Changed

• Bumped the versions for laminas/diactoros and psr/http-message to support
  PSR-7 v2.0 (PR #1339)

Fixed

• Fixed PHP version constraints and lcobucci/clock version constraint to support PHP 8.1 (PR #1336)

Added

• Support for PHP 8.1 and 8.2 (PR #1333)

Removed

• Support PHP 7.2, 7.3, and 7.4 (PR #1333)

Fixed

• Fix deprecation notices for PHP 8.x (PR #1329)

Added

• You can now set a leeway for time drift between servers when validating a JWT (PR #1304)

Security

• Access token requests that contain a code_verifier but are not bound to a code_challenge will be rejected to prevent
  a PKCE downgrade attack (PR #1326)

Fixed

• Use LooseValidAt instead of StrictValidAt so that users aren't forced to use claims such as NBF in their JWT tokens (PR #1312)

Fixed

• Use InMemory::plainText('empty', 'empty') instead of InMemory::plainText('') to avoid new empty string exception thrown by lcobucci/jwt (PR #1282)

Fixed

• Server previously rejected valid uris with custom schemes. Now use league/uri for parsing to accept all valid uris (PR #1274)

Security

• Removed the use of LocalFileReference() in lcobucci/jwt. Function deprecated as per GHSA-7322-jrq4-x5hf (PR #1249)

Changed

• Conditionally support the StrictValidAt() method in lcobucci/jwt so we can use version 4.1.x or greater of the library (PR #1236)
• When providing invalid credentials, the library now responds with the error message The user credentials were incorrect (PR #1230)
• Keys are always stored in memory now and are not written to a file in the /tmp directory (PR #1180)
• The regex for matching the bearer token has been simplified (PR #1238)