Skip to content

Commit

Permalink
Release 2 4 0 (#1420)
Browse files Browse the repository at this point in the history
* in-process release 2.4.0 pending some late PR merges.

* Update #1311 documentation to recommend using RS256 rather than HS256.

* editorial changes to CHANGELOG

* fix line too long
  • Loading branch information
n2ygk authored May 19, 2024
1 parent a34be99 commit f34ba7c
Show file tree
Hide file tree
Showing 5 changed files with 51 additions and 26 deletions.
61 changes: 40 additions & 21 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -15,35 +15,54 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
-->

## [unreleased]

### Added
### Changed
### Deprecated
### Removed
### Fixed
* #1292 Interpret `EXP` in AccessToken always as UTC instead of own key
* #1292 Introduce setting `AUTHENTICATION_SERVER_EXP_TIME_ZONE` to enable different time zone in case remote
authentication server doe snot provide EXP in UTC
### Security

## [2.4.0] - 2024-05-13

### WARNING
* If you are going to revert migration 0006 make note that previously hashed client_secret cannot be reverted
Issues caused by **Release 2.0.0 breaking changes** continue to be logged. Please **make sure to carefully read these release notes** before
performing a MAJOR upgrade to 2.x.

These issues both result in `{"error": "invalid_client"}`:

1. The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail.

2. `PKCE_REQUIRED` is now `True` by default. You should use PKCE with your client or set `PKCE_REQUIRED=False` if you are unable to fix the client.

If you are going to revert migration 0006 make note that previously hashed client_secret cannot be reverted!

### Added
* #1185 Add middleware for adding access token to request
* #1273 Add caching of loading of OIDC private key.
* #1285 Add post_logout_redirect_uris field in application views.
* #1311 Add option to disable client_secret hashing to allow verifying JWTs' signatures.
* #1337 Gracefully handle expired or deleted refresh tokens, in `validate_user`.
* #1304 Add `OAuth2ExtraTokenMiddleware` for adding access token to request.
See [Setup a provider](https://django-oauth-toolkit.readthedocs.io/en/latest/tutorial/tutorial_03.html#setup-a-provider) in the Tutorial.
* #1273 Performance improvement: Add caching of loading of OIDC private key.
* #1285 Add `post_logout_redirect_uris` field in the [Application Registration form](https://django-oauth-toolkit.readthedocs.io/en/latest/templates.html#application-registration-form-html)
* #1311,#1334 (**Security**) Add option to disable client_secret hashing to allow verifying JWTs' signatures when using
[HS256 keys](https://django-oauth-toolkit.readthedocs.io/en/latest/oidc.html#using-hs256-keys).
This means your client secret will be stored in cleartext but is the only way to successfully use HS256 signed JWT's.
* #1350 Support Python 3.12 and Django 5.0
* #1249 Add code_challenge_methods_supported property to auto discovery information, per [RFC 8414 section 2](https://www.rfc-editor.org/rfc/rfc8414.html#page-7)
* #1328 Adds the ability to define how to store a user profile

* #1367 Add `code_challenge_methods_supported` property to auto discovery information, per [RFC 8414 section 2](https://www.rfc-editor.org/rfc/rfc8414.html#page-7)
* #1328 Adds the ability to [define how to store a user profile](https://django-oauth-toolkit.readthedocs.io/en/latest/oidc.html#define-where-to-store-the-profile).

### Fixed
* #1322 Instructions in documentation on how to create a code challenge and code verifier
* #1284 Allow to logout with no id_token_hint even if the browser session already expired
* #1296 Added reverse function in migration 0006_alter_application_client_secret
* #1336 Fix encapsulation for Redirect URI scheme validation
* #1357 Move import of setting_changed signal from test to django core modules
* #1268 fix prompt=none redirects to login screen
* #1381 fix AttributeError in OAuth2ExtraTokenMiddleware when a custom AccessToken model is used
* #1288 fixes #1276 which attempt to resolve #1092 for requests that don't have a client_secret per [RFC 6749 4.1.1](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1.1)
* #1292 Interpret `EXP` in AccessToken always as UTC instead of (possibly) local timezone.
Use setting `AUTHENTICATION_SERVER_EXP_TIME_ZONE` to enable different time zone in case the remote
authentication server does not provide EXP in UTC.
* #1323 Fix instructions in [documentation](https://django-oauth-toolkit.readthedocs.io/en/latest/getting_started.html#authorization-code)
on how to create a code challenge and code verifier
* #1284 Fix a 500 error when trying to logout with no id_token_hint even if the browser session already expired.
* #1296 Added reverse function in migration `0006_alter_application_client_secret`. Note that reversing this migration cannot undo a hashed `client_secret`.
* #1345 Fix encapsulation for Redirect URI scheme validation. Deprecates `RedirectURIValidator` in favor of `AllowedURIValidator`.
* #1357 Move import of setting_changed signal from test to django core modules.
* #1361 Fix prompt=none redirects to login screen
* #1380 Fix AttributeError in OAuth2ExtraTokenMiddleware when a custom AccessToken model is used.
* #1288 Fix #1276 which attempted to resolve #1092 for requests that don't have a client_secret per [RFC 6749 4.1.1](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1.1)
* #1337 Gracefully handle expired or deleted refresh tokens, in `validate_user`.
* Various documentation improvements: #1410, #1408, #1405, #1399, #1401, #1396, #1375, #1162, #1315, #1307

### Removed
* #1350 Remove support for Python 3.7 and Django 2.2
Expand Down
7 changes: 6 additions & 1 deletion docs/getting_started.rst
Original file line number Diff line number Diff line change
Expand Up @@ -246,7 +246,12 @@ Point your browser to http://127.0.0.1:8000/o/applications/register/ lets create

Fill the form as show in the screenshot below and before save take note of ``Client id`` and ``Client secret``, we will use it in a minute.

If you want to use this application with OIDC and ``HS256`` (see :doc:`OpenID Connect <oidc>`), uncheck ``Hash client secret`` to allow verifying tokens using JWT signatures. This means your client secret will be stored in cleartext but is the only way to successfully use signed JWT's.
If you want to use this application with OIDC and ``HS256`` (see :doc:`OpenID Connect <oidc>`), uncheck ``Hash client secret`` to allow verifying tokens using JWT signatures. This means your client secret will be stored in cleartext but is the only way to successfully use signed JWT's with ``HS256``.

.. note::
``RS256`` is the more secure algorithm for signing your JWTs. Only use ``HS256`` if you must.
Using ``RS256`` will allow you to keep your ``client_secret`` hashed.


.. image:: _images/application-register-auth-code.png
:alt: Authorization code application registration
Expand Down
4 changes: 2 additions & 2 deletions docs/oidc.rst
Original file line number Diff line number Diff line change
Expand Up @@ -149,8 +149,8 @@ scopes in your ``settings.py``::
}

.. note::
If you want to enable ``RS256`` at a later date, you can do so - just add
the private key as described above.
``RS256`` is the more secure algorithm for signing your JWTs. Only use ``HS256`` if you must.
Using ``RS256`` will allow you to keep your ``client_secret`` hashed.


RP-Initiated Logout
Expand Down
2 changes: 1 addition & 1 deletion oauth2_provider/__init__.py
Original file line number Diff line number Diff line change
@@ -1 +1 @@
__version__ = "2.3.0"
__version__ = "2.4.0"
3 changes: 2 additions & 1 deletion oauth2_provider/oauth2_validators.py
Original file line number Diff line number Diff line change
Expand Up @@ -335,7 +335,8 @@ def get_default_redirect_uri(self, client_id, request, *args, **kwargs):

def get_or_create_user_from_content(self, content):
"""
An optional layer to define where to store the profile in `UserModel` or a separate model. For example `UserOAuth`, where `user = models.OneToOneField(UserModel)` .
An optional layer to define where to store the profile in `UserModel` or a separate model.
For example `UserOAuth`, where `user = models.OneToOneField(UserModel)` .
The function is called after checking that username is in the content.
Expand Down

0 comments on commit f34ba7c

Please sign in to comment.