Releases: openiddict/openiddict-core

4.0.0-preview3

22 Aug 17:50
Pre-release

This release introduces native support for relying party-initiated logout in the new OpenIddict client and updates the server stack to support the new (optional) client_id parameter introduced by the OpenID Connect RP-Initiated Logout 1.0 - draft 03 specification. While it's not supported yet by most client stacks (including the Microsoft OIDC handler for ASP.NET Core), it's now fully implemented in the OpenIddict client, which will become the recommended option for ASP.NET applications once it reaches RTM.

4.0.0-preview2

18 Jul 16:45
Pre-release

This release fixes a regression specific to 4.0.0-preview1 that affected the OpenIddict validation ASP.NET Core and OWIN hosts and prevented tokens specified in query strings and request forms from being correctly extracted (tokens specified in the Authorization header could still be extracted properly).

As part of this release, the OpenIddict.Client.SystemNetHttp and OpenIddict.Validation.SystemNetHttp packages were updated to explicitly reference the latest Polly.Extensions.Http version to resolve a breaking change introduced between Polly 6.x and 7.x that caused a runtime issue in .NET Framework applications using Polly 7.x instead of Polly 6.x (e.g. because a recent version of Microsoft.Extensions.Http.Polly was explicitly referenced by the application).

This release also bumps the referenced MongoDB C# driver package and introduces various improvements - including a breaking change - in the OpenIddict MongoDB entities. For more information, read #1487.

4.0.0-preview1

22 Jun 17:30
Pre-release

For more information about this release, read OpenIddict 4.0 preview1 is out.

3.1.1

27 Aug 10:41

This release addresses a minor issue that caused access tokens to be validated twice when using the pass-through mode for the userinfo endpoint if the userinfo endpoint was decorated with [Authorize(AuthenticationSchemes = OpenIddictServerAspNetCoreDefaults.AuthenticationScheme)] or called HttpContext.AuthenticateAsync(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme).

3.1.0

08 Jul 12:56

This release focuses on reducing logging overhead by changing the log level of most errors caused by users/client applications from Error to Information. For more information about this change, read #1205.

3.0.5

11 Jun 15:14

This minor release fixes a bug that prevented the pass-through mode from working properly for the logout endpoint in the OpenIddict server OWIN host. For more information, read #1263.

3.0.4

10 May 18:05

This minor release fixes a bug impacting scenarios using absolute URLs for the OpenIddict endpoints (relative paths like /connect/token were not affected). For more information, read #1255.

Starting with 3.0.4, both the ASP.NET Core and OWIN hosts now populate the AuthenticationProperties.IssuedUtc and AuthenticationProperties.ExpiresUtc properties to match OpenIddict 2.x's behavior.

This release also updates the authorization manager to ensure the CreateAsync() overload that doesn't take a descriptor parameter automatically attaches a creation date to the resulting authorization.

3.0.3

07 Apr 11:45

This minor release fixes a bug impacting an edge case where a client application is configured to require PKCE but is also allowed to use the implicit flow (a flow that can't support PKCE by definition). While not recommended, applications created with the PKCE requirement can now use the implicit flow if they have been granted the response_type=id_token, response_type=token or response_type=id_token token response type permissions.

This release also includes a workaround for Oracle MySQL users (for more information, read #1234).

3.0.2

10 Mar 14:50

This minor release fixes a bug in the authorizations/tokens pruning logic used in the EF 6/EF Core stores and improves the development encryption/signing certificates mechanism to prevent an exception from being thrown when multiple certificates with the same name are generated concurrently by different applications.

To ensure OpenIddict-based applications don't use a version impacted by CVE-2021-26701, this release also updates the OpenIddict.Abstractions package to explicitly reference the latest patched version of System.Text.Encodings.Web. For more information, read dotnet/announcements#178.

3.0.1

08 Feb 15:23

This minor release downgrades the minimum MongoDB version referenced by the OpenIddict MongoDB integration packages. For more information, see Downgrade MongoDB to 2.10.4.