django-oauth-toolkit v2.1.0 Release Notes
Release Date: 2022-06-19
🚀 Issues caused by Release 2.0.0 breaking changes continue to be logged. Please make sure to carefully read these release notes before ⬆️ performing a MAJOR upgrade to 2.x.
These issues both result in
- The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail.
- `PKCE_REQUIRED` is now `True` by default. You should use PKCE with your client or set `PKCE_REQUIRED=False` if you are unable to fix the client.
- 👍 #1164 Support `prompt=login` for the OIDC Authorization Code Flow end user Authentication Request.
- 🌐 #1163 Add French (fr) translations.
- 🌐 #1166 Add Spanish (es) translations.
- `createapplication` management command enhanced to display an auto-generated secret before it gets hashed.
- 📚 #1172, #1159, #1158 documentation improvements.
- 🛠 #1147 Fixed 2.0.0 implementation of hashed client secret to work with swapped models.
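The two pitfalls above (the 2.1.0 note that the client secret is hashed on save, and the #1093 change below) both come down to one thing: after save, `Application.client_secret` holds a Django password hash, and a client that presents that stored string instead of the original plaintext is rejected. The following is an added illustration, not django-oauth-toolkit or Django code: it reproduces the Django `pbkdf2_sha256$<iterations>$<salt>$<base64 hash>` encoding with the standard library only, so it runs without Django, and shows that only the plaintext copied before Save verifies. The iteration count is an assumption chosen for speed; Django's real default depends on the Django version.

```python
"""Added illustration (not django-oauth-toolkit or Django code) of why a
client_secret copied *after* save no longer authenticates in 2.x."""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000  # assumption for speed; Django's per-version default is larger


def hash_client_secret(secret: str, salt: Optional[str] = None,
                       iterations: int = ITERATIONS) -> str:
    """Return a Django-format encoded hash of a plaintext client secret.

    This mirrors the layout Django's default PBKDF2 hasher writes:
    "<algorithm>$<iterations>$<salt>$<base64 digest>".
    """
    salt = salt or secrets.token_urlsafe(16)  # urlsafe alphabet never contains '$'
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"),
                                 salt.encode("ascii"), iterations)
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt,
                            base64.b64encode(digest).decode("ascii"))


def check_client_secret(presented: str, encoded: str) -> bool:
    """Verify a secret presented by a client against the stored encoded hash.

    Re-hashes the presented value with the stored salt and iteration count,
    then compares in constant time. The stored hash itself can never be
    reversed to recover the plaintext, which is why the admin UI must show
    the secret *before* Save.
    """
    parts = encoded.split("$", 3)
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    _, iterations, salt, _ = parts
    expected = hash_client_secret(presented, salt, int(iterations))
    return hmac.compare_digest(expected, encoded)


def demo() -> dict:
    """Constructed scenario: what the admin sees vs. what is stored."""
    plaintext = secrets.token_urlsafe(32)   # value displayed before hitting Save
    stored = hash_client_secret(plaintext)  # value Application.client_secret holds afterwards
    return {
        # the client keeps the copied plaintext: accepted
        "plaintext_works": check_client_secret(plaintext, stored),
        # the client was configured with the stored (hashed) value: rejected
        "hashed_value_works": check_client_secret(stored, stored),
        "stored_is_hashed": stored.startswith(ALGORITHM + "$"),
    }


if __name__ == "__main__":
    print(demo())
```

A practical consequence for operators: any automation that reads `client_secret` back out of the database after an upgrade to 2.x will obtain the hash, not a usable credential; secrets must be captured at creation time (the enhanced `createapplication` command prints the generated secret before hashing for exactly this reason).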
Previous changes from v2.0.0
💥 This is a major release with BREAKING changes. Please make sure to review these changes before upgrading:
- ✅ #1106 OIDC: Add "scopes_supported" to the ConnectDiscoveryInfoView. This completes the view to provide all the REQUIRED and RECOMMENDED OpenID Provider Metadata.
- 📚 #1128 Documentation: Tutorial on using Celery to automate clearing expired tokens.
- 💥 #1129 (Breaking) Changed default value of `PKCE_REQUIRED` to `True`. This is a breaking change. Clients without PKCE enabled will fail to authenticate. This breaks with section 5 of RFC 7636 in favor of the OAuth 2.0 Security Best Practices for Authorization Code Grants. If you want to retain the pre-2.x behavior, set `PKCE_REQUIRED = False` in your settings.py.
- 💥 #1093 (Breaking) Changed to implement hashed `client_secret` values. This is a breaking change that will migrate all your existing `application.client_secret` values to be hashed with Django's default password hashing algorithm and can not be reversed. When adding or modifying an Application in the Admin console, you must copy the auto-generated or manually-entered `client_secret` before hitting Save.
- 💥 #1108 OIDC: (Breaking) Add default configurable OIDC standard scopes that determine which claims are returned. If you've customized OIDC responses and want to retain the pre-2.x behavior, set `oidc_claim_scope = None` in your subclass of
- #1108 OIDC: Make the `get_oidc_claims` when called from
- #1132: Added
- #1108 OIDC: Fix `validate_bearer_token()` to properly set `request.scopes` to the list of granted scopes.
- 🛠 #1132: Fixed help text for the `--skip-authorization` argument of the
- 💥 #1124 (Breaking, Security) Removes support for the insecure `urn:ietf:wg:oauth:2.0:oob:auto` redirect URI, which is replaced by the RFC 8252 "OAuth 2.0 for Native Apps" BCP. Google has deprecated use of oob with a final end date of 2022-10-03. If you still rely on oob support in django-oauth-toolkit, do not upgrade to this release.
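The `PKCE_REQUIRED` change (#1129 above, and the 2.1.0 note that clients should "use PKCE" rather than disable the check) is easiest to understand from both ends of the exchange. The block below is an added example, not django-oauth-toolkit code: it implements the RFC 7636 client side (`code_verifier` and S256 `code_challenge`) and a minimal server-side check of the kind an authorization server performs at the token endpoint, with the `PKCE_REQUIRED` setting shown as the page describes it (`True` by default, `False` only to retain pre-2.x behavior). The `OAUTH2_PROVIDER` dict and the `server_accepts_token_request` function are illustrative and assumed; the standard-library implementation is not the library's own.

```python
"""Added example (not django-oauth-toolkit code): the PKCE exchange that
clients need once PKCE_REQUIRED defaults to True, plus the server-side check
that rejects an authorization code with a missing or wrong verifier."""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# settings.py fragment (assumed shape): 2.x default shown; set False only to
# retain pre-2.x behaviour for clients you cannot fix.
OAUTH2_PROVIDER = {"PKCE_REQUIRED": True}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: a high-entropy code_verifier (43..128 characters)."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """Client side: S256 challenge sent on the authorization request."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def server_accepts_token_request(stored_challenge: Optional[str],
                                 stored_method: Optional[str],
                                 code_verifier: Optional[str],
                                 pkce_required: bool = OAUTH2_PROVIDER["PKCE_REQUIRED"]) -> bool:
    """Server side: decide whether the code exchange at /token may proceed.

    stored_challenge / stored_method were bound to the authorization code
    when it was issued; code_verifier is what the client now presents.
    """
    if stored_challenge is None:
        # The authorization request carried no code_challenge. With
        # PKCE_REQUIRED=True (2.x default) this is exactly the failure
        # legacy clients hit; only the pre-2.x setting lets it through.
        return not pkce_required
    if code_verifier is None or not (43 <= len(code_verifier) <= 128):
        return False
    if stored_method == "S256":
        expected = make_code_challenge(code_verifier)
    elif stored_method == "plain":
        expected = code_verifier
    else:
        return False
    # Constant-time comparison of the recomputed challenge with the bound one.
    return hmac.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    # Constructed walk-through of one authorization code flow.
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)          # sent with /authorize
    print("accepted:", server_accepts_token_request(challenge, "S256", verifier))
    print("legacy client, 2.x default:",
          server_accepts_token_request(None, None, None))
```

The RFC 7636 Appendix B vector (verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk`, challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`) is a convenient check that a client library's S256 computation matches the server's before changing `PKCE_REQUIRED` in production.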