thephpleague / oauth2-server

A spec compliant, secure by default PHP OAuth 2.0 Server
https://oauth2.thephpleague.com
MIT License

Version conflict with lcobucci/jwt 4.1.4 #1235

Closed ghdi closed 3 years ago

ghdi commented 3 years ago

Hi,

Currently, I have installed league/oauth2-server 8.2.4 and lcobucci/jwt 4.1.4, which works like a charm.

When trying to upgrade to league/oauth2-server 8.3.1, I bump into a version conflict with lcobucci/jwt 4.1.4, requiring lcobucci/jwt ^3.4 || ~4.0.0 instead.

Is there something I might have missed in the release notes?

Thanks!

NicoHaase commented 3 years ago

This looks related to https://github.com/thephpleague/oauth2-server/commit/a60313319786ca17973791dab6cf99f13b43d976 - but I'm a bit surprised that there are no more details, like a pull request or a description of the problem that existed.

Sephster commented 3 years ago

Sorry folks, I'm on holiday just now and can't remember off the top of my head. Basically, the lib needs to support PHP 7.2 and there were some functions in jwt 4.1 that didn't support 7.2, so we had to downgrade.

derrabus commented 3 years ago

On PHP 7.2, Composer should not install version 4.1 of the jwt library (and also not 4.0, fwiw). Is there something we can do to broaden the compatibility for the library, allowing applications to install 4.1 again? I don't feel comfortable pinning down a dependency that is critical to the authentication layer of my application to an outdated release.

Sephster commented 3 years ago

Sorry for the delay. I've looked into this now and remember why I made this change. Version 4.1 of the JWT library deprecated validAt in favour of the strictValidAt() check. However, the strictValidAt() method is not in version 3.4 which we support for PHP version 7.2.

I raised an issue https://github.com/lcobucci/jwt/issues/722 to see if we could backport strictValidAt() to version 3.4 but was told this wouldn't happen because the 3.4.x branch will only accept security fixes now.

We originally were going to ditch PHP version 7.2 but after discussions with Dries Vints, decided to keep it for one release longer so Passport could move on to the latest version of the server without having to wait for their own upgrade cycle.

I will likely ditch PHP 7.2 on the next release and we can upgrade the version of the JWT library then.

@derrabus I understand your concerns with us pinning to the 4.0 version at the moment, but this version is still supported by Luis so there are no security concerns at present. We just won't have access to some of the nice new features in the 4.1.x versions until we upgrade.

Hope that answers everyone's questions and concerns.
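Added example, not code from this thread or from the oauth2-server project, showing the behavioural difference behind the check named above using the lcobucci/jwt 4.1 API: StrictValidAt refuses any token that lacks one of the iat, nbf or exp claims, while LooseValidAt only checks the time claims that happen to be present. The signing secret and the autoload path are constructed placeholders.

```php
<?php
declare(strict_types=1);

require 'vendor/autoload.php'; // assumes lcobucci/jwt ^4.1 and lcobucci/clock are installed

use Lcobucci\Clock\SystemClock;
use Lcobucci\JWT\Configuration;
use Lcobucci\JWT\Signer\Hmac\Sha256;
use Lcobucci\JWT\Signer\Key\InMemory;
use Lcobucci\JWT\Validation\Constraint\LooseValidAt;
use Lcobucci\JWT\Validation\Constraint\StrictValidAt;

// Constructed demo secret; a real deployment loads the key from configuration, never from source.
$config = Configuration::forSymmetricSigner(
    new Sha256(),
    InMemory::plainText('demo-only-secret-do-not-use')
);
$clock = SystemClock::fromUTC();
$now   = $clock->now();

// Token carrying the full set of time claims: iat, nbf and exp.
$complete = $config->builder()
    ->issuedAt($now)
    ->canOnlyBeUsedAfter($now)
    ->expiresAt($now->modify('+10 minutes'))
    ->getToken($config->signer(), $config->signingKey());

// Token that omits exp entirely; a loose check has nothing to compare against,
// a strict check treats the missing claim itself as a violation.
$noExpiry = $config->builder()
    ->issuedAt($now)
    ->canOnlyBeUsedAfter($now)
    ->getToken($config->signer(), $config->signingKey());

$strict    = new StrictValidAt($clock); // all three time claims must exist and be in range
$loose     = new LooseValidAt($clock);  // only claims that are present are range-checked
$validator = $config->validator();

foreach (['complete' => $complete, 'no exp' => $noExpiry] as $label => $token) {
    printf(
        "%-9s strict=%s loose=%s\n",
        $label,
        var_export($validator->validate($token, $strict), true),
        var_export($validator->validate($token, $loose), true)
    );
}
```

For an access-token path, the strict constraint is the one that fails closed when a token is issued without a lifetime, which is why a resource server should prefer it wherever the library version makes it available.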

derrabus commented 3 years ago

Thank you for the explanation, @Sephster. Would #1236 be an acceptable solution?

ghdi commented 3 years ago

All,

Thanks a million for looking into this, very much appreciated!

Oauth2-server plays a critical role in our systems and I sleep better when the latest version is installed.

Regards,

Edwin

Sephster commented 3 years ago

Merged in fix. Thanks to @derrabus for the PR.

ghdi commented 3 years ago

Thanks for following up on this, much appreciated!