Releases: descope/python-sdk
1.6.8
Enhancements
- Project tags: Projects now have a `tags` attribute, a list of strings that can be used to distinguish your projects. Those can be updated using the `update_tags` command.
Bug fixes
- JWT rotation enablement: We fixed a bug that caused the JWT rotation feature not to work with this specific SDK. The gap is closed and the feature now works properly.
1.6.7
Enhancements
- Access key descriptions and permitted IPs list: Access key descriptions can now be set, both from the console and from the SDK. This also applies to permitted IPs (the source IPs from which the access key may be used), which support both single IP addresses and CIDR ranges.
- Application sign-out URL: We've added an option to configure a specific application sign-out URL using the `logout_redirect_url` param in SAML-related functions. This is useful when Descope is your IdP and you want to sign a user out of Descope when they sign out from their SP.
- User interaction override: With the `force_authentication` flag in applications, you can force the end user to interact in a specific way with Descope (as IdP), regardless of the SP's settings.
Bug fixes
- Audit timestamps weren't datetimes: the `from` and `to` audit parameters are now returned as proper datetime (timestamp) objects.
1.6.6
Enhancements
- Custom audit events: We've added the `create_event` function to our `audit` object, which allows you to generate your own custom audit events. Your custom events can carry different data than the events Descope provides.
- Option to automatically delete related users/access keys when deleting their associated tenant: We've added an option to handle auto-deletion of 'orphaned' users and access keys when their last tenant is deleted. When deleting a tenant, you can use the new `cascade` flag to indicate that any of the tenant's users/access keys left with no tenant association should also be deleted from the project.
- ReBAC relationship checker: We added a new function, `what_can_target_access_with_relation`, to check which resources a user has access to, per the application's ReBAC schema. The search is recursive.
- TOTP seed migration: When batch importing users into Descope, you can specify collecting their TOTP seed as part of the migration. If provided in the data, that seed will now be associated with the user and the next authentication will be seamless.
- Force refresh of OAuth/OIDC provider token: Currently, refreshing the provider token is based on its expiration time. In some cases the provider doesn't return an expiration, so we added the `forceRefresh` parameter to the `user_get_provider_token` function to force a refresh of the provider token.
1.6.5
1.6.4
Enhancements
- Custom claims for access keys: You can define custom claims that will be added upon creation or exchange of access key tokens. See our example on how to use it in the exchange process in our README.
- Search over roles: We've added a new `search` function for roles, to allow easy searching over them. This function works both for project-level roles and for tenant-level roles (depending on the filter used).
1.6.3
Breaking changes
- Set an active password for a user: You can set a new active password for a user with the `set_active_password` function, which they can then use to sign in. The project's password expiration settings apply to it, after which the user will have to update it to a password of their own.
Notice that we deprecated the `set_password` function and now offer a `set_temporary_password` function instead. The functionality is the same as before (the password expires automatically, making the user reset it upon first authentication); we just wanted to make the naming clearer!
Enhancements
- Tenant-level roles: Tenants may require their own set of roles on top of the default roles provided in your application. For that, we enhanced the existing role functions (`create`, `update`, `delete`) to support association with a specific `tenant_id`.
- User impersonation: Using the `impersonate` function, you can decide which user you would like to temporarily sign in on behalf of. Please make sure to read our SDK's README on impersonation, as well as our KB article on the topic, to fully understand this feature and how to use it securely.
1.6.2
Enhancements
- Support Bcrypt and Firebase encoding: Some systems encode passwords with the Bcrypt hashing mechanism, so we added support for importing those hashes into Descope using the InviteBatch function. We also added support for the Firebase hashing mechanism.
- User authentication activity log: Using the new `history` command, you can find out more information (such as IP address, country, etc.) about your users' authentications. Read more about this in the SDK's README.
- Associate an access key with a specific user: We've added the `user_id` parameter to the access key `create` function, so that upon creation the key is associated with the user. This means that if the user's status changes (for example, the user is disabled), the access key's status changes accordingly (it gets deactivated).
1.6.1
Enhancements
- 😮 Tenant SSO - supporting SAML and OIDC: We've recently expanded our tenant SSO support to both SAML and OIDC configurations, so we created a set of generic SSO commands that replace the existing SAML ones.
Using the dedicated `SSOSAMLSettings`, `SSOSAMLSettingsByMetadata` and `SSOOIDCSettings` objects, along with their matching functions, you can define a tenant's SSO configuration settings.
This also means that the dedicated SAML authentication commands are now deprecated, and we encourage you to update your code to use the new commands:
  - `saml.exchange_token` >> `sso.exchange_token`
  - `saml.start` >> `sso.start`
- Use external information in email/text message templates: Just like custom flow inputs, you can now provide custom template inputs that are added to the email/text message template at runtime. For example, you can choose to pass the user's IP into the template, to present it upon verification.
- Applications management: Applications, also known as SSO Applications, are used to integrate with an application using SAML or OIDC. Under the `sso_application` object, you can find options to create, load, update and delete applications in a specific project. Find out more about applications in our documentation.
- Associate an application to a user: You can associate one or more applications with a user, thus controlling which of your users has access to those apps. If the user doesn't have access, no JWT will be generated and the authentication to that application will fail.
- Delete a flow: Using the `delete_flows` function, you can delete one or more flows.
- Free search and sorting in users: Two new parameters were added to the `search_all` users function: `text` allows searching for any text value across all user attributes; `sort` allows sorting the returned values alphabetically by attribute name.
- Get recent changes in Authz schema definition: We added the `get_modified` authz function, so you can see which new targets and resources were created or updated since a certain time.
1.6.0
Breaking changes
- Support multiple domains for tenant: There's an option to automatically associate a user with a tenant based on the user's email domain. Sometimes the same tenant can 'accept' multiple domains, so that's supported now!
Please notice that this breaks compilation, since this value is now an array and not a string.
Enhancements
- Appending user login IDs: We've added the option to assign multiple login IDs to a user, using the `additional_login_ids` parameter, upon creation and/or invitation of the user.
- First, middle and last names of a user: We added system attributes for the first (`given_name`), middle (`middle_name`) and last (`family_name`) names of a user.
- Control audience claim in access keys: With the new `audience` parameter in the `exchange_access_key` function, you can control the `aud` claim in the JWT that's created for the access key.
- Set the user's roles: We now support the option to set an existing user's roles. Instead of fetching the existing roles, removing all of them and adding new ones 'from scratch', use the `set_roles` user function.
- Check roles or permissions of a user: Check if the user has at least one of the roles in a provided list, using the `get_matched_roles` function. This also applies to checking permissions (`get_matched_permissions`), and to checking at both the project level and a specific tenant level (`get_matched_tenant_roles`, `get_matched_tenant_permissions`).
- Batch user invitation: You can now use the `invite_batch` function to add multiple users to your project.
- Remove a user's passkey login IDs: Using the `remove_all_passkeys` management function, the Descoper can remove all passkeys associated with a specific user.
- Delete a user by its user ID: Support for deleting a user by its userId property, using the new `delete_by_user_id` function.
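Setting the `aud` claim on an access-key JWT only protects a service if that service rejects tokens minted for a different audience. The following is an added example, not code from Descope's SDK or project: a stdlib-only verifier that accepts a token only when its signature, expiry and `aud` claim all check out. The HS256 demo key, the `mint_token` helper and the claim values are constructed for the demo; Descope-issued tokens are validated through the SDK against Descope's own keys.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key (assumption): real access-key JWTs are signed by the
# issuer, not the relying service. HS256 keeps this example self-contained.
DEMO_KEY = b"constructed-demo-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(aud: "str | list[str]", key: bytes = DEMO_KEY, ttl: int = 300) -> str:
    """Build a minimal HS256 JWT carrying the given aud claim (demo issuer side)."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": "demo-access-key", "aud": aud, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, expected_aud: str, key: bytes = DEMO_KEY) -> dict:
    """Relying-service check: signature, then expiry, then audience. Raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never trust alg chosen by the token
    expected_sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= int(time.time()):
        raise ValueError("token expired")
    # RFC 7519 allows aud to be a string or a list; our audience must be present.
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    return claims


def accepts(token: str, expected_aud: str) -> bool:
    """True only if verify_token passes for this service's audience."""
    try:
        verify_token(token, expected_aud)
        return True
    except ValueError:
        return False
```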
Bug fixes
- Support embedded delivery method and login options in test users: Some functionality was missing from test-user support, so we made sure it was quickly added.
1.5.9
Enhancements
- ReBAC support: Descope now supports an advanced and more elaborate concept of authorization, known as ReBAC. ReBAC, Relation-Based Access Control, allows defining a user's permissions based on their relationships to various objects, using a directed graph of connections between them. Read more in our README.
- Search users by email or phone: We enabled the option to search over the user email and phone attributes, regardless of whether those are used as Login IDs or not.
- Flask decorators as extra package: We've added Flask as an extra package to the SDK. This means that it is not installed by default, but only when the relevant extra is set, which installs all relevant Flask dependencies.
- Search over tenants: Using the `search_all` tenants command, you can now search for all tenants based on their attribute values, such as name, self-provisioning domains, custom attributes and more.
- Logout all user sessions: Descopers can now terminate a specific user's sessions across existing devices, using the management SDK. You can do so by providing the user's Login ID (`logout_user_by_user_id`) or their User ID (`logout_user`).
- Invitation of users using their phone number: If needed, upon inviting a user you can configure that the invitation is sent via SMS using the `sendSMS` boolean flag.
- Cloning a project: Projects can be programmatically cloned using the new `clone` project command. Note that this action is supported for pro and enterprise licensed customers.
- README enhancements: Making our README more informative and full of examples for better explainability!
Bug fixes
- Improved exception type catches: To provide as much information as we can on token validation exceptions, we've changed our existing encapsulated errors to be more specific.