Revision history for Net-OAuth2-AuthorizationServer
0.28 2020-11-02
- Handle lack of token in Authorization header (GH #27)
0.27 2020-09-02
- Update example w/r/t recent(ish) changes in callback return expectations
0.26 2020-07-20
- Allow access_token_ttl to be passed as callback
0.25 2020-05-06
- Add "FURTHER READING" section to Manual
- Audit code from "OAuth 2.0 Security Best Current Practice" draft
  - The above states "clients SHOULD NOT use the implicit grant"
  - The above states "The resource owner password credentials grant MUST NOT be used"
  - Add some documentation to note the above, with links
  - The above draft also reveals:
    - PKCE will be required (https://tools.ietf.org/html/rfc7636)
    - "authorization codes MUST be invalidated by the AS after their first use at the token endpoint"
    - "configured to return an AS identitifier [sic] ("iss") as a non-standard parameter"
    - "Authorization server MUST utilize ... methods to detect refresh token replay"
0.24 2019-12-09
- Remove hard dependency on Mojo::JWT (GH #26, with thanks to ap)
0.23 2019-06-04
- Fix examples to work with recent version of deps (GH #23, GH #25)
0.22 2019-04-27
- Add support for JWEs as well as JWTs (GH #24)
- Fix: make sure user_id is returned in AuthorizationCodeGrant defaults
0.20 2019-03-01
- Fix example oauth2_client.pl (GH #23)
0.19 2018-12-01
- Avoid returning from the try/catch block as this never works
  (GH #20, GH #21, thanks to Dylan William Hardison)
0.18 2018-05-17
- Fix a couple of typos and path issues revealed by Debian package
  build linter (GH #18, GH #17, with thanks to Mirko Tietge)
0.17 2018-04-16
- Handle inconsistencies between various grant types and the return
  data from ->verify_token_and_scope sometimes returning a hash ref
  and sometimes returning a string - now they always return a hash
  ref in the case of a successful authentication (GH #16)
  - Note that this may be a BREAKING CHANGE if you are using password
    grant in your app
  - Thanks to sillitoe for the above find + suggestions on a fix
0.16 2017-09-01
- Correct return type from verification of refresh token when
  the refresh token is a JWT (GH #12, thanks to pierre-vigier)
0.15 2017-05-12
- Add support for jwt_claims_cb in call to ->token to allow the
  override or addition of claims to the JWT
0.14 2017-03-03
- Additions and changes for handling modification of scopes, many
  thanks to Martin Renvoize for patches and assistance with this
- Add scopes to returned information from verify_client (GH #5);
  this will allow modification of requested scopes, which can then be
  passed back through other callbacks
- Document response_type in verify_client (GH #5)
- Fix: catch missing client_id in _verify_client callback
0.13 2016-10-15
- Remove undocumented legacy_args flag
0.12 2016-10-15
- Deprecate undocumented legacy_args flag
0.11 2016-09-16
- Add more documentation to Net::OAuth2::AuthorizationServer::Manual
0.10 2016-09-15
- Add Net::OAuth2::AuthorizationServer::ClientCredentialsGrant
- Add more documentation to Net::OAuth2::AuthorizationServer::Manual
0.09 2016-08-31
- Fix: clients with a client_secret must use the Authorization Code
  flow and not the Implicit Grant flow
- Fix: pass redirect_uri and response_type to the verify_client cb
  so correct validation can be done for the above fix
0.08 2016-08-31
- Add Net::OAuth2::AuthorizationServer::ImplicitGrant
0.07 2016-05-12
- Transfer repo from G3S to Humanstate
0.06 2016-04-17
- Add Net::OAuth2::AuthorizationServer::PasswordGrant
- Add Net::OAuth2::AuthorizationServer::Manual
0.03 2016-04-11
- First release, broken out of Mojolicious::Plugin::OAuth2::Server
  for better abstraction and decoupling from the Mojolicious framework.
  Should also allow tidying up of method args and easier addition of
  other OAuth2 grant types