django-oauth-toolkit v2.0.0 Release Notes
Release Date: 2022-04-24
This is a major release with BREAKING changes. Please make sure to review these changes before upgrading:
Added
- #1106 OIDC: Add "scopes_supported" to the ConnectDiscoveryInfoView. This completes the view to provide all the REQUIRED and RECOMMENDED OpenID Provider Metadata.
- #1128 Documentation: Tutorial on using Celery to automate clearing expired tokens.
Changed
- #1129 (Breaking) Changed default value of PKCE_REQUIRED to True. This is a breaking change. Clients without PKCE enabled will fail to authenticate. This breaks with section 5 of RFC7636 in favor of the OAuth2 Security Best Practices for Authorization Code Grants. If you want to retain the pre-2.x behavior, set PKCE_REQUIRED = False in your settings.py.
- #1093 (Breaking) Changed to implement hashed client_secret values. This is a breaking change that will migrate all your existing cleartext application.client_secret values to be hashed with Django's default password hashing algorithm and cannot be reversed. When adding or modifying an Application in the Admin console, you must copy the auto-generated or manually-entered client_secret before hitting Save.
- #1108 OIDC: (Breaking) Add default configurable OIDC standard scopes that determine which claims are returned. If you've customized OIDC responses and want to retain the pre-2.x behavior, set oidc_claim_scope = None in your subclass of OAuth2Validator.
- #1108 OIDC: Make the access_token available to get_oidc_claims when called from get_userinfo_claims.
- #1132: Added --algorithm argument to the createapplication management command.
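Since PKCE_REQUIRED now defaults to True, a client that omits PKCE will be rejected. As an added example (not code from django-oauth-toolkit), here are both halves of the RFC 7636 S256 exchange in stdlib Python: the client derives code_challenge from a private code_verifier, and a server-side check of the kind the authorization server performs at the token endpoint rejects malformed or mismatched verifiers. The function names and the simulated request dictionaries are this example's own.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: code_verifier is 43..128 unreserved characters.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")

def _b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: fresh high-entropy verifier (32 bytes -> 43 chars)."""
    return _b64url(secrets.token_bytes(n_bytes))

def make_code_challenge(code_verifier: str, method: str = "S256") -> str:
    """Client side: the challenge sent with the authorization request."""
    if method == "S256":
        return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    if method == "plain":  # permitted by RFC 7636 but gives no protection
        return code_verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")

def verify_code_verifier(code_verifier: str, stored_challenge: str,
                         method: str) -> bool:
    """Server side: the token-endpoint check against the challenge stored
    with the authorization code (illustrative, not the toolkit's own code)."""
    if not _VERIFIER_RE.match(code_verifier):
        return False
    try:
        expected = make_code_challenge(code_verifier, method)
    except ValueError:
        return False
    return hmac.compare_digest(expected, stored_challenge)

def pkce_round_trip(tamper: bool = False) -> bool:
    """One client/server exchange; with tamper=True the token request
    presents a verifier that does not match the stored challenge."""
    verifier = make_code_verifier()
    # Authorization request: client sends challenge + method.
    authorize = {"code_challenge": make_code_challenge(verifier),
                 "code_challenge_method": "S256"}
    # Token request: client sends the verifier it kept private.
    token = {"code_verifier": make_code_verifier() if tamper else verifier}
    return verify_code_verifier(token["code_verifier"],
                                authorize["code_challenge"],
                                authorize["code_challenge_method"])
```

The S256 derivation can be checked against the test vector in RFC 7636 Appendix B.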
Fixed
- #1108 OIDC: Fix validate_bearer_token() to properly set request.scopes to the list of granted scopes.
- #1132: Fixed help text for the --skip-authorization argument of the createapplication management command.
Removed
- #1124 (Breaking, Security) Removes support for the insecure urn:ietf:wg:oauth:2.0:oob and urn:ietf:wg:oauth:2.0:oob:auto redirect URIs, which are replaced by the RFC 8252 "OAuth 2.0 for Native Apps" BCP. Google has deprecated use of oob with a final end date of 2022-10-03. If you still rely on oob support in django-oauth-toolkit, do not upgrade to this release.