django-oauth-toolkit v2.1.0 Release Notes

Release Date: 2022-06-19 // 2 months ago
  • โš  WARNING

    ๐Ÿš€ Issues caused by Release 2.0.0 breaking changes continue to be logged. Please make sure to carefully read these release notes before โฌ†๏ธ performing a MAJOR upgrade to 2.x.

    These issues both result in {"error": "invalid_client"}:

    1. The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail.

    0๏ธโƒฃ 2. PKCE_REQUIRED is now True by default. You should use PKCE with your client or set PKCE_REQUIRED=False if you are unable to fix the client.

    โž• Added

    • ๐Ÿ‘ #1164 Support prompt=login for the OIDC Authorization Code Flow end user Authentication Request.
    • ๐ŸŒ #1163 Add French (fr) translations.
    • ๐ŸŒ #1166 Add Spanish (es) translations.

    ๐Ÿ”„ Changed

    • #1152 createapplication management command enhanced to display an auto-generated secret before it gets hashed.
    • ๐Ÿ“š #1172, #1159, #1158 documentation improvements.

    ๐Ÿ›  Fixed

    • ๐Ÿ›  #1147 Fixed 2.0.0 implementation of hashed client secret to work with swapped models.

Previous changes from v2.0.0

  • ๐Ÿ’ฅ This is a major release with BREAKING changes. Please make sure to review these changes before upgrading:

    โž• Added

    ๐Ÿ”„ Changed

    • ๐Ÿ’ฅ #1129 (Breaking) Changed default value of PKCE_REQUIRED to True. This is a breaking change. Clients without PKCE enabled will fail to authenticate. This breaks with section 5 of RFC7636 in favor of the OAuth2 Security Best Practices for Authorization Code Grants. If you want to retain the pre-2.x behavior, set PKCE_REQUIRED = False in your
    • ๐Ÿ’ฅ #1093 (Breaking) Changed to implement hashed client_secret values. This is a breaking change that will migrate all your existing cleartext application.client_secret values to be hashed with Django's default password hashing algorithm and can not be reversed. When adding or modifying an Application in the Admin console, you must copy the auto-generated or manually-entered client_secret before hitting Save.
    • ๐Ÿ’ฅ #1108 OIDC: (Breaking) Add default configurable OIDC standard scopes that determine which claims are returned. If you've customized OIDC responses and want to retain the pre-2.x behavior, set oidc_claim_scope = None in your subclass of OAuth2Validator.
    • #1108 OIDC: Make the access_token available to get_oidc_claims when called from get_userinfo_claims.
    • #1132: Added --algorithm argument to createapplication management command

    ๐Ÿ›  Fixed

    • #1108 OIDC: Fix validate_bearer_token() to properly set request.scopes to the list of granted scopes.
    • ๐Ÿ›  #1132: Fixed help text for --skip-authorization argument of the createapplication management command.

    โœ‚ Removed

    • ๐Ÿ’ฅ #1124 (Breaking, Security) Removes support for insecure urn:ietf:wg:oauth:2.0:oob and urn:ietf:wg:oauth:2.0:oob:auto which are replaced by RFC 8252 "OAuth 2.0 for Native Apps" BCP. Google has deprecated use of oob with a final end date of 2022-10-03. If you still rely on oob support in django-oauth-toolkit, do not upgrade to this release.