Features
- Support for Firebase v6.0 (#391)
IMPORTANT: This release will break backwards compatibility in some cases. If you are using OAuth2::verifyIdToken and passing multiple algorithms as the second argument, this will now throw an exception:
// No problem here, only 1 algorithm is being used
$oauth->verifyIdToken($publicKeys, ['RS256']);
// This was accepted before, but it will now throw an InvalidArgumentException
$oauth->verifyIdToken($publicKeys, ['RS256', 'HS256']);
This is because we are closing a security vulnerability (see CVE-2021-46743 and GHSA-8xf4-w7qw-pjjw), and there is no way to close it without throwing an exception in this case. The recommended way to do this is now to pass an array of Firebase\JWT\Key as $publicKeys:
// create an array of Firebase\JWT\Key. For example:
use Firebase\JWT\Key;
$keys = [
    new Key($publicKeys[0], 'RS256'),
    new Key($publicKeys[1], 'HS256'),
];
$oauth->verifyIdToken($keys);
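
What binding one algorithm to each key means for a verifier, as an added plain-PHP sketch (not code from this library or from firebase/php-jwt). The helper names, the `rsa-1` key id and the key-map layout are assumptions made for the illustration, and it covers only the key/algorithm check, not claim validation.

```php
<?php
// Added illustration (PHP 8+, ext-openssl); every name here is hypothetical, not library code.
function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}
function b64urlDecode(string $txt): string
{
    return (string) base64_decode(strtr($txt, '-_', '+/'));
}

// $keys maps kid => ['alg' => ..., 'key' => ...]: the algorithm belongs to the key entry.
function verifyBoundJwt(string $jwt, array $keys): array
{
    $parts = explode('.', $jwt);
    [$h64, $p64, $s64] = count($parts) === 3 ? $parts : ['', '', ''];
    $header = json_decode(b64urlDecode($h64), true);
    $kid = is_array($header) ? ($header['kid'] ?? null) : null;
    if (!is_string($kid) || !isset($keys[$kid])) {
        throw new UnexpectedValueException('unknown key id');
    }
    $bound = $keys[$kid];
    // The header may only agree with the key's algorithm; it never selects one.
    if (($header['alg'] ?? null) !== $bound['alg']) {
        throw new UnexpectedValueException('token alg does not match the key');
    }
    $sig = b64urlDecode($s64);
    $ok = match ($bound['alg']) {
        'RS256' => openssl_verify("$h64.$p64", $sig, $bound['key'], OPENSSL_ALGO_SHA256) === 1,
        'HS256' => hash_equals(hash_hmac('sha256', "$h64.$p64", $bound['key'], true), $sig),
        default => false,
    };
    return $ok ? (array) json_decode(b64urlDecode($p64), true) : throw new UnexpectedValueException('bad signature');
}

// Constructed sample: a throwaway RSA key pair generated at run time.
$rsa = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$keys = ['rsa-1' => ['alg' => 'RS256', 'key' => openssl_pkey_get_details($rsa)['key']]];
$h = b64url(json_encode(['alg' => 'RS256', 'kid' => 'rsa-1']));
$p = b64url(json_encode(['sub' => 'demo']));
openssl_sign("$h.$p", $sig, $rsa, OPENSSL_ALGO_SHA256);
print_r(verifyBoundJwt("$h.$p." . b64url($sig), $keys));
// Same kid, but the header names another algorithm: rejected before any signature check.
$h2 = b64url(json_encode(['alg' => 'HS256', 'kid' => 'rsa-1']));
try {
    verifyBoundJwt("$h2.$p." . b64url($sig), $keys);
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```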