What's Changed

• Fix the readme links by @azmeuk in #886
• Allow non-recommended algorithms in ClientSecretJWT and PrivateKey by @azmeuk in #887
• Validate BCP47 language tags with a regex by @azmeuk in #873
• Fix RFC7523 signing with non RSA keys by @azmeuk in #884

Full Changelog: v1.7.1...v1.7.2

What's Changed

• Fix authlib.jose deprecation warning poping from _joserfc_helpers by @azmeuk in #881
• Fix redirecting to unvalidated redirect_uri on InvalidScopeError in OpenIDImplicitGrant and OpenIDHybridGrant.

Full Changelog: v1.7.0...v1.7.1

• • Fix redirecting to unvalidated redirect_uri on InvalidScopeError in OpenIDImplicitGrant and OpenIDHybridGrant.
    Full Changelog: v1.6.11...v1.6.12

What's Changed

• Authorization and token endpoints request empty scope parameter management by @azmeuk in #847
• Support from Python 3.10 to 3.14 by @azmeuk in #850
• Allow composition of AuthorizationServerMetadata by @azmeuk in #853
• Make require_oauth parenthesis optional by @azmeuk in #855
• Fix expires_at behavior when its value is 0 by @azmeuk in #854
• Migration to joserfc by @lepture in #852
• RP-initiated logout by @frohrlich in #849
• Fix get_jwt_config by @lepture in #858
• chore(ci): Update PyPy version from 3.10 to 3.11 by @cclauss in #863
• fix: remove "none" from default authlib.jose.jwt algorithms by @lepture in #860
• fix: normalize resolve_client_public_key method by @lepture in #861
• Implement rfc9700 PKCE downgrade countermeasure by @azmeuk in #864
• Use correct syntax for tox.requires in tox.ini by @alex-ball in #868
• Set client session User-Agent when fetching server metadata and JWKs by @alex-ball in #867
• fix: use the real application object for Flask by @nblock in #869
• Accept the issuer URL as a valid audience by @azmeuk in #865
• Don't nest InvalidTokenError extra attribute by @azmeuk in #872
• Documentation overhaul by @azmeuk in #875
• Update README.md docs.authlib.org/en/latest => docs.authlib.org/en/stable by @guillett in #876
• Merge release/1.6 branch by @lepture in #877

New Contributors

• @frohrlich made their first contribution in #849
• @cclauss made their first contribution in #863
• @alex-ball made their first contribution in #868
• @nblock made their first contribution in #869
• @guillett made their first contribution in #876

Full Changelog: v1.6.10...v1.7.0

Full Changelog: v1.6.10...v1.6.11

• Fix CSRF issue with starlette client

Full Changelog: v1.6.9...v1.6.10

• Fix redirecting to unvalidated redirect_uri on UnsupportedResponseTypeError.

Full Changelog: v1.6.8...v1.6.9

Changes in jose module

• Not using header's jwk automatically
• Add ES256K into default jwt algorithms
• Remove deprecated algorithm from default registry
• Generate random cek when cek length doesn't match

Full Changelog: v1.6.7...v1.6.8

• Add EdDSA to default jwt instance.

Full Changelog: v1.6.6...v1.6.7

Set supported algorithms for the default jwt instance.

What's Changed

• fix(ClientAuth): fix incorrect signature when Content-Type is x-www-form-urlencoded by @shc261392 in #778
• Fix: Use expires_in when expires_at is unparsable by @bendavis78 in #842
• get_jwt_config takes a client parameter. by @azmeuk in #844

New Contributors

• @shc261392 made their first contribution in #778
• @bendavis78 made their first contribution in #842

Full Changelog: v1.6.5...v1.6.6