As part of this release we had 58 issues closed.
Next big release - after ASP.NET Core 3.1
bugs
- #4498 fix infinite loop in Token Cleanup after concurrency exception
- #4496 AuthorizeInteractionResponseGenerator : MaxAge does not respect prompt=none
- #4368 How to add a custom implementation (e.g. WsFederation) of IReturnUrlParser if everything is internal set in AuthorizationRequest class in next v4.x ?
- #4295 DefaultClientConfigurationValidator bug
- #4290 Fix cnf format for MTLS
- #4268 AddOidcStateDataFormatterCache broken with new JSON serializer
- #4173 Duplicate UserLoginSuccess/Failure events when using resource owner grant and IdentityServer4.AspNetIdentity
- #4145 Error Response with invalid redirection URI on authorize endpoint
- #4129 Fix logger category name for BackChannelLogoutHttpClient
- #4095 Return invalid_grant when redirect_uri is invalid on token endpoint
- #4075 Error Response with invalid redirection URI
- #4037 Bug Fix #4036 - missing crv value when passing JsonWebKey to AddSigni…
enhancements
- #4504 Update error handling for invalid response modes
- #4502 Update form content check to reject multipart forms
- #4501 Update authorization code validation to do client binding check before deleting the code in the store
- #4499 Allow setting domain on SessionIdCookie #4406
- #4444 Make sensitive data filters configurable
- #4439 namespace cleanup/refactor in host (to support templates)
- #4428 add consumedtime to persisted grant and refresh token
- #4427 Features/bootstrap update
- #4409 Add strict JAR mode
- #4390 enhancements to add logout notification service as first class service
- #4376 Features/grants enhancements
- #4361 Extend JWT token validation to accept space separated scopes
- #4360 Adapt JWT request validation to latest JAR spec
- #4357 Add iat to access tokens
- #4352 Emit jti by default
- #4343 Add option to set SameSite mode for internal cookies
- #4342 Add option to emit scopes as space separated string in JWT (as opposed to array)
- #4245 Strict redirect uri validator app auth with path
- #4237 Make aspid profile service more extensible
- #4235 end session changes: IsActive no longer called and no longer default to a single redirect uri
- #4234 Use non-case sensitive string for any ids
- #4227 switch to named HTTP clients from factory (instead of typed)
- #4226 Reduce usage of Newtonsoft.Json
- #4210 add sid and device description to grants table
- #4208 add support for handling multiple prompt values
- #4204 Add API to interaction service to return error to client
- #4203 Improve query on cors origins. #3395
- #4202 include sid (if present) in access tokens #3955
- #4153 private_key_jwt updates
- #4026 Added AddUserSession extension method
- #4024 Add JAR support
- #4019 Add client setting to require request object
- #3979 Added notification for device code removal
- #3969 Make cnf part of Token model
- #3962 MTLS Update
- #3892 V4: Multiple signing keys
- #3761 Add a client setting to require request objects
- #3732 Remove unused SaveChanges APIs in EF DbContext Interfaces
- #3692 Removed obsolete code
- #3413 IUserSession.CreateSessionIdAsync should return sid
- #3395 Improve query on cors origins.
breaking changes