3.3.0 release #898

Merged
merged 26 commits into from
Jun 17, 2025
JonathanHuot
Member

Dear community, upstreams & downstream consumers @evonove, @masci, @singingwolfboy & al,
Please check if this 3.3.0 release is working with your projects.
Unless there are any major issues, this will go out soon.

@JonathanHuot JonathanHuot changed the title 3.3.0 release WIP: 3.3.0 release May 14, 2025
@JonathanHuot
Member Author

Put on hold until #899 is resolved.

JonathanHuot and others added 2 commits May 14, 2025 22:02
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@pennersr
Contributor

I have a test case that works fine with 3.2.2, but fails when using:

git+https://github.com/oauthlib/oauthlib@dab6a5ae1830ddd8a79c1e9687f63508eae60b57

An assert starts failing here -- when refreshing the token:

https://codeberg.org/allauth/django-allauth/src/branch/main/allauth/idp/oidc/tests/test_views.py#L430

The failure is as follows:

FAILED allauth/idp/oidc/tests/test_views.py::test_refresh_token - AssertionError: assert {'access_token': 'P3lWEna6Z2HPjDbKUx2JqtcadIePjo0PcLAW8O3C_B1gmeNZCM3uOfob-EwkkeWj0SdxbrudyETDulmAzrbx-A', 'expires_in': 3600, 'token_type': 'Bearer', 'scope': 'openid profile', 'refresh_token': 's6CAVWD7IF46vVl6xO9BRnEOyFnhbuzwIQZM3XQw6k4vYHieXX8-wcgcwV_iBvjqJU-T3ay2niAiDmPfeZ8cQA', 'id_token': 'eyJhbGciOiJSUzI1NiIsImtpZCI6InhWYkt1bXg1X2o0SlduRGE0TXc4M1IyWk5SNDEtRHhnVDgxcGxJWXZNLWMiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJmMmIxMDI0ZjE5MjI0MWFhYjk1OTZlZWZkMzY2MTk4OSIsImlhdCI6MTc0Nzc2NDQyOSwiYXRfaGFzaCI6ImdzUlA0OXNQYy1GM1kyTll2NXVRMEEiLCJpc3MiOiJodHRwOi8vdGVzdHNlcnZlciIsImV4cCI6MTc0Nzc2NDcyOSwianRpIjoiNDg2MzdjYjRiYTcxNDY0OGEzYThjZTkxNzQ4ZjYyMTciLCJzdWIiOiIxIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYjJhN2JhYzcxOGM2NDk3MjgwZTk1N2FhZjNmNGQ1NjYifQ.L7P5M0brhtkGN1n_ocrtod-wHj_AroMVkb6z30vJIR8eF2rbzipYJgmbeEIVEfcDlAJR351iI8Z79PQcSg0C_sBKWeODcNd22Y0duV51TR5mFyU9mA2jJhQDA2pxaKMEgTcDtnboxBW4qgndnsr0DPEVGEyg3N7vNgheefdlxg0eJItQTzS4lC_o_kK9sffUocEFGxGAsXFea3rSZ4-RiMOB_Xv5apKmLuO98ZFx-eC_B6JY4QjTtDlWPrjQFap_Y9ZYgcwsJvdtkHw8X-OYDvJ6ovlaY-JK59DFYvGgHmFnQ6M79ENw0J71B1WzZMMege9aJcpTXfI5UICfHk3X9A'} == {'access_token': <ANY>, 'expires_in': 3600, 'refresh_token': <ANY>, 'scope': 'openid profile', 'token_type': 'Bearer'}
  
  Common items:
  {'access_token': 'P3lWEna6Z2HPjDbKUx2JqtcadIePjo0PcLAW8O3C_B1gmeNZCM3uOfob-EwkkeWj0SdxbrudyETDulmAzrbx-A',
   'expires_in': 3600,
   'refresh_token': 's6CAVWD7IF46vVl6xO9BRnEOyFnhbuzwIQZM3XQw6k4vYHieXX8-wcgcwV_iBvjqJU-T3ay2niAiDmPfeZ8cQA',
   'scope': 'openid profile',
   'token_type': 'Bearer'}
  Left contains 1 more item:
  {'id_token': 'eyJhbGciOiJSUzI1NiIsImtpZCI6InhWYkt1bXg1X2o0SlduRGE0TXc4M1IyWk5SNDEtRHhnVDgxcGxJWXZNLWMiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJmMmIxMDI0ZjE5MjI0MWFhYjk1OTZlZWZkMzY2MTk4OSIsImlhdCI6MTc0Nzc2NDQyOSwiYXRfaGFzaCI6ImdzUlA0OXNQYy1GM1kyTll2NXVRMEEiLCJpc3MiOiJodHRwOi8vdGVzdHNlcnZlciIsImV4cCI6MTc0Nzc2NDcyOSwianRpIjoiNDg2MzdjYjRiYTcxNDY0OGEzYThjZTkxNzQ4ZjYyMTciLCJzdWIiOiIxIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYjJhN2JhYzcxOGM2NDk3MjgwZTk1N2FhZjNmNGQ1NjYifQ.L7P5M0brhtkGN1n_ocrtod-wHj_AroMVkb6z30vJIR8eF2rbzipYJgmbeEIVEfcDlAJR351iI8Z79PQcSg0C_sBKWeODcNd22Y0duV51TR5mFyU9mA2jJhQDA2pxaKMEgTcDtnboxBW4qgndnsr0DPEVGEyg3N7vNgheefdlxg0eJItQTzS4lC_o_kK9sffUocEFGxGAsXFea3rSZ4-RiMOB_Xv5apKmLuO98ZFx-eC_B6JY4QjTtDlWPrjQFap_Y9ZYgcwsJvdtkHw8X-OYDvJ6ovlaY-JK59DFYvGgHmFnQ6M79ENw0J71B1WzZMMege9aJcpTXfI5UICfHk3X9A'}
  
  Full diff:
    {
  -     'access_token': <ANY>,
  +     'access_token': 'P3lWEna6Z2HPjDbKUx2JqtcadIePjo0PcLAW8O3C_B1gmeNZCM3uOfob-EwkkeWj0SdxbrudyETDulmAzrbx-A',
        'expires_in': 3600,
  -     'refresh_token': <ANY>,
  +     'id_token': 'eyJhbGciOiJSUzI1NiIsImtpZCI6InhWYkt1bXg1X2o0SlduRGE0TXc4M1IyWk5SNDEtRHhnVDgxcGxJWXZNLWMiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJmMmIxMDI0ZjE5MjI0MWFhYjk1OTZlZWZkMzY2MTk4OSIsImlhdCI6MTc0Nzc2NDQyOSwiYXRfaGFzaCI6ImdzUlA0OXNQYy1GM1kyTll2NXVRMEEiLCJpc3MiOiJodHRwOi8vdGVzdHNlcnZlciIsImV4cCI6MTc0Nzc2NDcyOSwianRpIjoiNDg2MzdjYjRiYTcxNDY0OGEzYThjZTkxNzQ4ZjYyMTciLCJzdWIiOiIxIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYjJhN2JhYzcxOGM2NDk3MjgwZTk1N2FhZjNmNGQ1NjYifQ.L7P5M0brhtkGN1n_ocrtod-wHj_AroMVkb6z30vJIR8eF2rbzipYJgmbeEIVEfcDlAJR351iI8Z79PQcSg0C_sBKWeODcNd22Y0duV51TR5mFyU9mA2jJhQDA2pxaKMEgTcDtnboxBW4qgndnsr0DPEVGEyg3N7vNgheefdlxg0eJItQTzS4lC_o_kK9sffUocEFGxGAsXFea3rSZ4-RiMOB_Xv5apKmLuO98ZFx-eC_B6JY4QjTtDlWPrjQFap_Y9ZYgcwsJvdtkHw8X-OYDvJ6ovlaY-JK59DFYvGgHmFnQ6M79ENw0J71B1WzZMMege9aJcpTXfI5UICfHk3X9A',
  +     'refresh_token': 's6CAVWD7IF46vVl6xO9BRnEOyFnhbuzwIQZM3XQw6k4vYHieXX8-wcgcwV_iBvjqJU-T3ay2niAiDmPfeZ8cQA',
        'scope': 'openid profile',
        'token_type': 'Bearer',
    }
======================================================== 1 failed, 23 deselected, 7 warnings in 1.67s ========================================================

So, with the new version an additional id_token key appears which was not there before.

@JonathanHuot
Member Author

Might be related to changes added since 7e69a15

Based on the commit only, if openid is present in scope, you will have an id_token by default which seems to be the natural expected behavior.
Let me dig into what we have done for these pre_configured servers and see if they are accurate.

Added similar behaviors to all interfaces where expires_at is parsed; this will facilitate the implementations. Note this is a breaking change for those who are expecting the "default" `expires_at` (as in, not provided) to be a float. This will now default to an int.
Handle expires_at with best effort basis
@JonathanHuot
Member Author

Hi @pennersr, while the specification does not enforce having id_token in the refresh response, from an oauthlib perspective, the preconfigured openid server uses the RefreshGrant provided by the openid and not the oauth2 flavor.

So the new behavior seems logical to me.
We will release a 3.3.0 with this new behavior soon, but happy to discuss further.

Thanks for your feedback.
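
Added example (not oauthlib or django-allauth code): a shape check a downstream test could use in place of strict dict equality, so that a refresh response passes with or without `id_token`. The names `check_refresh_response` and `make_sample_id_token`, the client id and the sample bodies are constructed for illustration; the token signature is not verified here.

```python
import base64
import json

REQUIRED = {"access_token", "token_type"}  # required by RFC 6749 section 5.1
OPTIONAL = {"expires_in", "refresh_token", "scope", "id_token"}


def _segment_json(segment):
    """Decode one base64url JWT segment to Python data (no signature check)."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def check_refresh_response(body, client_id):
    """Return a list of problems in a refresh-token response; empty means OK."""
    keys = set(body)
    problems = [f"missing {k}" for k in sorted(REQUIRED - keys)]
    problems += [f"unexpected {k}" for k in sorted(keys - REQUIRED - OPTIONAL)]
    if "id_token" not in body:
        return problems  # 3.2.2-style response: nothing more to check
    if "scope" in body and "openid" not in body["scope"].split():
        problems.append("id_token without openid scope")
    parts = body["id_token"].split(".")
    if len(parts) != 3:
        return problems + ["id_token is not a compact JWS"]
    try:
        claims = _segment_json(parts[1])
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all raise ValueError
        return problems + ["id_token payload is not JSON"]
    aud = claims.get("aud") if isinstance(claims, dict) else None
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("id_token aud mismatch")
    return problems


def make_sample_id_token(claims):
    """Constructed demo token; the third segment is a dummy, not a signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "ZHVtbXk"])


# Constructed sample bodies shaped like the responses in the report above.
OLD_STYLE = {"access_token": "constructed-access", "expires_in": 3600,
             "token_type": "Bearer", "scope": "openid profile",
             "refresh_token": "constructed-refresh"}
NEW_STYLE = dict(OLD_STYLE, id_token=make_sample_id_token(
    {"aud": "constructed-client", "sub": "1"}))

if __name__ == "__main__":
    for name, body in (("3.2.2-style", OLD_STYLE), ("3.3.0-style", NEW_STYLE)):
        print(name, check_refresh_response(body, "constructed-client"))
```
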

@JonathanHuot JonathanHuot changed the title WIP: 3.3.0 release 3.3.0 release Jun 15, 2025
@JonathanHuot JonathanHuot added this to the 3.3.0 milestone Jun 15, 2025
@JonathanHuot JonathanHuot merged commit 6413d2e into master Jun 17, 2025
33 checks passed
@JonathanHuot JonathanHuot deleted the 2025-05-release branch June 18, 2025 20:53