4.0.0-preview1

For more information about this release, read OpenIddict 4.0 preview1 is out.

3.1.1

This release addresses a minor issue that caused access tokens to be validated twice when using the pass-through mode for the userinfo endpoint if the userinfo endpoint was decorated with [Authorize(AuthenticationSchemes = OpenIddictServerAspNetCoreDefaults.AuthenticationScheme)] or called HttpContext.AuthenticateAsync(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme).

3.1.0

This release focuses on reducing logging overhead by changing the log level of most errors caused by users/client applications from Error to Information. For more information about this change, read #1205.

3.0.5

This minor release fixes a bug that prevented the pass-through mode from working properly for the logout endpoint in the OpenIddict server OWIN host. For more information, read #1263.

3.0.4

This minor release fixes a bug impacting scenarios using absolute URLs for the OpenIddict endpoints (relative paths like /connect/token were not affected). For more information, read #1255.

Starting with 3.0.4, both the ASP.NET Core and OWIN hosts now populate the AuthenticationProperties.IssuedUtc and AuthenticationProperties.ExpiresUtc properties to match OpenIddict 2.x's behavior.

This release also updates the authorization manager to ensure the CreateAsync() overload that doesn't take a descriptor parameter automatically attaches a creation date to the resulting authorization.

3.0.3

This minor release fixes a bug impacting an edge case where a client application is configured to require PKCE but is also allowed to use the implicit flow (a flow that can't support PKCE by definition). While not recommended, applications created with the PKCE requirement can now use the implicit flow if they have been granted the response_type=id_token, response_type=token or response_type=id_token token response type permissions.

This release also includes a work around for Oracle MySQL users (for more information, read #1234)

3.0.2

This minor release fixes a bug in the authorizations/tokens pruning logic used in the EF 6/EF Core stores and improves the development encryption/signing certificates mechanism to prevent an exception from being thrown when multiple certificates with the same name are generated concurrently by different applications.

To ensure OpenIddict-based applications don't use a version impacted by CVE-2021-26701, this release also updates the OpenIddict.Abstractions package to explicitly reference the latest System.Text.Encodings.Web patched version. For more information, read dotnet/announcements#178.

3.0.1

This minor release downgrades the minimum MongoDB version referenced by the OpenIddict MongoDB integration packages. For more information, see Downgrade MongoDB to 2.10.4.

3.0.0

For more information about this release, read OpenIddict 3.0 general availability.

3.0.0-rc2

All the changes introduced in this release can be found on GitHub.