CHANGELOG.md
Lines changed: 24 additions & 8 deletions
Original file line number
Diff line number
Diff line change
@@ -15,19 +15,32 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
15
15
-->
16
16
17
17
## [unreleased]
18
-
18
+
### Added
19
+
### Changed
20
+
### Deprecated
21
+
### Removed
19
22
### Fixed
20
-
*#1292 Interpret `EXP` in AccessToken always as UTC instead of own key
21
-
*#1292 Introduce setting `AUTHENTICATION_SERVER_EXP_TIME_ZONE` to enable different time zone in case remote
22
-
authentication server doe snot provide EXP in UTC
23
+
### Security
24
+
25
+
## [2.4.0] - 2024-05-08
23
26
24
27
### WARNING
25
-
* If you are going to revert migration 0006 make note that previously hashed client_secret cannot be reverted
28
+
Issues caused by **Release 2.0.0 breaking changes** continue to be logged. Please **make sure to carefully read these release notes** before
29
+
performing a MAJOR upgrade to 2.x.
30
+
31
+
These issues both result in `{"error": "invalid_client"}`:
32
+
33
+
1. The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail.
34
+
35
+
2.`PKCE_REQUIRED` is now `True` by default. You should use PKCE with your client or set `PKCE_REQUIRED=False` if you are unable to fix the client.
36
+
37
+
3. If you are going to revert migration 0006 make note that previously hashed client_secret cannot be reverted!
26
38
27
39
### Added
28
-
*#1185 Add middleware for adding access token to request
29
-
*#1273 Add caching of loading of OIDC private key.
30
-
*#1285 Add post_logout_redirect_uris field in application views.
40
+
*#1304 Add `OAuth2ExtraTokenMiddleware` for adding access token to request.
41
+
See [Setup a provider](https://django-oauth-toolkit.readthedocs.io/en/latest/tutorial/tutorial_03.html#setup-a-provider) in the Tutorial.
42
+
*#1273 Performance improvement: Add caching of loading of OIDC private key.
43
+
*#1285 Add `post_logout_redirect_uris` field in the [Application Registration form](https://django-oauth-toolkit.readthedocs.io/en/latest/templates.html#application-registration-form-html)
31
44
*#1311 Add option to disable client_secret hashing to allow verifying JWTs' signatures.
32
45
*#1337 Gracefully handle expired or deleted refresh tokens, in `validate_user`.
33
46
*#1350 Support Python 3.12 and Django 5.0
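Review bot: The added WARNING item `2.`PKCE_REQUIRED` is now `True` by default...` is missing the space after the ordered-list marker, so Markdown will not render it as list item 2 but as a plain paragraph between items 1 and 3; change it to `2. `PKCE_REQUIRED` is now `True` by default.` so the three "invalid_client" causes render as one numbered list. Two smaller points in the same hunk: the `#1185` reference on the removed middleware line becomes `#1304` on the replacement line, which is worth confirming as the intended PR number since the description is otherwise the same, and the `*#1285 Add `post_logout_redirect_uris` field...` entry is the only Added item without a terminating period.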
@@ -36,6 +49,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
36
49
37
50
38
51
### Fixed
52
+
*#1292 Interpret `EXP` in AccessToken always as UTC instead of (possibly) local timezone.
53
+
*#1292 Introduce setting `AUTHENTICATION_SERVER_EXP_TIME_ZONE` to enable different time zone in case remote
54
+
authentication server doe snot provide EXP in UTC
39
55
*#1322 Instructions in documentation on how to create a code challenge and code verifier
40
56
*#1284 Allow to logout with no id_token_hint even if the browser session already expired
41
57
*#1296 Added reverse function in migration 0006_alter_application_client_secret
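Review bot: The typo on the added continuation line `authentication server doe snot provide EXP in UTC` ("doe snot" for "does not") was carried over verbatim from the removed [unreleased] entry instead of being fixed while the entry was moved under 2.4.0; correct it to `authentication server does not provide EXP in UTC.` (with the closing period the sibling Fixed entries use). Since this line is the wrapped second half of the `*#1292 Introduce setting `AUTHENTICATION_SERVER_EXP_TIME_ZONE`...` bullet, indenting it by two spaces would also make the continuation explicit rather than relying on lazy-continuation rendering.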