Problem/Motivation

Issues such as #3263634: Introspection/debug response should be conform OAuth2 specs are blocked on 9.0 of the upstream library.

Has yet to be seen if this needs to be in a major or not? Guess it would depend on any major BC breaks in the library that cascade down to us.

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Comments

bradjones1 created an issue.

idebr made their first commit to this issue’s fork.

idebr:

Status: Active » Needs work

One test failure remaining

idebr:

Category: Plan » Task
Status: Needs work » Needs review

The merge request updates thephpleague/oauth2-server to 9.0.x.

Breaking changes are listed at the release page https://github.com/thephpleague/oauth2-server/releases/tag/9.0.0, but most notably:

  1. New: Strict typing and return types
  2. Changed: some exceptions return a different status code and the error message data structure has changed
  3. Refresh token scopes are now finalized again, so any invalid scopes are removed (this was the last test failure in #4)

Seems fine to include in the module's beta phase, but this is up to the module's maintainer.

  • bojan_dev committed 9712c7c0 on 6.0.x authored by idebr
    Issue #3277256: Move to thephpleague/oauth2-server 9.0

bojan_dev:

Status: Needs review » Fixed

Looks good, thanks!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

m.stenta:

The upgrade to league/oauth2-server 9.0 breaks the Password Grant module: #3511488: Refreshed access_token is missing scope with league/oauth2-server ^9

Has yet to be seen if this needs to be in a major or not? Guess it would depend on any major BC breaks in the library that cascade down to us.

Was any consideration given to this comment by @bradjones1 before this change was merged??

@bojan_dev PLEASE can we be more careful with these kinds of changes, and save them for major version releases?

I understand that the maintainers of simple_oauth are not responsible for downstream projects like simple_oauth_password_grant, but updating the major versions of core dependencies like this without tagging a new major version of simple_oauth provides no indication to downstream dependencies, or site admins, that there are potentially breaking changes to consider.

m.stenta:

Was any consideration given to this comment by @bradjones1 before this change was merged??

Sorry @idebr: I see that you outlined the breaking changes in your comment #5.

Seems fine to include in the module's beta phase, but this is up to the module's maintainer

I disagree with this.

6.0.0 has been in "beta" since 2022. And we should absolutely be avoiding breaking changes, even in "beta" modules. That is what semantic versioning is for.

Please @bojan_dev can we drop the "beta" designation and adopt true semantic versioning policy moving forward?

m.stenta:

Update: The issue I described is fixed in #3509299: Return invalid_scope error when refresh token second time.

Thank you again @bojan_dev! So good to see 6.0.0 officially released! :-)