betterself
Update oauthlib to 3.2.0
This PR updates oauthlib from 2.0.6 to 3.2.0.
Changelog
3.2.0
------------------
OAuth2.0 Client:
* 795: Add Device Authorization Flow for Web Application
* 786: Add PKCE support for Client
* 783: Fallback to none in case of wrong expires_at format.
OAuth2.0 Provider:
* 790: Add support for CORS to metadata endpoint.
* 791: Add support for CORS to token endpoint.
* 787: Remove comma after Bearer in WWW-Authenticate
OAuth2.0 Provider - OIDC:
* 755: Call save_token in Hybrid code flow
* 751: OIDC add support of refreshing ID Tokens with `refresh_id_token`
* 751: The RefreshTokenGrant modifiers now take the same arguments as the
AuthorizationCodeGrant modifiers (`token`, `token_handler`, `request`).
General:
* Added Python 3.9, 3.10, 3.11
* Improve Travis & Coverage
3.1.1
------------------
OAuth2.0 Provider - Bugfixes
* 753: Fix acceptance of valid IPv6 addresses in URI validation
OAuth2.0 Client - Bugfixes
* 730: Base OAuth2 Client now has a consistent way of managing the `scope`: it consistently
relies on the `scope` provided in the constructor if any, except if overridden temporarily
in a method call. Note that in particular providing a non-None `scope` in
`prepare_authorization_request` or `prepare_refresh_token` does not override anymore
`self.scope` forever, it is just used temporarily.
* 726: MobileApplicationClient.prepare_request_uri and MobileApplicationClient.parse_request_uri_response,
ServiceApplicationClient.prepare_request_body,
and WebApplicationClient.prepare_request_uri now correctly use the default `scope` provided in
constructor.
* 725: LegacyApplicationClient.prepare_request_body now correctly uses the default `scope` provided in constructor
OAuth2.0 Provider - Bugfixes
* 711: client_credentials grant: fix log message
* 746: OpenID Connect Hybrid - fix nonce not passed to add_id_token
* 756: Different prompt values are now handled according to spec (e.g. prompt=none)
* 759: OpenID Connect - fix Authorization: Basic parsing
General
* 716: improved skeleton validator for public vs private client
* 720: replace mock library with standard unittest.mock
* 727: build isort integration
* 734: python2 code removal
* 735, 750: add python3.8 support
* 749: bump minimum versions of pyjwt and cryptography
3.1.0
------------------
OAuth2.0 Provider - Features
* 660: OIDC add support of `nonce`, `c_hash`, `at_hash` fields
- New `RequestValidator.fill_id_token` method
- Deprecated `RequestValidator.get_id_token` method
* 677: OIDC add `UserInfo` endpoint - New `RequestValidator.get_userinfo_claims` method
OAuth2.0 Provider - Security
* 665: Enhance data leak to logs
  - New default to not expose request content in logs
  - New function `oauthlib.set_debug(True)`
* 666: Disabling query parameters for POST requests
OAuth2.0 Provider - Bugfixes
* 670: Fix `validate_authorization_request` to return the new PKCE fields
* 674: Fix `token_type` to be case-insensitive (`bearer` and `Bearer`)
OAuth2.0 Client - Bugfixes
* 290: Fix Authorization Code's errors processing
* 603: BackendApplicationClient.prepare_request_body use the `scope` argument as intended.
* 672: Fix edge case when `expires_in=Null`
OAuth1.0 Client
* 669: Add case-insensitive headers to oauth1 `BaseEndpoint`
OAuth1.0
* 722: Added support for HMAC-SHA512, RSA-SHA256 and RSA-SHA512 signature methods.
3.0.2
------------------
* 650: Fixed space encoding in base string URI used in the signature base string.
* 652: Fixed OIDC /token response which wrongly returned "&state=None"
* 654: Doc: The value `state` must not be stored by the AS, only returned in /authorize response.
* 656: Fixed OIDC "nonce" checks: raise errors when it's mandatory
3.0.1
------------------
* Fixed OAuth2.0 regression introduced in 3.0.0: Revocation with Basic auth no longer possible 644
3.0.0
------------------
OAuth2.0 Provider - outstanding Features
* OpenID Connect Core support
* RFC7662 Introspect support
* RFC8414 OAuth2.0 Authorization Server Metadata support (605)
* RFC7636 PKCE support (617 624)
OAuth2.0 Provider - API/Breaking Changes
* Add "request" to confirm_redirect_uri 504
* confirm_redirect_uri/get_default_redirect_uri has changed a bit 445
* invalid_client is now a FatalError 606
* Changed errors status code from 401 to 400:
- invalid_grant: 264
- invalid_scope: 620
- access_denied/unauthorized_client/consent_required/login_required 623
- 401 must have WWW-Authenticate HTTP Header set. 623
OAuth2.0 Provider - Bugfixes
* empty scopes no longer raise exceptions for implicit and authorization_code 475 / 406
OAuth2.0 Client - Bugfixes / Changes:
* expires_in in Implicit flow is now an integer 569
* expires is no longer overriding expires_in 506
* parse_request_uri_response is now required 499
* Unknown error=xxx raised by OAuth2 providers was not understood 431
* OAuth2's `prepare_token_request` supports sending an empty string for `client_id` (585)
* OAuth2's `WebApplicationClient.prepare_request_body` was refactored to better
support sending or omitting the `client_id` via a new `include_client_id` kwarg.
By default this is included. The method will also emit a DeprecationWarning if
a `client_id` parameter is submitted; the already configured `self.client_id`
is the preferred option. (585)
OAuth1.0 Client:
* Support for HMAC-SHA256 498
General fixes:
* $ and ' are allowed to be unencoded in query strings 564
* Request attributes are no longer overridden by HTTP Headers 409
* Removed unnecessary code for handling python2.6
* Add support of python3.7 621
* Several minor updates to setup.py and tox
* Set pytest as the default unittest framework
2.1.0
------------------
* Fixed some copy and paste typos (535)
* Use secrets module in Python 3.6 and later (533)
* Add request argument to confirm_redirect_uri (504)
* Avoid populating spurious token credentials (542)
* Make populate attributes API public (546)
2.0.7
------------------
* Moved oauthlib into new organization on GitHub.
* Include license file in the generated wheel package. (494)
* When deploying a release to PyPI, include the wheel distribution. (496)
* Check access token in self.token dict. (500)
* Added bottle-oauthlib to docs. (509)
* Update repository location in Travis. (514)
* Updated docs for organization change. (515)
* Replace G+ with Gitter. (517)
* Update requirements. (518)
* Add shields for Python versions, license and RTD. (520)
* Fix ReadTheDocs build (521).
* Fixed "make" command to test upstream with local oauthlib. (522)
* Replace IRC notification with Gitter Hook. (523)
* Added GitHub Releases deploy provider. (523)
Links
- PyPI: https://pypi.org/project/oauthlib
- Changelog: https://pyup.io/changelogs/oauthlib/
- Repo: https://github.com/oauthlib/oauthlib