Bump authlib from 0.15.3 to 1.2.0

[dependabot]

Bumps authlib from 0.15.3 to 1.2.0.

Release notes

Sourced from authlib's releases.

Version 1.2.0

• Not passing request.body to ResourceProtector, #485.
• Use flask.g instead of _app_ctx_stack, #482.
• Add headers parameter back to ClientSecretJWT, #457.
• Always passing realm parameter in OAuth 1 clients, #339.
• Implemented RFC7592 Dynamic Client Registration Management Protocol, #505`
• Add default_timeout for requests OAuth2Session and AssertionSession.
• Deprecate jwk.loads and jwk.dumps

Version 1.1.0

This release contains breaking changes and security fixes.

• Allow to pass claims_options to Framework OpenID Connect clients, via #446 by @​Galaxy102
• Fix .stream with context for HTTPX OAuth clients, via #465 by @​bjoernmeier
• Fix Starlette OAuth client for cache store, via #478 by @​haggen

Breaking changes:

• Raise InvalidGrantError for invalid code, redirect_uri and no user errors in OAuth 2.0 server.
• The default authlib.jose.jwt would only work with JSON Web Signature algorithms, if you would like to use JWT with JWE algorithms, please pass the algorithms parameter:

jwt = JsonWebToken(['A128KW', 'A128GCM', 'DEF'])

Security fixes for JOSE module

• CVE-2022-39175
• CVE-2022-39174

Version 1.0.1

• Fix authenticate_none method, via #438.
• Allow to pass in alternative signing algorithm to RFC7523 authentication methods via #447.
• Fix missing_token for Flask OAuth client, via #448.
• Allow openid in any place of the scope, via #449.
• Security fix for validating essential value on blank value in JWT, via #445.

Version 1.0.0

We have dropped support for Python 2 in this release. We have removed built-in SQLAlchemy integration.

OAuth Client Changes:

The whole framework client integrations have been restructured, if you are using the client properly, e.g. oauth.register(...), it would work as before.

OAuth Provider Changes:

In Flask OAuth 2.0 provider, we have removed the deprecated

... (truncated)

Changelog

Sourced from authlib's changelog.

Version 1.2.0

Released on Dec 6, 2022

• Not passing request.body to ResourceProtector, via :gh:issue#485.
• Use flask.g instead of _app_ctx_stack, via :gh:issue#482.
• Add headers parameter back to ClientSecretJWT, via :gh:issue#457.
• Always passing realm parameter in OAuth 1 clients, via :gh:issue#339.
• Implemented RFC7592 Dynamic Client Registration Management Protocol, via :gh:PR#505.
• Add default_timeout for requests OAuth2Session and AssertionSession.
• Deprecate jwk.loads and jwk.dumps

Version 1.1.0

Released on Sep 13, 2022

This release contains breaking changes and security fixes.

• Allow to pass claims_options to Framework OpenID Connect clients, via :gh:PR#446.
• Fix .stream with context for HTTPX OAuth clients, via :gh:PR#465.
• Fix Starlette OAuth client for cache store, via :gh:PR#478.

Breaking changes:

• Raise InvalidGrantError for invalid code, redirect_uri and no user errors in OAuth 2.0 server.

• The default authlib.jose.jwt would only work with JSON Web Signature algorithms, if you would like to use JWT with JWE algorithms, please pass the algorithms parameter::

  jwt = JsonWebToken(['A128KW', 'A128GCM', 'DEF'])
  

Security fixes: CVE-2022-39175 and CVE-2022-39174, both related to JOSE.

Version 1.0.1

Released on Apr 6, 2022

• Fix authenticate_none method, via :gh:issue#438.
• Allow to pass in alternative signing algorithm to RFC7523 authentication methods via :gh:PR#447.
• Fix missing_token for Flask OAuth client, via :gh:issue#448.
• Allow openid in any place of the scope, via :gh:issue#449.
• Security fix for validating essential value on blank value in JWT, via :gh:issue#445.

Version 1.0.0

... (truncated)

Commits

• 7575ea3 Version bump 1.2.0
• e98325a deprecate jwk.loads and jwk.dumps
• d186f68 Only re-assign redirect_uri if redirect_uri is not None
• b0fc78f Add default_timeout for requests Session #510
• def72dc Merge pull request #510 from kognity/fix-load-server-metadata-2
• d644ad7 Add support for default timeout in OAuth2Session
• 676645c Merge pull request #503 from ktosiek/patch-1
• a7ac27a Merge pull request #505 from azmeuk/rfc7592
• 831f4d4 rfc7592: get_server_metadata implementation example
• 3fa7312 rfc7592: fixed changelog message, again
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)