All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
- Security update for `python-jose` from version 3.3.0 to 3.4.0
- `Origin` header should NOT be present if the Azure app is not a SPA.
- Explicit compatibility with django 5.1
- Fix a migration error from version 1.1.0 on a non-empty database (gitlab #26).
- Explicit compatibility with django 5.1
- Security package upgrades
- Azure tenant PKCE public app fix (`Origin` header was missing)
- Final fix for MySQL on InnoDB with a max key length of 3072, by putting the constraint in its own migration (github #21). Thanks Jurymax99 for the suggested merge request.
- Allow logout even when using the Django `ModelBackend` (github #25)
- Do not send the client secret, even if defined, with PKCE by default (github #18). This can be overridden with the `OIDC_RP_FORCE_SECRET_WITH_PKCE` parameter.
- Gitlab CI upgrades
- Redirect after total logout could happen with a GET (#10)
- allow empty client secret (QE-625, gitlab #9)
- User logged in signal doc example, thanks @pinoatrome (github #16)
- Drop python 3.7, support python 3.12 and django 5
- Fix timestamp-awareness inside `RefreshSession` and `RefreshAccessToken` middlewares
- Each log (debug, warning, error) is now correctly bound to the module name.
- Mypy 1.0
- Added documentation and changelog URLs for PyPI
- Default value for `jwks` in `BearerAuthenticationBackend` should be a dict, not a list.
- Fix blacklist expiration for tokens where seconds were used as hours
- Fix `_clear_cache` method in `CacheBaseView`: it was not clearing the session correctly.
- Configuration could not be updated when using unit tests. This is now fixed. No impact on lib usage.
- Respect the optional `fail` parameter of the `@login_required` decorator.
- Middlewares should not inherit from the deprecated `MiddlewareMixin`.
- If the user does not exist on the request, do not crash in `Oauth2MiddlewareMixin.is_oidc_enabled`.
- Allow overriding `MIN_SECONDS` in `RefreshSessionMiddleware`.
- Use UTC time in `RefreshAccessTokenMiddleware`, `RefreshSessionMiddleware`.
- `LoginRequiredMiddleware`
- Documentation about `@login_required`
- `pytz` removed. `datetime.timezone.utc` is the only thing required.
- URLs listed in `OIDC_MIDDLEWARE_NO_AUTH_URL_PATTERNS` will not be tried for authentication in `auth.py`
- Allow specifying individual `userinfo` and `id_token` claims to request along with the ID token if the OP supports it (Eric Plaster, mr !12).
- `OIDC_EXTEND_USER` callable can now take a `request` and `access_token` as additional arguments (compatibility is assured).
- Migrate can raise an `IntegrityError` (ticket #7).
- All parameters that accept a function can also accept a dotted string to import the function.
- Migrate from `pipenv` to the `poetry` system.
- Missing Django migration
- Allow Django 4.1+ (but not 5.0)
- Add Python 3.11 in classifier
- Dependencies upgrade
- Allow usage with Django 4.0 and update classifiers
- Make the code compatible with Python 3.7
- Allow scrambling the password only when creating an account instead of on each SSO connection/renewal
- Allow `user` extension with a callable using `claims`
- User `email` field was filled with the raw `email` value instead of the actual value if `OIDC_EMAIL_CLAIM` was not set.
- No error 500 on expired authentication because the database session might not be found
- Prevent infinite redirect to authenticate view when using any middleware (session was not cleared properly)
- Use `Authorization` header for `USERINFO` instead of request param
- `token` field in `BlacklistedToken` table changed from `TextField` to `CharField(max_length=15000)` for MySQL compatibility
- Register JSON web keys to session only if not already registered
- Fix error handling by adding required method parameter
- `email`, `first_name` and `last_name` cannot be None. Fallback to empty string.
- Correctly check for status code ok when getting access token.
- Fix doc about `SESSION_COOKIE_SECURE`
- Fix typo in f-string
- OP.md with settings examples for multiple OIDC Providers
- Management commands were not included in the package
- Initialize library