Update README.md

kevinchalet · kevinchalet · commit a32988fd93ea · 2017-08-26T15:59:11.000+02:00
diff --git a/README.md b/README.md
@@ -1,7 +1,7 @@
 AspNet.Security.OpenIdConnect.Server
 ==================================
 
-**AspNet.Security.OpenIdConnect.Server** is an **advanced OAuth2/OpenID Connect server framework** for both ASP.NET Core 1.0 (previously known as ASP.NET 5) and OWIN/Katana, designed to offer a low-level, protocol-first approach.
+**AspNet.Security.OpenIdConnect.Server** is an **advanced OAuth2/OpenID Connect server framework** for both ASP.NET Core 1.x/2.x and OWIN/Katana 3.x/4.x, designed to offer a low-level, protocol-first approach.
 
 **The latest official release can be found on [NuGet](https://www.nuget.org/packages/AspNet.Security.OpenIdConnect.Server) and the nightly builds on [MyGet](https://www.myget.org/gallery/aspnet-contrib)**.
 
@@ -10,113 +10,119 @@ AspNet.Security.OpenIdConnect.Server
 
 ## Get started
 
-Based on `OAuthAuthorizationServerMiddleware` from **Katana 3**, **AspNet.Security.OpenIdConnect.Server** exposes similar primitives and can be directly registered in **Startup.cs** using the `UseOpenIdConnectServer` extension method:
+Based on `OAuthAuthorizationServerMiddleware` from **Katana**, **AspNet.Security.OpenIdConnect.Server** exposes similar primitives and can be directly registered in **Startup.cs** using the `UseOpenIdConnectServer` extension method:
 
 ```csharp
-app.UseOpenIdConnectServer(options =>
+public void ConfigureServices(IServiceCollection services)
 {
-    // Enable the token endpoint.
-    options.TokenEndpointPath = "/connect/token";
-
-    // Implement OnValidateTokenRequest to support flows using the token endpoint.
-    options.Provider.OnValidateTokenRequest = context =>
+    services.AddAuthentication().AddOpenIdConnectServer(options =>
     {
-        // Reject token requests that don't use grant_type=password or grant_type=refresh_token.
-        if (!context.Request.IsPasswordGrantType() && !context.Request.IsRefreshTokenGrantType())
-        {
-            context.Reject(
-                error: OpenIdConnectConstants.Errors.UnsupportedGrantType,
-                description: "Only grant_type=password and refresh_token " +
-                             "requests are accepted by this server.");
-
-            return Task.FromResult(0);
-        }
-
-        // Note: you can skip the request validation when the client_id
-        // parameter is missing to support unauthenticated token requests.
-        // if (string.IsNullOrEmpty(context.ClientId))
-        // {
-        //     context.Skip();
-        // 
-        //     return Task.FromResult(0);
-        // }
-
-        // Note: to mitigate brute force attacks, you SHOULD strongly consider applying
-        // a key derivation function like PBKDF2 to slow down the secret validation process.
-        // You SHOULD also consider using a time-constant comparer to prevent timing attacks.
-        if (string.Equals(context.ClientId, "client_id", StringComparison.Ordinal) &&
-            string.Equals(context.ClientSecret, "client_secret", StringComparison.Ordinal))
+        // Enable the token endpoint.
+        options.TokenEndpointPath = "/connect/token";
+    
+        // Implement OnValidateTokenRequest to support flows using the token endpoint.
+        options.Provider.OnValidateTokenRequest = context =>
         {
-            context.Validate();
-        }
-
-        // Note: if Validate() is not explicitly called,
-        // the request is automatically rejected.
-        return Task.FromResult(0);
-    };
-
-    // Implement OnHandleTokenRequest to support token requests.
-    options.Provider.OnHandleTokenRequest = context =>
-    {
-        // Only handle grant_type=password token requests and let the
-        // OpenID Connect server middleware handle the other grant types.
-        if (context.Request.IsPasswordGrantType())
-        {
-            // Implement context.Request.Username/context.Request.Password validation here.
-            // Note: you can call context Reject() to indicate that authentication failed.
-            // Using password derivation and time-constant comparer is STRONGLY recommended.
-            if (!string.Equals(context.Request.Username, "Bob", StringComparison.Ordinal) ||
-                !string.Equals(context.Request.Password, "P@ssw0rd", StringComparison.Ordinal))
+            // Reject token requests that don't use grant_type=password or grant_type=refresh_token.
+            if (!context.Request.IsPasswordGrantType() && !context.Request.IsRefreshTokenGrantType())
             {
                 context.Reject(
-                    error: OpenIdConnectConstants.Errors.InvalidGrant,
-                    description: "Invalid user credentials.");
-
-                return Task.FromResult(0);
+                    error: OpenIdConnectConstants.Errors.UnsupportedGrantType,
+                    description: "Only grant_type=password and refresh_token " +
+                                 "requests are accepted by this server.");
+    
+                return Task.CompletedTask;
             }
-
-            var identity = new ClaimsIdentity(context.Options.AuthenticationScheme,
-                OpenIdConnectConstants.Claims.Name,
-                OpenIdConnectConstants.Claims.Role);
-
-            // Add the mandatory subject/user identifier claim.
-            identity.AddClaim(OpenIdConnectConstants.Claims.Subject, "[unique id]");
-
-            // By default, claims are not serialized in the access/identity tokens.
-            // Use the overload taking a "destinations" parameter to make sure
-            // your claims are correctly inserted in the appropriate tokens.
-            identity.AddClaim("urn:customclaim", "value",
-                OpenIdConnectConstants.Destinations.AccessToken,
-                OpenIdConnectConstants.Destinations.IdentityToken);
-
-            var ticket = new AuthenticationTicket(
-                new ClaimsPrincipal(identity),
-                new AuthenticationProperties(),
-                context.Options.AuthenticationScheme);
-
-            // Call SetScopes with the list of scopes you want to grant
-            // (specify offline_access to issue a refresh token).
-            ticket.SetScopes(
-                OpenIdConnectConstants.Scopes.Profile,
-                OpenIdConnectConstants.Scopes.OfflineAccess);
-
-            context.Validate(ticket);
-        }
-
-        return Task.FromResult(0);
-    };
-});
+    
+            // Note: you can skip the request validation when the client_id
+            // parameter is missing to support unauthenticated token requests.
+            // if (string.IsNullOrEmpty(context.ClientId))
+            // {
+            //     context.Skip();
+            // 
+            //     return Task.CompletedTask;
+            // }
+    
+            // Note: to mitigate brute force attacks, you SHOULD strongly consider applying
+            // a key derivation function like PBKDF2 to slow down the secret validation process.
+            // You SHOULD also consider using a time-constant comparer to prevent timing attacks.
+            if (string.Equals(context.ClientId, "client_id", StringComparison.Ordinal) &&
+                string.Equals(context.ClientSecret, "client_secret", StringComparison.Ordinal))
+            {
+                context.Validate();
+            }
+    
+            // Note: if Validate() is not explicitly called,
+            // the request is automatically rejected.
+            return Task.CompletedTask;
+        };
+    
+        // Implement OnHandleTokenRequest to support token requests.
+        options.Provider.OnHandleTokenRequest = context =>
+        {
+            // Only handle grant_type=password token requests and let
+            // the OpenID Connect server handle the other grant types.
+            if (context.Request.IsPasswordGrantType())
+            {
+                // Implement context.Request.Username/context.Request.Password validation here.
+                // Note: you can call context Reject() to indicate that authentication failed.
+                // Using password derivation and time-constant comparer is STRONGLY recommended.
+                if (!string.Equals(context.Request.Username, "Bob", StringComparison.Ordinal) ||
+                    !string.Equals(context.Request.Password, "P@ssw0rd", StringComparison.Ordinal))
+                {
+                    context.Reject(
+                        error: OpenIdConnectConstants.Errors.InvalidGrant,
+                        description: "Invalid user credentials.");
+    
+                    return Task.CompletedTask;
+                }
+    
+                var identity = new ClaimsIdentity(context.Scheme.Name,
+                    OpenIdConnectConstants.Claims.Name,
+                    OpenIdConnectConstants.Claims.Role);
+    
+                // Add the mandatory subject/user identifier claim.
+                identity.AddClaim(OpenIdConnectConstants.Claims.Subject, "[unique id]");
+    
+                // By default, claims are not serialized in the access/identity tokens.
+                // Use the overload taking a "destinations" parameter to make sure
+                // your claims are correctly inserted in the appropriate tokens.
+                identity.AddClaim("urn:customclaim", "value",
+                    OpenIdConnectConstants.Destinations.AccessToken,
+                    OpenIdConnectConstants.Destinations.IdentityToken);
+    
+                var ticket = new AuthenticationTicket(
+                    new ClaimsPrincipal(identity),
+                    new AuthenticationProperties(),
+                    context.Scheme.Name);
+    
+                // Call SetScopes with the list of scopes you want to grant
+                // (specify offline_access to issue a refresh token).
+                ticket.SetScopes(
+                    OpenIdConnectConstants.Scopes.Profile,
+                    OpenIdConnectConstants.Scopes.OfflineAccess);
+    
+                context.Validate(ticket);
+            }
+    
+            return Task.CompletedTask;
+        };
+    });
+}
 ```
 
-> Note: in order for the OpenID Connect server middleware to work properly, **the authentication services must be registered in the DI container**:
+> Note: in order for the OpenID Connect server to work properly, **the authentication middleware must be registered in the ASP.NET Core 2.0 pipeline**:
 
 ```csharp
-public void ConfigureServices(IServiceCollection services)
+public void Configure(IApplicationBuilder app)
 {
-    services.AddAuthentication();
+    app.UseAuthentication();
 }
 ```
 
+> Note: **the AspNet.Security.OpenIdConnect.Server 2.x packages are only compatible with ASP.NET Core 2.x**.
+> If your application targets ASP.NET Core 1.x, use the AspNet.Security.OpenIdConnect.Server 1.x packages.
+
 ## Resources
 
 **Looking for additional resources to help you get started?** Don't miss these interesting blog posts:
@@ -127,9 +133,9 @@ public void ConfigureServices(IServiceCollection services)
 
 The samples found [in the current project](./samples/) directory always target the latest ASP.NET Core releases and are mainly meant to ease its testing.
 
-**Official samples targetting ASP.NET Core 1.0 RTM** can be found on [aspnet-contrib/AspNet.Security.OpenIdConnect.Samples](https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Samples). 
+**Official samples targetting ASP.NET Core** can be found on [aspnet-contrib/AspNet.Security.OpenIdConnect.Samples](https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Samples). 
 
-**Looking for something simpler?** Don't miss **[OpenIddict](https://github.com/openiddict/core)**, the **simple and easy-to-use OpenID Connect server for ASP.NET Core 1.0** based on AspNet.Security.OpenIdConnect.Server and ASP.NET Core Identity.
+**Looking for something simpler?** Don't miss **[OpenIddict](https://github.com/openiddict/core)**, the **simple and easy-to-use OpenID Connect server for ASP.NET Core 1.x and 2.0** based on AspNet.Security.OpenIdConnect.Server.
 
 ## Support
 
