Hello community,

here is the log from the commit of package python-Authlib for openSUSE:Factory 
checked in at 2026-03-07 20:09:22
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-Authlib (Old)
 and      /work/SRC/openSUSE:Factory/.python-Authlib.new.8177 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python-Authlib"

Sat Mar  7 20:09:22 2026 rev:29 rq:1337357 version:1.6.9

Changes:
--------
--- /work/SRC/openSUSE:Factory/python-Authlib/python-Authlib.changes    
2026-02-18 17:12:06.086388596 +0100
+++ /work/SRC/openSUSE:Factory/.python-Authlib.new.8177/python-Authlib.changes  
2026-03-07 20:14:13.494526749 +0100
@@ -1,0 +2,9 @@
+Fri Mar  6 16:50:14 UTC 2026 - Dirk Müller <[email protected]>
+
+- update to 1.6.9:
+  * Not using header's `jwk` automatically
+  * Add `ES256K` into default jwt algorithms
+  * Remove deprecated algorithm from default registry
+  * Generate random `cek` when `cek` length doesn't match
+
+-------------------------------------------------------------------

Old:
----
  authlib-1.6.8.tar.gz

New:
----
  authlib-1.6.9.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-Authlib.spec ++++++
--- /var/tmp/diff_new_pack.pdUaUV/_old  2026-03-07 20:14:14.074550742 +0100
+++ /var/tmp/diff_new_pack.pdUaUV/_new  2026-03-07 20:14:14.078550908 +0100
@@ -19,7 +19,7 @@
 %define modname authlib
 %{?sle15_python_module_pythons}
 Name:           python-Authlib
-Version:        1.6.8
+Version:        1.6.9
 Release:        0
 Summary:        Python library for building OAuth and OpenID Connect servers
 License:        BSD-3-Clause

++++++ authlib-1.6.8.tar.gz -> authlib-1.6.9.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/authlib-1.6.8/authlib/consts.py 
new/authlib-1.6.9/authlib/consts.py
--- old/authlib-1.6.8/authlib/consts.py 2026-02-14 05:01:10.000000000 +0100
+++ new/authlib-1.6.9/authlib/consts.py 2026-03-02 08:42:53.000000000 +0100
@@ -1,5 +1,5 @@
 name = "Authlib"
-version = "1.6.8"
+version = "1.6.9"
 author = "Hsiaoming Yang <[email protected]>"
 homepage = "https://authlib.org";
 default_user_agent = f"{name}/{version} (+{homepage})"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/authlib-1.6.8/authlib/jose/__init__.py 
new/authlib-1.6.9/authlib/jose/__init__.py
--- old/authlib-1.6.8/authlib/jose/__init__.py  2026-02-14 05:01:10.000000000 
+0100
+++ new/authlib-1.6.9/authlib/jose/__init__.py  2026-03-02 08:42:53.000000000 
+0100
@@ -55,6 +55,7 @@
         "RS384",
         "RS512",
         "ES256",
+        "ES256K",
         "ES384",
         "ES512",
         "PS256",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/authlib-1.6.8/authlib/jose/rfc7515/jws.py 
new/authlib-1.6.9/authlib/jose/rfc7515/jws.py
--- old/authlib-1.6.8/authlib/jose/rfc7515/jws.py       2026-02-14 
05:01:10.000000000 +0100
+++ new/authlib-1.6.9/authlib/jose/rfc7515/jws.py       2026-03-02 
08:42:53.000000000 +0100
@@ -261,16 +261,18 @@
             raise MissingAlgorithmError()
 
         alg = header["alg"]
-        if self._algorithms is not None and alg not in self._algorithms:
-            raise UnsupportedAlgorithmError()
         if alg not in self.ALGORITHMS_REGISTRY:
             raise UnsupportedAlgorithmError()
 
         algorithm = self.ALGORITHMS_REGISTRY[alg]
+        if self._algorithms is None:
+            if algorithm.deprecated:
+                raise UnsupportedAlgorithmError()
+        elif alg not in self._algorithms:
+            raise UnsupportedAlgorithmError()
+
         if callable(key):
             key = key(header, payload)
-        elif key is None and "jwk" in header:
-            key = header["jwk"]
         key = algorithm.prepare_key(key)
         return algorithm, key
 
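Review bot: The new allow-list branch is uncommented, so nothing records that a deprecated algorithm is rejected only when `_algorithms` is `None` and remains usable once a caller lists it explicitly. I would add `# algorithms=None: accept every registered algorithm except deprecated ones (e.g. "none"); deprecated ones need an explicit opt-in` above `if self._algorithms is None:`. The matching hunk in rfc7516/jwe.py carries `# use all ALG_REGISTRY algorithms`, which reads as if deprecated entries were included and should be reworded the same way. Where the `jwk` fallback was removed, a comment such as `# header["jwk"] is sender-controlled; only a caller-supplied key or key callable may select the verification key` would explain why `key=None` now goes straight to `prepare_key`. No test for either behaviour appears in the visible part of this diff, and the enclosing method starts outside the hunk.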
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/authlib-1.6.8/authlib/jose/rfc7515/models.py 
new/authlib-1.6.9/authlib/jose/rfc7515/models.py
--- old/authlib-1.6.8/authlib/jose/rfc7515/models.py    2026-02-14 
05:01:10.000000000 +0100
+++ new/authlib-1.6.9/authlib/jose/rfc7515/models.py    2026-03-02 
08:42:53.000000000 +0100
@@ -5,6 +5,7 @@
 
     name = None
     description = None
+    deprecated = False
     algorithm_type = "JWS"
     algorithm_location = "alg"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/authlib-1.6.8/authlib/jose/rfc7516/jwe.py 
new/authlib-1.6.9/authlib/jose/rfc7516/jwe.py
--- old/authlib-1.6.8/authlib/jose/rfc7516/jwe.py       2026-02-14 
05:01:10.000000000 +0100
+++ new/authlib-1.6.9/authlib/jose/rfc7516/jwe.py       2026-03-02 
08:42:53.000000000 +0100
@@ -697,11 +697,19 @@
             raise MissingAlgorithmError()
 
         alg = header["alg"]
-        if self._algorithms is not None and alg not in self._algorithms:
-            raise UnsupportedAlgorithmError()
         if alg not in self.ALG_REGISTRY:
             raise UnsupportedAlgorithmError()
-        return self.ALG_REGISTRY[alg]
+
+        instance = self.ALG_REGISTRY[alg]
+
+        # use all ALG_REGISTRY algorithms
+        if self._algorithms is None:
+            # do not use deprecated algorithms
+            if instance.deprecated:
+                raise UnsupportedAlgorithmError()
+        elif alg not in self._algorithms:
+            raise UnsupportedAlgorithmError()
+        return instance
 
     def get_header_enc(self, header):
         if "enc" not in header:
@@ -754,6 +762,4 @@
 def prepare_key(alg, header, key):
     if callable(key):
         key = key(header, None)
-    elif key is None and "jwk" in header:
-        key = header["jwk"]
     return alg.prepare_key(key)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/authlib-1.6.8/authlib/jose/rfc7516/models.py 
new/authlib-1.6.9/authlib/jose/rfc7516/models.py
--- old/authlib-1.6.8/authlib/jose/rfc7516/models.py    2026-02-14 
05:01:10.000000000 +0100
+++ new/authlib-1.6.9/authlib/jose/rfc7516/models.py    2026-03-02 
08:42:53.000000000 +0100
@@ -9,6 +9,7 @@
 
     name = None
     description = None
+    deprecated = False
     algorithm_type = "JWE"
     algorithm_location = "alg"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/authlib-1.6.8/authlib/jose/rfc7518/jwe_algs.py 
new/authlib-1.6.9/authlib/jose/rfc7518/jwe_algs.py
--- old/authlib-1.6.8/authlib/jose/rfc7518/jwe_algs.py  2026-02-14 
05:01:10.000000000 +0100
+++ new/authlib-1.6.9/authlib/jose/rfc7518/jwe_algs.py  2026-03-02 
08:42:53.000000000 +0100
@@ -1,4 +1,4 @@
-import os
+import secrets
 import struct
 
 from cryptography.hazmat.backends import default_backend
@@ -41,7 +41,7 @@
     def unwrap(self, enc_alg, ek, headers, key):
         cek = key.get_op_key("decrypt")
         if len(cek) * 8 != enc_alg.CEK_SIZE:
-            raise ValueError('Invalid "cek" length')
+            cek = secrets.token_bytes(enc_alg.CEK_SIZE // 8)
         return cek
 
 
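Review bot: Substituting random bytes for a wrong-length CEK is not explained here, and in this `unwrap` nothing is decrypted (`cek` is the caller's own key), so the change only converts a key/`enc` size mismatch into a later tag failure. A comment such as `# wrong-size CEK: continue with a random key so the failure surfaces at tag verification instead of as a distinct error` would stop a maintainer from restoring the `ValueError`. The same line is added in the unwrap hunks at @@ -75, @@ -118 and @@ -185 of this file and needs the same comment. For this direct-key case it is worth confirming that hiding the misconfiguration from the caller is intended, since the updated tests show the error now arrives as `InvalidTag`.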
@@ -52,6 +52,7 @@
 
     def __init__(self, name, description, pad_fn):
         self.name = name
+        self.deprecated = name == "RSA1_5"
         self.description = description
         self.padding = pad_fn
 
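Review bot: `self.deprecated = name == "RSA1_5"` hard-codes one algorithm name inside a constructor shared by every instance of this class, so the policy is hidden in a string comparison. A keyword parameter with a safe default, e.g. `def __init__(self, name, description, pad_fn, deprecated=False):` with `self.deprecated = deprecated`, would keep the decision at the registration site and stay backward-compatible. If the comparison is kept, a comment such as `# RSA1_5 (PKCS#1 v1.5 key transport) is excluded from the default algorithm set` would record why. The class header is outside the hunk.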
@@ -75,11 +76,10 @@
         return {"ek": ek, "cek": cek}
 
     def unwrap(self, enc_alg, ek, headers, key):
-        # it will raise ValueError if failed
         op_key = key.get_op_key("unwrapKey")
         cek = op_key.decrypt(ek, self.padding)
         if len(cek) * 8 != enc_alg.CEK_SIZE:
-            raise ValueError('Invalid "cek" length')
+            cek = secrets.token_bytes(enc_alg.CEK_SIZE // 8)
         return cek
 
 
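Review bot: Only the wrong-length case is made uniform here; `op_key.decrypt(ek, self.padding)` is still called unguarded, and the removed comment stated that it raises `ValueError` on failure. If that still holds for the installed `cryptography` backend, a failed unwrap and a wrong-length CEK remain distinguishable to the sender (an immediate `ValueError` versus a later tag failure), which is the distinction the random CEK is presumably meant to remove. I would catch the decrypt failure and route it into the same random-CEK path, as sketched below. Timing differences are not addressed by this sketch.

```python
    def unwrap(self, enc_alg, ek, headers, key):
        op_key = key.get_op_key("unwrapKey")
        try:
            cek = op_key.decrypt(ek, self.padding)
        except ValueError:
            # failed unwrap: take the same random-CEK path as a wrong-length CEK
            cek = b""
        if len(cek) * 8 != enc_alg.CEK_SIZE:
            cek = secrets.token_bytes(enc_alg.CEK_SIZE // 8)
        return cek
```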
@@ -118,7 +118,7 @@
         self._check_key(op_key)
         cek = aes_key_unwrap(op_key, ek, default_backend())
         if len(cek) * 8 != enc_alg.CEK_SIZE:
-            raise ValueError('Invalid "cek" length')
+            cek = secrets.token_bytes(enc_alg.CEK_SIZE // 8)
         return cek
 
 
@@ -154,7 +154,7 @@
         #: The "iv" (initialization vector) Header Parameter value is the
         #: base64url-encoded representation of the 96-bit IV value
         iv_size = 96
-        iv = os.urandom(iv_size // 8)
+        iv = secrets.token_bytes(iv_size // 8)
 
         cipher = Cipher(AES(op_key), GCM(iv), backend=default_backend())
         enc = cipher.encryptor()
@@ -185,7 +185,7 @@
         d = cipher.decryptor()
         cek = d.update(ek) + d.finalize()
         if len(cek) * 8 != enc_alg.CEK_SIZE:
-            raise ValueError('Invalid "cek" length')
+            cek = secrets.token_bytes(enc_alg.CEK_SIZE // 8)
         return cek
 
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/authlib-1.6.8/authlib/jose/rfc7518/jws_algs.py 
new/authlib-1.6.9/authlib/jose/rfc7518/jws_algs.py
--- old/authlib-1.6.8/authlib/jose/rfc7518/jws_algs.py  2026-02-14 
05:01:10.000000000 +0100
+++ new/authlib-1.6.9/authlib/jose/rfc7518/jws_algs.py  2026-03-02 
08:42:53.000000000 +0100
@@ -27,6 +27,7 @@
 class NoneAlgorithm(JWSAlgorithm):
     name = "none"
     description = "No digital signature or MAC performed"
+    deprecated = True
 
     def prepare_key(self, raw_data):
         return None
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/authlib-1.6.8/authlib/oidc/core/claims.py 
new/authlib-1.6.9/authlib/oidc/core/claims.py
--- old/authlib-1.6.8/authlib/oidc/core/claims.py       2026-02-14 
05:01:10.000000000 +0100
+++ new/authlib-1.6.9/authlib/oidc/core/claims.py       2026-03-02 
08:42:53.000000000 +0100
@@ -303,6 +303,6 @@
 
 def _verify_hash(signature, s, alg):
     hash_value = create_half_hash(s, alg)
-    if not hash_value:
-        return True
+    if hash_value is None:
+        return False
     return hmac.compare_digest(hash_value, to_bytes(signature))
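Review bot: `_verify_hash` now fails closed when `create_half_hash` returns `None`, but nothing in the function says so. A comment such as `# no hash defined for this alg: treat the claim as invalid rather than skipping the check` above `if hash_value is None:` would record the intent. `create_half_hash` is outside the hunk, so it should be confirmed which `alg` values make it return `None`: ID tokens signed with any such algorithm will now fail `at_hash`/`c_hash` validation, as the updated tests show for `HS222`. If legitimate algorithms fall into that set, the change deserves a line in the release notes.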
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/authlib-1.6.8/tests/core/test_oidc/test_core.py 
new/authlib-1.6.9/tests/core/test_oidc/test_core.py
--- old/authlib-1.6.8/tests/core/test_oidc/test_core.py 2026-02-14 
05:01:10.000000000 +0100
+++ new/authlib-1.6.9/tests/core/test_oidc/test_core.py 2026-03-02 
08:42:53.000000000 +0100
@@ -99,9 +99,10 @@
     )
     claims.params = {"access_token": "a"}
 
-    # invalid alg won't raise
+    # invalid alg will raise too
     claims.header = {"alg": "HS222"}
-    claims.validate(1000)
+    with pytest.raises(InvalidClaimError):
+        claims.validate(1000)
 
     claims.header = {"alg": "HS256"}
     with pytest.raises(InvalidClaimError):
@@ -143,10 +144,11 @@
     with pytest.raises(MissingClaimError):
         claims.validate(1000)
 
-    # invalid alg won't raise
+    # invalid alg will raise too
     claims.header = {"alg": "HS222"}
     claims["c_hash"] = "a"
-    claims.validate(1000)
+    with pytest.raises(InvalidClaimError):
+        claims.validate(1000)
 
     claims.header = {"alg": "HS256"}
     with pytest.raises(InvalidClaimError):
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/authlib-1.6.8/tests/jose/test_chacha20.py 
new/authlib-1.6.9/tests/jose/test_chacha20.py
--- old/authlib-1.6.8/tests/jose/test_chacha20.py       2026-02-14 
05:01:10.000000000 +0100
+++ new/authlib-1.6.9/tests/jose/test_chacha20.py       2026-03-02 
08:42:53.000000000 +0100
@@ -1,4 +1,5 @@
 import pytest
+from cryptography.exceptions import InvalidTag
 
 from authlib.jose import JsonWebEncryption
 from authlib.jose import OctKey
@@ -16,7 +17,7 @@
     assert rv["payload"] == b"hello"
 
     key2 = OctKey.generate_key(128, is_private=True)
-    with pytest.raises(ValueError):
+    with pytest.raises(InvalidTag):
         jwe.deserialize_compact(data, key2)
 
     with pytest.raises(ValueError):
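Review bot: The updated expectation pins `cryptography.exceptions.InvalidTag` as what `jwe.deserialize_compact` raises for a wrong-size key, which makes a third-party exception type part of the library's observable behaviour. Callers that previously caught `ValueError` around decryption will presumably no longer catch this failure, so an unhandled exception can surface where a clean rejection used to. It would be safer for the JWE layer to translate `InvalidTag` into one of the library's own JOSE errors and for this test to assert that type. The test_jwe.py hunk at @@ -1143 makes the same change, with no import hunk visible for `InvalidTag` there, so that file presumably imports it already.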
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/authlib-1.6.8/tests/jose/test_jwe.py 
new/authlib-1.6.9/tests/jose/test_jwe.py
--- old/authlib-1.6.8/tests/jose/test_jwe.py    2026-02-14 05:01:10.000000000 
+0100
+++ new/authlib-1.6.9/tests/jose/test_jwe.py    2026-03-02 08:42:53.000000000 
+0100
@@ -1143,7 +1143,7 @@
     assert rv["payload"] == b"hello"
 
     key2 = OctKey.generate_key(256, is_private=True)
-    with pytest.raises(ValueError):
+    with pytest.raises(InvalidTag):
         jwe.deserialize_compact(data, key2)
 
     with pytest.raises(ValueError):
