Authlib

Latest version: v1.3.0


Page 1 of 6

1.3.0

**Bug fixes**

- Restore AuthorizationServer.create_authorization_response behavior, via 558 by TurnrDev
- Include leeway in validate_iat() for JWT, via 565 by dhallam
- Fix encode_client_secret_basic, via 594 by Prilkop
- Use single key in JWK if JWS does not specify kid, via 596 by dklimpel
- Fix error when RFC9068 JWS has no scope field, via 598 by tanguilp
- Get werkzeug version using importlib, via 591 by Sparrow0hawk

**Breaking changes**

- RFC9068 implementation, via 586 by azmeuk.

1.2.1

- Apply headers in ``ClientSecretJWT.sign`` method, via 552
- Allow falsy but non-None grant uri params, via 544
- Fixed ``authorize_redirect`` for Starlette v0.26.0, via 533
- Removed ``has_client_secret`` method and documentation, via 513
- Removed ``request_invalid`` and ``token_revoked`` remaining occurrences and documentation, via 514
- Fixed RFC7591 ``grant_types`` and ``response_types`` default values, via 509
- Add support for python 3.12, via 590

1.2.0

- Not passing ``request.body`` to ``ResourceProtector``, 485.
- Use ``flask.g`` instead of ``_app_ctx_stack``, 482.
- Add ``headers`` parameter back to ``ClientSecretJWT``, 457.
- Always passing ``realm`` parameter in OAuth 1 clients, 339.
- Implemented RFC7592 Dynamic Client Registration Management Protocol, 505.
- Add ``default_timeout`` for requests ``OAuth2Session`` and ``AssertionSession``.
- Deprecate ``jwk.loads`` and ``jwk.dumps``

1.1.0

This release contains **breaking changes** and **security fixes**.

- Allow to pass `claims_options` to Framework OpenID Connect clients, via 446 by Galaxy102
- Fix `.stream` with context for HTTPX OAuth clients, via 465 by bjoernmeier
- Fix Starlette OAuth client for cache store, via 478 by haggen

**Breaking changes:**

- Raise `InvalidGrantError` for invalid code, redirect_uri and no user errors in OAuth 2.0 server.
- The default `authlib.jose.jwt` only works with JSON Web Signature algorithms; if you want to use JWT with JWE algorithms, pass the algorithms parameter explicitly:

```python
from authlib.jose import JsonWebToken

jwt = JsonWebToken(['A128KW', 'A128GCM', 'DEF'])
```


**Security fixes** for JOSE module

- CVE-2022-39175
- CVE-2022-39174

1.0.1

Not secure

- Fix `authenticate_none` method, via 438.
- Allow to pass in alternative signing algorithm to RFC7523 authentication methods via 447.
- Fix `missing_token` for Flask OAuth client, via 448.
- Allow `openid` in any place of the scope, via 449.
- Security fix for validating essential value on blank value in JWT, via 445.
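The three JWT validation rules named in these notes (the explicit algorithm list introduced in 1.1.0, the leeway applied to `iat` in 1.3.0, and the 1.0.1 fix that treats a blank value of an essential claim as missing) are easiest to see together in a small verifier. The block below is an added illustration written for this page, not Authlib's code: it uses only the standard library, implements HS256 by hand, and models a `claims_options` dictionary loosely after Authlib's `{"iss": {"essential": True, "values": [...]}}` shape. All keys, clock values and tokens are constructed samples.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_hs256(header, payload, key):
    """Build a compact JWS with HMAC-SHA256 (helper for producing sample tokens)."""
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class TokenError(ValueError):
    pass


def decode_and_validate(token, key, algorithms, claims_options=None, leeway=0, now=None):
    """Verify a compact JWS and its claims.

    `algorithms` is the explicit allowlist (the JsonWebToken([...]) idea);
    `leeway` is the clock skew tolerated for iat/exp; `claims_options`
    marks essential claims and, optionally, their permitted values.
    """
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(h))

    # 1. The header's alg must be on the verifier's allowlist, and this is
    #    checked before any cryptographic work; the token does not get to
    #    pick the algorithm.
    alg = header.get("alg")
    if alg not in algorithms:
        raise TokenError("algorithm not allowed: %r" % (alg,))
    if alg != "HS256":
        raise TokenError("only HS256 is implemented in this example")
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise TokenError("bad signature")

    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now

    # 2. Time claims with leeway: iat may be slightly in the future and exp
    #    slightly in the past, but only within the configured skew.
    iat = claims.get("iat")
    if iat is not None and iat > now + leeway:
        raise TokenError("token issued in the future")
    exp = claims.get("exp")
    if exp is not None and exp + leeway < now:
        raise TokenError("token expired")

    # 3. Essential claims: absent AND blank values are both failures.
    for name, opts in (claims_options or {}).items():
        if not opts.get("essential"):
            continue
        value = claims.get(name)
        if value is None or value == "":
            raise TokenError("missing essential claim: %s" % name)
        allowed = opts.get("values")
        if allowed is not None and value not in allowed:
            raise TokenError("invalid value for claim: %s" % name)
    return claims


def validation_error(token, key, algorithms, claims_options=None, leeway=0, now=None):
    """Return the validation error message, or None when the token is accepted."""
    try:
        decode_and_validate(token, key, algorithms, claims_options, leeway, now)
    except TokenError as exc:
        return str(exc)
    return None


KEY = b"constructed-demo-key-not-for-production"  # constructed sample key
NOW = 1_700_000_000  # fixed clock so the outcomes are reproducible


def demo():
    """Run the four constructed cases and return each outcome."""
    opts = {"iss": {"essential": True, "values": ["https://issuer.example"]}}
    ok_token = encode_hs256({"alg": "HS256", "typ": "JWT"},
                            {"iss": "https://issuer.example", "sub": "alice", "iat": NOW - 5}, KEY)
    # header names an algorithm that is not on the allowlist and carries no signature
    none_token = ".".join([_b64url_encode(b'{"alg":"none","typ":"JWT"}'),
                           _b64url_encode(json.dumps({"sub": "alice"}).encode()), ""])
    future_token = encode_hs256({"alg": "HS256"}, {"sub": "alice", "iat": NOW + 30}, KEY)
    blank_iss_token = encode_hs256({"alg": "HS256"}, {"iss": "", "sub": "alice", "iat": NOW}, KEY)
    return {
        "valid": validation_error(ok_token, KEY, ["HS256"], opts, now=NOW),
        "alg_not_listed": validation_error(none_token, KEY, ["HS256"], now=NOW),
        "future_iat_no_leeway": validation_error(future_token, KEY, ["HS256"], now=NOW),
        "future_iat_with_leeway": validation_error(future_token, KEY, ["HS256"], leeway=60, now=NOW),
        "blank_essential_iss": validation_error(blank_iss_token, KEY, ["HS256"], opts, now=NOW),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print("%-24s %s" % (case, "accepted" if outcome is None else outcome))
```

The order of checks is the point: the algorithm allowlist is consulted from the verifier's configuration, never from the token, and it runs before the signature is examined; the `leeway` is applied symmetrically so a token stamped 30 seconds ahead by a skewed issuer clock is accepted only when the verifier has chosen to tolerate that; and an essential claim set to the empty string is rejected exactly like an absent one, which is the case the 1.0.1 fix closed.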

1.0.0

Not secure

We have dropped support for Python 2 in this release. We have removed
built-in SQLAlchemy integration.

**OAuth Client Changes:**

All framework client integrations have been restructured; if you use the
client as documented, e.g. ``oauth.register(...)``, it will work as
before.

**OAuth Provider Changes:**

In the Flask OAuth 2.0 provider, we have removed the deprecated
``OAUTH2_JWT_XXX`` configuration; instead, developers should define
`.get_jwt_config` on OpenID extensions and grant types.

The **SQLAlchemy** integration has been removed from Authlib. Developers
should define the database models themselves.

**JOSE Changes**

- ``JWS`` has been renamed to ``JsonWebSignature``
- ``JWE`` has been renamed to ``JsonWebEncryption``
- ``JWK`` has been renamed to ``JsonWebKey``
- ``JWT`` has been renamed to ``JsonWebToken``

The "Key" model has been redesigned; check out the [JSON Web Key](https://docs.authlib.org/en/latest/jose/jwk.html#jwk-guide) guide for the updates.

Added ``ES256K`` algorithm for JWS and JWT.

**Breaking Changes**: find out how to resolve the deprecation issues via https://git.io/JkY4f

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.