7.0.0-preview.4

This release introduces the following changes:

• The OAuth 2.0 Token Exchange specification - that was by far the most requested feature by the OpenIddict community - is now fully supported by the client and server stacks:

var result = await _service.AuthenticateWithTokenExchangeAsync(new()
{
    ActorToken = actorToken,
    ActorTokenType = actorTokenType,
    CancellationToken = stoppingToken,
    ProviderName = "Local",
    RequestedTokenType = TokenTypeIdentifiers.AccessToken,
    SubjectToken = subjectToken,
    SubjectTokenType = subjectTokenType
});

var token = result.IssuedToken;
var type = result.IssuedTokenType;

[HttpPost("~/connect/token"), IgnoreAntiforgeryToken, Produces("application/json")]
public async Task<IActionResult> Exchange()
{
    var request = HttpContext.GetOpenIddictServerRequest() ??
        throw new InvalidOperationException("The OpenID Connect request cannot be retrieved.");

    if (request.IsAuthorizationCodeGrantType() || request.IsRefreshTokenGrantType())
    {
        // ...
    }

    else if (request.IsTokenExchangeGrantType())
    {
        // Retrieve the claims principal stored in the subject token.
        //
        // Note: the principal may not represent a user (e.g if the token was issued during a client credentials token
        // request and represents a client application): developers are strongly encouraged to ensure that the user
        // and client identifiers are randomly generated so that a malicious client cannot impersonate a legit user.
        //
        // See https://datatracker.ietf.org/doc/html/rfc9068#SecurityConsiderations for more information.
        var result = await HttpContext.AuthenticateAsync(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);

        // If available, retrieve the claims principal stored in the actor token.
        var actor = result.Properties?.GetParameter<ClaimsPrincipal>(OpenIddictServerAspNetCoreConstants.Properties.ActorTokenPrincipal);

        // Retrieve the user profile corresponding to the subject token.
        var user = await _userManager.FindByIdAsync(result.Principal!.GetClaim(Claims.Subject)!);
        if (user is null)
        {
            return Forbid(
                authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
                properties: new AuthenticationProperties(new Dictionary<string, string?>
                {
                    [OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.InvalidGrant,
                    [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = "The token is no longer valid."
                }));
        }

        // Ensure the user is still allowed to sign in.
        if (!await _signInManager.CanSignInAsync(user))
        {
            return Forbid(
                authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
                properties: new AuthenticationProperties(new Dictionary<string, string?>
                {
                    [OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.InvalidGrant,
                    [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = "The user is no longer allowed to sign in."
                }));
        }

        // Note: whether the identity represents a delegated or impersonated access (or any other
        // model) is entirely up to the implementer: to support all scenarios, OpenIddict doesn't
        // enforce any specific constraint on the identity used for the sign-in operation and only
        // requires that the standard "act" and "may_act" claims be valid JSON objects if present.

        var identity = new ClaimsIdentity(
            authenticationType: TokenValidationParameters.DefaultAuthenticationType,
            nameType: Claims.Name,
            roleType: Claims.Role);

        // Add the claims that will be persisted in the issued token.
        identity.SetClaim(Claims.Subject, await _userManager.GetUserIdAsync(user))
                .SetClaim(Claims.Email, await _userManager.GetEmailAsync(user))
                .SetClaim(Claims.Name, await _userManager.GetUserNameAsync(user))
                .SetClaim(Claims.PreferredUsername, await _userManager.GetUserNameAsync(user))
                .SetClaims(Claims.Role, [.. await _userManager.GetRolesAsync(user)]);

        // Note: IdentityModel doesn't support serializing ClaimsIdentity.Actor to the
        // standard "act" claim yet, which requires adding the "act" claim manually.
        //
        // For more information, see
        // https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/3219.
        if (!string.IsNullOrEmpty(actor?.GetClaim(Claims.Subject)) &&
            !string.Equals(identity.GetClaim(Claims.Subject), actor.GetClaim(Claims.Subject), StringComparison.Ordinal))
        {
            identity.SetClaim(Claims.Actor, new JsonObject
            {
                [Claims.Subject] = actor.GetClaim(Claims.Subject)
            });
        }

        // Note: in this sample, the granted scopes match the requested scope
        // but you may want to allow the user to uncheck specific scopes.
        // For that, simply restrict the list of scopes before calling SetScopes.
        identity.SetScopes(request.GetScopes());
        identity.SetResources(await _scopeManager.ListResourcesAsync(identity.GetScopes()).ToListAsync());
        identity.SetDestinations(GetDestinations);

        // Returning a SignInResult will ask OpenIddict to issue the appropriate access/identity tokens.
        return SignIn(new ClaimsPrincipal(identity), OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
    }

    throw new InvalidOperationException("The specified grant type is not supported.");
}

Tip

See #1249 (comment) and #2335 (comment) for more information on the key aspects of the specification and its implementation in OpenIddict.

• OpenIddict 7.0 preview 4 implements the Updates to Audience Values for OAuth 2.0 Authorization Servers draft: while it hasn't been officially adopted yet, it fixes a vulnerability affecting the standard private_jwt_key client authentication method supported. Since this draft introduces important breaking changes in multiple OAuth 2.0 and OpenID Connect specifications to mitigate the vulnerability, implementing it proactively in OpenIddict 7.0 is a better option than having to the next major version to address this issue for good.

Warning

Due to this change, the following cases won't be supported by OpenIddict 7.0:

• The application authenticates using the OpenIddict client with a third-party server that requires the use of the token_endpoint as the audience of client assertions, even for endpoints other than the token endpoint (e.g., the "pushed authorization endpoint" or the "introspection endpoint").

• The application authenticates using the OpenIddict client with a third-party server that does not support the new client-authentication+jwt JSON Web Token type defined by the specification for client assertions.

• The application uses the OpenIddict server and allows clients to authenticate with client assertions that use token_endpoint instead of issuer as the audience.

• The application uses the OpenIddict server and allows clients to authenticate with client assertions that do not use the new client-authentication+jwt JSON Web Token type.

The OpenIddict client, server and validation stacks have all been updated to support the new requirements introduced by this specification and it is expected that other implementations will make similar changes in the future. OpenIddict 7.0 preview 4 doesn't currently allow reverting to the unsafe behavior, but I'll monitor the situation to determine whether opt-in compatibility quirks should be introduced in a future version to support unsafe client assertions.

• As part of the OAuth 2.0 Token Exchange support, the OpenIddict server now automatically validates the audience and resource parameters used in token exchange token requests and the resource parameters present in the authorization and pushed authorization requests. To ensure OpenIddict doesn't reject requests that use these parameters, the allowed audiences and resources must be registered in the server options:

services.AddOpenIddict()
    .AddServer(options =>
    {
        options.RegisterAudiences("financial_api");
        options.RegisterResources("https://fabrikam.com/financial_api");
    });

Tip

Alternatively, audiences and resources validation can be disabled, which can be useful when implementing dynamic audiences/resources:

services.AddOpenIddict()
    .AddServer(options =>
    {
        options.DisableAudienceValidation();
        options.DisableResourceValidation();
    });

• In the same vein, the OpenIddict server stack now supports audience and resource application permissions, that work exactly like scopes:

await manager.CreateAsync(new OpenIddictApplicationDescriptor
{
    // ...

    Permissions =
    {
        Permissions.Prefixes.Audience + "financial_api",
        Permissions.Prefixes.Resource + "https://fabrikam.com/financial_api"
    }
});

Tip

If necessary, both audience and resource permissions can be ignored, which can be useful if custom validation - e.g implemented directly in the authorization controller, to support dynamic values - is preferred.

...

6.4.0

This release introduces the following changes:

• Support for client authentication - client_secret_basic, client_secret_post and private_key_jwt - was added to the PAR endpoint, which allows rejecting unauthenticated requests without waiting until the token request is processed.

• The OpenIddict.Client.WebIntegration package now supports Bungie.net.

• Parsing of the standard WWW-Authenticate HTTP response header by the client and validation stacks was improved.

• The OpenIddict client OWIN integration was updated to resolve the IAppBuilder instance from the DI container: when it is available, the ICookieManager attached to the application properties (by the host, typically) is automatically used instead of the default CookieManager implementation.

Note

See aspnet/AspNetKatana#486 for more information.

• The portable, non-OS specific version of the OpenIddict.Client.SystemIntegration package can now be used on macOS (in this case, ASWebAuthenticationSession is not supported and only the system browser authentication mode can be used).

• All the .NET and third-party dependencies have been updated to the latest versions.

7.0.0-preview.3

This release introduces the following changes:

• As a preliminary step to the introduction of OAuth 2.0 Token Exchange support in a future 7.0 preview, the entire OpenIddict code base was updated to use new URI-style token type identifiers to represent token types (e.g urn:ietf:params:oauth:token-type:access_token). These new identifiers will replace the token_type_hint-inspired constants that previous versions of OpenIddict were using in the core, client, server and validation stacks. For more information, read #2296.

Note

While internally massive, this change should be completely transparent for most OpenIddict users. Only advanced users who implement custom handlers for the GenerateToken/ValidateToken events or use the ClaimsPrincipal.GetTokenType()/ClaimsPrincipal.SetTokenType() extensions will need to update their code to use the new values.

• The Discord provider was updated to use the /users/@me endpoint instead of /oauth2/@me, which improves how userinfo claims are represented and returned to the application code (thanks @egans146 for suggesting this improvement! ❤️).

Important

This behavior change is breaking: developers are encouraged to review their Discord integration to determine whether their code should be updated to support the new claims representation.

• New ClaimsPrincipal.AddClaim()/ClaimsPrincipal.AddClaims()/ClaimsPrincipal.SetClaim()/ClaimsPrincipal.SetClaims() overloads accepting System.Text.Json.Nodes.JsonNode instances have been added to make working with types derived from JsonNode easier.

• An event identifier is now attached to all the logs generated by the OpenIddict core, client, server and validation stacks.

• A few properties in OpenIddictClientModels didn't have an init constraint and have been fixed in 7.0.0-preview.3.

Tip

Note: this preview also includes all the changes introduced in the OpenIddict 6.3.0 release.

6.3.0

This release introduces the following changes:

• Two new providers have been added to the list of providers already supported by the OpenIddict.Client.WebIntegration package:

  • Contentful (thanks @jerriep! ❤️)
  • Genesys Cloud (thanks @MikeAlhayek! ❤️)

• The web providers source code generator now generates constant strings for the static settings defined by some providers (e.g regions):

options.UseWebProviders()
       .AddShopify(options =>
       {
           options.SetClientId("[client identifier]")
                  .SetClientSecret("[client secret]")
                  .SetAccessMode(OpenIddictClientWebIntegrationConstants.Shopify.AccessModes.Online);
       })
       .AddStripeConnect(options =>
       {
           options.SetClientId("[client identifier]")
                  .SetClientSecret("[client secret]")
                  .SetAccountType(OpenIddictClientWebIntegrationConstants.StripeConnect.AccountTypes.Express);
       })
       .AddZoho(options =>
       {
           options.SetClientId("[client identifier]")
                  .SetClientSecret("[client secret]")
                  .SetRegion(OpenIddictClientWebIntegrationConstants.Zoho.Regions.EuropeanUnion);
       });

• The X/Twitter provider was updated to use the new x.com endpoints, which avoids forcing users to authenticate on twitter.com before being redirected to x.com to continue the authorization process on the new domain.

Note

As part of this change, the default display name of the X/Twitter provider was changed to X (Twitter).
Developers who prefer a different display name can override the default one using the dedicated options.SetProviderDisplayName(...) API:

options.UseWebProviders()
       .AddTwitter(options =>
       {
           options.SetClientId("[client identifier]")
                  .SetRedirectUri("callback/login/twitter")
                  .SetProviderDisplayName("Twitter");
       });

• The Alibaba/Battle.net/Cognito/Lark/Zoho providers now throw an exception when an invalid region is configured instead of using the default value when an unrecognized region is explicitly set.

• The Zoho provider was updated to support the new United Kingdom region (https://accounts.zoho.uk/).

6.2.1

This release introduces the following changes:

• An issue preventing server configuration responses from being correctly extracted when a partial mtls_endpoint_aliases node is returned but doesn't include all the supported endpoints (thanks @pctimhk for reporting it! ❤️).

7.0.0-preview.2

This release introduces the following changes:

• All the OpenIddict assemblies have been marked as trimming and Native AOT-compatible (only on .NET 9.0 and higher). For that, several changes had to be made to the OpenIddict core stack:

  • The store resolver interfaces (IOpenIddict*StoreResolver) and all their implementations have been removed and the managers have been updated to now directly take an IOpenIddict*Store<T> argument instead of an IOpenIddict*StoreResolver.

  • All the OpenIddictCoreOptions.Default*Type options (e.g DefaultApplicationType) have been removed and the untyped managers (IOpenIddict*Manager) no longer use options to determine the actual entity type at runtime. Instead, each store integration is now responsible for replacing the IOpenIddict*Manager services with a service descriptor pointing to the generic OpenIddict*Manager<T> implementation with the correct T argument: by default, the default entity types provided by the store are used, but the managers can be re-registered with a different type when the user decides to use different models (e.g via options.UseEntityFrameworkCore().ReplaceDefaultModels<...>()).

  • All the managers/store/store resolvers registration APIs offered by OpenIddictCoreBuilder have been removed: while they were very powerful and easy-to-use (e.g the Replace*Manager methods supported both open and closed generic types and were able to determine the entity type from the base type definition), they weren't AOT-compatible.

  • New AOT-friendly Replace*Store() and Replace*Manager() APIs have been introduced in OpenIddictCoreBuilder. The new Replace*Manager() APIs have two overloads that can be used depending on whether you need to register a closed or open generic type:

    options.ReplaceApplicationManager<
        /* TApplication: */ OpenIddictEntityFrameworkCoreApplication,
        /* TManager: */ CustomApplicationManager<OpenIddictEntityFrameworkCoreApplication>>();

    options.ReplaceApplicationManager(typeof(CustomApplicationManager<>));

  • While they are currently not functional on Native AOT due to EF Core not supporting interpreted LINQ expressions yet, the EF Core stores package has been updated to be ready for AOT: as part of this change, the signature of all the stores has been updated to remove the TContext generic argument from the definition. Similarly, the MongoDB C# driver isn't AOT (or even trimming) compatible yet, but the stores have been updated to ensure they only use statically-analyzable patterns.

  • A new IOpenIddictEntityFrameworkCoreContext interface containing a single ValueTask<DbContext> GetDbContextAsync(CancellationToken cancellationToken) method (similar to what's currently used in the MongoDB integration) has been introduced to allow each to resolve the DbContext to use. A default implementation named OpenIddictEntityFrameworkCoreContext<TContext> is used by the OpenIddictEntityFrameworkCoreBuilder.UseDbContext<TContext>() API to resolve the TContext type specified by the user.

  • The OpenIddictEntityFrameworkCoreBuilder.ReplaceDefaultEntities<...> API has been preserved - including the overload accepting a single TKey parameter but no longer use options internally. Instead, they re-register the untyped IOpenIddict*Manager to point to the correct OpenIddict*Manager<T> instances depending on the generic types set by the user.

• For consistency with the Entity Framework Core stores, the OpenIddictEntityFrameworkBuilder.UseDbContext<TContext>() API will no longer automatically register the DbContext type in the DI container.

• The authorization endpoint now uses Cache-Control: no-store instead of Cache-Control: no-cache when generating HTML auto-post form responses (thanks @matthid! ❤️)

• OpenIddict 7.0 preview 2 no longer allows dynamically overriding the prompt value when using OAuth 2.0 Pushed Authorization Requests.

Important

To prevent login endpoint -> authorization endpoint loops, developers are invited to update their authorization endpoint MVC action to use TempData to store a flag indicating whether the user has already been offered to re-authenticate and avoid triggering a new authentication challenge in that case. For instance:

// Try to retrieve the user principal stored in the authentication cookie and redirect
// the user agent to the login page (or to an external provider) in the following cases:
//
//  - If the user principal can't be extracted or the cookie is too old.
//  - If prompt=login was specified by the client application.
//  - If max_age=0 was specified by the client application (max_age=0 is equivalent to prompt=login).
//  - If a max_age parameter was provided and the authentication cookie is not considered "fresh" enough.
//
// For scenarios where the default authentication handler configured in the ASP.NET Core
// authentication options shouldn't be used, a specific scheme can be specified here.
var result = await HttpContext.AuthenticateAsync();
if (result is not { Succeeded: true } ||
    ((request.HasPromptValue(PromptValues.Login) || request.MaxAge is 0 ||
     (request.MaxAge != null && result.Properties?.IssuedUtc != null &&
      TimeProvider.System.GetUtcNow() - result.Properties.IssuedUtc > TimeSpan.FromSeconds(request.MaxAge.Value))) &&
    TempData["IgnoreAuthenticationChallenge"] is null or false))
{
    // If the client application requested promptless authentication,
    // return an error indicating that the user is not logged in.
    if (request.HasPromptValue(PromptValues.None))
    {
        return Forbid(
            authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
            properties: new AuthenticationProperties(new Dictionary<string, string>
            {
                [OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.LoginRequired,
                [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] = "The user is not logged in."
            }));
    }

    // To avoid endless login endpoint -> authorization endpoint redirects, a special temp data entry is
    // used to skip the challenge if the user agent has already been redirected to the login endpoint.
    //
    // Note: this flag doesn't guarantee that the user has accepted to re-authenticate. If such a guarantee
    // is needed, the existing authentication cookie MUST be deleted AND revoked (e.g using ASP.NET Core
    // Identity's security stamp feature with an extremely short revalidation time span) before triggering
    // a challenge to redirect the user agent to the login endpoint.
    TempData["IgnoreAuthenticationChallenge"] = true;

    // For scenarios where the default challenge handler configured in the ASP.NET Core
    // authentication options shouldn't be used, a specific scheme can be specified here.
    return Challenge(new AuthenticationProperties
    {
        RedirectUri = Request.PathBase + Request.Path + QueryString.Create(
            Request.HasFormContentType ? Request.Form : Request.Query)
    });
}

6.2.0

This release introduces the following changes:

• The client/server/validation ASP.NET Core/OWIN hosts now use Uri.TryCreate() instead of new Uri() to compute the base and request URIs, which avoids throwing an exception when they can't be computed ; for instance when the length of the internal buffer exceeds the limit allowed by the BCL System.Uri type (thanks to @tarunmathew12 from the Microsoft Healthcare team for reporting this issue! ❤️)

• 4 new providers have been added to OpenIddict.Client.WebIntegration:

  • Alibaba Cloud/Aliyun (thanks @gehongyan! ❤️)
  • Linear (thanks @jerriep! ❤️)
  • Miro (thanks @jerriep! ❤️)
  • Webflow (thanks @jerriep! ❤️)

7.0.0-preview.1

This release introduces the following changes:

• All the ASP.NET Core and Entity Framework Core 2.1 references used for the .NET Framework and .NET Standard TFMs have been replaced by the new 2.3 packages released mid-January (including the .NET Standard 2.1 TFM, that previously referenced unsupported ASP.NET Core 3.1 packages).

Important

ASP.NET Core 2.3 replaces ASP.NET Core 2.1: as such, it is essential that all ASP.NET Core 2.1 applications running on .NET Framework 4.6.2+ quickly migrate to 2.3 to ensure they keep receiving security patches and critical bug fixes.

Caution

While it was released as a minor version update, ASP.NET Core 2.3 is not 100% compatible with ASP.NET Core 2.2, as none of the changes or APIs introduced in 2.2 - no longer supported since December 2019 - is present in 2.3.

When migrating to OpenIddict 7.0, you'll need to carefully review your dependencies to ensure your application doesn't accidentally depend on any ASP.NET Core 2.2-specific API or package and still runs fine on 2.3.

For more information, read https://devblogs.microsoft.com/dotnet/servicing-release-advisory-aspnetcore-23/ and dotnet/aspnetcore#58598.

• All the OpenIddict packages now use 8.0 as the minimum .NET Extensions version for the .NET Framework and .NET Standard TFMs, which matches the approach used by the new ASP.NET Core/Entity Framework Core 2.3 packages (that all reference Microsoft.Extensions.* 8.0 packages instead of 2.1).

Important

Initial testing shows that OWIN/Katana or "legacy" ASP.NET 4.6.2+ applications are not negatively impacted by this change: in almost all cases, regenerating (or manually updating the binding redirects if necessary) after migrating to OpenIddict 7.0 should be enough. If you see regressions that may be caused by this change, please post in this thread: #2262.

• As part of the .NET Extensions 2.1 -> 8.0 change, the following improvements have been made:

  • The .NET Framework and .NET Standard TFMs now support TimeProvider and the associated properties in OpenIddictClientOptions, OpenIddictCoreOptions, OpenIddictQuartzOptions, OpenIddictServerOptions and OpenIddictValidationOptions are no longer nullable.

  • The .NET Framework and .NET Standard TFMs now support System.Text.Json.Nodes, which allows using JsonNode with OpenIddictParameter on older platforms.

• Several improvements have been made to the OpenIddictParameter primitive:

  • The OpenIddictParameter constructors and static operators offering string?[]? conversions have been replaced by equivalents taking ImmutableArray<string?> or ImmutableArray<string?>? parameters, which guarantees that the underlying value wrapped by OpenIddictParameter cannot be accidentally mutated after being created.

  • The OpenIddictRequest.Audiences and OpenIddictRequest.Resources properties have been updated to use ImmutableArray<string?>? instead of string?[]?, which should prevent unsupported mutations like context.Request.Audiences[2] = "overridden audience" (which may or may not work in 6.x depending on the actual CLR type of the parameter value initially wrapped).

  • For similar reasons, JsonNode instances are now cloned by OpenIddictParameter's constructor and cloned by the JsonNode? conversion operator to prevent accidental mutations. As part of this change, the OpenIddictRequest.Claims and OpenIddictRequest.Registration properties are now of type JsonObject instead of JsonElement, which should make these properties easier to use.

  • The low-level/untyped OpenIddictParameter.Value property has been removed and replaced by a new (hidden) OpenIddictParameter.GetRawValue() to encourage users to leverage the built-in conversion operators instead. New Microsoft.Extensions.Primitives.StringValues conversion operators have been added to the OpenIddictParameter primitive as part of this change.

  • The ClaimsPrincipal.GetDestinations()/ClaimsPrincipal.SetDestinations() extensions now use ImmutableDictionary<string, ImmutableArray<string>> instead of ImmutableDictionary<string, string[]> for consistency with the previous changes.

  • The OpenIddictParameter structure was updated to use the JsonNode.DeepEquals(), JsonElement.DeepEquals() or JsonElement.GetPropertyCount() APIs when available.

• The APIs obsoleted in OpenIddict 6.x have been removed.

• The net6.0 target framework monikers have been removed.

6.1.1

This release introduces the following changes:

• An issue causing end session requests missing the optional client_id parameter to be rejected when enabling end session request caching was fixed (thanks @miegir for reporting it! ❤️)

6.1.0

This release introduces the following changes:

• Native support for OAuth 2.0 Pushed Authorization Requests (aka PAR) has been implemented in both the OpenIddict client and server stacks. PAR increases the security level of user-interactive grants - like the code flow - by sending the actual authorization request parameters via backchannel communication before redirecting the user agent to the regular authorization endpoint with a unique and random request_uri attached. PAR has recently gained traction and is now supported by some OAuth 2.0 services and libraries (including Keycloak and Microsoft's ASP.NET Core OpenID Connect handler starting in .NET 9.0).

Tip

For more information on how to use OAuth 2.0 Pushed Authorization Requests in OpenIddict, read Pushed Authorization Requests.

• As part of the PAR introduction, the authorization and end session request caching feature has been completely revamped to use the same code path as pushed authorization requests and the OpenIddict-specific request_id parameter has been replaced by request_uri. While cached requests were persisted using IDistributedCache in previous versions, they are now stored in request tokens and persisted in OpenIddict's tokens table with the other tokens.

Note

The EnableAuthorizationRequestCaching and EnableEndSessionRequestCaching options have been moved from OpenIddictServerAspNetCoreOptions and OpenIddictServerOwinOptions to OpenIddictServerOptions (the original options are no longer honored). The corresponding methods in OpenIddictServerAspNetCoreBuilder and OpenIddictServerOwinBuilder are still functional - they internally use the new properties - but are now obsolete.

• GitCode, VK ID and Yandex are now supported by the OpenIddict.Client.WebIntegration package (thanks @gehongyan and @t1moH1ch! ❤️).

Note

With these new providers, the OpenIddict client now supports 100 web services! 🎉

• The InteractiveChallengeRequest and InteractiveSignOutRequest models have been updated to allow easily attaching an identity token or login hint to authorization and end session requests.

• The OpenIddict*AuthorizationStore.PruneAsync() implementations were updated to always exclude permanent authorizations that still have tokens attached, which should reduce risks of seeing SQL exceptions when one of the pruned authorizations still has children entities attached.

• An issue affecting the OpenIddictEntityFrameworkCoreAuthorizationStore.FindByApplicationIdAsync() API was identified and fixed (thanks @simon-wacker! ❤️)