News
django-allauth 65.16.1 released
Posted by Raymond Penners on 2026-04-17
Security notice
The state parameter is a critical part of the OAuth2 handshake, used to prevent CSRF attacks. The Edx, AngelList and Questrade providers were originally added without state support, as these providers did not support it at the time.
django-allauth 65.16.0 released
Posted by Raymond Penners on 2026-04-13
Note worthy changes
MFA: You can now configure recovery codes to be only shown once (MFA_RECOVERY_CODES_SHOW_ONCE = True).
New signals for audit trail purposes: login_code_rejected, password_reset_code_rejected, email_verification_code_rejected (in allauth.account.signals) and authentication_failed (in allauth.mfa.signals).
django-allauth 65.15.1 released
Posted by Raymond Penners on 2026-04-02
Fixes
The context data for the various entrance views was inconsistent, e.g. some were missing site or login_url. Ensured all entrance views are now handed over the same base context.
MFA: accessing the WebAuthn login view while already being authenticated resulted in a 500, fixed.
django-allauth 65.15.0 released
Posted by Raymond Penners on 2026-03-09
Note worthy changes
All user facing codes (e.g. those that the user needs to manually input over at password reset, email/phone verification, login code, OIDC device codes) now follow the recommendations over at RFC 8628, Section 6.1. It uses dashed codes, such as "WDJB-MJHT", by default.
django-allauth 65.14.3 released
Posted by Raymond Penners on 2026-02-13
Fixes
Version 65.14.2 was not compatible with Python 3.8/3.9 due to use of an unsupported typing construct, fixed.