openiddict/openiddict-core 6.1.0

on GitHub

This release introduces the following changes:

• Native support for OAuth 2.0 Pushed Authorization Requests (aka PAR) has been implemented in both the OpenIddict client and server stacks. PAR increases the security level of user-interactive grants - like the code flow - by sending the actual authorization request parameters via backchannel communication before redirecting the user agent to the regular authorization endpoint with a unique and random request_uri attached. PAR has recently gained traction and is now supported by some OAuth 2.0 services and libraries (including Keycloak and Microsoft's ASP.NET Core OpenID Connect handler starting in .NET 9.0).

• As part of the PAR introduction, the authorization and end session request caching feature has been completely revamped to use the same code path as pushed authorization requests and the OpenIddict-specific request_id parameter has been replaced by request_uri. While cached requests were persisted using IDistributedCache in previous versions, they are now stored in request tokens and persisted in OpenIddict's tokens table with the other tokens.

• GitCode, VK ID and Yandex are now supported by the OpenIddict.Client.WebIntegration package (thanks @gehongyan and @t1moH1ch! ❤️).

• The InteractiveChallengeRequest and InteractiveSignOutRequest models have been updated to allow easily attaching an identity token or login hint to authorization and end session requests.

• The OpenIddict*AuthorizationStore.PruneAsync() implementations were updated to always exclude permanent authorizations that still have tokens attached, which should reduce risks of seeing SQL exceptions when one of the pruned authorizations still has children entities attached.

• An issue affecting the OpenIddictEntityFrameworkCoreAuthorizationStore.FindByApplicationIdAsync() API was identified and fixed (thanks @simon-wacker! ❤️)