
5.1.0

@kevinchalet released this 18 Jan 17:48

This release introduces the following changes:

  • Behavior change: the ClaimsIdentity.GetClaim()/ClaimsPrincipal.GetClaim() extension now throws an InvalidOperationException when multiple claims of the same type were found in the identity/principal (instead of returning the first value and ignoring the other ones as in previous versions). See #1957 for more information.

  • Behavior change: the server stack now automatically aborts sign-in operations that specify a ClaimsPrincipal containing a well-known claim with an invalid cardinality or an incorrect value type attached (e.g. multiple sub claims, or a sub claim created with ClaimValueTypes.Integer instead of ClaimValueTypes.String). See #1956 for more information.

  • Client assertions that don't specify an optional iat claim are no longer rejected by the server stack.

  • A new OpenIddictClientService.GetClientRegistrationsAsync() API was introduced to allow resolving the client registrations dynamically, which can be used in non-ASP.NET Core/OWIN applications (e.g. console or desktop applications) to easily list the supported web providers:

// Let the user pick one of the registered providers that expose a name and a display name.
var provider = AnsiConsole.Prompt(new SelectionPrompt<OpenIddictClientRegistration>()
    .Title("Select the authentication provider you'd like to log in with.")
    .AddChoices(from registration in await _service.GetClientRegistrationsAsync(stoppingToken)
                where !string.IsNullOrEmpty(registration.ProviderName)
                where !string.IsNullOrEmpty(registration.ProviderDisplayName)
                select registration)
    .UseConverter(registration => registration.ProviderDisplayName!)).ProviderName!;

  • A new DisableUserinfo property was added to RefreshTokenAuthenticationRequest to allow disabling userinfo for specific refresh token requests (e.g. when using refresh tokens with the client credentials grant).

  • The client and server stacks have been updated to automatically restore the authentication properties initially set by the application (via ProcessChallengeContext.Properties or ProcessSignOutContext.Properties) and attach them to the authentication context (ProcessAuthenticationContext.Properties). This scenario was already supported by the ASP.NET Core and OWIN hosts, but is now supported for all integrations, including OpenIddict.Client.SystemIntegration and OpenIddict.Client.WebIntegration:

// Ask OpenIddict to initiate the authentication flow (typically, by starting the system browser).
var result = await _service.ChallengeInteractivelyAsync(new()
{
    CancellationToken = stoppingToken,
    ProviderName = provider,
    Properties = new()
    {
        ["custom_property"] = "value"
    }
});

// Wait for the user to complete the authorization process.
var response = await _service.AuthenticateInteractivelyAsync(new()
{
    CancellationToken = stoppingToken,
    Nonce = result.Nonce
});

// The properties attached during the challenge are restored on the authentication response.
var property = response.Properties["custom_property"];
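As an added example (not code from the OpenIddict project or this release), the following C# checks the two conditions described in the first two items above, a duplicated sub claim and a sub claim with a non-string value type, before an identity is handed to a sign-in operation, and shows the new GetClaim() behavior on such an identity. The PrincipalChecks class and the list of claims it inspects are assumptions of this example; GetClaim(), SetClaim() and Claims.Subject come from OpenIddict.Abstractions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using OpenIddict.Abstractions;
using static OpenIddict.Abstractions.OpenIddictConstants;

// Constructed identity that violates both rules: two "sub" claims, one typed as an integer.
var identity = new ClaimsIdentity("test");
identity.AddClaim(new Claim(Claims.Subject, "alice"));
identity.AddClaim(new Claim(Claims.Subject, "42", ClaimValueTypes.Integer));
foreach (var problem in PrincipalChecks.FindClaimProblems(identity)) Console.WriteLine(problem);

try
{
    // In 5.1.0 this throws instead of silently returning the first "sub" value.
    Console.WriteLine(identity.GetClaim(Claims.Subject));
}
catch (InvalidOperationException exception)
{
    Console.WriteLine($"GetClaim rejected the identity: {exception.Message}");
}

// SetClaim() replaces every existing "sub" claim with a single string-typed claim.
identity.SetClaim(Claims.Subject, "alice");
Console.WriteLine(PrincipalChecks.FindClaimProblems(identity).Count == 0 ? "principal is valid" : "still invalid");

public static class PrincipalChecks
{
    // "sub" is the claim named in the release notes; which other well-known claims an
    // application must keep single-valued is an assumption left to the reader to extend.
    private static readonly string[] SingleValuedStringClaims = { Claims.Subject };

    // Reports the two conditions the release notes describe (cardinality and value type); empty means OK.
    public static IReadOnlyList<string> FindClaimProblems(ClaimsIdentity identity)
    {
        var problems = new List<string>();
        foreach (var type in SingleValuedStringClaims)
        {
            var claims = identity.FindAll(type).ToList();
            if (claims.Count > 1)
                problems.Add($"{type}: found {claims.Count} claims, expected at most one.");
            foreach (var claim in claims.Where(c => c.ValueType != ClaimValueTypes.String))
                problems.Add($"{type}: value type '{claim.ValueType}', expected '{ClaimValueTypes.String}'.");
        }
        return problems;
    }
}
```

Running the check before SignIn surfaces the problem in application code, where it can be logged with context, rather than as an aborted sign-in inside the server stack.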