Changelog History

v2.2.0 Changes

October 18, 2022

WARNING: Issues caused by Release 2.0.0 breaking changes continue to be logged. Please make sure to carefully read these release notes before performing a MAJOR upgrade to 2.x.

These issues both result in `{"error": "invalid_client"}`:

1. The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail.
2. `PKCE_REQUIRED` is now `True` by default. You should use PKCE with your client or set `PKCE_REQUIRED=False` if you are unable to fix the client.

Added

- #1208 Add `code_challenge_method` parameter to authorization call in documentation
- #1182 Add `code_verifier` parameter to token requests in documentation

Changed

- #1203 Support Django 4.1.

Fixed

- #1203 Remove upper version bound on Django, to allow upgrading to Django 4.1.1 bugfix release.
- #1210 Handle oauthlib errors on create token requests
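The first of the two `invalid_client` causes above, shown as an added example that is not django-oauth-toolkit's own code. The toolkit hashes `application.client_secret` with Django's password hashers; this stand-in uses PBKDF2-HMAC-SHA256 from the standard library so it runs without Django. It shows why pasting the value you see after Save (the hash) into a client can only ever fail: the token endpoint re-hashes whatever the client presents and compares that against the stored hash.

```python
"""Hashed client secrets: the cleartext is shown once, only a hash is stored.

Added example, not django-oauth-toolkit code. Stand-in for Django's hashers
using PBKDF2-HMAC-SHA256 so it runs stand-alone.
"""
import hashlib
import hmac
import secrets


def hash_secret(secret: str, iterations: int = 260_000) -> str:
    """One-way, salted hash in the form pbkdf2_sha256$<iter>$<salt>$<hex digest>."""
    salt = secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", secret.encode(), salt.encode(), iterations
    ).hex()
    return f"pbkdf2_sha256${iterations}${salt}${digest}"


def check_secret(presented: str, stored: str) -> bool:
    """Constant-time comparison of a presented secret against the stored hash."""
    try:
        algo, iterations, salt, digest = stored.split("$", 3)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed stored value, never authenticate
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", presented.encode(), salt.encode(), iterations
    ).hex()
    return hmac.compare_digest(candidate, digest)


def register_application():
    """2.x flow: generate a secret, hand the cleartext to the admin once,
    persist only the hash. Returns (cleartext, stored_hash)."""
    cleartext = secrets.token_urlsafe(32)  # the value that must be copied before Save
    return cleartext, hash_secret(cleartext)


def token_endpoint_authenticates(stored_hash: str, client_secret: str) -> dict:
    """What a token endpoint answers for a given client_secret."""
    if check_secret(client_secret, stored_hash):
        return {"ok": True}
    return {"error": "invalid_client"}


if __name__ == "__main__":
    cleartext, stored = register_application()
    print("configure your client with:", cleartext)
    print("presenting the cleartext  ->", token_endpoint_authenticates(stored, cleartext))
    print("presenting the stored hash ->", token_endpoint_authenticates(stored, stored))
```

The second call is the failure the warning describes: the hash is a valid-looking string, so nothing rejects it on the client side, and the server can only report `invalid_client`.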
v2.1.0 Changes

June 19, 2022

WARNING: Issues caused by Release 2.0.0 breaking changes continue to be logged. Please make sure to carefully read these release notes before performing a MAJOR upgrade to 2.x.

These issues both result in `{"error": "invalid_client"}`:

1. The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail.
2. `PKCE_REQUIRED` is now `True` by default. You should use PKCE with your client or set `PKCE_REQUIRED=False` if you are unable to fix the client.

Added

- #1164 Support `prompt=login` for the OIDC Authorization Code Flow end user Authentication Request.
- #1163 Add French (fr) translations.
- #1166 Add Spanish (es) translations.

Changed

- #1152 `createapplication` management command enhanced to display an auto-generated secret before it gets hashed.
- #1172, #1159, #1158 documentation improvements.

Fixed

- #1147 Fixed 2.0.0 implementation of hashed client secret to work with swapped models.
v2.0.0 Changes

April 24, 2022

This is a major release with BREAKING changes. Please make sure to review these changes before upgrading:

Added

- #1106 OIDC: Add "scopes_supported" to the ConnectDiscoveryInfoView. This completes the view to provide all the REQUIRED and RECOMMENDED OpenID Provider Metadata.
- #1128 Documentation: Tutorial on using Celery to automate clearing expired tokens.

Changed

- #1129 (Breaking) Changed default value of `PKCE_REQUIRED` to `True`. This is a breaking change. Clients without PKCE enabled will fail to authenticate. This breaks with section 5 of RFC 7636 in favor of the OAuth2 Security Best Practices for Authorization Code Grants. If you want to retain the pre-2.x behavior, set `PKCE_REQUIRED = False` in your settings.py.
- #1093 (Breaking) Changed to implement hashed `client_secret` values. This is a breaking change that will migrate all your existing cleartext `application.client_secret` values to be hashed with Django's default password hashing algorithm and can not be reversed. When adding or modifying an Application in the Admin console, you must copy the auto-generated or manually-entered `client_secret` before hitting Save.
- #1108 OIDC: (Breaking) Add default configurable OIDC standard scopes that determine which claims are returned. If you've customized OIDC responses and want to retain the pre-2.x behavior, set `oidc_claim_scope = None` in your subclass of `OAuth2Validator`.
- #1108 OIDC: Make the `access_token` available to `get_oidc_claims` when called from `get_userinfo_claims`.
- #1132: Added `--algorithm` argument to `createapplication` management command.
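What "use PKCE with your client" means in practice, for the `PKCE_REQUIRED` default above and for the `code_challenge_method` / `code_verifier` documentation items in 2.2.0. This is an added example, not django-oauth-toolkit's own code: it implements the RFC 7636 S256 method on the client side (verifier generation, the two extra request parameters) and the server-side check, so you can see what the toolkit now refuses to skip. The endpoint URLs and `client_id` in the usage are placeholders.

```python
"""PKCE (RFC 7636) with the S256 method, client and server halves.

Added example, not django-oauth-toolkit code. Endpoint URLs and client_id
are placeholders.
"""
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def _b64url(raw: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier(nbytes: int = 32) -> str:
    """Random code_verifier; 32 random bytes give 43 chars, the RFC minimum."""
    return _b64url(secrets.token_bytes(nbytes))


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_url(authorize_endpoint, client_id, redirect_uri, verifier, state, scope="read"):
    """Client: the authorization request carries the challenge, never the verifier."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def token_request_body(code, redirect_uri, client_id, verifier):
    """Client: the code exchange sends the original verifier in the clear."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
    }


def server_verifies(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Server: recompute the challenge bound to the code and compare it."""
    if stored_method == "S256":
        expected = s256_challenge(presented_verifier)
    elif stored_method == "plain":
        expected = presented_verifier
    else:
        return False
    return secrets.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    verifier = make_verifier()
    print(authorization_url("https://idp.example/o/authorize/", "my-client-id",
                            "https://app.example/callback", verifier, state=secrets.token_urlsafe(16)))
    print(token_request_body("CODE_FROM_REDIRECT", "https://app.example/callback",
                             "my-client-id", verifier))
```

A client that omits `code_challenge` on the first leg, or sends a verifier that does not hash to the stored challenge on the second, is what `PKCE_REQUIRED = True` now rejects; the verifier must be kept per authorization attempt (for example alongside `state`) and never reused.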
Fixed

- #1108 OIDC: Fix `validate_bearer_token()` to properly set `request.scopes` to the list of granted scopes.
- #1132: Fixed help text for `--skip-authorization` argument of the `createapplication` management command.

Removed

- #1124 (Breaking, Security) Removes support for insecure `urn:ietf:wg:oauth:2.0:oob` and `urn:ietf:wg:oauth:2.0:oob:auto` which are replaced by RFC 8252 "OAuth 2.0 for Native Apps" BCP. Google has deprecated use of oob with a final end date of 2022-10-03. If you still rely on oob support in django-oauth-toolkit, do not upgrade to this release.
v1.7.1 Changes

March 19, 2022

Removed

- #1126 Reverts #1070 which incorrectly added Celery auto-discovery tasks.py (as described in #1123) and because it conflicts with Huey's auto-discovery which also uses tasks.py as described in #1114. If you are using Celery or Huey, you'll need to separately implement these tasks.
v1.7.0 Changes

January 23, 2022

Added

- #969 Add batching of expired token deletions in `cleartokens` management command and `models.clear_expired()` to improve performance for removal of large numbers of expired tokens. Configure with `CLEAR_EXPIRED_TOKENS_BATCH_SIZE` and `CLEAR_EXPIRED_TOKENS_BATCH_INTERVAL`.
- #1070 Add a Celery task for clearing expired tokens, e.g. to be scheduled as a periodic task.
- #1062 Add Brazilian Portuguese (pt-BR) translations.
- #1069 OIDC: Add an alternate form of `get_additional_claims()` which makes the list of additional `claims_supported` available at the OIDC auto-discovery endpoint (`.well-known/openid-configuration`).

Fixed

- #1012 Return 200 status code with `{"active": false}` when introspecting a nonexistent token per RFC 7662. It had been incorrectly returning 401.
v1.6.3 Changes

January 11, 2022

Fixed

- #1085 Fix for #1083 admin UI search for idtoken results in `django.core.exceptions.FieldError: Cannot resolve keyword 'token' into field.`

Added

- #1085 Add admin UI search fields for additional models.
v1.6.2 Changes

January 06, 2022

NOTE: This release reverts an inadvertently-added breaking change.

Fixed

- #1056 Add missing migration triggered by Django 4.0 changes to the migrations autodetector.
- #1068 Revert #967 which incorrectly changed an API. See #1066.
v1.6.1 Changes

December 23, 2021

Changed

- Note: Only Django 4.0.1+ is supported due to a regression in Django 4.0.0.

Fixed

- Miscellaneous 1.6.0 packaging issues.
v1.6.0 Changes

December 19, 2021

Added

- #949 Provide `django.contrib.auth.authenticate()` with a `request` for compatibility with more backends (like django-axes).
- #968, #1039 Add support for Django 3.2 and 4.0.
- #953 Allow loopback redirect URIs using random ports as described in RFC 8252 section 7.3.
- #972 Add Farsi/fa language support.
- #978 OIDC: Add support for rotating multiple RSA private keys.
- #978 OIDC: Add new `OIDC_JWKS_MAX_AGE_SECONDS` to improve `jwks_uri` caching.
- #967 OIDC: Add additional claims beyond `sub` to the id_token.
- #1041 Add a search field to the Admin UI (e.g. for searching for tokens by email address).
Changed

- #981 Require redirect_uri if multiple URIs are registered per RFC 6749 section 3.1.2.3
- #991 Update documentation of `REFRESH_TOKEN_EXPIRE_SECONDS` to indicate it may be `int` or `datetime.timedelta`.
- #977 Update Tutorial to show required `include`.
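The two redirect-URI rules in this release, #953 (loopback URIs may use a random port, RFC 8252 section 7.3) and #981 (redirect_uri is mandatory once more than one URI is registered, RFC 6749 section 3.1.2.3), as an added example that is not django-oauth-toolkit's own matcher. The security point it makes: the port is ignored only for the literal loopback IPs `127.0.0.1` and `::1` over `http`, never for `localhost` or any remote host, and every other comparison is an exact string match with no prefix or wildcard matching.

```python
"""Redirect URI matching with the RFC 8252 7.3 loopback exception.

Added example, not django-oauth-toolkit code. Sample URIs are constructed.
"""
from urllib.parse import urlparse

# RFC 8252 7.3 names the IP literals; "localhost" is deliberately excluded
# because it can resolve to a non-loopback address.
LOOPBACK_HOSTS = {"127.0.0.1", "::1"}


def is_loopback_uri(uri: str) -> bool:
    parsed = urlparse(uri)
    return parsed.scheme == "http" and parsed.hostname in LOOPBACK_HOSTS


def redirect_uri_matches(registered: str, requested: str) -> bool:
    """True if `requested` is acceptable for the registered URI."""
    reg, req = urlparse(registered), urlparse(requested)
    if is_loopback_uri(registered) and is_loopback_uri(requested):
        # Native apps bind an ephemeral port at run time, so only the port may differ.
        return (reg.scheme, reg.hostname, reg.path, reg.query) == (
            req.scheme, req.hostname, req.path, req.query
        )
    # Everything else: exact match. No prefix matching, no port wildcard.
    return registered == requested


def pick_redirect_uri(registered_uris, requested):
    """Resolve the effective redirect URI for an authorization request.

    With exactly one registered URI the client may omit redirect_uri; with
    several it must send one, and it must match a registered entry.
    """
    if requested is None:
        if len(registered_uris) == 1:
            return registered_uris[0]
        raise ValueError("redirect_uri is required when multiple URIs are registered")
    for reg in registered_uris:
        if redirect_uri_matches(reg, requested):
            return requested
    raise ValueError("redirect_uri does not match any registered URI")


if __name__ == "__main__":
    registered = ["http://127.0.0.1/callback", "https://app.example/cb"]
    for candidate in ["http://127.0.0.1:51004/callback",
                      "http://localhost:51004/callback",
                      "https://app.example/cb/../cb"]:
        try:
            print(candidate, "->", pick_redirect_uri(registered, candidate))
        except ValueError as exc:
            print(candidate, "-> rejected:", exc)
```

Registering `http://127.0.0.1/callback` (no port) is enough for a desktop or CLI client that picks a free port at start-up; registering `http://localhost:...` gives no such latitude here and would have to match exactly.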
Removed

- #968 Remove support for Django 3.0 & 3.1 and Python 3.6
- #1035 Removes default_app_config for Django Deprecation Warning
- #1023 six should be dropped

Fixed

- #963 Fix handling invalid hex values in client query strings with a 400 error rather than 500.
- #973 Tutorial updated to use `django-cors-headers`.
- #956 OIDC: Update documentation of get_userinfo_claims to add the missing argument.
v1.5.0 Changes

March 18, 2021

Added

- #915 Add optional OpenID Connect support.

Changed

- #942 Help via defunct Google group replaced with using GitHub issues