All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
0.23.1 - 2025-01-07
- Test suite should now run even if port 5000 is used by another process. Thanks to commonism.
0.23.0 - 2025-01-07
- Bearer tokens with nested JSON string are now properly handled. Thanks to Patrick Rodrigues.
- Client credentials auth instances will now use credentials (client_id and client_secret) as well to distinguish tokens. This was an issue when the only parameters changing were the credentials.
- Requires httpx==0.28.*
- Exceptions issued by httpx_auth are now inheriting from httpx_auth.HttpxAuthException, itself inheriting from httpx.HTTPError, instead of Exception.
- Explicit support for Python 3.13.
0.22.0 - 2024-03-02
- Requires httpx==0.27.*
- httpx_auth.JsonTokenFileCache and httpx_auth.TokenMemoryCache get_token method does not handle kwargs anymore, the on_missing_token callable does not expect any arguments anymore.
0.21.0 - 2024-02-19
- Publicly expose httpx_auth.SupportMultiAuth, allowing multiple authentication support for every httpx authentication class that exists.
- Publicly expose httpx_auth.TokenMemoryCache, allowing to create custom Oauth2 token cache based on this default implementation.
- You can now provide your own HTML success (success_html) and failure (failure_html) display via the new OAuth2.display shared setting. Refer to documentation for more details.
- Support for refresh tokens in the Resource Owner Password Credentials flow.
- Support for refresh tokens in the Authorization code (with and without PKCE) flow.
- Thanks to the new redirect_uri_domain parameter on Authorization code (with and without PKCE) and Implicit flows, you can now provide the FQDN to use in the redirect_uri when localhost (the default) is not allowed.
- Except for httpx_auth.testing, only direct access via httpx_auth. was considered publicly exposed. This is now explicit, as inner packages are now using private prefix (_). If you were relying on some classes or functions that are now internal, feel free to open an issue.
- Browser display settings have been moved to a shared setting, see documentation for more information on httpx_auth.OAuth2.display. The failure page will be displayed for 10 seconds by default instead of 5 seconds previously. As a result the following classes no longer expose success_display_time and failure_display_time parameters.
  - httpx_auth.OAuth2AuthorizationCode.
  - httpx_auth.OktaAuthorizationCode.
  - httpx_auth.WakaTimeAuthorizationCode.
  - httpx_auth.OAuth2AuthorizationCodePKCE.
  - httpx_auth.OktaAuthorizationCodePKCE.
  - httpx_auth.OAuth2Implicit.
  - httpx_auth.AzureActiveDirectoryImplicit.
  - httpx_auth.AzureActiveDirectoryImplicitIdToken.
  - httpx_auth.OktaImplicit.
  - httpx_auth.OktaImplicitIdToken.
- The authentication success and failure displayed in the browser were revamped to be more user-friendly. httpx_auth.testing was modified to accommodate this change:
  - tab.assert_success expected_message parameter was removed.
  - tab.assert_failure expected_message parameter should not be prefixed with "Unable to properly perform authentication: " anymore and \n in the message should be replaced with <br>.
- httpx_auth.JsonTokenFileCache does not expose tokens_path or last_save_time attributes anymore and is also allowing pathlib.Path instances as cache location.
- httpx_auth.TokenMemoryCache does not expose forbid_concurrent_cache_access or forbid_concurrent_missing_token_function_call attributes anymore.
- httpx_auth.JsonTokenFileCache and httpx_auth.TokenMemoryCache get_token method now handles a new optional parameter named on_expired_token.
- httpx_auth.OktaClientCredentials scope parameter is now mandatory and does not default to openid anymore.
- httpx_auth.OktaClientCredentials will now display a more user-friendly error message in case Okta instance is not provided.
- Tokens cache DEBUG logs will not display tokens anymore.
0.20.0 - 2024-02-12
- Remove deprecation warnings due to usage of utcnow and utcfromtimestamp. Thanks to Raphael Krupinski.
- httpx_auth.AWS4Auth.default_include_headers value kept growing in size every time a new httpx_auth.AWS4Auth instance was created with security_token parameter provided. Thanks to Miikka Koskinen.
- httpx_auth.AWS4Auth is now based almost entirely on AWS documentation, diverging from the original implementation based on requests-aws4auth and solving implementation issues in the process.
  - As the AWS documentation might be wrong or not exhaustive enough, feel free to open issues, should you encounter edge cases.
- httpx_auth.AWS4Auth.default_include_headers is not available anymore, use httpx_auth.AWS4Auth include_headers parameter instead to include additional headers if the default does not fit your need (refer to documentation for an exhaustive list).
- httpx_auth.AWS4Auth include_headers values will not be stripped anymore, meaning that you can now include headers prefixed and/or suffixed with blank spaces.
- httpx_auth.AWS4Auth does not include date header by default anymore. You will have to provide it via include_headers yourself if you need to.
  - Note that it should not be required as httpx_auth.AWS4Auth is sending x-amz-date by default and AWS documentation states that the request date can be specified by using either the HTTP Date or the x-amz-date header. If both headers are present, x-amz-date takes precedence.
- httpx_auth.AWS4Auth include_headers does not need to include host, content-type or x-amz-* anymore as those headers will always be included. It is now expected to be provided as a list of additional headers.
- httpx_auth.AWS4Auth will not modify the headers values spaces when computing the canonical headers, only trim leading and trailing whitespaces as per AWS documentation.
0.19.0 - 2024-01-09
- Explicit support for Python 3.12
- Requires httpx==0.26.*
  - Note that this changes the signature sent via AWS auth for URLs containing %. Feel free to open an issue if this is one.
0.18.0 - 2023-09-11
- Requires httpx==0.25.*
- Python 3.8 is no longer supported.
0.17.0 - 2023-04-26
- httpx_auth.OAuth2ResourceOwnerPasswordCredentials does not send basic authentication by default.
- client_auth as a parameter of httpx_auth.OAuth2ResourceOwnerPasswordCredentials. Allowing to provide any kind of optional authentication.
- httpx_auth.OktaResourceOwnerPasswordCredentials providing Okta resource owner password credentials flow easy setup.
0.16.0 - 2023-04-25
- Requires httpx==0.24.*
- Handle text/html; charset=utf-8 content-type in token responses. Thanks to Marcelo Trylesinski.
- httpx_auth.WakaTimeAuthorizationCode handling access to the WakaTime API.
- Python 3.7 is no longer supported.
0.15.0 - 2022-06-01
- Requires httpx==0.23.*
0.14.1 - 2022-02-05
- Type information is now provided following PEP 561
- Allow for users to run mypy --strict.
0.14.0 - 2022-01-26
- Requires httpx==0.22.*
- Python 3.6 is no longer supported.
0.13.0 - 2021-11-16
- Requires httpx==0.21.*
0.12.0 - 2021-11-01
- Requires httpx==0.20.*
- OAuth2ResourceOwnerPasswordCredentials.client attribute is now set to None in case it was not provided as parameter.
- OAuth2ClientCredentials.client attribute is now set to None in case it was not provided as parameter.
- OktaClientCredentials.client attribute is now set to None in case it was not provided as parameter.
- OAuth2AuthorizationCode.client attribute is now set to None in case it was not provided as parameter.
- OktaAuthorizationCode.client attribute is now set to None in case it was not provided as parameter.
- OAuth2AuthorizationCodePKCE.client attribute is now set to None in case it was not provided as parameter.
- OktaAuthorizationCodePKCE.client attribute is now set to None in case it was not provided as parameter.
- httpx.Client provided as client parameter to OAuth2ResourceOwnerPasswordCredentials is not closed anymore. You are now responsible for closing it when no more requests are expected to be issued.
- httpx.Client provided as client parameter to OAuth2ClientCredentials is not closed anymore. You are now responsible for closing it when no more requests are expected to be issued.
- httpx.Client provided as client parameter to OktaClientCredentials is not closed anymore. You are now responsible for closing it when no more requests are expected to be issued.
- httpx.Client provided as client parameter to OAuth2AuthorizationCode is not closed anymore. You are now responsible for closing it when no more requests are expected to be issued.
- httpx.Client provided as client parameter to OktaAuthorizationCode is not closed anymore. You are now responsible for closing it when no more requests are expected to be issued.
- httpx.Client provided as client parameter to OAuth2AuthorizationCodePKCE is not closed anymore. You are now responsible for closing it when no more requests are expected to be issued.
- httpx.Client provided as client parameter to OktaAuthorizationCodePKCE is not closed anymore. You are now responsible for closing it when no more requests are expected to be issued.
- A new client is created (if not provided as client parameter) upon request of a new token for OAuth2ResourceOwnerPasswordCredentials flow. Re-using previously closed client was raising an issue upon token expiry.
- A new client is created (if not provided as client parameter) upon request of a new token for OAuth2ClientCredentials flow. Re-using previously closed client was raising an issue upon token expiry.
- A new client is created (if not provided as client parameter) upon request of a new token for OktaClientCredentials flow. Re-using previously closed client was raising an issue upon token expiry.
- A new client is created (if not provided as client parameter) upon request of a new token for OAuth2AuthorizationCode flow. Re-using previously closed client was raising an issue upon token expiry.
- A new client is created (if not provided as client parameter) upon request of a new token for OktaAuthorizationCode flow. Re-using previously closed client was raising an issue upon token expiry.
- A new client is created (if not provided as client parameter) upon request of a new token for OAuth2AuthorizationCodePKCE flow. Re-using previously closed client was raising an issue upon token expiry.
- A new client is created (if not provided as client parameter) upon request of a new token for OktaAuthorizationCodePKCE flow. Re-using previously closed client was raising an issue upon token expiry.
0.11.0 - 2021-08-19
- Requires httpx==0.19.*
- Tilde character (~) is not URL encoded anymore.
0.10.0 - 2021-04-27
- Requires httpx==0.18.*
0.9.0 - 2021-03-01
- Requires httpx==0.17.*
0.8.0 - 2020-11-15
- Do not expose httpx_auth.oauth2_tokens.decode_base64 function anymore as it is supposed to be used internally only.
- Do not expose add_bearer_token token cache method anymore as it is supposed to be used internally only.
- Do not expose add_access_token token cache method anymore as it is supposed to be used internally only.
- get_token cache method now requires on_missing_token function args to be provided as kwargs instead of args.
- get_token cache method now requires on_missing_token parameter to be provided as a non-positional argument.
- get_token cache method now exposes early_expiry parameter, defaulting to 30 seconds.
- OAuth2 token will now be considered as expired 30 seconds before actual expiry. To ensure it is still valid when received by the actual server.
- httpx_auth.OAuth2ResourceOwnerPasswordCredentials contains a new early_expiry parameter allowing to tweak the number of seconds before actual token expiry where the token will be considered as already expired. Default to 30s.
- httpx_auth.OAuth2ClientCredentials contains a new early_expiry parameter allowing to tweak the number of seconds before actual token expiry where the token will be considered as already expired. Default to 30s.
- httpx_auth.OktaClientCredentials contains a new early_expiry parameter allowing to tweak the number of seconds before actual token expiry where the token will be considered as already expired. Default to 30s.
- httpx_auth.OAuth2AuthorizationCode contains a new early_expiry parameter allowing to tweak the number of seconds before actual token expiry where the token will be considered as already expired. Default to 30s.
- httpx_auth.OktaAuthorizationCode contains a new early_expiry parameter allowing to tweak the number of seconds before actual token expiry where the token will be considered as already expired. Default to 30s.
- httpx_auth.OAuth2AuthorizationCodePKCE contains a new early_expiry parameter allowing to tweak the number of seconds before actual token expiry where the token will be considered as already expired. Default to 30s.
- httpx_auth.OktaAuthorizationCodePKCE contains a new early_expiry parameter allowing to tweak the number of seconds before actual token expiry where the token will be considered as already expired. Default to 30s.
- httpx_auth.OAuth2Implicit contains a new early_expiry parameter allowing to tweak the number of seconds before actual token expiry where the token will be considered as already expired. Default to 30s.
- httpx_auth.AzureActiveDirectoryImplicit contains a new early_expiry parameter allowing to tweak the number of seconds before actual token expiry where the token will be considered as already expired. Default to 30s.
- httpx_auth.AzureActiveDirectoryImplicitIdToken contains a new early_expiry parameter allowing to tweak the number of seconds before actual token expiry where the token will be considered as already expired. Default to 30s.
- httpx_auth.OktaImplicit contains a new early_expiry parameter allowing to tweak the number of seconds before actual token expiry where the token will be considered as already expired. Default to 30s.
- httpx_auth.OktaImplicitIdToken contains a new early_expiry parameter allowing to tweak the number of seconds before actual token expiry where the token will be considered as already expired. Default to 30s.
0.7.0 - 2020-10-06
- Explicit support for Python 3.9
- Document httpx_auth.AWS4Auth authentication class.
- Requires httpx==0.16.*
- Code now follows black==20.8b1 formatting instead of the git master version.
0.6.0 - 2020-09-22
- Requires httpx==0.15.*
0.5.1 - 2020-08-31
- AWSAuth authentication class now handles empty path. Thanks to Michael E. Martinka. This class is still considered as under development and subject to breaking changes without notice.
- All methods within AWSAuth are now private. They were never meant to be exposed anyway.
0.5.0 - 2020-08-19
- Allow to provide an httpx.Client instance for *AuthorizationCode flows (even PKCE), *ClientCredentials and *ResourceOwnerPasswordCredentials flows.
0.4.0 - 2020-08-07
- Mock an access token by default in httpx_auth.testing.token_cache_mock. Getting rid of pyjwt default dependency for testing.
- Requires httpx==0.14.*
- Still under development, subject to breaking changes without notice: AWS4Auth authentication class for AWS. Ported from requests-aws4auth by Michael E. Martinka. Note that a few changes were made:
  - Deprecated amz_date attribute has been removed.
  - It is not possible to provide an AWSSigningKey instance, use explicit parameters instead.
  - It is not possible to provide a date. It will default to now.
  - It is not possible to provide raise_invalid_date parameter anymore as the date will always be valid.
  - include_hdrs parameter was renamed into include_headers
  - host is not considered as a specific Amazon service anymore (no test specific code).
  - Each request now has its own signing key and x-amz-date. Meaning you can use the same auth instance for more than one request.
  - session_token was renamed into security_token for consistency with the underlying name at Amazon.
0.3.0 - 2020-05-26
- Requires httpx==0.13.*
0.2.0 - 2020-03-23
- Deprecated httpx_auth.Auths class has been removed.
0.1.0 - 2020-03-09
- Requires httpx==0.12.*
0.0.2 - 2020-02-10
- Port of requests_auth 5.0.2 for httpx
0.0.1 - 2020-02-04
- Placeholder for port of requests_auth to httpx