Django OAuth Toolkit 0.11.0 Released
A new DOT release... one year later!
It's been a long time since the last Django OAuth Toolkit release; I think almost a year has passed. We have been pretty busy here at Evonove, but we've always kept an eye on our open source projects, trying to support them in our spare time.
But a few months ago we decided to breathe life back into them with some major renewed effort. We brought in the whole team to work together on the common goal of maintaining Evonove's open source projects. This is a great opportunity for the growth of both Evonove's developers and the projects, as open source offers a wide range of challenges not found in day-to-day projects.
So, we've been sprinting on a regular basis, every other Thursday during the past few weeks, and the result is the release of Django OAuth Toolkit 0.11.0!!!!
In this version we finally added support for Django 1.10, which a lot of you have been asking for. We updated the test matrix to test against the latest supported versions of Django and the master branch.
Next, PR #358 relaxed the constraint on the AbstractApplication model, making the user field optional. This was asked for quite a bit for various reasons, and that fix should be helpful to a lot of you. A big thank you to Paul Oswald for his PR and to everyone who fed the discussion on this topic.
We merged a big PR (#389) which solves a race condition when using a refresh token. We want to thank pySilver for providing the base code and Jim Graham for setting up the PR properly. Thank you guys!
And while working on their code, we found room for an improvement. We added a new setting, ROTATE_REFRESH_TOKEN, that allows you to control whether a new refresh token is issued to the client when an access token is refreshed. If you set this setting to False, the refresh token used to renew an access token is never revoked and lasts until its expiry date. This is explained in detail at the end of Section 6 of the OAuth 2 RFC.
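To make the difference concrete, here is an added example (not Django OAuth Toolkit's own code) modelling what the ROTATE_REFRESH_TOKEN setting controls with a tiny in-memory token store; the TokenStore class, its method names and the constructed tokens are assumptions made for this illustration.

```python
# Added example: in-memory model of the behaviour ROTATE_REFRESH_TOKEN
# controls. Not Django OAuth Toolkit code; names here are assumptions.
import secrets
import time


class TokenStore:
    """Holds the access and refresh tokens issued to one client."""

    def __init__(self, rotate_refresh_token=True, refresh_token_ttl=3600):
        self.rotate_refresh_token = rotate_refresh_token
        self.refresh_token_ttl = refresh_token_ttl
        # refresh_token -> {"expires": <unix time>, "revoked": <bool>}
        self.refresh_tokens = {}
        self.access_tokens = set()

    def _new_refresh(self, now):
        token = secrets.token_urlsafe(16)
        self.refresh_tokens[token] = {"expires": now + self.refresh_token_ttl,
                                      "revoked": False}
        return token

    def issue(self, now=None):
        """Initial grant: return a fresh (access_token, refresh_token) pair."""
        now = time.time() if now is None else now
        access = secrets.token_urlsafe(16)
        self.access_tokens.add(access)
        return access, self._new_refresh(now)

    def refresh(self, refresh_token, now=None):
        """Exchange a refresh token for a new access token.

        Returns (access_token, refresh_token), or None when the presented
        refresh token is unknown, expired or already revoked.
        """
        now = time.time() if now is None else now
        record = self.refresh_tokens.get(refresh_token)
        if record is None or record["revoked"] or record["expires"] <= now:
            return None
        new_access = secrets.token_urlsafe(16)
        self.access_tokens.add(new_access)
        if not self.rotate_refresh_token:
            # ROTATE_REFRESH_TOKEN = False: the same refresh token keeps
            # working until its expiry date, however often it is used.
            return new_access, refresh_token
        # ROTATE_REFRESH_TOKEN = True: the used token is revoked and a new
        # one is handed out, so presenting the old token again is rejected.
        record["revoked"] = True
        return new_access, self._new_refresh(now)
```

In a real project the switch lives in the OAUTH2_PROVIDER settings dict; with rotation on, a second use of an old refresh token is a signal worth logging, since a legitimate client should never replay one.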
A lot of other smaller improvements have been merged and you can read the details in the changelog.
Sure, we know we have a lot of work to do on the documentation, which we have left abandoned in the wasteland during the last few years. A good project needs good documentation, so we'll write more tutorials and FAQs, and we will refresh the docs in general.
There are also a couple of features we want to focus on.
A backend for scopes
The only way to customize scopes in DOT to date is to customize the SCOPES and DEFAULT_SCOPES settings. This may be enough for a basic application, but it lacks flexibility. What if you want to get the available scopes from a model, for instance, or from another service? Well, I'll be honest: this can be a mess.
For the last couple of months I have been working on adding a new backend that exposes a minimal API to work with scopes. I provided a default implementation that uses the above-mentioned settings and plugged it into the system through a new setting that accepts an import string, like the OAUTH2_VALIDATOR_CLASS setting. That way, one could write their own implementation of a scope backend and plug it easily into DOT.
A lot of people would love to see all DOT models made swappable. And I think it's a great idea.
On the other hand, we had a lot of trouble maintaining and providing support for the swappable Application model, mostly because of issues with migrations. We learned that there are a lot of corner cases and we can hardly cover all of them.
The Django documentation is now much clearer on how you should handle a swappable model when starting a project, and it also points out that changing a swappable model after the initial makemigrations is painful.
We need to investigate this topic further before doing something we might regret and that could be a hard blow for the project.
Well, Django OAuth Toolkit 0.11.0 is out, now distributed as Python wheels too. You can install it with:
pip install --upgrade django-oauth-toolkit
A big thank you to all our contributors and our team in Evonove!