
Missing runtime dependency to cryptography

Open swaeberle opened this issue 1 year ago • 0 comments

Describe the bug

authlib depends on cryptography but only defines this in the install_requires array of the packaging configuration (setup.cfg), but not in the dependencies array.

To Reproduce

  1. Install authlib, e.g. pip install authlib. This would also install cryptography if not yet available.
  2. Remove cryptography, e.g. pip uninstall cryptography. There will be no warning about violating authlib's runtime dependencies, as it is only marked as required during install.
  3. Use authlib, e.g. create a JWT. This will fail due to missing dependency cryptography.

Expected behavior

  • If cryptography is really required during install, keep it in install_requires and add the same to the dependencies.
  • If cryptography is only required during runtime, move it from install_requires to dependencies.

Environment:

  • OS: Yocto (kirkstone)
  • Python Version: 3.10
  • Authlib Version: 1.2.1

Additional context

I ran into this when integrating authlib into a Yocto project. The runtime dependency was not obvious from the setup.cfg, hence I made cryptography only available during installation, but not part of the target system.

swaeberle Sep 15 '23 11:09
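
A check for the failure mode reported above, as an added example that is not part of the original issue or of Authlib: it reads the requirements each installed distribution declares in its metadata (Requires-Dist, via importlib.metadata) and lists those absent from the environment, so a stripped target image fails at build time rather than at first use. Assumptions: requirements carrying an environment marker (extras, python_version, ...) are skipped rather than evaluated, versions are not compared, and all function names are hypothetical.

```python
import re
import sys
from importlib import metadata

# Leading project name of a requirement string such as "name[extra] (>=1.0)".
_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 name normalization: 'Typing_Extensions' -> 'typing-extensions'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def required_names(requires):
    """Normalized names of the unconditional entries in a Requires-Dist list."""
    names = []
    for req in requires or []:
        spec, _, marker = req.partition(";")
        if marker.strip():  # simplification: marker-guarded entries are skipped
            continue
        match = _NAME.match(spec)
        if match:
            names.append(normalize(match.group(1)))
    return names


def missing_requirements(requires, installed):
    """Declared requirements that are not among the installed project names."""
    have = {normalize(n) for n in installed}
    return [n for n in required_names(requires) if n not in have]


def audit_environment():
    """Map each installed distribution to its declared-but-absent requirements."""
    dists = list(metadata.distributions())
    installed = [d.metadata["Name"] for d in dists if d.metadata["Name"]]
    report = {}
    for dist in dists:
        missing = missing_requirements(dist.requires, installed)
        if missing:
            report[dist.metadata["Name"] or "<unknown>"] = missing
    return report


if __name__ == "__main__":
    found = audit_environment()
    for name, missing in sorted(found.items()):
        print(f"{name}: missing {', '.join(missing)}")
    sys.exit(1 if found else 0)  # non-zero exit fails the image build step
```

Run on the target root filesystem's interpreter as a post-install step; `pip check` performs the full version- and marker-aware variant of the same test where pip is available on the target.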