Duende.AspNetCore.Authentication.OAuth2Introspection 7.0.0 Preview 2

This is a preview release which contains enhancements, a breaking change, and support for .NET 10 RC2.

Breaking Changes

• Enable nullable reference types by @damianh in #254
• Move to HybridCache in OAuth2Introspection by @bhazen in #274
• Updated Identity Model to use 8.0.0 - Preview 1 in #284

Move to HybridCache in OAuth2Introspection

The use of IDistributedCache in this library has been replaced with the use of HybridCache. Part of this change was the removal of the EnableCaching option. Users who wish to not have introspection results cached should set the new SetCacheEntryFlags options to the value HybridCacheEntryFlags.DisableLocalCacheWrite | HybridCacheEntryFlags.DisableDistributedCacheWrite.

The primary motivation for this change was to disable an additional breaking change in the future. HybridCache does not currently support a mechanism for controlling the cache expiration in a factory method to fetch/create the cached data. This is problematic with introspection as RFC 7662 states: If the response contains the "exp" parameter (expiration), the response MUST NOT be cached beyond the time indicated therein. The requirement of the RFC prevents this library from benefitting from features of HybridCache such as stampede protection as the result of introspection needs to be known prior to interacting with the cache. This will be revisited in the future if and when HybridCache's API surface is updated to allow controlling a cache entry's cache duration inside a factory method.

Enhancements

• .NET 10 RC1 support by @damianh in #211
• Remove SimpleJson by @damianh in #253
• Add API Verification tests by @damianh in #259
• .NET 10 RC2 by @damianh in #277

Contributors

Thanks to the Duende.AspNetCore.Authentication.OAuth2Introspection community for your involvement with issues and pull requests!

• @damianh
• @bhazen

Duende.IdentityModel.OidcClient 7.0.0 Preview 2

This is a preview release which contains a bug fix, a new feature/breaking change, and support for .NET 10 RC2.

Breaking Changes

• Introduce IDPoPProofTokenFactory by @bhazen in a #267

Enhancements

• .NET 10 RC1 support by @damianh in #211
• Remove unused package references by @damianh in #242
• .NET 10 RC2 by @damianh in #277
• Updated Identity Model to use 8.0.0 - Preview 1 in #284

Bug Fixes

• Fix typo in AuthorizeState.cs by @Tornhoof in #233

Introduction of IDPoPProofTokenFactory

This is a breaking change in that DPoPProofTokenFactory was renamed to DefaultDPoPProofTokenFactory to make it clear it is the default implementation which is provided by the library.

Previously, there was no mechanism for customizing how DPoP proof tokens were created. This caused some issues, such as making it difficult to use signing keys which are stored in a platform crypto provider (see https://github.com/orgs/DuendeSoftware/discussions/163).

To accommodate such scenarios, an IDPoPProofTokenFactory was introduced to allow for complete customization. To make use of a custom implementation of this interface, use the new extension methods to configure DPoP:

var options = new OidcClientOptions();
var myCustomProofTokenFactory = new MyCustomProofTokenFactory();
options.ConfigureDPoP(myCustomProofTokenFactory);

Code which does not require a custom implementation of IDPoPProofTokenFactory should not need to be changed.

Contributors

Thanks to the Duende.IdentityModel.OidcClient community for your involvement with issues and pull requests!

• @Tornhoof
• @bhazen

Duende Access Token Management 4.1.0 Preview 2

This is a preview release which contains a new feature and support for .NET 10 RC2.

This corrects the version of Identity Model to use the latest preview 8.0.0 - preview 1.

Enhancements

• .NET 10 RC1 support by @damianh in #211
• Remove unused package references by @damianh in #242
• .NET 10 RC2 by @damianh in #277
• Identity Model 8.0.0 - Preview 1 by @josephdecock #284

Duende Access Token Management 3.3.0 Preview 1

This is a preview release of Duende Access Token Management 3.3.0 that includes support for .NET 10 RC2.

Enhancements

• Include ErrorDescription in token response on error by @gjermund-stensrud [#205]
• .NET 10 Support by @josephdecock [#283]

Duende.AspNetCore.Authentication.OAuth2Introspection 7.0.0 Preview 1

NOTE: There were minor issues with this release. There is a Preview 2 package available which should be used instead.

This is a preview release which contains enhancements, a breaking change, and support for .NET 10 RC2.

Breaking Changes

• Enable nullable reference types by @damianh in #254
• Move to HybridCache in OAuth2Introspection by @bhazen in #274

Move to HybridCache in OAuth2Introspection

The use of IDistributedCache in this library has been replaced with the use of HybridCache. Part of this change was the removal of the EnableCaching option. Users who wish to not have introspection results cached should set the new SetCacheEntryFlags options to the value HybridCacheEntryFlags.DisableLocalCacheWrite | HybridCacheEntryFlags.DisableDistributedCacheWrite.

The primary motivation for this change was to disable an additional breaking change in the future. HybridCache does not currently support a mechanism for controlling the cache expiration in a factory method to fetch/create the cached data. This is problematic with introspection as RFC 7662 states: If the response contains the "exp" parameter (expiration), the response MUST NOT be cached beyond the time indicated therein. The requirement of the RFC prevents this library from benefitting from features of HybridCache such as stampede protection as the result of introspection needs to be known prior to interacting with the cache. This will be revisited in the future if and when HybridCache's API surface is updated to allow controlling a cache entry's cache duration inside a factory method.

Enhancements

• .NET 10 RC1 support by @damianh in #211
• Remove SimpleJson by @damianh in #253
• Add API Verification tests by @damianh in #259
• .NET 10 RC2 by @damianh in #277

Contributors

Thanks to the Duende.AspNetCore.Authentication.OAuth2Introspection community for your involvement with issues and pull requests!

• @damianh
• @bhazen

Duende.IdentityModel.OidcClient 7.0.0 Preview 1

NOTE: There were minor issues with this release. There is a Preview 2 package available which should be used instead.

This is a preview release which contains a bug fix, a new feature/breaking change, and support for .NET 10 RC2.

Breaking Changes

• Introduce IDPoPProofTokenFactory by @bhazen in a #267

Enhancements

• .NET 10 RC1 support by @damianh in #211
• Remove unused package references by @damianh in #242
• .NET 10 RC2 by @damianh in #277

Bug Fixes

• Fix typo in AuthorizeState.cs by @Tornhoof in #233

Introduction of IDPoPProofTokenFactory

This is a breaking change in that DPoPProofTokenFactory was renamed to DefaultDPoPProofTokenFactory to make it clear it is the default implementation which is provided by the library.

Previously, there was no mechanism for customizing how DPoP proof tokens were created. This caused some issues, such as making it difficult to use signing keys which are stored in a platform crypto provider (see https://github.com/orgs/DuendeSoftware/discussions/163).

To accommodate such scenarios, an IDPoPProofTokenFactory was introduced to allow for complete customization. To make use of a custom implementation of this interface, use the new extension methods to configure DPoP:

var options = new OidcClientOptions();
var myCustomProofTokenFactory = new MyCustomProofTokenFactory();
options.ConfigureDPoP(myCustomProofTokenFactory);

Code which does not require a custom implementation of IDPoPProofTokenFactory should not need to be changed.

Contributors

Thanks to the Duende.IdentityModel.OidcClient community for your involvement with issues and pull requests!

• @Tornhoof
• @bhazen

Duende.IdentityModel 8.0.0 Preview 1

This is a preview release which contains a mix of bug fixes, enhancements, a few breaking changes, and support for .NET 10 RC2.

Breaking Changes

• Remove Base64Url, using SDK/Runtime provided type instead. by @damianh in #249
• Removed Obsolete DateTimeExtensions by @bhazen in #255
• Make DynamicClientRegistrationDocument.Extensions Non Nullable by @bhazen in #258

Enhancements

• Add IDisposable to ProtocolResponse by @stefannikolei in #192
• .NET 10 RC1 support by @damianh in #211
• Add Additional Metadata Document Fields by @bhazen in #236
• Remove unused package references by @damianh in #242
• Add support for JSON claim value type originally by @taufikdev88 in #62, merged in #248
• Support POST for GetUserInfo by @bhazen in #256
• Allow Using HttpClient BaseAddress for Authority in DiscoveryCache by @bhazen in #257
• .NET 10 RC2 by @damianh in #277

Bug Fixes

• Fix broken documentation link by @StuFrankish in #213
• Fix some formatting that is causing .NET 10 PR to fail by @damianh in #238

Upgrading

Replacing Use of Base64Url

Code which was previously using the public static Base64Url class from this library, should be updated to use the Base64Url class found in the System.Buffers.Text namespace.

Uses of the Encode method should be replaced with the EncodeToString method and uses of the Decode method should be replaced with the DecodeFromChars method.

For example, code which previously looked like this:

var jsonString = Base64Url.Decode(payload);

should be updated to this:

using System.Buffers.Text;

var jsonString = Base64Url.DecodeFromChars(payload);

Replacing Use of DateTimeExtensions

Code which was previously using the public static DateTimeExtensions class from this library, should be updated to use DateTimeOffset.ToUnixTimeSeconds() instead.

For example. code which previously looked like this:

DateTime.UtcNow.ToEpochTime()

should be updated to this:

DateTimeOffset.UtcNow.ToUnixTimeSeconds()

Handling DynamicClientRegistrationDocument.Extensions Now Being Non-Nullable

Any code which was explicitly setting the Extensions property of the DynamicClientRegistrationDocument.Extensions to null, should be updated to instead set it to an empty dictionary.

Contributors

Thanks to the Duende.IdentityModel community for your involvement with issues and pull requests!

• @stefannikolei
• @damianh
• @bhazen
• @taufikdev88
• @StuFrankish

Duende Access Token Management 4.1.0 Preview 1

Note:

There were minor issues with this release, please use Duende Access Token Management 4.1.0 Preview 2 instead.

This is a preview release which contains a new feature and support for .NET 10 RC2.

Enhancements

• .NET 10 RC1 support by @damianh in #211
• Remove unused package references by @damianh in #242
• .NET 10 RC2 by @damianh in #277

Introduction of Token Request Customization

Previously there was no ability to modify the token request parameters before a request is made to retrieve a token. This restricted the ability for users to scope tokens based on a particular request context.

We have provided the above mentioned capability by introducing an ITokenRequestCustomizer. Given the HttpRequestMessage as well as the TokenRequestParameters the user can customize the TokenRequestParameters that will be used to make the token request.

• ITokenRequestCustomizer interface - Service for customizing token request parameters based on HTTP request context
• New overloads for token handler extension methods that accept an optional ITokenRequestCustomizer parameter:
  • AddClientCredentialsTokenHandler(ITokenRequestCustomizer?, ClientCredentialsClientName)
  • AddClientAccessTokenHandler(ITokenRequestCustomizer?, UserTokenRequestParameters?)
  • AddUserAccessTokenHandler(ITokenRequestCustomizer?, UserTokenRequestParameters?)

Example usage:

public class ByPartitionIdTokenRequestCustomizer : ITokenRequestCustomizer
{
    public Task<TokenRequestParameters> Customize(
        HttpRequestMessage httpRequest,
        TokenRequestParameters baseParameters,
        CancellationToken cancellationToken = default)
    {
        var partitionId = httpRequest.Headers.GetValues("X-Partition-Id").FirstOrDefault();
        
        var customizedParams = baseParameters with
        {
            Scope = Scope.Parse($"api.{partitionId}")
        };
        
        return Task.FromResult(customizedParams);
    }
}

services.AddHttpClient("clientApi")
    .ConfigureHttpClient(client => client.BaseAddress = new Uri("https://api.example.com"))
    .AddClientCredentialsTokenHandler(
        new ByPartitionIdTokenRequestCustomizer(),
        ClientCredentialsClientName.Parse("example-client"));

Duende.AccessTokenManagement 4.0.1

Notable changes in Duende Access Token Management 4.0.1

• Addressed an issue where the Scope Parsing Regex was too strict. #263
• Removed DateTimeExtensions that have been marked as Obsolete: #255

Duende.AccessTokenManagement 4.0.0

This release marks a significant evolution of the internals of the Duende.AccessTokenManagement library. The public API signature for basic use cases has been mostly kept the same, but the extensibility model of the library has been significantly improved. This does mean that if you have made significant customizations to this library, you’ll likely need to revisit how those customizations have been implemented. We'll ship an upgrade guide for the most common scenarios as part of the documentation.

Because we realize that this is a big change and not everybody is able to adopt these changes immediately, we will continue to support Duende.AccessTokenManagement V3 until end of life of .NET 8.0 LTS.

Major Changes

New Features

• Support for OpenTelemetry metrics, logs, and traces.
• Externalized cache key generation.
• Support for HybridCache.
• ID token included in the refresh token result.

Moving Towards HybridCache Implementation and Away from Distributed Cache

ATM 4.0 uses the recently released HybridCache, which brings significant performance improvements while maintaining backward compatibility with .NET 8 and the IDistributedCache interface.

If you wish to encrypt cached access tokens, you can do so by implementing a custom serializer.

We have also added support for using distinct instances of HybridCache for different purposes via keyed services.

Complete Internal Refactoring

The library has undergone extensive internal changes such that it can be considered a new implementation under the same conceptual umbrella. The public API surface remains mostly compatible with earlier versions.

• New extensibility model (see below).
• All async methods now support cancellation tokens.
• Renaming of certain classes and interfaces (see below).
• Implementation logic is now internal.

Reduced Public API Surface

All internal implementation details are now marked as internal, reducing accidental coupling and clarifying the intended extension points. In V3, all classes were public and most public methods were marked as virtual. This meant you could override any class by inheriting from it and overriding a single method.

While this was very convenient for our consumers, it made it very difficult for us to introduce changes to the library without making breaking changes.

We still want to ensure our users' extensibility needs are met. If you find that you have an extensibility need that is not covered by the new model, please raise a discussion in our discussion board. If this is a scenario we want to support, we'll do our best to accommodate it.

Explicit Extension Model

Instead of relying on implicit behaviors or inheritance, V4 introduces clearly defined extension points, making it easier to customize behavior without relying on internal details.

Composition Over Inheritance

The AccessTokenHandler has been restructured to use composition rather than inheritance, simplifying the customization of token handling and increasing testability.

If you wish to implement a custom access token handling process, for example to implement token exchange, you can now implement your own AccessTokenRequestHandler.ITokenRetriever.

Strongly Typed Configuration

Configuration is now represented by strongly typed objects, improving validation, discoverability, and IDE support.

This means that where before you could assign strings to the configuration system, you'll now have to explicitly parse the string values.

For example:

var scheme = Scheme.Parse("oidc");

Renamed classes

Several classes have been renamed, either to make their usage clearer or to drop the 'service' suffix, which only adds noise:

AccessTokenHandler => AccessTokenRequestHandler
ClientCredentialsTokenManagementService => IClientCredentialsTokenManager
IClientCredentialsTokenEndpointService => IClientCredentialsTokenEndpoint
IUserTokenManagementService => IUserTokenManager
ITokenRequestSynchronization => IUserTokenRequestConcurrencyControl
IUserTokenEndpointService => IUserTokenEndpoint

Changes since Duende.AccessTokenManagement 4.0.0-rc2

Some (breaking) changes have been made since rc2, based on feedback from the community:

• Removed the ForceTokenRenewal strongly typed object: #235
• Fixed the calculation for cache invalidation: #231 with thanks to @anoordover
• Added support for cache invalidation via HybridCache tags: #214

Changes since Duende.AccessTokenManagement 4.0.0-rc1.5

After the release of ATM 4.0.0-rc1.5, based on customer feedback and our own internal design review, we decided to withdraw this release from nuget and perform quite intensive internal changes. Most of these are the breaking changes mentioned above.

OpenIdConnectClientConfiguration.Authority: This property has been removed. It wasn't actually used by the library as only the tokenendpoint was used. This property was intended to be used to automatically fetch the tokenendpoint from the authority by retrieving the discovery document. We decided not to implement this feature as it had unintended sideeffects. At that point, we decided to remove this property.