Skip to content

Releases: python-social-auth/social-core

5.0.2

Choose a tag to compare

@nijel nijel released this 26 Jun 07:24

Security

  • LINE backend now validates callback state before exchanging authorization
    codes, preventing login CSRF.
  • Shopify backend now sends and validates OAuth state, preventing login CSRF.

Changed

  • Updated development dependencies and CI actions.

Fixed

  • Updated the Google OAuth documentation link.

5.0.1

Choose a tag to compare

@nijel nijel released this 24 Jun 03:52

Security

  • Externally resumable partial request links now require confirmation even in
    the browser session that created the partial, preventing validation links from
    being consumed by a plain GET.

5.0.0

Choose a tag to compare

@nijel nijel released this 23 Jun 14:16

Security

  • LoginRadius backend now validates callback state to prevent login CSRF.
  • Odnoklassniki app backend now ignores untrusted callback API hosts and
    validates returned user details.
  • Partial pipeline resume now requires session ownership or explicit external
    resume confirmation to prevent login CSRF.
  • SAML responses are now validated against the original AuthnRequest when
    possible.
  • Twilio backend now preserves HTTPS callback URLs and validates callback state
    to prevent login CSRF.

Fixed

  • Auth0 OpenID Connect configuration now uses the correct base URLs.
  • Authentication now handles invalid email addresses without crashing.
  • Vend OAuth user IDs are now scoped by shop.
  • VK app authentication now requires an auth key.

Removed

  • Discontinued OAuth backends: AppsFuel, Beats Music, ChangeTip, Clef,
    Edmodo, 500px (five_hundred_px), legacy Google App Engine bundled Users
    (gae), Jawbone, Moves, Mozilla Persona, Readability Parser API, and Wunderlist.
  • Discontinued Google+ Sign-In backend (google-plus / GooglePlusAuth).

4.9.1

Choose a tag to compare

@nijel nijel released this 30 Apr 07:15

Changed

  • GitHub backend now handles scoped email fetching deterministically.

Fixed

  • OpenID Connect missing token handling.
  • Microsoft refresh token and expiry handling.
  • Partial pipeline handling for Django QueryDict values.

4.9.0

Choose a tag to compare

@nijel nijel released this 29 Apr 13:38

This release might contain breaking changes. Review the removed backends and
stricter OAuth, OpenID Connect, and Azure AD validation before upgrading.

Added

  • OpenID Connect claim names for email, first name, last name, and full name can
    now be configured.
  • GitHub backend now stores fetched emails in pipeline data.

Changed

  • Azure AD backends now use OpenID configuration and JWKS for token validation.
  • Built-in provider URLs now consistently use HTTPS.
  • AUTH_EXTRA_ARGUMENTS values are no longer overridden by request data unless
    the key is listed in AUTH_EXTRA_ARGUMENTS_OVERRIDE_ALLOWLIST.
  • Requests now fall back to a default timeout when no timeout is configured.
  • Improved the publishing workflow.

Removed

  • Removed obsolete Rdio, Shimmering, and ThisIsMyJam backends.
  • Removed legacy OAuth1 backends for Douban and Mendeley.

Security

  • Apple ID backend now validates the ID token issuer.
  • Azure AD backends now validate ID token signatures, issuer, audience, tenant,
    and policy claims. Tokens accepted by earlier versions might now be rejected.
  • OpenID Connect backends now reject UserInfo responses whose sub does not
    match the validated ID token subject.

4.8.7

Choose a tag to compare

@nijel nijel released this 23 Apr 11:38

Added

  • OpenID Connect backends can now opt in to PKCE support

Changed

  • PKCE defaults now match RFC 7636 requirements

Security

  • Tightened redirect URL validation
  • Tightened OAuth state handling for Clever, Eventbrite, GoClio, MailChimp, SurveyMonkey and Untappd backends
  • SAML authentication now restores saved sessions only after response validation

4.8.6

Choose a tag to compare

@nijel nijel released this 20 Apr 10:52

Changed

  • storage.UserProtocol now supports read-only attributes for better type-checker compatibility
  • Improved type annotations and enabled mypy type checking in CI

Fixed

  • sanitize_redirect() now handles invalid redirect values that raise ValueError
  • Fixed timezone handling when working with dates

Security

Release 4.8.5

Choose a tag to compare

@nijel nijel released this 10 Feb 09:05

Changed

  • Fixed partial pipeline handling for unauthenticated users

Donations

This project welcomes donations to make the development sustainable. The following platforms are available for funding Python Social Auth:

Release 4.8.4

Choose a tag to compare

@nijel nijel released this 10 Feb 08:04

Changed

  • Improved type annotations
  • Code cleanups
  • Improved error handling in SAML

Added

  • Add Azure AD(Entra ID) federated client assertion support (FIC)

Donations

This project welcomes donations to make the development sustainable. The following platforms are available for funding Python Social Auth:

Release 4.8.3

Choose a tag to compare

@nijel nijel released this 18 Dec 18:44

Changed

  • Added registry to configure default strategy

Donations

This project welcomes donations to make the development sustainable. The following platforms are available for funding Python Social Auth: