It seems like there are multiple ways to achieve that, all of them highlighting
the importance of maintaining a single source of truth for the version number.
More info: https://packaging.python.org/guides/single-sourcing-package-version/.
This PR includes one possible approach, open to discussion.
Added a new doc page related to Token Introspection Endpoint.
The documentation includes some introduction with links to the related RFCs and examples.
It seems like many leading institutions related to security have been
recommending a minimum key length of 112 bits since 2013.
In order to achieve that, an RSA key size of 2048 (or more) is required.
To make it easier to change the AuthorizeEndpoint and Client we set them as class variables. Then people inheriting from the view are able to easily change them. In my personal case this helps with skipping consent more explicitly as defined in issue https://github.com/juanifioren/django-oidc-provider/issues/278
Have the option to use the more readable response type value rather than
the ResponseType id integer in fixtures and dumpdata output.
Prior to this change dumpdata represents response types like so:
"response_types": [2]
And after this change when using `dumpdata --natural-foreign`:
"response_types": [["code"]]
The Dynamic Client Registration spec specifies multiple response_types
and grant_types per client
(https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).
Since grant_types can be inferred from response_types we should be able
to support both without needing to store grant_types.
This also helps with oidc-client-js which expects a client that supports
both "id_token" and "id_token token".
We ran into a client that blindly takes the value of token_type, which
is lowercase "bearer", and passes that back in the Authorization header.
In an earlier PR #99 there seemed to be some support for this change to
simply accept "bearer" in addition to "Bearer".
Django 1.11 deprecated the django.contrib.auth.views.logout
function-based view, which django-oidc-provider relied on. This
patchset instead subclasses the new LogoutView.
LogoutView was introduced in Django 1.11. logout() was deprecated in
1.11 and removed in 2.1. Accordingly, this patch adds Django 2.1 to
CI and removes 1.8, 1.9, and 1.10.
Resolves #258