+1

.gitignore

··· 1 1 + venv

+21

LICENSE

··· 1 1 + MIT License 2 2 + 3 3 + Copyright (c) 2025 Nick Gerakines 4 4 + 5 5 + Permission is hereby granted, free of charge, to any person obtaining a copy 6 6 + of this software and associated documentation files (the "Software"), to deal 7 7 + in the Software without restriction, including without limitation the rights 8 8 + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 9 + copies of the Software, and to permit persons to whom the Software is 10 10 + furnished to do so, subject to the following conditions: 11 11 + 12 12 + The above copyright notice and this permission notice shall be included in all 13 13 + copies or substantial portions of the Software. 14 14 + 15 15 + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 16 + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 17 + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 18 + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 19 + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 20 + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 21 + SOFTWARE.

+72

README.md

··· 1 1 + # OAuth Masterclass Python 2 2 + 3 3 + A Flask application demonstrating ATProtocol OAuth with DPoP (Demonstrating Proof-of-Possession) and PKCE (Proof Key for Code Exchange). 4 4 + 5 5 + Part of the **OAuth Masterclass** by [Nick Gerakines](https://github.com/ngerakines). 6 6 + 7 7 + ## Prerequisites 8 8 + 9 9 + - Python 3.7 or higher 10 10 + - pip 11 11 + 12 12 + ## Setup and Installation 13 13 + 14 14 + 1. Create a virtual environment: 15 15 + ```bash 16 16 + python -m venv venv 17 17 + ``` 18 18 + 19 19 + 2. Activate the virtual environment: 20 20 + ```bash 21 21 + # On macOS/Linux: 22 22 + source venv/bin/activate 23 23 + 24 24 + # On Windows: 25 25 + venv\Scripts\activate 26 26 + ``` 27 27 + 28 28 + 3. Install dependencies: 29 29 + ```bash 30 30 + pip install flask requests pyjwt cryptography dnspython 31 31 + ``` 32 32 + 33 33 + ## Running the Application 34 34 + 35 35 + 1. Ensure your virtual environment is activated (see step 2 above) 36 36 + 37 37 + 2. Run the Flask application: 38 38 + ```bash 39 39 + python app.py 40 40 + ``` 41 41 + 42 42 + 3. The application will start on port 5000. Access it at: 43 43 + - Local development: `http://localhost:5000` 44 44 + - Production: `https://oauth-py.smokesignal.tools` 45 45 + 46 46 + ## Features 47 47 + 48 48 + - ATProtocol OAuth authentication 49 49 + - DPoP token binding 50 50 + - PKCE for enhanced security 51 51 + - Handle resolution with HTTP fallback to DNS (following ATProtocol specification) 52 52 + - DID document resolution (did:plc and did:web) 53 53 + - Token refresh handling 54 54 + - Protected routes with automatic token refresh 55 55 + 56 56 + ## Deactivating the Virtual Environment 57 57 + 58 58 + When you're done, deactivate the virtual environment: 59 59 + ```bash 60 60 + deactivate 61 61 + ``` 62 62 + 63 63 + # Demo 64 64 + 65 65 + 1. Start the application 66 66 + 2. Start the proxy 67 67 + 3. Visit https://oauth-py.smokesignal.tools/ 68 68 + 4. Example records at https://pdsls.dev/at://did:plc:cbkjy5n7bk3ax2wplmtjofq2/garden.lexicon.oauth-masterclass.now 69 69 + 70 70 + ## License 71 71 + 72 72 + This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

+507

app.py

··· 1 1 + from flask import Flask, render_template_string, request, redirect, session, jsonify, url_for 2 2 + import secrets 3 3 + import hashlib 4 4 + import base64 5 5 + import urllib.parse 6 6 + import requests 7 7 + import json 8 8 + from datetime import datetime, timedelta, timezone 9 9 + import jwt 10 10 + from cryptography.hazmat.primitives import serialization 11 11 + from cryptography.hazmat.primitives.asymmetric import rsa 12 12 + from cryptography.hazmat.backends import default_backend 13 13 + import dns.resolver 14 14 + 15 15 + app = Flask(__name__) 16 16 + app.secret_key = secrets.token_hex(32) 17 17 + 18 18 + # In-memory storage 19 19 + identities = {} 20 20 + oauth_requests = {} 21 21 + oauth_sessions = {} 22 22 + 23 23 + # Generate RSA key pair for signing 24 24 + private_key = rsa.generate_private_key( 25 25 + public_exponent=65537, 26 26 + key_size=2048, 27 27 + backend=default_backend() 28 28 + ) 29 29 + public_key = private_key.public_key() 30 30 + 31 31 + # OAuth client configuration 32 32 + CLIENT_ID = "https://oauth-py.smokesignal.tools/client-metadata.json" 33 33 + REDIRECT_URI = "https://oauth-py.smokesignal.tools/login/callback" 34 34 + 35 35 + def get_jwk(): 36 36 + """Convert public key to JWK format""" 37 37 + public_numbers = public_key.public_numbers() 38 38 + 39 39 + def int_to_base64(n): 40 40 + hex_n = hex(n)[2:] 41 41 + if len(hex_n) % 2: 42 42 + hex_n = '0' + hex_n 43 43 + return base64.urlsafe_b64encode(bytes.fromhex(hex_n)).rstrip(b'=').decode('ascii') 44 44 + 45 45 + return { 46 46 + "kty": "RSA", 47 47 + "use": "sig", 48 48 + "alg": "RS256", 49 49 + "kid": "key1", 50 50 + "n": int_to_base64(public_numbers.n), 51 51 + "e": int_to_base64(public_numbers.e) 52 52 + } 53 53 + 54 54 + def create_dpop_proof(htm, htu, ath=None, nonce=None): 55 55 + """Create a DPoP proof JWT""" 56 56 + jti = secrets.token_urlsafe(16) 57 57 + # Subtract 10 seconds to account for clock skew between client and server 58 58 + iat = int(datetime.now(timezone.utc).timestamp()) - 10 59 59 + 60 60 + header = { 61 61 + "typ": "dpop+jwt", 62 62 + "alg": "RS256", 63 63 + "jwk": get_jwk() 64 64 + } 65 65 + 66 66 + payload = { 67 67 + "jti": jti, 68 68 + "htm": htm, 69 69 + "htu": htu, 70 70 + "iat": iat 71 71 + } 72 72 + 73 73 + if ath: 74 74 + payload["ath"] = ath 75 75 + 76 76 + if nonce: 77 77 + payload["nonce"] = nonce 78 78 + 79 79 + token = jwt.encode( 80 80 + payload, 81 81 + private_key, 82 82 + algorithm="RS256", 83 83 + headers=header 84 84 + ) 85 85 + 86 86 + return token 87 87 + 88 88 + def generate_pkce_verifier(): 89 89 + """Generate PKCE code verifier""" 90 90 + return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b'=').decode('ascii') 91 91 + 92 92 + def generate_pkce_challenge(verifier): 93 93 + """Generate PKCE code challenge from verifier""" 94 94 + digest = hashlib.sha256(verifier.encode('ascii')).digest() 95 95 + return base64.urlsafe_b64encode(digest).rstrip(b'=').decode('ascii') 96 96 + 97 97 + def resolve_handle_to_did(handle): 98 98 + """Resolve ATProtocol handle to DID using HTTP then DNS""" 99 99 + # Try HTTPS well-known first 100 100 + try: 101 101 + response = requests.get(f"https://{handle}/.well-known/atproto-did", timeout=5) 102 102 + if response.status_code == 200: 103 103 + did = response.text.strip() 104 104 + if did.startswith('did:'): 105 105 + return did 106 106 + except Exception: 107 107 + pass 108 108 + 109 109 + # Try DNS resolution as fallback 110 110 + try: 111 111 + answers = dns.resolver.resolve(f"_atproto.{handle}", 'TXT') 112 112 + for rdata in answers: 113 113 + # TXT records return a tuple of byte strings 114 114 + for txt_string in rdata.strings: 115 115 + txt_value = txt_string.decode('utf-8') if isinstance(txt_string, bytes) else txt_string 116 116 + if txt_value.startswith('did='): 117 117 + did = txt_value.removeprefix('did=') 118 118 + if did.startswith('did:'): 119 119 + return did 120 120 + except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer, Exception): 121 121 + pass 122 122 + 123 123 + return None 124 124 + 125 125 + @app.route('/') 126 126 + def home(): 127 127 + """Home page displaying current time""" 128 128 + current_time = datetime.now().strftime("%Y-%m-%d %H:%M:%S") 129 129 + html = """ 130 130 + <!DOCTYPE html> 131 131 + <html> 132 132 + <head><title>OAuth Masterclass</title></head> 133 133 + <body> 134 134 + <h1>Welcome to OAuth Masterclass</h1> 135 135 + <p>Current time: {{ time }}</p> 136 136 + <p><a href="/login">Login</a></p> 137 137 + {% if session.get('handle') %} 138 138 + <p>Logged in as: {{ session['handle'] }}</p> 139 139 + <p><a href="/now">Go to protected page</a></p> 140 140 + {% endif %} 141 141 + </body> 142 142 + </html> 143 143 + """ 144 144 + return render_template_string(html, time=current_time) 145 145 + 146 146 + @app.route('/login', methods=['GET']) 147 147 + def login_get(): 148 148 + """Login page with form""" 149 149 + html = """ 150 150 + <!DOCTYPE html> 151 151 + <html> 152 152 + <head><title>Login</title></head> 153 153 + <body> 154 154 + <h1>Login with ATProtocol</h1> 155 155 + <form method="POST" action="/login"> 156 156 + <label for="handle">Handle:</label> 157 157 + <input type="text" id="handle" name="handle" placeholder="user.bsky.social" required> 158 158 + <button type="submit">Login</button> 159 159 + </form> 160 160 + </body> 161 161 + </html> 162 162 + """ 163 163 + return render_template_string(html) 164 164 + 165 165 + @app.route('/login', methods=['POST']) 166 166 + def login_post(): 167 167 + """Initiate ATProtocol OAuth flow""" 168 168 + handle = request.form.get('handle') 169 169 + if not handle: 170 170 + return "Handle required", 400 171 171 + 172 172 + # Resolve handle to DID 173 173 + if handle.startswith('did:'): 174 174 + did = handle 175 175 + else: 176 176 + did = resolve_handle_to_did(handle) 177 177 + if not did: 178 178 + return "Could not resolve handle", 400 179 179 + 180 180 + # Get DID document 181 181 + if did.startswith('did:plc:'): 182 182 + plc_url = f"https://plc.directory/{did}" 183 183 + response = requests.get(plc_url) 184 184 + did_doc = response.json() 185 185 + elif did.startswith('did:web:'): 186 186 + # Simplified did:web resolution 187 187 + domain = did.replace('did:web:', '') 188 188 + response = requests.get(f"https://{domain}/.well-known/did.json") 189 189 + did_doc = response.json() 190 190 + else: 191 191 + return "Unsupported DID method", 400 192 192 + 193 193 + # Find PDS endpoint 194 194 + pds_endpoint = None 195 195 + for service in did_doc.get('service', []): 196 196 + if service.get('type') == 'AtprotoPersonalDataServer': 197 197 + pds_endpoint = service.get('serviceEndpoint') 198 198 + break 199 199 + 200 200 + if not pds_endpoint: 201 201 + return "No PDS found for user", 400 202 202 + 203 203 + # Get authorization server metadata 204 204 + response = requests.get(f"{pds_endpoint}/.well-known/oauth-authorization-server") 205 205 + auth_metadata = response.json() 206 206 + 207 207 + # Check if PKCE is required 208 208 + pkce_required = 'S256' in auth_metadata.get('code_challenge_methods_supported', []) 209 209 + 210 210 + # Generate state and PKCE 211 211 + state = secrets.token_urlsafe(32) 212 212 + verifier = generate_pkce_verifier() 213 213 + challenge = generate_pkce_challenge(verifier) 214 214 + 215 215 + # Store OAuth request 216 216 + oauth_requests[state] = { 217 217 + 'handle': handle, 218 218 + 'did': did, 219 219 + 'pds_endpoint': pds_endpoint, 220 220 + 'auth_metadata': auth_metadata, 221 221 + 'verifier': verifier, 222 222 + 'created_at': datetime.now(timezone.utc) 223 223 + } 224 224 + 225 225 + # Build authorization URL 226 226 + auth_params = { 227 227 + 'response_type': 'code', 228 228 + 'client_id': CLIENT_ID, 229 229 + 'redirect_uri': REDIRECT_URI, 230 230 + 'state': state, 231 231 + 'scope': 'atproto repo:garden.lexicon.oauth-masterclass.now', 232 232 + } 233 233 + 234 234 + if pkce_required: 235 235 + auth_params['code_challenge'] = challenge 236 236 + auth_params['code_challenge_method'] = 'S256' 237 237 + 238 238 + auth_url = f"{auth_metadata['authorization_endpoint']}?{urllib.parse.urlencode(auth_params)}" 239 239 + 240 240 + return redirect(auth_url) 241 241 + 242 242 + @app.route('/login/callback') 243 243 + def login_callback(): 244 244 + """OAuth callback handler""" 245 245 + code = request.args.get('code') 246 246 + state = request.args.get('state') 247 247 + error = request.args.get('error') 248 248 + 249 249 + if error: 250 250 + return f"OAuth error: {error}", 400 251 251 + 252 252 + if not code or not state: 253 253 + return "Missing code or state", 400 254 254 + 255 255 + # Retrieve OAuth request 256 256 + oauth_req = oauth_requests.get(state) 257 257 + if not oauth_req: 258 258 + return "Invalid state", 400 259 259 + 260 260 + # Exchange code for tokens 261 261 + auth_metadata = oauth_req['auth_metadata'] 262 262 + 263 263 + # Create DPoP proof for token request 264 264 + dpop_proof = create_dpop_proof("POST", auth_metadata['token_endpoint']) 265 265 + 266 266 + token_data = { 267 267 + 'grant_type': 'authorization_code', 268 268 + 'code': code, 269 269 + 'redirect_uri': REDIRECT_URI, 270 270 + 'client_id': CLIENT_ID, 271 271 + } 272 272 + 273 273 + if oauth_req.get('verifier'): 274 274 + token_data['code_verifier'] = oauth_req['verifier'] 275 275 + 276 276 + headers = { 277 277 + 'Content-Type': 'application/x-www-form-urlencoded', 278 278 + 'DPoP': dpop_proof 279 279 + } 280 280 + 281 281 + response = requests.post( 282 282 + auth_metadata['token_endpoint'], 283 283 + data=token_data, 284 284 + headers=headers 285 285 + ) 286 286 + 287 287 + # Handle DPoP nonce requirement 288 288 + if response.status_code == 400: 289 289 + error_data = response.json() 290 290 + if error_data.get('error') == 'use_dpop_nonce': 291 291 + # Get nonce from response header 292 292 + dpop_nonce = response.headers.get('DPoP-Nonce') 293 293 + if dpop_nonce: 294 294 + # Retry with nonce 295 295 + dpop_proof = create_dpop_proof("POST", auth_metadata['token_endpoint'], nonce=dpop_nonce) 296 296 + headers['DPoP'] = dpop_proof 297 297 + response = requests.post( 298 298 + auth_metadata['token_endpoint'], 299 299 + data=token_data, 300 300 + headers=headers 301 301 + ) 302 302 + 303 303 + if response.status_code != 200: 304 304 + return f"Token exchange failed: {response.text}", 400 305 305 + 306 306 + tokens = response.json() 307 307 + 308 308 + # Store session 309 309 + session_id = secrets.token_urlsafe(32) 310 310 + oauth_sessions[session_id] = { 311 311 + 'handle': oauth_req['handle'], 312 312 + 'did': oauth_req['did'], 313 313 + 'pds_endpoint': oauth_req['pds_endpoint'], 314 314 + 'access_token': tokens['access_token'], 315 315 + 'refresh_token': tokens.get('refresh_token'), 316 316 + 'expires_at': datetime.now(timezone.utc) + timedelta(seconds=tokens.get('expires_in', 3600)), 317 317 + 'auth_metadata': auth_metadata 318 318 + } 319 319 + 320 320 + # Store in Flask session 321 321 + session['session_id'] = session_id 322 322 + session['handle'] = oauth_req['handle'] 323 323 + 324 324 + # Clean up OAuth request 325 325 + del oauth_requests[state] 326 326 + 327 327 + return redirect('/') 328 328 + 329 329 + @app.route('/client-metadata.json') 330 330 + def client_metadata(): 331 331 + """Serve OAuth client metadata""" 332 332 + metadata = { 333 333 + "client_id": CLIENT_ID, 334 334 + "client_name": "OAuth Masterclass App", 335 335 + "client_uri": "https://oauth-py.smokesignal.tools", 336 336 + "redirect_uris": [REDIRECT_URI], 337 337 + "scope": "atproto repo:garden.lexicon.oauth-masterclass.now", 338 338 + "grant_types": ["authorization_code", "refresh_token"], 339 339 + "response_types": ["code"], 340 340 + "token_endpoint_auth_method": "none", 341 341 + "application_type": "web", 342 342 + "dpop_bound_access_tokens": True, 343 343 + "jwks": { 344 344 + "keys": [get_jwk()] 345 345 + } 346 346 + } 347 347 + return jsonify(metadata) 348 348 + 349 349 + def refresh_token_if_needed(session_data): 350 350 + """Refresh access token if expired""" 351 351 + if datetime.now(timezone.utc) >= session_data['expires_at'] - timedelta(minutes=5): 352 352 + if not session_data.get('refresh_token'): 353 353 + return False 354 354 + 355 355 + auth_metadata = session_data['auth_metadata'] 356 356 + dpop_proof = create_dpop_proof("POST", auth_metadata['token_endpoint']) 357 357 + 358 358 + token_data = { 359 359 + 'grant_type': 'refresh_token', 360 360 + 'refresh_token': session_data['refresh_token'], 361 361 + 'client_id': CLIENT_ID, 362 362 + } 363 363 + 364 364 + headers = { 365 365 + 'Content-Type': 'application/x-www-form-urlencoded', 366 366 + 'DPoP': dpop_proof 367 367 + } 368 368 + 369 369 + response = requests.post( 370 370 + auth_metadata['token_endpoint'], 371 371 + data=token_data, 372 372 + headers=headers 373 373 + ) 374 374 + 375 375 + # Handle DPoP nonce requirement 376 376 + if response.status_code == 400: 377 377 + error_data = response.json() 378 378 + if error_data.get('error') == 'use_dpop_nonce': 379 379 + # Get nonce from response header 380 380 + dpop_nonce = response.headers.get('DPoP-Nonce') 381 381 + if dpop_nonce: 382 382 + # Retry with nonce 383 383 + dpop_proof = create_dpop_proof("POST", auth_metadata['token_endpoint'], nonce=dpop_nonce) 384 384 + headers['DPoP'] = dpop_proof 385 385 + response = requests.post( 386 386 + auth_metadata['token_endpoint'], 387 387 + data=token_data, 388 388 + headers=headers 389 389 + ) 390 390 + 391 391 + if response.status_code == 200: 392 392 + tokens = response.json() 393 393 + session_data['access_token'] = tokens['access_token'] 394 394 + if 'refresh_token' in tokens: 395 395 + session_data['refresh_token'] = tokens['refresh_token'] 396 396 + session_data['expires_at'] = datetime.now(timezone.utc) + timedelta(seconds=tokens.get('expires_in', 3600)) 397 397 + return True 398 398 + 399 399 + return False 400 400 + 401 401 + return True 402 402 + 403 403 + @app.route('/now', methods=['GET']) 404 404 + def now_get(): 405 405 + """Protected page for authenticated users only""" 406 406 + session_id = session.get('session_id') 407 407 + if not session_id or session_id not in oauth_sessions: 408 408 + return redirect('/login') 409 409 + 410 410 + session_data = oauth_sessions[session_id] 411 411 + 412 412 + # Refresh token if needed 413 413 + if not refresh_token_if_needed(session_data): 414 414 + session.clear() 415 415 + return redirect('/login') 416 416 + 417 417 + html = """ 418 418 + <!DOCTYPE html> 419 419 + <html> 420 420 + <head><title>Now</title></head> 421 421 + <body> 422 422 + <h1>Protected Page</h1> 423 423 + <p>Hello, {{ handle }}!</p> 424 424 + <form method="POST" action="/now"> 425 425 + <label for="message">Message:</label> 426 426 + <input type="text" id="message" name="message" required> 427 427 + <button type="submit">Submit to ATProtocol</button> 428 428 + </form> 429 429 + <p><a href="/">Home</a></p> 430 430 + </body> 431 431 + </html> 432 432 + """ 433 433 + return render_template_string(html, handle=session_data['handle']) 434 434 + 435 435 + @app.route('/now', methods=['POST']) 436 436 + def now_post(): 437 437 + """Submit ATProtocol record via XRPC""" 438 438 + session_id = session.get('session_id') 439 439 + if not session_id or session_id not in oauth_sessions: 440 440 + return redirect('/login') 441 441 + 442 442 + session_data = oauth_sessions[session_id] 443 443 + message = request.form.get('message') 444 444 + 445 445 + if not message: 446 446 + return "Message required", 400 447 447 + 448 448 + # Refresh token if needed 449 449 + if not refresh_token_if_needed(session_data): 450 450 + session.clear() 451 451 + return redirect('/login') 452 452 + 453 453 + # Prepare record 454 454 + record = { 455 455 + "$type": "garden.lexicon.oauth-masterclass.now", 456 456 + "now": message, 457 457 + "createdAt": datetime.now(timezone.utc).isoformat() + "Z" 458 458 + } 459 459 + 460 460 + # Prepare XRPC request 461 461 + xrpc_url = f"{session_data['pds_endpoint']}/xrpc/com.atproto.repo.createRecord" 462 462 + 463 463 + # Create DPoP proof with access token hash 464 464 + access_token_hash = base64.urlsafe_b64encode( 465 465 + hashlib.sha256(session_data['access_token'].encode()).digest() 466 466 + ).rstrip(b'=').decode('ascii') 467 467 + 468 468 + dpop_proof = create_dpop_proof("POST", xrpc_url, access_token_hash) 469 469 + 470 470 + headers = { 471 471 + 'Authorization': f"DPoP {session_data['access_token']}", 472 472 + 'DPoP': dpop_proof, 473 473 + 'Content-Type': 'application/json' 474 474 + } 475 475 + 476 476 + body = { 477 477 + 'repo': session_data['did'], 478 478 + 'collection': 'garden.lexicon.oauth-masterclass.now', 479 479 + 'record': record, 480 480 + 'validate': False 481 481 + } 482 482 + 483 483 + response = requests.post(xrpc_url, json=body, headers=headers) 484 484 + 485 485 + # Handle DPoP nonce requirement 486 486 + if response.status_code == 400 or response.status_code == 401: 487 487 + try: 488 488 + error_data = response.json() 489 489 + if error_data.get('error') == 'use_dpop_nonce': 490 490 + # Get nonce from response header 491 491 + dpop_nonce = response.headers.get('DPoP-Nonce') 492 492 + if dpop_nonce: 493 493 + # Retry with nonce 494 494 + dpop_proof = create_dpop_proof("POST", xrpc_url, access_token_hash, dpop_nonce) 495 495 + headers['DPoP'] = dpop_proof 496 496 + response = requests.post(xrpc_url, json=body, headers=headers) 497 497 + except: 498 498 + pass 499 499 + 500 500 + if response.status_code == 200: 501 501 + result = response.json() 502 502 + return f"Record created successfully! URI: {result.get('uri', 'unknown')}" 503 503 + else: 504 504 + return f"Failed to create record: {response.text}", 400 505 505 + 506 506 + if __name__ == '__main__': 507 507 + app.run(debug=True, port=5000)

+5

requirements.txt

··· 1 1 + flask==3.0.3 2 2 + requests==2.32.3 3 3 + PyJWT==2.8.0 4 4 + cryptography==42.0.8 5 5 + dnspython==2.7.0