This release introduces the following changes:
- The core, client, server and validation stacks now use `System.TimeProvider` on .NET 8.0+ (thanks @trejjam! ❤️).
- While manually setting `OpenIddictClientRegistration.CodeChallengeMethods`, `OpenIddictClientRegistration.GrantTypes`, `OpenIddictClientRegistration.ResponseModes` or `OpenIddictClientRegistration.ResponseTypes` is not necessary or recommended in most cases (as OpenIddict automatically negotiates the best values), specific scenarios sometimes require restricting the allowed values. To make that easier, new (advanced) APIs were added to the web provider builders:
  ```csharp
  options.UseWebProviders()
         .AddMicrosoft(options =>
         {
             // ...
             options.AddCodeChallengeMethods(CodeChallengeMethods.Sha256)
                    .AddGrantTypes(GrantTypes.AuthorizationCode, GrantTypes.Implicit)
                    .AddResponseModes(ResponseModes.FormPost)
                    .AddResponseTypes(ResponseTypes.Code + ' ' + ResponseTypes.IdToken);
         });
  ```
- The OpenIddict validation ASP.NET Core and OWIN hosts now allow tweaking how access tokens are extracted:
  ```csharp
  options.UseAspNetCore()
         .DisableAccessTokenExtractionFromAuthorizationHeader()
         .DisableAccessTokenExtractionFromBodyForm()
         .DisableAccessTokenExtractionFromQueryString();
  ```

  ```csharp
  options.UseOwin()
         .DisableAccessTokenExtractionFromAuthorizationHeader()
         .DisableAccessTokenExtractionFromBodyForm()
         .DisableAccessTokenExtractionFromQueryString();
  ```
- Behavior change: the claim value type validation logic was fixed to support `JSON_ARRAY` claims. As part of this change, the `ClaimsIdentity.GetClaims()`/`ClaimsPrincipal.GetClaims()` extensions have been updated to support `JSON_ARRAY` claims and return all the values contained in the array.
- A bug preventing the OpenIddict client from using the OpenID Connect implicit flow was fixed.
- The Clever provider was updated to not require a backchannel identity token (thanks @anarian! ❤️).
- The Auth0 and Microsoft Account/Entra ID providers were fixed to list `implicit` as a supported grant type.
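
The access token extraction switches listed above, placed in a complete ASP.NET Core resource API so that only the `Authorization` header is accepted. This is an added example, not code from the OpenIddict release notes or project; the issuer URL, the audience name and the `/orders` route are placeholder assumptions.

```csharp
// Added example: resource API that accepts access tokens from the Authorization header only.
// Assumptions (not from the release notes): issuer URL, audience name and the /orders route.
using System.Security.Claims;
using OpenIddict.Validation.AspNetCore;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddOpenIddict()
    .AddValidation(options =>
    {
        // Placeholder issuer: the validation stack retrieves the server
        // configuration and signing keys from its discovery document.
        options.SetIssuer("https://auth.example.com/");
        options.AddAudiences("orders_api"); // placeholder audience

        // HTTP client integration used to contact the issuer.
        options.UseSystemNetHttp();

        // Leave header extraction enabled and switch off the two other locations.
        // A token sent as a query string parameter or as a form field is then not
        // picked up, so such a request is handled as unauthenticated. URLs tend to
        // be recorded in server and proxy logs, which is the usual reason to refuse
        // tokens carried in the query string.
        options.UseAspNetCore()
               .DisableAccessTokenExtractionFromBodyForm()
               .DisableAccessTokenExtractionFromQueryString();
    });

builder.Services
    .AddAuthentication(OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme);
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Protected endpoint: reachable only with a valid token in the Authorization header.
app.MapGet("/orders", (ClaimsPrincipal user) =>
        Results.Ok(new { subject = user.FindFirst("sub")?.Value }))
   .RequireAuthorization();

app.Run();
```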