7.0.0 Preview 1
Pre-releaseIdentity Server 7.0.0 Preview 1 previews support for .NET 8, as well as many other fixes and improvements.
.NET 8
IdentityServer now targets .NET 8. In addition to keeping IdentityServer implementations covered by Microsoft support, new features in .NET 8 enabled several improvements to IdentityServer. See #1337 for more details on the core update, and the item below for a related update that makes use of a new .NET 8 API.
- A
TimeProvider
based clock abstraction improves the granularity of the clock and make code that depends on it easier to test. See #1341.
Breaking Changes
Breaking changes are organized below based on the likelihood that they will impact your implementation. In summary, IdentityServer 7 preview 1 will require that you update to .NET 8, and may require minor changes if you are using particular extensibility points.
Likely to impact most implementations
- IdentityServer now supports .NET 8 only. See #1337.
Only impacts particular customizations or edge cases
-
The
DefaultCorsPolicyService
now depends on theIConfigurationDbContext
directly, instead of taking a dependency on theIServiceProvider
and resolving that DbContext from it. If you have a customized CORS implementation that derives from theDefaultCorsPolicyService
, you need to update the constructor of your derived class to use theIConfigurationDbContext
. See #1239. -
The
DPoPProofValidatonContext
has been refactored. Instead of theClient
property, we now put the relevant details (expiration validation mode and clock skew) directly in the context. We also have added the HTTP method and URL to the context. If you have a custom implementation of theIDPoPProofValidator
or a class that derives from theDefaultDPoPProofValidator
, update your usage of the context appropriately. See #1338. -
The reference token store now includes the session id when revoking reference tokens. Implementors of
IReferenceTokenStore
should update their implementation of token revocation to include the session id. See #1321. -
Invalid prompt modes now cause validation errors that result in an HTTP 400 (Bad Request). Previously, invalid prompt modes were ignored. This complies with updates to the OpenID Connect specification. See #1331.
Unlikely to impact anyone
-
The
KeyManagementOptions.SigningAlgorithms
is now anICollection
rather than anIEnumerable
. If you are configuring signing algorithms using code, and setting theSigningAlgorithms
to some type that implementsIEnumerable
but notICollection
, then you must change the type that you are using. In practice, we expect everyone uses a list or array (which are both ICollections). See #1375. -
The value of the constant
IdentityServerAuthenticationType
has changed from "IdentityServer4" to "Duende.IdentityServer". This constant is used as the value of the authentication type within the ClaimsIdentity that IdentityServer constructs. The authentication type's value is never used by IdentityServer or ASP.NET, so this is unlikely to impact anyone. It is also the name of the default cors policy created by IdentityServer. This could theoretically impact you if you have a CORS policy named "Duende.IdentityServer", as the new name now conflicts. See #1457.
Improvements
- Protocol endpoints use the new interface
IHttpResponseWriter
to write their http responses. This facilitates customization, when you need to control the way that http responses are written. This change was made in a way that was designed to be backwards compatible. Any customIEndpointResult
orIEndpointHandler
should still work the way they used to. See #1342. - Integrate server side sessions with the user info endpoint. See #1327.
- Local APIs now support DPoP. See #1338.
- Reference token revocation now respects the session id. See #1321.
- The license object is now public and available in the DI system. This allows for easier license status checks, UI that indicates that the license status, etc. See #1319.
- Refresh tokens can now be introspected at the introspection endpoint. See #1334.
- The sign out scheme is now inferred when external identity providers are used in combination with asp.net Identity. See #1265.
- The admin UI in the
IdentityServerEntityFramework
template now supports theInitiateLoginUri
client property. See #1314. - Improved use of nullable reference types. See #1315 and #1317.
- Make CORS debug log message more descriptive. See #1378.
- Use X-Frame-Options DENY to be consistent with csp frame-ancestors 'none'. See #1389.
Bug Fixes
- Allow
KeyManagementOptions
to be bound from appsettings.json or other config sources. See #1375. - Prevent duplicated keys in Dynamic Client Registration responses. See #1369.
- Remove the raw exception from unhandled exception events. These exceptions don't serialize cleanly and we already capture the exception message as part of the event. See #1363.
- Fix error log message formatting from the CIBA validator. See #1346.
Full Changelog: 6.3.5...7.0.0-preview.1