Changelog History
-
v3.2.1 Changes
September 09, 2022
OAuth2.0 Provider:
- #803: Metadata endpoint support of non-HTTPS
- CVE-2022-36087
OAuth1.0:
- #818: Allow IPv6 being parsed by signature
General:
- Improved and fixed documentation warnings.
- Cosmetic changes based on isort
-
v3.2.0 Changes
January 29, 2022
OAuth2.0 Client:
- #795: Add Device Authorization Flow for Web Application
- #786: Add PKCE support for Client
- #783: Fallback to none in case of wrong expires_at format.
OAuth2.0 Provider:
- #790: Add support for CORS to metadata endpoint.
- #791: Add support for CORS to token endpoint.
- #787: Remove comma after Bearer in WWW-Authenticate
OAuth2.0 Provider - OIDC:
- #755: Call save_token in Hybrid code flow
- #751: OIDC add support of refreshing ID Tokens with refresh_id_token
- #751: The RefreshTokenGrant modifiers now take the same arguments as the AuthorizationCodeGrant modifiers (token, token_handler, request).
General:
- Added Python 3.9, 3.10, 3.11
- Improve Travis & Coverage
-
v3.1.1 Changes
May 31, 2021
OAuth2.0 Provider - Bugfixes
- #753: Fix acceptance of valid IPv6 addresses in URI validation
OAuth2.0 Provider - Features
- #751: OIDC add support of refreshing ID Tokens
OAuth2.0 Client - Bugfixes
- #730: Base OAuth2 Client now has a consistent way of managing the scope: it consistently relies on the scope provided in the constructor if any, except if overridden temporarily in a method call. Note that in particular, providing a non-None scope in prepare_authorization_request or prepare_refresh_token no longer overrides self.scope forever; it is just used temporarily.
- #726: MobileApplicationClient.prepare_request_uri and MobileApplicationClient.parse_request_uri_response, ServiceApplicationClient.prepare_request_body, and WebApplicationClient.prepare_request_uri now correctly use the default scope provided in constructor.
- #725: LegacyApplicationClient.prepare_request_body now correctly uses the default scope provided in constructor
OAuth2.0 Provider - Bugfixes
- #711: client_credentials grant: fix log message
- #746: OpenID Connect Hybrid - fix nonce not passed to add_id_token
- #756: Different prompt values are now handled according to spec (e.g. prompt=none)
- #759: OpenID Connect - fix Authorization: Basic parsing
- #751: The RefreshTokenGrant modifiers now take the same arguments as the AuthorizationCodeGrant modifiers (token, token_handler, request).
General
- #716: improved skeleton validator for public vs private client
- #720: replace mock library with standard unittest.mock
- #727: build isort integration
- #734: python2 code removal
- #735, #750: add python3.8 support
- #749: bump minimum versions of pyjwt and cryptography
-
v3.1.0 Changes
August 06, 2019
3.1.0 is a feature release including improvements to OIDC and security enhancements. Check it out!
OAuth2.0 Provider - Features
- #660: OIDC add support of nonce, c_hash, at_hash fields
  - New RequestValidator.fill_id_token method
  - Deprecated RequestValidator.get_id_token method
- #677: OIDC add UserInfo endpoint
  - New RequestValidator.get_userinfo_claims method
OAuth2.0 Provider - Security
- #665: Enhance protection against data leaks to logs
  - New default to not expose request content in logs
  - New function oauthlib.set_debug(True)
- #666: Disabling query parameters for POST requests
OAuth2.0 Provider - Bugfixes
- #670: Fix validate_authorization_request to return the new PKCE fields
- #674: Fix token_type to be case-insensitive (bearer and Bearer)
OAuth2.0 Client - Bugfixes
- #290: Fix Authorization Code's errors processing
- #603: BackendApplicationClient.prepare_request_body uses the "scope" argument as intended.
- #672: Fix edge case when expires_in=Null
OAuth1.0 Client
- #669: Add case-insensitive headers to oauth1 BaseEndpoint
- #660: OIDC add support of nonce, c_hash, at_hash fields
-
v3.0.2 Changes
July 04, 2019
Bug fix release
- #650: OAuth1: Fixed space encoding in base string URI used in the signature base string.
- #654: OAuth2: Doc: The value state must not be stored by the AS, only returned in /authorize response.
- #652: OIDC: Fixed /token response which wrongly returned "&state=None"
- #656: OIDC: Fixed "nonce" checks: raise errors when it's mandatory
-
v3.0.1 Changes
January 24, 2019
Fix regression introduced in 3.0.0
- #644 Fixed Revocation & Introspection Endpoints when using Client Authentication with HTTP Basic Auth.
-
v3.0.0 Changes
January 01, 2019
This is a major release containing API breaking changes and new major features. See the full list below:
OAuth2.0 Provider - outstanding Features
- OpenID Connect Core support
- RFC7662 Introspect support
- RFC8414 OAuth2.0 Authorization Server Metadata support (#605)
- RFC7636 PKCE support (#617 #624)
OAuth2.0 Provider - API/Breaking Changes
- Add "request" to confirm_redirect_uri #504
- confirm_redirect_uri/get_default_redirect_uri has changed a bit #445
- invalid_client is now a FatalError #606
- Changed errors status code from 401 to 400:
  - invalid_grant: #264
  - invalid_scope: #620
  - access_denied/unauthorized_client/consent_required/login_required #623
- 401 must have WWW-Authenticate HTTP Header set. #623
OAuth2.0 Provider - Bugfixes
OAuth2.0 Client - Bugfixes / Changes:
- expires_in in Implicit flow is now an integer #569
- expires is no longer overriding expires_in #506
- parse_request_uri_response is now required #499
- Unknown error=xxx raised by OAuth2 providers was not understood #431
- OAuth2's prepare_token_request supports sending an empty string for client_id (#585)
- OAuth2's WebApplicationClient.prepare_request_body was refactored to better support sending or omitting the client_id via a new include_client_id kwarg. By default this is included. The method will also emit a DeprecationWarning if a client_id parameter is submitted; the already configured self.client_id is the preferred option. (#585)
OAuth1.0 Client:
- Support for HMAC-SHA256 #498
General fixes:
- $ and ' are allowed to be unencoded in query strings #564
- Request attributes are no longer overridden by HTTP Headers #409
- Removed unnecessary code for handling python2.6
- Add support of python3.7 #621
- Several minor updates to setup.py and tox
- Set pytest as the default unittest framework
-
v2.1.0 Changes
May 21, 2018
This minor release includes the following changes:
-
v2.0.7 Changes
March 19, 2018
First oauthlib community release.
- Moved oauthlib into new organization on GitHub.
- Include license file in the generated wheel package. (#494)
- When deploying a release to PyPI, include the wheel distribution. (#496)
- Check access token in self.token dict. (#500)
- Added bottle-oauthlib to docs. (#509)
- Update repository location in Travis. (#514)
- Updated docs for organization change. (#515)
- Replace G+ with Gitter. (#517)
- Update requirements. (#518)
- Add shields for Python versions, license and RTD. (#520)
- Fix ReadTheDocs build (#521).
- Fixed "make" command to test upstream with local oauthlib. (#522)
- Replace IRC notification with Gitter Hook. (#523)
- Added GitHub Releases deploy provider. (#523)
-
v2.0.6 Changes
October 20, 2017
Fix-up release, since 2.0.5 contained breaking changes.