Skip to content

Releases: AuthPlane/python-sdk

v0.2.0

20 May 13:13
@github-actions github-actions
v0.2.0
26c28ed

Choose a tag to compare

View all tags
v0.2.0 Latest
Latest

Released commit: 26c28ed5eec94ac83f853a69ecca137f65d50a0e

Security

  • www_authenticate() now sanitizes CR, LF, double-quote, and backslash from every value it interpolates (realm, error_description, scope, resource_metadata), closing a header-injection path through attacker-influenced error messages.

Fixed

  • DPoPNotSupportedError now emits WWW-Authenticate: Bearer instead of DPoP. The resource is bearer-only by configuration, so advertising the DPoP scheme misled clients into retries that would fail the same way.
  • http_status(CircuitOpenError) now returns 503 (was 500). The circuit breaker is structurally identical to other temporary-AS-unavailability errors and should be retryable, not surfaced as an internal error.
  • Outbound Host header now preserves non-default ports and brackets IPv6 hostnames, fixing DPoP htu validation against authservers on non-standard ports.
  • Packaging issues discovered after the first release.
  • Documentation links and demo references.
  • authplane-fastmcp dependency range now correctly requires fastmcp>=3.2,<4 (was >=2.0, which could resolve to a version the adapter can't import).

Added

  • www_authenticate() accepts resource_metadata_url= (RFC 9728 §5.1) and scope= (RFC 6750 §3) keyword arguments. When the caller does not pass scope=, the helper auto-populates it from InsufficientScopeError.required_scopes.
  • InsufficientScopeError now carries a structured required_scopes attribute, populated automatically by VerifiedClaims.require_scope() so the wire challenge can advertise the missing scope.
  • response_headers_for(error, *, realm, resource_metadata_url, scope) — bundled helper returning (status, {"WWW-Authenticate": challenge}) in one call.
  • Both adapter verifiers (authplane-mcp, authplane-fastmcp) now emit a logging.DEBUG event authplane.token_verification_failed with structured error_class and error fields before returning None. Wire behaviour is unchanged; operators can now distinguish expired tokens from JWKS outages and DPoP replays in logs.

Changed

  • CI and release workflow improvements from first-release learnings.
Assets 2
Loading

v0.1.0

13 May 10:24
@muralx muralx
v0.1.0
34f030a

Choose a tag to compare

View all tags
v0.1.0

Released commit: 34f030a

  • Initial release.
Loading