Releases: openiddict/openiddict-core

5.1.0

18 Jan 17:48

This release introduces the following changes:

  • Behavior change: the ClaimsIdentity.GetClaim()/ClaimsPrincipal.GetClaim() extension now throws an InvalidOperationException when multiple claims of the same type are found in the identity/principal (instead of returning the first value and ignoring the others, as in previous versions). See #1957 for more information.

  • Behavior change: the server stack now automatically aborts sign-in operations that specify a ClaimsPrincipal containing a well-known claim with an invalid cardinality or an incorrect value type attached (e.g. multiple sub claims or a sub claim created with ClaimValueTypes.Integer instead of ClaimValueTypes.String). See #1956 for more information.

  • Client assertions that don't specify an optional iat claim are no longer rejected by the server stack.

  • A new OpenIddictClientService.GetClientRegistrationsAsync() API was introduced to resolve the client registrations dynamically, which can be used in non-ASP.NET Core/OWIN applications (e.g. console or desktop applications) to easily list the supported web providers:

var provider = AnsiConsole.Prompt(new SelectionPrompt<OpenIddictClientRegistration>()
    .Title("Select the authentication provider you'd like to log in with.")
    .AddChoices(from registration in await _service.GetClientRegistrationsAsync(stoppingToken)
                where !string.IsNullOrEmpty(registration.ProviderName)
                where !string.IsNullOrEmpty(registration.ProviderDisplayName)
                select registration)
    .UseConverter(registration => registration.ProviderDisplayName!)).ProviderName!;

  • A new DisableUserinfo property was added to RefreshTokenAuthenticationRequest to allow disabling userinfo for specific refresh token requests (e.g. when using refresh tokens with the client credentials grant).

  • The client and server stacks have been updated to automatically restore the authentication properties initially set by the application (via ProcessChallengeContext.Properties or ProcessSignOutContext.Properties) and attach them to the authentication context (ProcessAuthenticationContext.Properties). This scenario was already supported by the ASP.NET Core and OWIN hosts, but is now supported for all integrations, including OpenIddict.Client.SystemIntegration and OpenIddict.Client.WebIntegration:

// Ask OpenIddict to initiate the authentication flow (typically, by starting the system browser).
var result = await _service.ChallengeInteractivelyAsync(new()
{
    CancellationToken = stoppingToken,
    ProviderName = provider,
    Properties = new()
    {
        ["custom_property"] = "value"
    }
});

// Wait for the user to complete the authorization process.
var response = await _service.AuthenticateInteractivelyAsync(new()
{
    CancellationToken = stoppingToken,
    Nonce = result.Nonce
});

var property = response.Properties["custom_property"];
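
The two behavior changes at the top of the 5.1.0 notes (duplicate claims and wrong value types on well-known claims) can be checked before a principal is handed to the server stack. The following is an added example, not code from the OpenIddict project: `ClaimShapeCheck` is a hypothetical helper built only on System.Security.Claims, the sample principals are constructed, and the list of claim types to check is an assumption supplied by the caller (the notes name only sub as an example).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Constructed sample principals (not taken from the release notes).
var valid = Build(new Claim("sub", "user-1", ClaimValueTypes.String));
var duplicated = Build(new Claim("sub", "user-1"), new Claim("sub", "user-2"));
var mistyped = Build(new Claim("sub", "42", ClaimValueTypes.Integer));

foreach (var (name, principal) in new[]
{
    ("valid", valid), ("duplicated", duplicated), ("mistyped", mistyped)
})
{
    // Assumption: the application decides which claim types must be single strings.
    var errors = ClaimShapeCheck.Validate(principal, new[] { "sub" });
    Console.WriteLine($"{name}: {(errors.Count == 0 ? "ok" : string.Join("; ", errors))}");
}

static ClaimsPrincipal Build(params Claim[] claims) =>
    new(new ClaimsIdentity(claims, authenticationType: "constructed"));

// Hypothetical helper: reports the two conditions described in the notes
// (more than one claim of a type, or a value type other than String).
static class ClaimShapeCheck
{
    public static IReadOnlyList<string> Validate(
        ClaimsPrincipal principal, IEnumerable<string> singleStringClaims)
    {
        var errors = new List<string>();
        foreach (var type in singleStringClaims)
        {
            // FindAll searches every identity attached to the principal.
            var claims = principal.FindAll(type).ToList();

            if (claims.Count > 1)
                errors.Add($"'{type}' appears {claims.Count} times; expected at most one");

            errors.AddRange(claims
                .Where(claim => claim.ValueType != ClaimValueTypes.String)
                .Select(claim => $"'{type}' has value type {claim.ValueType}; " +
                                 $"expected {ClaimValueTypes.String}"));
        }
        return errors;
    }
}
```

Running a check of this kind in tests or just before sign-in surfaces which claim is malformed, so code that relied on the earlier first-value behavior of GetClaim() can be found and corrected.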

5.0.1

22 Dec 12:27

This release introduces the following changes:

  • A regression preventing introspection requests from being correctly handled by the server stack was identified and fixed (thanks Thomas Sauter for reporting it! ❤️).

5.0.0

18 Dec 16:19

For more information about this release, read OpenIddict 5.0 general availability.

5.0.0-rc1

14 Dec 14:21
Pre-release

This release introduces the following changes:

  • TokenValidationParameters.ClockSkew is now supported by OpenIddict, which honors it when validating the expiration date of a token.

  • A bug preventing the OpenIddictClientService.ChallengeUsingDeviceAsync() and OpenIddictClientService.AuthenticateWithDeviceAsync() APIs from flowing the additional device authorization request/token request parameters set by the application was identified and fixed (thanks @hangy for reporting it! ❤️).

  • A bug preventing signing/encryption certificates from being correctly sorted was identified and fixed (thanks Stefan Chiriac for reporting the issue and suggesting the fix!).

Note: 5.0.0-rc1 is the last preview before RTM ships next week. As such, OpenIddict users are invited to start testing 5.0.0-rc1 and share their feedback to ensure no regression affects their applications.

4.10.1

02 Dec 08:42

This release introduces the following changes:

  • A bug preventing the OpenIddictClientService.ChallengeUsingDeviceAsync() and OpenIddictClientService.AuthenticateWithDeviceAsync() APIs from flowing the additional device authorization request/token request parameters set by the application was identified and fixed (thanks @hangy for reporting it! ❤️).

5.0.0-preview3

01 Dec 09:17
61f036f
Pre-release

This release introduces the following changes:

  • On .NET 7.0 and higher, the Entity Framework Core stores now use bulk updates and bulk deletes when large amounts of entities are expected to be updated/removed. If necessary, bulk operations can be disabled by calling options.DisableBulkOperations() in the OpenIddict EF Core stores options.

  • A new IOpenIddictTokenManager.RevokeByAuthorizationIdAsync() API was introduced to dramatically improve the performance of token revocation when using the Entity Framework Core (.NET 7.0+-only) or MongoDB stores.

  • The Entity Framework Core stores that use IDbTransaction were updated to run these operations inside execution strategies, which allows using the built-in stores with options.EnableRetryOnFailure() without having to override them.

  • The IOpenIddictAuthorizationManager.PruneAsync() and IOpenIddictTokenManager.PruneAsync() APIs (and the corresponding stores methods) now return the number of authorizations/tokens that were removed.

  • Constants for the standard claim request members were added (thanks @davhdavh! ❤️).

Note: 5.0.0-preview3 is likely one of the very last previews before RTM ships later this month. As such, OpenIddict users will be invited to start testing 5.0.0-preview3 and share their feedback during the next few weeks.

5.0.0-preview2

14 Nov 16:43
Pre-release

This release introduces the following changes:

  • All the OpenIddict packages now target .NET 8.0 (.NET Standard 2.0/2.1, .NET 6.0/7.0 and .NET Framework 4.6.1+ are still fully supported).

  • A Zoom.us integration was added to OpenIddict.Client.WebIntegration.

  • The authentication results returned by OpenIddictClientService now expose the expiration date of access tokens (thanks @davhdavh! ❤️).

  • To support advanced scenarios (e.g. custom grants), the OWIN and ASP.NET Core hosts have been updated to return an AuthenticateResult with an empty main principal (and the additional principals attached to AuthenticateResult.Properties) instead of a null result (see #1912 for more information).

4.10.0

14 Nov 18:12

This release introduces the following changes:

  • All the OpenIddict packages now target .NET 8.0 (.NET Standard 2.0/2.1, .NET Core 3.1, .NET 6.0/7.0 and .NET Framework 4.6.1+ are still fully supported).

  • A Zoom.us integration was added to OpenIddict.Client.WebIntegration.

  • The authentication results returned by OpenIddictClientService now expose the expiration date of access tokens (thanks @davhdavh! ❤️).

5.0.0-preview1

20 Oct 15:30

4.9.0

09 Oct 15:04

This release introduces the following changes:

  • An Auth0 provider integration was added to OpenIddict.Client.WebIntegration (thanks @pableess! ❤️).

  • OpenIddictClientService.AuthenticateWithDeviceAsync() was fixed to honor DeviceAuthenticationRequest.Scopes.

  • The userinfo validation logic was improved to be compatible with more OAuth 2.0-only scenarios.