Releases: DuendeSoftware/foss
Duende.AccessTokenManagement 4.2.0
Duende.IdentityModel.OidcClient 7.1.0
This minor release adds support for DPoP in combination with client assertions. (Note: DPoP is only available in .NET 8 and higher.)
Duende.IdentityModel 8.1.0
This minor release introduces foundational capability to refresh Client Assertions. This is required to support client assertions with both PAR and DPoP.
- Introduce ClientAssertionFactory to allow refreshing of Client Assertions during retries #343
Duende.AspNetCore.Authentication.OAuth2Introspection
- Updated Duende.IdentityModel dependency to 8.0.1
Duende.IdentityModel.OidcClient 7.0.1
- Update Duende.IdentityModel dependency to 8.0.1
Duende.IdentityModel 8.0.1
Updated the Microsoft.Bcl.Memory dependency to 10.0.4 due to a vulnerability in Microsoft.Bcl.Memory (GHSA-73j8-2gch-69rq).
- .NET 10 users are not affected as this transitive dependency is conditionally excluded for projects that target .NET 10.
- .NET 8 and .NET 9 users are affected and need to either explicitly reference Microsoft.Bcl.Memory.10.0.4 or update to Duende.IdentityModel.8.0.1
Duende.AccessToken 4.1.2
- Update Duende.IdentityModel dependency to version 8.0.1
Duende Access Token Management 4.1.1
What's Changed
- Include Revoke and Refresh patch in ATM 4.1.x by @pgermishuys in #314
Duende.AspNetCore.Authentication.OAuth2Introspection 7.0.0
This is a major release which brings a variety of changes including support for .NET 10.
There are no changes from the Release Candidate.
Breaking Changes
- Enable nullable reference types by @damianh in #254
- Move to HybridCache in OAuth2Introspection by @bhazen in #274
- Updated Identity Model to use 8.0.0 - Preview 1 by @josephdecock in #284
- Update to .NET 10 GA Release by @bhazen in #294
- Update to IdentityModel 8 RC1 by @bhazen in #295
- Updated to IdentityModel 8.0.0 by @bhazen in #302
Move to HybridCache in OAuth2Introspection
The use of IDistributedCache in this library has been replaced with the use of HybridCache. Part of this change was the removal of the EnableCaching option. Users who do not want introspection results cached should set the new SetCacheEntryFlags option to the value HybridCacheEntryFlags.DisableLocalCacheWrite | HybridCacheEntryFlags.DisableDistributedCacheWrite.
The primary motivation for this change was to avoid an additional breaking change in the future. HybridCache does not currently support a mechanism for controlling the cache expiration from inside the factory method that fetches or creates the cached data. This is problematic for introspection because RFC 7662 states: If the response contains the "exp" parameter (expiration), the response MUST NOT be cached beyond the time indicated therein. This requirement prevents the library from benefiting from HybridCache features such as stampede protection, because the result of introspection needs to be known before interacting with the cache. This will be revisited in the future if and when HybridCache's API surface is updated to allow controlling a cache entry's cache duration inside a factory method.
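The RFC 7662 rule quoted above, as an added example that is not code from this library: the cache lifetime can only be chosen after the introspection response has been parsed, which is why the value must be known before the cache is touched. `IntrospectionCachePolicy`, its method and the sample responses are hypothetical and constructed for illustration.

```csharp
using System;
using System.Text.Json;

// Added example: IntrospectionCachePolicy is a hypothetical name, not library API.
public static class IntrospectionCachePolicy
{
    // Returns the lifetime a cache entry may have, or null when the response must not be cached.
    public static TimeSpan? GetCacheDuration(string responseJson, TimeSpan configured, DateTimeOffset now)
    {
        using var doc = JsonDocument.Parse(responseJson);
        var root = doc.RootElement;

        // Policy choice for this sketch: never cache inactive or malformed results.
        if (!root.TryGetProperty("active", out var active) || active.ValueKind != JsonValueKind.True)
            return null;

        // No "exp" in the response: only the configured duration bounds the entry.
        if (!root.TryGetProperty("exp", out var exp))
            return configured;

        // "exp" present but not an integer NumericDate: treat as untrustworthy, do not cache.
        if (exp.ValueKind != JsonValueKind.Number || !exp.TryGetInt64(out var expSeconds))
            return null;

        var remaining = DateTimeOffset.FromUnixTimeSeconds(expSeconds) - now;
        if (remaining <= TimeSpan.Zero)
            return null; // token already expired

        // RFC 7662: MUST NOT be cached beyond "exp", so take the shorter of the two.
        return remaining < configured ? remaining : configured;
    }

    public static void Main()
    {
        var now = DateTimeOffset.FromUnixTimeSeconds(1_700_000_000); // constructed clock
        var configured = TimeSpan.FromMinutes(5);
        string[] samples = // constructed introspection responses
        {
            "{\"active\":true,\"exp\":1700000090}", // 90 s left: capped by exp
            "{\"active\":true,\"exp\":1700003600}", // 1 h left: capped by configured 5 min
            "{\"active\":true}",                    // no exp: configured duration
            "{\"active\":false}",                   // inactive: not cached
            "{\"active\":true,\"exp\":1699999999}"  // expired: not cached
        };
        foreach (var s in samples)
            Console.WriteLine($"{s} -> {GetCacheDuration(s, configured, now)?.ToString() ?? "do not cache"}");
    }
}
```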
Enhancements
- .NET 10 RC1 support by @damianh in #211
- Remove SimpleJson by @damianh in #253
- Add API Verification tests by @damianh in #259
- .NET 10 RC2 by @damianh in #277
Contributors
Thanks to the Duende.AspNetCore.Authentication.OAuth2Introspection community for your involvement with issues and pull requests!
Duende.IdentityModel.OidcClient 7.0.0
This is a major release which brings a variety of changes including support for .NET 10.
There are no changes from the Release Candidate.
Breaking Changes
Enhancements
- .NET 10 GA support by @bhazen in #294
- .NET 10 RC1 support by @damianh in #211
- Remove unused package references by @damianh in #242
- .NET 10 RC2 by @damianh in #277
- Updated Identity Model to use 8.0.0 - Preview 1 by @josephdecock in #284
- Update to .NET 10 GA Release by @bhazen in #294
- Update to IdentityModel 8 RC1 by @bhazen in #295
- Updated to IdentityModel 8.0.0 by @bhazen in #302
Bug Fixes
Introduction of IDPoPProofTokenFactory
This is a breaking change in that DPoPProofTokenFactory was renamed to DefaultDPoPProofTokenFactory to make it clear it is the default implementation which is provided by the library.
Previously, there was no mechanism for customizing how DPoP proof tokens were created. This caused some issues, such as making it difficult to use signing keys which are stored in a platform crypto provider (see https://github.com/orgs/DuendeSoftware/discussions/163).
To accommodate such scenarios, an IDPoPProofTokenFactory was introduced to allow for complete customization. To make use of a custom implementation of this interface, use the new extension methods to configure DPoP:
```csharp
var options = new OidcClientOptions();
// MyCustomProofTokenFactory is your own implementation of IDPoPProofTokenFactory.
var myCustomProofTokenFactory = new MyCustomProofTokenFactory();
options.ConfigureDPoP(myCustomProofTokenFactory);
```
Code which does not require a custom implementation of IDPoPProofTokenFactory should not need to be changed.
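To show what a custom proof token factory has to produce when the private key stays in a platform crypto provider, here is an added example (not Duende code) that builds an RFC 9449 DPoP proof from a public key plus a signing callback. It does not implement IDPoPProofTokenFactory, whose members are not shown on this page; `DPoPProofSketch`, the `signer` delegate and the `idp.example` URL are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
// Added example: DPoPProofSketch and the signer delegate are hypothetical names, not Duende API.
public static class DPoPProofSketch
{
    static string B64Url(byte[] b) => Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    static byte[] FromB64Url(string s) =>
        Convert.FromBase64String(s.Replace('-', '+').Replace('_', '/') + new string('=', (4 - s.Length % 4) % 4));

    // signer returns an ES256 signature (IEEE P1363 r||s) over the bytes it is given,
    // so the private key can stay inside a platform crypto provider.
    public static string CreateProof(ECParameters publicKey, Func<byte[], byte[]> signer,
        string method, string url, DateTimeOffset now)
    {
        var header = new
        {
            typ = "dpop+jwt",
            alg = "ES256",
            jwk = new { kty = "EC", crv = "P-256", x = B64Url(publicKey.Q.X!), y = B64Url(publicKey.Q.Y!) }
        };
        var payload = new
        {
            jti = B64Url(RandomNumberGenerator.GetBytes(16)), // unique per proof
            htm = method,
            htu = url, // request URI without query or fragment
            iat = now.ToUnixTimeSeconds()
        };
        var signingInput = B64Url(JsonSerializer.SerializeToUtf8Bytes(header)) + "." +
                           B64Url(JsonSerializer.SerializeToUtf8Bytes(payload));
        return signingInput + "." + B64Url(signer(Encoding.ASCII.GetBytes(signingInput)));
    }

    public static void Main()
    {
        // Constructed in-memory P-256 key standing in for a platform-held key.
        using var key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var proof = CreateProof(key.ExportParameters(false),
            data => key.SignData(data, HashAlgorithmName.SHA256),
            "POST", "https://idp.example/connect/token", DateTimeOffset.UtcNow);

        // Check the signature over header.payload, as a receiving server would.
        var parts = proof.Split('.');
        var ok = key.VerifyData(Encoding.ASCII.GetBytes(parts[0] + "." + parts[1]),
            FromB64Url(parts[2]), HashAlgorithmName.SHA256);
        Console.WriteLine(ok ? "signature valid" : "signature INVALID");
    }
}
```

Only the public key parameters and the callback cross into `CreateProof`, so swapping the lambda for a call into a hardware-backed or OS-managed key changes nothing else in the proof construction.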
Contributors
Thanks to the Duende.IdentityModel.OidcClient community for your involvement with issues and pull requests!