Version 1.0.0 - SSOv2 / PKCE

Warnings

  • From this version EsiPy will only use SSOv2 (JWT). If you don’t want to migrate to JWT tokens, you should keep using version 0.5.x, as migration to the new SSO is a permanent move.
  • JWT tokens are really bigger than SSOv1 token, so keep this in mind when migrating if you store these tokens in databases.

Breaking Changes

  • The following parameters have been removed from EsiSecurity.__init__(): app, esi_url, sso_url, esi_datasource.
  • EsiSecurity.__init__() does not construct URLs from either given URL or swagger spec, but makes a request to SSO endpoint discovery.
  • EsiSecurity.__get_token_auth_header() has been removed.
  • EsiSecurity.verify() now uses JWT library python-jose to get informations of the token instead of querying ESI /verify endpoint.
  • EsiSecurity.verify() may raise exceptions if a token does not validate or if it is expired.

Changes

  • EsiSecurity.__init__() has a new optional parameter sso_endpoints_url to provide the SSO discovery URL (which is different for Tranquility, Singularity and Serenity)
  • EsiSecurity.__init__() has a new optional parameter sso_endpoints which can be used to give the content (cached by the user) of the SSO discovery URL. This will prevent EsiSecurity from making a request.
  • EsiSecurity.__init__() has a new optional parameter jwks_key which can be used to give the content (cached by the user) of the JSON Web Key Set (JWKS). This will prevent EsiSecurity from making a request.
  • EsiSecurity.__init__() has a new optional parameter code_verifier which can be used for PKCE flow.
  • EsiSecurity.refresh() now accept scope_list parameter, a list of scope to only refresh a subset of scope for the token. (None by default to refresh everything)
  • New utils functions have been added in the esipy.utils module:
    • generate_code_verifier(length) to generate a code verifier for the PKCE flow that will respect the RFC requirements.
    • generate_code_challenge(code_verifier) to generate the code_challenge to be used in the PKCE flow (used in EsiSecurity)

About PKCE

  • If a secret key is provided, EsiSecurity will never use PKCE.
  • If you want to use PKCE, you need to follow the 2 requirements while instanciating your EsiSecurity object:
    • secret_key must be ignored or set to None
    • code_verifier must be provided and must follow the RFC 7636 format