News

django-allauth 65.15.0 released

Posted by Raymond Penners on 2026-03-09

Noteworthy changes

All user-facing codes (e.g. those that the user needs to input manually for password reset, email/phone verification, login code, OIDC device codes) now follow the recommendations of RFC 8628, Section 6.1. Dashed codes, such as "WDJB-MJHT", are used by default.


django-allauth 65.14.3 released

Posted by Raymond Penners on 2026-02-13

Fixes

Version 65.14.2 was not compatible with Python 3.8/3.9 due to the use of an unsupported typing construct. This has been fixed.


django-allauth 65.14.2 released

Posted by Raymond Penners on 2026-02-13

Security notice

Rate limiting and IP address detection: as Django applications cannot reliably determine client IP addresses out of the box, you must override get_client_ip() to match your deployment architecture. If you did not do so, the default implementation trusted X-Forwarded-For, which can be spoofed to bypass rate limits.


django-allauth 65.14.1 released

Posted by Raymond Penners on 2026-02-07

Fixes

When using ACCOUNT_CHANGE_EMAIL = True, if the user initiating the change email process had no verified email address, user.email would still reflect the old email address while the verification process was pending.

Security notice

SAML: when IdP-initiated SSO was enabled (it is disabled by default), any URL found in the SAML RelayState parameter would be used as the redirect target, potentially redirecting the authenticated user to a wrong site.


django-allauth 65.14.0 released

Posted by Raymond Penners on 2026-01-17

Noteworthy changes

Steam: the provider now supports initiating headless logins per redirect.

Shopify: if email_verified is present in the user payload, it will be used to mark the email address retrieved as verified accordingly.

IdP: added support for JWT based access tokens (see IDP_OIDC_ACCESS_TOKEN_FORMAT).
