Update league/oauth2-server requirement from ^8.1 to ^9.0

[dependabot[bot]]

Updates the requirements on league/oauth2-server to permit the latest version.

Release notes

Sourced from league/oauth2-server's releases.

9.0.0

Added

• Device Authorization Grant added (PR #1074)
• GrantTypeInterface has a new function, revokeRefreshTokens() for enabling or disabling refresh tokens after use (PR #1375)
• A CryptKeyInterface to allow developers to change the CryptKey implementation with greater ease (PR #1044)
• The authorization server can now finalize scopes when a client uses a refresh token (PR #1094)
• An AuthorizationRequestInterface to make it easier to extend the AuthorizationRequest (PR #1110)
• Added function getKeyContents() to the CryptKeyInterface (PR #1375)

Fixed

• Basic authorization is now case insensitive (PR #1403)
• If a refresh token has expired, been revoked, cannot be decrypted, or does not belong to the correct client, the server will now issue an invalid_grant error and a HTTP 400 response. In previous versions the server incorrectly issued an invalid_request and HTTP 401 response (PR #1042) (PR #1082)

Changed

• All interfaces now specify types for all params and return values. Strict typing enforced (PR #1074)
• Request parameters are now parsed into strings to use internally in the library (PR #1402)
• Authorization Request objects are now created through the factory method, createAuthorizationRequest() (PR #1111)
• Changed parameters for finalizeScopes() to allow a reference to an auth code ID (PR #1112)
• AccessTokenEntityInterface now requires the implementation of toString() instead of the magic method __toString() (PR #1395)

Removed

• Removed message property from OAuthException HTTP response. Now just use error_description as per the OAuth 2 spec (PR #1375)

Changelog

Sourced from league/oauth2-server's changelog.

[9.0.0] - released 2024-05-13

Added

• Device Authorization Grant added (PR #1074)
• GrantTypeInterface has a new function, revokeRefreshTokens() for enabling or disabling refresh tokens after use (PR #1375)
• A CryptKeyInterface to allow developers to change the CryptKey implementation with greater ease (PR #1044)
• The authorization server can now finalize scopes when a client uses a refresh token (PR #1094)
• An AuthorizationRequestInterface to make it easier to extend the AuthorizationRequest (PR #1110)
• Added function getKeyContents() to the CryptKeyInterface (PR #1375)

Fixed

• Basic authorization is now case insensitive (PR #1403)
• If a refresh token has expired, been revoked, cannot be decrypted, or does not belong to the correct client, the server will now issue an invalid_grant error and a HTTP 400 response. In previous versions the server incorrectly issued an invalid_request and HTTP 401 response (PR #1042) (PR #1082)

Changed

• All interfaces now specify types for all params and return values. Strict typing enforced (PR #1074)
• Request parameters are now parsed into strings to use internally in the library (PR #1402)
• Authorization Request objects are now created through the factory method, createAuthorizationRequest() (PR #1111)
• Changed parameters for finalizeScopes() to allow a reference to an auth code ID (PR #1112)
• AccessTokenEntityInterface now requires the implementation of toString() instead of the magic method __toString() (PR #1395)

Removed

• Removed message property from OAuthException HTTP response. Now just use error_description as per the OAuth 2 spec (PR #1375)

[9.0.0-RC1] - released 2024-03-27

Added

• Device Authorization Grant added (PR #1074)
• GrantTypeInterface has a new function, revokeRefreshTokens() for enabling or disabling refresh tokens after use (PR #1375)
• A CryptKeyInterface to allow developers to change the CryptKey implementation with greater ease (PR #1044)
• The authorization server can now finalize scopes when a client uses a refresh token (PR #1094)
• An AuthorizationRequestInterface to make it easier to extend the AuthorizationRequest (PR #1110)
• Added function getKeyContents() to the CryptKeyInterface (PR #1375)

Fixed

• If a refresh token has expired, been revoked, cannot be decrypted, or does not belong to the correct client, the server will now issue an invalid_grant error and a HTTP 400 response. In previous versions the server incorrectly issued an invalid_request and HTTP 401 response (PR #1042) (PR #1082)

Changed

• Authorization Request objects are now created through the factory method, createAuthorizationRequest() (PR #1111)
• Changed parameters for finalizeScopes() to allow a reference to an auth code ID (PR #1112)
• AccessTokenEntityInterface now requires the implementation of toString() instead of the magic method __toString() (PR #1395)

Removed

• Removed message property from OAuthException HTTP response. Now just use error_description as per the OAuth 2 spec (PR #1375)

[8.5.4] - released 2023-08-25

Added

• Support for league/uri ^7.0 (PR #1367)

[8.5.3] - released 2023-07-06

Security

• If a key string is provided to the CryptKey constructor with an invalid

... (truncated)

Commits

• 2ed9e5f Fix style issue
• 42ba1f8 Fix style CI issues
• 92c6519 Fix styleci issues
• 7795ca2 Update changelog for v9
• 00a2ce5 Update changelog to include typing changes
• 7b65618 Merge pull request #1402 from thephpleague/fix-passport-compatibility
• 26b33a6 Update changelog
• c64d95e revert formatting changes
• 669debf revert scopeId to scope
• 02a85f2 Merge master into this branch
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[codeclimate[bot]]

Code Climate has analyzed commit 3137fd02 and detected 0 issues on this pull request.

View more on Code Climate.