & #158
* Adding OAuth 2.0 Token Revocation #160
* Adding issuer validator #145
* Adding signing algorithm PS256 #180
* Check http status of request user info #186
* URL encode clientId and clientSecret when using basic authentication, according to https://tools.ietf.org/html/rfc6749#section-2.3.1 #192
* Adjust PHPDoc to state that null is also allowed #193
- php 7.4 deprecates array_key_exists on objects, use property_exists in getVerifiedClaims and requestUserInfo
- Adding a header to indicate JSON as the return type for userinfo endpoint #151
- ~Updated OpenIDConnectClient to conditionally verify nonce #146~
- Add possibility to change enc_type parameter for http_build_query #155
- Adding OAuth 2.0 Token Introspection #156
- Add optional parameters clientId/clientSecret for introspection #157 & #158
- Adding OAuth 2.0 Token Revocation #160
- Adding issuer validator #145
- Adding signing algorithm PS256 #180
- Check http status of request user info #186
- URL encode clientId and clientSecret when using basic authentication, according to https://tools.ietf.org/html/rfc6749#section-2.3.1 #192
- Adjust PHPDoc to state that null is also allowed #193

### Changed
* Bugfix/code cleanup #152
* Cleanup PHPDoc #46e5b59
* Replace unnecessary double quotes with single quotes #2a76b57
* Use original function names instead of aliases #1f37892
* Remove unnecessary default values #5ab801e
* Explicit declare field $redirectURL #9187c0b
* Remove unused code #1e65384
* Fix indent #e9cdf56
* Cleanup conditional code flow for better readability #107f3fb
* Added strict type comparisons #167
* Bugfix: required `openid` scope was omitted when additional scopes were registered using `addScope` method. This resulted in failing OpenID process.

## [0.8.0]
- Bugfix/code cleanup #152
- Cleanup PHPDoc #46e5b59
- Replace unnecessary double quotes with single quotes #2a76b57
- Use original function names instead of aliases #1f37892
- Remove unnecessary default values #5ab801e
- Explicit declare field $redirectURL #9187c0b
- Remove unused code #1e65384
- Fix indent #e9cdf56
- Cleanup conditional code flow for better readability #107f3fb
- Added strict type comparisons #167
- Bugfix: required `openid` scope was omitted when additional scopes were registered using `addScope` method. This resulted in failing OpenID process.

## [0.8.0] - 2019-01-02

### Added
* Fix `verifyJWTsignature()`: verify JWT to prevent php errors and warnings on invalid token
- Fix `verifyJWTsignature()`: verify JWT to prevent php errors and warnings on invalid token

### Changed
* Decouple session manipulation, it's allow use of other session libraries #134
* Broaden version requirements of the phpseclib/phpseclib package. #144
- Decouple session manipulation, it's allow use of other session libraries #134
- Broaden version requirements of the phpseclib/phpseclib package. #144

## [0.7.0]
## [0.7.0] - 2018-10-15

### Added
* Add "license" field to composer.json #138
* Ensure key_alg is set when getting key #139
* Add option to send additional registration parameters like post_logout_redirect_uris. #140
- Add "license" field to composer.json #138
- Ensure key_alg is set when getting key #139
- Add option to send additional registration parameters like post_logout_redirect_uris. #140

### Changed
* disabled autoload for Crypt_RSA + make refreshToken() method tolerant for errors #137
- disabled autoload for Crypt_RSA + make refreshToken() method tolerant for errors #137

### Removed
*

## [0.6.0]
## [0.6.0] - 2018-07-17

### Added
* Added five minutes leeway due to clock skew between openidconnect server and client.
* Fix save access_token from request in implicit flow authentication #129
* `verifyJWTsignature()` method private -> public #126
* Support for providers where provider/login URL is not the same as the issuer URL. #125
* Support for providers that has a different login URL from the issuer URL, for instance Azure Active Directory. Here, the provider URL is on the format: https://login.windows.net/(tenant-id), while the issuer claim actually is on the format: https://sts.windows.net/(tenant-id).
- Added five minutes leeway due to clock skew between openidconnect server and client.
- Fix save access_token from request in implicit flow authentication #129
- `verifyJWTsignature()` method private -> public #126
- Support for providers where provider/login URL is not the same as the issuer URL. #125
- Support for providers that has a different login URL from the issuer URL, for instance Azure Active Directory. Here, the provider URL is on the format: https://login.windows.net/(tenant-id), while the issuer claim actually is on the format: https://sts.windows.net/(tenant-id).

### Changed
* refreshToken method update #124
- refreshToken method update #124

### Removed
*
## [0.5.0] - 2018-04-09

## [0.5.0]
## Added
* Implement Azure AD B2C Implicit Workflow

## [0.4.1]
## Changed
* Documentation updates for include path.

## [0.4]
### Added
* Timeout is configurable via setTimeout method. This addresses issue #94.
* Add the ability to authenticate using the Resource Owner flow (with or without the Client ID and ClientSecret). This addresses issue #98
* Add support for HS256, HS512 and HS384 signatures
* Removed unused calls to $this->getProviderConfigValue("token_endpoint_
- Implement Azure AD B2C Implicit Workflow

## [0.4.1] - 2018-02-16

### Changed
- Documentation updates for include path.

### Removed
## [0.4.0] - 2018-02-15

### Added
- Timeout is configurable via setTimeout method. This addresses issue #94.
- Add the ability to authenticate using the Resource Owner flow (with or without the Client ID and ClientSecret). This addresses issue #98
- Add support for HS256, HS512 and HS384 signatures
- Removed unused calls to $this->getProviderConfigValue("token_endpoint_
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -152,7 +152,7 @@ ensure your RP performs 'single sign out' for the user even if they didn't have
device, but still had an active session there.

Either the sid or the sub may be accessible from the logout token sent from the OP. You can use either
`getSidFromBackChannel()` or `getSubFromBackChannel()` to retrieve them if it is helpful to match them to a session
`getSidFromBackChannel()` or `getSubjectFromBackChannel()` to retrieve them if it is helpful to match them to a session
in order to destroy it.

The below ensures the use of this library to ensure validation of the back-channel logout token, but is afterward
Expand Down
Loading

0 comments on commit dd9ceb0

Please sign in to comment.