authlib
The ultimate Python library in building OAuth, OpenID Connect clients and servers. JWS, JWE, JWK, JWA, JWT included.
**Describe the bug** When using the exactly same credentials and API call signatures, the requests client could access protected resources from OAuth protected API, while the signature of requests made...
Hi, is there a way to disable the nonce validation on client-side? I ask this question because, if I understand correctly, that parameter is optional, differently from the state which...
**Describe the bug** The [IntrospectionToken](https://github.com/lepture/authlib/blob/master/authlib/oauth2/rfc7662/models.py#L4) class doesn't seem to implement the [TokenMixin](https://github.com/lepture/authlib/blob/9ae4db94b10767452da55183d265a8a2acf4d441/authlib/oauth2/rfc6749/models.py#L174) in its current form, and looks like it still implements the older 0.15 TokenMixin
My OAuth provider has OAuth1. For `fetch_request_token` method, the provider requires an extra authorization header parameter `oauth_callback="oob"` like the following: ``` Authorization: OAuth realm="",oauth_callback="oob", oauth_signature="xxx", oauth_nonce="xxx", oauth_signature_method="HMAC-SHA1",oauth_consumer_key="xxx", oauth_timestamp="1273254425" ``` Do...
[Section 2 of RFC 7009](https://datatracker.ietf.org/doc/html/rfc7009#section-2) says: "The authorization server first validates the client credentials (in case of a confidential client) and then verifies whether the token was issued to the...
[Section 3.1 of RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-3.1) says "Request and response parameters MUST NOT be included more than once." Add a method to the OAuth2Request object to obtain all the values for...
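As an added illustration of the duplicate-parameter rule in the issue above (example code, not authlib's own request parsing), this helper parses an OAuth 2.0 query string, keeps every value of every parameter so a server can inspect them, and rejects the request when any parameter appears more than once. The security point is parameter pollution: if one component reads the first `redirect_uri` and another reads the last, the two disagree on what was authorized, so a compliant server refuses the request outright instead of picking one. The `parse_oauth2_params` and `InvalidRequestError` names are assumptions for this example.

```python
"""Added example (not authlib code): enforce RFC 6749 section 3.1 on query parameters.

RFC 6749 section 3.1: "Request and response parameters MUST NOT be included
more than once." A server that silently keeps the first or last value risks
HTTP parameter pollution, e.g. two different redirect_uri values where the
validator sees one and the redirect logic uses the other.
"""
from urllib.parse import parse_qsl


class InvalidRequestError(ValueError):
    """Raised for a malformed authorization/token request (hypothetical name)."""


def parse_all_values(query: str) -> dict[str, list[str]]:
    """Parse a query string and keep every value per parameter, in order.

    parse_qsl preserves duplicates, unlike parse_qs-to-dict shortcuts that
    quietly drop or merge them.
    """
    values: dict[str, list[str]] = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        values.setdefault(name, []).append(value)
    return values


def duplicated_params(query: str) -> list[str]:
    """Return the names of all parameters that occur more than once."""
    return sorted(name for name, vals in parse_all_values(query).items() if len(vals) > 1)


def parse_oauth2_params(query: str) -> dict[str, str]:
    """Return a single-valued parameter map, or raise if any parameter repeats."""
    dups = duplicated_params(query)
    if dups:
        raise InvalidRequestError(
            "parameters must not be included more than once: " + ", ".join(dups)
        )
    return {name: vals[0] for name, vals in parse_all_values(query).items()}


# Constructed sample requests for demonstration; not taken from any real traffic.
CLEAN_QUERY = (
    "response_type=code&client_id=s6BhdRkqt3&state=xyz"
    "&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb"
)
POLLUTED_QUERY = (
    "response_type=code&client_id=s6BhdRkqt3&state=xyz"
    "&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb"
    "&redirect_uri=https%3A%2F%2Fattacker.example%2Fcb"
)

if __name__ == "__main__":
    print(parse_oauth2_params(CLEAN_QUERY))
    try:
        parse_oauth2_params(POLLUTED_QUERY)
    except InvalidRequestError as exc:
        print("rejected:", exc)
```

The check runs before any parameter is used, so a polluted `redirect_uri` never reaches the redirect logic; `parse_all_values` is what an "all values for a parameter" accessor would return.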
A small fix to the documentation of `authlib.oauth2.rfc9068.JWTIntrospectionEndpoint` **What kind of change does this PR introduce?** (check at least one) - [x] Bugfix - [ ] Feature - [ ]...
**What kind of change does this PR introduce?** (check at least one) - [ ] Bugfix - [ ] Feature - [ ] Code style update - [ ] Refactor...
Fix https://github.com/lepture/authlib/issues/622. See https://github.com/lepture/authlib/issues/622#issuecomment-2049294579 for more context about the proposed solution. The PR deletes old states from the cookie to avoid reaching the 4kb limit. cc @lepture @frozturk
**Describe the bug** According to https://www.rfc-editor.org/rfc/rfc7519.html#section-4.1.6 the `iat` field should be a numeric field. Creating a token with `iat:true` passes validation. This looks to be because [`_validate_numeric_time`](https://github.com/lepture/authlib/blob/98d8a923cb8fbb785e85536d0c3a7a6447be0782/authlib/jose/rfc7519/claims.py#L226-L227) returns True for...
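As an added example for the `iat` issue above (illustration code, not authlib's claims validator), this shows the strict NumericDate check that the report asks for. The root cause it guards against is a Python quirk: `bool` is a subclass of `int`, so `isinstance(True, int)` is `True` and a naive numeric check lets `iat: true` through. The `validate_numeric_time_claims` and `InvalidClaimError` names are assumptions for this example; the sample claim sets are constructed.

```python
"""Added example (not authlib code): strict NumericDate validation for JWT time claims.

RFC 7519 section 2 defines NumericDate as a JSON numeric value; section 4.1.6
says "iat" MUST be a number. In Python, bool subclasses int, so a plain
isinstance(value, int) check accepts True/False. This validator excludes bool
explicitly and also rejects NaN/inf, which are not valid JSON numbers either.
"""
import math
from numbers import Real


class InvalidClaimError(ValueError):
    """Raised when a registered claim has the wrong type (hypothetical name)."""


# Registered claims that carry a NumericDate (RFC 7519 sections 4.1.4 to 4.1.6).
NUMERIC_TIME_CLAIMS = ("exp", "nbf", "iat")


def is_numeric_date(value) -> bool:
    """True only for a finite real number that is not a bool."""
    if isinstance(value, bool):  # must be checked before Real: bool is an int
        return False
    if not isinstance(value, Real):
        return False
    return math.isfinite(value)


def validate_numeric_time_claims(claims: dict) -> dict:
    """Check every present time claim; return the claims unchanged on success."""
    for name in NUMERIC_TIME_CLAIMS:
        if name not in claims:
            continue
        if not is_numeric_date(claims[name]):
            raise InvalidClaimError(
                f'"{name}" must be a NumericDate (JSON number), got {claims[name]!r}'
            )
    return claims


# Constructed sample claim sets for demonstration.
GOOD_CLAIMS = {"iss": "https://issuer.example", "iat": 1700000000, "exp": 1700003600}
BOOL_IAT_CLAIMS = {"iss": "https://issuer.example", "iat": True, "exp": 1700003600}
STRING_EXP_CLAIMS = {"iss": "https://issuer.example", "iat": 1700000000, "exp": "1700003600"}

if __name__ == "__main__":
    print(validate_numeric_time_claims(GOOD_CLAIMS))
    for bad in (BOOL_IAT_CLAIMS, STRING_EXP_CLAIMS):
        try:
            validate_numeric_time_claims(bad)
        except InvalidClaimError as exc:
            print("rejected:", exc)
```

The bool test has to come before the numeric test; `numbers.Real` also admits `bool`, so ordering the checks the other way round reproduces the bug being reported.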