All notable changes to this project will be documented in this file.
The format is based on the KeepAChangeLog project.
- #862 Fixed pydantic dependency
- #854 Improve OIDC Session Management support by using the `session_state` parameter from an Authentication Response (if available) as a key to store `Consumer` data.
- #847 Using pydantic for settings instead of custom class
- #851, #852 Add `authn_method` to `Consumer.complete`
- #857 Made oauth_example less broken
- #827 Added support for python 3.11
- #830, #831 Allow null and empty values in UserInfo responses, but filter them out.
- #832 Added support for mypy with --no_implicit_optional=True
- #820 Removed Client.grant_from_state method.
- #810 Drop python 3.6 support
- #812 Fixed parsing of zero content length responses
- #763 Drop python 3.5 support
- #790 Support for dict in Client.parse_response formats
- #739 Better error message for providers which return HTTP Error 405 on userinfo
- #723 Add settings class to handle settings related to Client and Server
- Fixed several client vulnerabilities (CVE-2020-26244)
- #727 OAuth client request using Client Credentials grant
- #719 Add support for JWT registration tokens
- #728 OAuth client request using Extension grant
- #731 Session cookie needs to be visible to the OP IFrame.
- #711 Deal with no post_logout_redirect_uri
- #712 Set Content-Type on BackChannel logout POST.
- #717 Missing OP logout metadata.
- #708 Wants the original non-parsed JWT and not an IDToken instance.
- #688 Second stage of adding logout support.
- #700 Third stage of adding logout support, provider side
- #602 Fixed uncaught error on unpacking of message
- #679 Make `state` optional in `EndSessionRequest`
- #683 Fix basic_auth with client password
- #698 `state` in `EndSessionRequest`: request args and kwargs differ
- #671 Removed deprecated request/response_cls kwargs from Provider/Client methods
- #677 Removed more deprecated code
- #669 Install as PEP561 compliant package
- #341 Using constant time comparison for password verification
- #598 Move alabaster from runtime dependencies to docs
- #398 Do not echo cookies that do not belong to us
- #607 Fixed key recovery on encryption of payload
- #618 Prettified the `client_management.py` CLI and wrapped it as a setup.py console script `oic-client-management`
- #615 Fix ROPC grant in the extensions provider
- #640 Use more secure random generator for client_secret
- #639 Make sure symmetric keys are available after server restart
- #146 Make SessionDB storage compatible with multi-session use
- #578 Dropped python 2.7 support
- #612 Dropped python 3.4 support
- #588 Switch to defusedxml for XML parsing
- #605 Message.c_param dictionary values have to be a ParamDefinition namedtuple type
- #56 Updated README, CLI help texts, pip requirements.txt and such for OP2, making it into a stand-alone example easy for beginners to take on
- #624 token_endpoint implementation and kwargs have been changed
- #629 Duplicated methods in oic.oic classes were removed.
- #642 Deprecated `bearer_auth` method.
- #631 Refactored message type handling in Client/Provider.
- #644 refresh_db kwarg in SessionDB has been deprecated
- #655 Host can be forced on webfinger discovery
- #441 CookieDealer now accepts secure and httponly params
- #638 Moved `providerinfo_endpoint` from `oic.extensions` to `oic.oauth2`
- #664 Messages needed for Single-Sign-Out Support
- #592 Do not append cookie header if there is nothing to append
- #591 Fix verification of encrypted id_token
- #601 Fix headers of encrypted id_token
- #553 Made sure a reload would not lead to duplicated keys in a keybundle.
- #557 Fixed PKCE verification
- #562 Fixed error response from oic request with invalid params
- #565 Fixed checking token_type in AuthorizationResponse
- #547 Fixed get_userinfo_claims method
- #268 Fixed SessionDB.revoke_token implementation
- #571 Return error when resolving request_uri fails
- #579 Fix error with unicode chars in redirect_uris
- #581 Fix error in verification of sector_identifier
- #542 Updated examples
- #587 Fix JWKS content type detection
- #582 Handling import of non-compliant JWKS
- #577 Check that issuer of a signed JWT exists in the KeyJar used to verify the signature.
- #566 Added timeout to communications to remote servers
- #590 Worked on support for RP initiated logout
- #534 Fixed a bug in client_secret_basic authentication
- #503 Fix error on UserInfo endpoint for removed clients
- #508 JWT now uses verify keys for JWT verification
- #502 IntrospectionEndpoint now returns False if it encounters any error as per specs
- #481 Loading AuthnEvent from session
- #492 Do not verify JWT signature on distributed claims
- #526 Cleaned up extra claims from UserInfo with distributed claims
- #528 Fix faulty redirect_uri with query
- #532 Fix userinfo endpoint without authn_event in session
- #528 Fix faulty redirect_uri with query
- #498 Clean up replaced tokens on refresh and add Client.clean_tokens to clean old and replaced tokens
- #494 Methods and functions deprecated in previous releases have been removed
- #507 Altered structure of client_db. It no longer stores the mapping of `registration_access_token` to `client_id`
- #481 AuthnEvent in session is now represented as JSON
- #496 Ability to specify additional supported scopes for oic.Provider
- #432 Ability to specify Initial Access Token for `Client.register`
- #515: Fix arguments to WSGI start_response
- #493 grant_types specification should follow the response_types specification in a client registration request.
- #469 Allow endpoints to have query parts
- #443 Ability to specify additional supported claims for oic.Provider
- #134 Added method kwarg to registration_endpoint that enables the client to read/modify registration
- #478 Added base class for Client databases: `oic.utils.clientdb.BaseClientDatabase`
- #334 Ability to specify custom template rendering function for form_post and verify_logout
- #134 `l_registration_enpoint` has been deprecated, use `create_registration` instead
- #457 pyldap is now an optional dependency. `oic.utils.authn.ldapc` and `oic.utils.userinfo.ldap_info` raise `ImportError` on import if `pyldap` is not present
- #471 `ca_certs` option has been removed, use `verify_ssl` instead
- #483 `oic.oauth2.util.verify_header` now raises `ValueError` instead of `AssertionError`.
- #491 `oic.utils.http_util.Response.status` is deprecated in favor of `status_code`
- #491 Some functions and kwargs in the `oic.oauth2` module are deprecated
- #334 Removed template_lookup and template kwargs from oic.Provider
- #430 Audience of a client assertion is endpoint dependent.
- #427 Made matching for response_types order independent for authorization requests
- #399 Matching response_types for authz requests is too strict
- #436 Fixed client.read_registration
- #446 Fixed provider.read_registration
- #449 Fixed creation of error_response on client registration
- #445 Fixed get_client_id
- #421 Fixed handling of unicode in sanitize function
- #145 Successful token endpoint responses have correct no-cache headers
- #352 Fixed broken Windows test for `test_provider_key_setup`.
- #475 `get_verify_key` returns inactive `sig` keys for verification
- #429 An expired token is not possible to use.
- #485 Skip import of improperly defined keys
- #370 Use oic.oic.Provider.endp instead of dynamic provider.endpoints in examples
- #486 SystemRandom is not imported correctly, so various secrets get initialized with bad randomness
- #405: Fix generation of endpoint urls
- #411: Empty lists not indexable
- #413: Fix error when wrong response_mode requested
- #418: Made phone_number_claim be boolean and fixed a bug when importing JSON (non-boolean where boolean expected)
- #318: `oic.utils.authn.saml` raises `ImportError` on import if the optional `saml2` dependency is not present.
- #324: Make the Provider `symkey` argument optional.
- #325: `oic.oic.claims_match` implementation refactored.
- #368: `oic.oauth2.Client.construct_AccessTokenRequest()` as well as `oic.oic.Client` are now able to perform a proper Resource Owner Password Credentials Grant
- #374: Made the to_jwe/from_jwe methods of Message accept a list of keys as the value of the `keys` parameter.
- #387: Refactored the `oic.utils.sdb.SessionDB` constructor API.
- #380: Made cookie_path and cookie_domain configurable via Provider, like cookie_name.
- #386: An exception will now be thrown if a sub claim received from the userinfo endpoint is not the same as a sub claim previously received in an ID Token.
- #392: Made sid creation simpler and faster
- #317: Resolved an `AttributeError` exception under Python 2.
- #313: Catch exception correctly
- #319: Fix sanitize on strings starting with "B" or "U"
- #330: Fix client_management user input being eval'd under Python 2
- #358: Fixed claims_match
- #362: Fix bad package settings URL
- #369: The AuthnEvent object is now serialized to JSON for the session.
- #373: Made the standard way the default when dealing with signed JWTs without 'kid'. Added the possibility to override this behavior if necessary.
- #401: Fixed message decoding and verifying errors.
- #349: Changed the crypto algorithm used by `oic.utils.sdb.Crypt` for token encryption to Fernet. Old stored tokens are incompatible.
- #363: Fixed IV reuse in the CookieDealer class. Replaced the encrypt-then-MAC construction with a proper AEAD (AES-SIV).
- #291: Testing more relevant Python versions.
- #296: `parse_qs` import moved from `future.backports` to `future.moves`.
- #188: Added `future` dependency, updated dependencies
- #305: Some imports were removed from `oic.oauth2` and `oic.oic.provider`; please import them from the respective modules (`oic.oauth2.message` and `oic.exception`).
- #294: Generating code indices in documentation.
- #295: Access token issuance and typo/exception handling.
- #273: Allow webfinger to accept `kwargs`.
- #286: Account for missing code in the SessionDB.
No change log folks. Sorry.
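Several of the entries above touch the same code path in an OAuth token endpoint: client secrets must come from a CSPRNG (#640, #486), `client_secret_basic` credentials have to be form-encoded before base64 so secrets with special characters survive (#534, #683), and the secret check has to use a constant-time comparison (#341). The following is an added example written for this page, not pyoidc's own code; `CLIENT_DB`, `register_client`, `parse_basic_auth` and `authenticate_client` are hypothetical names, and the client store is an in-memory dict constructed for the demonstration.

```python
"""Added example (not pyoidc code): client_secret_basic handling at a token endpoint.

Covers three changelog themes together: secrets drawn from the `secrets`
module rather than random.random (#640, #486), client_secret_basic parsing
with form-urlencoding of id and secret before base64 (RFC 6749 section 2.3.1;
cf. #534, #683), and constant-time comparison of the presented secret (#341).
"""
from __future__ import annotations

import base64
import binascii
import hmac
import secrets
from urllib.parse import quote, unquote

# Hypothetical in-memory client registry: client_id -> client_secret.
CLIENT_DB: dict[str, str] = {}

# Length of the dummy value compared on a client_id miss (see authenticate_client).
_DUMMY_SECRET = b"\x00" * 43


def new_client_secret(nbytes: int = 32) -> str:
    """Generate a client_secret from the OS CSPRNG; never from random.random."""
    return secrets.token_urlsafe(nbytes)


def register_client(client_id: str) -> str:
    """Register a client with a fresh secret and return the secret."""
    secret = new_client_secret()
    CLIENT_DB[client_id] = secret
    return secret


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build a client_secret_basic Authorization header.

    RFC 6749 2.3.1: both values are form-urlencoded before being joined with
    ':' and base64-encoded, so a secret containing ':' or '%' round-trips.
    """
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode("ascii")).decode("ascii")


def parse_basic_auth(header: str) -> tuple[str, str] | None:
    """Return (client_id, client_secret), or None if the header is malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    client_id, sep, client_secret = decoded.partition(":")
    if not sep or not client_id:
        return None
    return unquote(client_id), unquote(client_secret)


def authenticate_client(header: str) -> str | None:
    """Return the authenticated client_id, or None on any failure.

    hmac.compare_digest runs in time independent of how many leading bytes
    match, so a wrong secret cannot be guessed byte by byte.  On an unknown
    client_id a comparison against a dummy value is still performed so that
    the miss is not distinguishable from a wrong secret by timing alone.
    """
    parsed = parse_basic_auth(header)
    if parsed is None:
        return None
    client_id, presented = parsed
    expected = CLIENT_DB.get(client_id)
    if expected is None:
        hmac.compare_digest(presented.encode("utf-8"), _DUMMY_SECRET)
        return None
    if hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8")):
        return client_id
    return None


if __name__ == "__main__":
    cid = "client:with%special"          # constructed sample id with awkward characters
    sec = register_client(cid)
    assert authenticate_client(basic_auth_header(cid, sec)) == cid
    assert authenticate_client(basic_auth_header(cid, "wrong")) is None
    print("ok")
```

The form-encoding step is the part most implementations skip: without it a `client_id` or secret containing `:` splits in the wrong place, which is the class of bug behind the client_secret_basic fixes listed above. The dummy comparison on a missing client is cheap and keeps the failure paths uniform.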