Authlib Versions Save

Bug fixes

• Restore AuthorizationServer.create_authorization_response behavior, via #558 by @TurnrDev
• Include leeway in validate_iat() for JWT, via #565 by @dhallam
• Fix encode_client_secret_basic, via #594 by @Prilkop
• Use single key in JWK if JWS does not specify kid, via #596 by @dklimpel
• Fix error when RFC9068 JWS has no scope field, via #598 by @tanguilp
• Get werkzeug version using importlib, via #591 by @Sparrow0hawk

Breaking changes

• RFC9068 implementation, via #586 by @azmeuk.

• Apply headers in ClientSecretJWT.sign method, via #552
• Allow falsy but non-None grant uri params, via #544
• Fixed authorize_redirect for Starlette v0.26.0, via #533
• Removed has_client_secret method and documentation, via #513
• Removed request_invalid and token_revoked remaining occurences and documentation. #514
• Fixed RFC7591 grant_types and response_types default values, via #509
• Add support for python 3.12, via #590

• Not passing request.body to ResourceProtector, #485.
• Use flask.g instead of _app_ctx_stack, #482.
• Add headers parameter back to ClientSecretJWT, #457.
• Always passing realm parameter in OAuth 1 clients, #339.
• Implemented RFC7592 Dynamic Client Registration Management Protocol, #505`
• Add default_timeout for requests OAuth2Session and AssertionSession.
• Deprecate jwk.loads and jwk.dumps

This release contains breaking changes and security fixes.

• Allow to pass claims_options to Framework OpenID Connect clients, via #446 by @Galaxy102
• Fix .stream with context for HTTPX OAuth clients, via #465 by @bjoernmeier
• Fix Starlette OAuth client for cache store, via #478 by @haggen

Breaking changes:

• Raise InvalidGrantError for invalid code, redirect_uri and no user errors in OAuth 2.0 server.
• The default authlib.jose.jwt would only work with JSON Web Signature algorithms, if you would like to use JWT with JWE algorithms, please pass the algorithms parameter:

jwt = JsonWebToken(['A128KW', 'A128GCM', 'DEF'])

Security fixes for JOSE module

• CVE-2022-39175
• CVE-2022-39174

• Fix authenticate_none method, via #438.
• Allow to pass in alternative signing algorithm to RFC7523 authentication methods via #447.
• Fix missing_token for Flask OAuth client, via #448.
• Allow openid in any place of the scope, via #449.
• Security fix for validating essential value on blank value in JWT, via #445.

We have dropped support for Python 2 in this release. We have removed built-in SQLAlchemy integration.

OAuth Client Changes:

The whole framework client integrations have been restructured, if you are using the client properly, e.g. oauth.register(...), it would work as before.

OAuth Provider Changes:

In Flask OAuth 2.0 provider, we have removed the deprecated OAUTH2_JWT_XXX configuration, instead, developers should define .get_jwt_config on OpenID extensions and grant types.

SQLAlchemy integrations has been removed from Authlib. Developers should define the database by themselves.

JOSE Changes

• JWS has been renamed to JsonWebSignature
• JWE has been renamed to JsonWebEncryption
• JWK has been renamed to JsonWebKey
• JWT has been renamed to JsonWebToken

The "Key" model has been re-designed, checkout the JSON Web Key for updates.

Added ES256K algorithm for JWS and JWT.

Breaking Changes: find how to solve the deprecate issues via https://git.io/JkY4f

• Make Authlib compatible with latest httpx
• Make Authlib compatible with latest werkzeug
• Allow customize RFC7523 alg value

Security fix when JWT claims is None.

For example, JWT payload has iss=None:

{
  "iss": None,
  ...
}

But we need to decode it with claims:

claims_options = {
  'iss': {'essential': True, 'values': ['required']}
}
jwt.decode(token, key, claims_options=claims_options)

It didn't raise an error before this fix.

Fixed .authorize_access_token for OAuth 1.0 services, via https://github.com/lepture/authlib/issues/308

Fixed httpx authentication bug via #283