Skip to content

8.0.0-preview.2

Pre-release
Pre-release

Choose a tag to compare

@kevinchalet kevinchalet released this 15 Jul 15:06

This release introduces the following changes:

  • The client, core, server and validation stacks now support the new ML-DSA Post-Quantum Cryptography algorithm on both .NET 10 and .NET Framework 4.8. While ML-DSA produces larger signatures (making resulting tokens significantly larger), it provides a higher resistance against quantum attackers. Just like ECDSA and RSA signing keys, ML-DSA keys can be easily registered using the existing AddSigningKey() API:
builder.Services.AddOpenIddict()
    .AddServer(options =>
    {
        // ...

        options.AddSigningKey(new MlDsaSecurityKey(MLDsa.GenerateKey(MLDsaAlgorithm.MLDsa44)));
    });

Important

ML-DSA support is still experimental and relies on .NET 10 APIs decorated with the [Experimental] attribute. While ML-DSA signing keys can now be configured in OpenIddict 8.0 preview 2, support for this algorithm in other OAuth/OpenID Connect stacks is still extremely limited at the moment. As such, implementing ML-DSA is not yet recommended if interoperability with other environments is a concern.

Note

On .NET Framework, the SHAKE256 hash algorithm needed to produce access token and authorization code hashes when ML-DSA keys are used is polyfilled using BouncyCastle.

  • The entire codebase has been updated to use the Base64Url class provided by the BCL instead of the Base64UrlEncoder class shipping with Microsoft IdentityModel.

  • The OpenIddict.Client.WebIntegration package now supports Vercel and ID Austria (thanks @kescherCode! ❤️)

  • The Entity Framework 6.x and Entity Framework Core stores have been updated to automatically restore the EntityState of token entities after failed application deletion (thanks @tedchirvasiu! ❤️)

  • All the .NET and third-party dependencies have been updated to their latest version.