- Added Symfony 5 support,
- Added domain whitelist service to avoid open redirect on
target_path
, - Fixed: session service was not injected in
LoginController
, - Fixed: client id and client secret must be set in
Auth0ResourceOwner::doGetTokenRequest
, - Twig dependency on
LoginController
is now optional,
- Dropped support for PHP 5.6, 7.0 and 7.1,
- Dropped support for FOSUserBundle 1.3,
- Dropped support for Symfony 2.8,
- Minimum Symfony 3 requirement is 3.4,
- Minimum Symfony 4 requirement is 4.3,
- Fixed: WindowsLive Resource Owner token request,
- Fixed: Update Facebook API to v3.1,
- Fixed: Update Linkedin API to v2,
- Fixed: YahooResourceOwner::doGetUserInformationRequest uses wrong arguments,
- Fixed: Symfony deprecation warning in
symfony/config
, - Fixed: SensioConnect now uses new API URLs,
- Fixed: Do not add Authorization header if no client_secret is present,
- Fixed:
LoginController::connectAction
should not fail if no token is available, - Added: Genius.com resource owner,
- Added: HTTPlug 2.0 support,
- Added: Keycloak resource owner,
- Added: The controller is now available as a service,
- Added: Allow to use HTTP Basic auth for token request,
- [BC break] Class
Configuration
has been marked final, - [BC break] Class
ConnectController
has been marked final, - [BC break] Class
HWIOAuthExtension
has been marked final, - [BC break] Class
OAuthExtension
has been marked final, - [BC break] Class
SetResourceOwnerServiceNameCompilerPass
has been marked final, - [BC break] Class
ConnectController
extendsAbstractController
instead ofController
, - [BC break] Service
hwi_oauth.http_client
has been marked private, - [BC break] Service
hwi_oauth.security.oauth_utils
has been marked private, - [BC break] Several service class parameters have been removed,
- Fixed: Vkontakte profile picture & nickname path,
- Fixed:
Content-Length
header must be a string, - Fixed: Upgraded GitLab end point to v4,
- Fixed: Resource owner map parameters must be public,
- Fixed: Azure resource owner
infos_url
should not be empty, - Fixed: Don't start sessions twice & don't start sessions if already started,
- Fixed: Updated BitBucket docs,
- Added: Further compatibility changes for Symfony 4.1,
- Added: LinkedIn
first-
&last-
names, - Added: Facebook profile picture
- Fixed: VK requires API version now,
- Fixed: Updated Slack resource owner to use new Slack API methods,
- Fixed: Changing authorization and access token to v2 for LinkedIn,
- Fixed: Fix double call of
getUserInformation()
inConnectController
, - Fixed: Fix serialization of
AccountNotLinkedException
, - Fixed: Check for grant_rule value
IS_AUTHENTICATED_FULLY
in DI configuration, - Fixed: Don't execute
OAuthProvider::refreshAccessToken()
when there is no refresh token
- BC BREAK: Replaced
PHPUnit_Framework_TestCase
withPHPUnit\Framework\TestCase
in tests, - Added: Implemented
getUserInformation()
for Dropbox v2, - Fixed: Headers passed to
httpRequest()
method in various resource owners, - Fixed: Marked some services as
public
to make code compatible with Symfony 4
- BC BREAK: Fully replaced Buzz library with usage of HTTPlug & Guzzle 6,
- BC BREAK:
hwi.http_client
config options are remove. HTTP configuration must rely on the HTTPlug client, - BC BREAK: Template engine other than Twig are no longer supported,
- BC BREAK: Option
hwi_oauth.templating_engine
was removed, - Added: Symfony 4 support,
- Added:
php-http/httplug-bundle
support, to auto-provide needed HTTPlug services and get full Symfony integration, - Added:
hwi.http.client
andhwi.http.message_factory
config keys to provide your own HTTPlug services, - Added:
HWIOAuthEvents
, - Added:
ResourceOwnerInterface::addPaths()
method for easier managing paths in resource owners, - Fixed: Update Facebook API to v2.8,
- Fixed: Bitbucket2 resource owner,
- Fixed: GitHub resource owner documentation,
- Fixed: Don't require any form for the connect feature,
- Fixed: Uncaught exception with custom error page,
- Fixed:
php-cs-fixer
updated to latest version & run on base code
- Fixed: Prevent uncaught exception when redirecting to invalid route,
- Fixed: Add more details too exception when account was not linked,
- Fixed: Odnoklassinki resource owner,
- Fixed: Office365 resource owner,
- Fixed: StackExchange resource owner,
- Fixed: WeChat resource owner,
- Fixed: WindowsLive resource owner
- Fixed error that could occur with message "302 Header already sent",
- Exclude tests from Composer autoloader
- Fixed:
OAuthHelper
should fallback to newRequest
in case of receivingnull
, - Fixed: Better
FOSUserBundle
integration, - Fixed: Serialization issue in
WechatResourceOwner
, - Fixed: Incorrect refresh token in
WechatResourceOwner
, - Fixed: Broken
TrelloResourceOwner
, - Fixed: Removed dead code in
OAuthProvider
, - Fixed: Update Facebook API to v2.7,
- Added: Symfony 3 support,
- Added: Redirect to
target_path
after successful registration/connection, - Added: Asana resource owner,
- Added: Bitbucket resource owner,
- Added: Clever resource owner,
- Added: Itembase resource owner,
- Added: Jawbon resource owner,
- Added: Office365 resource owner,
- Added: Wunderlist resource owner,
- Added: Hungarian translation
- Fixed: Request parameters are not copied into new Request on forward,
- Fixed: Fixed scope deprecating message,
- Fixed: Resolved deprecated message in ConnectController,
- Fixed: Removed usage of deprecated code in tests
- Fixed: Change Discogs URL from http to https,
- Fixed: Update Facebook API URLs to not use outdated ones
- Fixed: Remove usage of deprecated Twig function
form_enctype
& replace with usage ofform_start
/form_end
, - Fixed: Mark as not fully compatible with Symfony
~3.0
, - Fixed: Multiple firewalls can now have different resource owners,
- Fixed: Wrong URL generated for Safesforce resource owner,
- Added:
include_email
option into Twitter resource owner, - Added: Hungarian translation,
- Added: Documentation about FOSUser integration
- [BC break] Added
UserResponseInterface#getFirstName()
method, also a new default pathfirstname
was added, this path holds the first name of user, - [BC break] Added
UserResponseInterface#getLastName()
method, also a new default pathlastname
was added, this path holds the last name of user, - [BC break] Added
UserResponseInterface::getOAuthToken()
& basic implementation inAbstractUserResponse
, - [BC break]
GenericOAuth1ResourceOwner::getRequestToken()
is now public method (was protected), - Added: configuration parameter
firewall_name
(will be removed in next major version) renamed tofirewall_names
to support multiple firewalls, - Added: configuration parameter:
failed_auth_path
which contains route name, on which user will be redirected after failure when connecting accounts (i.e. user denies connection), - Added:
appsecret_proof
functionality support to the Facebook resource owner, - Added:
sandbox
functionality support to the Salesforce resource owner, - Added Auth0 resource owner,
- Added Azure resource owner,
- Added BufferApp resource owner,
- Added Deezer resource owner,
- Added Discogs resource owner,
- Added EveOnline resource owner,
- Added Fiware resource owner,
- Added Hubic resource owner,
- Added Paypal resource owner,
- Added Reddit resource owner,
- Added Runkeeper resource owner,
- Added Slack resource owner,
- Added Spotify resource owner,
- Added Soundcloud resource owner,
- Added Strava resource owner,
- Added Toshl resource owner,
- Added Trakt resource owner,
- Added Wechat resource owner,
- Added Wordpress resource owner,
- Added Xing resource owner,
- Added Youtube resource owner,
- Fixed: Revoking tokens for Facebook & Google resource owners,
- Fixed: Instagram allows only GET calls to fetch user details,
- Fixed:
ResourceOwnerMap
no longer depends on deprecatedContainerAware
class, - Fixed: Wrong usage of
json_decode
in Mail.ru resource owner, - Fixed: Transform storage exceptions in OAuth1 resource owners into
AuthenticationException
- Fixed: Default scopes & fields for VKontakte resource owner
- Fix: Remove deprecated Twig features
- Fix: Undefined variable in
FOSUBUserProvider::refreshUser
- Fix: Restore property accessor for Symfony 2.3
- Fix: Remove BC break for Symfony < 2.5,
- Fix: Compatibility issues with Symfony 2.6+,
- Fix: Deprecated graph URLs for
FacebookResourceOwner
- Fix:
SessionStorage::save()
could throw php error, - Fix:
OAuthToken::isExpired()
always returnedfalse
, - Fix:
FoursquareResourceOwner
,TwitchResourceOwner
,SensioConnectResourceOwner
not working with bearer header, - Fix: Don't use deprecated fields in
FacebookResourceOwner
, - Fix:
FOSUBUserProvider::refreshUser()
always returning old user,
- Fix:
InstagramResourceOwner
regression while getting user details, - Fix: Add smooth migration for session (de)serialization
- Fix:
LinkedinResourceOwner
regression while getting user details, - Fix: OAuth
revoke
functionality to be available wider, - Fix: Removed undocumented functionality from
SinaWeiboResourceOwner
, - Fix: Always remove default ports from URLs to match OAuth 1.0a, Spec: 9.1.2
- Fix: Instagram OAuth redirect to one url,
- Fix:
FOSUBUserProvider
should also implementUserProviderInterface
, - Fix:
YahooResourceOwner
infos_url
to use new format, - Fix: Send authorization via headers instead of URL parameter,
- Fix:
GithubResourceOwner
revoke method, - Fix: Add login routing documentation note
- Fix: Incorrect redirect URL when no parameters are set,
- Fix: Add missing parameter
prompt
forGoogleResourceOwner
, - Fix:
WordpressResourceOwner
user details API call, - Fix: PHP Notice when
oauth_callback_confirmed
was set toofalse
, - Fix: PHP Fatal when session returns boolean instead of object,
- Fix: Add missing query parameters for
FacebookResourceOwner
- Fix: Prevent
SessionUnavailableException
when returns back from service, - Fix:
EntityUserProvider
should implementUserProviderInterface
, - Fix:
createdAt
property was missing when serializing theOAuthToken
, - Added Italian translations
- Fix: Change Twitter API call to use SSL URL,
- Fix: Problems with options in
VkontakteResourceOwner
, - Fix: Problems with OAuth 1.0a token &
YahooResourceOwner
, - Fix: Throw exception in
FOSUBUserProvider
when username is missing - Added SalesForce resource owner
- [BC break]
AccountConnectorInterface::connect()
method now requires the first parameter to be instance ofSymfony\Component\Security\Core\User\UserInterface
- [BC break]
ConnectController::authenticateUser()
method now requires the first parameter to be instance ofSymfony\Component\HttpFoundation\Request
- [BC break] Removed
AbstractResourceOwner::addOptions()
method - [BC break]
OAuthUtils::getAuthorizationUrl()
&OAuthUtils::getLoginUrl()
methods now expect first parameter to be instance ofSymfony\Component\HttpFoundation\Request
- [BC break] LinkedIn resource owner now uses OAuth2 approach, visit official web page for details how to migrate: https://developer.linkedin.com/documents/authentication#migration
- [BC break] Dropbox resource owner now uses OAuth2 approach
- Added ability to merge response parts into single path
- Added Bitly resource owner
- Added Box resource owner
- Added Dailymotion resource owner
- Added DeviantArt resource owner
- Added Eventbrite resource owner
- Added Mail.ru resource owner
- Added Sina Weibo resource owner
- Added QQ.com resource owner
- Added Trello resource owner
- Added Wordpress resource owner
- [BC break] Added
ResourceOwnerInterface::isCsrfTokenValid()
method - [BC break] Removed
OAuth1RequestTokenStorageInterface
along with the implementations - [BC break]
AbstractResourceOwner::__construct()
now requiresRequestDataStorageInterface
instance as last argument - Fix: Yandex resource owner using invalid parameter when requesting user data
- Fix: To prevent unusual content headers response from resource owners should be first threaten as json and only in case of failure threaten as query text
- Fix: Instagram resource owner is not able to receive user data more than once
- Added ability to disable confirmation page when connecting accounts
- Added CSRF protection for OAuth2 providers (turned off by default)
- Added
RequestDataStorageInterface
along with implementation - Added Stereomood resource owner
- [BC break]
GenericOAuth2ResourceOwner::getAccessToken()
now returns an array instead of a string. This array contains the access token and its 'expires_in' value, along with any other parameters returned from the authentication provider - [BC break] Added
OAuthAwareExceptionInterface#setToken()
,OAuthAwareExceptionInterface#getRefreshToken()
,OAuthAwareExceptionInterface#getRawToken()
,OAuthAwareExceptionInterface#getExpiresIn()
methods - [BC break] Renamed
AbstractResourceOwner::doGetAccessTokenRequest
todoGetTokenRequest
- [BC break] Removed
AdvancedPathUserResponse
&AdvancedUserResponseInterface
- [BC break] Added
UserResponseInterface#getEmail()
,UserResponseInterface#getProfilePicture()
,UserResponseInterface#getRefreshToken()
,UserResponseInterface#getExpiresIn()
,UserResponseInterface#setOAuthToken()
methods - [BC break] Removed
UserResponseInterface::setAccessToken()
method - [BC break] Removed
AbstractUserResponse::getOAuthToken()
method because it was ambiguous - [BC break]
PathUserResponse#setPaths()
method no longer overwrite default paths - [BC break]
PathUserResponse#getPath()
method no longer throws an exception if path not exists - [BC break]
PathUserResponse#getValueForPath()
removed second argument from this method, it will not throw exception anymore if response or value is missing, but now will returnnull
instead - [BC break] Added
ResourceOwnerInterface#getOption($name)
method - [BC break]
ResourceOwnerInterface#getUserInformation()
now must receive array ($accessToken
) as first parameter, also added second parameter ($extraParameters
) to be consistent along all implementations - Added
OAuthToken::getRefreshToken()
,OAuthToken::setRefreshToken()
,OAuthToken::getExpiresIn()
,OAuthToken::setExpiresIn()
,OAuthToken::getRawToken()
,OAuthToken::setRawToken()
- Added
AbstractResourceOwner#addOptions()
&ResourceOwnerInterface#setOption($name, $value)
methods which allows easy overwriting resource specific options - Added support for options:
access_type
,request_visible_actions
,approval_prompt
&hd
in Google resource owner - Added 37signals resource owner
- Added Amazon resource owner
- Added Bitbucket resource owner
- Added Disqus resource owner
- Added Dropbox resource owner
- Added Flickr resource owner
- Added Instagram resource owner
- Added Odnoklassniki resource owner
- Added Yandex resource owner
- Fix: use
Symfony\Component\Security\Core\User\UserInterface
inEntityUserProvider::refreshUser
- Fix: made
SessionStorage
compatible with Symfony 2.0
- Fix: Regression done in version
0.2.8
blocking usage withoutFOSUserBundle
- Fix:
OAuthUtils::getAuthorizationUrl()
ignoring given redirect URL
- Fix: Added missing parts in user providers like:
loadUserByUsername()
orrefreshUser()
methods - Fix: Registering of user provider services
- Fix: Make
OAuthUtils::signRequest()
compatible with OAuth1.0a specification
- Fix: Polish oauth error detection to cover cases from i.e. Facebook resource owner
- Fix: Changed authorization url for Vkontakte resource owner
- Fix: Use same check for FOSUserBundle compatibility to prevent strange errors with calls of undefined services
- Fix: User-land aliased (resource owner) services have the appropriate name
- Fix: Use user identifier represented as string for Twitter to prevent issues with losing accuracy for large numbers (i.e. Javascript) or type comparison (i.e. MongoDB)
- Fix: Don't depend on
arg_separator.output
data for URL generation to prevent issues
- Fix: Throw
Symfony\Component\Security\Core\Exception\AccessDeniedException
&Symfony\Component\HttpKernel\Exception\NotFoundHttpException
instead of\Exception
to make cases more clear - Fix: Detect
oauth_problem
as authorization error and inform user instead logging error in background - Fix: Request extra parameters should have higher priority than default
- Fix: How urls are build in resource owners
- Fix: Missing parameter in
YahooResourceOwner
- Added
AbstractUserResponse::getOAuthToken()
method to allow fetching only OAuth token details - Added french translation
- Fix: FB incompatibility with 'error' field in response
- Fix: FOSUB registration form handler
- Fix: Use API 1.1 for Twitter, not the deprecated 1.0
- Fixed issue with FOSUserBundle 2.x integration
- Added support for a
target_path_parameter
in order to control the redirect path after login - Added
hwi_oauth_authorization_url()
twig helper function - Added Jira resource owner
- Added Yahoo resource owner
- Added setting
realm
in configuration - Added support for FOSUserBundle 2.x integration
- Added Stack Exchange resource owner
- Fix: configuration parameter
firewall_name
is required - Fix: prevent throwing
AlreadyBoundException
when using FOSUserBundle 1.x integration - Fix: check for availability of
profilePicture
in views before calling it - Fix:
InMemoryProvider
now shows user nickname as name instead of unique identifier - Fix: don't set
realm
option if is empty in request headers - Fix: for infinity loop blockade and error token response handling
- [BC break] Renamed path
username
toidentifier
to make it more clear that this path should hold the unique user identifier (previouslyusername
) - [BC break] Method
UserResponseInterface#getUsername()
now always returns a real unique user identifier, and uses pathidentifier
- [BC break]
OAuth1RequestTokenStorageInterface#save()
second param$token
must now be an array - [BC break] Configuration type 'generic' is renamed to 'oauth2'
- [BC break]
redirect.xml
routing has to be imported. See the setup docs - Added
UserResponseInterface#getRealName()
method, also a new default pathrealname
was added, this path holds the real name of user - Added
UserResponseInterface#getNickName()
method, also a new default pathnickname
was added, this path holds the nickname of user - Added
UserResponseInterface#getAccessToken()
andUserResponseInterface#setAccessToken
- Added
OAuthToken#getCredentials()
returns an empty string to be consistent with the security component. The access token can still be retrieved from thegetAccessToken()
method - Added change that forces all authentication requests are now redirected to the login path
- Added change that makes
firewall_name
option required setting - Added OAuth 1.0a support (linkedin/twitter/generic)