Django OAuth Toolkit

OAuth2 goodies for the Djangonauts!

If you are facing one or more of the following:
  • Your Django app exposes a web API you want to protect with OAuth2 authentication,
  • You need to implement an OAuth2 authorization server to provide token management for your infrastructure,

Django OAuth Toolkit can help you by providing, out of the box, all the endpoints, data and logic needed to add OAuth2 capabilities to your Django projects. Django OAuth Toolkit makes extensive use of the excellent OAuthLib, so that everything is RFC-compliant.

Contributing

We love contributions, so please feel free to fix bugs, improve things, provide documentation. Just follow the guidelines and submit a PR.

Reporting security issues

Please report any security issues to the JazzBand security team at <[email protected]>. Do not file an issue on the tracker.

Requirements

  • Python 3.5+
  • Django 2.1+
  • oauthlib 3.1+

Installation

Install with pip:

pip install django-oauth-toolkit

Add oauth2_provider to your INSTALLED_APPS

INSTALLED_APPS = (
    ...
    'oauth2_provider',
)

If you need an OAuth2 provider you'll want to add the following to your urls.py. Note that the oauth2_provider namespace is mandatory.

urlpatterns = [
    ...
    path('o/', include('oauth2_provider.urls', namespace='oauth2_provider')),
]

Changelog

See CHANGELOG.md.

Documentation

The full documentation is on Read the Docs.

License

django-oauth-toolkit is released under the terms of the BSD license. Full details in LICENSE file.

Comments
  • Openid Connect Core support

    Openid Connect Core support

    This PR add OpenID Connect Core http://openid.net/specs/openid-connect-core-1_0.html support.

    To run the tests do:

    Django OAuth Toolkit cloned repository

    git remote add [email protected]:wiliamsouza/django-oauth-toolkit.git wiliamsouza
    git checkout -b openid-connect wiliamsouza/openid-connect
    tox
    

    Usage examples:

    Authorization-code

    http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth

    token and id_token

    http://127.0.0.1:8000/o/authorize?response_type=code&client_id=HCSTniKnHNj6qP6Dkms39q6IT4pahzfXws2uwTkS&redirect_uri=http://localhost/callback&scope=openid%20read&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj
    

    Only token

    http://127.0.0.1:8000/o/authorize?response_type=code&client_id=HCSTniKnHNj6qP6Dkms39q6IT4pahzfXws2uwTkS&redirect_uri=http://localhost/callback&scope=read&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj
    
    curl -X POST \
        -H "Cache-Control: no-cache" \
        -H "Content-Type: application/x-www-form-urlencoded" \
        "http://127.0.0.1:8000/o/token/" \
        -d "client_id=HCSTniKnHNj6qP6Dkms39q6IT4pahzfXws2uwTkS" \
        -d "client_secret=Ay1rH78PChsOG4mshfdp2oJnomdpu5Vgtdz6jCmDkEM8mKHzcaKo5GEYNGK42KTN8XqEWbbpn1vdHJKYcBgawONx4S1xXY7GtEP9mvsMw593DeXH0aRpWlgySuxeDfe2" \
        -d "code=89BRsh4kQqrwlNMLj4coVZbrpDm0Mh" \
        -d "redirect_uri=http://localhost/callback" \
        -d "grant_type=authorization_code"
    

    implicit

    http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth

    token

    http://127.0.0.1:8000/o/authorize?response_type=token&client_id=Ktn0Sh4hO2gA8PKC2aqsauY4ZCxNyIdF1wNfFfJ3&redirect_uri=http://localhost/callback&scope=openid%20read&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj
    

    id_token

    http://127.0.0.1:8000/o/authorize?response_type=id_token&client_id=Ktn0Sh4hO2gA8PKC2aqsauY4ZCxNyIdF1wNfFfJ3&redirect_uri=http://localhost/callback&scope=openid%20read&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj
    

    token and id_token

    http://127.0.0.1:8000/o/authorize?response_type=id_token%20token&client_id=Ktn0Sh4hO2gA8PKC2aqsauY4ZCxNyIdF1wNfFfJ3&redirect_uri=http://localhost/callback&scope=openid%20read&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj
    

    openid-hybrid

    http://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth

    code, id_token and token

    http://127.0.0.1:8000/o/authorize?response_type=code%20id_token%20token&client_id=fZjUvm0YABo6mX1UTjo9VVYay9zj1HpaCZaoa4Fj&redirect_uri=http://localhost/callback&scope=openid%20read&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj
    

    code and id_token

    http://127.0.0.1:8000/o/authorize?response_type=code%20id_token&client_id=fZjUvm0YABo6mX1UTjo9VVYay9zj1HpaCZaoa4Fj&redirect_uri=http://localhost/callback&scope=openid%20read&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj
    

    code and token

    http://127.0.0.1:8000/o/authorize?response_type=code%20token&client_id=fZjUvm0YABo6mX1UTjo9VVYay9zj1HpaCZaoa4Fj&redirect_uri=http://localhost/callback&scope=openid%20read&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj
    

    code

    http://127.0.0.1:8000/o/authorize?response_type=code&client_id=fZjUvm0YABo6mX1UTjo9VVYay9zj1HpaCZaoa4Fj&redirect_uri=http://localhost/callback&scope=openid%20read&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj
    
    curl -X POST \
        -H "Cache-Control: no-cache" \
        -H "Content-Type: application/x-www-form-urlencoded" \
        "http://127.0.0.1:8000/o/token/" \
        -d "client_id=fZjUvm0YABo6mX1UTjo9VVYay9zj1HpaCZaoa4Fj" \
        -d "client_secret=eiBw6IIQ4zzWFP9gSszEHZwexjCDhJjMtRxoOYQexCJMjQ6gdyN2ME9aUzbGkVopx3NSZRPUb4SV9yKpbVwwW9NKdEpkoyGmcTni7G4KTPqtJrsI9HPubFnDDzsvAf89" \
        -d "code=VQGv7tzYGO13jrRnv6oYT7jHbDSGJZ" \
        -d "redirect_uri=http://localhost/callback" \
        -d "grant_type=authorization_code"
    

    TODO:

    • [ ] Create/Update docs
    • [x] Merge OAuthLib PR https://github.com/idan/oauthlib/pull/488
    opened by wiliamsouza 64
  • User foreign key is required in Application model

    User foreign key is required in Application model

    It would be convenient for me not to tie a User to an Application for the credentials grant; this way the access token could be associated with None or AnonymousUser (I've applied a hack in my validate_bearer_token validator in the meantime).

    Why is the User required in this model?

    enhancement 
    opened by stephane 33
  • OpenID Connect

    OpenID Connect

    Hello,

    I was waiting for the approval of the OpenID Connect spec, and now it's approved, I wonder if you would like a pull request with that feature (the "OpenID connector" part on your roadmap refers to that, right?)

    I'm already learning the Core spec to figure out how it can be implemented. It seems like a thin layer on top of OAuth2, for example the authentication part is done by a request to /o/authorize with "openid" as one of the scopes, and the token exchange now returns one more parameter, the ID Token.

    There's two more (optional) specs, but my intent is implement the core on top of django-oauth-toolkit, since it seems enough to be an OpenID provider. I'm already reading django-oauth-toolkit's source code, but any tips are welcome.

    So, what do you think?

    enhancement 
    opened by lsmag 30
  • Add claims_supported to discovery info, without breaking the API

    Add claims_supported to discovery info, without breaking the API

    Please do not squash the commits. I analyse my FOSS contributions automatically and really want to track commits I made.

    Description of the Change

    This is a second shot at #967, after the drama with #1066 and #1068 ;).

    It re-introduces the same change @AndreaGreco proposed, and in fact, it supports their exact desired API for get_additional_claims. In addition, it supports the "traditional" API for get_additional_claims getting passed a request directly and producing data directly.

    I chose to support both due to the rationale explained in the docs in this PR.

    Checklist

    • [x] PR only contains one change (considered splitting up PR)
    • [x] unit-test added
    • [x] documentation updated
    • [x] CHANGELOG.md updated (only for user relevant changes)
    • [x] author name in AUTHORS
    opened by Natureshadow 26
  • Add support for Dj40, drop Py36 and Dj31

    Add support for Dj40, drop Py36 and Dj31

    Fixes #1037

    Description of the Change

    Add support for Dj40, drop Py36 and Dj31

    Dj31 and Py36 will be EOL end of this December of 2021. I do not want to hold back any PRs that need to support old versions of stuff, thus I have dropped those two.

    Checklist

    • [X] PR only contains one change (considered splitting up PR)
    • [ ] unit-test added
    • [ ] documentation updated
    • [ ] CHANGELOG.md updated (only for user relevant changes)
    • [X] author name in AUTHORS
    enhancement 
    opened by Andrew-Chen-Wang 26
  • Are there any blockers to bumping a new release?

    Are there any blockers to bumping a new release?

    We are looking forward to using django-oauth-toolkit with Django 3.2

    The required PR is already merged into the master branch (#968). Is there any chance a new version will be bumped soon?

    If any blockers with the release I would be happy to help.

    Thank you in advance.

    question 
    opened by idegtiarov 25
  • add TokenHasMethodScopeAlternative

    add TokenHasMethodScopeAlternative

    These add a couple more permission classes for scope matching. TokenHasMethodScope allows specifying required scope(s) on a per-method basis (in the case where READ_SCOPE and WRITE_SCOPE are not granular enough) and TokenHasMethodPathScope adds regex path matching and alternative lists of required scopes for a given regex match which is aligned with OpenAPI Spec (OAS) security requirement object list of alternative matching:

    "When a list of Security Requirement Objects is defined on the Open API object or Operation Object, only one of Security Requirement Objects in the list needs to be satisfied to authorize the request."

    opened by n2ygk 24
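    As an added illustration of the matching semantics this PR describes (per-method scopes, regex path matching, and OpenAPI-style lists of alternative scope sets), here is a framework-free re-implementation. It is example code written for this page, not django-oauth-toolkit's TokenHasMethodScope or TokenHasMethodPathScope classes, and the policy table, paths and token scopes are constructed for illustration.

```python
"""Per-method / per-path scope matching with OpenAPI-style alternatives.

Added example, not django-oauth-toolkit's own permission classes: a
Django-free re-implementation of the semantics described in the PR text.
The POLICY table and the sample tokens used with it are constructed.
"""
import re

# Policy: path regex -> HTTP method -> list of alternatives. Each alternative
# is a list of scopes that must ALL be present; the request is authorized when
# ANY one alternative is satisfied (OAS Security Requirement Object list rule).
POLICY = {
    r"^/api/users/\d+/?$": {
        "GET": [["read"]],
        "PATCH": [["write"], ["admin"]],
        "DELETE": [["admin"]],
    },
    r"^/api/reports/?$": {
        # "read" alone is not enough here: either read+reports, or admin.
        "GET": [["read", "reports"], ["admin"]],
    },
}

_COMPILED = [(re.compile(pattern), methods) for pattern, methods in POLICY.items()]


def required_alternatives(method, path):
    """Alternatives for the first regex matching `path`, or None when no rule
    matches the path or the matching rule does not define `method`."""
    for regex, methods in _COMPILED:
        if regex.search(path):
            return methods.get(method.upper())
    return None


def scopes_satisfy(token_scopes, alternatives):
    """True when at least one alternative is fully covered by the token's scopes.
    `token_scopes` may be the space-separated scope string stored on the token
    or any iterable of scope names."""
    granted = set(token_scopes.split()) if isinstance(token_scopes, str) else set(token_scopes)
    return any(set(alternative) <= granted for alternative in alternatives)


def has_permission(token_scopes, method, path):
    """Deny by default: an unknown path or an undefined method never passes,
    so adding a new endpoint requires adding an explicit rule for it."""
    alternatives = required_alternatives(method, path)
    if not alternatives:
        return False
    return scopes_satisfy(token_scopes, alternatives)
```

    The fail-closed default in has_permission is deliberate: a path that matches no rule, or a method the rule does not list, is rejected rather than silently allowed.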
  • OAuth2TokenMiddleware does not work with Django 1.10

    OAuth2TokenMiddleware does not work with Django 1.10

    Adding the OAuth2TokenMiddleware to the MIDDLEWARE array will break the application:

    Traceback (most recent call last):
      ...
      File "/var/www/brownpapersession/dev/env-brownpapersession/local/lib/python2.7/site-packages/django/core/handlers/base.py", line 82, in load_middleware
        mw_instance = middleware(handler)
    TypeError: object.__new__() takes no parameters

    Mitigation described here: https://docs.djangoproject.com/en/1.10/topics/http/middleware/

    opened by bastbnl 23
  • {"error":"invalid_client"}

    {"error":"invalid_client"}

    Hello,

    I'm following the tutorial for Django Rest Framework. I set up my application in the admin and I'm sending a POST request just like in the tutorial, but always get

    {"error": "invalid_client"}
    

    as a response:

    $ curl -vK user -X POST -d "grant_type=password&username=myuser&password=mypass" http://localhost:8000/o/token/
    * About to connect() to localhost port 8000 (#0)
    *   Trying 127.0.0.1...
    * connected
    * Connected to localhost (127.0.0.1) port 8000 (#0)
    * Server auth using Basic with user 'RgmI&_Y A5mdjuAh2T/]m_ZeD|u'[8`$r|`k'!'
    > POST /o/token/ HTTP/1.1
    > Authorization: Basic UmdtSSZfWSBBNW1kanVBaDJUL11tX1plRHx1J1s4YCRyfGBrJyE6dnZdWWw/LUB3YWNBI2Q+NEcyNWEkbkZCclogJGQ/e1ZtYm4rMl5GYnRNSl9ZTitiVHB6b3UjXkRdaFhMeGxNL28jJz95MCV0ZXQ8Z3w8OEZTZHVPMkIvN3Y6dG5EUz99ZGxla3B2dTchWTssJDA8VEQ1UmwucA==
    > User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8x zlib/1.2.5
    > Host: localhost:8000
    > Accept: */*
    > Content-Length: 55
    > Content-Type: application/x-www-form-urlencoded
    > 
    * upload completely sent off: 55 out of 55 bytes
    * HTTP 1.0, assume close after body
    < HTTP/1.0 400 BAD REQUEST
    < Date: Sun, 08 Sep 2013 17:30:37 GMT
    < Server: WSGIServer/0.1 Python/2.7.5
    < Content-Language: it
    < Vary: Accept-Language, Cookie
    < Pragma: no-cache
    < Cache-Control: no-store
    < X-Frame-Options: SAMEORIGIN
    < Content-Type: application/json;charset=UTF-8
    < 
    * Closing connection #0
    {"error": "invalid_client"}
    
    opened by lucacorti 23
  • Avoid finding passwords by brute force

    Avoid finding passwords by brute force

    Consider an oauth-toolkit setup using password for grant_type. A user can brute force the password and oauth toolkit has no mechanism to avoid brute force (at least I didn't find anything.) I guess we should add a throttling or something similar.

    wontfix 
    opened by sassanh 20
  • New feature: Configurable AccessToken and RefreshToken

    New feature: Configurable AccessToken and RefreshToken

    Because I want to be able to implement custom AccessToken and RefreshToken models, I've implemented a customizable AccessToken and RefreshToken, in the same way that the Application model was already configurable via the settings

    opened by dirkmoors 19
  • tox whitelist_externals deprecated and replaced with allowlist_externals

    tox whitelist_externals deprecated and replaced with allowlist_externals

    Description of the Change

    Replaces deprecated tox.ini whitelist_externals with allowlist_externals. This is breaking any new PR as of the tox version upgrade.

    Checklist

    • [x] PR only contains one change (considered splitting up PR)
    • [ ] unit-test added
    • [ ] documentation updated
    • [ ] CHANGELOG.md updated (only for user relevant changes)
    • [x] author name in AUTHORS
    opened by n2ygk 1
  • ROTATE_REFRESH_TOKEN Known Bug

    ROTATE_REFRESH_TOKEN Known Bug

    I am working with Django OAuth2 on a freelancing project and used the username and password grant to authenticate users.

    However, when I tried to refresh the access token I noticed that the refresh_token itself was revoked, and I found in the documentation that we can use ROTATE_REFRESH_TOKEN to disable this behavior.

    But the docs are talking about a known bug that I do not fully understand: why would setting this to False cause the tokens to be revoked? I debugged the code locally and didn't see anything that would cause this.

    I suspect that the docs could be old, and a bit outdated in that regard, but I'm not sure.

    Can someone please explain it to me, and whether it is safe to use when going into production or not?

    question 
    opened by hamza-sabri 0
  • Invalid JWT signature because of hashed client secret

    Invalid JWT signature because of hashed client secret

    Describe the bug

    I'm using next-auth on the frontend and the latest django-oauth-toolkit with OIDC enabled and HS256 as the algorithm on the backend. After authorizing my oauth application I get the error "failed to validate JWT signature" in next-auth.

    The JWT token provided by django-oauth-toolkit seems to be incorrect. It's prepared in oauth2_provider.oauth2_validators.finalize_id_token. The culprit is the jwk_key that's used for signing the token. It's generated with the client secret, which is being hashed since v2.0.0.

    https://github.com/jazzband/django-oauth-toolkit/blob/04b5b3e49020168d8decc2c536f3287ad40bcfc3/oauth2_provider/oauth2_validators.py#L845

    I'm assuming that hashing was added under the assumption that the raw secret isn't needed anymore after it's created, but that doesn't seem to be the case (see line 224).

    https://github.com/jazzband/django-oauth-toolkit/blob/04b5b3e49020168d8decc2c536f3287ad40bcfc3/oauth2_provider/models.py#L217-L225

    To Reproduce

    I've created a test repo: https://github.com/dnsv/auth-test

    1. Setup Django (I'm using Python 3.11):

      1. poetry install
      2. poetry run python manage.py runserver
      3. poetry run python manage.py migrate
      4. poetry run python manage.py createsuperuser.
    2. Login into admin.

    3. Create a new Oauth application:

    4. Create the file frontend/.env:

      OAUTH_CLIENT_ID=...
      OAUTH_CLIENT_SECRET=...
      
    5. Setup Next.js (I'm using node v18.12.1, but it probably works the same with lower versions).

      1. cd frontend
      2. yarn install
      3. yarn dev
    6. Go to http://localhost:3000/ and try to sign in. You'll get the error shown in the console after the authorization step.

    Highlights from the backend setup:

    # backend/base/settings.py
    
    OAUTH2_PROVIDER = {
        "OIDC_ENABLED": True,
        "OAUTH2_VALIDATOR_CLASS": "backend.oauth2.utils.CustomOAuth2Validator",
        "SCOPES": {
            "openid": "OpenID Connect scope",
        },
    }
    
    # backend/oauth2/utils.py
    
    from oauth2_provider.oauth2_validators import OAuth2Validator
    
    class CustomOAuth2Validator(OAuth2Validator):
        oidc_claim_scope = None
    
        def get_additional_claims(self, request):
            return {
                "id": request.user.id,
                "given_name": request.user.first_name,
                "family_name": request.user.last_name,
                "name": f"{request.user.first_name} {request.user.last_name}",
                "email": request.user.email,
            }
    
    

    Expected behavior

    Being able to login :)

    Version

    • [x] I have tested with the latest published release and it's still a problem.
    • [ ] I have tested with the master branch and it's still a problem.

    Additional context

    N/A

    bug 
    opened by dnsv 0
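    To make the failure mode concrete, here is an added, stdlib-only example of the relying-party check that next-auth performs on an HS256 id_token: it signs the same claims once with the raw client secret and once with a hashed stand-in, then verifies both against the raw secret the RP was given. This is example code written for this page, not code from django-oauth-toolkit or next-auth; the client_id, secret, issuer URL, claims and the hashed-secret string are constructed (the real stored value is Django password-hasher output, which is also not the raw secret, so it fails the same way). The nonce reused here is the one from this page's sample authorization requests.

```python
"""Relying-party verification of an HS256-signed OIDC id_token.

Added example (stdlib only); not code from django-oauth-toolkit or next-auth.
All secrets, claims and the hashed-secret stand-in are constructed.
"""
import base64
import hashlib
import hmac
import json

CLIENT_ID = "client-app"                                   # constructed
RAW_CLIENT_SECRET = "shown-once-at-registration-copy-me"   # constructed
# Stand-in for the hashed value stored after save (constructed; any string
# other than the raw secret reproduces the signature failure).
HASHED_CLIENT_SECRET = "pbkdf2_sha256$600000$constructedsalt$" + hashlib.sha256(RAW_CLIENT_SECRET.encode()).hexdigest()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: str) -> str:
    """Compact JWS: b64url(header).b64url(payload).b64url(HMAC-SHA256(key, input))."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def check_id_token(token: str, key: str, expected_aud: str, expected_nonce: str, now: int) -> str:
    """Return "ok" or the reason the token is rejected. The signature is
    checked before any claim is trusted, and the accepted alg is pinned to
    HS256 instead of being taken from the token header."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:   # binascii.Error / JSONDecodeError / UnicodeDecodeError
        return "malformed token"
    if header.get("alg") != "HS256":
        return "unexpected alg"
    expected = hmac.new(key.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return "failed to validate JWT signature"
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("aud") != expected_aud:
        return "aud mismatch"
    if claims.get("nonce") != expected_nonce:
        return "nonce mismatch"      # binds the id_token to this login attempt
    if int(claims.get("exp", 0)) <= now:
        return "token expired"
    return "ok"


def demo(now: int = 1_700_000_000) -> dict:
    """Sign identical claims with the raw secret and with the hashed stand-in,
    then verify both the way the RP does, using the raw secret it was given."""
    nonce = "n-0S6_WzA2Mj"
    claims = {"iss": "http://127.0.0.1:8000/o", "sub": "1", "aud": CLIENT_ID,
              "iat": now, "exp": now + 600, "nonce": nonce}
    return {
        "raw_secret": check_id_token(sign_hs256(claims, RAW_CLIENT_SECRET), RAW_CLIENT_SECRET, CLIENT_ID, nonce, now),
        "hashed_secret": check_id_token(sign_hs256(claims, HASHED_CLIENT_SECRET), RAW_CLIENT_SECRET, CLIENT_ID, nonce, now),
    }
```

    demo() returns "ok" for the raw-secret token and "failed to validate JWT signature" for the hashed-secret one, which is the error next-auth reports. `now` is passed explicitly so the expiry check is deterministic; in a real RP use the current time.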
  • Documentation is still missing w.r.t. hashed secrets

    Documentation is still missing w.r.t. hashed secrets

    Describe the bug

    In DOT 2.x the client_secret is now stored hashed. Documentation (including warning text in the HTML template) was added for the admin UI but was missed for the documentation and non-admin UI endpoints as documented in getting_started

    To Reproduce

    1. Run a DOT-using app
    2. Go to http://127.0.0.1:8000/o/applications/register/
    3. Note that there's no clear warning about copying the client_secret before save as there is in the admin UI.

    Expected behavior

    The user should be warned to copy the secret before save as is done at http://127.0.0.1:8000/admin/oauth2_provider/application/add/

    Version

    2.2.0

    • [x] I have tested with the latest published release and it's still a problem.
    • [x] I have tested with the master branch and it's still a problem.

    Additional context

    See #1235 although that issue says the unhashed secret was used so the error may be unrelated.

    bug 
    opened by n2ygk 0
  • Duplicate key error: source_refresh_token_id, id_token_id

    Duplicate key error: source_refresh_token_id, id_token_id

    Hello. I have an error. Maybe it is django-oauth-toolkit's error.

    1. Create a token.
    2. Re-create a token.
    3. The second token causes a duplicate key error.
    pymongo.errors.BulkWriteError: batch op errors occurred, full error: {'writeErrors': [{'index': 0, 'code': 11000, 'keyPattern': {'source_refresh_token_id': 1}, 'keyValue': {'source_refresh_token_id': None}, 'errmsg': 'E11000 duplicate key error collection: test.oauth2_provider_accesstoken index: source_refresh_token_id dup key: { source_refresh_token_id: null }', 'op': {'id': 29, 'user_id': ObjectId('63aa59667ef2477a5517c897'), 'source_refresh_token_id': None, 'token': 'GD8Uq4vupSPV2t0BbZ5D0joTbQrIhH', 'id_token_id': None, 'application_id': 1, 'expires': datetime.datetime(2022, 12, 27, 12, 52, 50, 819549), 'scope': 'read write groups', 'created': datetime.datetime(2022, 12, 27, 2, 52, 50, 820066), 'updated': datetime.datetime(2022, 12, 27, 2, 52, 50, 820081), '_id': ObjectId('63aa5e027ef2477a5517c8ac')}}], 'writeConcernErrors': [], 'nInserted': 0, 'nUpserted': 0, 'nMatched': 0, 'nModified': 0, 'nRemoved': 0, 'upserted': []}
    

    The error field is oauth2_provider_accesstoken.source_refresh_token_id.

    First token: source_refresh_token_id = null. Second token: source_refresh_token_id = null.
    But oauth2_provider_accesstoken has a unique index. Its name is source_refresh_token_id.
    Therefore, a key error occurs when generating the second token.
    The same problem exists for the oauth2_provider_accesstoken.id_token_id index and the oauth2_provider_refreshtoken.access_token_id_1 index.

    The solution is to delete the unique index. But I want to avoid deleting it.

    Is this a bug? Or my mistake? And what is the purpose of the id_token_id field?

    Please, help me.

    question 
    opened by sig003 0
Releases(2.2.0)
  • 2.2.0(Oct 18, 2022)

    [2.2.0] 2022-10-18

    WARNING

    Issues caused by Release 2.0.0 breaking changes continue to be logged. Please make sure to carefully read these release notes before performing a MAJOR upgrade to 2.x.

    These issues both result in {"error": "invalid_client"}:

    1. The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail.

    2. PKCE_REQUIRED is now True by default. You should use PKCE with your client or set PKCE_REQUIRED=False if you are unable to fix the client.

    Added

    • #1208 Add 'code_challenge_method' parameter to authorization call in documentation
    • #1182 Add 'code_verifier' parameter to token requests in documentation

    Changed

    • #1203 Support Django 4.1.

    Fixed

    • #1203 Remove upper version bound on Django, to allow upgrading to Django 4.1.1 bugfix release.
    • #1210 Handle oauthlib errors on create token requests
    Source code(tar.gz)
    Source code(zip)
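    Since PKCE_REQUIRED now defaults to True, the following added example shows both halves of RFC 7636 that a client and the token endpoint have to agree on: the client derives an S256 code_challenge from a fresh code_verifier, sends only the challenge in the authorization request, and sends the verifier in the token request; the server recomputes the challenge from the presented verifier and compares it with the stored one. This is stdlib-only example code written for this page, not django-oauth-toolkit's or oauthlib's implementation; the client_id and redirect_uri are constructed placeholders, and the authorize URL assumes the `o/` mount point from the README's urls.py.

```python
"""PKCE (RFC 7636) on both sides of the authorization-code flow.

Added example, not django-oauth-toolkit's or oauthlib's code. CLIENT_ID and
REDIRECT_URI are constructed; AUTHORIZE_URL assumes the README's `o/` mount.
"""
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import urlencode

AUTHORIZE_URL = "http://127.0.0.1:8000/o/authorize/"
CLIENT_ID = "public-client-id"            # constructed
REDIRECT_URI = "http://localhost/callback"  # constructed


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier from [A-Za-z0-9-._~]; 32 random bytes give 43
    characters, the RFC 7636 section 4.1 minimum (max is 128)."""
    return _b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(verifier))) without padding (section 4.2)."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(verifier: str, state: str, scope: str = "read") -> str:
    """Client side: the authorization request carries the challenge, never the verifier."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def build_token_request(code: str, verifier: str) -> dict:
    """Client side: token request body; the verifier is revealed only here, over TLS."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }


def server_verifies(stored_challenge: str, stored_method: str, presented_verifier: Optional[str]) -> bool:
    """Server side: the check a PKCE-required token endpoint performs using the
    challenge saved with the authorization code and the verifier from the
    token request. A missing verifier is rejected, which is what a legacy
    client that does not send one will hit once PKCE_REQUIRED is True."""
    if presented_verifier is None or not (43 <= len(presented_verifier) <= 128):
        return False
    if stored_method == "S256":
        expected = make_code_challenge(presented_verifier)
    elif stored_method == "plain":
        expected = presented_verifier
    else:
        return False
    return secrets.compare_digest(expected, stored_challenge)
```

    The interesting property is that an attacker who steals the authorization code from the redirect cannot redeem it without the verifier, which never left the client; that is why the verifier must be fresh per authorization request and bound to the pending code on the client side.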
  • 2.1.0(Jun 23, 2022)

    WARNING

    Issues caused by Release 2.0.0 breaking changes continue to be logged. Please make sure to carefully read these release notes before performing a MAJOR upgrade to 2.x.

    These issues both result in {"error": "invalid_client"}:

    1. The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail.

    2. PKCE_REQUIRED is now True by default. You should use PKCE with your client or set PKCE_REQUIRED=False if you are unable to fix the client.

    Added

    • #1164 Support prompt=login for the OIDC Authorization Code Flow end user Authentication Request.
    • #1163 Add French (fr) translations.
    • #1166 Add Spanish (es) translations.

    Changed

    • #1152 createapplication management command enhanced to display an auto-generated secret before it gets hashed.
    • #1172, #1159, #1158 documentation improvements.

    Fixed

    • #1147 Fixed 2.0.0 implementation of hashed client secret to work with swapped models.
    Source code(tar.gz)
    Source code(zip)
  • 2.0.0(Apr 24, 2022)

    What's Changed

    • WIP: Hash application client secrets using Django password hashing by @n2ygk in https://github.com/jazzband/django-oauth-toolkit/pull/1093
    • OIDC: Add "scopes_supported" to openid-configuration. by @n2ygk in https://github.com/jazzband/django-oauth-toolkit/pull/1106
    • OIDC: Standard scopes to determine which claims are returned by @n2ygk in https://github.com/jazzband/django-oauth-toolkit/pull/1108
    • Prevent the tests/migrations directory from getting packaged by @brianhelba in https://github.com/jazzband/django-oauth-toolkit/pull/1118
    • Topic/1112 by @daffyd in https://github.com/jazzband/django-oauth-toolkit/pull/1113
    • [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in https://github.com/jazzband/django-oauth-toolkit/pull/1109
    • Fix broken import in doc by @CarlSchwan in https://github.com/jazzband/django-oauth-toolkit/pull/1121
    • Security BCP: Remove OOB by @n2ygk in https://github.com/jazzband/django-oauth-toolkit/pull/1124
    • Revert 1070 (Celery tasks.py) by @n2ygk in https://github.com/jazzband/django-oauth-toolkit/pull/1126
    • Pin Jinja2 version per https://github.com/sphinx-doc/sphinx/issues/10291 by @n2ygk in https://github.com/jazzband/django-oauth-toolkit/pull/1134
    • Missed updating master branch version to 1.7.1 by @n2ygk in https://github.com/jazzband/django-oauth-toolkit/pull/1133
    • Update createapplication command by @vector-kerr in https://github.com/jazzband/django-oauth-toolkit/pull/1132
    • Add tutorial for Celery task setup. by @n2ygk in https://github.com/jazzband/django-oauth-toolkit/pull/1128
    • chore: .gitignore local development files by @dopry in https://github.com/jazzband/django-oauth-toolkit/pull/1137
    • feat: Update PKCE_REQUIRED to true by default by @dopry in https://github.com/jazzband/django-oauth-toolkit/pull/1129
    • [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in https://github.com/jazzband/django-oauth-toolkit/pull/1139
    • sphinx-lint by @JulienPalard in https://github.com/jazzband/django-oauth-toolkit/pull/1142
    • Corrections to resource server documentation by @n2ygk in https://github.com/jazzband/django-oauth-toolkit/pull/1136
    • Add help wanted to the README by @n2ygk in https://github.com/jazzband/django-oauth-toolkit/pull/1144
    • Release 2.0.0 by @n2ygk in https://github.com/jazzband/django-oauth-toolkit/pull/1145

    New Contributors

    • @brianhelba made their first contribution in https://github.com/jazzband/django-oauth-toolkit/pull/1118
    • @daffyd made their first contribution in https://github.com/jazzband/django-oauth-toolkit/pull/1113
    • @CarlSchwan made their first contribution in https://github.com/jazzband/django-oauth-toolkit/pull/1121
    • @vector-kerr made their first contribution in https://github.com/jazzband/django-oauth-toolkit/pull/1132
    • @dopry made their first contribution in https://github.com/jazzband/django-oauth-toolkit/pull/1137
    • @JulienPalard made their first contribution in https://github.com/jazzband/django-oauth-toolkit/pull/1142

    Full Changelog: https://github.com/jazzband/django-oauth-toolkit/compare/1.7.0...2.0.0

    Source code(tar.gz)
    Source code(zip)
  • 1.7.0(Jan 23, 2022)

    [1.7.0] 2022-01-23

    Added

    • #969 Add batching of expired token deletions in cleartokens management command and models.clear_expired() to improve performance for removal of large numbers of expired tokens. Configure with CLEAR_EXPIRED_TOKENS_BATCH_SIZE and CLEAR_EXPIRED_TOKENS_BATCH_INTERVAL.
    • #1070 Add a Celery task for clearing expired tokens, e.g. to be scheduled as a periodic task.
    • #1062 Add Brazilian Portuguese (pt-BR) translations.
    • #1069 OIDC: Add an alternate form of get_additional_claims() which makes the list of additional claims_supported available at the OIDC auto-discovery endpoint (.well-known/openid-configuration).

    Fixed

    • #1012 Return 200 status code with {"active": false} when introspecting a nonexistent token per RFC 7662. It had been incorrectly returning 401.
    Source code(tar.gz)
    Source code(zip)
  • 1.6.3(Jan 11, 2022)

    [1.6.3] 2022-01-11

    Fixed

    • #1085 Fix for #1083 admin UI search for idtoken results in django.core.exceptions.FieldError: Cannot resolve keyword 'token' into field.

    Added

    • #1085 Add admin UI search fields for additional models.
    Source code(tar.gz)
    Source code(zip)
  • 1.6.2(Jan 7, 2022)

  • 1.6.1(Dec 23, 2021)

  • 1.6.0(Dec 19, 2021)

    Added

    • #949 Provide django.contrib.auth.authenticate() with a request for compatibility with more backends (like django-axes).
    • #968, #1039 Add support for Django 3.2 and 4.0.
    • #953 Allow loopback redirect URIs using random ports as described in RFC8252 section 7.3.
    • #972 Add Farsi/fa language support.
    • #978 OIDC: Add support for rotating multiple RSA private keys.
    • #978 OIDC: Add new OIDC_JWKS_MAX_AGE_SECONDS to improve jwks_uri caching.
    • #967 OIDC: Add additional claims beyond sub to the id_token.
    • #1041 Add a search field to the Admin UI (e.g. to search for tokens by email address).

    Changed

    • #981 Require redirect_uri if multiple URIs are registered per RFC6749 section 3.1.2.3.
    • #991 Update documentation of REFRESH_TOKEN_EXPIRE_SECONDS to indicate it may be int or datetime.timedelta.
    • #977 Update Tutorial to show required include.

    Removed

    • #968 Remove support for Django 3.0 & 3.1 and Python 3.6.
    • #1035 Remove default_app_config for Django Deprecation Warning.
    • #1023 Drop six.

    Fixed

    • #963 Fix handling invalid hex values in client query strings with a 400 error rather than 500.
    • #973 Tutorial updated to use django-cors-headers.
    • #956 OIDC: Update documentation of get_userinfo_claims to add the missing argument.

    Source code(tar.gz)
    Source code(zip)
  • 1.5.0(Mar 22, 2021)

  • 1.3.2(Mar 26, 2020)

  • 1.3.1(Mar 24, 2020)

    Added

    • #725: HTTP Basic Auth support for introspection (Fix issue #709)

    Fixed

    • #812: Reverts #643 pass wrong request object to authenticate function.
    • Fix concurrency issue with refresh token requests (#810)
    • #817: Reverts #734 tutorial documentation error.
    Source code(tar.gz)
    Source code(zip)
  • 1.3.0(Mar 2, 2020)

    From the CHANGELOG:

    [1.3.0] 2020-03-02

    Added

    • Add support for Python 3.7 & 3.8
    • Add support for Django>=2.1,<3.1
    • Add requirement for oauthlib>=3.0.1
    • Add support for Proof Key for Code Exchange (PKCE, RFC 7636).
    • Add support for custom token generators (e.g. to create JWT tokens).
    • Add new OAUTH2_PROVIDER settings:
      • ACCESS_TOKEN_GENERATOR to override the default access token generator.
      • REFRESH_TOKEN_GENERATOR to override the default refresh token generator.
      • EXTRA_SERVER_KWARGS options dictionary for oauthlib's Server class.
      • PKCE_REQUIRED to require PKCE.
    • Add createapplication management command to create an application.
    • Add id in toolkit admin console applications list.
    • Add nonstandard Google support for [urn:ietf:wg:oauth:2.0:oob] redirect_uri for Google OAuth2 "manual copy/paste". N.B. this feature appears to be deprecated and replaced with methods described in RFC 8252: OAuth2 for Native Apps and may be deprecated and/or removed from a future release of Django-oauth-toolkit.

    Changed

    • Change this change log to use Keep a Changelog format.
    • Backwards-incompatible squashed migrations: If you are currently on a release < 1.2.0, you will need to first install 1.2.0 then manage.py migrate before upgrading to >= 1.3.0.
    • Improved the tutorial.

    Removed

    • Remove support for Python 3.4
    • Remove support for Django<=2.0
    • Remove requirement for oauthlib<3.0

    Fixed

    • Fix a race condition in creation of AccessToken with external oauth2 server.
    • Fix several concurrency issues. (#638)
    • Fix to pass request to django.contrib.auth.authenticate() (#636)
    • Fix missing oauth2_error property exception oauthlib_core.verify_request method raises exceptions in authenticate. (#633)
    • Fix "django.db.utils.NotSupportedError: FOR UPDATE cannot be applied to the nullable side of an outer join" for postgresql. (#714)
    • Fix to return a new refresh token during grace period rather than the recently-revoked one. (#702)
    • Fix a bug in refresh token revocation. (#625)
    Source code(tar.gz)
    Source code(zip)
  • 0.11.0(Dec 1, 2016)

    • #424: Added a ROTATE_REFRESH_TOKEN setting to control whether refresh tokens are reused or not
    • #315: AuthorizationView does not overwrite requests on get
    • #425: Added support for Django 1.10
    • #396: added an IsAuthenticatedOrTokenHasScope Permission
    • #357: Support multiple-user clients by allowing User to be NULL for Applications
    • #389: Reuse refresh tokens if enabled.
    Source code(tar.gz)
    Source code(zip)
  • 0.10.0(Dec 14, 2015)

    • #322: dropping support for python 2.6 and django 1.4, 1.5, 1.6
    • #310: Fixed error that could occur sometimes when checking validity of incomplete AccessToken/Grant
    • #333: Added possibility to specify the default list of scopes returned when scope parameter is missing
    • #325: Added management views of issued tokens
    • #249: Added a command to clean expired tokens
    • #323: Application registration view uses custom application model in form class
    • #299: 'server_class' is now pluggable through Django settings
    • #309: Add the py35-django19 env to travis
    • #308: Use compact syntax for tox envs
    • #306: Django 1.9 compatibility
    • #288: Put additional information when generating token responses
    • #297: Fixed doc about SessionAuthenticationMiddleware
    • #273: Generic read/write scope by resource
  • 0.9.0(Jul 28, 2015)

    • oauthlib_backend_class is now pluggable through Django settings
    • #127: application/json Content-Type is now supported using JSONOAuthLibCore
    • #238: Fixed redirect uri handling in case of error
    • #229: Invalidate access tokens when getting a new refresh token
    • Added support for oauthlib 1.0
  • 0.6.1(Feb 5, 2014)

    • Added support for the scope query parameter, keeping backwards compatibility with the original scopes parameter.
    • The __str__ method of the Application model returns the content of the name field when available
  • 0.5.0(Sep 30, 2013)

    New stuff

    • oauthlib 0.6.0 support

    Backwards incompatible changes in 0.5.0

    • The backends.py module has been renamed to oauth2_backends.py, so you should change your imports if you're extending this module

    Bugfixes

    • Issue #54: Auth backend proposal to address #50
    • Issue #61: Fix contributing page
    • Issue #55: Add support for authenticating confidential client with request body params
    • Issue #53: Quote characters in the url query that are safe for Django but not for oauthlib