The full set of changes is on [GitHub](https://github.com/requests/requests-oauthlib/milestone/4?closed=1).
Additions & changes:
- `OAuth2Session` now correctly uses the `self.verify` value if `verify` is not overridden in `fetch_token` and `refresh_token`. Fixes #404.
- `OAuth2Session` constructor now uses its `client.scope` when a `client` is provided and `scope` is not overridden. Fixes #408
- Add `refresh_token_request` and `access_token_request` compliance hooks
- Add PKCE support and Auth0 example
- Add support for Python 3.8-3.12
- Remove support of Python 2.x, <3.7
- Migrated to GitHub Actions
- Updated dependencies
- Cleanup some docs and examples
- Version 2.0.0 was initially published as 1.4.0; that release was eventually yanked.
- Add initial support for OAuth Mutual TLS (draft-ietf-oauth-mtls)
- Removed outdated LinkedIn Compliance Fixes
- Add eBay compliance fix
- Add Spotify OAuth 2 Tutorial
- Add support for Python 3.8, 3.9
- Fixed LinkedIn Compliance Fixes
- Fixed ReadTheDocs Documentation and sphinx errors
- Moved pipeline to GitHub Actions
- Instagram compliance fix
- Added `force_querystring` argument to fetch_token() method on OAuth2Session
- This project now depends on OAuthlib 3.0.0 and above. It does not support versions of OAuthlib before 3.0.0.
- Updated oauth2 tests to use 'sess' for an OAuth2Session instance instead of auth, because OAuth2Session objects and methods accept an auth parameter which is typically an instance of requests.auth.HTTPBasicAuth
- OAuth2Session.fetch_token previously tried to guess how and where to provide "client" and "user" credentials incorrectly. This was incompatible with some OAuth servers and incompatible with breaking changes in oauthlib that seek to correctly provide the client_id. The older implementation also did not raise the correct exceptions when username and password are not present on Legacy clients.
- Avoid automatic netrc authentication for OAuth2Session.
- Adjusted version specifier for `oauthlib` dependency: this project is not yet compatible with `oauthlib` 3.0.0.
- Dropped dependency on `nose`.
- Minor changes to clean up the code and make it more readable/maintainable.
- Removed support for Python 2.6 and Python 3.3. This project now supports Python 2.7, and Python 3.4 and above.
- Added several examples to the documentation.
- Added plentymarkets compliance fix.
- Added a `token` property to OAuth1Session, to match the corresponding `token` property on OAuth2Session.
- Added Fitbit compliance fix.
- Fixed an issue where newlines in the response body for the access token request would cause errors when trying to extract the token.
- Fixed an issue introduced in v0.7.0 where users passing `auth` to several methods would encounter conflicts with the `client_id` and `client_secret`-derived auth. The user-supplied `auth` argument is now used in preference to those options.
- Allowed `OAuth2Session.request` to take the `client_id` and `client_secret` parameters for the purposes of automatic token refresh, which may need them.
- Use `client_id` and `client_secret` for the Authorization header if provided.
- Allow explicit bypass of the Authorization header by setting `auth=False`.
- Pass through the `proxies` kwarg when refreshing tokens.
- Miscellaneous cleanups.
- Fixed a bug when sending authorization in headers with no username and password present.
- Make sure we clear the session token before obtaining a new one.
- Some improvements to the Slack compliance fix.
- Avoid timing problems around token refresh.
- Allow passing arbitrary arguments to requests when calling `fetch_request_token` and `fetch_access_token`.
- Add compliance fix for Slack.
- Add compliance fix for Mailchimp.
- `TokenRequestDenied` exceptions now carry the entire response, not just the status code.
- Pass through keyword arguments when refreshing tokens automatically.
- Send authorization in headers, not just body, to maximize compatibility.
- More getters/setters available for OAuth2 session client values.
- Allow sending custom headers when refreshing tokens, and set some defaults.
- Fix `TypeError` being raised instead of `TokenMissing` error.
- Raise requests exceptions on 4XX and 5XX responses in the OAuth2 flow.
- Avoid `AttributeError` when initializing the `OAuth2Session` class without complete client information.
- New `authorized` property on OAuth1Session and OAuth2Session, which allows you to easily determine if the session is already authorized with OAuth tokens or not.
- New `TokenMissing` and `VerifierMissing` exception classes for OAuth1Session: this will make it easier to catch and identify these exceptions.
- New install target `[rsa]` for people using OAuth1 RSA-SHA1 signature method.
- Fixed bug in OAuth2 where supplied state param was not used in auth url.
- OAuth2 HTTPS checking can be disabled by setting environment variable `OAUTHLIB_INSECURE_TRANSPORT`.
- OAuth1 now re-authorizes upon redirects.
- OAuth1 token fetching now raises a detailed error message when the response body is incorrectly encoded or the request was denied.
- Added support for custom OAuth1 clients.
- OAuth2 compliance fix for Sina Weibo.
- Multiple fixes to Facebook compliance fix.
- Compliance fixes now re-encode body properly as bytes in Python 3.
- Logging now properly done under `requests_oauthlib` namespace instead of piggybacking on oauthlib namespace.
- Logging introduced for OAuth1 auth and session.
- OAuth1Session methods only return unicode strings. #55.
- Renamed requests_oauthlib.core to requests_oauthlib.oauth1_auth for consistency. #79.
- Added Facebook compliance fix and access_token_response hook to OAuth2Session. #63.
- Added LinkedIn compliance fix.
- Added refresh_token_response compliance hook, invoked before parsing the refresh token.
- Correctly limit compliance hooks to running only once!
- Content type guessing should only be done when no content type is given
- OAuth1 now updates r.headers instead of replacing it with non case insensitive dict
- Remove last use of Response.content (in OAuth1Session). #44.
- State param can now be supplied in OAuth2Session.authorize_url