fix(deps): update dependency django-oauth-toolkit to v3

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
django-oauth-toolkit	1.7.1 -> 3.0.1

---

Release Notes

jazzband/django-oauth-toolkit (django-oauth-toolkit)

v3.0.1

Compare Source

Fixed

• #​1491 Fix migration error when there are pre-existing Access Tokens.

v3.0.0

Compare Source

WARNING - POTENTIAL BREAKING CHANGES

• Changes to the AbstractAccessToken model require doing a manage.py migrate after upgrading.
• If you use swappable models you will need to make sure your custom models are also updated (usually manage.py makemigrations).
• Old Django versions below 4.2 are no longer supported.
• A few deprecations warned about in 2.4.0 (#​1345) have been removed. See below.

Added

• #​1366 Add Docker containerized apps for testing IDP and RP.
• #​1454 Added compatibility with LoginRequiredMiddleware introduced in Django 5.1.

Changed

• Many documentation and project internals improvements.
• #​1446 Use generic models pk instead of id. This enables, for example, custom swapped models to have a different primary key field.
• #​1447 Update token to TextField from CharField. Removing the 255 character limit enables supporting JWT tokens with additional claims.
  This adds a SHA-256 token_checksum field that is used to validate tokens.
• #​1450 Transactions wrapping writes of the Tokens now rely on Django's database routers to determine the correct
  database to use instead of assuming that 'default' is the correct one.
• #​1455 Changed minimum supported Django version to >=4.2.

Removed

• #​1425 Remove deprecated RedirectURIValidator, WildcardSet per #​1345; validate_logout_request per #​1274

Fixed

• #​1444, #​1476 Fix several 500 errors to instead raise appropriate errors.
• #​1469 Fix ui_locales request parameter triggers AttributeError under certain circumstances

Security

• #​1452 Add a new setting REFRESH_TOKEN_REUSE_PROTECTION.
  In combination with ROTATE_REFRESH_TOKEN,
  this prevents refresh tokens from being used more than once. See more at
  OAuth 2.0 Security Best Current Practice
• #​1481 Bump oauthlib version required to 3.2.2 and above to address CVE-2022-36087.

v2.4.0

Compare Source

WARNING

Issues caused by Release 2.0.0 breaking changes continue to be logged. Please make sure to carefully read these release notes before
performing a MAJOR upgrade to 2.x.

These issues both result in {"error": "invalid_client"}:

1. The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail.

2. PKCE_REQUIRED is now True by default. You should use PKCE with your client or set PKCE_REQUIRED=False if you are unable to fix the client.

If you are going to revert migration 0006 make note that previously hashed client_secret cannot be reverted!

Added

• #​1304 Add OAuth2ExtraTokenMiddleware for adding access token to request.
  See Setup a provider in the Tutorial.
• #​1273 Performance improvement: Add caching of loading of OIDC private key.
• #​1285 Add post_logout_redirect_uris field in the Application Registration form
• #​1311,#​1334 (Security) Add option to disable client_secret hashing to allow verifying JWTs' signatures when using
  HS256 keys.
  This means your client secret will be stored in cleartext but is the only way to successfully use HS256 signed JWT's.
• #​1350 Support Python 3.12 and Django 5.0
• #​1367 Add code_challenge_methods_supported property to auto discovery information, per RFC 8414 section 2
• #​1328 Adds the ability to define how to store a user profile.

Fixed

• #​1292 Interpret EXP in AccessToken always as UTC instead of (possibly) local timezone.
  Use setting AUTHENTICATION_SERVER_EXP_TIME_ZONE to enable different time zone in case the remote
  authentication server does not provide EXP in UTC.
• #​1323 Fix instructions in documentation
  on how to create a code challenge and code verifier
• #​1284 Fix a 500 error when trying to logout with no id_token_hint even if the browser session already expired.
• #​1296 Added reverse function in migration 0006_alter_application_client_secret. Note that reversing this migration cannot undo a hashed client_secret.
• #​1345 Fix encapsulation for Redirect URI scheme validation. Deprecates RedirectURIValidator in favor of AllowedURIValidator.
• #​1357 Move import of setting_changed signal from test to django core modules.
• #​1361 Fix prompt=none redirects to login screen
• #​1380 Fix AttributeError in OAuth2ExtraTokenMiddleware when a custom AccessToken model is used.
• #​1288 Fix #​1276 which attempted to resolve #​1092 for requests that don't have a client_secret per RFC 6749 4.1.1
• #​1337 Gracefully handle expired or deleted refresh tokens, in validate_user.
• Various documentation improvements: #​1410, #​1408, #​1405, #​1399, #​1401, #​1396, #​1375, #​1162, #​1315, #​1307

Removed

• #​1350 Remove support for Python 3.7 and Django 2.2

v2.3.0

Compare Source

WARNING

Issues caused by Release 2.0.0 breaking changes continue to be logged. Please make sure to carefully read these release notes before
performing a MAJOR upgrade to 2.x.

These issues both result in {"error": "invalid_client"}:

1. The application client secret is now hashed upon save. You must copy it before it is saved. Using the hashed value will fail.

2. PKCE_REQUIRED is now True by default. You should use PKCE with your client or set PKCE_REQUIRED=False if you are unable to fix the client.

Added

• Add Japanese(日本語) Language Support
• #​1244 implement OIDC RP-Initiated Logout
• #​1092 Allow Authorization Code flow without a client_secret per RFC 6749 2.3.1
• #​1264 Support Django 4.2.

Changed

• #​1222 Remove expired ID tokens alongside access tokens in cleartokens management command
• #​1267, #​1253, #​1251, #​1250, #​1224, #​1212, #​1211 Various documentation improvements

v2.2.0

Compare Source

Added

• #​1208 Add 'code_challenge_method' parameter to authorization call in documentation
• #​1182 Add 'code_verifier' parameter to token requests in documentation

Changed

• #​1203 Support Django 4.1.

Fixed

• #​1203 Remove upper version bound on Django, to allow upgrading to Django 4.1.1 bugfix release.
• #​1210 Handle oauthlib errors on create token requests

v2.1.0

Compare Source

Added

• #​1164 Support prompt=login for the OIDC Authorization Code Flow end user Authentication Request.
• #​1163 Add French (fr) translations.
• #​1166 Add Spanish (es) translations.

Changed

• #​1152 createapplication management command enhanced to display an auto-generated secret before it gets hashed.
• #​1172, #​1159, #​1158 documentation improvements.

Fixed

• #​1147 Fixed 2.0.0 implementation of hashed client secret to work with swapped models.

v2.0.0

Compare Source

This is a major release with BREAKING changes. Please make sure to review these changes before upgrading:

Added

• #​1106 OIDC: Add "scopes_supported" to the ConnectDiscoveryInfoView.
  This completes the view to provide all the REQUIRED and RECOMMENDED OpenID Provider Metadata.
• #​1128 Documentation: Tutorial
  on using Celery to automate clearing expired tokens.

Changed

• #​1129 (Breaking) Changed default value of PKCE_REQUIRED to True. This is a breaking change. Clients without
  PKCE enabled will fail to authenticate. This breaks with section 5 of RFC7636
  in favor of the OAuth2 Security Best Practices for Authorization Code Grants.
  If you want to retain the pre-2.x behavior, set PKCE_REQUIRED = False in your settings.py
• #​1093 (Breaking) Changed to implement hashed
  client_secret values. This is a breaking change that will migrate all your existing
  cleartext application.client_secret values to be hashed with Django's default password hashing algorithm
  and can not be reversed. When adding or modifying an Application in the Admin console, you must copy the
  auto-generated or manually-entered client_secret before hitting Save.
• #​1108 OIDC: (Breaking) Add default configurable OIDC standard scopes that determine which claims are returned.
  If you've customized OIDC responses
  and want to retain the pre-2.x behavior, set oidc_claim_scope = None in your subclass of OAuth2Validator.
• #​1108 OIDC: Make the access_token available to get_oidc_claims when called from get_userinfo_claims.
• #​1132: Added --algorithm argument to createapplication management command

Fixed

• #​1108 OIDC: Fix validate_bearer_token() to properly set request.scopes to the list of granted scopes.
• #​1132: Fixed help text for --skip-authorization argument of the createapplication management command.

Removed

• #​1124 (Breaking, Security) Removes support for insecure urn:ietf:wg:oauth:2.0:oob and urn:ietf:wg:oauth:2.0:oob:auto which are replaced
  by RFC 8252 "OAuth 2.0 for Native Apps" BCP. Google has
  deprecated use of oob with
  a final end date of 2022-10-03. If you still rely on oob support in django-oauth-toolkit, do not upgrade to this release.

---

Configuration

📅 Schedule: Branch creation - "every weekend" in timezone US/Eastern, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[asadali145]

Closing this one, As I won't be able to work and too many renovate PRs are causing delay in checks.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 3.x releases. But if you manually upgrade to 3.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.