All notable changes to this project will be documented in this file.
- #725: HTTP Basic Auth support for introspection (Fix issue #709)
- Add support for Python 3.7 & 3.8
- Add support for Django>=2.1,<3.1
- Add requirement for oauthlib>=3.0.1
- Add support for Proof Key for Code Exchange (PKCE, RFC 7636).
- Add support for custom token generators (e.g. to create JWT tokens).
- Add new
ACCESS_TOKEN_GENERATORto override the default access token generator.
REFRESH_TOKEN_GENERATORto override the default refresh token generator.
EXTRA_SERVER_KWARGSoptions dictionary for oauthlib’s Server class.
PKCE_REQUIREDto require PKCE.
createapplicationmanagement command to create an application.
idin toolkit admin console applications list.
- Add nonstandard Google support for [urn:ietf:wg:oauth:2.0:oob]
redirect_urifor Google OAuth2 “manual copy/paste”. N.B. this feature appears to be deprecated and replaced with methods described in RFC 8252: OAuth2 for Native Apps and may be deprecated and/or removed from a future release of Django-oauth-toolkit.
- Remove support for Python 3.4
- Remove support for Django<=2.0
- Remove requirement for oauthlib<3.0
- Fix a race condition in creation of AccessToken with external oauth2 server.
- Fix several concurrency issues. (#638)
- Fix to pass
- Fix missing
oauth2_errorproperty exception oauthlib_core.verify_request method raises exceptions in authenticate. (#633)
- Fix “django.db.utils.NotSupportedError: FOR UPDATE cannot be applied to the nullable side of an outer join” for postgresql. (#714)
- Fix to return a new refresh token during grace period rather than the recently-revoked one. (#702)
- Fix a bug in refresh token revocation. (#625)
- Compatibility: Python 3.4 is the new minimum required version.
- Compatibility: Django 2.0 is the new minimum required version.
- New feature: Added TokenMatchesOASRequirements Permissions.
- validators.URIValidator has been updated to match URLValidator behaviour more closely.
redirect_urisvalidation to the application clean() method.
- Return state with Authorization Denied error (RFC6749 section 126.96.36.199)
- Fix a crash with malformed base64 authentication headers
- Fix a crash with malformed IPv6 redirect URIs
- Critical: Django OAuth Toolkit 1.1.0 contained a migration that would revoke all existing
0006_auto_20171214_2232). This release corrects the migration. If you have already ran it in production, please see the following issue for more details: https://github.com/jazzband/django-oauth-toolkit/issues/589
- Notice: The Django OAuth Toolkit project is now hosted by JazzBand.
- Compatibility: Django 1.11 is the new minimum required version. Django 1.10 is no longer supported.
- Compatibility: This will be the last release to support Django 1.11 and Python 2.7.
- New feature: Option for RFC 7662 external AS that uses HTTP Basic Auth.
- New feature: Individual applications may now override the
ALLOWED_REDIRECT_URI_SCHEMESsetting by returning a list of allowed redirect uri schemes in
- New feature: The new setting
ERROR_RESPONSE_WITH_SCOPEScan now be set to True to include required scopes when DRF authorization fails due to improper scopes.
- New feature: The new setting
REFRESH_TOKEN_GRACE_PERIOD_SECONDScontrols a grace period during which refresh tokens may be re-used.
app_authorizedsignal is fired when a token is generated.
- New feature: AccessToken, RefreshToken and Grant models are now swappable.
- #477: New feature: Add support for RFC 7662 (IntrospectTokenView, introspect scope)
- Compatibility: Django 1.10 is the new minimum required version
- Compatibility: Django 1.11 is now supported
- Backwards-incompatible: The
oauth2_provider.ext.rest_frameworkmodule has been moved to
- #177: Changed
idfield on Application, AccessToken, RefreshToken and Grant to BigAutoField (bigint/bigserial)
- #321: Added
updatedauto fields to Application, AccessToken, RefreshToken and Grant
- #476: Disallow empty redirect URIs
- Fixed bad
urlparameter in some error responses.
- Django 2.0 compatibility fixes.
- The dependency on django-braces has been dropped.
- The oauthlib dependency is no longer pinned.
- New feature: Class-based scopes backends. Listing scopes, available scopes and default scopes
is now done through the class that the
SCOPES_BACKEND_CLASSsetting points to. By default, this is set to
oauth2_provider.scopes.SettingsScopeswhich implements the legacy settings-based scope behaviour. No changes are necessary.
- Dropped support for Python 3.2 and Python 3.3, added support for Python 3.6
- Support for the
scopesquery parameter, deprecated in 0.6.1, has been dropped
- #448: Added support for customizing applications’ allowed grant types
- #141: The
is_usable(request)method on the Application model can be overridden to dynamically enable or disable applications.
- #434: Relax URL patterns to allow for UUID primary keys
- #315: AuthorizationView does not overwrite requests on get
- #425: Added support for Django 1.10
- #396: added an IsAuthenticatedOrTokenHasScope Permission
- #357: Support multiple-user clients by allowing User to be NULL for Applications
- #389: Reuse refresh tokens if enabled.
- #322: dropping support for python 2.6 and django 1.4, 1.5, 1.6
- #310: Fixed error that could occur sometimes when checking validity of incomplete AccessToken/Grant
- #333: Added possibility to specify the default list of scopes returned when scope parameter is missing
- #325: Added management views of issued tokens
- #249: Added a command to clean expired tokens
- #323: Application registration view uses custom application model in form class
server_classis now pluggable through Django settings
- #309: Add the py35-django19 env to travis
- #308: Use compact syntax for tox envs
- #306: Django 1.9 compatibility
- #288: Put additional information when generating token responses
- #297: Fixed doc about SessionAuthenticationMiddleware
- #273: Generic read write scope by resource
oauthlib_backend_classis now pluggable through Django settings
application/jsonContent-Type is now supported using
- #238: Fixed redirect uri handling in case of error
- #229: Invalidate access tokens when getting a new refresh token
- added support for oauthlib 1.0
- Fix the migrations to be two-step and allow upgrade from 0.7.2
- South migrations fixed. Added new django migrations.
- Several docs improvements and minor fixes
- #185: fixed vulnerabilities on Basic authentication
- #173: ProtectResourceMixin now allows OPTIONS requests
- #169: hide sensitive informations in error emails
- #161: extend search to all token types when revoking a token
- #160: return empty response on successful token revocation
- #157: skip authorization form with
- #155: allow custom uri schemes
get_application_modelon Django 1.7
- fixed non rotating refresh tokens
- #137: fixed base template
- #38: create access tokens not bound to a user instance for client credentials flow
- Don’t pin oauthlib
- Added database indexes to the OAuth2 related models to improve performances.
Warning: schema migration does not work for sqlite3 database, migration should be performed manually
- Created a setting for the default value for approval prompt.
- Improved docs
- Don’t pin django-braces and six versions
Backwards incompatible changes in 0.7.0
- Make Application model truly “swappable” (introduces a new non-namespaced setting
- added support for
scopequery parameter keeping backwards compatibility for the original
- str method in Application model returns content of
namefield when available
- oauthlib 0.6.1 support
- Django dev branch support
- Python 2.6 support
- Skip authorization form via
- Several fixes to the docs
- Issue #71: Fix migrations
- Issue #65: Use OAuth2 password grant with multiple devices
- Issue #84: Add information about login template to tutorial.
- Issue #64: Fix urlencode clientid secret
- oauthlib 0.6.0 support
Backwards incompatible changes in 0.5.0
backends.pymodule has been renamed to
oauth2_backends.pyso you should change your imports whether you’re extending this module
- Issue #54: Auth backend proposal to address #50
- Issue #61: Fix contributing page
- Issue #55: Add support for authenticating confidential client with request body params
- Issue #53: Quote characters in the url query that are safe for Django but not for oauthlib
- Optimize queries on access token validation
- Add Application management views, you no more need the admin to register, update and delete your application.
- Add support to configurable application model
- Add support for function based views
Backwards incompatible changes in 0.4.0
SCOPEattribute in settings is now a dictionary to store
oauth2_provideris mandatory in urls. See issue #36
- Issue #25: Bug in the Basic Auth parsing in Oauth2RequestValidator
- Issue #24: Avoid generation of
client_idwith “:” colon char when using HTTP Basic Auth
- Issue #21: IndexError when trying to authorize an application
- Issue #9:
default_redirect_uriis mandatory when
- Issue #22: Scopes need a verbose description
- Issue #33: Add django-oauth-toolkit version on example main page
- Issue #36: Add mandatory namespace to urls
- Issue #31: Add docstring to OAuthToolkitError and FatalClientError
- Issue #32: Add docstring to
- Issue #34: Documentation tutorial part1 needs corsheaders explanation
- Issue #36: Add mandatory namespace to urls
- Issue #45: Add docs for AbstractApplication
- Issue #47: Add docs for views decorators
- Bugfix #37: Error in migrations with custom user on Django 1.5
- Bugfix #27: OAuthlib refresh token refactoring
- Django REST Framework integration layer
- Bugfix #13: Populate request with client and user in
- Bugfix #12: Fix paths in documentation
Backwards incompatible changes in 0.3.0
requested_scopesparameter in ScopedResourceMixin changed to
- Core optimizations
- Add support for Django1.4 and Django1.6
- Add support for Python 3.3
- Add a default ReadWriteScoped view
- Add tutorial to docs
- Support OAuth2 Authorization Flows
- Discussion with Daniel Greenfeld at Django Circus