Hello community,

here is the log from the commit of package python-oauthlib for openSUSE:Factory 
checked in at 2022-09-17 20:08:19
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-oauthlib (Old)
 and      /work/SRC/openSUSE:Factory/.python-oauthlib.new.2083 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python-oauthlib"

Sat Sep 17 20:08:19 2022 rev:32 rq:1003122 version:3.2.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/python-oauthlib/python-oauthlib.changes  
2022-02-06 23:54:00.694928550 +0100
+++ 
/work/SRC/openSUSE:Factory/.python-oauthlib.new.2083/python-oauthlib.changes    
    2022-09-17 20:08:26.704828892 +0200
@@ -1,0 +2,13 @@
+Mon Sep 12 14:39:20 UTC 2022 - Arun Persaud <a...@gmx.de>
+
+- specfile:
+  * update requirements
+
+- update to version 3.2.1:
+  * OAuth2.0 Provider: * #803: Metadata endpoint support of non-HTTPS
+    * CVE-2022-36087, bugzilla # 1203333
+  * OAuth1.0: * #818: Allow IPv6 being parsed by signature
+  * General: * Improved and fixed documentation warnings. * Cosmetic
+    changes based on isort
+
+-------------------------------------------------------------------
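Review bot: the CVE reference is indented under the #803 metadata-endpoint bullet, which reads as if #803 were the security fix, while the upstream CHANGELOG.rst in this same diff lists "#803" and "CVE-2022-36087" as two separate items. Put the CVE on its own bullet with a one-line description of what was fixed, and write the bug reference in the usual openSUSE form, bsc#1203333, instead of "bugzilla # 1203333".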

Old:
----
  oauthlib-3.2.0.tar.gz

New:
----
  oauthlib-3.2.1.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-oauthlib.spec ++++++
--- /var/tmp/diff_new_pack.4BFqqf/_old  2022-09-17 20:08:27.372830820 +0200
+++ /var/tmp/diff_new_pack.4BFqqf/_new  2022-09-17 20:08:27.376830831 +0200
@@ -19,23 +19,23 @@
 %{?!python_module:%define python_module() python-%{**} python3-%{**}}
 %define skip_python2 1
 Name:           python-oauthlib
-Version:        3.2.0
+Version:        3.2.1
 Release:        0
 Summary:        A Generic Implementation of the OAuth Request-Signing Logic
 License:        BSD-3-Clause
 Group:          Development/Languages/Python
 URL:            https://github.com/oauthlib/oauthlib
 Source:         
https://files.pythonhosted.org/packages/source/o/oauthlib/oauthlib-%{version}.tar.gz
-BuildRequires:  %{python_module PyJWT >= 1.0.0}
-BuildRequires:  %{python_module blinker}
-BuildRequires:  %{python_module cryptography}
+BuildRequires:  %{python_module PyJWT >= 2.0.0}
+BuildRequires:  %{python_module blinker >= 1.4}
+BuildRequires:  %{python_module cryptography >= 3.0.0 }
 BuildRequires:  %{python_module pyasn1}
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  fdupes
 BuildRequires:  python-rpm-macros
-Requires:       python-PyJWT >= 1.0.0
-Requires:       python-blinker
-Requires:       python-cryptography
+Requires:       python-PyJWT >= 2.0.0
+Requires:       python-blinker >= 1.4
+Requires:       python-cryptography >= 3.0.0
 BuildArch:      noarch
 %python_subpackages
 

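Review bot: there is a stray space before the closing brace in "%{python_module cryptography >= 3.0.0 }" (third changed BuildRequires line); the PyJWT and blinker macro calls close directly after the version. Drop the space so the three BuildRequires lines match each other and the corresponding Requires lines.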
++++++ oauthlib-3.2.0.tar.gz -> oauthlib-3.2.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/oauthlib-3.2.0/CHANGELOG.rst 
new/oauthlib-3.2.1/CHANGELOG.rst
--- old/oauthlib-3.2.0/CHANGELOG.rst    2022-01-29 22:58:41.000000000 +0100
+++ new/oauthlib-3.2.1/CHANGELOG.rst    2022-09-09 21:53:55.000000000 +0200
@@ -1,6 +1,19 @@
 Changelog
 =========
 
+3.2.1 (2022-09-09)
+------------------
+OAuth2.0 Provider:
+* #803: Metadata endpoint support of non-HTTPS
+* CVE-2022-36087
+
+OAuth1.0:
+* #818: Allow IPv6 being parsed by signature
+
+General:
+* Improved and fixed documentation warnings.
+* Cosmetic changes based on isort
+
 3.2.0 (2022-01-29)
 ------------------
 OAuth2.0 Client:
@@ -146,7 +159,7 @@
 General fixes:
 
 * $ and ' are allowed to be unencoded in query strings #564
-* Request attributes are no longer overriden by HTTP Headers #409
+* Request attributes are no longer overridden by HTTP Headers #409
 * Removed unnecessary code for handling python2.6
 * Add support of python3.7 #621
 * Several minors updates to setup.py and tox
@@ -204,7 +217,7 @@
 * Added log statements to except clauses.
 * According to RC7009 Section 2.1, a client should include authentication 
credentials when revoking its tokens.
   As discussed in #339, this is not make sense for public clients.
-  However, in that case, the public client should still be checked that is 
infact a public client (authenticate_client_id).
+  However, in that case, the public client should still be checked that is in 
fact a public client (authenticate_client_id).
 * Improved prompt parameter validation.
 * Added two error codes from RFC 6750.
 * Hybrid response types are now be fragment-encoded.
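Review bot: this spelling fix leaves the neighbouring errors in place: "RC7009" (for RFC 7009) and "this is not make sense" in the two lines above the change, "should still be checked that is in fact" in the corrected line itself, and "are now be fragment-encoded" two lines below. If the pass is meant to clean up the changelog text, fix these in the same change.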
@@ -354,7 +367,7 @@
 Draft revocation endpoint features and numerous fixes including:
 
 * (OAuth 2 Provider) is_within_original_scope to check whether a refresh token
-  is trying to aquire a new set of scopes that are a subset of the original 
scope.
+  is trying to acquire a new set of scopes that are a subset of the original 
scope.
 
 * (OAuth 2 Provider) expires_in token lifetime can be set per request.
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/oauthlib-3.2.0/PKG-INFO new/oauthlib-3.2.1/PKG-INFO
--- old/oauthlib-3.2.0/PKG-INFO 2022-01-29 22:59:32.000000000 +0100
+++ new/oauthlib-3.2.1/PKG-INFO 2022-09-09 22:17:50.956804500 +0200
@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: oauthlib
-Version: 3.2.0
+Version: 3.2.1
 Summary: A generic, spec-compliant, thorough implementation of the OAuth 
request-signing logic
 Home-page: https://github.com/oauthlib/oauthlib
 Author: The OAuthlib Community
@@ -42,8 +42,8 @@
 *A generic, spec-compliant, thorough implementation of the OAuth 
request-signing
 logic for Python 3.6+.*
 
-.. image:: https://travis-ci.org/oauthlib/oauthlib.svg?branch=master
-  :target: https://travis-ci.org/oauthlib/oauthlib
+.. image:: https://app.travis-ci.com/oauthlib/oauthlib.svg?branch=master
+  :target: https://app.travis-ci.com/oauthlib/oauthlib
   :alt: Travis
 .. image:: https://coveralls.io/repos/oauthlib/oauthlib/badge.svg?branch=master
   :target: https://coveralls.io/r/oauthlib/oauthlib
@@ -141,7 +141,7 @@
 
 Chances are you have run into something annoying that you wish there was
 documentation for, if you wish to gain eternal fame and glory, and a drink if 
we
-have the pleasure to run into eachother, please send a docs pull request =)
+have the pleasure to run into each other, please send a docs pull request =)
 
 .. _`Gitter community`: https://gitter.im/oauthlib/Lobby
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/oauthlib-3.2.0/README.rst 
new/oauthlib-3.2.1/README.rst
--- old/oauthlib-3.2.0/README.rst       2022-01-29 22:58:41.000000000 +0100
+++ new/oauthlib-3.2.1/README.rst       2022-09-06 22:10:05.000000000 +0200
@@ -4,8 +4,8 @@
 *A generic, spec-compliant, thorough implementation of the OAuth 
request-signing
 logic for Python 3.6+.*
 
-.. image:: https://travis-ci.org/oauthlib/oauthlib.svg?branch=master
-  :target: https://travis-ci.org/oauthlib/oauthlib
+.. image:: https://app.travis-ci.com/oauthlib/oauthlib.svg?branch=master
+  :target: https://app.travis-ci.com/oauthlib/oauthlib
   :alt: Travis
 .. image:: https://coveralls.io/repos/oauthlib/oauthlib/badge.svg?branch=master
   :target: https://coveralls.io/r/oauthlib/oauthlib
@@ -103,7 +103,7 @@
 
 Chances are you have run into something annoying that you wish there was
 documentation for, if you wish to gain eternal fame and glory, and a drink if 
we
-have the pleasure to run into eachother, please send a docs pull request =)
+have the pleasure to run into each other, please send a docs pull request =)
 
 .. _`Gitter community`: https://gitter.im/oauthlib/Lobby
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/oauthlib-3.2.0/oauthlib/__init__.py 
new/oauthlib-3.2.1/oauthlib/__init__.py
--- old/oauthlib-3.2.0/oauthlib/__init__.py     2022-01-29 22:58:41.000000000 
+0100
+++ new/oauthlib-3.2.1/oauthlib/__init__.py     2022-09-06 22:40:22.000000000 
+0200
@@ -12,7 +12,7 @@
 from logging import NullHandler
 
 __author__ = 'The OAuthlib Community'
-__version__ = '3.2.0'
+__version__ = '3.2.1'
 
 logging.getLogger('oauthlib').addHandler(NullHandler())
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/oauthlib-3.2.0/oauthlib/common.py 
new/oauthlib-3.2.1/oauthlib/common.py
--- old/oauthlib-3.2.0/oauthlib/common.py       2022-01-29 22:58:41.000000000 
+0100
+++ new/oauthlib-3.2.1/oauthlib/common.py       2022-09-06 22:10:05.000000000 
+0200
@@ -18,11 +18,9 @@
 from . import get_debug
 
 try:
-    from secrets import randbits
-    from secrets import SystemRandom
+    from secrets import SystemRandom, randbits
 except ImportError:
-    from random import getrandbits as randbits
-    from random import SystemRandom
+    from random import SystemRandom, getrandbits as randbits
 
 UNICODE_ASCII_CHARACTER_SET = ('abcdefghijklmnopqrstuvwxyz'
                                'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
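Review bot: the "except ImportError" branch still falls back to random.getrandbits, the non-cryptographic Mersenne Twister generator, as a stand-in for secrets.randbits; merging the import lines keeps that fallback alive. The README in this release states Python 3.6+, and the secrets module has been in the standard library since 3.6, so the branch cannot be reached on a supported interpreter. Remove the try/except and import SystemRandom and randbits from secrets only, so a weaker source can never be selected silently.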
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/oauthlib-3.2.0/oauthlib/oauth1/__init__.py 
new/oauthlib-3.2.1/oauthlib/oauth1/__init__.py
--- old/oauthlib-3.2.0/oauthlib/oauth1/__init__.py      2022-01-29 
22:58:41.000000000 +0100
+++ new/oauthlib-3.2.1/oauthlib/oauth1/__init__.py      2022-09-06 
22:10:05.000000000 +0200
@@ -5,24 +5,19 @@
 This module is a wrapper for the most recent implementation of OAuth 1.0 Client
 and Server classes.
 """
-from .rfc5849 import Client
-from .rfc5849 import (SIGNATURE_HMAC,
-                      SIGNATURE_HMAC_SHA1,
-                      SIGNATURE_HMAC_SHA256,
-                      SIGNATURE_HMAC_SHA512,
-                      SIGNATURE_RSA,
-                      SIGNATURE_RSA_SHA1,
-                      SIGNATURE_RSA_SHA256,
-                      SIGNATURE_RSA_SHA512,
-                      SIGNATURE_PLAINTEXT)
-from .rfc5849 import SIGNATURE_TYPE_AUTH_HEADER, SIGNATURE_TYPE_QUERY
-from .rfc5849 import SIGNATURE_TYPE_BODY
+from .rfc5849 import (
+    SIGNATURE_HMAC, SIGNATURE_HMAC_SHA1, SIGNATURE_HMAC_SHA256,
+    SIGNATURE_HMAC_SHA512, SIGNATURE_PLAINTEXT, SIGNATURE_RSA,
+    SIGNATURE_RSA_SHA1, SIGNATURE_RSA_SHA256, SIGNATURE_RSA_SHA512,
+    SIGNATURE_TYPE_AUTH_HEADER, SIGNATURE_TYPE_BODY, SIGNATURE_TYPE_QUERY,
+    Client,
+)
+from .rfc5849.endpoints import (
+    AccessTokenEndpoint, AuthorizationEndpoint, RequestTokenEndpoint,
+    ResourceEndpoint, SignatureOnlyEndpoint, WebApplicationServer,
+)
+from .rfc5849.errors import (
+    InsecureTransportError, InvalidClientError, InvalidRequestError,
+    InvalidSignatureMethodError, OAuth1Error,
+)
 from .rfc5849.request_validator import RequestValidator
-from .rfc5849.endpoints import RequestTokenEndpoint, AuthorizationEndpoint
-from .rfc5849.endpoints import AccessTokenEndpoint, ResourceEndpoint
-from .rfc5849.endpoints import SignatureOnlyEndpoint, WebApplicationServer
-from .rfc5849.errors import (InsecureTransportError,
-                             InvalidClientError,
-                             InvalidRequestError,
-                             InvalidSignatureMethodError,
-                             OAuth1Error)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/oauthlib-3.2.0/oauthlib/oauth1/rfc5849/endpoints/base.py 
new/oauthlib-3.2.1/oauthlib/oauth1/rfc5849/endpoints/base.py
--- old/oauthlib-3.2.0/oauthlib/oauth1/rfc5849/endpoints/base.py        
2022-01-29 22:58:41.000000000 +0100
+++ new/oauthlib-3.2.1/oauthlib/oauth1/rfc5849/endpoints/base.py        
2022-09-06 22:10:05.000000000 +0200
@@ -11,12 +11,11 @@
 from oauthlib.common import CaseInsensitiveDict, Request, generate_token
 
 from .. import (
-    CONTENT_TYPE_FORM_URLENCODED,
-    SIGNATURE_HMAC_SHA1, SIGNATURE_HMAC_SHA256, SIGNATURE_HMAC_SHA512,
-    SIGNATURE_RSA_SHA1, SIGNATURE_RSA_SHA256, SIGNATURE_RSA_SHA512,
-    SIGNATURE_PLAINTEXT,
-    SIGNATURE_TYPE_AUTH_HEADER, SIGNATURE_TYPE_BODY,
-    SIGNATURE_TYPE_QUERY, errors, signature, utils)
+    CONTENT_TYPE_FORM_URLENCODED, SIGNATURE_HMAC_SHA1, SIGNATURE_HMAC_SHA256,
+    SIGNATURE_HMAC_SHA512, SIGNATURE_PLAINTEXT, SIGNATURE_RSA_SHA1,
+    SIGNATURE_RSA_SHA256, SIGNATURE_RSA_SHA512, SIGNATURE_TYPE_AUTH_HEADER,
+    SIGNATURE_TYPE_BODY, SIGNATURE_TYPE_QUERY, errors, signature, utils,
+)
 
 
 class BaseEndpoint:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/oauthlib-3.2.0/oauthlib/oauth1/rfc5849/endpoints/request_token.py 
new/oauthlib-3.2.1/oauthlib/oauth1/rfc5849/endpoints/request_token.py
--- old/oauthlib-3.2.0/oauthlib/oauth1/rfc5849/endpoints/request_token.py       
2022-01-29 22:58:41.000000000 +0100
+++ new/oauthlib-3.2.1/oauthlib/oauth1/rfc5849/endpoints/request_token.py       
2022-09-06 22:10:05.000000000 +0200
@@ -152,7 +152,7 @@
             request.client_key = self.request_validator.dummy_client
 
         # Note that `realm`_ is only used in authorization headers and how
-        # it should be interepreted is not included in the OAuth spec.
+        # it should be interpreted is not included in the OAuth spec.
         # However they could be seen as a scope or realm to which the
         # client has access and as such every client should be checked
         # to ensure it is authorized access to that scope or realm.
@@ -164,7 +164,7 @@
         # workflow where a client requests access to a specific realm.
         # This first step (obtaining request token) need not require a realm
         # and can then be identified by checking the require_resource_owner
-        # flag and abscence of realm.
+        # flag and absence of realm.
         #
         # Clients obtaining an access token will not supply a realm and it will
         # not be checked. Instead the previously requested realm should be
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/oauthlib-3.2.0/oauthlib/oauth1/rfc5849/endpoints/resource.py 
new/oauthlib-3.2.1/oauthlib/oauth1/rfc5849/endpoints/resource.py
--- old/oauthlib-3.2.0/oauthlib/oauth1/rfc5849/endpoints/resource.py    
2022-01-29 22:58:41.000000000 +0100
+++ new/oauthlib-3.2.1/oauthlib/oauth1/rfc5849/endpoints/resource.py    
2022-09-06 22:10:05.000000000 +0200
@@ -113,7 +113,7 @@
             request.resource_owner_key = 
self.request_validator.dummy_access_token
 
         # Note that `realm`_ is only used in authorization headers and how
-        # it should be interepreted is not included in the OAuth spec.
+        # it should be interpreted is not included in the OAuth spec.
         # However they could be seen as a scope or realm to which the
         # client has access and as such every client should be checked
         # to ensure it is authorized access to that scope or realm.
@@ -125,7 +125,7 @@
         # workflow where a client requests access to a specific realm.
         # This first step (obtaining request token) need not require a realm
         # and can then be identified by checking the require_resource_owner
-        # flag and abscence of realm.
+        # flag and absence of realm.
         #
         # Clients obtaining an access token will not supply a realm and it will
         # not be checked. Instead the previously requested realm should be
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/oauthlib-3.2.0/oauthlib/oauth1/rfc5849/request_validator.py 
new/oauthlib-3.2.1/oauthlib/oauth1/rfc5849/request_validator.py
--- old/oauthlib-3.2.0/oauthlib/oauth1/rfc5849/request_validator.py     
2022-01-29 22:58:41.000000000 +0100
+++ new/oauthlib-3.2.1/oauthlib/oauth1/rfc5849/request_validator.py     
2022-09-06 22:10:05.000000000 +0200
@@ -19,7 +19,7 @@
     Methods used to check the format of input parameters. Common tests include
     length, character set, membership, range or pattern. These tests are
     referred to as `whitelisting or blacklisting`_. Whitelisting is better
-    but blacklisting can be usefull to spot malicious activity.
+    but blacklisting can be useful to spot malicious activity.
     The following have methods a default implementation:
 
     - check_client_key
@@ -443,7 +443,7 @@
         :type request: oauthlib.common.Request
         :returns: None
 
-        Per `Section 2.3`__ of the spec:
+        Per `Section 2.3`_ of the spec:
 
         "The server MUST (...) ensure that the temporary
         credentials have not expired or been used before."
@@ -831,7 +831,7 @@
         """Associate an authorization verifier with a request token.
 
         :param token: A request token string.
-        :param verifier A dictionary containing the oauth_verifier and
+        :param verifier: A dictionary containing the oauth_verifier and
                         oauth_token
         :param request: OAuthlib request.
         :type request: oauthlib.common.Request
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/oauthlib-3.2.0/oauthlib/oauth1/rfc5849/signature.py 
new/oauthlib-3.2.1/oauthlib/oauth1/rfc5849/signature.py
--- old/oauthlib-3.2.0/oauthlib/oauth1/rfc5849/signature.py     2022-01-29 
22:58:41.000000000 +0100
+++ new/oauthlib-3.2.1/oauthlib/oauth1/rfc5849/signature.py     2022-09-06 
22:10:05.000000000 +0200
@@ -38,14 +38,13 @@
 import hashlib
 import hmac
 import logging
+import urllib.parse as urlparse
 import warnings
 
 from oauthlib.common import extract_params, safe_string_equals, urldecode
-import urllib.parse as urlparse
 
 from . import utils
 
-
 log = logging.getLogger(__name__)
 
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/oauthlib-3.2.0/oauthlib/oauth2/rfc6749/clients/backend_application.py 
new/oauthlib-3.2.1/oauthlib/oauth2/rfc6749/clients/backend_application.py
--- old/oauthlib-3.2.0/oauthlib/oauth2/rfc6749/clients/backend_application.py   
2022-01-29 22:58:41.000000000 +0100
+++ new/oauthlib-3.2.1/oauthlib/oauth2/rfc6749/clients/backend_application.py   
2022-09-06 22:10:05.000000000 +0200
@@ -39,7 +39,7 @@
         format per `Appendix B`_ in the HTTP request entity-body:
 
         :param body: Existing request body (URL encoded string) to embed 
parameters
-                     into. This may contain extra paramters. Default ''.
+                     into. This may contain extra parameters. Default ''.
         :param scope:   The scope of the access request as described by
                         `Section 3.3`_.
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/oauthlib-3.2.0/oauthlib/oauth2/rfc6749/clients/base.py 
new/oauthlib-3.2.1/oauthlib/oauth2/rfc6749/clients/base.py
--- old/oauthlib-3.2.0/oauthlib/oauth2/rfc6749/clients/base.py  2022-01-29 
22:58:41.000000000 +0100
+++ new/oauthlib-3.2.1/oauthlib/oauth2/rfc6749/clients/base.py  2022-09-06 
22:10:05.000000000 +0200
@@ -6,12 +6,12 @@
 This module is an implementation of various logic needed
 for consuming OAuth 2.0 RFC6749.
 """
+import base64
+import hashlib
+import re
+import secrets
 import time
 import warnings
-import secrets
-import re
-import hashlib
-import base64
 
 from oauthlib.common import generate_token
 from oauthlib.oauth2.rfc6749 import tokens
@@ -228,26 +228,21 @@
         required parameters to the authorization URL.
 
         :param authorization_url: Provider authorization endpoint URL.
-
         :param state: CSRF protection string. Will be automatically created if
-        not provided. The generated state is available via the ``state``
-        attribute. Clients should verify that the state is unchanged and
-        present in the authorization response. This verification is done
-        automatically if using the ``authorization_response`` parameter
-        with ``prepare_token_request``.
-
+            not provided. The generated state is available via the ``state``
+            attribute. Clients should verify that the state is unchanged and
+            present in the authorization response. This verification is done
+            automatically if using the ``authorization_response`` parameter
+            with ``prepare_token_request``.
         :param redirect_url: Redirect URL to which the user will be returned
-        after authorization. Must be provided unless previously setup with
-        the provider. If provided then it must also be provided in the
-        token request.
-
+            after authorization. Must be provided unless previously setup with
+            the provider. If provided then it must also be provided in the
+            token request.
         :param scope: List of scopes to request. Must be equal to
-        or a subset of the scopes granted when obtaining the refresh
-        token. If none is provided, the ones provided in the constructor are
-        used.
-
+            or a subset of the scopes granted when obtaining the refresh
+            token. If none is provided, the ones provided in the constructor 
are
+            used.
         :param kwargs: Additional parameters to included in the request.
-
         :returns: The prepared request tuple with (url, headers, body).
         """
         if not is_secure_transport(authorization_url):
@@ -271,22 +266,16 @@
         credentials.
 
         :param token_url: Provider token creation endpoint URL.
-
         :param authorization_response: The full redirection URL string, i.e.
-        the location to which the user was redirected after successfull
-        authorization. Used to mine credentials needed to obtain a token
-        in this step, such as authorization code.
-
+            the location to which the user was redirected after successful
+            authorization. Used to mine credentials needed to obtain a token
+            in this step, such as authorization code.
         :param redirect_url: The redirect_url supplied with the authorization
-        request (if there was one).
-
+            request (if there was one).
         :param state:
-
         :param body: Existing request body (URL encoded string) to embed 
parameters
-                     into. This may contain extra paramters. Default ''.
-
+                     into. This may contain extra parameters. Default ''.
         :param kwargs: Additional parameters to included in the request.
-
         :returns: The prepared request tuple with (url, headers, body).
         """
         if not is_secure_transport(token_url):
@@ -312,19 +301,14 @@
         obtain a new access token, and possibly a new refresh token.
 
         :param token_url: Provider token refresh endpoint URL.
-
         :param refresh_token: Refresh token string.
-
         :param body: Existing request body (URL encoded string) to embed 
parameters
-                     into. This may contain extra paramters. Default ''.
-
+            into. This may contain extra parameters. Default ''.
         :param scope: List of scopes to request. Must be equal to
-        or a subset of the scopes granted when obtaining the refresh
-        token. If none is provided, the ones provided in the constructor are
-        used.
-
+            or a subset of the scopes granted when obtaining the refresh
+            token. If none is provided, the ones provided in the constructor 
are
+            used.
         :param kwargs: Additional parameters to included in the request.
-
         :returns: The prepared request tuple with (url, headers, body).
         """
         if not is_secure_transport(token_url):
@@ -341,20 +325,14 @@
         """Prepare a token revocation request.
 
         :param revocation_url: Provider token revocation endpoint URL.
-
         :param token: The access or refresh token to be revoked (string).
-
         :param token_type_hint: ``"access_token"`` (default) or
-        ``"refresh_token"``. This is optional and if you wish to not pass it 
you
-        must provide ``token_type_hint=None``.
-
+            ``"refresh_token"``. This is optional and if you wish to not pass 
it you
+            must provide ``token_type_hint=None``.
         :param body:
-
         :param callback: A jsonp callback such as ``package.callback`` to be 
invoked
-        upon receiving the response. Not that it should not include a () 
suffix.
-
+            upon receiving the response. Not that it should not include a () 
suffix.
         :param kwargs: Additional parameters to included in the request.
-
         :returns: The prepared request tuple with (url, headers, body).
 
         Note that JSONP request may use GET requests as the parameters will
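Review bot: the re-indented ":param callback:" text still reads "Not that it should not include a () suffix"; this should be "Note that". In the same list, ":param body:" is left with no description, unlike the other prepare_* docstrings in this file, which describe it as the existing URL-encoded request body.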
@@ -362,7 +340,7 @@
 
         An example of a revocation request
 
-        .. code-block: http
+        .. code-block:: http
 
             POST /revoke HTTP/1.1
             Host: server.example.com
@@ -373,7 +351,7 @@
 
         An example of a jsonp revocation request
 
-        .. code-block: http
+        .. code-block:: http
 
             GET /revoke?token=agabcdefddddafdd&callback=package.myCallback 
HTTP/1.1
             Host: server.example.com
@@ -382,9 +360,9 @@
 
         and an error response
 
-        .. code-block: http
+        .. code-block:: javascript
 
-        package.myCallback({"error":"unsupported_token_type"});
+            package.myCallback({"error":"unsupported_token_type"});
 
         Note that these requests usually require client credentials, client_id 
in
         the case for public clients and provider specific authentication
@@ -408,9 +386,10 @@
 
         :param body: The response body from the token request.
         :param scope: Scopes originally requested. If none is provided, the 
ones
-        provided in the constructor are used.
+            provided in the constructor are used.
         :return: Dictionary of token parameters.
-        :raises: Warning if scope has changed. OAuth2Error if response is 
invalid.
+        :raises: Warning if scope has changed. 
:py:class:`oauthlib.oauth2.errors.OAuth2Error`
+            if response is invalid.
 
         These response are json encoded and could easily be parsed without
         the assistance of OAuthLib. However, there are a few subtle issues
@@ -436,7 +415,7 @@
             If omitted, the authorization server SHOULD provide the
             expiration time via other means or document the default value.
 
-           **scope**
+         **scope**
             Providers may supply this in all responses but are required to only
             if it has changed since the authorization request.
 
@@ -454,20 +433,16 @@
 
         If the authorization server issued a refresh token to the client, the
         client makes a refresh request to the token endpoint by adding the
-        following parameters using the "application/x-www-form-urlencoded"
+        following parameters using the `application/x-www-form-urlencoded`
         format in the HTTP request entity-body:
 
-        grant_type
-                REQUIRED.  Value MUST be set to "refresh_token".
-        refresh_token
-                REQUIRED.  The refresh token issued to the client.
-        scope
-                OPTIONAL.  The scope of the access request as described by
-                Section 3.3.  The requested scope MUST NOT include any scope
-                not originally granted by the resource owner, and if omitted is
-                treated as equal to the scope originally granted by the
-                resource owner. Note that if none is provided, the ones 
provided
-                in the constructor are used if any.
+        :param refresh_token: REQUIRED.  The refresh token issued to the 
client.
+        :param scope:  OPTIONAL.  The scope of the access request as described 
by
+            Section 3.3.  The requested scope MUST NOT include any scope
+            not originally granted by the resource owner, and if omitted is
+            treated as equal to the scope originally granted by the
+            resource owner. Note that if none is provided, the ones provided
+            in the constructor are used if any.
         """
         refresh_token = refresh_token or self.refresh_token
         scope = self.scope if scope is None else scope
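Review bot: the rewritten list drops the grant_type entry ("REQUIRED. Value MUST be set to "refresh_token"") while the sentence above it still says the client adds "the following parameters" to the request entity-body. After the change the docstring no longer states that the refresh request carries grant_type=refresh_token. Either keep a sentence saying so, or reword the introduction so the ":param" list is clearly the method's arguments and not the full set of wire parameters.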
@@ -492,18 +467,21 @@
 
     def create_code_verifier(self, length):
         """Create PKCE **code_verifier** used in computing **code_challenge**. 
+        See `RFC7636 Section 4.1`_
+
+        :param length: REQUIRED. The length of the code_verifier.
 
-           :param length: REQUIRED. The length of the code_verifier.
+        The client first creates a code verifier, "code_verifier", for each
+        OAuth 2.0 [RFC6749] Authorization Request, in the following manner:
 
-            The client first creates a code verifier, "code_verifier", for each
-            OAuth 2.0 [RFC6749] Authorization Request, in the following manner:
+        .. code-block:: text
 
-            code_verifier = high-entropy cryptographic random STRING using the
-            unreserved characters [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~"
-            from Section 2.3 of [RFC3986], with a minimum length of 43 
characters
-            and a maximum length of 128 characters.
-            
-            .. _`Section 4.1`: https://tools.ietf.org/html/rfc7636#section-4.1
+               code_verifier = high-entropy cryptographic random STRING using 
the
+               unreserved characters [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / 
"~"
+               from Section 2.3 of [RFC3986], with a minimum length of 43 
characters
+               and a maximum length of 128 characters.
+
+        .. _`RFC7636 Section 4.1`: 
https://tools.ietf.org/html/rfc7636#section-4.1
         """
         code_verifier = None
 
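Review bot: ":param length:" says only "The length of the code_verifier", and the 43 to 128 character bounds appear only inside the quoted RFC text block further down. State the allowed range on the ":param" line itself, and say what happens when a caller passes a value outside it, so the constraint is visible in the rendered parameter list.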
@@ -525,33 +503,30 @@
 
     def create_code_challenge(self, code_verifier, code_challenge_method=None):
         """Create PKCE **code_challenge** derived from the  **code_verifier**.
+        See `RFC7636 Section 4.2`_
 
-           :param code_verifier: REQUIRED. The **code_verifier** generated 
from create_code_verifier().
-           :param code_challenge_method: OPTIONAL. The method used to derive 
the **code_challenge**. Acceptable
-                values include "S256". DEFAULT is "plain".
-
+        :param code_verifier: REQUIRED. The **code_verifier** generated from 
`create_code_verifier()`.
+        :param code_challenge_method: OPTIONAL. The method used to derive the 
**code_challenge**. Acceptable values include `S256`. DEFAULT is `plain`.
 
-            The client then creates a code challenge derived from the code
+               The client then creates a code challenge derived from the code
                verifier by using one of the following transformations on the 
code
-               verifier:
-
-               plain
-                  code_challenge = code_verifier
-
-               S256
-                  code_challenge = 
BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
+               verifier::
 
-               If the client is capable of using "S256", it MUST use "S256", as
-               "S256" is Mandatory To Implement (MTI) on the server.  Clients 
are
-               permitted to use "plain" only if they cannot support "S256" for 
some
+                   plain
+                      code_challenge = code_verifier
+                   S256
+                      code_challenge = 
BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
+
+               If the client is capable of using `S256`, it MUST use `S256`, as
+               `S256` is Mandatory To Implement (MTI) on the server.  Clients 
are
+               permitted to use `plain` only if they cannot support `S256` for 
some
                technical reason and know via out-of-band configuration that the
-               server supports "plain".
+               server supports `plain`.
 
                The plain transformation is for compatibility with existing
-               deployments and for constrained environments that can't use the 
S256
-               transformation.
+               deployments and for constrained environments that can't use the 
S256 transformation.
 
-            .. _`Section 4.2`: https://tools.ietf.org/html/rfc7636#section-4.2
+        .. _`RFC7636 Section 4.2`: 
https://tools.ietf.org/html/rfc7636#section-4.2
         """
         code_challenge = None
 
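Review bot: The `:param code_challenge_method:` line still documents `plain` as the DEFAULT, while the RFC text quoted a few lines further down says a client capable of `S256` MUST use it. Consider adding a sentence to the parameter description telling callers to pass `S256` explicitly, so the docstring does not read as recommending the default; `plain` then stays documented as the compatibility fallback the last paragraph describes.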
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/oauthlib-3.2.0/oauthlib/oauth2/rfc6749/clients/legacy_application.py 
new/oauthlib-3.2.1/oauthlib/oauth2/rfc6749/clients/legacy_application.py
--- old/oauthlib-3.2.0/oauthlib/oauth2/rfc6749/clients/legacy_application.py    
2022-01-29 22:58:41.000000000 +0100
+++ new/oauthlib-3.2.1/oauthlib/oauth2/rfc6749/clients/legacy_application.py    
2022-09-06 22:10:05.000000000 +0200
@@ -49,7 +49,7 @@
         :param username:    The resource owner username.
         :param password:    The resource owner password.
         :param body: Existing request body (URL encoded string) to embed 
parameters
-                     into. This may contain extra paramters. Default ''.
+                     into. This may contain extra parameters. Default ''.
         :param scope:   The scope of the access request as described by
                         `Section 3.3`_.
         :param include_client_id: `True` to send the `client_id` in the
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/oauthlib-3.2.0/oauthlib/oauth2/rfc6749/clients/mobile_application.py 
new/oauthlib-3.2.1/oauthlib/oauth2/rfc6749/clients/mobile_application.py
--- old/oauthlib-3.2.0/oauthlib/oauth2/rfc6749/clients/mobile_application.py    
2022-01-29 22:58:41.000000000 +0100
+++ new/oauthlib-3.2.1/oauthlib/oauth2/rfc6749/clients/mobile_application.py    
2022-09-06 22:10:05.000000000 +0200
@@ -55,7 +55,7 @@
         using the "application/x-www-form-urlencoded" format, per `Appendix 
B`_:
 
         :param redirect_uri:  OPTIONAL. The redirect URI must be an absolute 
URI
-                              and it should have been registerd with the OAuth
+                              and it should have been registered with the OAuth
                               provider prior to use. As described in `Section 
3.1.2`_.
 
         :param scope:  OPTIONAL. The scope of the access request as described 
by
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/oauthlib-3.2.0/oauthlib/oauth2/rfc6749/clients/service_application.py 
new/oauthlib-3.2.1/oauthlib/oauth2/rfc6749/clients/service_application.py
--- old/oauthlib-3.2.0/oauthlib/oauth2/rfc6749/clients/service_application.py   
2022-01-29 22:58:41.000000000 +0100
+++ new/oauthlib-3.2.1/oauthlib/oauth2/rfc6749/clients/service_application.py   
2022-09-06 22:10:05.000000000 +0200
@@ -31,7 +31,7 @@
 
     def __init__(self, client_id, private_key=None, subject=None, issuer=None,
                  audience=None, **kwargs):
-        """Initalize a JWT client with defaults for implicit use later.
+        """Initialize a JWT client with defaults for implicit use later.
 
         :param client_id: Client identifier given by the OAuth provider upon
                           registration.
@@ -99,7 +99,7 @@
         :param extra_claims: A dict of additional claims to include in the JWT.
 
         :param body: Existing request body (URL encoded string) to embed 
parameters
-                     into. This may contain extra paramters. Default ''.
+                     into. This may contain extra parameters. Default ''.
 
         :param scope: The scope of the access request.
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/oauthlib-3.2.0/oauthlib/oauth2/rfc6749/clients/web_application.py 
new/oauthlib-3.2.1/oauthlib/oauth2/rfc6749/clients/web_application.py
--- old/oauthlib-3.2.0/oauthlib/oauth2/rfc6749/clients/web_application.py       
2022-01-29 22:58:41.000000000 +0100
+++ new/oauthlib-3.2.1/oauthlib/oauth2/rfc6749/clients/web_application.py       
2022-09-06 22:10:05.000000000 +0200
@@ -49,7 +49,7 @@
         using the "application/x-www-form-urlencoded" format, per `Appendix 
B`_:
 
         :param redirect_uri:  OPTIONAL. The redirect URI must be an absolute 
URI
-                              and it should have been registerd with the OAuth
+                              and it should have been registered with the OAuth
                               provider prior to use. As described in `Section 
3.1.2`_.
 
         :param scope:  OPTIONAL. The scope of the access request as described 
by
@@ -117,7 +117,7 @@
                                 values MUST be identical.
 
         :param body: Existing request body (URL encoded string) to embed 
parameters
-                     into. This may contain extra paramters. Default ''.
+                     into. This may contain extra parameters. Default ''.
 
         :param include_client_id: `True` (default) to send the `client_id` in 
the
                                   body of the upstream request. This is 
required
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/oauthlib-3.2.0/oauthlib/oauth2/rfc6749/endpoints/introspect.py 
new/oauthlib-3.2.1/oauthlib/oauth2/rfc6749/endpoints/introspect.py
--- old/oauthlib-3.2.0/oauthlib/oauth2/rfc6749/endpoints/introspect.py  
2022-01-29 22:58:41.000000000 +0100
+++ new/oauthlib-3.2.1/oauthlib/oauth2/rfc6749/endpoints/introspect.py  
2022-09-06 22:10:05.000000000 +0200
@@ -86,9 +86,9 @@
         an HTTP POST request with parameters sent as
         "application/x-www-form-urlencoded".
 
-        token REQUIRED.  The string value of the token.
+        * token REQUIRED.  The string value of the token.
+        * token_type_hint OPTIONAL.
 
-        token_type_hint OPTIONAL.
         A hint about the type of the token submitted for
         introspection.  The protected resource MAY pass this parameter to
         help the authorization server optimize the token lookup.  If the
@@ -96,11 +96,9 @@
         extend its search across all of its supported token types.  An
         authorization server MAY ignore this parameter, particularly if it
         is able to detect the token type automatically.
-            *  access_token: An Access Token as defined in [`RFC6749`],
-                `section 1.4`_
 
-            *  refresh_token: A Refresh Token as defined in [`RFC6749`],
-                `section 1.5`_
+        *  access_token: An Access Token as defined in [`RFC6749`], `section 
1.4`_
+        *  refresh_token: A Refresh Token as defined in [`RFC6749`], `section 
1.5`_
 
         The introspection endpoint MAY accept other OPTIONAL
         parameters to provide further context to the query.  For
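Review bot: The `access_token` and `refresh_token` bullets now sit at the same indentation as the `token` and `token_type_hint` bullets added in the previous hunk, so in rendered docs they read as further request parameters rather than as the values the hint can take. Indenting them, together with the hint's description paragraph, under the `token_type_hint` bullet would keep the nesting the text describes.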
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/oauthlib-3.2.0/oauthlib/oauth2/rfc6749/endpoints/metadata.py 
new/oauthlib-3.2.1/oauthlib/oauth2/rfc6749/endpoints/metadata.py
--- old/oauthlib-3.2.0/oauthlib/oauth2/rfc6749/endpoints/metadata.py    
2022-01-29 22:58:41.000000000 +0100
+++ new/oauthlib-3.2.1/oauthlib/oauth2/rfc6749/endpoints/metadata.py    
2022-09-06 22:10:05.000000000 +0200
@@ -10,7 +10,7 @@
 import json
 import logging
 
-from .. import grant_types
+from .. import grant_types, utils
 from .authorization import AuthorizationEndpoint
 from .base import BaseEndpoint, catch_errors_and_unavailability
 from .introspect import IntrospectEndpoint
@@ -68,7 +68,7 @@
                 raise ValueError("key {} is a mandatory metadata.".format(key))
 
         elif is_issuer:
-            if not array[key].startswith("https"):
+            if not utils.is_secure_transport(array[key]):
                 raise ValueError("key {}: {} must be an HTTPS URL".format(key, 
array[key]))
             if "?" in array[key] or "&" in array[key] or "#" in array[key]:
                 raise ValueError("key {}: {} must not contain query or 
fragment components".format(key, array[key]))
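Review bot: The query and fragment check on the line after the change still works by substring (`"?" in array[key] or "&" in array[key] or "#" in array[key]`), so the issuer is validated by two unrelated string tests instead of as one parsed URL. Consider parsing the value once and checking scheme, query and fragment on the parsed result. A short code comment saying why the `startswith("https")` prefix test was replaced would also help, since that test accepted any value that merely begins with those five characters.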
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/oauthlib-3.2.0/oauthlib/oauth2/rfc6749/endpoints/revocation.py 
new/oauthlib-3.2.1/oauthlib/oauth2/rfc6749/endpoints/revocation.py
--- old/oauthlib-3.2.0/oauthlib/oauth2/rfc6749/endpoints/revocation.py  
2022-01-29 22:58:41.000000000 +0100
+++ new/oauthlib-3.2.1/oauthlib/oauth2/rfc6749/endpoints/revocation.py  
2022-09-06 22:10:05.000000000 +0200
@@ -42,7 +42,7 @@
 
 
         The authorization server responds with HTTP status code 200 if the
-        token has been revoked sucessfully or if the client submitted an
+        token has been revoked successfully or if the client submitted an
         invalid token.
 
         Note: invalid tokens do not cause an error response since the client
@@ -95,7 +95,7 @@
         submitted for revocation.  Clients MAY pass this parameter in order to
         help the authorization server to optimize the token lookup.  If the
         server is unable to locate the token using the given hint, it MUST
-        extend its search accross all of its supported token types.  An
+        extend its search across all of its supported token types.  An
         authorization server MAY ignore this parameter, particularly if it is
         able to detect the token type automatically.  This specification
         defines two such values:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/oauthlib-3.2.0/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py 
new/oauthlib-3.2.1/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py
--- 
old/oauthlib-3.2.0/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py    
    2022-01-29 22:58:41.000000000 +0100
+++ 
new/oauthlib-3.2.1/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py    
    2022-02-18 21:33:05.000000000 +0100
@@ -10,7 +10,6 @@
 from oauthlib import common
 
 from .. import errors
-from ..utils import is_secure_transport
 from .base import GrantTypeBase
 
 log = logging.getLogger(__name__)
@@ -547,20 +546,3 @@
         if challenge_method in self._code_challenge_methods:
             return self._code_challenge_methods[challenge_method](verifier, 
challenge)
         raise NotImplementedError('Unknown challenge_method %s' % 
challenge_method)
-
-    def _create_cors_headers(self, request):
-        """If CORS is allowed, create the appropriate headers."""
-        if 'origin' not in request.headers:
-            return {}
-
-        origin = request.headers['origin']
-        if not is_secure_transport(origin):
-            log.debug('Origin "%s" is not HTTPS, CORS not allowed.', origin)
-            return {}
-        elif not self.request_validator.is_origin_allowed(
-            request.client_id, origin, request):
-            log.debug('Invalid origin "%s", CORS not allowed.', origin)
-            return {}
-        else:
-            log.debug('Valid origin "%s", injecting CORS headers.', origin)
-            return {'Access-Control-Allow-Origin': origin}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/oauthlib-3.2.0/oauthlib/oauth2/rfc6749/grant_types/base.py 
new/oauthlib-3.2.1/oauthlib/oauth2/rfc6749/grant_types/base.py
--- old/oauthlib-3.2.0/oauthlib/oauth2/rfc6749/grant_types/base.py      
2022-01-29 22:58:41.000000000 +0100
+++ new/oauthlib-3.2.1/oauthlib/oauth2/rfc6749/grant_types/base.py      
2022-02-18 21:33:05.000000000 +0100
@@ -10,6 +10,7 @@
 from oauthlib.uri_validate import is_absolute_uri
 
 from ..request_validator import RequestValidator
+from ..utils import is_secure_transport
 
 log = logging.getLogger(__name__)
 
@@ -248,3 +249,20 @@
                 raise errors.MissingRedirectURIError(request=request)
             if not is_absolute_uri(request.redirect_uri):
                 raise errors.InvalidRedirectURIError(request=request)
+
+    def _create_cors_headers(self, request):
+        """If CORS is allowed, create the appropriate headers."""
+        if 'origin' not in request.headers:
+            return {}
+
+        origin = request.headers['origin']
+        if not is_secure_transport(origin):
+            log.debug('Origin "%s" is not HTTPS, CORS not allowed.', origin)
+            return {}
+        elif not self.request_validator.is_origin_allowed(
+            request.client_id, origin, request):
+            log.debug('Invalid origin "%s", CORS not allowed.', origin)
+            return {}
+        else:
+            log.debug('Valid origin "%s", injecting CORS headers.', origin)
+            return {'Access-Control-Allow-Origin': origin}
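Review bot: In the final `else` branch the request's origin is echoed back as `Access-Control-Allow-Origin` with no `Vary: Origin` next to it. Because the header value depends on the request header, any intermediary that caches the response could replay one client's allowed origin to another; returning `{'Access-Control-Allow-Origin': origin, 'Vary': 'Origin'}` avoids that. Now that the method lives on the base class, the one-line docstring could also state the three conditions it enforces (header present, secure transport, `is_origin_allowed`).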
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/oauthlib-3.2.0/oauthlib/oauth2/rfc6749/grant_types/refresh_token.py 
new/oauthlib-3.2.1/oauthlib/oauth2/rfc6749/grant_types/refresh_token.py
--- old/oauthlib-3.2.0/oauthlib/oauth2/rfc6749/grant_types/refresh_token.py     
2022-01-29 22:58:41.000000000 +0100
+++ new/oauthlib-3.2.1/oauthlib/oauth2/rfc6749/grant_types/refresh_token.py     
2022-02-18 21:33:05.000000000 +0100
@@ -69,6 +69,7 @@
 
         log.debug('Issuing new token to client id %r (%r), %r.',
                   request.client_id, request.client, token)
+        headers.update(self._create_cors_headers(request))
         return headers, json.dumps(token), 200
 
     def validate_token_request(self, request):
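Review bot: `headers.update(self._create_cors_headers(request))` is added on the success return only. If this method has earlier returns for error responses, a browser client on an allowed origin would not be able to read those error bodies, so check whether they need the same call or document that CORS headers are intentionally limited to successful token responses.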
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/oauthlib-3.2.0/oauthlib/oauth2/rfc6749/parameters.py 
new/oauthlib-3.2.1/oauthlib/oauth2/rfc6749/parameters.py
--- old/oauthlib-3.2.0/oauthlib/oauth2/rfc6749/parameters.py    2022-01-29 
22:58:41.000000000 +0100
+++ new/oauthlib-3.2.1/oauthlib/oauth2/rfc6749/parameters.py    2022-09-06 
22:10:05.000000000 +0200
@@ -45,7 +45,7 @@
                   back to the client.  The parameter SHOULD be used for
                   preventing cross-site request forgery as described in
                   `Section 10.12`_.
-    :param code_challenge: PKCE paramater. A challenge derived from the 
+    :param code_challenge: PKCE parameter. A challenge derived from the 
                            code_verifier that is sent in the authorization 
                            request, to be verified against later.
     :param code_challenge_method: PKCE parameter. A method that was used to 
derive the 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/oauthlib-3.2.0/oauthlib/oauth2/rfc6749/request_validator.py 
new/oauthlib-3.2.1/oauthlib/oauth2/rfc6749/request_validator.py
--- old/oauthlib-3.2.0/oauthlib/oauth2/rfc6749/request_validator.py     
2022-01-29 22:58:41.000000000 +0100
+++ new/oauthlib-3.2.1/oauthlib/oauth2/rfc6749/request_validator.py     
2022-09-06 22:10:05.000000000 +0200
@@ -191,6 +191,7 @@
         claims associated, or `None` in case the token is unknown.
 
         Below the list of registered claims you should be interested in:
+
         - scope : space-separated list of scopes
         - client_id : client identifier
         - username : human-readable identifier for the resource owner
@@ -204,10 +205,10 @@
         - jti : string identifier for the token
 
         Note that most of them are coming directly from JWT RFC. More details
-        can be found in `Introspect Claims`_ or `_JWT Claims`_.
+        can be found in `Introspect Claims`_ or `JWT Claims`_.
 
         The implementation can use *token_type_hint* to improve lookup
-        efficency, but must fallback to other types to be compliant with RFC.
+        efficiency, but must fallback to other types to be compliant with RFC.
 
         The dict of claims is added to request.token after this method.
 
@@ -443,6 +444,7 @@
             - request.user
             - request.scopes
             - request.claims (if given)
+
         OBS! The request.user attribute should be set to the resource owner
         associated with this authorization code. Similarly request.scopes
         must also be set.
@@ -451,6 +453,7 @@
 
         If PKCE is enabled (see 'is_pkce_required' and 
'save_authorization_code')
         you MUST set the following based on the information stored:
+
             - request.code_challenge
             - request.code_challenge_method
 
@@ -561,7 +564,7 @@
         OBS! The validation should also set the user attribute of the request
         to a valid resource owner, i.e. request.user = username or similar. If
         not set you will be unable to associate a token with a user in the
-        persistance method used (commonly, save_bearer_token).
+        persistence method used (commonly, save_bearer_token).
 
         :param username: Unicode username.
         :param password: Unicode password.
@@ -671,6 +674,7 @@
 
         Method is used by:
             - Authorization Code Grant
+            - Refresh Token Grant
 
         """
         return False
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/oauthlib-3.2.0/oauthlib/oauth2/rfc6749/tokens.py 
new/oauthlib-3.2.1/oauthlib/oauth2/rfc6749/tokens.py
--- old/oauthlib-3.2.0/oauthlib/oauth2/rfc6749/tokens.py        2022-01-29 
22:58:41.000000000 +0100
+++ new/oauthlib-3.2.1/oauthlib/oauth2/rfc6749/tokens.py        2022-02-18 
21:33:05.000000000 +0100
@@ -257,6 +257,7 @@
 
 
 class TokenBase:
+    __slots__ = ()
 
     def __call__(self, request, refresh_token=False):
         raise NotImplementedError('Subclasses must implement this method.')
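Review bot: `__slots__ = ()` on `TokenBase` carries no comment explaining why it is there, and on its own it changes little: a subclass that does not declare its own `__slots__` still gets an instance `__dict__`. Add a one-line comment stating the intent, and confirm the subclasses declare `__slots__` if the goal is to restrict instance attributes.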
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/oauthlib-3.2.0/oauthlib/oauth2/rfc8628/clients/device.py 
new/oauthlib-3.2.1/oauthlib/oauth2/rfc8628/clients/device.py
--- old/oauthlib-3.2.0/oauthlib/oauth2/rfc8628/clients/device.py        
2022-01-29 22:58:41.000000000 +0100
+++ new/oauthlib-3.2.1/oauthlib/oauth2/rfc8628/clients/device.py        
2022-09-06 22:10:05.000000000 +0200
@@ -5,12 +5,11 @@
 This module is an implementation of various logic needed
 for consuming and providing OAuth 2.0 Device Authorization RFC8628.
 """
-
+from oauthlib.common import add_params_to_uri
 from oauthlib.oauth2 import BackendApplicationClient, Client
 from oauthlib.oauth2.rfc6749.errors import InsecureTransportError
 from oauthlib.oauth2.rfc6749.parameters import prepare_token_request
 from oauthlib.oauth2.rfc6749.utils import is_secure_transport, list_to_scope
-from oauthlib.common import add_params_to_uri
 
 
 class DeviceClient(Client):
@@ -62,7 +61,7 @@
         body.
 
         :param body: Existing request body (URL encoded string) to embed 
parameters
-                     into. This may contain extra paramters. Default ''.
+                     into. This may contain extra parameters. Default ''.
         :param scope:   The scope of the access request as described by
                         `Section 3.3`_.
 
@@ -84,6 +83,8 @@
             >>> client.prepare_request_body(scope=['hello', 'world'])
             
'grant_type=urn:ietf:params:oauth:grant-type:device_code&scope=hello+world'
 
+        .. _`Section 3.2.1`: 
https://datatracker.ietf.org/doc/html/rfc6749#section-3.2.1
+        .. _`Section 3.3`: 
https://datatracker.ietf.org/doc/html/rfc6749#section-3.3
         .. _`Section 3.4`: 
https://datatracker.ietf.org/doc/html/rfc8628#section-3.4
         """
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/oauthlib-3.2.0/oauthlib/openid/connect/core/endpoints/userinfo.py 
new/oauthlib-3.2.1/oauthlib/openid/connect/core/endpoints/userinfo.py
--- old/oauthlib-3.2.0/oauthlib/openid/connect/core/endpoints/userinfo.py       
2022-01-29 22:58:41.000000000 +0100
+++ new/oauthlib-3.2.1/oauthlib/openid/connect/core/endpoints/userinfo.py       
2022-09-06 22:10:05.000000000 +0200
@@ -69,7 +69,7 @@
         5.3.1.  UserInfo Request
         The Client sends the UserInfo Request using either HTTP GET or HTTP
         POST. The Access Token obtained from an OpenID Connect Authentication
-        Request MUST be sent as a Bearer Token, per Section 2 of OAuth 2.0
+        Request MUST be sent as a Bearer Token, per `Section 2`_ of OAuth 2.0
         Bearer Token Usage [RFC6750].
 
         It is RECOMMENDED that the request use the HTTP GET method and the
@@ -77,21 +77,28 @@
 
         The following is a non-normative example of a UserInfo Request:
 
-        GET /userinfo HTTP/1.1
-        Host: server.example.com
-        Authorization: Bearer SlAV32hkKG
+        .. code-block:: http
+
+            GET /userinfo HTTP/1.1
+            Host: server.example.com
+            Authorization: Bearer SlAV32hkKG
 
         5.3.3. UserInfo Error Response
         When an error condition occurs, the UserInfo Endpoint returns an Error
-        Response as defined in Section 3 of OAuth 2.0 Bearer Token Usage
+        Response as defined in `Section 3`_ of OAuth 2.0 Bearer Token Usage
         [RFC6750]. (HTTP errors unrelated to RFC 6750 are returned to the User
         Agent using the appropriate HTTP status code.)
 
         The following is a non-normative example of a UserInfo Error Response:
 
-        HTTP/1.1 401 Unauthorized
-        WWW-Authenticate: Bearer error="invalid_token",
+        .. code-block:: http
+
+            HTTP/1.1 401 Unauthorized
+            WWW-Authenticate: Bearer error="invalid_token",
                 error_description="The Access Token expired"
+
+        .. _`Section 2`: 
https://datatracker.ietf.org/doc/html/rfc6750#section-2
+        .. _`Section 3`: 
https://datatracker.ietf.org/doc/html/rfc6750#section-3
         """
         if not self.bearer.validate_request(request):
             raise errors.InvalidTokenError()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/oauthlib-3.2.0/oauthlib/openid/connect/core/grant_types/base.py 
new/oauthlib-3.2.1/oauthlib/openid/connect/core/grant_types/base.py
--- old/oauthlib-3.2.0/oauthlib/openid/connect/core/grant_types/base.py 
2022-01-29 22:58:41.000000000 +0100
+++ new/oauthlib-3.2.1/oauthlib/openid/connect/core/grant_types/base.py 
2022-09-06 22:10:05.000000000 +0200
@@ -8,7 +8,6 @@
     ConsentRequired, InvalidRequestError, LoginRequired,
 )
 
-
 log = logging.getLogger(__name__)
 
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/oauthlib-3.2.0/oauthlib/openid/connect/core/grant_types/dispatchers.py 
new/oauthlib-3.2.1/oauthlib/openid/connect/core/grant_types/dispatchers.py
--- old/oauthlib-3.2.0/oauthlib/openid/connect/core/grant_types/dispatchers.py  
2022-01-29 22:58:41.000000000 +0100
+++ new/oauthlib-3.2.1/oauthlib/openid/connect/core/grant_types/dispatchers.py  
2022-09-06 22:10:05.000000000 +0200
@@ -84,7 +84,7 @@
         code = parameters.get('code', None)
         redirect_uri = parameters.get('redirect_uri', None)
 
-        # If code is not pressent fallback to `default_grant` which will
+        # If code is not present fallback to `default_grant` which will
         # raise an error for the missing `code` in `create_token_response` 
step.
         if code:
             scopes = 
self.request_validator.get_authorization_code_scopes(client_id, code, 
redirect_uri, request)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/oauthlib-3.2.0/oauthlib/openid/connect/core/tokens.py 
new/oauthlib-3.2.1/oauthlib/openid/connect/core/tokens.py
--- old/oauthlib-3.2.0/oauthlib/openid/connect/core/tokens.py   2022-01-29 
22:58:41.000000000 +0100
+++ new/oauthlib-3.2.1/oauthlib/openid/connect/core/tokens.py   2022-09-06 
22:10:05.000000000 +0200
@@ -4,7 +4,9 @@
 
 This module contains methods for adding JWT tokens to requests.
 """
-from oauthlib.oauth2.rfc6749.tokens import TokenBase, random_token_generator, 
get_token_from_header
+from oauthlib.oauth2.rfc6749.tokens import (
+    TokenBase, get_token_from_header, random_token_generator,
+)
 
 
 class JWTToken(TokenBase):
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/oauthlib-3.2.0/oauthlib.egg-info/PKG-INFO 
new/oauthlib-3.2.1/oauthlib.egg-info/PKG-INFO
--- old/oauthlib-3.2.0/oauthlib.egg-info/PKG-INFO       2022-01-29 
22:59:32.000000000 +0100
+++ new/oauthlib-3.2.1/oauthlib.egg-info/PKG-INFO       2022-09-09 
22:17:50.000000000 +0200
@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: oauthlib
-Version: 3.2.0
+Version: 3.2.1
 Summary: A generic, spec-compliant, thorough implementation of the OAuth 
request-signing logic
 Home-page: https://github.com/oauthlib/oauthlib
 Author: The OAuthlib Community
@@ -42,8 +42,8 @@
 *A generic, spec-compliant, thorough implementation of the OAuth 
request-signing
 logic for Python 3.6+.*
 
-.. image:: https://travis-ci.org/oauthlib/oauthlib.svg?branch=master
-  :target: https://travis-ci.org/oauthlib/oauthlib
+.. image:: https://app.travis-ci.com/oauthlib/oauthlib.svg?branch=master
+  :target: https://app.travis-ci.com/oauthlib/oauthlib
   :alt: Travis
 .. image:: https://coveralls.io/repos/oauthlib/oauthlib/badge.svg?branch=master
   :target: https://coveralls.io/r/oauthlib/oauthlib
@@ -141,7 +141,7 @@
 
 Chances are you have run into something annoying that you wish there was
 documentation for, if you wish to gain eternal fame and glory, and a drink if 
we
-have the pleasure to run into eachother, please send a docs pull request =)
+have the pleasure to run into each other, please send a docs pull request =)
 
 .. _`Gitter community`: https://gitter.im/oauthlib/Lobby
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/oauthlib-3.2.0/tests/oauth1/rfc5849/test_signatures.py 
new/oauthlib-3.2.1/tests/oauth1/rfc5849/test_signatures.py
--- old/oauthlib-3.2.0/tests/oauth1/rfc5849/test_signatures.py  2022-01-29 
22:58:41.000000000 +0100
+++ new/oauthlib-3.2.1/tests/oauth1/rfc5849/test_signatures.py  2022-09-06 
22:10:05.000000000 +0200
@@ -1,26 +1,15 @@
 # -*- coding: utf-8 -*-
 from oauthlib.oauth1.rfc5849.signature import (
-    collect_parameters,
-    signature_base_string,
-    base_string_uri,
-    normalize_parameters,
-    sign_hmac_sha1_with_client,
-    sign_hmac_sha256_with_client,
-    sign_hmac_sha512_with_client,
-    sign_rsa_sha1_with_client,
-    sign_rsa_sha256_with_client,
-    sign_rsa_sha512_with_client,
-    sign_plaintext_with_client,
-    verify_hmac_sha1,
-    verify_hmac_sha256,
-    verify_hmac_sha512,
-    verify_rsa_sha1,
-    verify_rsa_sha256,
-    verify_rsa_sha512,
-    verify_plaintext
+    base_string_uri, collect_parameters, normalize_parameters,
+    sign_hmac_sha1_with_client, sign_hmac_sha256_with_client,
+    sign_hmac_sha512_with_client, sign_plaintext_with_client,
+    sign_rsa_sha1_with_client, sign_rsa_sha256_with_client,
+    sign_rsa_sha512_with_client, signature_base_string, verify_hmac_sha1,
+    verify_hmac_sha256, verify_hmac_sha512, verify_plaintext, verify_rsa_sha1,
+    verify_rsa_sha256, verify_rsa_sha512,
 )
-from tests.unittest import TestCase
 
+from tests.unittest import TestCase
 
 # ################################################################
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/oauthlib-3.2.0/tests/oauth2/rfc6749/clients/test_web_application.py 
new/oauthlib-3.2.1/tests/oauth2/rfc6749/clients/test_web_application.py
--- old/oauthlib-3.2.0/tests/oauth2/rfc6749/clients/test_web_application.py     
2022-01-29 22:58:41.000000000 +0100
+++ new/oauthlib-3.2.1/tests/oauth2/rfc6749/clients/test_web_application.py     
2022-09-06 22:10:05.000000000 +0200
@@ -45,7 +45,7 @@
 
     body_code = 
"not=empty&grant_type=authorization_code&code={}&client_id={}".format(code, 
client_id)
     body_redirect = body_code + 
"&redirect_uri=http%3A%2F%2Fmy.page.com%2Fcallback"
-    bode_code_verifier = body_code + "&code_verifier=code_verifier"
+    body_code_verifier = body_code + "&code_verifier=code_verifier"
     body_kwargs = body_code + "&some=providers&require=extra+arguments"
 
     response_uri = "https://client.example.com/cb?code=zzzzaaaa&state=xyz";
@@ -115,7 +115,7 @@
 
         # With code verifier
         body = client.prepare_request_body(body=self.body, 
code_verifier=self.code_verifier)
-        self.assertFormBodyEqual(body, self.bode_code_verifier)
+        self.assertFormBodyEqual(body, self.body_code_verifier)
 
         # With extra parameters
         body = client.prepare_request_body(body=self.body, **self.kwargs)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/oauthlib-3.2.0/tests/oauth2/rfc6749/endpoints/test_metadata.py 
new/oauthlib-3.2.1/tests/oauth2/rfc6749/endpoints/test_metadata.py
--- old/oauthlib-3.2.0/tests/oauth2/rfc6749/endpoints/test_metadata.py  
2022-01-29 22:58:41.000000000 +0100
+++ new/oauthlib-3.2.1/tests/oauth2/rfc6749/endpoints/test_metadata.py  
2022-09-06 22:10:05.000000000 +0200
@@ -1,7 +1,8 @@
 # -*- coding: utf-8 -*-
+import json
+
 from oauthlib.oauth2 import MetadataEndpoint, Server, TokenEndpoint
 
-import json
 from tests.unittest import TestCase
 
 
@@ -135,3 +136,13 @@
         sort_list(metadata.claims)
         sort_list(expected_claims)
         self.assertEqual(sorted(metadata.claims.items()), 
sorted(expected_claims.items()))
+
+    def test_metadata_validate_issuer(self):
+        with self.assertRaises(ValueError):
+            endpoint = TokenEndpoint(
+                None, None, grant_types={"password": None},
+            )
+            metadata = MetadataEndpoint([endpoint], {
+                "issuer": 'http://foo.bar',
+                "token_endpoint": "https://foo.bar/token";,
+            })
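Review bot: The `with self.assertRaises(ValueError):` block wraps the `TokenEndpoint(...)` construction as well as the `MetadataEndpoint(...)` call, so a `ValueError` raised while building the endpoint would make the test pass without the issuer check ever running. Build `endpoint` before the `with` and keep only the `MetadataEndpoint` call inside it; the `metadata =` assignment is unused and can be dropped. A second case with an issuer that begins with `https` but is not an `https://` URL would cover the input the old `startswith("https")` check let through, which `'http://foo.bar'` does not exercise.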
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/oauthlib-3.2.0/tests/oauth2/rfc6749/grant_types/test_refresh_token.py 
new/oauthlib-3.2.1/tests/oauth2/rfc6749/grant_types/test_refresh_token.py
--- old/oauthlib-3.2.0/tests/oauth2/rfc6749/grant_types/test_refresh_token.py   
2022-01-29 22:58:41.000000000 +0100
+++ new/oauthlib-3.2.1/tests/oauth2/rfc6749/grant_types/test_refresh_token.py   
2022-02-18 21:33:05.000000000 +0100
@@ -18,6 +18,7 @@
         self.request = Request('http://a.b/path')
         self.request.grant_type = 'refresh_token'
         self.request.refresh_token = 'lsdkfhj230'
+        self.request.client_id = 'abcdef'
         self.request.client = mock_client
         self.request.scope = 'foo'
         self.mock_validator = mock.MagicMock()
@@ -168,3 +169,43 @@
         del self.request.scope
         self.auth.validate_token_request(self.request)
         self.assertEqual(self.request.scopes, 'foo bar baz'.split())
+
+    # CORS
+
+    def test_create_cors_headers(self):
+        bearer = BearerToken(self.mock_validator)
+        self.request.headers['origin'] = 'https://foo.bar'
+        self.mock_validator.is_origin_allowed.return_value = True
+
+        headers = self.auth.create_token_response(self.request, bearer)[0]
+        self.assertEqual(
+            headers['Access-Control-Allow-Origin'], 'https://foo.bar'
+        )
+        self.mock_validator.is_origin_allowed.assert_called_once_with(
+            'abcdef', 'https://foo.bar', self.request
+        )
+
+    def test_create_cors_headers_no_origin(self):
+        bearer = BearerToken(self.mock_validator)
+        headers = self.auth.create_token_response(self.request, bearer)[0]
+        self.assertNotIn('Access-Control-Allow-Origin', headers)
+        self.mock_validator.is_origin_allowed.assert_not_called()
+
+    def test_create_cors_headers_insecure_origin(self):
+        bearer = BearerToken(self.mock_validator)
+        self.request.headers['origin'] = 'http://foo.bar'
+
+        headers = self.auth.create_token_response(self.request, bearer)[0]
+        self.assertNotIn('Access-Control-Allow-Origin', headers)
+        self.mock_validator.is_origin_allowed.assert_not_called()
+
+    def test_create_cors_headers_invalid_origin(self):
+        bearer = BearerToken(self.mock_validator)
+        self.request.headers['origin'] = 'https://foo.bar'
+        self.mock_validator.is_origin_allowed.return_value = False
+
+        headers = self.auth.create_token_response(self.request, bearer)[0]
+        self.assertNotIn('Access-Control-Allow-Origin', headers)
+        self.mock_validator.is_origin_allowed.assert_called_once_with(
+            'abcdef', 'https://foo.bar', self.request
+        )
