freshcrate

oauthlib

A generic, spec-compliant, thorough implementation of the OAuth request-signing logic

Description

OAuthLib - Python Framework for OAuth1 & OAuth2
===============================================

*A generic, spec-compliant, thorough implementation of the OAuth request-signing logic for Python 3.8+*

.. image:: https://github.com/oauthlib/oauthlib/actions/workflows/python-build.yml/badge.svg
   :target: https://github.com/oauthlib/oauthlib/actions
   :alt: GitHub Actions

.. image:: https://coveralls.io/repos/oauthlib/oauthlib/badge.svg?branch=master
   :target: https://coveralls.io/r/oauthlib/oauthlib
   :alt: Coveralls

.. image:: https://img.shields.io/pypi/pyversions/oauthlib.svg
   :target: https://pypi.org/project/oauthlib/
   :alt: Download from PyPI

.. image:: https://img.shields.io/pypi/l/oauthlib.svg
   :target: https://pypi.org/project/oauthlib/
   :alt: License

.. image:: https://app.fossa.io/api/projects/git%2Bgithub.com%2Foauthlib%2Foauthlib.svg?type=shield
   :target: https://app.fossa.io/projects/git%2Bgithub.com%2Foauthlib%2Foauthlib?ref=badge_shield
   :alt: FOSSA Status

.. image:: https://img.shields.io/readthedocs/oauthlib.svg
   :target: https://oauthlib.readthedocs.io/en/latest/index.html
   :alt: Read the Docs

.. image:: https://badges.gitter.im/oauthlib/oauthlib.svg
   :target: https://gitter.im/oauthlib/Lobby
   :alt: Chat on Gitter

.. image:: https://raw.githubusercontent.com/oauthlib/oauthlib/8d71b161fd145d11c40d55c9ab66ac134a303253/docs/logo/oauthlib-banner-700x192.png
   :target: https://github.com/oauthlib/oauthlib/
   :alt: OAuth + Python = OAuthlib Python Framework

OAuth often seems complicated and difficult to implement. There are several
prominent libraries for handling OAuth requests, but they all suffer from one or
more of the following:

1. They predate the `OAuth 1.0 spec`_, AKA RFC 5849.
2. They predate the `OAuth 2.0 spec`_, AKA RFC 6749.
3. They assume the usage of a specific HTTP request library.

.. _`OAuth 1.0 spec`: https://tools.ietf.org/html/rfc5849
.. _`OAuth 2.0 spec`: https://tools.ietf.org/html/rfc6749

OAuthLib is a framework which implements the logic of OAuth1 or OAuth2 without
assuming a specific HTTP request object or web framework. Use it to graft OAuth
client support onto your favorite HTTP library, or to provide provider support
for your favourite web framework. If you're a maintainer of such a library,
write a thin veneer on top of OAuthLib and get OAuth support for very little
effort.

Documentation
--------------

Full documentation is available on `Read the Docs`_. All contributions are very
welcome! The documentation is still quite sparse; please open an issue for what
you'd like to know, or discuss it in our `Gitter community`_, or even better,
send a pull request!

.. _`Gitter community`: https://gitter.im/oauthlib/Lobby
.. _`Read the Docs`: https://oauthlib.readthedocs.io/en/latest/index.html

Interested in making OAuth requests?
------------------------------------

Then you might be more interested in using `requests`_, which has
OAuthLib-powered OAuth support provided by the `requests-oauthlib`_ library.

.. _`requests`: https://github.com/requests/requests
.. _`requests-oauthlib`: https://github.com/requests/requests-oauthlib

Which web frameworks are supported?
-----------------------------------

The following packages provide OAuth support using OAuthLib.

- For Django there is:

  - `django-oauth-toolkit`_, which includes `Django REST framework`_ support.
  - `django-allauth`_, which includes `Django REST framework`_ as well as `Django Ninja`_ support.

- For Flask there is `flask-oauthlib`_ and `Flask-Dance`_.
- For Pyramid there is `pyramid-oauthlib`_.
- For Bottle there is `bottle-oauthlib`_.

If you have written an OAuthLib package that supports your favorite framework,
please open a Pull Request updating the documentation.

.. _`django-oauth-toolkit`: https://github.com/evonove/django-oauth-toolkit
.. _`flask-oauthlib`: https://github.com/lepture/flask-oauthlib
.. _`Django REST framework`: http://django-rest-framework.org
.. _`Flask-Dance`: https://github.com/singingwolfboy/flask-dance
.. _`pyramid-oauthlib`: https://github.com/tilgovi/pyramid-oauthlib
.. _`bottle-oauthlib`: https://github.com/thomsonreuters/bottle-oauthlib
.. _`django-allauth`: https://allauth.org/
.. _`Django Ninja`: https://django-ninja.dev/

Using OAuthLib? Please get in touch!
------------------------------------

Patching OAuth support onto an HTTP request framework? Creating an OAuth
provider extension for a web framework? Simply using OAuthLib to Get Things Done
or to learn? No matter which, we'd love to hear from you in our `Gitter
community`_. If you have anything in particular you would like to have, change
or comment on, don't hesitate for a second to send a pull request or open an
issue. We might be quite busy and therefore slow to reply, but we love feedback!

Chances are you have run into something annoying that you wish there was
documentation for. If you wish to gain eternal fame and glory, and a drink if we
have the pleasure to run into each other, please send a docs

Release History

Version (Urgency, Date): Changes

3.3.1 (Low, 4/21/2026)
  Imported from PyPI (3.3.1)

v3.3.1 (Low, 6/20/2025)
  What's Changed
  - Stop installing `examples` into `site-packages` by @mgorny in https://github.com/oauthlib/oauthlib/pull/904
  - Add explicit GHSA for vuln disclosure by @JonathanHuot in https://github.com/oauthlib/oauthlib/pull/903
  - Add mandatory RTD configuration by @JonathanHuot in https://github.com/oauthlib/oauthlib/pull/908
  - Fix 3.3.0 regression of expires_in by @JonathanHuot in https://github.com/oauthlib/oauthlib/pull/907
  Full Changelog: https://github.com/oauthlib/oauthli

v3.3.0 (Low, 6/17/2025)
  What's Changed (see also CHANGELOG.md)
  - Use proper SPDX identifier by @Shortfinga in https://github.com/oauthlib/oauthlib/pull/836
  - Upgrade GitHub Actions and make bandit, codespell, and pytest mandatory by @cclauss in https://github.com/oauthlib/oauthlib/pull/835
  - OAuth2Error: Allow falsy values as state by @TiphaineLAURENT in https://github.com/oauthlib/oauthlib/pull/815
  - Update pre-configured OIDC server to use OIDC flavor of Refresh Token grant type by @burkel24 in https://gith

v3.2.2 (Low, 1/10/2023)
  OAuth2.0 Provider:
  - CVE-2022-36087

v3.2.1 (Low, 9/9/2022)
  In short
  OAuth2.0 Provider:
  - #803: Metadata endpoint support of non-HTTPS
  OAuth1.0:
  - #818: Allow IPv6 being parsed by signature
  General:
  - Improved and fixed documentation warnings.
  - Cosmetic changes based on isort
  What's Changed
  - add missing slots to TokenBase by @ariebovenberg in https://github.com/oauthlib/oauthlib/pull/804
  - Add CORS support for Refresh Token Grant. by @luhn in https://github.com/oauthlib/oauthlib/pull/806
  - GitHub Action to lint Python code by @

v3.2.0 (Low, 1/29/2022)
  Changelog
  OAuth2.0 Client:
  - #795: Add Device Authorization Flow for Web Application
  - #786: Add PKCE support for Client
  - #783: Fallback to none in case of wrong expires_at format.
  OAuth2.0 Provider:
  - #790: Add support for CORS to metadata endpoint.
  - #791: Add support for CORS to token endpoint.
  - #787: Remove comma after Bearer in WWW-Authenticate
  OAuth2.0 Provider - OIDC:
  - #755: Call save_token in Hybrid code flow
  - #751: OIDC add support of refreshing ID Tokens with

v3.1.1 (Low, 6/2/2021)
  OAuth2.0 Provider - Bugfixes
  - #753: Fix acceptance of valid IPv6 addresses in URI validation
  OAuth2.0 Client - Bugfixes
  - #730: Base OAuth2 Client now has a consistent way of managing the `scope`: it consistently relies on the `scope` provided in the constructor if any, except if overridden temporarily in a method call. Note that in particular providing a non-None `scope` in `prepare_authorization_request` or `prepare_refresh_token` does not override anymore `se

v3.1.0 (Low, 8/6/2019)
  3.1.0 is a feature release including improvements to OIDC and security enhancements. Check it out!
  OAuth2.0 Provider - Features
  - #660: OIDC add support of nonce, c_hash, at_hash fields
    - New RequestValidator.fill_id_token method
    - Deprecated RequestValidator.get_id_token method
  - #677: OIDC add UserInfo endpoint
    - New RequestValidator.get_userinfo_claims method
  OAuth2.0 Provider - Security
  - #665: Enhance data leak to logs
    - New default to not expose request content

v3.0.2 (Low, 7/4/2019)
  Bug fix release
  - #650: OAuth1: Fixed space encoding in base string URI used in the signature base string.
  - #654: OAuth2: Doc: The value state must not be stored by the AS, only returned in /authorize response.
  - #652: OIDC: Fixed /token response which wrongly returned "&state=None"
  - #656: OIDC: Fixed "nonce" checks: raise errors when it's mandatory

v3.0.1 (Low, 1/24/2019)
  Fix regression introduced in 3.0.0
  - #644: Fixed Revocation & Introspection Endpoints when using Client Authentication with HTTP Basic Auth.

v3.0.0 (Low, 1/8/2019)
  This is a major release containing API-breaking changes and new major features. See the full list below:
  OAuth2.0 Provider - outstanding Features
  - OpenID Connect Core support
  - RFC7662 Introspect support
  - RFC8414 OAuth2.0 Authorization Server Metadata support (#605)
  - RFC7636 PKCE support (#617 #624)
  OAuth2.0 Provider - API/Breaking Changes
  - Add "request" to confirm_redirect_uri #504
  - confirm_redirect_uri/get_default_redirect_uri has changed a bit #445
  - invalid_client is

v2.1.0 (Low, 5/22/2018)
  This minor release includes the following changes:
  - Fixed some copy and paste typos (#535)
  - Use secrets module in Python 3.6 and later (#533)
  - Add request argument to confirm_redirect_uri (#504)
  - Avoid populating spurious token credentials (#542)
  - Make populate attributes API public (#546)

v2.0.7 (Low, 3/19/2018)
  :tada: First oauthlib community release. :tada:
  - Moved oauthlib into new organization on GitHub.
  - Include license file in the generated wheel package. (#494)
  - When deploying a release to PyPI, include the wheel distribution. (#496)
  - Check access token in self.token dict. (#500)
  - Added bottle-oauthlib to docs. (#509)
  - Update repository location in Travis. (#514)
  - Updated docs for organization change. (#515)
  - Replace G+ with Gitter. (#517)
  - Update requirements. (#518)
  - Add s

v2.0.6 (Low, 3/18/2018)
  Fix-up release, since 2.0.5 contained breaking changes.

v2.0.5 (Low, 3/18/2018)
  This was a bad release; don't use.
  - Fix OAuth2Error.response_mode for #463.
  - Documentation improvement.

v2.0.4 (Low, 3/18/2018)
  - Fixed typo that caused OAuthlib to crash because of the fix in "Address missing OIDC errors and fix a typo in the AccountSelectionRequired exception".

v2.0.3 (Low, 9/7/2017)
  - Address missing OIDC errors and fix a typo in the AccountSelectionRequired exception.
  - Update proxy keys on CaseInsensitiveDict.update().
  - Redirect errors according to OIDC's response_mode.
  - Added universal wheel support.
  - Added log statements to except clauses.
  - According to RFC 7009 Section 2.1, a client should include authentication credentials when revoking its tokens. As discussed in #339, this does not make sense for public clients. However, in that case, the public client sh

v2.0.2 (Low, 9/7/2017)
  - Dropped support for Python 2.6, 3.2 & 3.3.
  - (FIX) `OpenIDConnector` will no longer raise an AttributeError when calling `openid_authorization_validator()` twice.

v2.0.1 (Low, 11/23/2016)
  - (FIX) Normalize handling of request.scopes list

v2.0.0 (Low, 9/3/2016)
  - (New Feature) OpenID support.
  - Documentation improvements and fixes.

v1.1.2 (Low, 9/3/2016)
  - (Fix) Query strings should be able to include colons.
  - (Fix) Cast body to a string to ensure that we can perform a regex substitution on it.

1.1.1 (Low, 5/1/2016)
  - (Enhancement) Better sanitisation of Request objects `__repr__`.

1.1.0 (Low, 4/11/2016)
  - (Fix) '(', ')', '/' and '?' are now safe characters in url encoded strings.
  - (Enhancement) Added support for specifying if refresh tokens should be created on authorization code grants.
  - (Fix) OAuth2Token now handles None scopes correctly.
  - (Fix) Request token is now available for OAuth 1.
  - (Enhancement) OAuth2Token is declared with `__slots__` for smaller memory footprint.
  - (Enhancement) RefreshTokenGrant now allows to set issue_new_refresh_tokens.
  - Documentation improvements and fixes.

1.0.3 (Low, 8/16/2015)
  - (Fix) Changed the documented return type of the `invalidate_request_token()` method from the RSA key to None since nobody is using the return type.
  - (Enhancement) Added a validator log that will store what the endpoint has computed for debugging and logging purposes (OAuth 1 only for now).

1.0.2 (Low, 8/16/2015)
  - (Fix) Allow client secret to be null for public applications that do not mandate its specification in the query parameters.
  - (Fix) Encode request body before hashing in order to prevent encoding errors in Python 3.

1.0.1 (Low, 7/25/2015)
  - (Fix) Added token_type_hint to the list of default Request parameters.

0.1.4 (Low, 7/25/2015)
  Soft dependency on PyCrypto.

0.2.0 (Low, 7/25/2015)
  OAuth provider support.

0.2.1 (Low, 7/25/2015)
  Exclude non-urlencoded bodies during request verification.

0.3.0 (Low, 7/25/2015)
  Initial OAuth 2 client support.

0.3.1 (Low, 7/25/2015)
  Python 3.1, 3.2, 3.3 support (experimental).

0.3.2 (Low, 7/25/2015)
  Fixed #62, all Python 3 tests pass.

0.3.3 (Low, 7/25/2015)
  OAuth 1 Provider verify now returns useful params.

0.3.4 (Low, 7/25/2015)
  A number of small features and bug fixes.

0.3.5 (Low, 7/25/2015)
  Default unicode conversion (utf-8) and urlencoding of input.

0.3.6 (Low, 7/25/2015)
  Revert default urlencoding.

0.3.7 (Low, 7/25/2015)
  OAuth 1 optional encoding of Client.sign return values.

0.3.8 (Low, 7/25/2015)
  OAuth 2 Client now uses custom errors and raises on expiry.

0.4.0 (Low, 7/25/2015)
  OAuth 2 Provider support (experimental).

0.4.1 (Low, 7/25/2015)
  Documentation corrections and various small code fixes.

0.4.2 (Low, 7/25/2015)
  OAuth 2 draft to RFC. Removed OAuth 2 framework decorators.

0.5.0 (Low, 7/25/2015)
  OAuth 1 provider refactor. OAuth 2 refresh token validation fix.

0.5.1 (Low, 7/25/2015)
  - OAuth 1 provider fix for incorrect token param in nonce validation.

0.6.0 (Low, 7/25/2015)
  OAuth 1 & 2 provider API refactor with breaking changes:
  - All endpoint methods change contract to return 3 values instead of 4. The new signature is `headers`, `body`, `status code`, where the initial `redirect_uri` has been relocated to its rightful place inside headers as `Location`.
  - OAuth 1 Access Token Endpoint has a new required validator method `invalidate_request_token`.
  - OAuth 1 Authorization Endpoint now returns a 200 response instead of 302 on `oob` callbacks.

0.6.1 (Low, 7/25/2015)
  Draft revocation endpoint features and numerous fixes including:
  - (OAuth 2 Provider) is_within_original_scope to check whether a refresh token is trying to acquire a new set of scopes that are a subset of the original scope.
  - (OAuth 2 Provider) expires_in token lifetime can be set per request.
  - (OAuth 2 Provider) client_authentication_required method added to differentiate between public and confidential clients.
  - (OAuth 2 Provider) rotate_refresh_token now indicates whether a new refresh

0.6.2 (Low, 7/25/2015)
  - Numerous OAuth2 provider errors now suggest a status code of 401 instead of 400 (#247).
  - Added support for JSON web tokens with oauthlib.common.generate_signed_token. Install extra dependency with oauthlib[signedtoken] (#237).
  - OAuth2 scopes can be arbitrary objects with `__str__` defined (#240).
  - OAuth 1 Clients can now register custom signature methods (#239).
  - Exposed new method oauthlib.oauth2.is_secure_transport that checks whether the given URL is HTTPS. Checks using this method c

0.6.3 (Low, 7/25/2015)
  - (Quick fix) OAuth 1 client repr in 0.6.2 overwrote secrets when scrubbing for print.

0.7.0 (Low, 7/25/2015)
  - (Change) OAuth2 clients will not raise a Warning on scope change if the environment variable `OAUTHLIB_RELAX_TOKEN_SCOPE` is set. The token will now be available as an attribute on the error, `error.token`. Token changes will now also be announced using blinker.
  - (Fix/Feature) Automatic fixes of non-compliant OAuth2 provider responses (e.g. Facebook).
  - (Fix) Logging is now tiered (per file) as opposed to logging all under `oauthlib`.
  - (Fix) Error messages should now include a descript

0.7.1 (Low, 7/25/2015)
  - (Quick fix) Add oauthlib.common.log object back in for libraries using it.

0.7.2 (Low, 7/25/2015)
  - (Quick fix) Unpushed locally modified files got included in the PyPI 0.7.1 release. Doing a new clean release to address this. Please upgrade quickly and report any issues you are running into.

1.0.0 (Low, 7/25/2015)
  - (Breaking Change) Replace pycrypto with cryptography from https://cryptography.io
  - (Breaking Change) Update jwt to 1.0.0 (which is backwards incompatible); no oauthlib API changes were made.
  - (Breaking Change) Raise attribute error for non-existing attributes in the Request object.
  - (Fix) Strip whitespace off of scope string.
  - (Change) Don't require to return the state in the access token response.
  - (Change) Hide password in logs.
  - (Fix) Fix incorrect invocation of prepare_refresh_body
