Move to thephpleague/oauth2-server 9.0

Created on 26 April 2022, almost 3 years ago
Updated 5 November 2024, 5 months ago

Problem/Motivation

Issues such as #3263634: [PP-1] Introspection/debug response should be conform OAuth2 specs → are blocked on 9.0 of the upstream library.

Has yet to be seen if this needs to be in a major or not? Guess it would depend on any major BC breaks in the library that cascade down to us.

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

🌱 Plan
Status

Active

Version

6.0

Component

Code

Created by

🇺🇸United States bradjones1 Digital Nomad Life


Merge Requests

Comments & Activities


  • First commit to issue fork.
  • Pipeline finished with Canceled
    5 months ago
    Total: 92s
    #330318
  • Pipeline finished with Failed
    5 months ago
    Total: 220s
    #330321
  • 🇳🇱Netherlands idebr

    One test failure remaining

  • Pipeline finished with Canceled
    5 months ago
    Total: 67s
    #334730
  • Pipeline finished with Failed
    5 months ago
    Total: 822s
    #334731
  • 🇳🇱Netherlands idebr

    The merge request updates thephpleague/oauth2-server to 9.0.x

    Breaking changes are listed at the release page https://github.com/thephpleague/oauth2-server/releases/tag/9.0.0, but most notably:

    1. New: Strict typing and return types
    2. Changed: some exceptions return a different status code and the error message data structure has changed
    3. Refresh token scopes are now finalized again, so any invalid scopes are removed (this was the last test failure in #4)

    Seems fine to include in the module's beta phase, but this is up to the module's maintainer

  • Pipeline finished with Success
    3 months ago
    Total: 401s
    #377074
  • 🇳🇱Netherlands bojan_dev

    Looks good, thanks!

  • Status changed to Fixed 3 months ago
  • Automatically closed - issue fixed for 2 weeks with no activity.

  • 🇺🇸United States m.stenta

    The upgrade to league/oauth2-server 9.0 breaks the Password Grant → module: 🐛 Refreshed access_token is missing scope with league/oauth2-server ^9 Active

    Has yet to be seen if this needs to be in a major or not? Guess it would depend on any major BC breaks in the library that cascade down to us.

    Was any consideration given to this comment by @bradjones1 before this change was merged??

    @bojan_dev PLEASE can we be more careful with these kinds of changes, and save them for major version releases?

    I understand that the maintainers of simple_oauth are not responsible for downstream projects like simple_oauth_password_grant, but updating the major versions of core dependencies like this without tagging a new major version of simple_oauth provides no indication to downstream dependencies, or site admins, that there are potentially breaking changes to consider.

  • 🇺🇸United States m.stenta

    Was any consideration given to this comment by @bradjones1 before this change was merged??

    Sorry @idebr: I see that you outlined the breaking changes in your comment #5.

    Seems fine to include in the module's beta phase, but this is up to the module's maintainer

    I disagree with this.

    6.0.0 has been in "beta" since 2022. And we should absolutely be avoiding breaking changes, even in "beta" modules. That is what semantic versioning is for.

    Please @bojan_dev can we drop the "beta" designation and adopt true semantic versioning policy moving forward?

  • 🇺🇸United States m.stenta

    Update: The issue I described is fixed in 🐛 Return invalid_scope error when refresh token second time. Needs work

    Thank you again @bojan_dev! So good to see 6.0.0 officially released! :-)
