CHANGELOG.md

File metadata and controls

488 lines (389 loc) · 19.2 KB

Change Log

All notable changes to this project will be documented in this file.

The format is based on the KeepAChangeLog project.

Unreleased

1.6.1 [2023-07-13]

  • #862 Fixed pydantic dependency

1.6.0 [2023-05-15]

  • #854 Improve OIDC Session Management support by using the session_state parameter from an Authentication Response (if available) as a key to store Consumer data.

Changed

  • #847 Using pydantic for settings instead of custom class
  • #851, #852 Add authn_method to Consumer.complete

Fixed

  • #857 Made oauth_example less broken

1.5.0 [2022-12-14]

Changed

  • #827 Added support for python 3.11
  • #830, #831 Allow null and empty values in UserInfo responses, but filter them out.
  • #832 Added support for mypy with --no_implicit_optional=True

Fixed

  • #826, #829 Fixed RP-Initiated Logout To Accept id_token_hint

Removed

  • #820 Removed Client.grant_from_state method.

1.4.0 [2022-05-23]

Changed

  • #810 Drop python 3.6 support

Fixed

  • #812 Fixed parsing of zero content length responses

1.3.0 [2021-07-09]

Changed

  • #763 Drop python 3.5 support

Added

  • #790 Support for dict in Client.parse_response formats
  • #739 Better error message for providers which return HTTP Error 405 on userinfo
  • #723 Add settings class to handle settings related to Client and Server

1.2.1 [2020-12-01]

Fixed

  • Fixed several client vulnerabilities (CVE-2020-26244)

1.2.0 [2020-02-05]

Fixed

  • #727 OAuth client request using Client Credentials grant

Added

  • #719 Add support for JWT registration tokens
  • #728 OAuth client request using Extension grant
  • #731 Session cookie needs to be visible to OP IFrame.

1.1.2 [2019-11-23]

Fixed

  • #711 Deal with no post_logout_redirect_uri
  • #712 Set Content-Type on BackChannel logout POST.
  • #717 Missing OP logout metadata.

1.1.1 [2019-11-04]

Fixed

  • #708 Wants the original non-parsed JWT and not an IDToken instance.

1.1.0 [2019-10-25]

Changed

  • #688 Second stage of adding logout support.
  • #700 Third stage of adding logout support, provider side

Fixed

  • #602 Fixed uncaught error on unpacking of message
  • #679 Make state optional in EndSessionRequest
  • #683 Fix basic_auth with client password
  • #698 state in EndSessionRequest request args and kwargs different

Removed

  • #671 Removed deprecated request/response_cls kwargs from Provider/Client methods
  • #677 Removed more deprecated code

1.0.1 [2019-06-30]

Fixed

  • #669 Install as PEP561 compliant package

1.0.0 [2019-06-19]

Fixed

  • #341 Using constant time comparison for password verification
  • #598 Move alabaster from runtime dependencies to docs
  • #398 Do not echo cookies that do not belong to us
  • #607 Fixed key recovery on encryption of payload
  • #618 Prettified client_management.py CLI and wrapped it as a setup.py console script oic-client-management
  • #615 Fix ROPC grant in the extensions provider
  • #640 Use more secure random generator for client_secret
  • #639 Make sure symmetric keys are available after server restart
  • #146 Make SessionDB storage conductive with multi-session
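The two fixes #341 (constant-time comparison for password verification) and #640 (a secure random generator for client_secret) are easy to get wrong in any OAuth/OIDC provider, so here is an added example showing what the corrected behaviour looks like in plain Python. This is illustrative code written for this changelog entry, not pyoidc's own implementation; the salted PBKDF2 storage format, the iteration count and the function names are assumptions.

```python
"""Added example (not pyoidc code): constant-time password verification and a
CSPRNG-backed client_secret generator.  Storage format and names are assumed."""
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this example


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256; a fresh 16-byte salt is
    drawn from the OS CSPRNG when none is supplied."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password_naive(password: str, salt: bytes, stored: bytes) -> bool:
    """The pattern #341 replaced.  `==` on bytes returns as soon as a byte
    differs, so the time taken depends on how long a prefix the candidate
    digest shares with the stored one.  Kept here only for contrast."""
    _, digest = hash_password(password, salt)
    return digest == stored


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time verification: hmac.compare_digest always walks the full
    length of both inputs, so timing does not reveal where they diverge."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)


def new_client_secret(nbytes: int = 32) -> str:
    """client_secret from the `secrets` module, i.e. os.urandom underneath
    (#640's point: the `random` module is a deterministic PRNG and must not
    be used for credentials).  32 bytes gives a 43-character URL-safe token."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")
    print("verify ok :", verify_password("correct horse battery staple", salt, digest))
    print("verify bad:", verify_password("wrong", salt, digest))
    print("client_secret:", new_client_secret())
```

`hmac.compare_digest` requires both arguments to be the same type (bytes with bytes, or ASCII str with str); comparing a fixed-length digest rather than the raw password also keeps the comparison length independent of user input.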

Changed

  • #578 Dropped python 2.7 support
  • #612 Dropped python 3.4 support
  • #588 Switch to defusedxml for XML parsing
  • #605 Message.c_param dictionary values have to be a ParamDefinition namedtuple type
  • #56 Updated README, CLI help texts, pip requirements.txt and such for OP2, making it into a stand-alone example easy for beginners to take on
  • #624 token_endpoint implementation and kwargs have been changed
  • #629 Duplicated methods in oic.oic classes were removed.
  • #642 Deprecated bearer_auth method.
  • #631 Refactored message type handling in Client/Provider.
  • #644 refresh_db kwarg in SessionDB has been deprecated

Added

  • #655 Host can be forced on webfinger discovery
  • #441 CookieDealer now accepts secure and httponly params
  • #638 Moved providerinfo_endpoint from oic.extensions to oic.oauth2
  • #664 Messages needed for Single-Sign-Out Support

0.15.1 [2019-01-31]

Fixed

  • #592 Do not append cookie header if there is nothing to append
  • #591 Fix verification of encrypted id_token
  • #601 Fix headers of encrypted id_token

0.15.0 [2019-01-17]

Fixed

  • #553 Made sure a reload would not lead to duplicated keys in a keybundle.
  • #557 Fixed PKCE verification
  • #562 Fixed error response from oic request with invalid params
  • #565 Fixed checking token_type in AuthorizationResponse
  • #547 Fixed get_userinfo_claims method
  • #268 Fixed SessionDB.revoke_token implementation
  • #571 Return error when resolving request_uri fails
  • #579 Fix error with unicode chars in redirect_uris
  • #581 Fix error in verification of sector_identifier
  • #542 Updated examples
  • #587 Fix JWKS content type detection
  • #582 Handling import of non-compliant JWKS

Added

  • #577 Check that issuer of a signed JWT exists in the KeyJar used to verify the signature.
  • #566 Added timeout to communications to remote servers
  • #590 Worked on support for RP initiated logout

0.14.0 [2018-05-15]

Fixed

  • #534 Fixed a bug in client_secret_basic authentication
  • #503 Fix error on UserInfo endpoint for removed clients
  • #508 JWT now uses verify keys for JWT verification
  • #502 IntrospectionEndpoint now returns False if it encounters any error as per specs
  • #481 Loading AuthnEvent from session
  • #492 Do not verify JWT signature on distributed claims
  • #526 Cleaned up extra claims from UserInfo with distributed claims
  • #528 Fix faulty redirect_uri with query
  • #532 Fix userinfo endpoint without authn_event in session
  • #498 Clean up replaced tokens on refresh and add Client.clean_tokens to clean old and replaced tokens

Removed

  • #494 Methods and functions deprecated in previous releases have been removed

Changed

  • #507 Altered structure of client_db. It no longer stores mapping of registration_access_token to client_id
  • #481 AuthnEvent in session is now represented as JSON

Added

  • #496 Ability to specify additional supported scopes for oic.Provider
  • #432 Ability to specify Initial Access Token for Client.register

0.13.1 [2018-04-06]

Fixed

  • #515: Fix arguments to WSGI start_response

0.13.0 [2018-02-19]

Added

  • #493 grant_types specification should follow the response_types specification in a client registration request.
  • #469 Allow endpoints to have query parts
  • #443 Ability to specify additional supported claims for oic.Provider
  • #134 Added method kwarg to registration_endpoint that enables the client to read/modify registration
  • #478 Added base-class for Client databases oic.utils.clientdb.BaseClientDatabase
  • #334 Ability to specify custom template rendering function for form_post and verify_logout

Changed

  • #134 l_registration_endpoint has been deprecated, use create_registration instead
  • #457 pyldap is now an optional dependency. oic.utils.authn.ldapc and oic.utils.userinfo.ldap_info raise ImportError on import if pyldap is not present
  • #471 ca_certs option has been removed, use verify_ssl instead
  • #483 oic.oauth2.util.verify_header now raises ValueError instead of AssertionError.
  • #491 oic.utils.http_util.Response.status is deprecated in favor of status_code
  • #491 Some functions and kwargs in oic.oauth2 module are deprecated

Removed

  • #334 Removed template_lookup and template kwargs from oic.Provider

Fixed

  • #430 Audience of a client assertion is endpoint dependent.
  • #427 Made matching for response_types order independent for authorization requests
  • #399 Matching response_types for authz requests is too strict
  • #436 Fixed client.read_registration
  • #446 Fixed provider.read_registration
  • #449 Fixed creation of error_response on client registration
  • #445 Fixed get_client_id
  • #421 Fixed handling of unicode in sanitize function
  • #145 Successful token endpoint responses have correct no-cache headers
  • #352 Fixed broken windows test for test_provider_key_setup.
  • #475 get_verify_key returns inactive sig keys for verification
  • #429 An expired token is not possible to use.
  • #485 Skip import of improperly defined keys
  • #370 Use oic.oic.Provider.endp instead of dynamic provider.endpoints in examples

Security

  • #486 SystemRandom is not imported correctly, so various secrets get initialized with bad randomness

0.12.0 [2017-09-25]

Fixed

  • #419: Inconsistent release numbers/tags
  • #420: Distributed claims

0.11.1.0 [2017-08-26]

Fixed

  • #405: Fix generation of endpoint urls
  • #411: Empty lists not indexable
  • #413: Fix error when wrong response_mode requested
  • #418: Made phone_number_claim be boolean and fixed a bug when importing JSON (non-boolean where boolean expected)

0.11.0.0 [2017-07-07]

Changed

  • #318: oic.utils.authn.saml raises ImportError on import if optional saml2 dependency is not present.
  • #324: Make the Provider symkey argument optional.
  • #325: oic.oic.claims_match implementation refactored.
  • #368: oic.oauth2.Client.construct_AccessTokenRequest() as well as oic.oic.Client are now able to perform proper Resource Owner Password Credentials Grant
  • #374: Made the to_jwe/from_jwe methods of Message accept list of keys value of parameter keys.
  • #387: Refactored the oic.utils.sdb.SessionDB constructor API.
  • #380: Made cookie_path and cookie_domain configurable via Provider like the cookie_name.
  • #386: An exception will now be thrown if a sub claim received from the userinfo endpoint is not the same as a sub claim previously received in an ID Token.
  • #392: Made sid creation simpler and faster
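Entry #386 above is the check OpenID Connect Core requires of a Relying Party: the sub in a UserInfo response must exactly match the sub in the ID Token, otherwise the UserInfo values must not be used. The following is an added example of that check, not pyoidc's implementation; the SubMismatch exception name, the dict-based interface and the sample values are assumptions. It also goes beyond #386 by dropping null and empty claim values instead of rejecting the response, which is the behaviour 1.5.0's #830/#831 describe.

```python
"""Added example (not pyoidc code): validate a UserInfo response against the
ID Token's sub and drop null/empty claims.  Names and sample data are assumed."""
import json
from typing import Any, Dict


class SubMismatch(ValueError):
    """Raised when the UserInfo sub is missing or differs from the ID Token sub."""


def check_userinfo(userinfo: Dict[str, Any], id_token_sub: str) -> Dict[str, Any]:
    """Return the usable claims from a UserInfo response.

    OpenID Connect Core 5.3.2: the sub in the UserInfo response MUST match the
    sub in the ID Token; on mismatch the response values MUST NOT be used.
    Claims whose value is null or the empty string are filtered out rather
    than treated as an error.
    """
    sub = userinfo.get("sub")
    if not isinstance(sub, str) or not sub:
        raise SubMismatch("UserInfo response carries no sub claim")
    if sub != id_token_sub:
        raise SubMismatch(
            f"UserInfo sub {sub!r} does not match ID Token sub {id_token_sub!r}"
        )
    return {k: v for k, v in userinfo.items() if v is not None and v != ""}


def parse_userinfo_json(body: str, id_token_sub: str) -> Dict[str, Any]:
    """Decode an application/json UserInfo body and run check_userinfo on it.
    A non-object body is rejected before the sub comparison."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise SubMismatch("UserInfo body is not a JSON object")
    return check_userinfo(data, id_token_sub)


if __name__ == "__main__":
    # Constructed sample response; the sub value is the one used in the OIDC spec examples.
    sample = '{"sub": "248289761001", "name": "Jane Doe", "email": null, "phone_number": ""}'
    print(parse_userinfo_json(sample, "248289761001"))
    try:
        parse_userinfo_json(sample, "someone-else")
    except SubMismatch as exc:
        print("rejected:", exc)
```

Keeping the comparison on the already-verified ID Token's sub (rather than, say, a sub stored from an earlier session) is what ties the UserInfo data to the authentication that just happened.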

Fixed

  • #317: Resolved an AttributeError exception under Python 2.
  • #313: Catch exception correctly
  • #319: Fix sanitize on strings starting with "B" or "U"
  • #330: Fix client_management user input being eval'd under Python 2
  • #358: Fixed claims_match
  • #362: Fix bad package settings URL
  • #369: The AuthnEvent object is now serialized to JSON for the session.
  • #373: Made the standard way the default when dealing with signed JWTs without 'kid'. Added the possibility to override this behavior if necessary.
  • #401: Fixed message decoding and verifying errors.

Security

  • #349: Changed crypto algorithm used by oic.utils.sdb.Crypt for token encryption to Fernet. Old stored tokens are incompatible.
  • #363: Fixed IV reuse for CookieDealer class. Replaced the encrypt-then-mac construction with a proper AEAD (AES-SIV).

0.10.0.0 [2017-03-28]

Changed

  • #291: Testing more relevant Python versions.
  • #296: parse_qs import from future.backports to future.moves.
  • #188: Added future dependency, updated dependencies
  • #305: Some imports were removed from oic.oauth2 and oic.oic.provider, please import them from the respective modules (oic.oauth2.message and oic.exception).

Removed

  • #294: Generating code indices in documentation.

Fixed

  • #295: Access token issuance and typo/exception handling.

0.9.5.0 [2017-03-22]

Added

  • #276: Use a Change log for change history.
  • #277: Use pip-tools for dependency management.

Removed

Changed

  • #273: Allow webfinger accept kwargs.

Fixed

  • #286: Account for missing code in the SessionDB.

0.9.4.0 [2016-12-22]

No change log folks. Sorry.