- Add a feature to migrate old users from Tunnistamo to Keycloak upon login. With default settings, only users using AD authentication will be migrated. The feature can be enabled with the setting `HELUSERS_USER_MIGRATE_ENABLED`, which defaults to `False`.
Changed
- Improve ModelAdmins for ADGroupMapping and ADGroup
0.12.0
Changed
- Add new setting `ALLOWED_ALGORITHMS` with a default value of `["RS256"]`
0.11.0
Changed
- Add Django admin logout support for Django 5.0
- Add code quality tooling: black, isort, flake8, commitlint, pre-commit
- Run code quality tools and do the necessary fixes
0.10.0
Changed
- Drop support for Python 3.7 and older
- Add support for Python 3.12
- Require at least Django 3.2
- Add support for Django 5.0 by adding a new session serializer `TunnistamoOIDCSerializer`, which can handle session data produced by the custom `helusers.defaults.SOCIAL_AUTH_PIPELINE` pipeline. Django 5.0 removed `PickleSerializer`.
0.9.0
Fixed
- `ApiTokenAuthentication` again validates the `aud` claim. The `aud` claim wasn't validated if the `drf-oidc-auth` version was 1.0.0 or greater.
Added
- Ability to use "dot notation" in the `API_AUTHORIZATION_FIELD` setting for searching API scopes from deeper in the claims
- Documentation about social auth pipeline configuration
Removed
- Removed `drf-oidc-auth` requirement when using `ApiTokenAuthentication`. Django REST framework is still required.
Changed
- `API_AUTHORIZATION_FIELD` and `API_SCOPE_PREFIX` settings now support a list of strings
- `ApiTokenAuthentication` is no longer a subclass of `oidc_auth.authentication.JSONWebTokenAuthentication` but a direct subclass of `rest_framework.authentication.BaseAuthentication`
- `ApiTokenAuthentication` uses the same `JWT` class as `RequestJWTAuthentication` for the token validation
  - **Changed** methods:
    - `decode_jwt` can raise a `jose.JWTError` exception
    - `get_oidc_config` no longer returns the OIDC configuration dictionary but an `OIDCConfig` instance
    - `validate_claims` still exists and is called, but doesn't do anything
  - **Removed** methods:
    - `get_audiences`
    - `jwks`
    - `jwks_data`
    - `oidc_config`
  - **Removed** properties:
    - `claims_options`
    - `issuer`
- `ApiTokenAuthentication` now supports multiple issuers. Previously it accepted multiple issuers in the settings but could only use the first issuer.
- `ApiTokenAuthentication.authenticate` no longer raises `AuthenticationError` if the authorization header contains the correct scheme but not a valid JWT token. Now it just returns `None`, which means the authentication didn't succeed but can be tried with the next authenticator.
- `ApiTokenAuthentication` now rejects tokens if they have been invalidated with back-channel logout
- The `amr` claim is no longer validated in `ApiTokenAuthentication`
- The issued at (`iat`) claim is no longer limited by the `OIDC_LEEWAY` oidc_auth setting (default 10 minutes) when using `ApiTokenAuthentication`, i.e. tokens may have been issued as long ago as needed.
- A user is no longer created if the token is valid but is missing the required API scopes in `ApiTokenAuthentication`
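The dot-notation lookup in `API_AUTHORIZATION_FIELD` and the list-valued `API_AUTHORIZATION_FIELD` / `API_SCOPE_PREFIX` settings described above, as an added illustration that is not helusers' own code. It assumes an exact claim key wins over dot-notation (so URL-style keys that contain dots still resolve) and that a token missing a required scope is rejected; both are assumptions, not documented library behaviour.

```python
from typing import Any, Iterable, List, Union

# Constructed sample of decoded access-token claims (not from a real token).
SAMPLE_CLAIMS = {
    "sub": "user-123",
    "authorization": {"permissions": {"scopes": ["myapi.read", "myapi.write"]}},
    "https://api.hel.fi/auth": ["otherapi.read"],
}


def resolve_claim(claims: dict, field: str) -> Any:
    """Look up `field` in `claims`. Assumption: an exact key match is tried first,
    so a key such as "https://api.hel.fi/auth" is not split on its dots."""
    if field in claims:
        return claims[field]
    node: Any = claims
    for part in field.split("."):
        if not isinstance(node, dict) or part not in node:
            return None  # path does not exist in this token
        node = node[part]
    return node


def as_str_list(value: Any) -> List[str]:
    """Normalise a claim value to a list of strings; other types yield no scopes."""
    if isinstance(value, str):
        return [value]
    if isinstance(value, (list, tuple)):
        return [v for v in value if isinstance(v, str)]
    return []


def find_api_scopes(claims: dict, authorization_field: Union[str, Iterable[str]],
                    scope_prefix: Union[str, Iterable[str]]) -> List[str]:
    """Collect scopes under any configured field that start with any configured prefix."""
    fields = [authorization_field] if isinstance(authorization_field, str) else list(authorization_field)
    prefixes = [scope_prefix] if isinstance(scope_prefix, str) else list(scope_prefix)
    found: List[str] = []
    for field in fields:
        for scope in as_str_list(resolve_claim(claims, field)):
            if any(scope.startswith(p) for p in prefixes) and scope not in found:
                found.append(scope)
    return found


def has_required_scopes(claims: dict, authorization_field, scope_prefix,
                        required: Iterable[str]) -> bool:
    """Authorization decision: every required scope must be present in the token."""
    return set(required) <= set(find_api_scopes(claims, authorization_field, scope_prefix))
```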
0.8.1
Fixed
- Admin site logout view caching with Django 4
- Turn an invalid string `amr` claim into an array in the JWT