News
django-allauth 65.4.0 released
Posted by Raymond Penners on 2025-02-06
Noteworthy changes
The setting ACCOUNT_AUTHENTICATION_METHOD: str (with values "username", "username_email", "email") has been replaced by ACCOUNT_LOGIN_METHODS: set[str], which is a set of values including "username" or "email". This change is performed in a backwards compatible manner.
Headless: when HEADLESS_SERVE_SPECIFICATION is set to True, the API specification will be served dynamically, over at /_allauth/openapi.

django-allauth 65.3.1 released
Posted by Raymond Penners on 2024-12-25
Fixes
Headless: When using email verification by code, you could incorrectly encounter a 409 when attempting to add a new email address while logged in.
Headless: In contrast to the headed version, it was possible to remove the last 3rd party account from a user that has no usable password.

django-allauth 65.3.0 released
Posted by Raymond Penners on 2024-11-30
Noteworthy changes
Added support for TOTP code tolerance (see MFA_TOTP_TOLERANCE).
Security notice
Authentication by email/password was vulnerable to account enumeration by means of a timing attack. Thanks to Julie Rymer for the report and the patch.

django-allauth 65.2.0 released
Posted by Raymond Penners on 2024-11-08
Noteworthy changes
OIDC: You can now configure whether or not PKCE is enabled per app by including "oauth_pkce_enabled": True in the app settings.
The OpenStreetMap provider is deprecated. You can set it up as an OpenID Connect provider instead.

django-allauth 65.1.0 released
Posted by Raymond Penners on 2024-10-23
Noteworthy changes
OAuth2/OIDC: When setting up multiple apps for the same provider, you can now configure a different scope per app by including "scope": [...] in the app settings.
Facebook login: Facebook Limited Login is now supported via the Headless API.