Changelogs » Authlib

PyUp Safety actively tracks 232,000 Python packages for vulnerabilities and notifies you when to upgrade.



  **Released on May 18, 2020.**
  - Fix HTTPX integration via :gh:`PR232` and :gh:`PR233`.
  - Add "bearer" as default token type for OAuth 2 Client.
  - JWS and JWE don't validate private headers by default.
  - Remove ``none`` auth method for authorization code by default.
  - Allow usage of user provided ``code_verifier`` via :gh:`issue216`.
  - Add ``introspect_token`` method on OAuth 2 Client via :gh:`issue224`.


  **Released on May 6, 2020.**
  - Fix OAuth 1.0 client for starlette.
  - Allow leeway option in client parse ID token via :gh:`PR228`.
  - Fix OAuthToken when ``expires_at`` or ``expires_in`` is 0 via :gh:`PR227`.
  - Fix auto refresh token logic.
  - Load server metadata before request.


  **Released on Feb 12, 2020.**
  - Quick fix for legacy imports of Flask and Django clients


  **Released on Feb 11, 2020.**
  In this release, Authlib has introduced a new way to write framework integrations
  for clients.
  **Bug fixes** and enhancements in this release:
  - Fix HTTPX integrations due to HTTPX breaking changes
  - Fix ES algorithms for JWS
  - Allow user given ``nonce`` via :gh:`issue180`.
  - Fix OAuth errors ``get_headers`` leak.
  - Fix ``code_verifier`` via :gh:`issue165`.
  **Breaking Change**: drop sync OAuth clients of HTTPX.


  **Released on Nov 11, 2019. Go Async**
  This is the release that makes Authlib one more step close to v1.0. We
  did a huge refactor on our integrations. Authlib believes in monolithic
  design, it enables us to design the API to integrate with every framework
  in the best way. In this release, Authlib has re-organized the folder
  structure, moving every integration into the ``integrations`` folder. It
  makes Authlib to add more integrations easily in the future.
  **RFC implementations** and updates in this release:
  - RFC7591: OAuth 2.0 Dynamic Client Registration Protocol
  - RFC8628: OAuth 2.0 Device Authorization Grant
  **New integrations** and changes in this release:
  - **HTTPX** OAuth 1.0 and OAuth 2.0 clients in both sync and async way
  - **Starlette** OAuth 1.0 and OAuth 2.0 client registry
  - The experimental ``authlib.client.aiohttp`` has been removed
  **Bug fixes** and enhancements in this release:
  - Add custom client authentication methods for framework integrations.
  - Refresh token automatically for client_credentials grant type.
  - Enhancements on JOSE, specifying ``alg`` values easily for JWS and JWE.
  - Add PKCE into requests OAuth2Session and HTTPX OAuth2Client.
  **Deprecate Changes**: find how to solve the deprecate issues via


  **Released on Sep 3, 2019.**
  **Breaking Change**: Authlib Grant system has been redesigned. If you
  are creating OpenID Connect providers, please read the new documentation
  for OpenID Connect.
  **Important Update**: Django OAuth 2.0 server integration is ready now.
  You can create OAuth 2.0 provider and OpenID Connect 1.0 with Django
  RFC implementations and updates in this release:
  - RFC6749: Fixed scope validation, omit the invalid scope
  - RFC7521: Added a common ``AssertionClient`` for the assertion framework
  - RFC7662: Added ``IntrospectionToken`` for introspection token endpoint
  - OpenID Connect Discover: Added discovery model based on RFC8414
  Refactor and bug fixes in this release:
  - **Breaking Change**: add ``RefreshTokenGrant.revoke_old_credential`` method
  - Rewrite lots of code for ``authlib.client``, no breaking changes
  - Refactor ``OAuth2Request``, use explicit query and form
  - Change ``requests`` to optional dependency
  - Add ``AsyncAssertionClient`` for aiohttp
  **Deprecate Changes**: find how to solve the deprecate issues via


  **Released on Apr 6, 2019.**
  **BIG NEWS**: Authlib has changed its open source license **from AGPL to BSD**.
  **Important Changes**: Authlib specs module has been split into jose, oauth1,
  oauth2, and oidc. Find how to solve the deprecate issues via
  RFC implementations and updates in this release:
  - RFC7518: Added A128GCMKW, A192GCMKW, A256GCMKW algorithms for JWE.
  - RFC5849: Removed draft-eaton-oauth-bodyhash-00 spec for OAuth 1.0.
  Small changes and bug fixes in this release:
  - Fixed missing scope on password and client_credentials grant types
  of ``OAuth2Session`` via :gh:`issue96`.
  - Fixed Flask OAuth client cache detection via :gh:`issue98`.
  - Enabled ssl certificates for ``OAuth2Session`` via :gh:`PR100`, thanks
  to pingz.
  - Fixed error response for invalid/expired refresh token via :gh:`issue112`.
  - Fixed error handle for invalid redirect uri via :gh:`issue113`.
  - Fixed error response redirect to fragment via :gh:`issue114`.
  - Fixed non-compliant responses from RFC7009 via :gh:`issue119`.
  **Experiment Features**: There is an experiment ``aiohttp`` client for OAuth1
  and OAuth2 in ``authlib.client.aiohttp``.
  Old Versions
  Find old changelog at