Release Notes

This section documents the various releases of OpenID for ASP.NET Core.

Target .NET 8, .NET 9 and .NET 10. Drop .NET 6 support.
Support non-HTTP schemes when converting relative to absolute URLs in the OpenID provider metadata.
Preserve the OpenID configuration when returning metadata with relative URLs converted to absolute URLs.
For client_secret_basic authentication, the client ID and client secret retrieved from the basic authentication header must be URL decoded.

Increase some of the default token timeouts. These may be changed through configuration.
Support logout with a new id_token_hint after a refresh.

Don’t serialize the Claims.Subject property as it isn’t required for OIDC and could cause a stack overflow.
Don’t include the idp and ver claims in the ID token as this breaks the OIDC conformance tests.
Support clearing the session state by client ID.
Include the logout request in the IOpenIDStatus.
Support multiple claims of the same type.
Add the ClientConfiguration.RedirectUrisAreRegex to specify whether redirect URIs are regular expressions.
Add IClaimFactory to support customization of the claims returned in the ID token and by the UserInfo endpoint.
Replace IOpenIDProvider.SendAuthnErrorResponseAsync(Exception) with IOpenIDProvider.ToErrorCode.
Include the optional correlationID to support multiple pending responses.

As well as .NET 6.0, target .NET 8.0.
Include .NET 8 example projects.
Expose the ClaimConverter JSON serialization/deserialization class for Claim objects to assist with refresh token implementations.

For compatibility, don’t include an empty key_ops array or other information outside the specification with the JWKs returned by GetKeysAsync.
Support GetKeysAsync returning Elliptic Curve keys.
Check the metadata claims_parameter_supported before processing any explicitly requested claims.
The UserInfo endpoint should return all claims rather than just explicitly requested claims.

Fix issue where issuer field in metadata wasn’t always being converted to an absolute URL.
If the response type is missing, invalid or unsupported, default the response mode to query.
Add IClientSecretVerifier to support custom client secret verification including the use of hashed secrets.
For private_key_jwt and client_secret_jwt client authentication, the audience should be validated against the applicable endpoint URL rather than the issuer URL.

Support specifying RedirectUris in the configuration as regular expressions to handle randomly generated port numbers and other scenarios.
Fix issue with private_key_jwt and client_secret_jwt client authentication.
Fix issue with redirect URIs that include query string parameters.
Add support for token introspection.
Include the x5t and x5c properties in the returned JWKs.

Add ITokenValidationDelegates.IssuerSigningKeyResolver for use when verifying the HMAC signature of JWT bearer tokens.
Used a typed HTTP client to provide tailored configuration of client certificates etc.
As well as .NET 6.0, target .NET 7.0.

Updates related to OpenID conformance testing.
GetUserInfoAsync no longer take a delegate argument. Claims are provided by SendAuthnResponseAsync instead.
GetStatusAsync and RevokeRefreshTokenAsync methods added to interface.