All Versions
44
Latest Version
Avg Release Cycle
78 days
Latest Release
527 days ago

Changelog History
Page 1

  • v2.2.0 Changes

    October 18, 2022

    โš  WARNING

    ๐Ÿš€ Issues caused by Release 2.0.0 breaking changes continue to be logged. Please make sure to carefully read these release notes before โฌ†๏ธ performing a MAJOR upgrade to 2.x.

    These issues both result in {"error": "invalid_client"}:

    1. The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail.

    0๏ธโƒฃ 2. PKCE_REQUIRED is now True by default. You should use PKCE with your client or set PKCE_REQUIRED=False if you are unable to fix the client.

    โž• Added

    • #1208 Add 'code_challenge_method' parameter to authorization call in documentation
    • ๐Ÿ“š #1182 Add 'code_verifier' parameter to token requests in documentation

    ๐Ÿ”„ Changed

    • ๐Ÿ‘ #1203 Support Django 4.1.

    ๐Ÿ›  Fixed

    • ๐Ÿ›  #1203 Remove upper version bound on Django, to allow upgrading to Django 4.1.1 bugfix release.
    • #1210 Handle oauthlib errors on create token requests
  • v2.1.0 Changes

    June 19, 2022

    โš  WARNING

    ๐Ÿš€ Issues caused by Release 2.0.0 breaking changes continue to be logged. Please make sure to carefully read these release notes before โฌ†๏ธ performing a MAJOR upgrade to 2.x.

    These issues both result in {"error": "invalid_client"}:

    1. The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail.

    0๏ธโƒฃ 2. PKCE_REQUIRED is now True by default. You should use PKCE with your client or set PKCE_REQUIRED=False if you are unable to fix the client.

    โž• Added

    • ๐Ÿ‘ #1164 Support prompt=login for the OIDC Authorization Code Flow end user Authentication Request.
    • ๐ŸŒ #1163 Add French (fr) translations.
    • ๐ŸŒ #1166 Add Spanish (es) translations.

    ๐Ÿ”„ Changed

    • #1152 createapplication management command enhanced to display an auto-generated secret before it gets hashed.
    • ๐Ÿ“š #1172, #1159, #1158 documentation improvements.

    ๐Ÿ›  Fixed

    • ๐Ÿ›  #1147 Fixed 2.0.0 implementation of hashed client secret to work with swapped models.
  • v2.0.0 Changes

    April 24, 2022

    ๐Ÿ’ฅ This is a major release with BREAKING changes. Please make sure to review these changes before upgrading:

    โž• Added

    ๐Ÿ”„ Changed

    • ๐Ÿ’ฅ #1129 (Breaking) Changed default value of PKCE_REQUIRED to True. This is a breaking change. Clients without PKCE enabled will fail to authenticate. This breaks with section 5 of RFC7636 in favor of the OAuth2 Security Best Practices for Authorization Code Grants. If you want to retain the pre-2.x behavior, set PKCE_REQUIRED = False in your settings.py
    • ๐Ÿ’ฅ #1093 (Breaking) Changed to implement hashed client_secret values. This is a breaking change that will migrate all your existing cleartext application.client_secret values to be hashed with Django's default password hashing algorithm and can not be reversed. When adding or modifying an Application in the Admin console, you must copy the auto-generated or manually-entered client_secret before hitting Save.
    • ๐Ÿ’ฅ #1108 OIDC: (Breaking) Add default configurable OIDC standard scopes that determine which claims are returned. If you've customized OIDC responses and want to retain the pre-2.x behavior, set oidc_claim_scope = None in your subclass of OAuth2Validator.
    • #1108 OIDC: Make the access_token available to get_oidc_claims when called from get_userinfo_claims.
    • #1132: Added --algorithm argument to createapplication management command

    ๐Ÿ›  Fixed

    • #1108 OIDC: Fix validate_bearer_token() to properly set request.scopes to the list of granted scopes.
    • ๐Ÿ›  #1132: Fixed help text for --skip-authorization argument of the createapplication management command.

    โœ‚ Removed

    • ๐Ÿ’ฅ #1124 (Breaking, Security) Removes support for insecure urn:ietf:wg:oauth:2.0:oob and urn:ietf:wg:oauth:2.0:oob:auto which are replaced by RFC 8252 "OAuth 2.0 for Native Apps" BCP. Google has deprecated use of oob with a final end date of 2022-10-03. If you still rely on oob support in django-oauth-toolkit, do not upgrade to this release.
  • v1.7.1 Changes

    March 19, 2022

    โœ‚ Removed

    • โช #1126 Reverts #1070 which incorrectly added Celery auto-discovery tasks.py (as described in #1123) and because it conflicts with Huey's auto-discovery which also uses tasks.py as described in #1114. If you are using Celery or Huey, you'll need to separately implement these tasks.
  • v1.7.0 Changes

    January 23, 2022

    โž• Added

    • #969 Add batching of expired token deletions in cleartokens management command and models.clear_expired() to improve performance for removal of large numers of expired tokens. Configure with CLEAR_EXPIRED_TOKENS_BATCH_SIZE and CLEAR_EXPIRED_TOKENS_BATCH_INTERVAL.
    • โฑ #1070 Add a Celery task for clearing expired tokens, e.g. to be scheduled as a periodic task.
    • ๐ŸŒ #1062 Add Brazilian Portuguese (pt-BR) translations.
    • #1069 OIDC: Add an alternate form of get_additional_claims() which makes the list of additional claims_supported available at the OIDC auto-discovery endpoint (.well-known/openid-configuration).

    ๐Ÿ›  Fixed

    • #1012 Return 200 status code with {"active": false} when introspecting a nonexistent token per RFC 7662. It had been incorrectly returning 401.
  • v1.6.3 Changes

    January 11, 2022

    ๐Ÿ›  Fixed

    • ๐Ÿ’ป #1085 Fix for #1083 admin UI search for idtoken results in django.core.exceptions.FieldError: Cannot resolve keyword 'token' into field.

    โž• Added

    • ๐Ÿ’ป #1085 Add admin UI search fields for additional models.
  • v1.6.2 Changes

    January 06, 2022

    ๐Ÿš€ NOTE: This release reverts an inadvertently-added breaking change.

    ๐Ÿ›  Fixed

  • v1.6.1 Changes

    December 23, 2021

    ๐Ÿ”„ Changed

    • ๐Ÿ‘ Note: Only Django 4.0.1+ is supported due to a regression in Django 4.0.0. Explanation

    ๐Ÿ›  Fixed

    • Miscellaneous 1.6.0 packaging issues.
  • v1.6.0 Changes

    December 19, 2021

    โž• Added

    • #949 Provide django.contrib.auth.authenticate() with a request for compatibiity with more backends (like django-axes).
    • ๐Ÿ‘ #968, #1039 Add support for Django 3.2 and 4.0.
    • #953 Allow loopback redirect URIs using random ports as described in RFC8252 section 7.3.
    • ๐Ÿ‘ #972 Add Farsi/fa language support.
    • โœ… #978 OIDC: Add support for rotating multiple RSA private keys.
    • #978 OIDC: Add new OIDC_JWKS_MAX_AGE_SECONDS to improve jwks_uri caching.
    • โœ… #967 OIDC: Add additional claims beyond sub to the id_token.
    • ๐Ÿ’ป #1041 Add a search field to the Admin UI (e.g. for search for tokens by email address).

    ๐Ÿ”„ Changed

    โœ‚ Removed

    • ๐Ÿšš #968 Remove support for Django 3.0 & 3.1 and Python 3.6
    • #1035 Removes default_app_config for Django Deprecation Warning
    • #1023 six should be dropped

    ๐Ÿ›  Fixed

    • #963 Fix handling invalid hex values in client query strings with a 400 error rather than 500.
    • โšก๏ธ #973 Tutorial updated to use django-cors-headers.
    • ๐Ÿ‘‰ #956 OIDC: Update documentation of get_userinfo_claims to add the missing argument.
  • v1.5.0 Changes

    March 18, 2021

    โž• Added

    • ๐Ÿ‘ #915 Add optional OpenID Connect support.

    ๐Ÿ”„ Changed

    • #942 Help via defunct Google group replaced with using GitHub issues