In short

OAuth2.0 Provider:

• #803 : Metadata endpoint support of non-HTTPS
• CVE-2022-36087

OAuth1.0:

• #818 : Allow IPv6 being parsed by signature

General:

• Improved and fixed documentation warnings.
• Cosmetic changes based on isort

What's Changed

• add missing slots to TokenBase by @ariebovenberg in https://github.com/oauthlib/oauthlib/pull/804
• Add CORS support for Refresh Token Grant. by @luhn in https://github.com/oauthlib/oauthlib/pull/806
• GitHub Action to lint Python code by @cclauss in https://github.com/oauthlib/oauthlib/pull/797
• Docs: fix Sphinx warnings for better ReadTheDocs generation by @JonathanHuot in https://github.com/oauthlib/oauthlib/pull/807
• Allow non-HTTPS issuer when OAUTHLIB_INSECURE_TRANSPORT. by @luhn in https://github.com/oauthlib/oauthlib/pull/803
• chore: fix typo in test by @tamanobi in https://github.com/oauthlib/oauthlib/pull/816
• Fix typo in server.rst by @NemanjaT in https://github.com/oauthlib/oauthlib/pull/819
• Fixed isort imports by @dasm in https://github.com/oauthlib/oauthlib/pull/820
• docs: Fix a few typos by @timgates42 in https://github.com/oauthlib/oauthlib/pull/822
• docs: fix typos by @kianmeng in https://github.com/oauthlib/oauthlib/pull/823

New Contributors

• @ariebovenberg made their first contribution in https://github.com/oauthlib/oauthlib/pull/804
• @tamanobi made their first contribution in https://github.com/oauthlib/oauthlib/pull/816
• @NemanjaT made their first contribution in https://github.com/oauthlib/oauthlib/pull/819
• @kianmeng made their first contribution in https://github.com/oauthlib/oauthlib/pull/823

Full Changelog: https://github.com/oauthlib/oauthlib/compare/v3.2.0...v3.2.1

Changelog

OAuth2.0 Client:

• #795: Add Device Authorization Flow for Web Application
• #786: Add PKCE support for Client
• #783: Fallback to none in case of wrong expires_at format.

OAuth2.0 Provider:

• #790: Add support for CORS to metadata endpoint.
• #791: Add support for CORS to token endpoint.
• #787: Remove comma after Bearer in WWW-Authenticate

OAuth2.0 Provider - OIDC:

• #755: Call save_token in Hybrid code flow
• #751: OIDC add support of refreshing ID Tokens with refresh_id_token
• #751: The RefreshTokenGrant modifiers now take the same arguments as the AuthorizationCodeGrant modifiers (token, token_handler, request).

General:

• Added Python 3.9, 3.10, 3.11
• Improve Travis & Coverage

New Contributors

• @kazkansouh made their first contribution in https://github.com/oauthlib/oauthlib/pull/771
• @riconnon made their first contribution in https://github.com/oauthlib/oauthlib/pull/777
• @dotGiff made their first contribution in https://github.com/oauthlib/oauthlib/pull/783
• @freeman1981 made their first contribution in https://github.com/oauthlib/oauthlib/pull/787
• @Xpyder made their first contribution in https://github.com/oauthlib/oauthlib/pull/793
• @rigzba21 made their first contribution in https://github.com/oauthlib/oauthlib/pull/786
• @cclauss made their first contribution in https://github.com/oauthlib/oauthlib/pull/796
• @kellyma2 made their first contribution in https://github.com/oauthlib/oauthlib/pull/795

Full Changelog: https://github.com/oauthlib/oauthlib/compare/v3.1.1...v3.2.0

OAuth2.0 Provider - Bugfixes

• #753: Fix acceptance of valid IPv6 addresses in URI validation

OAuth2.0 Client - Bugfixes

• #730: Base OAuth2 Client now has a consistent way of managing the scope: it consistently relies on the scope provided in the constructor if any, except if overridden temporarily in a method call. Note that in particular providing a non-None scope in prepare_authorization_request or prepare_refresh_token does not override anymore self.scope forever, it is just used temporarily.
• #726: MobileApplicationClient.prepare_request_uri and MobileApplicationClient.parse_request_uri_response, ServiceApplicationClient.prepare_request_body, and WebApplicationClient.prepare_request_uri now correctly use the default scope provided in constructor.
• #725: LegacyApplicationClient.prepare_request_body now correctly uses the default scope provided in constructor

OAuth2.0 Provider - Bugfixes

• #711: client_credentials grant: fix log message
• #746: OpenID Connect Hybrid - fix nonce not passed to add_id_token
• #756: Different prompt values are now handled according to spec (e.g. prompt=none)
• #759: OpenID Connect - fix Authorization: Basic parsing

General

• #716: improved skeleton validator for public vs private client
• #720: replace mock library with standard unittest.mock
• #727: build isort integration
• #734: python2 code removal
• #735, #750: add python3.8 support
• #749: bump minimum versions of pyjwt and cryptography

3.1.0 is an feature release including improvement to OIDC and security enhancements. Check-it out !

OAuth2.0 Provider - Features

• #660: OIDC add support of nonce, c_hash, at_hash fields
  • New RequestValidator.fill_id_token method
  • Deprecated RequestValidator.get_id_token method
• #677: OIDC add UserInfo endpoint
  • New RequestValidator.get_userinfo_claims method

OAuth2.0 Provider - Security

• #665: Enhance data leak to logs
  • New default to not expose request content in logs
  • New function oauthlib.set_debug(True)
• #666: Disabling query parameters for POST requests

OAuth2.0 Provider - Bugfixes

• #670: Fix validate_authorization_request to return the new PKCE fields
• #674: Fix token_type to be case-insensitive (bearer and Bearer)

OAuth2.0 Client - Bugfixes

• #290: Fix Authorization Code's errors processing
• #603: BackendApplication.Client.prepare_request_body use the "scope" argument as intended.
• #672: Fix edge case when expires_in=Null

OAuth1.0 Client

• #669: Add case-insensitive headers to oauth1 BaseEndpoint

Bug fix release

• #650: OAuth1: Fixed space encoding in base string URI used in the signature base string.
• #654: OAuth2: Doc: The value state must not be stored by the AS, only returned in /authorize response.
• #652: OIDC: Fixed /token response which wrongly returned "&state=None"
• #656: OIDC: Fixed "nonce" checks: raise errors when it's mandatory

Fix regression introduced in 3.0.0

• #644 Fixed Revocation & Introspection Endpoints when using Client Authentication with HTTP Basic Auth.

This is a major release containing API Breaking changes, and new major features. See the full list below:

OAuth2.0 Provider - outstanding Features

• OpenID Connect Core support
• RFC7662 Introspect support
• RFC8414 OAuth2.0 Authorization Server Metadata support (#605)
• RFC7636 PKCE support (#617 #624)

OAuth2.0 Provider - API/Breaking Changes

• Add "request" to confirm_redirect_uri #504
• confirm_redirect_uri/get_default_redirect_uri has a bit changed #445
• invalid_client is now a FatalError #606
• Changed errors status code from 401 to 400:

• invalid_grant: #264
• invalid_scope: #620
• access_denied/unauthorized_client/consent_required/login_required #623
• 401 must have WWW-Authenticate HTTP Header set. #623

OAuth2.0 Provider - Bugfixes

• empty scopes no longer raise exceptions for implicit and authorization_code #475 / #406

OAuth2.0 Client - Bugfixes / Changes:

• expires_in in Implicit flow is now an integer #569
• expires is no longer overriding expires_in #506
• parse_request_uri_response is now required #499
• Unknown error=xxx raised by OAuth2 providers was not understood #431
• OAuth2's prepare_token_request supports sending an empty string for client_id (#585)
• OAuth2's WebApplicationClient.prepare_request_body was refactored to better support sending or omitting the client_id via a new include_client_id kwarg. By default this is included. The method will also emit a DeprecationWarning if a client_id parameter is submitted; the already configured self.client_id is the preferred option. (#585)

OAuth1.0 Client:

• Support for HMAC-SHA256 #498

General fixes:

• $ and ' are allowed to be unencoded in query strings #564
• Request attributes are no longer overriden by HTTP Headers #409
• Removed unnecessary code for handling python2.6
• Add support of python3.7 #621
• Several minors updates to setup.py and tox
• Set pytest as the default unittest framework

This minor release includes the following changes:

• Fixed some copy and paste typos (#535)
• Use secrets module in Python 3.6 and later (#533)
• Add request argument to confirm_redirect_uri (#504)
• Avoid populating spurious token credentials (#542)
• Make populate attributes API public (#546)

:tada: First oauthlib community release. :tada:

• Moved oauthlib into new organization on GitHub.
• Include license file in the generated wheel package. (#494)
• When deploying a release to PyPI, include the wheel distribution. (#496)
• Check access token in self.token dict. (#500)
• Added bottle-oauthlib to docs. (#509)
• Update repository location in Travis. (#514)
• Updated docs for organization change. (#515)
• Replace G+ with Gitter. (#517)
• Update requirements. (#518)
• Add shields for Python versions, license and RTD. (#520)
• Fix ReadTheDocs build (#521).
• Fixed "make" command to test upstream with local oauthlib. (#522)
• Replace IRC notification with Gitter Hook. (#523)
• Added Github Releases deploy provider. (#523)

Fix-up release, since 2.0.5 contained breaking changes.

This was a bad release; don't use.

• Fix OAuth2Error.response_mode for #463.
• Documentation improvement.

• Fixed typo that caused OAuthlib to crash because of the fix in "Address missing OIDC errors and fix a typo in the AccountSelectionRequired exception".

• Address missing OIDC errors and fix a typo in the AccountSelectionRequired exception.
• Update proxy keys on CaseInsensitiveDict.update().
• Redirect errors according to OIDC's response_mode.
• Added universal wheel support.
• Added log statements to except clauses.
• According to RC7009 Section 2.1, a client should include authentication credentials when revoking its tokens. As discussed in #339, this is not make sense for public clients. However, in that case, the public client should still be checked that is infact a public client (authenticate_client_id).
• Improved prompt parameter validation.
• Added two error codes from RFC 6750.
• Hybrid response types are now be fragment-encoded.
• Added Python 3.6 to Travis CI testing and trove classifiers.
• Fixed BytesWarning issued when using a string placeholder for bytes object.
• Documented PyJWT dependency and improved logging and exception messages.
• Documentation improvements and fixes.

• Dropped support for Python 2.6, 3.2 & 3.3.
• (FIX) OpenIDConnector will no longer raise an AttributeError when calling openid_authorization_validator() twice.

• (FIX) Normalize handling of request.scopes list

• (New Feature) OpenID support.
• Documentation improvements and fixes.

• (Fix) Query strings should be able to include colons.
• (Fix) Cast body to a string to ensure that we can perform a regex substitution on it.

• (Enhancement) Better sanitisation of Request objects __repr__.

• (Fix) '(', ')', '/' and '?' are now safe characters in url encoded strings.
• (Enhancement) Added support for specifying if refresh tokens should be created on authorization code grants.
• (Fix) OAuth2Token now handles None scopes correctly.
• (Fix) Request token is now available for OAuth 1.
• (Enhancement) OAuth2Token is declared with __slots__ for smaller memory footprint.
• (Enhancement) RefreshTokenGrant now allows to set issue_new_refresh_tokens.
• Documentation improvements and fixes.

• (Fix) Changed the documented return type of the invalidate_request_token() method from the RSA key to None since nobody is using the return type.
• (Enhancement) Added a validator log that will store what the endpoint has computed for debugging and logging purposes (OAuth 1 only for now).

• (Fix) Allow client secret to be null for public applications that do not mandate it's specification in the query parameters.
• (Fix) Encode request body before hashing in order to prevent encoding errors in Python 3.

• (Fix) Added token_type_hint to the list of default Request parameters.

• (Breaking Change) Replace pycrypto with cryptography from https://cryptography.io
• (Breaking Change) Update jwt to 1.0.0 (which is backwards incompatible) no oauthlib api changes were made.
• (Breaking Change) Raise attribute error for non-existing attributes in the Request object.
• (Fix) Strip whitespace off of scope string.
• (Change) Don't require to return the state in the access token response.
• (Change) Hide password in logs.
• (Fix) Fix incorrect invocation of prepare_refresh_body in the OAuth2 client.
• (Fix) Handle empty/non-parsable query strings.
• (Fix) Check if an RSA key is actually needed before requiring it.
• (Change) Allow tuples for list_to_scope as well as sets and lists.
• (Change) Add code to determine if client authentication is required for OAuth2.
• (Fix) Fix error message on invalid Content-Type header for OAtuh1 signing.
• (Fix) Allow ! character in query strings.
• (Fix) OAuth1 now includes the body hash for requests that specify any content-type that isn't x-www-form-urlencoded.
• (Fix) Fixed error description in oauth1 endpoint.
• (Fix) Revocation endpoint for oauth2 will now return an empty string in the response body instead of 'None'.
• Increased test coverage.
• Performance improvements.
• Documentation improvements and fixes.

• (Quick fix) Unpushed locally modified files got included in the PyPI 0.7.1 release. Doing a new clean release to address this. Please upgrade quickly and report any issues you are running into.

• (Quick fix) Add oauthlib.common.log object back in for libraries using it.

• (Change) OAuth2 clients will not raise a Warning on scope change if the environment variable OAUTHLIB_RELAX_TOKEN_SCOPE is set. The token will now be available as an attribute on the error, error.token. Token changes will now also be announced using blinker.
• (Fix/Feature) Automatic fixes of non-compliant OAuth2 provider responses (e.g. Facebook).
• (Fix) Logging is now tiered (per file) as opposed to logging all under oauthlib.
• (Fix) Error messages should now include a description in their message.
• (Fix/Feature) Optional support for jsonp callbacks after token revocation.
• (Feature) Client side preparation of OAuth 2 token revocation requests.
• (Feature) New OAuth2 client API methods for preparing full requests.
• (Feature) OAuth1 SignatureOnlyEndpoint that only verifies signatures and client IDs.
• (Fix/Feature) Refresh token grant now allow optional refresh tokens.
• (Fix) add missing state param to OAuth2 errors.
• (Fix) add_params_to_uri now properly parse fragment.
• (Fix/Feature) All OAuth1 errors can now be imported from oauthlib.oauth1.
• (Fix/Security) OAuth2 logs will now strip client provided password, if present.
• Allow unescaped @ in urlencoded parameters.

• (Quick fix) OAuth 1 client repr in 0.6.2 overwrote secrets when scrubbing for print.

• Numerous OAuth2 provider errors now suggest a status code of 401 instead of 400 (#247).
• Added support for JSON web tokens with oauthlib.common.generate_signed_token. Install extra dependency with oauthlibsignedtoken.
• OAuth2 scopes can be arbitrary objects with str defined (#240).
• OAuth 1 Clients can now register custom signature methods (#239).
• Exposed new method oauthlib.oauth2.is_secure_transport that checks whether the given URL is HTTPS. Checks using this method can be disabled by setting the environment variable OAUTHLIB_INSECURE_TRANSPORT (#249).
• OAuth1 clients now has repr and will be printed with secrets scrubbed.
• OAuth1 Client.get_oauth_params now takes an oauthlib.Request as an argument.
• urldecode will now raise a much more informative error message on incorrectly encoded strings.
• Plenty of typo and other doc fixes.

Draft revocation endpoint features and numerous fixes including:

• (OAuth 2 Provider) is_within_original_scope to check whether a refresh token is trying to aquire a new set of scopes that are a subset of the original scope.
• (OAuth 2 Provider) expires_in token lifetime can be set per request.
• (OAuth 2 Provider) client_authentication_required method added to differentiate between public and confidential clients.
• (OAuth 2 Provider) rotate_refresh_token now indicates whether a new refresh token should be generated during token refresh or if old should be kept.
• (OAuth 2 Provider) returned JSON headers no longer include charset.
• (OAuth 2 Provider) validate_authorizatoin_request now also includes the internal request object in the returned dictionary. Note that this is not meant to be relied upon heavily and its interface might change.
• and many style and typo fixes.

OAuth 1 & 2 provider API refactor with breaking changes:

• All endpoint methods change contract to return 3 values instead of 4. The new signature is headers, body, status code where the initial redirect_uri has been relocated to its rightful place inside headers as Location.
• OAuth 1 Access Token Endpoint has a new required validator method invalidate_request_token.
• OAuth 1 Authorization Endpoint now returns a 200 response instead of 302 on oob callbacks.