
Releases: lepture/authlib

Version 1.3.2

30 Aug 14:26
d7db2c3
  • Prevent ever-growing session size for OAuth clients.
  • Revert quoting of client id and secret.
  • Unquote the HTTP Basic auth header in the authorization server.
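
The last two items touch both sides of the client_secret_basic scheme. RFC 6749 section 2.3.1 says client_id and client_secret are form-urlencoded before they are joined with ':' and base64-encoded, so an authorization server must split the decoded credential first and percent-decode each half afterwards. The following is an added, self-contained illustration of that exchange in plain Python; it is not Authlib's code and does not use Authlib's classes, and the sample credentials are constructed:

```python
import base64
from typing import Optional, Tuple
from urllib.parse import quote, unquote


def encode_client_secret_basic(client_id: str, client_secret: str) -> str:
    """Build the Authorization header value for client_secret_basic.

    RFC 6749 section 2.3.1: client_id and client_secret are each
    application/x-www-form-urlencoded before they are joined with ':' and
    base64-encoded. quote(..., safe='') percent-encodes every reserved
    character, so a ':' or '%' inside a credential can never be mistaken
    for the separator on the server.
    """
    userpass = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(userpass.encode("utf-8")).decode("ascii")


def decode_client_secret_basic(header: str) -> Optional[Tuple[str, str]]:
    """Authorization-server side: parse the header back into (client_id, client_secret).

    Returns None for anything malformed. The order matters for security:
    base64-decode, split on the FIRST ':' only, then percent-decode each half.
    Unquoting before the split would let a credential containing '%3A'
    smuggle in an extra separator.
    """
    scheme, _, encoded = header.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        raw = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        # binascii.Error (bad base64) is a ValueError subclass
        return None
    client_id, sep, client_secret = raw.partition(":")
    if not sep or not client_id:
        return None
    return unquote(client_id), unquote(client_secret)


if __name__ == "__main__":
    # Constructed sample credentials chosen to contain the characters that
    # break naive implementations: a space and ':' in the id, '%' and ':' in the secret.
    header = encode_client_secret_basic("my client:id", "s3cr3t%:value")
    print(header)
    print(decode_client_secret_basic(header))
```

Both sides have to agree on the encoding: a secret containing a literal '%' that a client sends unquoted will be mangled by a server that unquotes, which is the interoperability tension behind a client-side revert paired with a server-side unquote.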

Version 1.3.1

04 Jun 02:48
df226ab

Prevent OctKey from importing SSH and PEM key strings.
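
Why this matters: if a symmetric (oct) key can be constructed from the text of a PEM or SSH public key, a verifier that was handed that public key for an asymmetric algorithm can be presented with an HS256 token whose HMAC secret is the public key bytes, and anyone holding the public key can compute that tag. The block below is an added illustration in plain Python, not Authlib's implementation: the guard's prefix list is this example's own choice, and the PEM string is constructed filler with PEM framing, not a real key.

```python
import base64
import hashlib
import hmac
import json
from typing import Union

PEM_MARKER = "-----BEGIN "
SSH_PREFIXES = ("ssh-rsa ", "ssh-ed25519 ", "ssh-dss ", "ecdsa-sha2-")


class KeyImportError(ValueError):
    """Raised when material offered as a symmetric key looks like an asymmetric key."""


def import_oct_key(raw: Union[str, bytes, bytearray]) -> bytes:
    """Return raw HMAC secret bytes, refusing PEM or OpenSSH serializations.

    The prefix list is this example's own; the point is that a verifier must
    never turn a public key it was given for RS*/ES*/PS* into an HMAC secret.
    """
    if isinstance(raw, str):
        data = raw.encode("utf-8")
    elif isinstance(raw, (bytes, bytearray)):
        data = bytes(raw)
    else:
        raise KeyImportError("oct key material must be str or bytes")
    text = data.decode("utf-8", errors="ignore").lstrip()
    if text.startswith(PEM_MARKER) or text.startswith(SSH_PREFIXES):
        raise KeyImportError("refusing to import a PEM/SSH key as an oct (HMAC) key")
    return data


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(secret: bytes, payload: dict) -> str:
    """Produce a compact JWS with alg=HS256. An attacker holding only a public
    key can call this with the PEM bytes as `secret`."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    tag = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(tag)}"


def verify_hs256(token: str, key_material: Union[str, bytes], guard: bool = True) -> bool:
    """Verify an HS256 token. guard=False models a verifier that lets any
    string, a PEM public key included, become an oct key."""
    if guard:
        secret = import_oct_key(key_material)
    else:
        secret = key_material.encode("utf-8") if isinstance(key_material, str) else bytes(key_material)
    try:
        header, body, sig = token.split(".")
        actual = _b64url_decode(sig)
    except ValueError:
        return False
    signing_input = f"{header}.{body}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, actual)


def rejects_as_oct_key(key_material: Union[str, bytes]) -> bool:
    """True if the guard refuses the material."""
    try:
        import_oct_key(key_material)
    except KeyImportError:
        return True
    return False


# Constructed stand-in for a public key a verifier might be configured with.
# The base64 body is filler, NOT a real key; only its PEM framing matters here.
FAKE_PUBLIC_KEY_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZmlsbGVyLWJ5dGVzLW5vdC1hLXJlYWwta2V5\n"
    "-----END PUBLIC KEY-----\n"
)

if __name__ == "__main__":
    forged = sign_hs256(FAKE_PUBLIC_KEY_PEM.encode(), {"sub": "admin"})
    print("unguarded verifier accepts forged token:", verify_hs256(forged, FAKE_PUBLIC_KEY_PEM, guard=False))
    print("guarded verifier refuses PEM as oct key:", rejects_as_oct_key(FAKE_PUBLIC_KEY_PEM))
```

The import guard is a second layer; the primary control is to bind each key to the algorithms it may be used with and to reject a token whose alg header does not match the key selected for it.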

Version 1.3.0

17 Dec 12:54

Bug fixes

  • Restore AuthorizationServer.create_authorization_response behavior, via #558 by @TurnrDev
  • Include leeway in validate_iat() for JWT, via #565 by @dhallam
  • Fix encode_client_secret_basic, via #594 by @Prilkop
  • Use single key in JWK if JWS does not specify kid, via #596 by @dklimpel
  • Fix error when RFC9068 JWS has no scope field, via #598 by @tanguilp
  • Get werkzeug version using importlib, via #591 by @Sparrow0hawk

Breaking changes

Version 1.2.1

21 Nov 13:51
a18d0a5
  • Apply headers in ClientSecretJWT.sign method, via #552
  • Allow falsy but non-None grant uri params, via #544
  • Fixed authorize_redirect for Starlette v0.26.0, via #533
  • Removed has_client_secret method and documentation, via #513
  • Removed request_invalid and token_revoked remaining occurrences
    and documentation, #514.
  • Fixed RFC7591 grant_types and response_types default values, via #509
  • Add support for python 3.12, via #590

Version 1.2.0

06 Dec 08:43
7575ea3
  • Not passing request.body to ResourceProtector, #485.
  • Use flask.g instead of _app_ctx_stack, #482.
  • Add headers parameter back to ClientSecretJWT, #457.
  • Always passing realm parameter in OAuth 1 clients, #339.
  • Implemented RFC7592 Dynamic Client Registration Management Protocol, #505.
  • Add default_timeout for requests OAuth2Session and AssertionSession.
  • Deprecate jwk.loads and jwk.dumps

Version 1.1.0

09 Nov 05:13
2a8a226

This release contains breaking changes and security fixes.

  • Allow passing claims_options to framework OpenID Connect clients, via #446 by @Galaxy102
  • Fix .stream with context for HTTPX OAuth clients, via #465 by @bjoernmeier
  • Fix Starlette OAuth client for cache store, via #478 by @haggen

Breaking changes:

  • Raise InvalidGrantError for invalid code, redirect_uri and no user errors in OAuth 2.0 server.
  • The default authlib.jose.jwt now only works with JSON Web Signature algorithms. To use JWT with JWE algorithms, construct a JsonWebToken and pass the algorithms you accept explicitly:

    from authlib.jose import JsonWebToken

    jwt = JsonWebToken(['A128KW', 'A128GCM', 'DEF'])

Security fixes for JOSE module

  • CVE-2022-39175
  • CVE-2022-39174

Version 1.0.1

06 Apr 11:56
2e721aa
  • Fix authenticate_none method, via #438.
  • Allow passing an alternative signing algorithm to RFC7523 authentication methods, via #447.
  • Fix missing_token for Flask OAuth client, via #448.
  • Allow openid anywhere in the scope, via #449.
  • Security fix for validating an essential claim whose value is blank in JWT, via #445.

Version 1.0.0

15 Mar 10:18
c73e2a8

This release drops support for Python 2 and removes the built-in
SQLAlchemy integration.

OAuth Client Changes:

The framework client integrations have been restructured. If you use the
client through its documented entry points, e.g. oauth.register(...), it
works as before.

OAuth Provider Changes:

In the Flask OAuth 2.0 provider, the deprecated OAUTH2_JWT_XXX
configuration has been removed; developers should instead define
.get_jwt_config on the OpenID extensions and grant types.

The SQLAlchemy integration has been removed from Authlib. Developers
should define the database models themselves.

JOSE Changes

  • JWS has been renamed to JsonWebSignature
  • JWE has been renamed to JsonWebEncryption
  • JWK has been renamed to JsonWebKey
  • JWT has been renamed to JsonWebToken

The "Key" model has been redesigned; see the JSON Web Key documentation for the changes.

Added ES256K algorithm for JWS and JWT.

Breaking changes: see https://git.io/JkY4f for how to resolve the deprecation issues.

Version 0.15.5

18 Oct 12:16
d8e428c
  • Make Authlib compatible with latest httpx
  • Make Authlib compatible with latest werkzeug
  • Allow customize RFC7523 alg value

Version 0.15.4

17 Jul 03:08
4570144

Security fix for JWT claims whose value is None.

For example, a JWT payload in which iss is present but set to None:

payload = {
    "iss": None,
    # ...
}

decoded with claims_options that mark iss as essential:

from authlib.jose import jwt

claims_options = {
    'iss': {'essential': True, 'values': ['required']}
}
claims = jwt.decode(token, key, claims_options=claims_options)
claims.validate()  # essential-claim checks run here

Before this fix, this did not raise an error.
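
The 0.15.4 fix above, the 1.0.1 fix for a blank essential value (#445), and the 1.3.0 change to include leeway in validate_iat() are all rules about one routine: checking decoded claims against claims_options. The block below is an added, stand-alone reimplementation of those rules in plain Python, not Authlib's code; it borrows only the claims_options shape shown in the notes above, supports its own subset of option keys ('essential', 'value', 'values'), and all inputs are constructed. The point it makes that the prose alone does not is how a key that is present with a None or whitespace value must be treated as missing rather than as "present, so skip the check".

```python
import time
from typing import Any, Dict, Optional


class MissingClaimError(ValueError):
    """An essential claim is absent, None, or blank."""


class InvalidClaimError(ValueError):
    """A claim is present but fails its value or time check."""


def _is_blank(value: Any) -> bool:
    # The bug class from the 0.15.4 / 1.0.1 notes: a key that is present with
    # value None or "" must count as missing, not as "present, so skip the check".
    return value is None or (isinstance(value, str) and not value.strip())


def validate_claims(claims: Dict[str, Any], claims_options: Dict[str, Dict[str, Any]],
                    now: Optional[int] = None, leeway: int = 0) -> None:
    """Validate decoded JWT claims against claims_options.

    claims_options uses the shape shown in the release notes above, e.g.
        {'iss': {'essential': True, 'values': ['https://idp.example']}}
    Supported keys per claim (this example's own subset): 'essential', 'value',
    'values'. Time claims exp/nbf/iat get `leeway` seconds of tolerance in the
    direction that makes the check more permissive, as the 1.3.0 note says for iat.
    Raises MissingClaimError or InvalidClaimError; returns None when valid.
    """
    now = int(time.time()) if now is None else now

    for name, option in claims_options.items():
        value = claims.get(name)
        if _is_blank(value):
            if option.get("essential"):
                raise MissingClaimError(name)
            continue  # optional claim not supplied: nothing to compare
        if "value" in option and value != option["value"]:
            raise InvalidClaimError(name)
        if "values" in option and value not in option["values"]:
            raise InvalidClaimError(name)

    def _num(name: str) -> Optional[int]:
        v = claims.get(name)
        if v is None:
            return None
        if isinstance(v, bool) or not isinstance(v, (int, float)):
            raise InvalidClaimError(name)  # NumericDate must be a number
        return int(v)

    exp, nbf, iat = _num("exp"), _num("nbf"), _num("iat")
    if exp is not None and exp + leeway <= now:
        raise InvalidClaimError("exp")  # expired, even after leeway
    if nbf is not None and nbf - leeway > now:
        raise InvalidClaimError("nbf")  # not yet valid
    if iat is not None and iat - leeway > now:
        raise InvalidClaimError("iat")  # issued in the future beyond leeway


def claims_ok(claims: Dict[str, Any], claims_options: Dict[str, Dict[str, Any]],
              now: Optional[int] = None, leeway: int = 0) -> bool:
    """Boolean wrapper around validate_claims."""
    try:
        validate_claims(claims, claims_options, now=now, leeway=leeway)
    except (MissingClaimError, InvalidClaimError):
        return False
    return True


if __name__ == "__main__":
    opts = {"iss": {"essential": True, "values": ["https://idp.example"]}}
    # Constructed inputs: the essential claim present-but-None, blank, and valid.
    print(claims_ok({"iss": None}, opts))                   # False
    print(claims_ok({"iss": "  "}, opts))                    # False
    print(claims_ok({"iss": "https://idp.example"}, opts))   # True
    print(claims_ok({"iat": 1030}, {}, now=1000, leeway=60)) # True
    print(claims_ok({"iat": 1030}, {}, now=1000))            # False
```

Note the asymmetry in the time checks: leeway only ever widens the window (later exp, earlier nbf and iat), so a clock skew setting can never turn a valid token into an invalid one, only tolerate a slightly misaligned issuer clock.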