Merge branch 'master' into add-self-service-profiles-api

nzetzl · web-flow · commit 1b0a2de88e03 · 2025-02-24T19:08:22.000-06:00
diff --git a/.github/actions/rl-scanner/action.yml b/.github/actions/rl-scanner/action.yml
@@ -31,7 +31,7 @@ runs:
     - name: Install RL Wrapper
       shell: bash
       run: |
-        pip install rl-wrapper>=1.0.0 --index-url "https://${{ env.PRODSEC_TOOLS_USER }}:${{ env.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple"
+        pip install rl-wrapper>=1.0.6 --index-url "https://${{ env.PRODSEC_TOOLS_USER }}:${{ env.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple"
 
     - name: Run RL Scanner
       shell: bash
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -22,7 +22,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Setup Pages
-        uses: actions/configure-pages@v4
+        uses: actions/configure-pages@v5
 
       - name: Configure Python
         uses: actions/setup-python@v5
@@ -42,7 +42,7 @@ jobs:
           sphinx-build ./docs/source ./docs/build --keep-going -n -a -b html
 
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@v2
+        uses: actions/upload-pages-artifact@v3
         with:
           path: "./docs/build"
 
@@ -56,4 +56,4 @@ jobs:
     steps:
       - id: deployment
         name: Deploy to GitHub Pages
-        uses: actions/deploy-pages@v3
+        uses: actions/deploy-pages@v4
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -12,17 +12,17 @@ permissions:
 
 jobs:
   rl-scanner:
-  uses: ./.github/workflows/rl-scanner.yml
-  with:
-    node-version: 18
-    artifact-name: "auth0-python.tgz"
-  secrets:
-    RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
-    RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
-    SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
-    PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
-    PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
-    PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
+    uses: ./.github/workflows/rl-scanner.yml
+    with:
+      python-version: "3.10"
+      artifact-name: "auth0-python.tgz"
+    secrets:
+      RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
+      RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
+      SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
+      PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
+      PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
+      PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
   publish-pypi:
     if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
     name: "PyPI"
diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml
@@ -1,5 +1,4 @@
 name: RL-Secure Workflow
-name: RL-Secure Workflow
 
 on:
   workflow_call:
@@ -25,13 +24,12 @@ on:
         required: true
 
 jobs:
-  checkout-build-scan-only:
+  rl-scanner:
+    if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
     runs-on: ubuntu-latest
-
-    permissions:
-      pull-requests: write
-      id-token: write
-
+    outputs:
+      scan-status: ${{ steps.rl-scan-conclusion.outcome }}
+      
     steps:
       - uses: actions/checkout@v4
         with:
@@ -65,7 +63,7 @@ jobs:
 
       - name: Get Artifact Version
         id: get_version
-        run: echo "version=$(cat .version)" >> $GITHUB_ENV
+        uses: ./.github/actions/get-version
 
       - name: Run RL Scanner
         id: rl-scan-conclusion
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
@@ -34,7 +34,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha || github.ref }}
 
-      - uses: snyk/actions/python-3.8@4a528b5c534bb771b6e3772656a8e0e9dc902f8b # pinned 2023-06-13
+      - uses: snyk/actions/python-3.8@cdb760004ba9ea4d525f2e043745dfe85bb9077e # pinned 2023-06-13
         continue-on-error: true # Make sure the SARIF upload is called
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -61,7 +61,7 @@ jobs:
           pipx install poetry
           poetry config virtualenvs.in-project true
           poetry install --with dev
-          poetry self add "poetry-dynamic-versioning[plugin]==1.1.1"
+          poetry self add "poetry-dynamic-versioning[plugin]"
 
       - name: Run tests
         run: |
@@ -80,4 +80,6 @@ jobs:
 
       - if: ${{ matrix.python-version == '3.10' }}
         name: Upload coverage
-        uses: codecov/codecov-action@4fe8c5f003fae66aa5ebb77cfd3e7bfbbda0b6b0 # pin@3.1.5
+        uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # pin@5.3.1
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
diff --git a/.version b/.version
@@ -1 +1 @@
-4.7.2
+4.8.1
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,28 @@
 # Change Log
 
+## [4.8.1](https://github.com/auth0/auth0-python/tree/4.8.1) (2025-02-24)
+[Full Changelog](https://github.com/auth0/auth0-python/compare/4.8.0...4.8.1)
+
+**Fixed**
+- Fix: Unauthorized Access Error For PAR [\#671](https://github.com/auth0/auth0-python/pull/671) ([kishore7snehil](https://github.com/kishore7snehil))
+
+## [4.8.0](https://github.com/auth0/auth0-python/tree/4.8.0) (2025-01-29)
+[Full Changelog](https://github.com/auth0/auth0-python/compare/4.7.2...4.8.0)
+
+**Added**
+- Adding Support For RAR and JAR Requests [\#659](https://github.com/auth0/auth0-python/pull/659) ([kishore7snehil](https://github.com/kishore7snehil))
+- Adding Support For Back Channel Login [\#643](https://github.com/auth0/auth0-python/pull/643) ([kishore7snehil](https://github.com/kishore7snehil))
+
+**Fixed**
+- Consolidated Community PRs and Dependency Upgrades [\#660](https://github.com/auth0/auth0-python/pull/660) ([kishore7snehil](https://github.com/kishore7snehil))
+  - [fix typo in docstring](https://github.com/auth0/auth0-python/pull/637) ([@CarlosEduR ](https://github.com/CarlosEduR))
+  - [Added support for "include_totals" to all_organization_member_roles](https://github.com/auth0/auth0-python/pull/635) ([@jpayton-cx](https://github.com/jpayton-cx))
+  - [Fixed Version Table](https://github.com/auth0/auth0-python/pull/633) ([@sanchez](https://github.com/sanchez))
+  - [Remove upper bounds on all python dependency versions](https://github.com/auth0/auth0-python/pull/628) ([@ngfeldman](https://github.com/ngfeldman))
+  - [Adding secrets to Codecov Action Upload](https://github.com/auth0/auth0-python/pull/624) ([@developerkunal](https://github.com/developerkunal))
+- Updating Dependancies And Workflow Action Versions [\#653](https://github.com/auth0/auth0-python/pull/653) ([kishore7snehil](https://github.com/kishore7snehil))
+- Fixing the Github Workflow Issues [\#644](https://github.com/auth0/auth0-python/pull/644) ([kishore7snehil](https://github.com/kishore7snehil))
+
 ## [4.7.2](https://github.com/auth0/auth0-python/tree/4.7.2) (2024-09-10)
 [Full Changelog](https://github.com/auth0/auth0-python/compare/4.7.1...4.7.2)
 
diff --git a/README.md b/README.md
@@ -88,7 +88,9 @@ For more code samples on how to integrate the auth0-python SDK in your Python ap
 - Delegated ( `authentication.Delegated` )
 - Enterprise ( `authentication.Enterprise` )
 - API Authorization - Get Token ( `authentication.GetToken`)
+- BackChannelLogin ( `authentication.BackChannelLogin`)
 - Passwordless ( `authentication.Passwordless` )
+- PushedAuthorizationRequests ( `authentication.PushedAuthorizationRequests` )
 - RevokeToken ( `authentication.RevokeToken` )
 - Social ( `authentication.Social` )
 - Users ( `authentication.Users` )
@@ -146,7 +148,7 @@ The following is a list of unsupported Python versions, and the last SDK version
 
 | Python Version | Last SDK Version Supporting |
 |----------------|-----------------------------|
-| <= 3.7         | 4.6.1                       |
+| >= 3.7         | 4.6.1                       |
 | >= 2.0, <= 3.6 | 3.x                         |
 
 You can determine what version of Python you have installed by running:
diff --git a/auth0/authentication/async_token_verifier.py b/auth0/authentication/async_token_verifier.py
@@ -176,7 +176,7 @@ async def verify(
             token (str): The JWT to verify.
             nonce (str, optional): The nonce value sent during authentication.
             max_age (int, optional): The max_age value sent during authentication.
-            organization (str, optional): The expected organization ID (org_id) or orgnization name (org_name) claim value. This should be specified
+            organization (str, optional): The expected organization ID (org_id) or organization name (org_name) claim value. This should be specified
             when logging in to an organization.
 
         Returns:
diff --git a/auth0/authentication/back_channel_login.py b/auth0/authentication/back_channel_login.py
@@ -0,0 +1,37 @@
+from typing import Any
+
+from .base import AuthenticationBase
+
+
+class BackChannelLogin(AuthenticationBase):
+    """Back-Channel Login endpoint"""
+
+    def back_channel_login(
+        self, binding_message: str, login_hint: str, scope: str, **kwargs
+    ) -> Any:
+        """Send a Back-Channel Login.
+
+        Args:
+             binding_message (str): Human-readable string displayed on both the device calling /bc-authorize and the user’s 
+             authentication device to ensure the user is approves the correct request.
+
+             login_hint (str): String containing information about the user to contact for authentication.
+
+             scope(str): "openid" is a required scope.Multiple scopes are separated 
+             with whitespace.
+
+             **kwargs: Other fields to send along with the PAR.
+
+        Returns:
+            auth_req_id, expires_in, interval
+        """
+        return self.authenticated_post(
+            f"{self.protocol}://{self.domain}/bc-authorize",
+            data={
+                "client_id": self.client_id,
+                "binding_message": binding_message,
+                "login_hint": login_hint,
+                "scope": scope,
+                **kwargs,
+            },
+        )
diff --git a/auth0/authentication/get_token.py b/auth0/authentication/get_token.py
@@ -253,3 +253,27 @@ def passwordless_login(
                 "grant_type": "http://auth0.com/oauth/grant-type/passwordless/otp",
             },
         )
+
+    def backchannel_login(
+        self, auth_req_id: str, grant_type: str = "urn:openid:params:grant-type:ciba",
+    ) -> Any:
+        """Calls /oauth/token endpoint with "urn:openid:params:grant-type:ciba" grant type
+
+        Args:
+            auth_req_id (str): The id received from /bc-authorize
+
+            grant_type (str): Denotes the flow you're using.For Back Channel login
+            use urn:openid:params:grant-type:ciba
+
+        Returns:
+            access_token, id_token
+        """
+
+        return self.authenticated_post(
+            f"{self.protocol}://{self.domain}/oauth/token",
+            data={
+                "client_id": self.client_id,
+                "auth_req_id": auth_req_id,
+                "grant_type": grant_type,
+            },
+        )
diff --git a/auth0/authentication/pushed_authorization_requests.py b/auth0/authentication/pushed_authorization_requests.py
@@ -3,6 +3,7 @@
 from .base import AuthenticationBase
 
 
+
 class PushedAuthorizationRequests(AuthenticationBase):
     """Pushed Authorization Request (PAR) endpoint"""
 
@@ -16,15 +17,19 @@ def pushed_authorization_request(
              redirect_uri (str): The URL to which Auth0 will redirect the browser after authorization has been granted
              by the user.
              **kwargs: Other fields to send along with the PAR.
+             For RAR requests, authorization_details parameter should be added in a proper format. See:https://datatracker.ietf.org/doc/html/rfc9396
+             For JAR requests, requests parameter should be send with the JWT as the value. See: https://datatracker.ietf.org/doc/html/rfc9126#name-the-request-request-paramet
 
         See: https://www.rfc-editor.org/rfc/rfc9126.html
         """
         return self.authenticated_post(
             f"{self.protocol}://{self.domain}/oauth/par",
             data={
-                "client_id": self.client_id,
+                "client_id":self.client_id,
+                "client_secret":self.client_secret,
                 "response_type": response_type,
                 "redirect_uri": redirect_uri,
                 **kwargs,
             },
-        )
+            headers={"Content-Type": "application/x-www-form-urlencoded"},
+        )
diff --git a/auth0/authentication/token_verifier.py b/auth0/authentication/token_verifier.py
@@ -299,7 +299,7 @@ def verify(
             token (str): The JWT to verify.
             nonce (str, optional): The nonce value sent during authentication.
             max_age (int, optional): The max_age value sent during authentication.
-            organization (str, optional): The expected organization ID (org_id) or orgnization name (org_name) claim value. This should be specified
+            organization (str, optional): The expected organization ID (org_id) or organization name (org_name) claim value. This should be specified
             when logging in to an organization.
 
         Returns:
diff --git a/auth0/management/organizations.py b/auth0/management/organizations.py
@@ -329,6 +329,7 @@ def all_organization_member_roles(
         user_id: str,
         page: int | None = None,
         per_page: int | None = None,
+        include_totals: bool = False,
     ) -> list[dict[str, Any]]:
         """Retrieves a list of all the roles from the given organization member.
 
@@ -343,9 +344,16 @@ def all_organization_member_roles(
            per_page (int, optional): The amount of entries per page. When not set,
               the default value is up to the server.
 
+           include_totals (bool, optional): True if the query summary is
+              to be included in the result, False otherwise. Defaults to False.
+
         See: https://auth0.com/docs/api/management/v2#!/Organizations/get_organization_member_roles
         """
-        params = {"page": page, "per_page": per_page}
+        params = {
+            "page": page,
+            "per_page": per_page,
+            "include_totals": str(include_totals).lower()
+        }
         return self.client.get(
             self._url(id, "members", user_id, "roles"), params=params
         )
diff --git a/auth0/management/users.py b/auth0/management/users.py
@@ -537,4 +537,4 @@ def delete_authentication_method_by_id(
         """
 
         url = self._url(f"{user_id}/authentication-methods/{authentication_method_id}")
-        return self.client.delete(url)
+        return self.client.delete(url)
diff --git a/auth0/rest.py b/auth0/rest.py
@@ -7,6 +7,7 @@
 from random import randint
 from time import sleep
 from typing import TYPE_CHECKING, Any, Mapping
+from urllib.parse import urlencode
 
 import requests
 
@@ -152,6 +153,12 @@ def _request(
         # Reset the metrics tracker
         self._metrics = {"retries": 0, "backoff": []}
 
+        if data is None and json is not None and headers:
+            content_type = headers.get("Content-Type", "").lower()  # Get Content-Type 
+            if "application/x-www-form-urlencoded" in content_type:
+                data = urlencode(json)  # Copy JSON data into data
+                json = None  # Prevent JSON from being sent
+
         kwargs = {
             k: v
             for k, v in {
diff --git a/auth0/test/authentication/test_back_channel_login.py b/auth0/test/authentication/test_back_channel_login.py
diff --git a/auth0/test/authentication/test_get_token.py b/auth0/test/authentication/test_get_token.py
diff --git a/auth0/test/authentication/test_pushed_authorization_requests.py b/auth0/test/authentication/test_pushed_authorization_requests.py
diff --git a/auth0/test/management/test_organizations.py b/auth0/test/management/test_organizations.py
diff --git a/auth0/test/management/test_users.py b/auth0/test/management/test_users.py
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
diff --git a/requirements.txt b/requirements.txt
