
chore(api): update dependency django-oauth-toolkit to v3 (develop) - autoclosed

This MR contains the following updates:

Package              | Type         | Update | Change
django-oauth-toolkit | dependencies | major  | 2.2.0 -> 3.0.1

Release Notes

jazzband/django-oauth-toolkit (django-oauth-toolkit)

v3.0.1

Compare Source

Fixed
  • #1491 Fix migration error when there are pre-existing Access Tokens.

v3.0.0

Compare Source

WARNING - POTENTIAL BREAKING CHANGES
  • Changes to the AbstractAccessToken model require doing a manage.py migrate after upgrading.
  • If you use swappable models you will need to make sure your custom models are also updated (usually manage.py makemigrations).
  • Old Django versions below 4.2 are no longer supported.
  • A few deprecations warned about in 2.4.0 (#1345) have been removed. See below.
Added
  • #1366 Add Docker containerized apps for testing IDP and RP.
  • #1454 Added compatibility with LoginRequiredMiddleware introduced in Django 5.1.
Changed
  • Many documentation and project internals improvements.
  • #1446 Use the generic model pk instead of id. This enables, for example, custom swapped models to have a different primary key field.
  • #1447 Update token to TextField from CharField. Removing the 255 character limit enables supporting JWT tokens with additional claims. This adds a SHA-256 token_checksum field that is used to validate tokens.
  • #1450 Transactions wrapping writes of the Tokens now rely on Django's database routers to determine the correct database to use instead of assuming that 'default' is the correct one.
  • #1455 Changed minimum supported Django version to >=4.2.
Removed
Fixed
  • #1444, #1476 Fix several 500 errors to instead raise appropriate errors.
  • #1469 Fix ui_locales request parameter triggering AttributeError under certain circumstances.
Security

v2.4.0

Compare Source

WARNING

Issues caused by Release 2.0.0 breaking changes continue to be logged. Please make sure to carefully read these release notes before performing a MAJOR upgrade to 2.x.

These issues both result in {"error": "invalid_client"}:

  1. The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail.

  2. PKCE_REQUIRED is now True by default. You should use PKCE with your client or set PKCE_REQUIRED=False if you are unable to fix the client.

If you are going to revert migration 0006, note that a previously hashed client_secret cannot be reverted!
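As an added illustration of the PKCE requirement described in the warning above (this is not code from the django-oauth-toolkit project or from this MR), the following Python computes an RFC 7636 code_verifier and its S256 code_challenge on the client side and performs the matching check an authorization server does at the token endpoint. Function names are my own; the check vector used in the self-test is the one published in RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets
import string

# Character set RFC 7636 section 4.1 allows in a code_verifier.
_UNRESERVED = set(string.ascii_letters + string.digits + "-._~")


def _b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: a high-entropy secret kept until the token request.
    32 random bytes base64url-encode to 43 characters, the RFC minimum."""
    return _b64url(secrets.token_bytes(n_bytes))


def is_valid_code_verifier(code_verifier: str) -> bool:
    """RFC 7636: 43 to 128 characters drawn from the unreserved set."""
    return 43 <= len(code_verifier) <= 128 and set(code_verifier) <= _UNRESERVED


def make_code_challenge(code_verifier: str) -> str:
    """Client side, S256 method: BASE64URL(SHA256(ASCII(code_verifier))).
    This value goes on the /authorize request; the verifier stays with the client."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def verify_pkce(code_verifier: str, code_challenge: str, method: str = "S256") -> bool:
    """Server side, at the token endpoint: recompute the challenge that was stored
    with the authorization code and compare it in constant time. A verifier that
    fails the RFC length/charset rules is rejected before any comparison."""
    if not is_valid_code_verifier(code_verifier):
        return False
    if method == "S256":
        expected = make_code_challenge(code_verifier)
    elif method == "plain":
        expected = code_verifier
    else:
        return False
    return secrets.compare_digest(expected, code_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    print("code_challenge to send on /authorize:", challenge)
    print("server accepts matching verifier:", verify_pkce(verifier, challenge))
    print("server rejects a different verifier:", verify_pkce(make_code_verifier(), challenge))
```

With PKCE_REQUIRED left at its default of True, a client that omits code_challenge on the authorization request, or sends a verifier that does not hash to the stored challenge, gets the invalid_client style failures the warning describes; the fix is to add this exchange to the client rather than to disable the check.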

Added
Fixed
  • #1292 Always interpret EXP in AccessToken as UTC instead of the (possibly) local time zone. Use the setting AUTHENTICATION_SERVER_EXP_TIME_ZONE to enable a different time zone in case the remote authentication server does not provide EXP in UTC.
  • #1323 Fix instructions in documentation on how to create a code challenge and code verifier.
  • #1284 Fix a 500 error when trying to log out with no id_token_hint even if the browser session already expired.
  • #1296 Added reverse function in migration 0006_alter_application_client_secret. Note that reversing this migration cannot undo a hashed client_secret.
  • #1345 Fix encapsulation for Redirect URI scheme validation. Deprecates RedirectURIValidator in favor of AllowedURIValidator.
  • #1357 Move import of setting_changed signal from test to django core modules.
  • #1361 Fix prompt=none redirects to login screen.
  • #1380 Fix AttributeError in OAuth2ExtraTokenMiddleware when a custom AccessToken model is used.
  • #1288 Fix #1276, which attempted to resolve #1092, for requests that don't have a client_secret per RFC 6749 4.1.1.
  • #1337 Gracefully handle expired or deleted refresh tokens in validate_user.
  • Various documentation improvements: #1410, #1408, #1405, #1399, #1401, #1396, #1375, #1162, #1315, #1307
Removed
  • #1350 Remove support for Python 3.7 and Django 2.2.

v2.3.0

Compare Source

WARNING

Issues caused by Release 2.0.0 breaking changes continue to be logged. Please make sure to carefully read these release notes before performing a MAJOR upgrade to 2.x.

These issues both result in {"error": "invalid_client"}:

  1. The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail.

  2. PKCE_REQUIRED is now True by default. You should use PKCE with your client or set PKCE_REQUIRED=False if you are unable to fix the client.

Added
Changed

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.


This MR has been generated by Renovate Bot.
