Changelog History

  • v3.2.1 Changes

    September 09, 2022

    OAuth2.0 Provider:

    • #803: Metadata endpoint support of non-HTTPS
    • CVE-2022-36087

    OAuth1.0:

    • #818: Allow IPv6 being parsed by signature

    General:

    • Improved and fixed documentation warnings.
    • Cosmetic changes based on isort
  • v3.2.0 Changes

    January 29, 2022

    OAuth2.0 Client:

    • #795: Add Device Authorization Flow for Web Application
    • #786: Add PKCE support for Client
    • #783: Fallback to none in case of wrong expires_at format.

    OAuth2.0 Provider:

    • #790: Add support for CORS to metadata endpoint.
    • #791: Add support for CORS to token endpoint.
    • #787: Remove comma after Bearer in WWW-Authenticate

    OAuth2.0 Provider - OIDC:

    • #755: Call save_token in Hybrid code flow
    • #751: OIDC add support of refreshing ID Tokens with refresh_id_token
    • #751: The RefreshTokenGrant modifiers now take the same arguments as the AuthorizationCodeGrant modifiers (token, token_handler, request).

    General:

    • Added Python 3.9, 3.10, 3.11
    • Improve Travis & Coverage
  • v3.1.1 Changes

    May 31, 2021

    OAuth2.0 Provider - Bugfixes

    • #753: Fix acceptance of valid IPv6 addresses in URI validation

    OAuth2.0 Provider - Features

    • #751: OIDC add support of refreshing ID Tokens

    OAuth2.0 Client - Bugfixes

    • #730: Base OAuth2 Client now has a consistent way of managing the scope: it consistently relies on the scope provided in the constructor if any, except if overridden temporarily in a method call. Note that in particular providing a non-None scope in prepare_authorization_request or prepare_refresh_token does not override anymore self.scope forever, it is just used temporarily.
    • #726: MobileApplicationClient.prepare_request_uri and MobileApplicationClient.parse_request_uri_response, ServiceApplicationClient.prepare_request_body, and WebApplicationClient.prepare_request_uri now correctly use the default scope provided in constructor.
    • #725: LegacyApplicationClient.prepare_request_body now correctly uses the default scope provided in constructor

    OAuth2.0 Provider - Bugfixes

    • #711: client_credentials grant: fix log message
    • #746: OpenID Connect Hybrid - fix nonce not passed to add_id_token
    • #756: Different prompt values are now handled according to spec (e.g. prompt=none)
    • #759: OpenID Connect - fix Authorization: Basic parsing
    • #751: The RefreshTokenGrant modifiers now take the same arguments as the AuthorizationCodeGrant modifiers (token, token_handler, request).

    General

    • #716: improved skeleton validator for public vs private client
    • #720: replace mock library with standard unittest.mock
    • #727: build isort integration
    • #734: python2 code removal
    • #735, #750: add python3.8 support
    • #749: bump minimum versions of pyjwt and cryptography
  • v3.1.0 Changes

    August 06, 2019

    3.1.0 is a feature release including improvements to OIDC and security enhancements. Check it out!

    OAuth2.0 Provider - Features

    • #660: OIDC add support of nonce, c_hash, at_hash fields
      • New RequestValidator.fill_id_token method
      • Deprecated RequestValidator.get_id_token method
    • #677: OIDC add UserInfo endpoint
      • New RequestValidator.get_userinfo_claims method

    OAuth2.0 Provider - Security

    • #665: Reduce data leaks to logs
      • New default to not expose request content in logs
      • New function oauthlib.set_debug(True)
    • #666: Disabling query parameters for POST requests

    OAuth2.0 Provider - Bugfixes

    • #670: Fix validate_authorization_request to return the new PKCE fields
    • #674: Fix token_type to be case-insensitive (bearer and Bearer)

    OAuth2.0 Client - Bugfixes

    • #290: Fix Authorization Code's errors processing
    • #603: BackendApplication.Client.prepare_request_body now uses the "scope" argument as intended.
    • #672: Fix edge case when expires_in=Null

    OAuth1.0 Client

    • #669: Add case-insensitive headers to oauth1 BaseEndpoint
  • v3.0.2 Changes

    July 04, 2019

    Bug fix release

    • #650: OAuth1: Fixed space encoding in base string URI used in the signature base string.
    • #654: OAuth2: Doc: The value state must not be stored by the AS, only returned in /authorize response.
    • #652: OIDC: Fixed /token response which wrongly returned "&state=None"
    • #656: OIDC: Fixed "nonce" checks: raise errors when it's mandatory
  • v3.0.1 Changes

    January 24, 2019

    Fix regression introduced in 3.0.0

    • #644 Fixed Revocation & Introspection Endpoints when using Client Authentication with HTTP Basic Auth.
  • v3.0.0 Changes

    January 01, 2019

    This is a major release containing API Breaking changes, and new major features. See the full list below:

    OAuth2.0 Provider - outstanding Features

    • OpenID Connect Core support
    • RFC7662 Introspect support
    • RFC8414 OAuth2.0 Authorization Server Metadata support (#605)
    • RFC7636 PKCE support (#617 #624)

    OAuth2.0 Provider - API/Breaking Changes

    • Add "request" to confirm_redirect_uri #504
    • confirm_redirect_uri/get_default_redirect_uri have changed slightly #445
    • invalid_client is now a FatalError #606
    • Changed errors status code from 401 to 400:
      • invalid_grant: #264
      • invalid_scope: #620
      • access_denied/unauthorized_client/consent_required/login_required #623
      • 401 must have WWW-Authenticate HTTP Header set. #623

    OAuth2.0 Provider - Bugfixes

    • empty scopes no longer raise exceptions for implicit and authorization_code #475 / #406

    OAuth2.0 Client - Bugfixes / Changes:

    • expires_in in Implicit flow is now an integer #569
    • expires is no longer overriding expires_in #506
    • parse_request_uri_response is now required #499
    • Unknown error=xxx raised by OAuth2 providers was not understood #431
    • OAuth2's prepare_token_request supports sending an empty string for client_id (#585)
    • OAuth2's WebApplicationClient.prepare_request_body was refactored to better
      support sending or omitting the client_id via a new include_client_id kwarg.
      By default this is included. The method will also emit a DeprecationWarning if
      a client_id parameter is submitted; the already configured self.client_id
      is the preferred option. (#585)

    OAuth1.0 Client:

    • Support for HMAC-SHA256 #498

    General fixes:

    • $ and ' are allowed to be unencoded in query strings #564
    • Request attributes are no longer overridden by HTTP Headers #409
    • Removed unnecessary code for handling python2.6
    • Add support of python3.7 #621
    • Several minor updates to setup.py and tox
    • Set pytest as the default unittest framework
  • v2.1.0 Changes

    May 21, 2018

    This minor release includes the following changes:

    • Fixed some copy and paste typos (#535)
    • Use secrets module in Python 3.6 and later (#533)
    • Add request argument to confirm_redirect_uri (#504)
    • Avoid populating spurious token credentials (#542)
    • Make populate attributes API public (#546)
  • v2.0.7 Changes

    March 19, 2018

    First oauthlib community release.

    • Moved oauthlib into new organization on GitHub.
    • Include license file in the generated wheel package. (#494)
    • When deploying a release to PyPI, include the wheel distribution. (#496)
    • Check access token in self.token dict. (#500)
    • Added bottle-oauthlib to docs. (#509)
    • Update repository location in Travis. (#514)
    • Updated docs for organization change. (#515)
    • Replace G+ with Gitter. (#517)
    • Update requirements. (#518)
    • Add shields for Python versions, license and RTD. (#520)
    • Fix ReadTheDocs build (#521).
    • Fixed "make" command to test upstream with local oauthlib. (#522)
    • Replace IRC notification with Gitter Hook. (#523)
    • Added Github Releases deploy provider. (#523)
  • v2.0.6 Changes

    October 20, 2017

    Fix-up release, since 2.0.5 contained breaking changes.