8.0.0-preview.2
Pre-releaseThis release introduces the following changes:
- The client, core, server and validation stacks now support the new ML-DSA Post-Quantum Cryptography algorithm on both .NET 10 and .NET Framework 4.8. While ML-DSA produces larger signatures (making resulting tokens significantly larger), it provides a higher resistance against quantum attackers. Just like ECDSA and RSA signing keys, ML-DSA keys can be easily registered using the existing
AddSigningKey()API:
builder.Services.AddOpenIddict()
.AddServer(options =>
{
// ...
options.AddSigningKey(new MlDsaSecurityKey(MLDsa.GenerateKey(MLDsaAlgorithm.MLDsa44)));
});Important
ML-DSA support is still experimental and relies on .NET 10 APIs decorated with the [Experimental] attribute. While ML-DSA signing keys can now be configured in OpenIddict 8.0 preview 2, support for this algorithm in other OAuth/OpenID Connect stacks is still extremely limited at the moment. As such, implementing ML-DSA is not yet recommended if interoperability with other environments is a concern.
Note
On .NET Framework, the SHAKE256 hash algorithm needed to produce access token and authorization code hashes when ML-DSA keys are used is polyfilled using BouncyCastle.
-
The entire codebase has been updated to use the
Base64Urlclass provided by the BCL instead of theBase64UrlEncoderclass shipping with Microsoft IdentityModel. -
The
OpenIddict.Client.WebIntegrationpackage now supports Vercel and ID Austria (thanks @kescherCode! ❤️) -
The Entity Framework 6.x and Entity Framework Core stores have been updated to automatically restore the
EntityStateof token entities after failed application deletion (thanks @tedchirvasiu! ❤️) -
All the .NET and third-party dependencies have been updated to their latest version.