Update dependency django-oauth-toolkit to v2 - autoclosed
This MR contains the following updates:
Package | Type | Update | Change |
---|---|---|---|
django-oauth-toolkit | dependencies | major |
^1.4.0 -> ^2.0.0
|
Release Notes
jazzband/django-oauth-toolkit
v2.1.0
WARNING
Issues caused by Release 2.0.0 breaking changes continue to be logged. Please make sure to carefully read these release notes before performing a MAJOR upgrade to 2.x.
These issues both result in {"error": "invalid_client"}
:
-
The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail.
-
PKCE_REQUIRED
is nowTrue
by default. You should use PKCE with your client or setPKCE_REQUIRED=False
if you are unable to fix the client.
Added
-
#1164 Support
prompt=login
for the OIDC Authorization Code Flow end user Authentication Request. - #1163 Add French (fr) translations.
- #1166 Add Spanish (es) translations.
Changed
-
#1152
createapplication
management command enhanced to display an auto-generated secret before it gets hashed. - #1172, #1159, #1158 documentation improvements.
Fixed
v2.0.0
This is a major release with BREAKING changes. Please make sure to review these changes before upgrading:
Added
- #1106 OIDC: Add "scopes_supported" to the ConnectDiscoveryInfoView. This completes the view to provide all the REQUIRED and RECOMMENDED OpenID Provider Metadata.
- #1128 Documentation: Tutorial on using Celery to automate clearing expired tokens.
Changed
-
#1129 (Breaking) Changed default value of PKCE_REQUIRED to True. This is a breaking change. Clients without
PKCE enabled will fail to authenticate. This breaks with section 5 of RFC7636
in favor of the OAuth2 Security Best Practices for Authorization Code Grants.
If you want to retain the pre-2.x behavior, set
PKCE_REQUIRED = False
in your settings.py -
#1093 (Breaking) Changed to implement hashed
client_secret values. This is a breaking change that will migrate all your existing
cleartext
application.client_secret
values to be hashed with Django's default password hashing algorithm and can not be reversed. When adding or modifying an Application in the Admin console, you must copy the auto-generated or manually-enteredclient_secret
before hitting Save. -
#1108 OIDC: (Breaking) Add default configurable OIDC standard scopes that determine which claims are returned.
If you've customized OIDC responses
and want to retain the pre-2.x behavior, set
oidc_claim_scope = None
in your subclass ofOAuth2Validator
. -
#1108 OIDC: Make the
access_token
available toget_oidc_claims
when called fromget_userinfo_claims
. -
#1132: Added
--algorithm
argument tocreateapplication
management command
Fixed
-
#1108 OIDC: Fix
validate_bearer_token()
to properly setrequest.scopes
to the list of granted scopes. -
#1132: Fixed help text for
--skip-authorization
argument of thecreateapplication
management command.
Removed
-
#1124 (Breaking, Security) Removes support for insecure
urn:ietf:wg:oauth:2.0:oob
andurn:ietf:wg:oauth:2.0:oob:auto
which are replaced by RFC 8252 "OAuth 2.0 for Native Apps" BCP. Google has deprecated use of oob with a final end date of 2022-10-03. If you still rely on oob support in django-oauth-toolkit, do not upgrade to this release.
Configuration
-
If you want to rebase/retry this MR, click this checkbox.
This MR has been generated by Renovate Bot.