Some user sessions may be invalidated, which will log the user out.
Changes
[x] Token endpoint /openidconnect/token now also
[x] returns refresh token alongside access token and id token,
[x] supports grant_type=refresh_token.
[x] supports basic client authentication (methods client_secret_basic and client_secret_post in addition to none).
[x] Client API now supports token endpoint auth methods client_secret_basic and client_secret_post. It is possible to reset the client secret using the POST /client/{client_id}/reset_secret endpoint. Caution: This is API-only! The web UI does not display client secret yet.
[x] OAuth session expiration is equal to the expiration of its refresh token.
[x] Session tokens moved to a new token collection st and are no longer part of the session object. Only their hashes are stored - this is more secure.
[x] Access tokens
[x] Refresh tokens
[x] Authorization codes
[ ] Client cookies - These will be trickier, let's handle them in a separate merge request.
[ ] SSO (root) cookies - These will be trickier, let's handle them in a separate merge request.
[x] Exceptions from seacatauth.client.exceptions moved to seacatauth.exceptions.
[x] Functions set_cookie and delete_cookie from seacatauth.cookie.utils refactored to methods of seacatauth.cookie.CookieService.
closes #154
Breaking changes
Changes
/openidconnect/tokennow alsogrant_type=refresh_token.client_secret_basicandclient_secret_postin addition tonone).client_secret_basicandclient_secret_post. It is possible to reset the client secret using thePOST /client/{client_id}/reset_secretendpoint. Caution: This is API-only! The web UI does not display client secret yet.stand are no longer part of the session object. Only their hashes are stored - this is more secure.seacatauth.client.exceptionsmoved toseacatauth.exceptions.set_cookieanddelete_cookiefromseacatauth.cookie.utilsrefactored to methods ofseacatauth.cookie.CookieService.Config
New config options and their default values:
Limitations