5.3.0
This release introduces the following changes:
- Native support for interactive sign-out was added to the
OpenIddict.Client.SystemIntegrationpackage. To support this new feature, a newSignOutInteractivelyAsync()API (similar to the existingChallengeInteractivelyAsync()API used to start a new authentication flow) has been added toOpenIddictClientService:
// Ask OpenIddict to initiate the logout flow (typically, by starting the system browser).
var result = await _service.SignOutInteractivelyAsync(new()
{
CancellationToken = stoppingToken,
ProviderName = provider
});- The client stack now natively supports OAuth 2.0 introspection, which allows querying the authorization server to determine the set of metadata for a given token - typically an access or refresh token - and, depending on the server policy, retrieve its actual content:
var result = await _service.IntrospectTokenAsync(new()
{
CancellationToken = stoppingToken,
ProviderName = provider,
Token = response.BackchannelAccessToken,
TokenTypeHint = TokenTypeHints.AccessToken
});Important
As part of this change, the introspection implementation of the validation stack was reworked to be consistent with its new client counterpart. Most notably, the ValidateToken event is no longer invoked for introspected tokens (a change that had been introduced in OpenIddict 5.0): developers who want to apply custom logic to introspected tokens/principals are invited to use the ProcessAuthentication event instead.
- Support for OAuth 2.0 revocation was also added to the client stack to allow revoking an access or refresh token (and, depending on the server policy, the associated authorization grant):
var result = await _service.RevokeTokenAsync(new()
{
CancellationToken = stoppingToken,
ProviderName = provider,
Token = response.BackchannelAccessToken,
TokenTypeHint = TokenTypeHints.AccessToken
});Note
The Apple, DeviantArt, Discord, Reddit, Trakt and Zoom web providers have been updated to support token revocation.
- On .NET 8.0 and higher, the
OpenIddict.Client.SystemNetHttpandOpenIddict.Validation.SystemNetHttppackages now natively supportMicrosoft.Extensions.Http.Resilienceand use aResiliencePipeline<HttpResponseMessage>by default (unless anIAsyncPolicy<HttpResponseMessage>was explicitly configured by the user).
Tip
If necessary, the default resilience pipeline can be easily overridden using the SetHttpResiliencePipeline() API:
options.UseSystemNetHttp(options => options.SetHttpResiliencePipeline(options =>
{
options.AddRetry(new HttpRetryStrategyOptions
{
BackoffType = DelayBackoffType.Exponential,
Delay = TimeSpan.FromSeconds(1),
MaxRetryAttempts = 2
});
options.AddCircuitBreaker(new HttpCircuitBreakerStrategyOptions
{
BreakDuration = TimeSpan.FromSeconds(10),
FailureRatio = 0.9,
MinimumThroughput = 5,
SamplingDuration = TimeSpan.FromSeconds(5)
});
}));
-
10 new web providers have been added to the
OpenIddict.Client.WebIntegrationpackage:- Bitly
- Box
- Dailymotion
- Disqus
- DocuSign
- Mastodon
- Meetup
- MusicBrainz
- OpenStreetMap
- Tidal
-
The Spotify provider was updated to use PKCE (OAuth 2.0 Proof Key for Code Exchange).
-
UWP support in
OpenIddict.Client.SystemIntegrationis now provided via a dedicateduap10.0.17763TFM.
Important
As part of this change, the netstandard2.0 and netstandard2.1 versions of OpenIddict.Client.SystemIntegration have been updated to stop using the Windows Runtime APIs (internally used to launch the system browser, integrate with the web authentication broker or handle protocol activations).
The net461, net472, net48, net6.0-windows10.0.17763, net7.0-windows10.0.17763 or net8.0-windows10.0.17763 versions of OpenIddict.Client.SystemIntegration still use these APIs internally - with runtime checks in place to ensure older platforms are still supported - so non-UWP Windows applications should behave the same way as in previous versions.