github DuendeSoftware/foss atm-4.0.0-RC1
Duende.AccessTokenManagement 4.0.0 - RC1

pre-release, 5 months ago

This release contains several important improvements and changes:

  • Named key support for injecting a specific IDistributedCache instance.
  • A preview feature that allows the use of HybridCache. This will likely replace the use of IDistributedCache in a future release. Note that this change sets the minimum version of the dependencies on Microsoft libraries to 9.0.3. This is not a problem for our support of .NET 8, because the 9.x versions of these libraries also support .NET 8.
  • Support for OpenTelemetry metrics, logs and traces.
  • Externalized cache key generation.
  • Marked several types as 'obsolete' that will be made internal in a future release. See https://github.com/orgs/DuendeSoftware/discussions/140
  • Moved several extension methods to Duende.AccessTokenManagement namespace.

Upgrade Guide

Using a keyed version of IDistributedCache

If you wish to store data from AccessTokenManagement in a different instance of IDistributedCache, this is now supported. This would be an extensibility point if you want to:

  1. encrypt your tokens
  2. keep your tokens in-memory, whereas other parts of the application use a distributed cache.

    services.AddKeyedSingleton<IDistributedCache>(ServiceProviderKeys.ClientCredentialsTokenCache, replacementCache);
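
An added example (not part of the Duende release notes or code base) of the first use case: a decorator that encrypts cached token payloads with ASP.NET Core Data Protection and is registered under the keyed slot shown above. `EncryptedDistributedCache`, `AddEncryptedTokenCache`, the purpose string and the `Duende.AccessTokenManagement` namespace for `ServiceProviderKeys` are assumptions; implicit usings are assumed to be enabled.

```csharp
using System.Security.Cryptography;
using Duende.AccessTokenManagement; // assumed namespace of ServiceProviderKeys
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.Caching.Distributed;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical decorator: values are encrypted before they reach the backing cache.
// Cache keys are passed through unchanged, so they must not contain secrets.
public sealed class EncryptedDistributedCache(IDistributedCache inner, IDataProtectionProvider provider)
    : IDistributedCache
{
    // Assumed purpose string; it isolates these payloads from other protected data.
    private readonly IDataProtector _protector = provider.CreateProtector("TokenCache.v1");

    public byte[]? Get(string key) => Unprotect(inner.Get(key));
    public async Task<byte[]?> GetAsync(string key, CancellationToken token = default) =>
        Unprotect(await inner.GetAsync(key, token));

    public void Set(string key, byte[] value, DistributedCacheEntryOptions options) =>
        inner.Set(key, _protector.Protect(value), options);
    public Task SetAsync(string key, byte[] value, DistributedCacheEntryOptions options,
        CancellationToken token = default) =>
        inner.SetAsync(key, _protector.Protect(value), options, token);

    // Key-only operations need no cryptography.
    public void Refresh(string key) => inner.Refresh(key);
    public Task RefreshAsync(string key, CancellationToken token = default) => inner.RefreshAsync(key, token);
    public void Remove(string key) => inner.Remove(key);
    public Task RemoveAsync(string key, CancellationToken token = default) => inner.RemoveAsync(key, token);

    private byte[]? Unprotect(byte[]? stored)
    {
        if (stored is null) return null;
        try { return _protector.Unprotect(stored); }
        // Tampered entry or unavailable key: report a cache miss so a fresh token is requested.
        catch (CryptographicException) { return null; }
    }
}

public static class TokenCacheRegistration
{
    public static IServiceCollection AddEncryptedTokenCache(this IServiceCollection services)
    {
        services.AddDataProtection();
        services.AddDistributedMemoryCache(); // stand-in for the application's real IDistributedCache
        services.AddKeyedSingleton<IDistributedCache>(ServiceProviderKeys.ClientCredentialsTokenCache,
            (sp, _) => new EncryptedDistributedCache(sp.GetRequiredService<IDistributedCache>(),
                sp.GetRequiredService<IDataProtectionProvider>()));
        return services;
    }
}
```

When the backing cache is shared between servers, the Data Protection key ring has to be persisted and shared as well, otherwise each node treats the others' entries as misses.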

Using hybrid cache preview feature

HybridCache brings a big benefit over the existing IDistributedCache interface. With IDistributedCache, you either use a MemoryCache, which is restricted to a single server, or a distributed cache implementation, such as Redis. The downside of the distributed option is that every cache operation now introduces a network call, which actually makes things slower compared to using the MemoryCache.

The hybrid cache combines an L1 memory cache with an optional L2 external cache.

    services.AddClientCredentialsTokenManagement()
        .UsePreviewHybridCache();

Custom Cache key generation

If you need a custom cache key, instead of inheriting from DistributedClientCredentialsTokenCache, you should now implement IClientCredentialsCacheKeyGenerator.

Using OpenTelemetry

You can now opt into using OpenTelemetry.

    services.AddOpenTelemetry()
            .WithMetrics(metrics =>
            {
                metrics.AddMeter(AccessTokenManagementMetrics.MeterName);
            })
            .WithTracing(tracing =>
            {
                tracing.AddSource(ActivitySourceNames.Main);
            });

Moving away from inheritance based extensibility

The implementations of a lot of types have been marked as 'obsolete', because they are going to be made internal. We're moving from extension via inheritance towards extensibility via composition.

If you've implemented a custom DistributedClientCredentialsTokenCache, this is likely because you wanted to:

  1. implement a custom cache key. You can now do this by registering a custom implementation of IClientCredentialsCacheKeyGenerator.
  2. control where cache data gets stored. You can do this either by using the new HybridCache features, or by injecting a custom IDistributedCache instance with a custom key.

The following types have been marked as [Obsolete] and will be made private in the next release.

  • Duende.AccessTokenManagement.ClientCredentialsTokenEndpointService
  • Duende.AccessTokenManagement.ClientCredentialsTokenHandler
  • Duende.AccessTokenManagement.ClientCredentialsTokenManagementService
  • Duende.AccessTokenManagement.DefaultClientAssertionService
  • Duende.AccessTokenManagement.DefaultDPoPKeyStore
  • Duende.AccessTokenManagement.DefaultDPoPProofService
  • Duende.AccessTokenManagement.DistributedClientCredentialsTokenCache
  • Duende.AccessTokenManagement.DistributedDPoPNonceStore
  • Duende.AccessTokenManagement.OpenIdConnect.AuthenticationSessionUserAccessTokenStore
  • Duende.AccessTokenManagement.OpenIdConnect.BlazorServerUserAccessor
  • Duende.AccessTokenManagement.OpenIdConnect.CircuitServicesAccessor
  • Duende.AccessTokenManagement.OpenIdConnect.HttpContextUserAccessor
  • Duende.AccessTokenManagement.OpenIdConnect.OpenIdConnectClientAccessTokenHandler
  • Duende.AccessTokenManagement.OpenIdConnect.OpenIdConnectConfigurationService
  • Duende.AccessTokenManagement.OpenIdConnect.OpenIdConnectUserAccessTokenHandler
  • Duende.AccessTokenManagement.OpenIdConnect.StoreTokensInAuthenticationProperties
  • Duende.AccessTokenManagement.OpenIdConnect.UserAccessAccessTokenManagementService
  • Duende.AccessTokenManagement.OpenIdConnect.UserTokenEndpointService

Using extension methods

Several extension methods used to be in the same namespace as the subject that was extended. For example, extension methods for IServiceCollection were in the Microsoft.Extensions.DependencyInjection namespace. This made discovery of the methods easier, because you didn't have to add a 'using' statement before using the methods.

Now that these extension methods have been moved to the Duende.AccessTokenManagement namespace, you'll need to explicitly add this namespace to your using statements.

Breaking Changes:

Changes:
