Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
7.2.0→7.3.07.2.0→7.3.07.2.0→7.3.07.2.0→7.3.07.2.0→7.3.0Release Notes
openiddict/openiddict-core (OpenIddict.AspNetCore)
v7.3.0Compare Source
This release introduces the following changes:
Mutual TLS authentication is now fully supported by the server and validation stacks for both OAuth 2.0 client authentication and token binding (mTLS support in the client stack was introduced in OpenIddict 6.0). For more information on how to set up mTLS, read Mutual TLS authentication.
Client secrets are still fully supported but the XML documentation was updated to discourage using them when possible. Instead, developers are encouraged to use either assertion-based client authentication or mTLS-based client authentication, as both offer a higher security level than shared secrets.
Client-side mTLS support was moved from
OpenIddict.Client.SystemNetHttptoOpenIddict.Clientand is now a first-class citizen. As part of this task, the existingTlsClientAuthenticationCertificateSelectorandSelfSignedTlsClientAuthenticationCertificateSelectoroptions present inOpenIddictClientSystemNetHttpOptionsandOpenIddictValidationSystemNetHttpOptionshave been marked as deprecated and are no longer used as they didn't allow flowing certificates dynamically (which is required for mTLS token binding using certificates generated on-the-fly). Instead, developers who need to dynamically override the default TLS client certificates selection logic are now invited to create custom event handlers for theProcessAuthenticationContextevent and use the new*EndpointClientCertificateproperties.OpenIddictClientServicenow allows attaching custom token request parameters viaInteractiveAuthenticationRequest.AdditionalTokenRequestParameters. As part of this change, handling of redirection and post-logout redirection requests by theOpenIddict.Client.SystemIntegrationhas been improved: token and userinfo requests are no longer sent as part of the callback request itself but whenOpenIddictClientService.AuthenticateInteractivelyAsync()is called by the application to finalize the authentication process.OpenIddict now uses 4096-bit RSA keys for development certificates and ephemeral keys (see #2415 for more information).
A new token validation check has been introduced in the client, server and validation stacks to detect when the payload associated with a reference token entry - stolen by a malicious actor from the server database - is directly used instead of the expected reference identifier.
The
osu!service is now supported by theOpenIddict.Client.WebIntegrationpackage (thanks @gehongyan! ❤️).A dedicated
promptsetting was added to the Google web provider (thanks @StellaAlexis! ❤️).An incorrect exception message reference was fixed (thanks @JarieTimmer! ❤️)
The entire code base was updated to use polyfills when targeting older .NET/.NET Framework/.NET Standard targets.
All the .NET and third-party dependencies have been updated to the latest versions.
Configuration
📅 Schedule: Branch creation - "before 5:00am,before 10am,before 3pm,before 8pm" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.