Accepting request 1311065 from devel:languages:python

- Update to 1.6.5 (fixes CVE-2025-61920, bsc#1251921)
  * RFC7591 generate_client_info and generate_client_secret take a request
    parameter.
  * Add size limitation when decode JWS/JWE to prevent DoS.
  * Add size limitation for DEF JWE zip algorithm.
- Update to 1.6.4
  * fix(jose): prevent public/unprotected header overwriting protected header
    by @lepture in #809
  * Fix InsecureTransportError raising by @azmeuk in #810
  * Add conventional-commits pre-commit hook by @azmeuk in #811
  * Fix response_mode=form_post with Starlette client by @azmeuk in #812
  * Specify README.md as project long description by @EpicWink in #817
  * Migrate tests to pytest paradigm by @azmeuk in #813
  * jose/jws: Reject unprotected ‘crit’ and enforce type; add tests
    by @AL-Cybision in #823
  * Use explicit *.test urls in unit tests by @azmeuk in #824
- Update to 1.6.3
  * Add diff-cover check in GHA by @azmeuk in #803
  * Run GHA unit tests with uv by @azmeuk in #805
  * Move from pre-commit to prek by @azmeuk in #804
  * Sign OIDC id_token according to id_token_signed_response_alg client
    metadata by @azmeuk in #802
- Update to 1.6.2
  * Allow insecure transport for 127.0.0.1 for debugging
    by @geigerzaehler in #788
  * Raise a MissingCodeError when code parameter is missing by @lepture in #786
  * Temporarily restore OAuth2Request body parameter by @azmeuk in #791
  * Raise MissingCodeException when code parameter is missing
    by @lepture in #794
  * Fix id_token generation with EdDSA alg by @azmeuk in #800
- Update test requirements (forwarded request 1311035 from nkrapp)

OBS-URL: https://build.opensuse.org/request/show/1311065
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-Authlib?expand=0&rev=26

767-skip-xc20p-tests.patch

@@ -1,39 +0,0 @@
-From 8f823db3fe552b8337cce1eb4ec4207411c63d0b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?=C3=89loi=20Rivard?= <eloi@yaal.coop>
-Date: Thu, 1 May 2025 10:04:21 +0200
-Subject: [PATCH] fix: skip xc20p unit tests when unavailable in cryptodome
-
----
- tests/jose/test_chacha20.py |    6 ++++++
- 1 file changed, 6 insertions(+)
-
-Index: authlib-1.5.2/tests/jose/test_chacha20.py
-===================================================================
---- authlib-1.5.2.orig/tests/jose/test_chacha20.py	2025-04-02 12:30:25.000000000 +0200
-+++ authlib-1.5.2/tests/jose/test_chacha20.py	2025-05-02 18:21:41.958090585 +0200
-@@ -1,5 +1,7 @@
- import unittest
- 
-+import pytest
-+
- from authlib.jose import JsonWebEncryption
- from authlib.jose import OctKey
- from authlib.jose.drafts import register_jwe_draft
-@@ -22,6 +24,8 @@
-         self.assertRaises(ValueError, jwe.serialize_compact, protected, b"hello", key2)
- 
-     def test_dir_alg_xc20p(self):
-+        pytest.importorskip("Cryptodome.Cipher.ChaCha20_Poly1305")
-+
-         jwe = JsonWebEncryption()
-         key = OctKey.generate_key(256, is_private=True)
-         protected = {"alg": "dir", "enc": "XC20P"}
-@@ -35,6 +39,8 @@
-         self.assertRaises(ValueError, jwe.serialize_compact, protected, b"hello", key2)
- 
-     def test_xc20p_content_encryption_decryption(self):
-+        pytest.importorskip("Cryptodome.Cipher.ChaCha20_Poly1305")
-+
-         # https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha-03#appendix-A.3.1
-         enc = JsonWebEncryption.ENC_REGISTRY["XC20P"]
- 

CVE-2025-68158.patch

@@ -1,149 +0,0 @@
-From 2808378611dd6fb2532b189a9087877d8f0c0489 Mon Sep 17 00:00:00 2001
-From: Hsiaoming Yang <me@lepture.com>
-Date: Fri, 12 Dec 2025 16:37:44 +0900
-Subject: [PATCH] Merge commit from fork
-
----
- .../base_client/framework_integration.py      | 25 +++++-----
- tests/clients/test_flask/test_oauth_client.py | 49 +++++++++++++++++--
- 2 files changed, 59 insertions(+), 15 deletions(-)
-
-Index: authlib-1.5.2/authlib/integrations/base_client/framework_integration.py
-===================================================================
---- authlib-1.5.2.orig/authlib/integrations/base_client/framework_integration.py
-+++ authlib-1.5.2/authlib/integrations/base_client/framework_integration.py
-@@ -20,11 +20,9 @@ class FrameworkIntegration:
- 
-     def _clear_session_state(self, session):
-         now = time.time()
-+        prefix = f"_state_{self.name}"
-         for key in dict(session):
--            if "_authlib_" in key:
--                # TODO: remove in future
--                session.pop(key)
--            elif key.startswith("_state_"):
-+            if key.startswith(prefix):
-                 value = session[key]
-                 exp = value.get("exp")
-                 if not exp or exp < now:
-@@ -32,29 +30,32 @@ class FrameworkIntegration:
- 
-     def get_state_data(self, session, state):
-         key = f"_state_{self.name}_{state}"
-+        session_data = session.get(key)
-+        if not session_data:
-+            return None
-         if self.cache:
--            value = self._get_cache_data(key)
-+            cached_value = self._get_cache_data(key)
-         else:
--            value = session.get(key)
--        if value:
--            return value.get("data")
-+            cached_value = session_data
-+        if cached_value:
-+            return cached_value.get("data")
-         return None
- 
-     def set_state_data(self, session, state, data):
-         key = f"_state_{self.name}_{state}"
-+        now = time.time()
-         if self.cache:
-             self.cache.set(key, json.dumps({"data": data}), self.expires_in)
-+            session[key] = {"exp": now + self.expires_in}
-         else:
--            now = time.time()
-             session[key] = {"data": data, "exp": now + self.expires_in}
- 
-     def clear_state_data(self, session, state):
-         key = f"_state_{self.name}_{state}"
-         if self.cache:
-             self.cache.delete(key)
--        else:
--            session.pop(key, None)
--            self._clear_session_state(session)
-+        session.pop(key, None)
-+        self._clear_session_state(session)
- 
-     def update_token(self, token, refresh_token=None, access_token=None):
-         raise NotImplementedError()
-Index: authlib-1.5.2/tests/clients/test_flask/test_oauth_client.py
-===================================================================
---- authlib-1.5.2.orig/tests/clients/test_flask/test_oauth_client.py
-+++ authlib-1.5.2/tests/clients/test_flask/test_oauth_client.py
-@@ -143,9 +143,13 @@ class FlaskOAuthTest(TestCase):
-                 self.assertEqual(resp.status_code, 302)
-                 url = resp.headers.get("Location")
-                 self.assertIn("oauth_token=foo", url)
-+                session_data = session["_state_dev_foo"]
-+                assert "exp" in session_data
-+                assert "data" not in session_data
- 
-         with app.test_request_context("/?oauth_token=foo"):
-             with mock.patch("requests.sessions.Session.send") as send:
-+                session["_state_dev_foo"] = session_data
-                 send.return_value = mock_send_value(
-                     "oauth_token=a&oauth_token_secret=b"
-                 )
-@@ -203,7 +207,44 @@ class FlaskOAuthTest(TestCase):
-         session = oauth.dev._get_oauth_client()
-         self.assertIsNotNone(session.update_token)
- 
--    def test_oauth2_authorize(self):
-+    def test_oauth2_authorize_cache(self):
-+        app = Flask(__name__)
-+        app.secret_key = "!"
-+        cache = SimpleCache()
-+        oauth = OAuth(app, cache=cache)
-+        client = oauth.register(
-+            "dev",
-+            client_id="dev",
-+            client_secret="dev",
-+            api_base_url="https://resource.test/api",
-+            access_token_url="https://provider.test/token",
-+            authorize_url="https://provider.test/authorize",
-+        )
-+        with app.test_request_context():
-+            resp = client.authorize_redirect("https://client.test/callback")
-+            assert resp.status_code == 302
-+            url = resp.headers.get("Location")
-+            assert "state=" in url
-+            state = dict(url_decode(urlparse.urlparse(url).query))["state"]
-+            assert state is not None
-+            session_data = session[f"_state_dev_{state}"]
-+            assert "exp" in session_data
-+            assert "data" not in session_data
-+
-+        with app.test_request_context(path=f"/?code=a&state={state}"):
-+            # session is cleared in tests
-+            session[f"_state_dev_{state}"] = session_data
-+
-+            with mock.patch("requests.sessions.Session.send") as send:
-+                send.return_value = mock_send_value(get_bearer_token())
-+                token = client.authorize_access_token()
-+                assert token["access_token"] == "a"
-+
-+        with app.test_request_context():
-+            assert client.token is None
-+
-+
-+    def test_oauth2_authorize_session(self):
-         app = Flask(__name__)
-         app.secret_key = "!"
-         oauth = OAuth(app)
-@@ -223,11 +264,12 @@ class FlaskOAuthTest(TestCase):
-             self.assertIn("state=", url)
-             state = dict(url_decode(urlparse.urlparse(url).query))["state"]
-             self.assertIsNotNone(state)
--            data = session[f"_state_dev_{state}"]
--
-+            session_data = session[f"_state_dev_{state}"]
-+            assert "exp" in session_data
-+            assert "data" in session_data
-         with app.test_request_context(path=f"/?code=a&state={state}"):
-             # session is cleared in tests
--            session[f"_state_dev_{state}"] = data
-+            session[f"_state_dev_{state}"] = session_data
- 
-             with mock.patch("requests.sessions.Session.send") as send:
-                 send.return_value = mock_send_value(get_bearer_token())

authlib-1.5.2.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6f94a1259f69645d6d6c4ecf9a8f32a9c3e2b2d2e6b8163cc90bc0e4a7245939
-size 331162

authlib-1.6.5.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:488ea98a032cb803e3af502cef6db616d76735b631097bc661b2a9dd10db73cc
+size 328496

python-Authlib.changes

@@ -1,9 +1,62 @@
 -------------------------------------------------------------------
-Wed Feb 18 13:28:57 UTC 2026 - Nico Krapp <nico.krapp@suse.com>
+Mon Oct 13 08:51:01 UTC 2025 - Nico Krapp <nico.krapp@suse.com>
 
-- CVE-2025-68158: 1-click account takeover in applications that use
-  the Authlib library (bsc#1256414)
-  * added CVE-2025-68158.patch
+- Update to 1.6.5 (fixes CVE-2025-61920, bsc#1251921)
+  * RFC7591 generate_client_info and generate_client_secret take a request
+    parameter.
+  * Add size limitation when decode JWS/JWE to prevent DoS.
+  * Add size limitation for DEF JWE zip algorithm.
+- Update to 1.6.4
+  * fix(jose): prevent public/unprotected header overwriting protected header
+    by @lepture in #809
+  * Fix InsecureTransportError raising by @azmeuk in #810
+  * Add conventional-commits pre-commit hook by @azmeuk in #811
+  * Fix response_mode=form_post with Starlette client by @azmeuk in #812
+  * Specify README.md as project long description by @EpicWink in #817
+  * Migrate tests to pytest paradigm by @azmeuk in #813
+  * jose/jws: Reject unprotected ‘crit’ and enforce type; add tests
+    by @AL-Cybision in #823
+  * Use explicit *.test urls in unit tests by @azmeuk in #824
+- Update to 1.6.3
+  * Add diff-cover check in GHA by @azmeuk in #803
+  * Run GHA unit tests with uv by @azmeuk in #805
+  * Move from pre-commit to prek by @azmeuk in #804
+  * Sign OIDC id_token according to id_token_signed_response_alg client
+    metadata by @azmeuk in #802
+- Update to 1.6.2
+  * Allow insecure transport for 127.0.0.1 for debugging
+    by @geigerzaehler in #788
+  * Raise a MissingCodeError when code parameter is missing by @lepture in #786
+  * Temporarily restore OAuth2Request body parameter by @azmeuk in #791
+  * Raise MissingCodeException when code parameter is missing
+    by @lepture in #794
+  * Fix id_token generation with EdDSA alg by @azmeuk in #800
+- Update test requirements
+
+-------------------------------------------------------------------
+Tue Aug  5 07:34:40 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to 1.6.1
+  * Filter key set with additional "alg" and "use" parameters.
+- Fix bogus version number in previous changelog entry
+- Rename README.rst to README.md in %files section
+
+-------------------------------------------------------------------
+Tue Jun  3 06:26:39 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to 1.6.0
+  * Fix issue when RFC9207 is enabled and the authorization endpoint
+    response is not a redirection. pull request #733
+  * Fix missing state parameter in authorization error responses.
+    issue #525
+  * Support for acr and amr claims in id_token. issue #734
+  * Support for the none JWS algorithm.
+  * Fix response_types strict order during dynamic client
+    registration. issue #760
+  * Implement RFC9101 The OAuth 2.0 Authorization Framework:
+    JWT-Secured Authorization Request (JAR). issue #723
+  * OIDC UserInfo endpoint support. issue #459
+- Drop 767-skip-xc20p-tests.patch, merged upstream
 
 -------------------------------------------------------------------
 Fri May  2 21:29:54 UTC 2025 - Matej Cepl <mcepl@cepl.eu>

python-Authlib.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python-Authlib
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,17 +19,12 @@
 %define modname authlib
 %{?sle15_python_module_pythons}
 Name:           python-Authlib
-Version:        1.5.2
+Version:        1.6.5
 Release:        0
 Summary:        Python library for building OAuth and OpenID Connect servers
 License:        BSD-3-Clause
 URL:            https://authlib.org/
 Source:         https://github.com/lepture/%{modname}/archive/refs/tags/v%{version}.tar.gz#/%{modname}-%{version}.tar.gz
-# PATCH-FIX-UPSTREAM 767-skip-xc20p-tests.patch bsc#[0-9]+ mcepl@suse.com
-# skip unavailable tests
-Patch0:         767-skip-xc20p-tests.patch
-# PATCH-FIX-UPSTREAM CVE-2025-68158.patch bsc#1256414
-Patch1:         CVE-2025-68158.patch
 BuildRequires:  %{python_module base >= 3.9}
 BuildRequires:  %{python_module pip}
 BuildRequires:  %{python_module setuptools}
@@ -46,7 +41,9 @@ BuildRequires:  %{python_module cachelib}
 BuildRequires:  %{python_module cryptography}
 BuildRequires:  %{python_module httpx}
 BuildRequires:  %{python_module pytest-asyncio}
+BuildRequires:  %{python_module pytest-django}
 BuildRequires:  %{python_module pytest}
+BuildRequires:  %{python_module python-multipart}
 BuildRequires:  %{python_module requests}
 BuildRequires:  %{python_module starlette}
 BuildRequires:  %{python_module typing_extensions}
@@ -80,14 +77,13 @@ $python -mpytest tests/flask
 # gh#lepture/authlib#456
 # $python -mpytest tests/jose -k 'not (test_dir_alg_xc20p or test_xc20p_content_encryption_decryption)'
 $python -mpytest tests/jose
-export DJANGO_SETTINGS_MODULE=tests.clients.test_django.settings
+export DJANGO_SETTINGS_MODULE=tests.django_settings
 $python -mpytest tests/clients
-# export DJANGO_SETTINGS_MODULE=tests.django.settings
-# $python -mpytest tests/django
+$python -mpytest tests/django
 }
 
 %files %{python_files}
-%doc README.rst
+%doc README.md
 %license LICENSE
 %{python_sitelib}/%{modname}
 %{python_sitelib}/[Aa]uthlib-%{version}.dist-info