authlib

The ultimate Python library in building OAuth, OpenID Connect clients and servers. JWS,JWE,JWK,JWA,JWT included.

BSD-3-CLAUSE License

Downloads: 16.2M
Stars: 4.5K
Committers: 113
authlib - Version 1.3.2

Published by lepture about 2 months ago

  • Prevent ever-growing session size for OAuth clients.
  • Revert quote client id and secret.
  • Unquote the basic auth header for the authorization server.
authlib - Version 1.3.1 Latest Release

Published by lepture 5 months ago

Prevent OctKey from importing SSH and PEM strings.

authlib - Version 1.3.0

Published by lepture 10 months ago

Bug fixes

  • Restore AuthorizationServer.create_authorization_response behavior, via #558 by @TurnrDev
  • Include leeway in validate_iat() for JWT, via #565 by @dhallam
  • Fix encode_client_secret_basic, via #594 by @Prilkop
  • Use single key in JWK if JWS does not specify kid, via #596 by @dklimpel
  • Fix error when RFC9068 JWS has no scope field, via #598 by @tanguilp
  • Get werkzeug version using importlib, via #591 by @Sparrow0hawk

Breaking changes

  • RFC9068 implementation, via #586 by @azmeuk.
authlib - Version 1.2.1

Published by lepture 11 months ago

  • Apply headers in ClientSecretJWT.sign method, via #552
  • Allow falsy but non-None grant uri params, via #544
  • Fixed authorize_redirect for Starlette v0.26.0, via #533
  • Removed has_client_secret method and documentation, via #513
  • Removed remaining occurrences of request_invalid and token_revoked and their documentation. #514
  • Fixed RFC7591 grant_types and response_types default values, via #509
  • Add support for python 3.12, via #590
authlib - Version 1.2.0

Published by lepture almost 2 years ago

  • Not passing request.body to ResourceProtector, #485.
  • Use flask.g instead of _app_ctx_stack, #482.
  • Add headers parameter back to ClientSecretJWT, #457.
  • Always passing realm parameter in OAuth 1 clients, #339.
  • Implemented RFC7592 Dynamic Client Registration Management Protocol, #505
  • Add default_timeout for requests OAuth2Session and AssertionSession.
  • Deprecate jwk.loads and jwk.dumps
authlib - Version 1.1.0

Published by lepture almost 2 years ago

This release contains breaking changes and security fixes.

  • Allow passing claims_options to framework OpenID Connect clients, via #446 by @Galaxy102
  • Fix .stream with context for HTTPX OAuth clients, via #465 by @bjoernmeier
  • Fix Starlette OAuth client for cache store, via #478 by @haggen

Breaking changes:

  • Raise InvalidGrantError for invalid code, redirect_uri and no user errors in OAuth 2.0 server.
  • The default authlib.jose.jwt only works with JSON Web Signature algorithms. If you would like to use JWT with JWE algorithms, pass the algorithms parameter explicitly:

    jwt = JsonWebToken(['A128KW', 'A128GCM', 'DEF'])

Security fixes for JOSE module

  • CVE-2022-39175
  • CVE-2022-39174
authlib - Version 1.0.1

Published by lepture over 2 years ago

  • Fix authenticate_none method, via #438.
  • Allow passing an alternative signing algorithm to RFC7523 authentication methods, via #447.
  • Fix missing_token for Flask OAuth client, via #448.
  • Allow openid in any place of the scope, via #449.
  • Security fix for validating essential value on blank value in JWT, via #445.
authlib - Version 1.0.0

Published by lepture over 2 years ago

We have dropped support for Python 2 in this release. We have removed the built-in SQLAlchemy integration.

OAuth Client Changes:

All framework client integrations have been restructured. If you are using the client as documented, e.g. oauth.register(...), it will work as before.

OAuth Provider Changes:

In the Flask OAuth 2.0 provider, we have removed the deprecated OAUTH2_JWT_XXX configuration; instead, developers should define .get_jwt_config on OpenID extensions and grant types.

The SQLAlchemy integration has been removed from Authlib. Developers should define the database models themselves.

JOSE Changes

  • JWS has been renamed to JsonWebSignature
  • JWE has been renamed to JsonWebEncryption
  • JWK has been renamed to JsonWebKey
  • JWT has been renamed to JsonWebToken

The "Key" model has been redesigned; check out the JSON Web Key documentation for the updates.

Added ES256K algorithm for JWS and JWT.

Breaking Changes: find out how to resolve the deprecation issues via https://git.io/JkY4f

authlib - Version 0.15.5

Published by lepture about 3 years ago

  • Make Authlib compatible with latest httpx
  • Make Authlib compatible with latest werkzeug
  • Allow customize RFC7523 alg value
authlib - Version 0.15.4

Published by lepture over 3 years ago

Security fix for JWT claims whose value is None.

For example, a JWT payload with iss=None:

{
  "iss": None,
  ...
}

But we decode it with claims_options that mark iss as essential:

claims_options = {
  'iss': {'essential': True, 'values': ['required']}
}
jwt.decode(token, key, claims_options=claims_options)

Before this fix, this did not raise an error: the claim key was present, so the essential check passed even though the value was None.
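To make the failure mode behind this fix (and the related 1.0.1 fix for blank essential values) concrete, here is an added, self-contained illustration that is not authlib's own code. It implements a minimal claims validator with the same option shape as claims_options (essential, value, values): a naive variant that treats key presence as satisfying "essential", beside a hardened variant that rejects None and blank values. The claim sets and option dictionaries are constructed for the example; the function and exception names are assumptions, not authlib's API.

```python
"""Illustrative essential-claim validation (not authlib's code).

Constructed to show why a claim that is present but None (or blank)
must be treated the same as a missing claim.
"""


class MissingClaimError(ValueError):
    """Raised when an essential claim is absent, None, or blank."""


class InvalidClaimError(ValueError):
    """Raised when a claim is present but does not match the options."""


def _check_allowed(name, value, option):
    """Enforce the optional 'value' / 'values' constraints on a claim."""
    expected = option.get("value")
    if expected is not None and value != expected:
        raise InvalidClaimError(name)
    allowed = option.get("values")
    if allowed and value not in allowed:
        raise InvalidClaimError(name)


def validate_claims_naive(claims, claims_options):
    """Buggy variant: 'essential' is satisfied by mere key presence.

    A payload such as {"iss": None} slips through, because the key exists
    and the value constraints are skipped for None.
    """
    for name, option in claims_options.items():
        if option.get("essential") and name not in claims:
            raise MissingClaimError(name)
        value = claims.get(name)
        if value is not None:
            _check_allowed(name, value, option)
    return True


def validate_claims_fixed(claims, claims_options):
    """Hardened variant: None and blank strings do not satisfy 'essential'."""
    for name, option in claims_options.items():
        value = claims.get(name)
        is_blank = value is None or (isinstance(value, str) and not value.strip())
        if option.get("essential") and is_blank:
            raise MissingClaimError(name)
        if is_blank:
            # Non-essential claim with no usable value: nothing to compare.
            continue
        _check_allowed(name, value, option)
    return True


# Constructed sample inputs, mirroring the release note above.
CLAIMS_OPTIONS = {"iss": {"essential": True, "values": ["required"]}}
PAYLOAD_NONE_ISS = {"iss": None, "sub": "alice"}
PAYLOAD_BLANK_ISS = {"iss": "   ", "sub": "alice"}
PAYLOAD_GOOD = {"iss": "required", "sub": "alice"}


def naive_accepts_none_iss():
    """True if the naive validator wrongly accepts iss=None."""
    try:
        return validate_claims_naive(PAYLOAD_NONE_ISS, CLAIMS_OPTIONS)
    except MissingClaimError:
        return False


def fixed_rejects(payload):
    """True if the hardened validator raises MissingClaimError for payload."""
    try:
        validate_claims_fixed(payload, CLAIMS_OPTIONS)
    except MissingClaimError:
        return True
    return False


if __name__ == "__main__":
    print("naive accepts iss=None:", naive_accepts_none_iss())
    print("fixed rejects iss=None:", fixed_rejects(PAYLOAD_NONE_ISS))
    print("fixed rejects blank iss:", fixed_rejects(PAYLOAD_BLANK_ISS))
    print("fixed accepts valid iss:", validate_claims_fixed(PAYLOAD_GOOD, CLAIMS_OPTIONS))
```

The design point is that "essential" must be checked against the claim's value, not against the presence of its key: a resource server that only tests membership lets a token with a null or whitespace issuer pass the very check meant to pin the issuer.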

authlib - Version 0.15.3

Published by lepture almost 4 years ago

Fixed .authorize_access_token for OAuth 1.0 services, via https://github.com/lepture/authlib/issues/308

authlib - Version 0.15.2

Published by lepture about 4 years ago

Fixed httpx authentication bug via #283

authlib - Version 0.15.1

Published by lepture about 4 years ago

Backward-compatible fix for using JWKs in JWT, via #280.

authlib - Version 0.15

Published by lepture about 4 years ago

This is the last release before v1.0. In this release, we added more RFC implementations and did some refactoring of JOSE:

  • RFC8037: CFRG Elliptic Curve Diffie-Hellman (ECDH) and Signatures in JSON Object Signing and Encryption (JOSE)
  • RFC7638: JSON Web Key (JWK) Thumbprint

We also fixed bugs for integrations:

  • Fixed support for HTTPX>=0.14.3
  • Added OAuth clients of HTTPX back via #270
  • Fixed parallel token refreshes for HTTPX async OAuth 2 client
  • Raise OAuthError when callback contains errors via #275

Breaking Change:

  1. The algorithms parameter of JsonWebSignature and JsonWebEncryption has changed. Usually you don't have to care about it, since you won't use it directly.
  2. The whole JSON Web Key module has been refactored; please check the JSON Web Key (JWK) documentation.
authlib - Version 0.14.3

Published by lepture over 4 years ago

  • Fix HTTPX integration via #232 and #233.
  • Add "bearer" as default token type for OAuth 2 Client.
  • JWS and JWE don't validate private headers by default.
  • Remove none auth method for authorization code by default.
  • Allow usage of user provided code_verifier via #216.
  • Add introspect_token method on OAuth 2 Client via #224.
authlib - Version 0.14.2

Published by lepture over 4 years ago

  • Fix OAuth 1.0 client for starlette.
  • Allow leeway option in client parse ID token via #228.
  • Fix OAuthToken when expires_at or expires_in is 0 via #227.
  • Fix auto refresh token logic.
  • Load server metadata before request.
authlib - Version 0.14.1

Published by lepture over 4 years ago

  • Quick fix for legacy imports of Flask and Django clients
authlib - Version 0.14

Published by lepture over 4 years ago

In this release, Authlib has introduced a new way to write framework integrations for clients.

Bug fixes and enhancements in this release:

  • Fix HTTPX integrations due to HTTPX breaking changes
  • Fix ES algorithms for JWS
  • Allow user given nonce via #180.
  • Fix OAuth errors get_headers leak.
  • Fix code_verifier via #165.

Breaking Change: drop sync OAuth clients of HTTPX.

authlib - Version 0.13

Published by lepture almost 5 years ago

This is the release that brings Authlib one more step closer to v1.0. We did a huge refactor of our integrations. Authlib believes in monolithic design, which lets us design the API to integrate with every framework in the best way. In this release, Authlib has reorganized the folder structure, moving every integration into the integrations folder. This makes it easier for Authlib to add more integrations in the future.

RFC implementations and updates in this release:

  • RFC7591: OAuth 2.0 Dynamic Client Registration Protocol
  • RFC8628: OAuth 2.0 Device Authorization Grant

New integrations and changes in this release:

  • HTTPX OAuth 1.0 and OAuth 2.0 clients in both sync and async way
  • Starlette OAuth 1.0 and OAuth 2.0 client registry
  • The experimental authlib.client.aiohttp has been removed

Bug fixes and enhancements in this release:

  • Add custom client authentication methods for framework integrations.
  • Refresh token automatically for client_credentials grant type.
  • Enhancements on JOSE, specifying alg values easily for JWS and JWE.
  • Add PKCE into requests OAuth2Session and HTTPX OAuth2Client.

Deprecation Changes: find out how to resolve the deprecation issues via https://git.io/Jeclj

authlib - Version 0.12.1

Published by lepture about 5 years ago

This is a bug fix version. Here are the fixes:

  1. Ensure client.get_allowed_scope on every grant type
  2. Add request.client before validate_requested_scope
Package Rankings

  • Top 0.82% on Pypi.org
  • Top 8.71% on Alpine-v3.17
  • Top 3.86% on Alpine-v3.16
  • Top 3.8% on Alpine-edge
  • Top 4.51% on Alpine-v3.14
  • Top 2.04% on Alpine-v3.18
  • Top 8.07% on Conda-forge.org
  • Top 8.17% on Proxy.golang.org
  • Top 20.52% on Anaconda.org
  • Top 3.83% on Alpine-v3.13
  • Top 5.68% on Alpine-v3.15