Version 1.7.2

-------------

**Released on May 6, 2026**

- Fix ``PrivateKeyJWT`` rejecting ``ECKey`` private keys (e.g. for ``ES256``).
  The client private key is no longer forcibly imported as an ``RSAKey``;
  ``joserfc``'s key auto-detection is used instead. :pr:`852`
- Allow ``ClientSecretJWT`` and ``PrivateKeyJWT`` to sign client assertions
  with non-recommended algorithms (e.g. ``RS384``) when explicitly set via the
  ``alg`` parameter. :issue:`883`
- Validate BCP 47 language tags in ``ui_locales_supported``, ``claims_locales_supported``
  and ``UserInfo.locale``. :pr:`873`

Version 1.7.1

-------------

**Released on may 4, 2026**

- Fix ``AuthlibDeprecationWarning`` being emitted on import when using integrations
  that do not use ``authlib.jose`` directly. :issue:`880`
- Fix redirecting to unvalidated ``redirect_uri`` on ``InvalidScopeError``
  in ``OpenIDImplicitGrant`` and ``OpenIDHybridGrant``.

Version 1.6.12

--------------

**Released on may 4, 2026**

- Fix redirecting to unvalidated ``redirect_uri`` on ``InvalidScopeError``
  in ``OpenIDImplicitGrant`` and ``OpenIDHybridGrant``.

Version 1.7.1

-------------

**Released on may 4, 2026**

- Fix ``AuthlibDeprecationWarning`` being emitted on import when using integrations
  that do not use ``authlib.jose`` directly. :issue:`880`
- Fix redirecting to unvalidated ``redirect_uri`` on ``InvalidScopeError``
  in ``OpenIDImplicitGrant`` and ``OpenIDHybridGrant``.

Version 1.6.12

--------------

**Released on may 4, 2026**

- Fix redirecting to unvalidated ``redirect_uri`` on ``InvalidScopeError``
  in ``OpenIDImplicitGrant`` and ``OpenIDHybridGrant``.

chore: release 1.7.0

Version 1.6.11

--------------

**Released on Apr 16, 2026**

- Fix CSRF vulnerability in the Starlette OAuth client when a ``cache`` is
  configured.

chore: release 1.6.10

chore: release 1.6.9

chore: release 1.6.8