github openiddict/openiddict-core 4.7.0


This release introduces the following changes:

Note
These changes are expected to drastically simplify using the OpenIddict client and its web integration companion package as drop-in replacements for the Microsoft OIDC/OAuth 2.0 handlers and the aspnet-contrib social providers. The aspnet-contrib providers are still supported, but the OpenIddict providers are now the recommended option for most scenarios.

  • A built-in authentication scheme forwarding feature was added to the OpenIddict client: starting in OpenIddict 4.7, an authentication scheme will now be dynamically created for each client registration that has a non-null OpenIddictClientRegistration.ProviderName attached, which allows calling the ASP.NET Core IAuthenticationService APIs (or the equivalents in IAuthenticationManager for OWIN) directly using the provider name instead of having to specify it as an authentication property:
app.MapGet("redirect-to-github", () => Results.Challenge(properties: null, authenticationSchemes: new[] { Providers.GitHub }));
  • Client registrations with a non-null OpenIddictClientRegistration.ProviderDisplayName attached - which is the case for all the built-in web providers by default - will now be returned by ASP.NET Core Identity's SignInManager.GetExternalAuthenticationSchemesAsync() API and will automatically appear in the "external providers" list that is part of the default Identity UI.

  • If necessary, this new authentication scheme forwarding feature can be disabled in the ASP.NET Core or OWIN options using the dedicated methods:
services.AddOpenIddict()
    .AddClient(options =>
    {
        options.UseAspNetCore()
               .DisableAutomaticAuthenticationSchemeForwarding();
    });
services.AddOpenIddict()
    .AddClient(options =>
    {
        options.UseOwin()
               .DisableAutomaticAuthenticationTypeForwarding();
    });
  • To unify the claim types returned by standard OpenID Connect servers and custom OAuth 2.0 implementations, a native claims mapping feature was added to the OpenIddict client: standard and non-standard claims are mapped to their ClaimTypes.Name, ClaimTypes.NameIdentifier and ClaimTypes.Email equivalents, which improves compatibility with libraries like ASP.NET Core Identity that rely on hardcoded ClaimTypes/WS-Federation claim types. Note that, unlike the Microsoft/aspnet-contrib handlers, the original claim types are not removed from the final principal, so both the mapped and the provider-specific claims are present. This feature is enabled by default and can be disabled manually if necessary:
services.AddOpenIddict()
    .AddClient(options =>
    {
        options.DisableWebServicesFederationClaimsMapping();
    });
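The two features above - challenging a provider by name through scheme forwarding, and consuming the WS-Federation-mapped claims in the callback - put together in a minimal ASP.NET Core program. This is an added example, not code from the release notes or from the OpenIddict repository. It assumes the OpenIddict.Client.AspNetCore, OpenIddict.Client.WebIntegration and OpenIddict.Client.SystemNetHttp packages, a GitHub OAuth app whose client id and secret live under the GitHub:ClientId / GitHub:ClientSecret configuration keys, and the route names shown; all of those are assumptions, not project defaults.

```csharp
// Added example (not part of the release notes or the OpenIddict project):
// challenge GitHub by provider name (4.7 scheme forwarding) and sign the user
// into a cookie using the claims produced by the built-in claims mapping.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using OpenIddict.Client.AspNetCore;
using static OpenIddict.Abstractions.OpenIddictConstants;
using static OpenIddict.Client.WebIntegration.OpenIddictClientWebIntegrationConstants;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.LoginPath = "/login/github";
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    });

builder.Services.AddOpenIddict()
    .AddClient(options =>
    {
        options.AllowAuthorizationCodeFlow();

        // Development certificates are for local testing only; use real keys in production.
        options.AddDevelopmentEncryptionCertificate()
               .AddDevelopmentSigningCertificate();

        // Assumed callback path; it must match the redirect URI registered with GitHub.
        options.SetRedirectionEndpointUris("callback/login/github");

        options.UseAspNetCore()
               .EnableRedirectionEndpointPassthrough();

        options.UseSystemNetHttp();

        // Configuration keys are assumptions for this example.
        options.UseWebProviders()
               .AddGitHub(github =>
               {
                   github.SetClientId(builder.Configuration["GitHub:ClientId"]!)
                         .SetClientSecret(builder.Configuration["GitHub:ClientSecret"]!)
                         .SetRedirectUri("callback/login/github");
               });
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// New in 4.7: the provider name is itself an authentication scheme, so no
// AuthenticationProperties carrying the provider name are needed here.
app.MapGet("/login/github", () =>
    Results.Challenge(properties: null, authenticationSchemes: new[] { Providers.GitHub }));

app.MapGet("/callback/login/github", async (HttpContext context) =>
{
    var result = await context.AuthenticateAsync(OpenIddictClientAspNetCoreDefaults.AuthenticationScheme);
    if (result.Principal is not ClaimsPrincipal principal)
    {
        return Results.Unauthorized();
    }

    // Make sure this callback was actually produced by the provider the route expects.
    if (principal.FindFirst(Claims.Private.ProviderName)?.Value != Providers.GitHub)
    {
        return Results.Unauthorized();
    }

    // Because the original claims are kept, the principal carries both the mapped
    // ClaimTypes.* claims and GitHub's own claims. Copy only what the cookie needs
    // instead of forwarding every upstream claim into the local session.
    var subject = principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
    if (string.IsNullOrEmpty(subject))
    {
        return Results.Unauthorized();
    }

    var identity = new ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationScheme);
    identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, subject));
    if (principal.FindFirst(ClaimTypes.Name)?.Value is string name)
    {
        identity.AddClaim(new Claim(ClaimTypes.Name, name));
    }

    return Results.SignIn(new ClaimsPrincipal(identity),
        authenticationScheme: CookieAuthenticationDefaults.AuthenticationScheme);
});

app.Run();
```

The provider-name check in the callback matters because every registered provider shares the same redirection endpoint scheme; without it, a callback from a different provider configured in the same app would be accepted by a route that assumes GitHub identifiers.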
  • To match the logic used by the Microsoft ASP.NET Core OIDC handler, the expiration dates of the backchannel and frontchannel access tokens (when available) are now stored as special properties in AuthenticationProperties.

  • 3 new providers have been added to OpenIddict.Client.WebIntegration:

    • Nextcloud (thanks @EMostafaAli! ❤️)
    • SubscribeStar
    • Tumblr
  • The Shopify provider now allows setting a static shop name that will be used if no shop name is attached to the challenge properties, which is useful for scenarios where only one shop is used and the name doesn't need to be set dynamically (e.g. employee authentication).

options.UseWebProviders()
    .AddShopify(options =>
    {
        // ...

        options.SetShopName("shopname");
    });
  • The ADFS provider no longer uses the userinfo endpoint to avoid errors happening when a non-default resource is configured.

  • An issue preventing user-defined parameters attached to AuthenticationProperties.Parameters (or ProcessChallengeContext.Parameters by a custom event handler) from being correctly added to sign-out requests has been identified and fixed (thanks @stasnocap!).

  • Behavior breaking change: the userinfo claims returned by the Patreon and Streamlabs providers are no longer flattened. Users of these providers are invited to update their callback action to ensure the claims are correctly extracted.

Known issues:

  • OpenIddict 4.7.0 references MongoDB 2.20 on .NET 6 and .NET 7. Unfortunately, an unresolved bug affecting IQueryable<T> support in the new MongoDB LINQ v3 provider may prevent certain APIs like IOpenIddictMongoDb*Store.GetAsync() or IOpenIddictMongoDb*Store.ListAsync() from working correctly. While OpenIddict itself doesn't use these APIs, applications that require them can manually downgrade the MongoDB LINQ v3 provider version used for the OpenIddict database (thanks @Nfactor26! ❤️):
using MongoDB.Driver;
using MongoDB.Driver.Linq;

services.AddOpenIddict()
    .AddCore(options =>
    {
        // Force the legacy LINQ v2 provider for the client used by the OpenIddict stores.
        // Replace the placeholder connection string with the real one; without an explicit
        // connection string MongoClientSettings silently targets localhost:27017.
        var settings = MongoClientSettings.FromConnectionString("mongodb://localhost:27017");
        settings.LinqProvider = LinqProvider.V2;

        options.UseMongoDb()
               .UseDatabase(new MongoClient(settings).GetDatabase("openiddict"));
    });
