Skip to content
This repository has been archived by the owner before Nov 9, 2022. It is now read-only.


Choose a tag to compare
@brockallen brockallen released this 12 Aug 19:58
· 458 commits to master since this release

Breaking changes:

  • NuGet location changed to:
  • Top level namespace changed to "IdentityServer3".
  • Parameters to user service interface changed to context objects
  • All return values on the user service APIs moved to the context parameters
  • Script tag in the default view service layout template changed to "script.2.0.0.js"
  • OWIN extensions:
    • GetIdentityServerFullLogin renamed w/ Async
    • GetIdentityServerPartialLogin renamed w/ Async
  • New PostAuthenticateAsync added to user service. This is called prior to issuing a full login cookie for IdentityServer and allows a consolidated location to check if a partial login is needed for users logging in.
  • Removed InMemoryFactory - use new extension methods instead
  • Removed TraceLog and TraceSource providers - use Serilog (or any other LibLog supported library) instead
  • CorsPolicy removed on main options
  • Client configuration: ScopeRestrictions changed to AllowedScopes. We now require opt-in to allowing scopes to clients.
  • Event service APIs changed to return Task
  • Default view service's HTML files folder changed to "templates"


  • When choosing an external IdP from the login screen, we no longer redirect back to IdSvr before we redirect to the external IdP
  • Revoking a refresh token also revokes associated access tokens
  • AuthenticateResult now allows anonymous partial logins
  • Client configuration now has collection for origins to allow CORS
  • Client certificates supported on token endpoint
  • Support POST on token validation endpoints
  • When the Welcome page is disabled, the route will not be registered
  • Added several new OWIN environment extension methods related to partial logins
  • Added new URL in partial logins to restart the login process
  • When IdP passed to login page then we immediately redirect to IdP, rather than redirecting to our own external login page (which then redirects to the IdP)
  • Password field gets focus if username provided
  • Partial logins no longer remove the primary login cookie.
  • Logging:
    • added support for capturing Katana logs
    • removed "IncludeSensitiveData" feature
  • Reworked custom grant validators
    • one custom grant validator per type
    • can register multiple
  • Reworked client validation - split into:
    • secret parsers (parse the environment and turn something into an authenticable secret)
    • secret validators (validate the secret to confirm the associated id is correct)

Bug fixes:

  • Default view service's layout html has changed slightly