neodb-social / neodb

🧩 NeoDB is a self-hosted server tracking what you read/watch/listen/play, powering a global distributed community federating via ActivityPub.
https://neodb.net
GNU Affero General Public License v3.0

Bump django-oauth-toolkit from 2.3.0 to 3.0.1 #749

Closed dependabot[bot] closed 4 weeks ago

dependabot[bot] commented 1 month ago

Bumps django-oauth-toolkit from 2.3.0 to 3.0.1.

Release notes

Sourced from django-oauth-toolkit's releases.

Release 3.0.1

bugfix #1491 Fix migration error when there are pre-existing Access Tokens.

Release 3.0.0

WARNING - POTENTIAL BREAKING CHANGES

  • Changes to the AbstractAccessToken model require doing a manage.py migrate after upgrading.
  • If you use swappable models you will need to make sure your custom models are also updated (usually manage.py makemigrations).
  • Old Django versions below 4.2 are no longer supported.
  • A few deprecations warned about in 2.4.0 (#1345) have been removed. See below.

Added

  • #1366 Add Docker containerized apps for testing IDP and RP.
  • #1454 Added compatibility with LoginRequiredMiddleware introduced in Django 5.1.

Changed

  • Many documentation and project internals improvements.
  • #1446 Use generic models pk instead of id. This enables, for example, custom swapped models to have a different primary key field.
  • #1447 Update token to TextField from CharField. Removing the 255 character limit enables supporting JWT tokens with additional claims. This adds a SHA-256 token_checksum field that is used to validate tokens.
  • #1450 Transactions wrapping writes of the Tokens now rely on Django's database routers to determine the correct database to use instead of assuming that 'default' is the correct one.
  • #1455 Changed minimum supported Django version to >=4.2.

Removed

  • #1425 Remove deprecated RedirectURIValidator, WildcardSet per #1345; validate_logout_request per #1274

Fixed

  • #1444, #1476 Fix several 500 errors to instead raise appropriate errors.
  • #1469 Fix ui_locales request parameter triggering AttributeError under certain circumstances

Security

Release 2.4.0

[2.4.0] - 2024-05-13

WARNING

Issues caused by Release 2.0.0 breaking changes continue to be logged. Please make sure to carefully read these release notes before performing a MAJOR upgrade to 2.x.

These issues both result in {"error": "invalid_client"}:

  1. The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail.

  2. PKCE_REQUIRED is now True by default. You should use PKCE with your client or set PKCE_REQUIRED=False if you are unable to fix the client.

... (truncated)

Changelog

Sourced from django-oauth-toolkit's changelog.

[3.0.1] - 2024-09-07

Fixed

  • #1491 Fix migration error when there are pre-existing Access Tokens.

[3.0.0] - 2024-09-05

WARNING - POTENTIAL BREAKING CHANGES

  • Changes to the AbstractAccessToken model require doing a manage.py migrate after upgrading.
  • If you use swappable models you will need to make sure your custom models are also updated (usually manage.py makemigrations).
  • Old Django versions below 4.2 are no longer supported.
  • A few deprecations warned about in 2.4.0 (#1345) have been removed. See below.

Added

  • #1366 Add Docker containerized apps for testing IDP and RP.
  • #1454 Added compatibility with LoginRequiredMiddleware introduced in Django 5.1.

Changed

  • Many documentation and project internals improvements.
  • #1446 Use generic models pk instead of id. This enables, for example, custom swapped models to have a different primary key field.
  • #1447 Update token to TextField from CharField. Removing the 255 character limit enables supporting JWT tokens with additional claims. This adds a SHA-256 token_checksum field that is used to validate tokens.
  • #1450 Transactions wrapping writes of the Tokens now rely on Django's database routers to determine the correct database to use instead of assuming that 'default' is the correct one.
  • #1455 Changed minimum supported Django version to >=4.2.

Removed

  • #1425 Remove deprecated RedirectURIValidator, WildcardSet per #1345; validate_logout_request per #1274

Fixed

  • #1444, #1476 Fix several 500 errors to instead raise appropriate errors.
  • #1469 Fix ui_locales request parameter triggering AttributeError under certain circumstances

Security

[2.4.0] - 2024-05-13

WARNING

Issues caused by Release 2.0.0 breaking changes continue to be logged. Please make sure to carefully read these release notes before performing a MAJOR upgrade to 2.x.

These issues both result in {"error": "invalid_client"}:

  1. The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail.

  2. PKCE_REQUIRED is now True by default. You should use PKCE with your client or set PKCE_REQUIRED=False if you are unable to fix the client.

... (truncated)

Commits
  • 1d19e54 3.0.1: fix for migration error on upgrade to 3.0.0 (#1491)
  • f220235 Fix test for changed error message from newer Django (djmain) (#1486)
  • 5ce5e7f Release 3.0.0 Changelog, version and minor version dependency updates. See a...
  • 72d0551 add link to new gh discussions (#1480)
  • 9561866 Honor database assignment from router (#1450)
  • 1d19e3d bump oauthlib to 3.2.2 (#1481)
  • 62508b4 Raise InvalidGrantError if no grant associated with auth code exists (#1476)
  • aede24b [pre-commit.ci] pre-commit autoupdate (#1475)
  • 3b429c9 Bump svelte from 4.2.18 to 4.2.19 in /tests/app/rp (#1473)
  • e63999d Work around double parsing of ui_locales (#1469)
  • Additional commits viewable in compare view



Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
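The release notes above warn that PKCE_REQUIRED defaults to True since django-oauth-toolkit 2.x, so a client that omits PKCE gets `{"error": "invalid_client"}`. The following is an added example, not code from NeoDB or django-oauth-toolkit, showing the RFC 7636 S256 flow a client must implement and the check a PKCE-enforcing server performs; CLIENT_ID and REDIRECT_URI are constructed placeholders.

```python
import base64
import hashlib
import secrets

# Constructed placeholder values for illustration; not from the NeoDB project.
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://client.example.invalid/callback"


def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 code_verifier: 43-128 unreserved chars; 32 random bytes -> 43 chars."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorize_params(verifier: str, state: str) -> dict:
    """Query parameters the client sends to the authorization endpoint (challenge only)."""
    return {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }


def token_params(code: str, verifier: str) -> dict:
    """Body of the token request; the verifier, never the challenge, is sent here."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }


def server_verifies(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Server side: recompute the challenge from the presented verifier and compare."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    if method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif method == "plain":
        expected = presented_verifier
    else:
        return False
    return secrets.compare_digest(expected, stored_challenge)
```

The test vector in the checks below is the one from RFC 7636 Appendix B; a verifier that does not match the stored challenge, or a wrong method, is rejected.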
dependabot[bot] commented 4 weeks ago

Looks like django-oauth-toolkit is no longer a dependency, so this is no longer needed.