jazzband/django-oauth-toolkit (django-oauth-toolkit)
### [`v2.4.0`](https://redirect.github.com/jazzband/django-oauth-toolkit/blob/HEAD/CHANGELOG.md#240---2024-05-13)
[Compare Source](https://redirect.github.com/jazzband/django-oauth-toolkit/compare/2.3.0...2.4.0)
##### WARNING
Issues caused by **Release 2.0.0 breaking changes** continue to be logged. Please **make sure to carefully read these release notes** before
performing a MAJOR upgrade to 2.x.
These issues both result in `{"error": "invalid_client"}`:
1. The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail.
2. `PKCE_REQUIRED` is now `True` by default. You should use PKCE with your client or set `PKCE_REQUIRED=False` if you are unable to fix the client.
If you are going to revert migration 0006, note that previously hashed `client_secret` values cannot be reverted!
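To make the PKCE side of these warnings concrete, here is an added, stand-alone illustration of the RFC 7636 check that `PKCE_REQUIRED` turns on; it is example code written for this page, not django-oauth-toolkit's own validator, and the function names (`make_code_verifier`, `make_code_challenge`, `verify_code_verifier`) are my own. The client-side half produces the `code_verifier`/`code_challenge` pair a client must send; the server-side half shows why a client that sends no challenge is rejected unless PKCE is optional, and why an S256 challenge cannot be satisfied by echoing it back.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: the verifier is 43..128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_no_pad(raw: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 mandates."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: a high-entropy verifier. 32 random bytes encode to 43 chars."""
    return b64url_no_pad(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Client side: the code_challenge value sent in the authorization request."""
    if method == "S256":
        return b64url_no_pad(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        # Permitted by RFC 7636, but an observed challenge is then also the verifier.
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def verify_code_verifier(stored_challenge, stored_method, presented_verifier,
                         pkce_required=True) -> bool:
    """Server side at the token endpoint (hypothetical helper, not DOT's code).

    stored_challenge / stored_method were recorded with the authorization code;
    presented_verifier arrives with the token request. Returns True only when the
    code exchange should be accepted.
    """
    if stored_challenge is None:
        # The authorization request carried no challenge. Accepting this is the
        # pre-2.x behaviour that PKCE_REQUIRED=False restores; the 2.x default rejects it.
        return not pkce_required
    if presented_verifier is None or not VERIFIER_RE.fullmatch(presented_verifier):
        return False
    try:
        expected = make_code_challenge(presented_verifier, stored_method)
    except ValueError:
        return False
    # Constant-time comparison so timing does not reveal how much of the value matched.
    return hmac.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    # Walk through one exchange with a freshly generated pair.
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    print("authorization request carries code_challenge =", challenge)
    print("token request with the right verifier:",
          verify_code_verifier(challenge, "S256", verifier))
    print("token request echoing the challenge instead:",
          verify_code_verifier(challenge, "S256", challenge))
    print("client that never sent a challenge, PKCE_REQUIRED=True:",
          verify_code_verifier(None, None, None, pkce_required=True))
```

The S256 test vector from RFC 7636 Appendix B can be used to confirm the encoding: the verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk` must yield the challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`.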
##### Added
- [#1304](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1304) Add `OAuth2ExtraTokenMiddleware` for adding access token to request.
See [Setup a provider](https://django-oauth-toolkit.readthedocs.io/en/latest/tutorial/tutorial_03.html#setup-a-provider) in the Tutorial.
- [#1273](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1273) Performance improvement: Add caching of loading of OIDC private key.
- [#1285](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1285) Add `post_logout_redirect_uris` field in the [Application Registration form](https://django-oauth-toolkit.readthedocs.io/en/latest/templates.html#application-registration-form-html)
- [#1311](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1311), [#1334](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1334) (**Security**) Add an option to disable client_secret hashing so that JWT signatures can be verified when using
[HS256 keys](https://django-oauth-toolkit.readthedocs.io/en/latest/oidc.html#using-hs256-keys).
This means your client secret will be stored in cleartext, but it is the only way to successfully use HS256-signed JWTs.
- [#1350](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1350) Support Python 3.12 and Django 5.0
- [#1367](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1367) Add `code_challenge_methods_supported` property to auto discovery information, per [RFC 8414 section 2](https://www.rfc-editor.org/rfc/rfc8414.html#page-7)
- [#1328](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1328) Adds the ability to [define how to store a user profile](https://django-oauth-toolkit.readthedocs.io/en/latest/oidc.html#define-where-to-store-the-profile).
##### Fixed
- [#1292](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1292) Interpret `EXP` in AccessToken always as UTC instead of the (possibly) local timezone.
Use the setting `AUTHENTICATION_SERVER_EXP_TIME_ZONE` to configure a different time zone in case the remote
authentication server does not provide `EXP` in UTC.
- [#1323](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1323) Fix instructions in [documentation](https://django-oauth-toolkit.readthedocs.io/en/latest/getting_started.html#authorization-code)
on how to create a code challenge and code verifier
- [#1284](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1284) Fix a 500 error when trying to log out with no `id_token_hint` when the browser session has already expired.
- [#1296](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1296) Added reverse function in migration `0006_alter_application_client_secret`. Note that reversing this migration cannot undo a hashed `client_secret`.
- [#1345](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1345) Fix encapsulation for Redirect URI scheme validation. Deprecates `RedirectURIValidator` in favor of `AllowedURIValidator`.
- [#1357](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1357) Move import of setting_changed signal from test to django core modules.
- [#1361](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1361) Fix `prompt=none` redirecting to the login screen
- [#1380](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1380) Fix AttributeError in OAuth2ExtraTokenMiddleware when a custom AccessToken model is used.
- [#1288](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1288) Fix [#1276](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1276) which attempted to resolve [#1092](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1092) for requests that don't have a client_secret per [RFC 6749 4.1.1](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1.1)
- [#1337](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1337) Gracefully handle expired or deleted refresh tokens in `validate_user`.
- Various documentation improvements: [#1410](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1410), [#1408](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1408), [#1405](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1405), [#1399](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1399), [#1401](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1401), [#1396](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1396), [#1375](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1375), [#1162](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1162), [#1315](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1315), [#1307](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1307)
##### Removed
- [#1350](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1350) Remove support for Python 3.7 and Django 2.2
### [`v2.3.0`](https://redirect.github.com/jazzband/django-oauth-toolkit/blob/HEAD/CHANGELOG.md#230-2023-05-31)
[Compare Source](https://redirect.github.com/jazzband/django-oauth-toolkit/compare/2.2.0...2.3.0)
##### WARNING
Issues caused by **Release 2.0.0 breaking changes** continue to be logged. Please **make sure to carefully read these release notes** before
performing a MAJOR upgrade to 2.x.
These issues both result in `{"error": "invalid_client"}`:
1. The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail.
2. `PKCE_REQUIRED` is now `True` by default. You should use PKCE with your client or set `PKCE_REQUIRED=False` if you are unable to fix the client.
##### Added
- Add Japanese (日本語) language support
- [#1244](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1244) Implement [OIDC RP-Initiated Logout](https://openid.net/specs/openid-connect-rpinitiated-1_0.html)
- [#1092](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1092) Allow Authorization Code flow without a client_secret per [RFC 6749 2.3.1](https://www.rfc-editor.org/rfc/rfc6749.html#section-2.3.1)
- [#1264](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1264) Support Django 4.2.
##### Changed
- [#1222](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1222) Remove expired ID tokens alongside access tokens in `cleartokens` management command
- [#1267](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1267), [#1253](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1253), [#1251](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1251), [#1250](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1250), [#1224](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1224), [#1212](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1212), [#1211](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1211) Various documentation improvements
### [`v2.2.0`](https://redirect.github.com/jazzband/django-oauth-toolkit/blob/HEAD/CHANGELOG.md#220-2022-10-18)
[Compare Source](https://redirect.github.com/jazzband/django-oauth-toolkit/compare/2.1.0...2.2.0)
##### Added
- [#1208](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1208) Add 'code_challenge_method' parameter to authorization call in documentation
- [#1182](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1182) Add 'code_verifier' parameter to token requests in documentation
##### Changed
- [#1203](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1203) Support Django 4.1.
##### Fixed
- [#1203](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1203) Remove upper version bound on Django, to allow upgrading to Django 4.1.1 bugfix release.
- [#1210](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1210) Handle oauthlib errors on create token requests
### [`v2.1.0`](https://redirect.github.com/jazzband/django-oauth-toolkit/blob/HEAD/CHANGELOG.md#210-2022-06-19)
[Compare Source](https://redirect.github.com/jazzband/django-oauth-toolkit/compare/2.0.0...2.1.0)
##### Added
- [#1164](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1164) Support `prompt=login` for the OIDC Authorization Code Flow end user [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
- [#1163](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1163) Add French (fr) translations.
- [#1166](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1166) Add Spanish (es) translations.
##### Changed
- [#1152](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1152) `createapplication` management command enhanced to display an auto-generated secret before it gets hashed.
- [#1172](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1172), [#1159](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1159), [#1158](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1158) documentation improvements.
##### Fixed
- [#1147](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1147) Fixed 2.0.0 implementation of [hashed](https://docs.djangoproject.com/en/stable/topics/auth/passwords/) client secret to work with swapped models.
### [`v2.0.0`](https://redirect.github.com/jazzband/django-oauth-toolkit/blob/HEAD/CHANGELOG.md#200-2022-04-24)
[Compare Source](https://redirect.github.com/jazzband/django-oauth-toolkit/compare/1.7.1...2.0.0)
This is a major release with **BREAKING** changes. Please make sure to review these changes before upgrading:
##### Added
- [#1106](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1106) OIDC: Add "scopes_supported" to the [ConnectDiscoveryInfoView](https://django-oauth-toolkit.readthedocs.io/en/latest/oidc.html#connectdiscoveryinfoview).
This completes the view to provide all the REQUIRED and RECOMMENDED [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
- [#1128](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1128) Documentation: [Tutorial](https://django-oauth-toolkit.readthedocs.io/en/latest/tutorial/tutorial_05.html)
on using Celery to automate clearing expired tokens.
##### Changed
- [#1129](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1129) (**Breaking**) Changed the default value of `PKCE_REQUIRED` to `True`. This is a **breaking change**. Clients without
PKCE enabled will fail to authenticate. This departs from [section 5 of RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636)
in favor of the [OAuth2 Security Best Practices for Authorization Code Grants](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-2.1).
If you want to retain the pre-2.x behavior, set `PKCE_REQUIRED = False` in your settings.py.
- [#1093](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1093) (**Breaking**) Changed to implement [hashed](https://docs.djangoproject.com/en/stable/topics/auth/passwords/)
`client_secret` values. This is a **breaking change** that will migrate all your existing
cleartext `application.client_secret` values to be hashed with Django's default password hashing algorithm
and cannot be reversed. When adding or modifying an Application in the Admin console, you must copy the
auto-generated or manually-entered `client_secret` before hitting Save.
- [#1108](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1108) OIDC: (**Breaking**) Add default configurable OIDC standard scopes that determine which claims are returned.
If you've [customized OIDC responses](https://django-oauth-toolkit.readthedocs.io/en/latest/oidc.html#customizing-the-oidc-responses)
and want to retain the pre-2.x behavior, set `oidc_claim_scope = None` in your subclass of `OAuth2Validator`.
- [#1108](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1108) OIDC: Make the `access_token` available to `get_oidc_claims` when called from `get_userinfo_claims`.
- [#1132](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1132): Added `--algorithm` argument to `createapplication` management command
##### Fixed
- [#1108](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1108) OIDC: Fix `validate_bearer_token()` to properly set `request.scopes` to the list of granted scopes.
- [#1132](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1132): Fixed help text for `--skip-authorization` argument of the `createapplication` management command.
##### Removed
- [#1124](https://redirect.github.com/jazzband/django-oauth-toolkit/issues/1124) (**Breaking**, **Security**) Removes support for insecure `urn:ietf:wg:oauth:2.0:oob` and `urn:ietf:wg:oauth:2.0:oob:auto` which are replaced
by [RFC 8252](https://datatracker.ietf.org/doc/html/rfc8252) "OAuth 2.0 for Native Apps" BCP. Google has
[deprecated use of oob](https://developers.googleblog.com/2022/02/making-oauth-flows-safer.html?m=1#disallowed-oob) with
a final end date of 2022-10-03. If you still rely on oob support in django-oauth-toolkit, do not upgrade to this release.
Configuration
📅 Schedule: Branch creation - "every weekend" in timezone US/Eastern, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR contains the following updates: `django-oauth-toolkit` `^1.7.0` -> `^2.0.0`
Release Notes
This PR was generated by Mend Renovate.