Releases: python-social-auth/social-core
Releases · python-social-auth/social-core
Release list
5.0.2
Security
- LINE backend now validates callback state before exchanging authorization
codes, preventing login CSRF. - Shopify backend now sends and validates OAuth state, preventing login CSRF.
Changed
- Updated development dependencies and CI actions.
Fixed
- Updated the Google OAuth documentation link.
5.0.1
5.0.0
Security
- LoginRadius backend now validates callback state to prevent login CSRF.
- Odnoklassniki app backend now ignores untrusted callback API hosts and
validates returned user details. - Partial pipeline resume now requires session ownership or explicit external
resume confirmation to prevent login CSRF. - SAML responses are now validated against the original AuthnRequest when
possible. - Twilio backend now preserves HTTPS callback URLs and validates callback state
to prevent login CSRF.
Fixed
- Auth0 OpenID Connect configuration now uses the correct base URLs.
- Authentication now handles invalid email addresses without crashing.
- Vend OAuth user IDs are now scoped by shop.
- VK app authentication now requires an auth key.
Removed
- Discontinued OAuth backends: AppsFuel, Beats Music, ChangeTip, Clef,
Edmodo, 500px (five_hundred_px), legacy Google App Engine bundled Users
(gae), Jawbone, Moves, Mozilla Persona, Readability Parser API, and Wunderlist. - Discontinued Google+ Sign-In backend (
google-plus/GooglePlusAuth).
4.9.1
4.9.0
This release might contain breaking changes. Review the removed backends and
stricter OAuth, OpenID Connect, and Azure AD validation before upgrading.
Added
- OpenID Connect claim names for email, first name, last name, and full name can
now be configured. - GitHub backend now stores fetched emails in pipeline data.
Changed
- Azure AD backends now use OpenID configuration and JWKS for token validation.
- Built-in provider URLs now consistently use HTTPS.
AUTH_EXTRA_ARGUMENTSvalues are no longer overridden by request data unless
the key is listed inAUTH_EXTRA_ARGUMENTS_OVERRIDE_ALLOWLIST.- Requests now fall back to a default timeout when no timeout is configured.
- Improved the publishing workflow.
Removed
- Removed obsolete Rdio, Shimmering, and ThisIsMyJam backends.
- Removed legacy OAuth1 backends for Douban and Mendeley.
Security
- Apple ID backend now validates the ID token issuer.
- Azure AD backends now validate ID token signatures, issuer, audience, tenant,
and policy claims. Tokens accepted by earlier versions might now be rejected. - OpenID Connect backends now reject UserInfo responses whose
subdoes not
match the validated ID token subject.
4.8.7
Added
- OpenID Connect backends can now opt in to PKCE support
Changed
- PKCE defaults now match RFC 7636 requirements
Security
- Tightened redirect URL validation
- Tightened OAuth state handling for Clever, Eventbrite, GoClio, MailChimp, SurveyMonkey and Untappd backends
- SAML authentication now restores saved sessions only after response validation
4.8.6
Changed
storage.UserProtocolnow supports read-only attributes for better type-checker compatibility- Improved type annotations and enabled mypy type checking in CI
Fixed
sanitize_redirect()now handles invalid redirect values that raiseValueError- Fixed timezone handling when working with dates
Security
- Require
PyJWT >= 2.12.0to address CVE-2026-32597
Release 4.8.5
Changed
- Fixed partial pipeline handling for unauthenticated users
Donations
This project welcomes donations to make the development sustainable. The following platforms are available for funding Python Social Auth:
Release 4.8.4
Changed
- Improved type annotations
- Code cleanups
- Improved error handling in SAML
Added
- Add Azure AD(Entra ID) federated client assertion support (FIC)
Donations
This project welcomes donations to make the development sustainable. The following platforms are available for funding Python Social Auth:
Release 4.8.3
Changed
- Added registry to configure default strategy
Donations
This project welcomes donations to make the development sustainable. The following platforms are available for funding Python Social Auth: