Skip to content

Latest commit

 

History

History
334 lines (226 loc) · 11.4 KB

CHANGELOG.rst

File metadata and controls

334 lines (226 loc) · 11.4 KB
Raw

Changelog

0.21.1 (2024-12-10)

A bugfix for the django-setup-configuration YAML format: * Move oidc_op_jwks_endpoint and oidc_op_logout_endpoint to the endpoint_config key

0.21.0 (2024-12-09)

Some changes to prepare the django-setup-configuration YAML format for when support for multiple configurations is added: * Add identifier field to YAML data to setup configuration * Modify format of YAML data to accept list of configurations

0.20.0 (2024-12-03)

New Features:

0.19.0 (2024-07-02)

Bugfix and cleanup release

  • Fixed broken SessionRefresh middleware
  • Removed oidc_exempt_urls config model fields - these turn out not to be used and you typically want to specify them in django settings as they are tied to the session refresh middleware.

0.18.1 (2024-06-18)

Bugfix release

  • Redirect responses from the OP_LOGOUT request are no longer followed automatically.

0.18.0 (2024-06-12)

Small feature release

  • Added mozilla_django_oidc_db.fields.ClaimFieldDefault to specify default values for ClaimField in a less verbose way.

0.17.0 (2024-05-28)

This release is a big rewrite and refactor of the library internals.

💥 There are a number of breaking changes, please review the notes further down.

Why the rework?

mozilla-django-oidc-db originated in being able to change OpenID Provider configuration (such as the endpoints, client ID...) on the fly rather than at deploy time. So, we implemented looking up the settings from a database model rather than the Django settings, and this worked for a while. The scope was limited to logging in to the admin interface with OpenID Connect.

Then, authentication flows also relying on OpenID Connect for different types of users became relevant - one or more different configurations, with different client IDs etc. This was further complicated that not every configuration should result in a Django user record being created/updated.

Implementing this in projects was possible, but it involved custom authentication backends, custom authentication request views and custom callback views to achieve the desired behaviour, resulting in quite a lot of spread-out code, duplication and annoyances for the administrators on the OpenID Provider side (adding yet another new Redirect URI for every configuration flavour...).

The rework addresses all this - customization and extension is still possible through (custom or proxy) models, but our authentication request view now makes sure to store which configuration to use in the callback view and authentication backend(s). Customizing behaviour on the authentication backend level is now also much more in line with standard Django practices, by using settings.AUTHENTICATION_BACKENDS.

This is a big internal rewrite and mostly affects people that were doing these sort of customizations. We've incorporated our experiences from the Open Forms and Open Inwoner projects in this rework and applied "lessons learned".

💥 Breaking changes

While we were able to perform most of the changes without breaking public API, some aspects could not be avoided. The majority are related to customization - for more details, please read the customization documentation.

  • Dropped support for Django 3.2 (and thus also mozilla-django-oidc 3.x). These are no longer maintained.

  • The attributes OIDCAuthenticationBackend.sensitive_claim_names and OIDCAuthenticationBackend.config_identifier_field are removed. This affects you if you were subclassing this backend to override these attributes.

    You can provide these in your custom configuration model(s) as the oidcdb_sensitive_claims and oidcdb_username_claim model fields or properties. See the implementation of the OpenIDConnectConfigBase model for more details.

  • The GetAttributeMixin, SoloConfigMixin and generic type support for OIDCAuthenticationBackend are removed. Instead of the dynamic attribute lookups, you can use mozilla_django_oidc_db.config.dynamic_setting. The solo config mixin is no longer relevant, because the config_class attribute is set during the authenticate method call, and that also removed the necessity for generic types.

  • Custom callback views should generally not be necessary anymore to modify user authentication/creation/updating behaviour. Instead, you should probably use a custom authentication backend and add that to your Django settings. However, if you modify the authentication views to add error handling or different redirect behaviour on success/error, you should subclass mozilla_django_oidc_db.views.OIDCAuthenticationCallbackView rather than OIDCCallbackView (the latter now acts as a router). You can point from the config model to the view to use for this.

  • The GetAttributeMixin and SoloConfigMixin for SessionRefresh are removed, instead you can use the dynamic_setting descriptor (similar to the authentication backend change).

  • The django-solo caching mixin is removed from the models. The configuration is only retrieved when authenticating, and the regular django-solo cache settings apply. We do however modify the cache key so that it points to a unique django model to look up.

  • The fields oidc_kc_idp_hint and oidc_op_logout_endpoint are added to the base model. If you specify these yourself, remove them from your own models. You'll need to run makemigrations to update your own models.

New features

  • [#99] Improved support for customizing authentication behaviour. See the new section in the documentation for details.
  • [#102] Added system checks.
  • [#42] Added keycloak IDP hint configuration field and logout endpoint.

Project maintenance

  • Added more (technical) documentation - both user-guide style and API reference docs.
  • Improved quality of tests - we avoid mocks and favour testing against real OpenID Providers (using VCR.py).

0.16.0 (2024-05-02)

  • [#84] Updated usage section in README
  • [#88] Set up Sphinx documentation on readthedocs
  • [#94] Claims with "." characters in them are now supported
  • [#92] Fixed a crash when validating the user claim mapping

0.15.0 (2024-02-07)

Breaking changes

  • Dropped support for Django 4.1
  • Dropped support for Python 3.8 and 3.9
  • Dropped support for mozilla-django-oidc 2.0

New features

  • Confirmed support for mozilla-django-oidc 4.0
  • Confirmed support for Python 3.12
  • [#80] Added configuration to call token endpoint with HTTP Basic Auth
  • [#83] Support application/jwt responses from userinfo endpoint

Project maintenance/refactors

  • Added more typehints
  • Added docker-compose setup for Keycloak OIDC Provider
  • Added VCR for testing against real OIDC provider(s)

0.14.1 (2024-01-12)

  • [#76] Make groups_claim optional (to allow disabling of group assignment)

0.14.0 (2024-01-05)

Django 4.2+ compatibility update

  • Replaced django-better-admin-arrayfield with django-jsonform, the former does not work on modern Django versions.

0.13.0 (2023-12-21)

  • [#65] Add functionality to make users superuser based on groups
  • [#68] More clear label/helptext for sync_groups

0.12.0 (2022-12-14)

  • [#59] Config option to get user info from ID token

0.11.0 (2022-08-09)

  • [#56] Add default_groups option to OIDC config
  • Catch validation errors during auth process and display the message on error page

0.10.1 (2022-07-27)

Bugfixes

  • [#51] Use defaults from SessionRefresh if variable not provided

Project maintenance/refactors

  • [#48] Document claim obfuscation in README

0.10.0 (2022-04-25)

Breaking changes

  • Dropped support for Django < 3.2
  • Dropped support for Python 3.6

New features

  • Migrated from django.contrib.postgres.fields.JSONField to models.JSONField, so you can use databases other than PostgreSQL.
  • Added support for Django 4.0

Project maintenance/refactors

  • Cleaned up test suite and solved deprecation warnings/runtime warnings
  • Updated support python/django versions in CI configuration

0.9.0 (2022-04-21)

New features

  • Added support for mozilla-django-oidc 2.x (#16)
  • Added ability to obfuscate claim values for logging output (#42)
  • Added ability to specify (nested) identifier claim to extract (#42)
  • Customizable SoloModel cache prefix via CachingMixin
  • Add views to properly handle admin login failure (#33)

Project maintenance/refactors

  • Define generic base class for OIDC config fields
  • Removed unused Travis CI config
  • Explicitly return None for empty values from config
  • Added typehints

0.8.0 (2022-02-15)

  • Allow usage of other config classes in SoloConfigMixin

0.7.2 (2022-01-11)

  • Fix caching issues caused by OpenIDConnectConfig.get_solo in backend initialization (#30)
  • Rename imported SessionRefresh in middleware to avoid conflicting names

0.7.1 (2021-11-29)

  • Fix verbose_name/help_text in username_claim migration

0.7.0 (2021-11-29) YANKED

  • Add configurable username claim (defaults to sub)

0.6.0 (2021-11-26)

  • Add configurable glob pattern for groups sync, to only sync groups that match the pattern
  • Fix OIDC config form for users with readonly access

0.5.0 (2021-09-13)

  • Pin mozilla-django-oidc to >=1.0.0, <2.0.0 (due to compatibility issues)
  • Adapt admin form to allow configurable endpoints that must be derived from discovery endpoint

0.4.0 (2021-08-16)

  • Allow claim mappings to be configured via admin.
  • Allow group synchronization between role claims and Django groups.
  • Allow added users to be promoted to staff users directly.
  • Fixed missing INSTALLED_APP in the testproject.

0.3.0 (2021-07-19)

  • Add derivation of endpoints via OpenID Connect discovery endpoint
  • Add fieldsets for OpenID Connect configuration admin page

0.2.1 (2021-07-06)

  • Fix variable name MOZILLA_DJANGO_OIDC_DB_CACHE_TIMEOUT to be the same as in the README

0.2.0 (2021-07-06)

  • Initial release