Revision history for Net-OAuth2-AuthorizationServer 0.28 2020-11-02 - Handle lack of token in Authorization header (GH #27) 0.27 2020-09-02 - Update example w/r/t recent(ish) changes in callback return expectations 0.26 2020-07-20 - Allow access_token_ttl to be passed as callback 0.25 2020-05-06 - Add "FURTHER READING" section to Manual - Audit code from "OAuth 2.0 Security Best Current Practice" draft - The above states "clients SHOULD NOT use the implicit grant" - The above states "The resource owner password credentials grant MUST NOT be used" - Add some documentation to note the above, with links - The above draft also reveals: - PKCE will be required (https://tools.ietf.org/html/rfc7636) - "authorization codes MUST be invalidated by the AS after their first use at the token endpoint" - "configured to return an AS identitifier [sic] ("iss") as a non-standard parameter" - "Authorization server MUST utilize ... methods to detect refresh token replay" 0.24 2019-12-09 - Remove hard dependency on Mojo::JWT (GH #26, with thanks to ap) 0.23 2019-06-04 - Fix examples to work with recent version of deps (GH #23, GH #25) 0.22 2019-04-27 - Add support for JWEs as well as JWTs (GH #24) - Fix make sure user_id is returned in AuthorizationCodeGrant defaults 0.20 2019-03-01 - Fix example oauth2_client.pl (GH #23) 0.19 2018-12-01 - Avoid returning from the try/catch block as this never works (GH #20, GH #21, thanks to Dylan William Hardison) 0.18 2018-05-17 - Fix a couple of typos and path issues revealed by Debian package built linter (GH #18, GH #17, with thanks to Mirko Tietge) 0.17 2018-04-16 - Handle inconsistencies between various grant types and the return data from ->verify_token_and_scope sometimes returning a hash ref and sometimes returning a string - now they always return a hash ref in the case of a successful authentication (GH #16) - Note that this may be a BREAKING CHANGE if you are using password grant in your app - Thanks to sillitoe for the above find + suggestions on a fix 0.16 2017-09-01 - Correct return type from verification of refresh token when the refresh token is a JWT (GH #12, thanks to pierre-vigier) 0.15 2017-05-12 - Add support for jwt_claims_cb in call to ->token to allow the override or addition of claims to the JWT 0.14 2017-03-03 - Additions and changes for handling modification of scopes, many thanks to Martin Renvoize for patches and assistance with this - Add scopes to returned information from from verify_client (GH #5) this will allow modification of requested scopes, which can be then passed back through other callbacks - Add document response_type in verify_client (GH #5) - Fix catch missing client_id in _verify_client callback 0.13 2016-10-15 - Remove undocumented legacy_args flag 0.12 2016-10-15 - Deprecate undocumented legacy_args flag 0.11 2016-09-16 - Add more documentation to Net::OAuth2::AuthorizationServer::Manual 0.10 2016-09-15 - Add Net::OAuth2::AuthorizationServer::ClientCredentialsGrant - Add more documentation to Net::OAuth2::AuthorizationServer::Manual 0.09 2016-08-31 - Fix clients with a client_secret must use Authorization Code flow and not Implicit Grant flow - Fix pass redirect_uri and response_type to verify_client cb so correct validation can be done for above fix 0.08 2016-08-31 - Add Net::OAuth2::AuthorizationServer::ImplicitGrant 0.07 2016-05-12 - Transfer repo from G3S to Humanstate 0.06 2016-04-17 - Add Net::OAuth2::AuthorizationServer::PasswordGrant - Add Net::OAuth2::AuthorizationServer::Manual 0.03 2016-04-11 - First release, broken out of Mojolicious::Plugin::OAuth2::Server for better abstraction and decoupling from the Mojolicious framework. Should also allow tidying up of method args and easier additions of other OAtuth2 grant types