Releases: oauthlib/oauthlib
Releases · oauthlib/oauthlib
v3.3.1
What's Changed
- Stop installing
examplesintosite-packagesby @mgorny in #904 - Add explicit GHSA for vuln disclosure by @JonathanHuot in #903
- Add mandatory RTD configuration by @JonathanHuot in #908
- Fix 3.3.0 regression of expires_in by @JonathanHuot in #907
Full Changelog: v3.3.0...v3.3.1
Contributors
mgorny and JonathanHuot
Assets 2
3.3.0
What's Changed
See also CHANGELOG.md
- Use proper SPDX identifier by @Shortfinga in #836
- Upgrade GitHub Actions and make bandit, codespell, and pytest mandatory by @cclauss in #835
- OAuth2Error: Allow falsy values as state by @TiphaineLAURENT in #815
- Update pre-configured OIDC server to use OIDC flavor of Refresh Token grant type by @burkel24 in #838
- Update setup.cfg to use license_files by @mgorny in #839
- Ensure expires_at is always int by @sindrig in #828
- create security policy by @auvipy in #831
- Fix failing GitHub Action lint_python.yml by @cclauss in #854
- Lint with ruff to replace bandit, flake8, isort, pyupgrade by @cclauss in #855
- Add classifier for Python 3.11 by @eseifert in #840
- Move from Travis to GitHub Actions CI by @auvipy in #834
- Add support for Python 3.12 by @hugovk in #859
- CI: Only attempt upload for upstream by @hugovk in #858
- Lint with ruff to replace bandit, flake8, isort, pyupgrade by @cclauss in #861
- Ensure that
request.client_idis set during Refresh Token Grant. by @luhn in #853 - Tox use ruff by @cclauss in #864
- Make UtilsTests.test_filter_params Python 3.13+ compatible by @hroncok in #866
- Create dependency-review.yml by @auvipy in #850
- Update supported python versions in classifier by @auvipy in #860
- Coveralls parallel is True — Turn GitHub Actions green by @cclauss in #871
- Fix CI Errors by @shawnz in #878
- Update create_code_verifier to output the proper length by @shawnz in #876
- Add the device authorization endpoint (RFC8628 section 3.1 & 3.2) by @duzumaki in #881
- Add support for Python 3.13 by @hugovk in #883
- Allow user_code to be configured for device auth flow (Device Authorization Grant) by @duzumaki in #885
- Guard ui_locales.split() by @jaap3 in #879
- Add DeviceCodeGrant type for device code flow(rfc8628) section 3.4 & 3.5 by @duzumaki in #889
- Device flow: Pass verification_uri_complete to endpoint + pass Server kwargs to DeviceCodeGrant to allow validators to be setup with more flexibility by @duzumaki in #891
- Remove code verifier regex by @shawnz in #893
- Remove generic classifier by @EvertonSA in #895
- docs: add django-allauth to available options by @pennersr in #902
- Handle expires_at with best effort basis by @JonathanHuot in #900
- 3.3.0 release by @JonathanHuot in #898
New Contributors
- @Shortfinga made their first contribution in #836
- @TiphaineLAURENT made their first contribution in #815
- @burkel24 made their first contribution in #838
- @sindrig made their first contribution in #828
- @eseifert made their first contribution in #840
- @hroncok made their first contribution in #866
- @shawnz made their first contribution in #878
- @duzumaki made their first contribution in #881
- @jaap3 made their first contribution in #879
- @EvertonSA made their first contribution in #895
- @pennersr made their first contribution in #902
Full Changelog: v3.2.2...v3.3.0
Contributors
jaap3, mgorny, and 15 other contributors
Assets 2
3.2.2
OAuth2.0 Provider:
3.2.1
In short
OAuth2.0 Provider:
- #803 : Metadata endpoint support of non-HTTPS
OAuth1.0:
- #818 : Allow IPv6 being parsed by signature
General:
- Improved and fixed documentation warnings.
- Cosmetic changes based on isort
What's Changed
- add missing slots to TokenBase by @ariebovenberg in #804
- Add CORS support for Refresh Token Grant. by @luhn in #806
- GitHub Action to lint Python code by @cclauss in #797
- Docs: fix Sphinx warnings for better ReadTheDocs generation by @JonathanHuot in #807
- Allow non-HTTPS issuer when OAUTHLIB_INSECURE_TRANSPORT. by @luhn in #803
- chore: fix typo in test by @tamanobi in #816
- Fix typo in server.rst by @NemanjaT in #819
- Fixed isort imports by @dasm in #820
- docs: Fix a few typos by @timgates42 in #822
- docs: fix typos by @kianmeng in #823
New Contributors
- @ariebovenberg made their first contribution in #804
- @tamanobi made their first contribution in #816
- @NemanjaT made their first contribution in #819
- @kianmeng made their first contribution in #823
Full Changelog: v3.2.0...v3.2.1
Contributors
kianmeng, JonathanHuot, and 7 other contributors
Assets 2
3.2.0
Changelog
OAuth2.0 Client:
- #795: Add Device Authorization Flow for Web Application
- #786: Add PKCE support for Client
- #783: Fallback to none in case of wrong expires_at format.
OAuth2.0 Provider:
- #790: Add support for CORS to metadata endpoint.
- #791: Add support for CORS to token endpoint.
- #787: Remove comma after Bearer in WWW-Authenticate
OAuth2.0 Provider - OIDC:
- #755: Call save_token in Hybrid code flow
- #751: OIDC add support of refreshing ID Tokens with
refresh_id_token - #751: The RefreshTokenGrant modifiers now take the same arguments as the
AuthorizationCodeGrant modifiers (token,token_handler,request).
General:
- Added Python 3.9, 3.10, 3.11
- Improve Travis & Coverage
New Contributors
- @kazkansouh made their first contribution in #771
- @riconnon made their first contribution in #777
- @dotGiff made their first contribution in #783
- @freeman1981 made their first contribution in #787
- @Xpyder made their first contribution in #793
- @rigzba21 made their first contribution in #786
- @cclauss made their first contribution in #796
- @kellyma2 made their first contribution in #795
Full Changelog: v3.1.1...v3.2.0
Contributors
kazkansouh, riconnon, and 6 other contributors
Assets 2
3.1.1
OAuth2.0 Provider - Bugfixes
- #753: Fix acceptance of valid IPv6 addresses in URI validation
OAuth2.0 Client - Bugfixes
- #730: Base OAuth2 Client now has a consistent way of managing the
scope: it consistently
relies on thescopeprovided in the constructor if any, except if overridden temporarily
in a method call. Note that in particular providing a non-Nonescopein
prepare_authorization_requestorprepare_refresh_tokendoes not override anymore
self.scopeforever, it is just used temporarily. - #726: MobileApplicationClient.prepare_request_uri and MobileApplicationClient.parse_request_uri_response,
ServiceApplicationClient.prepare_request_body,
and WebApplicationClient.prepare_request_uri now correctly use the defaultscopeprovided in
constructor. - #725: LegacyApplicationClient.prepare_request_body now correctly uses the default
scopeprovided in constructor
OAuth2.0 Provider - Bugfixes
- #711: client_credentials grant: fix log message
- #746: OpenID Connect Hybrid - fix nonce not passed to add_id_token
- #756: Different prompt values are now handled according to spec (e.g. prompt=none)
- #759: OpenID Connect - fix Authorization: Basic parsing
General
3.1.0
3.1.0 is an feature release including improvement to OIDC and security enhancements. Check-it out !
OAuth2.0 Provider - Features
- #660: OIDC add support of nonce, c_hash, at_hash fields
- New RequestValidator.fill_id_token method
- Deprecated RequestValidator.get_id_token method
- #677: OIDC add UserInfo endpoint
- New RequestValidator.get_userinfo_claims method
OAuth2.0 Provider - Security
- #665: Enhance data leak to logs
- New default to not expose request content in logs
- New function oauthlib.set_debug(True)
- #666: Disabling query parameters for POST requests
OAuth2.0 Provider - Bugfixes
- #670: Fix validate_authorization_request to return the new PKCE fields
- #674: Fix token_type to be case-insensitive (bearer and Bearer)
OAuth2.0 Client - Bugfixes
- #290: Fix Authorization Code's errors processing
- #603: BackendApplication.Client.prepare_request_body use the "scope" argument as intended.
- #672: Fix edge case when expires_in=Null
OAuth1.0 Client
- #669: Add case-insensitive headers to oauth1 BaseEndpoint
3.0.2
Bug fix release
- #650: OAuth1: Fixed space encoding in base string URI used in the signature base string.
- #654: OAuth2: Doc: The value state must not be stored by the AS, only returned in /authorize response.
- #652: OIDC: Fixed /token response which wrongly returned "&state=None"
- #656: OIDC: Fixed "nonce" checks: raise errors when it's mandatory
3.0.1
3.0.0
This is a major release containing API Breaking changes, and new major features. See the full list below:
OAuth2.0 Provider - outstanding Features
- OpenID Connect Core support
- RFC7662 Introspect support
- RFC8414 OAuth2.0 Authorization Server Metadata support (#605)
- RFC7636 PKCE support (#617 #624)
OAuth2.0 Provider - API/Breaking Changes
- Add "request" to confirm_redirect_uri #504
- confirm_redirect_uri/get_default_redirect_uri has a bit changed #445
- invalid_client is now a FatalError #606
- Changed errors status code from 401 to 400:
- invalid_grant: #264
- invalid_scope: #620
- access_denied/unauthorized_client/consent_required/login_required #623
- 401 must have WWW-Authenticate HTTP Header set. #623
OAuth2.0 Provider - Bugfixes
OAuth2.0 Client - Bugfixes / Changes:
- expires_in in Implicit flow is now an integer #569
- expires is no longer overriding expires_in #506
- parse_request_uri_response is now required #499
- Unknown error=xxx raised by OAuth2 providers was not understood #431
- OAuth2's
prepare_token_requestsupports sending an empty string forclient_id(#585) - OAuth2's
WebApplicationClient.prepare_request_bodywas refactored to better
support sending or omitting theclient_idvia a newinclude_client_idkwarg.
By default this is included. The method will also emit a DeprecationWarning if
aclient_idparameter is submitted; the already configuredself.client_id
is the preferred option. (#585)
OAuth1.0 Client:
- Support for HMAC-SHA256 #498
General fixes: