# Releases: openiddict/openiddict-core

## 4.4.0

This release introduces the following changes:

- Due to a breaking change in Microsoft's IdentityModel library causing issues in applications using OpenIddict and ASP.NET Core's OIDC/JWT bearer handlers, the IdentityModel dependencies were downgraded to 6.25.1. For more information, see #1766 and AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#2059.
- Breaking behavior change: the LinkedIn integration was updated to target the new OpenID Connect-based service introduced earlier this year. Developers who use the LinkedIn integration are invited to ensure the "Sign In with LinkedIn V2" service is enabled for all their LinkedIn applications before migrating to OpenIddict 4.4.0.

  > **Warning**
  > If applicable, developers are also invited to review and update their code to use the standard OpenID Connect claims returned by the new LinkedIn userinfo endpoint instead of the custom claims that were previously returned when targeting the OAuth 2.0-only service. To avoid a binary breaking change, the `Fields` option wasn't removed but is now obsolete and will be removed in a future major version.
- Facebook is now supported by the OpenIddict web integration package (thanks @runxc1 for your contribution! ❤️)
- The Microsoft Account provider was updated to support the special "consumers" and "organizations" tenants and disable userinfo retrieval when an Xbox scope was requested.
## 4.3.0

This release introduces the following changes:

- Preview support for the device authorization grant was added to the OpenIddict client stack, whose `OpenIddictClientService` now offers dedicated `ChallengeUsingDeviceAsync()`/`AuthenticateWithDeviceAsync()` APIs:

  ```csharp
  // Ask OpenIddict to send a device authorization request and write
  // the complete verification endpoint URI to the console output.
  var response = await _service.ChallengeUsingDeviceAsync("Local", cancellationToken: stoppingToken);

  if (response.VerificationUriComplete is not null)
  {
      AnsiConsole.MarkupLineInterpolated(
          $"[yellow]Please visit [link]{response.VerificationUriComplete}[/] and confirm the displayed code is '{response.UserCode}' to complete the authentication demand.[/]");
  }

  else
  {
      AnsiConsole.MarkupLineInterpolated(
          $"[yellow]Please visit [link]{response.VerificationUri}[/] and enter '{response.UserCode}' to complete the authentication demand.[/]");
  }

  // Stop polling once the device code expires (or after 5 minutes, whichever comes first).
  using var cancellationTokenSource = CancellationTokenSource.CreateLinkedTokenSource(stoppingToken);
  cancellationTokenSource.CancelAfter(response.ExpiresIn < TimeSpan.FromMinutes(5) ?
      response.ExpiresIn : TimeSpan.FromMinutes(5));

  // Wait for the user to complete the demand on the other device.
  (_, var principal) = await _service.AuthenticateWithDeviceAsync("Local",
      response.DeviceCode, cancellationToken: cancellationTokenSource.Token);
  ```
- The GitHub and Google integrations were updated to allow using the device authorization grant with these providers.
- PingOne was added to the list of supported providers.
- New `ConfigureHttpClient()` and `ConfigureHttpClientHandler()` APIs have been added to the System.Net.Http integration packages to allow customizing the HTTP clients and HTTP client handlers used by the OpenIddict client and validation services:

  ```csharp
  options.UseSystemNetHttp()
      .ConfigureHttpClient(client => client.DefaultRequestHeaders.Add("Custom-Header", "Custom-Value"))
      .ConfigureHttpClientHandler(handler =>
      {
          // Note: this validator accepts any server certificate, which disables TLS
          // authentication of the remote authorization server. Reserve it for local development.
          handler.ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;
      });
  ```
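As an added example (not OpenIddict's own code), the same `ConfigureHttpClientHandler()` hook can keep TLS server authentication enabled while tolerating a single pinned development certificate, instead of accepting any certificate with `DangerousAcceptAnyServerCertificateValidator`. It assumes `options` is the same OpenIddict client or validation builder as in the snippet above, and the thumbprint value is a placeholder.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example, not part of OpenIddict: the thumbprint below is a placeholder and must be
// replaced by the SHA-1 thumbprint of the self-signed certificate used by the local server.
const string DevelopmentCertificateThumbprint = "0000000000000000000000000000000000000000";

bool ValidateServerCertificate(
    HttpRequestMessage request,
    X509Certificate2? certificate,
    X509Chain? chain,
    SslPolicyErrors errors)
{
    // Certificates that pass the default chain and host name validation are accepted as usual.
    if (errors == SslPolicyErrors.None)
    {
        return true;
    }

    // Only tolerate chain errors (e.g. an untrusted self-signed issuer): a host name mismatch
    // or a missing certificate is always rejected, even for the pinned development certificate.
    if (errors != SslPolicyErrors.RemoteCertificateChainErrors || certificate is null)
    {
        return false;
    }

    // Accept the remaining chain error only for the one known development certificate.
    return string.Equals(certificate.Thumbprint, DevelopmentCertificateThumbprint,
        StringComparison.OrdinalIgnoreCase);
}

options.UseSystemNetHttp()
    .ConfigureHttpClientHandler(handler =>
    {
        handler.ServerCertificateCustomValidationCallback = ValidateServerCertificate;
    });
```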
- The validation stack was optimized to avoid resolving the server configuration when no access token was sent (thanks @2d1a0ec3! ❤️).
- To improve the developer experience, exceptions thrown while trying to retrieve the server configuration are now caught by the OpenIddict validation handler and surfaced by the ASP.NET Core and OWIN hosts as `WWW-Authenticate: Bearer error="server_error", error_description="The remote authorization server is currently unavailable or returned an invalid configuration.", error_uri="https://documentation.openiddict.com/errors/ID2170"` errors.
- `DbContextOptionsBuilder<TContext>` helpers have been added to the EF Core stores (thanks @verdie-g! ❤️)
## 4.2.0

This release introduces the following changes:

- 26 new providers were added to the `OpenIddict.Client.WebIntegration` package (that now offers a total of 45 OAuth 2.0/OpenID Connect integrations!):

  | Provider name | Provider name |
  |---|---|
  | ArcGIS Online | Mailchimp |
  | Asana | Patreon |
  | Basecamp | QuickBooks Online |
  | Battle.net | ServiceChannel |
  | Bitbucket | Slack |
  | DeviantArt | Smartsheet |
  | Discord | Spotify |
  | Dropbox | Strava |
  | Epic Games | Streamlabs |
  | Fitbit | SuperOffice |
  | GitLab | Trovo |
  | Harvest | Vimeo |
  | HubSpot | Xero |
- An issue affecting the `OpenIddict.Validation.ServerIntegration` package identified and reported by @SebastianStehle – who maintains the Squidex and Notifo projects – was fixed (see #1739 for more information). Thanks Sebastian! ❤️
- A new `OpenIddictServerBuilder.SetIssuer()` overload accepting a `string` instance was introduced to make the API consistent with the `OpenIddictServerBuilder.Set*EndpointUris()` methods.
- The `OpenIddict.Client.SystemNetHttp` and `OpenIddict.Validation.SystemNetHttp` packages now support JSON Structured Syntax Suffixes (defined in RFC 6839) for increased interoperability.
## 4.1.0

This release introduces the following changes:

- A new `OpenIddict.Client.SystemIntegration` package is now offered to easily use the OpenIddict client in Windows and Linux desktop applications. For more information, see Introducing system integration support for the OpenIddict client.
- Active Directory Federation Services (Windows 2016+) and Stripe Connect support has been added to `OpenIddict.Client.WebIntegration`.
- The stricter `id_token_hint` validation rules introduced in OpenIddict 4.0 have been relaxed to avoid rejecting authorization and logout requests that specify invalid token hints (e.g. identity tokens whose database entry has been pruned and no longer exists). See #1649 (comment) for more information.
- A workaround has been added to allow the compromised tokens revocation logic to work with the Pomelo MySQL provider (see #1658 for more information).
## 4.0.0

For more information about this release, read OpenIddict 4.0 general availability.
## 4.0.0-rc2

This RC release introduces the following changes:

- The `System.Net.Http` integration packages for the client and validation stacks now support specifying an e-mail address that will be used in the `From` header of backchannel requests (for more information about the `From` HTTP request header, read https://datatracker.ietf.org/doc/html/rfc9110#section-10.1.2):

  ```csharp
  options.UseSystemNetHttp()
      .SetContactAddress("[email protected]")
      .SetProductInformation(typeof(Startup).Assembly);
  ```
- An issue affecting the ASP.NET Core Data Protection integration and device authorization codes was identified and fixed.
- An issue affecting the `OpenIddictExtensions.AddClaims()` extension and preventing userinfo and introspection responses containing complex JSON nodes in top-level array claims from being properly handled was identified and fixed (thanks @danbluhmhansen! ❤️)
## 4.0.0-rc1

This RC release introduces the following changes:

- While initially planned for OpenIddict 5.0, modifications introducing breaking behavior changes in the URIs handling will finally ship as part of 4.0. Since these changes affect how endpoint URIs are configured, returned and resolved, users are invited to read #1613 before migrating to OpenIddict 4.0 RC1.
- Relative redirect/post-logout-redirect URIs are now supported by the client stack, for both custom client registrations and web provider integrations:

  ```csharp
  options.UseWebProviders()
      .UseGitHub(options =>
      {
          // ...
          options.SetRedirectUri("callback/login/github");
      });
  ```
- The client stack now requires enabling flows explicitly (exactly like the server stack), which allows offering better exceptions on misconfigurations and avoids requiring registering signing/encryption credentials when only non-interactive flows like `password` or `client_credentials` are used:

  ```csharp
  options.AllowAuthorizationCodeFlow()
      .AllowRefreshTokenFlow();
  ```
- By default, the client stack now aborts challenge operations that are triggered from non-HTTPS pages with an exception message indicating that things may not work properly due to SameSite constraints when using HTTP instead of HTTPS. While not recommended, the client offers the same `DisableTransportSecurityRequirement()` option as the server stack to disable the HTTPS requirement.

  ```csharp
  options.UseAspNetCore()
      .DisableTransportSecurityRequirement();
  ```

  ```csharp
  options.UseOwin()
      .DisableTransportSecurityRequirement();
  ```
- New provider integrations have been added to `OpenIddict.Client.WebIntegration`:
  - Amazon Cognito (thanks @emanuelecastelli! ❤️)
  - Mixcloud
  - Trakt
  - WordPress
  - Yahoo
- The definitions of the existing providers have been updated to allow using the `refresh_token` flow for the providers that support it. Built-in support for the Google `access_type` and Reddit `duration` custom parameters has also been added to allow retrieving refresh tokens.
- References to `URL` or `address(es)` have been replaced by more generic `URI`/`uri(s)` references. While not mandatory, maintainers of third-party stores/DB integrations are invited to update their implementation of `IOpenIddictApplicationStore` to use `uri` and `uris` instead of `address` and `addresses` to match the new names used by OpenIddict.
## 4.0.0-preview6

This preview release introduces the following changes:

- The public APIs offered by `OpenIddictClientService` have been reworked to be much easier to use with the client credentials, resource owner password credentials and refresh token grants:

  ```csharp
  using Microsoft.Extensions.DependencyInjection;
  using OpenIddict.Client;

  var services = new ServiceCollection();
  services.AddOpenIddict()
      .AddClient(options =>
      {
          options.AddEphemeralEncryptionKey()
                 .AddEphemeralSigningKey();

          options.DisableTokenStorage();

          options.UseSystemNetHttp();

          options.AddRegistration(new OpenIddictClientRegistration
          {
              // The registered issuer must match the issuer passed to AuthenticateWithPasswordAsync() below.
              Issuer = new Uri("https://localhost:58779/", UriKind.Absolute)
          });
      });

  await using var provider = services.BuildServiceProvider();

  var service = provider.GetRequiredService<OpenIddictClientService>();
  var (response, principal) = await service.AuthenticateWithPasswordAsync(
      issuer: new Uri("https://localhost:58779/", UriKind.Absolute),
      username: "johndoe",
      password: "A3ddj3w");

  var token = response.AccessToken;
  ```
- `Portable.BouncyCastle` was replaced by the official `BouncyCastle.Cryptography` package (that shipped yesterday with native .NET Standard 2.0 support). It is expected that applications referencing both the `Portable.BouncyCastle` and `BouncyCastle.Cryptography` packages - directly or indirectly - will experience type conflicts, but such conflicts should eventually disappear once all libraries are updated to use `BouncyCastle.Cryptography`.
- Most of the infrastructure types that are not meant to be derived/subclassed have been marked as `sealed` and decorated with `[EditorBrowsable(EditorBrowsableState.Advanced)]` or `[EditorBrowsable(EditorBrowsableState.Never)]` to make finding adequate hooks easier for third-party maintainers. Managers and stores - that are designed to be derived when necessary - are not affected by this change.
- New `ClaimsIdentity/ClaimsPrincipal.AddClaim/SetClaim()` overloads accepting `bool` and `long` values have been added.
- A regression introduced in the last preview that prevented the device authorization code flow from working properly has been fixed (thanks to the ABP team for reporting it! ❤️)
- The Quartz.NET integration was tweaked to work better in clustered environments (thanks @Suchiman!).
## 4.0.0-preview5

This release focuses on adding official .NET 7.0 support to OpenIddict 4.x and improving the nonce and request forgery protection implementation of the new OpenIddict client stack. As part of this release, Deezer has also been added to the list of supported providers.

Starting in 4.0 preview5, advanced users can override the default implementations (provided by the .NET BCL by default) of the cryptographic algorithms used internally by OpenIddict via the `CryptoConfig.AddAlgorithm(Type, String[])` API. Doing so was already possible on .NET Framework in previous versions, but is now supported on all TFMs - including .NET Core and .NET - thanks to a new approach. For more information, read #1556.

This release also fixes a bug that affected the revamped `ClaimsIdentity/ClaimsPrincipal.SetClaim(s)` extensions taking a `JsonElement` parameter and that impacted scenarios using the ASP.NET Core Data Protection integration (thanks @trejjam! ❤️).

## 4.0.0-preview4

This release focuses on improving the new `OpenIddict.Client.WebIntegration` package by introducing built-in `Microsoft.Extensions.Options` support to configure the provider settings and allowing opt-in HTTP decompression for the providers that require it.

With Keycloak, LinkedIn, PayPal and StackExchange being added in preview4, `OpenIddict.Client.WebIntegration` now offers 10 provider integrations. To simplify registering the ECDSA signing key required for client authentication, the Apple provider now exposes `options.SetSigningKey()` overloads accepting PEM-encoded keys (the format used by Apple).

As part of this release, the `OpenIddict.Client.SystemNetHttp` and `OpenIddict.Validation.SystemNetHttp` packages were also updated to allow configuring a `ProductInformation` property containing the name and version of the application optionally sent to the remote server as part of the `User-Agent` header, which can be useful when dealing with providers that require specifying a user agent (e.g. Reddit).