Breaking changes
Some user sessions may be invalidated, which will log the user out.
Changes
[x] Token endpoint /openidconnect/token now also:
    [x] returns a refresh token alongside the access token and ID token,
    [x] supports grant_type=refresh_token,
    [x] supports basic client authentication (methods client_secret_basic and client_secret_post in addition to none).
[x] Client API now supports token endpoint auth methods client_secret_basic and client_secret_post. It is possible to reset the client secret using the POST /client/{client_id}/reset_secret endpoint. Caution: This is API-only! The web UI does not display the client secret yet.
[x] OAuth session expiration is equal to the expiration of its refresh token.
[x] Session tokens moved to a new token collection st and are no longer part of the session object. Only their hashes are stored - this is more secure.
    [x] Access tokens
    [x] Refresh tokens
    [x] Authorization codes
    [ ] Client cookies - these will be trickier; let's handle them in a separate merge request.
    [ ] SSO (root) cookies - these will be trickier; let's handle them in a separate merge request.
[x] Exceptions from seacatauth.client.exceptions moved to seacatauth.exceptions.
[x] Functions set_cookie and delete_cookie from seacatauth.cookie.utils refactored to methods of seacatauth.cookie.CookieService.
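As an added illustration (not seacatauth's own code) of the token-storage and refresh-grant changes listed above: a minimal store that persists only SHA-256 digests of issued access and refresh tokens, rotates the refresh token on each grant_type=refresh_token exchange, and ties the session lifetime to the refresh token's expiry. The class and method names, the TTL values and the clock injection are assumptions made for the example.

```python
import hashlib
import secrets
import time

ACCESS_TTL = 600      # constructed sample lifetimes in seconds, not seacatauth defaults
REFRESH_TTL = 3600


def token_hash(raw: str) -> str:
    # Only this digest is persisted; a leaked copy of the store yields no usable tokens.
    return hashlib.sha256(raw.encode()).hexdigest()


class TokenStore:
    """Hypothetical token collection: digest -> metadata, raw tokens never stored."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.tokens = {}     # digest -> {"type", "sid", "expires"}
        self.sessions = {}   # sid -> session expiry (equal to its refresh token expiry)

    def _issue(self, sid: str, token_type: str, ttl: float) -> str:
        raw = secrets.token_urlsafe(32)
        self.tokens[token_hash(raw)] = {"type": token_type, "sid": sid, "expires": self.clock() + ttl}
        return raw

    def new_session(self, sid: str) -> dict:
        # Issue a fresh access/refresh pair; the session lives as long as the refresh token.
        access = self._issue(sid, "access", ACCESS_TTL)
        refresh = self._issue(sid, "refresh", REFRESH_TTL)
        self.sessions[sid] = self.tokens[token_hash(refresh)]["expires"]
        return {"access_token": access, "refresh_token": refresh}

    def validate(self, raw: str, token_type: str):
        # Look up by digest only; reject wrong type, expired token or expired session.
        entry = self.tokens.get(token_hash(raw))
        if entry is None or entry["type"] != token_type or entry["expires"] <= self.clock():
            return None
        if self.sessions.get(entry["sid"], 0) <= self.clock():
            return None
        return entry["sid"]

    def refresh(self, raw_refresh: str):
        # grant_type=refresh_token: the presented refresh token is single-use (rotation).
        sid = self.validate(raw_refresh, "refresh")
        if sid is None:
            return None
        del self.tokens[token_hash(raw_refresh)]
        return self.new_session(sid)
```

An access token issued before a refresh stays valid until its own (short) expiry; only the refresh token is revoked on rotation.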
closes #154
Config
New config options and their default values:
Limitations