
Releases: City-of-Helsinki/django-helusers

v0.12.0

20 May 12:22

What's Changed

  • feat: define new setting ALLOWED_ALGORITHMS by @voneiden in #100
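Added example, not django-helusers code: a minimal JWT verifier that shows why an algorithm allowlist like the ALLOWED_ALGORITHMS setting has to be applied to the token header before any signature work is done. Only HS256 is implemented, with the standard library so it runs offline; the function and parameter names, the demo key and the claim values are assumptions for illustration.

```python
# Added example (not django-helusers code): enforce an algorithm allowlist
# before verifying a JWT signature. Standard library only; HS256 only.
import base64
import hashlib
import hmac
import json
import time


class InvalidToken(Exception):
    """Raised for any token the verifier refuses."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build an HS256-signed token. `alg` only controls what the header
    advertises, so a caller can produce a header that lies about the algorithm."""
    parts = [json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")),
             json.dumps(claims, separators=(",", ":"))]
    signing_input = ".".join(_b64url_encode(p.encode()) for p in parts)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token, key, allowed_algorithms, audience, issuers, leeway=0, now=None):
    """Verify and decode. Order matters: a disallowed alg is rejected before the
    signature is even looked at, so "none" (empty signature) or a swapped
    algorithm never reaches the HMAC comparison. exp is checked with `leeway`;
    iat is deliberately not bounded."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:  # wrong part count, bad base64 or bad JSON
        raise InvalidToken("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise InvalidToken("malformed token")
    alg = header.get("alg")
    if alg not in allowed_algorithms:
        raise InvalidToken(f"algorithm {alg!r} is not in the allowlist")
    if alg != "HS256":
        raise InvalidToken(f"algorithm {alg!r} is allowed but not implemented here")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidToken("signature does not verify")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now > claims["exp"] + leeway:
        raise InvalidToken("token expired or exp missing")
    if claims.get("iss") not in issuers:
        raise InvalidToken("issuer not trusted")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("audience mismatch")
    return claims


def forge_alg_none(token: str) -> str:
    """Rewrite a token's header to alg=none and drop the signature: the classic
    downgrade that a verifier without an allowlist may accept."""
    _, payload_b64, _ = token.split(".")
    header_b64 = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header_b64}.{payload_b64}."


# Constructed demo inputs (not a real key, issuer or token).
DEMO_KEY = b"constructed-demo-key-not-for-production"
DEMO_ISSUERS = ["https://issuer-a.example", "https://issuer-b.example"]
DEMO_CLAIMS = {"iss": "https://issuer-b.example", "aud": "demo-api",
               "sub": "user-1", "iat": 1_000, "exp": 2_000}


def is_rejected(token: str, **kwargs) -> bool:
    """True when verify_token refuses `token` under the demo configuration."""
    try:
        verify_token(token, DEMO_KEY, ["HS256"], "demo-api", DEMO_ISSUERS, **kwargs)
        return False
    except InvalidToken:
        return True


if __name__ == "__main__":
    good = make_hs256_token(DEMO_CLAIMS, DEMO_KEY)
    print("valid token accepted:", not is_rejected(good, now=1_500))
    print("alg=none downgrade rejected:", is_rejected(forge_alg_none(good), now=1_500))
```

The allowlist check comes first on purpose: libraries that pick the verification routine from the header's alg are the ones that were hit by alg=none and RS256-to-HS256 confusion, and an explicit list of accepted algorithms closes both.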

Full Changelog: v0.11.0...v0.12.0

v0.11.0

15 Mar 07:32

Changed

  • Add Django admin logout support for Django 5.0
  • Add code quality tooling: black, isort, flake8, commitlint, pre-commit
  • Run code quality tools and do the necessary fixes

v0.10.0

07 Mar 13:36

Changed

  • Drop support for Python 3.7 and older
  • Add support for Python 3.12
  • Require at least Django 3.2
  • Add support for Django 5.0, which removed PickleSerializer, by adding a new session serializer, TunnistamoOIDCSerializer, that can handle the session data produced by the custom helusers.defaults.SOCIAL_AUTH_PIPELINE pipeline. Moving off pickle is also the safer choice: a pickle-based session serializer turns a leaked SECRET_KEY into arbitrary code execution on session load, which is why Django deprecated it.
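Added example, not the project's TunnistamoOIDCSerializer: a pickle-free session serializer with the dumps()/loads() interface that Django's SESSION_SERIALIZER setting expects (bytes in, bytes out). Which objects the real serializer has to carry is not stated above; datetime, date and UUID are assumed here as representative values that plain JSON cannot encode, and the sample session content is constructed.

```python
# Added example (not django-helusers code): a tagged-JSON session serializer
# that replaces pickle. Unknown object types fail loudly instead of being
# pickled, so a leaked SECRET_KEY cannot become code execution on load.
import json
import uuid
from datetime import date, datetime, timezone


class TaggedJSONSerializer:
    """Same dumps()/loads() contract as django.core.signing.JSONSerializer,
    plus a small tagging scheme for values JSON has no native form for."""

    TAG = "__type__"

    def _default(self, obj):
        # datetime is a subclass of date, so it has to be tested first.
        if isinstance(obj, datetime):
            return {self.TAG: "datetime", "value": obj.isoformat()}
        if isinstance(obj, date):
            return {self.TAG: "date", "value": obj.isoformat()}
        if isinstance(obj, uuid.UUID):
            return {self.TAG: "uuid", "value": str(obj)}
        raise TypeError(f"{type(obj).__name__} is not JSON serializable")

    def _object_hook(self, obj):
        # Only dicts shaped exactly like {TAG, value} are treated as tagged.
        if set(obj) != {self.TAG, "value"}:
            return obj
        tag, value = obj[self.TAG], obj["value"]
        if tag == "datetime":
            return datetime.fromisoformat(value)
        if tag == "date":
            return date.fromisoformat(value)
        if tag == "uuid":
            return uuid.UUID(value)
        raise ValueError(f"unknown tag {tag!r}")

    def dumps(self, obj) -> bytes:
        return json.dumps(obj, default=self._default,
                          separators=(",", ":")).encode("latin-1")

    def loads(self, data: bytes):
        return json.loads(data.decode("latin-1"), object_hook=self._object_hook)


def roundtrip(obj):
    """Serialize and deserialize with a fresh serializer instance."""
    serializer = TaggedJSONSerializer()
    return serializer.loads(serializer.dumps(obj))


def rejects(obj) -> bool:
    """True when the serializer refuses an object instead of encoding it."""
    try:
        TaggedJSONSerializer().dumps(obj)
        return False
    except TypeError:
        return True


# Constructed session content resembling what an OIDC login pipeline might keep.
SAMPLE_SESSION = {
    "oidc_id_token_expires": datetime(2024, 5, 20, 12, 22, tzinfo=timezone.utc),
    "birthdate": date(1990, 1, 2),
    "user_uuid": uuid.UUID("12345678-1234-5678-1234-567812345678"),
    "amr": ["pwd"],
}

if __name__ == "__main__":
    print(roundtrip(SAMPLE_SESSION) == SAMPLE_SESSION)   # True
    print(rejects({"callback": object()}))                # True
```

Session data is written by the server and signed, so the tag key cannot be injected by a client; still, anything the application itself stores under a dict of exactly the shape {"__type__", "value"} would be decoded as a tagged value, which is the trade-off of any in-band tagging scheme.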

v0.9.0

09 Aug 14:52

Fixed

  • ApiTokenAuthentication again validates the aud claim. The claim was not validated when drf-oidc-auth 1.0.0 or newer was installed.

Added

  • Ability to use "dot notation" in API_AUTHORIZATION_FIELD setting for searching api scopes from deeper in the claims
  • Documentation about social auth pipeline configuration

Removed

  • Removed drf-oidc-auth requirement when using ApiTokenAuthentication. Django REST framework is still required.

Changed

  • API_AUTHORIZATION_FIELD and API_SCOPE_PREFIX settings now support a list of strings

  • ApiTokenAuthentication is no longer a subclass of oidc_auth.authentication.JSONWebTokenAuthentication but a direct subclass of rest_framework.authentication.BaseAuthentication

  • ApiTokenAuthentication uses the same JWT class as RequestJWTAuthentication for the token validation

    • Changed methods:
      • decode_jwt can raise jose.JWTError exception
      • get_oidc_config no longer returns oidc configuration dictionary but an OIDCConfig instance
      • validate_claims still exists and is called, but doesn't do anything
    • Removed methods:
      • get_audiences
      • jwks
      • jwks_data
      • oidc_config
    • Removed properties:
      • claims_options
      • issuer
  • ApiTokenAuthentication now supports multiple issuers. Previously it accepted multiple issuers in the settings but could only use the first issuer.

  • ApiTokenAuthentication.authenticate no longer raises AuthenticationError when the Authorization header carries the correct scheme but not a valid JWT. It now returns None, which means this authenticator did not succeed and the next configured authenticator may be tried.

  • ApiTokenAuthentication now rejects tokens if they are invalidated with back-channel log out

  • amr claim is no longer validated in ApiTokenAuthentication

  • The issued-at (iat) claim is no longer bounded by the OIDC_LEEWAY oidc_auth setting (default 10 minutes) when using ApiTokenAuthentication, i.e. a token may have been issued arbitrarily long ago as far as the iat check is concerned.

  • User is no longer created if token is correct but is missing the required API scopes in ApiTokenAuthentication
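Added example, not django-helusers code, covering the API_AUTHORIZATION_FIELD and API_SCOPE_PREFIX changes above: resolving API scopes from token claims when the field is a plain claim name, a dotted path into nested claims, or a list of either, and when the prefix is a single string or a list. The matching rule used here (access is granted when at least one token scope starts with one of the configured prefixes), the literal-key-before-dotted-path lookup order and the sample claim layouts are assumptions for illustration, not the library's documented behaviour.

```python
# Added example (not django-helusers code): scope lookup with dotted claim
# paths and list-valued settings. All names and rules are assumptions.


def _as_list(value):
    """Settings and claim values may be a single string or a list; normalise."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return list(value)


def resolve_claim_path(claims: dict, path: str):
    """Look up `path` in `claims`. A literal key is tried first because claim
    names are often URLs ("https://api.hel.fi/auth") whose dots are not
    separators; otherwise the path is split on dots and walked through nested
    dicts. Returns None when any step is missing."""
    if path in claims:
        return claims[path]
    node = claims
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def collect_api_scopes(claims: dict, authorization_fields) -> list:
    """Gather scopes from every configured field, keeping order and dropping
    duplicates. Values that are not a string or list of strings (a dict, a
    number) are ignored rather than mistaken for scopes."""
    scopes = []
    for field in _as_list(authorization_fields):
        value = resolve_claim_path(claims, field)
        if isinstance(value, (str, list, tuple)):
            for scope in _as_list(value):
                if isinstance(scope, str) and scope not in scopes:
                    scopes.append(scope)
    return scopes


def has_required_scope(scopes, scope_prefixes) -> bool:
    """Assumed rule: any scope under any configured prefix is sufficient."""
    prefixes = _as_list(scope_prefixes)
    return any(scope.startswith(prefix) for scope in scopes for prefix in prefixes)


def authorize(claims: dict, authorization_fields, scope_prefixes) -> bool:
    """Whole decision for an already signature-verified token. A token without
    a matching scope is not authorised, and the caller should neither create a
    user record nor treat the request as authenticated."""
    return has_required_scope(collect_api_scopes(claims, authorization_fields),
                              scope_prefixes)


# Constructed sample claims shaped after two common layouts: a flat URL-named
# claim and a nested "authorization" object reached by a dotted path.
SAMPLE_CLAIMS = {
    "sub": "user-1",
    "https://api.hel.fi/auth": ["profile.read"],
    "authorization": {"permissions": {"scopes": ["kerrokantasi.read",
                                                 "kerrokantasi.write"]}},
}
FIELDS = ["https://api.hel.fi/auth", "authorization.permissions.scopes"]

if __name__ == "__main__":
    print(collect_api_scopes(SAMPLE_CLAIMS, FIELDS))
    print(authorize(SAMPLE_CLAIMS, FIELDS, "kerrokantasi"))   # True
    print(authorize(SAMPLE_CLAIMS, FIELDS, "linkedevents"))   # False
```

Trying the literal key before splitting on dots is what keeps URL-style claim names working once dotted paths are allowed; without it, "https://api.hel.fi/auth" would be walked as a path and never found.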

0.8.1

04 Apr 13:14

Fixed

  • Admin site logout view caching with Django 4
  • Convert an amr claim that arrives as a plain string (instead of the expected array) into an array in JWT

0.8.0

17 Mar 07:18

Added

  • Support for Python 3.10 & 3.11
  • Support for Django >=4.0

Removed

  • Support for Python 3.6
  • Support for Django 2.2

0.7.1

12 Apr 12:53

Changed

  • Handle a list of configured issuers in ApiTokenAuthentication
  • Require Django version < 4

0.7.0

16 Aug 06:04

Added

Changed

  • Set required Django version to 2.2 and later.

Removed

  • The key_provider argument of the helusers.oidc.RequestJWTAuthentication.__init__ method was removed. It existed only for test support, and the tests have been modified so that it is no longer needed.

0.6.1

15 Jun 13:05

Added

  • Set django-helusers' default auto field to django.db.models.AutoField for Django versions >=3.2 to avoid unwanted migrations.

0.6.0

19 Jan 07:55

Added

  • An authentication/JWT validation service with minimal external dependencies: helusers.oidc.RequestJWTAuthentication.

Changed

  • Supported Python versions: 3.6-3.9.
  • Previously drf-oidc-auth was a hard dependency of django-helusers. That is no longer the case. Within django-helusers the drf-oidc-auth package is used only by the helusers.oidc.ApiTokenAuthentication class; if you want to keep using that class, add drf-oidc-auth to your project as an explicit dependency.
  • django-helusers has depended heavily on Django REST Framework (DRF), even for users who otherwise had no need for DRF. That dependency has been removed: it is now possible to use django-helusers without DRF.

Fixed

  • Whenever django-helusers returns or provides a User object, the uuid field is always of type UUID (previously it was sometimes of type str).