Skip to content
d8e428c
Compare
Choose a tag to compare
  • Make Authlib compatible with latest httpx
  • Make Authlib compatible with latest werkzeug
  • Allow customize RFC7523 alg value
4570144
Compare
Choose a tag to compare

Security fix when JWT claims is None.

For example, JWT payload has iss=None:

{
  "iss": None,
  ...
}

But we need to decode it with claims:

claims_options = {
  'iss': {'essential': True, 'values': ['required']}
}
jwt.decode(token, key, claims_options=claims_options)

It didn't raise an error before this fix.

33aab02
Compare
Choose a tag to compare

Fixed .authorize_access_token for OAuth 1.0 services, via #308

1969b56
Compare
Choose a tag to compare

Fixed httpx authentication bug via #283

c70a805
Compare
Choose a tag to compare

Backward compitable fix for using JWKs in JWT, via #280.

4e501ce
Compare
Choose a tag to compare

This is the last release before v1.0. In this release, we added more RFCs
implementations and did some refactors for JOSE:

  • RFC8037: CFRG Elliptic Curve Diffie-Hellman (ECDH) and Signatures in JSON Object Signing and Encryption (JOSE)
  • RFC7638: JSON Web Key (JWK) Thumbprint

We also fixed bugs for integrations:

  • Fixed support for HTTPX>=0.14.3
  • Added OAuth clients of HTTPX back via #270
  • Fixed parallel token refreshes for HTTPX async OAuth 2 client
  • Raise OAuthError when callback contains errors via #275

Breaking Change:

  1. The parameter algorithms in JsonWebSignature and JsonWebEncryption
    are changed. Usually you don't have to care about it since you won't use it directly.
  2. Whole JSON Web Key is refactored, please check JSON Web Key (JWK)
ffdc437
Compare
Choose a tag to compare
  • Fix HTTPX integration via #232 and #233.
  • Add "bearer" as default token type for OAuth 2 Client.
  • JWS and JWE don't validate private headers by default.
  • Remove none auth method for authorization code by default.
  • Allow usage of user provided code_verifier via #216.
  • Add introspect_token method on OAuth 2 Client via #224.
ce8b46b
Compare
Choose a tag to compare
  • Fix OAuth 1.0 client for starlette.
  • Allow leeway option in client parse ID token via #228.
  • Fix OAuthToken when expires_at or expires_in is 0 via #227.
  • Fix auto refresh token logic.
  • Load server metadata before request.
8e8786b
Compare
Choose a tag to compare
  • Quick fix for legacy imports of Flask and Django clients
25e7fe4
Compare
Choose a tag to compare

In this release, Authlib has introduced a new way to write framework integrations for clients.

Bug fixes and enhancements in this release:

  • Fix HTTPX integrations due to HTTPX breaking changes
  • Fix ES algorithms for JWS
  • Allow user given nonce via #180.
  • Fix OAuth errors get_headers leak.
  • Fix code_verifier via #165.

Breaking Change: drop sync OAuth clients of HTTPX.