
Latest Version: 65.14.3 (2026-02-13)

💙 Is django-allauth’s authentication the entrance to your business? Please consider supporting its continued development by becoming a sponsor at https://allauth.org/sponsors/. Your support helps keep this project thriving!

Fixes

  • Version 65.14.2 was not compatible with Python 3.8/3.9 due to use of an unsupported typing construct, fixed.

65.14.2 (2026-02-13)

Security Notice: Rate limiting and IP address detection

As Django applications cannot reliably determine client IP addresses out of the box, you must override get_client_ip() to match your deployment architecture. If you did not do so, the default implementation trusted X-Forwarded-For, which can be spoofed to bypass rate limits. Now, X-Forwarded-For is distrusted by default. You must either:
  • Configure ALLAUTH_TRUSTED_PROXY_COUNT
  • Rely on ALLAUTH_TRUSTED_CLIENT_IP_HEADER
  • Override get_client_ip()
Thanks to Ayato Shitomi for reporting.
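The difference between the old and the new behaviour in the notice above comes down to which position in the forwarding chain you read. The following is an added example, not django-allauth's own code: it shows the spoofable left-most choice beside a selection that counts trusted proxies from the right, which is the semantics this example assumes for ALLAUTH_TRUSTED_PROXY_COUNT (the project's own implementation may differ in detail). The function names, the plain META dict standing in for request.META and the addresses (10.0.0.1 as our proxy, 203.0.113.5 as the real peer, 198.51.100.77 as the forged value) are all constructed for the example.

```python
# Added example (not django-allauth's own code): how a client IP is chosen
# behind a known number of reverse proxies, and why trusting the left-most
# X-Forwarded-For entry is spoofable.
from ipaddress import ip_address


def parse_forwarded_for(value):
    """Split an X-Forwarded-For header into its comma-separated hops."""
    return [hop.strip() for hop in value.split(",") if hop.strip()]


def legacy_client_ip(meta):
    """The pre-65.14.2 behaviour described in the notice: the first
    X-Forwarded-For entry wins. Whatever the client writes into that header
    survives, because proxies append to it rather than overwrite it."""
    hops = parse_forwarded_for(meta.get("HTTP_X_FORWARDED_FOR", ""))
    return hops[0] if hops else meta.get("REMOTE_ADDR")


def client_ip(meta, trusted_proxy_count=0):
    """Pick the client IP from a WSGI-style META dict.

    trusted_proxy_count is the number of reverse proxies under our control in
    front of the application (the meaning this example assumes for
    ALLAUTH_TRUSTED_PROXY_COUNT).

    With 0 trusted proxies X-Forwarded-For is ignored and REMOTE_ADDR, the TCP
    peer, is the client. With n trusted proxies the chain
    [xff_1, ..., xff_k, REMOTE_ADDR] is read from the right: the last n
    entries were written by our proxies, so the entry just before them is the
    client. Everything further left came from untrusted parties and is ignored.
    """
    remote_addr = meta.get("REMOTE_ADDR")
    if trusted_proxy_count <= 0:
        return remote_addr
    chain = parse_forwarded_for(meta.get("HTTP_X_FORWARDED_FOR", "")) + [remote_addr]
    if len(chain) <= trusted_proxy_count:
        # Fewer hops than configured: the request did not pass through the
        # full proxy chain, so no header value can be trusted. Fall back to
        # the peer address rather than to a client-supplied one.
        return remote_addr
    candidate = chain[-(trusted_proxy_count + 1)]
    ip_address(candidate)  # raises ValueError on garbage such as "evil"
    return candidate


# Constructed request: the peer (203.0.113.5) sends a forged X-Forwarded-For,
# and our single proxy (10.0.0.1) appends the real peer before forwarding.
SPOOFED_META = {
    "REMOTE_ADDR": "10.0.0.1",
    "HTTP_X_FORWARDED_FOR": "198.51.100.77, 203.0.113.5",
}

if __name__ == "__main__":
    print("legacy:   ", legacy_client_ip(SPOOFED_META))  # forged value wins
    print("0 proxies:", client_ip(SPOOFED_META, 0))      # our proxy's address
    print("1 proxy:  ", client_ip(SPOOFED_META, 1))      # the real peer
```

Whichever route the notice lists you take, the number you configure has to match the proxies actually in front of the application: set it too high and a forged value is read as the client, set it too low and every client shares one proxy address for rate-limiting purposes. If your load balancer sets a single, overwritten header with the client address instead of appending to X-Forwarded-For, the ALLAUTH_TRUSTED_CLIENT_IP_HEADER route from the notice is the better fit than hop counting.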

65.14.1 (2026-02-07)

Fixes

  • When using ACCOUNT_CHANGE_EMAIL = True, if the user initiating the change email process had no verified email address, user.email would still reflect the old email address while the verification process was pending.
Security Notice: SAML RelayState vulnerability

When IdP initiated SSO was enabled (it is disabled by default), any URL found in the SAML RelayState parameter was used as the redirect target, potentially sending the authenticated user to a wrong site. Thanks to Ayato Shitomi and Funabiki Keisuke for reporting.
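The defence against the open redirect described above is to treat RelayState as untrusted input and only follow it when it points back at one of your own hosts. The following is an added example, not django-allauth's own fix: a standalone checker built on urllib.parse that handles the usual bypass shapes (scheme-relative "//host", backslash variants that browsers read as slashes, non-HTTP schemes, credentials in the authority) and a small helper that falls back to a local default. In a Django project the equivalent check is django.utils.http.url_has_allowed_host_and_scheme, whose rules this example follows; the function names and the app.example host are constructed for the example.

```python
# Added example (not django-allauth's own code): deciding whether a RelayState
# value is a safe redirect target, i.e. a relative path or a URL on our host.
from urllib.parse import urlsplit


def _allowed(url, allowed_hosts, require_https):
    # Three leading slashes are read by browsers as a scheme-relative URL.
    if url.startswith("///"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    # A scheme without a host ("javascript:", "data:", "mailto:") is never a
    # page on our site.
    if parts.scheme and not parts.netloc:
        return False
    schemes = ("https",) if require_https else ("http", "https")
    host_ok = not parts.netloc or parts.netloc in allowed_hosts
    scheme_ok = not parts.scheme or parts.scheme in schemes
    return host_ok and scheme_ok


def is_safe_redirect(url, allowed_hosts, require_https=False):
    """True if url is a relative path or an absolute URL on an allowed host.

    Checked twice, as written and with backslashes turned into slashes,
    because browsers treat "/\\evil.example" like "//evil.example" while
    urlsplit does not.
    """
    if not url or not url.strip():
        return False
    url = url.strip()
    return _allowed(url, allowed_hosts, require_https) and _allowed(
        url.replace("\\", "/"), allowed_hosts, require_https
    )


def relay_state_redirect(relay_state, allowed_hosts, default="/"):
    """Where to send the user after an IdP-initiated login: the RelayState if
    it stays on our site, otherwise a fixed local default."""
    if is_safe_redirect(relay_state, allowed_hosts):
        return relay_state
    return default


# Constructed: stands in for the hosts a Django ALLOWED_HOSTS setting names.
ALLOWED_HOSTS = {"app.example"}

if __name__ == "__main__":
    for candidate in ("/account/", "https://app.example/x", "//evil.example/",
                      "/\\evil.example", "javascript:alert(1)"):
        print(f"{candidate!r:28} -> {relay_state_redirect(candidate, ALLOWED_HOSTS)}")
```

The decision is made on the string exactly as received, so normalise or decode nothing before the check: every transformation applied before validation but after it is another way for a rejected form to turn into an accepted one.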

65.14.0 (2026-01-17)

Notable Changes

  • Steam: The provider now supports initiating headless logins via redirect
  • Shopify: If email_verified is present in the user payload, it will be used to mark the email address retrieved as verified accordingly
  • IdP: Added support for JWT based access tokens (see IDP_OIDC_ACCESS_TOKEN_FORMAT)
  • IdP: Added support for pointing to a custom userinfo endpoint (see IDP_OIDC_USERINFO_ENDPOINT)
  • OpenID Connect: You can now configure the field to be used as the account ID by setting "uid_field" in the relevant SocialApp.settings
  • Headless: The JWT algorithm is now configurable, supporting HS256

Fixes

  • IdP: Access tokens without a user attached (client credentials) were no longer recognized in DRF/Ninja endpoints
  • requests sessions are now disposed of after use to avoid resource leaks

65.13.1 (2025-11-20)

Notable Changes

  • Django 6.0 is now officially supported

Fixes

  • Internal imports related to headless token strategies were causing (harmless) deprecation warnings, fixed

Version History

For the complete version history, please visit the ChangeLog.rst file in the source repository.

How to Read This Changelog

Each release includes:
  • Notable Changes: New features and enhancements
  • Fixes: Bug fixes and issue resolutions
  • Security Notices: Critical security updates (marked with warning boxes)
  • Breaking Changes: Changes that may require code updates (see Breaking Changes)
Subscribe to release notifications on GitHub to stay updated with the latest changes.

Release Frequency

Django Allauth follows semantic versioning and releases updates regularly:
  • Major versions: Breaking changes and significant new features
  • Minor versions: New features and enhancements
  • Patch versions: Bug fixes and security updates

Next Steps

Upgrade Guide

Learn how to upgrade to the latest version

Breaking Changes

Review breaking changes between versions