oauthlib

Latest version: v3.1.0.dev0

Page 1 of 8

3.1.1

------------------
OAuth2.0 Client - Bugfixes

* 730: Base OAuth2 Client now has a consistent way of managing the `scope`: it consistently
relies on the `scope` provided in the constructor if any, except if overridden temporarily
in a method call. Note that in particular providing a non-None `scope` in
`prepare_authorization_request` or `prepare_refresh_token` no longer overrides
`self.scope` permanently; it is only used temporarily.
* 726: MobileApplicationClient.prepare_request_uri and MobileApplicationClient.parse_request_uri_response,
ServiceApplicationClient.prepare_request_body,
and WebApplicationClient.prepare_request_uri now correctly use the default `scope` provided in
constructor.
* 725: LegacyApplicationClient.prepare_request_body now correctly uses the default `scope` provided in constructor

3.1.0

------------------
OAuth2.0 Provider - Features

* 660: OIDC: add support for `nonce`, `c_hash`, `at_hash` fields
- New `RequestValidator.fill_id_token` method
- Deprecated `RequestValidator.get_id_token` method
* 677: OIDC: add `UserInfo` endpoint
- New `RequestValidator.get_userinfo_claims` method

OAuth2.0 Provider - Security

* 665: Harden against data leaks to logs
- New default to not expose request content in logs
- New function `oauthlib.set_debug(True)`
* 666: Disabling query parameters for POST requests

OAuth2.0 Provider - Bugfixes

* 670: Fix `validate_authorization_request` to return the new PKCE fields
* 674: Fix `token_type` to be case-insensitive (`bearer` and `Bearer`)

OAuth2.0 Client - Bugfixes

* 290: Fix Authorization Code's errors processing
* 603: BackendApplicationClient.prepare_request_body now uses the `scope` argument as intended.
* 672: Fix edge case when `expires_in=Null`

OAuth1.0 Client

* 669: Add case-insensitive headers to oauth1 `BaseEndpoint`

OAuth1.0

* 722: Added support for HMAC-SHA512, RSA-SHA256 and RSA-SHA512 signature methods.

3.0.2

------------------
* 650: Fixed space encoding in base string URI used in the signature base string.
* 652: Fixed OIDC /token response which wrongly returned "&state=None"
* 654: Doc: The value `state` must not be stored by the AS, only returned in /authorize response.
* 656: Fixed OIDC "nonce" checks: raise errors when it's mandatory

3.0.1

------------------
* Fixed OAuth2.0 regression introduced in 3.0.0: Revocation with Basic auth no longer possible 644

3.0.0

------------------
OAuth2.0 Provider - outstanding Features

* OpenID Connect Core support
* RFC7662 Introspect support
* RFC8414 OAuth2.0 Authorization Server Metadata support (605)
* RFC7636 PKCE support (617 624)

OAuth2.0 Provider - API/Breaking Changes

* Add "request" to confirm_redirect_uri 504
* confirm_redirect_uri/get_default_redirect_uri has changed slightly 445
* invalid_client is now a FatalError 606
* Changed errors status code from 401 to 400:
- invalid_grant: 264
- invalid_scope: 620
- access_denied/unauthorized_client/consent_required/login_required 623
- 401 must have WWW-Authenticate HTTP Header set. 623

OAuth2.0 Provider - Bugfixes

* empty scopes no longer raise exceptions for implicit and authorization_code 475 / 406

OAuth2.0 Client - Bugfixes / Changes:

* expires_in in Implicit flow is now an integer 569
* expires is no longer overriding expires_in 506
* parse_request_uri_response is now required 499
* Unknown error=xxx raised by OAuth2 providers was not understood 431
* OAuth2's `prepare_token_request` supports sending an empty string for `client_id` (585)
* OAuth2's `WebApplicationClient.prepare_request_body` was refactored to better
support sending or omitting the `client_id` via a new `include_client_id` kwarg.
By default this is included. The method will also emit a DeprecationWarning if
a `client_id` parameter is submitted; the already configured `self.client_id`
is the preferred option. (585)

OAuth1.0 Client:

* Support for HMAC-SHA256 498

General fixes:

* $ and ' are allowed to be unencoded in query strings 564
* Request attributes are no longer overridden by HTTP Headers 409
* Removed unnecessary code for handling python2.6
* Add support of python3.7 621
* Several minor updates to setup.py and tox
* Set pytest as the default unittest framework

2.1.0

------------------

* Fixed some copy and paste typos (535)
* Use secrets module in Python 3.6 and later (533)
* Add request argument to confirm_redirect_uri (504)
* Avoid populating spurious token credentials (542)
* Make populate attributes API public (546)
