django-oauth · n2ygk · Mar 28, 2022 · Mar 26, 2022 · Mar 26, 2022 · Mar 26, 2022
diff --git a/AUTHORS b/AUTHORS
@@ -23,6 +23,7 @@ Bart Merenda
 Bas van Oostveen
 Brian Helba
 Carl Schwan
+Daniel 'Vector' Kerr
 Dave Burkholder
 David Fischer
 David Smith

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -32,9 +32,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   If you've [customized OIDC responses](https://django-oauth-toolkit.readthedocs.io/en/latest/oidc.html#customizing-the-oidc-responses)
   and want to retain the pre-2.x behavior, set `oidc_claim_scope = None` in your subclass of `OAuth2Validator`.
 * #1108 OIDC: Make the `access_token` available to `get_oidc_claims` when called from `get_userinfo_claims`.
+* Added `--algorithm` argument to `createapplication` management command
 
 ### Fixed
 * #1108 OIDC: Fix `validate_bearer_token()` to properly set `request.scopes` to the list of granted scopes.
+* Fixed help text for `--skip-authorization` argument of the `createapplication` management command
 
 ### Removed
 * #1124 (**Breaking**, **Security**) Removes support for insecure `urn:ietf:wg:oauth:2.0:oob` and `urn:ietf:wg:oauth:2.0:oob:auto` which are replaced

diff --git a/oauth2_provider/management/commands/createapplication.py b/oauth2_provider/management/commands/createapplication.py
@@ -49,7 +49,12 @@ def add_arguments(self, parser):
         parser.add_argument(
             "--skip-authorization",
             action="store_true",
-            help="The ID of the new application",
+            help="If set, completely bypass the authorization form, even on the first use of the application",
+        )
+        parser.add_argument(
+            "--algorithm",
+            type=str,
+            help="The OIDC token signing algorithm for this application (e.g., 'RS256' or 'HS256')",
         )
 
     def handle(self, *args, **options):

diff --git a/tests/test_commands.py b/tests/test_commands.py
@@ -1,5 +1,6 @@
 from io import StringIO
 
+import pytest
 from django.contrib.auth import get_user_model
 from django.contrib.auth.hashers import check_password
 from django.core.management import call_command
@@ -8,6 +9,8 @@
 
 from oauth2_provider.models import get_application_model
 
+from . import presets
+
 
 Application = get_application_model()
 
@@ -112,6 +115,20 @@ def test_application_created_with_user(self):
 
         self.assertEqual(app.user, user)
 
+    @pytest.mark.usefixtures("oauth2_settings")
+    @pytest.mark.oauth2_settings(presets.OIDC_SETTINGS_RW)
+    def test_application_created_with_algorithm(self):
+        call_command(
+            "createapplication",
+            "confidential",
+            "authorization-code",
+            "--redirect-uris=http://example.com http://example2.com",
+            "--algorithm=RS256",
+        )
+        app = Application.objects.get()
+
+        self.assertEqual(app.algorithm, "RS256")
+
     def test_validation_failed_message(self):
         output = StringIO()
         call_command(