Issues caused by Release 2.0.0 breaking changes continue to be logged. Please make sure to carefully read these release notes before performing a MAJOR upgrade to 2.x.
These issues both result in `{"error": "invalid_client"}`:
- The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail.
- PKCE_REQUIRED is now True by default. You should use PKCE with your client or set PKCE_REQUIRED=False if you are unable to fix the client.
If you are going to revert migration 0006, note that a previously hashed client_secret cannot be reverted!
Added
- #1304 Add OAuth2ExtraTokenMiddleware for adding access token to request. See Setup a provider in the Tutorial.
- #1273 Performance improvement: add caching of loading of OIDC private key.
- #1311, #1334 (Security) Add option to disable client_secret hashing to allow verifying JWTs' signatures when using HS256 keys. This means your client secret will be stored in cleartext, but it is the only way to successfully use HS256-signed JWTs.
- #1292 Interpret EXP in AccessToken always as UTC instead of (possibly) local timezone. Use setting AUTHENTICATION_SERVER_EXP_TIME_ZONE to enable a different time zone in case the remote authentication server does not provide EXP in UTC.
- #1323 Fix instructions in documentation on how to create a code challenge and code verifier.
- #1284 Fix a 500 error when trying to logout with no id_token_hint even if the browser session already expired.
- #1296 Added reverse function in migration 0006_alter_application_client_secret. Note that reversing this migration cannot undo a hashed client_secret.
- #1345 Fix encapsulation for Redirect URI scheme validation. Deprecates RedirectURIValidator in favor of AllowedURIValidator.
- #1357 Move import of setting_changed signal from test to django core modules.
You can trigger a rebase of this PR by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.
Updates the requirements on django-oauth-toolkit to permit the latest version.
Release notes
Sourced from django-oauth-toolkit's releases.
Changelog
Sourced from django-oauth-toolkit's changelog.
... (truncated)
Commits
- f34ba7c Release 2 4 0 (#1420)
- a34be99 Adds the ability to define how to store a user (#1328)
- 2ef14c5 Update urls.py (#1410)
- 1c33bfc Document OIDC_ENABLED in settings.rst (#1408)
- bdc578f Update url for RP initiated logout (#1405)
- b1a2bb3 Add codespell support: config + workflow to catch new typos, let it fix some ...
- 30efd79 Expect the remote exp to be defined in time zone UTC conform rfc (Fix… (#1292)
- 6ae8197 Fix the invalid_client error when request token without the client_secret fie...
- 0aa27a0 Remove duplicate OAuthLibMixin from base classes (#1191)
- ea51411 Update middleware.py (#1380)