This release introduces the following changes:
- Mutual TLS authentication is now fully supported by the server and validation stacks for both OAuth 2.0 client authentication and token binding (mTLS support in the client stack was introduced in OpenIddict 6.0). For more information on how to set up mTLS, read Mutual TLS authentication.
- Client secrets are still fully supported, but the XML documentation was updated to discourage using them when possible. Instead, developers are encouraged to use either assertion-based client authentication or mTLS-based client authentication, as both offer a higher security level than shared secrets.
- Client-side mTLS support was moved from `OpenIddict.Client.SystemNetHttp` to `OpenIddict.Client` and is now a first-class citizen. As part of this task, the existing `TlsClientAuthenticationCertificateSelector` and `SelfSignedTlsClientAuthenticationCertificateSelector` options present in `OpenIddictClientSystemNetHttpOptions` and `OpenIddictValidationSystemNetHttpOptions` have been marked as deprecated and are no longer used, as they didn't allow flowing certificates dynamically (which is required for mTLS token binding using certificates generated on the fly). Instead, developers who need to dynamically override the default TLS client certificate selection logic are now invited to create custom event handlers for the `ProcessAuthenticationContext` event and use the new `*EndpointClientCertificate` properties.
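The following is an added example (not OpenIddict's own code) of the event-handler approach the notes describe: an inline handler for `ProcessAuthenticationContext` that picks the TLS client certificate per registration instead of relying on the deprecated selector options. The property name `TokenEndpointClientCertificate` is assumed from the `*EndpointClientCertificate` pattern mentioned above, and the certificate lookup (`CertificateCatalog`) is a hypothetical application-side helper; the handler order value is likewise an assumption and must simply run before the built-in handler that sends the token request.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.DependencyInjection;
using OpenIddict.Client;
using static OpenIddict.Client.OpenIddictClientEvents;

public static class DynamicMtlsClientCertificates
{
    // Hypothetical per-registration certificate catalog: one ephemeral, self-signed
    // certificate per client registration, generated on first use. Ephemeral keys let
    // the certificate bound to the issued tokens be rotated without a CA round trip.
    private static readonly ConcurrentDictionary<string, X509Certificate2> CertificateCatalog = new();

    public static IServiceCollection AddDynamicMtlsClient(this IServiceCollection services)
    {
        services.AddOpenIddict()
            .AddClient(options =>
            {
                options.AddEventHandler<ProcessAuthenticationContext>(builder =>
                    builder.UseInlineHandler(context =>
                    {
                        // Fall back to the default selection when there is no registration to key on.
                        var registrationId = context.Registration?.RegistrationId;
                        if (string.IsNullOrEmpty(registrationId))
                        {
                            return default;
                        }

                        // Assumed property name: attach the certificate used for the token
                        // endpoint request so the resulting token is bound to it.
                        context.TokenEndpointClientCertificate =
                            CertificateCatalog.GetOrAdd(registrationId, CreateEphemeralCertificate);

                        return default;
                    })
                    // Assumed order: early enough to run before OpenIddict's built-in
                    // handlers that prepare and send the token request.
                    .SetOrder(int.MinValue + 100_000));
            });

        return services;
    }

    // Builds a self-signed certificate with a 4096-bit RSA key, valid for one day,
    // suitable only as an mTLS token-binding credential for this process lifetime.
    private static X509Certificate2 CreateEphemeralCertificate(string registrationId)
    {
        using var rsa = RSA.Create(4096);
        var request = new CertificateRequest(
            $"CN=openiddict-client-{registrationId}",
            rsa,
            HashAlgorithmName.SHA256,
            RSASignaturePadding.Pkcs1);

        request.CertificateExtensions.Add(
            new X509EnhancedKeyUsageExtension(
                new OidCollection { new Oid("1.3.6.1.5.5.7.3.2") }, // id-kp-clientAuth
                critical: true));

        var now = DateTimeOffset.UtcNow;
        return request.CreateSelfSigned(now.AddMinutes(-5), now.AddDays(1));
    }
}
```

Keeping the certificate selection in the event pipeline, rather than in the removed `*SystemNetHttpOptions` selectors, is what allows a freshly generated certificate to be flowed into the token request and bound to the returned token.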
- `OpenIddictClientService` now allows attaching custom token request parameters via `InteractiveAuthenticationRequest.AdditionalTokenRequestParameters`. As part of this change, handling of redirection and post-logout redirection requests by the `OpenIddict.Client.SystemIntegration` package has been improved: token and userinfo requests are no longer sent as part of the callback request itself but when `OpenIddictClientService.AuthenticateInteractivelyAsync()` is called by the application to finalize the authentication process.
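As an added example (not code from the OpenIddict project), here is how a desktop application using `OpenIddict.Client.SystemIntegration` would drive the two-step flow described above: start the interactive challenge, then call `AuthenticateInteractivelyAsync()` to send the token request with extra parameters attached. The type of `AdditionalTokenRequestParameters` is assumed to be a dictionary of `OpenIddictParameter`, the `audience` parameter is a sample value, and `DesktopSignIn` is a hypothetical application class.

```csharp
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using OpenIddict.Abstractions;
using OpenIddict.Client;

public sealed class DesktopSignIn
{
    private readonly OpenIddictClientService _service;

    public DesktopSignIn(OpenIddictClientService service) => _service = service;

    // Returns the authenticated subject and the access token obtained from the token endpoint.
    public async Task<(string? Subject, string? AccessToken)> SignInAsync(
        string providerName, CancellationToken cancellationToken)
    {
        // Step 1: open the system browser and wait for the user. No token request is
        // sent here; the result only carries the nonce identifying this attempt.
        var challenge = await _service.ChallengeInteractivelyAsync(new InteractiveChallengeRequest
        {
            ProviderName = providerName,
            CancellationToken = cancellationToken
        });

        // Step 2: finalize the flow. This is where the token (and userinfo) requests
        // are actually sent, so per-attempt token request parameters belong here.
        var result = await _service.AuthenticateInteractivelyAsync(new InteractiveAuthenticationRequest
        {
            Nonce = challenge.Nonce,
            CancellationToken = cancellationToken,

            // Assumed dictionary type; "audience" is a constructed sample parameter.
            AdditionalTokenRequestParameters = new Dictionary<string, OpenIddictParameter>
            {
                ["audience"] = "https://api.example.com"
            }
        });

        return (
            result.Principal.GetClaim(OpenIddictConstants.Claims.Subject),
            result.BackchannelAccessToken);
    }
}
```

Because the token request is only issued from `AuthenticateInteractivelyAsync()`, anything that must accompany it (an audience, a resource indicator, or a dynamically chosen client certificate as in the mTLS case) can be decided by the application after the browser callback has arrived.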
- OpenIddict now uses 4096-bit RSA keys for development certificates and ephemeral keys (see #2415 for more information).
- A new token validation check has been introduced in the client, server and validation stacks to detect when the payload associated with a reference token entry - stolen by a malicious actor from the server database - is directly used instead of the expected reference identifier.
- The osu! service is now supported by the `OpenIddict.Client.WebIntegration` package (thanks @gehongyan! ❤️).
- A dedicated `prompt` setting was added to the Google web provider (thanks @StellaAlexis! ❤️).
- An incorrect exception message reference was fixed (thanks @JarieTimmer! ❤️).
- The entire code base was updated to use polyfills when targeting older .NET/.NET Framework/.NET Standard targets.
- All the .NET and third-party dependencies have been updated to the latest versions.
Warning
Multiple reports indicate that Google is progressively applying a breaking change affecting the Google web provider offered by the OpenIddict.Client.WebIntegration package. For more information on the root cause and the recommended workaround, see #2428 and https://issuetracker.google.com/issues/479882107.