- Bug #392: Now using array as default value for `token_endpoint_auth_methods_supported` in `OpenIdConnect::applyClientCredentialsToRequest()` (strtob, rhertogh)
- Enh #387: Use appropriate exception if client does not exist (eluhr)
- Enh #388: Added support to configure the OAuth2 access token location in requests and added a generic OAuth2 client (rhertogh)
- Enh #389: Added ability to configure OpenIdConnect cache duration, default is 1 week (viktorprogger)
- Enh GHSA-w8vh-p74j-x9xp: Improved security for OAuth1, OAuth2 and OpenID Connect clients by using timing attack safe string comparison (rhertogh)
- Enh GHSA-rw54-6826-c8j5: Improved security for OAuth2 client by requiring an `authCodeVerifier` if PKCE is enabled and clearing it after usage (rhertogh)
- Bug #364: Use issuer claim from OpenID Configuration (radwouters)
- Enh #367: Throw more specific `ClientErrorResponseException` when the response code in `BaseOAuth::sendRequest()` is a 4xx (rhertogh)
- Bug #351: Unable to set TokenParamKey in OAuth2 config, gets hard overwritten in OAuth2::createToken() (DSTester)
- Bug #354: Fix PHP 8.1 deprecated message in BaseOAuth `stripos(): Passing null to parameter #1 ($haystack) of type string is deprecated` (marty-macfly)
- Bug #330: OpenID Connect client now defaults to `'client_secret_basic'` in case `token_endpoint_auth_methods_supported` isn't specified (rhertogh)
- Bug #331: OpenID Connect `aud` claim can either be a string or a list of strings (azmeuk)
- Bug #332: OpenID Connect `aud` nonce is passed from the authentication request to the token request (azmeuk)
- Bug #339: OpenID Connect client now regenerates a new `nonce` when refreshing the access token (rhertogh)
- Bug #344: Fix Facebook OAuth 400 error when latin characters are used in App name (pawelkania)
- Enh #279: Add `AuthAction::$defaultClientId` and `AuthAction::getClientId()` (ditibal)
- Enh #341: OpenID Connect client now uses access token `'id_token'` claim for `getUserAttributes()` if `userinfo_endpoint` is not available (rhertogh)
- Enh #342: OpenID Connect client support for JWT in `userinfo_endpoint` response (rhertogh)
- Enh #318: Add `statusCode` from response to init `InvalidResponseException` in `sendRequest` method of `yii\authclient\BaseOAuth` class (vleedev)
- Enh #327: Use `random_int()` when generating OAuth1 nonce (samdark)
- Chg #315: Add proof key for code exchange PKCE support to oauth2 (AdeAttwood)
- Bug #312: do not refresh access token if it is not expired (albertborsos)
- Bug #309: Try to refresh token in `BaseOAuth->beforeApiRequestSend()` if `BaseOAuth->autoRefreshAccessToken = true` instead of throwing "Invalid access token" exception (marty-macfly)
- Bug #311: Fix PHP 8 compatibility (samdark)
- Bug #292: Updated GitHub token transfer method according to https://developer.github.com/changes/2019-11-05-deprecated-passwords-and-authorizations-api/#authenticating-using-query-parameters (raidkon)
- Bug #288: Default request option for turning off SSL peer verification was removed (Rutger, samdark)
- Enh #205: Add alternative storage system based on cache component (marty-macfly, tunecino)
- Enh #217: Replace spomky-labs/jose by JWT Framework (marty-macfly, smcyr)
- Enh #276: Bumped VK API version to 5.95, according to developers recommendation (EvgeniyRRU)
- Enh #278: Keep only selected parameters in default return URLs of OAuth services (albertborsos)
- Chg #273: `OpenIdConnect::validateClaims()` is now protected (samdark)
- Bug #270: Updated Facebook icon to match brand guidelines (ServerDotBiz)
- Bug #252: Fix bug when `OAuthToken` is incorrectly instantiated if configuration array has incorrect order (rob006)
- Bug #266: Updated Google client image (nurielmeni)
- Bug #267: Upgrade LinkedIn client to v2 (machour)
- Bug #237: Fix redirect from LinkedIn if user refused to authorize permissions request (jakim)
- Enh #218: Allow configuring user component in `AuthAction` (samdark, lab362)
- Enh #258: Use Google Sign-in API instead of Google Plus in `yii\authclient\clients\Google` as Google Plus is deprecated (alexeevdv)
- Enh #259: Allow to pass buildAuthUrl params to OAuth flows in `AuthAction` (albertborsos)
- Bug #241: Unset parameter `scope` on `defaultReturnUrl` for `OAuth2` class since it was causing bad request response from Google provider (okiwan)
- Bug #211: `RsaSha` was not passing `$key` to `openssl_pkey_get_private()` in `generateSignature()` (cfhodges)
- Bug #220: Make `OpenIdConnect` client send token as bearer auth instead of querystring parameter (lukos)
- Bug #237: Fixed redirect if user cancels login in auth form (msvit1989)
- Enh #203: Updated VKontakte client to use API version 5.0 (Shketkol)
- Enh #187: URL endpoints for `authUrl` and `tokenUrl` for `yii\authclient\clients\LinkedIn` updated (Felli)
- Enh #195: `yii\authclient\AuthAction` refactored to use `yii\web\Application::$request` for request data access (klimov-paul)
- Enh #196: Added `yii\authclient\AuthAction::$cancelCallback` allowing custom handling for authentication cancelation (terales, klimov-paul)
- Bug #152: Fixed JavaScript callback generated by `\yii\authclient\widgets\GooglePlusButton` consider 'immediate_failed' as instant auth error (klimov-paul)
- Bug: Usage of deprecated `yii\base\Object` changed to `yii\base\BaseObject` allowing compatibility with PHP 7.2 (klimov-paul)
- Enh #178: Added `yii\authclient\clients\TwitterOAuth2` supporting 'application-only authentication' workflow for Twitter (klimov-paul)
- Enh #179: Added `apiVersion` at `yii\authclient\clients\VKontakte` (isudakoff)
- Enh #185: `yii\authclient\clients\VKontakte::initUserAttributes()` now throws verbose exception on unexpected API response instead of PHP error (klimov-paul)
- Bug #152: Fixed `\yii\authclient\OAuth1::fetchRequestToken()` skips formatting for `yii\httpclient\Request` (klimov-paul)
- Bug #160: Fixed `\yii\authclient\OAuth1::composeSignatureBaseString()` does not take URL query string into account (klimov-paul)
- Enh #155: Added `\yii\authclient\OpenIdConnect` supporting OpenID Connect protocol (klimov-paul)
- Enh #156: Added `\yii\authclient\signature\RsaSha` and `\yii\authclient\signature\HmacSha` supporting general 'SHAwithRSA' and 'HMAC SHA' signature methods (klimov-paul)
- Enh #157: Added `\yii\authclient\OAuth2::authenticateUserJwt()` supporting authentication via JSON Web Token (JWT) (klimov-paul)
- Enh #163: Added support for exchanging access token at `yii\authclient\clients\Facebook` (klimov-paul)
- Enh #163: Added support for client-specific access tokens at `yii\authclient\clients\Facebook` (klimov-paul)
- Chg #163: `yii\authclient\clients\Facebook::$autoRefreshAccessToken` is now disabled by default (klimov-paul)
- Bug #135: Fixed `\yii\authclient\OAuth1::fetchRequestToken()` duplicates auth params in the request body, which may cause error on some OAuth 1.0 providers (klimov-paul)
- Bug #149: Changed `$` to `jQuery` to prevent global conflicts in widget JavaScript (Ariestattoo)
- Enh #67: Added `appsecret_proof` generation for the API requests at `yii\authclient\clients\Facebook` (blackhpro, SDKiller, klimov-paul)
- Bug #128: Fixed `\yii\authclient\BaseClient::createRequest()` does not apply `defaultRequestOptions` and `requestOptions` (klimov-paul)
- Bug #130: Fixed `\yii\authclient\OAuth1::fetchRequestToken()` unable to unset current access token (klimov-paul)
- Enh #27: Added `\yii\authclient\OAuth1::authorizationHeaderMethods` option allowing to control request methods, which require authorization header (klimov-paul)
- Enh #132: URL endpoints for `authUrl` and `tokenUrl` for `yii\authclient\clients\VKontakte` updated (KhristenkoYura)
- Enh #27: This extension no longer requires PHP 'cURL' extension to be installed (klimov-paul)
- Enh #30: Added support for 'client_credentials' grant type via `\yii\authclient\OAuth2::authenticateClient()` (klimov-paul)
- Enh #33: Added ability to pass raw request content at `\yii\authclient\BaseOAuth::api()` (klimov-paul)
- Enh #41: Added support for signature generation from request token at `\yii\authclient\OAuth1::fetchAccessToken()` (klimov-paul)
- Enh #63: Markup for `\yii\authclient\widgets\AuthChoice` simplified (klimov-paul)
- Enh #108: This extension now uses `yii2-httpclient` library for the HTTP requests (klimov-paul)
- Enh #118: Added support for 'password' grant type via `\yii\authclient\OAuth2::authenticateUser()` (klimov-paul)
- Enh #121: Auth client 'State Storage' abstraction layer extracted (klimov-paul)
- Enh #124: Methods `clientLink()` and `renderMainContent()` of `yii\authclient\widgets\AuthChoice` reworked to return HTML instead of echo (klimov-paul)
- Enh #127: Auth 'state' validation added to `OAuth2` for preventing cross-site request forgery (klimov-paul)
- Bug #37: Fixed `\yii\authclient\widgets\AuthChoice` overrides any `<a>` tag click behavior between `begin()` and `end()` methods (klimov-paul)
- Enh #31: Allow to disable automatic 'refresh access token' requests (klimov-paul)
- Enh #58: Added support for user attribute request params setup for Twitter (umanamente, klimov-paul)
- Enh #111: `yii\authclient\clients\GitHub` now retrieves user email even if it is set as 'private' at GitHub account (klimov-paul)
- Bug #25: `yii\authclient\BaseOAuth` now can be used without `session` application component available (klimov-paul)
- Enh #40: Added `attributeNames` field to `yii\authclient\clients\Facebook`, which allows definition of attributes list fetched from API (samdark)
- Chg: #47: Default popup size for `yii\authclient\clients\Facebook` has been increased up to 860x480 (lame07, klimov-paul)
- Bug #7224: Fixed incorrect POST fields composition at `yii\authclient\OAuth1` (klimov-paul)
- Bug #7639: Automatic exception throw on 'error' key presence at `yii\authclient\BaseOAuth::processResponse()` removed (klimov-paul)
- Enh #17: Added `attributeNames` field to `yii\authclient\clients\VKontakte` and `yii\authclient\clients\LinkedIn`, which allows definition of attributes list fetched from API (klimov-paul)
- Enh #6743: Icon for Google at `yii\authclient\widgets\AuthChoice` fixed to follow the Google Brand guidelines (klimov-paul)
- Enh #7733: `yii\authclient\clients\VKontakte` now gets attributes from access token also (klimov-paul)
- Enh #7754: New client `yii\authclient\clients\GooglePlus` added to support Google recommended auth flow (klimov-paul)
- Chg: #7754: `yii\authclient\clients\GoogleOpenId` is now deprecated because this auth method is no longer supported by Google as of April 20, 2015 (klimov-paul)
- Enh #6892: Default value of `yii\authclient\clients\Twitter::$authUrl` changed to 'authenticate', allowing usage of previously logged user without requesting access (kotchuprik)
- Bug #6502: Fixed `\yii\authclient\OAuth2::refreshAccessToken()` does not save fetched token (sebathi)
- Bug #6510: Fixed infinite redirect loop using default `\yii\authclient\AuthAction::cancelUrl` (klimov-paul)
- Bug #6000: Fixed CSS for `yii\authclient\widgets\AuthChoice` is not loaded if `popupMode` is disabled (klimov-paul)
- Enh #5135: Added ability to operate nested and complex attributes via `yii\authclient\BaseClient::normalizeUserAttributeMap` (zinzinday, klimov-paul)
- Bug #3633: OpenId return URL comparison advanced to prevent url encode problem (klimov-paul)
- Bug #4490: `yii\authclient\widgets\AuthChoice` does not preserve initial settings while opening popup (klimov-paul)
- Bug #5011: OAuth API Response with 20x status were not considered success (ychongsaytc)
- Enh #3416: VKontakte OAuth support added (klimov-paul)
- Enh #4076: Request HTTP headers argument added to `yii\authclient\BaseOAuth::api()` method (klimov-paul)
- Enh #4134: `yii\authclient\InvalidResponseException` added for tracking invalid remote server response (klimov-paul)
- Enh #4139: User attributes requesting at GoogleOAuth switched to Google+ API (klimov-paul)
- Initial release.