python · donbarbos · May 9, 2026 · srittau · May 9, 2026 · srittau
diff --git a/stubs/Authlib/METADATA.toml b/stubs/Authlib/METADATA.toml
@@ -1,3 +1,3 @@
-version = "1.6.11"
+version = "1.7.1"
 upstream-repository = "https://github.com/authlib/authlib"
 dependencies = ["cryptography"]
diff --git a/stubs/Authlib/authlib/deprecate.pyi b/stubs/Authlib/authlib/deprecate.pyi
@@ -1,5 +1,3 @@
 class AuthlibDeprecationWarning(DeprecationWarning): ...
 
-def deprecate(
-    message: str, version: str | None = None, link_uid: str | None = None, link_file: str | None = None, stacklevel: int = 3
-) -> None: ...
+def deprecate(message: str, version: str | None = None, stacklevel: int = 3) -> None: ...
diff --git a/stubs/Authlib/authlib/integrations/base_client/async_openid.pyi b/stubs/Authlib/authlib/integrations/base_client/async_openid.pyi
@@ -1,3 +1,4 @@
+from authlib.integrations.base_client.sync_openid import _LogoutData
 from authlib.oidc.core.claims import UserInfo
 
 __all__ = ["AsyncOpenIDMixin"]
@@ -6,3 +7,6 @@ class AsyncOpenIDMixin:
     async def fetch_jwk_set(self, force: bool = False): ...
     async def userinfo(self, **kwargs) -> UserInfo: ...
     async def parse_id_token(self, token, nonce, claims_options=None, claims_cls=None, leeway: int = 120) -> UserInfo: ...
+    async def create_logout_url(
+        self, post_logout_redirect_uri=None, id_token_hint=None, state=None, *, client_id=None, logout_hint=None, ui_locales=None
+    ) -> _LogoutData: ...
diff --git a/stubs/Authlib/authlib/integrations/base_client/sync_openid.pyi b/stubs/Authlib/authlib/integrations/base_client/sync_openid.pyi
@@ -1,7 +1,17 @@
+from _typeshed import Incomplete
+from typing import TypedDict, type_check_only
+
 from authlib.oidc.core.claims import UserInfo
 
+@type_check_only
+class _LogoutData(TypedDict):
+    url: str
+    state: Incomplete
+
 class OpenIDMixin:
     def fetch_jwk_set(self, force: bool = False): ...
     def userinfo(self, **kwargs) -> UserInfo: ...
     def parse_id_token(self, token, nonce, claims_options=None, claims_cls=None, leeway: int = 120) -> UserInfo | None: ...
-    def create_load_key(self): ...
+    def create_logout_url(
+        self, post_logout_redirect_uri=None, id_token_hint=None, state=None, *, client_id=None, logout_hint=None, ui_locales=None
+    ) -> _LogoutData: ...
diff --git a/stubs/Authlib/authlib/integrations/django_client/apps.pyi b/stubs/Authlib/authlib/integrations/django_client/apps.pyi
@@ -1,6 +1,11 @@
+from _typeshed import Incomplete
+from typing import TypeAlias
+
 from ..base_client import BaseApp, OAuth1Mixin, OAuth2Mixin, OpenIDMixin
 from ..requests_client import OAuth1Session, OAuth2Session
 
+_HttpResponseRedirect: TypeAlias = Incomplete  # actual type is django.http.response.HttpResponseRedirect
+
 class DjangoAppMixin:
     def save_authorize_data(self, request, **kwargs) -> None: ...
     def authorize_redirect(self, request, redirect_uri=None, **kwargs): ...
@@ -11,4 +16,16 @@ class DjangoOAuth1App(DjangoAppMixin, OAuth1Mixin, BaseApp):
 
 class DjangoOAuth2App(DjangoAppMixin, OAuth2Mixin, OpenIDMixin, BaseApp):
     client_cls = OAuth2Session
+    def logout_redirect(
+        self,
+        request,
+        post_logout_redirect_uri=None,
+        id_token_hint=None,
+        *,
+        state=None,
+        client_id=None,
+        logout_hint=None,
+        ui_locales=None,
+    ) -> _HttpResponseRedirect: ...
+    def validate_logout_response(self, request): ...
     def authorize_access_token(self, request, **kwargs): ...
diff --git a/stubs/Authlib/authlib/integrations/flask_client/apps.pyi b/stubs/Authlib/authlib/integrations/flask_client/apps.pyi
@@ -1,6 +1,11 @@
+from _typeshed import Incomplete
+from typing import TypeAlias
+
 from ..base_client import BaseApp, OAuth1Mixin, OAuth2Mixin, OpenIDMixin
 from ..requests_client import OAuth1Session, OAuth2Session
 
+_Response: TypeAlias = Incomplete  # actual type is werkzeug.wrappers.Response
+
 class FlaskAppMixin:
     @property
     def token(self): ...
@@ -15,4 +20,8 @@ class FlaskOAuth1App(FlaskAppMixin, OAuth1Mixin, BaseApp):
 
 class FlaskOAuth2App(FlaskAppMixin, OAuth2Mixin, OpenIDMixin, BaseApp):
     client_cls = OAuth2Session
+    def logout_redirect(
+        self, post_logout_redirect_uri=None, id_token_hint=None, *, state=None, client_id=None, logout_hint=None, ui_locales=None
+    ) -> _Response: ...
+    def validate_logout_response(self): ...
     def authorize_access_token(self, **kwargs): ...
diff --git a/stubs/Authlib/authlib/integrations/starlette_client/apps.pyi b/stubs/Authlib/authlib/integrations/starlette_client/apps.pyi
@@ -1,16 +1,33 @@
+from _typeshed import Incomplete
+from typing import TypeAlias
+
 from ..base_client import BaseApp
 from ..base_client.async_app import AsyncOAuth1Mixin, AsyncOAuth2Mixin
 from ..base_client.async_openid import AsyncOpenIDMixin
 from ..httpx_client import AsyncOAuth1Client, AsyncOAuth2Client
 
+_RedirectResponse: TypeAlias = Incomplete  # actual type is starlette.responses.RedirectResponse
+
 class StarletteAppMixin:
     async def save_authorize_data(self, request, **kwargs) -> None: ...
-    async def authorize_redirect(self, request, redirect_uri=None, **kwargs): ...
+    async def authorize_redirect(self, request, redirect_uri=None, **kwargs) -> _RedirectResponse: ...
 
 class StarletteOAuth1App(StarletteAppMixin, AsyncOAuth1Mixin, BaseApp):
     client_cls = AsyncOAuth1Client
     async def authorize_access_token(self, request, **kwargs): ...
 
 class StarletteOAuth2App(StarletteAppMixin, AsyncOAuth2Mixin, AsyncOpenIDMixin, BaseApp):
     client_cls = AsyncOAuth2Client
+    async def logout_redirect(
+        self,
+        request,
+        post_logout_redirect_uri=None,
+        id_token_hint=None,
+        *,
+        state=None,
+        client_id=None,
+        logout_hint=None,
+        ui_locales=None,
+    ) -> _RedirectResponse: ...
+    async def validate_logout_response(self, request): ...
     async def authorize_access_token(self, request, **kwargs): ...
diff --git a/stubs/Authlib/authlib/jose/rfc7519/claims.pyi b/stubs/Authlib/authlib/jose/rfc7519/claims.pyi
@@ -12,11 +12,11 @@ class BaseClaims(dict[str, Any]):  # dict values are key-dependent
     def get_registered_claims(self) -> dict[str, Incomplete]: ...
 
 class JWTClaims(BaseClaims):
-    def validate(self, now=None, leeway: int = 0) -> None: ...
+    def validate(self, now: int | None = None, leeway: int = 0) -> None: ...
     def validate_iss(self) -> None: ...
     def validate_sub(self) -> None: ...
     def validate_aud(self) -> None: ...
-    def validate_exp(self, now, leeway) -> None: ...
-    def validate_nbf(self, now, leeway) -> None: ...
-    def validate_iat(self, now, leeway) -> None: ...
+    def validate_exp(self, now: int, leeway: int) -> None: ...
+    def validate_nbf(self, now: int, leeway: int) -> None: ...
+    def validate_iat(self, now: int, leeway: int) -> None: ...
     def validate_jti(self) -> None: ...
diff --git a/stubs/Authlib/authlib/oauth2/claims.pyi b/stubs/Authlib/authlib/oauth2/claims.pyi
@@ -0,0 +1,31 @@
+from _typeshed import Incomplete
+from collections.abc import Callable
+from typing import Any, TypedDict
+
+class ClaimsOption(TypedDict, total=False):
+    essential: bool
+    allow_blank: bool | None
+    value: str | int | bool
+    values: list[str | int | bool] | list[str] | list[int] | list[bool]
+    validate: Callable[[BaseClaims, Any], bool]
+
+class BaseClaims(dict[str, Incomplete]):
+    registry_cls: Incomplete
+    REGISTERED_CLAIMS: list[str]
+    header: dict[str, Any]
+    options: dict[str, ClaimsOption]
+    params: dict[str, Any]
+    def __init__(
+        self,
+        claims: dict[str, Any],
+        header: dict[str, Any],
+        options: dict[str, ClaimsOption] | None = None,
+        params: dict[str, Any] | None = None,
+    ) -> None: ...
+    def get_registered_claims(self) -> dict[str, Incomplete]: ...
+    def validate(self, now: int | Callable[[], int] | None = None, leeway: int = 0) -> None: ...
+
+class JWTClaims(BaseClaims):
+    registry_cls: Incomplete
+    REGISTERED_CLAIMS: list[str]
+    def validate(self, now: int | Callable[[], int] | None = None, leeway: int = 0) -> None: ...
diff --git a/stubs/Authlib/authlib/oauth2/rfc6749/__init__.pyi b/stubs/Authlib/authlib/oauth2/rfc6749/__init__.pyi
@@ -1,5 +1,6 @@
 from .authenticate_client import ClientAuthentication as ClientAuthentication
 from .authorization_server import AuthorizationServer as AuthorizationServer
+from .endpoint import Endpoint, EndpointRequest
 from .errors import (
     AccessDeniedError as AccessDeniedError,
     InsecureTransportError as InsecureTransportError,
@@ -69,6 +70,8 @@ __all__ = [
     "AuthorizationServer",
     "ResourceProtector",
     "TokenValidator",
+    "Endpoint",
+    "EndpointRequest",
     "TokenEndpoint",
     "BaseGrant",
     "AuthorizationEndpointMixin",

diff --git a/stubs/Authlib/authlib/oauth2/rfc6749/authorization_server.pyi b/stubs/Authlib/authlib/oauth2/rfc6749/authorization_server.pyi
@@ -6,6 +6,7 @@ from authlib.oauth2 import JsonRequest, OAuth2Error, OAuth2Request
 from authlib.oauth2.rfc6749 import BaseGrant, ClientMixin
 from authlib.oauth2.rfc6750 import BearerTokenGenerator
 
+from .endpoint import Endpoint, EndpointRequest
 from .hooks import Hookable
 
 _ServerResponse: TypeAlias = tuple[int, str, list[tuple[str, str]]]
@@ -37,10 +38,11 @@ class AuthorizationServer(Hookable):
     def register_grant(
         self, grant_cls: type[BaseGrant], extensions: Collection[Callable[[BaseGrant], None]] | None = None
     ) -> None: ...
-    def register_endpoint(self, endpoint) -> None: ...
+    def register_endpoint(self, endpoint: type[Endpoint] | Endpoint) -> None: ...
     def get_authorization_grant(self, request: OAuth2Request) -> BaseGrant: ...
     def get_consent_grant(self, request=None, end_user=None): ...
     def get_token_grant(self, request: OAuth2Request) -> BaseGrant: ...
+    def validate_endpoint_request(self, name, request=None) -> EndpointRequest: ...
     def create_endpoint_response(self, name, request=None): ...
     @overload
     @deprecated("The 'grant' parameter will become mandatory.")

diff --git a/stubs/Authlib/authlib/oauth2/rfc6749/endpoint.pyi b/stubs/Authlib/authlib/oauth2/rfc6749/endpoint.pyi
@@ -0,0 +1,20 @@
+from _typeshed import Incomplete
+from dataclasses import dataclass
+from typing import Any
+
+from .requests import OAuth2Request
+
+@dataclass
+class EndpointRequest:
+    request: OAuth2Request
+    client: Any = None
+
+class Endpoint:
+    ENDPOINT_NAME: str | None
+    server: Incomplete
+    def __init__(self, server=None) -> None: ...
+    def create_endpoint_request(self, request): ...
+    def validate_request(self, request: OAuth2Request) -> EndpointRequest: ...
+    def create_response(self, validated_request: EndpointRequest) -> tuple[int, Any, list[Incomplete]] | None: ...
+    def create_endpoint_response(self, request: OAuth2Request) -> tuple[int, Any, list[Incomplete]] | None: ...
+    def __call__(self, request: OAuth2Request) -> tuple[int, Any, list[Incomplete]] | None: ...
diff --git a/stubs/Authlib/authlib/oauth2/rfc6749/requests.pyi b/stubs/Authlib/authlib/oauth2/rfc6749/requests.pyi
@@ -69,8 +69,9 @@ class OAuth2Request(OAuth2Payload):
     @deprecated("'request.redirect_uri' is deprecated in favor of 'request.payload.redirect_uri'")
     def redirect_uri(self) -> str: ...
     @property
-    @deprecated("'request.scope' is deprecated in favor of 'request.payload.scope'")
     def scope(self) -> str: ...
+    @scope.setter
+    def scope(self, value: str) -> None: ...
     @property
     @deprecated("'request.state' is deprecated in favor of 'request.payload.state'")
     def state(self) -> str | None: ...

diff --git a/stubs/Authlib/authlib/oauth2/rfc6749/token_endpoint.pyi b/stubs/Authlib/authlib/oauth2/rfc6749/token_endpoint.pyi
@@ -1,13 +1,11 @@
 from _typeshed import Incomplete
 
-class TokenEndpoint:
-    ENDPOINT_NAME: Incomplete
+from .endpoint import Endpoint
+
+class TokenEndpoint(Endpoint):
+    ENDPOINT_NAME: str | None
     SUPPORTED_TOKEN_TYPES: Incomplete
     CLIENT_AUTH_METHODS: Incomplete
-    server: Incomplete
-    def __init__(self, server) -> None: ...
-    def __call__(self, request): ...
-    def create_endpoint_request(self, request): ...
     def authenticate_endpoint_client(self, request): ...
     def authenticate_token(self, request, client): ...
     def create_endpoint_response(self, request): ...
diff --git a/stubs/Authlib/authlib/oauth2/rfc6750/errors.pyi b/stubs/Authlib/authlib/oauth2/rfc6750/errors.pyi
@@ -9,8 +9,16 @@ class InvalidTokenError(OAuth2Error):
     description: str
     status_code: int
     realm: Incomplete
-    extra_attributes: Incomplete
-    def __init__(self, description=None, uri=None, status_code=None, state=None, realm=None, **extra_attributes) -> None: ...
+    extra_attributes: dict[str, Incomplete]
+    def __init__(
+        self,
+        description=None,
+        uri=None,
+        status_code=None,
+        state=None,
+        realm=None,
+        extra_attributes: dict[str, Incomplete] | None = None,
+    ) -> None: ...
     def get_headers(self) -> list[tuple[str, str]]: ...
 
 class InsufficientScopeError(OAuth2Error):

diff --git a/stubs/Authlib/authlib/oauth2/rfc7523/assertion.pyi b/stubs/Authlib/authlib/oauth2/rfc7523/assertion.pyi
@@ -1,5 +1,27 @@
 def sign_jwt_bearer_assertion(
-    key, issuer, audience, subject=None, issued_at=None, expires_at=None, claims=None, header=None, **kwargs
-) -> bytes: ...
-def client_secret_jwt_sign(client_secret, client_id, token_endpoint, alg: str = "HS256", claims=None, **kwargs) -> bytes: ...
-def private_key_jwt_sign(private_key, client_id, token_endpoint, alg: str = "RS256", claims=None, **kwargs) -> bytes: ...
+    key, issuer, audience, subject=None, issued_at=None, expires_at=None, claims=None, header=None, *, alg=None, expires_in=3600
+) -> str: ...
+def client_secret_jwt_sign(
+    client_secret,
+    client_id,
+    token_endpoint,
+    alg: str = "HS256",
+    claims=None,
+    *,
+    issued_at=None,
+    expires_at=None,
+    header=None,
+    expires_in=3600,
+) -> str: ...
+def private_key_jwt_sign(
+    private_key,
+    client_id,
+    token_endpoint,
+    alg: str = "RS256",
+    claims=None,
+    *,
+    issued_at=None,
+    expires_at=None,
+    header=None,
+    expires_in=3600,
+) -> str: ...
diff --git a/stubs/Authlib/authlib/oauth2/rfc7523/auth.pyi b/stubs/Authlib/authlib/oauth2/rfc7523/auth.pyi
@@ -7,10 +7,10 @@ class ClientSecretJWT:
     claims: Incomplete
     headers: Incomplete
     def __init__(self, token_endpoint=None, claims=None, headers=None, alg=None) -> None: ...
-    def sign(self, auth, token_endpoint) -> bytes: ...
+    def sign(self, auth, token_endpoint) -> str: ...
     def __call__(self, auth, method, uri, headers, body): ...
 
 class PrivateKeyJWT(ClientSecretJWT):
     name: str
     alg: str
-    def sign(self, auth, token_endpoint) -> bytes: ...
+    def sign(self, auth, token_endpoint) -> str: ...
diff --git a/stubs/Authlib/authlib/oauth2/rfc7523/client.pyi b/stubs/Authlib/authlib/oauth2/rfc7523/client.pyi
@@ -1,21 +1,26 @@
+from _typeshed import Incomplete
 from logging import Logger
-from typing import Final
-
-from authlib.jose.rfc7519.claims import JWTClaims
+from typing import Final, overload
+from typing_extensions import deprecated
 
 ASSERTION_TYPE: Final[str]
 log: Logger
 
 class JWTBearerClientAssertion:
     CLIENT_ASSERTION_TYPE: Final[str]
     CLIENT_AUTH_METHOD: Final[str]
-    token_url: str
+    token_url: str | None
     leeway: int
-    def __init__(self, token_url: str, validate_jti: bool = True, leeway: int = 60) -> None: ...
+    @overload
+    @deprecated("The `token_url` parameter is deprecated. Override `get_audiences` instead.")
+    def __init__(self, token_url: str = ..., validate_jti: bool = True, leeway: int = 60) -> None: ...
+    @overload
+    def __init__(self, token_url: None = None, validate_jti: bool = True, leeway: int = 60) -> None: ...
     def __call__(self, query_client, request): ...
-    def create_claims_options(self): ...
-    def process_assertion_claims(self, assertion, resolve_key) -> JWTClaims: ...
+    def verify_claims(self, claims: dict[str, Incomplete]) -> None: ...
+    def get_audiences(self) -> list[str]: ...
+    def process_assertion_claims(self, assertion, resolve_key) -> dict[str, Incomplete]: ...
     def authenticate_client(self, client): ...
-    def create_resolve_key_func(self, query_client, request): ...
+    def extract_assertion(self, assertion: str) -> tuple[dict[str, Incomplete], Incomplete]: ...
     def validate_jti(self, claims, jti): ...
-    def resolve_client_public_key(self, client, headers): ...
+    def resolve_client_public_key(self, client): ...
diff --git a/stubs/Authlib/authlib/oauth2/rfc7523/jwt_bearer.pyi b/stubs/Authlib/authlib/oauth2/rfc7523/jwt_bearer.pyi
@@ -1,7 +1,7 @@
+from _typeshed import Incomplete
 from logging import Logger
 from typing import ClassVar, Final
 
-from authlib.jose.rfc7519.claims import JWTClaims
 from authlib.oauth2.rfc6749 import BaseGrant, TokenEndpointMixin
 
 log: Logger
@@ -13,11 +13,13 @@ class JWTBearerGrant(BaseGrant, TokenEndpointMixin):
     LEEWAY: ClassVar[int]
     @staticmethod
     def sign(key, issuer, audience, subject=None, issued_at=None, expires_at=None, claims=None, **kwargs): ...
-    def process_assertion_claims(self, assertion) -> JWTClaims: ...
-    def resolve_public_key(self, headers, payload): ...
+    def verify_claims(self, claims: dict[str, Incomplete]) -> None: ...
+    def process_assertion_claims(self, assertion) -> dict[str, Incomplete]: ...
+    def extract_assertion(self, assertion: str) -> tuple[dict[str, Incomplete], Incomplete]: ...
     def validate_token_request(self) -> None: ...
     def create_token_response(self): ...
     def resolve_issuer_client(self, issuer): ...
-    def resolve_client_key(self, client, headers, payload): ...
+    def resolve_client_public_key(self, client): ...
     def authenticate_user(self, subject): ...
+    def get_audiences(self) -> list[str]: ...
     def has_granted_permission(self, client, user) -> bool: ...