This release introduces the following changes:
-
OpenIddict 6.0 preview 1 now targets .NET 9.0 and references the .NET 9.0 RC1 packages on .NET 9.0 and higher.
-
The .NET 7.0 and .NET Framework 4.6.1 TFMs have been removed as these versions are no longer supported by Microsoft.
Important
While most OpenIddict 6.0 packages can still be used on these versions thanks to their .NET Standard 2.0 or 2.1 TFMs, doing that is strongly discouraged and users are instead encouraged to migrate to .NET 8.0 and .NET Framework 4.6.2 (or higher).
- Some of the server endpoints have been renamed in OpenIddict 6.0 to be more specific or more closely match the official names, which should reduce ambiguities and make migrating from other OAuth 2.0/OIDC stacks to OpenIddict easier:
Cryptography endpoint
->JSON Web Key Set endpoint
.Device endpoint
->Device authorization endpoint
.Logout endpoint
->End-session endpoint
.Userinfo endpoint
->UserInfo endpoint
.Verification endpoint
->End-user verification endpoint
.
Note
All the constants, builder methods, events and event handlers used by the OpenIddict client, core, server and validation stacks have been entirely updated to use the new names.
In most cases, reacting to this breaking change should be limited to just changing a few lines in your Startup
file:
OpenIddict 5.x | OpenIddict 6.x |
---|---|
options.SetCryptographyEndpointUris()
| options.SetJsonWebKeySetEndpointUris()
|
options.SetDeviceEndpointUris()
| options.SetDeviceAuthorizationEndpointUris()
|
options.SetLogoutEndpointUris()
| options.SetEndSessionEndpointUris()
|
options.SetUserinfoEndpointUris()
| options.SetUserInfoEndpointUris()
|
options.SetVerificationEndpointUris()
| options.SetEndUserVerificationEndpointUris()
|
OpenIddict 5.x | OpenIddict 6.x |
---|---|
OpenIddictConstants.Permissions.Endpoints.Device
| OpenIddictConstants.Permissions.Endpoints.DeviceAuthorization
|
OpenIddictConstants.Permissions.Endpoints.Logout
| OpenIddictConstants.Permissions.Endpoints.EndSession
|
Tip
While not mandatory (as the permissions containing the old endpoint names are still fully functional in 6.x for backward compatibility), you can also update your applications table/database to use the new constant values (i.e ept:device_authorization
and ept:end_session
instead of ept:device
and ept:logout
).
- A whole new client authentication method negotiation logic was introduced in the OpenIddict client. As part of this change, complete support for mTLS in the client stack was also added to allow integrating with identity providers that require using
tls_client_auth
orself_signed_tls_client_auth
.
Note
If your X.509 client certificate - self-issued or not - includes the recommended "client authentication" extended key usage, you can directly attach it to OpenIddictClientRegistration.SigningCredentials
: in this case, it will be automatically used by OpenIddict if the remote server supports tls_client_auth
or self_signed_tls_client_auth
. If it doesn't, OpenIddict will automatically use the private key it contains to build a client assertion if the server supports private_key_jwt
.
options.AddRegistration(new OpenIddictClientRegistration
{
// ...
SigningCredentials =
{
new X509SigningCredentials(certificate)
}
});
If your client certificate doesn't include the "client authentication" extended key usage, OpenIddict won't automatically use it for mTLS-based authentication. In this case, you'll need to use the OpenIddictClientSystemNetHttpBuilder.SetSelfSignedTlsClientAuthenticationCertificateSelector()
or OpenIddictClientSystemNetHttpBuilder.SetTlsClientAuthenticationCertificateSelector()
APIs to register a custom certificate selector.
Tip
Web providers known to support mTLS - like Keycloak, that supports tls_client_auth
but not self_signed_tls_client_auth
- or client assertions now offer options.SetSigningCertificate()
and/or options.SetSigningKey()
APIs that can be used to easily register a certificate/key:
options.UseWebProviders()
.AddKeycloak(options =>
{
options.SetClientId("client_id")
.SetSigningCertificate(certificate)
.SetRedirectUri("callback/login/keycloak");
});
-
For consistency, mTLS support was also added to the validation stack for introspection requests sent to a server implementation that offers mTLS support.
-
New
RevokeByApplicationIdAsync()
/RevokeBySubjectAsync()
APIs modeled after the existingRevokeByAuthorizationIdAsync()
API have been added to the authorization/token managers/stores to allow revoking authorizations and tokens based on a given application identifier or user identifier more efficiently. -
The OpenIddict server now fully supports the Initiating User Registration via OpenID Connect specification: it will now validate the
prompt
parameter to ensure the value is supported and return the supported values in the server configuration document using the new standardprompt_values_supported
node. See #2197 for more information.
Note
As part of this change, the OpenIddictConstants.Prompts
class was renamed to OpenIddictConstants.PromptValues
to match the name used in this specification.