File python-django-oauth-toolkit.changes of Package python-django-oauth-toolkit
-------------------------------------------------------------------
Fri May 16 08:06:40 UTC 2025 - Steve Kowalik <steven.kowalik@suse.com>
- Update to 3.0.1:
* Security
+ Add a new setting REFRESH_TOKEN_REUSE_PROTECTION.
+ Bump oauthlib version required to 3.2.2 and above.
* Added
+ Added compatibility with LoginRequiredMiddleware introduced in Django
5.1.
+ Add OAuth2ExtraTokenMiddleware for adding access token to request.
+ Add option to disable client_secret hashing to allow verifying JWTs'
signatures when using HS256 keys.
+ Support Python 3.12 and Django 5.0
+ Adds the ability to define how to store a user profile.
+ implement OIDC RP-Initiated Logout
+ Allow Authorization Code flow without a client_secret.
+ Support Django 4.2.
+ Support prompt=login for the OIDC Authorization Code Flow end user
Authentication Request.
+ Add "scopes_supported" to the ConnectDiscoveryInfoView.
* Changed
+ createapplication management command enhanced to display an
auto-generated secret before it gets hashed.
+ Changed default value of PKCE_REQUIRED to True.
+ Changed to implement hashed client_secret values.
+ Add default configurable OIDC standard scopes that determine which
claims are returned.
+ Make the access_token available to get_oidc_claims when called from
get_userinfo_claims.
+ Added --algorithm argument to createapplication management command
* Fixed
+ Fix migration error when there are pre-existing Access Tokens.
+ Interpret EXP in AccessToken always as UTC instead of (possibly) local
timezone.
+ Fix a 500 error when trying to logout with no id_token_hint even if the
browser session already expired.
+ Fix prompt=none redirects to login screen
+ Fix AttributeError in OAuth2ExtraTokenMiddleware when a custom
AccessToken model is used.
+ Handle oauthlib errors on create token requests
+ Fix validate_bearer_token() to properly set request.scopes to the list
of granted scopes.
+ Fixed help text for --skip-authorization argument of the
createapplication management command.
* Removed
+ Remove support for Python 3.7 and Django 2.2
+ Removes support for insecure urn:ietf:wg:oauth:2.0:oob and
urn:ietf:wg:oauth:2.0:oob:auto which are replaced by RFC 8252
"OAuth 2.0 for Native Apps" BCP.
- Switch to pyproject macros.
- No more greedy globs in %files.
- Drop patch stop-using-pk-to-reference-tokens.patch, no longer required.
-------------------------------------------------------------------
Sat Jan 18 15:20:48 UTC 2025 - ecsos <ecsos@opensuse.org>
- Add %{?sle15_python_module_pythons}
- Add missing build require python-pytz.
-------------------------------------------------------------------
Thu Feb 3 05:55:13 UTC 2022 - Steve Kowalik <steven.kowalik@suse.com>
- Update to 1.7.0:
* #969 Add batching of expired token deletions in cleartokens management command and models.clear_expired() to improve performance for removal of large numers of expired tokens.
* #1070 Add a Celery task for clearing expired tokens, e.g. to be scheduled as a periodic task.
* #1062 Add Brazilian Portuguese (pt-BR) translations.
* #1069 OIDC: Add an alternate form of get_additional_claims()
* #1012 Return 200 status code with {"active": false} when introspecting a nonexistent token per RFC 7662. It had been incorrectly returning 401.
* #1085 Fix for #1083 admin UI search for idtoken results in django.core.exceptions.FieldError: Cannot resolve keyword 'token' into field.
* #1085 Add admin UI search fields for additional models.
* #1056 Add missing migration triggered by Django 4.0 changes to the migrations autodetector.
* #1068 Revert #967 which incorrectly changed an API. See #1066.
* #949 Provide django.contrib.auth.authenticate() with a request for compatibiity with more backends (like django-axes).
* #968, #1039 Add support for Django 3.2 and 4.0.
* #953 Allow loopback redirect URIs using random ports as described in RFC8252 section 7.3.
* #972 Add Farsi/fa language support.
* #978 OIDC: Add support for rotating multiple RSA private keys.
* #978 OIDC: Add new OIDC_JWKS_MAX_AGE_SECONDS to improve jwks_uri caching.
* #967 OIDC: Add additional claims beyond sub to the id_token.
* #1041 Add a search field to the Admin UI (e.g. for search for tokens by email address).
* #981 Require redirect_uri if multiple URIs are registered per RFC6749 section 3.1.2.3
* #991 Update documentation of REFRESH_TOKEN_EXPIRE_SECONDS to indicate it may be int or datetime.timedelta.
* #977 Update Tutorial to show required include.
* #968 Remove support for Django 3.0 & 3.1 and Python 3.6
* #1035 Removes default_app_config for Django Deprecation Warning
* #1023 six should be dropped
* #963 Fix handling invalid hex values in client query strings with a 400 error rather than 500.
* #973 Tutorial updated to use django-cors-headers.
* #956 OIDC: Update documentation of get_userinfo_claims to add the missing argument.
* Adding support for OPENID
- Add patch stop-using-pk-to-reference-tokens.patch:
* Use direct object references to fix a truculent test.
-------------------------------------------------------------------
Fri Apr 3 10:35:36 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>
- Update to 1.3.2:
* #725: HTTP Basic Auth support for introspection (Fix issue #709)
* #812: Reverts #643 pass wrong request object to authenticate function.
* Fix concurrency issue with refresh token requests (#810)
* #817: Reverts #734 tutorial documentation error.
* Add support for Python 3.7 & 3.8
* Add support for Django>=2.1,<3.1
* Add requirement for oauthlib>=3.0.1
* Add support for Proof Key for Code Exchange (PKCE, RFC 7636).
* Add support for custom token generators (e.g. to create JWT tokens).
* Add new OAUTH2_PROVIDER settings:
* ACCESS_TOKEN_GENERATOR to override the default access token generator.
* REFRESH_TOKEN_GENERATOR to override the default refresh token generator.
* EXTRA_SERVER_KWARGS options dictionary for oauthlib's Server class.
* Add id in toolkit admin console applications list.
* Add nonstandard Google support for [urn:ietf:wg:oauth:2.0:oob] redirect_uri
for Google OAuth2 "manual copy/paste".
- Remove no longer needed test-response-401.patch
-------------------------------------------------------------------
Thu Oct 3 08:19:37 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com>
- Skip tests that return 200 instead of 400, even in upstream git
* recheck with the next release
-------------------------------------------------------------------
Mon Sep 16 09:24:25 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com>
- Update to 1.2.0:
* Compatibility: Python 3.4 is the new minimum required version.
* Compatibility: Django 2.0 is the new minimum required version.
* New feature: Added TokenMatchesOASRequirements Permissions.
* validators.URIValidator has been updated to match URLValidator behaviour more closely.
* Moved redirect_uris validation to the application clean() method.
-------------------------------------------------------------------
Tue Mar 5 07:50:55 UTC 2019 - John Vandenberg <jayvdb@gmail.com>
- Increase minimum Django to 1.11
- Add %doc and %license
- Add %check and use test-response-401.patch to workaround test failures
- Update URLs to new repository
- Drop unnecessary build dependency on devel
- Fix %fdupes
- Update to v1.1.3
* Fix a concurrency issue with Refresh Tokens
* Fix Refresh Token revocation when the Access Token does not exist
- from 1.1.2
* Return state with Authorization Denied error (RFC6749 section 4.1.2.1)
* Fix a crash with malformed base64 authentication headers
* Fix a crash with malformed IPv6 redirect URIs
- from 1.1.1
* **Critical**: v1.1.0 contained a migration that would revoke all
existing RefreshTokens (`0006_auto_20171214_2232`). This release
corrects the migration. If you have already ran it in production,
please see the following issue for more details:
https://github.com/jazzband/django-oauth-toolkit/issues/589
-------------------------------------------------------------------
Thu Oct 5 11:40:07 UTC 2017 - chhuang@suse.de
- Add version 1.0.0 for python2 and 3
-------------------------------------------------------------------
Mon Oct 2 13:50:45 UTC 2017 - cherry@localhost
- Add for #85: API authentication
-------------------------------------------------------------------
Mon Oct 2 10:14:48 UTC 2017 - cherry@localhost
- Add latest version 1.0.0
