Releases: openiddict/openiddict-core
5.1.0
This release introduces the following changes:
- Behavior change: the ClaimsIdentity.GetClaim()/ClaimsPrincipal.GetClaim() extensions now throw an InvalidOperationException when multiple claims of the same type are found in the identity/principal (instead of returning the first value and silently ignoring the other ones, as in previous versions). See #1957 for more information.
- Behavior change: the server stack now automatically aborts sign-in operations that specify a ClaimsPrincipal containing a well-known claim with an invalid cardinality or an incorrect value type attached (e.g. multiple sub claims, or a sub claim created with ClaimValueTypes.Integer instead of ClaimValueTypes.String). See #1956 for more information.
- Client assertions that don't specify the optional iat claim are no longer rejected by the server stack.
- A new OpenIddictClientService.GetClientRegistrationsAsync() API was introduced to allow resolving the client registrations dynamically, which can be used in non-ASP.NET Core/OWIN applications (e.g. console or desktop applications) to easily list the supported web providers:

```csharp
var provider = AnsiConsole.Prompt(new SelectionPrompt<OpenIddictClientRegistration>()
    .Title("Select the authentication provider you'd like to log in with.")
    .AddChoices(from registration in await _service.GetClientRegistrationsAsync(stoppingToken)
                where !string.IsNullOrEmpty(registration.ProviderName)
                where !string.IsNullOrEmpty(registration.ProviderDisplayName)
                select registration)
    .UseConverter(registration => registration.ProviderDisplayName!)).ProviderName!;
```

- A new DisableUserinfo property was added to RefreshTokenAuthenticationRequest to allow disabling the userinfo request for specific refresh token requests (e.g. when using refresh tokens with the client credentials grant, where no user is associated with the token).
- The client and server stacks have been updated to automatically restore the authentication properties initially set by the application (via ProcessChallengeContext.Properties or ProcessSignOutContext.Properties) and attach them to the authentication context (ProcessAuthenticationContext.Properties). This scenario was already supported by the ASP.NET Core and OWIN hosts, but is now supported for all integrations, including OpenIddict.Client.SystemIntegration and OpenIddict.Client.WebIntegration:

```csharp
// Ask OpenIddict to initiate the authentication flow (typically, by starting the system browser).
var result = await _service.ChallengeInteractivelyAsync(new()
{
    CancellationToken = stoppingToken,
    ProviderName = provider,
    Properties = new()
    {
        ["custom_property"] = "value"
    }
});

// Wait for the user to complete the authorization process.
var response = await _service.AuthenticateInteractivelyAsync(new()
{
    CancellationToken = stoppingToken,
    Nonce = result.Nonce
});

var property = response.Properties["custom_property"];
```

- The following providers have been added to the OpenIddict.Client.WebIntegration package:
  - Okta
  - Orange France
  - World ID (by Worldcoin)
- The Twitter integration now automatically maps the name userinfo claim to its ClaimTypes.Name equivalent.
- The Microsoft.IdentityModel.* packages have been updated to 7.2.0 to address a security issue. See GHSA-8g9c-28fc-mcx2 for more information.
- References to Azure Active Directory in the code documentation have been replaced by "Microsoft Entra ID" to match the new name of the service (see https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/azure-ad-is-becoming-microsoft-entra-id/ba-p/2520436 for more information).
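The two behavior changes above (GetClaim() refusing ambiguous lookups, and the server stack rejecting a sub claim with the wrong cardinality or value type) are easiest to see on a principal built by application code. The following is an added example, not code from the OpenIddict release notes or from the project itself: it uses the SetClaim()/SetClaims()/GetClaim()/GetClaims() extensions from OpenIddict.Abstractions, and the authentication type name "Bearer", the user identifier "user-42" and the HasWellFormedSubject() pre-check are assumptions made for the illustration (the pre-check mirrors the documented rule for sub; it is not OpenIddict's own validation code).

```csharp
using System;
using System.Collections.Immutable;
using System.Linq;
using System.Security.Claims;
using OpenIddict.Abstractions;
using static OpenIddict.Abstractions.OpenIddictConstants;

public static class PrincipalBuilder
{
    // Builds the principal an application hands to SignIn(). Every well-known claim is
    // single-valued and uses the value type OpenIddict expects ("sub" as a string), which
    // is what the 5.1.0 server stack now checks before accepting the sign-in.
    public static ClaimsPrincipal CreateSignInPrincipal(string subject, string[] roles)
    {
        var identity = new ClaimsIdentity(
            authenticationType: "Bearer", // assumed scheme name for the example
            nameType: Claims.Name,
            roleType: Claims.Role);

        // SetClaim() replaces any existing claim of the same type, so "sub" cannot be duplicated.
        identity.SetClaim(Claims.Subject, subject)
                .SetClaim(Claims.Name, subject);

        // Several "role" claims are legitimate: they are set with SetClaims() and must be read
        // back with GetClaims(), since GetClaim() throws on more than one value in 5.1.0.
        identity.SetClaims(Claims.Role, roles.ToImmutableArray());

        return new ClaimsPrincipal(identity);
    }

    // The shape 5.1.0 rejects: "sub" attached as an integer-typed claim. This compiles fine,
    // but the server stack now aborts the sign-in instead of issuing a token with it.
    public static ClaimsPrincipal CreateMalformedPrincipal(int numericUserId)
    {
        var identity = new ClaimsIdentity("Bearer");
        identity.AddClaim(new Claim(Claims.Subject, numericUserId.ToString(), ClaimValueTypes.Integer));
        return new ClaimsPrincipal(identity);
    }

    // Application-side pre-check for "sub": exactly one claim, typed as a string.
    // Assumed helper for the example; not OpenIddict's own validation logic.
    public static bool HasWellFormedSubject(ClaimsPrincipal principal)
    {
        var claims = principal.FindAll(Claims.Subject).ToList();
        return claims.Count == 1 && claims[0].ValueType == ClaimValueTypes.String;
    }

    // GetClaim() is only safe for a claim known to be single-valued; branch on the
    // cardinality first instead of catching the InvalidOperationException.
    public static string DescribeRoles(ClaimsPrincipal principal)
    {
        var roles = principal.GetClaims(Claims.Role);
        return roles.Length switch
        {
            0 => "no role",
            1 => principal.GetClaim(Claims.Role)!, // exactly one value: GetClaim() is safe here
            _ => string.Join(", ", roles)          // GetClaim() would throw on this principal
        };
    }
}

public static class Program
{
    public static void Main()
    {
        var single = PrincipalBuilder.CreateSignInPrincipal("user-42", new[] { "admin" });
        Console.WriteLine(PrincipalBuilder.DescribeRoles(single));

        var multi = PrincipalBuilder.CreateSignInPrincipal("user-42", new[] { "admin", "auditor" });
        Console.WriteLine(PrincipalBuilder.DescribeRoles(multi));

        // Calling GetClaim() directly on the multi-valued claim is the 5.1.0 behavior change.
        try
        {
            multi.GetClaim(Claims.Role);
        }
        catch (InvalidOperationException exception)
        {
            Console.WriteLine($"GetClaim() refused the ambiguous lookup: {exception.Message}");
        }

        Console.WriteLine(PrincipalBuilder.HasWellFormedSubject(single));
        Console.WriteLine(PrincipalBuilder.HasWellFormedSubject(PrincipalBuilder.CreateMalformedPrincipal(42)));
    }
}
```

The practical consequence for code upgrading to 5.1.0 is to audit every GetClaim() call on claim types that can legitimately repeat (role, scope-like custom claims) and switch them to GetClaims(), and to make sure custom sign-in code never adds a second sub or sets a non-string value type on it.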
5.0.1
This release introduces the following changes:
- A regression preventing introspection requests from being correctly handled by the server stack was identified and fixed (thanks Thomas Sauter for reporting it! ❤️).
5.0.0
For more information about this release, read OpenIddict 5.0 general availability.
5.0.0-rc1
This release introduces the following changes:
- TokenValidationParameters.ClockSkew is now supported by OpenIddict, which honors it when validating the expiration date of a token.
- A bug preventing the OpenIddictClientService.ChallengeUsingDeviceAsync() and OpenIddictClientService.AuthenticateWithDeviceAsync() APIs from flowing the additional device authorization request/token request parameters set by the application was identified and fixed (thanks @hangy for reporting it! ❤️).
- A bug preventing signing/encryption certificates from being correctly sorted was identified and fixed (thanks Stefan Chiriac for reporting the issue and suggesting the fix!).

Note: 5.0.0-rc1 is the last preview before RTM ships next week. As such, OpenIddict users are invited to start testing 5.0.0-rc1 and share their feedback to ensure no regression affects their applications.
4.10.1
This release introduces the following changes:
- A bug preventing the OpenIddictClientService.ChallengeUsingDeviceAsync() and OpenIddictClientService.AuthenticateWithDeviceAsync() APIs from flowing the additional device authorization request/token request parameters set by the application was identified and fixed (thanks @hangy for reporting it! ❤️).
5.0.0-preview3
This release introduces the following changes:
- On .NET 7.0 and higher, the Entity Framework Core stores now use bulk updates and bulk deletes when large amounts of entities are expected to be updated/removed. If necessary, bulk operations can be disabled by calling options.DisableBulkOperations() in the OpenIddict EF Core stores options.
- A new IOpenIddictTokenManager.RevokeByAuthorizationIdAsync() API was introduced to dramatically improve the performance of token revocation when using the Entity Framework Core (.NET 7.0+-only) or MongoDB stores.
- The Entity Framework Core stores that use IDbTransaction were updated to run these operations inside execution strategies, which allows using the built-in stores with options.EnableRetryOnFailure() without having to override them.
- The IOpenIddictAuthorizationManager.PruneAsync() and IOpenIddictTokenManager.PruneAsync() APIs (and the corresponding stores methods) now return the number of authorizations/tokens that were removed.
- Constants for the standard claim request members were added (thanks @davhdavh! ❤️)

Note: 5.0.0-preview3 is likely one of the very last previews before RTM ships later this month. As such, OpenIddict users will be invited to start testing 5.0.0-preview3 and share their feedback during the next few weeks.
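The RevokeByAuthorizationIdAsync() and counting PruneAsync() APIs from this preview fit naturally into a consent-revocation path: when a user withdraws consent for a client, every token issued under that authorization should stop working at once, and the expired leftovers should be pruned on a schedule. The following is an added example, not code from the OpenIddict release notes or the project: it uses the public IOpenIddictAuthorizationManager/IOpenIddictTokenManager APIs, and the ConsentRevocationService class, the ownership check against expectedSubject and the retention window passed to PruneAsync() are assumptions made for the illustration.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using OpenIddict.Abstractions;

// Assumed application service wrapping the OpenIddict managers (not part of OpenIddict).
public sealed class ConsentRevocationService
{
    private readonly IOpenIddictAuthorizationManager _authorizations;
    private readonly IOpenIddictTokenManager _tokens;

    public ConsentRevocationService(
        IOpenIddictAuthorizationManager authorizations,
        IOpenIddictTokenManager tokens)
        => (_authorizations, _tokens) = (authorizations, tokens);

    // Revokes an authorization and every token issued under it. Returns false when the
    // authorization does not exist or does not belong to the caller, so a user cannot
    // revoke (or probe for) another user's authorizations by guessing identifiers.
    public async Task<bool> RevokeAsync(string authorizationId, string expectedSubject, CancellationToken cancellationToken)
    {
        var authorization = await _authorizations.FindByIdAsync(authorizationId, cancellationToken);
        if (authorization is null)
        {
            return false;
        }

        var subject = await _authorizations.GetSubjectAsync(authorization, cancellationToken);
        if (!string.Equals(subject, expectedSubject, StringComparison.Ordinal))
        {
            return false;
        }

        // One bulk operation instead of enumerating and revoking each token individually
        // (the performance improvement this preview introduces for the EF Core and MongoDB stores).
        await _tokens.RevokeByAuthorizationIdAsync(authorizationId, cancellationToken);

        // Also revoke the authorization itself so no new tokens can be derived from it.
        await _authorizations.TryRevokeAsync(authorization, cancellationToken);
        return true;
    }

    // Removes expired/revoked entries older than the retention window. Since this preview,
    // both PruneAsync() calls return the number of rows removed, which is worth logging so
    // an unexpectedly large (or permanently zero) count shows up in operations dashboards.
    public async Task<(long Authorizations, long Tokens)> PruneAsync(TimeSpan retention, CancellationToken cancellationToken)
    {
        var threshold = DateTimeOffset.UtcNow - retention;

        // Prune tokens first: an authorization still referenced by tokens is kept.
        var tokens = await _tokens.PruneAsync(threshold, cancellationToken);
        var authorizations = await _authorizations.PruneAsync(threshold, cancellationToken);

        return (authorizations, tokens);
    }
}
```

On .NET 7.0+ with the Entity Framework Core stores, the bulk delete/update path described in the first bullet is what makes these calls cheap on large token tables; if a provider or interceptor does not cope with bulk operations, they can be turned off with options.DisableBulkOperations() on the EF Core stores options and the same code keeps working, just slower.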
5.0.0-preview2
This release introduces the following changes:
- All the OpenIddict packages now target .NET 8.0 (.NET Standard 2.0/2.1, .NET 6.0/7.0 and .NET Framework 4.6.1+ are still fully supported).
- A Zoom.us integration was added to OpenIddict.Client.WebIntegration.
- The authentication results returned by OpenIddictClientService now expose the expiration date of access tokens (thanks @davhdavh! ❤️)
- To support advanced scenarios (e.g. custom grants), the OWIN and ASP.NET Core hosts have been updated to return an AuthenticateResult with an empty main principal - and the additional principals attached to AuthenticateResult.Properties - instead of a null result (see #1912 for more information).
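The access token expiration date now exposed on the OpenIddictClientService results is what a daemon-style client needs to decide when to renew a token, and renewing a client credentials token through a refresh token is exactly the case the DisableUserinfo flag added in 5.1.0 (above) is meant for, since no user is attached to such a token. The following is an added example, not code from the OpenIddict release notes or the project: it uses the AuthenticateWithClientCredentialsAsync()/AuthenticateWithRefreshTokenAsync() APIs, and the provider name "Contoso", the scope names, the one-minute renewal margin and the assumption that the authorization server issues a refresh token for the client credentials grant (many servers do not, in which case the refresh branch is simply never taken) are assumptions made for the illustration.

```csharp
using System;
using System.Collections.Immutable;
using System.Threading;
using System.Threading.Tasks;
using OpenIddict.Abstractions;
using OpenIddict.Client;
using static OpenIddict.Abstractions.OpenIddictConstants;

// Assumed application-side token cache for a background (daemon) client.
public sealed class DaemonTokenCache
{
    private const string ProviderName = "Contoso"; // assumed client registration name
    private readonly OpenIddictClientService _service;
    private readonly SemaphoreSlim _lock = new(1, 1);
    private string? _accessToken;
    private string? _refreshToken;
    private DateTimeOffset? _expiration;

    public DaemonTokenCache(OpenIddictClientService service) => _service = service;

    public async Task<string> GetAccessTokenAsync(CancellationToken cancellationToken)
    {
        // Serialize renewals so concurrent callers do not each request a new token.
        await _lock.WaitAsync(cancellationToken);
        try
        {
            // Renew a minute early so a token never reaches the API already expired.
            if (_accessToken is not null && _expiration is { } expiration &&
                expiration > DateTimeOffset.UtcNow.AddMinutes(1))
            {
                return _accessToken;
            }

            if (_refreshToken is not null)
            {
                try
                {
                    var refreshed = await _service.AuthenticateWithRefreshTokenAsync(new()
                    {
                        CancellationToken = cancellationToken,
                        ProviderName = ProviderName,
                        RefreshToken = _refreshToken,
                        // No end user is behind a client credentials token: skip the userinfo
                        // request that the client stack would otherwise send after refreshing.
                        DisableUserinfo = true
                    });

                    Store(refreshed.AccessToken, refreshed.RefreshToken ?? _refreshToken, refreshed.AccessTokenExpirationDate);
                    return _accessToken!;
                }
                catch (ProtocolException exception) when (exception.Error is Errors.InvalidGrant)
                {
                    // The refresh token was revoked or expired server-side: forget it and
                    // fall through to a fresh client credentials request.
                    _refreshToken = null;
                }
            }

            var result = await _service.AuthenticateWithClientCredentialsAsync(new()
            {
                CancellationToken = cancellationToken,
                ProviderName = ProviderName,
                Scopes = ImmutableArray.Create("api", Scopes.OfflineAccess) // assumed scope names
            });

            // The refresh token (if the server issued one) is read from the raw token response.
            Store(result.AccessToken, result.TokenResponse.RefreshToken, result.AccessTokenExpirationDate);
            return _accessToken!;
        }
        finally
        {
            _lock.Release();
        }
    }

    private void Store(string accessToken, string? refreshToken, DateTimeOffset? expiration)
    {
        _accessToken = accessToken;
        _refreshToken = refreshToken;
        _expiration = expiration;
    }
}
```

If the server returns no expiration date (the result property is null), the cache above renews on every call; a production implementation should fall back to a conservative fixed lifetime in that case rather than hammering the token endpoint.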
4.10.0
This release introduces the following changes:
- All the OpenIddict packages now target .NET 8.0 (.NET Standard 2.0/2.1, .NET Core 3.1, .NET 6.0/7.0 and .NET Framework 4.6.1+ are still fully supported).
- A Zoom.us integration was added to OpenIddict.Client.WebIntegration.
- The authentication results returned by OpenIddictClientService now expose the expiration date of access tokens (thanks @davhdavh! ❤️)
5.0.0-preview1
For more information about this release, read Introducing native applications, per-client token lifetimes and client assertions support in OpenIddict 5.0 preview1.
4.9.0
This release introduces the following changes:
- An Auth0 provider integration was added to OpenIddict.Client.WebIntegration (thanks @pableess! ❤️)
- OpenIddictClientService.AuthenticateWithDeviceAsync() was fixed to honor DeviceAuthenticationRequest.Scopes.
- The userinfo validation logic was improved to be compatible with more OAuth 2.0-only scenarios.