Here you can see the full list of changes between each Authlib release.

Version 0.6: Matoi

Released on Mar 20, 2018. Going Beta!

From alpha to beta. This is a huge release with lots of deprecating changes and some breaking changes. And finally, OpenID Connect server is supported by now, because Authlib has added these specifications:

The specifications are not completed yet, but they are ready to use. The missing RFC7516 (JWE) is going to be implemented in next version. Open ID Connect 1.0 is added with:

Besides that, there are more changes:

  • Implementation of RFC7662: OAuth 2.0 Token Introspection via PR#36.
  • Use the token_endpoint_auth_method concept defined in RFC7591.
  • Signal feature for Flask integration of OAuth 2.0 server.
  • Bug fixes for OAuth client parts, thanks for the instruction by Lukas Schink.

Breaking Changes:

  1. the columns in authlib.flask.oauth2.sqla has been changed a lot. If you are using it, you need to upgrade your database.
  2. use register_token_validator on ResourceProtector.
  3. authlib.client.oauth1.OAuth1 has been renamed to authlib.client.oauth1.OAuth1Auth.

Deprecate Changes: find how to solve the deprecate issues via

Version 0.5.1

Released on Feb 11, 2018.

Just a quick bug fix release.

  • Fixed OAuth2Session.request with auth.

Version 0.5: Kirie

Released on Feb 11, 2018. Breaking Changes!

This version breaks a lot of things. There are many redesigns in order to get a better stable API. It is still in Alpha stage, with these breaking changes, I hope Authlib will go into Beta in the next version.

  • Added register_error_uri() and its Flask integration.
  • OAuth2Session supports more grant types.
  • Deprecate built-in cache. Read more on issue#23.
  • Redesigned OAuth 1 Flask server. Read the docs Flask OAuth 1.0 Server.
  • Deprecate client_model. Read more on issue#27.
  • Breaking change on AuthorizationCodeGrant.create_authorization_code, last parameter is changed to an OAuth2Request instance.
  • Rename callback_uri to redirect_uri in client.


Rollback the breaking change in Version 0.4. Pass grant_user as a user instance:

@app.route('/authorize', methods=['POST'])
def confirm_authorize():
    if request.form['confirm'] == 'ok':
        # HERE
        grant_user = current_user
        grant_user = None
    return server.create_authorization_response(grant_user)

Read the documentation on Flask OAuth 2.0 Server, and search for grant_user.

Breaking Changes

Update the initialization for AuthorizationServer and ResourceProtector for both OAuth 1 and OAuth 2:

from authlib.flask.oauth2 import AuthorizationServer
from your_project.models import Client

server = AuthorizationServer(app, client_model=Client)
# or lazily
server = AuthorizationServer()
server.init_app(app, client_model=Client)

from authlib.flask.oauth1 import AuthorizationServer, ResourceProtector

server = AuthorizationServer(app, client_model=Client)
# or lazily
server.init_app(app, client_model=Client)

require_oauth = ResourceProtector(
    app, client_model=Client,
# or initialize it lazily
require_oauth = ResourceProtector()
    app, client_model=Client,

Version 0.4.1

Released on Feb 2, 2018. A Quick Bugfix

  • Fixed missing code params when fetching access token. This bug is introduced when fixing issue#16.

Version 0.4: Tsukino

Released on Jan 31, 2018. Enjoy the Super Blue Blood Moon!

This is a feature releasing for OAuth 1 server. Things are not settled yet, there will still be breaking changes in the future. Some of the breaking changes are compatible with deprecated messages, a few are not. I’ll keep the deprecated message for 2 versions. Here is the main features:

  • RFC5847, OAuth 1 client and server
  • Flask implementation of OAuth 1 authorization server and resource protector.
  • Mixin of SQLAlchemy models for easy integration with OAuth 1.

In version 0.4, there is also several bug fixes. Thanks for the early contributors.

  • Allow Flask OAuth register fetch_token and update_token.
  • Bug fix for OAuthClient when refresh_token_params is None via PR#14.
  • Don’t pass everything in request args for Flask OAuth client via issue#16.
  • Bug fix for IDToken.validate_exp via issue#17.

Deprecated Changes

There are parameters naming changes in the client part:

  • client_key has been changed to client_id
  • resource_owner_key has been changed to token
  • resource_owner_secret has been changed to token_secret

Currently, they are backward compatible. You will be notified by warnings.

Version 0.3: Nagato

Released on Dec 24, 2017. Merry Christmas!

This is a feature releasing for OAuth 2 server. Since this is the first release of the server implementation, you would expect that there are bugs, security vulnerabilities, and uncertainties. Try it bravely.

  • RFC6749, all grant types, refresh token, authorization server.
  • RFC6750, bearer token creation and validation.
  • RFC7009, token revocation.
  • Flask implementation of authorization server and resource protector.
  • Mixin of SQLAlchemy models for easy integration with OAuth 2.

Version 0.2.1

Released on Dec 6, 2017

This is a bugfix version for Akemi. Sorry for the typo.

Version 0.2: Akemi

Released on Nov 25, 2017

This is a Beta version for Clients. You would expect that the clients works well enough for daily use.

Version 0.1

Released on Nov 18, 2017.

This is an Alpha version for previewing. You can expect there are many features missing, however the client part works well enough. These APIs are considered stable enough to use in production: