django-allauth 0.61.1 released
Posted by Raymond Penners on 2024-02-09
Fixes
- Fixed a RuntimeWarning that could occur when running inside an async environment ('SyncToAsync' was never awaited).
Security notice
- As part of the Google OAuth handshake, an ID token is obtained by direct machine to machine communication between the server running django-allauth and Google. Because of this direct communication, we are allowed to skip checking the token signature according to the OpenID Connect Core 1.0 specification. However, as django-allauth is used and built upon by third parties, this is an implementation detail with security implications that is easily overlooked. To mitigate potential issues, verifying the signature is now only skipped if it was django-allauth that actually fetched the access token.
Next: Grand Plans for 2024 Previous: django-allauth 0.61.0 released