Sourced from authlib's releases.

v1.6.2

What's Changed

• Allow insecure transport for 127.0.0.1 for debugging by @​geigerzaehler in authlib/authlib#788
• Raise a MissingCodeError when code parameter is missing by @​lepture in authlib/authlib#786
• Temporarily restore OAuth2Request body parameter by @​azmeuk in authlib/authlib#791
• Raise MissingCodeException when code parameter is missing by @​lepture in authlib/authlib#794
• Fix id_token generation with EdDSA alg by @​azmeuk in authlib/authlib#800

Full Changelog: https://github.com/authlib/authlib/compare/v1.6.1...v1.6.2

Version 1.6.1

• Filter key set with additional "alg" and "use" parameters.

Version 1.6.0

• Fix issue when RFC9207 is enabled and the authorization endpoint response is not a redirection. [pull request #733](authlib/authlib#733)
• Fix missing state parameter in authorization error responses. [issue #525](authlib/authlib#525)
• Support for acr and amr claims in id_token. [issue #734](authlib/authlib#734)
• Support for the none JWS algorithm.
• Fix response_types strict order during dynamic client registration. [issue #760](authlib/authlib#760)
• Implement RFC9101 The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR). [issue #723](authlib/authlib#723)
• OIDC UserInfo endpoint support. [issue #459](authlib/authlib#459)

Sourced from authlib's changelog.

Version 1.6.2

Released on Aug 23, 2025

• Temporarily restore OAuth2Request body parameter. :issue:781 :pr:791
• Allow 127.0.0.1 in insecure transport mode. :pr:788
• Raise MissingCodeException when the code parameter is missing. :issue:793 :pr:794
• Fix id_token generation with EdDSA algs. :issue:799 :pr:800

Version 1.6.1

Released on Jul 20, 2025

• Filter key set with additional "alg" and "use" parameters.
• Restore and deprecate OAuth2Request body parameter. :issue:781

Version 1.6.0

Released on May 22, 2025

• Fix issue when :rfc:RFC9207 <9207> is enabled and the authorization endpoint response is not a redirection. :pr:733
• Fix missing state parameter in authorization error responses. :issue:525
• Support for acr and amr claims in id_token. :issue:734
• Support for the none JWS algorithm.
• Fix response_types strict order during dynamic client registration. :issue:760
• Implement :rfc:RFC9101 The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR) <9101>. :issue:723
• OIDC :class:UserInfo endpoint <authlib.oidc.core.userinfo.UserInfoEndpoint> support. :issue:459

• 3385fbf chore: bump to 1.6.2
• c5cb682 doc: changelog
• 746eb32 Merge pull request #800 from azmeuk/799-create-half-hash
• 53315e2 chore: update pull request template
• 6fa7195 fix: id_token generation with EdDSA algs
• 731f618 fix: linters
• c9890da Merge pull request #794 from authlib/fix-missing-code
• 0668d81 chore: use GH types instead of labels in ticket templates
• 7092587 Merge pull request #791 from azmeuk/781-jar-compatibility
• 95e7d33 chore: update readme
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)