django-oauth-toolkit v2.0.0 Release Notes

Release Date: 2022-04-24
  • 💥 This is a major release with BREAKING changes. Please make sure to review these changes before upgrading:

    ➕ Added

    🔄 Changed

    • 💥 #1129 (Breaking) Changed the default value of PKCE_REQUIRED to True. This is a breaking change: authorization code requests that do not carry a code_challenge are rejected, and the matching token request is rejected without a code_verifier. This departs from the backwards-compatibility guidance in section 5 of RFC 7636 in favor of the OAuth 2.0 Security Best Current Practice, which calls for PKCE on every authorization code grant. To retain the pre-2.x behavior, set PKCE_REQUIRED to False in the OAUTH2_PROVIDER dict in your settings.py.
    • 💥 #1093 (Breaking) Changed to store hashed client_secret values. This is a breaking change: the migration hashes every existing cleartext application.client_secret with Django's default password hasher, and the hashing cannot be reversed. The cleartext secret is only visible while an Application is being created or edited, so when adding or modifying an Application in the Admin console, copy the auto-generated or manually-entered client_secret before hitting Save and deliver it to the client out of band.
    • 💥 #1108 OIDC: (Breaking) Added a default, configurable mapping from OIDC standard scopes to the claims they release, so a claim is returned only when the scope it belongs to was granted. If you have customized OIDC responses and want to retain the pre-2.x behavior, set oidc_claim_scope = None in your subclass of OAuth2Validator.
    • #1108 OIDC: Make the access_token available to get_oidc_claims when called from get_userinfo_claims.
    • #1132: Added the --algorithm argument to the createapplication management command.
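The two breaking changes in #1129 and #1093 both change what the token endpoint demands of a client: a PKCE code_verifier that matches the stored code_challenge, and a client_secret that is checked against a hash rather than a cleartext column. The block below is an added example written for these notes; it is not django-oauth-toolkit's code. django-oauth-toolkit delegates secret hashing to Django's password hashers, whereas this example reimplements the format of Django's default PBKDF2 hasher (`pbkdf2_sha256$<iterations>$<salt>$<base64 digest>`) with hashlib so it runs without Django; the iteration count is an assumed value, and `is_hashed`, `check_client_secret`, `verify_pkce` and `new_pkce_pair` are names chosen for the example. The PKCE test vector is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import re
import secrets
from typing import Optional, Tuple

# Assumed iteration count for this example; Django raises its default every release.
PBKDF2_ITERATIONS = 390000


def hash_client_secret(secret: str, salt: Optional[str] = None,
                       iterations: int = PBKDF2_ITERATIONS) -> str:
    """Encode a secret in the layout Django's PBKDF2PasswordHasher uses:
    'pbkdf2_sha256$<iterations>$<salt>$<base64 digest>'. Reimplemented with
    hashlib here so the example runs without Django installed."""
    salt = salt or secrets.token_urlsafe(16)
    if "$" in salt:
        raise ValueError("salt must not contain '$'")
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt.encode(), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, base64.b64encode(digest).decode("ascii"))


def is_hashed(value: str) -> bool:
    """True for an already-encoded value. A migration needs a guard like this
    so that a row is never hashed twice."""
    return value.startswith("pbkdf2_sha256$") and value.count("$") == 3


def check_client_secret(stored: str, presented: str) -> bool:
    """Client authentication at the token endpoint against the stored hash.
    Cleartext rows are refused outright: after the migration none should exist."""
    if not is_hashed(stored):
        return False
    _algorithm, iterations, salt, _digest = stored.split("$")
    candidate = hash_client_secret(presented, salt=salt, iterations=int(iterations))
    return hmac.compare_digest(candidate.encode(), stored.encode())


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """RFC 7636 section 4.2: S256 = BASE64URL(SHA256(ASCII(verifier))) without padding."""
    if method == "plain":
        return verifier
    if method != "S256":
        raise ValueError("unsupported code_challenge_method: %r" % method)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")  # RFC 7636 section 4.1


def verify_pkce(code_verifier: Optional[str], code_challenge: Optional[str],
                method: str = "S256", pkce_required: bool = True) -> bool:
    """PKCE check when an authorization code is exchanged at the token endpoint.

    code_challenge is whatever was stored with the code at the authorization
    request (None if the client sent none). With pkce_required=True, the 2.0.0
    default, such a code is unusable; with pkce_required=False the exchange
    falls back to plain RFC 6749 behaviour, which is the pre-2.x default.
    """
    if code_challenge is None:
        return not pkce_required
    if code_verifier is None or not _VERIFIER_RE.fullmatch(code_verifier):
        return False
    expected = make_code_challenge(code_verifier, method)
    return hmac.compare_digest(expected.encode(), code_challenge.encode())


def new_pkce_pair() -> Tuple[str, str]:
    """Client side: a fresh verifier and the S256 challenge to send with the
    authorization request. token_urlsafe(64) yields ~86 chars of [A-Za-z0-9_-]."""
    verifier = secrets.token_urlsafe(64)
    return verifier, make_code_challenge(verifier)
```

Note the two failure modes the example exercises: a code issued without a challenge is dead once PKCE_REQUIRED is True, and a client_secret row that somehow survived the migration in cleartext is refused rather than compared as-is.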

    🛠 Fixed

    • #1108 OIDC: Fix validate_bearer_token() to properly set request.scopes to the list of granted scopes.
    • 🛠 #1132: Fixed help text for --skip-authorization argument of the createapplication management command.
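The claim filtering introduced by #1108 (Changed) only works if `request.scopes` holds the scopes actually granted, which is what the validate_bearer_token() fix above restores. The block below is an added example for these notes, not django-oauth-toolkit's code: a standalone version of the rule "return a claim only when the scope it is mapped to was granted", with the `None` escape hatch that the release notes describe for retaining pre-2.x behavior. The scope-to-claim map is the standard one from OpenID Connect Core 1.0 section 5.4; `ClaimFilter`, its subclasses, the user record and the granted scope lists are constructed for the example, and dropping a claim that has no scope mapping is the example's rule.

```python
from typing import Callable, Dict, Iterable, Optional, Union

# OpenID Connect Core 1.0 section 5.4: standard claims and the scope that releases each.
STANDARD_CLAIM_SCOPE: Dict[str, str] = {
    "sub": "openid",
    "name": "profile", "family_name": "profile", "given_name": "profile",
    "middle_name": "profile", "nickname": "profile", "preferred_username": "profile",
    "profile": "profile", "picture": "profile", "website": "profile",
    "gender": "profile", "birthdate": "profile", "zoneinfo": "profile",
    "locale": "profile", "updated_at": "profile",
    "email": "email", "email_verified": "email",
    "address": "address",
    "phone_number": "phone", "phone_number_verified": "phone",
}

ClaimValue = Union[str, bool, int, Callable[[], object]]


class ClaimFilter:
    """Stands in for the validator override point: subclass and set
    claim_scope = None to turn filtering off (pre-2.x behaviour), or extend the
    mapping so custom claims are tied to a scope."""

    claim_scope: Optional[Dict[str, str]] = STANDARD_CLAIM_SCOPE

    def get_claim_dict(self, user: dict) -> Dict[str, ClaimValue]:
        """Every claim the server could return for this user. Callables are
        evaluated only for claims that pass the scope check."""
        return {
            "sub": str(user["id"]),
            "name": user["name"],
            "preferred_username": user["username"],
            "email": user["email"],
            "email_verified": user["email_verified"],
            "phone_number": lambda: user["phone"],   # stands in for an expensive lookup
            "employee_id": user["employee_id"],      # custom claim, absent from the standard map
        }

    def get_oidc_claims(self, user: dict, granted_scopes: Iterable[str]) -> Dict[str, object]:
        """Filter get_claim_dict() down to what the granted scopes allow.
        granted_scopes plays the role of request.scopes in the validator."""
        granted = set(granted_scopes)
        claims: Dict[str, object] = {}
        for name, value in self.get_claim_dict(user).items():
            if self.claim_scope is not None:
                required = self.claim_scope.get(name)
                # Unmapped claims are dropped so a new claim is never released by accident.
                if required is None or required not in granted:
                    continue
            claims[name] = value() if callable(value) else value
        return claims


class LegacyClaimFilter(ClaimFilter):
    """Pre-2.x behaviour: every claim in get_claim_dict() is returned regardless of scope."""
    claim_scope = None


class CustomClaimFilter(ClaimFilter):
    """Extend the standard map so the custom claim is released only with a custom scope."""
    claim_scope = {**STANDARD_CLAIM_SCOPE, "employee_id": "hr"}


SAMPLE_USER = {  # constructed sample data
    "id": 42, "name": "Ada Example", "username": "ada", "email": "ada@example.test",
    "email_verified": True, "phone": "+1-555-0100", "employee_id": "E-1234",
}


def claims_for(filter_cls: type, scopes: Iterable[str]) -> Dict[str, object]:
    """Convenience wrapper: claims SAMPLE_USER would get for a token with these scopes."""
    return filter_cls().get_oidc_claims(SAMPLE_USER, scopes)
```

The contrast worth checking in your own subclass is `LegacyClaimFilter` versus `ClaimFilter` with only `openid` granted: the former hands back the full profile, email and phone number to a client that was never granted those scopes, which is exactly what the new default prevents.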

    ✂ Removed

    • 💥 #1124 (Breaking, Security) Removes support for the insecure urn:ietf:wg:oauth:2.0:oob and urn:ietf:wg:oauth:2.0:oob:auto redirect URIs, which are superseded by the RFC 8252 "OAuth 2.0 for Native Apps" BCP. Native apps should register a loopback redirect (http://127.0.0.1:<port>/...) or a private-use URI scheme instead, as RFC 8252 describes. Google has deprecated use of oob with a final end date of 2022-10-03. If you still rely on oob support in django-oauth-toolkit, do not upgrade to this release.