Django-oauth-toolkit

Latest version: v2.3.0


Page 1 of 8

2.3.0

WARNING

Issues caused by **Release 2.0.0 breaking changes** continue to be logged. Please **make sure to carefully read these release notes** before
performing a MAJOR upgrade to 2.x.

These issues both result in `{"error": "invalid_client"}`:

1. The application client secret is now hashed on save. Copy the cleartext value before saving; the stored hash is not a usable credential, and presenting it as the secret will fail.

2. `PKCE_REQUIRED` is now `True` by default. You should use PKCE with your client or set `PKCE_REQUIRED=False` if you are unable to fix the client.

Added
* Add Japanese (日本語) language support
* 1244 implement [OIDC RP-Initiated Logout](https://openid.net/specs/openid-connect-rpinitiated-1_0.html)
* 1092 Allow Authorization Code flow without a client_secret per [RFC 6749 2.3.1](https://www.rfc-editor.org/rfc/rfc6749.html#section-2.3.1)

Changed
* 1222 Remove expired ID tokens alongside access tokens in `cleartokens` management command
* 1267, 1253, 1251, 1250, 1224, 1212, 1211 Various documentation improvements

2.2.0

Added
* 1208 Add 'code_challenge_method' parameter to authorization call in documentation
* 1182 Add 'code_verifier' parameter to token requests in documentation

Changed
* 1203 Support Django 4.1.

Fixed
* 1203 Remove upper version bound on Django, to allow upgrading to Django 4.1.1 bugfix release.
* 1210 Handle oauthlib errors on create token requests

2.1.0

Added
* 1164 Support `prompt=login` for the OIDC Authorization Code Flow end user [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
* 1163 Add French (fr) translations.
* 1166 Add Spanish (es) translations.

Changed
* 1152 `createapplication` management command enhanced to display an auto-generated secret before it gets hashed.
* 1172, 1159, 1158 documentation improvements.

Fixed
* 1147 Fixed 2.0.0 implementation of [hashed](https://docs.djangoproject.com/en/stable/topics/auth/passwords/) client secret to work with swapped models.

2.0.0

This is a major release with **BREAKING** changes. Please make sure to review these changes before upgrading:

Added
* 1106 OIDC: Add "scopes_supported" to the [ConnectDiscoveryInfoView](https://django-oauth-toolkit.readthedocs.io/en/latest/oidc.html#connectdiscoveryinfoview).
This completes the view to provide all the REQUIRED and RECOMMENDED [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
* 1128 Documentation: [Tutorial](https://django-oauth-toolkit.readthedocs.io/en/latest/tutorial/tutorial_05.html)
on using Celery to automate clearing expired tokens.

Changed
* 1129 (**Breaking**) Changed default value of PKCE_REQUIRED to True. This is a **breaking change**. Clients without
PKCE enabled will fail to authenticate. This departs from [section 5 of RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636)
in favor of the [OAuth2 Security Best Practices for Authorization Code Grants](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-2.1).
If you want to retain the pre-2.x behavior, set `PKCE_REQUIRED = False` in your settings.py.
* 1093 (**Breaking**) Changed to implement [hashed](https://docs.djangoproject.com/en/stable/topics/auth/passwords/)
client_secret values. This is a **breaking change** that will migrate all your existing
cleartext `application.client_secret` values to be hashed with Django's default password hashing algorithm
and cannot be reversed. When adding or modifying an Application in the Admin console, you must copy the
auto-generated or manually-entered `client_secret` before hitting Save.
* 1108 OIDC: (**Breaking**) Add default configurable OIDC standard scopes that determine which claims are returned.
If you've [customized OIDC responses](https://django-oauth-toolkit.readthedocs.io/en/latest/oidc.html#customizing-the-oidc-responses)
and want to retain the pre-2.x behavior, set `oidc_claim_scope = None` in your subclass of `OAuth2Validator`.
* 1108 OIDC: Make the `access_token` available to `get_oidc_claims` when called from `get_userinfo_claims`.
* 1132 Added `--algorithm` argument to `createapplication` management command
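The two failure modes that the WARNING at the top of this page and items 1129 and 1093 above describe, as an added example that is not django-oauth-toolkit code. It uses only the standard library: `hash_client_secret()` mimics the shape of Django's default PBKDF2-SHA256 hasher (`algorithm$iterations$salt$hash`) with a low iteration count for speed, and `token_request()` is a stand-in for the `/token` checks that returns `invalid_client` for both failures, which is the symptom the release notes report; the real rejection happens inside oauthlib and DOT. An application with an empty secret hash is treated as a public client per RFC 6749 2.3.1, which 2.3.0 allows for the authorization code flow. All names and the sample values are this example's own.

```python
"""Added example, not django-oauth-toolkit code: the two 2.0.0 changes that
surface as {"error": "invalid_client"}, reproduced with the standard library.

Assumptions (this file's own, not the project's):
  - hash_client_secret() mimics the *shape* of Django's default PBKDF2-SHA256
    hasher (algorithm$iterations$salt$hash) with a low iteration count; it is
    not Django's implementation.
  - token_request() stands in for the /token checks and returns invalid_client
    for both failures, the symptom the release notes describe.
  - An empty secret hash means a public client (RFC 6749 2.3.1).
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


# ---- client side: PKCE, RFC 7636 (S256) --------------------------------

def make_code_verifier(n_bytes: int = 32) -> str:
    """Random verifier of 43 unreserved characters (RFC 7636 4.1 allows 43..128)."""
    return _b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(code_verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))), sent on /authorize."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


# ---- server side: stored secret and PKCE verification ------------------

def hash_client_secret(secret: str, iterations: int = 100_000) -> str:
    """What the admin save now stores; the cleartext is gone once this returns."""
    salt = secrets.token_urlsafe(16)  # never contains '$', so the split below is safe
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt.encode("ascii"), iterations)
    return f"pbkdf2_sha256${iterations}${salt}${base64.b64encode(dk).decode('ascii')}"


def check_client_secret(presented: str, stored: str) -> bool:
    """True only for the original cleartext; presenting the stored hash itself fails."""
    try:
        algo, iters, salt, digest = stored.split("$", 3)
        dk = hashlib.pbkdf2_hmac("sha256", presented.encode("utf-8"), salt.encode("ascii"), int(iters))
    except ValueError:
        return False
    return algo == "pbkdf2_sha256" and hmac.compare_digest(base64.b64encode(dk).decode("ascii"), digest)


def verify_pkce(code_challenge: str, code_verifier: str) -> bool:
    """Server recomputes the challenge from the verifier presented on /token."""
    return hmac.compare_digest(make_code_challenge(code_verifier), code_challenge)


def token_request(app: dict, presented_secret: Optional[str], code_verifier: Optional[str]) -> dict:
    """Stand-in for the /token endpoint checks (see module docstring)."""
    if app["client_secret_hash"]:  # confidential client: the secret must verify
        if presented_secret is None or not check_client_secret(presented_secret, app["client_secret_hash"]):
            return {"error": "invalid_client"}
    if app["pkce_required"]:  # PKCE_REQUIRED = True, the 2.x default
        if code_verifier is None or not verify_pkce(app["code_challenge"], code_verifier):
            return {"error": "invalid_client"}
    return {"access_token": "constructed-example-token", "token_type": "Bearer"}


def demo() -> dict:
    """Constructed scenario: one confidential app and one public app, both using PKCE."""
    cleartext = "copy-me-before-clicking-save"  # the value to record at creation time
    verifier = make_code_verifier()
    confidential = {
        "client_secret_hash": hash_client_secret(cleartext),
        "pkce_required": True,
        "code_challenge": make_code_challenge(verifier),  # remembered from /authorize
    }
    public = dict(confidential, client_secret_hash="")
    return {
        "ok": token_request(confidential, cleartext, verifier),
        "hash_used_as_secret": token_request(confidential, confidential["client_secret_hash"], verifier),
        "missing_verifier": token_request(confidential, cleartext, None),
        "wrong_verifier": token_request(confidential, cleartext, make_code_verifier()),
        "public_client_ok": token_request(public, None, verifier),
        "legacy_no_pkce": token_request(dict(public, pkce_required=False), None, None),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22} {result}")
```

`hash_used_as_secret` is the mistake the WARNING describes: the value visible in the admin after Save is the hash, and feeding it back as `client_secret` can never verify. `missing_verifier` is the PKCE case; the last entry shows the pre-2.x behaviour that `PKCE_REQUIRED = False` restores.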

Fixed
* 1108 OIDC: Fix `validate_bearer_token()` to properly set `request.scopes` to the list of granted scopes.
* 1132 Fixed help text for `--skip-authorization` argument of the `createapplication` management command.
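The scope-gated claims that item 1108 above turns on by default, together with the `claims_supported` list that the alternate form of `get_additional_claims()` from 1.7.0 (item 1069) makes possible, as an added example in plain Python that is not django-oauth-toolkit code. The claim-to-scope table is a subset of the OIDC Core 5.4 standard claims; the attribute and method names mirror the ones the release notes mention, but `ClaimsProvider` is a stand-in that takes a plain dict, not a subclass of `OAuth2Validator`, and the rule that an unmapped custom claim is released with just `openid` is this example's convention.

```python
"""Added example, not django-oauth-toolkit code: scope-gated OIDC claims as
2.0.0 (#1108) enables them by default, plus the claims_supported list that the
1.7.0 (#1069) alternate form of get_additional_claims makes possible.

Assumptions: the claim-to-scope table is a subset of the OIDC Core 5.4
standard claims; ClaimsProvider is a stand-in, not OAuth2Validator, and it
takes a plain dict instead of a Django user.
"""
from typing import Callable, Dict, List, Optional, Set

STANDARD_CLAIM_SCOPE: Dict[str, str] = {
    "sub": "openid",
    "name": "profile", "given_name": "profile", "family_name": "profile",
    "preferred_username": "profile",
    "email": "email", "email_verified": "email",
    "phone_number": "phone", "phone_number_verified": "phone",
}


class ClaimsProvider:
    # The 2.x default. Setting this to None restores the pre-2.x behaviour of
    # returning every claim regardless of which scopes were granted.
    oidc_claim_scope: Optional[Dict[str, str]] = STANDARD_CLAIM_SCOPE

    def __init__(self, user: dict):
        self.user = user

    def get_standard_claims(self) -> dict:
        return {name: self.user[name] for name in STANDARD_CLAIM_SCOPE if name in self.user}

    def get_additional_claims(self) -> Dict[str, Callable[[dict], object]]:
        """Alternate form: claim name -> callable, so the names are known up front."""
        return {"department": lambda u: u["department"]}

    def claims_supported(self) -> List[str]:
        """What the discovery document can advertise without a request in hand."""
        return sorted(set(STANDARD_CLAIM_SCOPE) | set(self.get_additional_claims()))

    def get_oidc_claims(self, granted_scopes: Set[str]) -> dict:
        claims = self.get_standard_claims()
        for name, compute in self.get_additional_claims().items():
            claims[name] = compute(self.user)
        if self.oidc_claim_scope is None:
            return claims  # pre-2.x: nothing is filtered
        # Convention of this example: a claim with no scope mapping (a custom
        # one) is released with just "openid".
        return {
            name: value for name, value in claims.items()
            if self.oidc_claim_scope.get(name, "openid") in granted_scopes
        }


class LegacyClaimsProvider(ClaimsProvider):
    oidc_claim_scope = None  # the override the release notes suggest to keep 1.x output


EXAMPLE_USER = {  # constructed sample record
    "sub": "42", "name": "Ada Lovelace", "email": "ada@example.test",
    "email_verified": True, "phone_number": "+44 20 0000 0000", "department": "engineering",
}

if __name__ == "__main__":
    provider = ClaimsProvider(EXAMPLE_USER)
    print("openid only      :", provider.get_oidc_claims({"openid"}))
    print("openid+email     :", provider.get_oidc_claims({"openid", "email"}))
    print("pre-2.x behaviour:", LegacyClaimsProvider(EXAMPLE_USER).get_oidc_claims({"openid"}))
    print("claims_supported :", provider.claims_supported())
```

The practical consequence of the breaking change is visible in the first two calls: a relying party that only ever asked for `openid` stops receiving `email` and `name` after the upgrade until it requests the matching scopes, and the `LegacyClaimsProvider` override is the escape hatch.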

Removed
* 1124 (**Breaking**, **Security**) Removes support for insecure `urn:ietf:wg:oauth:2.0:oob` and `urn:ietf:wg:oauth:2.0:oob:auto` which are replaced
by [RFC 8252](https://datatracker.ietf.org/doc/html/rfc8252) "OAuth 2.0 for Native Apps" BCP. Google has
[deprecated use of oob](https://developers.googleblog.com/2022/02/making-oauth-flows-safer.html?m=1#disallowed-oob) with
a final end date of 2022-10-03. If you still rely on oob support in django-oauth-toolkit, do not upgrade to this release.
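What replaces the oob flow for a native app is a registered loopback or private-use redirect URI, as RFC 8252 describes. The check below is an added example, not django-oauth-toolkit's own `redirect_uri_allowed` logic: it refuses the two removed URNs outright, lets a loopback redirect on `http://127.0.0.1` or `http://[::1]` match on any port because the app binds an ephemeral port at request time (RFC 8252 7.3), gives `localhost` no such treatment (RFC 8252 8.3 recommends against it), and requires an exact match for everything else. The URIs in the usage are constructed.

```python
"""Added example, not django-oauth-toolkit code: a redirect_uri comparison for
native apps after the removal of the oob URNs, following RFC 8252.

Assumptions of this example (not a description of the project's own check):
  - the oob URNs are refused whether requested or registered;
  - a loopback IP redirect over http matches on any port (RFC 8252 7.3);
    "localhost" is deliberately not treated as loopback (RFC 8252 8.3);
  - private-use schemes and https URIs must match exactly, including port.
"""
from typing import Iterable
from urllib.parse import urlsplit

OOB_URNS = {"urn:ietf:wg:oauth:2.0:oob", "urn:ietf:wg:oauth:2.0:oob:auto"}
LOOPBACK_IPS = {"127.0.0.1", "::1"}


def _matches(requested: str, registered: str) -> bool:
    if requested in OOB_URNS or registered in OOB_URNS:
        return False  # removed in 2.0.0; never honour it
    try:
        req, reg = urlsplit(requested), urlsplit(registered)
        req_port, reg_port = req.port, reg.port  # ValueError on a junk port
    except ValueError:
        return False
    if req.fragment or reg.fragment:
        return False  # RFC 6749 3.1.2: redirect URIs carry no fragment
    if (req.scheme, req.hostname, req.path, req.query) != (reg.scheme, reg.hostname, reg.path, reg.query):
        return False
    if reg.scheme == "http" and reg.hostname in LOOPBACK_IPS:
        return True  # the port is the app's choice at request time (RFC 8252 7.3)
    return req_port == reg_port


def redirect_uri_allowed(requested: str, registered: Iterable[str]) -> bool:
    """True if the requested redirect_uri matches one of the registered URIs."""
    return any(_matches(requested, r) for r in registered)


if __name__ == "__main__":
    registered = [  # constructed registrations for one native app
        "http://127.0.0.1:0/callback",
        "com.example.app:/oauth2redirect",
    ]
    for uri in (
        "http://127.0.0.1:51234/callback",      # loopback, ephemeral port: allowed
        "http://localhost:51234/callback",      # localhost is not loopback here
        "com.example.app:/oauth2redirect",      # private-use scheme, exact match
        "urn:ietf:wg:oauth:2.0:oob",            # removed
    ):
        print(f"{uri:40} {redirect_uri_allowed(uri, registered)}")
```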

1.7.1

Removed
* 1126 Reverts 1070 which incorrectly added Celery auto-discovery tasks.py (as described in 1123) and because it conflicts
with Huey's auto-discovery which also uses tasks.py as described in 1114. If you are using Celery or Huey, you'll need
to separately implement these tasks.

1.7.0

Added
* 969 Add batching of expired token deletions in `cleartokens` management command and `models.clear_expired()`
to improve performance for removal of large numbers of expired tokens. Configure with
[`CLEAR_EXPIRED_TOKENS_BATCH_SIZE`](https://django-oauth-toolkit.readthedocs.io/en/latest/settings.html#clear-expired-tokens-batch-size) and
[`CLEAR_EXPIRED_TOKENS_BATCH_INTERVAL`](https://django-oauth-toolkit.readthedocs.io/en/latest/settings.html#clear-expired-tokens-batch-interval).
* 1070 Add a Celery task for clearing expired tokens, e.g. to be scheduled as a [periodic task](https://docs.celeryproject.org/en/stable/userguide/periodic-tasks.html).
* 1062 Add Brazilian Portuguese (pt-BR) translations.
* 1069 OIDC: Add an alternate form of
[get_additional_claims()](https://django-oauth-toolkit.readthedocs.io/en/latest/oidc.html#adding-claims-to-the-id-token)
which makes the list of additional `claims_supported` available at the OIDC auto-discovery endpoint (`.well-known/openid-configuration`).

Fixed
* 1012 Return 200 status code with `{"active": false}` when introspecting a nonexistent token
per [RFC 7662](https://datatracker.ietf.org/doc/html/rfc7662#section-2.2). It had been incorrectly returning 401.


© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.