authlib
Unpinned Dependency on cryptography Breaks Installation Due to Rust Requirement
Hello,
We have encountered an issue with the Authlib library's dependency management, specifically related to the cryptography package. The current setup.py includes an "unpinned" version specification for cryptography, as shown below:
```python
from setuptools import setup

# Metadata goes in setup.cfg. These are here for GitHub's dependency graph.
setup(
    name="Authlib",
    install_requires=[
        "cryptography>=3.2",
    ],
)
```
This configuration does not restrict the cryptography package to a specific version. As a result, the installation may attempt to use any version starting from 3.2. However, starting from version 3.4, cryptography requires Rust to build from source, which introduces additional dependencies and complications for users who do not have Rust installed on their systems.
Proposed Solution:
To mitigate this issue, we recommend pinning the cryptography version to the latest version that does not require Rust (version 3.3.2). The updated setup.py should look like this:
```python
from setuptools import setup

# Metadata goes in setup.cfg. These are here for GitHub's dependency graph.
setup(
    name="Authlib",
    install_requires=[
        "cryptography>=3.2,<3.4",
    ],
)
```
This change will ensure compatibility and avoid the Rust dependency issue for users.
Thank you for your attention to this matter. We look forward to the resolution.
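To make the effect of the two specifiers concrete, here is an added illustration that is not code from the issue, from Authlib or from cryptography: a small version resolver that mimics pip's "pick the newest release that satisfies the requirement" rule over a constructed list of candidate versions. The candidate list and the helper names are assumptions made for the example; the only fact taken from the issue is the 3.4 boundary at which building cryptography from source starts to need a Rust toolchain. Note that an upper bound such as `<3.4` also shuts out every later release and the fixes it carries, which is why a lower bound combined with installing a prebuilt wheel (or a Rust toolchain) is normally preferable to a cap.

```python
"""Toy requirement resolver (added example, not Authlib's code).

Shows which cryptography release an unpinned ">=3.2" requirement selects
versus the capped ">=3.2,<3.4" one, and flags releases that, per the issue,
need Rust to build from source (3.4 and later).
"""
import re
from functools import cmp_to_key
from typing import List, Optional, Tuple

# Constructed candidate list for the example; illustrative, not a release history.
CANDIDATES = ["3.1", "3.2", "3.3.2", "3.4", "3.4.8", "36.0.2", "41.0.7"]

# Boundary stated in the issue: from 3.4 on, source builds require Rust.
RUST_REQUIRED_FROM = "3.4"

_CLAUSE = re.compile(r"^(>=|<=|==|!=|>|<)\s*([0-9][0-9.]*)$")
_OPS = {
    ">=": lambda c: c >= 0,
    "<=": lambda c: c <= 0,
    "==": lambda c: c == 0,
    "!=": lambda c: c != 0,
    ">": lambda c: c > 0,
    "<": lambda c: c < 0,
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted numeric version into an integer tuple ('3.3.2' -> (3, 3, 2))."""
    return tuple(int(part) for part in v.split("."))


def cmp_versions(a: str, b: str) -> int:
    """Three-way compare two versions, padding with zeros so '3.2' == '3.2.0'."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def parse_requirement(req: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split 'cryptography>=3.2,<3.4' into ('cryptography', [('>=', '3.2'), ('<', '3.4')])."""
    match = re.match(r"^\s*([A-Za-z0-9_.-]+)\s*(.*)$", req)
    if not match:
        raise ValueError(f"unparseable requirement: {req!r}")
    name, spec = match.group(1), match.group(2).strip()
    clauses: List[Tuple[str, str]] = []
    if spec:
        for part in spec.split(","):
            clause = _CLAUSE.match(part.strip())
            if not clause:
                raise ValueError(f"unsupported clause: {part!r}")
            clauses.append((clause.group(1), clause.group(2)))
    return name, clauses


def satisfies(version: str, clauses: List[Tuple[str, str]]) -> bool:
    """True when the version meets every clause of the specifier set."""
    return all(_OPS[op](cmp_versions(version, bound)) for op, bound in clauses)


def resolve(req: str, candidates: List[str] = CANDIDATES) -> Optional[str]:
    """Return the newest candidate satisfying req (pip's default preference), or None."""
    _, clauses = parse_requirement(req)
    acceptable = [v for v in candidates if satisfies(v, clauses)]
    if not acceptable:
        return None
    return sorted(acceptable, key=cmp_to_key(cmp_versions))[-1]


def needs_rust_to_build(version: str) -> bool:
    """Per the issue, source builds of 3.4 and later need a Rust toolchain."""
    return cmp_versions(version, RUST_REQUIRED_FROM) >= 0


if __name__ == "__main__":
    for req in ("cryptography>=3.2", "cryptography>=3.2,<3.4"):
        chosen = resolve(req)
        print(f"{req:28} -> {chosen}  (Rust needed for sdist build: {needs_rust_to_build(chosen)})")
```

Running the block prints that `cryptography>=3.2` resolves to the newest constructed candidate (which needs Rust for a source build), while `cryptography>=3.2,<3.4` resolves to `3.3.2`; the same helper can be pointed at any list of versions to check what a given specifier would admit.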
The setup.py is only used for local development. Actually, we didn't pin any version for cryptography. https://github.com/lepture/authlib/blob/master/pyproject.toml#L6
When you encounter an installation issue with cryptography, we recommend that you follow cryptography's installation guide.