Update dependency league/oauth2-server to v9

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
league/oauth2-server (source)	^8.3.5 -> ^8.3.5 || ^9.0.0

---

Release Notes

thephpleague/oauth2-server (league/oauth2-server)

v9.1.0

Compare Source

Added

• Support for PHP 8.4 (PR #​1454)

Fixed

• In the Auth Code grant, when requesting an access token with an invalid auth code, we now respond with an invalid_grant error instead of invalid_request (PR #​1433)
• Fixed spec compliance issue where device access token request was mistakenly expecting to receive scopes in the request (PR #​1412)
• Refresh tokens pre version 9 might have had user IDs set as ints which meant they were incorrectly rejected. We now cast these values to strings to allow old refresh tokens (PR #​1436)

v9.0.1

Compare Source

Fixed

• Auto-generated event emitter is now persisted. Previously, a new emitter was generated every time (PR #​1428)
• Fixed bug where you could not omit a redirect uri even if one had not been specified during the auth request (PR #​1428)
• Fixed bug where "state" parameter wasn't present on invalid_scope error response and wasn't on fragment part of access_denied redirect URI on Implicit grant (PR #​1298)
• Fixed bug where disabling refresh token revocation via revokeRefreshTokens(false) unintentionally disables issuing new refresh token (PR #​1449)

v9.0.0

Compare Source

Added

• Device Authorization Grant added (PR #​1074)
• GrantTypeInterface has a new function, revokeRefreshTokens() for enabling or disabling refresh tokens after use (PR #​1375)
• A CryptKeyInterface to allow developers to change the CryptKey implementation with greater ease (PR #​1044)
• The authorization server can now finalize scopes when a client uses a refresh token (PR #​1094)
• An AuthorizationRequestInterface to make it easier to extend the AuthorizationRequest (PR #​1110)
• Added function getKeyContents() to the CryptKeyInterface (PR #​1375)

Fixed

• Basic authorization is now case insensitive (PR #​1403)
• If a refresh token has expired, been revoked, cannot be decrypted, or does not belong to the correct client, the server will now issue an invalid_grant error and a HTTP 400 response. In previous versions the server incorrectly issued an invalid_request and HTTP 401 response (PR #​1042) (PR #​1082)

Changed

• All interfaces now specify types for all params and return values. Strict typing enforced (PR #​1074)
• Request parameters are now parsed into strings to use internally in the library (PR #​1402)
• Authorization Request objects are now created through the factory method, createAuthorizationRequest() (PR #​1111)
• Changed parameters for finalizeScopes() to allow a reference to an auth code ID (PR #​1112)
• AccessTokenEntityInterface now requires the implementation of toString() instead of the magic method __toString() (PR #​1395)

Removed

• Removed message property from OAuthException HTTP response. Now just use error_description as per the OAuth 2 spec (PR #​1375)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

Read more information about the use of Renovate Bot within Laminas.