Authlib 1.6.3__py2.py3-none-any.whl → 1.6.5__py2.py3-none-any.whl

authlib/consts.py

@@ -1,5 +1,5 @@
 name = "Authlib"
-version = "1.6.3"
+version = "1.6.5"
 author = "Hsiaoming Yang <me@lepture.com>"
 homepage = "https://authlib.org"
 default_user_agent = f"{name}/{version} (+{homepage})"

authlib/integrations/django_oauth2/authorization_server.py

@@ -24,11 +24,15 @@ class AuthorizationServer(_AuthorizationServer):
     """
 
     def __init__(self, client_model, token_model):
-        self.config = getattr(settings, "AUTHLIB_OAUTH2_PROVIDER", {})
+        super().__init__()
         self.client_model = client_model
         self.token_model = token_model
+        self.load_config(getattr(settings, "AUTHLIB_OAUTH2_PROVIDER", {}))
+
+    def load_config(self, config):
+        self.config = config
         scopes_supported = self.config.get("scopes_supported")
-        super().__init__(scopes_supported=scopes_supported)
+        self.scopes_supported = scopes_supported
         # add default token generator
         self.register_token_generator("default", self.create_bearer_token_generator())
 

authlib/integrations/flask_oauth2/authorization_server.py

@@ -53,12 +53,14 @@ class AuthorizationServer(_AuthorizationServer):
             self._query_client = query_client
         if save_token is not None:
             self._save_token = save_token
+        self.load_config(app.config)
 
+    def load_config(self, config):
         self.register_token_generator(
-            "default", self.create_bearer_token_generator(app.config)
+            "default", self.create_bearer_token_generator(config)
         )
-        self.scopes_supported = app.config.get("OAUTH2_SCOPES_SUPPORTED")
-        self._error_uris = app.config.get("OAUTH2_ERROR_URIS")
+        self.scopes_supported = config.get("OAUTH2_SCOPES_SUPPORTED")
+        self._error_uris = config.get("OAUTH2_ERROR_URIS")
 
     def query_client(self, client_id):
         return self._query_client(client_id)

authlib/integrations/starlette_client/apps.py

@@ -63,15 +63,22 @@ class StarletteOAuth2App(
     client_cls = AsyncOAuth2Client
 
     async def authorize_access_token(self, request, **kwargs):
-        error = request.query_params.get("error")
-        if error:
-            description = request.query_params.get("error_description")
-            raise OAuthError(error=error, description=description)
-
-        params = {
-            "code": request.query_params.get("code"),
-            "state": request.query_params.get("state"),
-        }
+        if request.scope.get("method", "GET") == "GET":
+            error = request.query_params.get("error")
+            if error:
+                description = request.query_params.get("error_description")
+                raise OAuthError(error=error, description=description)
+
+            params = {
+                "code": request.query_params.get("code"),
+                "state": request.query_params.get("state"),
+            }
+        else:
+            async with request.form() as form:
+                params = {
+                    "code": form.get("code"),
+                    "state": form.get("state"),
+                }
 
         if self.framework.cache:
             session = None

authlib/jose/errors.py

@@ -33,6 +33,14 @@ class InvalidHeaderParameterNameError(JoseError):
         super().__init__(description=description)
 
 
+class InvalidCritHeaderParameterNameError(JoseError):
+    error = "invalid_crit_header_parameter_name"
+
+    def __init__(self, name):
+        description = f"Invalid Header Parameter Name: {name}"
+        super().__init__(description=description)
+
+
 class InvalidEncryptionAlgorithmForECDH1PUWithKeyWrappingError(JoseError):
     error = "invalid_encryption_algorithm_for_ECDH_1PU_with_key_wrapping"
 

authlib/jose/rfc7515/jws.py

@@ -4,6 +4,7 @@ from authlib.common.encoding import to_unicode
 from authlib.common.encoding import urlsafe_b64encode
 from authlib.jose.errors import BadSignatureError
 from authlib.jose.errors import DecodeError
+from authlib.jose.errors import InvalidCritHeaderParameterNameError
 from authlib.jose.errors import InvalidHeaderParameterNameError
 from authlib.jose.errors import MissingAlgorithmError
 from authlib.jose.errors import UnsupportedAlgorithmError
@@ -33,6 +34,8 @@ class JsonWebSignature:
         ]
     )
 
+    MAX_CONTENT_LENGTH: int = 256000
+
     #: Defined available JWS algorithms in the registry
     ALGORITHMS_REGISTRY = {}
 
@@ -64,6 +67,7 @@ class JsonWebSignature:
         """
         jws_header = JWSHeader(protected, None)
         self._validate_private_headers(protected)
+        self._validate_crit_headers(protected)
         algorithm, key = self._prepare_algorithm_key(protected, payload, key)
 
         protected_segment = json_b64encode(jws_header.protected)
@@ -87,6 +91,9 @@ class JsonWebSignature:
 
         .. _`Section 7.1`: https://tools.ietf.org/html/rfc7515#section-7.1
         """
+        if len(s) > self.MAX_CONTENT_LENGTH:
+            raise ValueError("Serialization is too long.")
+
         try:
             s = to_bytes(s)
             signing_input, signature_segment = s.rsplit(b".", 1)
@@ -95,6 +102,7 @@ class JsonWebSignature:
             raise DecodeError("Not enough segments") from exc
 
         protected = _extract_header(protected_segment)
+        self._validate_crit_headers(protected)
         jws_header = JWSHeader(protected, None)
 
         payload = _extract_payload(payload_segment)
@@ -132,6 +140,11 @@ class JsonWebSignature:
 
         def _sign(jws_header):
             self._validate_private_headers(jws_header)
+            # RFC 7515 §4.1.11: 'crit' MUST be integrity-protected.
+            # Reject if present in unprotected header, and validate only
+            # against the protected header parameters.
+            self._reject_unprotected_crit(jws_header.header)
+            self._validate_crit_headers(jws_header.protected)
             _alg, _key = self._prepare_algorithm_key(jws_header, payload, key)
 
             protected_segment = json_b64encode(jws_header.protected)
@@ -272,6 +285,28 @@ class JsonWebSignature:
                 if k not in names:
                     raise InvalidHeaderParameterNameError(k)
 
+    def _reject_unprotected_crit(self, unprotected_header):
+        """Reject 'crit' when found in the unprotected header (RFC 7515 §4.1.11)."""
+        if unprotected_header and "crit" in unprotected_header:
+            raise InvalidHeaderParameterNameError("crit")
+
+    def _validate_crit_headers(self, header):
+        if "crit" in header:
+            crit_headers = header["crit"]
+            # Type enforcement for robustness and predictable errors
+            if not isinstance(crit_headers, list) or not all(
+                isinstance(x, str) for x in crit_headers
+            ):
+                raise InvalidHeaderParameterNameError("crit")
+            names = self.REGISTERED_HEADER_PARAMETER_NAMES.copy()
+            if self._private_headers:
+                names = names.union(self._private_headers)
+            for k in crit_headers:
+                if k not in names:
+                    raise InvalidCritHeaderParameterNameError(k)
+                elif k not in header:
+                    raise InvalidCritHeaderParameterNameError(k)
+
     def _validate_json_jws(self, payload_segment, payload, header_obj, key):
         protected_segment = header_obj.get("protected")
         if not protected_segment:
@@ -286,7 +321,14 @@ class JsonWebSignature:
         header = header_obj.get("header")
         if header and not isinstance(header, dict):
             raise DecodeError('Invalid "header" value')
-
+        # RFC 7515 §4.1.11: 'crit' MUST be integrity-protected. If present in
+        # the unprotected header object, reject the JWS.
+        self._reject_unprotected_crit(header)
+
+        # Enforce must-understand semantics for names listed in protected
+        # 'crit'. This will also ensure each listed name is present in the
+        # protected header.
+        self._validate_crit_headers(protected)
         jws_header = JWSHeader(protected, header)
         algorithm, key = self._prepare_algorithm_key(jws_header, payload, key)
         signing_input = b".".join([protected_segment, payload_segment])

authlib/jose/rfc7515/models.py

@@ -50,10 +50,10 @@ class JWSHeader(dict):
 
     def __init__(self, protected, header):
         obj = {}
-        if protected:
-            obj.update(protected)
         if header:
             obj.update(header)
+        if protected:
+            obj.update(protected)
         super().__init__(obj)
         self.protected = protected
         self.header = header

authlib/jose/rfc7516/models.py

@@ -117,10 +117,10 @@ class JWESharedHeader(dict):
 
     def __init__(self, protected, unprotected):
         obj = {}
-        if protected:
-            obj.update(protected)
         if unprotected:
             obj.update(unprotected)
+        if protected:
+            obj.update(protected)
         super().__init__(obj)
         self.protected = protected if protected else {}
         self.unprotected = unprotected if unprotected else {}
@@ -145,12 +145,12 @@ class JWEHeader(dict):
 
     def __init__(self, protected, unprotected, header):
         obj = {}
-        if protected:
-            obj.update(protected)
         if unprotected:
             obj.update(unprotected)
         if header:
             obj.update(header)
+        if protected:
+            obj.update(protected)
         super().__init__(obj)
         self.protected = protected if protected else {}
         self.unprotected = unprotected if unprotected else {}

authlib/jose/rfc7518/jwe_zips.py

@@ -3,20 +3,31 @@ import zlib
 from ..rfc7516 import JsonWebEncryption
 from ..rfc7516 import JWEZipAlgorithm
 
+GZIP_HEAD = bytes([120, 156])
+MAX_SIZE = 250 * 1024
+
 
 class DeflateZipAlgorithm(JWEZipAlgorithm):
     name = "DEF"
     description = "DEFLATE"
 
-    def compress(self, s):
+    def compress(self, s: bytes) -> bytes:
         """Compress bytes data with DEFLATE algorithm."""
         data = zlib.compress(s)
-        # drop gzip headers and tail
+        # https://datatracker.ietf.org/doc/html/rfc1951
+        # since DEF is always gzip, we can drop gzip headers and tail
         return data[2:-4]
 
-    def decompress(self, s):
+    def decompress(self, s: bytes) -> bytes:
         """Decompress DEFLATE bytes data."""
-        return zlib.decompress(s, -zlib.MAX_WBITS)
+        if s.startswith(GZIP_HEAD):
+            decompressor = zlib.decompressobj()
+        else:
+            decompressor = zlib.decompressobj(-zlib.MAX_WBITS)
+        value = decompressor.decompress(s, MAX_SIZE)
+        if decompressor.unconsumed_tail:
+            raise ValueError(f"Decompressed string exceeds {MAX_SIZE} bytes")
+        return value
 
 
 def register_jwe_rfc7518():

authlib/jose/util.py

@@ -7,6 +7,9 @@ from authlib.jose.errors import DecodeError
 
 
 def extract_header(header_segment, error_cls):
+    if len(header_segment) > 256000:
+        raise ValueError("Value of header is too long")
+
     header_data = extract_segment(header_segment, error_cls, "header")
 
     try:
@@ -20,6 +23,9 @@ def extract_header(header_segment, error_cls):
 
 
 def extract_segment(segment, error_cls, name="payload"):
+    if len(segment) > 256000:
+        raise ValueError(f"Value of {name} is too long")
+
     try:
         return urlsafe_b64decode(segment)
     except (TypeError, binascii.Error) as exc:

authlib/oauth2/rfc6749/authorization_server.py

@@ -251,8 +251,9 @@ class AuthorizationServer(Hookable):
         """Validate current HTTP request for authorization page. This page
         is designed for resource owner to grant or deny the authorization.
         """
+        request = self.create_oauth2_request(request)
+
         try:
-            request = self.create_oauth2_request(request)
             request.user = end_user
 
             grant = self.get_authorization_grant(request)

authlib/oauth2/rfc6749/parameters.py

@@ -54,9 +54,14 @@ def prepare_grant_uri(
     if state:
         params.append(("state", state))
 
-    for k in kwargs:
-        if kwargs[k] is not None:
-            params.append((to_unicode(k), kwargs[k]))
+    for k, value in kwargs.items():
+        if value is not None:
+            if isinstance(value, (list, tuple)):
+                for v in value:
+                    if v is not None:
+                        params.append((to_unicode(k), v))
+            else:
+                params.append((to_unicode(k), value))
 
     return add_params_to_uri(uri, params)
 

authlib/oauth2/rfc7591/endpoint.py

@@ -4,6 +4,7 @@ import time
 
 from authlib.common.security import generate_token
 from authlib.consts import default_json_headers
+from authlib.deprecate import deprecate
 from authlib.jose import JoseError
 from authlib.jose import JsonWebToken
 
@@ -41,7 +42,7 @@ class ClientRegistrationEndpoint:
         request.credential = token
 
         client_metadata = self.extract_client_metadata(request)
-        client_info = self.generate_client_info()
+        client_info = self.generate_client_info(request)
         body = {}
         body.update(client_metadata)
         body.update(client_info)
@@ -91,10 +92,28 @@ class ClientRegistrationEndpoint:
         except JoseError as exc:
             raise InvalidSoftwareStatementError() from exc
 
-    def generate_client_info(self):
+    def generate_client_info(self, request):
         # https://tools.ietf.org/html/rfc7591#section-3.2.1
-        client_id = self.generate_client_id()
-        client_secret = self.generate_client_secret()
+        try:
+            client_id = self.generate_client_id(request)
+        except TypeError:  # pragma: no cover
+            client_id = self.generate_client_id()
+            deprecate(
+                "generate_client_id takes a 'request' parameter. "
+                "It will become mandatory in coming releases",
+                version="1.8",
+            )
+
+        try:
+            client_secret = self.generate_client_secret(request)
+        except TypeError:  # pragma: no cover
+            client_secret = self.generate_client_secret()
+            deprecate(
+                "generate_client_secret takes a 'request' parameter. "
+                "It will become mandatory in coming releases",
+                version="1.8",
+            )
+
         client_id_issued_at = int(time.time())
         client_secret_expires_at = 0
         return dict(
@@ -114,13 +133,13 @@ class ClientRegistrationEndpoint:
     def create_endpoint_request(self, request):
         return self.server.create_json_request(request)
 
-    def generate_client_id(self):
+    def generate_client_id(self, request):
         """Generate ``client_id`` value. Developers MAY rewrite this method
         to use their own way to generate ``client_id``.
         """
         return generate_token(42)
 
-    def generate_client_secret(self):
+    def generate_client_secret(self, request):
         """Generate ``client_secret`` value. Developers MAY rewrite this method
         to use their own way to generate ``client_secret``.
         """

authlib-1.6.5.dist-info/METADATA

@@ -0,0 +1,178 @@
+Metadata-Version: 2.4
+Name: Authlib
+Version: 1.6.5
+Summary: The ultimate Python library in building OAuth and OpenID Connect servers and clients.
+Author-email: Hsiaoming Yang <me@lepture.com>
+License: BSD-3-Clause
+Project-URL: Documentation, https://docs.authlib.org/
+Project-URL: Purchase, https://authlib.org/plans
+Project-URL: Issues, https://github.com/authlib/authlib/issues
+Project-URL: Source, https://github.com/authlib/authlib
+Project-URL: Donate, https://github.com/sponsors/lepture
+Project-URL: Blog, https://blog.authlib.org/
+Classifier: Development Status :: 5 - Production/Stable
+Classifier: Environment :: Console
+Classifier: Environment :: Web Environment
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: BSD License
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: Implementation :: CPython
+Classifier: Programming Language :: Python :: Implementation :: PyPy
+Classifier: Topic :: Security
+Classifier: Topic :: Security :: Cryptography
+Classifier: Topic :: Internet :: WWW/HTTP :: Dynamic Content
+Classifier: Topic :: Internet :: WWW/HTTP :: WSGI :: Application
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: cryptography
+Dynamic: license-file
+
+<div align="center">
+
+<picture>
+  <source media="(prefers-color-scheme: dark)" srcset="docs/_static/dark-logo.svg" />
+  <img alt="Authlib" src="docs/_static/light-logo.svg" height="68" />
+</picture>
+
+[![Build Status](https://github.com/authlib/authlib/workflows/tests/badge.svg)](https://github.com/authlib/authlib/actions)
+[![PyPI version](https://img.shields.io/pypi/v/authlib.svg)](https://pypi.org/project/authlib)
+[![conda-forge version](https://img.shields.io/conda/v/conda-forge/authlib.svg?label=conda-forge&colorB=0090ff)](https://anaconda.org/conda-forge/authlib)
+[![PyPI Downloads](https://static.pepy.tech/badge/authlib/month)](https://pepy.tech/projects/authlib)
+[![Code Coverage](https://codecov.io/gh/authlib/authlib/graph/badge.svg?token=OWTdxAIsPI)](https://codecov.io/gh/authlib/authlib)
+[![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=authlib_authlib&metric=sqale_rating)](https://sonarcloud.io/summary/new_code?id=authlib_authlib)
+
+</div>
+
+The ultimate Python library in building OAuth and OpenID Connect servers.
+JWS, JWK, JWA, JWT are included.
+
+Authlib is compatible with Python3.9+.
+
+## Migrations
+
+Authlib will deprecate `authlib.jose` module, please read:
+
+- [Migrating from `authlib.jose` to `joserfc`](https://jose.authlib.org/en/dev/migrations/authlib/)
+
+## Sponsors
+
+<table>
+<tr>
+<td><img align="middle" width="48" src="https://cdn.auth0.com/website/website/favicons/auth0-favicon.svg"></td>
+<td>If you want to quickly add secure token-based authentication to Python projects, feel free to check Auth0's Python SDK and free plan at <a href="https://auth0.com/overview?utm_source=GHsponsor&utm_medium=GHsponsor&utm_campaign=authlib&utm_content=auth">auth0.com/overview</a>.</td>
+</tr>
+<tr>
+<td><img align="middle" width="48" src="https://typlog.com/assets/icon-white.svg"></td>
+<td>A blogging and podcast hosting platform with minimal design but powerful features. Host your blog and Podcast with <a href="https://typlog.com/">Typlog.com</a>.
+</td>
+</tr>
+</table>
+
+[**Fund Authlib to access additional features**](https://docs.authlib.org/en/latest/community/funding.html)
+
+## Features
+
+Generic, spec-compliant implementation to build clients and providers:
+
+- [The OAuth 1.0 Protocol](https://docs.authlib.org/en/latest/basic/oauth1.html)
+  - [RFC5849: The OAuth 1.0 Protocol](https://docs.authlib.org/en/latest/specs/rfc5849.html)
+- [The OAuth 2.0 Authorization Framework](https://docs.authlib.org/en/latest/basic/oauth2.html)
+  - [RFC6749: The OAuth 2.0 Authorization Framework](https://docs.authlib.org/en/latest/specs/rfc6749.html)
+  - [RFC6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage](https://docs.authlib.org/en/latest/specs/rfc6750.html)
+  - [RFC7009: OAuth 2.0 Token Revocation](https://docs.authlib.org/en/latest/specs/rfc7009.html)
+  - [RFC7523: JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants](https://docs.authlib.org/en/latest/specs/rfc7523.html)
+  - [RFC7591: OAuth 2.0 Dynamic Client Registration Protocol](https://docs.authlib.org/en/latest/specs/rfc7591.html)
+  - [RFC7592: OAuth 2.0 Dynamic Client Registration Management Protocol](https://docs.authlib.org/en/latest/specs/rfc7592.html)
+  - [RFC7636: Proof Key for Code Exchange by OAuth Public Clients](https://docs.authlib.org/en/latest/specs/rfc7636.html)
+  - [RFC7662: OAuth 2.0 Token Introspection](https://docs.authlib.org/en/latest/specs/rfc7662.html)
+  - [RFC8414: OAuth 2.0 Authorization Server Metadata](https://docs.authlib.org/en/latest/specs/rfc8414.html)
+  - [RFC8628: OAuth 2.0 Device Authorization Grant](https://docs.authlib.org/en/latest/specs/rfc8628.html)
+  - [RFC9068: JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens](https://docs.authlib.org/en/latest/specs/rfc9068.html)
+  - [RFC9101: The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)](https://docs.authlib.org/en/latest/specs/rfc9101.html)
+  - [RFC9207: OAuth 2.0 Authorization Server Issuer Identification](https://docs.authlib.org/en/latest/specs/rfc9207.html)
+- [Javascript Object Signing and Encryption](https://docs.authlib.org/en/latest/jose/index.html)
+  - [RFC7515: JSON Web Signature](https://docs.authlib.org/en/latest/jose/jws.html)
+  - [RFC7516: JSON Web Encryption](https://docs.authlib.org/en/latest/jose/jwe.html)
+  - [RFC7517: JSON Web Key](https://docs.authlib.org/en/latest/jose/jwk.html)
+  - [RFC7518: JSON Web Algorithms](https://docs.authlib.org/en/latest/specs/rfc7518.html)
+  - [RFC7519: JSON Web Token](https://docs.authlib.org/en/latest/jose/jwt.html)
+  - [RFC7638: JSON Web Key (JWK) Thumbprint](https://docs.authlib.org/en/latest/specs/rfc7638.html)
+  - [ ] RFC7797: JSON Web Signature (JWS) Unencoded Payload Option
+  - [RFC8037: ECDH in JWS and JWE](https://docs.authlib.org/en/latest/specs/rfc8037.html)
+  - [ ] draft-madden-jose-ecdh-1pu-04: Public Key Authenticated Encryption for JOSE: ECDH-1PU
+- [OpenID Connect 1.0](https://docs.authlib.org/en/latest/specs/oidc.html)
+  - [x] OpenID Connect Core 1.0
+  - [x] OpenID Connect Discovery 1.0
+  - [x] OpenID Connect Dynamic Client Registration 1.0
+
+Connect third party OAuth providers with Authlib built-in client integrations:
+
+- Requests
+  - [OAuth1Session](https://docs.authlib.org/en/latest/client/requests.html#requests-oauth-1-0)
+  - [OAuth2Session](https://docs.authlib.org/en/latest/client/requests.html#requests-oauth-2-0)
+  - [OpenID Connect](https://docs.authlib.org/en/latest/client/requests.html#requests-openid-connect)
+  - [AssertionSession](https://docs.authlib.org/en/latest/client/requests.html#requests-service-account)
+- HTTPX
+  - [AsyncOAuth1Client](https://docs.authlib.org/en/latest/client/httpx.html#httpx-oauth-1-0)
+  - [AsyncOAuth2Client](https://docs.authlib.org/en/latest/client/httpx.html#httpx-oauth-2-0)
+  - [OpenID Connect](https://docs.authlib.org/en/latest/client/httpx.html#httpx-oauth-2-0)
+  - [AsyncAssertionClient](https://docs.authlib.org/en/latest/client/httpx.html#async-service-account)
+- [Flask OAuth Client](https://docs.authlib.org/en/latest/client/flask.html)
+- [Django OAuth Client](https://docs.authlib.org/en/latest/client/django.html)
+- [Starlette OAuth Client](https://docs.authlib.org/en/latest/client/starlette.html)
+- [FastAPI OAuth Client](https://docs.authlib.org/en/latest/client/fastapi.html)
+
+Build your own OAuth 1.0, OAuth 2.0, and OpenID Connect providers:
+
+- Flask
+  - [Flask OAuth 1.0 Provider](https://docs.authlib.org/en/latest/flask/1/)
+  - [Flask OAuth 2.0 Provider](https://docs.authlib.org/en/latest/flask/2/)
+  - [Flask OpenID Connect 1.0 Provider](https://docs.authlib.org/en/latest/flask/2/openid-connect.html)
+- Django
+  - [Django OAuth 1.0 Provider](https://docs.authlib.org/en/latest/django/1/)
+  - [Django OAuth 2.0 Provider](https://docs.authlib.org/en/latest/django/2/)
+  - [Django OpenID Connect 1.0 Provider](https://docs.authlib.org/en/latest/django/2/openid-connect.html)
+
+## Useful Links
+
+1. Homepage: <https://authlib.org/>.
+2. Documentation: <https://docs.authlib.org/>.
+3. Purchase Commercial License: <https://authlib.org/plans>.
+4. Blog: <https://blog.authlib.org/>.
+5. Twitter: <https://twitter.com/authlib>.
+6. StackOverflow: <https://stackoverflow.com/questions/tagged/authlib>.
+7. Other Repositories: <https://github.com/authlib>.
+8. Subscribe Tidelift: [https://tidelift.com/subscription/pkg/pypi-authlib](https://tidelift.com/subscription/pkg/pypi-authlib?utm_source=pypi-authlib&utm_medium=referral&utm_campaign=links).
+
+## Security Reporting
+
+If you found security bugs, please do not send a public issue or patch.
+You can send me email at <me@lepture.com>. Attachment with patch is welcome.
+My PGP Key fingerprint is:
+
+```
+72F8 E895 A70C EBDF 4F2A DFE0 7E55 E3E0 118B 2B4C
+```
+
+Or, you can use the [Tidelift security contact](https://tidelift.com/security).
+Tidelift will coordinate the fix and disclosure.
+
+## License
+
+Authlib offers two licenses:
+
+1. BSD LICENSE
+2. COMMERCIAL-LICENSE
+
+Any project, open or closed source, can use the BSD license.
+If your company needs commercial support, you can purchase a commercial license at
+[Authlib Plans](https://authlib.org/plans). You can find more information at
+<https://authlib.org/support>.

{authlib-1.6.3.dist-info → authlib-1.6.5.dist-info}/RECORD

@@ -1,5 +1,5 @@
 authlib/__init__.py,sha256=9F2r7k-nrTBFVDVWk0oghhIpLioCwQtt-35ppwRNfGU,487
-authlib/consts.py,sha256=YgalKdydoFhPg798XeAcbd56CRGWdb3fMsDVU9acpYg,299
+authlib/consts.py,sha256=9cqeotlkDe69rVuzp_CwFO01qxVvyzzzbB2UpHWEvDg,299
 authlib/deprecate.py,sha256=BaH7IdSK0WEmanyJAl7-Rpmvm6NJcez-Z03k0OYPXl0,506
 authlib/common/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 authlib/common/encoding.py,sha256=S80EkhVVJABStdEuZvQV1c47gQnu359fgLAFDmqLaP0,1544
@@ -23,7 +23,7 @@ authlib/integrations/django_oauth1/authorization_server.py,sha256=xtI50oMRKfA5tk
 authlib/integrations/django_oauth1/nonce.py,sha256=jwhnA3SFCoGtEN7LBLv3pyKc1rWepFM9_iTSpt6BvR4,396
 authlib/integrations/django_oauth1/resource_protector.py,sha256=xSpHsX7X88IXwE4Qb0pHMPPiEag_ZalGBjFZqt9nG4o,2332
 authlib/integrations/django_oauth2/__init__.py,sha256=gmWoCspRgvmtO3VuA34-FluF5pmgbo-oQyeD1KW2rVQ,333
-authlib/integrations/django_oauth2/authorization_server.py,sha256=Sr-Lvqj4MBw_4H3_HEON5bly0L2lhoQUmSqek-IqqX0,4378
+authlib/integrations/django_oauth2/authorization_server.py,sha256=6P0pYQpS83igXm-XyUmdIfTLq0_O3kpKApEVDynHaZA,4463
 authlib/integrations/django_oauth2/endpoints.py,sha256=dlGwktdT_miFCZDKYTFaiKxBPxBlL0cGlJCsE19wBv4,1838
 authlib/integrations/django_oauth2/requests.py,sha256=Qkk-G-VLlQwfh_QA2Wq9NBQr5EYnYGUSvX_ba9WZc5g,1850
 authlib/integrations/django_oauth2/resource_protector.py,sha256=QTrO0nZWJVki2lggx80Ud9y9bM9wBTBRn4SXvchhMf0,2597
@@ -36,7 +36,7 @@ authlib/integrations/flask_oauth1/authorization_server.py,sha256=mogA8tai-cU2-0c
 authlib/integrations/flask_oauth1/cache.py,sha256=iF_mvWvkv6S7n0bm5Q9kUqBIlXcmwgxx01chPZM27xo,3012
 authlib/integrations/flask_oauth1/resource_protector.py,sha256=h3nDaEc1W7eRht4jLROURCDsZfFX9Ak9JyPGWJv63Eg,3842
 authlib/integrations/flask_oauth2/__init__.py,sha256=cQ7vhDQuXp2R5IMPTpb6rR0ChKAt_tmY95mlrOjYXOc,284
-authlib/integrations/flask_oauth2/authorization_server.py,sha256=ffw-MtyYsLAdWYy3vJ-rp-UtgvpCXwcchMsFM_kBXB4,5851
+authlib/integrations/flask_oauth2/authorization_server.py,sha256=rWrRJh3pr6tito6OKYGTbdY4Y2OYMKyMmD20CtmVb1s,5911
 authlib/integrations/flask_oauth2/errors.py,sha256=ku67ILaSYS9i028Ipx26TYslXTK9UWiumqf07tjbICo,1085
 authlib/integrations/flask_oauth2/requests.py,sha256=DcLTETbx0OjNa8mpjRr4UKifuni1oXGQOHBlXF1WWSk,1480
 authlib/integrations/flask_oauth2/resource_protector.py,sha256=s0LbjE0nTKbEIqngEe0chphOlULh9LmzVIiEdszd7ts,3875
@@ -56,22 +56,22 @@ authlib/integrations/sqla_oauth2/client_mixin.py,sha256=4hTqHeS34JUFJLLvOJqpfzBG
 authlib/integrations/sqla_oauth2/functions.py,sha256=Lc_mK1LV_FonUUHXmswxlze7NPyAhs-pxW1pOGgWxXw,3156
 authlib/integrations/sqla_oauth2/tokens_mixins.py,sha256=B62cFI-jZhtIU79of6l6Lxzia6tnutZHMeZrpSLIEd8,2261
 authlib/integrations/starlette_client/__init__.py,sha256=qIPzeCFSCJ1AnCJ_I9tvmL2qDOJtaPUwgG7Mb4wz3VI,713
-authlib/integrations/starlette_client/apps.py,sha256=QVdkB8A_WByazu1dUmNlZUVbBOgnyOlGJTJdp3TfS1A,3852
+authlib/integrations/starlette_client/apps.py,sha256=3rIzMYCzdu4ajfyaHlBeFIJb6gI8lBjNl_Ry7VTT_go,4140
 authlib/integrations/starlette_client/integration.py,sha256=Dlu7w36dPrBz_-ybcwmOasGrZprQiCQ9IQqd47VeDQk,2253
 authlib/jose/__init__.py,sha256=wtdmtHrQV3a3-us9K6nVVGHrC82zSJ27FX106uUxeLI,1703
-authlib/jose/errors.py,sha256=4Mo7dKWKRc_9C5uG498tEv5MZqaoasIjGLqhKff41Sw,2950
+authlib/jose/errors.py,sha256=NK3sAewwLTZ6eaNS4QVcpndf3oL2CySrwsF9xiTWDqs,3199
 authlib/jose/jwk.py,sha256=LqCE7K1WozgSR_UHwXEajwVJjjBwXkIKebT1Z_AzFE0,491
-authlib/jose/util.py,sha256=nJklBxnAmgRGx27b3eZQQzZq7o1mO8EuQGRdrjclTAE,1175
+authlib/jose/util.py,sha256=24oOQ3Vnm9gUa0rDyEau9-l-F7ovzsDV6VbzxTscCiU,1357
 authlib/jose/drafts/__init__.py,sha256=AXAw9r6-6XsVbugtoJ6zFn0u85iYDssVLLbDGm-HIWU,520
 authlib/jose/drafts/_jwe_algorithms.py,sha256=qkYzPAteYSs1jRZGc3lxBVPbYy8jFgf_O2GE-LW0xUM,7199
 authlib/jose/drafts/_jwe_enc_cryptodome.py,sha256=-Qq-JWsBrui5-UJW1QqDltsJCygvWAicSkbQqcH0jdo,1848
 authlib/jose/drafts/_jwe_enc_cryptography.py,sha256=yd63oNubl-vSMC8H_g8xFGCMa3AUEhOzrXQnGS2TBSU,1731
 authlib/jose/rfc7515/__init__.py,sha256=ub5iDwyqk1z_W1QSFqtFn6tEJvLqEgMg6ftHmGVsSvQ,367
-authlib/jose/rfc7515/jws.py,sha256=K5QZ3u2J4286MUdPkDHgIswGGs6aG-Og3eJTVvfhG7A,11636
-authlib/jose/rfc7515/models.py,sha256=POdLZ8Jqyau2b-y-V2UvuxMRoV2cglsB4BflhC-AwVc,2448
+authlib/jose/rfc7515/jws.py,sha256=QmpynjXy9YgMDP9V1ESSqivA3fFkoAFmoWy4DjBfr6s,13720
+authlib/jose/rfc7515/models.py,sha256=81IbGsdq9I4Qe0NIusgRia4G3CFsh70gWf2v9lT9kJA,2448
 authlib/jose/rfc7516/__init__.py,sha256=85pDv76XJrL_ZVl89Thr6ilzM9yelMWGBad20klWjDM,514
 authlib/jose/rfc7516/jwe.py,sha256=MTOtywMG6Ji2-PM0paW4jx4r5q1zVC0GNL3pZveGHu4,30539
-authlib/jose/rfc7516/models.py,sha256=aeOJtAW0L6CYwK0iwgMHwSQik5fuVhqaVcoe7n7ItXM,4381
+authlib/jose/rfc7516/models.py,sha256=vzYq1du-F59IqFlcGnTATVCDLEy0Tsisz5yF57tcppw,4381
 authlib/jose/rfc7517/__init__.py,sha256=RmMT_4O1d4YaqVl_5V5bM0blqXqjdKZsdYNQObtTkPc,404
 authlib/jose/rfc7517/_cryptography_key.py,sha256=bp-2kiKpzKdOWSuzMTCMhsyZdvdEUrv9nYVyNBlqqys,1361
 authlib/jose/rfc7517/asymmetric_key.py,sha256=NoCPBm8rjoW1Lonyt-LP44_TZnwceRv6DKHoRb4DDRw,6464
@@ -82,7 +82,7 @@ authlib/jose/rfc7518/__init__.py,sha256=qvxQ-N7dlZu2d4qg30rH0JkNp-_eeaY0VK20vAv4
 authlib/jose/rfc7518/ec_key.py,sha256=IIpDO9hKzDGhOd8CxwxH08iO_6j7sR86cJBm6wN0SFw,3921
 authlib/jose/rfc7518/jwe_algs.py,sha256=tBw_lUUrs9RCYjyVi4OOu1_Fgh15Qtp-h4qHjCAc0e8,11422
 authlib/jose/rfc7518/jwe_encs.py,sha256=A0wKhj9u9hF_B51U7nHxZFQ5TskRfJ5Uube1DlvB8Aw,5093
-authlib/jose/rfc7518/jwe_zips.py,sha256=jp0V1xVjrYWqH6amlu2SzVgB8VOHDc6Izt5TbZWgIMg,583
+authlib/jose/rfc7518/jwe_zips.py,sha256=dFCRYN5J7_iHmiaB8t_FjUqRz966t2TYXrJ2lmvUJfg,1060
 authlib/jose/rfc7518/jws_algs.py,sha256=tCnBPwtlQ0gSY5LgW1F5FaKNT36kWkPHLXGxHBLLQCs,6573
 authlib/jose/rfc7518/oct_key.py,sha256=0XRdpxpFExYtlXse9ZAM6Bj-26fgZOHHBQdJoTdl1ec,2744
 authlib/jose/rfc7518/rsa_key.py,sha256=PmX2WWd3rLmwihqGhJYPW6C50aEmYghfbsZKPO_4bRU,4581
@@ -114,11 +114,11 @@ authlib/oauth2/base.py,sha256=8ZG02kdskhdh5vfK4P2nSsnE1WcwSUxsx5banmYJyVk,2025
 authlib/oauth2/client.py,sha256=Txg4tghGHItiTE2TTzDi8r-3V6aCEf78oOgaQtUSRx8,18938
 authlib/oauth2/rfc6749/__init__.py,sha256=35h_BcWs2rFC62A0U2AlVpMZCVnD74ddZELK35VTqF8,2845
 authlib/oauth2/rfc6749/authenticate_client.py,sha256=nFBxSrw62zLYl1JRON3rjCv_BUZzTivZ7HYuqnkdQmg,3985
-authlib/oauth2/rfc6749/authorization_server.py,sha256=ZHiDIiWtg_rBQE5UDt3dpjZpqd7HSZyNYxWjslDnrEE,13370
+authlib/oauth2/rfc6749/authorization_server.py,sha256=GhuWgVVxuJ7fxwLUA-kHtLuo0DPmd0hM_sfYEV0gziA,13367
 authlib/oauth2/rfc6749/errors.py,sha256=FfT5OJJEk0RJaUjJKT1v_npN5AvCUuASqP8LtX2e4xo,7242
 authlib/oauth2/rfc6749/hooks.py,sha256=v8emOHmENAen3WbOXgmhLwHur6_i5QUgRE5NNXI_ukI,1004
 authlib/oauth2/rfc6749/models.py,sha256=PZO-owOyb1RzbmD-xdYwO_Q6Si57pqFGPqhDXiDhNVs,7773
-authlib/oauth2/rfc6749/parameters.py,sha256=DWm2MT3mg1cfPjL3DGV-VwET5SU91KMd9tronD3prPY,8358
+authlib/oauth2/rfc6749/parameters.py,sha256=-hauWerU6UlMuyVA-oxQaWc_r_y5BfDVnz7nh-oZd7E,8564
 authlib/oauth2/rfc6749/requests.py,sha256=8m2bVR9KrUGzqFRBI8aXp7h-Y3a8H6wLY5hLajYiIRM,5095
 authlib/oauth2/rfc6749/resource_protector.py,sha256=OKXtwUVn0kgK55mIzc9mGNbfUpwoOWTxb105Td5iVPE,5404
 authlib/oauth2/rfc6749/token_endpoint.py,sha256=kxjK39EHBgeD7uvJLyoLF5DAr1ef4l31jpCt6C4gYJ0,1103
@@ -150,7 +150,7 @@ authlib/oauth2/rfc7523/token.py,sha256=olIDs43sKuVtrOis5l7tRjJS-p_ns1c1VWkf9NUgM
 authlib/oauth2/rfc7523/validator.py,sha256=4d0FHSi8UR9pLlyYRpG8M2lW8MvYZyoOuhS-RpZoNAA,1668
 authlib/oauth2/rfc7591/__init__.py,sha256=BC7HMHZmLvgHIcpU3uRP48IHnVyeS77LADhhRw5h9aY,694
 authlib/oauth2/rfc7591/claims.py,sha256=wAsPmqOD-qYPrZpCJxphLOrIPEthUJPml6O8I7J26n4,12169
-authlib/oauth2/rfc7591/endpoint.py,sha256=EqRaSNkjHFuXqUCFjra120tpMiTQ8Q2QXdndrGhufsY,6459
+authlib/oauth2/rfc7591/endpoint.py,sha256=1SeM471z3G31RPTAlQcH0AG7eEx9fcMwnm67iNwpGeA,7183
 authlib/oauth2/rfc7591/errors.py,sha256=oflYk0Qj9FBIU6eBvqgIpUMHK2dA73A8Y5UWOXZMmq4,1106
 authlib/oauth2/rfc7592/__init__.py,sha256=8oCqEJwbLOyFLq9qmEFy2WFu6-bj9rCUpJMj0ICTZSA,295
 authlib/oauth2/rfc7592/endpoint.py,sha256=CkY9RP3w4f3KXAHl4Mzqq9OtJlL7pgY8V1RyBkjHyBw,8788
@@ -199,8 +199,8 @@ authlib/oidc/discovery/models.py,sha256=yzdWYQn-VfC48gywoxswge4tgnKb8uQ-UkjhVTCl
 authlib/oidc/discovery/well_known.py,sha256=ry1VHxCmwvjmlMxOFEbSC6FsE_ttijyRcn2xUpv2CaU,574
 authlib/oidc/registration/__init__.py,sha256=lV_Og-DMFKzWWYsdK04oF83xKUGTE2gQhikPPsOdW84,77
 authlib/oidc/registration/claims.py,sha256=K7Ft8GDXkVrjJrc53Ihkhn2SVN4pvEf3qiHOkzVOJ7g,17264
-authlib-1.6.3.dist-info/licenses/LICENSE,sha256=jhtIUY3pxs0Ay0jH_luAI_2Q1VUsoS6-c2Kg3zDdvkU,1514
-authlib-1.6.3.dist-info/METADATA,sha256=ALFKjjILvTFCN3t-YbI39dHwnC3gxBg1X5UO86yUHRo,1634
-authlib-1.6.3.dist-info/WHEEL,sha256=JNWh1Fm1UdwIQV075glCn4MVuCRs0sotJIq-J6rbxCU,109
-authlib-1.6.3.dist-info/top_level.txt,sha256=Rj3mJn0jhRuCs6x7ysI6hYE2PePbuxey6y6jswadAEY,8
-authlib-1.6.3.dist-info/RECORD,,
+authlib-1.6.5.dist-info/licenses/LICENSE,sha256=jhtIUY3pxs0Ay0jH_luAI_2Q1VUsoS6-c2Kg3zDdvkU,1514
+authlib-1.6.5.dist-info/METADATA,sha256=JSpi4anvkVQ9zL3GuZR4mvuto9yjFI39uhUnGfKGwdY,9845
+authlib-1.6.5.dist-info/WHEEL,sha256=JNWh1Fm1UdwIQV075glCn4MVuCRs0sotJIq-J6rbxCU,109
+authlib-1.6.5.dist-info/top_level.txt,sha256=Rj3mJn0jhRuCs6x7ysI6hYE2PePbuxey6y6jswadAEY,8
+authlib-1.6.5.dist-info/RECORD,,

authlib-1.6.3.dist-info/METADATA

@@ -1,36 +0,0 @@
-Metadata-Version: 2.4
-Name: Authlib
-Version: 1.6.3
-Summary: The ultimate Python library in building OAuth and OpenID Connect servers and clients.
-Author-email: Hsiaoming Yang <me@lepture.com>
-License: BSD-3-Clause
-Project-URL: Documentation, https://docs.authlib.org/
-Project-URL: Purchase, https://authlib.org/plans
-Project-URL: Issues, https://github.com/authlib/authlib/issues
-Project-URL: Source, https://github.com/authlib/authlib
-Project-URL: Donate, https://github.com/sponsors/lepture
-Project-URL: Blog, https://blog.authlib.org/
-Classifier: Development Status :: 5 - Production/Stable
-Classifier: Environment :: Console
-Classifier: Environment :: Web Environment
-Classifier: Intended Audience :: Developers
-Classifier: License :: OSI Approved :: BSD License
-Classifier: Operating System :: OS Independent
-Classifier: Programming Language :: Python
-Classifier: Programming Language :: Python :: 3
-Classifier: Programming Language :: Python :: 3.9
-Classifier: Programming Language :: Python :: 3.10
-Classifier: Programming Language :: Python :: 3.11
-Classifier: Programming Language :: Python :: 3.12
-Classifier: Programming Language :: Python :: 3.13
-Classifier: Programming Language :: Python :: Implementation :: CPython
-Classifier: Programming Language :: Python :: Implementation :: PyPy
-Classifier: Topic :: Security
-Classifier: Topic :: Security :: Cryptography
-Classifier: Topic :: Internet :: WWW/HTTP :: Dynamic Content
-Classifier: Topic :: Internet :: WWW/HTTP :: WSGI :: Application
-Requires-Python: >=3.9
-Description-Content-Type: text/x-rst
-License-File: LICENSE
-Requires-Dist: cryptography
-Dynamic: license-file