python-Authlib/python-Authlib.changes

-------------------------------------------------------------------
Mon Oct 13 08:51:01 UTC 2025 - Nico Krapp <nico.krapp@suse.com>

- Update to 1.6.5 (fixes CVE-2025-61920, bsc#1251921)
  * RFC7591 generate_client_info and generate_client_secret take a request
    parameter.
  * Add size limitation when decode JWS/JWE to prevent DoS.
  * Add size limitation for DEF JWE zip algorithm.
- Update to 1.6.4
  * fix(jose): prevent public/unprotected header overwriting protected header
    by @lepture in #809
  * Fix InsecureTransportError raising by @azmeuk in #810
  * Add conventional-commits pre-commit hook by @azmeuk in #811
  * Fix response_mode=form_post with Starlette client by @azmeuk in #812
  * Specify README.md as project long description by @EpicWink in #817
  * Migrate tests to pytest paradigm by @azmeuk in #813
  * jose/jws: Reject unprotected ‘crit’ and enforce type; add tests
    by @AL-Cybision in #823
  * Use explicit *.test urls in unit tests by @azmeuk in #824
- Update to 1.6.3
  * Add diff-cover check in GHA by @azmeuk in #803
  * Run GHA unit tests with uv by @azmeuk in #805
  * Move from pre-commit to prek by @azmeuk in #804
  * Sign OIDC id_token according to id_token_signed_response_alg client
    metadata by @azmeuk in #802
- Update to 1.6.2
  * Allow insecure transport for 127.0.0.1 for debugging
    by @geigerzaehler in #788
  * Raise a MissingCodeError when code parameter is missing by @lepture in #786
  * Temporarily restore OAuth2Request body parameter by @azmeuk in #791
  * Raise MissingCodeException when code parameter is missing
    by @lepture in #794
  * Fix id_token generation with EdDSA alg by @azmeuk in #800
- Update test requirements

-------------------------------------------------------------------
Tue Aug  5 07:34:40 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>

- Update to 1.6.1
  * Filter key set with additional "alg" and "use" parameters.
- Fix bogus version number in previous changelog entry
- Rename README.rst to README.md in %files section

-------------------------------------------------------------------
Tue Jun  3 06:26:39 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>

- Update to 1.6.0
  * Fix issue when RFC9207 is enabled and the authorization endpoint
    response is not a redirection. pull request #733
  * Fix missing state parameter in authorization error responses.
    issue #525
  * Support for acr and amr claims in id_token. issue #734
  * Support for the none JWS algorithm.
  * Fix response_types strict order during dynamic client
    registration. issue #760
  * Implement RFC9101 The OAuth 2.0 Authorization Framework:
    JWT-Secured Authorization Request (JAR). issue #723
  * OIDC UserInfo endpoint support. issue #459
- Drop 767-skip-xc20p-tests.patch, merged upstream

-------------------------------------------------------------------
Fri May  2 21:29:54 UTC 2025 - Matej Cepl <mcepl@cepl.eu>

- Add 767-skip-xc20p-tests.patch to skip unavailable tests
  (gh#authlib/authlib#456).

-------------------------------------------------------------------
Wed Apr 23 10:49:33 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>

- Update to 1.5.2
  * Forbid fragments in ``redirect_uris``. :issue:`714`
  * Fix invalid characters in ``error_description``. :issue:`720`
  * Add ``claims_cls``` parameter for client's ``parse_id_token``
    method. :issue:`725`

-------------------------------------------------------------------
Mon Apr 14 05:42:44 UTC 2025 - Steve Kowalik <steven.kowalik@suse.com>

- Support both lowercased and unnormalized metadata directory names.

-------------------------------------------------------------------
Wed Mar 26 00:26:31 UTC 2025 - Steve Kowalik <steven.kowalik@suse.com>

- Lowercase metadata directory name.

-------------------------------------------------------------------
Sun Mar 23 21:41:44 UTC 2025 - Dirk Müller <dmueller@suse.com>

- update to 1.5.1:
  * Fix RFC9207 iss parameter.
  * Fix token introspection auth method for clients.
  * Optional typ claim in JWT tokens.
  * JWT validation leeway.
  * Implement server-side :rfc:`RFC9207 <9207>`.
  * generate_id_token can take a kid parameter.
  * More detailed InvalidClientError.
  * OpenID Connect Dynamic Client Registration implementation.

-------------------------------------------------------------------
Thu Feb  6 11:41:00 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>

- Update to 1.4.1
  * Improve garbage collection on OAuth clients. (#698)
  * Fix client parameters for httpx. (#694)

-------------------------------------------------------------------
Fri Jan 24 18:21:06 UTC 2025 - ecsos <ecsos@opensuse.org>

- Update to 1.4.0
  * Fix id_token decoding when kid is null. :pr:`659`
  * Support for Python 3.13. :pr:`682`
  * Force login if the prompt parameter value is login. :pr:`637`
  * Support for httpx 0.28, :pr:`695`
  * Breaking changes:
    - Stop support for Python 3.8. :pr:`682`
- Drop py313-tests.patch, because now in upstream.
- Drop httpx028.patch, because now in upstream.

-------------------------------------------------------------------
Thu Dec 19 13:57:51 UTC 2024 - Markéta Machová <mmachova@suse.com>

- Add httpx028.patch to add compatibility with new httpx

-------------------------------------------------------------------
Thu Oct 31 09:13:27 UTC 2024 - Dirk Müller <dmueller@suse.com>

- add py313-tests.patch
- modernize spec file

-------------------------------------------------------------------
Sat Sep 28 20:03:15 UTC 2024 - Dirk Müller <dmueller@suse.com>

- update to 1.3.2:
  * Prevent ever-growing session size for OAuth clients.
  * Revert quote client id and secret.
  * unquote basic auth header for authorization server.

-------------------------------------------------------------------
Mon Jun 10 11:05:10 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>

- Update to 1.3.1 (CVE-2024-37568, bsc#1226138):
  * Prevent OctKey to import ssh and PEM strings.

-------------------------------------------------------------------
Tue Jan 23 17:10:58 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>

- Remove the file containing a Commercial license otherwise
  licensedigger rejects the dual-licensed package.
  See https://docs.authlib.org/en/latest/community/licenses.html .

-------------------------------------------------------------------
Mon Jan  8 20:58:02 UTC 2024 - Dirk Müller <dmueller@suse.com>

- update to 1.3.0:
  * Restore AuthorizationServer.create_authorization_response
    behavior, via :PR:`558`
  * Include leeway in validate_iat() for JWT, via :PR:`565`
  * Fix encode_client_secret_basic, via :PR:`594`
  * Use single key in JWK if JWS does not specify kid, via
    :PR:`596`
  * Fix error when RFC9068 JWS has no scope field, via :PR:`598`
  * Get werkzeug version using importlib, via :PR:`591`
  * New features:
  * RFC9068 implementation, via :PR:`586`, by @azmeuk.
  * Breaking changes:
  * End support for python 3.7

-------------------------------------------------------------------
Sun Jun 25 18:48:52 UTC 2023 - Dirk Müller <dmueller@suse.com>

- update to 1.2.1:
  * Apply headers in ``ClientSecretJWT.sign`` method
  * Allow falsy but non-None grant uri params
  * Fixed ``authorize_redirect`` for Starlette v0.26.0
  * Removed ``has_client_secret`` method and documentation
  * Removed ``request_invalid`` and ``token_revoked`` remaining
    occurences and documentation.
  * Fixed RFC7591 ``grant_types`` and ``response_types`` default
    values

-------------------------------------------------------------------
Sun Jun 11 14:11:54 UTC 2023 - ecsos <ecsos@opensuse.org>

- Add %{?sle15_python_module_pythons}

-------------------------------------------------------------------
Tue Dec 13 03:19:54 UTC 2022 - Yogalakshmi Arunachalam <yarunachalam@suse.com>

- Update to version 1.2.0
  * Not passing request.body to ResourceProtector, #485.
  * Use flask.g instead of _app_ctx_stack, #482.
  * Add headers parameter back to ClientSecretJWT, #457.
  * Always passing realm parameter in OAuth 1 clients, #339.
  * Implemented RFC7592 Dynamic Client Registration Management Protocol, #505`
  * Add default_timeout for requests OAuth2Session and AssertionSession.
  * Deprecate jwk.loads and jwk.dumps

-------------------------------------------------------------------
Tue Oct 11 23:14:36 UTC 2022 - Yogalakshmi Arunachalam <yarunachalam@suse.com>

- Update to Version 1.1.0
  * This release contains breaking changes and security fixes.
  * Allow to pass claims_options to Framework OpenID Connect clients, via PR#446.
  * Fix .stream with context for HTTPX OAuth clients, via PR#465.
  * Fix Starlette OAuth client for cache store, via PR#478.

-------------------------------------------------------------------
Thu Aug  4 06:30:52 UTC 2022 - Steve Kowalik <steven.kowalik@suse.com>

- Remove unneeded BuildRequires on mock.
- Remove duplicated BuildRequires on pytest.

-------------------------------------------------------------------
Mon May  9 22:06:00 UTC 2022 - Matej Cepl <mcepl@suse.com>

- Fix tests.

-------------------------------------------------------------------
Thu Apr 21 11:29:21 UTC 2022 - Michael Ströder <michael@stroeder.com>

- Update to 1.0.1
  * Fix authenticate_none method, via #438.
  * Allow to pass in alternative signing algorithm to RFC7523 authentication methods via #447.
  * Fix missing_token for Flask OAuth client, via #448.
  * Allow openid in any place of the scope, via #449.
  * Security fix for validating essential value on blank value in JWT, via #445.
- Update to 1.0.0
  * Dropped support for Python 2
  * Removed built-in SQLAlchemy integration.
  * The whole framework client integrations have been restructured

-------------------------------------------------------------------
Tue Nov 16 13:42:27 UTC 2021 - Michael Ströder <michael@stroeder.com>

- Update to 0.15.5
  * Make Authlib compatible with latest httpx
  * Make Authlib compatible with latest werkzeug
  * Allow customize RFC7523 alg value

-------------------------------------------------------------------
Fri Aug 13 11:16:21 UTC 2021 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>

- Update to 0.15.4
  * Security fix when JWT claims is None.

-------------------------------------------------------------------
Mon Aug  9 22:19:38 UTC 2021 - Jan Engelhardt <jengelh@inai.de>

- Drop filler wording from description again.

-------------------------------------------------------------------
Tue Mar 23 11:52:52 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>

- Update to 0.15.3
  https://docs.authlib.org/en/latest/changelog.html#version-0-15-3
  https://docs.authlib.org/en/latest/changelog.html#version-0-15-2
  https://docs.authlib.org/en/latest/changelog.html#version-0-15-1
  https://docs.authlib.org/en/latest/changelog.html#version-0-15

-------------------------------------------------------------------
Wed Aug  5 14:44:15 UTC 2020 - Stasiek Michalski <stasiek@michalski.cc>

- Initial package