- Added PKCE support in the authorization code flow.
- Gracefully handle www-authenticate header with missing error_description. Thanks @vinitsharswat and @adamj9431
- Lint project with black.
- Add support for Django 4
- Document OIDC_OP_JWKS_ENDPOINT. Thanks @yoctozepto
- Update typo in comments. Thanks @rabbit-aaron
- LOGIN_REDIRECT_URL now accepts a named url pattern. Thanks @dispiste
- Pass OIDC_AUTH_REQUEST_EXTRA_PARAMS to SessionRefresh. Thanks @melanger
- Remove state from session after failed authentication attempts. Thanks @cfra
- Do not call auth.login() on session refresh. Thanks crgwbr
Backwards-incompatible changes:
- Drop Python 3.6 support
- Drop Django 2.x Support
- Drop Django 3.1 support
- Make get_or_create_user compatible with custom scope configuration by moving scope-specific code to describe_user_by_claims. Thanks @cfra
- Add support for Django 3.2. Thanks @jannh
- Add configuration to opt in to logout using GET
- Fix url encoding using escaped space characters
- Pass email as named argument in create_user
- Do not fail if JWK does not have a key ID Thanks @cfra
- Update middleware init to configure settings Thanks @dreynolds
- Add SessionAuthentication to DRF auth class Thanks @SpyTec
Backwards-incompatible changes:
- Drop Django 1.x support
- Drop Python2 support
- Fix error in README.rst Thanks @der-gabe
- Fix JWKS handling when the same kid value is used across JWKs with different alg specified Thanks @davidjb
- Support regex patterns in OIDC_EXEMPT_URLS, to allow exempting session refreshes in SessionMiddleware for URLs matching the pattern. Thanks @jwhitlock
- Move nonce outside of add_state_and_nonce_to_session method.
- Change log level to info for the add_state_and_verifier_and_nonce_to_session.
- Session save/load management Thanks @Flor1an-dev
- Allow multiple parallel login sessions Thanks @istreeter
- Add support for Django 3.x Thanks @jaap3
- Use new E2E testing images from mozilla namespace
- Remove support for EOL'ed Django versions
- Add Mozilla code of conduct
- Allow overriding OIDC settings per class
- Make verify_claims compatible with custom scope configuration.
- Improve travis automation for PyPI releases
- Allow basic auth for OIDC token endpoint requests Thanks @anttipalola
- Replace phantomjs with firefox headless for e2e testing
- Add default email verification claim check Thanks @kerrermanisNL
- Remove compatibility code for unsupported Django versions
- Add settings to control redirect behavior Thanks @chrisbrantley
- Fix JWKS handling when OP returns multiple keys Thanks @JustinAzoff
- Fix is_safe_url on Django 2.1
- Fix signature in authenticate method to be compatible with Django 2.1
- Remove legacy code for unsupported Django < 1.11 Thanks @SirTyson
- Installation doc fixes Thanks @mklan
- Drop support for unsupported Django 1.8 and Python 3.3.
- Refactor authentication backend to make it easier to extend. Required by DRF support feature.
- Add DRF support Thanks @anlutro
- Improve local docker environment setup
- Add flag to allow using unsecured tokens
- Allow using JWK with optional alg. Thanks @Algogator
- Add OIDC_AUTHENTICATION_CALLBACK_URL as a new configuration parameter
- Fail earlier when JWS algorithm does not match OIDC_RP_SIGN_ALGO. Thanks @anlutro
- RS256 verification through settings.OIDC_OP_JWKS_ENDPOINT. Thanks @GermanoGuerrini
- Refactor OIDCAuthenticationBackend so that token retrieval methods can be overridden in a subclass when you need to.
Backwards-incompatible changes:
- OIDC_OP_LOGOUT_URL_METHOD takes a request parameter now.
- Changed name of RefreshIDToken middleware to SessionRefresh.
- Add e2e tests and automation
- Add caching for exempt URLs
- Fix logout when session refresh fails
- Add Django 2.0 support
- Fix tox configuration
Backwards-incompatible changes:
- Drop Django 1.10 support
- Fix OIDC_USERNAME_ALGO to actually load dotted import path of callback.
- Add verify_claims method for advanced authentication checks
- Send bytes to josepy. Fixes python3 support.
Security issues:
- High: Replace python-jose with josepy and use pyca/cryptography instead of pycrypto (CVE-2013-7459).
Backwards-incompatible changes:
- OIDC_RP_IDP_SIGN_KEY no longer uses the JWK JSON as dict but PEM or DER keys instead.
Features:
- Implement RS256 verification Thanks @puiterwijk
Bugs:
- Use settings.OIDC_VERIFY_SSL also when validating the token. Thanks @GermanoGuerrini
- Make OpenID Connect scope configurable. Thanks @puiterwijk
- Add path host injection unit-test (#171)
- Revisit OIDC_STORE_{ACCESS,ID}_TOKEN config entries
- Allow configuration of additional auth parameters
Security issues:
- Medium: Sanitize next url for authentication view
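As an added illustration of the kind of check behind the "sanitize next url" fix above (example code, not mozilla-django-oidc's own; it mirrors the intent of Django's url_has_allowed_host_and_scheme() without importing Django, and the function names and the example.com host are assumptions):

```python
from urllib.parse import urlparse

# Added example, not the project's code: validate the "next" parameter an
# authentication view redirects to after login, so an attacker-supplied value
# cannot turn the login callback into an open redirect.

def _host_and_scheme_allowed(url, allowed_hosts, require_https):
    if url.startswith("///"):
        # Browsers treat "///evil.com" as a scheme-relative absolute URL.
        return False
    try:
        parsed = urlparse(url)
    except ValueError:
        return False
    if parsed.scheme and not parsed.netloc:
        # "javascript:alert(1)" and "https:///evil.com" land here.
        return False
    scheme = parsed.scheme
    if parsed.netloc and not scheme:
        # Scheme-relative "//host/path" is fetched over http by default.
        scheme = "http"
    valid_schemes = ("https",) if require_https else ("http", "https")
    # netloc keeps userinfo, so "https://example.com@evil.com/" is rejected.
    host_ok = not parsed.netloc or parsed.netloc in allowed_hosts
    scheme_ok = not scheme or scheme in valid_schemes
    return host_ok and scheme_ok


def is_safe_next_url(url, allowed_hosts, require_https=False):
    """True only if `url` is relative or points at a host in allowed_hosts."""
    if not url:
        return False
    url = url.strip()
    if not url or any(ord(ch) < 0x20 for ch in url):
        # Control characters (e.g. CRLF) are never part of a legitimate path.
        return False
    # Browsers rewrite backslashes to slashes, so "/\evil.com" is really
    # "//evil.com". Check both spellings and require both to pass.
    return (_host_and_scheme_allowed(url, allowed_hosts, require_https)
            and _host_and_scheme_allowed(url.replace("\\", "/"),
                                         allowed_hosts, require_https))


def sanitize_next(url, allowed_hosts, fallback="/", require_https=False):
    """Return `url` if it passes the check, otherwise the local fallback."""
    if is_safe_next_url(url, allowed_hosts, require_https):
        return url
    return fallback
```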
Security issues:
- Low: Logout using POST not GET (#126)
Backwards-incompatible changes:
- The settings.SITE_URL is no longer used. Instead the absolute URL is derived from the request's get_host().
- Only logging out via HTTP POST is allowed.
Bugs:
- Test suite maintenance (#108, #109, #142)
Backwards-incompatible changes:
- Drop support for Django 1.9 (#130). If you're using Django 1.9, you should update Django first.
- Move middleware to mozilla_django_oidc.middleware and change it to use the authentication endpoint with prompt=none (#94). You'll need to update your MIDDLEWARE_CLASSES/MIDDLEWARE setting accordingly.
- Remove legacy base64 handling of OIDC secret. Now RP secret should be plaintext.
Features:
- Add support for Django 1.11 and Python 3.6 (#85)
- Update middleware to work with Django 1.10+ (#90)
- Documentation updates
- Rework test infrastructure so it's tox-based (#100)
Bugs:
- Always decode verified token before json.load() (#116)
- Always redirect to logout_url even when logged out (#121)
- Change email matching to be case-insensitive (#102)
- Allow combining OIDCAuthenticationBackend with other backends (#87)
- fix is_authenticated usage for Django 1.10+ (#125)
- First release on PyPI.