This release introduces the following changes:
- Native support for interactive sign-out was added to the `OpenIddict.Client.SystemIntegration` package. To support this new feature, a new `SignOutInteractivelyAsync()` API (similar to the existing `ChallengeInteractivelyAsync()` API used to start a new authentication flow) has been added to `OpenIddictClientService`:

  ```csharp
  // Ask OpenIddict to initiate the logout flow (typically, by starting the system browser).
  var result = await _service.SignOutInteractivelyAsync(new()
  {
      CancellationToken = stoppingToken,
      ProviderName = provider
  });
  ```
- The client stack now natively supports OAuth 2.0 introspection, which allows querying the authorization server to determine the set of metadata for a given token - typically an access or refresh token - and, depending on the server policy, retrieve its actual content:

  ```csharp
  var result = await _service.IntrospectTokenAsync(new()
  {
      CancellationToken = stoppingToken,
      ProviderName = provider,
      Token = response.BackchannelAccessToken,
      TokenTypeHint = TokenTypeHints.AccessToken
  });
  ```

  Important

  As part of this change, the introspection implementation of the validation stack was reworked to be consistent with its new client counterpart. Most notably, the `ValidateToken` event is no longer invoked for introspected tokens (a change that had been introduced in OpenIddict 5.0): developers who want to apply custom logic to introspected tokens/principals are invited to use the `ProcessAuthentication` event instead.
- Support for OAuth 2.0 revocation was also added to the client stack to allow revoking an access or refresh token (and, depending on the server policy, the associated authorization grant):

  ```csharp
  var result = await _service.RevokeTokenAsync(new()
  {
      CancellationToken = stoppingToken,
      ProviderName = provider,
      Token = response.BackchannelAccessToken,
      TokenTypeHint = TokenTypeHints.AccessToken
  });
  ```

  Note

  The Apple, DeviantArt, Discord, Reddit, Trakt and Zoom web providers have been updated to support token revocation.
- On .NET 8.0 and higher, the `OpenIddict.Client.SystemNetHttp` and `OpenIddict.Validation.SystemNetHttp` packages now natively support `Microsoft.Extensions.Http.Resilience` and use a `ResiliencePipeline<HttpResponseMessage>` by default (unless an `IAsyncPolicy<HttpResponseMessage>` was explicitly configured by the user).

  Tip

  If necessary, the default resilience pipeline can be easily overridden using the `SetHttpResiliencePipeline()` API:

  ```csharp
  options.UseSystemNetHttp(options => options.SetHttpResiliencePipeline(options =>
  {
      options.AddRetry(new HttpRetryStrategyOptions
      {
          BackoffType = DelayBackoffType.Exponential,
          Delay = TimeSpan.FromSeconds(1),
          MaxRetryAttempts = 2
      });

      options.AddCircuitBreaker(new HttpCircuitBreakerStrategyOptions
      {
          BreakDuration = TimeSpan.FromSeconds(10),
          FailureRatio = 0.9,
          MinimumThroughput = 5,
          SamplingDuration = TimeSpan.FromSeconds(5)
      });
  }));
  ```
- 10 new web providers have been added to the `OpenIddict.Client.WebIntegration` package:
  - Bitly
  - Box
  - Dailymotion
  - Disqus
  - DocuSign
  - Mastodon
  - Meetup
  - MusicBrainz
  - OpenStreetMap
  - Tidal
- The Spotify provider was updated to use PKCE (OAuth 2.0 Proof Key for Code Exchange).
- UWP support in `OpenIddict.Client.SystemIntegration` is now provided via a dedicated `uap10.0.17763` TFM.

  Important

  As part of this change, the `netstandard2.0` and `netstandard2.1` versions of `OpenIddict.Client.SystemIntegration` have been updated to stop using the Windows Runtime APIs (internally used to launch the system browser, integrate with the web authentication broker or handle protocol activations).

  The `net461`, `net472`, `net48`, `net6.0-windows10.0.17763`, `net7.0-windows10.0.17763` or `net8.0-windows10.0.17763` versions of `OpenIddict.Client.SystemIntegration` still use these APIs internally - with runtime checks in place to ensure older platforms are still supported - so non-UWP Windows applications should behave the same way as in previous versions.
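
The introspection support described above returns token metadata whose members are defined by RFC 7662. As an added example (not OpenIddict code and not part of the original release notes), the following C# program applies a strict acceptance policy to a raw introspection response; the `IsUsable` and `Values` helpers, the audience and scope names and the sample JSON are constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Text.Json;

// Constructed sample responses (not captured from a real server).
var samples = new[]
{
    "{\"active\":true,\"scope\":\"api.read api.write\",\"aud\":[\"resource_server_1\"],\"exp\":4102444800}",
    "{\"active\":true,\"scope\":\"api.read\",\"aud\":\"another_api\",\"exp\":4102444800}",
    "{\"active\":false}"
};

foreach (var json in samples)
{
    var accepted = IsUsable(json, "resource_server_1", "api.read", out var reason);
    Console.WriteLine($"{(accepted ? "ACCEPT" : "REJECT")}: {reason}");
}

// Hypothetical helper: applies a strict acceptance policy to a raw introspection response.
static bool IsUsable(string json, string audience, string scope, out string reason)
{
    using var document = JsonDocument.Parse(json);
    var root = document.RootElement;

    // "active" is the only required member: anything other than a JSON true means "reject".
    if (!root.TryGetProperty("active", out var active) || active.ValueKind is not JsonValueKind.True)
    { reason = "token is not active"; return false; }

    // Defence in depth: re-check the expiration locally when the server returns "exp".
    if (root.TryGetProperty("exp", out var exp) && exp.ValueKind is JsonValueKind.Number &&
        exp.TryGetInt64(out var seconds) && DateTimeOffset.FromUnixTimeSeconds(seconds) <= DateTimeOffset.UtcNow)
    { reason = "token is expired"; return false; }

    // "aud" may be a single string or an array of strings; a missing audience is rejected here.
    if (!Values(root, "aud").Contains(audience)) { reason = "audience mismatch"; return false; }

    // "scope" is a single space-delimited string.
    if (!Values(root, "scope").SelectMany(value => value.Split(' ')).Contains(scope))
    { reason = "required scope missing"; return false; }
    reason = "ok"; return true;
}

// Returns the string value(s) of a member that may be a string or an array of strings.
static string[] Values(JsonElement root, string name) =>
    !root.TryGetProperty(name, out var element) ? Array.Empty<string>()
    : element.ValueKind is JsonValueKind.String ? new[] { element.GetString()! }
    : element.ValueKind is JsonValueKind.Array ? element.EnumerateArray()
        .Where(item => item.ValueKind is JsonValueKind.String).Select(item => item.GetString()!).ToArray()
    : Array.Empty<string>();
```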