Changelogs » Oauthlib

PyUp Safety actively tracks 382,903 Python packages for vulnerabilities and notifies you when to upgrade.

Oauthlib

3.1.1

------------------
  OAuth2.0 Provider - Bugfixes
  
  * 753: Fix acceptance of valid IPv6 addresses in URI validation
  
  OAuth2.0 Client - Bugfixes
  
  * 730: Base OAuth2 Client now has a consistent way of managing the `scope`: it consistently
  relies on the `scope` provided in the constructor if any, except if overridden temporarily
  in a method call. Note that in particular providing a non-None `scope` in
  `prepare_authorization_request` or `prepare_refresh_token` does not override anymore
  `self.scope` forever, it is just used temporarily.
  * 726: MobileApplicationClient.prepare_request_uri and MobileApplicationClient.parse_request_uri_response,
  ServiceApplicationClient.prepare_request_body,
  and WebApplicationClient.prepare_request_uri now correctly use the default `scope` provided in
  constructor.
  * 725: LegacyApplicationClient.prepare_request_body now correctly uses the default `scope` provided in constructor
  
  OAuth2.0 Provider - Bugfixes
  * 711: client_credentials grant: fix log message
  * 746: OpenID Connect Hybrid - fix nonce not passed to add_id_token
  * 756: Different prompt values are now handled according to spec (e.g. prompt=none)
  * 759: OpenID Connect - fix Authorization: Basic parsing
  
  General
  * 716: improved skeleton validator for public vs private client
  * 720: replace mock library with standard unittest.mock
  * 727: build isort integration
  * 734: python2 code removal
  * 735, 750: add python3.8 support
  * 749: bump minimum versions of pyjwt and cryptography

3.1.0

------------------
  OAuth2.0 Provider - Features
  
  * 660: OIDC add support of `nonce`, `c_hash`, `at_hash fields`
  - New `RequestValidator.fill_id_token` method
  - Deprecated `RequestValidator.get_id_token` method
  * 677: OIDC add `UserInfo` endpoint - New `RequestValidator.get_userinfo_claims` method
  
  OAuth2.0 Provider - Security
  
  * 665: Enhance data leak to logs
  * New default to not expose request content in logs
  * New function `oauthlib.set_debug(True)`
  * 666: Disabling query parameters for POST requests
  
  OAuth2.0 Provider - Bugfixes
  
  * 670: Fix `validate_authorization_request` to return the new PKCE fields
  * 674: Fix `token_type` to be case-insensitive (`bearer` and `Bearer`)
  
  OAuth2.0 Client - Bugfixes
  
  * 290: Fix Authorization Code's errors processing
  * 603: BackendApplicationClient.prepare_request_body use the `scope` argument as intended.
  * 672: Fix edge case when `expires_in=Null`
  
  OAuth1.0 Client
  
  * 669: Add case-insensitive headers to oauth1 `BaseEndpoint`
  
  OAuth1.0
  
  * 722: Added support for HMAC-SHA512, RSA-SHA256 and RSA-SHA512 signature methods.

3.0.2

------------------
  * 650: Fixed space encoding in base string URI used in the signature base string.
  * 652: Fixed OIDC /token response which wrongly returned "&state=None"
  * 654: Doc: The value `state` must not be stored by the AS, only returned in /authorize response.
  * 656: Fixed OIDC "nonce" checks: raise errors when it's mandatory

3.0.1

------------------
  * Fixed OAuth2.0 regression introduced in 3.0.0: Revocation with Basic auth no longer possible 644

3.0.0

------------------
  OAuth2.0 Provider - outstanding Features
  
  * OpenID Connect Core support
  * RFC7662 Introspect support
  * RFC8414 OAuth2.0 Authorization Server Metadata support (605)
  * RFC7636 PKCE support (617 624)
  
  OAuth2.0 Provider - API/Breaking Changes
  
  * Add "request" to confirm_redirect_uri 504
  * confirm_redirect_uri/get_default_redirect_uri has a bit changed 445
  * invalid_client is now a FatalError 606
  * Changed errors status code from 401 to 400:
  - invalid_grant: 264
  - invalid_scope: 620
  - access_denied/unauthorized_client/consent_required/login_required 623
  - 401 must have WWW-Authenticate HTTP Header set. 623
  
  OAuth2.0 Provider - Bugfixes
  
  * empty scopes no longer raise exceptions for implicit and authorization_code 475 / 406
  
  OAuth2.0 Client - Bugfixes / Changes:
  
  * expires_in in Implicit flow is now an integer 569
  * expires is no longer overriding expires_in 506
  * parse_request_uri_response is now required 499
  * Unknown error=xxx raised by OAuth2 providers was not understood 431
  * OAuth2's `prepare_token_request` supports sending an empty string for `client_id` (585)
  * OAuth2's `WebApplicationClient.prepare_request_body` was refactored to better
  support sending or omitting the `client_id` via a new `include_client_id` kwarg.
  By default this is included. The method will also emit a DeprecationWarning if
  a `client_id` parameter is submitted; the already configured `self.client_id`
  is the preferred option. (585)
  
  OAuth1.0 Client:
  
  * Support for HMAC-SHA256 498
  
  General fixes:
  
  * $ and ' are allowed to be unencoded in query strings 564
  * Request attributes are no longer overriden by HTTP Headers 409
  * Removed unnecessary code for handling python2.6
  * Add support of python3.7 621
  * Several minors updates to setup.py and tox
  * Set pytest as the default unittest framework

2.1.0

------------------
  
  * Fixed some copy and paste typos (535)
  * Use secrets module in Python 3.6 and later (533)
  * Add request argument to confirm_redirect_uri (504)
  * Avoid populating spurious token credentials (542)
  * Make populate attributes API public (546)

2.0.7

------------------
  
  * Moved oauthlib into new organization on GitHub.
  * Include license file in the generated wheel package. (494)
  * When deploying a release to PyPI, include the wheel distribution. (496)
  * Check access token in self.token dict. (500)
  * Added bottle-oauthlib to docs. (509)
  * Update repository location in Travis. (514)
  * Updated docs for organization change. (515)
  * Replace G+ with Gitter. (517)
  * Update requirements. (518)
  * Add shields for Python versions, license and RTD. (520)
  * Fix ReadTheDocs build (521).
  * Fixed "make" command to test upstream with local oauthlib. (522)
  * Replace IRC notification with Gitter Hook. (523)
  * Added Github Releases deploy provider. (523)

2.0.6

------------------
  
  * 2.0.5 contains breaking changes.

2.0.5

------------------
  
  * Fix OAuth2Error.response_mode for 463.
  * Documentation improvement.

2.0.4

------------------
  * Fixed typo that caused OAuthlib to crash because of the fix in "Address missing OIDC errors and fix a typo in the AccountSelectionRequired exception".

2.0.3

------------------
  * Address missing OIDC errors and fix a typo in the AccountSelectionRequired exception.
  * Update proxy keys on CaseInsensitiveDict.update().
  * Redirect errors according to OIDC's response_mode.
  * Added universal wheel support.
  * Added log statements to except clauses.
  * According to RC7009 Section 2.1, a client should include authentication credentials when revoking its tokens.
  As discussed in 339, this is not make sense for public clients.
  However, in that case, the public client should still be checked that is infact a public client (authenticate_client_id).
  * Improved prompt parameter validation.
  * Added two error codes from RFC 6750.
  * Hybrid response types are now be fragment-encoded.
  * Added Python 3.6 to Travis CI testing and trove classifiers.
  * Fixed BytesWarning issued when using a string placeholder for bytes object.
  * Documented PyJWT dependency and improved logging and exception messages.
  * Documentation improvements and fixes.

2.0.2

------------------
  * Dropped support for Python 2.6, 3.2 & 3.3.
  * (FIX) `OpenIDConnector` will no longer raise an AttributeError when calling `openid_authorization_validator()` twice.

2.0.1

------------------
  * (FIX) Normalize handling of request.scopes list

2.0.0

------------------
  * (New Feature) **OpenID** support.
  * Documentation improvements and fixes.

1.3.0

++++++++++++++++++++++++
  
  - Instagram compliance fix
  - Added ``force_querystring`` argument to fetch_token() method on OAuth2Session

1.2.0

++++++++++++++++++++++++
  
  - This project now depends on OAuthlib 3.0.0 and above. It does **not** support
  versions of OAuthlib before 3.0.0.
  - Updated oauth2 tests to use 'sess' for an OAuth2Session instance instead of `auth`
  because OAuth2Session objects and methods acceept an `auth` paramether which is
  typically an instance of `requests.auth.HTTPBasicAuth`
  - `OAuth2Session.fetch_token` previously tried to guess how and where to provide
  "client" and "user" credentials incorrectly. This was incompatible with some
  OAuth servers and incompatible with breaking changes in oauthlib that seek to
  correctly provide the `client_id`. The older implementation also did not raise
  the correct exceptions when username and password are not present on Legacy
  clients.
  - Avoid automatic netrc authentication for OAuth2Session.

1.1.2

------------------
  * (Fix) Query strings should be able to include colons.
  * (Fix) Cast body to a string to ensure that we can perform a regex substitution on it.

1.1.1

------------------
  * (Enhancement) Better sanitisation of Request objects __repr__.

1.1.0

------------------
  * (Fix) '(', ')', '/' and '?' are now safe characters in url encoded strings.
  * (Enhancement) Added support for specifying if refresh tokens should be created on authorization code grants.
  * (Fix) OAuth2Token now handles None scopes correctly.
  * (Fix) Request token is now available for OAuth 1.
  * (Enhancement) OAuth2Token is declared with __slots__ for smaller memory footprint.
  * (Enhancement) RefreshTokenGrant now allows to set issue_new_refresh_tokens.
  * Documentation improvements and fixes.

1.0.3

------------------
  * (Fix) Changed the documented return type of the invalidate_request_token() method from the RSA key to None since nobody is using the return type.
  * (Enhancement) Added a validator log that will store what the endpoint has computed for debugging and logging purposes (OAuth 1 only for now).

1.0.2

------------------
  * (Fix) Allow client secret to be null for public applications that do not mandate it's specification in the query parameters.
  * (Fix) Encode request body before hashing in order to prevent encoding errors in Python 3.

1.0.1

------------------
  * (Fix) Added token_type_hint to the list of default Request parameters.

1.0.0

------------------
  
  * (Breaking Change) Replace pycrypto with cryptography from https://cryptography.io
  * (Breaking Change) Update jwt to 1.0.0 (which is backwards incompatible) no oauthlib api changes
  were made.
  * (Breaking Change) Raise attribute error for non-existing attributes in the Request object.
  * (Fix) Strip whitespace off of scope string.
  * (Change) Don't require to return the state in the access token response.
  * (Change) Hide password in logs.
  * (Fix) Fix incorrect invocation of prepare_refresh_body in the OAuth2 client.
  * (Fix) Handle empty/non-parsable query strings.
  * (Fix) Check if an RSA key is actually needed before requiring it.
  * (Change) Allow tuples for list_to_scope as well as sets and lists.
  * (Change) Add code to determine if client authentication is required for OAuth2.
  * (Fix) Fix error message on invalid Content-Type header for OAtuh1 signing.
  * (Fix) Allow ! character in query strings.
  * (Fix) OAuth1 now includes the body hash for requests that specify any content-type that isn't x-www-form-urlencoded.
  * (Fix) Fixed error description in oauth1 endpoint.
  * (Fix) Revocation endpoint for oauth2 will now return an empty string in the response body instead of 'None'.
  * Increased test coverage.
  * Performance improvements.
  * Documentation improvements and fixes.

0.9.6

-------------
  
  Released on Sept 7, 2020
  
  - Fix dependency conflict with requests-oauthlib
  - Fix imports for Werkzeug

0.9.5

-------------
  
  Released on May 16, 2018
  
  - Fix error handlers
  - Update supported OAuthlib
  - Add support for string type token

0.9.4

-------------
  
  Released on Jun 9, 2017
  
  - Handle HTTP Basic Auth for client's access to token endpoint (301)
  - Allow having access tokens without expiration date (311)
  - Log exception traceback. (281)

0.9.3

-------------
  
  Released on Jun 2, 2016
  
  - Revert the wrong implement of non credential oauth2 require auth
  - Catch all exceptions in OAuth2 providers
  - Bugfix for examples, docs and other things

0.9.2

-------------
  
  Released on Nov 3, 2015
  
  - Bugfix in client parse_response when body is none.
  - Update contrib client by tonyseek
  - Typo fix for OAuth1 provider
  - Fix OAuth2 provider on non credential clients by Fleurer

0.9.1

-------------
  
  Released on Mar 9, 2015
  
  - Improve on security.
  - Fix on contrib client.

0.9.0

-------------
  
  Released on Feb 3, 2015
  
  - New feature for contrib client, which will become the official client in
  the future via `136`_ and `176`_.
  - Add appropriate headers when making POST request for access toke via `169`_.
  - Use a local copy of instance 'request_token_params' attribute to avoid side
  effects via `177`_.
  - Some minor fixes of contrib by Hsiaoming Yang.
  
  .. _`177`: https://github.com/lepture/flask-oauthlib/pull/177
  .. _`169`: https://github.com/lepture/flask-oauthlib/pull/169
  .. _`136`: https://github.com/lepture/flask-oauthlib/pull/136
  .. _`176`: https://github.com/lepture/flask-oauthlib/pull/176

0.8.0

-------------
  
  Released on Dec 3, 2014
  
  .. module:: flask_oauthlib.provider.oauth2
  
  - New feature for generating refresh tokens
  - Add new function :meth:`OAuth2Provider.verify_request` for non vanilla Flask projects
  - Some small bugfixes

0.7.2

------------------
  
  * (Quick fix) Unpushed locally modified files got included in the PyPI 0.7.1
  release. Doing a new clean release to address this. Please upgrade quickly
  and report any issues you are running into.

0.7.1

------------------
  
  * (Quick fix) Add oauthlib.common.log object back in for libraries using it.

0.7.0

-------------
  
  Released on Aug 20, 2014
  
  .. module:: flask_oauthlib.client
  
  - Deprecated :meth:`OAuthRemoteApp.authorized_handler` in favor of
  :meth:`OAuthRemoteApp.authorized_response`.
  - Add revocation endpoint via `131`_.
  - Handle unknown exceptions in providers.
  - Add PATCH method for client via `134`_.
  
  .. _`131`: https://github.com/lepture/flask-oauthlib/pull/131
  .. _`134`: https://github.com/lepture/flask-oauthlib/pull/134

0.6.3 not secure

------------------
  
  Quick fix. OAuth 1 client repr in 0.6.2 overwrote secrets when scrubbing for print.

0.6.2 not secure

------------------
  
  * Numerous OAuth2 provider errors now suggest a status code of 401 instead
  of 400 (247.
  
  * Added support for JSON web tokens with oauthlib.common.generate_signed_token.
  Install extra dependency with oauthlib[signedtoken] (237).
  
  * OAuth2 scopes can be arbitrary objects with __str__ defined (240).
  
  * OAuth 1 Clients can now register custom signature methods (239).
  
  * Exposed new method oauthlib.oauth2.is_secure_transport that checks whether
  the given URL is HTTPS. Checks using this method can be disabled by setting
  the environment variable OAUTHLIB_INSECURE_TRANSPORT (249).
  
  * OAuth1 clients now has __repr__ and will be printed with secrets scrubbed.
  
  * OAuth1 Client.get_oauth_params now takes an oauthlib.Request as an argument.
  
  * urldecode will now raise a much more informative error message on
  incorrectly encoded strings.
  
  * Plenty of typo and other doc fixes.

0.6.1 not secure

------------------
  
  Draft revocation endpoint features and numerous fixes including:
  
  * (OAuth 2 Provider) is_within_original_scope to check whether a refresh token
  is trying to aquire a new set of scopes that are a subset of the original scope.
  
  * (OAuth 2 Provider) expires_in token lifetime can be set per request.
  
  * (OAuth 2 Provider) client_authentication_required method added to differentiate
  between public and confidential clients.
  
  * (OAuth 2 Provider) rotate_refresh_token now indicates whether a new refresh
  token should be generated during token refresh or if old should be kept.
  
  * (OAuth 2 Provider) returned JSON headers no longer include charset.
  
  * (OAuth 2 Provider) validate_authorizatoin_request now also includes the
  internal request object in the returned dictionary. Note that this is
  not meant to be relied upon heavily and its interface might change.
  
  * and many style and typo fixes.

0.6.0 not secure

-------------
  
  Released on Jul 29, 2014
  
  - Compatible with OAuthLib 0.6.2 and 0.6.3
  - Add invalid_response decorator to handle invalid request
  - Add error_message for OAuthLib Request.

0.5.1 not secure

-----
  
  OAuth 1 provider fix for incorrect token param in nonce validation.

0.5.0 not secure

~~~~~~~~~~~~~~~~~~~~~~~~~~~
  
  API for OAuth providers ``oauth.require_oauth`` has changed.
  
  Before the change, you would write code like::
  
  app.route('/api/user')
  oauth.require_oauth('email')
  def user(req):
  return jsonify(req.user)
  
  After the change, you would write code like::
  
  from flask import request
  
  app.route('/api/user')
  oauth.require_oauth('email')
  def user():
  return jsonify(request.oauth.user)
  
  .. _`94`: https://github.com/lepture/flask-oauthlib/pull/94
  .. _`93`: https://github.com/lepture/flask-oauthlib/issues/93
  .. _`92`: https://github.com/lepture/flask-oauthlib/issues/92
  .. _`91`: https://github.com/lepture/flask-oauthlib/issues/91
  .. _`89`: https://github.com/lepture/flask-oauthlib/issues/89
  .. _`86`: https://github.com/lepture/flask-oauthlib/pull/86
  .. _`85`: https://github.com/lepture/flask-oauthlib/pull/85
  .. _`83`: https://github.com/lepture/flask-oauthlib/pull/83
  .. _`82`: https://github.com/lepture/flask-oauthlib/issues/82
  
  Thanks Stian Prestholdt and Jiangge Zhang.

0.4.3

-------------
  
  Released on Feb 18, 2014
  
  - OAuthlib released 0.6.1, which caused a bug in oauth2 provider.
  - Validation for scopes on oauth2 right via `72`_.
  - Handle empty response for application/json via `69`_.
  
  .. _`69`: https://github.com/lepture/flask-oauthlib/issues/69
  .. _`72`: https://github.com/lepture/flask-oauthlib/issues/72

0.4.2 not secure

-------------
  
  Released on Jan 3, 2014
  
  Happy New Year!
  
  - Add param ``state`` in authorize method via `63`_.
  - Bugfix for encoding error in Python 3 via `65`_.
  
  .. _`63`: https://github.com/lepture/flask-oauthlib/issues/63
  .. _`65`: https://github.com/lepture/flask-oauthlib/issues/65

0.4.1 not secure

-------------
  
  Released on Nov 25, 2013
  
  - Add access_token on request object via `53`_.
  - Bugfix for lazy loading configuration via `55`_.
  
  .. _`53`: https://github.com/lepture/flask-oauthlib/issues/53
  .. _`55`: https://github.com/lepture/flask-oauthlib/issues/55

0.4.0 not secure

-------------
  
  Released on Nov 12, 2013
  
  - Redesign contrib library.
  - A new way for lazy loading configuration via `51`_.
  - Some bugfixes.
  
  .. _`51`: https://github.com/lepture/flask-oauthlib/issues/51

0.3.8 not secure

-----
  
  OAuth 2 Client now uses custom errors and raise on expire.

0.3.7 not secure

-----
  
  OAuth 1 optional encoding of Client.sign return values.

0.3.6 not secure

-----
  
  Revert default urlencoding.

0.3.5 not secure

-----
  
  Default unicode conversion (utf-8) and urlencoding of input.

0.3.4 not secure

-------------
  
  Released on Oct 31, 2013
  
  - Bugfix for client missing a string placeholder via `49`_.
  - Bugfix for client property getter via `48`_.
  
  .. _`49`: https://github.com/lepture/flask-oauthlib/issues/49
  .. _`48`: https://github.com/lepture/flask-oauthlib/issues/48

0.3.3 not secure

-------------
  
  Released on Oct 4, 2013
  
  - Support for token generator in OAuth2 Provider via `42`_.
  - Improve client part, improve test cases.
  - Fix scope via `44`_.
  
  .. _`42`: https://github.com/lepture/flask-oauthlib/issues/42
  .. _`44`: https://github.com/lepture/flask-oauthlib/issues/44

0.3.2 not secure

-------------
  
  Released on Sep 13, 2013
  
  - Upgrade oauthlib to 0.6
  - A quick bugfix for request token params via `40`_.
  
  .. _`40`: https://github.com/lepture/flask-oauthlib/issues/40

0.3.1

-------------
  
  Released on Aug 22, 2013
  
  - Add contrib module via `15`_. We are still working on it,
  take your own risk.
  - Add example of linkedin via `35`_.
  - Compatible with new proposals of oauthlib.
  - Bugfix for client part.
  - Backward compatible for lower version of Flask via `37`_.
  
  .. _`15`: https://github.com/lepture/flask-oauthlib/issues/15
  .. _`35`: https://github.com/lepture/flask-oauthlib/issues/35
  .. _`37`: https://github.com/lepture/flask-oauthlib/issues/37

0.3.0 not secure

-------------
  
  Released on July 10, 2013.
  
  - OAuth1 Provider available. Documentation at :doc:`oauth1`. :)
  - Add ``before_request`` and ``after_request`` via `22`_.
  - Lazy load configuration for client via `23`_. Documentation at :ref:`lazy-configuration`.
  - Python 3 compatible now.
  
  .. _`22`: https://github.com/lepture/flask-oauthlib/issues/22
  .. _`23`: https://github.com/lepture/flask-oauthlib/issues/23

0.2.1

-----
  
  Exclude non urlencoded bodies during request verification.

0.2.0

-------------
  
  Released on June 19, 2013.
  
  - OAuth2 Provider available. Documentation at :doc:`oauth2`. :)
  - Make client part testable.
  - Change extension name of client from ``oauth-client`` to ``oauthlib.client``.

0.1.4

-----
  
  Soft dependency on PyCrypto.

0.1.3 not secure

-----
  
  Use python-rsa instead of pycrypto.

0.1.1 not secure

-------------
  
  Released on May 23, 2013.
  
  - Fix setup.py

0.1.0 not secure

-------------
  
  First public preview release on May 18, 2013.