django-allauth 65.10.0 released

Posted by Raymond Penners on 2025-07-10

Note worthy changes

  • IdP: Added support for the device authorization grant.
  • Headless: custom user payloads can now be properly reflected in the OpenAPI specification by provider a user dataclass. See the newly introduced get_user_dataclass() and user_as_dataclass() adapter methods.
  • Added a new signal (authentication_step_completed) that is emitted when an individual authentication step is completed.
  • MFA: Added a setting (MFA_ALLOW_UNVERIFIED_EMAIL) to allow unverified email addresses in combination with MFA.

Backwards incompatible changes

  • Soundcloud: as per https://developers.soundcloud.com/blog/urn-num-to-string, the provider now uses the user urn instead of the id as the ID for social accounts. This change is backward incompatible. Instructions on how to migrate existing social accounts can be found in the allauth provider documentation for SoundCloud.

Fixes

  • Phone: The recently added support for phone (SMS) authentication did fully integrate with third-party provider signups. For example, whether or not the phone number is required was not respected during signup. Fixed.
  • IdP: Token revocation failed when a single token_type_hint was passed, fixed.
  • The verified_email_required decorator did not support email verification by code. Additionally, it did not rate limit verification emails in case of GET requests. Both are fixed.
  • The account adapter clean_email() method was not called when a social account auto signup took place, fixed.
Previous: django-allauth 65.9.0 released
Archives