This release introduces the following changes:

- Behavior change: the `ClaimsIdentity.GetClaim()`/`ClaimsPrincipal.GetClaim()` extension now throws an `InvalidOperationException` when multiple claims of the same type are found in the identity/principal (instead of returning the first value and silently ignoring the other ones, as in previous versions). See #1957 for more information.

- Behavior change: the server stack now automatically aborts sign-in operations that specify a `ClaimsPrincipal` containing a well-known claim with an invalid cardinality or an incorrect value type attached (e.g. multiple `sub` claims, or a `sub` claim created with `ClaimValueTypes.Integer` instead of `ClaimValueTypes.String`). See #1956 for more information.

- Client assertions that don't specify an optional `iat` claim are no longer rejected by the server stack.

- A new `OpenIddictClientService.GetClientRegistrationsAsync()` API was introduced to allow resolving the client registrations dynamically, which can be used in non-ASP.NET Core/OWIN applications (e.g. console or desktop applications) to easily list the supported web providers:

  ```csharp
  // Let the user pick one of the registered web providers (Spectre.Console selection prompt).
  var provider = AnsiConsole.Prompt(new SelectionPrompt<OpenIddictClientRegistration>()
      .Title("Select the authentication provider you'd like to log in with.")
      .AddChoices(from registration in await _service.GetClientRegistrationsAsync(stoppingToken)
                  where !string.IsNullOrEmpty(registration.ProviderName)
                  where !string.IsNullOrEmpty(registration.ProviderDisplayName)
                  select registration)
      .UseConverter(registration => registration.ProviderDisplayName!)).ProviderName!;
  ```

- A new `DisableUserinfo` property was added to `RefreshTokenAuthenticationRequest` to allow disabling userinfo for specific refresh token requests (e.g. when using refresh tokens with the client credentials grant).

- The client and server stacks have been updated to automatically restore the authentication properties initially set by the application (via `ProcessChallengeContext.Properties` or `ProcessSignOutContext.Properties`) and attach them to the authentication context (`ProcessAuthenticationContext.Properties`). This scenario was already supported by the ASP.NET Core and OWIN hosts, but is now supported for all integrations, including `OpenIddict.Client.SystemIntegration` and `OpenIddict.Client.WebIntegration`:

  ```csharp
  // Ask OpenIddict to initiate the authentication flow (typically, by starting the system browser).
  var result = await _service.ChallengeInteractivelyAsync(new()
  {
      CancellationToken = stoppingToken,
      ProviderName = provider,
      Properties = new()
      {
          ["custom_property"] = "value"
      }
  });

  // Wait for the user to complete the authorization process.
  var response = await _service.AuthenticateInteractivelyAsync(new()
  {
      CancellationToken = stoppingToken,
      Nonce = result.Nonce
  });

  // The properties set during the challenge are restored on the authentication response.
  var property = response.Properties["custom_property"];
  ```

- The following providers have been added to the `OpenIddict.Client.WebIntegration` package:
  - Okta
  - Orange France
  - World ID (by Worldcoin)

- The Twitter integration now automatically maps the `name` userinfo claim to its `ClaimTypes.Name` equivalent.

- The `Microsoft.IdentityModel.*` packages have been updated to 7.2.0 to address a security issue. See GHSA-8g9c-28fc-mcx2 for more information.

- References to Azure Active Directory in the code documentation have been replaced by "Microsoft Entra ID" to match the new name of the service (see https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/azure-ad-is-becoming-microsoft-entra-id/ba-p/2520436 for more information).
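The two behavior changes at the top of this list (`GetClaim()` throwing on duplicate claims, and the server aborting sign-ins whose principal carries a `sub` claim with the wrong cardinality or value type) can be caught before `SignIn()` is ever called. The following is an added example, not OpenIddict's own code: `PrincipalChecks`, `EnsureSingleStringClaims` and the three constructed identities are hypothetical, while `Claims.Subject`, `SetClaim()` and `GetClaim()` come from `OpenIddict.Abstractions`.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using OpenIddict.Abstractions;
using static OpenIddict.Abstractions.OpenIddictConstants;

// Constructed identities covering the three cases (top-level statements, .NET 6+):
var duplicated = new ClaimsIdentity("Bearer");
duplicated.AddClaim(new Claim(Claims.Subject, "user-42"));
duplicated.AddClaim(new Claim(Claims.Subject, "user-99")); // second "sub" claim: invalid cardinality

var mistyped = new ClaimsIdentity("Bearer");
mistyped.AddClaim(new Claim(Claims.Subject, "42", ClaimValueTypes.Integer)); // wrong value type

var valid = new ClaimsIdentity("Bearer");
valid.SetClaim(Claims.Subject, "user-42"); // OpenIddict extension; produces a string-typed claim

foreach (var identity in new[] { duplicated, mistyped, valid })
{
    try
    {
        PrincipalChecks.EnsureSingleStringClaims(new ClaimsPrincipal(identity));
        // Safe to call now: since 4.10, GetClaim() would throw on the duplicated identity.
        Console.WriteLine($"OK: sub = {identity.GetClaim(Claims.Subject)}");
    }
    catch (InvalidOperationException exception)
    {
        Console.WriteLine($"Rejected: {exception.Message}");
    }
}

// Hypothetical helper (not part of OpenIddict): fail fast, before SignIn(), on the
// two conditions the server stack now rejects for well-known claims.
static class PrincipalChecks
{
    // Assumption: only "sub" is listed because it is the claim named in the release notes.
    static readonly string[] SingleStringClaims = { Claims.Subject };
    public static void EnsureSingleStringClaims(ClaimsPrincipal principal)
    {
        foreach (var type in SingleStringClaims)
        {
            var matches = principal.Claims.Where(claim => claim.Type == type).ToList();
            if (matches.Count > 1) // cardinality check
                throw new InvalidOperationException($"Claim '{type}' appears {matches.Count} times; at most one is allowed.");
            if (matches.Count == 1 && matches[0].ValueType != ClaimValueTypes.String) // value type check
                throw new InvalidOperationException($"Claim '{type}' has value type '{matches[0].ValueType}'; expected '{ClaimValueTypes.String}'.");
        }
    }
}
```

Running it rejects the first two identities with a descriptive message and prints `OK: sub = user-42` for the third, which is the same outcome the server stack now enforces, but surfaced in application code where it can be logged and fixed.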