Changelog
=========

3.3.1 (2025-06-19):
------------------
OAuth2.0 Client:
* #906: fix regression of expires_in parsing when float in string.


3.3.0 (2025-06-17):
------------------
OAuth2.0 Provider:
* OIDC: #879 Changed in how ui_locales is parsed
* RFC8628: Added OAuth2.0 Device Authorization Grant support
* PKCE: #876, #893 Fixed `create_code_verifier` length
* OIDC: Pre-configured OIDC server to use Refresh Token by default

OAuth2.0 Common:
* OAuth2Error: Allow 0 to be a valid state

OAuth2.0 Client:
* #745: expires_at is forced to be an int
* #899: expires_at clarification

General:
* Removed Python 3.5, 3.6, 3.7 support
* #859, #883: Added Python 3.12, 3.13 Support
* Added dependency-review GitHub Action
* Updated various references of license (SPDX identifier..)
* Added GitHub Action for lint, replaced bandy with ruff, removed isort...
* Migrated to GitHub Actions from Travis
* Added Security Policy

3.2.2 (2022-10-17)
------------------
OAuth2.0 Provider:
* CVE-2022-36087

3.2.1 (2022-09-09)
------------------
OAuth2.0 Provider:
* #803: Metadata endpoint support of non-HTTPS

OAuth1.0:
* #818: Allow IPv6 being parsed by signature

General:
* Improved and fixed documentation warnings.
* Cosmetic changes based on isort

3.2.0 (2022-01-29)
------------------
OAuth2.0 Client:
* #795: Add Device Authorization Flow for Web Application
* #786: Add PKCE support for Client
* #783: Fallback to none in case of wrong expires_at format.

OAuth2.0 Provider:
* #790: Add support for CORS to metadata endpoint.
* #791: Add support for CORS to token endpoint.
* #787: Remove comma after Bearer in WWW-Authenticate

OAuth2.0 Provider - OIDC:
  * #755: Call save_token in Hybrid code flow
  * #751: OIDC add support of refreshing ID Tokens with `refresh_id_token`
  * #751: The RefreshTokenGrant modifiers now take the same arguments as the
    AuthorizationCodeGrant modifiers (`token`, `token_handler`, `request`).

General:
  * Added Python 3.9, 3.10, 3.11
  * Improve Travis & Coverage

3.1.1 (2021-05-31)
------------------
OAuth2.0 Provider - Bugfixes

  * #753: Fix acceptance of valid IPv6 addresses in URI validation

OAuth2.0 Client - Bugfixes

  * #730: Base OAuth2 Client now has a consistent way of managing the `scope`: it consistently
    relies on the `scope` provided in the constructor if any, except if overridden temporarily
    in a method call. Note that in particular providing a non-None `scope` in
    `prepare_authorization_request` or `prepare_refresh_token` does not override anymore
    `self.scope` forever, it is just used temporarily.
  * #726: MobileApplicationClient.prepare_request_uri and MobileApplicationClient.parse_request_uri_response,
    ServiceApplicationClient.prepare_request_body,
    and WebApplicationClient.prepare_request_uri now correctly use the default `scope` provided in
    constructor.
  * #725: LegacyApplicationClient.prepare_request_body now correctly uses the default `scope` provided in constructor

OAuth2.0 Provider - Bugfixes
  * #711: client_credentials grant: fix log message
  * #746: OpenID Connect Hybrid - fix nonce not passed to add_id_token
  * #756: Different prompt values are now handled according to spec (e.g. prompt=none)
  * #759: OpenID Connect - fix Authorization: Basic parsing

General
  * #716: improved skeleton validator for public vs private client
  * #720: replace mock library with standard unittest.mock
  * #727: build isort integration
  * #734: python2 code removal
  * #735, #750: add python3.8 support
  * #749: bump minimum versions of pyjwt and cryptography 

3.1.0 (2019-08-06)
------------------
OAuth2.0 Provider - Features

  * #660: OIDC add support of `nonce`, `c_hash`, `at_hash fields`
      - New `RequestValidator.fill_id_token` method
      - Deprecated `RequestValidator.get_id_token` method
  * #677: OIDC add `UserInfo` endpoint - New `RequestValidator.get_userinfo_claims` method

OAuth2.0 Provider - Security

    * #665: Enhance data leak to logs
        * New default to not expose request content in logs
        * New function `oauthlib.set_debug(True)`
    * #666: Disabling query parameters for POST requests

OAuth2.0 Provider - Bugfixes

  * #670: Fix `validate_authorization_request` to return the new PKCE fields
  * #674: Fix `token_type` to be case-insensitive (`bearer` and `Bearer`)

OAuth2.0 Client - Bugfixes

  * #290: Fix Authorization Code's errors processing
  * #603: BackendApplicationClient.prepare_request_body use the `scope` argument as intended.
  * #672: Fix edge case when `expires_in=Null`

OAuth1.0 Client

  * #669: Add case-insensitive headers to oauth1 `BaseEndpoint`

OAuth1.0

  * #722: Added support for HMAC-SHA512, RSA-SHA256 and RSA-SHA512 signature methods.

3.0.2 (2019-07-04)
------------------
* #650: Fixed space encoding in base string URI used in the signature base string.
* #652: Fixed OIDC /token response which wrongly returned "&state=None"
* #654: Doc: The value `state` must not be stored by the AS, only returned in /authorize response.
* #656: Fixed OIDC "nonce" checks: raise errors when it's mandatory

3.0.1 (2019-01-24)
------------------
* Fixed OAuth2.0 regression introduced in 3.0.0: Revocation with Basic auth no longer possible #644

3.0.0 (2019-01-01)
------------------
OAuth2.0 Provider - outstanding Features

* OpenID Connect Core support
* RFC7662 Introspect support
* RFC8414 OAuth2.0 Authorization Server Metadata support (#605)
* RFC7636 PKCE support (#617 #624)

OAuth2.0 Provider - API/Breaking Changes

* Add "request" to confirm_redirect_uri #504
* confirm_redirect_uri/get_default_redirect_uri has a bit changed #445
* invalid_client is now a FatalError #606
* Changed errors status code from 401 to 400:
 - invalid_grant: #264
 - invalid_scope: #620
 - access_denied/unauthorized_client/consent_required/login_required #623
 - 401 must have WWW-Authenticate HTTP Header set. #623

OAuth2.0 Provider - Bugfixes

* empty scopes no longer raise exceptions for implicit and authorization_code #475 / #406

OAuth2.0 Client - Bugfixes / Changes:

* expires_in in Implicit flow is now an integer #569
* expires is no longer overriding expires_in #506
* parse_request_uri_response is now required #499
* Unknown error=xxx raised by OAuth2 providers was not understood #431
* OAuth2's `prepare_token_request` supports sending an empty string for `client_id` (#585)
* OAuth2's `WebApplicationClient.prepare_request_body` was refactored to better
  support sending or omitting the `client_id` via a new `include_client_id` kwarg.
  By default this is included. The method will also emit a DeprecationWarning if
  a `client_id` parameter is submitted; the already configured `self.client_id`
  is the preferred option. (#585)

OAuth1.0 Client:

* Support for HMAC-SHA256 #498

General fixes:

* $ and ' are allowed to be unencoded in query strings #564
* Request attributes are no longer overridden by HTTP Headers #409
* Removed unnecessary code for handling python2.6
* Add support of python3.7 #621
* Several minors updates to setup.py and tox
* Set pytest as the default unittest framework


2.1.0 (2018-05-21)
------------------

* Fixed some copy and paste typos (#535)
* Use secrets module in Python 3.6 and later (#533)
* Add request argument to confirm_redirect_uri (#504)
* Avoid populating spurious token credentials (#542)
* Make populate attributes API public (#546)

2.0.7 (2018-03-19)
------------------

* Moved oauthlib into new organization on GitHub.
* Include license file in the generated wheel package. (#494)
* When deploying a release to PyPI, include the wheel distribution. (#496)
* Check access token in self.token dict. (#500)
* Added bottle-oauthlib to docs. (#509)
* Update repository location in Travis. (#514)
* Updated docs for organization change. (#515)
* Replace G+ with Gitter. (#517)
* Update requirements. (#518)
* Add shields for Python versions, license and RTD. (#520)
* Fix ReadTheDocs build (#521).
* Fixed "make" command to test upstream with local oauthlib. (#522)
* Replace IRC notification with Gitter Hook. (#523)
* Added Github Releases deploy provider. (#523)

2.0.6 (2017-10-20)
------------------

* 2.0.5 contains breaking changes.

2.0.5 (2017-10-19)
------------------

* Fix OAuth2Error.response_mode for #463.
* Documentation improvement.

2.0.4 (2017-09-17)
------------------
* Fixed typo that caused OAuthlib to crash because of the fix in "Address missing OIDC errors and fix a typo in the AccountSelectionRequired exception".

2.0.3 (2017-09-07)
------------------
* Address missing OIDC errors and fix a typo in the AccountSelectionRequired exception.
* Update proxy keys on CaseInsensitiveDict.update().
* Redirect errors according to OIDC's response_mode.
* Added universal wheel support.
* Added log statements to except clauses.
* According to RC7009 Section 2.1, a client should include authentication credentials when revoking its tokens.
  As discussed in #339, this is not make sense for public clients.
  However, in that case, the public client should still be checked that is in fact a public client (authenticate_client_id).
* Improved prompt parameter validation.
* Added two error codes from RFC 6750.
* Hybrid response types are now be fragment-encoded.
* Added Python 3.6 to Travis CI testing and trove classifiers.
* Fixed BytesWarning issued when using a string placeholder for bytes object.
* Documented PyJWT dependency and improved logging and exception messages.
* Documentation improvements and fixes.

2.0.2 (2017-03-19)
------------------
* Dropped support for Python 2.6, 3.2 & 3.3.
* (FIX) `OpenIDConnector` will no longer raise an AttributeError when calling `openid_authorization_validator()` twice.

2.0.1 (2016-11-23)
------------------
* (FIX) Normalize handling of request.scopes list

2.0.0 (2016-09-03)
------------------
* (New Feature) **OpenID** support.
* Documentation improvements and fixes.

1.1.2 (2016-06-01)
------------------
* (Fix) Query strings should be able to include colons.
* (Fix) Cast body to a string to ensure that we can perform a regex substitution on it.

1.1.1 (2016-05-01)
------------------
* (Enhancement) Better sanitisation of Request objects __repr__.

1.1.0 (2016-04-11)
------------------
* (Fix) '(', ')', '/' and '?' are now safe characters in url encoded strings.
* (Enhancement) Added support for specifying if refresh tokens should be created on authorization code grants.
* (Fix) OAuth2Token now handles None scopes correctly.
* (Fix) Request token is now available for OAuth 1.
* (Enhancement) OAuth2Token is declared with __slots__ for smaller memory footprint.
* (Enhancement) RefreshTokenGrant now allows to set issue_new_refresh_tokens.
* Documentation improvements and fixes.

1.0.3 (2015-08-16)
------------------
* (Fix) Changed the documented return type of the ```invalidate_request_token()``` method from the RSA key to None since nobody is using the return type.
* (Enhancement) Added a validator log that will store what the endpoint has computed for debugging and logging purposes (OAuth 1 only for now).

1.0.2 (2015-08-10)
------------------
* (Fix) Allow client secret to be null for public applications that do not mandate it's specification in the query parameters.
* (Fix) Encode request body before hashing in order to prevent encoding errors in Python 3.

1.0.1 (2015-07-27)
------------------
* (Fix) Added token_type_hint to the list of default Request parameters.

1.0.0 (2015-07-19)
------------------

* (Breaking Change) Replace pycrypto with cryptography from https://cryptography.io
* (Breaking Change) Update jwt to 1.0.0 (which is backwards incompatible) no oauthlib api changes
  were made.
* (Breaking Change) Raise attribute error for non-existing attributes in the Request object.
* (Fix) Strip whitespace off of scope string.
* (Change) Don't require to return the state in the access token response.
* (Change) Hide password in logs.
* (Fix) Fix incorrect invocation of prepare_refresh_body in the OAuth2 client.
* (Fix) Handle empty/non-parsable query strings.
* (Fix) Check if an RSA key is actually needed before requiring it.
* (Change) Allow tuples for list_to_scope as well as sets and lists.
* (Change) Add code to determine if client authentication is required for OAuth2.
* (Fix) Fix error message on invalid Content-Type header for OAtuh1 signing.
* (Fix) Allow ! character in query strings.
* (Fix) OAuth1 now includes the body hash for requests that specify any content-type that isn't x-www-form-urlencoded.
* (Fix) Fixed error description in oauth1 endpoint.
* (Fix) Revocation endpoint for oauth2 will now return an empty string in the response body instead of 'None'.
* Increased test coverage.
* Performance improvements.
* Documentation improvements and fixes.

0.7.2 (2014-11-13)
------------------

* (Quick fix) Unpushed locally modified files got included in the PyPI 0.7.1
  release. Doing a new clean release to address this. Please upgrade quickly
  and report any issues you are running into.

0.7.1 (2014-10-27)
------------------

* (Quick fix) Add oauthlib.common.log object back in for libraries using it.

0.7.0 (2014-10-27)
------------------

* (Change) OAuth2 clients will not raise a Warning on scope change if
  the environment variable ``OAUTHLIB_RELAX_TOKEN_SCOPE`` is set. The token
  will now be available as an attribute on the error, ``error.token``.
  Token changes will now also be announced using blinker.
* (Fix/Feature) Automatic fixes of non-compliant OAuth2 provider responses (e.g. Facebook).
* (Fix) Logging is now tiered (per file) as opposed to logging all under ``oauthlib``.
* (Fix) Error messages should now include a description in their message.
* (Fix/Feature) Optional support for jsonp callbacks after token revocation.
* (Feature) Client side preparation of OAuth 2 token revocation requests.
* (Feature) New OAuth2 client API methods for preparing full requests.
* (Feature) OAuth1 SignatureOnlyEndpoint that only verifies signatures and client IDs.
* (Fix/Feature) Refresh token grant now allow optional refresh tokens.
* (Fix) add missing state param to OAuth2 errors.
* (Fix) add_params_to_uri now properly parse fragment.
* (Fix/Feature) All OAuth1 errors can now be imported from oauthlib.oauth1.
* (Fix/Security) OAuth2 logs will now strip client provided password, if present.
* Allow unescaped @ in urlencoded parameters.

0.6.3 (2014-06-10)
------------------

Quick fix. OAuth 1 client repr in 0.6.2 overwrote secrets when scrubbing for print.

0.6.2 (2014-06-06)
------------------

* Numerous OAuth2 provider errors now suggest a status code of 401 instead
  of 400 (#247.

* Added support for JSON web tokens with oauthlib.common.generate_signed_token.
  Install extra dependency with oauthlib[signedtoken] (#237).

* OAuth2 scopes can be arbitrary objects with __str__ defined (#240).

* OAuth 1 Clients can now register custom signature methods (#239).

* Exposed new method oauthlib.oauth2.is_secure_transport that checks whether
  the given URL is HTTPS. Checks using this method can be disabled by setting
  the environment variable OAUTHLIB_INSECURE_TRANSPORT (#249).

* OAuth1 clients now has __repr__ and will be printed with secrets scrubbed.

* OAuth1 Client.get_oauth_params now takes an oauthlib.Request as an argument.

* urldecode will now raise a much more informative error message on
  incorrectly encoded strings.

* Plenty of typo and other doc fixes.

0.6.1 (2014-01-20)
------------------

Draft revocation endpoint features and numerous fixes including:

* (OAuth 2 Provider) is_within_original_scope to check whether a refresh token
  is trying to acquire a new set of scopes that are a subset of the original scope.

* (OAuth 2 Provider) expires_in token lifetime can be set per request.

* (OAuth 2 Provider) client_authentication_required method added to differentiate
  between public and confidential clients.

* (OAuth 2 Provider) rotate_refresh_token now indicates whether a new refresh
  token should be generated during token refresh or if old should be kept.

* (OAuth 2 Provider) returned JSON headers no longer include charset.

* (OAuth 2 Provider) validate_authorizatoin_request now also includes the
  internal request object in the returned dictionary. Note that this is
  not meant to be relied upon heavily and its interface might change.

* and many style and typo fixes.

0.6.0
-----

OAuth 1 & 2 provider API refactor with breaking changes:

* All endpoint methods change contract to return 3 values instead of 4. The new
  signature is `headers`, `body`, `status code` where the initial `redirect_uri`
  has been relocated to its rightful place inside headers as `Location`.

* OAuth 1 Access Token Endpoint has a new required validator method
  `invalidate_request_token`.

* OAuth 1 Authorization Endpoint now returns a 200 response instead of 302 on
  `oob` callbacks.

0.5.1
-----

OAuth 1 provider fix for incorrect token param in nonce validation.

0.5.0
-----

OAuth 1 provider refactor. OAuth 2 refresh token validation fix.

0.4.2
-----

OAuth 2 draft to RFC. Removed OAuth 2 framework decorators.

0.4.1
-----

Documentation corrections and various small code fixes.

0.4.0
-----

OAuth 2 Provider support (experimental).

0.3.8
-----

OAuth 2 Client now uses custom errors and raise on expire.

0.3.7
-----

OAuth 1 optional encoding of Client.sign return values.

0.3.6
-----

Revert default urlencoding.

0.3.5
-----

Default unicode conversion (utf-8) and urlencoding of input.

0.3.4
-----

A number of small features and bug fixes.

0.3.3
-----

OAuth 1 Provider verify now return useful params.

0.3.2
-----

Fixed #62, all Python 3 tests pass.

0.3.1
-----

Python 3.1, 3.2, 3.3 support (experimental).

0.3.0
-----

Initial OAuth 2 client support.

0.2.1
-----

Exclude non urlencoded bodies during request verification.

0.2.0
-----

OAuth provider support.

0.1.4
-----

Soft dependency on PyCrypto.

0.1.3
-----

Use python-rsa instead of pycrypto.

0.1.1 / 0.1.2
-------------

Fix installation of pycrypto dependency.

0.1.0
-----

OAuth 1 client functionality seems to be working. Hooray!

0.0.x
-----

In the beginning, there was the word.