CHANGELOG

7.1

Add #[IsCsrfTokenValid] attribute
Add CAS 2.0 access token handler
Make empty username or empty password on form login attempts return Bad Request (400)

Add argument $badgeFqcn to Passport::addBadge()
Add argument $lifetime to LoginLinkHandlerInterface::createLoginLink()
Throw when calling the constructor of DefaultLoginRateLimiter with an empty secret

UserValueResolver no longer implements ArgumentValueResolverInterface
Deprecate calling the constructor of DefaultLoginRateLimiter with an empty secret

Add RememberMeBadge to JsonLoginAuthenticator and enable reading parameter in JSON request body
Add argument $exceptionCode to #[IsGranted]
Deprecate passing a secret as the 2nd argument to the constructor of Symfony\Component\Security\Http\RememberMe\PersistentRememberMeHandler
Add OidcUserInfoTokenHandler and OidcTokenHandler with OIDC support for AccessTokenAuthenticator
Add attributes optional array argument in UserBadge
Call UserBadge::userLoader with attributes if the argument is set
Allow to override badge fqcn on Passport::addBadge
Add SecurityTokenValueResolver to inject token as controller argument

Add maximum username length enforcement of 4096 characters in UserBadge
Add #[IsGranted()]
Deprecate empty username or password when using when using JsonLoginAuthenticator
Set custom lifetime for login link
Add $lifetime parameter to LoginLinkHandlerInterface::createLoginLink()
Add RFC6750 Access Token support to allow token-based authentication
Allow using expressions as #[IsGranted()] attribute and subject

Remove LogoutSuccessHandlerInterface and LogoutHandlerInterface, register a listener on the LogoutEvent event instead
Remove CookieClearingLogoutHandler, SessionLogoutHandler and CsrfTokenClearingLogoutHandler. Use CookieClearingLogoutListener, SessionLogoutListener and CsrfTokenClearingLogoutListener instead

Deprecate the $authenticationEntryPoint argument of ChannelListener, and add $httpPort and $httpsPort arguments
Deprecate RetryAuthenticationEntryPoint, this code is now inlined in the ChannelListener
Deprecate FormAuthenticationEntryPoint and BasicAuthenticationEntryPoint, in the new system the FormLoginAuthenticator and HttpBasicAuthenticator should be used instead
Deprecate AbstractRememberMeServices, PersistentTokenBasedRememberMeServices, RememberMeServicesInterface, TokenBasedRememberMeServices, use the remember me handler alternatives instead
Deprecate the $authManager argument of AccessListener
Deprecate not setting the $exceptionOnNoToken argument of AccessListener to false
Deprecate DeauthenticatedEvent, use TokenDeauthenticatedEvent instead
Deprecate CookieClearingLogoutHandler, SessionLogoutHandler and CsrfTokenClearingLogoutHandler. Use CookieClearingLogoutListener, SessionLogoutListener and CsrfTokenClearingLogoutListener instead
Deprecate PassportInterface, UserPassportInterface and PassportTrait, use Passport instead