- 725: HTTP Basic Auth support for introspection (Fix issue #709)
- 812: Reverts #643 pass wrong request object to authenticate function.
- 817: Reverts #734 tutorial documentation error.
- 477: New feature: Add support for RFC 7662 (IntrospectTokenView, introspect scope)
- 177: Changed
idfield on Application, AccessToken, RefreshToken and Grant to BigAutoField (bigint/bigserial)
- 321: Added
updatedauto fields to Application, AccessToken, RefreshToken and Grant
- 476: Disallow empty redirect URIs
- 448: Added support for customizing applications’ allowed grant types
- 141: The
is_usable(request)method on the Application model can be overridden to dynamically enable or disable applications.
- 434: Relax URL patterns to allow for UUID primary keys
- 315: AuthorizationView does not overwrite requests on get
- 425: Added support for Django 1.10
- 396: added an IsAuthenticatedOrTokenHasScope Permission
- 357: Support multiple-user clients by allowing User to be NULL for Applications
- 389: Reuse refresh tokens if enabled.
- 310: Fixed error that could occur sometimes when checking validity of incomplete AccessToken/Grant
- 333: Added possibility to specify the default list of scopes returned when scope parameter is missing
- 325: Added management views of issued tokens
- 249: Added a command to clean expired tokens
- 323: Application registration view uses custom application model in form class
server_classis now pluggable through Django settings
- 309: Add the py35-django19 env to travis
- 308: Use compact syntax for tox envs
- 306: Django 1.9 compatibility
- 288: Put additional information when generating token responses
- 297: Fixed doc about SessionAuthenticationMiddleware
- 273: Generic read write scope by resource
application/jsonContent-Type is now supported using
- 238: Fixed redirect uri handling in case of error
- 229: Invalidate access tokens when getting a new refresh token
- 185: fixed vulnerabilities on Basic authentication
- 173: ProtectResourceMixin now allows OPTIONS requests
- 169: hide sensitive informations in error emails
- 161: extend search to all token types when revoking a token
- 160: return empty response on successful token revocation
- 157: skip authorization form with
- 155: allow custom uri schemes
- 137: fixed base template
- 38: create access tokens not bound to a user instance for client credentials flow
All notable changes to this project will be documented in this file.
- Fixes: 1.3.1 inadvertently uploaded to pypi with an extra migration (0003…) from a dev branch.
- Fix concurrency issue with refresh token requests (#810)
- Add support for Python 3.7 & 3.8
- Add support for Django>=2.1,<3.1
- Add requirement for oauthlib>=3.0.1
- Add support for Proof Key for Code Exchange (PKCE, RFC 7636).
- Add support for custom token generators (e.g. to create JWT tokens).
- Add new
ACCESS_TOKEN_GENERATORto override the default access token generator.
REFRESH_TOKEN_GENERATORto override the default refresh token generator.
EXTRA_SERVER_KWARGSoptions dictionary for oauthlib’s Server class.
PKCE_REQUIREDto require PKCE.
createapplicationmanagement command to create an application.
idin toolkit admin console applications list.
- Add nonstandard Google support for [urn:ietf:wg:oauth:2.0:oob]
redirect_urifor Google OAuth2 “manual copy/paste”. N.B. this feature appears to be deprecated and replaced with methods described in RFC 8252: OAuth2 for Native Apps and may be deprecated and/or removed from a future release of Django-oauth-toolkit.
- Change this change log to use Keep a Changelog format.
- Backwards-incompatible squashed migrations: If you are currently on a release < 1.2.0, you will need to first install 1.2.0 then
manage.py migratebefore upgrading to >= 1.3.0.
- Improved the tutorial.
- Remove support for Python 3.4
- Remove support for Django<=2.0
- Remove requirement for oauthlib<3.0
- Fix a race condition in creation of AccessToken with external oauth2 server.
- Fix several concurrency issues. (#638)
- Fix to pass
- Fix missing
oauth2_errorproperty exception oauthlib_core.verify_request method raises exceptions in authenticate. (#633)
- Fix “django.db.utils.NotSupportedError: FOR UPDATE cannot be applied to the nullable side of an outer join” for postgresql. (#714)
- Fix to return a new refresh token during grace period rather than the recently-revoked one. (#702)
- Fix a bug in refresh token revocation. (#625)
- Compatibility: Python 3.4 is the new minimum required version.
- Compatibility: Django 2.0 is the new minimum required version.
- New feature: Added TokenMatchesOASRequirements Permissions.
- validators.URIValidator has been updated to match URLValidator behaviour more closely.
redirect_urisvalidation to the application clean() method.
- Return state with Authorization Denied error (RFC6749 section 184.108.40.206)
- Fix a crash with malformed base64 authentication headers
- Fix a crash with malformed IPv6 redirect URIs
- Critical: Django OAuth Toolkit 1.1.0 contained a migration that would revoke all existing RefreshTokens (
0006_auto_20171214_2232). This release corrects the migration. If you have already ran it in production, please see the following issue for more details: https://github.com/jazzband/django-oauth-toolkit/issues/589
- Notice: The Django OAuth Toolkit project is now hosted by JazzBand.
- Compatibility: Django 1.11 is the new minimum required version. Django 1.10 is no longer supported.
- Compatibility: This will be the last release to support Django 1.11 and Python 2.7.
- New feature: Option for RFC 7662 external AS that uses HTTP Basic Auth.
- New feature: Individual applications may now override the
ALLOWED_REDIRECT_URI_SCHEMESsetting by returning a list of allowed redirect uri schemes in
- New feature: The new setting
ERROR_RESPONSE_WITH_SCOPEScan now be set to True to include required scopes when DRF authorization fails due to improper scopes.
- New feature: The new setting
REFRESH_TOKEN_GRACE_PERIOD_SECONDScontrols a grace period during which refresh tokens may be re-used.
app_authorizedsignal is fired when a token is generated.
- New feature: AccessToken, RefreshToken and Grant models are now swappable.
- Compatibility: Django 1.10 is the new minimum required version
- Compatibility: Django 1.11 is now supported
- Backwards-incompatible: The
oauth2_provider.ext.rest_frameworkmodule has been moved to
- Fixed bad
urlparameter in some error responses.
- Django 2.0 compatibility fixes.
- The dependency on django-braces has been dropped.
- The oauthlib dependency is no longer pinned.
- New feature: Class-based scopes backends. Listing scopes, available scopes and default scopes is now done through the class that the
SCOPES_BACKEND_CLASSsetting points to. By default, this is set to
oauth2_provider.scopes.SettingsScopeswhich implements the legacy settings-based scope behaviour. No changes are necessary.
- Dropped support for Python 3.2 and Python 3.3, added support for Python 3.6
- Support for the
scopesquery parameter, deprecated in 0.6.1, has been dropped
- #322: dropping support for python 2.6 and django 1.4, 1.5, 1.6
oauthlib_backend_classis now pluggable through Django settings
- added support for oauthlib 1.0
- Fix the migrations to be two-step and allow upgrade from 0.7.2
- South migrations fixed. Added new django migrations.
- Several docs improvements and minor fixes
get_application_modelon Django 1.7
- fixed non rotating refresh tokens
- Don’t pin oauthlib
- Added database indexes to the OAuth2 related models to improve performances.
Warning: schema migration does not work for sqlite3 database, migration should be performed manually
- Created a setting for the default value for approval prompt.
- Improved docs
- Don’t pin django-braces and six versions
Backwards incompatible changes in 0.7.0
- Make Application model truly “swappable” (introduces a new non-namespaced setting
- added support for
scopequery parameter keeping backwards compatibility for the original
- str method in Application model returns content of
namefield when available
- oauthlib 0.6.1 support
- Django dev branch support
- Python 2.6 support
- Skip authorization form via
- Several fixes to the docs
- Issue #71: Fix migrations
- Issue #65: Use OAuth2 password grant with multiple devices
- Issue #84: Add information about login template to tutorial.
- Issue #64: Fix urlencode clientid secret
- oauthlib 0.6.0 support
Backwards incompatible changes in 0.5.0
backends.pymodule has been renamed to
oauth2_backends.pyso you should change your imports whether you’re extending this module
- Issue #54: Auth backend proposal to address #50
- Issue #61: Fix contributing page
- Issue #55: Add support for authenticating confidential client with request body params
- Issue #53: Quote characters in the url query that are safe for Django but not for oauthlib
- Optimize queries on access token validation
- Add Application management views, you no more need the admin to register, update and delete your application.
- Add support to configurable application model
- Add support for function based views
Backwards incompatible changes in 0.4.0
SCOPEattribute in settings is now a dictionary to store
oauth2_provideris mandatory in urls. See issue #36
- Issue #25: Bug in the Basic Auth parsing in Oauth2RequestValidator
- Issue #24: Avoid generation of
client_idwith “:” colon char when using HTTP Basic Auth
- Issue #21: IndexError when trying to authorize an application
- Issue #9:
default_redirect_uriis mandatory when
- Issue #22: Scopes need a verbose description
- Issue #33: Add django-oauth-toolkit version on example main page
- Issue #36: Add mandatory namespace to urls
- Issue #31: Add docstring to OAuthToolkitError and FatalClientError
- Issue #32: Add docstring to
- Issue #34: Documentation tutorial part1 needs corsheaders explanation
- Issue #36: Add mandatory namespace to urls
- Issue #45: Add docs for AbstractApplication
- Issue #47: Add docs for views decorators
- Bugfix #37: Error in migrations with custom user on Django 1.5
- Bugfix #27: OAuthlib refresh token refactoring
- Django REST Framework integration layer
- Bugfix #13: Populate request with client and user in
- Bugfix #12: Fix paths in documentation
Backwards incompatible changes in 0.3.0
requested_scopesparameter in ScopedResourceMixin changed to
- Core optimizations
- Add support for Django1.4 and Django1.6
- Add support for Python 3.3
- Add a default ReadWriteScoped view
- Add tutorial to docs
- Support OAuth2 Authorization Flows
- Discussion with Daniel Greenfeld at Django Circus