commit 76cb9302870a653b0c8842a4f89336629843f77cde6aac0ab0ce26a4bcdcaf79 Author: Markéta Machová Date: Mon Jan 12 09:48:51 2026 +0000 - Update to 1.6.6 (bsc#1256414, CVE-2025-68158) * ``get_jwt_config`` takes a ``client`` parameter, #844. * Fix incorrect signature when ``Content-Type`` is x-www-form-urlencoded for OAuth 1.0 Client, #778. * Use ``expires_in`` in ``OAuth2Token`` when ``expires_at`` is unparsable, #842. * Always track ``state`` in session for OAuth client integrations. OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-Authlib?expand=0&rev=56 diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/authlib-1.6.1.tar.gz b/authlib-1.6.1.tar.gz new file mode 100644 index 0000000..8a1afc9 --- /dev/null +++ b/authlib-1.6.1.tar.gz 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d714698f818fd478161666c319e275f9ffedee3259b9a259360462734c24b5a2 +size 341053 diff --git a/authlib-1.6.5.tar.gz b/authlib-1.6.5.tar.gz new file mode 100644 index 0000000..643b1b1 --- /dev/null +++ b/authlib-1.6.5.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:488ea98a032cb803e3af502cef6db616d76735b631097bc661b2a9dd10db73cc +size 328496 diff --git a/authlib-1.6.6.tar.gz b/authlib-1.6.6.tar.gz new file mode 100644 index 0000000..46556c8 --- /dev/null +++ b/authlib-1.6.6.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0c06b18e667033c3ed5c640bcc52d1bd7d8b285c2babc3e974bbb376b0b0b1c1 +size 329249 diff --git a/python-Authlib.changes b/python-Authlib.changes new file mode 100644 index 0000000..77f6a39 --- /dev/null +++ b/python-Authlib.changes 
@@ -0,0 +1,274 @@ +------------------------------------------------------------------- +Fri Jan 9 08:29:28 UTC 2026 - John Paul Adrian Glaubitz + +- Update to 1.6.6 (bsc#1256414, CVE-2025-68158) + * ``get_jwt_config`` takes a ``client`` parameter, #844. + * Fix incorrect signature when ``Content-Type`` is x-www-form-urlencoded + for OAuth 1.0 Client, #778. + * Use ``expires_in`` in ``OAuth2Token`` when ``expires_at`` is unparsable, #842. + * Always track ``state`` in session for OAuth client integrations. + +------------------------------------------------------------------- +Mon Oct 13 08:51:01 UTC 2025 - Nico Krapp + +- Update to 1.6.5 (fixes CVE-2025-61920, bsc#1251921) + * RFC7591 generate_client_info and generate_client_secret take a request + parameter. + * Add size limitation when decode JWS/JWE to prevent DoS. + * Add size limitation for DEF JWE zip algorithm. +- Update to 1.6.4 + * fix(jose): prevent public/unprotected header overwriting protected header + by @lepture in #809 + * Fix InsecureTransportError raising by @azmeuk in #810 + * Add conventional-commits pre-commit hook by @azmeuk in #811 + * Fix response_mode=form_post with Starlette client by @azmeuk in #812 + * Specify README.md as project long description by @EpicWink in #817 + * Migrate tests to pytest paradigm by @azmeuk in #813 + * jose/jws: Reject unprotected ‘crit’ and enforce type; add tests + by @AL-Cybision in #823 + * Use explicit *.test urls in unit tests by @azmeuk in #824 +- Update to 1.6.3 + * Add diff-cover check in GHA by @azmeuk in #803 + * Run GHA unit tests with uv by @azmeuk in #805 + * Move from pre-commit to prek by @azmeuk in #804 + * Sign OIDC id_token according to id_token_signed_response_alg client + metadata by @azmeuk in #802 +- Update to 1.6.2 + * Allow insecure transport for 127.0.0.1 for debugging + by @geigerzaehler in #788 + * Raise a MissingCodeError when code parameter is missing by @lepture in #786 + * Temporarily restore OAuth2Request body parameter by @azmeuk 
in #791 + * Raise MissingCodeException when code parameter is missing + by @lepture in #794 + * Fix id_token generation with EdDSA alg by @azmeuk in #800 +- Update test requirements + +------------------------------------------------------------------- +Tue Aug 5 07:34:40 UTC 2025 - John Paul Adrian Glaubitz + +- Update to 1.6.1 + * Filter key set with additional "alg" and "use" parameters. +- Fix bogus version number in previous changelog entry +- Rename README.rst to README.md in %files section + +------------------------------------------------------------------- +Tue Jun 3 06:26:39 UTC 2025 - John Paul Adrian Glaubitz + +- Update to 1.6.0 + * Fix issue when RFC9207 is enabled and the authorization endpoint + response is not a redirection. pull request #733 + * Fix missing state parameter in authorization error responses. + issue #525 + * Support for acr and amr claims in id_token. issue #734 + * Support for the none JWS algorithm. + * Fix response_types strict order during dynamic client + registration. issue #760 + * Implement RFC9101 The OAuth 2.0 Authorization Framework: + JWT-Secured Authorization Request (JAR). issue #723 + * OIDC UserInfo endpoint support. issue #459 +- Drop 767-skip-xc20p-tests.patch, merged upstream + +------------------------------------------------------------------- +Fri May 2 21:29:54 UTC 2025 - Matej Cepl + +- Add 767-skip-xc20p-tests.patch to skip unavailable tests + (gh#authlib/authlib#456). + +------------------------------------------------------------------- +Wed Apr 23 10:49:33 UTC 2025 - John Paul Adrian Glaubitz + +- Update to 1.5.2 + * Forbid fragments in ``redirect_uris``. :issue:`714` + * Fix invalid characters in ``error_description``. :issue:`720` + * Add ``claims_cls``` parameter for client's ``parse_id_token`` + method. 
:issue:`725` + +------------------------------------------------------------------- +Mon Apr 14 05:42:44 UTC 2025 - Steve Kowalik + +- Support both lowercased and unnormalized metadata directory names. + +------------------------------------------------------------------- +Wed Mar 26 00:26:31 UTC 2025 - Steve Kowalik + +- Lowercase metadata directory name. + +------------------------------------------------------------------- +Sun Mar 23 21:41:44 UTC 2025 - Dirk Müller + +- update to 1.5.1: + * Fix RFC9207 iss parameter. + * Fix token introspection auth method for clients. + * Optional typ claim in JWT tokens. + * JWT validation leeway. + * Implement server-side :rfc:`RFC9207 <9207>`. + * generate_id_token can take a kid parameter. + * More detailed InvalidClientError. + * OpenID Connect Dynamic Client Registration implementation. + +------------------------------------------------------------------- +Thu Feb 6 11:41:00 UTC 2025 - John Paul Adrian Glaubitz + +- Update to 1.4.1 + * Improve garbage collection on OAuth clients. (#698) + * Fix client parameters for httpx. (#694) + +------------------------------------------------------------------- +Fri Jan 24 18:21:06 UTC 2025 - ecsos + +- Update to 1.4.0 + * Fix id_token decoding when kid is null. :pr:`659` + * Support for Python 3.13. :pr:`682` + * Force login if the prompt parameter value is login. :pr:`637` + * Support for httpx 0.28, :pr:`695` + * Breaking changes: + - Stop support for Python 3.8. :pr:`682` +- Drop py313-tests.patch, because now in upstream. +- Drop httpx028.patch, because now in upstream. 
+ +------------------------------------------------------------------- +Thu Dec 19 13:57:51 UTC 2024 - Markéta Machová + +- Add httpx028.patch to add compatibility with new httpx + +------------------------------------------------------------------- +Thu Oct 31 09:13:27 UTC 2024 - Dirk Müller + +- add py313-tests.patch +- modernize spec file + +------------------------------------------------------------------- +Sat Sep 28 20:03:15 UTC 2024 - Dirk Müller + +- update to 1.3.2: + * Prevent ever-growing session size for OAuth clients. + * Revert quote client id and secret. + * unquote basic auth header for authorization server. + +------------------------------------------------------------------- +Mon Jun 10 11:05:10 UTC 2024 - Daniel Garcia + +- Update to 1.3.1 (CVE-2024-37568, bsc#1226138): + * Prevent OctKey to import ssh and PEM strings. + +------------------------------------------------------------------- +Tue Jan 23 17:10:58 UTC 2024 - Antonio Larrosa + +- Remove the file containing a Commercial license otherwise + licensedigger rejects the dual-licensed package. + See https://docs.authlib.org/en/latest/community/licenses.html . + +------------------------------------------------------------------- +Mon Jan 8 20:58:02 UTC 2024 - Dirk Müller + +- update to 1.3.0: + * Restore AuthorizationServer.create_authorization_response + behavior, via :PR:`558` + * Include leeway in validate_iat() for JWT, via :PR:`565` + * Fix encode_client_secret_basic, via :PR:`594` + * Use single key in JWK if JWS does not specify kid, via + :PR:`596` + * Fix error when RFC9068 JWS has no scope field, via :PR:`598` + * Get werkzeug version using importlib, via :PR:`591` + * New features: + * RFC9068 implementation, via :PR:`586`, by @azmeuk. 
+ * Breaking changes: + * End support for python 3.7 + +------------------------------------------------------------------- +Sun Jun 25 18:48:52 UTC 2023 - Dirk Müller + +- update to 1.2.1: + * Apply headers in ``ClientSecretJWT.sign`` method + * Allow falsy but non-None grant uri params + * Fixed ``authorize_redirect`` for Starlette v0.26.0 + * Removed ``has_client_secret`` method and documentation + * Removed ``request_invalid`` and ``token_revoked`` remaining + occurences and documentation. + * Fixed RFC7591 ``grant_types`` and ``response_types`` default + values + +------------------------------------------------------------------- +Sun Jun 11 14:11:54 UTC 2023 - ecsos + +- Add %{?sle15_python_module_pythons} + +------------------------------------------------------------------- +Tue Dec 13 03:19:54 UTC 2022 - Yogalakshmi Arunachalam + +- Update to version 1.2.0 + * Not passing request.body to ResourceProtector, #485. + * Use flask.g instead of _app_ctx_stack, #482. + * Add headers parameter back to ClientSecretJWT, #457. + * Always passing realm parameter in OAuth 1 clients, #339. + * Implemented RFC7592 Dynamic Client Registration Management Protocol, #505` + * Add default_timeout for requests OAuth2Session and AssertionSession. + * Deprecate jwk.loads and jwk.dumps + +------------------------------------------------------------------- +Tue Oct 11 23:14:36 UTC 2022 - Yogalakshmi Arunachalam + +- Update to Version 1.1.0 + * This release contains breaking changes and security fixes. + * Allow to pass claims_options to Framework OpenID Connect clients, via PR#446. + * Fix .stream with context for HTTPX OAuth clients, via PR#465. + * Fix Starlette OAuth client for cache store, via PR#478. + +------------------------------------------------------------------- +Thu Aug 4 06:30:52 UTC 2022 - Steve Kowalik + +- Remove unneeded BuildRequires on mock. +- Remove duplicated BuildRequires on pytest. 
+ +------------------------------------------------------------------- +Mon May 9 22:06:00 UTC 2022 - Matej Cepl + +- Fix tests. + +------------------------------------------------------------------- +Thu Apr 21 11:29:21 UTC 2022 - Michael Ströder + +- Update to 1.0.1 + * Fix authenticate_none method, via #438. + * Allow to pass in alternative signing algorithm to RFC7523 authentication methods via #447. + * Fix missing_token for Flask OAuth client, via #448. + * Allow openid in any place of the scope, via #449. + * Security fix for validating essential value on blank value in JWT, via #445. +- Update to 1.0.0 + * Dropped support for Python 2 + * Removed built-in SQLAlchemy integration. + * The whole framework client integrations have been restructured + +------------------------------------------------------------------- +Tue Nov 16 13:42:27 UTC 2021 - Michael Ströder + +- Update to 0.15.5 + * Make Authlib compatible with latest httpx + * Make Authlib compatible with latest werkzeug + * Allow customize RFC7523 alg value + +------------------------------------------------------------------- +Fri Aug 13 11:16:21 UTC 2021 - John Paul Adrian Glaubitz + +- Update to 0.15.4 + * Security fix when JWT claims is None. + +------------------------------------------------------------------- +Mon Aug 9 22:19:38 UTC 2021 - Jan Engelhardt + +- Drop filler wording from description again. + +------------------------------------------------------------------- +Tue Mar 23 11:52:52 UTC 2021 - Marcus Rueckert + +- Update to 0.15.3 + https://docs.authlib.org/en/latest/changelog.html#version-0-15-3 + https://docs.authlib.org/en/latest/changelog.html#version-0-15-2 + https://docs.authlib.org/en/latest/changelog.html#version-0-15-1 + https://docs.authlib.org/en/latest/changelog.html#version-0-15 + +------------------------------------------------------------------- +Wed Aug 5 14:44:15 UTC 2020 - Stasiek Michalski + +- Initial package + 
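Review bot: the 1.6.6 and 1.6.5 entries each cite a CVE and a bsc# but neither says which of the listed bullets is the security fix, which is what anyone reading `rpm -q --changelog` during triage needs; please name the fixing bullet next to the CVE in both entries. Two smaller points in the same hunk: the 1.5.2 entry has an unbalanced literal (``claims_cls``` with three closing backticks), and the May 2 2025 entry references gh#authlib/authlib#456 while the spec's %check comment refers to the same issue as gh#lepture/authlib#456; pick one repository name and use it in both files.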
diff --git a/python-Authlib.spec b/python-Authlib.spec new file mode 100644 index 0000000..e6d6cb6 --- /dev/null +++ b/python-Authlib.spec 
@@ -0,0 +1,91 @@ +# +# spec file for package python-Authlib +# +# Copyright (c) 2026 SUSE LLC and contributors +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +%define modname authlib +%{?sle15_python_module_pythons} +Name: python-Authlib +Version: 1.6.6 +Release: 0 +Summary: Python library for building OAuth and OpenID Connect servers +License: BSD-3-Clause +URL: https://authlib.org/ +Source: https://github.com/lepture/%{modname}/archive/refs/tags/v%{version}.tar.gz#/%{modname}-%{version}.tar.gz +BuildRequires: %{python_module base >= 3.9} +BuildRequires: %{python_module pip} +BuildRequires: %{python_module setuptools} +BuildRequires: %{python_module wheel} +BuildRequires: python-rpm-macros +# SECTION test requirements +BuildRequires: %{python_module anyio} +BuildRequires: %{python_module Django} +BuildRequires: %{python_module Flask-SQLAlchemy} +BuildRequires: %{python_module Flask} +BuildRequires: %{python_module SQLAlchemy} +BuildRequires: %{python_module Werkzeug} +BuildRequires: %{python_module cachelib} +BuildRequires: %{python_module cryptography} +BuildRequires: %{python_module httpx} +BuildRequires: %{python_module pytest-asyncio} +BuildRequires: %{python_module pytest-django} +BuildRequires: %{python_module pytest} +BuildRequires: %{python_module python-multipart} +BuildRequires: %{python_module requests} +BuildRequires: %{python_module starlette} +BuildRequires: 
%{python_module typing_extensions} +# /SECTION +BuildRequires: fdupes +Requires: python-cryptography +Suggests: python-requests +BuildArch: noarch +%python_subpackages + +%description +A Python library for building OAuth and OpenID Connect servers. + +%prep +%autosetup -p1 -n %{modname}-%{version} +# Remove the file containing the commercial license so licensedigger +# doesn't complain about the dual license +rm COMMERCIAL-LICENSE + +%build +%pyproject_wheel + +%install +%pyproject_install +%python_expand %fdupes %{buildroot}%{$python_sitelib} + +%check +%{python_expand export PYTHONPATH=%{buildroot}%{$python_sitelib} PYTHONDONTWRITEBYTECODE=1 +$python -mpytest tests/core +$python -mpytest tests/flask +# gh#lepture/authlib#456 +# $python -mpytest tests/jose -k 'not (test_dir_alg_xc20p or test_xc20p_content_encryption_decryption)' +$python -mpytest tests/jose +export DJANGO_SETTINGS_MODULE=tests.django_settings +$python -mpytest tests/clients +$python -mpytest tests/django +} + +%files %{python_files} +%doc README.md +%license LICENSE +%{python_sitelib}/%{modname} +%{python_sitelib}/[Aa]uthlib-%{version}.dist-info + +%changelog
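Review bot: three LFS pointers are added (authlib-1.6.1.tar.gz, authlib-1.6.5.tar.gz, authlib-1.6.6.tar.gz) but the spec's Source line only ever resolves to %{modname}-%{version}.tar.gz with Version 1.6.6, so the 1.6.1 and 1.6.5 tarballs are dead weight and, for reviewers, noise when checking which sha256 oid actually feeds the build; drop them with `osc rm` so the package carries exactly one source archive whose oid can be checked against upstream.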
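Review bot: the %check section still carries the dead lines `# gh#lepture/authlib#456` and `# $python -mpytest tests/jose -k 'not (test_dir_alg_xc20p or test_xc20p_content_encryption_decryption)'` even though the .changes entry for 1.6.0 says 767-skip-xc20p-tests.patch was dropped as merged upstream and the live line below runs `tests/jose` unfiltered; remove the two stale lines. Also in this hunk: Source fetches the GitHub-generated tag archive from `https://github.com/lepture/%{modname}/archive/refs/tags/v%{version}.tar.gz`, while the .changes file refers to the project as authlib/authlib; since a generated tag archive is not a release artifact, consider pointing Source at the upstream-published sdist (or at least the same organisation name) so the recorded sha256 corresponds to something upstream actually ships. Finally, Summary and %description say "servers" only, yet the package ships the OAuth 1.0/2.0 client integrations (hence `Suggests: python-requests` and the `tests/clients` run), and the commit message's own bullets are client fixes; say "clients and servers" so users looking for the client side find it.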
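The commit message's last bullet, "Always track state in session for OAuth client integrations", is the security-relevant change in this update for anyone using Authlib's client side. The block below is an added illustration, not Authlib's code and not taken from this package, of what that tracking buys an OAuth 2.0 authorization-code client: a fresh unguessable `state` is stored in the user's server-side session before the redirect, and a callback whose `state` is absent, mismatched or already consumed is refused (RFC 6749 section 10.12, login CSRF). The endpoint URLs, the client_id, the session key name and the dict-backed session are constructed for the demonstration.

```python
# Added example (not Authlib's own code): why an OAuth 2.0 client must keep
# `state` in the session and check it on every callback.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://as.example.test/authorize"   # constructed, not a real server
CLIENT_ID = "demo-client"                             # constructed
REDIRECT_URI = "https://app.example.test/callback"    # constructed
SESSION_KEY = "_oauth_state"                          # assumed session key name


class StateMismatch(Exception):
    """Callback `state` is missing, wrong, or has already been used."""


def create_authorization_url(session: dict) -> str:
    """Generate `state`, remember it in the caller's session, build the redirect."""
    state = secrets.token_urlsafe(32)
    session[SESSION_KEY] = state   # server-side; the browser only carries it in the URL
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(session: dict, callback_url: str) -> str:
    """Validate `state` against the session, then return the authorization code."""
    query = parse_qs(urlsplit(callback_url).query)
    expected = session.pop(SESSION_KEY, None)   # single use: consumed even on failure
    received = query.get("state", [None])[0]
    if expected is None or received is None:
        raise StateMismatch("no state in session or in callback")
    # Compare as bytes in constant time; a non-ASCII `state` from the URL would
    # otherwise make compare_digest raise TypeError instead of failing cleanly.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        raise StateMismatch("callback state does not match the session")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return query["code"][0]


def demonstrate() -> dict:
    """Run the honest flow plus two attacks; report the outcome of each."""
    results = {}

    # 1. Honest flow: the state issued to this session comes back unchanged.
    session = {}
    issued = parse_qs(urlsplit(create_authorization_url(session)).query)["state"][0]
    results["honest"] = parse_callback(
        session, f"{REDIRECT_URI}?code=good-code&state={issued}"
    )

    # 2. Login CSRF: the attacker makes the victim's browser load a callback that
    #    carries the attacker's code and a state the victim's session never issued.
    victim = {}
    create_authorization_url(victim)
    try:
        parse_callback(victim, f"{REDIRECT_URI}?code=attacker-code&state=attacker-state")
        results["csrf"] = "accepted"
    except StateMismatch:
        results["csrf"] = "rejected"

    # 3. Replay: the honest callback arrives a second time after its state was consumed.
    try:
        parse_callback(session, f"{REDIRECT_URI}?code=good-code&state={issued}")
        results["replay"] = "accepted"
    except StateMismatch:
        results["replay"] = "rejected"
    return results


if __name__ == "__main__":
    print(demonstrate())
```

The design point is that the check only works if the expected value lives somewhere the attacker cannot write: a session the server controls. A client that skips storing `state` for some flows, or accepts a callback when no `state` was stored, gives an attacker a way to log the victim into the attacker's account with a forged callback, which is exactly the case the "always track" wording rules out.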