github openiddict/openiddict-core 8.0.0-preview.1
on GitHub

pre-release5 hours ago

This release introduces the following changes:

Important

With ASP.NET Core 2.3 and Entity Framework Core 2.3 support being removed, the ASP.NET Core and Entity Framework Core integration packages are now .NET-only in OpenIddict 8.x. Developers who were previously using the Entity Framework Core stores on .NET Framework are invited to explore other options (e.g Entity Framework 6.5.2, which is still fully supported in OpenIddict 8.x).

Note

Running OpenIddict on ASP.NET 4.8/ASP.NET MVC 5.3/ASP.NET Web API 5.3 is still fully supported and only requires targeting .NET Framework 4.8 instead of 4.6.2 or 4.7.2.

Important

Developers who need to run OpenIddict on both .NET (Core) and .NET Framework are invited to update their project to target both net48 and net10 as targeting netstandard2.0 or netstandard2.1 when referencing OpenIddict 8.x packages won't be possible.

  • The OpenIddict 8.x packages now reference Microsoft.Extensions.* version 10.x on both .NET 10 and .NET Framework.

  • The OpenIddict core stack now supports re-hashing client secrets dynamically and allows configuring the PBKDF2 options via new dedicated APIs in OpenIddictCoreBuilder: 

builder.Services.AddOpenIddict()
    .AddCore(options =>
    {
        // ...

        options.SetClientSecretKeyDerivationHashAlgorithm(HashAlgorithmName.SHA512)
               .SetClientSecretKeyDerivationIterations(100_000)
               .SetClientSecretKeyDerivationOutputLength(512)
               .SetClientSecretKeyDerivationSaltLength(256);
    });
  • As part of the "client secrets overhaul", the following changes have been made to the PBKDF2-based secrets protector:
    • The default hash algorithm is now SHA512 (instead of SHA256 in previous OpenIddict versions).
    • The default number of iterations is now 100K (instead of 10K in previous OpenIddict versions).
    • The default key length is now 512 bits (instead of 256 bits in previous OpenIddict versions).
    • The default nonce length is now 256 bits (instead of 128 bits in previous OpenIddict versions).

Tip

Even after being re-hashed using the new (safer) defaults, the client secrets can still be validated by previous versions of OpenIddict, as the PBKDF2 parameters are embedded inside the "hashed" client secret that is stored in the database.

  • All the OpenIddict libraries have been updated to perform options validation in IValidateOptions<TOptions> instead of IPostConfigureOptions<TOptions> as in previous versions, making the separation between post-configuration initialization and validation clearer.

  • All the OpenIddict*Builder classes now offer a ValidateOnStart() API to force options validation when the .NET generic/web host starts (thanks @sfgserr! ❤️).

  • The IOpenIddict*Store.CountAsync() API has been updated to support flowing a state parameter, making it consistent with the other IQueryable<T>-based - i.e GetAsync() and ListAsync() - APIs.

  • The length of the string primary keys in the EF 6 and EF Core stores has been reduced to address an issue affecting MySQL (see #2366).

  • OpenIddictClientAspNetCoreOptions, OpenIddictServerAspNetCoreOptions and OpenIddictValidationAspNetCoreOptions no longer inherit from ASP.NET Core's AuthenticationSchemeOptions class in OpenIddict 8.x (for consistency, the OpenIddictClientOwinOptions, OpenIddictServerOwinOptions and OpenIddictValidationOwinOptions no longer inherit from Katana's AuthenticationOptions class). This change was made to avoid ending up with two instances of these options (a named instance - used by ASP.NET Core's authentication stack - and an unnamed instance, used by OpenIddict itself).

  • All the members obsoleted in previous versions of OpenIddict have been removed.

  • All the .NET and third-party dependencies have been updated to their latest version.

Check out latest releases or
releases around openiddict/openiddict-core 8.0.0-preview.1

Don't miss a new openiddict-core release

NewReleases is sending notifications on new releases.

Get notifications