Hsiaoming Yang (lepture, @hsiaoming), Japan & China, https://lepture.com. This guy is too lazy to introduce himself.

lepture/authlib 2039

The ultimate Python library in building OAuth, OpenID Connect clients and servers. JWS,JWE,JWK,JWA,JWT included.

lepture/captcha 659

A captcha library that generates audio and image CAPTCHAs.

avelino/liquidluck 338

Felix Felicis (aka liquidluck) is a static blog generator in python

lepture/colorful 60

colorful environment for command line tools in node

lepture/chinalaw 44

Please follow https://github.com/cn

lepture/ansible-sentry 19

Ansible role which manages Sentry, with supervisor

authlib/example-oidc-server 18

Example for OpenID Connect 1.0 Server for Authlib.

lepture/burglar 12

Let's rob the fat guys, and publish everything into feeds.

lepture/color-patterns 10

Colors that I love.

authlib/aiohttp-oauth-client 8

Use HTTPX instead: https://docs.authlib.org/en/latest/client/httpx.html

push event lepture/mistune

Abhilash Raj

commit sha 98ffef65f5fa414593d00212ca9c78c3ef801bc0

Use the released version in install command.


Hsiaoming Yang

commit sha 7e8acda039ac0fd2bfd1dc77846386674e5bf25a

Merge pull request #254 from maxking/patch-1 Use the released version in install command.


push time in 6 hours

PR merged lepture/mistune

Use the released version in install command.
+1 -1

0 comment

1 changed file

maxking

pr closed time in 6 hours

push event lepture/authlib

Sam Bellen

commit sha 325e6e6166bcdae03c64e475072b939c6cbf9c1e

Update Auth0 sponsorship link Hey We recently launched a new page specifically geared towards developers on auth0.com. Can we change the link in the sponsorship message? Thanks again for your open-source work!


Hsiaoming Yang

commit sha e78bee88c94c8bfb3b67679eda2b3968ed6ef989

Merge pull request #276 from Sambego/patch-1 Update Auth0 sponsorship link


push time in 6 hours

PR merged lepture/authlib

Update Auth0 sponsorship link

What kind of change does this PR introduce? (check at least one)

  • [ ] Bugfix
  • [ ] Feature
  • [ ] Code style update
  • [ ] Refactor
  • [x] Other, please describe:

We recently launched a new page specifically geared towards developers on auth0.com. Can we change the link in the sponsorship message?

Thanks again for your open-source work!

Does this PR introduce a breaking change? (check one)

  • [ ] Yes
  • [x] No

  • [x] You consent that the copyright of your pull request source code belongs to Authlib's author.
+1 -1

0 comment

1 changed file

Sambego

pr closed time in 6 hours

push event typlog/china-indie-podcasts

ifsh

commit sha 70c6e3777e24d86943d2c40c04ccd48e6ac9d5d1

update


Hsiaoming Yang

commit sha ffe3e41795ef06d4d35b2e69946bd8b52f3c5f4a

Merge pull request #171 from ifsh/patch-1 update new rss feed


push time in 9 days

push event lepture/authlib

Hsiaoming Yang

commit sha e4f60e94b7b3837ef2263ca538305bb80ff64565

Fix django test case


push time in 9 days


push event lepture/authlib

Hsiaoming Yang

commit sha 1cebee838e398546d2e230e8619bc73e1f4a72a6

Raise invalid_grant error when refresh token is expired Fixed https://github.com/lepture/authlib/issues/112


push time in 9 days

issue closed lepture/authlib

Expired refresh_token should return invalid_grant error

When a refresh token has expired, Authlib replies with a 400 invalid_request error: Invalid "refresh_token" in request. However, 400 invalid_grant should be returned, see https://tools.ietf.org/html/rfc6749#section-5.2:

The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, ...

closed time in 9 days

xmedeko
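As an added example (not Authlib's code) of the distinction the issue above draws, here is a token-endpoint handler for the refresh_token grant that returns the RFC 6749 section 5.2 error codes: invalid_request only for a malformed request, invalid_grant for a token that is unknown, expired, revoked or bound to another client. The token store, client identity and clock are constructed stand-ins for what a real server would load from storage.

```python
"""Added example, not Authlib's code: refresh_token grant handling with
RFC 6749 section 5.2 error codes. The store, client id and clock are
constructed stand-ins."""
import secrets
import time

# Constructed refresh-token store: token value -> record. A real server keeps
# these in a database, bound to the client that obtained them.
REFRESH_TOKENS = {
    "rt-valid":   {"client_id": "app-1", "expires_at": 4102444800, "revoked": False},
    "rt-expired": {"client_id": "app-1", "expires_at": 1600000000, "revoked": False},
    "rt-revoked": {"client_id": "app-1", "expires_at": 4102444800, "revoked": True},
}


def _error(code, description):
    """RFC 6749 5.2 error response: HTTP 400 with a JSON body whose 'error'
    member comes from the RFC's fixed vocabulary. The framework is expected
    to serialize the dict and add Cache-Control: no-store."""
    return 400, {"error": code, "error_description": description}


def handle_refresh_grant(form, authenticated_client_id, now=None):
    """Return (status, body_dict) for a POST to the token endpoint.

    `form` is the decoded x-www-form-urlencoded body; `authenticated_client_id`
    is the client the request authenticated as (HTTP Basic or client_secret),
    verified before this function is called."""
    now = time.time() if now is None else now
    if form.get("grant_type") != "refresh_token":
        return _error("unsupported_grant_type", "grant_type must be refresh_token")
    presented = form.get("refresh_token")
    if not presented:
        # Malformed request (parameter missing): invalid_request is correct
        # here, and only here.
        return _error("invalid_request", 'Missing "refresh_token" in request')

    record = REFRESH_TOKENS.get(presented)
    # Unknown, expired, revoked, or issued to a different client are all
    # invalid_grant per section 5.2. One message for all four so the response
    # does not tell an attacker which condition applied.
    if (record is None or record["revoked"] or record["expires_at"] <= now
            or record["client_id"] != authenticated_client_id):
        return _error("invalid_grant", "The refresh token is invalid, expired or revoked")

    # Rotate: retire the presented refresh token and issue a fresh pair, so a
    # stolen copy that is replayed later is rejected with invalid_grant.
    record["revoked"] = True
    new_refresh = secrets.token_urlsafe(32)
    REFRESH_TOKENS[new_refresh] = {
        "client_id": authenticated_client_id,
        "expires_at": now + 30 * 24 * 3600,
        "revoked": False,
    }
    return 200, {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": 3600,
        "refresh_token": new_refresh,
    }
```

The single generic invalid_grant message is deliberate: distinguishing "expired" from "unknown" in the response body gives an attacker a token-validity oracle for free.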

issue comment lepture/python-livereload

Want another maintainer? Add me. :)

@pradyunsg thanks. I've invited you.

pradyunsg

comment created time in 9 days

issue comment lepture/python-livereload

Want another maintainer? Add me. :)

ping @bmcculley

pradyunsg

comment created time in 9 days

issue closed lepture/authlib

Hello! Using authlib for Alibaba DingTalk third-party login

While working on Alibaba DingTalk today, I found that DingTalk's request endpoint uses the field appid rather than client_id, so the client_id in the URL generated by auth.dingding.authorize_redirect() is not valid for DingTalk's endpoint.

What I'm asking for help with is how to turn client_id into appid.

closed time in 9 days

kanhebei

issue comment lepture/authlib

Hello! Using authlib for Alibaba DingTalk third-party login

You can use authorize_params:

oauth.register(
  name='dingding',
  authorize_params={'appid': 'xxx'},
  ...
)

Please ask help in StackOverflow.

kanhebei

comment created time in 9 days

pull request comment lepture/authlib

Fix test if authorization should be provided to the underlying httpx client

It is already done by https://github.com/lepture/authlib/pull/270. Thanks.

asyncee

comment created time in 9 days

PR closed lepture/authlib

Fix test if authorization should be provided to the underlying httpx client

What kind of change does this PR introduce? (check at least one)

  • [x] Bugfix
  • [ ] Feature
  • [ ] Code style update
  • [ ] Refactor
  • [ ] Other, please describe:

Does this PR introduce a breaking change? (check one)

  • [x] Yes, for users of very old HTTPX version (0.11.x)
  • [ ] No

In HTTPX 0.11.x auth argument to the AsyncClient.request had None as default. Since 0.12 default is changed to a sentinel object of type UnsetType. Users should upgrade their HTTPX version.

  • [x] You consent that the copyright of your pull request source code belongs to Authlib's author.

We are using HTTPX 0.14 and faced the issue when authlib's AsyncOauth2Client had a token but never provided it to the underlying client because auth argument to AsyncOauth2Client.request method always had a value of httpx._config.UNSET and not None (code expects it to be None).

HTTPX version 0.14.3 Authlib version 0.14.3

+2 -2

1 comment

1 changed file

asyncee

pr closed time in 9 days

push event lepture/authlib

Ber Zoidberg

commit sha bad200e799663deda7c007a16a4a57463680355a

py3 is no longer just async


Ber Zoidberg

commit sha 12496deda44b8f048efb7bf4c014b5a5ad83553d

add support for httpx sync APIs; fix bug in httpx oauth1 support where content-length header is not specified


Ber Zoidberg

commit sha 31ec53768cb60215f83e281fda2efd01d9d7e260

update to httpx 0.14.3


Ber Zoidberg

commit sha ef9ef9f7885119dc9e10c4ff93904e5208ff4408

Merge branch 'master' into improve-httpx-support


Ber Zoidberg

commit sha 99f6cb5dc8e0c42455504ff38488dba8e9a23d55

update to work with latest master


Ber Zoidberg

commit sha f0250428775ea75a8ac52012e04fe77233750e44

py3 is no longer just async
add support for httpx sync APIs; fix bug in httpx oauth1 support where content-length header is not specified
update to httpx 0.14.3
Remove deprecated and purely cosmetical argument providing_args in Django integrations
add test and fix for unintentional parallel token refreshes
update to work with latest master


Ber Zoidberg

commit sha 33c6a31c8b0fe3904102b4393ce212c75bd5218d

Merge branch 'improve-httpx-support' of ssh://github.com/berzoidberg/authlib into improve-httpx-support


Ber Zoidberg

commit sha 340168b5c015562a15e472f5b41f50b9c2c109b1

remove unnecessary code duplication, use UNSET instead of UnsetType for cleaner code


Hsiaoming Yang

commit sha 6a4778da663d3520874a11e00d062b97f537b246

Merge pull request #270 from berzoidberg/improve-httpx-support #268 #269 Improve HTTPX Support


push time in 9 days

PR merged lepture/authlib

#268 #269 Improve HTTPX Support

Fixes #268 Fixes #269

What kind of change does this PR introduce? (check at least one)

  • [x] Bugfix
  • [x] Feature
  • [ ] Code style update
  • [ ] Refactor
  • [ ] Other, please describe:

Does this PR introduce a breaking change? (check one)

  • [ ] Yes

  • [x] No

  • [x] You consent that the copyright of your pull request source code belongs to Authlib's author.

+842 -65

6 comments

16 changed files

berzoidberg

pr closed time in 9 days

issue closed lepture/authlib

HTTPX OAuth1 implementation does not set Content-Length header

Describe the bug The OAuth1 implementation for HTTPX does not set the content-length header, which can cause problems when using body signatures and talking to servers who block body POSTs where the length header is not specified.

Expected behavior

Content-Length header is set.

Environment:

  • OS: linux
  • Python Version: 3.8
  • Authlib Version: 0.14.3

Incoming PR fixes this.

closed time in 9 days

berzoidberg

issue closed lepture/authlib

Support for HTTPX Synchronous API

Is your feature request related to a problem? Please describe.

HTTPX has synchronous APIs as well as async, authlib should support both.

Additional context

Incoming PR supplies this.

closed time in 9 days

berzoidberg

issue closed lepture/authlib

HTTPX > 0.14.1 doesn't send Authz header in AsyncAssertionClient

Describe the bug

Authorization header is not automatically added to requests made using AsyncAssertionClient with HTTPX 0.14.2 or 0.14.3, but it does with HTTPX 0.14.1.

Error Stacks

Kinda cagey here because it's an internal endpoint.

    client = AsyncAssertionClient(...)
    await client.refresh_token()  # works as expected in either version.
    response = await client.post(
        "https://*****.com/v1/*****",
        #     headers={
        #         "Authorization": f'{client.token["token_type"]} {client.token["access_token"]}'
        #     },
        json={....},
    )

With trace logging in 0.14.1

...
TRACE [2020-09-16 23:57:09] httpcore._async.connection - connection.request method=b'POST' url=(b'https', b'*****.com', None, b'/v1/*****') headers=[
    (b'host', b'*****.com'), 
    (b'user-agent', b'python-httpx/0.14.1'), 
    (b'accept', b'*/*'), 
    (b'accept-encoding', b'gzip, deflate'), 
    (b'connection', b'keep-alive'), 
    (b'content-length', b'82'), 
    (b'content-type', b'application/json'), 
    (b'authorization', b'Bearer [***access_token***]')]
TRACE [2020-09-16 23:57:09] httpcore._async.http11 - send_request method=b'POST' url=(b'https', b'*****.com', None, b'/v1/*****') headers=[(b'host', b'*****.com'), (b'user-agent', b'python-httpx/0.14.1'), (b'accept', b'*/*'), (b'accept-encoding', b'gzip, deflate'), (b'connection', b'keep-alive'), (b'content-length', b'82'), (b'content-type', b'application/json'), (b'authorization', b'Bearer [***access_token***]')]
TRACE [2020-09-16 23:57:09] httpcore._async.http11 - send_data=Data(<82 bytes>)
DEBUG [2020-09-16 23:57:10] httpx._client - HTTP Request: POST https://*****.com/v1/***** "HTTP/1.1 200 OK"
...

Swapping in 0.14.3

$ .venv/bin/python -m pip install httpx==0.14.3                                                                                                                                        
Collecting httpx==0.14.3                                                                                                                                                               
  Using cached httpx-0.14.3-py3-none-any.whl (62 kB)                                                                                                                                   
Requirement already satisfied: httpcore==0.10.* in ./.venv/lib/python3.8/site-packages (from httpx==0.14.3) (0.10.2)                                                                   
Requirement already satisfied: certifi in ./.venv/lib/python3.8/site-packages (from httpx==0.14.3) (2020.6.20)                                                                         
Requirement already satisfied: sniffio in ./.venv/lib/python3.8/site-packages (from httpx==0.14.3) (1.1.0)                                                                             
Requirement already satisfied: chardet==3.* in ./.venv/lib/python3.8/site-packages (from httpx==0.14.3) (3.0.4)                                                                        
Requirement already satisfied: rfc3986[idna2008]<2,>=1.3 in ./.venv/lib/python3.8/site-packages (from httpx==0.14.3) (1.4.0)                                                           
Requirement already satisfied: h11<0.10,>=0.8 in ./.venv/lib/python3.8/site-packages (from httpcore==0.10.*->httpx==0.14.3) (0.9.0)                                                    
Requirement already satisfied: idna; extra == "idna2008" in ./.venv/lib/python3.8/site-packages (from rfc3986[idna2008]<2,>=1.3->httpx==0.14.3) (2.10)                                 
Installing collected packages: httpx
  Attempting uninstall: httpx
    Found existing installation: httpx 0.14.1
    Uninstalling httpx-0.14.1:
      Successfully uninstalled httpx-0.14.1
Successfully installed httpx-0.14.3

In 0.14.3

TRACE [2020-09-16 23:55:16] httpcore._async.connection - connection.request method=b'POST' url=(b'https', b'*****.com', None, b'/v1/*****') headers=[
    (b'host', b'*****.com'), 
    (b'user-agent', b'python-httpx/0.14.3'), 
    (b'accept', b'*/*'), 
    (b'accept-encoding', b'gzip, deflate'), 
    (b'connection', b'keep-alive'), 
    (b'content-length', b'82'), 
    (b'content-type', b'application/json')]
TRACE [2020-09-16 23:55:16] httpcore._async.http11 - send_request method=b'POST' url=(b'https', b'*****.com', None, b'/v1/*****') headers=[(b'host', b'*****.com'), (b'user-agent', b'python-httpx/0.14.3'), (b'accept', b'*/*'), (b'accept-encoding', b'gzip, deflate'), (b'connection', b'keep-alive'), (b'content-length', b'82'), (b'content-type', b'application/json')]
TRACE [2020-09-16 23:55:16] httpcore._async.http11 - send_data=Data(<82 bytes>)
DEBUG [2020-09-16 23:55:16] httpx._client - HTTP Request: POST https://*****.com/v1/***** "HTTP/1.1 403 Forbidden"

...and the endpoint complains I didn't provide a valid Authorization key.

Expected behavior

Authorization header auto-added to request.

Environment:

  • OS: Ubuntu 18.04
  • Python Version: 3.8
  • Authlib Version: 0.14.3

closed time in 9 days

nicktimko

issue comment lepture/authlib

HTTPX > 0.14.1 doesn't send Authz header in AsyncAssertionClient

@nicktimko yes, HTTPX has breaking changes in 0.14.2. Please pin to httpx==0.14.1 until we release a new version.

https://github.com/lepture/authlib/commit/e30e653818fdaae7c6dea682ad1ea5530a5ebf7a

nicktimko

comment created time in 9 days

Pull request review comment lepture/authlib

#268 #269 Improve HTTPX Support

 def _http_post(self, url, body=None, auth=None, headers=None, **kwargs):         return self.post(             url, data=dict(url_decode(body)),             headers=headers, auth=auth, **kwargs)++class OAuth2Client(_OAuth2Client, Client):+    SESSION_REQUEST_PARAMS = HTTPX_CLIENT_KWARGS++    client_auth_class = OAuth2ClientAuth+    token_auth_class = OAuth2Auth++    def __init__(self, client_id=None, client_secret=None,+                 token_endpoint_auth_method=None,+                 revocation_endpoint_auth_method=None,+                 scope=None, redirect_uri=None,+                 token=None, token_placement='header',+                 update_token=None, **kwargs):++        # extract httpx.Client kwargs+        client_kwargs = self._extract_session_request_params(kwargs)+        Client.__init__(self, **client_kwargs)++        _OAuth2Client.__init__(+            self, session=None,+            client_id=client_id, client_secret=client_secret,+            token_endpoint_auth_method=token_endpoint_auth_method,+            revocation_endpoint_auth_method=revocation_endpoint_auth_method,+            scope=scope, redirect_uri=redirect_uri,+            token=token, token_placement=token_placement,+            update_token=update_token, **kwargs+        )++    @staticmethod+    def handle_error(error_type, error_description):+        raise OAuthError(error_type, error_description)++    def request(self, method, url, withhold_token=False, auth=None, **kwargs):+        if not withhold_token and isinstance(auth, UnsetType):+            if not self.token:+                raise MissingTokenError()++            if self.token.is_expired():+                self.ensure_active_token()++            auth = self.token_auth++        return super(OAuth2Client, self).request(+            method, url, auth=auth, **kwargs)++    def ensure_active_token(self):+        refresh_token = self.token.get('refresh_token')+        url = self.metadata.get('token_endpoint')+        if 
refresh_token and url:+            self.refresh_token(url, refresh_token=refresh_token)+        elif self.metadata.get('grant_type') == 'client_credentials':+            access_token = self.token['access_token']+            token = self.fetch_token(url, grant_type='client_credentials')+            if self.update_token:+                self.update_token(token, access_token=access_token)+        else:+            raise InvalidTokenError()++    def _fetch_token(self, url, body='', headers=None, auth=None,
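Review bot: in `ensure_active_token`, `url = self.metadata.get('token_endpoint')` can be `None`, and only the refresh branch guards it (`if refresh_token and url:`); the `client_credentials` branch still calls `self.fetch_token(url, grant_type='client_credentials')` with that possibly-missing URL. Check `url` once before the branch and raise (for example `InvalidTokenError()`) when it is absent, so an unconfigured metadata dict fails loudly instead of posting credentials to `None`.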

You can check the implementation for requests; there is no need to implement it if you have set session=self.

berzoidberg

comment created time in 16 days

Pull request review comment lepture/authlib

#268 #269 Improve HTTPX Support

 async def _refresh_token(self, data):             )         self.token = token         return self.token++class AssertionClient(_AssertionClient, Client):+    token_auth_class = OAuth2Auth+    JWT_BEARER_GRANT_TYPE = JWTBearerGrant.GRANT_TYPE+    ASSERTION_METHODS = {+        JWT_BEARER_GRANT_TYPE: JWTBearerGrant.sign,+    }+    DEFAULT_GRANT_TYPE = JWT_BEARER_GRANT_TYPE++    def __init__(self, token_endpoint, issuer, subject, audience=None, grant_type=None,+                 claims=None, token_placement='header', scope=None, **kwargs):++        client_kwargs = extract_client_kwargs(kwargs)+        Client.__init__(self, **client_kwargs)++        _AssertionClient.__init__(+            self, session=None,

if session=self, there is no need to re-write _refresh_token.

berzoidberg

comment created time in 16 days

Pull request review comment lepture/authlib

#268 #269 Improve HTTPX Support

 async def _refresh_token(self, data):             )         self.token = token         return self.token++class AssertionClient(_AssertionClient, Client):

2 lines between class.

berzoidberg

comment created time in 16 days


Pull request review comment lepture/authlib

#268 #269 Improve HTTPX Support

-from httpx import AsyncClient+from httpx import AsyncClient, Client+from httpx._config import UnsetType

Is there a way to avoid using a private module of httpx?

berzoidberg

comment created time in 16 days


pull request comment lepture/authlib

#268 #269 Improve HTTPX Support

Actually, we had HTTPX sync API before, in version 0.13. But later after we released 0.13, HTTPX removed sync API for a while.

berzoidberg

comment created time in 16 days

push event lepture/authlib

Ber Zoidberg

commit sha 81d71e80d031f6146efb1dc4a114c03390d82677

add test and fix for unintentional parallel token refreshes


Hsiaoming Yang

commit sha f780d1be1632538280759ecb6dbed56ff4349e1e

Merge pull request #267 from berzoidberg/fix-httpx-oauth #266 add test and fix for unintentional parallel token refreshes


push time in 16 days

PR merged lepture/authlib

#266 add test and fix for unintentional parallel token refreshes

Fixes #266

DO NOT SEND ANY SECURITY FIX HERE. Please read "Security Reporting" section on README.

What kind of change does this PR introduce? (check at least one)

  • [x] Bugfix
  • [ ] Feature
  • [ ] Code style update
  • [ ] Refactor
  • [ ] Other, please describe:

Does this PR introduce a breaking change? (check one)

  • [ ] Yes
  • [x] No

  • [x] You consent that the copyright of your pull request source code belongs to Authlib's author.
+48 -11

1 comment

2 changed files

berzoidberg

pr closed time in 16 days

issue closed lepture/authlib

HTTPX Async client causes concurrent token refreshes when multiple coroutines are actively using client

Describe the bug

A clear and concise description of what the bug is.

To Reproduce

Incoming PR has unit test that reproduces the issue

Expected behavior

Token should "lock", preventing other coroutines from continuing until the token is refreshed

Environment:

  • OS: Linux
  • Python Version: 3.8
  • Authlib Version: 0.14.3 and master

closed time in 16 days

berzoidberg

pull request comment lepture/authlib

#266 add test and fix for unintentional parallel token refreshes

Thanks for your help.

berzoidberg

comment created time in 16 days

push event lepture/authlib

Alexander Viklund

commit sha a1b9b8cf89673cf961f41a8cbef0e87478caf18e

Remove deprecated and purely cosmetical argument providing_args in Django integrations


Hsiaoming Yang

commit sha 000219986c6a279b6182e4b4262e3babe6e31b39

Merge pull request #265 from bullfest/remove-providing_args Remove deprecated and purely documentational argument providing_args in Django integrations


push time in 16 days

PR merged lepture/authlib

Remove deprecated and purely documentational argument providing_args in Django integrations

In Django 3.1 the purely documentational feature of sending in providing_args when creating a Signal was deprecated: https://docs.djangoproject.com/en/3.1/releases/3.1/#id2

The purely documentational providing_args argument for Signal is deprecated. If you rely on this argument as documentation, you can move the text to a code comment or docstring.

This removes the argument so that we don't get deprecation warnings.

The feature has been purely documentational since 1.8 so this shouldn't break anybody's code.

What kind of change does this PR introduce? (check at least one)

  • [x] Bugfix
  • [ ] Feature
  • [ ] Code style update
  • [ ] Refactor
  • [ ] Other, please describe:

Does this PR introduce a breaking change? (check one)

  • [ ] Yes

  • [x] No

  • [x] You consent that the copyright of your pull request source code belongs to Authlib's author.

+4 -4

1 comment

2 changed files

bullfest

pr closed time in 16 days

pull request comment lepture/authlib

#268 #269 Improve HTTPX Support

@berzoidberg I'm not ready to support sync mode of httpx. currently httpx is not stable, it has many breaking changes. For example, I have locked httpx version to httpx==0.14.1, because 0.14.2 will break our code. I'd like to fix test cases for httpx==0.14.2 at first.

berzoidberg

comment created time in 16 days

push event lepture/authlib

Kyle Zhou

commit sha 6d6fd12a7044d0a668a4ed5b114ac0a34dcdc6c1

Remove token checking before load_server_metadata


Hsiaoming Yang

commit sha 319eb60268e7f18f0d3e837bd3024d4c685d86fa

Merge pull request #262 from kylezhou/master Remove token checking before load_server_metadata


push time in 23 days

PR merged lepture/authlib

Remove token checking before load_server_metadata

DO NOT SEND ANY SECURITY FIX HERE. Please read "Security Reporting" section on README.

What kind of change does this PR introduce? (check at least one)

  • [x] Bugfix
  • [ ] Feature
  • [ ] Code style update
  • [ ] Refactor
  • [ ] Other, please describe:

Does this PR introduce a breaking change? (check one)

  • [ ] Yes
  • [x] No

The problem happens if server_metadata_url is used instead of manually passing access_token_url, and the token is not passed to the request but provided via the fetch_token callback registered in OAuth. When the token expires and an OAuth resource is requested by invoking request/get/put, load_server_metadata is skipped because the token is not passed in manually (token=None). Thus the metadata is empty, OAuth2Auth.ensure_active_token() is unable to get token_endpoint and hence unable to refresh the token, resulting in an invalid token exception.


  • [x] You consent that the copyright of your pull request source code belongs to Authlib's author.
+2 -2

0 comment

2 changed files

kylezhou

pr closed time in 23 days

issue comment lepture/mistune

disable default paragraph tags

@sidbelbase that depends on your usage. You can use it without Markup at first.

sidbelbase

comment created time in 24 days

created tag lepture/mistune

tag v2.0.0a5

A fast yet powerful Python Markdown parser with renderers and plugins.

created time in 24 days

push event lepture/mistune

Hsiaoming Yang

commit sha 38575f97d86af765b931b1a641551eee3087ec0f

Escape text when escape=True Fix https://github.com/lepture/mistune/issues/249


Hsiaoming Yang

commit sha 463635d17c99841e4609b26e8bbd2c4163c58e96

Release v2.0.0a5


push time in 24 days

issue closed lepture/mistune

Shouldn't HTML entities be escaped?

I'm not sure if this is intended, but it seems odd to me that HTML entities are not escaped with escape = True:

>>> mistune.markdown('&lt;', escape = True)
'<p>&lt;</p>\n'

I use mistune for comments, so I think of the goal of HTML escaping as not just security but "users should be able to type any non-markdown syntax and have it come out as typed", but this doesn't since the browser renders an unescaped &lt; as an actual <.

closed time in 24 days

yujiri8

issue closed lepture/mistune

Support for Python 2.6

I know Python 2.6 is old, but in the project that I'm working on we still use Python 2.6. I was able to port it to Python 2.6; it was not that difficult, most of the changes are related to initialising "set" datatypes. Would it be useful if I make a pull request for it?

closed time in 24 days

xanok

issue comment lepture/mistune

Support for Python 2.6

Actually, we are going to remove python 2 support in the next year.

xanok

comment created time in 24 days

issue closed lepture/mistune

disable default paragraph tags

For instance, **this** is an example. gets converted into <p>For instance, <strong>this</strong> is an example.</p>, can we customize this into only For instance, <strong>this</strong> is an example.

from markupsafe import Markup  # import missing from the original snippet; Flask re-exports this class
from mistune import markdown as mistune_markdown

@core.app_template_filter('markdown')
def markthatdown(any_text, **options):
    # Markup marks the rendered HTML as safe so Jinja does not escape it again
    return Markup(mistune_markdown(any_text))

I'm using mistune in flask and it is already wrapped inside <p></p> so with the default also being enabled creates a nested <p> tags breaking UI.

Can we customize or disable <p></p> tags?

closed time in 24 days

sidbelbase

issue comment lepture/mistune

disable default paragraph tags

In v1, it is mistune.Renderer.

sidbelbase

comment created time in 24 days

pull request comment authlib/example-oauth2-server

Authorization code example

Thanks

azmeuk

comment created time in a month

push event authlib/example-oauth2-server

Éloi Rivard

commit sha e2156a7da35f75858f0c844a872b5d6d604e928e

Authorization code example


Hsiaoming Yang

commit sha f1aade048fb44ebbfd6703b3ef8a9cdbb15a161b

Merge pull request #75 from azmeuk/readme Authorization code example


push time in a month

PR merged authlib/example-oauth2-server

Authorization code example

A README example to quickly test the authorization code flow.

+23 -0

0 comment

1 changed file

azmeuk

pr closed time in a month

push event lepture/authlib

Éloi Rivard

commit sha 8c3789f122b4f88cc24d3126547dbdf4e61498ed

Use 'is_secure_transport' in rfc8414


Hsiaoming Yang

commit sha 7b97daf269d0b0851310db54cf53236146caea3e

Merge pull request #261 from azmeuk/rfc8414-is-secure-transport Use 'is_secure_transport' in rfc8414


push time in a month

PR merged lepture/authlib

Use 'is_secure_transport' in rfc8414

What kind of change does this PR introduce? (check at least one)

  • [ ] Bugfix
  • [x] Feature
  • [ ] Code style update
  • [ ] Refactor
  • [ ] Other, please describe:

Does this PR introduce a breaking change? (check one)

  • [ ] Yes
  • [x] No

This allows writing the server metadata file with insecure URLs when developing locally, by using the AUTHLIB_INSECURE_TRANSPORT environment variable.

  • [x] You consent that the copyright of your pull request source code belongs to Authlib's author.
+8 -7

0 comment

1 changed file

azmeuk

pr closed time in a month

push event lepture/authlib

Hsiaoming Yang

commit sha e30e653818fdaae7c6dea682ad1ea5530a5ebf7a

Lock httpx version, 1.4.2 is a breaking change.


push time in a month

issue comment lepture/mistune

disable default paragraph tags

@yujiri8 is correct.

sidbelbase

comment created time in a month

issue closed lepture/mistune

HTMLRenderer's heading cannot be customised when DirectiveToc is used

Using version 2.0.0a4, HTMLRenderer's heading cannot be customised when DirectiveToc is used. For example, running the code below results in two different behaviours.

import mistune
from mistune.directives import DirectiveToc  # original read "import mistune.directives import DirectiveToc", which is a SyntaxError

class Renderer(mistune.HTMLRenderer):
    def heading(self, text, level):
        return 'changed_heading'

test_a = mistune.create_markdown(
        renderer=Renderer(),
        plugins=[])
test_b = mistune.create_markdown(
        renderer=Renderer(),
        plugins=[DirectiveToc()])

print(test_a("# text"))  # returns 'changed_heading'
print(test_b("# text"))  # returns '<h1 id="toc_1">text</h1>'

This is because when DirectiveToc is used, the rendering process uses render_html_threading (from mistune.directives.toc.py) instead. This is not necessarily an issue, since it's impossible to handle arbitrary changes in the renderer while trying to put header ids in the html. Maybe this behaviour should be documented so that people can find which method to override when using DirectiveToc.

closed time in a month

Rhahi

push event lepture/authlib

Hsiaoming Yang

commit sha 3ca7333c10e275f05d39cf582716004946b82bee

Skip verifying nonce for Apple case Fixes https://github.com/lepture/authlib/issues/259


push time in a month

issue closed lepture/authlib

Skip verifying nonce (Sign in with Apple)

Is your feature request related to a problem? Please describe.

We would like to add a "Sign in with Apple" backend to loginpass but they currently deviate from the OAuth 2.0/OIDC specification in a few ways. One of them is that they indicate you can skip verifying the nonce using their own nonce_supported claim.

A Boolean value that indicates whether the transaction is on a nonce-supported platform. If you sent a nonce in the authorization request but do not see the nonce claim in the identity token, check this claim to determine how to proceed. If this claim returns true, you should treat nonce as mandatory and fail the transaction; otherwise, you can proceed treating the nonce as optional.

https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/authenticating_users_with_sign_in_with_apple

Describe the solution you'd like

Perhaps RemoteApp._parse_id_token could respect their nonce_supported claim?

Here's what we're doing in our project:

diff --git a/authlib/integrations/base_client/remote_app.py b/authlib/integrations/base_client/remote_app.py
index 170f2f9..0926859 100644
--- a/authlib/integrations/base_client/remote_app.py
+++ b/authlib/integrations/base_client/remote_app.py
@@ -197,5 +197,16 @@ class RemoteApp(BaseApp):
             claims_options=claims_options,
             claims_params=claims_params,
         )
+
+        # Apple can indicate that it wants us to skip verifying the nonce
+        if not claims.get('nonce_supported', True):
+            claims_params['nonce'] = None
+            claims = jwt.decode(
+                token['id_token'], key=load_key,
+                claims_cls=claims_cls,
+                claims_options=claims_options,
+                claims_params=claims_params,
+            )
+
         claims.validate(leeway=leeway)
         return UserInfo(claims)
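Review bot: the opt-out is keyed on a claim inside the token being validated (`if not claims.get('nonce_supported', True)`) and it lives in the generic `RemoteApp._parse_id_token`, so any provider whose ID token carries `nonce_supported: false` can switch off replay protection for every integration, not just Sign in with Apple. Gate the branch on the Apple issuer (or an explicit per-app option) as the comment `# Apple can indicate ...` already implies, and only drop the expectation when the `nonce` claim is actually absent: setting `claims_params['nonce'] = None` also stops comparison when the token does contain a nonce, which Apple's own text says must then be checked.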

Describe alternatives you've considered

I'm sure this isn't the first time you've encountered backends deviating from the specification, but I'm not sure if this is something authlib or loginpass should condone.

closed time in a month

cburmeister
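As an added example (not Authlib's or loginpass's code) of how the request above can be honoured without weakening every other provider, here is the nonce step of ID token validation written so that a missing nonce is tolerated only for the one issuer whose documentation defines nonce_supported. It assumes the token's signature, iss, aud and exp were already verified and that `claims` is the decoded payload; the Apple issuer value and the claim dicts in the test are constructed for the example.

```python
"""Added example, not Authlib's code: nonce validation with a narrowly scoped
exception for Apple's nonce_supported claim. Signature and other claims are
assumed to be verified already; `claims` is the decoded payload."""
import hmac

APPLE_ISSUER = "https://appleid.apple.com"  # assumption for the example


class NonceError(Exception):
    pass


def check_nonce(claims, expected_nonce, skip_allowed_issuer=APPLE_ISSUER):
    """Return True if the nonce check passes, raise NonceError otherwise.

    `expected_nonce` is the value the relying party stored in its session
    when it built the authorization request."""
    if not expected_nonce:
        raise NonceError("relying party sent no nonce; refusing to validate")
    received = claims.get("nonce")
    if received is not None:
        # Present: always compare, whatever nonce_supported says. Constant-time
        # comparison so the check does not leak how many bytes matched.
        if not hmac.compare_digest(str(received), str(expected_nonce)):
            raise NonceError("nonce mismatch")
        return True
    # Absent: only the issuer that documents this case may skip, and only when
    # the signed token itself says the platform did not support the nonce.
    # Apple documents the claim as a Boolean; the string form is tolerated.
    if (claims.get("iss") == skip_allowed_issuer
            and claims.get("nonce_supported") in (False, "false")):
        return True
    raise NonceError("nonce missing from id_token")


def validate(claims, expected_nonce):
    """Convenience wrapper returning 'ok' or the failure reason as a string."""
    try:
        check_nonce(claims, expected_nonce)
        return "ok"
    except NonceError as exc:
        return str(exc)
```

Because the decision is made after signature verification, an attacker cannot add `nonce_supported: false` to a token they replay; the remaining risk is a legitimate Apple token issued without a nonce being replayed within its validity window, which is exactly the trade-off Apple's text asks the relying party to accept, and nothing more.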

issue comment lepture/authlib

Supporting pre-releases on pypi

We are going to release v0.15 soon, in about 2 weeks.

Cellebyte

comment created time in a month

issue comment lepture/mistune

HTMLRenderer's heading cannot be customised when DirectiveToc is used

Try to customize with:

def theading(self, text, level, tid):
    return 'changed toc heading'

Rhahi

comment created time in a month

push event lepture/authlib

Hsiaoming Yang

commit sha 226ed6fff01a88914433a6f6e06d025f454ff2b2

Prepare RFC7592

push time in a month

push event lepture/authlib

Hsiaoming Yang

commit sha e3712cdfa7b534db935a27e6113fe22c63be560b

Update ClientRegistrationEndpoint.authenticate_token

push time in a month

issue comment lepture/authlib

Framework-Agnostic OpenID Connect Implementation

@briankzimmer I still don't quite understand the problem. You can send a PR; I'll get what you want in the PR.

briankzimmer

comment created time in a month

issue comment lepture/authlib

Configure OAuthClient with OpenID Discovery configuration

@leonidguadalupe you can manually expose it.

lepture

comment created time in 2 months

issue comment lepture/authlib

CSRF validation failure when running in docker

This is not an Authlib bug. As you can see, you have set it in the session, but you didn't get it from the session. Here is how you can test the problem yourself.

from flask import session  # assumes the existing Flask ``app`` with a secret key configured

@app.route('/set-session')
def set_session_value():
    session['test-data'] = 'test'
    return 'ok'

@app.route('/get-session')
def get_session_value():
    return session.get('test-data', '')

Check whether the value is in the session by:

  1. visit /set-session
  2. then visit /get-session

circius

comment created time in 2 months

push event authlib/example-oauth2-server

Éloi Rivard

commit sha baf728f7ea43b50f585e9351d55f1fde46d00e99

curl example

Hsiaoming Yang

commit sha c9038c1ffd96dcc8ecaffb3cfe0375fe2558a4c7

Merge pull request #74 from azmeuk/readme curl resource access example

push time in 2 months

PR merged authlib/example-oauth2-server

curl resource access example

Another curl command in the README to access protected resources.

+7 -2

0 comment

1 changed file

azmeuk

pr closed time in 2 months

push event authlib/example-oauth2-server

Éloi Rivard

commit sha 7b05854e1dc838c6fc189754c2f9be349d2ce636

Use syntax highlighting everywhere in README.md

Hsiaoming Yang

commit sha 2f65234bc06e3de49e191c5f84574b06b3fc1fb3

Merge pull request #73 from azmeuk/readme-syntax-highlight Use syntax highlighting everywhere in README.md

push time in 2 months

issue comment lepture/authlib

Framework-Agnostic OpenID Connect Implementation

@bjmc it is not designed for RFC6749. RFC6749 is the foundation of OAuth 2.0, but the client that @briankzimmer is talking about is an OAuth 2.0 client that supports many spec features.

@briankzimmer have you tried to subclass FlaskRemoteApp? From your description, the problem would be here: https://github.com/lepture/authlib/blob/master/authlib/integrations/base_client/base_app.py#L168

briankzimmer

comment created time in 2 months

pull request comment lepture/authlib

Typo: "SHA-521" --> SHA-512 in RFC7518

Thanks

crw2998

comment created time in 2 months

push event lepture/authlib

Cole Winstanley

commit sha b7f7cc58493db431786049cb79640f7d12a8eeb2

Typo: "SHA-521" --> SHA-512 in RFC7518

Hsiaoming Yang

commit sha c6e284ab960fe90b712a1eb80f3d8515a8210dd2

Merge pull request #255 from crw2998/patch-1 Typo: "SHA-521" --> SHA-512 in RFC7518

push time in 2 months

PR merged lepture/authlib

Typo: "SHA-521" --> SHA-512 in RFC7518

DO NOT SEND ANY SECURITY FIX HERE. Please read the "Security Reporting" section in the README.

What kind of change does this PR introduce? (check at least one)

  • [ ] Bugfix
  • [ ] Feature
  • [ ] Code style update
  • [ ] Refactor
  • [X] Other, please describe: Typo fix in spec

Does this PR introduce a breaking change? (check one)

  • [ ] Yes
  • [X] No

  • [X] You consent that the copyright of your pull request source code belongs to Authlib's author.

+1 -1

0 comment

1 changed file

crw2998

pr closed time in 2 months

issue comment lepture/mistune

Line under quote is not considered part of quote

@makeworld-the-better-one yes, it can be fixed. I don't have much spare time for this library right now, but I'm happy to accept a PR.

makeworld-the-better-one

comment created time in 2 months

started lepture/authlib

started time in 2 months

issue closed lepture/authlib

Support both JSON and form data

The actual method to handle the token endpoint, according to the doc and the example server, seems to be something like this:

@blueprint.route('/token', methods=['POST'])
def access_token():
    return oauth.create_token_response()

This method handles form data, as it calls create_oauth_request with the argument use_json set to False:

def create_oauth_request(request, request_cls, use_json=False)

A way to handle JSON data is to override the Authorization server and its method create_oauth2_request to call the one above with use_json=True.

Like this:

class AuthServer(AuthorizationServer):
    def __init__(self, query_client=None, save_token=None):
        super().__init__(
            query_client=query_client,
            save_token=save_token,
        )

    def create_oauth2_request(self, request):
        return create_oauth_request(request, OAuth2Request, use_json=True)

But handling both and switching according to the incoming request's format is complicated. It can be done in such a way:

@blueprint.route('/token', methods=['POST'])
def access_token():
    has_form = bool(request.form)
    req = create_oauth_request(request, OAuth2Request, use_json=not has_form)
    return oauth.create_token_response(request=req)

But it feels silly to call a method that will be called again two levels later. It would be nice to have an elegant way to achieve this, if one does not already exist.

closed time in 2 months

quaxsze

issue comment lepture/authlib

create_oauth_request should support JSON payloads out of the box

@YPCrumble Authlib respects the standard. As RFC6749 states, the payload should be application/x-www-form-urlencoded; you can't send a JSON payload to the token endpoint. In this case, I will not accept such a PR.

You can always rewrite the create_oauth2_request method on your AuthorizationServer so that your provider can accept JSON payloads. But Authlib won't provide it by default.

mmattax

comment created time in 2 months

issue comment lepture/authlib

Support both JSON and form data

Also, it seems a duplicate issue to https://github.com/lepture/authlib/issues/156

quaxsze

comment created time in 2 months

issue comment lepture/authlib

Support both JSON and form data

It is really not a good idea to accept a JSON payload in an OAuth token endpoint. According to https://tools.ietf.org/html/rfc6749, you should send the payload as application/x-www-form-urlencoded.

With your implementation, there will be one more non-compliant OAuth 2.0 provider. Authlib respects the standard; it will not provide such a method out of the box.

However, if you want, you can still create such a non-compliant provider by rewriting the create_oauth2_request method.

quaxsze

comment created time in 2 months
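As an added example (not Authlib's code) of the rule the maintainer is holding to: a token-endpoint request parser that accepts only application/x-www-form-urlencoded bodies, as RFC 6749 section 3.2 requires, rejects parameters that appear more than once, treats a parameter sent without a value as omitted, and answers everything else with the invalid_request error from section 5.2. The function names (parse_token_request, handle_token_request) and the sample bodies in the demo are constructed for this illustration.

```python
from urllib.parse import parse_qs

FORM = 'application/x-www-form-urlencoded'
REQUIRED = ('grant_type',)


def parse_token_request(content_type, body):
    """Parse a token-endpoint body the way RFC 6749 section 3.2 requires.

    Returns (params, None) on success, or (None, description) when the
    request must be rejected with ``invalid_request``.
    """
    media_type = (content_type or '').split(';', 1)[0].strip().lower()
    if media_type != FORM:
        # JSON (or anything else) is refused outright rather than sniffed.
        return None, 'token requests must be sent as %s' % FORM
    try:
        text = body.decode('utf-8')
    except UnicodeDecodeError:
        return None, 'body is not valid UTF-8'
    try:
        # keep_blank_values=False drops "name=" pairs: the RFC says a parameter
        # sent without a value is treated as omitted. strict_parsing rejects
        # fragments such as "a&b" that are not name=value pairs at all.
        raw = parse_qs(text, keep_blank_values=False, strict_parsing=True)
    except ValueError as exc:
        return None, 'malformed form body: %s' % exc
    params = {}
    for name, values in raw.items():
        if len(values) != 1:
            # RFC 6749: request parameters MUST NOT be included more than once.
            return None, 'parameter %r included more than once' % name
        params[name] = values[0]
    for name in REQUIRED:
        if name not in params:
            return None, 'missing required parameter %r' % name
    return params, None


def handle_token_request(content_type, body):
    """Return (status, payload) as the endpoint would (RFC 6749 section 5.2)."""
    params, problem = parse_token_request(content_type, body)
    if problem is not None:
        return 400, {'error': 'invalid_request', 'error_description': problem}
    # Grant handling would continue here; this demo just echoes what passed.
    return 200, {'accepted': params}


if __name__ == '__main__':
    # Constructed requests: one JSON body, one good form body, one with a
    # duplicated parameter, one with an empty grant_type.
    demo = [
        ('application/json', b'{"grant_type": "authorization_code"}'),
        (FORM + '; charset=UTF-8',
         b'grant_type=authorization_code&code=abc&redirect_uri=https%3A%2F%2Fclient.example%2Fcb'),
        (FORM, b'grant_type=password&grant_type=client_credentials'),
        (FORM, b'grant_type=&code=abc'),
    ]
    for content_type, body in demo:
        print(content_type, '->', handle_token_request(content_type, body))
```

The point of refusing by media type instead of sniffing the body is the one made in the comments above: a client that sends JSON gets a spec-conformant error it can act on, rather than a silently tolerated deviation that later breaks against a compliant provider.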

pull request comment lepture/authlib

Add additional specificity to Flask authorization server error messages.

@YPCrumble thanks. I've added error messages in https://github.com/lepture/authlib/commit/c4c23ae19963bf2be22404f3907dcce316994863

YPCrumble

comment created time in 2 months

push event lepture/authlib

Hsiaoming Yang

commit sha 4754f39f0334715b16615f9d88abfc97d8ab3e15

Add custom user agent in client integrations

Hsiaoming Yang

commit sha c4c23ae19963bf2be22404f3907dcce316994863

Fix raise error for unsupported grant type. close https://github.com/lepture/authlib/pull/248

push time in 2 months

PR closed lepture/authlib

Add additional specificity to Flask authorization server error messages.

Please see attached a PR for #242 which adds specificity to error messages. The goal is to make it easier to debug any error messages as they happen to make configuration easier.

Please let me know if any questions or suggested improvements!

+24 -7

0 comment

2 changed files

YPCrumble

pr closed time in 2 months

push event plateui/plateui

dependabot[bot]

commit sha 1d8e179a059ef794fabe76bceddf037fc9606a38

Bump lodash from 4.17.15 to 4.17.19 Bumps [lodash](https://github.com/lodash/lodash) from 4.17.15 to 4.17.19. - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](https://github.com/lodash/lodash/compare/4.17.15...4.17.19) Signed-off-by: dependabot[bot] <support@github.com>

Hsiaoming Yang

commit sha 48022fc0d7bf7b1f153b72ffd7ead81bbf978ff2

Merge pull request #1 from plateui/dependabot/npm_and_yarn/lodash-4.17.19 Bump lodash from 4.17.15 to 4.17.19

push time in 2 months

PR merged plateui/plateui

Bump lodash from 4.17.15 to 4.17.19 dependencies

Bumps lodash from 4.17.15 to 4.17.19.

Release notes (sourced from lodash's releases, https://github.com/lodash/lodash/releases): 4.17.16

Commits:

  • d7fbc52 Bump to v4.17.19 (https://github.com/lodash/lodash/commit/d7fbc52ee0466a6d248f047b5d5c3e6d1e099056)
  • 2e1c0f2 Add npm-package (https://github.com/lodash/lodash/commit/2e1c0f22f425e9c013815b2cd7c2ebd51f49a8d6)
  • 1b6c282 Bump to v4.17.18 (https://github.com/lodash/lodash/commit/1b6c282299f4e0271f932b466c67f0f822aa308e)
  • a370ac8 Bump to v4.17.17 (https://github.com/lodash/lodash/commit/a370ac81408de2da77a82b3c4b61a01a3b9c2fac)
  • 1144918 Rebuild lodash and docs (https://github.com/lodash/lodash/commit/1144918f3578a84fcc4986da9b806e63a6175cbb)
  • 3a3b0fd Bump to v4.17.16 (https://github.com/lodash/lodash/commit/3a3b0fd339c2109563f7e8167dc95265ed82ef3e)
  • c84fe82 fix(zipObjectDeep): prototype pollution (#4759) (https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12)
  • e7b28ea Sanitize sourceURL so it cannot affect evaled code (#4518) (https://github.com/lodash/lodash/commit/e7b28ea6cb17b4ca021e7c9d66218c8c89782f32)
  • 0cec225 Fix lodash.isEqual for circular references (#4320) (#4515) (https://github.com/lodash/lodash/commit/0cec225778d4ac26c2bac95031ecc92a94f08bbb)
  • 94c3a81 Document matches* shorthands for over* methods (#4510) (#4514) (https://github.com/lodash/lodash/commit/94c3a8133cb4fcdb50db72b4fd14dd884b195cd5)
  • Additional commits viewable in the compare view: https://github.com/lodash/lodash/compare/4.17.15...4.17.19

Maintainer changes: this version was pushed to npm by mathias (https://www.npmjs.com/~mathias), a new releaser for lodash since your current version.


+5 -5

0 comment

2 changed files

dependabot[bot]

pr closed time in 2 months

push event lepture/authlib

Hsiaoming Yang

commit sha ac8332931323892caf9669a86b2237bd48d3c990

Restructure docs. Add oauth folder to core features.

Hsiaoming Yang

commit sha b6f0f775879f3983eda36525e7d63a32bd42af07

Prepare oidc docs

push time in 2 months

issue closed authlib/example-oauth2-server

request to None in token endpoint

In the Authorization server, the method create_token_response called by the token endpoint processes a request object, but its default request parameter is set to None and nothing is passed in its call in the token endpoint in the routes file. How can it make a response token out of a None request body?

closed time in 2 months

quaxsze

issue comment authlib/example-oauth2-server

request to None in token endpoint

Because it is Flask. You can always: from flask import request.

quaxsze

comment created time in 2 months

Pull request review comment gae-init/gae-init

Add Twitch signin

+# coding: utf-8++from __future__ import absolute_import++import flask++import auth+import config+import model+import util++from main import app+++def twitch_compliance_fix(session):+  def fix_protected_request(url, headers, data):+    headers["Client-ID"] = config.CONFIG_DB.twitch_client_id+    return url, headers, data++  session.register_compliance_hook('protected_request', fix_protected_request)+++twitch_config = dict(+  access_token_method='POST',+  access_token_url='https://id.twitch.tv/oauth2/token',+  api_base_url='https://api.twitch.tv/helix/',+  authorize_url='https://id.twitch.tv/oauth2/authorize',+  client_id=config.CONFIG_DB.twitch_client_id,+  client_secret=config.CONFIG_DB.twitch_client_secret,+  client_kwargs={+    'scope': 'user:read:email',+    'token_endpoint_auth_method': 'client_secret_post',+    'Client-ID': config.CONFIG_DB.twitch_client_id,
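Review bot: the `'Client-ID': config.CONFIG_DB.twitch_client_id` entry in `client_kwargs` duplicates what `fix_protected_request` already does through the `protected_request` compliance hook, and `client_kwargs` holds session options such as `scope` and `token_endpoint_auth_method`, not HTTP headers, so the line should go. The patch is cut off after that entry, so how `twitch_compliance_fix` is wired to the registered client cannot be checked here; the hook only takes effect if it is registered on the session the Twitch API calls use.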

no need for this line

lipis

comment created time in 2 months

PR closed authlib/loginpass

add url to GitHub for PyPi

Warehouse now uses the project_urls provided to display links in the sidebar on this screen, as well as including them in API responses to help automation tools find the source code for Requests. For example, see Django's setup.cfg and PyPI listing. PyPI already supports rendering project descriptions from Markdown: https://dustingram.com/articles/2018/03/16/markdown-descriptions-on-pypi/

+7 -15

1 comment

3 changed files

andriyor

pr closed time in 2 months

pull request comment authlib/loginpass

add url to GitHub for PyPi

we are not going to use README.md in pypi.

andriyor

comment created time in 2 months

issue closed authlib/loginpass

Support using custom configuration options

Case in point, I want to do this:

AUTHLIB_OAUTH_CLIENTS = {
    'google': {
        'client_id': '...',
        'client_secret': '...',
        'client_kwargs': {
            'scope': 'https://www.googleapis.com/auth/gmail.readonly',
            'include_granted_scopes': 'true',
        },
    },
}

scope is used, as expected, but include_granted_scopes is discarded, which is unexpected.

closed time in 2 months

vmsp

issue comment authlib/loginpass

Support using custom configuration options

@vmsp I think what you want is authorize_params:

AUTHLIB_OAUTH_CLIENTS = {
    'google': {
        'client_id': '...',
        'client_secret': '...',
        'authorize_params': {
            'include_granted_scopes': 'true',
        },
        'client_kwargs': {
            'scope': 'https://www.googleapis.com/auth/gmail.readonly',
        },
    },
}

vmsp

comment created time in 2 months

issue comment authlib/loginpass

Loginpass + Azure - claim validation error for claim "iss"

Can you leave the discovery endpoint URL? In our code: https://github.com/authlib/loginpass/blob/master/loginpass/azure.py#L34

issuer = issuer.replace('{tenantid}', tenant)

It is replacing {tenantid} instead of {tenant}, I think this is the problem.

blackdwarf

comment created time in 2 months

issue closed authlib/loginpass

Typo loginpass/_flask.py

The import on line 83 (https://github.com/authlib/loginpass/blob/66a5c6593f12bc4a537724d7212b1978d275b9fc/loginpass/_flask.py#L83) should read from authlib.integrations.flask_client import RemoteApp as FlaskRemoteApp instead of from authlib.integrations.flask_client import FlaskRemoteApp with authlib 0.14.

closed time in 2 months

bjonen

issue comment authlib/loginpass

Typo loginpass/_flask.py

It is correct in the code.

bjonen

comment created time in 2 months


issue closed authlib/example-oauth2-server

Not routing to authorize after login

I am trying to run this example; I am able to run it and get the login screen. Now I am entering the details in "Alexa", which is my client for this OAuth server.

I am able to get the login page from Alexa. However, I am not able to navigate to Authorize after properly signing in.

Please help. Regards, Punit

closed time in 2 months

punitvanjani

issue comment authlib/example-oauth2-server

Not routing to authorize after login

I can't understand your question.

punitvanjani

comment created time in 2 months
