Workflow

Django-oauth-toolkit

Latest version: v3.0.1

Safety actively analyzes 682244 Python packages for vulnerabilities to keep your Python projects secure.

Scan your dependencies

Page 1 of 8

3.0.1

Fixed
* 1491 Fix migration error when there are pre-existing Access Tokens.

3.0.0

WARNING - POTENTIAL BREAKING CHANGES
* Changes to the `AbstractAccessToken` model require doing a `manage.py migrate` after upgrading.
* If you use swappable models you will need to make sure your custom models are also updated (usually `manage.py makemigrations`).
* Old Django versions below 4.2 are no longer supported.
* A few deprecations warned about in 2.4.0 (1345) have been removed. See below.

Added
* 1366 Add Docker containerized apps for testing IDP and RP.
* 1454 Added compatibility with `LoginRequiredMiddleware` introduced in Django 5.1.

Changed
* Many documentation and project internals improvements.
* 1446 Use generic models `pk` instead of `id`. This enables, for example, custom swapped models to have a different primary key field.
* 1447 Update token to TextField from CharField. Removing the 255 character limit enables supporting JWT tokens with additional claims.
This adds a SHA-256 `token_checksum` field that is used to validate tokens.
* 1450 Transactions wrapping writes of the Tokens now rely on Django's database routers to determine the correct
database to use instead of assuming that 'default' is the correct one.
* 1455 Changed minimum supported Django version to >=4.2.

Removed
* 1425 Remove deprecated `RedirectURIValidator`, `WildcardSet` per 1345; `validate_logout_request` per 1274

Fixed
* 1444, 1476 Fix several 500 errors to instead raise appropriate errors.
* 1469 Fix `ui_locales` request parameter triggers `AttributeError` under certain circumstances

Security
* 1452 Add a new setting [`REFRESH_TOKEN_REUSE_PROTECTION`](https://django-oauth-toolkit.readthedocs.io/en/latest/settings.html#refresh-token-reuse-protection).
In combination with [`ROTATE_REFRESH_TOKEN`](https://django-oauth-toolkit.readthedocs.io/en/latest/settings.html#rotate-refresh-token),
this prevents refresh tokens from being used more than once. See more at
[OAuth 2.0 Security Best Current Practice](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-29#name-recommendations)
* 1481 Bump oauthlib version required to 3.2.2 and above to address [CVE-2022-36087](https://github.com/advisories/GHSA-3pgj-pg6c-r5p7).

2.4.0

Not secure
WARNING
Issues caused by **Release 2.0.0 breaking changes** continue to be logged. Please **make sure to carefully read these release notes** before
performing a MAJOR upgrade to 2.x.

These issues both result in `{"error": "invalid_client"}`:

1. The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail.

2. `PKCE_REQUIRED` is now `True` by default. You should use PKCE with your client or set `PKCE_REQUIRED=False` if you are unable to fix the client.

If you are going to revert migration 0006 make note that previously hashed client_secret cannot be reverted!

Added
* 1304 Add `OAuth2ExtraTokenMiddleware` for adding access token to request.
See [Setup a provider](https://django-oauth-toolkit.readthedocs.io/en/latest/tutorial/tutorial_03.html#setup-a-provider) in the Tutorial.
* 1273 Performance improvement: Add caching of loading of OIDC private key.
* 1285 Add `post_logout_redirect_uris` field in the [Application Registration form](https://django-oauth-toolkit.readthedocs.io/en/latest/templates.html#application-registration-form-html)
* 1311,1334 (**Security**) Add option to disable client_secret hashing to allow verifying JWTs' signatures when using
[HS256 keys](https://django-oauth-toolkit.readthedocs.io/en/latest/oidc.html#using-hs256-keys).
This means your client secret will be stored in cleartext but is the only way to successfully use HS256 signed JWT's.
* 1350 Support Python 3.12 and Django 5.0
* 1367 Add `code_challenge_methods_supported` property to auto discovery information, per [RFC 8414 section 2](https://www.rfc-editor.org/rfc/rfc8414.html#page-7)
* 1328 Adds the ability to [define how to store a user profile](https://django-oauth-toolkit.readthedocs.io/en/latest/oidc.html#define-where-to-store-the-profile).

Fixed
* 1292 Interpret `EXP` in AccessToken always as UTC instead of (possibly) local timezone.
Use setting `AUTHENTICATION_SERVER_EXP_TIME_ZONE` to enable different time zone in case the remote
authentication server does not provide EXP in UTC.
* 1323 Fix instructions in [documentation](https://django-oauth-toolkit.readthedocs.io/en/latest/getting_started.html#authorization-code)
on how to create a code challenge and code verifier
* 1284 Fix a 500 error when trying to logout with no id_token_hint even if the browser session already expired.
* 1296 Added reverse function in migration `0006_alter_application_client_secret`. Note that reversing this migration cannot undo a hashed `client_secret`.
* 1345 Fix encapsulation for Redirect URI scheme validation. Deprecates `RedirectURIValidator` in favor of `AllowedURIValidator`.
* 1357 Move import of setting_changed signal from test to django core modules.
* 1361 Fix prompt=none redirects to login screen
* 1380 Fix AttributeError in OAuth2ExtraTokenMiddleware when a custom AccessToken model is used.
* 1288 Fix 1276 which attempted to resolve 1092 for requests that don't have a client_secret per [RFC 6749 4.1.1](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1.1)
* 1337 Gracefully handle expired or deleted refresh tokens, in `validate_user`.
* Various documentation improvements: 1410, 1408, 1405, 1399, 1401, 1396, 1375, 1162, 1315, 1307

Removed
* 1350 Remove support for Python 3.7 and Django 2.2

2.3.0

Not secure
WARNING

Issues caused by **Release 2.0.0 breaking changes** continue to be logged. Please **make sure to carefully read these release notes** before
performing a MAJOR upgrade to 2.x.

These issues both result in `{"error": "invalid_client"}`:

1. The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail.

2. `PKCE_REQUIRED` is now `True` by default. You should use PKCE with your client or set `PKCE_REQUIRED=False` if you are unable to fix the client.

Added
* Add Japanese(日本語) Language Support
* 1244 implement [OIDC RP-Initiated Logout](https://openid.net/specs/openid-connect-rpinitiated-1_0.html)
* 1092 Allow Authorization Code flow without a client_secret per [RFC 6749 2.3.1](https://www.rfc-editor.org/rfc/rfc6749.html#section-2.3.1)
* 1264 Support Django 4.2.

Changed
* 1222 Remove expired ID tokens alongside access tokens in `cleartokens` management command
* 1267, 1253, 1251, 1250, 1224, 1212, 1211 Various documentation improvements

2.2.0

Not secure
Added
* 1208 Add 'code_challenge_method' parameter to authorization call in documentation
* 1182 Add 'code_verifier' parameter to token requests in documentation

Changed
* 1203 Support Django 4.1.

Fixed
* 1203 Remove upper version bound on Django, to allow upgrading to Django 4.1.1 bugfix release.
* 1210 Handle oauthlib errors on create token requests

2.1.0

Not secure
Added
* 1164 Support `prompt=login` for the OIDC Authorization Code Flow end user [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
* 1163 Add French (fr) translations.
* 1166 Add Spanish (es) translations.

Changed
* 1152 `createapplication` management command enhanced to display an auto-generated secret before it gets hashed.
* 1172, 1159, 1158 documentation improvements.

Fixed
* 1147 Fixed 2.0.0 implementation of [hashed](https://docs.djangoproject.com/en/stable/topics/auth/passwords/) client secret to work with swapped models.

Page 1 of 8

Links

Releases

Has known vulnerabilities

Next

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.