News
django-allauth 65.14.2 released
Posted by Raymond Penners on 2026-02-13
Security notice: Rate limiting and IP address detection. As Django applications cannot reliably determine client IP addresses out of the box, you must override get_client_ip() to match your deployment architecture. If you did not do so, the default implementation trusted X-Forwarded-For, which can be spoofed to bypass rate limits.
django-allauth 65.14.1 released
Posted by Raymond Penners on 2026-02-07
Fixes: When using ACCOUNT_CHANGE_EMAIL = True, if the user initiating the change email process had no verified email address, user.email would still reflect the old email address while the verification process was pending.
Security notice: SAML. When IdP-initiated SSO was enabled (it is disabled by default), any URL found in the SAML RelayState parameter would be used as the redirect target, potentially redirecting the authenticated user to a wrong site.
django-allauth 65.14.0 released
Posted by Raymond Penners on 2026-01-17
Noteworthy changes: Steam: the provider now supports initiating headless logins per redirect. Shopify: if email_verified is present in the user payload, it will be used to mark the retrieved email address as verified accordingly. IdP: added support for JWT based access tokens (see IDP_OIDC_ACCESS_TOKEN_FORMAT).
django-allauth 65.13.1 released
Posted by Raymond Penners on 2025-11-20
Noteworthy changes: Django 6.0 is now officially supported.
Fixes: Internal imports related to headless token strategies were causing (harmless) deprecation warnings; fixed. Pending social signups stored in the session by allauth versions prior to 65.5.0 are not resumable by newer versions.
django-allauth 65.13.0 released
Posted by Raymond Penners on 2025-10-31
Noteworthy changes: IdP: added support for RP-Initiated Logout. Headless: added JWT token strategy. Added support for "Trust this browser?" functionality for logging in by code; see ACCOUNT_LOGIN_BY_CODE_TRUST_ENABLED. OpenID Connect: to avoid issues with client IDs containing colons, client_secret_post is now preferred over client_secret_basic.