github DuendeSoftware/foss atm-4.0.0-rc.1
Duende.AccessTokenManagement 4.0.0 Release Candidate 1


This release marks a significant evolution of the internals of the Duende.AccessTokenManagement library. The public API signature for basic use cases has been mostly kept the same, but the extensibility model of the library has been significantly improved. This does mean that if you have made significant customizations to this library, you’ll likely need to revisit how those customizations have been implemented. We'll ship an upgrade guide for the most common scenarios as part of the documentation.

Because we realize that this is a big change and not everybody is able to adopt these changes immediately, we will continue to support Duende.AccessTokenManagement V3 until the release of .NET 10.

Major Changes

New Features

  • Support for OpenTelemetry metrics, logs, and traces.
  • Externalized cache key generation.
  • Support for Hybrid Cache.
  • ID token included in the refresh token result.

Moving Towards HybridCache Implementation and Away from Distributed Cache

ATM 4.0 uses the recently released HybridCache, which brings significant performance improvements while maintaining backward compatibility with .NET 8 and the IDistributedCache interface.

If you wish to encrypt cached access tokens, you can do so by implementing a custom serializer.
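One way to write such a serializer, added here as an example and not taken from the Duende code base: it wraps HybridCache's `IHybridCacheSerializer<T>` with ASP.NET Core Data Protection so that only ciphertext leaves the process. `SampleToken`, the purpose string and the cache key are constructed placeholders; the type ATM actually caches is not named on this page.

```csharp
using System;
using System.Buffers;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.Caching.Hybrid;
using Microsoft.Extensions.DependencyInjection;

var services = new ServiceCollection();
services.AddDataProtection(); // in production, persist and protect the key ring
services.AddHybridCache()
    .AddSerializer<SampleToken, EncryptedHybridCacheSerializer<SampleToken>>();

await using var provider = services.BuildServiceProvider();
var cache = provider.GetRequiredService<HybridCache>();
// Constructed entry: the factory stands in for a real token request.
var token = await cache.GetOrCreateAsync("sample-key",
    _ => ValueTask.FromResult(new SampleToken("constructed-value", DateTimeOffset.UtcNow.AddMinutes(5))));
Console.WriteLine(token.Expiration);

// Placeholder for the token type being cached (assumption, not an ATM type).
public sealed record SampleToken(string AccessToken, DateTimeOffset Expiration);

// Serializes to JSON, then encrypts and authenticates the bytes before they reach the cache.
public sealed class EncryptedHybridCacheSerializer<T> : IHybridCacheSerializer<T>
{
    private readonly IDataProtector _protector;

    // The purpose string isolates these payloads from other Data Protection consumers.
    public EncryptedHybridCacheSerializer(IDataProtectionProvider provider) =>
        _protector = provider.CreateProtector("Example.TokenCache.v1");

    public void Serialize(T value, IBufferWriter<byte> target)
    {
        byte[] plaintext = JsonSerializer.SerializeToUtf8Bytes(value);
        target.Write(_protector.Protect(plaintext));
    }

    public T Deserialize(ReadOnlySequence<byte> source)
    {
        // Unprotect throws CryptographicException if the payload was altered or the key is gone.
        byte[] plaintext = _protector.Unprotect(source.ToArray());
        return JsonSerializer.Deserialize<T>(plaintext)
            ?? throw new InvalidOperationException("Cached entry deserialized to null.");
    }
}
```

When several instances share a distributed cache, they must also share the Data Protection key ring, otherwise entries written by one instance cannot be decrypted by another.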

We have also added support for using distinct instances of HybridCache for different purposes via keyed services.

Complete Internal Refactoring

The library has undergone extensive internal changes—so much so that it can be considered a new implementation under the same conceptual umbrella. Despite this, the public API surface remains mostly compatible with earlier versions.

  • New extensibility model (see below).
  • All async methods now support cancellation tokens.
  • Renaming of certain classes and interfaces (see below).
  • Implementation logic is now internal.

Reduced Public API Surface

All internal implementation details are now marked as internal, reducing accidental coupling and clarifying the intended extension points. In V3, all classes were public and most public methods were marked as virtual. This meant you could override any class by inheriting from it and overriding a single method.

While this was very convenient for our consumers, it made it very difficult for us to introduce changes to the library without making breaking changes.

We still want to ensure our users' extensibility needs are met, but via more controlled mechanisms. If you find that you have an extensibility need that is not covered by the new model, please raise a discussion in our discussion board. If this is a scenario we want to support, we'll do our best to accommodate it.

Explicit Extension Model

Instead of relying on implicit behaviors or inheritance, V4 introduces clearly defined extension points, making it easier to customize behavior without relying on internal details.

Composition Over Inheritance

The AccessTokenHandler has been restructured to use composition rather than inheritance, simplifying the customization of token handling and increasing testability.

If you wish to implement a custom access token handling process, for example to implement token exchange, you can now implement your own AccessTokenRequestHandler.ITokenRetriever.

Strongly Typed Configuration

Configuration is now represented by strongly typed objects, improving validation, discoverability, and IDE support.

This means that where before you could assign strings to the configuration system, you'll now have to explicitly parse the string values.

For example:

var scheme = Scheme.Parse("oidc");

Renamed classes

Several classes have been renamed, either to make their usage clearer or to drop the 'service' suffix, which only adds noise:

AccessTokenHandler => AccessTokenRequestHandler
ClientCredentialsTokenManagementService => IClientCredentialsTokenManager
IClientCredentialsTokenEndpointService => IClientCredentialsTokenEndpoint
IUserTokenManagementService => IUserTokenManager
ITokenRequestSynchronization => IUserTokenRequestConcurrencyControl
IUserTokenEndpointService => IUserTokenEndpoint
