Bump AspNetCore.Identity.MongoDbCore and 6 others

[dependabot]

Updated AspNetCore.Identity.MongoDbCore from 3.1.2 to 6.0.0.

Release notes

Sourced from AspNetCore.Identity.MongoDbCore's releases.

6.0.0

• Target .net6
• Upgraded dependency MongoDbGenericRepository to version 1.6.2 (with MongoDB driver 2.28)
• Fix tests - big thanks to Upgrade Package to dotnet 6 alexandre-spieser/AspNetCore.Identity.MongoDbCore#58 for making the upgrade super smooth.

Commits viewable in compare view.

Updated Microsoft.AspNetCore.Authentication.OpenIdConnect from 7.0.2 to 8.0.18.

Release notes

Sourced from Microsoft.AspNetCore.Authentication.OpenIdConnect's releases.

8.0.18

Release

What's Changed

• Update branding to 8.0.18 by @​vseanreesermsft in Update branding to 8.0.18 dotnet/aspnetcore#62241
• [release/8.0] Update Alpine helix references by @​github-actions in [release/8.0] Update Alpine helix references dotnet/aspnetcore#62243
• [release/8.0] (deps): Bump src/submodules/googletest from 04ee1b4 to e9092b1 by @​dependabot in [release/8.0] (deps): Bump src/submodules/googletest from 04ee1b4 to e9092b1 dotnet/aspnetcore#62201
• [8.0] Delete src/arcade directory by @​akoeplinger in [8.0] Delete src/arcade directory dotnet/aspnetcore#61994
• [Backport 8.0] [IIS] Manually parse exe bitness (#​61894) by @​BrennanConroy in [Backport 8.0] [IIS] Manually parse exe bitness (#61894) dotnet/aspnetcore#62037
• [release/8.0] Update dependencies from dotnet/source-build-reference-packages by @​dotnet-maestro in [release/8.0] Update dependencies from dotnet/source-build-reference-packages dotnet/aspnetcore#62006
• [release/8.0] Update dependencies from dotnet/arcade by @​dotnet-maestro in [release/8.0] Update dependencies from dotnet/arcade dotnet/aspnetcore#61944
• [release/8.0] Associate tagged keys with entries so replacements are not evicted by @​github-actions in [release/8.0] Associate tagged keys with entries so replacements are not evicted dotnet/aspnetcore#62247
• [release/8.0] Block test that is failing after switching to latest-chrome by @​github-actions in [release/8.0] Block test that is failing after switching to latest-chrome dotnet/aspnetcore#62284
• backport(net8.0): http.sys on-demand TLS client hello retrieval by @​DeagleGross in backport(net8.0): http.sys on-demand TLS client hello retrieval dotnet/aspnetcore#62290
• Merging internal commits for release/8.0 by @​vseanreesermsft in Merging internal commits for release/8.0 dotnet/aspnetcore#62302

Full Changelog: dotnet/aspnetcore@v8.0.17...v8.0.18

8.0.17

Bug Fixes

• Forwarded Headers Middleware: Ignore X-Forwarded-Headers from Unknown Proxy (#​61623)
  The Forwarded Headers Middleware now ignores X-Forwarded-Headers sent from unknown proxies. This change improves security by ensuring that only trusted proxies can influence the forwarded headers, preventing potential spoofing or misrouting of requests.

Dependency Updates

• Update dependencies from dotnet/arcade (#​61832)
  This update brings in the latest changes from the dotnet/arcade repository, ensuring that ASP.NET Core benefits from recent improvements, bug fixes, and security patches in the shared build infrastructure.

• Bump src/submodules/googletest from 52204f7 to 04ee1b4 (#​61761)
  The GoogleTest submodule has been updated to a newer commit, providing the latest testing features, bug fixes, and performance improvements for the project's C++ test components.

Miscellaneous

• Update branding to 8.0.17 (#​61830)
  The project version branding has been updated to reflect the new 8.0.17 release, ensuring consistency across build outputs and documentation.

• Merging internal commits for release/8.0 (#​61924)
  This change merges various internal commits into the release/8.0 branch, incorporating minor fixes, documentation updates, and other non-user-facing improvements to keep the release branch up to date.

---

This summary is generated and may contain inaccuracies. For complete details, please review the linked pull requests.

Full Changelog: dotnet/aspnetcore@v8.0.16...v8.0.17

8.0.16

Release

What's Changed

• Update branding to 8.0.16 by @​vseanreesermsft in Update branding to 8.0.16 dotnet/aspnetcore#61283
• [release/8.0] (deps): Bump src/submodules/googletest from 24a9e94 to 52204f7 by @​dependabot in [release/8.0] (deps): Bump src/submodules/googletest from 24a9e94 to 52204f7 dotnet/aspnetcore#61260
• [release/8.0] Update dependencies from dotnet/source-build-externals by @​dotnet-maestro in [release/8.0] Update dependencies from dotnet/source-build-externals dotnet/aspnetcore#61281
• [release/8.0] Upgrade to Ubuntu 22 by @​wtgodbe in [release/8.0] Upgrade to Ubuntu 22 dotnet/aspnetcore#61216
• [release/8.0] Update dependencies from dotnet/arcade by @​dotnet-maestro in [release/8.0] Update dependencies from dotnet/arcade dotnet/aspnetcore#60901
• [release/8.0] Update dependencies from dotnet/source-build-reference-packages by @​dotnet-maestro in [release/8.0] Update dependencies from dotnet/source-build-reference-packages dotnet/aspnetcore#60926
• [release/8.0] Update dependencies from dotnet/arcade by @​dotnet-maestro in [release/8.0] Update dependencies from dotnet/arcade dotnet/aspnetcore#61404
• Merging internal commits for release/8.0 by @​vseanreesermsft in Merging internal commits for release/8.0 dotnet/aspnetcore#61398
• [release/8.0] Update dependencies from dotnet/arcade by @​dotnet-maestro in [release/8.0] Update dependencies from dotnet/arcade dotnet/aspnetcore#61411
• Revert "Revert "[release/8.0] Update remnants of azureedge.net"" by @​wtgodbe in Revert "Revert "[release/8.0] Update remnants of azureedge.net"" dotnet/aspnetcore#60352
• [release/8.0] Fix preserving messages for stateful reconnect with backplane by @​BrennanConroy in [release/8.0] Fix preserving messages for stateful reconnect with backplane dotnet/aspnetcore#61375
• [release/8.0] Update dependencies from dotnet/source-build-reference-packages by @​dotnet-maestro in [release/8.0] Update dependencies from dotnet/source-build-reference-packages dotnet/aspnetcore#61442
• fetch TLS client hello message from HTTP.SYS by @​BrennanConroy in fetch TLS client hello message from HTTP.SYS dotnet/aspnetcore#61494

Full Changelog: dotnet/aspnetcore@v8.0.15...v8.0.16

8.0.15

Release

What's Changed

• [release/8.0] Update dependencies from dotnet/arcade by @​dotnet-maestro in [release/8.0] Update dependencies from dotnet/arcade dotnet/aspnetcore#60355
• Update branding to 8.0.15 by @​vseanreesermsft in Update branding to 8.0.15 dotnet/aspnetcore#60784
• Add partitioned to cookie for SignalR browser testing by @​BrennanConroy in Add partitioned to cookie for SignalR browser testing dotnet/aspnetcore#60728
• [release/8.0] (deps): Bump src/submodules/googletest from e235eb3 to 24a9e94 by @​dependabot in [release/8.0] (deps): Bump src/submodules/googletest from e235eb3 to 24a9e94 dotnet/aspnetcore#60677
• Merging internal commits for release/8.0 by @​vseanreesermsft in Merging internal commits for release/8.0 dotnet/aspnetcore#60879

Full Changelog: dotnet/aspnetcore@v8.0.14...v8.0.15

8.0.14

Release

What's Changed

• Update branding to 8.0.14 by @​vseanreesermsft in Update branding to 8.0.14 dotnet/aspnetcore#60197
• [release/8.0] (deps): Bump src/submodules/googletest from 7d76a23 to e235eb3 by @​dependabot in [release/8.0] (deps): Bump src/submodules/googletest from 7d76a23 to e235eb3 dotnet/aspnetcore#60150
• [release/8.0] Fix java discovery in IdentityModel pipeline by @​wtgodbe in [release/8.0] Fix java discovery in IdentityModel pipeline dotnet/aspnetcore#60075
• [release/8.0] Update dependencies from dotnet/source-build-externals by @​dotnet-maestro in [release/8.0] Update dependencies from dotnet/source-build-externals dotnet/aspnetcore#60199
• [release/8.0] Update dependencies from dotnet/source-build-reference-packages by @​dotnet-maestro in [release/8.0] Update dependencies from dotnet/source-build-reference-packages dotnet/aspnetcore#59922
• [release/8.0] Readd DiagnosticSource to KestrelServerImpl by @​github-actions in [release/8.0] Readd DiagnosticSource to KestrelServerImpl dotnet/aspnetcore#60203
• [release/8.0] Update to MacOS 15 in Helix by @​github-actions in [release/8.0] Update to MacOS 15 in Helix dotnet/aspnetcore#60239
• [release/8.0] Use the latest available JDK by @​wtgodbe in [release/8.0] Use the latest available JDK dotnet/aspnetcore#60233
• [release/8.0] Fix skip condition for java tests by @​github-actions in [release/8.0] Fix skip condition for java tests dotnet/aspnetcore#60243
• [release/8.0] Update list of helix queues to skip by @​wtgodbe in [release/8.0] Update list of helix queues to skip dotnet/aspnetcore#60231
• [release/8.0] [Blazor] Allow cascading value subscribers to get added and removed during change notification by @​github-actions in [release/8.0] [Blazor] Allow cascading value subscribers to get added and removed during change notification dotnet/aspnetcore#57288
• [release/8.0] Update remnants of azureedge.net by @​sebastienros in [release/8.0] Update remnants of azureedge.net dotnet/aspnetcore#60264
• [release/8.0] Centralize on one docker container by @​wtgodbe in [release/8.0] Centralize on one docker container dotnet/aspnetcore#60299
• Revert "[release/8.0] Update remnants of azureedge.net" by @​wtgodbe in Revert "[release/8.0] Update remnants of azureedge.net" dotnet/aspnetcore#60324
• Merging internal commits for release/8.0 by @​vseanreesermsft in Merging internal commits for release/8.0 dotnet/aspnetcore#60316

Full Changelog: dotnet/aspnetcore@v8.0.13...v8.0.14

8.0.13

Release

What's Changed

• [release/8.0] Update dotnetbuilds CDN to new endpoint by @​mmitche in [release/8.0] Update dotnetbuilds CDN to new endpoint dotnet/aspnetcore#59575
• Update branding to 8.0.13 by @​vseanreesermsft in Update branding to 8.0.13 dotnet/aspnetcore#59756
• [release/8.0] Skip MVC template tests on HelixQueueArmDebian12 by @​wtgodbe in [release/8.0] Skip MVC template tests on HelixQueueArmDebian12 dotnet/aspnetcore#59295
• [release/8.0] Update OSX helix queue by @​github-actions in [release/8.0] Update OSX helix queue dotnet/aspnetcore#59742
• [release/8.0] (deps): Bump src/submodules/googletest from d144031 to 7d76a23 by @​dependabot in [release/8.0] (deps): Bump src/submodules/googletest from d144031 to 7d76a23 dotnet/aspnetcore#59678
• [release/8.0] Skip tests on internal queues too by @​github-actions in [release/8.0] Skip tests on internal queues too dotnet/aspnetcore#59579
• [release/8.0] Fix Kestrel host header mismatch handling when port in Url by @​BrennanConroy in [release/8.0] Fix Kestrel host header mismatch handling when port in Url dotnet/aspnetcore#59403
• Migrate off of Debian 11 by @​v-firzha in Migrate off of Debian 11 dotnet/aspnetcore#59584
• [release/8.0] Pin to S.T.J 8.0.5 in Analyzers by @​wtgodbe in [release/8.0] Pin to S.T.J 8.0.5 in Analyzers dotnet/aspnetcore#59777
• [release/8.0] [Blazor WASM standalone] Avoid caching index.html during development by @​github-actions in [release/8.0] [Blazor WASM standalone] Avoid caching index.html during development dotnet/aspnetcore#59349
• Update to Fedora 41 by @​BrennanConroy in Update to Fedora 41 dotnet/aspnetcore#59817
• [release/8.0] Update dependencies from dotnet/source-build-externals by @​dotnet-maestro in [release/8.0] Update dependencies from dotnet/source-build-externals dotnet/aspnetcore#59811
• [release/8.0] Update dependencies from dotnet/source-build-reference-packages by @​dotnet-maestro in [release/8.0] Update dependencies from dotnet/source-build-reference-packages dotnet/aspnetcore#59825
• [release/8.0] Update dependencies from dotnet/arcade by @​dotnet-maestro in [release/8.0] Update dependencies from dotnet/arcade dotnet/aspnetcore#59864
• [release/8.0] Fix/update docker tags by @​wtgodbe in [release/8.0] Fix/update docker tags dotnet/aspnetcore#59867
• Merging internal commits for release/8.0 by @​vseanreesermsft in Merging internal commits for release/8.0 dotnet/aspnetcore#59872

Full Changelog: dotnet/aspnetcore@v8.0.12...v8.0.13

8.0.12

Release

What's Changed

• Update branding to 8.0.12 by @​vseanreesermsft in Update branding to 8.0.12 dotnet/aspnetcore#58800
• [release/8.0] (deps): Bump src/submodules/googletest from 6dae7eb to 1204d63 by @​dependabot in [release/8.0] (deps): Bump src/submodules/googletest from 6dae7eb to 1204d63 dotnet/aspnetcore#58741
• Add scope for internal npm packages by @​BrennanConroy in Add scope for internal npm packages dotnet/aspnetcore#58512
• [release/8.0] Update dependencies from dotnet/source-build-externals by @​dotnet-maestro in [release/8.0] Update dependencies from dotnet/source-build-externals dotnet/aspnetcore#58477
• [release/8.0] Upgrade serialize-javascript transient dependency by @​MackinnonBuck in [release/8.0] Upgrade serialize-javascript transient dependency dotnet/aspnetcore#58466
• [release/8.0] Update Messagepack dependency by @​wtgodbe in [release/8.0] Update Messagepack dependency dotnet/aspnetcore#58676
• Merging internal commits for release/8.0 by @​vseanreesermsft in Merging internal commits for release/8.0 dotnet/aspnetcore#58898
• [release/8.0] Use MacOS-13 in CI by @​wtgodbe in [release/8.0] Use MacOS-13 in CI dotnet/aspnetcore#58549
• [release/8.0] Update dependencies from dotnet/arcade by @​dotnet-maestro in [release/8.0] Update dependencies from dotnet/arcade dotnet/aspnetcore#59065
• [release/8.0] Fix java discovery in helix-matrix by @​wtgodbe in [release/8.0] Fix java discovery in helix-matrix dotnet/aspnetcore#59181
• [release/8.0] Update dependencies from dotnet/roslyn by @​wtgodbe in [release/8.0] Update dependencies from dotnet/roslyn dotnet/aspnetcore#59184
• [release/8.0] (deps): Bump src/submodules/googletest from 1204d63 to d144031 by @​dependabot in [release/8.0] (deps): Bump src/submodules/googletest from 1204d63 to d144031 dotnet/aspnetcore#59033

Full Changelog: dotnet/aspnetcore@v8.0.11...v8.0.12

8.0.11

Release

What's Changed

• Update branding to 8.0.11 by @​vseanreesermsft in Update branding to 8.0.11 dotnet/aspnetcore#58198
• [release/8.0] (deps): Bump src/submodules/googletest from ff233bd to 6dae7eb by @​dependabot in [release/8.0] (deps): Bump src/submodules/googletest from ff233bd to 6dae7eb dotnet/aspnetcore#58180
• [release/8.0] Add explicit conversion for value-type returning handlers with filters by @​captainsafia in [release/8.0] Add explicit conversion for value-type returning handlers with filters dotnet/aspnetcore#57966
• [release/8.0] Stop using Mac 11 in Helix by @​wtgodbe in [release/8.0] Stop using Mac 11 in Helix dotnet/aspnetcore#58063
• [release/8.0] Enable TSA/Policheck by @​github-actions in [release/8.0] Enable TSA/Policheck dotnet/aspnetcore#58124
• [release/8.0] (deps): Bump src/submodules/MessagePack-CSharp from ecc4e18 to 9511905 by @​dependabot in [release/8.0] (deps): Bump src/submodules/MessagePack-CSharp from ecc4e18 to 9511905 dotnet/aspnetcore#58179
• [Backport] Http.Sys: Clean up Request parsing errors by @​BrennanConroy in [Backport] Http.Sys: Clean up Request parsing errors dotnet/aspnetcore#57819
• [release/8.0] Update the Microsoft.Identity.Web versions used by project templates by @​halter73 in [release/8.0] Update the Microsoft.Identity.Web versions used by project templates dotnet/aspnetcore#58229
• Add registry search for upgrade policy keys, update dependencies from Arcade by @​dotnet-maestro in Add registry search for upgrade policy keys, update dependencies from Arcade dotnet/aspnetcore#58278
• Merging internal commits for release/8.0 by @​vseanreesermsft in Merging internal commits for release/8.0 dotnet/aspnetcore#58300
• [release/8.0] Remove ProviderKey from Hosting Bundle by @​github-actions in [release/8.0] Remove ProviderKey from Hosting Bundle dotnet/aspnetcore#58294
• [release/8.0] Update dependencies from dotnet/source-build-externals by @​dotnet-maestro in [release/8.0] Update dependencies from dotnet/source-build-externals dotnet/aspnetcore#58352
• [release/8.0] Update dependencies from dotnet/arcade by @​dotnet-maestro in [release/8.0] Update dependencies from dotnet/arcade dotnet/aspnetcore#58347
• [release/8.0] Improve dev-certs export error message by @​amcasey in [release/8.0] Improve dev-certs export error message dotnet/aspnetcore#58470
• [release/8.0] Update dependencies from dotnet/arcade by @​dotnet-maestro in [release/8.0] Update dependencies from dotnet/arcade dotnet/aspnetcore#58474

Full Changelog: dotnet/aspnetcore@v8.0.10...v8.0.11

8.0.10

Release

8.0.8

Release

8.0.7

Release

8.0.6

Release

8.0.5

Release

What's Changed

• [release/8.0] Update dependencies from dotnet/source-build-externals by @​dotnet-maestro in [release/8.0] Update dependencies from dotnet/source-build-externals dotnet/aspnetcore#54744
• Update branding to 8.0.5 by @​vseanreesermsft in Update branding to 8.0.5 dotnet/aspnetcore#54907
• [release/8.0] Convert to 1ES templates by @​RussKie in [release/8.0] Convert to 1ES templates dotnet/aspnetcore#54660
• Increase logs and delays in CanLaunchPhotinoWebViewAndClickButton by @​Eilon in Increase logs and delays in CanLaunchPhotinoWebViewAndClickButton dotnet/aspnetcore#54608
• [release/8.0] (deps): Bump src/submodules/googletest from 31993df to 77afe8e by @​dependabot in [release/8.0] (deps): Bump src/submodules/googletest from 31993df to 77afe8e dotnet/aspnetcore#54872
• [release/8.0] Reduce helix-matrix timeout to 5 hours by @​github-actions in [release/8.0] Reduce helix-matrix timeout to 5 hours dotnet/aspnetcore#54778
• [release/8.0] Preserve RemoteAuthenticationContext during trimming if used in JS interop by @​halter73 in [release/8.0] Preserve RemoteAuthenticationContext during trimming if used in JS interop dotnet/aspnetcore#54655
• [release/8.0] Improve usage of Type.GetType when activating types in data protection by @​github-actions in [release/8.0] Improve usage of Type.GetType when activating types in data protection dotnet/aspnetcore#54762
• [release/8.0] Fix route analyzer performance with highly concatenated strings by @​github-actions in [release/8.0] Fix route analyzer performance with highly concatenated strings dotnet/aspnetcore#54763
• [release/8.0] Suppress .ps1 SDL errors by @​wtgodbe in [release/8.0] Suppress .ps1 SDL errors dotnet/aspnetcore#54915
• [release/8.0] Backport test fixes by @​MackinnonBuck in [release/8.0] Backport test fixes dotnet/aspnetcore#54912
• [release/8.0] Skip SpotBugs for now by @​wtgodbe in [release/8.0] Skip SpotBugs for now dotnet/aspnetcore#54952
• Merging internal commits for release/8.0 by @​vseanreesermsft in Merging internal commits for release/8.0 dotnet/aspnetcore#55034
• [release/8.0] Update dependencies from dotnet/arcade by @​dotnet-maestro in [release/8.0] Update dependencies from dotnet/arcade dotnet/aspnetcore#55061
• [release/8.0] Update Wix version by @​github-actions in [release/8.0] Update Wix version dotnet/aspnetcore#55101

Full Changelog: dotnet/aspnetcore@v8.0.4...v8.0.5

8.0.4

Release

8.0.3

Release

8.0.2

Release

8.0.1

Release

8.0.0

Release

8.0.0-rc.2.23480.2

Release

8.0.0-rc.1.23421.29

Release

8.0.0-preview.7.23375.9

Release

8.0.0-preview.6.23329.11

Release

8.0.0-preview.5.23302.2

Release

8.0.0-preview.4.23260.4

Release

8.0.0-preview.3.23177.8

Release

8.0.0-preview.2.23153.2

Release

8.0.0-preview.1.23112.2

Release

7.0.20

Release

7.0.19

Release

7.0.18

Release

7.0.17

Release

7.0.16

Release

7.0.15

Release

7.0.14

Release

What's Changed

• [release/7.0] Update jquery-validation to v1.19.5 by @​github-actions in [release/7.0] Update jquery-validation to v1.19.5 dotnet/aspnetcore#50483
• Merging internal commits for release/7.0 by @​vseanreesermsft in Merging internal commits for release/7.0 dotnet/aspnetcore#50660
• [release/7.0] Fix 6.0 SiteExtension version by @​wtgodbe in [release/7.0] Fix 6.0 SiteExtension version dotnet/aspnetcore#50708
• Update branding to 7.0.13 by @​vseanreesermsft in Update branding to 7.0.13 dotnet/aspnetcore#51116
• [release/7.0] (deps): Bump src/submodules/googletest from 8a6feab to e47544a by @​dependabot in [release/7.0] (deps): Bump src/submodules/googletest from 8a6feab to e47544a dotnet/aspnetcore#51051
• [release/7.0] Fix DragDrop_CanTrigger() flakiness by @​MackinnonBuck in [release/7.0] Fix DragDrop_CanTrigger() flakiness dotnet/aspnetcore#51141
• [release/7.0] Dispose CTS in HubConnection streaming by @​github-actions in [release/7.0] Dispose CTS in HubConnection streaming dotnet/aspnetcore#51138
• Merging internal commits for release/7.0 by @​vseanreesermsft in Merging internal commits for release/7.0 dotnet/aspnetcore#51266
• [release/7.0] Update dependencies from dotnet/arcade by @​dotnet-maestro in [release/7.0] Update dependencies from dotnet/arcade dotnet/aspnetcore#51327
• Update branding to 7.0.14 by @​vseanreesermsft in Update branding to 7.0.14 dotnet/aspnetcore#51479

Full Changelog: dotnet/aspnetcore@v7.0.13...v7.0.14

7.0.13

Release

7.0.12

Release

7.0.11

Release

7.0.10

Release

7.0.9

Release

7.0.8

Release

7.0.7

Release

7.0.5

Release

7.0.4

Release

7.0.3

Release

Commits viewable in compare view.

Updated OpenIddict.Abstractions from 4.0.0 to 7.0.0.

Release notes

Sourced from OpenIddict.Abstractions's releases.

7.0.0

For more information about this release, read OpenIddict 7.0 is out.

7.0.0-preview.4

This release introduces the following changes:

• The OAuth 2.0 Token Exchange specification - that was by far the most requested feature by the OpenIddict community - is now fully supported by the client and server stacks:

var result = await _service.AuthenticateWithTokenExchangeAsync(new() { ActorToken = actorToken, ActorTokenType = actorTokenType, CancellationToken = stoppingToken, ProviderName = "Local", RequestedTokenType = TokenTypeIdentifiers.AccessToken, SubjectToken = subjectToken, SubjectTokenType = subjectTokenType }); var token = result.IssuedToken; var type = result.IssuedTokenType;

[HttpPost("~/connect/token"), IgnoreAntiforgeryToken, Produces("application/json")] public async Task<IActionResult> Exchange() { var request = HttpContext.GetOpenIddictServerRequest() ?? throw new InvalidOperationException("The OpenID Connect request cannot be retrieved."); if (request.IsAuthorizationCodeGrantType() || request.IsRefreshTokenGrantType()) { // ... } else if (request.IsTokenExchangeGrantType()) { // Retrieve the claims principal stored in the subject token. // // Note: the principal may not represent a user (e.g if the token was issued during a client credentials token // request and represents a client application): developers are strongly encouraged to ensure that the user // and client identifiers are randomly generated so that a malicious client cannot impersonate a legit user. // // See https://datatracker.ietf.org/doc/html/rfc9068#SecurityConsiderations for more information. var result = await HttpContext.AuthenticateAsync(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme); // If available, retrieve the claims principal stored in the actor token. var actor = result.Properties?.GetParameter<ClaimsPrincipal>(OpenIddictServerAspNetCoreConstants.Properties.ActorTokenPrincipal); // Retrieve the user profile corresponding to the subject token. var user = await _userManager.FindByIdAsync(result.Principal!.GetClaim(Claims.Subject)!); if (user is null) { ... (truncated) ## 7.0.0-preview.3 This release introduces the following changes: - As a preliminary step to the introduction of OAuth 2.0 Token Exchange support in a future 7.0 preview, the entire OpenIddict code base was updated to use new URI-style token type identifiers to represent token types (e.g `urn:ietf:params:oauth:token-type:access_token`). These new identifiers will replace the `token_type_hint`-inspired constants that previous versions of OpenIddict were using in the core, client, server and validation stacks. For more information, read https://github.com/openiddict/openiddict-core/issues/2296. > [!NOTE] > While internally massive, this change should be completely transparent for most OpenIddict users. Only advanced users who implement custom handlers for the `GenerateToken`/`ValidateToken` events or use the `ClaimsPrincipal.GetTokenType()`/`ClaimsPrincipal.SetTokenType()` extensions will need to update their code to use the new values. - The Discord provider was updated to use the `/users/@​me` endpoint instead of `/oauth2/@​me`, which improves how userinfo claims are represented and returned to the application code (thanks @​egans146 for suggesting this improvement! ❤️). > [!IMPORTANT] > This behavior change is breaking: developers are encouraged to review their Discord integration to determine whether their code should be updated to support the new claims representation. - New `ClaimsPrincipal.AddClaim()`/`ClaimsPrincipal.AddClaims()`/`ClaimsPrincipal.SetClaim()`/`ClaimsPrincipal.SetClaims()` overloads accepting `System.Text.Json.Nodes.JsonNode` instances have been added to make working with types derived from `JsonNode` easier. - An event identifier is now attached to all the logs generated by the OpenIddict core, client, server and validation stacks. - A few properties in `OpenIddictClientModels` didn't have an `init` constraint and have been fixed in 7.0.0-preview.3. > [!TIP] > Note: this preview also includes all the changes introduced in the OpenIddict 6.3.0 release. ## 7.0.0-preview.2 This release introduces the following changes: - All the OpenIddict assemblies have been marked as trimming and Native AOT-compatible (only on .NET 9.0 and higher). For that, several changes had to be made to the OpenIddict core stack: - The store resolver interfaces (`IOpenIddict*StoreResolver`) and all their implementations have been removed and the managers have been updated to now directly take an `IOpenIddict*Store<T>` argument instead of an `IOpenIddict*StoreResolver`. - All the `OpenIddictCoreOptions.Default*Type` options (e.g `DefaultApplicationType`) have been removed and the untyped managers (`IOpenIddict*Manager`) no longer use options to determine the actual entity type at runtime. Instead, each store integration is now responsible for replacing the `IOpenIddict*Manager` services with a service descriptor pointing to the generic `OpenIddict*Manager<T>` implementation with the correct `T` argument: by default, the default entity types provided by the store are used, but the managers can be re-registered with a different type when the user decides to use different models (e.g via `options.UseEntityFrameworkCore().ReplaceDefaultModels<...>()`). - All the managers/store/store resolvers registration APIs offered by `OpenIddictCoreBuilder` have been removed: while they were very powerful and easy-to-use (e.g the `Replace*Manager` methods supported both open and closed generic types and were able to determine the entity type from the base type definition), they weren't AOT-compatible. - New AOT-friendly `Replace*Store()` and `Replace*Manager()` APIs have been introduced in `OpenIddictCoreBuilder`. The new `Replace*Manager()` APIs have two overloads that can be used depending on whether you need to register a closed or open generic type: ```csharp options.ReplaceApplicationManager< /* TApplication: */ OpenIddictEntityFrameworkCoreApplication, /* TManager: */ CustomApplicationManager<OpenIddictEntityFrameworkCoreApplication>>(); ``` ```csharp options.ReplaceApplicationManager(typeof(CustomApplicationManager<>)); ``` - While they are currently not functional on Native AOT due to EF Core not supporting interpreted LINQ expressions yet, the EF Core stores package has been updated to be ready for AOT: as part of this change, the signature of all the stores has been updated to remove the `TContext` generic argument from the definition. Similarly, the MongoDB C# driver isn't AOT (or even trimming) compatible yet, but the stores have been updated to ensure they only use statically-analyzable patterns. - A new `IOpenIddictEntityFrameworkCoreContext` interface containing a single `ValueTask<DbContext> GetDbContextAsync(CancellationToken cancellationToken)` method (similar to what's currently used in the MongoDB integration) has been introduced to allow each to resolve the `DbContext` to use. A default implementation named `OpenIddictEntityFrameworkCoreContext<TContext>` is used by the `OpenIddictEntityFrameworkCoreBuilder.UseDbContext<TContext>()` API to resolve the `TContext` type specified by the user. - The `OpenIddictEntityFrameworkCoreBuilder.ReplaceDefaultEntities<...>` API has been preserved - including the overload accepting a single `TKey` parameter but no longer use options internally. Instead, they re-register the untyped `IOpenIddict*Manager` to point to the correct `OpenIddict*Manager<T>` instances depending on the generic types set by the user. - For consistency with the Entity Framework Core stores, the `OpenIddictEntityFrameworkBuilder.UseDbContext<TContext>()` API will no longer automatically register the `DbContext` type in the DI container. - The authorization endpoint now uses `Cache-Control: no-store` instead of `Cache-Control: no-cache` when generating HTML auto-post form responses (thanks @​matthid! ❤️) - OpenIddict 7.0 preview 2 no longer allows dynamically overriding the `prompt` value when using OAuth 2.0 Pushed Authorization Requests. > [!IMPORTANT] > To prevent login endpoint -> authorization endpoint loops, developers are invited to update their authorization endpoint MVC action to use `TempData` to store a flag indicating whether the user has already been offered to re-authenticate and avoid triggering a new authentication challenge in that case. For instance: > > ```csharp > // Try to retrieve the user principal stored in the authentication cookie and redirect > // the user agent to the login page (or to an external provider) in the following cases: > // > // - If the user principal can't be extracted or the cookie is too old. > // - If prompt=login was specified by the client application. > // - If max_age=0 was specified by the client application (max_age=0 is equivalent to prompt=login). > // - If a max_age parameter was provided and the authentication cookie is not considered "fresh" enough. > // > // For scenarios where the default authentication handler configured in the ASP.NET Core > // authentication options shouldn't be used, a specific scheme can be specified here. > var result = await HttpContext.AuthenticateAsync(); > if (result is not { Succeeded: true } || ... (truncated) ## 7.0.0-preview.1 This release introduces the following changes: - All the ASP.NET Core and Entity Framework Core 2.1 references used for the .NET Framework and .NET Standard TFMs have been replaced by the new 2.3 packages released mid-January (including the .NET Standard 2.1 TFM, that previously referenced unsupported ASP.NET Core 3.1 packages). > [!IMPORTANT] > ASP.NET Core 2.3 replaces ASP.NET Core 2.1: as such, it is essential that all ASP.NET Core 2.1 applications running on .NET Framework 4.6.2+ quickly migrate to 2.3 to ensure they keep receiving security patches and critical bug fixes. > [!CAUTION] > While it was released as a minor version update, **ASP.NET Core 2.3 is not 100% compatible with ASP.NET Core 2.2**, as none of the changes or APIs introduced in 2.2 - no longer supported since December 2019 - is present in 2.3. > > When migrating to OpenIddict 7.0, you'll need to carefully review your dependencies to ensure your application doesn't accidentally depend on any ASP.NET Core 2.2-specific API or package and still runs fine on 2.3. > > For more information, read https://devblogs.microsoft.com/dotnet/servicing-release-advisory-aspnetcore-23/ and https://github.com/dotnet/aspnetcore/issues/58598. - All the OpenIddict packages now use 8.0 as the minimum .NET Extensions version for the .NET Framework and .NET Standard TFMs, which matches the approach used by the new ASP.NET Core/Entity Framework Core 2.3 packages (that all reference `Microsoft.Extensions.*` 8.0 packages instead of 2.1). > [!IMPORTANT] > Initial testing shows that OWIN/Katana or "legacy" ASP.NET 4.6.2+ applications are not negatively impacted by this change: in almost all cases, regenerating (or manually updating the binding redirects if necessary) after migrating to OpenIddict 7.0 should be enough. If you see regressions that may be caused by this change, please post in this thread: https://github.com/openiddict/openiddict-core/issues/2262. - As part of the .NET Extensions 2.1 -> 8.0 change, the following improvements have been made: - The .NET Framework and .NET Standard TFMs now support `TimeProvider` and the associated properties in `OpenIddictClientOptions`, `OpenIddictCoreOptions`, `OpenIddictQuartzOptions`, `OpenIddictServerOptions` and `OpenIddictValidationOptions` are no longer nullable. - The .NET Framework and .NET Standard TFMs now support `System.Text.Json.Nodes`, which allows using `JsonNode` with `OpenIddictParameter` on older platforms. - Several improvements have been made to the `OpenIddictParameter` primitive: - The `OpenIddictParameter` constructors and static operators offering `string?[]?` conversions have been replaced by equivalents taking `ImmutableArray<string?>` or `ImmutableArray<string?>?` parameters, which guarantees that the underlying value wrapped by `OpenIddictParameter` cannot be accidentally mutated after being created. - The `OpenIddictRequest.Audiences` and `OpenIddictRequest.Resources` properties have been updated to use `ImmutableArray<string?>?` instead of `string?[]?`, which should prevent unsupported mutations like `context.Request.Audiences[2] = "overridden audience"` (which may or may not work in 6.x depending on the actual CLR type of the parameter value initially wrapped). - For similar reasons, `JsonNode` instances are now cloned by `OpenIddictParameter`'s constructor and cloned by the `JsonNode?` conversion operator to prevent accidental mutations. As part of this change, the `OpenIddictRequest.Claims` and `OpenIddictRequest.Registration` properties are now of type `JsonObject` instead of `JsonElement`, which should make these properties easier to use. - The low-level/untyped `OpenIddictParameter.Value` property has been removed and replaced by a new (hidden) `OpenIddictParameter.GetRawValue()` to encourage users to leverage the built-in conversion operators instead. New `Microsoft.Extensions.Primitives.StringValues` conversion operators have been added to the `OpenIddictParameter` primitive as part of this change. - The `ClaimsPrincipal.GetDestinations()`/`ClaimsPrincipal.SetDestinations()` extensions now use `ImmutableDictionary<string, ImmutableArray<string>>` instead of `ImmutableDictionary<string, string[]>` for consistency with the previous changes. - The `OpenIddictParameter` structure was updated to use the `JsonNode.DeepEquals()`, `JsonElement.DeepEquals()` or `JsonElement.GetPropertyCount()` APIs when available. - The APIs obsoleted in OpenIddict 6.x have been removed. - The `net6.0` target framework monikers have been removed. ## 6.4.0 This release introduces the following changes: - Support for client authentication - `client_secret_basic`, `client_secret_post` and `private_key_jwt` - was added to the PAR endpoint, which allows rejecting unauthenticated requests without waiting until the token request is processed. - The `OpenIddict.Client.WebIntegration` package now supports Bungie.net. - Parsing of the standard `WWW-Authenticate` HTTP response header by the client and validation stacks was improved. - The OpenIddict client OWIN integration was updated to resolve the `IAppBuilder` instance from the DI container: when it is available, the `ICookieManager` attached to the application properties (by the host, typically) is automatically used instead of the default `CookieManager` implementation. > [!NOTE] > See https://github.com/aspnet/AspNetKatana/pull/486 for more information. - The portable, non-OS specific version of the `OpenIddict.Client.SystemIntegration` package can now be used on macOS (in this case, `ASWebAuthenticationSession` is not supported and only the system browser authentication mode can be used). - All the .NET and third-party dependencies have been updated to the latest versions. ## 6.3.0 This release introduces the following changes: - Two new providers have been added to the list of providers already supported by the `OpenIddict.Client.WebIntegration` package: - Contentful (thanks @​jerriep! ❤️) - Genesys Cloud (thanks @​MikeAlhayek! ❤️) - The web providers source code generator now generates constant strings for the static settings defined by some providers (e.g regions): ```csharp options.UseWebProviders() .AddShopify(options => { options.SetClientId("[client identifier]") .SetClientSecret("[client secret]") .SetAccessMode(OpenIddictClientWebIntegrationConstants.Shopify.AccessModes.Online); }) .AddStripeConnect(options => { options.SetClientId("[client identifier]") .SetClientSecret("[client secret]") .SetAccountType(OpenIddictClientWebIntegrationConstants.StripeConnect.AccountTypes.Express); }) .AddZoho(options => { options.SetClientId("[client identifier]") .SetClientSecret("[client secret]") .SetRegion(OpenIddictClientWebIntegrationConstants.Zoho.Regions.EuropeanUnion); });

• The X/Twitter provider was updated to use the new x.com endpoints, which avoids forcing users to authenticate on twitter.com before being redirected to x.com to continue the authorization process on the new domain.

[!NOTE]
As part of this change, the default display name of the X/Twitter provider was changed to X (Twitter).
Developers who prefer a different display name can override the default one using the dedicated options.SetProviderDisplayName(...) API:

options.UseWebProviders() .AddTwitter(options => { options.SetClientId("[client identifier]") .SetRedirectUri("callback/login/twitter") .SetProviderDisplayName("Twitter"); });

• The Alibaba/Battle.net/Cognito/Lark/Zoho providers now throw an exception when an invalid region is configured instead of using the default value when an unrecognized region is explicitly set.

• The Zoho provider was updated to support the new United Kingdom region (https://accounts.zoho.uk/).

6.2.1

This release introduces the following changes:

• An issue preventing server configuration responses from being correctly extracted when a partial mtls_endpoint_aliases node is returned but doesn't include all the supported endpoints (thanks @​pctimhk for reporting it! ❤️).

6.2.0

This release introduces the following changes:

• The client/server/validation ASP.NET Core/OWIN hosts now use Uri.TryCreate() instead of new Uri() to compute the base and request URIs, which avoids throwing an exception when they can't be computed ; for instance when the length of the internal buffer exceeds the limit allowed by the BCL System.Uri type (thanks to @​tarunmathew12 from the Microsoft Healthcare team for reporting this issue! ❤️)

• 4 new providers have been added to OpenIddict.Client.WebIntegration:

  • Alibaba Cloud/Aliyun (thanks @​gehongyan! ❤️)
  • Linear (thanks @​jerriep! ❤️)
  • Miro (thanks @​jerriep! ❤️)
  • Webflow (thanks @​jerriep! ❤️)

6.1.1

This release introduces the following changes:

• An issue causing end session requests missing the optional client_id parameter to be rejected when enabling end session request caching was fixed (thanks @​miegir for reporting it! ❤️)

6.1.0

This release introduces the following changes:

• Native support for OAuth 2.0 Pushed Authorization Requests (aka PAR) has been implemented in both the OpenIddict client and server stacks. PAR increases the security level of user-interactive grants - like the code flow - by sending the actual authorization request parameters via backchannel communication before redirecting the user agent to the regular authorization endpoint with a unique and random request_uri attached. PAR has recently gained traction and is now supported by some OAuth 2.0 services and libraries (including Keycloak and Microsoft's ASP.NET Core OpenID Connect handler starting in .NET 9.0).

[!TIP]
For more information on how to use OAuth 2.0 Pushed Authorization Requests in OpenIddict, read Pushed Authorization Requests.

• As part of the PAR introduction, the authorization and end session request caching feature has been completely revamped to use the same code path as pushed authorization requests and the OpenIddict-specific request_id parameter has been replaced by request_uri. While cached requests were persisted using IDistributedCache in previous versions, they are now stored in request tokens and persisted in OpenIddict's tokens table with the other tokens.

[!NOTE]
The EnableAuthorizationRequestCaching and EnableEndSessionRequestCaching options have been moved from OpenIddictServerAspNetCoreOptions and OpenIddictServerOwinOptions to OpenIddictServerOptions (the original options are no longer honored). The corresponding methods in OpenIddictServerAspNetCoreBuilder and OpenIddictServerOwinBuilder are still functional - they internally use the new properties - but are now obsolete.

• GitCode, VK ID and Yandex are now supported by the OpenIddict.Client.WebIntegration package (thanks @​gehongyan and @​t1moH1ch! ❤️).

[!NOTE]
With these new providers, the OpenIddict client now supports 100 web services! 🎉

• The InteractiveChallengeRequest and InteractiveSignOutRequest models have been updated to allow easily attaching an identity token or login hint to authorization and end session requests.

• The OpenIddict*AuthorizationStore.PruneAsync() implementations were updated to always exclude permanent authorizations that still have tokens attached, which should reduce risks of seeing SQL exceptions when one of the pruned authorizations still has children entities attached.

• An issue affecting the OpenIddictEntityFrameworkCoreAuthorizationStore.FindByApplicationIdAsync() API was identified and fixed (thanks @​simon-wacker! ❤️)

6.0.0

For more information about this release, read OpenIddict 6.0 general availability.

6.0.0-rc1

This release introduces the following changes:

• The OpenIddict server now automatically normalizes unique "amr" claims in identity tokens to ensure a JSON array is always returned (as required by the OpenID Connect specification), even if the developer didn't explicitly use JsonClaimValueTypes.JsonArray as the claim value type.

• New methods allowing to register multiple certificates and keys at once have been added to the client/server/validation builders (thanks @​ionite34! ❤️)

• Zendesk and EVE Online are now supported by the OpenIddict web providers package (thanks @​mozts2005 and @​kalaveijo! ❤️)

[!TIP]
An OpenIddict 5.0 to 6.0 migration guide can be found here: https://documentation.openiddict.com/guides/migration/50-to-60.

6.0.0-preview4

This release introduces the following changes:

• OpenIddict 6.0 preview 4 was updated to reference the .NET 9.0 RTM packages on .NET 9.0.

• The ASP.NET Core and OWIN integrations now include the authentication properties attached to ProcessAuthenticationContext.Properties in errored authentication results, which can be used with the client stack to retrieve custom and non-custom properties attached to the state token when using the "error pass-through mode".

[!IMPORTANT]
As part of this change, the OWIN hosts now return an AuthenticateResult instance containing an empty ClaimsIdentity with its IsAuthenticated property set to false (instead of a null identity) to represent errored authentication demands.

If you're using the error pass-through mode and are calling await AuthenticateAsync(OpenIddict*OwinDefaults.AuthenticationType), consider updating your if checks to ensure unauthenticated identities are correctly identified.

For instance, with the client stack:

var result = await context.Authentication.AuthenticateAsync(OpenIddictClientOwinDefaults.AuthenticationType); if (result is { Identity.IsAuthenticated: true }) { // The authentication result represents an authenticated user. }

• Introspection and revocation requests started via OpenIddictClientService.IntrospectTokenAsync() and OpenIddictClientService.RevokeTokenAsync() are now eagerly aborted if the token to introspect or revoke is missing.

6.0.0-preview3

This release introduces the following changes:

• The existing IOpenIddictAuthorizationManager.FindAsync(...) and IOpenIddictTokenManager.FindAsync(...) overloads have been merged and replaced by a single method where all the parameters are now optional (for instance, if a null subject value is specified when calling IOpenIddictAuthorizationManager.FindAsync(...), the returned collection will contain authorizations for all users).

• New IOpenIddictAuthorizationManager.RevokeAsync(...) and IOpenIddictTokenManager.RevokeAsync(...) APIs have been introduced to allow easily revoking authorizations or tokens based on specific parameters. E.g:

// Revoke all the active access tokens attached to the user alice@​wonderland.com. await _tokenManager.RevokeAsync(subject: "alice@​wonderland.com", client: null, status: Statuses.Active, type: TokenTypeHints.AccessToken);

6.0.0-preview2

This release introduces the following changes:

• OpenIddict 6.0 preview 2 was updated to reference the .NET 9.0 RC2 packages on .NET 9.0.

• The OpenIddict.MongoDb and OpenIddict.MongoDb.Models packages now reference MongoDB.Driver and MongoDB.Bson 3.0.0 and are now strong-named.

[!IMPORTANT]
The third iteration of the C# MongoDB driver no longer supports .NET Standard 2.0 and requires .NET Framework 4.7.2 as the minimum version: OpenIddict users relying on the MongoDB integration and using the OpenIddict.MongoDb or OpenIddict.MongoDb.Models packages in projects targeting .NET Standard 2.0 or .NET Framework < 4.7.2 will need to update their projects when bumping OpenIddict to 6.0 preview 2.

• A new "claims issuer" option has been added to the client and validation stacks to allow controlling the value OpenIddict uses to populate the Claim.Issuer and Claim.OriginalIssuer properties. This option is specially useful when using the OpenIddict client in legacy ASP.NET 4.6.2+ applications using ASP.NET Identity, since the Claim.Issuer property is directly reflected in the user interface:

options.AddRegistration(new OpenIddictClientRegistration { // ... Issuer = new Uri("https://localhost:44395/", UriKind.Absolute), ClaimsIssuer = "Local authorization server" });

options.UseWebProviders() .AddActiveDirectoryFederationServices(options => { // ... options.SetClaimsIssuer("Contoso"); });

[!IMPORTANT]
To simplify migrating from the aspnet-contrib providers, the OpenIddict client now uses OpenIddictClientRegistration.ProviderName as the first fallback value when OpenIddictClientRegistration.ClaimsIssuer is not explicitly set (which is consistent with the pattern used in the OAuth 2.0-based social providers developed by Microsoft and the community).

If no provider name was set, the issuer URI is used as the claims issuer, as in previous versions.

• To be consistent with the new prompt values name used in OpenIddict 6.0 preview 1, the GetPrompts() and HasPrompt() extension have been renamed to GetPromptValues() and HasPromptValue().

6.0.0-preview1

This release introduces the following changes:

• OpenIddict 6.0 preview 1 now targets .NET 9.0 and references the .NET 9.0 RC1 packages on .NET 9.0 and higher.

• The .NET 7.0 and .NET Framework 4.6.1 TFMs have been removed as these versions are no longer supported by Microsoft.

[!IMPORTANT]
While most OpenIddict 6.0 packages can still be used on these versions thanks to their .NET Standard 2.0 or 2.1 TFMs, doing that is strongly discouraged and users are instead encouraged to migrate to .NET 8.0 and .NET Framework 4.6.2 (or higher).

• Some of the server endpoints have been renamed in OpenIddict 6.0 to be more specific or more closely match the official names, which should reduce ambiguities and make migrating from other OAuth 2.0/OIDC stacks to OpenIddict easier:
  • Cryptography endpoint -> JSON Web Key Set endpoint.
  • Device endpoint -> Device authorization endpoint.
  • Logout endpoint -> End-session endpoint.
  • Userinfo endpoint -> UserInfo endpoint.
  • Verification endpoint -> End-user verification endpoint.

[!NOTE]
All the constants, builder methods, events and event handlers used by the OpenIddict client, core, server and validation stacks have been entirely updated to use the new names.

In most cases, reacting to this breaking change should be limited to just changing a few lines in your Startup file:

OpenIddict 5.x	OpenIddict 6.x
options.SetCryptographyEndpointUris()	options.SetJsonWebKeySetEndpointUris()
options.SetDeviceEndpointUris()	options.SetDeviceAuthorizationEndpointUris()
options.SetLogoutEndpointUris()	options.SetEndSessionEndpointUris()
options.SetUserinfoEndpointUris()	options.SetUserInfoEndpointUris()
options.SetVerificationEndpointUris()	options.SetEndUserVerificationEndpointUris()

OpenIddict 5.x	OpenIddict 6.x
options.AllowDeviceCodeFlow()	options.AllowDeviceAuthorizationFlow()

OpenIddict 5.x	OpenIddict 6.x
options.EnableLogoutEndpointPassthrough()	options.EnableEndSessionEndpointPassthrough()
options.EnableUserinfoEndpointPassthrough()	options.EnableUserInfoEndpointPassthrough()
options.EnableVerificationEndpointPassthrough()	options.EnableEndUserVerificationEndpointPassthrough()

OpenIddict 5.x	OpenIddict 6.x
OpenIddictConstants.Permissions.Endpoints.Device	OpenIddictConstants.Permissions.Endpoints.DeviceAuthorization
OpenIddictConstants.Permissions.Endpoints.Logout	OpenIddictConstants.Permissions.Endpoints.EndSession

[!TIP]
While not mandatory (as the permissions containing the old endpoint names are still fully functional in 6.x for backward compatibility), you can also update your applications table/database to use the new constant values (i.e ept:device_authorization and ept:end_session instead of ept:device and ept:logout).

• A whole new client authentication method negotiation logic was introduced in the OpenIddict client. As part of this change, complete support for mTLS in the client stack was also added to allow integrating with identity providers that require using tls_client_auth or self_signed_tls_client_auth.

... (truncated)

5.8.0

This release introduces the following changes:

• The OpenIddict client system integration now natively supports Android API 21+ (Android 5.0 and higher), iOS 12.0+, macOS 10.15+ and Mac Catalyst 13.1+. See Operating systems integration for more information.

• Behavior change: the OpenIddict.Client.SystemIntegration package was updated to produce shorter default pipe names (which is required on macOS where strict length restrictions are enforced).

• The OpenIddict.Client.SystemNetHttp and OpenIddict.Validation.SystemNetHttp packages have been updated to anticipate a breaking change introduced in the 9.0 version of Microsoft.Extensions.Http. See Consider updating HttpClientFactory defaults to leverage SocketsHttpHandler dotnet/runtime#35987 (comment) for more information.

• 6 new web providers were added to OpenIddict.Client.WebIntegration:

  • Airtable
  • Calendly
  • Pipedrive
  • Typeform
  • Twitch (thanks @​mbaumanndev! ❤️)
  • Zoho

• OpenIddict now uses Microsoft.IdentityModel 8.x on .NET 8.0 and higher.

• The OpenIddict.EntityFramework package now uses EntityFramework 6.5.1 as the minimum version.

5.7.1

This release introduces the following changes:

• The LinkedIn integration was updated to react to a breaking change introduced by LinkedIn in their discovery document and that was causing an issuer validation error in the OpenIddict client due to the issuer being changed from https://www.linkedin.com/ to https://www.linkedin.com/oauth (thanks @​DovydasNavickas! ❤️).

[!IMPORTANT]
If your code relies on the issuer identity, make sure you update your code/database to use https://www.linkedin.com/oauth instead of https://www.linkedin.com/.

5.7.0

This release introduces the following changes:

• To increase interoperability and support advanced scenarios, the OpenIddict server now allows using OAuth 2.0 Proof Key for Code Exchange with response_type combinations containing token when response type permissions are not disabled and the appropriate response type permissions are granted to the client application. See Allow using response_type=token with PKCE when response type permissions are enforced openiddict/openiddict-core#2088 for more information about this change.

• The embedded web server that is part of the OpenIddict client system integration package now natively supports POST callbacks, allowing to use the implicit and hybrid flows - that require response_mode=form_post - in desktop applications.

• response_mode=fragment is now fully supported by the system integration package when using protocol activations or the UWP web authentication broker.

• The OpenIddict client and its ASP.NET Core/OWIN integrations now support setting a specific code_challenge_method/grant_type/response_mode/response_type for each challenge operation:

// Ask OpenIddict to initiate the authentication flow (typically, by starting the system browser). var result = await _service.ChallengeInteractivelyAsync(new() { // Note: both the grant type and the response type MUST be set when using a specific flow: GrantType = GrantTypes.AuthorizationCode, ResponseType = ResponseTypes.Code + ' ' + ResponseTypes.IdToken });

var properties = new AuthenticationProperties(new Dictionary<string, string> { // Note: both the grant type and the response type MUST be set when using a specific flow: [OpenIddictClientAspNetCoreConstants.Properties.GrantType] = GrantTypes.AuthorizationCode, [OpenIddictClientAspNetCoreConstants.Properties.ResponseType] = ResponseTypes.Code + ' ' + ResponseTypes.IdToken }) { RedirectUri = Url.IsLocalUrl(returnUrl) ? returnUrl : "/" }; return Challenge(properties, OpenIddictClientAspNetCoreDefaults.AuthenticationScheme);

• The following providers are now supported by the OpenIddict.Client.WebIntegration package:

  • Gitee (thanks @​gehongyan! ❤️)
  • Huawei (thanks @​gehongyan! ❤️)
  • KOOK (thanks @​gehongyan! ❤️)
  • Lark/Feishu (thanks @​gehongyan! ❤️)
  • Weibo (thanks @​gehongyan! ❤️)

• Behavior change: for boolean values, OpenIddictParameter.ToString() and the string?/string?[]? conversion operators now return true and false instead of True and False.

• The OpenIddict client was updated to detect incorrect uses of its system integration package in non-desktop applications and return proper errors.

5.6.0

This release introduces the following changes:

• The core, client, server and validation stacks now use System.TimeProvider on .NET 8.0+ (thanks @​trejjam! ❤️).

• While manually setting OpenIddictClientRegistration.CodeChallengeMethods, OpenIddictClientRegistration.GrantTypes, OpenIddictClientRegistration.ResponseModes or OpenIddictClientRegistration.ResponseTypes is not necessary or recommended in most cases (as OpenIddict automatically negotiates the best values automatically), specific scenarios sometimes require restricting the allowed values. To make that easier, new (advanced) APIs were added to the web provider builders:

options.UseWebProviders() .AddMicrosoft(options => { // ... options.AddCodeChallengeMethods(CodeChallengeMethods.Sha256) .AddGrantTypes(GrantTypes.AuthorizationCode, GrantTypes.Implicit) .AddResponseModes(ResponseModes.FormPost) .AddResponseTypes(ResponseTypes.Code + ' ' + ResponseTypes.IdToken); });

• The OpenIddict validation ASP.NET Core and OWIN hosts now allow tweaking how access tokens are extracted:

options.UseAspNetCore() .DisableAccessTokenExtractionFromAuthorizationHeader() .DisableAccessTokenExtractionFromBodyForm() .DisableAccessTokenExtractionFromQueryString();

options.UseOwin() .DisableAccessTokenExtractionFromAuthorizationHeader() .DisableAccessTokenExtractionFromBodyForm() .DisableAccessTokenExtractionFromQueryString();

• Behavior change: the claim value type validation logic was fixed to support JSON_ARRAY claims. As part of this change, the ClaimsIdentity.GetClaims()/ClaimsPrincipal.GetClaims() extensions have been updated to support JSON_ARRAY claims and return all the values contained in the array.

• A bug preventing the OpenIddict client from using the OpenID Connect implicit flow was fixed.

• The Clever provider was updated to not require a backchannel identity token (thanks @​anarian! ❤️).

• The Auth0 and Microsoft Account/Entra ID providers were fixed to list implicit as a supported grant type.

5.5.0

This release introduces the following changes:

• Similarly to what was already possible with the OpenIddict client system integration, the ASP.NET Core (and OWIN) hosts now allow overriding the requested scopes dynamically/per challenge. For that, an OpenIddictClientAspNetCoreConstants.Properties.Scope property must be added to the AuthenticationProperties.Items collection with the space-separated list of scopes that should be attached to the authorization request:

var properties = new AuthenticationProperties(); // Override the scopes configured globally for this challenge operation. properties.SetString(OpenIddictClientAspNetCoreConstants.Properties.Scope, "api_1_scope api_2_scope"); return Challenge(properties, Providers.GitHub);

• FACEIT is now supported by OpenIddict.Client.WebIntegration.

5.4.0

This release introduces the following changes:

• The client stack now allows configuring and using custom grant types for advanced scenarios:

options.AllowCustomFlow("my-custom-grant-type");

var result = await _service.AuthenticateWithCustomGrantAsync(new() { AdditionalTokenRequestParameters = new() { ["my-custom-parameter"] = "value" }, CancellationToken = stoppingToken, GrantType = "my-custom-grant-type", ProviderName = provider, Scopes = [Scopes.OfflineAccess] });

[!NOTE]
When using a custom grant type, the following logic is enforced by default:

• A token request is always sent.
• An access token MUST be returned by the authorization server as part of the token response.
• An identity token MAY be returned by the authorization server as part of the token response but it's not mandatory (in this case, OpenIddict will resolve it and extract the principal it contains, but won't reject the response if it's invalid).
• A refresh token MAY be returned by the authorization server as part of the token response but it's not mandatory.
• A userinfo request is always sent when an access token was returned and a userinfo endpoint is available, unless userinfo retrieval was explicitly disabled when calling AuthenticateWithCustomGrantAsync().

• The length of user codes - used in the OAuth 2.0 device authorization flow - can now be configured in the server options:

options.SetUserCodeLength(7);

[!IMPORTANT]
For security reasons, OpenIddict will throw an ArgumentOutOfRangeException if you try to configure a length that is less than 6 characters.

• The charset used by OpenIddict to create random user codes can now be configured in the server options:

options.SetUserCodeCharset( [ "B", "C", "D", "F", "G", "H", "J", "K", "L", "M", "N", "P", "Q", "R", "S", "T", "V", "W", "X", "Z" ]);

[!TIP]
All characters are allowed - including emojis - as long as they represent exactly one extended grapheme cluster (note: non-ASCII characters are only supported on .NET 6.0 and higher).
... (truncated)

5.3.0

This release introduces the following changes:

• Native support for interactive sign-out was added to the OpenIddict.Client.SystemIntegration package. To support this new feature, a new SignOutInteractivelyAsync() API (similar to the existing ChallengeInteractivelyAsync() API used to start a new authentication flow) has been added to OpenIddictClientService:

// Ask OpenIddict to initiate the logout flow (typically, by starting the system browser). var result = await _service.SignOutInteractivelyAsync(new() { CancellationToken = stoppingToken, ProviderName = provider });

• The client stack now natively supports OAuth 2.0 introspection, which allows querying the authorization server to determine the set of metadata for a given token - typically an access or refresh token - and, depending on the server policy, retrieve its actual content:

var result = await _service.IntrospectTokenAsync(new() { CancellationToken = stoppingToken, ProviderName = provider, Token = response.BackchannelAccessToken, TokenTypeHint = TokenTypeHints.AccessToken });

[!IMPORTANT]
As part of this change, the introspection implementation of the validation stack was reworked to be consistent with its new client counterpart. Most notably, the ValidateToken event is no longer invoked for introspected tokens (a change that had been introduced in OpenIddict 5.0): developers who want to apply custom logic to introspected tokens/principals are invited to use the ProcessAuthentication event instead.

• Support for OAuth 2.0 revocation was also added to the client stack to allow revoking an access or refresh token (and, depending on the server policy, the associated authorization grant):

var result = await _service.RevokeTokenAsync(new() { CancellationToken = stoppingToken, ProviderName = provider, Token = response.BackchannelAccessToken, TokenTypeHint = TokenTypeHints.AccessToken });

[!NOTE]
The Apple, DeviantArt, Discord, Reddit, Trakt and Zoom web providers have been updated to support token revocation.

• On .NET 8.0 and higher, the OpenIddict.Client.SystemNetHttp and OpenIddict.Validation.SystemNetHttp packages now natively support Microsoft.Extensions.Http.Resilience and use a ResiliencePipeline<HttpResponseMessage> by default (unless an IAsyncPolicy<HttpResponseMessage> was explicitly configured by the user).

[!TIP]
If necessary, the defau....

Description has been truncated

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.