
[2.4.0] - 2024-05-13

WARNING

Issues caused by Release 2.0.0 breaking changes continue to be logged. Please make sure to carefully read these release notes before performing a MAJOR upgrade to 2.x.

These issues both result in {"error": "invalid_client"}:

  1. The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail.

  2. PKCE_REQUIRED is now True by default. You should use PKCE with your client or set PKCE_REQUIRED=False if you are unable to fix the client.

If you are going to revert migration 0006, note that a previously hashed client_secret cannot be reverted!
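As an added example of the PKCE flow that item 2 asks clients to use (this is not code from the project or from these release notes): the verifier and S256 challenge are computed as RFC 7636 specifies, and verify_code_challenge is the check an authorization server performs when the code is exchanged. The client id, redirect URI and the /o/authorize/ mount point are assumed values.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Random verifier; 32 bytes encode to 43 chars, the RFC 7636 minimum."""
    return _b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_params(client_id: str, redirect_uri: str, verifier: str) -> dict:
    """Query parameters the client sends with the authorization request."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }


def verify_code_challenge(verifier: str, challenge: str, method: str = "S256") -> bool:
    """Server-side check on the token request: recompute and compare in constant time."""
    if method == "S256":
        expected = make_code_challenge(verifier)
    elif method == "plain":
        expected = verifier
    else:
        return False  # unknown method: reject rather than fall back
    return hmac.compare_digest(expected.encode("utf-8"), challenge.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample values; /o/authorize/ is the tutorial's mount point for the provider URLs.
    v = make_code_verifier()
    params = build_authorize_params("example-client-id", "https://app.example/callback", v)
    print("GET /o/authorize/?" + urlencode(params))
    # The later token request carries code_verifier=v; the server recomputes the challenge.
    print("server accepts:", verify_code_challenge(v, params["code_challenge"]))
```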

Added

  • [#1304] Add OAuth2ExtraTokenMiddleware for adding the access token to the request. See "Setup a provider" in the Tutorial.
  • [#1273] Performance improvement: cache the loading of the OIDC private key.
  • [#1285] Add the post_logout_redirect_uris field to the Application Registration form.
  • [#1311], [#1334] (Security) Add an option to disable client_secret hashing so that JWT signatures can be verified when using HS256 keys. This means your client secret will be stored in cleartext, but it is the only way to successfully use HS256-signed JWTs.
  • [#1350] Support Python 3.12 and Django 5.0.
  • [#1367] Add the code_challenge_methods_supported property to the auto-discovery information, per RFC 8414 section 2.
  • [#1328] Add the ability to define how a user profile is stored.

Fixed

  • [#1292] Always interpret EXP in AccessToken as UTC instead of the (possibly) local time zone. Use the AUTHENTICATION_SERVER_EXP_TIME_ZONE setting to select a different time zone if the remote authentication server does not provide EXP in UTC.
  • [#1323] Fix the instructions in the documentation on how to create a code challenge and code verifier.
  • [#1284] Fix a 500 error when trying to log out with no id_token_hint even if the browser session has already expired.
  • [#1296] Add a reverse function to migration 0006_alter_application_client_secret. Note that reversing this migration cannot undo a hashed client_secret.
  • [#1345] Fix encapsulation for Redirect URI scheme validation. Deprecates RedirectURIValidator in favor of AllowedURIValidator.
  • [#1357] Move the import of the setting_changed signal from test modules to Django core modules.
  • [#1361] Fix prompt=none redirecting to the login screen.
  • [#1380] Fix an AttributeError in OAuth2ExtraTokenMiddleware when a custom AccessToken model is used.
  • [#1288] Fix [#1276], which attempted to resolve [#1092], for requests that don't have a client_secret per RFC 6749 section 4.1.1.
  • [#1337] Gracefully handle expired or deleted refresh tokens in validate_user.
  • Various documentation improvements: [#1410], [#1408], [#1405], [#1399], [#1401], [#1396], [#1375], [#1162], [#1315], [#1307].

Removed

  • [#1350] Remove support for Python 3.7 and Django 2.2.

Source: README.md, updated 2024-05-20