Changelog

Here you can see the full list of changes between each Authlib release.

Version 1.7.0

Released on Apr 18, 2026

• Add support for OpenID Connect RP-Initiated Logout 1.0. See OpenID Connect RP-Initiated Logout 1.0 for details. issue #500

• Per RFC 6749 Section 3.3, the scope parameter is now optional at both authorization and token endpoints. client.get_allowed_scope() is called to determine the default scope when omitted. issue #845

• Stop support for Python 3.9, start support Python 3.14. pull request #850

• Allow AuthorizationServerMetadata.validate() to compose with RFC extension classes.

• Fix expires_at=0 being incorrectly treated as None. issue #530

• Allow ResourceProtector decorator to be used without parentheses. issue #604

• Implement RFC9700 PKCE downgrade countermeasure.

• Set User-Agent header when fetching server metadata and JWKs. issue #704

• RFC7523 accepts the issuer URL as a valid audience. issue #730

• Fix InvalidTokenError extra attributes being wrapped instead of passed as individual key=value pairs in the WWW-Authenticate header. pull request #872

Upgrade Guide: joserfc migration.

Version 1.6.11

Released on Apr 16, 2026

• Fix CSRF vulnerability in the Starlette OAuth client when a cache is configured.

Version 1.6.10

Released on Apr 13, 2026

• Fix redirecting to unvalidated redirect_uri on UnsupportedResponseTypeError.

Version 1.6.9

Released on Mar 2, 2026

• Not using header’s jwk automatically.

• Add ES256K into default jwt algorithms.

• Remove deprecated algorithm from default registry.

• Generate random cek when cek length doesn’t match.

Version 1.6.8

Released on Feb 17, 2026

• Add EdDSA to default jwt instance.

Version 1.6.7

Released on Feb 6, 2026

• Set supported algorithms for the default jwt instance.

Version 1.6.6

Released on Jan 9, 2026

• get_jwt_config takes a client parameter, pull request #844.

• Fix incorrect signature when Content-Type is x-www-form-urlencoded for OAuth 1.0 Client, pull request #778.

• Use expires_in in OAuth2Token when expires_at is unparsable, pull request #842.

• Always track state in session for OAuth client integrations.

Version 1.6.5

Released on Oct 2, 2025

• RFC7591 generate_client_info and generate_client_secret take a request parameter.

• Add size limitation when decode JWS/JWE to prevent DoS.

• Add size limitation for DEF JWE zip algorithm.

Version 1.6.4

Released on Sep 17, 2025

• Fix InsecureTransportError error raising. issue #795

• Fix response_mode=form_post with Starlette client. issue #793

• Validate crit header value, reject unprotected header in crit header.

Version 1.6.3

Released on Aug 26, 2025

• OIDC id_token are signed according to id_token_signed_response_alg client metadata. issue #755

Version 1.6.2

Released on Aug 23, 2025

• Temporarily restore OAuth2Request body parameter. issue #781 pull request #791

• Allow 127.0.0.1 in insecure transport mode. pull request #788

• Raise MissingCodeException when the code parameter is missing. issue #793 pull request #794

• Fix id_token generation with EdDSA algs. issue #799 pull request #800

Version 1.6.1

Released on Jul 20, 2025

• Filter key set with additional “alg” and “use” parameters.

• Restore and deprecate OAuth2Request body parameter. issue #781

Version 1.6.0

Released on May 22, 2025

• Fix issue when RFC9207 is enabled and the authorization endpoint response is not a redirection. pull request #733

• Fix missing state parameter in authorization error responses. issue #525

• Support for the none JWS algorithm.

• Fix response_types strict order during dynamic client registration. issue #760

• Implement RFC9101 The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR). issue #723

• OIDC UserInfo endpoint support. issue #459

Breaking changes:

• Support for acr and amr claims in id_token. issue #734 The OAuth2AuthorizationCodeMixin must have a migration to support the new fields.

Version 1.5.2

Released on Apr 1, 2025

• Forbid fragments in redirect_uris. issue #714

• Fix invalid characters in error_description. issue #720

• Add claims_cls parameter for client’s parse_id_token method. issue #725

Version 1.5.1

Released on Feb 28, 2025

• Fix RFC9207 iss parameter. pull request #715

Version 1.5.0

Released on Feb 25, 2025

• Fix token introspection auth method for clients. pull request #662

• Optional typ claim in JWT tokens. pull request #696

• JWT validation leeway. pull request #689

• Implement server-side RFC9207. issue #700 pull request #701

• generate_id_token can take a kid parameter. pull request #702

• More detailed InvalidClientError. pull request #706

• OpenID Connect Dynamic Client Registration implementation. pull request #707

Version 1.4.1

Released on Jan 28, 2025

• Improve garbage collection on OAuth clients. issue #698

• Fix client parameters for httpx. issue #694

Version 1.4.0

Released on Dec 20, 2024

• Fix id_token decoding when kid is null. pull request #659

• Support for Python 3.13. pull request #682

• Force login if the prompt parameter value is login. pull request #637

• Support for httpx 0.28, pull request #695

Breaking changes:

• Stop support for Python 3.8. pull request #682

Version 1.3.2

Released on Aug 30 2024

• Prevent ever-growing session size for OAuth clients.

• Revert quote client id and secret.

• unquote basic auth header for authorization server.

Version 1.3.1

Released on June 4, 2024

• Prevent OctKey to import ssh and PEM strings.

Version 1.3.0

Released on Dec 17, 2023

• Restore AuthorizationServer.create_authorization_response behavior, via pull request #558

• Include leeway in validate_iat() for JWT, via pull request #565

• Fix encode_client_secret_basic, via pull request #594

• Use single key in JWK if JWS does not specify kid, via pull request #596

• Fix error when RFC9068 JWS has no scope field, via pull request #598

• Get werkzeug version using importlib, via pull request #591

New features:

• RFC9068 implementation, via pull request #586, by @azmeuk.

Breaking changes:

• End support for python 3.7

Version 1.2.1

Released on Jun 25, 2023

• Apply headers in ClientSecretJWT.sign method, via pull request #552

• Allow falsy but non-None grant uri params, via pull request #544

• Fixed authorize_redirect for Starlette v0.26.0, via pull request #533

• Removed has_client_secret method and documentation, via pull request #513

• Removed request_invalid and token_revoked remaining occurrences and documentation. pull request #514

• Fixed RFC7591 grant_types and response_types default values, via pull request #509.

• Add support for python 3.12, via pull request #590.

Version 1.2.0

Released on Dec 6, 2022

• Not passing request.body to ResourceProtector, via issue #485.

• Use flask.g instead of _app_ctx_stack, via issue #482.

• Add headers parameter back to ClientSecretJWT, via issue #457.

• Always passing realm parameter in OAuth 1 clients, via issue #339.

• Implemented RFC7592 Dynamic Client Registration Management Protocol, via pull request #505.

• Add default_timeout for requests OAuth2Session and AssertionSession.

• Deprecate jwk.loads and jwk.dumps

Version 1.1.0

Released on Sep 13, 2022

This release contains breaking changes and security fixes.

• Allow to pass claims_options to Framework OpenID Connect clients, via pull request #446.

• Fix .stream with context for HTTPX OAuth clients, via pull request #465.

• Fix Starlette OAuth client for cache store, via pull request #478.

Breaking changes:

• Raise InvalidGrantError for invalid code, redirect_uri and no user errors in OAuth 2.0 server.

• The default authlib.jose.jwt would only work with JSON Web Signature algorithms, if you would like to use JWT with JWE algorithms, please pass the algorithms parameter:

  jwt = JsonWebToken(['A128KW', 'A128GCM', 'DEF'])
  

Security fixes: CVE-2022-39175 and CVE-2022-39174, both related to JOSE.

Version 1.0.1

Released on Apr 6, 2022

• Fix authenticate_none method, via issue #438.

• Allow to pass in alternative signing algorithm to RFC7523 authentication methods via pull request #447.

• Fix missing_token for Flask OAuth client, via issue #448.

• Allow openid in any place of the scope, via issue #449.

• Security fix for validating essential value on blank value in JWT, via issue #445.

Version 1.0.0

Released on Mar 15, 2022.

We have dropped support for Python 2 in this release. We have removed built-in SQLAlchemy integration.

OAuth Client Changes:

The whole framework client integrations have been restructured, if you are using the client properly, e.g. oauth.register(...), it would work as before.

OAuth Provider Changes:

In Flask OAuth 2.0 provider, we have removed the deprecated OAUTH2_JWT_XXX configuration, instead, developers should define .get_jwt_config on OpenID extensions and grant types.

SQLAlchemy integrations has been removed from Authlib. Developers should define the database by themselves.

JOSE Changes

• JWS has been renamed to JsonWebSignature

• JWE has been renamed to JsonWebEncryption

• JWK has been renamed to JsonWebKey

• JWT has been renamed to JsonWebToken

The “Key” model has been re-designed, checkout the JSON Web Key (JWK) for updates.

Added ES256K algorithm for JWS and JWT.

Breaking Changes: find how to solve the deprecate issues via https://git.io/JkY4f

Old Versions

Find old changelog at https://github.com/authlib/authlib/releases

• Version 0.15.5: Released on Oct 18, 2021

• Version 0.15.4: Released on Jul 17, 2021

• Version 0.15.3: Released on Jan 15, 2021

• Version 0.15.2: Released on Oct 18, 2020

• Version 0.15.1: Released on Oct 14, 2020

• Version 0.15.0: Released on Oct 10, 2020

• Version 0.14.3: Released on May 18, 2020

• Version 0.14.2: Released on May 6, 2020

• Version 0.14.1: Released on Feb 12, 2020

• Version 0.14.0: Released on Feb 11, 2020

• Version 0.13.0: Released on Nov 11, 2019

• Version 0.12.0: Released on Sep 3, 2019

• Version 0.11.0: Released on Apr 6, 2019

• Version 0.10.0: Released on Oct 12, 2018

• Version 0.9.0: Released on Aug 12, 2018

• Version 0.8.0: Released on Jun 17, 2018

• Version 0.7.0: Released on Apr 28, 2018

• Version 0.6.0: Released on Mar 20, 2018

• Version 0.5.1: Released on Feb 11, 2018

• Version 0.5.0: Released on Feb 11, 2018

• Version 0.4.1: Released on Feb 2, 2018

• Version 0.4.0: Released on Jan 31, 2018

• Version 0.3.0: Released on Dec 24, 2017

• Version 0.2.1: Released on Dec 6, 2017

• Version 0.2.0: Released on Nov 25, 2017

• Version 0.1.0: Released on Nov 18, 2017