authlib

authlib - Version 0.12

Published by lepture about 5 years ago

Released on Sep 3, 2019.

Breaking Change: Authlib Grant system has been redesigned. If you
are creating OpenID Connect providers, please read the new documentation
for OpenID Connect.

Important Update: Django OAuth 2.0 server integration is ready now.
You can create OAuth 2.0 provider and OpenID Connect 1.0 with Django
framework.

RFC implementations and updates in this release:

RFC6749: Fixed scope validation, omit the invalid scope
RFC7521: Added a common AssertionClient for the assertion framework
RFC7662: Added IntrospectionToken for introspection token endpoint
OpenID Connect Discover: Added discovery model based on RFC8414

Refactor and bug fixes in this release:

Breaking Change: add RefreshTokenGrant.revoke_old_credential method
Rewrite lots of code for authlib.client, no breaking changes
Refactor OAuth2Request, use explicit query and form
Change requests to optional dependency
Add AsyncAssertionClient for aiohttp

Deprecate Changes: find how to solve the deprecate issues via https://git.io/fjPsV

Code Changes: https://github.com/lepture/authlib/compare/v0.11...v0.12

authlib - Version 0.11

Published by lepture over 5 years ago

BIG NEWS: Authlib has changed its open source license from AGPL to BSD.

Important Changes: Authlib specs module has been split into jose, oauth1, oauth2, and oidc. Find how to solve the deprecate issues via https://git.io/fjvpt.

RFC implementations and updates in this release:

RFC7518: Added A128GCMKW, A192GCMKW, A256GCMKW algorithms for JWE.
RFC5849: Removed draft-eaton-oauth-bodyhash-00 spec for OAuth 1.0.

Small changes and bug fixes in this release:

Fixed missing scope on password and client_credentials grant types of OAuth2Session via issue#96.
Fixed Flask OAuth client cache detection via issue#98.
Enabled ssl certificates for OAuth2Session via PR#100, thanks to pingz.
Fixed error response for invalid/expired refresh token via issue#112.
Fixed error handle for invalid redirect uri via issue#113.
Fixed error response redirect to fragment via issue#114.
Fixed non-compliant responses from RFC7009 via issue#119.

Experiment Features: There is an experiment aiohttp client for OAuth1 and OAuth2 in authlib.client.aiohttp.

Code Changes: https://github.com/lepture/authlib/compare/v0.10...v0.11

authlib - Version 0.10

Published by lepture about 6 years ago

The most important change in this version is grant extension system. When registering a grant, developers can pass extensions to the grant:

authorization_server.register_grant(GrantClass, [extension])

Find Flask Grant Extensions implementation.

RFC implementations and updates in this release:

RFC8414: OAuth 2.0 Authorization Server Metadata
RFC7636: make CodeChallenge a grant extension
OIDC: make OpenIDCode a grant extension

Besides that, there are other improvements:

Export save_authorize_state method on Flask and Django client
Add fetch_token to Django OAuth client
Add scope operator for @require_oauth Multiple Scopes
Fix two OAuth clients in the same Flask route PR#85

Deprecate Changes: find how to solve the deprecate issues via https://git.io/fAmW1

Code Changes: https://github.com/lepture/authlib/compare/v0.9...v0.10

authlib - Version 0.9

Published by lepture about 6 years ago

There is no big break changes in this version. The very great improvement is
adding JWE support. But the JWA parts of JWE are not finished yet, use with
caution.

RFC implementations in this release:

RFC7636: client and server implementation of Proof Key for Code Exchange by OAuth Public Clients.
RFC7523: easy integration of Using JWTs Client Assertion in OAuth2Session.
RFC7516: JWE compact serialization and deserialization.
RFC7519: JWT with JWE encode and decode.

Other Changes:

Fixed the lazy initialization of Flask OAuth 2.0 provider.
Deprecated authlib.client.apps from v0.7 has been dropped.

Documentation: https://docs.authlib.org/en/v0.9/

Code Changes: https://github.com/lepture/authlib/compare/v0.8...v0.9

authlib - Version 0.8

Published by lepture over 6 years ago

Authlib has tried to introduce Django OAuth server implementation in this
version. It turns out that it is not that easy. In this version, only Django
OAuth 1.0 server is provided.

As always, there are also RFC features added in this release, here is what's
in version 0.8:

RFC7523: Add JWTs for Client Authentication of JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants.
OIDC: Add response_mode=form_post support for OpenID Connect.

Improvement in this release:

A new redesigned error system. All errors are subclasses of a AuthlibBaseError.
I18N support for error descriptions.
Separate AuthorizationCodeMixin in authlib.flask.oauth2.sqla via issue#57.
Add context information when generate token via issue#58.
Improve JWT key handles, auto load JWK and JWK set.
Add require_oauth.acquire with statement, get example on Flask OAuth 2.0 Server.

Deprecate Changes: find how to solve the deprecate issues via https://git.io/vhL75

Code Changes: https://github.com/lepture/authlib/compare/v0.7...v0.8

authlib - Version 0.7

Published by lepture over 6 years ago

Authlib has changed its license from LGPL to AGPL. This is not a huge release like v0.6, but it still contains some deprecate changes, the good news is they are compatible, they won’t break your project. Authlib can’t go further without these deprecate changes.

As always, Authlib is adding specification implementations. Here is what’s new in version 0.7:

RFC7515: Refactored JWS, make it a full implementation.
RFC7521: Add AssertionSession, only works with RFC7523.
RFC7523: Add JWTBearerGrant, read the guide in JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants.

Besides that, there are more changes:

Add overwrite parameter for framework integrations clients.
Add response_mode=query for OpenID Connect implicit and hybrid flow.
Bug fix and documentation fix via issue#42, issue#43.
Dropping authlib.client.apps. Use loginpass instead.

Deprecate Changes: find how to solve the deprecate issues via https://git.io/vpCH5

Code Changes: https://github.com/lepture/authlib/compare/v0.6...v0.7

authlib - Version 0.6

Published by lepture over 6 years ago

From alpha to beta. This is a huge release with lots of deprecating changes and some breaking changes. And finally, OpenID Connect server is supported by now, because Authlib has added these specifications:

RFC7515: JSON Web Signature (JWS)
RFC7517: JSON Web Key (JWK)
RFC7518: JSON Web Algorithms (JWA)
RFC7519: JSON Web Token (JWT)

The specifications are not completed yet, but they are ready to use. The missing RFC7516 (JWE) is going to be implemented in next version. Open ID Connect 1.0 is added with:

Authentication using the Code Flow
Authentication using the Implicit Flow
Authentication using the Hybrid Flow
ID Token Validation

Besides that, there are more changes:

Implementation of RFC7662: OAuth 2.0 Token Introspection via #36.
Use the token_endpoint_auth_method concept defined in RFC7591.
Signal feature for Flask integration of OAuth 2.0 server.
Bug fixes for OAuth client parts, thanks for the instruction by Lukas Schink.

Breaking Changes:

the columns in authlib.flask.oauth2.sqla has been changed a lot. If you are using it, you need to upgrade your database.
use register_token_validator on ResourceProtector.
authlib.client.oauth1.OAuth1 has been renamed to authlib.client.oauth1.OAuth1Auth.

Deprecate Changes: find how to solve the deprecate issues via https://git.io/vAAUK

Code Changes: https://github.com/lepture/authlib/compare/v0.5.1...v0.6

authlib - Version 0.5.1

Published by lepture over 6 years ago

Just a quick bug fix release.

Fixed OAuth2Session.request with auth.

authlib - Version 0.5

Published by lepture over 6 years ago

This version breaks a lot of things. There are many redesigns in order to get a better stable API. It is still in Alpha stage, with these breaking changes, I hope Authlib will go into Beta in the next version.

Added register_error_uri() and its Flask integration.
OAuth2Session supports more grant types.
Deprecate built-in cache. Read more on issue#23.
Redesigned OAuth 1 Flask server. Read the docs Flask OAuth 1 Server.
Deprecate client_model. Read more on issue#27.
Breaking change on AuthorizationCodeGrant.create_authorization_code, last parameter is changed to an
OAuth2Request instance.
Rename callback_uri to redirect_uri in client.

authlib - Version 0.4.1

Published by lepture over 6 years ago

This is a quick bug fix version.

Fixed missing code params when fetching access token. This bug is introduced when fixing issue#16.

authlib - Version 0.4

Published by lepture over 6 years ago

This version is released when people are enjoying the super blue blood moon. That's why this version is called Tsukino. The full name would be Tsukino Usagi.

This is a feature releasing for OAuth 1 server. Things are not settled yet, there will still be breaking changes in the future. Some of the breaking changes are compatible with deprecated messages, a few are not. I’ll keep the deprecated message for 2 versions. Here is the main features:

RFC5847, OAuth 1 client and server
Flask implementation of OAuth 1 authorization server and resource protector.
Mixin of SQLAlchemy models for easy integration with OAuth 1.

In version 0.4, there is also several bug fixes. Thanks for the early contributors.

Allow Flask OAuth register fetch_token and update_token.
Bug fix for OAuthClient when refresh_token_params is None via PR#14.
Don’t pass everything in request args for Flask OAuth client via issue#16.
Bug fix for IDToken.validate_exp via issue#17.

authlib - Version 0.3

Published by lepture almost 7 years ago

This is a feature releasing for OAuth 2 server. Since this is the first release of the server implementation, you would expect that there are bugs, security vulnerabilities, and uncertainties. Try it bravely.