2.5.0

As part of this release we had 44 issues closed.

bugs

• #3404 HashedSharedSecretValidator does not catch null value
• #3391 Added check to scope validator for missing identity and api scopes
• #3388 repro PR for Incorrect secret type for missing secret in BasicAuth #2975
• #3358 DefaultTokenService - access token claims without distinct
• #3330 Object reference not set to an instance of an object - when calling RequestClientCredentialsTokenAsync
• #3325 ids4 configured to use external ConsentUrl duplicates path in ReturnUrl
• #3320 Include identity resource properties in GetAllResourcesAsync
• #3282 Add vary by origin for Cache-Control on disco endpoints
• #3128 Latest Identity Server 4 OIDC Form Post doesn't work when run in a WinForms WebBrowser control
• #3013 IdentityServer4.Models.ApiResourceExtensions.CloneWithScopes does not clone properties
• #2875 code flow with fragment response mode is not allowed

enhancements

• #3422 Add claims transformation event to local API authN handler
• #3409 add AddValidationKeys signature accepting X509Certificate2[] (#3383)
• #3406 add scope to all token responses
• #3392 Added scope param to token endpoint for device grant type
• #3382 add message store abstraction on authorization request params
• #3298 should never cache temporary data with no expiration
• #3276 Handle unknown idp at login
• #3257 Make EntityFramework.Stores*Store.cs private fields accessible for derived Classes
• #3254 Prototype for pluggable authN MW
• #3243 Use Task.CompletedTask to reduce allocations
• #3242 Consider global switch to disable request_uri feature
• #3241 Add support for signed authorize requests
• #3234 Add Client.Id and to UserLoginSuccessEvent and UserLoginFailureEvent
• #3229 Make back channel signout a first class service
• #3227 Recompilation required for EF.Storage with latest AutoMapper 8.1.0 due to signature change
• #3219 Add JWK support in JwtRequestValidator
• #3215 LogInformation changed to LogDebug
• #3201 Allowed usage of relative and absolute verification URIs for device authorization
• #3200 Device Code Cleanup
• #3193 Add validation for cors origins that aren't valid
• #3183 Add support to carry an error description back to third party clients on authorize error results
• #3160 PersistedGrants missing index on Expiration column
• #3148 call flush async #3096
• #3143 Log request details on more log messages
• #3139 Back-Channel Logout Token: Allow configuring additional claims
• #3059 Fixed bug where the Subject was not being set on the ValidatedRequest and would not end up in the TokenIssuedSuccessEvent using Code flow
• #2938 Provide more flexibility in the DefaultUserSession cookie management
• #2893 Make ProtectedDataMessageStore public
• #2884 Generate a token with claims from IdentityServerTools
• #2859 Support HttpClientFactory for back channel signout
• #2846 Adjust "Authentication scheme Bearer is configured for IdentityServer, but it is not a scheme that supports signin (like cookies)"
• #2539 Consider Add or Replace Endpoint extension method
• #1958 Add client_id to ErrorMessage when Authorization request failed