OAuthLib v3.1.1 Release Notes

Release Date: 2021-05-31
  • OAuth2.0 Provider - Bugfixes

    • #753: Fix acceptance of valid IPv6 addresses in URI validation

    OAuth2.0 Provider - Features

    • #751: OIDC add support of refreshing ID Tokens

    OAuth2.0 Client - Bugfixes

    • #730: The base OAuth2 Client now manages the scope consistently: it relies on the scope provided in the constructor, if any, unless it is overridden temporarily in a method call. Note in particular that providing a non-None scope in prepare_authorization_request or prepare_refresh_token no longer overrides self.scope permanently; it is only used for that call.
    • #726: MobileApplicationClient.prepare_request_uri and MobileApplicationClient.parse_request_uri_response, ServiceApplicationClient.prepare_request_body, and WebApplicationClient.prepare_request_uri now correctly use the default scope provided in the constructor.
    • #725: LegacyApplicationClient.prepare_request_body now correctly uses the default scope provided in the constructor.

    OAuth2.0 Provider - Bugfixes

    • #711: client_credentials grant: fix log message
    • #746: OpenID Connect Hybrid - fix nonce not passed to add_id_token
    • #756: Different prompt values are now handled according to spec (e.g. prompt=none)
    • #759: OpenID Connect - fix Authorization: Basic parsing
    • #751: The RefreshTokenGrant modifiers now take the same arguments as the AuthorizationCodeGrant modifiers (token, token_handler, request).

    General

    • #716: improved skeleton validator for public vs private client
    • #720: replace mock library with standard unittest.mock
    • #727: build isort integration
    • #734: python2 code removal
    • #735, #750: add python3.8 support
    • #749: bump minimum versions of pyjwt and cryptography
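
The scope handling described in #730 can be pinned with a small regression check when upgrading. This is an added example, not code from the OAuthLib project; it assumes oauthlib 3.1.1 or later is installed, and the URLs, client id, state and scope names are constructed sample values.

```python
from urllib.parse import parse_qs, urlsplit

from oauthlib.oauth2 import WebApplicationClient

# Constructed sample values; none of them come from the release notes.
AUTH_URL = "https://idp.example.test/authorize"
REDIRECT = "https://app.example.test/callback"
DEFAULT_SCOPE = ["openid", "profile"]
ELEVATED_SCOPE = ["openid", "profile", "admin"]


def scope_in(url):
    """Return the scope values carried by an authorization request URL."""
    raw = parse_qs(urlsplit(url).query).get("scope", [""])[0]
    return raw.split()


def scope_lifecycle():
    """Issue default, overridden, then default requests; report each scope."""
    client = WebApplicationClient("constructed-client-id", scope=DEFAULT_SCOPE)
    seen = []
    for override in (None, ELEVATED_SCOPE, None):
        url, _headers, _body = client.prepare_authorization_request(
            AUTH_URL, state="constructed-state", redirect_url=REDIRECT,
            scope=override)
        seen.append(scope_in(url))
    return seen, list(client.scope)


if __name__ == "__main__":
    requests_seen, stored = scope_lifecycle()
    labels = ("default", "override", "default again")
    for label, scope in zip(labels, requests_seen):
        print(f"{label:14} -> {scope}")
    # A sticky override would show 'admin' here and in the third request.
    print("client.scope   ->", stored)
```

If the third request or client.scope still contains the one-off elevated scope, the installed version predates this fix and later requests would ask for broader access than intended.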

Previous changes from v3.1.0

  • 3.1.0 is a feature release including improvements to OIDC and security enhancements. Check it out!

    OAuth2.0 Provider - Features

    • #660: OIDC add support of nonce, c_hash, at_hash fields
      • New RequestValidator.fill_id_token method
      • Deprecated RequestValidator.get_id_token method
    • #677: OIDC add UserInfo endpoint
      • New RequestValidator.get_userinfo_claims method

    OAuth2.0 Provider - Security

    • #665: Enhance protection against data leaks to logs
      • New default to not expose request content in logs
      • New function oauthlib.set_debug(True)
    • #666: Disabling query parameters for POST requests

    OAuth2.0 Provider - Bugfixes

    • #670: Fix validate_authorization_request to return the new PKCE fields
    • #674: Fix token_type to be case-insensitive (bearer and Bearer)

    OAuth2.0 Client - Bugfixes

    • #290: Fix Authorization Code's errors processing
    • #603: BackendApplicationClient.prepare_request_body now uses the "scope" argument as intended.
    • #672: Fix edge case when expires_in=Null

    OAuth1.0 Client

    • #669: Add case-insensitive headers to oauth1 BaseEndpoint