- First commit to issue fork.
- Merge request !148: Issue #3277256: Move to thephpleague/oauth2-server 9.0 (Merged) created by idebr
- 🇳🇱 Netherlands idebr
The merge request updates thephpleague/oauth2-server to 9.0.x.
Breaking changes are listed at the release page https://github.com/thephpleague/oauth2-server/releases/tag/9.0.0, but most notably:
- New: Strict typing and return types
- Changed: some exceptions return a different status code and the error message data structure has changed
- Refresh token scopes are now finalized again, so any invalid scopes are removed (this was the last test failure in #4)
Seems fine to include in the module's beta phase, but this is up to the module's maintainer
- bojan_dev committed 9712c7c0 on 6.0.x, authored by idebr:
Issue #3277256: Move to thephpleague/oauth2-server 9.0
- Status changed to Fixed
3 months ago 8:04am 7 January 2025 Automatically closed - issue fixed for 2 weeks with no activity.
- 🇺🇸 United States m.stenta
The upgrade to league/oauth2-server 9.0 breaks the Password Grant module: "Refreshed access_token is missing scope with league/oauth2-server ^9" (Active)
Has yet to be seen if this needs to be in a major or not? Guess it would depend on any major BC breaks in the library that cascade down to us.
Was any consideration given to this comment by @bradjones1 before this change was merged??
@bojan_dev PLEASE can we be more careful with these kinds of changes, and save them for major version releases?
I understand that the maintainers of simple_oauth are not responsible for downstream projects like simple_oauth_password_grant, but updating the major versions of core dependencies like this without tagging a new major version of simple_oauth provides no indication to downstream dependencies, or site admins, that there are potentially breaking changes to consider.
- 🇺🇸 United States m.stenta
Was any consideration given to this comment by @bradjones1 before this change was merged??
Sorry @idebr: I see that you outlined the breaking changes in your comment #5.
Seems fine to include in the module's beta phase, but this is up to the module's maintainer
I disagree with this.
6.0.0 has been in "beta" since 2022. And we should absolutely be avoiding breaking changes, even in "beta" modules. That is what semantic versioning is for.
Please @bojan_dev can we drop the "beta" designation and adopt true semantic versioning policy moving forward?
- 🇺🇸 United States m.stenta
Update: The issue I described is fixed in "Return invalid_scope error when refresh token second time" (Needs work)
Thank you again @bojan_dev! So good to see 6.0.0 officially released! :-)