Release 2.4.0

[2.4.0] - 2024-05-13

WARNING

Issues caused by Release 2.0.0 breaking changes continue to be logged. Please make sure to carefully read these release notes before
performing a MAJOR upgrade to 2.x.

These issues both result in {"error": "invalid_client"}:

1. The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail.

2. PKCE_REQUIRED is now True by default. You should use PKCE with your client or set PKCE_REQUIRED=False if you are unable to fix the client.

If you are going to revert migration 0006 make note that previously hashed client_secret cannot be reverted!

Added

• #1304 Add OAuth2ExtraTokenMiddleware for adding access token to request.
  See Setup a provider in the Tutorial.
• #1273 Performance improvement: Add caching of loading of OIDC private key.
• #1285 Add post_logout_redirect_uris field in the Application Registration form
• #1311,#1334 (Security) Add option to disable client_secret hashing to allow verifying JWTs' signatures when using
  HS256 keys.
  This means your client secret will be stored in cleartext but is the only way to successfully use HS256 signed JWT's.
• #1350 Support Python 3.12 and Django 5.0
• #1367 Add code_challenge_methods_supported property to auto discovery information, per RFC 8414 section 2
• #1328 Adds the ability to define how to store a user profile.

Fixed

• #1292 Interpret EXP in AccessToken always as UTC instead of (possibly) local timezone.
  Use setting AUTHENTICATION_SERVER_EXP_TIME_ZONE to enable different time zone in case the remote
  authentication server does not provide EXP in UTC.
• #1323 Fix instructions in documentation
  on how to create a code challenge and code verifier
• #1284 Fix a 500 error when trying to logout with no id_token_hint even if the browser session already expired.
• #1296 Added reverse function in migration 0006_alter_application_client_secret. Note that reversing this migration cannot undo a hashed client_secret.
• #1345 Fix encapsulation for Redirect URI scheme validation. Deprecates RedirectURIValidator in favor of AllowedURIValidator.
• #1357 Move import of setting_changed signal from test to django core modules.
• #1361 Fix prompt=none redirects to login screen
• #1380 Fix AttributeError in OAuth2ExtraTokenMiddleware when a custom AccessToken model is used.
• #1288 Fix #1276 which attempted to resolve #1092 for requests that don't have a client_secret per RFC 6749 4.1.1
• #1337 Gracefully handle expired or deleted refresh tokens, in validate_user.
• Various documentation improvements: #1410, #1408, #1405, #1399, #1401, #1396, #1375, #1162, #1315, #1307

Removed

• #1350 Remove support for Python 3.7 and Django 2.2

Release 2.3.0

[2.3.0] 2023-05-31

WARNING

Issues caused by Release 2.0.0 breaking changes continue to be logged. Please make sure to carefully read these release notes before
performing a MAJOR upgrade to 2.x.

These issues both result in {"error": "invalid_client"}:

1. The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail.

2. PKCE_REQUIRED is now True by default. You should use PKCE with your client or set PKCE_REQUIRED=False if you are unable to fix the client.

Added

• Add Japanese(日本語) Language Support
• #1244 implement OIDC RP-Initiated Logout
• #1092 Allow Authorization Code flow without a client_secret per RFC 6749 2.3.1

Changed

• #1222 Remove expired ID tokens alongside access tokens in cleartokens management command
• #1267, #1253, #1251, #1250, #1224, #1212, #1211 Various documentation improvements

Release 2.2.0

[2.2.0] 2022-10-18

WARNING

Issues caused by Release 2.0.0 breaking changes continue to be logged. Please make sure to carefully read these release notes before
performing a MAJOR upgrade to 2.x.

These issues both result in {"error": "invalid_client"}:

1. The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail.

2. PKCE_REQUIRED is now True by default. You should use PKCE with your client or set PKCE_REQUIRED=False if you are unable to fix the client.

Added

• #1208 Add 'code_challenge_method' parameter to authorization call in documentation
• #1182 Add 'code_verifier' parameter to token requests in documentation

Changed

• #1203 Support Django 4.1.

Fixed

• #1203 Remove upper version bound on Django, to allow upgrading to Django 4.1.1 bugfix release.
• #1210 Handle oauthlib errors on create token requests

Release 2.1.0

WARNING

Issues caused by Release 2.0.0 breaking changes continue to be logged. Please make sure to carefully read these release notes before
performing a MAJOR upgrade to 2.x.

These issues both result in {"error": "invalid_client"}:

1. The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail.

2. PKCE_REQUIRED is now True by default. You should use PKCE with your client or set PKCE_REQUIRED=False if you are unable to fix the client.

Added

• #1164 Support prompt=login for the OIDC Authorization Code Flow end user Authentication Request.
• #1163 Add French (fr) translations.
• #1166 Add Spanish (es) translations.

Changed

• #1152 createapplication management command enhanced to display an auto-generated secret before it gets hashed.
• #1172, #1159, #1158 documentation improvements.

Fixed

• #1147 Fixed 2.0.0 implementation of hashed client secret to work with swapped models.

Release 2.0.0

What's Changed

• WIP: Hash application client secrets using Django password hashing by @n2ygk in #1093
• OIDC: Add "scopes_supported" to openid-configuration. by @n2ygk in #1106
• OIDC: Standard scopes to determine which claims are returned by @n2ygk in #1108
• Prevent the tests/migrations directory from getting packaged by @brianhelba in #1118
• Topic/1112 by @daffyd in #1113
• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #1109
• Fix broken import in doc by @CarlSchwan in #1121
• Security BCP: Remove OOB by @n2ygk in #1124
• Revert 1070 (Celery tasks.py) by @n2ygk in #1126
• Pin Jinja2 version per sphinx-doc/sphinx#10291 by @n2ygk in #1134
• Missed updating master branch version to 1.7.1 by @n2ygk in #1133
• Update createapplication command by @vector-kerr in #1132
• Add tutorial for Celery task setup. by @n2ygk in #1128
• chore: .gitignore local development files by @dopry in #1137
• feat: Update PKCE_REQUIRED to true by default by @dopry in #1129
• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #1139
• sphinx-lint by @JulienPalard in #1142
• Corrections to resource server documentation by @n2ygk in #1136
• Add help wanted to the README by @n2ygk in #1144
• Release 2.0.0 by @n2ygk in #1145

New Contributors

• @brianhelba made their first contribution in #1118
• @daffyd made their first contribution in #1113
• @CarlSchwan made their first contribution in #1121
• @vector-kerr made their first contribution in #1132
• @dopry made their first contribution in #1137
• @JulienPalard made their first contribution in #1142

Full Changelog: 1.7.0...2.0.0

Release 1.7.0

[1.7.0] 2022-01-23

Added

• #969 Add batching of expired token deletions in cleartokens management command and models.clear_expired()
  to improve performance for removal of large numers of expired tokens. Configure with
  CLEAR_EXPIRED_TOKENS_BATCH_SIZE and
  CLEAR_EXPIRED_TOKENS_BATCH_INTERVAL.
• #1070 Add a Celery task for clearing expired tokens, e.g. to be scheduled as a periodic task.
• #1062 Add Brazilian Portuguese (pt-BR) translations.
• #1069 OIDC: Add an alternate form of
  get_additional_claims()
  which makes the list of additional claims_supported available at the OIDC auto-discovery endpoint (.well-known/openid-configuration).

Fixed

• #1012 Return 200 status code with {"active": false} when introspecting a nonexistent token
  per RFC 7662. It had been incorrectly returning 401.

Release 1.6.3

[1.6.3] 2022-01-11

Fixed

• #1085 Fix for #1083 admin UI search for idtoken results in django.core.exceptions.FieldError: Cannot resolve keyword 'token' into field.

Added

• #1085 Add admin UI search fields for additional models.

Release 1.6.2

[1.6.2] 2022-01-06

NOTE: This release reverts an inadvertently-added breaking change.

Fixed

• #1056 Add missing migration triggered by Django 4.0 changes to the migrations autodetector.
• #1068 Revert #967 which incorrectly changed an API. See #1066.

Release 1.6.1

Changed

• Note: Only Django 4.0.1+ is supported due to a regression in Django 4.0.0. Explanation

Fixed

• Miscellaneous 1.6.0 packaging issues.

Release 1.6.0

Added

#949 Provide django.contrib.auth.authenticate() with a request for compatibiity with more backends (like django-axes).
#968, #1039 Add support for Django 3.2 and 4.0.
#953 Allow loopback redirect URIs using random ports as described in RFC8252 section 7.3.
#972 Add Farsi/fa language support.
#978 OIDC: Add support for rotating multiple RSA private keys.
#978 OIDC: Add new OIDC_JWKS_MAX_AGE_SECONDS to improve jwks_uri caching.
#967 OIDC: Add additional claims beyond sub to the id_token.
#1041 Add a search field to the Admin UI (e.g. for search for tokens by email address).

Changed

#981 Require redirect_uri if multiple URIs are registered per RFC6749 section 3.1.2.3
#991 Update documentation of REFRESH_TOKEN_EXPIRE_SECONDS to indicate it may be int or datetime.timedelta.
#977 Update Tutorial to show required include.

Removed

#968 Remove support for Django 3.0 & 3.1 and Python 3.6
#1035 Removes default_app_config for Django Deprecation Warning
#1023 six should be dropped

Fixed

#963 Fix handling invalid hex values in client query strings with a 400 error rather than 500.
#973 Tutorial updated to use django-cors-headers.
#956 OIDC: Update documentation of get_userinfo_claims to add the missing argument.