The ultimate Python library for building OAuth and OpenID Connect clients and servers. JWS, JWE, JWK, JWA and JWT included.
BSD-3-CLAUSE License
Published by lepture about 2 months ago
- quote client id and secret.
- unquote basic auth header for authorization server.
- Prevent OctKey from importing SSH and PEM strings. An OctKey is a symmetric (shared-secret) key; PEM or OpenSSH text is asymmetric key material and must not be turned into an HMAC secret, since a public key is by definition not secret.
Published by lepture 10 months ago
Bug fixes
Breaking changes
Published by lepture 11 months ago
- ClientSecretJWT.sign method, via #552
- authorize_redirect for Starlette v0.26.0, via #533
- has_client_secret method and documentation, via #513
- request_invalid and token_revoked remaining occurrences
- grant_types and response_types default values, via #509
Published by lepture almost 2 years ago
- request.body to ResourceProtector, #485.
- flask.g instead of _app_ctx_stack, #482.
- headers parameter back to ClientSecretJWT, #457.
- realm parameter in OAuth 1 clients, #339.
- default_timeout for requests OAuth2Session and AssertionSession.
- jwk.loads and jwk.dumps
Published by lepture almost 2 years ago
This release contains breaking changes and security fixes.
- claims_options to Framework OpenID Connect clients, via #446 by @Galaxy102.
- stream with context for HTTPX OAuth clients, via #465 by @bjoernmeier
Breaking changes:
- InvalidGrantError for invalid code, redirect_uri and no user errors in OAuth 2.0 server.
- authlib.jose.jwt now only works with JSON Web Signature algorithms by default. If you want to use JWT with JWE algorithms, pass the algorithms parameter explicitly:
  jwt = JsonWebToken(['A128KW', 'A128GCM', 'DEF'])
  A token whose header names an algorithm outside the configured list is rejected rather than accepted, so keep the list limited to the algorithms you actually issue and verify.
Security fixes for JOSE module
Published by lepture over 2 years ago
- authenticate_none method, via #438.
- missing_token for Flask OAuth client, via #448.
- openid in any place of the scope, via #449.
Published by lepture over 2 years ago
We have dropped support for Python 2 in this release. We have also removed the
built-in SQLAlchemy integration.
OAuth Client Changes:
All framework client integrations have been restructured. If you are
using the client as documented, e.g. oauth.register(...), it works as
before.
OAuth Provider Changes:
In the Flask OAuth 2.0 provider, we have removed the deprecated
OAUTH2_JWT_XXX
configuration. Instead, developers should define
.get_jwt_config
on OpenID extensions and grant types.
The SQLAlchemy integration has been removed from Authlib. Developers
should define the database models themselves.
JOSE Changes
JWS
has been renamed to JsonWebSignature
JWE
has been renamed to JsonWebEncryption
JWK
has been renamed to JsonWebKey
JWT
has been renamed to JsonWebToken
The "Key" model has been re-designed; check the JSON Web Key documentation for the updates.
Added ES256K
algorithm for JWS and JWT.
Breaking Changes: find how to solve the deprecation issues via https://git.io/JkY4f
Published by lepture about 3 years ago
alg value
Published by lepture over 3 years ago
Security fix for the case where a JWT claim is None. For example, the JWT payload has iss=None (i.e. the payload JSON contains "iss": null):
{
    "iss": None,
    ...
}
But we need to decode it with claims options:
claims_options = {
    'iss': {'essential': True, 'values': ['required']}
}
jwt.decode(token, key, claims_options=claims_options)
Before this fix, this did not raise an error, even though iss is marked essential and restricted to the value 'required'.
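To make the three JOSE-side checks from these release notes concrete (the OctKey refusal of PEM/SSH text, the explicit algorithm list passed to JsonWebToken, and an essential claim whose value is null), here is an added, self-contained HMAC-only JWT verifier written for this page. It is not Authlib's code and does not reproduce Authlib's API: the function names (load_oct_key, encode, decode, validate_claims), the JoseError type and the sample key are assumptions made for the example; only the claims_options shape mirrors the snippet above.

```python
"""Added example for this page (not Authlib's code): a minimal HMAC-only JWT
verifier showing three checks the release notes mention. All names here are
assumptions made for the example, not Authlib's API."""
import base64
import hashlib
import hmac
import json
from typing import Optional

HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


class JoseError(ValueError):
    """Raised for any key, header, signature or claim problem."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def load_oct_key(raw: bytes) -> bytes:
    """Accept raw shared-secret bytes only (cf. "Prevent OctKey to import ssh
    and PEM strings"). A PEM block or an OpenSSH public key is not a shared
    secret; if it were used as the HMAC key, anyone holding that public key
    could mint valid tokens."""
    if not raw:
        raise JoseError("empty key")
    head = raw.lstrip()[:32]
    if head.startswith(b"-----BEGIN") or head.startswith(
        (b"ssh-rsa ", b"ssh-ed25519 ", b"ecdsa-sha2-")
    ):
        raise JoseError("OctKey must not be created from PEM or SSH key material")
    return raw


def encode(header: dict, payload: dict, key: bytes) -> str:
    """Sign header.payload with the HMAC algorithm named in header['alg']."""
    alg = header.get("alg")
    if alg not in HMAC_ALGS:
        raise JoseError(f"unsupported alg {alg!r}")
    parts = [json.dumps(header, separators=(",", ":")), json.dumps(payload, separators=(",", ":"))]
    signing_input = ".".join(_b64url_encode(p.encode()) for p in parts)
    sig = hmac.new(load_oct_key(key), signing_input.encode(), HMAC_ALGS[alg]).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_claims(claims: dict, claims_options: dict) -> None:
    """claims_options has the shape used on this page:
    {'iss': {'essential': True, 'values': ['required']}}.
    A claim present with JSON null is treated as missing, so it fails the
    essential check and can never satisfy a 'values' list."""
    for name, opts in claims_options.items():
        value = claims.get(name)
        if opts.get("essential") and value is None:
            raise JoseError(f'"{name}" claim is required')
        allowed = opts.get("values")
        if value is not None and allowed is not None and value not in allowed:
            raise JoseError(f'"{name}" claim has invalid value')


def decode(token: str, key: bytes, algorithms: list,
           claims_options: Optional[dict] = None) -> dict:
    """Verify and return the claims. 'algorithms' is the caller's explicit
    allowlist (cf. JsonWebToken([...])): the alg named in the header must be
    in it, so a token signed with any other algorithm is rejected."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise JoseError("malformed token") from None
    header = json.loads(_b64url_decode(h))
    alg = header.get("alg")
    if alg not in algorithms or alg not in HMAC_ALGS:
        raise JoseError(f"alg {alg!r} is not allowed")
    expected = hmac.new(load_oct_key(key), f"{h}.{p}".encode(), HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise JoseError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims_options:
        validate_claims(claims, claims_options)
    return claims


if __name__ == "__main__":
    KEY = b"constructed-demo-secret"  # constructed sample key, not a real secret
    opts = {"iss": {"essential": True, "values": ["required"]}}
    good = encode({"alg": "HS256", "typ": "JWT"}, {"iss": "required", "sub": "alice"}, KEY)
    print(decode(good, KEY, ["HS256"], opts))
    null_iss = encode({"alg": "HS256"}, {"iss": None}, KEY)
    try:
        decode(null_iss, KEY, ["HS256"], opts)
    except JoseError as exc:
        print("rejected:", exc)
```

The signature is checked before the claims are looked at, and the key is validated on both the signing and the verifying side, so a misconfigured deployment fails closed at the first call rather than on the first forged token.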
Published by lepture almost 4 years ago
Fixed .authorize_access_token
for OAuth 1.0 services, via https://github.com/lepture/authlib/issues/308
Published by lepture about 4 years ago
Fixed httpx authentication bug via #283
Published by lepture about 4 years ago
Backward compatible fix for using JWKs in JWT, via #280.
Published by lepture about 4 years ago
This is the last release before v1.0. In this release, we added more RFC
implementations and did some refactoring of JOSE:
We also fixed bugs for integrations:
Breaking Change:
algorithms
in JsonWebSignature
and JsonWebEncryption
Published by lepture over 4 years ago
- none auth method for authorization code by default.
- code_verifier via #216.
- introspect_token method on OAuth 2 Client via #224.
Published by lepture over 4 years ago
- expires_at or expires_in is 0, via #227.
Published by lepture over 4 years ago
Published by lepture over 4 years ago
In this release, Authlib has introduced a new way to write framework integrations for clients.
Bug fixes and enhancements in this release:
Breaking Change: drop sync OAuth clients of HTTPX.
Published by lepture almost 5 years ago
This is the release that brings Authlib one more step closer to v1.0. We did a large refactor of our integrations. Authlib believes in monolithic design; it lets us design the API to integrate with every framework in the best way. In this release, Authlib has re-organized the folder structure, moving every integration into the integrations folder. This makes it easy to add more integrations
in the future.
RFC implementations and updates in this release:
New integrations and changes in this release:
authlib.client.aiohttp has been removed
Bug fixes and enhancements in this release:
alg values easily for JWS and JWE.
Deprecate Changes: find how to solve the deprecation issues via https://git.io/Jeclj
Published by lepture about 5 years ago
This is a bug fix version. Here are the fixes:
- client.get_allowed_scope on every grant type
- request.client before validate_requested_scope