OAuthLib changelog

Changelog History

Page 1

• v3.2.1 Changes

  September 09, 2022

  OAuth2.0 Provider:

  • 📇 #803: Metadata endpoint support of non-HTTPS
  • CVE-2022-36087

  OAuth1.0:

  • 📜 #818: Allow IPv6 being parsed by signature

  General:

  • 👌 Improved and fixed documentation warnings.
  • 💄 Cosmetic changes based on isort

• v3.2.0 Changes

  January 29, 2022

  OAuth2.0 Client:

  • 🌐 #795: Add Device Authorization Flow for Web Application
  • 👍 #786: Add PKCE support for Client
  • #783: Fallback to none in case of wrong expires_at format.

  OAuth2.0 Provider:

  • 📇 #790: Add support for CORS to metadata endpoint.
  • 👍 #791: Add support for CORS to token endpoint.
  • 🚚 #787: Remove comma after Bearer in WWW-Authenticate

  OAuth2.0 Provider - OIDC:

  • #755: Call save_token in Hybrid code flow
  • #751: OIDC add support of refreshing ID Tokens with refresh_id_token
  • #751: The RefreshTokenGrant modifiers now take the same arguments as the AuthorizationCodeGrant modifiers (token, token_handler, request).

  General:

  • Added Python 3.9, 3.10, 3.11
  • Improve Travis & Coverage

• v3.1.1 Changes

  May 31, 2021

  🛠 OAuth2.0 Provider - Bugfixes

  • #753: Fix acceptance of valid IPv6 addresses in URI validation

  OAuth2.0 Provider - Features

  • #751: OIDC add support of refreshing ID Tokens

  🛠 OAuth2.0 Client - Bugfixes

  • #730: Base OAuth2 Client now has a consistent way of managing the scope: it consistently relies on the scope provided in the constructor if any, except if overridden temporarily in a method call. Note that in particular providing a non-None scope in prepare_authorization_request or prepare_refresh_token does not override anymore self.scope forever, it is just used temporarily.
  • #726: MobileApplicationClient.prepare_request_uri and MobileApplicationClient.parse_request_uri_response, ServiceApplicationClient.prepare_request_body, and WebApplicationClient.prepare_request_uri now correctly use the default scope provided in constructor.
  • #725: LegacyApplicationClient.prepare_request_body now correctly uses the default scope provided in constructor

  🛠 OAuth2.0 Provider - Bugfixes

  • #711: client_credentials grant: fix log message
  • #746: OpenID Connect Hybrid - fix nonce not passed to add_id_token
  • #756: Different prompt values are now handled according to spec (e.g. prompt=none)
  • #759: OpenID Connect - fix Authorization: Basic parsing
  • #751: The RefreshTokenGrant modifiers now take the same arguments as the AuthorizationCodeGrant modifiers (token, token_handler, request).

  General

  • #716: improved skeleton validator for public vs private client
  • #720: replace mock library with standard unittest.mock
  • #727: build isort integration
  • #734: python2 code removal
  • #735, #750: add python3.8 support
  • #749: bump minimum versions of pyjwt and cryptography

• v3.1.0 Changes

  August 06, 2019

  🚀 3.1.0 is an feature release including improvement to OIDC and security enhancements. Check-it out !

  OAuth2.0 Provider - Features

  • #660: OIDC add support of nonce, c_hash, at_hash fields
    • New RequestValidator.fill_id_token method
    • Deprecated RequestValidator.get_id_token method
  • #677: OIDC add UserInfo endpoint
    • New RequestValidator.get_userinfo_claims method

  🔒 OAuth2.0 Provider - Security

  • 🔊 #665: Enhance data leak to logs
    • New default to not expose request content in logs
    • New function oauthlib.set_debug(True)
  • #666: Disabling query parameters for POST requests

  🛠 OAuth2.0 Provider - Bugfixes

  • #670: Fix validate_authorization_request to return the new PKCE fields
  • #674: Fix token_type to be case-insensitive (bearer and Bearer)

  🛠 OAuth2.0 Client - Bugfixes

  • #290: Fix Authorization Code's errors processing
  • #603: BackendApplication.Client.prepare_request_body use the "scope" argument as intended.
  • #672: Fix edge case when expires_in=Null

  OAuth1.0 Client

  • 👀 #669: Add case-insensitive headers to oauth1 BaseEndpoint

• v3.0.2 Changes

  July 04, 2019

  🐛 Bug fix release

  • 🛠 #650: OAuth1: Fixed space encoding in base string URI used in the signature base string.
  • #654: OAuth2: Doc: The value state must not be stored by the AS, only returned in /authorize response.
  • 🛠 #652: OIDC: Fixed /token response which wrongly returned "&state=None"
  • 🚩 #656: OIDC: Fixed "nonce" checks: raise errors when it's mandatory

• v3.0.1 Changes

  January 24, 2019

  🛠 Fix regression introduced in 3.0.0

  • 🛠 #644 Fixed Revocation & Introspection Endpoints when using Client Authentication with HTTP Basic Auth.

• v3.0.0 Changes

  January 01, 2019

  🚀 This is a major release containing API Breaking changes, and new major features. See the full list below:

  OAuth2.0 Provider - outstanding Features

  • 👍 OpenID Connect Core support
  • 👍 RFC7662 Introspect support
  • 📇 RFC8414 OAuth2.0 Authorization Server Metadata support (#605)
  • 👍 RFC7636 PKCE support (#617 #624)

  OAuth2.0 Provider - API/Breaking Changes

  • Add "request" to confirm_redirect_uri #504
  • confirm_redirect_uri/get_default_redirect_uri has a bit changed #445
  • invalid_client is now a FatalError #606

  • 🔄 Changed errors status code from 401 to 400:

  • invalid_grant: #264

  • invalid_scope: #620

  • access_denied/unauthorized_client/consent_required/login_required #623

  • 401 must have WWW-Authenticate HTTP Header set. #623

  🛠 OAuth2.0 Provider - Bugfixes

  • empty scopes no longer raise exceptions for implicit and authorization_code #475 / #406

  🛠 OAuth2.0 Client - Bugfixes / Changes:

  • expires_in in Implicit flow is now an integer #569
  • expires is no longer overriding expires_in #506
  • parse_request_uri_response is now required #499
  • Unknown error=xxx raised by OAuth2 providers was not understood #431
  • OAuth2's prepare_token_request supports sending an empty string for client_id (#585)
  • OAuth2's WebApplicationClient.prepare_request_body was refactored to better
    support sending or omitting the client_id via a new include_client_id kwarg.
    🗄 By default this is included. The method will also emit a DeprecationWarning if
    🔧 a client_id parameter is submitted; the already configured self.client_id
    is the preferred option. (#585)

  OAuth1.0 Client:

  • 👌 Support for HMAC-SHA256 #498

  🛠 General fixes:

  • $ and ' are allowed to be unencoded in query strings #564
  • Request attributes are no longer overriden by HTTP Headers #409
  • ✂ Removed unnecessary code for handling python2.6
  • ➕ Add support of python3.7 #621
  • ⚡️ Several minors updates to setup.py and tox
  • ✅ Set pytest as the default unittest framework

• v2.1.0 Changes

  May 21, 2018

  🚀 This minor release includes the following changes:

  • 🛠 Fixed some copy and paste typos (#535)
  • 👉 Use secrets module in Python 3.6 and later (#533)
  • Add request argument to confirm_redirect_uri (#504)
  • Avoid populating spurious token credentials (#542)
  • 👉 Make populate attributes API public (#546)

• v2.0.7 Changes

  March 19, 2018

  🚀 🎉 First oauthlib community release. 🎉

  • 🚚 Moved oauthlib into new organization on GitHub.
  • 📦 Include license file in the generated wheel package. (#494)
  • 🚀 When deploying a release to PyPI, include the wheel distribution. (#496)
  • Check access token in self.token dict. (#500)
  • ➕ Added bottle-oauthlib to docs. (#509)
  • ⚡️ Update repository location in Travis. (#514)
  • ⚡️ Updated docs for organization change. (#515)
  • Replace G+ with Gitter. (#517)
  • ⚡️ Update requirements. (#518)
  • ➕ Add shields for Python versions, license and RTD. (#520)
  • 🛠 Fix ReadTheDocs build (#521).
  • 🛠 Fixed "make" command to test upstream with local oauthlib. (#522)
  • Replace IRC notification with Gitter Hook. (#523)
  • ➕ Added Github Releases deploy provider. (#523)

• v2.0.6 Changes

  October 20, 2017

  🛠 Fix-up release, since 2.0.5 contained breaking changes.

• 1
• 2
• 3
• 4
• 5
• Next ›
• Last »