Skip to content

chore(deps): bump authlib from 1.4.1 to 1.6.8#22

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/pip/authlib-1.6.8
Open

chore(deps): bump authlib from 1.4.1 to 1.6.8#22
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/pip/authlib-1.6.8

Conversation

@dependabot
Copy link

@dependabot dependabot bot commented on behalf of github Feb 28, 2026

Bumps authlib from 1.4.1 to 1.6.8.

Release notes

Sourced from authlib's releases.

v1.6.8

Full Changelog: authlib/authlib@v1.6.7...v1.6.8

  • Add EdDSA to default jwt instance.

v1.6.7

Full Changelog: authlib/authlib@v1.6.6...v1.6.7

Set supported algorithms for the default jwt instance.

v1.6.6

What's Changed

New Contributors

Full Changelog: authlib/authlib@v1.6.5...v1.6.6

v1.6.5

What's Changed

New Contributors

Full Changelog: authlib/authlib@v1.6.4...v1.6.5

v1.6.4

What's Changed

New Contributors

... (truncated)

Changelog

Sourced from authlib's changelog.

Changelog

.. meta:: :description: The full list of changes between each Authlib release.

Here you can see the full list of changes between each Authlib release.

Version 1.7.0

Unreleased

  • Add support for OpenID Connect RP-Initiated Logout 1.0 <https://openid.net/specs/openid-connect-rpinitiated-1_0.html>_. See :ref:specs/rpinitiated for details. :issue:500
  • Per RFC 6749 Section 3.3, the scope parameter is now optional at both authorization and token endpoints. client.get_allowed_scope() is called to determine the default scope when omitted. :issue:845
  • Stop support for Python 3.9, start support Python 3.14. :pr:850
  • Allow AuthorizationServerMetadata.validate() to compose with RFC extension classes.
  • Fix expires_at=0 being incorrectly treated as None. :issue:530
  • Allow ResourceProtector decorator to be used without parentheses. :issue:604
  • Implement RFC9700 PKCE downgrade countermeasure.

Upgrade Guide: :ref:joserfc_upgrade.

Version 1.6.6

Released on Dec 12, 2025

  • get_jwt_config takes a client parameter, :pr:844.
  • Fix incorrect signature when Content-Type is x-www-form-urlencoded for OAuth 1.0 Client, :pr:778.
  • Use expires_in in OAuth2Token when expires_at is unparsable, :pr:842.
  • Always track state in session for OAuth client integrations.

Version 1.6.5

Released on Oct 2, 2025

  • RFC7591 generate_client_info and generate_client_secret take a request parameter.
  • Add size limitation when decode JWS/JWE to prevent DoS.
  • Add size limitation for DEF JWE zip algorithm.

Version 1.6.4

Released on Sep 17, 2025

... (truncated)

Commits
  • a769f34 chore: release 1.6.8
  • 84f3fa2 fix: add EdDSA to default jwt algorithms
  • 38e872a chore: release 1.6.7
  • b87c32e fix: remove "none" algorithm from default jwt instance
  • bb7a315 chore: release 1.6.6
  • 0a423d4 Merge pull request #844 from azmeuk/806-get-jwt-config-client
  • 2808378 Merge commit from fork
  • 714502a feat: get_jwt_config takes a client parameter
  • 260d04e Fix: Use expires_in when expires_at is unparsable
  • eb37124 Merge pull request #778 from shc261392/fix-httpx-oauth1-form-data-incorrect-s...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
chore(deps): bump authlib from 1.4.1 to 1.6.8
aeab7a2 
Bumps [authlib](https://github.com/authlib/authlib) from 1.4.1 to 1.6.8.
- [Release notes](https://github.com/authlib/authlib/releases)
- [Changelog](https://github.com/authlib/authlib/blob/main/docs/changelog.rst)
- [Commits](authlib/authlib@v1.4.1...v1.6.8)

---
updated-dependencies:
- dependency-name: authlib
  dependency-version: 1.6.8
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github
Copy link
Author

dependabot bot commented on behalf of github Feb 28, 2026

Labels

The following labels could not be found: backend. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Feb 28, 2026
@dependabot dependabot bot requested a review from ReNothingg as a code owner February 28, 2026 06:03
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Feb 28, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ReNothingg ReNothingg Awaiting requested review from ReNothingg ReNothingg is a code owner

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants