Releases: City-of-Helsinki/django-helusers

django-helusers: v0.13.2

03 Mar 10:48

0.13.2 (2025-03-03)

Continuous Integration

  • Release-please automatically pushes the package to PyPI (623d889)

django-helusers: v0.13.1

03 Mar 08:00

0.13.1 (2025-03-03)

Bug Fixes

  • Map multiple user groups to one ad group (1600579)

Documentation

  • readme: Fix title level for user migration (7381cda)
  • Update changelog (f0ccc44)

v0.13.0

25 Jun 07:51

What's Changed

  • fix: improve ModelAdmins for ADGroupMapping and ADGroup by @voneiden in #101
  • HP-2429 | feat: migrate old user from Tunnistamo to Keycloak by @charn in #102

Full Changelog: v0.12.0...v0.13.0

v0.12.0

20 May 12:22

What's Changed

  • feat: define new setting ALLOWED_ALGORITHMS by @voneiden in #100

Full Changelog: v0.11.0...v0.12.0

v0.11.0

15 Mar 07:32

Changed

  • Add Django admin logout support for Django 5.0
  • Add code quality tooling: black, isort, flake8, commitlint, pre-commit
  • Run code quality tools and do the necessary fixes

v0.10.0

07 Mar 13:36

Changed

  • Drop support for Python 3.7 and older
  • Add support for Python 3.12
  • Require at least Django 3.2
  • Add support for Django 5.0 by adding a new session serializer TunnistamoOIDCSerializer which can handle session data produced by the custom helusers.defaults.SOCIAL_AUTH_PIPELINE pipeline. Django 5.0 removed PickleSerializer.

v0.9.0

09 Aug 14:52

Fixed

  • ApiTokenAuthentication again validates the aud claim. The aud claim wasn't validated if the drf-oidc-auth version was 1.0.0 or greater.

Added

  • Ability to use "dot notation" in the API_AUTHORIZATION_FIELD setting to look up API scopes nested deeper in the claims
  • Documentation about social auth pipeline configuration

Removed

  • Removed drf-oidc-auth requirement when using ApiTokenAuthentication. Django REST framework is still required.

Changed

  • API_AUTHORIZATION_FIELD and API_SCOPE_PREFIX settings now support a list of strings

  • ApiTokenAuthentication is no longer a subclass of oidc_auth.authentication.JSONWebTokenAuthentication but a direct subclass of rest_framework.authentication.BaseAuthentication

  • ApiTokenAuthentication uses the same JWT class as RequestJWTAuthentication for the token validation

    • Changed methods:
      • decode_jwt can raise jose.JWTError exception
      • get_oidc_config no longer returns oidc configuration dictionary but an OIDCConfig instance
      • validate_claims still exists and is called, but doesn't do anything
    • Removed methods:
      • get_audiences
      • jwks
      • jwks_data
      • oidc_config
    • Removed properties:
      • claims_options
      • issuer
  • ApiTokenAuthentication now supports multiple issuers. Previously it accepted multiple issuers in the settings but could only use the first issuer.

  • ApiTokenAuthentication.authenticate no longer raises AuthenticationError if the authorization header contains the correct scheme but not a valid JWT. It now returns None, which means the authentication didn't succeed but can be tried with the next authenticator.

  • ApiTokenAuthentication now rejects tokens that have been invalidated by back-channel logout

  • The amr claim is no longer validated in ApiTokenAuthentication

  • The issued at (iat) claim is no longer limited by the OIDC_LEEWAY oidc_auth setting (default 10 minutes) when using ApiTokenAuthentication, i.e. tokens can have been generated as long ago as needed.

  • A user is no longer created in ApiTokenAuthentication if the token is correct but is missing the required API scopes

0.8.1

04 Apr 13:14

Fixed

  • Admin site logout view caching with Django 4
  • Turn invalid string amr claim into an array in JWT

0.8.0

17 Mar 07:18

Added

  • Support for Python 3.10 & 3.11
  • Support for Django >=4.0

Removed

  • Support for Python 3.6
  • Support for Django 2.2

0.7.1

12 Apr 12:53

Changed

  • Handle a list of configured issuers in ApiTokenAuthentication
  • Require Django version < 4