Authlib 1.6.3__tar.gz → 1.6.5__tar.gz

authlib-1.6.5/Authlib.egg-info/PKG-INFO

@@ -0,0 +1,178 @@
+Metadata-Version: 2.4
+Name: Authlib
+Version: 1.6.5
+Summary: The ultimate Python library in building OAuth and OpenID Connect servers and clients.
+Author-email: Hsiaoming Yang <me@lepture.com>
+License: BSD-3-Clause
+Project-URL: Documentation, https://docs.authlib.org/
+Project-URL: Purchase, https://authlib.org/plans
+Project-URL: Issues, https://github.com/authlib/authlib/issues
+Project-URL: Source, https://github.com/authlib/authlib
+Project-URL: Donate, https://github.com/sponsors/lepture
+Project-URL: Blog, https://blog.authlib.org/
+Classifier: Development Status :: 5 - Production/Stable
+Classifier: Environment :: Console
+Classifier: Environment :: Web Environment
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: BSD License
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: Implementation :: CPython
+Classifier: Programming Language :: Python :: Implementation :: PyPy
+Classifier: Topic :: Security
+Classifier: Topic :: Security :: Cryptography
+Classifier: Topic :: Internet :: WWW/HTTP :: Dynamic Content
+Classifier: Topic :: Internet :: WWW/HTTP :: WSGI :: Application
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: cryptography
+Dynamic: license-file
+
+<div align="center">
+
+<picture>
+  <source media="(prefers-color-scheme: dark)" srcset="docs/_static/dark-logo.svg" />
+  <img alt="Authlib" src="docs/_static/light-logo.svg" height="68" />
+</picture>
+
+[![Build Status](https://github.com/authlib/authlib/workflows/tests/badge.svg)](https://github.com/authlib/authlib/actions)
+[![PyPI version](https://img.shields.io/pypi/v/authlib.svg)](https://pypi.org/project/authlib)
+[![conda-forge version](https://img.shields.io/conda/v/conda-forge/authlib.svg?label=conda-forge&colorB=0090ff)](https://anaconda.org/conda-forge/authlib)
+[![PyPI Downloads](https://static.pepy.tech/badge/authlib/month)](https://pepy.tech/projects/authlib)
+[![Code Coverage](https://codecov.io/gh/authlib/authlib/graph/badge.svg?token=OWTdxAIsPI)](https://codecov.io/gh/authlib/authlib)
+[![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=authlib_authlib&metric=sqale_rating)](https://sonarcloud.io/summary/new_code?id=authlib_authlib)
+
+</div>
+
+The ultimate Python library in building OAuth and OpenID Connect servers.
+JWS, JWK, JWA, JWT are included.
+
+Authlib is compatible with Python3.9+.
+
+## Migrations
+
+Authlib will deprecate `authlib.jose` module, please read:
+
+- [Migrating from `authlib.jose` to `joserfc`](https://jose.authlib.org/en/dev/migrations/authlib/)
+
+## Sponsors
+
+<table>
+<tr>
+<td><img align="middle" width="48" src="https://cdn.auth0.com/website/website/favicons/auth0-favicon.svg"></td>
+<td>If you want to quickly add secure token-based authentication to Python projects, feel free to check Auth0's Python SDK and free plan at <a href="https://auth0.com/overview?utm_source=GHsponsor&utm_medium=GHsponsor&utm_campaign=authlib&utm_content=auth">auth0.com/overview</a>.</td>
+</tr>
+<tr>
+<td><img align="middle" width="48" src="https://typlog.com/assets/icon-white.svg"></td>
+<td>A blogging and podcast hosting platform with minimal design but powerful features. Host your blog and Podcast with <a href="https://typlog.com/">Typlog.com</a>.
+</td>
+</tr>
+</table>
+
+[**Fund Authlib to access additional features**](https://docs.authlib.org/en/latest/community/funding.html)
+
+## Features
+
+Generic, spec-compliant implementation to build clients and providers:
+
+- [The OAuth 1.0 Protocol](https://docs.authlib.org/en/latest/basic/oauth1.html)
+  - [RFC5849: The OAuth 1.0 Protocol](https://docs.authlib.org/en/latest/specs/rfc5849.html)
+- [The OAuth 2.0 Authorization Framework](https://docs.authlib.org/en/latest/basic/oauth2.html)
+  - [RFC6749: The OAuth 2.0 Authorization Framework](https://docs.authlib.org/en/latest/specs/rfc6749.html)
+  - [RFC6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage](https://docs.authlib.org/en/latest/specs/rfc6750.html)
+  - [RFC7009: OAuth 2.0 Token Revocation](https://docs.authlib.org/en/latest/specs/rfc7009.html)
+  - [RFC7523: JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants](https://docs.authlib.org/en/latest/specs/rfc7523.html)
+  - [RFC7591: OAuth 2.0 Dynamic Client Registration Protocol](https://docs.authlib.org/en/latest/specs/rfc7591.html)
+  - [RFC7592: OAuth 2.0 Dynamic Client Registration Management Protocol](https://docs.authlib.org/en/latest/specs/rfc7592.html)
+  - [RFC7636: Proof Key for Code Exchange by OAuth Public Clients](https://docs.authlib.org/en/latest/specs/rfc7636.html)
+  - [RFC7662: OAuth 2.0 Token Introspection](https://docs.authlib.org/en/latest/specs/rfc7662.html)
+  - [RFC8414: OAuth 2.0 Authorization Server Metadata](https://docs.authlib.org/en/latest/specs/rfc8414.html)
+  - [RFC8628: OAuth 2.0 Device Authorization Grant](https://docs.authlib.org/en/latest/specs/rfc8628.html)
+  - [RFC9068: JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens](https://docs.authlib.org/en/latest/specs/rfc9068.html)
+  - [RFC9101: The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)](https://docs.authlib.org/en/latest/specs/rfc9101.html)
+  - [RFC9207: OAuth 2.0 Authorization Server Issuer Identification](https://docs.authlib.org/en/latest/specs/rfc9207.html)
+- [Javascript Object Signing and Encryption](https://docs.authlib.org/en/latest/jose/index.html)
+  - [RFC7515: JSON Web Signature](https://docs.authlib.org/en/latest/jose/jws.html)
+  - [RFC7516: JSON Web Encryption](https://docs.authlib.org/en/latest/jose/jwe.html)
+  - [RFC7517: JSON Web Key](https://docs.authlib.org/en/latest/jose/jwk.html)
+  - [RFC7518: JSON Web Algorithms](https://docs.authlib.org/en/latest/specs/rfc7518.html)
+  - [RFC7519: JSON Web Token](https://docs.authlib.org/en/latest/jose/jwt.html)
+  - [RFC7638: JSON Web Key (JWK) Thumbprint](https://docs.authlib.org/en/latest/specs/rfc7638.html)
+  - [ ] RFC7797: JSON Web Signature (JWS) Unencoded Payload Option
+  - [RFC8037: ECDH in JWS and JWE](https://docs.authlib.org/en/latest/specs/rfc8037.html)
+  - [ ] draft-madden-jose-ecdh-1pu-04: Public Key Authenticated Encryption for JOSE: ECDH-1PU
+- [OpenID Connect 1.0](https://docs.authlib.org/en/latest/specs/oidc.html)
+  - [x] OpenID Connect Core 1.0
+  - [x] OpenID Connect Discovery 1.0
+  - [x] OpenID Connect Dynamic Client Registration 1.0
+
+Connect third party OAuth providers with Authlib built-in client integrations:
+
+- Requests
+  - [OAuth1Session](https://docs.authlib.org/en/latest/client/requests.html#requests-oauth-1-0)
+  - [OAuth2Session](https://docs.authlib.org/en/latest/client/requests.html#requests-oauth-2-0)
+  - [OpenID Connect](https://docs.authlib.org/en/latest/client/requests.html#requests-openid-connect)
+  - [AssertionSession](https://docs.authlib.org/en/latest/client/requests.html#requests-service-account)
+- HTTPX
+  - [AsyncOAuth1Client](https://docs.authlib.org/en/latest/client/httpx.html#httpx-oauth-1-0)
+  - [AsyncOAuth2Client](https://docs.authlib.org/en/latest/client/httpx.html#httpx-oauth-2-0)
+  - [OpenID Connect](https://docs.authlib.org/en/latest/client/httpx.html#httpx-oauth-2-0)
+  - [AsyncAssertionClient](https://docs.authlib.org/en/latest/client/httpx.html#async-service-account)
+- [Flask OAuth Client](https://docs.authlib.org/en/latest/client/flask.html)
+- [Django OAuth Client](https://docs.authlib.org/en/latest/client/django.html)
+- [Starlette OAuth Client](https://docs.authlib.org/en/latest/client/starlette.html)
+- [FastAPI OAuth Client](https://docs.authlib.org/en/latest/client/fastapi.html)
+
+Build your own OAuth 1.0, OAuth 2.0, and OpenID Connect providers:
+
+- Flask
+  - [Flask OAuth 1.0 Provider](https://docs.authlib.org/en/latest/flask/1/)
+  - [Flask OAuth 2.0 Provider](https://docs.authlib.org/en/latest/flask/2/)
+  - [Flask OpenID Connect 1.0 Provider](https://docs.authlib.org/en/latest/flask/2/openid-connect.html)
+- Django
+  - [Django OAuth 1.0 Provider](https://docs.authlib.org/en/latest/django/1/)
+  - [Django OAuth 2.0 Provider](https://docs.authlib.org/en/latest/django/2/)
+  - [Django OpenID Connect 1.0 Provider](https://docs.authlib.org/en/latest/django/2/openid-connect.html)
+
+## Useful Links
+
+1. Homepage: <https://authlib.org/>.
+2. Documentation: <https://docs.authlib.org/>.
+3. Purchase Commercial License: <https://authlib.org/plans>.
+4. Blog: <https://blog.authlib.org/>.
+5. Twitter: <https://twitter.com/authlib>.
+6. StackOverflow: <https://stackoverflow.com/questions/tagged/authlib>.
+7. Other Repositories: <https://github.com/authlib>.
+8. Subscribe Tidelift: [https://tidelift.com/subscription/pkg/pypi-authlib](https://tidelift.com/subscription/pkg/pypi-authlib?utm_source=pypi-authlib&utm_medium=referral&utm_campaign=links).
+
+## Security Reporting
+
+If you found security bugs, please do not send a public issue or patch.
+You can send me email at <me@lepture.com>. Attachment with patch is welcome.
+My PGP Key fingerprint is:
+
+```
+72F8 E895 A70C EBDF 4F2A DFE0 7E55 E3E0 118B 2B4C
+```
+
+Or, you can use the [Tidelift security contact](https://tidelift.com/security).
+Tidelift will coordinate the fix and disclosure.
+
+## License
+
+Authlib offers two licenses:
+
+1. BSD LICENSE
+2. COMMERCIAL-LICENSE
+
+Any project, open or closed source, can use the BSD license.
+If your company needs commercial support, you can purchase a commercial license at
+[Authlib Plans](https://authlib.org/plans). You can find more information at
+<https://authlib.org/support>.

authlib-1.6.5/PKG-INFO

@@ -0,0 +1,178 @@
+Metadata-Version: 2.4
+Name: Authlib
+Version: 1.6.5
+Summary: The ultimate Python library in building OAuth and OpenID Connect servers and clients.
+Author-email: Hsiaoming Yang <me@lepture.com>
+License: BSD-3-Clause
+Project-URL: Documentation, https://docs.authlib.org/
+Project-URL: Purchase, https://authlib.org/plans
+Project-URL: Issues, https://github.com/authlib/authlib/issues
+Project-URL: Source, https://github.com/authlib/authlib
+Project-URL: Donate, https://github.com/sponsors/lepture
+Project-URL: Blog, https://blog.authlib.org/
+Classifier: Development Status :: 5 - Production/Stable
+Classifier: Environment :: Console
+Classifier: Environment :: Web Environment
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: BSD License
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: Implementation :: CPython
+Classifier: Programming Language :: Python :: Implementation :: PyPy
+Classifier: Topic :: Security
+Classifier: Topic :: Security :: Cryptography
+Classifier: Topic :: Internet :: WWW/HTTP :: Dynamic Content
+Classifier: Topic :: Internet :: WWW/HTTP :: WSGI :: Application
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: cryptography
+Dynamic: license-file
+
+<div align="center">
+
+<picture>
+  <source media="(prefers-color-scheme: dark)" srcset="docs/_static/dark-logo.svg" />
+  <img alt="Authlib" src="docs/_static/light-logo.svg" height="68" />
+</picture>
+
+[![Build Status](https://github.com/authlib/authlib/workflows/tests/badge.svg)](https://github.com/authlib/authlib/actions)
+[![PyPI version](https://img.shields.io/pypi/v/authlib.svg)](https://pypi.org/project/authlib)
+[![conda-forge version](https://img.shields.io/conda/v/conda-forge/authlib.svg?label=conda-forge&colorB=0090ff)](https://anaconda.org/conda-forge/authlib)
+[![PyPI Downloads](https://static.pepy.tech/badge/authlib/month)](https://pepy.tech/projects/authlib)
+[![Code Coverage](https://codecov.io/gh/authlib/authlib/graph/badge.svg?token=OWTdxAIsPI)](https://codecov.io/gh/authlib/authlib)
+[![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=authlib_authlib&metric=sqale_rating)](https://sonarcloud.io/summary/new_code?id=authlib_authlib)
+
+</div>
+
+The ultimate Python library in building OAuth and OpenID Connect servers.
+JWS, JWK, JWA, JWT are included.
+
+Authlib is compatible with Python3.9+.
+
+## Migrations
+
+Authlib will deprecate `authlib.jose` module, please read:
+
+- [Migrating from `authlib.jose` to `joserfc`](https://jose.authlib.org/en/dev/migrations/authlib/)
+
+## Sponsors
+
+<table>
+<tr>
+<td><img align="middle" width="48" src="https://cdn.auth0.com/website/website/favicons/auth0-favicon.svg"></td>
+<td>If you want to quickly add secure token-based authentication to Python projects, feel free to check Auth0's Python SDK and free plan at <a href="https://auth0.com/overview?utm_source=GHsponsor&utm_medium=GHsponsor&utm_campaign=authlib&utm_content=auth">auth0.com/overview</a>.</td>
+</tr>
+<tr>
+<td><img align="middle" width="48" src="https://typlog.com/assets/icon-white.svg"></td>
+<td>A blogging and podcast hosting platform with minimal design but powerful features. Host your blog and Podcast with <a href="https://typlog.com/">Typlog.com</a>.
+</td>
+</tr>
+</table>
+
+[**Fund Authlib to access additional features**](https://docs.authlib.org/en/latest/community/funding.html)
+
+## Features
+
+Generic, spec-compliant implementation to build clients and providers:
+
+- [The OAuth 1.0 Protocol](https://docs.authlib.org/en/latest/basic/oauth1.html)
+  - [RFC5849: The OAuth 1.0 Protocol](https://docs.authlib.org/en/latest/specs/rfc5849.html)
+- [The OAuth 2.0 Authorization Framework](https://docs.authlib.org/en/latest/basic/oauth2.html)
+  - [RFC6749: The OAuth 2.0 Authorization Framework](https://docs.authlib.org/en/latest/specs/rfc6749.html)
+  - [RFC6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage](https://docs.authlib.org/en/latest/specs/rfc6750.html)
+  - [RFC7009: OAuth 2.0 Token Revocation](https://docs.authlib.org/en/latest/specs/rfc7009.html)
+  - [RFC7523: JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants](https://docs.authlib.org/en/latest/specs/rfc7523.html)
+  - [RFC7591: OAuth 2.0 Dynamic Client Registration Protocol](https://docs.authlib.org/en/latest/specs/rfc7591.html)
+  - [RFC7592: OAuth 2.0 Dynamic Client Registration Management Protocol](https://docs.authlib.org/en/latest/specs/rfc7592.html)
+  - [RFC7636: Proof Key for Code Exchange by OAuth Public Clients](https://docs.authlib.org/en/latest/specs/rfc7636.html)
+  - [RFC7662: OAuth 2.0 Token Introspection](https://docs.authlib.org/en/latest/specs/rfc7662.html)
+  - [RFC8414: OAuth 2.0 Authorization Server Metadata](https://docs.authlib.org/en/latest/specs/rfc8414.html)
+  - [RFC8628: OAuth 2.0 Device Authorization Grant](https://docs.authlib.org/en/latest/specs/rfc8628.html)
+  - [RFC9068: JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens](https://docs.authlib.org/en/latest/specs/rfc9068.html)
+  - [RFC9101: The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)](https://docs.authlib.org/en/latest/specs/rfc9101.html)
+  - [RFC9207: OAuth 2.0 Authorization Server Issuer Identification](https://docs.authlib.org/en/latest/specs/rfc9207.html)
+- [Javascript Object Signing and Encryption](https://docs.authlib.org/en/latest/jose/index.html)
+  - [RFC7515: JSON Web Signature](https://docs.authlib.org/en/latest/jose/jws.html)
+  - [RFC7516: JSON Web Encryption](https://docs.authlib.org/en/latest/jose/jwe.html)
+  - [RFC7517: JSON Web Key](https://docs.authlib.org/en/latest/jose/jwk.html)
+  - [RFC7518: JSON Web Algorithms](https://docs.authlib.org/en/latest/specs/rfc7518.html)
+  - [RFC7519: JSON Web Token](https://docs.authlib.org/en/latest/jose/jwt.html)
+  - [RFC7638: JSON Web Key (JWK) Thumbprint](https://docs.authlib.org/en/latest/specs/rfc7638.html)
+  - [ ] RFC7797: JSON Web Signature (JWS) Unencoded Payload Option
+  - [RFC8037: ECDH in JWS and JWE](https://docs.authlib.org/en/latest/specs/rfc8037.html)
+  - [ ] draft-madden-jose-ecdh-1pu-04: Public Key Authenticated Encryption for JOSE: ECDH-1PU
+- [OpenID Connect 1.0](https://docs.authlib.org/en/latest/specs/oidc.html)
+  - [x] OpenID Connect Core 1.0
+  - [x] OpenID Connect Discovery 1.0
+  - [x] OpenID Connect Dynamic Client Registration 1.0
+
+Connect third party OAuth providers with Authlib built-in client integrations:
+
+- Requests
+  - [OAuth1Session](https://docs.authlib.org/en/latest/client/requests.html#requests-oauth-1-0)
+  - [OAuth2Session](https://docs.authlib.org/en/latest/client/requests.html#requests-oauth-2-0)
+  - [OpenID Connect](https://docs.authlib.org/en/latest/client/requests.html#requests-openid-connect)
+  - [AssertionSession](https://docs.authlib.org/en/latest/client/requests.html#requests-service-account)
+- HTTPX
+  - [AsyncOAuth1Client](https://docs.authlib.org/en/latest/client/httpx.html#httpx-oauth-1-0)
+  - [AsyncOAuth2Client](https://docs.authlib.org/en/latest/client/httpx.html#httpx-oauth-2-0)
+  - [OpenID Connect](https://docs.authlib.org/en/latest/client/httpx.html#httpx-oauth-2-0)
+  - [AsyncAssertionClient](https://docs.authlib.org/en/latest/client/httpx.html#async-service-account)
+- [Flask OAuth Client](https://docs.authlib.org/en/latest/client/flask.html)
+- [Django OAuth Client](https://docs.authlib.org/en/latest/client/django.html)
+- [Starlette OAuth Client](https://docs.authlib.org/en/latest/client/starlette.html)
+- [FastAPI OAuth Client](https://docs.authlib.org/en/latest/client/fastapi.html)
+
+Build your own OAuth 1.0, OAuth 2.0, and OpenID Connect providers:
+
+- Flask
+  - [Flask OAuth 1.0 Provider](https://docs.authlib.org/en/latest/flask/1/)
+  - [Flask OAuth 2.0 Provider](https://docs.authlib.org/en/latest/flask/2/)
+  - [Flask OpenID Connect 1.0 Provider](https://docs.authlib.org/en/latest/flask/2/openid-connect.html)
+- Django
+  - [Django OAuth 1.0 Provider](https://docs.authlib.org/en/latest/django/1/)
+  - [Django OAuth 2.0 Provider](https://docs.authlib.org/en/latest/django/2/)
+  - [Django OpenID Connect 1.0 Provider](https://docs.authlib.org/en/latest/django/2/openid-connect.html)
+
+## Useful Links
+
+1. Homepage: <https://authlib.org/>.
+2. Documentation: <https://docs.authlib.org/>.
+3. Purchase Commercial License: <https://authlib.org/plans>.
+4. Blog: <https://blog.authlib.org/>.
+5. Twitter: <https://twitter.com/authlib>.
+6. StackOverflow: <https://stackoverflow.com/questions/tagged/authlib>.
+7. Other Repositories: <https://github.com/authlib>.
+8. Subscribe Tidelift: [https://tidelift.com/subscription/pkg/pypi-authlib](https://tidelift.com/subscription/pkg/pypi-authlib?utm_source=pypi-authlib&utm_medium=referral&utm_campaign=links).
+
+## Security Reporting
+
+If you found security bugs, please do not send a public issue or patch.
+You can send me email at <me@lepture.com>. Attachment with patch is welcome.
+My PGP Key fingerprint is:
+
+```
+72F8 E895 A70C EBDF 4F2A DFE0 7E55 E3E0 118B 2B4C
+```
+
+Or, you can use the [Tidelift security contact](https://tidelift.com/security).
+Tidelift will coordinate the fix and disclosure.
+
+## License
+
+Authlib offers two licenses:
+
+1. BSD LICENSE
+2. COMMERCIAL-LICENSE
+
+Any project, open or closed source, can use the BSD license.
+If your company needs commercial support, you can purchase a commercial license at
+[Authlib Plans](https://authlib.org/plans). You can find more information at
+<https://authlib.org/support>.

{authlib-1.6.3 → authlib-1.6.5}/authlib/consts.py

@@ -1,5 +1,5 @@
 name = "Authlib"
-version = "1.6.3"
+version = "1.6.5"
 author = "Hsiaoming Yang <me@lepture.com>"
 homepage = "https://authlib.org"
 default_user_agent = f"{name}/{version} (+{homepage})"

{authlib-1.6.3 → authlib-1.6.5}/authlib/integrations/django_oauth2/authorization_server.py

@@ -24,11 +24,15 @@ class AuthorizationServer(_AuthorizationServer):
     """
 
     def __init__(self, client_model, token_model):
-        self.config = getattr(settings, "AUTHLIB_OAUTH2_PROVIDER", {})
+        super().__init__()
         self.client_model = client_model
         self.token_model = token_model
+        self.load_config(getattr(settings, "AUTHLIB_OAUTH2_PROVIDER", {}))
+
+    def load_config(self, config):
+        self.config = config
         scopes_supported = self.config.get("scopes_supported")
-        super().__init__(scopes_supported=scopes_supported)
+        self.scopes_supported = scopes_supported
         # add default token generator
         self.register_token_generator("default", self.create_bearer_token_generator())
 

{authlib-1.6.3 → authlib-1.6.5}/authlib/integrations/flask_oauth2/authorization_server.py

@@ -53,12 +53,14 @@ class AuthorizationServer(_AuthorizationServer):
             self._query_client = query_client
         if save_token is not None:
             self._save_token = save_token
+        self.load_config(app.config)
 
+    def load_config(self, config):
         self.register_token_generator(
-            "default", self.create_bearer_token_generator(app.config)
+            "default", self.create_bearer_token_generator(config)
         )
-        self.scopes_supported = app.config.get("OAUTH2_SCOPES_SUPPORTED")
-        self._error_uris = app.config.get("OAUTH2_ERROR_URIS")
+        self.scopes_supported = config.get("OAUTH2_SCOPES_SUPPORTED")
+        self._error_uris = config.get("OAUTH2_ERROR_URIS")
 
     def query_client(self, client_id):
         return self._query_client(client_id)

{authlib-1.6.3 → authlib-1.6.5}/authlib/integrations/starlette_client/apps.py

@@ -63,15 +63,22 @@ class StarletteOAuth2App(
     client_cls = AsyncOAuth2Client
 
     async def authorize_access_token(self, request, **kwargs):
-        error = request.query_params.get("error")
-        if error:
-            description = request.query_params.get("error_description")
-            raise OAuthError(error=error, description=description)
-
-        params = {
-            "code": request.query_params.get("code"),
-            "state": request.query_params.get("state"),
-        }
+        if request.scope.get("method", "GET") == "GET":
+            error = request.query_params.get("error")
+            if error:
+                description = request.query_params.get("error_description")
+                raise OAuthError(error=error, description=description)
+
+            params = {
+                "code": request.query_params.get("code"),
+                "state": request.query_params.get("state"),
+            }
+        else:
+            async with request.form() as form:
+                params = {
+                    "code": form.get("code"),
+                    "state": form.get("state"),
+                }
 
         if self.framework.cache:
             session = None

{authlib-1.6.3 → authlib-1.6.5}/authlib/jose/errors.py

@@ -33,6 +33,14 @@ class InvalidHeaderParameterNameError(JoseError):
         super().__init__(description=description)
 
 
+class InvalidCritHeaderParameterNameError(JoseError):
+    error = "invalid_crit_header_parameter_name"
+
+    def __init__(self, name):
+        description = f"Invalid Header Parameter Name: {name}"
+        super().__init__(description=description)
+
+
 class InvalidEncryptionAlgorithmForECDH1PUWithKeyWrappingError(JoseError):
     error = "invalid_encryption_algorithm_for_ECDH_1PU_with_key_wrapping"
 

{authlib-1.6.3 → authlib-1.6.5}/authlib/jose/rfc7515/jws.py

@@ -4,6 +4,7 @@ from authlib.common.encoding import to_unicode
 from authlib.common.encoding import urlsafe_b64encode
 from authlib.jose.errors import BadSignatureError
 from authlib.jose.errors import DecodeError
+from authlib.jose.errors import InvalidCritHeaderParameterNameError
 from authlib.jose.errors import InvalidHeaderParameterNameError
 from authlib.jose.errors import MissingAlgorithmError
 from authlib.jose.errors import UnsupportedAlgorithmError
@@ -33,6 +34,8 @@ class JsonWebSignature:
         ]
     )
 
+    MAX_CONTENT_LENGTH: int = 256000
+
     #: Defined available JWS algorithms in the registry
     ALGORITHMS_REGISTRY = {}
 
@@ -64,6 +67,7 @@ class JsonWebSignature:
         """
         jws_header = JWSHeader(protected, None)
         self._validate_private_headers(protected)
+        self._validate_crit_headers(protected)
         algorithm, key = self._prepare_algorithm_key(protected, payload, key)
 
         protected_segment = json_b64encode(jws_header.protected)
@@ -87,6 +91,9 @@ class JsonWebSignature:
 
         .. _`Section 7.1`: https://tools.ietf.org/html/rfc7515#section-7.1
         """
+        if len(s) > self.MAX_CONTENT_LENGTH:
+            raise ValueError("Serialization is too long.")
+
         try:
             s = to_bytes(s)
             signing_input, signature_segment = s.rsplit(b".", 1)
@@ -95,6 +102,7 @@ class JsonWebSignature:
             raise DecodeError("Not enough segments") from exc
 
         protected = _extract_header(protected_segment)
+        self._validate_crit_headers(protected)
         jws_header = JWSHeader(protected, None)
 
         payload = _extract_payload(payload_segment)
@@ -132,6 +140,11 @@ class JsonWebSignature:
 
         def _sign(jws_header):
             self._validate_private_headers(jws_header)
+            # RFC 7515 §4.1.11: 'crit' MUST be integrity-protected.
+            # Reject if present in unprotected header, and validate only
+            # against the protected header parameters.
+            self._reject_unprotected_crit(jws_header.header)
+            self._validate_crit_headers(jws_header.protected)
             _alg, _key = self._prepare_algorithm_key(jws_header, payload, key)
 
             protected_segment = json_b64encode(jws_header.protected)
@@ -272,6 +285,28 @@ class JsonWebSignature:
                 if k not in names:
                     raise InvalidHeaderParameterNameError(k)
 
+    def _reject_unprotected_crit(self, unprotected_header):
+        """Reject 'crit' when found in the unprotected header (RFC 7515 §4.1.11)."""
+        if unprotected_header and "crit" in unprotected_header:
+            raise InvalidHeaderParameterNameError("crit")
+
+    def _validate_crit_headers(self, header):
+        if "crit" in header:
+            crit_headers = header["crit"]
+            # Type enforcement for robustness and predictable errors
+            if not isinstance(crit_headers, list) or not all(
+                isinstance(x, str) for x in crit_headers
+            ):
+                raise InvalidHeaderParameterNameError("crit")
+            names = self.REGISTERED_HEADER_PARAMETER_NAMES.copy()
+            if self._private_headers:
+                names = names.union(self._private_headers)
+            for k in crit_headers:
+                if k not in names:
+                    raise InvalidCritHeaderParameterNameError(k)
+                elif k not in header:
+                    raise InvalidCritHeaderParameterNameError(k)
+
     def _validate_json_jws(self, payload_segment, payload, header_obj, key):
         protected_segment = header_obj.get("protected")
         if not protected_segment:
@@ -286,7 +321,14 @@ class JsonWebSignature:
         header = header_obj.get("header")
         if header and not isinstance(header, dict):
             raise DecodeError('Invalid "header" value')
-
+        # RFC 7515 §4.1.11: 'crit' MUST be integrity-protected. If present in
+        # the unprotected header object, reject the JWS.
+        self._reject_unprotected_crit(header)
+
+        # Enforce must-understand semantics for names listed in protected
+        # 'crit'. This will also ensure each listed name is present in the
+        # protected header.
+        self._validate_crit_headers(protected)
         jws_header = JWSHeader(protected, header)
         algorithm, key = self._prepare_algorithm_key(jws_header, payload, key)
         signing_input = b".".join([protected_segment, payload_segment])

authlib-1.6.5/authlib/jose/rfc7518/jwe_zips.py

@@ -0,0 +1,34 @@
+import zlib
+
+from ..rfc7516 import JsonWebEncryption
+from ..rfc7516 import JWEZipAlgorithm
+
+GZIP_HEAD = bytes([120, 156])
+MAX_SIZE = 250 * 1024
+
+
+class DeflateZipAlgorithm(JWEZipAlgorithm):
+    name = "DEF"
+    description = "DEFLATE"
+
+    def compress(self, s: bytes) -> bytes:
+        """Compress bytes data with DEFLATE algorithm."""
+        data = zlib.compress(s)
+        # https://datatracker.ietf.org/doc/html/rfc1951
+        # since DEF is always gzip, we can drop gzip headers and tail
+        return data[2:-4]
+
+    def decompress(self, s: bytes) -> bytes:
+        """Decompress DEFLATE bytes data."""
+        if s.startswith(GZIP_HEAD):
+            decompressor = zlib.decompressobj()
+        else:
+            decompressor = zlib.decompressobj(-zlib.MAX_WBITS)
+        value = decompressor.decompress(s, MAX_SIZE)
+        if decompressor.unconsumed_tail:
+            raise ValueError(f"Decompressed string exceeds {MAX_SIZE} bytes")
+        return value
+
+
+def register_jwe_rfc7518():
+    JsonWebEncryption.register_algorithm(DeflateZipAlgorithm())

{authlib-1.6.3 → authlib-1.6.5}/authlib/jose/util.py

@@ -7,6 +7,9 @@ from authlib.jose.errors import DecodeError
 
 
 def extract_header(header_segment, error_cls):
+    if len(header_segment) > 256000:
+        raise ValueError("Value of header is too long")
+
     header_data = extract_segment(header_segment, error_cls, "header")
 
     try:
@@ -20,6 +23,9 @@ def extract_header(header_segment, error_cls):
 
 
 def extract_segment(segment, error_cls, name="payload"):
+    if len(segment) > 256000:
+        raise ValueError(f"Value of {name} is too long")
+
     try:
         return urlsafe_b64decode(segment)
     except (TypeError, binascii.Error) as exc:

{authlib-1.6.3 → authlib-1.6.5}/authlib/oauth2/rfc6749/authorization_server.py

@@ -251,8 +251,9 @@ class AuthorizationServer(Hookable):
         """Validate current HTTP request for authorization page. This page
         is designed for resource owner to grant or deny the authorization.
         """
+        request = self.create_oauth2_request(request)
+
         try:
-            request = self.create_oauth2_request(request)
             request.user = end_user
 
             grant = self.get_authorization_grant(request)

{authlib-1.6.3 → authlib-1.6.5}/authlib/oauth2/rfc6749/parameters.py

@@ -54,9 +54,14 @@ def prepare_grant_uri(
     if state:
         params.append(("state", state))
 
-    for k in kwargs:
-        if kwargs[k] is not None:
-            params.append((to_unicode(k), kwargs[k]))
+    for k, value in kwargs.items():
+        if value is not None:
+            if isinstance(value, (list, tuple)):
+                for v in value:
+                    if v is not None:
+                        params.append((to_unicode(k), v))
+            else:
+                params.append((to_unicode(k), value))
 
     return add_params_to_uri(uri, params)