
7.0.0 Preview 1

Pre-release
@brockallen brockallen released this 20 Sep 13:29
efc3000

Identity Server 7.0.0 Preview 1 previews support for .NET 8, as well as many other fixes and improvements.

.NET 8

IdentityServer now targets .NET 8. In addition to keeping IdentityServer implementations covered by Microsoft support, new features in .NET 8 enabled several improvements to IdentityServer. See #1337 for more details on the core update, and the item below for a related update that makes use of a new .NET 8 API.

  • A TimeProvider-based clock abstraction improves the granularity of the clock and makes code that depends on it easier to test. See #1341.

Breaking Changes

Breaking changes are organized below based on the likelihood that they will impact your implementation. In summary, IdentityServer 7 preview 1 will require that you update to .NET 8, and may require minor changes if you are using particular extensibility points.

Likely to impact most implementations

  • IdentityServer now supports .NET 8 only. See #1337.

Only impacts particular customizations or edge cases

  • The DefaultCorsPolicyService now depends on the IConfigurationDbContext directly, instead of taking a dependency on the IServiceProvider and resolving that DbContext from it. If you have a customized CORS implementation that derives from the DefaultCorsPolicyService, you need to update the constructor of your derived class to use the IConfigurationDbContext. See #1239.
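As an added illustration of the constructor change (example code, not part of the release notes or the Duende code base), the hypothetical derived class below shows the old and new constructor shapes side by side. The base constructor parameter list `(IConfigurationDbContext, ILogger<DefaultCorsPolicyService>)` and the `virtual` `IsOriginAllowedAsync` override are assumptions; confirm them against the 7.0.0 preview package before copying. The override also shows the practice of matching a hard-coded origin exactly rather than by suffix, which is the usual CORS allow-list mistake.

```csharp
// Added example; not from the release notes or the Duende project.
// ASSUMED: base constructor is (IConfigurationDbContext, ILogger<DefaultCorsPolicyService>)
// and IsOriginAllowedAsync is virtual. Verify against your installed package.
using Duende.IdentityServer.EntityFramework.Interfaces;
using Duende.IdentityServer.Services;
using Microsoft.Extensions.Logging;

// Hypothetical customization: one fixed first-party origin is always allowed,
// everything else is decided by the configuration database as before.
public class FirstPartyCorsPolicyService : DefaultCorsPolicyService
{
    private const string FirstPartyOrigin = "https://admin.example.com"; // constructed sample value

    // IdentityServer 6 shape (no longer compiles against 7.0.0 preview 1):
    // public FirstPartyCorsPolicyService(IServiceProvider provider, ILogger<DefaultCorsPolicyService> logger)
    //     : base(provider, logger) { }

    // IdentityServer 7 shape: the DbContext is injected directly.
    public FirstPartyCorsPolicyService(IConfigurationDbContext context, ILogger<DefaultCorsPolicyService> logger)
        : base(context, logger)
    {
    }

    public override async Task<bool> IsOriginAllowedAsync(string origin)
    {
        // Exact, case-insensitive match on the whole origin (scheme + host + port).
        // A StartsWith/EndsWith check here would let "https://admin.example.com.attacker.test" through.
        if (string.Equals(origin, FirstPartyOrigin, StringComparison.OrdinalIgnoreCase))
        {
            return true;
        }

        return await base.IsOriginAllowedAsync(origin);
    }
}
```

Register it with `builder.Services.AddTransient<ICorsPolicyService, FirstPartyCorsPolicyService>()` after `AddIdentityServer()`, exactly as you would have registered the IdentityServer 6 version; only the constructor changes.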

  • The DPoPProofValidatonContext has been refactored. Instead of the Client property, we now put the relevant details (expiration validation mode and clock skew) directly in the context. We also have added the HTTP method and URL to the context. If you have a custom implementation of the IDPoPProofValidator or a class that derives from the DefaultDPoPProofValidator, update your usage of the context appropriately. See #1338.

  • The reference token store now includes the session id when revoking reference tokens. Implementors of IReferenceTokenStore should update their implementation of token revocation to include the session id. See #1321.

  • Invalid prompt modes now cause validation errors that result in an HTTP 400 (Bad Request). Previously, invalid prompt modes were ignored. This complies with updates to the OpenID Connect specification. See #1331.

Unlikely to impact anyone

  • The KeyManagementOptions.SigningAlgorithms is now an ICollection rather than an IEnumerable. If you are configuring signing algorithms using code, and setting the SigningAlgorithms to some type that implements IEnumerable but not ICollection, then you must change the type that you are using. In practice, we expect everyone uses a list or array (which are both ICollections). See #1375.

  • The value of the constant IdentityServerAuthenticationType has changed from "IdentityServer4" to "Duende.IdentityServer". This constant is used as the value of the authentication type within the ClaimsIdentity that IdentityServer constructs. The authentication type's value is never used by IdentityServer or ASP.NET, so this is unlikely to impact anyone. It is also the name of the default CORS policy created by IdentityServer. This could theoretically impact you if you have a CORS policy named "Duende.IdentityServer", as the new name now conflicts. See #1457.
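The two items above (the `ICollection` requirement on `KeyManagementOptions.SigningAlgorithms` and the renamed constant that doubles as the built-in CORS policy name) are shown together in the minimal `Program.cs` below. This is an added example, not code from the release notes or from Duende; the configuration key `Cors:PolicyName` and the origin values are constructed, and `SigningAlgorithmOptions` is assumed to live in `Duende.IdentityServer.Configuration` with a `(string name, bool useX509Certificate = false)` constructor.

```csharp
// Added example; not from the release notes or the Duende project.
// Assumes .NET 8 implicit usings (System, System.Linq, Microsoft.AspNetCore.Builder, ...).
using Duende.IdentityServer;
using Duende.IdentityServer.Configuration;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Constructed sample input: algorithm names as they might arrive from a config source.
string[] configuredAlgorithms = { SecurityAlgorithms.RsaSha256, SecurityAlgorithms.EcdsaSha256 };

builder.Services.AddIdentityServer(options =>
{
    // IdentityServer 6: a deferred LINQ projection is IEnumerable<T> but not ICollection<T>,
    // so this assignment no longer compiles against 7.0.0 preview 1:
    // options.KeyManagement.SigningAlgorithms =
    //     configuredAlgorithms.Select(name => new SigningAlgorithmOptions(name));

    // IdentityServer 7: materialise into a List<T> (an array works too; both are ICollection<T>).
    options.KeyManagement.SigningAlgorithms = configuredAlgorithms
        .Select(name => new SigningAlgorithmOptions(name))
        .ToList();
});

// IdentityServerConstants.IdentityServerAuthenticationType is now "Duende.IdentityServer" and is
// also the name of the CORS policy IdentityServer registers for its own endpoints. A policy the
// application registers under that same name would collide, so fail fast at startup if it does.
var appCorsPolicy = builder.Configuration["Cors:PolicyName"] ?? "MyApp.Frontend"; // assumed key/name
if (string.Equals(appCorsPolicy, IdentityServerConstants.IdentityServerAuthenticationType, StringComparison.Ordinal))
{
    throw new InvalidOperationException(
        $"CORS policy name '{appCorsPolicy}' collides with IdentityServer's built-in policy name.");
}

builder.Services.AddCors(cors => cors.AddPolicy(appCorsPolicy, policy =>
    policy.WithOrigins("https://app.example.com") // constructed sample origin; no wildcard
          .WithHeaders("Authorization", "Content-Type")
          .WithMethods("GET", "POST")));

var app = builder.Build();

app.UseCors(appCorsPolicy);   // application endpoints
app.UseIdentityServer();      // protocol endpoints use IdentityServer's own CORS handling
app.Run();
```

The startup check is cheap and turns a silent policy collision into an immediate, obvious failure; the explicit origin, header and method lists on the application policy keep the CORS surface narrow regardless of the rename.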

Improvements

  • Protocol endpoints use the new interface IHttpResponseWriter to write their HTTP responses. This facilitates customization when you need to control the way that HTTP responses are written. This change was designed to be backwards compatible: any custom IEndpointResult or IEndpointHandler should still work the way it used to. See #1342.
  • Integrate server side sessions with the user info endpoint. See #1327.
  • Local APIs now support DPoP. See #1338.
  • Reference token revocation now respects the session id. See #1321.
  • The license object is now public and available in the DI system. This allows for easier license status checks, UI that indicates the license status, etc. See #1319.
  • Refresh tokens can now be introspected at the introspection endpoint. See #1334.
  • The sign-out scheme is now inferred when external identity providers are used in combination with ASP.NET Identity. See #1265.
  • The admin UI in the IdentityServerEntityFramework template now supports the InitiateLoginUri client property. See #1314.
  • Improved use of nullable reference types. See #1315 and #1317.
  • Make CORS debug log message more descriptive. See #1378.
  • Use X-Frame-Options DENY to be consistent with the CSP frame-ancestors 'none' directive. See #1389.

Bug Fixes

  • Allow KeyManagementOptions to be bound from appsettings.json or other config sources. See #1375.
  • Prevent duplicated keys in Dynamic Client Registration responses. See #1369.
  • Remove the raw exception from unhandled exception events. These exceptions don't serialize cleanly and we already capture the exception message as part of the event. See #1363.
  • Fix error log message formatting from the CIBA validator. See #1346.

Full Changelog: 6.3.5...7.0.0-preview.1