Skip to content

4.0.0-rc1

Pre-release
Pre-release
Compare
Choose a tag to compare
@kevinchalet kevinchalet released this 07 Dec 10:11

This RC release introduces the following changes:

  • While initially planned for OpenIddict 5.0, modifications introducing breaking behavior changes in the URIs handling will finally ship as part of 4.0. Since these changes affect how endpoint URIs are configured, returned and resolved, users are invited to read #1613 before migrating to OpenIddict 4.0 RC1.

  • Relative redirect/post-logout-redirect URIs are now supported by the client stack, for both custom client registrations and web provider integrations:

options.UseWebProviders()
       .UseGitHub(options =>
       {
           // ...

           options.SetRedirectUri("callback/login/github");
       });
  • The client stack now requires enabling flows explicitly (exactly like the server stack), which allows offering better exceptions on misconfigurations and avoids requiring registering signing/encryption credentials when only non-interactive flows like password or client_credentials are used:
options.AllowAuthorizationCodeFlow()
       .AllowRefreshTokenFlow();
  • By default, the client stack now aborts challenge operations that are triggered from non-HTTPS pages with an exception message indicating that things may not work properly due to SameSite constraints when using HTTP instead of HTTPS. While not recommended, the client offers the same DisableTransportSecurityRequirement() option as the server stack to disable the HTTPS requirement.
options.UseAspNetCore()
       .DisableTransportSecurityRequirement();

options.UseOwin()
       .DisableTransportSecurityRequirement();
  • New provider integrations have been added to OpenIddict.Client.WebIntegration:

  • The definitions of the existing providers have been updated to allow using the refresh_token flow for the providers that support it. Built-in support for the Google access_type and Reddit duration custom parameters has also been added to allow retrieving refresh tokens.

  • References to URL or address(es) have been replaced by more generic URI/uri(s) references. While not mandatory, maintainers of third-party stores/DB integrations are invited to update their implementation of IOpenIddictApplicationStore to use uri and uris instead of address and addresses to match the new names used by OpenIddict.