Allow get bodies in 3.0.2.

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,24 @@
+---
+name: Bug report
+about: Create a report to help us improve
+---
+**Describe the bug**
+
+A clear and concise description of what the problem is.
+
+**How to reproduce**
+
+Steps to reproduce the behavior.
+
+**Expected behavior**
+
+A description of what you expected to happen.
+
+**Additional context**
+
+Please provide any further context here.
+
+- Are you using OAuth1, OAuth2 or OIDC?
+- Are you writing client or server side code?
+- If client, what provider are you connecting to?
+- Are you using a downstream library, such as `requests-oauthlib`, `django-oauth-toolkit`, ...?

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,14 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+---
+**Describe the feature**
+
+A clear and concise description of what you would like to see.
+
+**Additional context**
+
+Please provide any further context here.
+
+- Does the feature apply to OAuth1, OAuth2 and/or OIDC?
+- Does the feature apply to client or server side code?

.gitignore

@@ -1,4 +1,5 @@
 *.pyc
+.idea
 *.sublime-project
 *.sublime-workspace
 *.swp
@@ -22,16 +23,20 @@ develop-eggs
 pip-log.txt
 
 # Unit test / coverage reports
+.cache
 .coverage
 .tox
 coverage
+htmlcov*
 
 #Translations
 *.mo
 
 # Local file cruft/auto-backups
 .DS_Store
 *~
+**/#*#
+**/.#*
 
 # Sphinx
 docs/_build

.travis.yml

@@ -1,4 +1,6 @@
 language: python
+python: 3.7
+dist: xenial
 sudo: false
 cache: pip
 matrix:
@@ -11,18 +13,23 @@ matrix:
     env: TOXENV=py35
   - python: 3.6
     env: TOXENV=py36
-  - python: pypy-5.3
-    env: TOXENV=pypy
+  - python: 3.7
+    env: TOXENV=py37
+  - python: 3.7
+    env: TOXENV=bandit
+  - python: pypy3.5
+    env: TOXENV=pypy3
 install:
 - pip install -U setuptools
 - pip install tox coveralls
 script: tox
-after_success: coveralls
+after_success: COVERALLS_PARALLEL=true coveralls
 notifications:
   webhooks:
     urls:
+    - https://coveralls.io/webhook
     - https://webhooks.gitter.im/e/6008c872bf0ecee344f4
-    on_success: change
+    on_success: always
     on_failure: always
     on_start: never
 deploy:

CHANGELOG.rst

@@ -1,6 +1,68 @@
 Changelog
 =========
 
+3.0.2 (2019-07-04)
+------------------
+* #650: Fixed space encoding in base string URI used in the signature base string.
+* #652: Fixed OIDC /token response which wrongly returned "&state=None"
+* #654: Doc: The value `state` must not be stored by the AS, only returned in /authorize response.
+* #656: Fixed OIDC "nonce" checks: raise errors when it's mandatory
+
+3.0.1 (2019-01-24)
+------------------
+* Fixed OAuth2.0 regression introduced in 3.0.0: Revocation with Basic auth no longer possible #644
+
+3.0.0 (2019-01-01)
+------------------
+OAuth2.0 Provider - outstanding Features
+
+* OpenID Connect Core support
+* RFC7662 Introspect support
+* RFC8414 OAuth2.0 Authorization Server Metadata support (#605)
+* RFC7636 PKCE support (#617 #624)
+
+OAuth2.0 Provider - API/Breaking Changes
+
+* Add "request" to confirm_redirect_uri #504
+* confirm_redirect_uri/get_default_redirect_uri has a bit changed #445
+* invalid_client is now a FatalError #606
+* Changed errors status code from 401 to 400:
+ - invalid_grant: #264
+ - invalid_scope: #620
+ - access_denied/unauthorized_client/consent_required/login_required #623
+ - 401 must have WWW-Authenticate HTTP Header set. #623
+
+OAuth2.0 Provider - Bugfixes
+
+* empty scopes no longer raise exceptions for implicit and authorization_code #475 / #406
+
+OAuth2.0 Client - Bugfixes / Changes:
+
+* expires_in in Implicit flow is now an integer #569
+* expires is no longer overriding expires_in #506
+* parse_request_uri_response is now required #499
+* Unknown error=xxx raised by OAuth2 providers was not understood #431
+* OAuth2's `prepare_token_request` supports sending an empty string for `client_id` (#585)
+* OAuth2's `WebApplicationClient.prepare_request_body` was refactored to better
+  support sending or omitting the `client_id` via a new `include_client_id` kwarg.
+  By default this is included. The method will also emit a DeprecationWarning if
+  a `client_id` parameter is submitted; the already configured `self.client_id`
+  is the preferred option. (#585)
+
+OAuth1.0 Client:
+
+* Support for HMAC-SHA256 #498
+
+General fixes:
+
+* $ and ' are allowed to be unencoded in query strings #564
+* Request attributes are no longer overriden by HTTP Headers #409
+* Removed unnecessary code for handling python2.6
+* Add support of python3.7 #621
+* Several minors updates to setup.py and tox
+* Set pytest as the default unittest framework
+
+
 2.1.0 (2018-05-21)
 ------------------
 

CODE_OF_CONDUCT.md

@@ -0,0 +1,28 @@
+# OAuthlib Code of Conduct
+
+Like the technical community as a whole, the OAuthlib team and community is made up of a mixture of professionals and volunteers from all over the world, working on every aspect of the mission - including mentorship, teaching, and connecting people.
+
+Diversity is one of our huge strengths, but it can also lead to communication issues and unhappiness. To that end, we have a few ground rules that we ask people to adhere to. This code applies equally to founders, mentors and those seeking help and guidance.
+
+This isn't an exhaustive list of things that you can't do. Rather, take it in the spirit in which it's intended - a guide to make it easier to enrich all of us and the technical communities in which we participate.
+
+This code of conduct applies to all spaces managed by the OAuthlib project. This includes Gitter, the mailing lists, the issue tracker, and any other forums created by the project team which the community uses for communication. In addition, violations of this code outside these spaces may affect a person's ability to participate within them.
+
+If you believe someone is violating the code of conduct, we ask that you report it by contacting us.
+
+    Be friendly and patient.
+    Be welcoming. We strive to be a community that welcomes and supports people of all backgrounds and identities. This includes, but is not limited to members of any race, ethnicity, culture, national origin, colour, immigration status, social and economic class, educational level, sex, sexual orientation, gender identity and expression, age, size, family status, political belief, religion, and mental and physical ability.
+    Be considerate. Your work will be used by other people, and you in turn will depend on the work of others. Any decision you take will affect users and colleagues, and you should take those consequences into account when making decisions. Remember that we're a world-wide community, so you might not be communicating in someone else's primary language.
+    Be respectful. Not all of us will agree all the time, but disagreement is no excuse for poor behavior and poor manners. We might all experience some frustration now and then, but we cannot allow that frustration to turn into a personal attack. It's important to remember that a community where people feel uncomfortable or threatened is not a productive one. Members of the OAuthlib community should be respectful when dealing with other members as well as with people outside the OAuthlib community.
+    Be careful in the words that you choose. We are a community of professionals, and we conduct ourselves professionally. Be kind to others. Do not insult or put down other participants. Harassment and other exclusionary behavior aren't acceptable. This includes, but is not limited to:
+        Violent threats or language directed against another person.
+        Discriminatory jokes and language.
+        Posting sexually explicit or violent material.
+        Posting (or threatening to post) other people's personally identifying information ("doxing").
+        Personal insults, especially those using racist or sexist terms.
+        Unwelcome sexual attention.
+        Advocating for, or encouraging, any of the above behavior.
+        Repeated harassment of others. In general, if someone asks you to stop, then stop.
+    When we disagree, try to understand why. Disagreements, both social and technical, happen all the time and OAuthlib is no exception. It is important that we resolve disagreements and differing views constructively. Remember that we're different. The strength of OAuthlib comes from its varied community, people from a wide range of backgrounds. Different people have different perspectives on issues. Being unable to understand why someone holds a viewpoint doesn't mean that they're wrong. Don't forget that it is human to err and blaming each other doesn't get us anywhere. Instead, focus on helping to resolve issues and learning from mistakes.
+
+For reading the original text, please visit the [Django Code of Conduct](https://www.djangoproject.com/conduct/).

LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2011 Idan Gazit and contributors
+Copyright (c) 2019 The OAuthlib Community
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
@@ -24,4 +24,4 @@ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Makefile

@@ -20,6 +20,7 @@ clean: clean-eggs clean-build
 	@find . -iname '__pycache__' -delete
 	rm -rf .tox
 	rm -rf bottle-oauthlib
+	rm -rf dance
 	rm -rf django-oauth-toolkit
 	rm -rf flask-oauthlib
 	rm -rf requests-oauthlib
@@ -65,6 +66,13 @@ requests:
 	cd requests-oauthlib 2>/dev/null || git clone https://github.com/requests/requests-oauthlib.git
 	cd requests-oauthlib && sed -i.old 's,deps=,deps = --editable=file://{toxinidir}/../[signedtoken],' tox.ini && sed -i.old '/oauthlib/d' requirements.txt && tox
 
+dance:
+	#---------------------------
+	# Library singingwolfboy/flask-dance
+	# Contacts: singingwolfboy
+	cd flask-dance 2>/dev/null || git clone https://github.com/singingwolfboy/flask-dance.git
+	cd flask-dance && sed -i.old 's,deps=,deps = --editable=file://{toxinidir}/../,' tox.ini && sed -i.old '/oauthlib/d' requirements.txt && tox 
+
 .DEFAULT_GOAL := all
-.PHONY: clean test bottle django flask requests
-all: clean test bottle django flask requests
+.PHONY: clean test bottle dance django flask requests
+all: clean test bottle dance django flask requests

README.rst

@@ -1,5 +1,5 @@
-OAuthLib
-========
+OAuthLib - Python Framework for OAuth1 & OAuth2
+===============================================
 
 *A generic, spec-compliant, thorough implementation of the OAuth request-signing
 logic for Python 2.7 and 3.4+.*
@@ -12,10 +12,13 @@ logic for Python 2.7 and 3.4+.*
   :alt: Coveralls
 .. image:: https://img.shields.io/pypi/pyversions/oauthlib.svg
   :target: https://pypi.org/project/oauthlib/
-  :alt: Download from PyPi
+  :alt: Download from PyPI
 .. image:: https://img.shields.io/pypi/l/oauthlib.svg
   :target: https://pypi.org/project/oauthlib/
   :alt: License
+.. image:: https://app.fossa.io/api/projects/git%2Bgithub.com%2Foauthlib%2Foauthlib.svg?type=shield
+   :target: https://app.fossa.io/projects/git%2Bgithub.com%2Foauthlib%2Foauthlib?ref=badge_shield
+   :alt: FOSSA Status
 .. image:: https://img.shields.io/readthedocs/oauthlib.svg
   :target: https://oauthlib.readthedocs.io/en/latest/index.html
   :alt: Read the Docs
@@ -34,7 +37,7 @@ both of the following:
 .. _`OAuth 1.0 spec`: https://tools.ietf.org/html/rfc5849
 .. _`OAuth 2.0 spec`: https://tools.ietf.org/html/rfc6749
 
-OAuthLib is a generic utility which implements the logic of OAuth without
+OAuthLib is a framework which implements the logic of OAuth1 or OAuth2 without
 assuming a specific HTTP request object or web framework. Use it to graft OAuth
 client support onto your favorite HTTP library, or provide support onto your
 favourite web framework. If you're a maintainer of such a library, write a thin
@@ -104,10 +107,22 @@ License
 OAuthLib is yours to use and abuse according to the terms of the BSD license.
 Check the LICENSE file for full details.
 
+Credits
+-------
+
+OAuthLib has been started and maintained several years by Idan Gazit and other
+amazing `AUTHORS`_. Thanks to their wonderful work, the open-source `community`_
+creation has been possible and the project can stay active and reactive to users
+requests.
+
+
+.. _`AUTHORS`: https://github.com/oauthlib/oauthlib/blob/master/AUTHORS
+.. _`community`: https://github.com/oauthlib/
+
 Changelog
 ---------
 
-*OAuthLib is in active development, with the core of both OAuth 1 and 2
+*OAuthLib is in active development, with the core of both OAuth1 and OAuth2
 completed, for providers as well as clients.* See `supported features`_ for
 details.
 

bandit.json

@@ -0,0 +1,48 @@
+{
+  "errors": [],
+  "generated_at": "2018-12-13T10:39:37Z",
+  "results": [
+    {
+      "code": "182         if request.body is not None and content_type_eligible:\n183             params.append(('oauth_body_hash', base64.b64encode(hashlib.sha1(request.body.encode('utf-8')).digest()).decode('utf-8')))\n184 \n",
+      "filename": "oauthlib/oauth1/rfc5849/__init__.py",
+      "issue_confidence": "HIGH",
+      "issue_severity": "MEDIUM",
+      "issue_text": "Use of insecure MD2, MD4, MD5, or SHA1 hash function.",
+      "line_number": 183,
+      "line_range": [
+        183
+      ],
+      "more_info": "https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b303-md5",
+      "test_id": "B303",
+      "test_name": "blacklist"
+    },
+    {
+      "code": "45     def __init__(self, endpoints, claims={}, raise_errors=True):\n46         assert isinstance(claims, dict)\n47         for endpoint in endpoints:\n",
+      "filename": "oauthlib/oauth2/rfc6749/endpoints/metadata.py",
+      "issue_confidence": "HIGH",
+      "issue_severity": "LOW",
+      "issue_text": "Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.",
+      "line_number": 46,
+      "line_range": [
+        46
+      ],
+      "more_info": "https://bandit.readthedocs.io/en/latest/plugins/b101_assert_used.html",
+      "test_id": "B101",
+      "test_name": "assert_used"
+    },
+    {
+      "code": "47         for endpoint in endpoints:\n48             assert isinstance(endpoint, BaseEndpoint)\n49 \n",
+      "filename": "oauthlib/oauth2/rfc6749/endpoints/metadata.py",
+      "issue_confidence": "HIGH",
+      "issue_severity": "LOW",
+      "issue_text": "Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.",
+      "line_number": 48,
+      "line_range": [
+        48
+      ],
+      "more_info": "https://bandit.readthedocs.io/en/latest/plugins/b101_assert_used.html",
+      "test_id": "B101",
+      "test_name": "assert_used"
+    }
+  ]
+}

docs/Makefile

@@ -2,7 +2,7 @@
 #
 
 # You can set these variables from the command line.
-SPHINXOPTS    =
+SPHINXOPTS    = -v
 SPHINXBUILD   = sphinx-build
 PAPER         =
 BUILDDIR      = _build