Django-helusers

Changed

- Add Django admin logout support for Django 5.0
- Add code quality tooling: black, isort, flake8, commitlint, pre-commit
- Run code quality tools and do the necessary fixes

Changed

- Drop support for Python 3.7 and older
- Add support for Python 3.12
- Require at least Django 3.2
- Add support for Django 5.0 by adding a new session serializer `TunnistamoOIDCSerializer` which can handle session data produced by the custom `helusers.defaults.SOCIAL_AUTH_PIPELINE` pipeline. Django 5.0 removed `PickleSerializer`.

Fixed

- `ApiTokenAuthentication` again validates the `aud` claim. The `aud` claim wasn't validated if the `drf-oidc-auth` version was 1.0.0 or greater.

Added

- Ability to use "dot notation" in `API_AUTHORIZATION_FIELD` setting for searching api scopes from deeper in the claims
- Documentation about social auth pipeline configuration

Removed

- Removed `drf-oidc-auth` requirement when using `ApiTokenAuthentication`. Django REST framework is still required.

Changed

- `API_AUTHORIZATION_FIELD` and `API_SCOPE_PREFIX` settings now support a list of strings
- `ApiTokenAuthentication` is no longer a subclass of `oidc_auth.authentication.JSONWebTokenAuthentication` but a direct subclass of `rest_framework.authentication.BaseAuthentication`
- `ApiTokenAuthentication` uses the same `JWT` class as `RequestJWTAuthentication` for the token validation
- **Changed** methods:
- `decode_jwt` can raise `jose.JWTError` exception
- `get_oidc_config` no longer returns oidc configuration dictionary but an `OIDCConfig` instance
- `validate_claims` still exists and is called, but doesn't do anything
- **Removed** methods:
- `get_audiences`
- `jwks`
- `jwks_data`
- `oidc_config`
- **Removed** properties:
- `claims_options`
- `issuer`

- `ApiTokenAuthentication` now supports multiple issuers. Previously it accepted multiple issuers in the settings but could only use the first issuer.
- `ApiTokenAuthentication.authenticate` no longer raises AuthenticationError if authorization header contains the correct scheme but not a valid JWT-token. Now it just returns None which means the authentication didn't succeed but can be tried with the next authenticator.
- `ApiTokenAuthentication` now rejects tokens if they are invalidated with back-channel log out
- `amr` claim is no longer validated in `ApiTokenAuthentication`
- Issued at (`iat`) claim is no longer limited by the OIDC_LEEWAY oidc_auth setting (default 10 minutes) when using `ApiTokenAuthentication`. i.e. tokens can be generated as long ago as needed.
- User is no longer created if token is correct but is missing the required API scopes in `ApiTokenAuthentication`

Fixed

- Admin site logout view caching with Django 4
- Turn invalid string `amr` claim into an array in JWT

Added

- Support for Python 3.10 & 3.11
- Support for Django >=4.0

Removed

- Support for Python 3.6
- Support for Django 2.2

Changed

- Handle a list of configured issuers in `ApiTokenAuthentication`
- Require Django version < 4