Skip to content

Bump authlib from 0.14.3 to 0.15.5#388

Closed
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/pip/authlib-0.15.5
Closed

Bump authlib from 0.14.3 to 0.15.5#388
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/pip/authlib-0.15.5

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Oct 18, 2021

Copy link
Copy Markdown
Contributor

Bumps authlib from 0.14.3 to 0.15.5.

Release notes

Sourced from authlib's releases.

Version 0.15.5

  • Make Authlib compatible with latest httpx
  • Make Authlib compatible with latest werkzeug
  • Allow customize RFC7523 alg value

Version 0.15.4

Security fix when JWT claims is None.

For example, JWT payload has iss=None:

{
  "iss": None,
  ...
}

But we need to decode it with claims:

claims_options = {
  'iss': {'essential': True, 'values': ['required']}
}
jwt.decode(token, key, claims_options=claims_options)

It didn't raise an error before this fix.

Version 0.15.3

Fixed .authorize_access_token for OAuth 1.0 services, via lepture/authlib#308

Version 0.15.2

Fixed httpx authentication bug via #283

Version 0.15.1

Backward compitable fix for using JWKs in JWT, via #280.

Version 0.15

This is the last release before v1.0. In this release, we added more RFCs implementations and did some refactors for JOSE:

  • RFC8037: CFRG Elliptic Curve Diffie-Hellman (ECDH) and Signatures in JSON Object Signing and Encryption (JOSE)
  • RFC7638: JSON Web Key (JWK) Thumbprint

We also fixed bugs for integrations:

  • Fixed support for HTTPX>=0.14.3
  • Added OAuth clients of HTTPX back via #270
  • Fixed parallel token refreshes for HTTPX async OAuth 2 client
  • Raise OAuthError when callback contains errors via #275

... (truncated)

Changelog

Sourced from authlib's changelog.

Version 0.15.5

Released on Oct 18, 2021.

  • Make Authlib compatible with latest httpx
  • Make Authlib compatible with latest werkzeug
  • Allow customize RFC7523 alg value

Version 0.15.4

Released on Jul 17, 2021.

  • Security fix when JWT claims is None

Version 0.15.3

Released on Jan 15, 2021.

  • Fixed fetch OAuth 1.0 token bug, via :gh:issue#308.

Version 0.15.2

Released on Oct 18, 2020.

  • Fixed HTTPX authentication bug, via :gh:issue#283.

Version 0.15.1

Released on Oct 14, 2020.

  • Backward compitable fix for using JWKs in JWT, via :gh:issue#280.

Version 0.15

Released on Oct 10, 2020.*

This is the last release before v1.0. In this release, we added more RFCs implementations and did some refactors for JOSE:

  • RFC8037: CFRG Elliptic Curve Diffie-Hellman (ECDH) and Signatures in JSON Object Signing and Encryption (JOSE)
  • RFC7638: JSON Web Key (JWK) Thumbprint

... (truncated)

Commits
  • d8e428c Version bump 0.15.5
  • f249628 Add changelog
  • 38ac0d2 Improve rfc7523 parameters compatibility.
  • e880f16 Rename parameters of InsufficientScopeError
  • afaeaf9 Merge pull request #392 from minddistrict/allow-passing-in-additionl-jwt-headers
  • 38c6444 Merge pull request #333 from jeffsawatzky/maintain-0.15
  • 2ea533c Merge pull request #388 from minddistrict/backport-httpx-oauth2-client-fixes-...
  • fca7f85 fix assertion client for httpx
  • 4d8a6ef Merge pull request #390 from minddistrict/parameterize-signing-algoritm-for-r...
  • 1e511ed Merge pull request #393 from nam3less/maintain-0.15-bugfix-377
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [authlib](https://github.com/lepture/authlib) from 0.14.3 to 0.15.5.
- [Release notes](https://github.com/lepture/authlib/releases)
- [Changelog](https://github.com/lepture/authlib/blob/v0.15.5/docs/changelog.rst)
- [Commits](authlib/authlib@v0.14.3...v0.15.5)

---
updated-dependencies:
- dependency-name: authlib
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Oct 18, 2021
@dependabot @github

dependabot Bot commented on behalf of github Mar 15, 2022

Copy link
Copy Markdown
Contributor Author

Superseded by #414.

@dependabot dependabot Bot closed this Mar 15, 2022
@dependabot dependabot Bot deleted the dependabot/pip/authlib-0.15.5 branch March 15, 2022 21:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file python Pull requests that update Python code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants