
Releases: openiddict/openiddict-core


26 Feb 19:26

This release introduces the following changes:

  • An issue causing end session requests that omit the optional client_id parameter to be rejected when end session request caching is enabled was fixed (thanks @miegir for reporting it! ❤️)


13 Feb 11:20

This release introduces the following changes:

  • Native support for OAuth 2.0 Pushed Authorization Requests (aka PAR) has been implemented in both the OpenIddict client and server stacks. PAR increases the security level of user-interactive grants - like the code flow - by sending the actual authorization request parameters via backchannel communication before redirecting the user agent to the regular authorization endpoint with a unique and random request_uri attached. PAR has recently gained traction and is now supported by some OAuth 2.0 services and libraries (including Keycloak and Microsoft's ASP.NET Core OpenID Connect handler starting in .NET 9.0).


For more information on how to use OAuth 2.0 Pushed Authorization Requests in OpenIddict, read Pushed Authorization Requests.

  • As part of the PAR introduction, the authorization and end session request caching feature has been completely revamped to use the same code path as pushed authorization requests and the OpenIddict-specific request_id parameter has been replaced by request_uri. While cached requests were persisted using IDistributedCache in previous versions, they are now stored in request tokens and persisted in OpenIddict's tokens table with the other tokens.


The EnableAuthorizationRequestCaching and EnableEndSessionRequestCaching options have been moved from OpenIddictServerAspNetCoreOptions and OpenIddictServerOwinOptions to OpenIddictServerOptions (the original options are no longer honored). The corresponding methods in OpenIddictServerAspNetCoreBuilder and OpenIddictServerOwinBuilder are still functional - they internally use the new properties - but are now obsolete.
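The following added illustration (not OpenIddict's own code, which persists pushed requests as request tokens in its tokens table) models the server side of the PAR flow described above and the checks a resolver should apply to a request_uri: it must be unguessable, expire quickly, be usable only once, and be redeemable only by the client that pushed it. The class name, the in-memory store and the lifetime are assumptions made for this example.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Security.Cryptography;

// Hypothetical, in-memory model of a pushed authorization request store (illustration only).
public sealed class PushedAuthorizationRequestStore
{
    private sealed record Entry(string ClientId, IReadOnlyDictionary<string, string> Parameters, DateTimeOffset ExpiresAt);

    private readonly ConcurrentDictionary<string, Entry> _entries = new();
    private readonly TimeSpan _lifetime;

    public PushedAuthorizationRequestStore(TimeSpan lifetime) => _lifetime = lifetime;

    // Backchannel step: the authenticated client pushes the complete set of authorization
    // parameters and receives a short-lived, random request_uri (RFC 9126 uses the urn: form).
    public (string RequestUri, int ExpiresIn) Push(string clientId, IReadOnlyDictionary<string, string> parameters)
    {
        var handle = Base64UrlEncode(RandomNumberGenerator.GetBytes(32)); // 256 bits of entropy
        var requestUri = "urn:ietf:params:oauth:request_uri:" + handle;
        _entries[requestUri] = new Entry(clientId, parameters, DateTimeOffset.UtcNow.Add(_lifetime));
        return (requestUri, (int)_lifetime.TotalSeconds);
    }

    // Front-channel step: the authorization endpoint receives client_id and request_uri.
    // The entry is removed before any other check so a replayed request_uri always fails,
    // an expired entry is rejected, and the client_id must match the pushing client.
    public IReadOnlyDictionary<string, string>? Resolve(string requestUri, string clientId)
    {
        if (!_entries.TryRemove(requestUri, out var entry)) return null;           // unknown or already used
        if (entry.ExpiresAt <= DateTimeOffset.UtcNow) return null;                 // expired
        if (!string.Equals(entry.ClientId, clientId, StringComparison.Ordinal)) return null; // wrong client
        return entry.Parameters;
    }

    private static string Base64UrlEncode(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
}
```

A second Resolve() call with the same request_uri returns null, which is the property that makes a leaked redirect URL useless to a third party.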

  • GitCode, VK ID and Yandex are now supported by the OpenIddict.Client.WebIntegration package (thanks @gehongyan and @t1moH1ch! ❤️).


With these new providers, the OpenIddict client now supports 100 web services! 🎉

  • The InteractiveChallengeRequest and InteractiveSignOutRequest models have been updated to allow easily attaching an identity token or login hint to authorization and end session requests.

  • The OpenIddict*AuthorizationStore.PruneAsync() implementations were updated to always exclude permanent authorizations that still have tokens attached, which should reduce the risk of SQL exceptions when one of the pruned authorizations still has child entities attached.

  • An issue affecting the OpenIddictEntityFrameworkCoreAuthorizationStore.FindByApplicationIdAsync() API was identified and fixed (thanks @simon-wacker! ❤️)


17 Dec 17:20

For more information about this release, read OpenIddict 6.0 general availability.


08 Dec 17:10
6.0.0-rc1 Pre-release

This release introduces the following changes:

  • The OpenIddict server now automatically normalizes unique "amr" claims in identity tokens to ensure a JSON array is always returned (as required by the OpenID Connect specification), even if the developer didn't explicitly use JsonClaimValueTypes.JsonArray as the claim value type.

  • New methods allowing multiple certificates and keys to be registered at once have been added to the client/server/validation builders (thanks @ionite34! ❤️)

  • Zendesk and EVE Online are now supported by the OpenIddict web providers package (thanks @mozts2005 and @kalaveijo! ❤️)


An OpenIddict 5.0 to 6.0 migration guide can be found here:


13 Nov 10:28
6.0.0-preview4 Pre-release

This release introduces the following changes:

  • OpenIddict 6.0 preview 4 was updated to reference the .NET 9.0 RTM packages on .NET 9.0.

  • The ASP.NET Core and OWIN integrations now include the authentication properties attached to ProcessAuthenticationContext.Properties in errored authentication results, which can be used with the client stack to retrieve custom and non-custom properties attached to the state token when using the "error pass-through mode".


As part of this change, the OWIN hosts now return an AuthenticateResult instance containing an empty ClaimsIdentity with its IsAuthenticated property set to false (instead of a null identity) to represent errored authentication demands.

If you're using the error pass-through mode and are calling await AuthenticateAsync(OpenIddict*OwinDefaults.AuthenticationType), consider updating your if checks to ensure unauthenticated identities are correctly identified.

For instance, with the client stack:

```csharp
var result = await context.Authentication.AuthenticateAsync(OpenIddictClientOwinDefaults.AuthenticationType);
if (result is { Identity.IsAuthenticated: true })
{
    // The authentication result represents an authenticated user.
}
else
{
    // Errored demand: result.Identity is now an empty, unauthenticated ClaimsIdentity
    // rather than null, so a null check alone is no longer sufficient.
}
```
  • Introspection and revocation requests started via OpenIddictClientService.IntrospectTokenAsync() and OpenIddictClientService.RevokeTokenAsync() are now eagerly aborted if the token to introspect or revoke is missing.


01 Nov 10:01
6.0.0-preview3 Pre-release

This release introduces the following changes:

  • The existing IOpenIddictAuthorizationManager.FindAsync(...) and IOpenIddictTokenManager.FindAsync(...) overloads have been merged and replaced by a single method where all the parameters are now optional (for instance, if a null subject value is specified when calling IOpenIddictAuthorizationManager.FindAsync(...), the returned collection will contain authorizations for all users).

  • New IOpenIddictAuthorizationManager.RevokeAsync(...) and IOpenIddictTokenManager.RevokeAsync(...) APIs have been introduced to allow easily revoking authorizations or tokens based on specific parameters. E.g:

```csharp
// Revoke all the active access tokens attached to the user [email protected].
await _tokenManager.RevokeAsync(subject: "[email protected]", client: null, status: Statuses.Active, type: TokenTypeHints.AccessToken);
```


22 Oct 14:16
6.0.0-preview2 Pre-release

This release introduces the following changes:

  • OpenIddict 6.0 preview 2 was updated to reference the .NET 9.0 RC2 packages on .NET 9.0.

  • The OpenIddict.MongoDb and OpenIddict.MongoDb.Models packages now reference MongoDB.Driver and MongoDB.Bson 3.0.0 and are now strong-named.


The third iteration of the C# MongoDB driver no longer supports .NET Standard 2.0 and requires .NET Framework 4.7.2 as the minimum version: OpenIddict users relying on the MongoDB integration and using the OpenIddict.MongoDb or OpenIddict.MongoDb.Models packages in projects targeting .NET Standard 2.0 or .NET Framework < 4.7.2 will need to update their projects when bumping OpenIddict to 6.0 preview 2.

  • A new "claims issuer" option has been added to the client and validation stacks to allow controlling the value OpenIddict uses to populate the Claim.Issuer and Claim.OriginalIssuer properties. This option is especially useful when using the OpenIddict client in legacy ASP.NET 4.6.2+ applications using ASP.NET Identity, since the Claim.Issuer property is directly reflected in the user interface:

```csharp
options.AddRegistration(new OpenIddictClientRegistration
{
    // ...

    Issuer = new Uri("https://localhost:44395/", UriKind.Absolute),
    ClaimsIssuer = "Local authorization server"
});
```

The same option is exposed by the web providers:

```csharp
options.UseWebProviders()
       .AddActiveDirectoryFederationServices(options =>
       {
           // ...
       });
```



To simplify migrating from the aspnet-contrib providers, the OpenIddict client now uses OpenIddictClientRegistration.ProviderName as the first fallback value when OpenIddictClientRegistration.ClaimsIssuer is not explicitly set (which is consistent with the pattern used in the OAuth 2.0-based social providers developed by Microsoft and the community).

If no provider name was set, the issuer URI is used as the claims issuer, as in previous versions.

  • To be consistent with the new "prompt values" naming introduced in OpenIddict 6.0 preview 1, the GetPrompts() and HasPrompt() extensions have been renamed to GetPromptValues() and HasPromptValue().


04 Oct 19:16
6.0.0-preview1 Pre-release

This release introduces the following changes:

  • OpenIddict 6.0 preview 1 now targets .NET 9.0 and references the .NET 9.0 RC1 packages on .NET 9.0 and higher.

  • The .NET 7.0 and .NET Framework 4.6.1 TFMs have been removed as these versions are no longer supported by Microsoft.


While most OpenIddict 6.0 packages can still be used on these versions thanks to their .NET Standard 2.0 or 2.1 TFMs, doing that is strongly discouraged and users are instead encouraged to migrate to .NET 8.0 and .NET Framework 4.6.2 (or higher).

  • Some of the server endpoints have been renamed in OpenIddict 6.0 to be more specific or more closely match the official names, which should reduce ambiguities and make migrating from other OAuth 2.0/OIDC stacks to OpenIddict easier:
    • Cryptography endpoint -> JSON Web Key Set endpoint.
    • Device endpoint -> Device authorization endpoint.
    • Logout endpoint -> End-session endpoint.
    • Userinfo endpoint -> UserInfo endpoint.
    • Verification endpoint -> End-user verification endpoint.


All the constants, builder methods, events and event handlers used by the OpenIddict client, core, server and validation stacks have been entirely updated to use the new names.

In most cases, reacting to this breaking change should be limited to just changing a few lines in your Startup file:

Endpoint URIs:

| OpenIddict 5.x | OpenIddict 6.x |
| --- | --- |
| options.SetCryptographyEndpointUris() | options.SetJsonWebKeySetEndpointUris() |
| options.SetDeviceEndpointUris() | options.SetDeviceAuthorizationEndpointUris() |
| options.SetLogoutEndpointUris() | options.SetEndSessionEndpointUris() |
| options.SetUserinfoEndpointUris() | options.SetUserInfoEndpointUris() |
| options.SetVerificationEndpointUris() | options.SetEndUserVerificationEndpointUris() |

Flows:

| OpenIddict 5.x | OpenIddict 6.x |
| --- | --- |
| options.AllowDeviceCodeFlow() | options.AllowDeviceAuthorizationFlow() |

Pass-through options:

| OpenIddict 5.x | OpenIddict 6.x |
| --- | --- |
| options.EnableLogoutEndpointPassthrough() | options.EnableEndSessionEndpointPassthrough() |
| options.EnableUserinfoEndpointPassthrough() | options.EnableUserInfoEndpointPassthrough() |
| options.EnableVerificationEndpointPassthrough() | options.EnableEndUserVerificationEndpointPassthrough() |

Endpoint permissions:

| OpenIddict 5.x | OpenIddict 6.x |
| --- | --- |
| OpenIddictConstants.Permissions.Endpoints.Device | OpenIddictConstants.Permissions.Endpoints.DeviceAuthorization |
| OpenIddictConstants.Permissions.Endpoints.Logout | OpenIddictConstants.Permissions.Endpoints.EndSession |


While not mandatory (as the permissions containing the old endpoint names are still fully functional in 6.x for backward compatibility), you can also update your applications table/database to use the new constant values (i.e. ept:device_authorization and ept:end_session instead of ept:device and ept:logout).

  • A whole new client authentication method negotiation logic was introduced in the OpenIddict client. As part of this change, complete support for mTLS in the client stack was also added to allow integrating with identity providers that require using tls_client_auth or self_signed_tls_client_auth.


If your X.509 client certificate - self-issued or not - includes the recommended "client authentication" extended key usage, you can directly attach it to OpenIddictClientRegistration.SigningCredentials: in this case, it will be automatically used by OpenIddict if the remote server supports tls_client_auth or self_signed_tls_client_auth. If it doesn't, OpenIddict will automatically use the private key it contains to build a client assertion if the server supports private_key_jwt.

```csharp
options.AddRegistration(new OpenIddictClientRegistration
{
    // ...

    SigningCredentials =
    {
        new X509SigningCredentials(certificate)
    }
});
```

If your client certificate doesn't include the "client authentication" extended key usage, OpenIddict won't automatically use it for mTLS-based authentication. In this case, you'll need to use the OpenIddictClientSystemNetHttpBuilder.SetSelfSignedTlsClientAuthenticationCertificateSelector() or OpenIddictClientSystemNetHttpBuilder.SetTlsClientAuthenticationCertificateSelector() APIs to register a custom certificate selector.


Web providers known to support mTLS - like Keycloak, that supports tls_client_auth but not self_signed_tls_client_auth - or client assertions now offer options.SetSigningCertificate() and/or options.SetSigningKey() APIs that can be used to easily register a certificate/key:

```csharp
options.UseWebProviders()
       .AddKeycloak(options =>
       {
           // ...

           // Register the X.509 certificate used for mTLS or client assertions.
           options.SetSigningCertificate(certificate);
       });
```
  • For consistency, mTLS support was also added to the validation stack for introspection requests sent to a server implementation that offers mTLS support.

  • New RevokeByApplicationIdAsync()/RevokeBySubjectAsync() APIs modeled after the existing RevokeByAuthorizationIdAsync() API have been added to the authorization/token managers/stores to allow revoking authorizations and tokens based on a given application identifier or user identifier more efficiently.
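As an added example (not part of the release notes or of OpenIddict itself), the merged RevokeAsync() API from preview 3 and the RevokeBySubjectAsync() API above combined into a hypothetical incident-response helper that cuts off a compromised account. It assumes that RevokeBySubjectAsync() and RevokeAsync() both return the number of revoked entries as a long, and that null filter parameters act as wildcards, as the preview 3 notes describe.

```csharp
using System.Threading;
using System.Threading.Tasks;
using OpenIddict.Abstractions;
using static OpenIddict.Abstractions.OpenIddictConstants;

// Hypothetical helper (not part of OpenIddict): revoke everything a compromised user owns.
public sealed class CompromisedAccountService
{
    private readonly IOpenIddictAuthorizationManager _authorizationManager;
    private readonly IOpenIddictTokenManager _tokenManager;

    public CompromisedAccountService(
        IOpenIddictAuthorizationManager authorizationManager,
        IOpenIddictTokenManager tokenManager)
    {
        _authorizationManager = authorizationManager;
        _tokenManager = tokenManager;
    }

    public async Task<(long Authorizations, long Tokens)> RevokeAllAsync(
        string subject, CancellationToken cancellationToken = default)
    {
        // Step 1: revoke the user's authorizations across all clients in one query,
        // so refresh tokens bound to them can no longer be redeemed.
        // Assumed to return the number of revoked authorizations.
        long authorizations = await _authorizationManager.RevokeBySubjectAsync(subject, cancellationToken);

        // Step 2: revoke every still-active token of the user, whatever its client or type.
        // Passing null for client and type uses them as wildcards; filtering on Statuses.Active
        // avoids touching tokens that are already redeemed, revoked or rejected.
        long tokens = await _tokenManager.RevokeAsync(
            subject: subject,
            client: null,
            status: Statuses.Active,
            type: null,
            cancellationToken: cancellationToken);

        return (authorizations, tokens);
    }
}
```

Returning both counts lets the caller log how much state was actually invalidated, which is useful evidence when the revocation is part of an incident timeline.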

  • The OpenIddict server now fully supports the Initiating User Registration via OpenID Connect specification: it will now validate the prompt parameter to ensure the value is supported and return the supported values in the server configuration document using the new standard prompt_values_supported node. See #2197 for more information.


As part of this change, the OpenIddictConstants.Prompts class was renamed to OpenIddictConstants.PromptValues to match the name used in this specification.


22 Aug 09:13

This release introduces the following changes:

  • The OpenIddict client system integration now natively supports Android API 21+ (Android 5.0 and higher), iOS 12.0+, macOS 10.15+ and Mac Catalyst 13.1+. See Operating systems integration for more information.

  • Behavior change: the OpenIddict.Client.SystemIntegration package was updated to produce shorter default pipe names (which is required on macOS where strict length restrictions are enforced).

  • The OpenIddict.Client.SystemNetHttp and OpenIddict.Validation.SystemNetHttp packages have been updated to anticipate a breaking change introduced in the 9.0 version of Microsoft.Extensions.Http. See dotnet/runtime#35987 (comment) for more information.

  • 6 new web providers were added to OpenIddict.Client.WebIntegration:

    • Airtable
    • Calendly
    • Pipedrive
    • Typeform
    • Twitch (thanks @mbaumanndev! ❤️)
    • Zoho
  • OpenIddict now uses Microsoft.IdentityModel 8.x on .NET 8.0 and higher.

  • The OpenIddict.EntityFramework package now uses EntityFramework 6.5.1 as the minimum version.


15 Aug 19:06

This release introduces the following changes:

  • The LinkedIn integration was updated to react to a breaking change introduced by LinkedIn in their discovery document, which was causing an issuer validation error in the OpenIddict client due to the issuer being changed from to (thanks @DovydasNavickas! ❤️).


If your code relies on the issuer identity, make sure you update your code/database to use instead of