Release Notes
This section documents the various releases of OpenID for ASP.NET Core.
4.0.0 – January 5, 2026
- Target .NET 8, .NET 9 and .NET 10. Drop .NET 6 support.
- Support non-HTTP schemes when converting relative to absolute URLs in the OpenID provider metadata.
- Preserve the OpenID configuration when returning metadata with relative URLs converted to absolute URLs.
- For client_secret_basic authentication, the client ID and client secret retrieved from the basic authentication header must be URL decoded.
3.8.0 – February 21, 2025
- Increase some of the default token timeouts. These may be changed through configuration.
- Support logout with a new id_token_hint after a refresh.
3.7.0 – January 10, 2025
- As well as .NET 6.0 and .NET 8.0, target .NET 9.0.
- Include .NET 9 example projects.
3.6.0 – July 23, 2024
- Don’t serialize the Claims.Subject property as it isn’t required for OIDC and could cause a stack overflow.
- Don’t include the idp and ver claims in the ID token as this breaks the OIDC conformance tests.
- Support clearing the session state by client ID.
- Include the logout request in the IOpenIDStatus.
- Support multiple claims of the same type.
- Add the ClientConfiguration.RedirectUrisAreRegex to specify whether redirect URIs are regular expressions.
- Add IClaimFactory to support customization of the claims returned in the ID token and by the UserInfo endpoint.
- Replace IOpenIDProvider.SendAuthnErrorResponseAsync(Exception) with IOpenIDProvider.ToErrorCode.
- Include the optional correlationID to support multiple pending responses.
3.5.0 – March 1, 2024
- As well as .NET 6.0, target .NET 8.0.
- Include .NET 8 example projects.
- Expose the ClaimConverter JSON serialization/deserialization class for Claim objects to assist with refresh token implementations.
3.4.0 – November 7, 2023
- For compatibility, don’t include an empty key_ops array or other information outside the specification with the JWKs returned by GetKeysAsync.
- Support GetKeysAsync returning Elliptic Curve keys.
- Check the metadata claims_parameter_supported before processing any explicitly requested claims.
- The UserInfo endpoint should return all claims rather than just explicitly requested claims.
3.3.0 – September 7, 2023
- Fix issue where issuer field in metadata wasn’t always being converted to an absolute URL.
- If the response type is missing, invalid or unsupported, default the response mode to query.
- Add IClientSecretVerifier to support custom client secret verification including the use of hashed secrets.
- For private_key_jwt and client_secret_jwt client authentication, the audience should be validated against the applicable endpoint URL rather than the issuer URL.
3.2.0 – May 19, 2023
- Support specifying RedirectUris in the configuration as regular expressions to handle randomly generated port numbers and other scenarios.
- Fix issue with private_key_jwt and client_secret_jwt client authentication.
- Fix issue with redirect URIs that include query string parameters.
- Add support for token introspection.
- Include the x5t and x5c properties in the returned JWKs.
3.1.0 – March 15, 2023
- Add ITokenValidationDelegates.IssuerSigningKeyResolver for use when verifying the HMAC signature of JWT bearer tokens.
- Used a typed HTTP client to provide tailored configuration of client certificates etc.
- As well as .NET 6.0, target .NET 7.0.
3.0.0 – January 11, 2023
- Fix issue converting relative to absolute URLs.
- Add support for JWT access tokens.
- Improve support for refresh tokens.
- Add support for client_credentials grant type.
- Add support for password grant type.
- Use IOptionsMonitor rather than IOptionsSnapshot as more performant.
- When verifying signatures, don’t use expired certificates.
- When generating signatures, use a non-expired certificate if available.
- Include the AddConfigurationResolver convenience method.
2.0.0 – August 25, 2022
- Updates related to OpenID conformance testing.
- GetUserInfoAsync no longer take a delegate argument. Claims are provided by SendAuthnResponseAsync instead.
- GetStatusAsync and RevokeRefreshTokenAsync methods added to interface.
1.0.0 – July 29, 2022
- Initial release.