- Add new setting `ALLOWED_ALGORITHMS` with a default value of `["RS256"]`
- Add Django admin logout support for Django 5.0
- Add code quality tooling: black, isort, flake8, commitlint, pre-commit
- Run code quality tools and do the necessary fixes
- Drop support for Python 3.7 and older
- Add support for Python 3.12
- Require at least Django 3.2
- Add support for Django 5.0 by adding a new session serializer `TunnistamoOIDCSerializer`, which can handle session data produced by the custom `helusers.defaults.SOCIAL_AUTH_PIPELINE` pipeline. Django 5.0 removed `PickleSerializer`.
- `ApiTokenAuthentication` again validates the `aud` claim. The `aud` claim wasn't validated if the `drf-oidc-auth` version was 1.0.0 or greater.
- Ability to use "dot notation" in the `API_AUTHORIZATION_FIELD` setting for searching API scopes from deeper in the claims
- Documentation about social auth pipeline configuration
- Removed the `drf-oidc-auth` requirement when using `ApiTokenAuthentication`. Django REST framework is still required.
- `API_AUTHORIZATION_FIELD` and `API_SCOPE_PREFIX` settings now support a list of strings
- `ApiTokenAuthentication` is no longer a subclass of `oidc_auth.authentication.JSONWebTokenAuthentication` but a direct subclass of `rest_framework.authentication.BaseAuthentication`
- `ApiTokenAuthentication` uses the same `JWT` class as `RequestJWTAuthentication` for the token validation
  - Changed methods:
    - `decode_jwt` can raise a `jose.JWTError` exception
    - `get_oidc_config` no longer returns an OIDC configuration dictionary but an `OIDCConfig` instance
    - `validate_claims` still exists and is called, but doesn't do anything
  - Removed methods: `get_audiences`, `jwks`, `jwks_data`, `oidc_config`
  - Removed properties: `claims_options`, `issuer`
- Changed methods:
  - `ApiTokenAuthentication` now supports multiple issuers. Previously it accepted multiple issuers in the settings but could only use the first issuer.
  - `ApiTokenAuthentication.authenticate` no longer raises AuthenticationError if the authorization header contains the correct scheme but not a valid JWT token. Now it just returns `None`, which means the authentication didn't succeed but can be tried with the next authenticator.
  - `ApiTokenAuthentication` now rejects tokens if they are invalidated with back-channel logout
  - The `amr` claim is no longer validated in `ApiTokenAuthentication`
  - The issued-at (`iat`) claim is no longer limited by the `OIDC_LEEWAY` oidc_auth setting (default 10 minutes) when using `ApiTokenAuthentication`, i.e. tokens can be generated as long ago as needed.
- A user is no longer created if the token is correct but is missing the required API scopes in `ApiTokenAuthentication`
- Admin site logout view caching with Django 4
- Turn an invalid string `amr` claim into an array in JWT
- Support for Python 3.10 & 3.11
- Support for Django >=4.0
- Support for Python 3.6
- Support for Django 2.2
- Handle a list of configured issuers in `ApiTokenAuthentication`
- Require Django version < 4
- An OIDC back channel logout endpoint implementation.
- Set required Django version to 2.2 and later.
- The `key_provider` argument of the `helusers.oidc.RequestJWTAuthentication.__init__` method was removed. It existed only for test support, but tests have been modified in a way that it's no longer needed.
- Set django-helusers' default auto field to be `django.db.models.AutoField` for Django versions >= 3.2 to avoid unwanted migrations.
- An authentication/JWT validation service with minimal external dependencies: `helusers.oidc.RequestJWTAuthentication`.
- Supported Python versions: 3.6-3.9.
- Previously `drf-oidc-auth` was a hard dependency in `django-helusers`. That's no longer the case. Within `django-helusers` the `drf-oidc-auth` package is only used by the `helusers.oidc.ApiTokenAuthentication` class. If you want to keep on using that class, make sure you bring `drf-oidc-auth` into your project as an explicit dependency.
- `django-helusers` has been very much dependent on Django REST Framework (DRF), even though the user of `django-helusers` wouldn't otherwise need DRF. This dependency has been removed: it's now possible to use `django-helusers` without DRF.
- Whenever `django-helusers` returns or provides a `User` object, the `uuid` field is always of type `UUID` (previously it was sometimes of type `str`).
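Several entries above concern claim-level checks on an API token: pinning the algorithm via `ALLOWED_ALGORITHMS`, validating the `aud` claim, turning a string `amr` claim into an array, reading API scopes through dot-notation `API_AUTHORIZATION_FIELD` entries, and refusing a token that carries no scope under `API_SCOPE_PREFIX`. The following stdlib-only Python is an added illustration of those checks, not django-helusers' own code: signature verification is deliberately out of scope (it must run before any of this), `make_sample_token` only constructs sample input with a dummy signature, the setting values are constructed, and prefix matching via `startswith` is an assumption about how a scope prefix is applied.

```python
import base64
import json

# Constructed settings mirroring the ones the changelog names; the values are examples only.
ALLOWED_ALGORITHMS = ["RS256"]
API_AUTHORIZATION_FIELD = ["authorization.permissions.scopes", "scope"]  # dot notation and a flat field
API_SCOPE_PREFIX = ["exampleapi"]
EXPECTED_AUDIENCE = "exampleapi"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(data).encode()).decode().rstrip("=")


def make_sample_token(header: dict, claims: dict) -> str:
    """Build a compact JWT with a dummy signature, only to construct sample input."""
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.sig"


def lookup_dotted(claims: dict, path: str):
    """Resolve 'a.b.c' inside nested claims; None if any segment is missing."""
    value = claims
    for part in path.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value


def check_claims(token: str) -> dict:
    """Claim-level checks that belong AFTER signature verification (not done here)."""
    header = json.loads(_b64url_decode(token.split(".")[0]))
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    if header.get("alg") not in ALLOWED_ALGORITHMS:  # pin the algorithm; never trust the header's choice
        raise ValueError(f"alg {header.get('alg')!r} is not allowed")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in ([aud] if isinstance(aud, str) else aud or []):
        raise ValueError("aud claim does not contain the expected audience")
    if isinstance(claims.get("amr"), str):  # turn a string amr into an array
        claims["amr"] = [claims["amr"]]
    scopes = []
    for field in API_AUTHORIZATION_FIELD:  # each configured field may use dot notation
        found = lookup_dotted(claims, field)
        scopes += [found] if isinstance(found, str) else list(found or [])
    api_scopes = [s for s in scopes if any(s.startswith(p) for p in API_SCOPE_PREFIX)]
    if not api_scopes:
        raise ValueError("token lacks the required API scopes; no user should be created")
    return {"amr": claims.get("amr"), "scopes": api_scopes}
```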