From c7caea195b0a4c7dc5df49182b7053cd98522ef7 Mon Sep 17 00:00:00 2001 From: Alan Crosswell Date: Mon, 13 May 2024 10:22:53 -0400 Subject: [PATCH 1/4] in-process release 2.4.0 pending some late PR merges. --- CHANGELOG.md | 32 ++++++++++++++++++++++++-------- oauth2_provider/__init__.py | 2 +- 2 files changed, 25 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d9fe0ac91..a4cbfb61d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -15,19 +15,32 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 --> ## [unreleased] - +### Added +### Changed +### Deprecated +### Removed ### Fixed -* #1292 Interpret `EXP` in AccessToken always as UTC instead of own key -* #1292 Introduce setting `AUTHENTICATION_SERVER_EXP_TIME_ZONE` to enable different time zone in case remote - authentication server doe snot provide EXP in UTC +### Security + +## [2.4.0] - 2024-05-08 ### WARNING -* If you are going to revert migration 0006 make note that previously hashed client_secret cannot be reverted +Issues caused by **Release 2.0.0 breaking changes** continue to be logged. Please **make sure to carefully read these release notes** before +performing a MAJOR upgrade to 2.x. + +These issues both result in `{"error": "invalid_client"}`: + +1. The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail. + +2. `PKCE_REQUIRED` is now `True` by default. You should use PKCE with your client or set `PKCE_REQUIRED=False` if you are unable to fix the client. + +3. If you are going to revert migration 0006 make note that previously hashed client_secret cannot be reverted! ### Added -* #1185 Add middleware for adding access token to request -* #1273 Add caching of loading of OIDC private key. -* #1285 Add post_logout_redirect_uris field in application views. +* #1304 Add `OAuth2ExtraTokenMiddleware` for adding access token to request. + See [Setup a provider](https://django-oauth-toolkit.readthedocs.io/en/latest/tutorial/tutorial_03.html#setup-a-provider) in the Tutorial. +* #1273 Performance improvement: Add caching of loading of OIDC private key. +* #1285 Add `post_logout_redirect_uris` field in the [Application Registration form](https://django-oauth-toolkit.readthedocs.io/en/latest/templates.html#application-registration-form-html) * #1311 Add option to disable client_secret hashing to allow verifying JWTs' signatures. 
* #1337 Gracefully handle expired or deleted refresh tokens, in `validate_user`. * #1350 Support Python 3.12 and Django 5.0 @@ -36,6 +49,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Fixed +* #1292 Interpret `EXP` in AccessToken always as UTC instead of (possibly) local timezone. +* #1292 Introduce setting `AUTHENTICATION_SERVER_EXP_TIME_ZONE` to enable different time zone in case remote + authentication server doe snot provide EXP in UTC * #1322 Instructions in documentation on how to create a code challenge and code verifier * #1284 Allow to logout with no id_token_hint even if the browser session already expired * #1296 Added reverse function in migration 0006_alter_application_client_secret diff --git a/oauth2_provider/__init__.py b/oauth2_provider/__init__.py index 55e470907..3d67cd6bb 100644 --- a/oauth2_provider/__init__.py +++ b/oauth2_provider/__init__.py @@ -1 +1 @@ -__version__ = "2.3.0" +__version__ = "2.4.0" From 685a7b00265c874df20f27b69e9cf034f026bbb5 Mon Sep 17 00:00:00 2001 From: Alan Crosswell Date: Mon, 13 May 2024 11:12:49 -0400 Subject: [PATCH 2/4] Update #1311 documentation to recommend using RS256 rather than HS256. --- CHANGELOG.md | 4 +++- docs/getting_started.rst | 7 ++++++- docs/oidc.rst | 4 ++-- 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a4cbfb61d..bd8211487 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -41,7 +41,9 @@ These issues both result in `{"error": "invalid_client"}`: See [Setup a provider](https://django-oauth-toolkit.readthedocs.io/en/latest/tutorial/tutorial_03.html#setup-a-provider) in the Tutorial. * #1273 Performance improvement: Add caching of loading of OIDC private key. * #1285 Add `post_logout_redirect_uris` field in the [Application Registration form](https://django-oauth-toolkit.readthedocs.io/en/latest/templates.html#application-registration-form-html) -* #1311 Add option to disable client_secret hashing to allow verifying JWTs' signatures. +* #1311 (**Security**) Add option to disable client_secret hashing to allow verifying JWTs' signatures when using + [HS256 keys](https://django-oauth-toolkit.readthedocs.io/en/latest/oidc.html#using-hs256-keys). + This means your client secret will be stored in cleartext but is the only way to successfully use HS256 signed JWT's. * #1337 Gracefully handle expired or deleted refresh tokens, in `validate_user`. * #1350 Support Python 3.12 and Django 5.0 * #1249 Add code_challenge_methods_supported property to auto discovery information, per [RFC 8414 section 2](https://www.rfc-editor.org/rfc/rfc8414.html#page-7) diff --git a/docs/getting_started.rst b/docs/getting_started.rst index 2a0ff500d..80ff9ed71 100644 --- a/docs/getting_started.rst +++ b/docs/getting_started.rst 
@@ -246,7 +246,12 @@ Point your browser to http://127.0.0.1:8000/o/applications/register/ lets create Fill the form as show in the screenshot below and before save take note of ``Client id`` and ``Client secret``, we will use it in a minute. -If you want to use this application with OIDC and ``HS256`` (see :doc:`OpenID Connect `), uncheck ``Hash client secret`` to allow verifying tokens using JWT signatures. This means your client secret will be stored in cleartext but is the only way to successfully use signed JWT's. +If you want to use this application with OIDC and ``HS256`` (see :doc:`OpenID Connect `), uncheck ``Hash client secret`` to allow verifying tokens using JWT signatures. This means your client secret will be stored in cleartext but is the only way to successfully use signed JWT's with ``HS256``. + +.. note:: + ``RS256`` is the more secure algorithm for signing your JWTs. Only use ``HS256`` if you must. + Using ``RS256`` will allow you to keep your ``client_secret`` hashed. + .. image:: _images/application-register-auth-code.png :alt: Authorization code application registration diff --git a/docs/oidc.rst b/docs/oidc.rst index ac9c97161..1669a00d4 100644 --- a/docs/oidc.rst +++ b/docs/oidc.rst @@ -149,8 +149,8 @@ scopes in your ``settings.py``:: } .. note:: - If you want to enable ``RS256`` at a later date, you can do so - just add - the private key as described above. + ``RS256`` is the more secure algorithm for signing your JWTs. Only use ``HS256`` if you must. + Using ``RS256`` will allow you to keep your ``client_secret`` hashed. RP-Initiated Logout From bdb3afaea91985e79d12079175f11287372558c3 Mon Sep 17 00:00:00 2001 From: Alan Crosswell Date: Mon, 13 May 2024 13:26:02 -0400 Subject: [PATCH 3/4] editorial changes to CHANGELOG --- CHANGELOG.md | 35 ++++++++++++++++++----------------- 1 file changed, 18 insertions(+), 17 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bd8211487..c965bc21b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -22,7 +22,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Fixed ### Security -## [2.4.0] - 2024-05-08 +## [2.4.0] - 2024-05-13 ### WARNING Issues caused by **Release 2.0.0 breaking changes** continue to be logged. Please **make sure to carefully read these release notes** before 
@@ -34,34 +34,35 @@ These issues both result in `{"error": "invalid_client"}`: 2. `PKCE_REQUIRED` is now `True` by default. You should use PKCE with your client or set `PKCE_REQUIRED=False` if you are unable to fix the client. -3. If you are going to revert migration 0006 make note that previously hashed client_secret cannot be reverted! +If you are going to revert migration 0006 make note that previously hashed client_secret cannot be reverted! ### Added * #1304 Add `OAuth2ExtraTokenMiddleware` for adding access token to request. See [Setup a provider](https://django-oauth-toolkit.readthedocs.io/en/latest/tutorial/tutorial_03.html#setup-a-provider) in the Tutorial. * #1273 Performance improvement: Add caching of loading of OIDC private key. * #1285 Add `post_logout_redirect_uris` field in the [Application Registration form](https://django-oauth-toolkit.readthedocs.io/en/latest/templates.html#application-registration-form-html) -* #1311 (**Security**) Add option to disable client_secret hashing to allow verifying JWTs' signatures when using +* #1311,#1334 (**Security**) Add option to disable client_secret hashing to allow verifying JWTs' signatures when using [HS256 keys](https://django-oauth-toolkit.readthedocs.io/en/latest/oidc.html#using-hs256-keys). This means your client secret will be stored in cleartext but is the only way to successfully use HS256 signed JWT's. -* #1337 Gracefully handle expired or deleted refresh tokens, in `validate_user`. 
* #1350 Support Python 3.12 and Django 5.0 -* #1249 Add code_challenge_methods_supported property to auto discovery information, per [RFC 8414 section 2](https://www.rfc-editor.org/rfc/rfc8414.html#page-7) -* #1328 Adds the ability to define how to store a user profile - +* #1367 Add `code_challenge_methods_supported` property to auto discovery information, per [RFC 8414 section 2](https://www.rfc-editor.org/rfc/rfc8414.html#page-7) +* #1328 Adds the ability to [define how to store a user profile](https://django-oauth-toolkit.readthedocs.io/en/latest/oidc.html#define-where-to-store-the-profile). ### Fixed * #1292 Interpret `EXP` in AccessToken always as UTC instead of (possibly) local timezone. -* #1292 Introduce setting `AUTHENTICATION_SERVER_EXP_TIME_ZONE` to enable different time zone in case remote - authentication server doe snot provide EXP in UTC -* #1322 Instructions in documentation on how to create a code challenge and code verifier -* #1284 Allow to logout with no id_token_hint even if the browser session already expired -* #1296 Added reverse function in migration 0006_alter_application_client_secret -* #1336 Fix encapsulation for Redirect URI scheme validation -* #1357 Move import of setting_changed signal from test to django core modules -* #1268 fix prompt=none redirects to login screen -* #1381 fix AttributeError in OAuth2ExtraTokenMiddleware when a custom AccessToken model is used -* #1288 fixes #1276 which attempt to resolve #1092 for requests that don't have a client_secret per [RFC 6749 4.1.1](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1.1) + Use setting `AUTHENTICATION_SERVER_EXP_TIME_ZONE` to enable different time zone in case the remote + authentication server does not provide EXP in UTC. 
+* #1323 Fix instructions in [documentation](https://django-oauth-toolkit.readthedocs.io/en/latest/getting_started.html#authorization-code) + on how to create a code challenge and code verifier +* #1284 Fix a 500 error when trying to logout with no id_token_hint even if the browser session already expired. +* #1296 Added reverse function in migration `0006_alter_application_client_secret`. Note that reversing this migration cannot undo a hashed `client_secret`. +* #1345 Fix encapsulation for Redirect URI scheme validation. Deprecates `RedirectURIValidator` in favor of `AllowedURIValidator`. +* #1357 Move import of setting_changed signal from test to django core modules. +* #1361 Fix prompt=none redirects to login screen +* #1380 Fix AttributeError in OAuth2ExtraTokenMiddleware when a custom AccessToken model is used. +* #1288 Fix #1276 which attempted to resolve #1092 for requests that don't have a client_secret per [RFC 6749 4.1.1](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1.1) +* #1337 Gracefully handle expired or deleted refresh tokens, in `validate_user`. +* Various documentation improvements: #1410, #1408, #1405, #1399, #1401, #1396, #1375, #1162, #1315, #1307 ### Removed * #1350 Remove support for Python 3.7 and Django 2.2 From 280d7a74031c25fbd4f450bb8d2b1086531e1a4c Mon Sep 17 00:00:00 2001 From: Alan Crosswell Date: Mon, 13 May 2024 13:48:54 -0400 Subject: [PATCH 4/4] fix line too long --- oauth2_provider/oauth2_validators.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/oauth2_provider/oauth2_validators.py b/oauth2_provider/oauth2_validators.py index 829cde25f..47d65e851 100644 --- a/oauth2_provider/oauth2_validators.py +++ b/oauth2_provider/oauth2_validators.py 
@@ -335,7 +335,8 @@ def get_default_redirect_uri(self, client_id, request, *args, **kwargs): def get_or_create_user_from_content(self, content): """ - An optional layer to define where to store the profile in `UserModel` or a separate model. For example `UserOAuth`, where `user = models.OneToOneField(UserModel)` . + An optional layer to define where to store the profile in `UserModel` or a separate model. + For example `UserOAuth`, where `user = models.OneToOneField(UserModel)` . The function is called after checking that username is in the content.
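Review bot: in the first CHANGELOG hunk of 1/4 (`@@ -15,19 +15,32 @@`), the #1292 entry is moved into the new 2.4.0 Fixed section with its typo intact ("authentication server doe snot provide EXP in UTC"); while the lines are being relocated, write "does not provide EXP in UTC". In the same hunk the new WARNING text says "These issues both result in `{"error": "invalid_client"}`:" and then lists three numbered items, but item 3 (reverting migration 0006) does not produce that error. Both points are corrected later in 3/4; folding that fix into this commit would keep the intermediate history clean.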
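Review bot: in the CHANGELOG hunk of 2/4 (`@@ -41,7 +41,9 @@`), the new **Security**-flagged #1311 entry explains the cost ("your client secret will be stored in cleartext") but not the alternative, even though the same patch adds documentation recommending RS256. Add the recommendation here as well, e.g. "Prefer RS256, which keeps the client secret hashed; only disable hashing if you must use HS256", so a reader of the changelog sees the safer option next to the new setting. Also "HS256 signed JWT's" should read "HS256-signed JWTs" (no possessive apostrophe).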
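Review bot: in the `docs/getting_started.rst` hunk of 2/4, the new `.. note::` states that RS256 "is the more secure algorithm" without saying why; the reason is already on the surrounding lines (HS256 verification needs the client secret in cleartext, RS256 lets it stay hashed), so one sentence tying the two together would make the note self-explanatory. The preceding paragraph also repeats "signed JWT's" where "signed JWTs" is meant.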
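Review bot: in the `docs/oidc.rst` hunk of 2/4 (`@@ -149,8 +149,8 @@`), the removed lines carried the migration guidance "If you want to enable `RS256` at a later date, you can do so - just add the private key as described above." The replacement recommends RS256 but no longer tells an existing HS256 deployment how to switch; keep that sentence alongside the new recommendation rather than replacing it.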
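Review bot: in the second CHANGELOG hunk of 3/4 (`@@ -34,34 +34,35 @@`), several issue references change silently (#1249 to #1367, #1322 to #1323, #1336 to #1345, #1268 to #1361, #1381 to #1380) under a commit titled "editorial changes to CHANGELOG"; please confirm each number against the tracker and say in the commit message that references were corrected, since the changelog is what users will search by issue number. Separately, the #1345 entry introduces a deprecation ("Deprecates `RedirectURIValidator` in favor of `AllowedURIValidator`") under `### Fixed` even though this patch series added a `### Deprecated` heading; move that sentence to the Deprecated section so the API change is not buried in a bug fix.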
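Review bot: in the `oauth2_validators.py` hunk of 4/4, the re-wrapped docstring keeps the stray space before the full stop in "`user = models.OneToOneField(UserModel)` ."; drop it while the line is being touched so the wrap is the only change.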