The ultimate Python library for building OAuth and OpenID Connect clients and servers. JWS, JWE, JWK, JWA and JWT included.
Bug fixes
Breaking changes
- Apply headers in the ClientSecretJWT.sign method, via #552
- Fixed authorize_redirect for Starlette v0.26.0, via #533
- Removed the has_client_secret method and its documentation, via #513
- Fixed the remaining occurrences of request_invalid and token_revoked and their documentation, via #514
- Fixed grant_types and response_types default values, via #509
- Not passing request.body to ResourceProtector, #485
- Use flask.g instead of the removed _app_ctx_stack, #482
- Add the headers parameter back to ClientSecretJWT, #457
- Always pass the realm parameter in OAuth 1 clients, #339
- Add default_timeout for the requests OAuth2Session and AssertionSession
- Deprecate jwk.loads and jwk.dumps (use JsonWebKey.import_key instead)
This release contains breaking changes and security fixes.

- Add claims_options to the framework OpenID Connect clients, via #446 by @Galaxy102
- Fix .stream with context for HTTPX OAuth clients, via #465 by @bjoernmeier

Breaking changes:

- Raise InvalidGrantError for invalid code, invalid redirect_uri and "no user" errors in the OAuth 2.0 server.
- The default authlib.jose.jwt instance only works with JSON Web Signature algorithms. If you want to use JWT with JWE algorithms, construct your own JsonWebToken and pass the algorithms parameter:

    jwt = JsonWebToken(['A128KW', 'A128GCM', 'DEF'])

  The list is an allow-list: every algorithm on it becomes acceptable to decode(), so register only the algorithms your tokens actually use.
Security fixes for JOSE module
- Fix the authenticate_none method, via #438
- Fix missing_token for the Flask OAuth client, via #448
- Allow openid in any position of the scope, via #449

We have dropped support for Python 2 in this release. We have removed the built-in SQLAlchemy integration.
OAuth Client Changes:
The framework client integrations have been restructured. If you are using the client as documented, e.g. oauth.register(...), it works as before.
OAuth Provider Changes:
In the Flask OAuth 2.0 provider, the deprecated OAUTH2_JWT_XXX configuration has been removed. Instead, developers should define .get_jwt_config on the OpenID extensions and grant types.
The SQLAlchemy integration has been removed from Authlib. Developers should define the database models themselves.
JOSE Changes:
- JWS has been renamed to JsonWebSignature
- JWE has been renamed to JsonWebEncryption
- JWK has been renamed to JsonWebKey
- JWT has been renamed to JsonWebToken
- The "Key" model has been redesigned; check the JSON Web Key documentation for the changes.
- Added the ES256K algorithm for JWS and JWT.
Breaking Changes: see https://git.io/JkY4f for how to resolve the deprecation warnings.
- Allow customizing the RFC7523 alg value.

Security fix when a JWT claim is None.

For example, the JWT payload carries iss with a null value:

    {
        "iss": None,
        ...
    }

and the token is decoded with claims options that mark iss as essential:

    claims_options = {
        'iss': {'essential': True, 'values': ['required']}
    }
    jwt.decode(token, key, claims_options=claims_options)

Before this fix the claim counted as present because the key existed, so decode() completed without raising even though the value was null and could not match the allowed values. A claim whose value is None is now treated as missing.
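The two JWT changes above, the JWE algorithm allow-list and the null-claim fix, are easier to reason about in a decoder small enough to read in one sitting. The following is an added example written for this page, not Authlib's code: a stdlib-only HS256 verifier shaped like JsonWebToken(algorithms).decode(token, key, claims_options=...) that (1) rejects any token whose header alg is outside the allow-list, including a JWE-shaped token when no JWE algorithms are configured, and (2) treats an essential claim whose value is null as missing. The key, the issuer URL and the four tokens are constructed sample data; the MiniJsonWebToken class and its error types are names chosen for this example.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def json_segment(obj) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


class InvalidAlgorithmError(ValueError): pass
class BadSignatureError(ValueError): pass
class MissingClaimError(ValueError): pass
class InvalidClaimError(ValueError): pass


def validate_claims(claims, claims_options):
    """Enforce the 'essential', 'value' and 'values' options; a null claim counts as absent."""
    for name, option in (claims_options or {}).items():
        value = claims.get(name)
        if value is None:
            # The 0.15.4 point: {"iss": null} must fail an essential check, not skip it.
            if option.get("essential"):
                raise MissingClaimError(f"essential claim {name!r} is missing or null")
            continue
        if "value" in option and value != option["value"]:
            raise InvalidClaimError(f"claim {name!r} has an unexpected value")
        if "values" in option and value not in option["values"]:
            raise InvalidClaimError(f"claim {name!r} is not in the allowed values")


class MiniJsonWebToken:
    """Stand-in for JsonWebToken(algorithms); HS256 is the only algorithm implemented here."""

    def __init__(self, algorithms):
        self.algorithms = set(algorithms)

    def encode(self, header, payload, key):
        if header.get("alg") != "HS256":
            raise InvalidAlgorithmError("this example can only sign with HS256")
        signing_input = json_segment(header) + "." + json_segment(payload)
        sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
        return signing_input + "." + b64url_encode(sig)

    def decode(self, token, key, claims_options=None):
        parts = token.split(".")
        header = json.loads(b64url_decode(parts[0]))
        # The 1.1.0 point: the allow-list is applied to the header before any cryptography.
        # A JWE compact token (five segments, 'enc' in the header) is refused because no
        # JWE algorithms such as A128KW/A128GCM/DEF were configured on this decoder.
        if "enc" in header:
            raise InvalidAlgorithmError("JWE token, but no JWE algorithms are configured")
        alg = header.get("alg")
        if alg not in self.algorithms:
            raise InvalidAlgorithmError(f"alg {alg!r} is not in the allow-list")
        if alg != "HS256" or len(parts) != 3:
            raise InvalidAlgorithmError("this example can only verify HS256 compact JWS")
        signing_input = (parts[0] + "." + parts[1]).encode("ascii")
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(parts[2])):
            raise BadSignatureError("signature mismatch")
        claims = json.loads(b64url_decode(parts[1]))
        validate_claims(claims, claims_options)
        return claims


# Constructed sample data (not from the page): demo key, hypothetical issuer, four tokens.
KEY = b"constructed-demo-key-do-not-reuse"
ISSUER = "https://issuer.example"
CLAIMS_OPTIONS = {"iss": {"essential": True, "values": [ISSUER]}}
_signer = MiniJsonWebToken(["HS256"])
TOKEN_OK = _signer.encode({"alg": "HS256", "typ": "JWT"}, {"iss": ISSUER, "sub": "alice"}, KEY)
# The changelog's case: "iss" is present in the payload but null.
TOKEN_NULL_ISS = _signer.encode({"alg": "HS256", "typ": "JWT"}, {"iss": None, "sub": "alice"}, KEY)
# Forged alg=none token with an empty signature segment.
TOKEN_ALG_NONE = json_segment({"alg": "none"}) + "." + json_segment({"iss": ISSUER, "sub": "mallory"}) + "."
# Header of a JWE compact token; the other four segments are dummies, they are never reached.
TOKEN_JWE_SHAPED = json_segment({"alg": "A128KW", "enc": "A128GCM"}) + ".x.x.x.x"


def outcome(token, algorithms=("HS256",), key=KEY):
    """Name of the error a decoder with this allow-list raises for the token, or 'ok'."""
    try:
        MiniJsonWebToken(algorithms).decode(token, key, claims_options=CLAIMS_OPTIONS)
        return "ok"
    except ValueError as exc:
        return type(exc).__name__


if __name__ == "__main__":
    for name in ("TOKEN_OK", "TOKEN_NULL_ISS", "TOKEN_ALG_NONE", "TOKEN_JWE_SHAPED"):
        print(f"{name}: {outcome(globals()[name])}")
```

Run it directly to see the four verdicts; TOKEN_NULL_ISS is the case the changelog describes and is the only one that fails on claims rather than on the algorithm check.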
- Fixed .authorize_access_token for OAuth 1.0 services, via https://github.com/lepture/authlib/issues/308
- Fixed an httpx authentication bug, via #283