Authlib

Latest version: v1.3.2


Page 4 of 6

0.12.1

Not secure

This is a bug fix version. Here are the fixes:

1. Ensure `client.get_allowed_scope` on every grant type
2. Add `request.client` before `validate_requested_scope`

0.12

Not secure

**Released on Sep 3, 2019.**

**Breaking Change**: The Authlib grant system has been redesigned. If you
are creating OpenID Connect providers, please read the new documentation
for OpenID Connect.

**Important Update**: Django OAuth 2.0 server integration is ready now.
You can create an OAuth 2.0 provider and OpenID Connect 1.0 with the Django
framework.

RFC implementations and updates in this release:

- RFC6749: Fixed scope validation, omit the invalid scope
- RFC7521: Added a common ``AssertionClient`` for the assertion framework
- RFC7662: Added ``IntrospectionToken`` for introspection token endpoint
- OpenID Connect Discovery: Added discovery model based on RFC8414

Refactor and bug fixes in this release:

- **Breaking Change**: add ``RefreshTokenGrant.revoke_old_credential`` method
- Rewrite lots of code for ``authlib.client``, no breaking changes
- Refactor ``OAuth2Request``, use explicit query and form
- Change ``requests`` to optional dependency
- Add ``AsyncAssertionClient`` for aiohttp

**Deprecated Changes**: find out how to resolve the deprecation issues via <https://git.io/fjPsV>

Code Changes: <https://github.com/lepture/authlib/compare/v0.11...v0.12>

0.11

Not secure

**BIG NEWS**: Authlib has changed its open source license from _AGPL to BSD_.

**Important Changes**: The Authlib specs module has been split into `jose`, `oauth1`, `oauth2`, and `oidc`. Find out how to resolve the deprecation issues via <https://git.io/fjvpt>.

RFC implementations and updates in this release:

- RFC7518: Added A128GCMKW, A192GCMKW, A256GCMKW algorithms for JWE.
- RFC5849: Removed draft-eaton-oauth-bodyhash-00 spec for OAuth 1.0.

Small changes and bug fixes in this release:

- Fixed missing scope on password and client_credentials grant types of OAuth2Session via [issue96](https://github.com/lepture/authlib/issues/96).
- Fixed Flask OAuth client cache detection via [issue98](https://github.com/lepture/authlib/issues/98).
- Enabled ssl certificates for OAuth2Session via [PR100](https://github.com/lepture/authlib/pull/100), thanks to pingz.
- Fixed error response for invalid/expired refresh token via [issue112](https://github.com/lepture/authlib/issues/112).
- Fixed error handling for invalid redirect URI via [issue113](https://github.com/lepture/authlib/issues/113).
- Fixed error response redirect to fragment via [issue114](https://github.com/lepture/authlib/issues/114).
- Fixed non-compliant responses from RFC7009 via [issue119](https://github.com/lepture/authlib/issues/119).

**Experimental Features**: There is an experimental `aiohttp` client for OAuth1 and OAuth2 in `authlib.client.aiohttp`.

Code Changes: <https://github.com/lepture/authlib/compare/v0.10...v0.11>

0.10

Not secure

The most important change in this version is the grant extension system. When registering a grant, developers can pass extensions to the grant:

```python
authorization_server.register_grant(GrantClass, [extension])
```

See the Flask [Grant Extensions](https://docs.authlib.org/en/latest/flask/2/grants.html#flask-oauth2-grant-extensions) implementation.

RFC implementations and updates in this release:

- RFC8414: OAuth 2.0 Authorization Server Metadata
- RFC7636: make [CodeChallenge](https://docs.authlib.org/en/latest/specs/rfc7636.html) a grant extension
- OIDC: make OpenIDCode a grant extension

Besides that, there are other improvements:

- Export `save_authorize_state` method on Flask and Django client
- Add `fetch_token` to Django OAuth client
- Add scope operator for `require_oauth` [Multiple Scopes](https://docs.authlib.org/en/latest/flask/2/resource-server.html#flask-oauth2-multiple-scopes)
- Fix two OAuth clients in the same Flask route [PR85](https://github.com/lepture/authlib/pull/85)

**Deprecated Changes**: find out how to resolve the deprecation issues via <https://git.io/fAmW1>

Code Changes: <https://github.com/lepture/authlib/compare/v0.9...v0.10>

0.9

Not secure

Code Changes: <https://github.com/lepture/authlib/compare/v0.8...v0.9>

0.8

Not secure

- RFC7523: Add JWTs for Client Authentication of [**JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants**](https://docs.authlib.org/en/latest/specs/rfc7523.html).
- OIDC: Add `response_mode=form_post` support for OpenID Connect.

**Improvements** in this release:

- A new redesigned error system. All errors are subclasses of `AuthlibBaseError`.
- I18N support for error descriptions.
- Separate AuthorizationCodeMixin in `authlib.flask.oauth2.sqla` via issue57.
- Add context information when generating tokens via issue58.
- Improve JWT key handling; automatically load JWK and JWK Set.
- Add `require_oauth.acquire` for use in a `with` statement; see the example on [**Flask OAuth 2.0 Server**](https://docs.authlib.org/en/latest/flask/2/).

**Deprecated Changes**: find out how to resolve the deprecation issues via <https://git.io/vhL75>

Code Changes: <https://github.com/lepture/authlib/compare/v0.7...v0.8>

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.