Releases: DuendeSoftware/foss
Duende.AspNetCore.Authentication.OAuth2Introspection
- Updated Duende.IdentityModel dependency to 8.0.1
Duende.IdentityModel.OidcClient 7.0.1
- Update Duende.IdentityModel dependency to 8.0.1
Duende.IdentityModel 8.0.1
Update Microsoft.Bcl.Memory dependency to 10.0.4 due to a vulnerability in Microsoft.Bcl.Memory GHSA-73j8-2gch-69rq
- .NET 10 users are not affected as this transitive dependency is conditionally excluded for projects that target .NET 10.
- .NET 8 and .NET 9 users are affect and need to either explicitly reference
Microsoft.Bcl.Memory.10.0.4or update toDuende.IdentityModel.8.0.1
Duende.AccessToken 4.1.2
- Update Duende.IdentityModel dependency to version 8.0.1
Duende Access Token Management 4.1.1
What's Changed
- Include Revoke and Refresh patch in ATM 4.1.x by @pgermishuys in #314
Contributors
Assets 2
Duende.AspNetCore.Authentication.OAuth2Introspection 7.0.0
This is a major release which brings a variety of changes including support for .NET 10.
There are no changes from the Release Candidate.
Breaking Changes
- Enable nullable reference types by @damianh in #254
- Move to HybridCache in OAuth2Introspection by @bhazen in #274
- Updated Identity Model to use 8.0.0 - Preview 1 by @josephdecock in #284
- Update to .NET 10 GA Release by @bhazen in #294
- Update to IdentityModel 8 RC1 by @bhazen in #295
- Updated to IdentityModel 8.0.0 by @bhazen in #302
Move to HybridCache in OAuth2Introspection
The use of IDistributedCache in this library has been replaced with the use of HybridCache. Part of this change was the removal of the EnableCaching option. Users who wish to not have introspection results cached should set the new SetCacheEntryFlags options to the value HybridCacheEntryFlags.DisableLocalCacheWrite | HybridCacheEntryFlags.DisableDistributedCacheWrite.
The primary motivation for this change was to disable an additional breaking change in the future. HybridCache does not currently support a mechanism for controlling the cache expiration in a factory method to fetch/create the cached data. This is problematic with introspection as RFC 7662 states: If the response contains the "exp" parameter (expiration), the response MUST NOT be cached beyond the time indicated therein. The requirement of the RFC prevents this library from benefitting from features of HybridCache such as stampede protection as the result of introspection needs to be known prior to interacting with the cache. This will be revisited in the future if and when HybridCache's API surface is updated to allow controlling a cache entry's cache duration inside a factory method.
Enhancements
- .NET 10 RC1 support by @damianh in #211
- Remove SimpleJson by @damianh in #253
- Add API Verification tests by @damianh in #259
- .NET 10 RC2 by @damianh in #277
Contributors
Thanks to the Duende.AspNetCore.Authentication.OAuth2Introspection community for your involvement with issues and pull requests!
Contributors
Assets 2
Duende.IdentityModel.OidcClient 7.0.0
This is a major release which brings a variety of changes including support for .NET 10.
There are no changes from the Release Candidate.
Breaking Changes
Enhancements
- .NET 10 GA support by @bhazen in #294
- .NET 10 RC1 support by @damianh in #211
- Remove unused package references by @damianh in #242
- .NET 10 RC2 by @damianh in #277
- Updated Identity Model to use 8.0.0 - Preview 1 by @josephdecock in #284
- Update to .NET 10 GA Release by @bhazen in #294
- Update to IdentityModel 8 RC1 by @bhazen in #295
- Updated to IdentityModel 8.0.0 by @bhazen in #302
Bug Fixes
Introduction of IDPoPProofTokenFactory
This is a breaking change in that DPoPProofTokenFactory was renamed to DefaultDPoPProofTokenFactory to make it clear it is the default implementation which is provided by the library.
Previously, there was no mechanism for customizing how DPoP proof tokens were created. This caused some issues, such as making it difficult to use signing keys which are stored in a platform crypto provider (see https://github.com/orgs/DuendeSoftware/discussions/163).
To accommodate such scenarios, an IDPoPProofTokenFactory was introduced to allow for complete customization. To make use of a custom implementation of this interface, use the new extension methods to configure DPoP:
var options = new OidcClientOptions();
var myCustomProofTokenFactory = new MyCustomProofTokenFactory();
options.ConfigureDPoP(myCustomProofTokenFactory);
Code which does not require a custom implementation of IDPoPProofTokenFactory should not need to be changed.
Contributors
Thanks to the Duende.IdentityModel.OidcClient community for your involvement with issues and pull requests!
Contributors
Assets 2
Duende.IdentityModel 8.0.0
This is a major release which brings a variety of changes including support for .NET 10.
There are no changes from the Release Candidate.
Breaking Changes
- Remove Base64Url, using SDK/Runtime provided type instead. by @damianh in #249
- Removed Obsolete DateTimeExtensions by @bhazen in #255
- Make DynamicClientRegistrationDocument.Extensions Non Nullable by @bhazen in #258
Enhancements
- Add
IDisposabletoProtocolResponseby @stefannikolei in #192 - .NET 10 RC1 support by @damianh in #211
- Add Additional Metadata Document Fields by @bhazen in #236
- Remove unused package references by @damianh in #242
- Add support for JSON claim value type originally by @taufikdev88 in #62, merged in #248
- Support POST for GetUserInfo by @bhazen in #256
- Allow Using HttpClient BaseAddress for Authority in DiscoveryCache by @bhazen in #257
- .NET 10 RC2 by @damianh in #277
- Update to .NET 10 GA Release by @bhazen in #294
Bug Fixes
- Fix broken documentation link by @StuFrankish in #213
- Fix some formatting that is causing .NET 10 PR to fail by @damianh in #238
Upgrading
Replacing Use of Base64Url
Code which was previously using the public static Base64Url class from this library, should be updated to use the Base64Url class found in the System.Buffers.Text namespace.
Uses of the Encode method should be replaced with the EncodeToString method and uses of the Decode method should be replaced with the DecodeFromChars method.
For example, code which previously looked like this:
var jsonString = Base64Url.Decode(payload);
should be updated to this:
using System.Buffers.Text;
var jsonString = Base64Url.DecodeFromChars(payload);
Replacing Use of DateTimeExtensions
Code which was previously using the public static DateTimeExtensions class from this library, should be updated to use DateTimeOffset.ToUnixTimeSeconds() instead.
For example. code which previously looked like this:
DateTime.UtcNow.ToEpochTime()
should be updated to this:
DateTimeOffset.UtcNow.ToUnixTimeSeconds()
Handling DynamicClientRegistrationDocument.Extensions Now Being Non-Nullable
Any code which was explicitly setting the Extensions property of the DynamicClientRegistrationDocument.Extensions to null, should be updated to instead set it to an empty dictionary.
Contributors
Thanks to the Duende.IdentityModel community for your involvement with issues and pull requests!
Contributors
Assets 2
Duende Access Token Management 4.1.0
This is a major release which brings a variety of changes including support for .NET 10.
In addition to target the .NET 10 GA release over the RC2 release, there have been several enhancements since the last version was released:
- Allow a default
TokenRequestCustomizerto be registered by @pgermishuys in #300 - Introduce a Token Cache Duration Store by @pgermishuys in #289
- Enable ForceTokenRenewal of OIDC User Access Token by @pgermishuys in #290
- Ensure Assertions are used during Token Refreshes by @pgermishuys in #293
Enhancements
- .NET 10 RC1 support by @damianh in #211
- Remove unused package references by @damianh in #242
- .NET 10 RC2 by @damianh in #277
- Identity Model 8.0.0 - Preview 1 by @josephdecock #284
- Identity Model 8.0.0 - Release Candidate 1 by @bhazen #295
- Introduce a Token Cache Duration Store by @pgermishuys in #289
- Enable ForceTokenRenewal of OIDC User Access Token by @pgermishuys in #290
- Ensure Assertions are used during Token Refreshes by @pgermishuys in #293
- Update to .NET 10 GA Release by @bhazen in #294
- Updated to IdentityModel 8.0.0 by @bhazen in #302
Contributors
Assets 2
Duende Access Token Management 3.3.0
This is a minor release which brings a variety of changes including support for .NET 10.
There are no changes from the Release Candidate.
Enhancements
- Update to .NET 10 GA Release by @bhazen in #294
- Include ErrorDescription in token response on error by @gjermund-stensrud [#205]
- .NET 10 Support by @josephdecock [#283]
- Update ATM 3.3.X to .NET 10 GA by @bhazen in [#296]
- Updated to IdentityModel 8 GA by @bhazen in [#303]
