Changelog¶
Here you can see the full list of changes between each Authlib release.
Unreleased¶
Fix
id_token
decoding when kid is null. pull request #659Stop support for Python 3.8. pull request #682
Support for Python 3.13. pull request #682
Force login if the
prompt
parameter value islogin
. pull request #637
Version 1.3.2¶
Prevent ever-growing session size for OAuth clients.
Revert
quote
client id and secret.unquote
basic auth header for authorization server.
Version 1.3.1¶
Released on June 4, 2024
Prevent
OctKey
to import ssh and PEM strings.
Version 1.3.0¶
Released on Dec 17, 2023
Restore
AuthorizationServer.create_authorization_response
behavior, via pull request #558Include
leeway
invalidate_iat()
for JWT, via pull request #565Fix
encode_client_secret_basic
, via pull request #594Use single key in JWK if JWS does not specify
kid
, via pull request #596Fix error when RFC9068 JWS has no scope field, via pull request #598
Get werkzeug version using importlib, via pull request #591
New features:
RFC9068 implementation, via pull request #586, by @azmeuk.
Breaking changes:
End support for python 3.7
Version 1.2.1¶
Released on Jun 25, 2023
Apply headers in
ClientSecretJWT.sign
method, via pull request #552Allow falsy but non-None grant uri params, via pull request #544
Fixed
authorize_redirect
for Starlette v0.26.0, via pull request #533Removed
has_client_secret
method and documentation, via pull request #513Removed
request_invalid
andtoken_revoked
remaining occurences and documentation. pull request #514Fixed RFC7591
grant_types
andresponse_types
default values, via pull request #509.Add support for python 3.12, via pull request #590.
Version 1.2.0¶
Released on Dec 6, 2022
Not passing
request.body
toResourceProtector
, via issue #485.Use
flask.g
instead of_app_ctx_stack
, via issue #482.Add
headers
parameter back toClientSecretJWT
, via issue #457.Always passing
realm
parameter in OAuth 1 clients, via issue #339.Implemented RFC7592 Dynamic Client Registration Management Protocol, via pull request #505.
Add
default_timeout
for requestsOAuth2Session
andAssertionSession
.Deprecate
jwk.loads
andjwk.dumps
Version 1.1.0¶
Released on Sep 13, 2022
This release contains breaking changes and security fixes.
Allow to pass
claims_options
to Framework OpenID Connect clients, via pull request #446.Fix
.stream
with context for HTTPX OAuth clients, via pull request #465.Fix Starlette OAuth client for cache store, via pull request #478.
Breaking changes:
Raise
InvalidGrantError
for invalid code, redirect_uri and no user errors in OAuth 2.0 server.The default
authlib.jose.jwt
would only work with JSON Web Signature algorithms, if you would like to use JWT with JWE algorithms, please pass the algorithms parameter:jwt = JsonWebToken(['A128KW', 'A128GCM', 'DEF'])
Security fixes: CVE-2022-39175 and CVE-2022-39174, both related to JOSE.
Version 1.0.1¶
Released on Apr 6, 2022
Fix authenticate_none method, via issue #438.
Allow to pass in alternative signing algorithm to RFC7523 authentication methods via pull request #447.
Fix
missing_token
for Flask OAuth client, via issue #448.Allow
openid
in any place of the scope, via issue #449.Security fix for validating essential value on blank value in JWT, via issue #445.
Version 1.0.0¶
Released on Mar 15, 2022.
We have dropped support for Python 2 in this release. We have removed built-in SQLAlchemy integration.
OAuth Client Changes:
The whole framework client integrations have been restructured, if you are
using the client properly, e.g. oauth.register(...)
, it would work as
before.
OAuth Provider Changes:
In Flask OAuth 2.0 provider, we have removed the deprecated
OAUTH2_JWT_XXX
configuration, instead, developers should define
.get_jwt_config on OpenID extensions and grant types.
SQLAlchemy integrations has been removed from Authlib. Developers should define the database by themselves.
JOSE Changes
JWS
has been renamed toJsonWebSignature
JWE
has been renamed toJsonWebEncryption
JWK
has been renamed toJsonWebKey
JWT
has been renamed toJsonWebToken
The “Key” model has been re-designed, checkout the JSON Web Key (JWK) for updates.
Added ES256K
algorithm for JWS and JWT.
Breaking Changes: find how to solve the deprecate issues via https://git.io/JkY4f
Old Versions¶
Find old changelog at https://github.com/lepture/authlib/releases
Version 0.15.5: Released on Oct 18, 2021
Version 0.15.4: Released on Jul 17, 2021
Version 0.15.3: Released on Jan 15, 2021
Version 0.15.2: Released on Oct 18, 2020
Version 0.15.1: Released on Oct 14, 2020
Version 0.15.0: Released on Oct 10, 2020
Version 0.14.3: Released on May 18, 2020
Version 0.14.2: Released on May 6, 2020
Version 0.14.1: Released on Feb 12, 2020
Version 0.14.0: Released on Feb 11, 2020
Version 0.13.0: Released on Nov 11, 2019
Version 0.12.0: Released on Sep 3, 2019
Version 0.11.0: Released on Apr 6, 2019
Version 0.10.0: Released on Oct 12, 2018
Version 0.9.0: Released on Aug 12, 2018
Version 0.8.0: Released on Jun 17, 2018
Version 0.7.0: Released on Apr 28, 2018
Version 0.6.0: Released on Mar 20, 2018
Version 0.5.1: Released on Feb 11, 2018
Version 0.5.0: Released on Feb 11, 2018
Version 0.4.1: Released on Feb 2, 2018
Version 0.4.0: Released on Jan 31, 2018
Version 0.3.0: Released on Dec 24, 2017
Version 0.2.1: Released on Dec 6, 2017
Version 0.2.0: Released on Nov 25, 2017
Version 0.1.0: Released on Nov 18, 2017