oauthlib · JonathanHuot · Aug 17, 2025 · Jul 12, 2025 · Jul 25, 2025
diff --git a/.github/workflows/lint_python.yml b/.github/workflows/lint_python.yml
@@ -10,14 +10,11 @@ jobs:
       - uses: actions/setup-python@v5
         with:
           python-version: 3.x
-          check-latest: true
-      - run: pip install --upgrade pip setuptools wheel
-      - run: pip install codespell mypy pytest ruff safety
-      - run: ruff check --output-format=github .
-      - run: codespell --ignore-words-list="implementor,mimiced,provicers,re-use,THIRDPARTY,assertIn"  # --skip="*.css,*.js,*.lock"
-      - run: pip install -r requirements-test.txt
+      - uses: pre-commit/action@v3.0.1
+      - run: pip install --upgrade pip
+      - run: pip install mypy pytest -r requirements-test.txt
       - run: pip install --editable .
       - run: mkdir --parents --verbose .mypy_cache
       - run: mypy --ignore-missing-imports --install-types --non-interactive . || true
       - run: pytest
-      - run: safety check || true
+      - run: pipx run safety check
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,52 @@
+# Learn more about this config here: https://pre-commit.com/
+
+# To enable these pre-commit hooks run:
+# `pipx install pre-commit` or `brew install pre-commit`
+# Then in the project root directory run `pre-commit install`
+
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: check-added-large-files
+      - id: check-ast
+      - id: check-builtin-literals
+      - id: check-case-conflict
+      # - id: check-docstring-first
+      - id: check-executables-have-shebangs
+      - id: check-json
+      - id: check-merge-conflict
+      - id: check-shebang-scripts-are-executable
+      - id: check-symlinks
+      - id: check-toml
+      - id: check-vcs-permalinks
+      - id: check-xml
+      - id: check-yaml
+      - id: debug-statements
+      - id: destroyed-symlinks
+      # - id: detect-private-key
+      - id: end-of-file-fixer
+      - id: file-contents-sorter
+      - id: fix-byte-order-marker
+      - id: forbid-new-submodules
+      - id: forbid-submodules
+      - id: mixed-line-ending
+        args:
+          - --fix=lf
+      - id: requirements-txt-fixer
+      - id: sort-simple-yaml
+      - id: trailing-whitespace
+
+  - repo: https://github.com/codespell-project/codespell
+    rev: v2.4.1
+    hooks:
+      - id: codespell # See pyproject.toml for args
+        additional_dependencies:
+          - tomli
+        args:
+          - --ignore-words-list=implementor,mimiced,provicers,re-use,THIRDPARTY,assertIn
+
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.12.5
+    hooks:
+      - id: ruff-check
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -101,7 +101,7 @@ General
   * #727: build isort integration
   * #734: python2 code removal
   * #735, #750: add python3.8 support
-  * #749: bump minimum versions of pyjwt and cryptography 
+  * #749: bump minimum versions of pyjwt and cryptography
 
 3.1.0 (2019-08-06)
 ------------------

diff --git a/docs/faq.rst b/docs/faq.rst
@@ -38,20 +38,20 @@ What does ValueError `Only unicode objects are escapable. Got one of type X.` me
 
    OAuthLib uses unicode everywhere and when creating a OAuth 1 signature
    a number of parameters need to be percent encoded (aka escaped). At least
-   one parameter could not be encoded. Usually because `None` or a non UTF-8 
+   one parameter could not be encoded. Usually because `None` or a non UTF-8
    encoded string was supplied.
 
 What does ValueError `Error trying to decode a non urlencoded string` mean?
 ---------------------------------------------------------------------------
 
     You are trying to decode a response which is not properly encoded, e.g.
     include non percent encoded characters such as `£`. Which could be because
-    it has already been decoded by your web framework. 
-    
+    it has already been decoded by your web framework.
+
     If you believe it contains characters that should be exempt from this
     check please open an issue and state why.
-    
-     
+
+
 What is the difference between a client and a consumer?
 -------------------------------------------------------
 
@@ -65,7 +65,7 @@ How do I use OAuthLib with Google, Twitter and other providers?
 
     Most people will be using OAuthLib indirectly. Clients will want to look at
     `requests-oauthlib`_.
-    
+
 How do I use OAuthlib as a provider with Django, Flask and other web frameworks?
 --------------------------------------------------------------------------------
 

diff --git a/docs/oauth1/client.rst b/docs/oauth1/client.rst
@@ -58,13 +58,13 @@ Using the Client
     * a dictionary
     * an iterable of 2-tuples
     * a properly-formatted x-www-url-formencoded string
-    
+
     If you are sending some other kind of data in the body, an additional
     `oauth_body_hash` parameter will be included with the request. This parameter
     provides an integrity check on non-formencoded request bodies.
-    
-    *IMPORTANT* This extension is forward compatible: Service Providers that 
-    have not implemented this extension can verify requests sent by Consumers 
+
+    *IMPORTANT* This extension is forward compatible: Service Providers that
+    have not implemented this extension can verify requests sent by Consumers
     that have implemented this extension.  If the Service Provider implements
     this specification the integrity of the body is guaranteed.  If the
     Service Provider does not check body signatures, the remainder of the

diff --git a/docs/oauth1/server.rst b/docs/oauth1/server.rst
@@ -168,7 +168,7 @@ obtain an access token.
 ^^^^^^^^^^^^^^^^
 
 Access tokens are provided to clients able to present a valid request token
-together with its associated verifier. It will allow the client to access 
+together with its associated verifier. It will allow the client to access
 protected resources and is normally not associated with an expiration. Although
 you should consider expiring them as it increases security dramatically.
 

diff --git a/docs/oauth2/endpoints/metadata.rst b/docs/oauth2/endpoints/metadata.rst
@@ -63,7 +63,7 @@ Sample response's output:
       ]
     }
 
-        
+
 .. autoclass:: oauthlib.oauth2.MetadataEndpoint
     :members:
 

diff --git a/docs/oauth2/oauth2provider-server.dot b/docs/oauth2/oauth2provider-server.dot
@@ -14,7 +14,7 @@ digraph oauthlib {
     {
         node [ shape=hexagon ];
         edge [ style=normal ];
-        
+
         webapi_request [ label="WebFramework\nHTTP request" ];
         webapi_request:s ->
                 endpoint_authorize:top:n,
@@ -200,7 +200,7 @@ digraph oauthlib {
         f_save_authorization_code -> webapi_response;
     }
 
-    /* Implicit */ 
+    /* Implicit */
     {
         edge [ color=orange ];
 

diff --git a/docs/oauth2/oidc/userinfo.rst b/docs/oauth2/oidc/userinfo.rst
@@ -2,6 +2,6 @@
 OpenID UserInfo endpoint
 ========================
 
-        
+
 .. autoclass:: oauthlib.openid.connect.core.endpoints.userinfo.UserInfoEndpoint
     :members:
diff --git a/docs/oauth2/server.rst b/docs/oauth2/server.rst
@@ -366,58 +366,58 @@ The example using Django but should be transferable to any framework.
         def __init__(self):
             # Using the server from previous section
             self._authorization_endpoint = server
-    
+
         def get(self, request):
             # You need to define extract_params and make sure it does not
             # include file like objects waiting for input. In Django this
             # is request.META['wsgi.input'] and request.META['wsgi.errors']
             uri, http_method, body, headers = extract_params(request)
-    
+
             try:
                 scopes, credentials = self._authorization_endpoint.validate_authorization_request(
                     uri, http_method, body, headers)
-    
+
                 # Not necessarily in session but they need to be
                 # accessible in the POST view after form submit.
                 request.session['oauth2_credentials'] = credentials
-    
+
                 # You probably want to render a template instead.
                 response = HttpResponse()
                 response.write('<h1> Authorize access to %s </h1>' % client_id)
                 response.write('<form method="POST" action="/authorize">')
                 for scope in scopes or []:
-                    response.write('<input type="checkbox" name="scopes" ' + 
+                    response.write('<input type="checkbox" name="scopes" ' +
                     'value="%s"/> %s' % (scope, scope))
                     response.write('<input type="submit" value="Authorize"/>')
                 return response
-    
+
             # Errors that should be shown to the user on the provider website
             except errors.FatalClientError as e:
                 return response_from_error(e)
-    
+
             # Errors embedded in the redirect URI back to the client
             except errors.OAuth2Error as e:
                 return HttpResponseRedirect(e.in_uri(e.redirect_uri))
-    
+
         @csrf_exempt
         def post(self, request):
             uri, http_method, body, headers = extract_params(request)
-    
+
             # The scopes the user actually authorized, i.e. checkboxes
             # that were selected.
             scopes = request.POST.getlist(['scopes'])
-    
+
             # Extra credentials we need in the validator
             credentials = {'user': request.user}
-    
+
             # The previously stored (in authorization GET view) credentials
             credentials.update(request.session.get('oauth2_credentials', {}))
-    
+
             try:
                 headers, body, status = self._authorization_endpoint.create_authorization_response(
                 uri, http_method, body, headers, scopes, credentials)
                 return response_from_return(headers, body, status)
-    
+
             except errors.FatalClientError as e:
                 return response_from_error(e)
 
@@ -538,7 +538,7 @@ If you run into issues it can be helpful to enable debug logging.
     import oauthlib
     import sys
 
-    oauthlib.set_debug(True)    
+    oauthlib.set_debug(True)
     log = logging.getLogger('oauthlib')
     log.addHandler(logging.StreamHandler(sys.stdout))
     log.setLevel(logging.DEBUG)
diff --git a/docs/release_process.rst b/docs/release_process.rst
@@ -23,7 +23,7 @@ they lock the oauthlib version in ``setup.py`` and release anyway.
 Unittests might not be enough and as an extra measure we will create an
 OAuthLib release issue on Github at least 2 days prior to release detailing the
 changes and pings the primary contacts for each downstream project.  Please
-respond within those 2 days if you have major concerns. 
+respond within those 2 days if you have major concerns.
 
 How to get on the notifications list
 ------------------------------------
@@ -38,7 +38,7 @@ When is the next release?
 -------------------------
 
 Releases have been sporadic at best and I don't think that will change soon.
-However, if you think it's time for a new release don't hesitate to open a 
+However, if you think it's time for a new release don't hesitate to open a
 new issue asking about it.
 
 A note on versioning

diff --git a/docs/requirements.txt b/docs/requirements.txt
@@ -1,3 +1,3 @@
+readthedocs-sphinx-ext
 sphinx
 sphinx_rtd_theme
-readthedocs-sphinx-ext
diff --git a/requirements.txt b/requirements.txt
@@ -1,3 +1,3 @@
-pyjwt>=2.0.0,<3
 blinker==1.4
 cryptography>=3.0.0
+pyjwt>=2.0.0,<3
-Original file line number
+Diff line change
@@ Expand Up / @@ -63,7 +63,7 @@ Sample response's output: @@
           ]
         }
     .. autoclass:: oauthlib.oauth2.MetadataEndpoint
         :members:
@@ Expand Down @@