Bump authlib from 0.15.5 to 1.6.0

[dependabot[bot]]

Bumps authlib from 0.15.5 to 1.6.0.

Release notes

Sourced from authlib's releases.

Version 1.6.0

• Fix issue when RFC9207 is enabled and the authorization endpoint response is not a redirection. [pull request #733](authlib/authlib#733)
• Fix missing state parameter in authorization error responses. [issue #525](authlib/authlib#525)
• Support for acr and amr claims in id_token. [issue #734](authlib/authlib#734)
• Support for the none JWS algorithm.
• Fix response_types strict order during dynamic client registration. [issue #760](authlib/authlib#760)
• Implement RFC9101 The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR). [issue #723](authlib/authlib#723)
• OIDC UserInfo endpoint support. [issue #459](authlib/authlib#459)

Version 1.5.2

Released on Apr 1, 2025

• Forbid fragments in redirect_uris. #714
• Fix invalid characters in error_description. #720
• Add claims_cls parameter for client's parse_id_token method. #725

Version 1.5.1

Released on Feb 28, 2025

• Fix RFC9207 iss parameter. #715

Version 1.5.0

• Fix token introspection auth method for clients. #662
• Optional typ claim in JWT tokens. #696
• JWT validation leeway. #689
• Implement server-side RFC9207. #700 #701
• generate_id_token can take a kid parameter. #702
• More detailed InvalidClientError. #706
• OpenID Connect Dynamic Client Registration implementation. #707

Version 1.4.1

• Improve garbage collection on OAuth clients. #698
• Fix client parameters for httpx. #694

Version 1.4.0

Bugfixes

• Fix id_token decoding when kid is null. #659
• Support for Python 3.13. #682
• Force login if the prompt parameter value is login. #637
• Support for httpx 0.28. #695

Breaking changes

• Stop support for Python 3.8. #682

Version 1.3.2

• Prevent ever-growing session size for OAuth clients.
• Revert quote client id and secret.

... (truncated)

Changelog

Sourced from authlib's changelog.

Version 1.6.0

Released on May 22, 2025

• Fix issue when :rfc:RFC9207 <9207> is enabled and the authorization endpoint response is not a redirection. :pr:733
• Fix missing state parameter in authorization error responses. :issue:525
• Support for acr and amr claims in id_token. :issue:734
• Support for the none JWS algorithm.
• Fix response_types strict order during dynamic client registration. :issue:760
• Implement :rfc:RFC9101 The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR) <9101>. :issue:723
• OIDC :class:UserInfo endpoint <authlib.oidc.core.userinfo.UserInfoEndpoint> support. :issue:459

Version 1.5.2

Released on Apr 1, 2025

• Forbid fragments in redirect_uris. :issue:714
• Fix invalid characters in error_description. :issue:720
• Add claims_cls parameter for client's parse_id_token method. :issue:725

Version 1.5.1

Released on Feb 28, 2025

• Fix RFC9207 iss parameter. :pr:715

Version 1.5.0

Released on Feb 25, 2025

• Fix token introspection auth method for clients. :pr:662
• Optional typ claim in JWT tokens. :pr:696
• JWT validation leeway. :pr:689
• Implement server-side :rfc:RFC9207 <9207>. :issue:700 :pr:701
• generate_id_token can take a kid parameter. :pr:702
• More detailed InvalidClientError. :pr:706
• OpenID Connect Dynamic Client Registration implementation. :pr:707

Version 1.4.1

Released on Jan 28, 2025

• Improve garbage collection on OAuth clients. :issue:698
• Fix client parameters for httpx. :issue:694

... (truncated)

Commits

• fe87a11 chore: release version 1.6.0
• 036a0b7 Merge pull request #774 from azmeuk/459-userinfo
• 449a1a2 feat: OIDC userinfo endpoint support
• d429c36 Merge pull request #749 from azmeuk/724-jar
• a524d23 chore: move 1.7 deprecations to 1.8
• f37e60e feat: implement rfc9101 JWT authorization request
• 8a6c714 refactor: OAuth2 hook mechanism overhaul
• ff1b66b refactor: extract OAuth2Payload from OAuth2Request
• 98eebd1 refactor: remove uncovered code in OAuth2Request
• 1b848e2 refactor: create_authorization_response can take an optional 'grant' arg
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)