OAuth2.0 Provider:

• CVE-2022-36087

In short

OAuth2.0 Provider:

• #803 : Metadata endpoint support of non-HTTPS

OAuth1.0:

• #818 : Allow IPv6 being parsed by signature

General:

• Improved and fixed documentation warnings.
• Cosmetic changes based on isort

What's Changed

• add missing slots to TokenBase by @ariebovenberg in #804
• Add CORS support for Refresh Token Grant. by @luhn in #806
• GitHub Action to lint Python code by @cclauss in #797
• Docs: fix Sphinx warnings for better ReadTheDocs generation by @JonathanHuot in #807
• Allow non-HTTPS issuer when OAUTHLIB_INSECURE_TRANSPORT. by @luhn in #803
• chore: fix typo in test by @tamanobi in #816
• Fix typo in server.rst by @NemanjaT in #819
• Fixed isort imports by @dasm in #820
• docs: Fix a few typos by @timgates42 in #822
• docs: fix typos by @kianmeng in #823

New Contributors

• @ariebovenberg made their first contribution in #804
• @tamanobi made their first contribution in #816
• @NemanjaT made their first contribution in #819
• @kianmeng made their first contribution in #823

Full Changelog: v3.2.0...v3.2.1

Changelog

OAuth2.0 Client:

• #795: Add Device Authorization Flow for Web Application
• #786: Add PKCE support for Client
• #783: Fallback to none in case of wrong expires_at format.

OAuth2.0 Provider:

• #790: Add support for CORS to metadata endpoint.
• #791: Add support for CORS to token endpoint.
• #787: Remove comma after Bearer in WWW-Authenticate

OAuth2.0 Provider - OIDC:

• #755: Call save_token in Hybrid code flow
• #751: OIDC add support of refreshing ID Tokens with refresh_id_token
• #751: The RefreshTokenGrant modifiers now take the same arguments as the
  AuthorizationCodeGrant modifiers (token, token_handler, request).

General:

• Added Python 3.9, 3.10, 3.11
• Improve Travis & Coverage

New Contributors

• @kazkansouh made their first contribution in #771
• @riconnon made their first contribution in #777
• @dotGiff made their first contribution in #783
• @freeman1981 made their first contribution in #787
• @Xpyder made their first contribution in #793
• @rigzba21 made their first contribution in #786
• @cclauss made their first contribution in #796
• @kellyma2 made their first contribution in #795

Full Changelog: v3.1.1...v3.2.0

OAuth2.0 Provider - Bugfixes

• #753: Fix acceptance of valid IPv6 addresses in URI validation

OAuth2.0 Client - Bugfixes

• #730: Base OAuth2 Client now has a consistent way of managing the scope: it consistently
  relies on the scope provided in the constructor if any, except if overridden temporarily
  in a method call. Note that in particular providing a non-None scope in
  prepare_authorization_request or prepare_refresh_token does not override anymore
  self.scope forever, it is just used temporarily.
• #726: MobileApplicationClient.prepare_request_uri and MobileApplicationClient.parse_request_uri_response,
  ServiceApplicationClient.prepare_request_body,
  and WebApplicationClient.prepare_request_uri now correctly use the default scope provided in
  constructor.
• #725: LegacyApplicationClient.prepare_request_body now correctly uses the default scope provided in constructor

OAuth2.0 Provider - Bugfixes

• #711: client_credentials grant: fix log message
• #746: OpenID Connect Hybrid - fix nonce not passed to add_id_token
• #756: Different prompt values are now handled according to spec (e.g. prompt=none)
• #759: OpenID Connect - fix Authorization: Basic parsing

General

• #716: improved skeleton validator for public vs private client
• #720: replace mock library with standard unittest.mock
• #727: build isort integration
• #734: python2 code removal
• #735, #750: add python3.8 support
• #749: bump minimum versions of pyjwt and cryptography

3.1.0 is an feature release including improvement to OIDC and security enhancements. Check-it out !

OAuth2.0 Provider - Features

• #660: OIDC add support of nonce, c_hash, at_hash fields
  • New RequestValidator.fill_id_token method
  • Deprecated RequestValidator.get_id_token method
• #677: OIDC add UserInfo endpoint
  • New RequestValidator.get_userinfo_claims method

OAuth2.0 Provider - Security

• #665: Enhance data leak to logs
  • New default to not expose request content in logs
  • New function oauthlib.set_debug(True)
• #666: Disabling query parameters for POST requests

OAuth2.0 Provider - Bugfixes

• #670: Fix validate_authorization_request to return the new PKCE fields
• #674: Fix token_type to be case-insensitive (bearer and Bearer)

OAuth2.0 Client - Bugfixes

• #290: Fix Authorization Code's errors processing
• #603: BackendApplication.Client.prepare_request_body use the "scope" argument as intended.
• #672: Fix edge case when expires_in=Null

OAuth1.0 Client

• #669: Add case-insensitive headers to oauth1 BaseEndpoint

Bug fix release

• #650: OAuth1: Fixed space encoding in base string URI used in the signature base string.
• #654: OAuth2: Doc: The value state must not be stored by the AS, only returned in /authorize response.
• #652: OIDC: Fixed /token response which wrongly returned "&state=None"
• #656: OIDC: Fixed "nonce" checks: raise errors when it's mandatory

Fix regression introduced in 3.0.0

• #644 Fixed Revocation & Introspection Endpoints when using Client Authentication with HTTP Basic Auth.

This is a major release containing API Breaking changes, and new major features. See the full list below:

OAuth2.0 Provider - outstanding Features

• OpenID Connect Core support
• RFC7662 Introspect support
• RFC8414 OAuth2.0 Authorization Server Metadata support (#605)
• RFC7636 PKCE support (#617 #624)

OAuth2.0 Provider - API/Breaking Changes

• Add "request" to confirm_redirect_uri #504
• confirm_redirect_uri/get_default_redirect_uri has a bit changed #445
• invalid_client is now a FatalError #606
• Changed errors status code from 401 to 400:

• invalid_grant: #264
• invalid_scope: #620
• access_denied/unauthorized_client/consent_required/login_required #623
• 401 must have WWW-Authenticate HTTP Header set. #623

OAuth2.0 Provider - Bugfixes

• empty scopes no longer raise exceptions for implicit and authorization_code #475 / #406

OAuth2.0 Client - Bugfixes / Changes:

• expires_in in Implicit flow is now an integer #569
• expires is no longer overriding expires_in #506
• parse_request_uri_response is now required #499
• Unknown error=xxx raised by OAuth2 providers was not understood #431
• OAuth2's prepare_token_request supports sending an empty string for client_id (#585)
• OAuth2's WebApplicationClient.prepare_request_body was refactored to better
  support sending or omitting the client_id via a new include_client_id kwarg.
  By default this is included. The method will also emit a DeprecationWarning if
  a client_id parameter is submitted; the already configured self.client_id
  is the preferred option. (#585)

OAuth1.0 Client:

• Support for HMAC-SHA256 #498

General fixes:

• $ and ' are allowed to be unencoded in query strings #564
• Request attributes are no longer overriden by HTTP Headers #409
• Removed unnecessary code for handling python2.6
• Add support of python3.7 #621
• Several minors updates to setup.py and tox
• Set pytest as the default unittest framework

This minor release includes the following changes:

• Fixed some copy and paste typos (#535)
• Use secrets module in Python 3.6 and later (#533)
• Add request argument to confirm_redirect_uri (#504)
• Avoid populating spurious token credentials (#542)
• Make populate attributes API public (#546)

🎉 First oauthlib community release. 🎉

• Moved oauthlib into new organization on GitHub.
• Include license file in the generated wheel package. (#494)
• When deploying a release to PyPI, include the wheel distribution. (#496)
• Check access token in self.token dict. (#500)
• Added bottle-oauthlib to docs. (#509)
• Update repository location in Travis. (#514)
• Updated docs for organization change. (#515)
• Replace G+ with Gitter. (#517)
• Update requirements. (#518)
• Add shields for Python versions, license and RTD. (#520)
• Fix ReadTheDocs build (#521).
• Fixed "make" command to test upstream with local oauthlib. (#522)
• Replace IRC notification with Gitter Hook. (#523)
• Added Github Releases deploy provider. (#523)