django-allauth 65.13.0 released
Posted by Raymond Penners on 2025-10-31
Noteworthy changes
- IdP: Added support for RP-Initiated Logout.
- Headless: added JWT token strategy.
- Added support for "Trust this browser?" functionality for logging in by code. See ACCOUNT_LOGIN_BY_CODE_TRUST_ENABLED.
- OpenID Connect: to avoid issues with client IDs containing colons, client_secret_post is now preferred above client_secret_basic.

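
The following is an added illustration of why a colon in a client ID is a problem for client_secret_basic and not for client_secret_post; it is example code written for this page, not django-allauth's own implementation. The client ID and secret are constructed sample values. With HTTP Basic authentication the server splits the decoded credential on the first colon, so a client ID that itself contains a colon is only safe if both parts are form-urlencoded first, as RFC 6749 section 2.3.1 requires; client_secret_post sends the two values as separate form fields and has no such ambiguity.

```python
import base64
from urllib.parse import parse_qs, quote_plus, urlencode

# Constructed sample credentials (not real values). The client_id contains a
# colon, which is the case the release note refers to.
CLIENT_ID = "tenant:app-123"
CLIENT_SECRET = "s3cr3t"


def basic_header_naive(client_id: str, client_secret: str) -> str:
    """client_secret_basic WITHOUT the encoding step RFC 6749 2.3.1 requires.

    The raw client_id and secret are joined with ':' and base64-encoded; a
    colon inside client_id now collides with the separator.
    """
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def basic_header_rfc6749(client_id: str, client_secret: str) -> str:
    """client_secret_basic done correctly: form-urlencode both parts first.

    The colon in client_id becomes %3A and can no longer be mistaken for the
    separator; the server must unquote the parts after splitting.
    """
    raw = f"{quote_plus(client_id)}:{quote_plus(client_secret)}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def split_basic(header: str) -> tuple[str, str]:
    """What a token endpoint does with an Authorization header: base64-decode
    and split on the FIRST colon (RFC 7617)."""
    decoded = base64.b64decode(header.removeprefix("Basic ")).decode()
    user, _, password = decoded.partition(":")
    return user, password


def post_body(client_id: str, client_secret: str, code: str, redirect_uri: str) -> str:
    """client_secret_post: credentials travel as separate form fields in the
    token request body, so a colon in client_id is just another character."""
    return urlencode(
        {
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": redirect_uri,
            "client_id": client_id,
            "client_secret": client_secret,
        }
    )


def parsed_post_client_id(body: str) -> str:
    """Server-side view of the posted form: client_id comes back intact."""
    return parse_qs(body)["client_id"][0]


if __name__ == "__main__":
    print("naive basic   ->", split_basic(basic_header_naive(CLIENT_ID, CLIENT_SECRET)))
    print("rfc6749 basic ->", split_basic(basic_header_rfc6749(CLIENT_ID, CLIENT_SECRET)))
    body = post_body(CLIENT_ID, CLIENT_SECRET, "abc", "https://rp.example/cb")
    print("post          ->", parsed_post_client_id(body))
```

Running it shows the naive Basic header being split into client ID "tenant" and secret "app-123:s3cr3t", which is why providers that do not apply the RFC 6749 encoding rule reject such clients, while the posted form yields the client ID unchanged.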
Security notice
- Both Okta and NetIQ were using preferred_username as the identifier for third-party provider accounts. That value may be mutable and should therefore be avoided for authorization decisions. The providers are now using sub instead.
- IdP: marking a user as is_active=False after having handed out tokens for that user while the account was still active had no effect. Fixed -- the access/refresh tokens are now rejected. Thanks to Joshua Rogers for reporting this and the previous issue.

Backwards incompatible changes
- Headless now requires the headless extra to be installed. For example: pip install django-allauth[headless].
- Okta and NetIQ: see the security notice on Okta and NetIQ. Already existing SocialAccount records will no longer be linked due to the switch to sub. You will need to handle this situation manually, either by populating SocialAccount.uid based on the sub located in SocialAccount.extra_data, or, if you are absolutely certain the security notice is of no concern for your use case, by setting "uid_field": "preferred_username" in the relevant SocialApp.settings.

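
As an added example for the first of the two options above (re-populating SocialAccount.uid from the sub stored in extra_data), here is a planning step that computes the new uid for each affected row and flags rows that cannot be migrated safely. This is example code written for this page, not part of django-allauth. It works on plain Python objects standing in for SocialAccount rows so it runs offline; the provider ids "okta" and "netiq" and the sample rows are assumptions constructed for the example. Rows whose extra_data has no sub (the user last logged in before the provider returned one), and rows whose sub is already in use or claimed twice, are reported as problems rather than updated, because blindly writing uid could link two accounts to one identity.

```python
from dataclasses import dataclass


@dataclass
class SocialAccountRow:
    """Stand-in for a SocialAccount row with the fields this step needs.
    Constructed for this example; a real migration reads SocialAccount."""
    pk: int
    provider: str
    uid: str
    extra_data: dict


# Assumed provider ids for the two providers affected by the switch to sub.
AFFECTED_PROVIDERS = ("okta", "netiq")


def plan_sub_migration(rows, providers=AFFECTED_PROVIDERS):
    """Return (updates, problems).

    updates:  list of (pk, new_uid) pairs that are safe to apply.
    problems: list of (pk, reason) for rows that need manual attention.
    A uid is only assigned if it is not already used by another row of the
    same provider and is not claimed by a second row in this same plan.
    """
    # (provider, uid) -> pk for every uid currently stored, across all rows.
    in_use = {(r.provider, r.uid): r.pk for r in rows}
    planned = {}  # (provider, sub) -> pk claimed during this plan
    updates, problems = [], []

    for r in rows:
        if r.provider not in providers:
            continue  # other providers are not affected by this change
        sub = r.extra_data.get("sub")
        if not sub:
            problems.append((r.pk, "no sub in extra_data; user must log in again"))
            continue
        if r.uid == sub:
            continue  # already keyed by sub, nothing to do
        key = (r.provider, sub)
        owner = in_use.get(key)
        if owner is not None and owner != r.pk:
            problems.append((r.pk, f"sub {sub!r} already used by pk {owner}"))
            continue
        if key in planned:
            problems.append((r.pk, f"sub {sub!r} also claimed by pk {planned[key]}"))
            continue
        planned[key] = r.pk
        updates.append((r.pk, sub))

    return updates, problems


def run_example():
    """Constructed sample rows covering the cases the planner distinguishes."""
    rows = [
        SocialAccountRow(1, "okta", "alice", {"sub": "00u1", "preferred_username": "alice"}),
        SocialAccountRow(2, "okta", "00u2", {"sub": "00u2"}),          # already migrated
        SocialAccountRow(3, "netiq", "bob", {"preferred_username": "bob"}),  # no sub yet
        SocialAccountRow(4, "google", "123", {"sub": "123"}),          # unaffected provider
        SocialAccountRow(5, "okta", "carol", {"sub": "00u2"}),         # collides with pk 2
        SocialAccountRow(6, "okta", "dave", {"sub": "00u1"}),          # collides with pk 1's plan
    ]
    return plan_sub_migration(rows)


if __name__ == "__main__":
    updates, problems = run_example()
    print("updates:", updates)
    print("problems:", problems)
```

In a Django data migration the rows would come from SocialAccount.objects.filter(provider__in=AFFECTED_PROVIDERS), each safe pair would be applied with a filtered .update(uid=new_uid), and the problem list would be logged for review; keeping the planning step separate from the write lets you inspect the collisions before touching any record.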