Skip to content

Update dependency django-oauth-toolkit to v2 (develop)

RenovateBot requested to merge renovate/develop-django-oauth-toolkit-2.x into develop

This MR contains the following updates:

Package Type Update Change
django-oauth-toolkit dependencies major ==1.7.1 -> ==2.2.0

Release Notes



Compare Source


Issues caused by Release 2.0.0 breaking changes continue to be logged. Please make sure to carefully read these release notes before performing a MAJOR upgrade to 2.x.

These issues both result in {"error": "invalid_client"}:

  1. The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail.

  2. PKCE_REQUIRED is now True by default. You should use PKCE with your client or set PKCE_REQUIRED=False if you are unable to fix the client.

  • #​1208 Add 'code_challenge_method' parameter to authorization call in documentation
  • #​1182 Add 'code_verifier' parameter to token requests in documentation
  • #​1203 Remove upper version bound on Django, to allow upgrading to Django 4.1.1 bugfix release.
  • #​1210 Handle oauthlib errors on create token requests


Compare Source

  • #​1152 createapplication management command enhanced to display an auto-generated secret before it gets hashed.
  • #​1172, #​1159, #​1158 documentation improvements.
  • #​1147 Fixed 2.0.0 implementation of hashed client secret to work with swapped models.


Compare Source

This is a major release with BREAKING changes. Please make sure to review these changes before upgrading:

  • #​1129 (Breaking) Changed default value of PKCE_REQUIRED to True. This is a breaking change. Clients without PKCE enabled will fail to authenticate. This breaks with section 5 of RFC7636 in favor of the OAuth2 Security Best Practices for Authorization Code Grants. If you want to retain the pre-2.x behavior, set PKCE_REQUIRED = False in your
  • #​1093 (Breaking) Changed to implement hashed client_secret values. This is a breaking change that will migrate all your existing cleartext application.client_secret values to be hashed with Django's default password hashing algorithm and can not be reversed. When adding or modifying an Application in the Admin console, you must copy the auto-generated or manually-entered client_secret before hitting Save.
  • #​1108 OIDC: (Breaking) Add default configurable OIDC standard scopes that determine which claims are returned. If you've customized OIDC responses and want to retain the pre-2.x behavior, set oidc_claim_scope = None in your subclass of OAuth2Validator.
  • #​1108 OIDC: Make the access_token available to get_oidc_claims when called from get_userinfo_claims.
  • #​1132: Added --algorithm argument to createapplication management command
  • #​1108 OIDC: Fix validate_bearer_token() to properly set request.scopes to the list of granted scopes.
  • #​1132: Fixed help text for --skip-authorization argument of the createapplication management command.
  • #​1124 (Breaking, Security) Removes support for insecure urn:ietf:wg:oauth:2.0:oob and urn:ietf:wg:oauth:2.0:oob:auto which are replaced by RFC 8252 "OAuth 2.0 for Native Apps" BCP. Google has deprecated use of oob with a final end date of 2022-10-03. If you still rely on oob support in django-oauth-toolkit, do not upgrade to this release.


📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

  • If you want to rebase/retry this MR, check this box

This MR has been generated by Renovate Bot.

Merge request reports