What's Changed

• Add a request param to RFC7591 generate_client_info and generate_client_secret methods by @azmeuk in #825
• feat: support list params in prepare_grant_uri by @lisongmin in #827
• chore(deps): bump SonarSource/sonarqube-scan-action from 5 to 6 in /.github/workflows by @dependabot[bot] in #828
• fix(jose): add max size for JWE zip=DEF decompression by @lepture in #830

New Contributors

• @lisongmin made their first contribution in #827
• @dependabot[bot] made their first contribution in #828

Full Changelog: v1.6.4...v1.6.5

What's Changed

• fix(jose): prevent public/unprotected header overwriting protected header by @lepture in #809
• Fix InsecureTransportError raising by @azmeuk in #810
• Add conventional-commits pre-commit hook by @azmeuk in #811
• Fix response_mode=form_post with Starlette client by @azmeuk in #812
• Specify README.md as project long description by @EpicWink in #817
• Migrate tests to pytest paradigm by @azmeuk in #813
• jose/jws: Reject unprotected ‘crit’ and enforce type; add tests by @AL-Cybision in #823
• Use explicit *.test urls in unit tests by @azmeuk in #824

New Contributors

• @EpicWink made their first contribution in #817
• @AL-Cybision made their first contribution in #823

Full Changelog: v1.6.3...v1.6.4

What's Changed

• Add diff-cover check in GHA by @azmeuk in #803
• Run GHA unit tests with uv by @azmeuk in #805
• Move from pre-commit to prek by @azmeuk in #804
• Sign OIDC id_token according to id_token_signed_response_alg client metadata by @azmeuk in #802

Full Changelog: v1.6.2...v1.6.3

What's Changed

• Allow insecure transport for 127.0.0.1 for debugging by @geigerzaehler in #788
• Raise a MissingCodeError when code parameter is missing by @lepture in #786
• Temporarily restore OAuth2Request body parameter by @azmeuk in #791
• Raise MissingCodeException when code parameter is missing by @lepture in #794
• Fix id_token generation with EdDSA alg by @azmeuk in #800

Full Changelog: v1.6.1...v1.6.2

• Filter key set with additional "alg" and "use" parameters.

• Fix issue when RFC9207 is enabled and the authorization endpoint response is not a redirection. pull request #733
• Fix missing state parameter in authorization error responses. issue #525
• Support for acr and amr claims in id_token. issue #734
• Support for the none JWS algorithm.
• Fix response_types strict order during dynamic client registration. issue #760
• Implement RFC9101 The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR). issue #723
• OIDC UserInfo endpoint support. issue #459

Released on Apr 1, 2025

• Forbid fragments in redirect_uris. #714
• Fix invalid characters in error_description. #720
• Add claims_cls parameter for client's parse_id_token method. #725

Released on Feb 28, 2025

• Fix RFC9207 iss parameter. #715

• Fix token introspection auth method for clients. #662
• Optional typ claim in JWT tokens. #696
• JWT validation leeway. #689
• Implement server-side RFC9207. #700 #701
• generate_id_token can take a kid parameter. #702
• More detailed InvalidClientError. #706
• OpenID Connect Dynamic Client Registration implementation. #707

• Improve garbage collection on OAuth clients. #698
• Fix client parameters for httpx. #694