Skip to content

Update dependency django-oauth-toolkit to v2 - autoclosed

Tine Wittler requested to merge renovate/django-oauth-toolkit-2.x into master

This MR contains the following updates:

Package Type Update Change
django-oauth-toolkit dependencies major ^1.4.0 -> ^2.0.0

Release Notes

jazzband/django-oauth-toolkit

v2.1.0

Compare Source

WARNING

Issues caused by Release 2.0.0 breaking changes continue to be logged. Please make sure to carefully read these release notes before performing a MAJOR upgrade to 2.x.

These issues both result in {"error": "invalid_client"}:

  1. The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail.

  2. PKCE_REQUIRED is now True by default. You should use PKCE with your client or set PKCE_REQUIRED=False if you are unable to fix the client.

Added
Changed
  • #​1152 createapplication management command enhanced to display an auto-generated secret before it gets hashed.
  • #​1172, #​1159, #​1158 documentation improvements.
Fixed
  • #​1147 Fixed 2.0.0 implementation of hashed client secret to work with swapped models.

v2.0.0

Compare Source

This is a major release with BREAKING changes. Please make sure to review these changes before upgrading:

Added
Changed
  • #​1129 (Breaking) Changed default value of PKCE_REQUIRED to True. This is a breaking change. Clients without PKCE enabled will fail to authenticate. This breaks with section 5 of RFC7636 in favor of the OAuth2 Security Best Practices for Authorization Code Grants. If you want to retain the pre-2.x behavior, set PKCE_REQUIRED = False in your settings.py
  • #​1093 (Breaking) Changed to implement hashed client_secret values. This is a breaking change that will migrate all your existing cleartext application.client_secret values to be hashed with Django's default password hashing algorithm and can not be reversed. When adding or modifying an Application in the Admin console, you must copy the auto-generated or manually-entered client_secret before hitting Save.
  • #​1108 OIDC: (Breaking) Add default configurable OIDC standard scopes that determine which claims are returned. If you've customized OIDC responses and want to retain the pre-2.x behavior, set oidc_claim_scope = None in your subclass of OAuth2Validator.
  • #​1108 OIDC: Make the access_token available to get_oidc_claims when called from get_userinfo_claims.
  • #​1132: Added --algorithm argument to createapplication management command
Fixed
  • #​1108 OIDC: Fix validate_bearer_token() to properly set request.scopes to the list of granted scopes.
  • #​1132: Fixed help text for --skip-authorization argument of the createapplication management command.
Removed
  • #​1124 (Breaking, Security) Removes support for insecure urn:ietf:wg:oauth:2.0:oob and urn:ietf:wg:oauth:2.0:oob:auto which are replaced by RFC 8252 "OAuth 2.0 for Native Apps" BCP. Google has deprecated use of oob with a final end date of 2022-10-03. If you still rely on oob support in django-oauth-toolkit, do not upgrade to this release.

Configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.


  • If you want to rebase/retry this MR, click this checkbox.

This MR has been generated by Renovate Bot.

Edited by Tine Wittler

Merge request reports

Loading