Oauthlib

------------------
OAuth2.0 Provider:
* 803: Metadata endpoint support of non-HTTPS
* CVE-2022-36087

OAuth1.0:
* 818: Allow IPv6 being parsed by signature

General:
* Improved and fixed documentation warnings.
* Cosmetic changes based on isort

------------------
OAuth2.0 Client:
* 795: Add Device Authorization Flow for Web Application
* 786: Add PKCE support for Client
* 783: Fallback to none in case of wrong expires_at format.

OAuth2.0 Provider:
* 790: Add support for CORS to metadata endpoint.
* 791: Add support for CORS to token endpoint.
* 787: Remove comma after Bearer in WWW-Authenticate

OAuth2.0 Provider - OIDC:
* 755: Call save_token in Hybrid code flow
* 751: OIDC add support of refreshing ID Tokens with `refresh_id_token`
* 751: The RefreshTokenGrant modifiers now take the same arguments as the
AuthorizationCodeGrant modifiers (`token`, `token_handler`, `request`).

General:
* Added Python 3.9, 3.10, 3.11
* Improve Travis & Coverage

------------------
OAuth2.0 Provider - Bugfixes

* 753: Fix acceptance of valid IPv6 addresses in URI validation

OAuth2.0 Client - Bugfixes

* 730: Base OAuth2 Client now has a consistent way of managing the `scope`: it consistently
relies on the `scope` provided in the constructor if any, except if overridden temporarily
in a method call. Note that in particular providing a non-None `scope` in
`prepare_authorization_request` or `prepare_refresh_token` does not override anymore
`self.scope` forever, it is just used temporarily.
* 726: MobileApplicationClient.prepare_request_uri and MobileApplicationClient.parse_request_uri_response,
ServiceApplicationClient.prepare_request_body,
and WebApplicationClient.prepare_request_uri now correctly use the default `scope` provided in
constructor.
* 725: LegacyApplicationClient.prepare_request_body now correctly uses the default `scope` provided in constructor

OAuth2.0 Provider - Bugfixes
* 711: client_credentials grant: fix log message
* 746: OpenID Connect Hybrid - fix nonce not passed to add_id_token
* 756: Different prompt values are now handled according to spec (e.g. prompt=none)
* 759: OpenID Connect - fix Authorization: Basic parsing

General
* 716: improved skeleton validator for public vs private client
* 720: replace mock library with standard unittest.mock
* 727: build isort integration
* 734: python2 code removal
* 735, 750: add python3.8 support
* 749: bump minimum versions of pyjwt and cryptography

------------------
OAuth2.0 Provider - Features

* 660: OIDC add support of `nonce`, `c_hash`, `at_hash fields`
- New `RequestValidator.fill_id_token` method
- Deprecated `RequestValidator.get_id_token` method
* 677: OIDC add `UserInfo` endpoint - New `RequestValidator.get_userinfo_claims` method

OAuth2.0 Provider - Security

* 665: Enhance data leak to logs
* New default to not expose request content in logs
* New function `oauthlib.set_debug(True)`
* 666: Disabling query parameters for POST requests

OAuth2.0 Provider - Bugfixes

* 670: Fix `validate_authorization_request` to return the new PKCE fields
* 674: Fix `token_type` to be case-insensitive (`bearer` and `Bearer`)

OAuth2.0 Client - Bugfixes

* 290: Fix Authorization Code's errors processing
* 603: BackendApplicationClient.prepare_request_body use the `scope` argument as intended.
* 672: Fix edge case when `expires_in=Null`

OAuth1.0 Client

* 669: Add case-insensitive headers to oauth1 `BaseEndpoint`

OAuth1.0

* 722: Added support for HMAC-SHA512, RSA-SHA256 and RSA-SHA512 signature methods.

------------------
* 650: Fixed space encoding in base string URI used in the signature base string.
* 652: Fixed OIDC /token response which wrongly returned "&state=None"
* 654: Doc: The value `state` must not be stored by the AS, only returned in /authorize response.
* 656: Fixed OIDC "nonce" checks: raise errors when it's mandatory

------------------
* Fixed OAuth2.0 regression introduced in 3.0.0: Revocation with Basic auth no longer possible 644