Releases: openiddict/openiddict-core

4.2.0

25 Mar 18:57

This release introduces the following changes:

  • 26 new providers were added to the OpenIddict.Client.WebIntegration package (that now offers a total of 45 OAuth 2.0/OpenID Connect integrations!):

    Provider name
    ArcGIS Online   | Mailchimp
    Asana           | Patreon
    Basecamp        | QuickBooks Online
    Battle.net      | ServiceChannel
    Bitbucket       | Slack
    DeviantArt      | Smartsheet
    Discord         | Spotify
    Dropbox         | Strava
    Epic Games      | Streamlabs
    Fitbit          | SuperOffice
    GitLab          | Trovo
    Harvest         | Vimeo
    HubSpot         | Xero

  • An issue affecting the OpenIddict.Validation.ServerIntegration package identified and reported by @SebastianStehle – who maintains the Squidex and Notifo projects – was fixed (see #1739 for more information). Thanks Sebastian! ❤️

  • A new OpenIddictServerBuilder.SetIssuer() overload accepting a string instance was introduced to make the API consistent with the OpenIddictServerBuilder.Set*EndpointUris() methods.

  • The OpenIddict.Client.SystemNetHttp and OpenIddict.Validation.SystemNetHttp packages now support JSON Structured Syntax Suffixes (defined in RFC6839) for increased interoperability.
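
As an added illustration of the RFC 6839 point above (not OpenIddict's own code; the page does not show how the packages implement the check), this example treats a backchannel response as JSON when its media type is application/json or carries the +json structured syntax suffix. JsonMediaTypes, IsJson and the sample header values are hypothetical and constructed for the example.

```csharp
using System;
using System.Net.Http.Headers;

// Constructed sample Content-Type values, not captured from any real provider.
var samples = new[]
{
    "application/json; charset=utf-8", // plain JSON with a parameter
    "application/jwk-set+json",        // JWK Set (RFC 7517)
    "application/problem+json",        // error document (RFC 7807)
    "application/jwt",                 // compact JWT, not a JSON document
    "text/html; charset=utf-8",        // e.g. an HTML error page
    "application/+json"                // suffix without a base subtype
};

foreach (var sample in samples)
{
    Console.WriteLine($"{sample,-34} => {JsonMediaTypes.IsJson(sample)}");
}

// Hypothetical helper, named for this example only.
static class JsonMediaTypes
{
    private const string Suffix = "+json";

    public static bool IsJson(string contentType)
    {
        // Parse the header so that parameters such as charset are ignored.
        if (string.IsNullOrWhiteSpace(contentType) ||
            !MediaTypeHeaderValue.TryParse(contentType, out var header) ||
            header.MediaType is not { Length: > 0 } mediaType)
        {
            return false;
        }

        if (string.Equals(mediaType, "application/json", StringComparison.OrdinalIgnoreCase))
        {
            return true;
        }

        // RFC 6839: the structured syntax suffix follows the last '+' of the
        // subtype, and something must precede it ("application/+json" is rejected).
        var slash = mediaType.IndexOf('/');
        return mediaType.EndsWith(Suffix, StringComparison.OrdinalIgnoreCase) &&
               mediaType.Length - Suffix.Length > slash + 1;
    }
}
```

Matching on the parsed media type rather than the raw header keeps parameters out of the comparison, and rejecting non-JSON types before deserialization turns an unexpected HTML or JWT response into an early, explicit failure.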

4.1.0

27 Feb 16:02

This release introduces the following changes:

  • A new OpenIddict.Client.SystemIntegration package is now offered to easily use the OpenIddict client in Windows and Linux desktop applications. For more information, see Introducing system integration support for the OpenIddict client.

  • Active Directory Federation Services (Windows 2016+) and Stripe Connect support has been added to OpenIddict.Client.WebIntegration.

  • The stricter id_token_hint validation rules introduced in OpenIddict 4.0 have been relaxed to avoid rejecting authorization and logout requests that specify invalid token hints (e.g. identity tokens whose database entry has been pruned and no longer exists). See #1649 (comment) for more information.

  • A workaround has been added to allow the compromised tokens revocation logic to work with the Pomelo MySQL provider (see #1658 for more information).

4.0.0

23 Dec 19:41

For more information about this release, read OpenIddict 4.0 general availability.

4.0.0-rc2

14 Dec 14:23
Pre-release

This RC release introduces the following changes:

  • The System.Net.Http integration packages for the client and validation stacks now support specifying an e-mail address that will be used in the From header of backchannel requests (for more information about the From HTTP request header, read https://datatracker.ietf.org/doc/html/rfc9110#section-10.1.2):

    options.UseSystemNetHttp()
           .SetContactAddress("[email protected]")
           .SetProductInformation(typeof(Startup).Assembly);

  • An issue affecting the ASP.NET Core Data Protection integration and device authorization codes was identified and fixed.

  • An issue affecting the OpenIddictExtensions.AddClaims() extension and preventing userinfo and introspection responses containing complex JSON nodes in top-level array claims from being properly handled was identified and fixed (thanks @danbluhmhansen! ❤️)

4.0.0-rc1

07 Dec 10:11
Pre-release

This RC release introduces the following changes:

  • While initially planned for OpenIddict 5.0, modifications introducing breaking behavior changes in URI handling will finally ship as part of 4.0. Since these changes affect how endpoint URIs are configured, returned and resolved, users are invited to read #1613 before migrating to OpenIddict 4.0 RC1.

  • Relative redirect/post-logout-redirect URIs are now supported by the client stack, for both custom client registrations and web provider integrations:

    options.UseWebProviders()
           .UseGitHub(options =>
           {
               // ...

               options.SetRedirectUri("callback/login/github");
           });

  • The client stack now requires enabling flows explicitly (exactly like the server stack), which allows offering better exceptions on misconfigurations and avoids requiring registering signing/encryption credentials when only non-interactive flows like password or client_credentials are used:

    options.AllowAuthorizationCodeFlow()
           .AllowRefreshTokenFlow();

  • By default, the client stack now aborts challenge operations that are triggered from non-HTTPS pages with an exception message indicating that things may not work properly due to SameSite constraints when using HTTP instead of HTTPS. While not recommended, the client offers the same DisableTransportSecurityRequirement() option as the server stack to disable the HTTPS requirement.

    options.UseAspNetCore()
           .DisableTransportSecurityRequirement();

    options.UseOwin()
           .DisableTransportSecurityRequirement();

  • New provider integrations have been added to OpenIddict.Client.WebIntegration:

  • The definitions of the existing providers have been updated to allow using the refresh_token flow for the providers that support it. Built-in support for the Google access_type and Reddit duration custom parameters has also been added to allow retrieving refresh tokens.

  • References to URL or address(es) have been replaced by more generic URI/uri(s) references. While not mandatory, maintainers of third-party stores/DB integrations are invited to update their implementation of IOpenIddictApplicationStore to use uri and uris instead of address and addresses to match the new names used by OpenIddict.

4.0.0-preview6

16 Nov 16:41
Pre-release

This preview release introduces the following changes:

  • The public APIs offered by OpenIddictClientService have been reworked to be much easier to use with the client credentials, resource owner password credentials and refresh token grants:
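
    using System;
    using Microsoft.Extensions.DependencyInjection;
    using OpenIddict.Client;

    var services = new ServiceCollection();
    services.AddOpenIddict()
        .AddClient(options =>
        {
            // Ephemeral keys are regenerated every time the application starts.
            options.AddEphemeralEncryptionKey()
                   .AddEphemeralSigningKey();

            options.DisableTokenStorage();

            // Backchannel requests are sent using System.Net.Http.
            options.UseSystemNetHttp();

            // The issuer registered here must be the same URI as the one
            // passed to AuthenticateWithPasswordAsync() below.
            options.AddRegistration(new OpenIddictClientRegistration
            {
                Issuer = new Uri("https://localhost:58779/", UriKind.Absolute)
            });
        });

    await using var provider = services.BuildServiceProvider();

    var service = provider.GetRequiredService<OpenIddictClientService>();

    // Resource owner password credentials grant against the registered issuer.
    var (response, principal) = await service.AuthenticateWithPasswordAsync(
        issuer: new Uri("https://localhost:58779/", UriKind.Absolute),
        username: "johndoe",
        password: "A3ddj3w");

    var token = response.AccessToken;
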
  • Portable.BouncyCastle was replaced by the official BouncyCastle.Cryptography package (that shipped yesterday with native .NET Standard 2.0 support). It is expected that applications referencing both the Portable.BouncyCastle and BouncyCastle.Cryptography packages - directly or indirectly - will experience type conflicts, but such conflicts should eventually disappear once all libraries are updated to use BouncyCastle.Cryptography.

  • Most of the infrastructure types that are not meant to be derived/subclassed have been marked as sealed and decorated with [EditorBrowsable(EditorBrowsableState.Advanced)] or [EditorBrowsable(EditorBrowsableState.Never)] to make finding adequate hooks easier for third-party maintainers. Managers and stores - that are designed to be derived when necessary - are not affected by this change.

  • New ClaimsIdentity/ClaimsPrincipal.AddClaim/SetClaim() overloads accepting bool and long values have been added.

  • A regression introduced in the last preview that prevented the device authorization code flow from working properly has been fixed (thanks to the ABP team for reporting it! ❤️)

  • The Quartz.NET integration was tweaked to work better in clustered environments (thanks @Suchiman!).

4.0.0-preview5

07 Nov 22:54
Pre-release

This release focuses on adding official .NET 7.0 support to OpenIddict 4.x and improving the nonce and request forgery protection implementation of the new OpenIddict client stack. As part of this release, Deezer has also been added to the list of supported providers.

Starting in 4.0 preview5, advanced users can override the default implementations (provided by the .NET BCL by default) of the cryptographic algorithms used internally by OpenIddict via the CryptoConfig.AddAlgorithm(Type, String[]) API. Doing so was already possible on .NET Framework in previous versions, but is now supported on all TFMs - including .NET Core and .NET - thanks to a new approach. For more information, read #1556.

This release also fixes a bug that affected the revamped ClaimsIdentity/ClaimsPrincipal.SetClaim(s) extensions taking a JsonElement parameter and that impacted scenarios using the ASP.NET Core Data Protection integration (thanks @trejjam! ❤️).

4.0.0-preview4

17 Oct 16:45
Pre-release

This release focuses on improving the new OpenIddict.Client.WebIntegration package by introducing built-in Microsoft.Extensions.Options support to configure the provider settings and allowing opt-in HTTP decompression for the providers that require it.

With Keycloak, LinkedIn, PayPal and StackExchange being added in preview4, OpenIddict.Client.WebIntegration now offers 10 provider integrations. To simplify registering the ECDSA signing key required for client authentication, the Apple provider now exposes options.SetSigningKey() overloads accepting PEM-encoded keys (the format used by Apple).

As part of this release, the OpenIddict.Client.SystemNetHttp and OpenIddict.Validation.SystemNetHttp packages were also updated to allow configuring a ProductInformation property containing the name and version of the application optionally sent to the remote server as part of the User-Agent header, which can be useful when dealing with providers that require specifying a user agent (e.g. Reddit).

4.0.0-preview3

22 Aug 17:50
Pre-release

This release introduces native support for relying party-initiated logout in the new OpenIddict client and updates the server stack to support the new (optional) client_id parameter introduced by the OpenID Connect RP-Initiated Logout 1.0 - draft 03 specification. While it's not supported yet by most client stacks (including the Microsoft OIDC handler for ASP.NET Core), it's now fully implemented in the OpenIddict client, which will become the recommended option for ASP.NET applications once it reaches RTM.

4.0.0-preview2

18 Jul 16:45
Pre-release

This release fixes a regression specific to 4.0.0-preview1 that affected the OpenIddict validation ASP.NET Core and OWIN hosts and prevented tokens specified in query strings and request forms from being correctly extracted (tokens specified in the Authorization header could still be extracted properly).

As part of this release, the OpenIddict.Client.SystemNetHttp and OpenIddict.Validation.SystemNetHttp packages were updated to explicitly reference the latest Polly.Extensions.Http version to resolve a breaking change introduced between Polly 6.x and 7.x that caused a runtime issue in .NET Framework applications using Polly 7.x instead of Polly 6.x (e.g. because a recent version of Microsoft.Extensions.Http.Polly was explicitly referenced by the application).

This release also bumps the referenced MongoDB C# driver package and introduces various improvements - including a breaking change - in the OpenIddict MongoDB entities. For more information, read #1487.