Authlib
Changelog¶
Here you can see the full list of changes between each Authlib release.
Version 1.5.1¶
Released on Feb 28, 2025
Fix RFC9207
issparameter. pull request #715
Version 1.5.0¶
Released on Feb 25, 2025
Fix token introspection auth method for clients. pull request #662
Optional
typclaim in JWT tokens. pull request #696JWT validation leeway. pull request #689
Implement server-side RFC9207. issue #700 pull request #701
generate_id_tokencan take akidparameter. pull request #702More detailed
InvalidClientError. pull request #706OpenID Connect Dynamic Client Registration implementation. pull request #707
Version 1.4.1¶
Released on Jan 28, 2025
Improve garbage collection on OAuth clients. issue #698
Fix client parameters for httpx. issue #694
Version 1.4.0¶
Released on Dec 20, 2024
Fix
id_tokendecoding when kid is null. pull request #659Support for Python 3.13. pull request #682
Force login if the
promptparameter value islogin. pull request #637Support for httpx 0.28, pull request #695
Breaking changes:
Stop support for Python 3.8. pull request #682
Version 1.3.2¶
Released on Aug 30 2024
Prevent ever-growing session size for OAuth clients.
Revert
quoteclient id and secret.unquotebasic auth header for authorization server.
Version 1.3.1¶
Released on June 4, 2024
Prevent
OctKeyto import ssh and PEM strings.
Version 1.3.0¶
Released on Dec 17, 2023
Restore
AuthorizationServer.create_authorization_responsebehavior, via pull request #558Include
leewayinvalidate_iat()for JWT, via pull request #565Fix
encode_client_secret_basic, via pull request #594Use single key in JWK if JWS does not specify
kid, via pull request #596Fix error when RFC9068 JWS has no scope field, via pull request #598
Get werkzeug version using importlib, via pull request #591
New features:
RFC9068 implementation, via pull request #586, by @azmeuk.
Breaking changes:
End support for python 3.7
Version 1.2.1¶
Released on Jun 25, 2023
Apply headers in
ClientSecretJWT.signmethod, via pull request #552Allow falsy but non-None grant uri params, via pull request #544
Fixed
authorize_redirectfor Starlette v0.26.0, via pull request #533Removed
has_client_secretmethod and documentation, via pull request #513Removed
request_invalidandtoken_revokedremaining occurences and documentation. pull request #514Fixed RFC7591
grant_typesandresponse_typesdefault values, via pull request #509.Add support for python 3.12, via pull request #590.
Version 1.2.0¶
Released on Dec 6, 2022
Not passing
request.bodytoResourceProtector, via issue #485.Use
flask.ginstead of_app_ctx_stack, via issue #482.Add
headersparameter back toClientSecretJWT, via issue #457.Always passing
realmparameter in OAuth 1 clients, via issue #339.Implemented RFC7592 Dynamic Client Registration Management Protocol, via pull request #505.
Add
default_timeoutfor requestsOAuth2SessionandAssertionSession.Deprecate
jwk.loadsandjwk.dumps
Version 1.1.0¶
Released on Sep 13, 2022
This release contains breaking changes and security fixes.
Allow to pass
claims_optionsto Framework OpenID Connect clients, via pull request #446.Fix
.streamwith context for HTTPX OAuth clients, via pull request #465.Fix Starlette OAuth client for cache store, via pull request #478.
Breaking changes:
Raise
InvalidGrantErrorfor invalid code, redirect_uri and no user errors in OAuth 2.0 server.The default
authlib.jose.jwtwould only work with JSON Web Signature algorithms, if you would like to use JWT with JWE algorithms, please pass the algorithms parameter:jwt = JsonWebToken(['A128KW', 'A128GCM', 'DEF'])
Security fixes: CVE-2022-39175 and CVE-2022-39174, both related to JOSE.
Version 1.0.1¶
Released on Apr 6, 2022
Fix authenticate_none method, via issue #438.
Allow to pass in alternative signing algorithm to RFC7523 authentication methods via pull request #447.
Fix
missing_tokenfor Flask OAuth client, via issue #448.Allow
openidin any place of the scope, via issue #449.Security fix for validating essential value on blank value in JWT, via issue #445.
Version 1.0.0¶
Released on Mar 15, 2022.
We have dropped support for Python 2 in this release. We have removed built-in SQLAlchemy integration.
OAuth Client Changes:
The whole framework client integrations have been restructured, if you are
using the client properly, e.g. oauth.register(...), it would work as
before.
OAuth Provider Changes:
In Flask OAuth 2.0 provider, we have removed the deprecated
OAUTH2_JWT_XXX configuration, instead, developers should define
.get_jwt_config on OpenID extensions and grant types.
SQLAlchemy integrations has been removed from Authlib. Developers should define the database by themselves.
JOSE Changes
JWShas been renamed toJsonWebSignatureJWEhas been renamed toJsonWebEncryptionJWKhas been renamed toJsonWebKeyJWThas been renamed toJsonWebToken
The “Key” model has been re-designed, checkout the JSON Web Key (JWK) for updates.
Added ES256K algorithm for JWS and JWT.
Breaking Changes: find how to solve the deprecate issues via https://git.io/JkY4f
Old Versions¶
Find old changelog at https://github.com/lepture/authlib/releases
Version 0.15.5: Released on Oct 18, 2021
Version 0.15.4: Released on Jul 17, 2021
Version 0.15.3: Released on Jan 15, 2021
Version 0.15.2: Released on Oct 18, 2020
Version 0.15.1: Released on Oct 14, 2020
Version 0.15.0: Released on Oct 10, 2020
Version 0.14.3: Released on May 18, 2020
Version 0.14.2: Released on May 6, 2020
Version 0.14.1: Released on Feb 12, 2020
Version 0.14.0: Released on Feb 11, 2020
Version 0.13.0: Released on Nov 11, 2019
Version 0.12.0: Released on Sep 3, 2019
Version 0.11.0: Released on Apr 6, 2019
Version 0.10.0: Released on Oct 12, 2018
Version 0.9.0: Released on Aug 12, 2018
Version 0.8.0: Released on Jun 17, 2018
Version 0.7.0: Released on Apr 28, 2018
Version 0.6.0: Released on Mar 20, 2018
Version 0.5.1: Released on Feb 11, 2018
Version 0.5.0: Released on Feb 11, 2018
Version 0.4.1: Released on Feb 2, 2018
Version 0.4.0: Released on Jan 31, 2018
Version 0.3.0: Released on Dec 24, 2017
Version 0.2.1: Released on Dec 6, 2017
Version 0.2.0: Released on Nov 25, 2017
Version 0.1.0: Released on Nov 18, 2017