github openiddict/openiddict-core 7.5.0

8 hours ago

Caution

Earlier today, the ASP.NET team released an out-of-band 10.0.7 update to fix a critical vulnerability in the ASP.NET Core Data Protection library used by OpenIddict and multiple components in ASP.NET Core itself (including the cookie authentication handler). For more information about the CVE-2026-40372 vulnerability and to determine whether your application is affected, read dotnet/announcements#395 and https://devblogs.microsoft.com/dotnet/dotnet-10-0-7-oob-security-update/. Additional information can also be found in dotnet/aspnetcore#66335.

If your application is affected by the CVE-2026-40372 vulnerability, immediate action is strongly advised: not updating impacted applications will leave them vulnerable to chosen-ciphertext and padding oracle attacks, making elevation of privilege attacks possible.

Recommended actions:

  • If possible, review your application/web server/reverse proxy logs to determine whether the security flaw was actively used by malicious actors to leak sensitive cryptographic material or to manipulate legitimate authentication cookies/tokens by changing specific bits in the ciphertext.

  • Apply the recommendations listed in dotnet/announcements#395 by revoking all the existing ASP.NET Core Data Protection master keys (e.g. using the IKeyManager.RevokeAllKeys() API): doing so will ensure secrets protected before migrating to the fixed Microsoft.AspNetCore.DataProtection version - including authentication cookies produced by the ASP.NET Core cookie authentication handler (and ASP.NET Core Data Protection tokens generated by OpenIddict if the JWT format was opted out) - will be immediately rejected when trying to unprotect them.

  • Even if you're not using ASP.NET Core Data Protection as the token format for any type of token in OpenIddict, revoke all the existing OpenIddict tokens using the IOpenIddictTokenManager.RevokeAsync() API to force client applications to acquire new sets of tokens for all their users: doing so will ensure refresh tokens generated by the OpenIddict server will be rejected when trying to redeem them. While this will force users to re-execute an authorization flow and re-authenticate, this step is essential to ensure tokens generated from ClaimsPrincipal instances whose claims were directly copied or indirectly inferred from ambient user identities (typically persisted in authentication cookies protected by ASP.NET Core Data Protection) will be rejected when trying to redeem them.

await using (var scope = app.Services.CreateAsyncScope())
{
    // Revoke all the existing tokens, independently of their current status or type.
    //
    // Note: on EF Core 8.0+ and MongoDB, the process should be very efficient as batch
    // updates are used by default to change the status of the tokens in the database.
    var manager = scope.ServiceProvider.GetRequiredService<IOpenIddictTokenManager>();
    await manager.RevokeAsync(subject: null, client: null, status: null, type: null);
}
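The first recommended action above (IKeyManager.RevokeAllKeys()) carried through in a self-contained console program, as an added example that is not part of the OpenIddict release notes. It assumes a project referencing Microsoft.AspNetCore.DataProtection 10.0.7+ and Microsoft.Extensions.DependencyInjection, and it persists keys to a throw-away temp directory instead of an application's real key store; in an ASP.NET Core app the same IKeyManager call is made against app.Services.

```csharp
// Added example (not OpenIddict's code): revoke every Data Protection master key and verify
// that a payload protected before the revocation is rejected afterwards, while new payloads
// still round-trip with the freshly generated key. Assumptions: Microsoft.AspNetCore.DataProtection
// 10.0.7+ and Microsoft.Extensions.DependencyInjection are referenced; keys live in a temp directory.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

var keyDirectory = Directory.CreateTempSubdirectory("dp-revocation-demo");
try
{
    var services = new ServiceCollection();
    services.AddDataProtection()
        .SetApplicationName("revocation-demo")
        .PersistKeysToFileSystem(keyDirectory);
    using var provider = services.BuildServiceProvider();

    // Same kind of purpose string an application would use for a cookie or a token.
    var protector = provider.GetRequiredService<IDataProtectionProvider>()
        .CreateProtector("CVE-2026-40372-demo");

    // 1. Protect a value with the pre-revocation key ring (stands in for an old cookie/token).
    var legacyPayload = protector.Protect("user=alice;role=admin");
    Console.WriteLine($"Before revocation: {protector.Unprotect(legacyPayload)}");

    // 2. Revoke every key created before now. The key manager invalidates the cached key ring,
    //    so the next operation refreshes it and a brand-new default key is generated.
    var keyManager = provider.GetRequiredService<IKeyManager>();
    keyManager.RevokeAllKeys(DateTimeOffset.UtcNow, reason: "CVE-2026-40372 mitigation");

    // 3. New payloads keep working because they are produced with the newly generated key.
    var freshPayload = protector.Protect("user=alice;role=admin");
    Console.WriteLine($"After revocation (new key): {protector.Unprotect(freshPayload)}");

    // 4. Anything protected with a revoked key is now rejected with a CryptographicException,
    //    which is exactly what happens to pre-update cookies and Data Protection tokens.
    try
    {
        protector.Unprotect(legacyPayload);
        Console.WriteLine("UNEXPECTED: legacy payload still accepted");
    }
    catch (CryptographicException ex)
    {
        Console.WriteLine($"Legacy payload rejected as expected: {ex.Message}");
    }
}
finally
{
    keyDirectory.Delete(recursive: true);
}
```

Run it once before and once after deploying the fixed package to confirm that the revocation takes effect in your own key store configuration (file system, Azure Blob, database, etc.).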

This release introduces the following changes:

  • The ClaimTypes.NameIdentifier, ClaimTypes.Name and ClaimTypes.Email WS-Federation claims manually added to ProcessAuthenticationContext.MergedPrincipal are now preserved instead of being overwritten by OpenIddict when mapping OpenID Connect/non-standard claims to their WS-Federation equivalent (thanks @ax0l0tl! ❤️)

  • The net8.0, net9.0 and net10.0 versions of the OpenIddict.Client.DataProtection, OpenIddict.Server.DataProtection and OpenIddict.Validation.DataProtection packages now reference the Microsoft.AspNetCore.DataProtection package instead of the Microsoft.AspNetCore.App framework.

  • Configuration delegates registered by the web provider integrations now run earlier to ensure invalid options are caught without waiting for IOptionsMonitor<OpenIddictClientOptions>.CurrentValue to be called.

  • All the .NET and third-party dependencies have been updated to their latest version.

Note

The ASP.NET team recently announced that ASP.NET Core 2.3 will no longer be supported after April 2027, which will result in important TFM and dependency changes in the next version of OpenIddict. Developers using the OpenIddict packages in .NET Framework applications or in .NET Standard libraries are invited to read these threads and evaluate whether their applications may be affected by these changes:
