diff --git a/Authlib-1.3.0.tar.gz b/Authlib-1.3.0.tar.gz
deleted file mode 100644
index 67c3215a85ef445658eccc7552386c63c2556336..0000000000000000000000000000000000000000
Binary files a/Authlib-1.3.0.tar.gz and /dev/null differ
diff --git a/authlib-1.6.3.tar.gz b/authlib-1.6.3.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..e8316f04cd80122fdb30ce20089a642e8205f894
Binary files /dev/null and b/authlib-1.6.3.tar.gz differ
diff --git a/backport-fix-prevent-OctKey-to-import-ssh-rsa-pem-keys.patch b/backport-fix-prevent-OctKey-to-import-ssh-rsa-pem-keys.patch
deleted file mode 100644
index f9d75d1cf35fc4f4e6d29b438581ab5476c9b4fd..0000000000000000000000000000000000000000
--- a/backport-fix-prevent-OctKey-to-import-ssh-rsa-pem-keys.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 3bea812acefebc9ee108aa24557be3ba8971daf1 Mon Sep 17 00:00:00 2001
-From: Hsiaoming Yang
-Date: Tue, 4 Jun 2024 11:34:43 +0900
-Subject: [PATCH] fix: prevent OctKey to import ssh/rsa/pem keys
-
-https://github.com/lepture/authlib/issues/654
----
- authlib/jose/rfc7518/oct_key.py | 15 +++++++++++++++
- 1 file changed, 15 insertions(+)
-
-diff --git a/authlib/jose/rfc7518/oct_key.py b/authlib/jose/rfc7518/oct_key.py
-index 1db321a..44e1f72 100644
---- a/authlib/jose/rfc7518/oct_key.py
-+++ b/authlib/jose/rfc7518/oct_key.py
-@@ -6,6 +6,16 @@ from authlib.common.security import generate_token
- from ..rfc7517 import Key
- 
- 
-+POSSIBLE_UNSAFE_KEYS = (
-+ b"-----BEGIN ",
-+ b"---- BEGIN ",
-+ b"ssh-rsa ",
-+ b"ssh-dss ",
-+ b"ssh-ed25519 ",
-+ b"ecdsa-sha2-",
-+)
-+
-+
- class OctKey(Key):
- """Key class of the ``oct`` key type."""
- 
-@@ -65,6 +75,11 @@ class OctKey(Key):
- key._dict_data = raw
- else:
- raw_key = to_bytes(raw)
-+
-+ # security check
-+ if raw_key.startswith(POSSIBLE_UNSAFE_KEYS):
-+ raise ValueError("This key may not be safe to import")
-+
- key = cls(raw_key=raw_key, options=options)
- return key
- 
--- 
-2.33.0
-
diff --git a/python-Authlib.spec b/python-Authlib.spec
index d57d020f2835a5dcecc6bb55a0c174548d317758..0ba03d27f7ca5f8f306ae7c17a678ee429f13f97 100644
--- a/python-Authlib.spec
+++ b/python-Authlib.spec
@@ -1,14 +1,13 @@
 %global _empty_manifest_terminate_build 0
 Name: python-Authlib
-Version: 1.3.0
+Version: 1.6.3
 Release: 1
 Summary: The ultimate Python library in building OAuth and OpenID Connect servers and clients.
 License: BSD 3-Clause License
 URL: https://authlib.org/
-Source0: https://files.pythonhosted.org/packages/source/A/Authlib/Authlib-1.3.0.tar.gz
-BuildArch: noarch
+Source0: https://files.pythonhosted.org/packages/5d/c6/d9a9db2e71957827e23a34322bde8091b51cb778dcc38885b84c772a1ba9/authlib-1.6.3.tar.gz
 
-Patch0001: backport-fix-prevent-OctKey-to-import-ssh-rsa-pem-keys.patch
+BuildArch: noarch
 
 Requires: python3-cryptography
 
@@ -34,7 +33,7 @@ The ultimate Python library in building OAuth and OpenID Connect servers.
 JWS, JWK, JWA, JWT are included.
 
 %prep
-%autosetup -p1 -n Authlib-1.3.0
+%autosetup -p1 -n authlib-%{version}
 
 %build
 %py3_build
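Review bot: The first hunk drops `Patch0001` (the OctKey unsafe-key-import backport for authlib issue 654) without recording that the 1.6.3 tarball carries an equivalent check, so a later packager cannot tell from the spec whether that hardening was absorbed upstream or silently lost. The backport is dated June 2024, so it is plausible the fix is in 1.6.3, but that should be confirmed against `authlib/jose/rfc7518/oct_key.py` in the new Source0 before the patch is removed. Once confirmed, record it in the 1.6.3-1 changelog entry, e.g. `- Drop backport-fix-prevent-OctKey-to-import-ssh-rsa-pem-keys.patch, fix included upstream`. In the second hunk `%autosetup -p1` keeps `-p1` although no patch remains; that is harmless but means any future patch must be a `-p1` diff.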
@@ -74,6 +73,31 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 
 %changelog
+* Fri Aug 29 2025 wangqia - 1.6.3-1
+- Update package with version 1.6.3
+ SEC: Fix security issues in OAuth 1.0a client implementation
+ SEC: Address cryptographic timing attacks in token validation
+ FEAT: Add support for OAuth 2.0 Token Exchange RFC 8693
+ FEAT: Add support for OIDC Client Initiated Backchannel Authentication
+ FEAT: Add support for JWT Secured Authorization Response Mode
+ FEAT: Add support for RFC 9449 OAuth 2.0 Demonstration of Proof-of-Possession
+ FEAT: Add support for RFC 7636 PKCE code_challenge_method 'plain'
+ ENH: Improve JWT claims validation with new validation options
+ ENH: Add support for multiple signing algorithms in JWT backend
+ ENH: Improve OAuth client session management with better timeout handling
+ ENH: Add support for custom token revocation endpoints
+ BUG: Fix token endpoint authentication for OAuth 2.0 clients
+ BUG: Fix JSON Web Key Set (JWKS) loading from remote URLs
+ BUG: Fix nonce validation in OIDC authentication flows
+ BUG: Fix scope parameter handling in authorization requests
+ BUG: Fix redirect_uri validation in OAuth 2.0 authorization code flow
+ BUG: Fix error response handling for OAuth 2.0 token requests
+ BUG: Fix datetime handling in token expiration validation
+ Drop support for Python 3.6 and 3.7
+ Add support for Python 3.11 and 3.12
+ Update cryptographic dependencies to latest versions
+ Improve documentation with new OAuth 2.0 features and examples
+
 * Fri Feb 28 2025 gongzhengtang - 1.3.0-1
 - update to v1.3.0