github openiddict/openiddict-core 6.0.0-preview1

pre-releaseone month ago

This release introduces the following changes:

  • OpenIddict 6.0 preview 1 now targets .NET 9.0 and references the .NET 9.0 RC1 packages on .NET 9.0 and higher.

  • The .NET 7.0 and .NET Framework 4.6.1 TFMs have been removed as these versions are no longer supported by Microsoft.

Important

While most OpenIddict 6.0 packages can still be used on these versions thanks to their .NET Standard 2.0 or 2.1 TFMs, doing that is strongly discouraged and users are instead encouraged to migrate to .NET 8.0 and .NET Framework 4.6.2 (or higher).

  • Some of the server endpoints have been renamed in OpenIddict 6.0 to be more specific or more closely match the official names, which should reduce ambiguities and make migrating from other OAuth 2.0/OIDC stacks to OpenIddict easier:
    • Cryptography endpoint -> JSON Web Key Set endpoint.
    • Device endpoint -> Device authorization endpoint.
    • Logout endpoint -> End-session endpoint.
    • Userinfo endpoint -> UserInfo endpoint.
    • Verification endpoint -> End-user verification endpoint.

Note

All the constants, builder methods, events and event handlers used by the OpenIddict client, core, server and validation stacks have been entirely updated to use the new names.

In most cases, reacting to this breaking change should be limited to just changing a few lines in your Startup file:

OpenIddict 5.x OpenIddict 6.x
options.SetCryptographyEndpointUris() options.SetJsonWebKeySetEndpointUris()
options.SetDeviceEndpointUris() options.SetDeviceAuthorizationEndpointUris()
options.SetLogoutEndpointUris() options.SetEndSessionEndpointUris()
options.SetUserinfoEndpointUris() options.SetUserInfoEndpointUris()
options.SetVerificationEndpointUris() options.SetEndUserVerificationEndpointUris()
OpenIddict 5.x OpenIddict 6.x
OpenIddictConstants.Permissions.Endpoints.Device OpenIddictConstants.Permissions.Endpoints.DeviceAuthorization
OpenIddictConstants.Permissions.Endpoints.Logout OpenIddictConstants.Permissions.Endpoints.EndSession

Tip

While not mandatory (as the permissions containing the old endpoint names are still fully functional in 6.x for backward compatibility), you can also update your applications table/database to use the new constant values (i.e ept:device_authorization and ept:end_session instead of ept:device and ept:logout).

  • A whole new client authentication method negotiation logic was introduced in the OpenIddict client. As part of this change, complete support for mTLS in the client stack was also added to allow integrating with identity providers that require using tls_client_auth or self_signed_tls_client_auth.

Note

If your X.509 client certificate - self-issued or not - includes the recommended "client authentication" extended key usage, you can directly attach it to OpenIddictClientRegistration.SigningCredentials: in this case, it will be automatically used by OpenIddict if the remote server supports tls_client_auth or self_signed_tls_client_auth. If it doesn't, OpenIddict will automatically use the private key it contains to build a client assertion if the server supports private_key_jwt.

options.AddRegistration(new OpenIddictClientRegistration
{
    // ...

    SigningCredentials =
    {
        new X509SigningCredentials(certificate)
    }
});

If your client certificate doesn't include the "client authentication" extended key usage, OpenIddict won't automatically use it for mTLS-based authentication. In this case, you'll need to use the OpenIddictClientSystemNetHttpBuilder.SetSelfSignedTlsClientAuthenticationCertificateSelector() or OpenIddictClientSystemNetHttpBuilder.SetTlsClientAuthenticationCertificateSelector() APIs to register a custom certificate selector.

Tip

Web providers known to support mTLS - like Keycloak, that supports tls_client_auth but not self_signed_tls_client_auth - or client assertions now offer options.SetSigningCertificate() and/or options.SetSigningKey() APIs that can be used to easily register a certificate/key:

options.UseWebProviders()
       .AddKeycloak(options =>
       {
           options.SetClientId("client_id")
                  .SetSigningCertificate(certificate)
                  .SetRedirectUri("callback/login/keycloak");
       });
  • For consistency, mTLS support was also added to the validation stack for introspection requests sent to a server implementation that offers mTLS support.

  • New RevokeByApplicationIdAsync()/RevokeBySubjectAsync() APIs modeled after the existing RevokeByAuthorizationIdAsync() API have been added to the authorization/token managers/stores to allow revoking authorizations and tokens based on a given application identifier or user identifier more efficiently.

  • The OpenIddict server now fully supports the Initiating User Registration via OpenID Connect specification: it will now validate the prompt parameter to ensure the value is supported and return the supported values in the server configuration document using the new standard prompt_values_supported node. See #2197 for more information.

Note

As part of this change, the OpenIddictConstants.Prompts class was renamed to OpenIddictConstants.PromptValues to match the name used in this specification.

Don't miss a new openiddict-core release

NewReleases is sending notifications on new releases.