Description
Django OAuth Toolkit
====================

*OAuth2 goodies for the Djangonauts!*

.. image:: https://badge.fury.io/py/django-oauth-toolkit.svg
    :target: http://badge.fury.io/py/django-oauth-toolkit

.. image:: https://github.com/django-oauth/django-oauth-toolkit/workflows/Test/badge.svg
    :target: https://github.com/django-oauth/django-oauth-toolkit/actions
    :alt: GitHub Actions

.. image:: https://codecov.io/gh/django-oauth/django-oauth-toolkit/branch/master/graph/badge.svg
    :target: https://codecov.io/gh/django-oauth/django-oauth-toolkit
    :alt: Coverage

.. image:: https://img.shields.io/pypi/pyversions/django-oauth-toolkit.svg
    :target: https://pypi.org/project/django-oauth-toolkit/
    :alt: Supported Python versions

.. image:: https://img.shields.io/pypi/djversions/django-oauth-toolkit.svg
    :target: https://pypi.org/project/django-oauth-toolkit/
    :alt: Supported Django versions

If you are facing one or more of the following:

* Your Django app exposes a web API you want to protect with OAuth2 authentication,
* You need to implement an OAuth2 authorization server to provide token management for your infrastructure,

Django OAuth Toolkit can help you by providing out of the box all the endpoints, data and logic needed to add OAuth2 capabilities to your Django projects.

Django OAuth Toolkit makes extensive use of the excellent `OAuthLib <https://github.com/idan/oauthlib>`_, so that everything is `rfc-compliant <https://rfc-editor.org/rfc/rfc6749.html>`_.

Reporting security issues
-------------------------

Please report any security issues to the Django OAuth security team at <django-oauth-security@googlegroups.com>. Do not file an issue on the tracker.

Requirements
------------

* Python 3.8, 3.9, 3.10, 3.11, 3.12, 3.13 or 3.14
* Django 4.2, 5.0, 5.1 or 5.2
* oauthlib 3.2.2+

Installation
------------

Install with pip::

    pip install django-oauth-toolkit

Add ``oauth2_provider`` to your ``INSTALLED_APPS``:

.. code-block:: python

    INSTALLED_APPS = (
        ...
        'oauth2_provider',
    )

If you need an OAuth2 provider you'll want to add the following to your ``urls.py``.

.. code-block:: python

    from django.urls import include, path
    from oauth2_provider import urls as oauth2_urls

    urlpatterns = [
        ...
        # Mounts the authorize, token, revoke and introspect endpoints under /o/
        path('o/', include(oauth2_urls)),
    ]

Changelog
---------

See `CHANGELOG.md <https://github.com/django-oauth/django-oauth-toolkit/blob/master/CHANGELOG.md>`_.

Documentation
-------------

The `full documentation <https://django-oauth-toolkit.readthedocs.io/>`_ is on *Read the Docs*.

License
-------

django-oauth-toolkit is released under the terms of the **BSD license**. Full details in the ``LICENSE`` file.

Help Wanted
-----------

We need help maintaining and enhancing django-oauth-toolkit (DOT).

Join the team
~~~~~~~~~~~~~

There are no barriers to participation. Anyone can open an issue or PR, or review a pull request. Please dive in!

How you can help
~~~~~~~~~~~~~~~~

See our `contributing <https://django-oauth-toolkit.readthedocs.io/en/latest/contributing.html>`__ info and the open `issues <https://github.com/django-oauth/django-oauth-toolkit/issues>`__ and `PRs <https://github.com/django-oauth/django-oauth-toolkit/pulls>`__, especially those labeled `help-wanted <https://github.com/django-oauth/django-oauth-toolkit/labels/help-wanted>`__.

Discussions
~~~~~~~~~~~

Have questions or want to discuss the project? See `the discussions <https://github.com/django-oauth/django-oauth-toolkit/discussions>`__.

Submit PRs and Perform Reviews
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

PR submissions and reviews are always appreciated! Since we require an independent review of any PR before it can be merged, having your second set of eyes looking at PRs is extremely valuable.

Become a Maintainer
~~~~~~~~~~~~~~~~~~~

If you are interested in stepping up to be a Maintainer, please open an issue. For maintainers we're looking for a positive attitude, attentiveness to the specifications, strong coding and communication skills, and a willingness to work with others. Maintainers are responsible for merging pull requests, managing issues, creating releases, and ensuring the overall health of the project.
Release History
| Version | Changes | Urgency | Date |
|---|---|---|---|
| 3.2.0 | Imported from PyPI (3.2.0) | Low | 4/21/2026 |
| 3.1.0 | **NOTE**: This is the first release under the new [django-oauth](https://github.com/django-oauth) organization. The project moved in order to be more independent and to bypass quota limits on parallel CI jobs we were encountering in Jazzband. The project will emulate Django Commons going forward in its operation. We're always on the lookout for willing maintainers and contributors. Feel free to start participating any time. PRs are always welcome. ### Added * #1506 Support for Wildcard Origin | Low | 11/2/2025 |
| 3.0.1 | bugfix #1491 Fix migration error when there are pre-existing Access Tokens. | Low | 9/7/2024 |
| 3.0.0 | ## Release 3.0.0 ### WARNING - POTENTIAL BREAKING CHANGES * Changes to the `AbstractAccessToken` model require doing a `manage.py migrate` after upgrading. * If you use swappable models you will need to make sure your custom models are also updated (usually `m | Low | 9/6/2024 |
| 2.4.0 | ## [2.4.0] - 2024-05-13 ### WARNING Issues caused by **Release 2.0.0 breaking changes** continue to be logged. Please **make sure to carefully read these release notes** before performing a MAJOR upgrade to 2.x. These issues both result in `{"error": "invalid_client"}`: 1. The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail. 2. `PKCE_REQUIRED` is now `True` by default. You should use PKCE with your client or s | Low | 5/20/2024 |
| 2.3.0 | ## [2.3.0] 2023-05-31 ### WARNING Issues caused by **Release 2.0.0 breaking changes** continue to be logged. Please **make sure to carefully read these release notes** before performing a MAJOR upgrade to 2.x. These issues both result in `{"error": "invalid_client"}`: 1. The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail. 2. `PKCE_REQUIRED` is now `True` by default. You should use PKCE with your client or s | Low | 5/31/2023 |
| 2.2.0 | ## [2.2.0] 2022-10-18 ### WARNING Issues caused by **Release 2.0.0 breaking changes** continue to be logged. Please **make sure to carefully read these release notes** before performing a MAJOR upgrade to 2.x. These issues both result in `{"error": "invalid_client"}`: 1. The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail. 2. `PKCE_REQUIRED` is now `True` by default. You should use PKCE with your client or s | Low | 10/18/2022 |
| 2.1.0 | ### WARNING Issues caused by **Release 2.0.0 breaking changes** continue to be logged. Please **make sure to carefully read these release notes** before performing a MAJOR upgrade to 2.x. These issues both result in `{"error": "invalid_client"}`: 1. The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail. 2. `PKCE_REQUIRED` is now `True` by default. You should use PKCE with your client or set `PKCE_REQUIRED=False` | Low | 6/23/2022 |
| 2.0.0 | ## What's Changed * WIP: Hash application client secrets using Django password hashing by @n2ygk in https://github.com/jazzband/django-oauth-toolkit/pull/1093 * OIDC: Add "scopes_supported" to openid-configuration. by @n2ygk in https://github.com/jazzband/django-oauth-toolkit/pull/1106 * OIDC: Standard scopes to determine which claims are returned by @n2ygk in https://github.com/jazzband/django-oauth-toolkit/pull/1108 * Prevent the tests/migrations directory from getting packaged by @brianhe | Low | 4/24/2022 |
| 1.7.0 | ## [1.7.0] 2022-01-23 ### Added * #969 Add batching of expired token deletions in `cleartokens` management command and `models.clear_expired()` to improve performance for removal of large numbers of expired tokens. Configure with [`CLEAR_EXPIRED_TOKENS_BATCH_SIZE`](https://django-oauth-toolkit.readthedocs.io/en/latest/settings.html#clear-expired-tokens-batch-size) and [`CLEAR_EXPIRED_TOKENS_BATCH_INTERVAL`](https://django-oauth-toolkit.readthedocs.io/en/latest/settings.html#clear-exp | Low | 1/23/2022 |
| 1.6.3 | ## [1.6.3] 2022-01-11 ### Fixed * #1085 Fix for #1083 admin UI search for idtoken results in `django.core.exceptions.FieldError: Cannot resolve keyword 'token' into field.` ### Added * #1085 Add admin UI search fields for additional models. | Low | 1/11/2022 |
| 1.6.2 | ## [1.6.2] 2022-01-06 **NOTE: This release reverts an inadvertently-added breaking change.** ### Fixed * #1056 Add missing migration triggered by [Django 4.0 changes to the migrations autodetector](https://docs.djangoproject.com/en/4.0/releases/4.0/#migrations-autodetector-changes). * #1068 Revert #967 which incorrectly changed an API. See #1066. | Low | 1/7/2022 |
| 1.6.1 | ### Changed * Note: Only Django 4.0.1+ is supported due to a regression in Django 4.0.0. [Explanation](https://github.com/jazzband/django-oauth-toolkit/pull/1046#issuecomment-998015272) ### Fixed * Miscellaneous 1.6.0 packaging issues. | Low | 12/23/2021 |
| 1.6.0 | # Added #949 Provide django.contrib.auth.authenticate() with a request for compatibility with more backends (like django-axes). #968, #1039 Add support for Django 3.2 and 4.0. #953 Allow loopback redirect URIs using random ports as described in RFC8252 section 7.3. #972 Add Farsi/fa language support. #978 OIDC: Add support for rotating multiple RSA private keys. #978 OIDC: Add new OIDC_JWKS_MAX_AGE_SECONDS to improve jwks_uri caching. #967 OIDC: Add additional claims beyond sub to the id_t | Low | 12/19/2021 |
| 1.5.0 | Adding support for OPENID | Low | 3/22/2021 |
| 1.4.1 | Release 1.4.1 | Low | 3/12/2021 |
| 1.4.0 | Release 1.4.0 | Low | 2/8/2021 |
| 1.3.3 | Release 1.3.3 | Low | 10/20/2020 |
| 1.3.2 | See release 1.3.1; no changes. | Low | 3/26/2020 |
| 1.3.1 | ### Added * #725: HTTP Basic Auth support for introspection (Fix issue #709) ### Fixed * #812: Reverts #643 pass wrong request object to authenticate function. * Fix concurrency issue with refresh token requests (#[810](https://github.com/jazzband/django-oauth-toolkit/pull/810)) * #817: Reverts #734 tutorial documentation error. | Low | 3/24/2020 |
| 1.3.0 | From the [CHANGELOG](https://github.com/jazzband/django-oauth-toolkit/blob/master/CHANGELOG.md): ## [1.3.0] 2020-03-02 ### Added * Add support for Python 3.7 & 3.8 * Add support for Django>=2.1,<3.1 * Add requirement for oauthlib>=3.0.1 * Add support for [Proof Key for Code Exchange (PKCE, RFC 7636)](https://tools.ietf.org/html/rfc7636). * Add support for custom token generators (e.g. to create JWT tokens). * Add new `OAUTH2_PROVIDER` [settings](https://django-oauth-toolkit.readthedo | Low | 3/2/2020 |
| 1.0.0 | Release 1.0.0 | Low | 2/15/2018 |
| 0.11.0 | - #424: Added a ROTATE_REFRESH_TOKEN setting to control whether refresh tokens are reused or not - #315: AuthorizationView does not overwrite requests on get - #425: Added support for Django 1.10 - #396: added an IsAuthenticatedOrTokenHasScope Permission - #357: Support multiple-user clients by allowing User to be NULL for Applications - #389: Reuse refresh tokens if enabled. | Low | 12/1/2016 |
| 0.10.0 | - **#322: dropping support for python 2.6 and django 1.4, 1.5, 1.6** - #310: Fixed error that could occur sometimes when checking validity of incomplete AccessToken/Grant - #333: Added possibility to specify the default list of scopes returned when scope parameter is missing - #325: Added management views of issued tokens - #249: Added a command to clean expired tokens - #323: Application registration view uses custom application model in form class - #299: 'server_class' is now pluggable throug | Low | 12/14/2015 |
| 0.9.0 | - `oauthlib_backend_class` is now pluggable through Django settings - #127: `application/json` Content-Type is now supported using `JSONOAuthLibCore` - #238: Fixed redirect uri handling in case of error - #229: Invalidate access tokens when getting a new refresh token - added support for oauthlib 1.0 | Low | 7/28/2015 |
| 0.8.0 | Release 0.8.0 | Low | 3/27/2015 |
| 0.7.2 | Release 0.7.2 | Low | 7/3/2014 |
| 0.7.1 | Release 0.7.1 | Low | 4/27/2014 |
| 0.7.0 | Release 0.7.0 | Low | 3/1/2014 |
| 0.6.1 | - added support for scope query parameter keeping backwards compatibility for the original scopes parameter. - `__str__` method in Application model returns content of name field when available | Low | 2/5/2014 |
| 0.5.0 | **New stuff** - oauthlib 0.6.0 support **Backwards incompatible changes in 0.5.0** - backends.py module has been renamed to oauth2_backends.py so you should change your imports whether you're extending this module **Bugfixes** - Issue #54: Auth backend proposal to address #50 - Issue #61: Fix contributing page - Issue #55: Add support for authenticating confidential client with request body params - Issue #53: Quote characters in the url query that are safe for Django but not for oauthlib | Low | 9/30/2013 |
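The 2.x release notes above repeatedly tie `{"error": "invalid_client"}` to clients that skip PKCE now that `PKCE_REQUIRED` defaults to `True`. The following is an added example, not code from django-oauth-toolkit or OAuthLib: it shows, with the standard library only, what a client must compute for the authorization request and the check a token endpoint performs on the verifier (RFC 7636); the function names and the in-memory `issued_code` record are stand-ins chosen here.

```python
import base64
import hashlib
import hmac
import secrets
import string

# RFC 7636 section 4.1: the verifier is 43..128 characters drawn from the
# unreserved set [A-Za-z0-9-._~].
VERIFIER_ALPHABET = string.ascii_letters + string.digits + "-._~"


def make_code_verifier(length: int = 64) -> str:
    """Client side: a high-entropy secret kept until the token request."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43..128 characters (RFC 7636)")
    return "".join(secrets.choice(VERIFIER_ALPHABET) for _ in range(length))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Client side: code_challenge sent with the authorization request.
    S256 = BASE64URL(SHA256(ASCII(verifier))) with padding stripped."""
    if method == "plain":
        return verifier
    if method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    raise ValueError(f"unsupported code_challenge_method: {method}")


def verify_code_challenge(verifier: str, challenge: str, method: str) -> bool:
    """Server side: recompute the challenge from the presented verifier and
    compare it to the one stored with the authorization code."""
    if not 43 <= len(verifier) <= 128 or any(c not in VERIFIER_ALPHABET for c in verifier):
        return False
    try:
        expected = make_code_challenge(verifier, method)
    except ValueError:
        return False
    return hmac.compare_digest(expected, challenge)


def simulate_flow(tampered: bool = False) -> bool:
    """Both legs of the flow. The authorization request binds the challenge to
    the issued code; the token request must present the matching verifier.
    `tampered` models a token request that does not hold the real verifier."""
    verifier = make_code_verifier()
    issued_code = {"challenge": make_code_challenge(verifier), "method": "S256"}
    presented = make_code_verifier() if tampered else verifier
    return verify_code_challenge(presented, issued_code["challenge"], issued_code["method"])
```

A DOT deployment with `PKCE_REQUIRED=True` rejects token requests on the tampered path, which is the behaviour the release notes describe; a client that cannot send `code_challenge` at all must either be fixed or the setting relaxed as the notes say.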
