Releases: lepture/authlib
Version 1.3.2
Version 1.3.1
Prevent OctKey to import ssh and PEM strings.
Version 1.3.0
Bug fixes
- Restore AuthorizationServer.create_authorization_response behavior, via #558 by @TurnrDev
- Include leeway in validate_iat() for JWT, via #565 by @dhallam
- Fix encode_client_secret_basic, via #594 by @Prilkop
- Use single key in JWK if JWS does not specify kid, via #596 by @dklimpel
- Fix error when RFC9068 JWS has no scope field, via #598 by @tanguilp
- Get werkzeug version using importlib, via #591 by @Sparrow0hawk
Breaking changes
Contributors
Assets 2
Version 1.2.1
- Apply headers in
ClientSecretJWT.signmethod, via #552 - Allow falsy but non-None grant uri params, via #544
- Fixed
authorize_redirectfor Starlette v0.26.0, via #533 - Removed
has_client_secretmethod and documentation, via #513 - Removed
request_invalidandtoken_revokedremaining occurences
and documentation. #514 - Fixed RFC7591
grant_typesandresponse_typesdefault values, via #509 - Add support for python 3.12, via #590
Version 1.2.0
- Not passing
request.bodytoResourceProtector, #485. - Use
flask.ginstead of_app_ctx_stack, #482. - Add
headersparameter back toClientSecretJWT, #457. - Always passing
realmparameter in OAuth 1 clients, #339. - Implemented RFC7592 Dynamic Client Registration Management Protocol, #505`
- Add
default_timeoutfor requestsOAuth2SessionandAssertionSession. - Deprecate
jwk.loadsandjwk.dumps
Version 1.1.0
This release contains breaking changes and security fixes.
- Allow to pass
claims_optionsto Framework OpenID Connect clients, via #446 by @Galaxy102 - Fix
.streamwith context for HTTPX OAuth clients, via #465 by @bjoernmeier - Fix Starlette OAuth client for cache store, via #478 by @haggen
Breaking changes:
- Raise
InvalidGrantErrorfor invalid code, redirect_uri and no user errors in OAuth 2.0 server. - The default
authlib.jose.jwtwould only work with JSON Web Signature algorithms, if you would like to use JWT with JWE algorithms, please pass the algorithms parameter:
jwt = JsonWebToken(['A128KW', 'A128GCM', 'DEF'])Security fixes for JOSE module
- CVE-2022-39175
- CVE-2022-39174
Contributors
Assets 2
Version 1.0.1
- Fix
authenticate_nonemethod, via #438. - Allow to pass in alternative signing algorithm to RFC7523 authentication methods via #447.
- Fix
missing_tokenfor Flask OAuth client, via #448. - Allow
openidin any place of the scope, via #449. - Security fix for validating essential value on blank value in JWT, via #445.
Version 1.0.0
We have dropped support for Python 2 in this release. We have removed
built-in SQLAlchemy integration.
OAuth Client Changes:
The whole framework client integrations have been restructured, if you are
using the client properly, e.g. oauth.register(...), it would work as
before.
OAuth Provider Changes:
In Flask OAuth 2.0 provider, we have removed the deprecated
OAUTH2_JWT_XXX configuration, instead, developers should define
.get_jwt_config on OpenID extensions and grant types.
SQLAlchemy integrations has been removed from Authlib. Developers
should define the database by themselves.
JOSE Changes
JWShas been renamed toJsonWebSignatureJWEhas been renamed toJsonWebEncryptionJWKhas been renamed toJsonWebKeyJWThas been renamed toJsonWebToken
The "Key" model has been re-designed, checkout the JSON Web Key for updates.
Added ES256K algorithm for JWS and JWT.
Breaking Changes: find how to solve the deprecate issues via https://git.io/JkY4f
Version 0.15.5
- Make Authlib compatible with latest httpx
- Make Authlib compatible with latest werkzeug
- Allow customize RFC7523
algvalue
Version 0.15.4
Security fix when JWT claims is None.
For example, JWT payload has iss=None:
{
"iss": None,
...
}
But we need to decode it with claims:
claims_options = {
'iss': {'essential': True, 'values': ['required']}
}
jwt.decode(token, key, claims_options=claims_options)
It didn't raise an error before this fix.