April 26th, 2013
· URL encoding/decoding workaround to ensure the query parameters are being processed correctly.
· Bug fix: Deleting a client (consumer) no longer prevents the user from managing their list of issued tokens.
· Depends on oauthlib 0.4.0
February 1st, 2013
· Pin the minimum supported oauthlib version to 0.3.5 to maintain consistency of the require_callback parameter.
January 31st, 2013
· Security Fix: Correctly apply CSRF protection to all forms.
· Denying a non-existent token will no longer show a stack trace.
January 22nd, 2013
Major architectural changes:
· Removed python-oauth2 in favour of oauthlib. Significant changes to the PAS OAuthPlugin, including the removal of all private methods and the replacement of the OAuthUtility with an adapter. Nearly all authentication and verification functions have moved into this adapter, which extends the oauthlib server class.
· Scope manager completely redefined to accept any identifiers, which can be client (consumer), temporary or access keys. Specific implementations can then make use of this change.
· Default scope manager no longer manages permitted URIs based directly on regex, but views and subpaths within specific content types.
· Consumer keys are now randomly generated. For identification purposes the title and domain fields are introduced. The domain field serves an additional purpose: verification of callbacks by the default callback manager.
· Introduction of the callback manager. This manages permitted targets for callbacks, so that resource owners will not be redirected to untrusted hosts, especially for oob clients.
· Default scope manager provides the concept of scope profiles, which are concise representations of access that will be granted by the resource owner to clients.
· Base classes for extending/replacing provided functionalities.
· An index of all valid endpoints (views) made available by this add-on.
Bugs (and maybe fixes):
· The missing permissions.zcml is now included. (noted by ngi644)
· Translations are not included with this release as there was too much new and modified text.
December 22nd, 2012
· Completed i18n coverage and added Italian support. [giacomos]
· Added intermediate form class to eliminate the need to define wrapper classes for compatibility between Plone and z3c.form.
October 20th, 2011
· Provides the core functionality of OAuth for Zope/Plone, through the use of custom forms and the Pluggable Authentication System.
· Contains just the basic storage for all associated data types, but extensibility is allowed.