This MR contains the following updates:
Issues caused by Release 2.0.0 breaking changes continue to be logged. Please make sure to carefully read these release notes before performing a MAJOR upgrade to 2.x.
These issues both result in
The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail.
True by default. You should use PKCE with your client or set PKCE_REQUIRED=False if you are unable to fix the client.
- #1208 Add 'code_challenge_method' parameter to authorization call in documentation
- #1182 Add 'code_verifier' parameter to token requests in documentation
- #1203 Support Django 4.1.
- #1203 Remove upper version bound on Django, to allow upgrading to Django 4.1.1 bugfix release.
- #1210 Handle oauthlib errors on create token requests
prompt=login for the OIDC Authorization Code Flow end user Authentication Request.
- #1163 Add French (fr) translations.
- #1166 Add Spanish (es) translations.
createapplication management command enhanced to display an auto-generated secret before it gets hashed.
- #1172, #1159, #1158 documentation improvements.
This is a major release with BREAKING changes. Please make sure to review these changes before upgrading:
- #1106 OIDC: Add "scopes_supported" to the ConnectDiscoveryInfoView. This completes the view to provide all the REQUIRED and RECOMMENDED OpenID Provider Metadata.
- #1128 Documentation: Tutorial on using Celery to automate clearing expired tokens.
- #1129 (Breaking) Changed default value of PKCE_REQUIRED to True. This is a breaking change. Clients without PKCE enabled will fail to authenticate. This breaks with section 5 of RFC 7636 in favor of the OAuth2 Security Best Practices for Authorization Code Grants. If you want to retain the pre-2.x behavior, set PKCE_REQUIRED = False in your settings.py.
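The PKCE requirement described above (and the 2.1.0 advice to fix the client rather than set PKCE_REQUIRED=False), shown as an added example that is not code from these release notes or from django-oauth-toolkit: it builds the RFC 7636 code_verifier and S256 code_challenge a client sends on the authorization and token requests (the parameters #1208 and #1182 document), and performs the server-side comparison that rejects a token request whose verifier does not match. The function names and the parameter dictionaries are illustrative assumptions, not the toolkit's API.

```python
# Added example, not django-oauth-toolkit code: the RFC 7636 PKCE values a client
# must send to a 2.x server, and the server-side check that enforces them.
import base64
import hashlib
import hmac
import secrets

def b64url(raw: bytes) -> str:
    """BASE64URL without '=' padding (RFC 7636 Appendix A)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_code_verifier(n_bytes: int = 32) -> str:
    """Client, RFC 7636 4.1: random verifier of 43..128 chars (32 bytes -> 43 chars)."""
    return b64url(secrets.token_bytes(n_bytes))

def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Client, RFC 7636 4.2: S256 = BASE64URL(SHA256(verifier)); 'plain' exposes the verifier."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")

def authorization_params(client_id: str, redirect_uri: str, verifier: str) -> dict:
    """Authorization request query (#1208 documents code_challenge_method); illustrative dict."""
    return {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
            "code_challenge": make_code_challenge(verifier), "code_challenge_method": "S256"}

def token_params(client_id: str, redirect_uri: str, code: str, verifier: str) -> dict:
    """Token request body (#1182 documents code_verifier); the verifier travels only here."""
    return {"grant_type": "authorization_code", "client_id": client_id,
            "redirect_uri": redirect_uri, "code": code, "code_verifier": verifier}

def server_verifies(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Server, RFC 7636 4.6: recompute from the presented verifier and compare in constant
    time; a mismatch means the token request was not made by whoever started the flow."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    try:
        expected = make_code_challenge(presented_verifier, stored_method)
    except ValueError:
        return False
    return hmac.compare_digest(expected, stored_challenge)
```

The verifier must be generated fresh per authorization request and kept on the client until the token request; only the challenge is sent in the browser-visible authorization URL.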
- #1093 (Breaking) Changed to implement hashed client_secret values. This is a breaking change that will migrate all your existing application.client_secret values to be hashed with Django's default password hashing algorithm and cannot be reversed. When adding or modifying an Application in the Admin console, you must copy the auto-generated or manually-entered client_secret before hitting Save.
- #1108 OIDC: (Breaking) Add default configurable OIDC standard scopes that determine which claims are returned. If you've customized OIDC responses and want to retain the pre-2.x behavior, set oidc_claim_scope = None in your subclass of
- #1108 OIDC: Make the get_oidc_claims when called from
- #1108 OIDC: Fix validate_bearer_token() to properly set request.scopes to the list of granted scopes.
- #1132: Fixed help text for --skip-authorization argument of the
- #1124 (Breaking, Security) Removes support for insecure urn:ietf:wg:oauth:2.0:oob:auto which are replaced by RFC 8252 "OAuth 2.0 for Native Apps" BCP. Google has deprecated use of oob with a final end date of 2022-10-03. If you still rely on oob support in django-oauth-toolkit, do not upgrade to this release.
This MR has been generated by Renovate Bot.