Oauthlib Versions Save

A generic, spec-compliant, thorough implementation of the OAuth request-signing logic

v3.2.2

1 year ago

OAuth2.0 Provider:

  • CVE-2022-36087

v3.2.1

1 year ago

In short

OAuth2.0 Provider:

  • #803: Metadata endpoint support of non-HTTPS

OAuth1.0:

  • #818: Allow IPv6 addresses to be parsed by the signature code

General:

  • Improved and fixed documentation warnings.
  • Cosmetic changes based on isort

Full Changelog: https://github.com/oauthlib/oauthlib/compare/v3.2.0...v3.2.1

v3.2.0

2 years ago

Changelog

OAuth2.0 Client:

  • #795: Add Device Authorization Flow for Web Application
  • #786: Add PKCE support for Client
  • #783: Fallback to none in case of wrong expires_at format.

OAuth2.0 Provider:

  • #790: Add support for CORS to metadata endpoint.
  • #791: Add support for CORS to token endpoint.
  • #787: Remove comma after Bearer in WWW-Authenticate

OAuth2.0 Provider - OIDC:

  • #755: Call save_token in Hybrid code flow
  • #751: OIDC add support of refreshing ID Tokens with refresh_id_token
  • #751: The RefreshTokenGrant modifiers now take the same arguments as the AuthorizationCodeGrant modifiers (token, token_handler, request).

General:

  • Added Python 3.9, 3.10, 3.11
  • Improve Travis & Coverage

Full Changelog: https://github.com/oauthlib/oauthlib/compare/v3.1.1...v3.2.0

v3.1.1

2 years ago

OAuth2.0 Provider - Bugfixes

  • #753: Fix acceptance of valid IPv6 addresses in URI validation

OAuth2.0 Client - Bugfixes

  • #730: The base OAuth2 Client now manages scope consistently: it uses the scope given in the constructor, unless a scope is passed to a method call, in which case that value is used for that call only. In particular, passing a non-None scope to prepare_authorization_request or prepare_refresh_token no longer permanently overrides self.scope; it is only used for that call.
  • #726: MobileApplicationClient.prepare_request_uri and MobileApplicationClient.parse_request_uri_response, ServiceApplicationClient.prepare_request_body, and WebApplicationClient.prepare_request_uri now correctly use the default scope provided in constructor.
  • #725: LegacyApplicationClient.prepare_request_body now correctly uses the default scope provided in constructor

OAuth2.0 Provider - Bugfixes

  • #711: client_credentials grant: fix log message
  • #746: OpenID Connect Hybrid - fix nonce not passed to add_id_token
  • #756: Different prompt values are now handled according to spec (e.g. prompt=none)
  • #759: OpenID Connect - fix Authorization: Basic parsing

General

  • #716: improved skeleton validator for public vs private client
  • #720: replace mock library with standard unittest.mock
  • #727: build isort integration
  • #734: python2 code removal
  • #735, #750: add python3.8 support
  • #749: bump minimum versions of pyjwt and cryptography

v3.1.0

4 years ago

3.1.0 is a feature release including improvements to OIDC and security enhancements. Check it out!

OAuth2.0 Provider - Features

  • #660: OIDC add support of nonce, c_hash, at_hash fields
    • New RequestValidator.fill_id_token method
    • Deprecated RequestValidator.get_id_token method
  • #677: OIDC add UserInfo endpoint
    • New RequestValidator.get_userinfo_claims method

OAuth2.0 Provider - Security

  • #665: Reduce data leakage into logs
    • New default to not expose request content in logs
    • New function oauthlib.set_debug(True)
  • #666: Disabling query parameters for POST requests

OAuth2.0 Provider - Bugfixes

  • #670: Fix validate_authorization_request to return the new PKCE fields
  • #674: Fix token_type to be case-insensitive (bearer and Bearer)

OAuth2.0 Client - Bugfixes

  • #290: Fix Authorization Code's errors processing
  • #603: BackendApplicationClient.prepare_request_body uses the "scope" argument as intended.
  • #672: Fix edge case when expires_in=Null

OAuth1.0 Client

  • #669: Add case-insensitive headers to oauth1 BaseEndpoint

v3.0.2

4 years ago

Bug fix release

  • #650: OAuth1: Fixed space encoding in base string URI used in the signature base string.
  • #654: OAuth2: Doc: The value state must not be stored by the AS, only returned in /authorize response.
  • #652: OIDC: Fixed /token response which wrongly returned "&state=None"
  • #656: OIDC: Fixed "nonce" checks: raise errors when it's mandatory

v3.0.1

5 years ago

Fix regression introduced in 3.0.0

  • #644 Fixed Revocation & Introspection Endpoints when using Client Authentication with HTTP Basic Auth.

v3.0.0

5 years ago

This is a major release containing API Breaking changes, and new major features. See the full list below:

OAuth2.0 Provider - outstanding Features

  • OpenID Connect Core support
  • RFC7662 Introspect support
  • RFC8414 OAuth2.0 Authorization Server Metadata support (#605)
  • RFC7636 PKCE support (#617 #624)
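
The PKCE items above (RFC7636 provider support here, and #786 client-side PKCE in v3.2.0) both concern the RFC 7636 code_verifier / code_challenge pair. The following is an added stand-alone example, not oauthlib's own code: it shows the client-side derivation of the challenge and the provider-side check at the token endpoint, using only the standard library. Function names are chosen for this example; the test vector is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: unreserved characters, 43 to 128 of them.
_VERIFIER_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def create_code_verifier(length: int = 64) -> str:
    """Client side: generate a high-entropy code_verifier."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier length must be between 43 and 128")
    return "".join(secrets.choice(_VERIFIER_ALPHABET) for _ in range(length))


def create_code_challenge(code_verifier: str, method: str = "S256") -> str:
    """Client side: derive the code_challenge sent with the authorization request.

    S256 is BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding
    (RFC 7636 section 4.2). 'plain' exists only for clients that cannot hash
    and offers no protection against an attacker who sees the authorization
    request.
    """
    if method == "plain":
        return code_verifier
    if method == "S256":
        digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    raise ValueError(f"unsupported code_challenge_method: {method}")


def authorization_request_params(client_id: str, redirect_uri: str,
                                 code_verifier: str) -> dict:
    """Client side: parameters a PKCE client adds to the /authorize request.

    The verifier itself is kept secret by the client until the token request.
    """
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": create_code_challenge(code_verifier, "S256"),
        "code_challenge_method": "S256",
    }


def verify_code_verifier(code_verifier: str, stored_challenge: str,
                         method: str) -> bool:
    """Provider side: token-endpoint check (RFC 7636 section 4.6).

    The provider stored (challenge, method) with the authorization code at
    /authorize time and recomputes the challenge from the verifier presented
    at /token. Length and charset are validated before hashing, and the
    comparison is constant-time.
    """
    if not _VERIFIER_RE.match(code_verifier):
        return False
    if method not in ("plain", "S256"):
        return False
    expected = create_code_challenge(code_verifier, method)
    return hmac.compare_digest(expected, stored_challenge)


def pkce_round_trip() -> bool:
    """Full client/provider exchange with a freshly generated verifier."""
    verifier = create_code_verifier()
    params = authorization_request_params("client-id", "https://app.example/cb",
                                          verifier)
    # Provider stores these alongside the issued authorization code.
    stored = (params["code_challenge"], params["code_challenge_method"])
    return verify_code_verifier(verifier, *stored)


if __name__ == "__main__":
    print("round trip ok:", pkce_round_trip())
```

The provider-side check deliberately rejects malformed verifiers before hashing rather than relying on the hash mismatch alone, and compares with hmac.compare_digest so that a failed check does not leak timing information about the stored challenge.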

OAuth2.0 Provider - API/Breaking Changes

  • Add "request" to confirm_redirect_uri #504
  • confirm_redirect_uri/get_default_redirect_uri have changed slightly #445
  • invalid_client is now a FatalError #606
  • Changed error status codes from 401 to 400:
    • invalid_grant: #264
    • invalid_scope: #620
    • access_denied/unauthorized_client/consent_required/login_required #623
  • 401 must have WWW-Authenticate HTTP Header set. #623

OAuth2.0 Provider - Bugfixes

  • empty scopes no longer raise exceptions for implicit and authorization_code #475 / #406

OAuth2.0 Client - Bugfixes / Changes:

  • expires_in in Implicit flow is now an integer #569
  • expires is no longer overriding expires_in #506
  • parse_request_uri_response is now required #499
  • Unknown error=xxx raised by OAuth2 providers was not understood #431
  • OAuth2's prepare_token_request supports sending an empty string for client_id (#585)
  • OAuth2's WebApplicationClient.prepare_request_body was refactored to better support sending or omitting the client_id via a new include_client_id kwarg. By default this is included. The method will also emit a DeprecationWarning if a client_id parameter is submitted; the already configured self.client_id is the preferred option. (#585)

OAuth1.0 Client:

  • Support for HMAC-SHA256 #498

General fixes:

  • $ and ' are allowed to be unencoded in query strings #564
  • Request attributes are no longer overridden by HTTP Headers #409
  • Removed unnecessary code for handling python2.6
  • Add support of python3.7 #621
  • Several minor updates to setup.py and tox
  • Set pytest as the default unittest framework

v2.1.0

5 years ago

This minor release includes the following changes:

  • Fixed some copy and paste typos (#535)
  • Use secrets module in Python 3.6 and later (#533)
  • Add request argument to confirm_redirect_uri (#504)
  • Avoid populating spurious token credentials (#542)
  • Make populate attributes API public (#546)

v2.0.7

6 years ago

🎉 First oauthlib community release. 🎉

  • Moved oauthlib into new organization on GitHub.
  • Include license file in the generated wheel package. (#494)
  • When deploying a release to PyPI, include the wheel distribution. (#496)
  • Check access token in self.token dict. (#500)
  • Added bottle-oauthlib to docs. (#509)
  • Update repository location in Travis. (#514)
  • Updated docs for organization change. (#515)
  • Replace G+ with Gitter. (#517)
  • Update requirements. (#518)
  • Add shields for Python versions, license and RTD. (#520)
  • Fix ReadTheDocs build (#521).
  • Fixed "make" command to test upstream with local oauthlib. (#522)
  • Replace IRC notification with Gitter Hook. (#523)
  • Added Github Releases deploy provider. (#523)