- Add support for Python 3.13 and Django 5.1
- Drop support for Python 3.8 and Django 3.2
- Add feature to migrate old users from Tunnistamo to Keycloak upon login. With default settings, only users using AD authentication will be migrated. The feature can be enabled with the setting `HELUSERS_USER_MIGRATE_ENABLED`, which defaults to `False`.
- Improve ModelAdmins for ADGroupMapping and ADGroup
- Add new setting `ALLOWED_ALGORITHMS` with a default value of `["RS256"]`
- Add Django admin logout support for Django 5.0
- Add code quality tooling: black, isort, flake8, commitlint, pre-commit
- Run code quality tools and do the necessary fixes
- Drop support for Python 3.7 and older
- Add support for Python 3.12
- Require at least Django 3.2
- Add support for Django 5.0 by adding a new session serializer `TunnistamoOIDCSerializer`, which can handle session data produced by the custom `helusers.defaults.SOCIAL_AUTH_PIPELINE` pipeline. Django 5.0 removed `PickleSerializer`.
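The entry above is about replacing a pickle-based session serializer. As an added illustration (not django-helusers' `TunnistamoOIDCSerializer` and not the project's code), the following shows the `dumps()`/`loads()` contract behind Django's `SESSION_SERIALIZER` setting implemented as tagged JSON. The value types it handles (UUID, aware datetime, bytes) and the `SAMPLE_SESSION` contents are assumptions made for this example, not taken from the django-helusers pipeline.

```python
"""
Added example: a pickle-free Django session serializer. Not django-helusers'
TunnistamoOIDCSerializer; it only illustrates the dumps()/loads() contract
behind Django's SESSION_SERIALIZER setting. The handled types (UUID, aware
datetime, bytes) and SAMPLE_SESSION are assumed for this illustration.
"""
import base64
import json
import uuid
from datetime import datetime, timezone


class TaggedJSONSerializer:
    """Django calls dumps(obj) -> bytes on save and loads(bytes) -> obj on read.

    PickleSerializer (removed in Django 5.0) turned any session a client could
    get signed, e.g. after a SECRET_KEY leak, into arbitrary code execution.
    JSON with explicit type tags can only rebuild the few types listed in
    _decode, so a forged session is at worst bad data, never code.
    """

    TAG = "__type__"  # a user dict using this key would collide; tolerated here

    def dumps(self, obj) -> bytes:
        # latin-1, like django.core.signing.JSONSerializer
        return json.dumps(obj, default=self._encode, separators=(",", ":")).encode("latin-1")

    def loads(self, data: bytes):
        return json.loads(data.decode("latin-1"), object_hook=self._decode)

    def _encode(self, value):
        if isinstance(value, uuid.UUID):
            return {self.TAG: "uuid", "v": str(value)}
        if isinstance(value, datetime):
            return {self.TAG: "datetime", "v": value.isoformat()}
        if isinstance(value, bytes):
            return {self.TAG: "bytes", "v": base64.b64encode(value).decode("ascii")}
        # Fail closed at save time instead of silently falling back to pickle.
        raise TypeError(f"session value of type {type(value).__name__} is not serializable")

    def _decode(self, obj):
        tag = obj.get(self.TAG)
        if tag is None:
            return obj
        if tag == "uuid":
            return uuid.UUID(obj["v"])
        if tag == "datetime":
            return datetime.fromisoformat(obj["v"])
        if tag == "bytes":
            return base64.b64decode(obj["v"])
        raise ValueError(f"unknown session value tag {tag!r}")


# Constructed sample resembling what a login pipeline might leave in the session.
SAMPLE_SESSION = {
    "_auth_user_id": "42",
    "user_uuid": uuid.UUID("12345678-1234-5678-1234-567812345678"),
    "oidc_login_at": datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc),
    "oidc_state": b"\x00\x01binary-state",
    "amr": ["pwd"],
}


def roundtrip(obj):
    """Serialize and deserialize as Django would between two requests."""
    s = TaggedJSONSerializer()
    return s.loads(s.dumps(obj))
```

To use a serializer like this, point `SESSION_SERIALIZER` at its dotted path. The important property is that `loads()` raises on anything it does not recognise rather than reconstructing arbitrary objects.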
- `ApiTokenAuthentication` again validates the `aud` claim. The `aud` claim wasn't validated if the `drf-oidc-auth` version was 1.0.0 or greater.
- Ability to use "dot notation" in the `API_AUTHORIZATION_FIELD` setting for searching API scopes from deeper in the claims
- Documentation about social auth pipeline configuration
- Removed the `drf-oidc-auth` requirement when using `ApiTokenAuthentication`. Django REST framework is still required.
- `API_AUTHORIZATION_FIELD` and `API_SCOPE_PREFIX` settings now support a list of strings
- `ApiTokenAuthentication` is no longer a subclass of `oidc_auth.authentication.JSONWebTokenAuthentication` but a direct subclass of `rest_framework.authentication.BaseAuthentication`
- `ApiTokenAuthentication` uses the same `JWT` class as `RequestJWTAuthentication` for the token validation
  - Changed methods:
    - `decode_jwt` can raise a `jose.JWTError` exception
    - `get_oidc_config` no longer returns the OIDC configuration dictionary but an `OIDCConfig` instance
    - `validate_claims` still exists and is called, but doesn't do anything
  - Removed methods:
    - `get_audiences`
    - `jwks`
    - `jwks_data`
    - `oidc_config`
  - Removed properties:
    - `claims_options`
    - `issuer`
- Changed behaviour:
  - `ApiTokenAuthentication` now supports multiple issuers. Previously it accepted multiple issuers in the settings but could only use the first issuer.
  - `ApiTokenAuthentication.authenticate` no longer raises `AuthenticationError` if the authorization header contains the correct scheme but not a valid JWT token. Now it just returns `None`, which means the authentication didn't succeed but can be tried with the next authenticator.
  - `ApiTokenAuthentication` now rejects tokens if they have been invalidated with back-channel logout
  - The `amr` claim is no longer validated in `ApiTokenAuthentication`
  - The issued at (`iat`) claim is no longer limited by the `OIDC_LEEWAY` oidc_auth setting (default 10 minutes) when using `ApiTokenAuthentication`, i.e. tokens can have been issued as long ago as needed.
  - A user is no longer created if the token is correct but is missing the required API scopes in `ApiTokenAuthentication`
- Admin site logout view caching with Django 4
- Turn an invalid string `amr` claim into an array in JWT
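Several entries above describe how `ApiTokenAuthentication` treats a bearer token: `aud` is validated, `amr` given as a bare string is wrapped into an array, API scopes are looked up with dot notation and `API_AUTHORIZATION_FIELD`/`API_SCOPE_PREFIX` may be lists, a header with the right scheme but no JWT yields `None` instead of an exception, and a valid token without the required scope is rejected without creating a user. The block below is an added example in plain Python that ties these rules together; it is not django-helusers' implementation. `InvalidToken`, `decode_hs256`, `find_api_scopes` and `authenticate` are names invented here, and HS256 with a shared key stands in for the library's RS256/JWKS verification purely so the example runs offline.

```python
"""
Added example, not django-helusers' own code: the ApiTokenAuthentication
behaviour the changelog describes, in plain Python so it runs offline.
Assumed names: InvalidToken, decode_hs256, find_api_scopes, authenticate;
the setting names, claim names and the None-vs-raise contract are the page's.
"""
import base64
import hashlib
import hmac
import json
import time


class InvalidToken(Exception):
    """A JWT meant for us failed validation: raising stops the authenticator chain."""


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Constructed test tokens only. HS256 with a shared key keeps the example
    self-contained; the library verifies RS256 against the issuer's JWKS
    (ALLOWED_ALGORITHMS defaults to ["RS256"])."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def decode_hs256(token: str, key: bytes, allowed_algorithms=("HS256",)) -> dict:
    """Checks the alg allow-list, the signature and exp. iat is deliberately not
    age-limited, matching the changelog: an old token stays valid until exp."""
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") not in allowed_algorithms:
        raise InvalidToken("algorithm not allowed")  # also blocks alg=none
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise InvalidToken("bad signature")
    claims = json.loads(b64url_decode(p))
    if "exp" in claims and claims["exp"] < time.time():
        raise InvalidToken("expired")
    return claims


def normalize_amr(claims: dict) -> dict:
    """RFC 8176 defines amr as a JSON array; a bare string is wrapped into one."""
    amr = claims.get("amr")
    return {**claims, "amr": [amr]} if isinstance(amr, str) else claims


def audience_ok(claims: dict, audiences) -> bool:
    """aud may be a string or a list (RFC 7519 4.1.3); a missing aud is rejected."""
    aud = claims.get("aud")
    if aud is None:
        return False
    return bool(set([aud] if isinstance(aud, str) else aud) & set(audiences))


def lookup_dotted(claims: dict, path: str):
    """'authorization.permissions' -> claims['authorization']['permissions']."""
    node = claims
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def find_api_scopes(claims: dict, fields, prefixes) -> set:
    """fields and prefixes may each be a string or a list of strings."""
    fields = [fields] if isinstance(fields, str) else fields
    prefixes = [prefixes] if isinstance(prefixes, str) else prefixes
    found = set()
    for field in fields:
        value = lookup_dotted(claims, field)
        if value is None:
            continue
        if isinstance(value, str):  # space-separated "scope" string
            value = value.split()
        found.update(s for s in value if any(s.startswith(p) for p in prefixes))
    return found


def authenticate(authorization, decode, audiences, fields, prefixes):
    """Returns (sub, scopes), or None when the request is not ours so the next
    authenticator may try; raises InvalidToken when it is ours but invalid."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not token or token.count(".") != 2:
        return None  # wrong scheme, or a bearer value that is not a compact JWS
    claims = normalize_amr(decode(token))
    if not audience_ok(claims, audiences):
        raise InvalidToken("aud does not match")
    scopes = find_api_scopes(claims, fields, prefixes)
    if not scopes:  # valid token without the API scope: reject, create no user
        raise InvalidToken("required API scope missing")
    return claims["sub"], scopes
```

The distinction between returning `None` and raising matters for the chain of authenticators: an opaque bearer value that is not a JWT is simply passed on, while a signed token that names the wrong audience or lacks the scope prefix is a hard failure and must not fall through to a weaker authenticator.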
- Support for Python 3.10 & 3.11
- Support for Django >=4.0
- Support for Python 3.6
- Support for Django 2.2
- Handle a list of configured issuers in `ApiTokenAuthentication`
- Require Django version < 4
- An OIDC back channel logout endpoint implementation.
- Set required Django version to 2.2 and later.
- The `key_provider` argument of the `helusers.oidc.RequestJWTAuthentication.__init__` method was removed. It existed only for test support, but tests have been modified in a way that it's not needed any more.
- Set django-helusers' default auto field to be `django.db.models.AutoField` for Django versions >=3.2 to avoid unwanted migrations.
- An authentication/JWT validation service with minimal external dependencies: `helusers.oidc.RequestJWTAuthentication`.
- Supported Python versions: 3.6-3.9.
- Previously `drf-oidc-auth` was a hard dependency in `django-helusers`. That's no longer the case. Within `django-helusers` the `drf-oidc-auth` package is only used by the `helusers.oidc.ApiTokenAuthentication` class. If you want to keep on using that class, make sure you bring `drf-oidc-auth` into your project as an explicit dependency.
- `django-helusers` has been very much dependent on Django REST Framework (DRF), even though the user of `django-helusers` wouldn't otherwise need DRF. This dependency has been removed: it's now possible to use `django-helusers` without DRF.
- Whenever `django-helusers` returns or provides a `User` object, the `uuid` field is always of type `UUID` (previously it was sometimes of type `str`).