Here you can see the full list of changes between each Authlib release.
Released on Dec 6, 2022
ResourceProtector, via issue#485.
flask.g instead of
_app_ctx_stack, via issue#482.
headers parameter back to
ClientSecretJWT, via issue#457.
realm parameter in OAuth 1 clients, via issue#339.
Implemented RFC7592 Dynamic Client Registration Management Protocol, via PR#505.
default_timeout for requests
Released on Sep 13, 2022
This release contains breaking changes and security fixes.
Allow to pass
claims_options to Framework OpenID Connect clients, via PR#446.
.stream with context for HTTPX OAuth clients, via PR#465.
Fix Starlette OAuth client for cache store, via PR#478.
InvalidGrantError for invalid code, redirect_uri and no user errors in OAuth
authlib.jose.jwt would only work with JSON Web Signature algorithms, if
you would like to use JWT with JWE algorithms, please pass the algorithms parameter:
jwt = JsonWebToken(['A128KW', 'A128GCM', 'DEF'])
Security fixes: CVE-2022-39175 and CVE-2022-39174, both related to JOSE.
Released on Apr 6, 2022
Fix authenticate_none method, via issue#438.
Allow to pass in alternative signing algorithm to RFC7523 authentication methods via PR#447.
missing_token for Flask OAuth client, via issue#448.
openid in any place of the scope, via issue#449.
Security fix for validating essential value on blank value in JWT, via issue#445.
Released on Mar 15, 2022.
We have dropped support for Python 2 in this release. We have removed built-in SQLAlchemy integration.
OAuth Client Changes:
The whole framework client integrations have been restructured, if you are
using the client properly, e.g.
oauth.register(...), it would work as
OAuth Provider Changes:
In Flask OAuth 2.0 provider, we have removed the deprecated
OAUTH2_JWT_XXX configuration, instead, developers should define
.get_jwt_config on OpenID extensions and grant types.
SQLAlchemy integrations has been removed from Authlib. Developers should define the database by themselves.
JWS has been renamed to
JWE has been renamed to
JWK has been renamed to
JWT has been renamed to
The “Key” model has been re-designed, checkout the JSON Web Key (JWK) for updates.
ES256K algorithm for JWS and JWT.
Breaking Changes: find how to solve the deprecate issues via https://git.io/JkY4f
Released on Oct 18, 2021.
Make Authlib compatible with latest httpx
Make Authlib compatible with latest werkzeug
Allow customize RFC7523
Released on Jul 17, 2021.
Security fix when JWT claims is None.
Released on Jan 15, 2021.
Fixed .authorize_access_token for OAuth 1.0 services, via issue#308.
Released on Oct 18, 2020.
Fixed HTTPX authentication bug, via issue#283.
Released on Oct 14, 2020.
Backward compatible fix for using JWKs in JWT, via issue#280.
Released on Oct 10, 2020.
This is the last release before v1.0. In this release, we added more RFCs implementations and did some refactors for JOSE:
RFC8037: CFRG Elliptic Curve Diffie-Hellman (ECDH) and Signatures in JSON Object Signing and Encryption (JOSE)
RFC7638: JSON Web Key (JWK) Thumbprint
We also fixed bugs for integrations:
Fixed support for HTTPX>=0.14.3
Added OAuth clients of HTTPX back via PR#270
Fixed parallel token refreshes for HTTPX async OAuth 2 client
Raise OAuthError when callback contains errors via issue#275
1. The parameter
are changed. Usually you don’t have to care about it since you won’t use it directly.
2. Whole JSON Web Key is refactored, please check JSON Web Key (JWK).
Released on May 18, 2020.
Add “bearer” as default token type for OAuth 2 Client.
JWS and JWE don’t validate private headers by default.
none auth method for authorization code by default.
Allow usage of user provided
code_verifier via issue#216.
introspect_token method on OAuth 2 Client via issue#224.
Released on May 6, 2020.
Released on Feb 12, 2020.
Quick fix for legacy imports of Flask and Django clients
Released on Feb 11, 2020.
In this release, Authlib has introduced a new way to write framework integrations for clients.
Bug fixes and enhancements in this release:
Fix HTTPX integrations due to HTTPX breaking changes
Fix ES algorithms for JWS
Allow user given
nonce via issue#180.
Fix OAuth errors
code_verifier via issue#165.
Breaking Change: drop sync OAuth clients of HTTPX.
Find old changelog at https://github.com/lepture/authlib/releases
Version 0.13.0: Released on Nov 11, 2019
Version 0.12.0: Released on Sep 3, 2019
Version 0.11.0: Released on Apr 6, 2019
Version 0.10.0: Released on Oct 12, 2018
Version 0.9.0: Released on Aug 12, 2018
Version 0.8.0: Released on Jun 17, 2018
Version 0.7.0: Released on Apr 28, 2018
Version 0.6.0: Released on Mar 20, 2018
Version 0.5.1: Released on Feb 11, 2018
Version 0.5.0: Released on Feb 11, 2018
Version 0.4.1: Released on Feb 2, 2018
Version 0.4.0: Released on Jan 31, 2018
Version 0.3.0: Released on Dec 24, 2017
Version 0.2.1: Released on Dec 6, 2017
Version 0.2.0: Released on Nov 25, 2017
Version 0.1.0: Released on Nov 18, 2017