Skip to content

Releases: DuendeSoftware/Duende.AccessTokenManagement

3.0.0

12 Aug 21:50
@josephdecock josephdecock
3.0.0
b0f2ac0
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.
Compare
Choose a tag to compare
3.0.0 Latest
Latest

This is a major release of Duende.AccessTokenManagement and Duende.AccessTokenManagement.OpenIdConnect. Highlights include

  • Improved support for Blazor Server
  • Updates to dependencies
  • Bug fixes and improvements

Breaking Changes

  • Support for .NET 6 and 7 has been dropped, as Microsoft either no longer supports or soon will no longer support those versions in the coming months. Duende.AccessTokenManagement Version 2.1 (which supports .NET 6 and 7) will continue to be supported until .NET 6 reaches end of life in November.
  • The OpenIdConnectUserAccessTokenHandler no longer depends on HttpContext, and instead depends on the new IUserAccessor interface. This change allows us to use the handler in Blazor Server projects. If you have customized the handler in a derived class, update your derived class's constructor to depend on the IUserAccessor and pass that to the handler's constructor. You probably don't need to implement IUserAccessor - the default implementation of the IUserAccessor is registered automatically and accesses the current user from the HttpContext, and a blazor server specific implementation is also available.
  • The OpenIdConnectUserAccessTokenHandler also now takes a direct dependency on the IUserTokenManagementService, rather than resolving it from the HttpContext. Again, if you have customized the handler in a derived class, you'll need to update constructors.

Blazor Server Support

This release improves our support for Blazor Server. We've added a new method to use when registering services: AddBlazorServerAccessTokenManagement. This method sets up dependencies needed specifically in a Blazor Server environment, including retrieving the current user without using HttpContext when it is not available. This simplifies creating HttpClients that use the current user's access token.

Blazor Server implementations have always required a server side token store (an implementation of ITokenStore). You should pass your implementation of ITokenStore to AddBlazorServerAccessTokenManagement's type parameter.

We've also exposed the logic related to storage of tokens in an AuthenticationTicket as a new service.

Dependencies

  • We now depend on:
    • version 7.0.0 or later of IdentityModel
    • version 8.0.1 or later of the ASP.NET OpenIdConnect Authentication Handler (Microsoft.AspNetCore.Authentication.OpenIdConnect)
    • version 7.1.2 or later of the Microsoft JWT Handler (System.IdentityModel.Tokens.Jwt)

Our approach for dependencies is to depend on the minimum patch version that accomplishes
the following:

  • Avoid depending on a version of a package that has a known security vulnerability
  • Avoid depending on a version that has a transitive dependency on a version of a package that has a known vulnerability
  • Depend on the same version of the Microsoft JWT handler as the ASP.NET OpenIdConnect Authentication Handler

Full Changelog

Blazor Support

Bugs and Improvements

Dependencies

  • Updated System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.JsonWebTokens to latest to address CVEs by @chgl in #53
  • Updateed System.IdentityModel.Tokens.Jwt and Microsoft.AspNetCore.Authentication.* by @josephdecock in #92
  • Update IdentityModel to v7.0.0 by @josephdecock in #93
  • Drop support for .NET 6/7 by @josephdecock in #98

Dependabot

New Contributors

Full Changelog: 2.1.2...3.0.0

Contributors

paulomorgado, josephdecock, and 8 other contributors
Assets 2
Loading

3.0.0-preview.3

08 May 01:50
@josephdecock josephdecock
3.0.0-preview.3
f55ae98
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.
Compare
Choose a tag to compare
3.0.0-preview.3 Pre-release
Pre-release

This updated preview includes a bug fix for the Blazor Server token management extensions.

New Contributors

Full Changelog: 3.0.0-preview.2...3.0.0-preview.3

Contributors

maxmantz
Assets 2
Loading

3.0.0-preview.2

08 May 01:48
@josephdecock josephdecock
3.0.0-preview.2
5c41c64
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.
Compare
Choose a tag to compare
3.0.0-preview.2 Pre-release
Pre-release

This release was accidentally built from the same commit as 3.0.0-preview.1 and should be ignored.

Assets 2
Loading

3.0.0-preview.1

06 May 23:25
@josephdecock josephdecock
3.0.0-preview.1
5c41c64
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.
Compare
Choose a tag to compare
3.0.0-preview.1 Pre-release
Pre-release

This is a preview release of Duende.AccessTokenManagement and Duende.AccessTokenManagement.OpenIdConnect v3.0.0. The highlights of this major release include

  • Improved support for Blazor Server
  • Updates to dependencies
  • Bug fixes and improvements

Breaking Changes

  • Support for .NET 6 and 7 has been dropped, as Microsoft will no longer be supporting those versions in the coming weeks or months. Duende.AccessTokenManagement Version 2.1 (which supports .NET 6 and 7) will continue to be supported until .NET 6 reaches end of life in November.
  • The OpenIdConnectUserAccessTokenHandler no longer depends on HttpContext, and instead depends on the new IUserAccessor interface. This change allows us to use the handler in Blazor Server projects. If you have customized the handler in a derived class, update your derived class's constructor to depend on the IUserAccessor and pass that to the handler's constructor. You probably don't need to implement IUserAccessor - the default implementation of the IUserAccessor is registered automatically and accesses the current user from the HttpContext, and a blazor server specific implementation is also available.
  • The OpenIdConnectUserAccessTokenHandler also now takes a direct dependency on the IUserTokenManagementService, rather than resolving it from the HttpContext. Again, if you have customized the handler in a derived class, you'll need to update constructors.

Blazor Server Support

This release improves our support for Blazor Server. We've added a new method to use when registering services: AddBlazorServerAccessTokenManagement. This method sets up dependencies needed specifically in a Blazor Server environment, including retrieving the current user without using HttpContext when it is not available. This simplifies creating HttpClients that use the current user's access token.

Blazor Server implementations have always required a server side token store (an implementation of ITokenStore). You should pass your implementation of ITokenStore to AddBlazorServerAccessTokenManagement a type parameter.

We've also exposed the logic related to storage of tokens in an AuthenticationTicket as a new service.

Dependencies

  • We now depend on:
    • version 7.0.0 or later of IdentityModel
    • version 8.0.1 or later of the ASP.NET OpenIdConnect Authentication Handler (Microsoft.AspNetCore.Authentication.OpenIdConnect)
    • version 7.1.2 or later of the Microsoft JWT Handler (System.IdentityModel.Tokens.Jwt)

Our approach for dependencies is to depend on the minimum patch version that accomplishes
the following:

  • Avoid depending on a version of a package that has a known security vulnerability
  • Avoid depending on a version that has a transitive dependency on a version of a package that has a known vulnerability
  • Depend on the same version of the Microsoft JWT handler as the ASP.NET OpenIdConnect Authentication Handler

Full Changelog

Blazor Support

Bugs and Improvements

  • Keep previous refresh token if not updated during refresh by @hybrid2102 in #46
  • Add a specific exception when the clientId is empty by @kallayj in #73
  • Remove space from closing a tag in Index.cshtml by @RolandGuijt in #72

Dependencies

  • Updated System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.JsonWebTokens to latest to address CVEs by @chgl in #53
  • Updateed System.IdentityModel.Tokens.Jwt and Microsoft.AspNetCore.Authentication.* by @josephdecock in #92
  • Update IdentityModel to v7.0.0 by @josephdecock in #93
  • Drop support for .NET 6/7 by @josephdecock in #98

Dependabot

Contributors

josephdecock, hybrid2102, and 5 other contributors
Assets 2
Loading

2.1.2

19 Apr 14:25
@josephdecock josephdecock
2.1.2
a92cadd
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.
Compare
Choose a tag to compare
2.1.2

This is a patch release that fixes a bug when using DPoP and Resource Indicators together.

What's Changed

Full Changelog: 2.1.1...2.1.2

Contributors

josephdecock
Assets 2
Loading

2.1.1

04 Apr 21:34
@brockallen brockallen
2.1.1
db3ac68
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.
Compare
Choose a tag to compare
2.1.1

This is a patch release that fixes a DPoP bug and updates our dependency on ASP.NET framework packages.

What's Changed

  • update dependencies to latest patches by @brockallen in #78
    Updated dependency on ASP.NET framework packages from version 8.0.0 to version 8.0.3. This updates our transitive dependency on the System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.JsonWebTokens packages past versions that have a known Denial of Service vulnerability.
  • Fix handling of dpop nonce sent during token exchange by @josephdecock in #79
    Fixes a bug where DPoP nonces provided by authorization servers were not processed correctly.

Full Changelog: 2.1.0...2.1.1

Contributors

brockallen and josephdecock
Assets 2
Loading

2.1.0

04 Jan 17:43
@brockallen brockallen
2.1.0
bc89429
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
2.1.0

What's Changed

New Contributors

Full Changelog: 2.0.3...2.1.0

Contributors

josephdecock and hybrid2102
Assets 2
Loading

2.1.0-preview.1

29 Nov 15:11
@josephdecock josephdecock
2.1.0-preview.1
bc89429
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
2.1.0-preview.1 Pre-release
Pre-release

This is a preview release that adds support for .NET 8 while keeping support for .NET 6. Also included in this preview is support for explicitly passing scopes on refresh.

What's Changed

New Contributors

Full Changelog: 2.0.3...2.1.0-preview.1

Contributors

josephdecock and hybrid2102
Assets 2
Loading

2.0.3

20 Jul 21:26
@brockallen brockallen
2.0.3
4fce219
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
2.0.3

What's Changed

New Contributors

Full Changelog: 2.0.2...2.0.3

Contributors

brockallen, espenekvang, and tvoracek
Assets 2
Loading

2.0.0

26 Apr 14:28
@brockallen brockallen
2.0.0
b156257
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
2.0.0

What's Changed

Full Changelog: 1.1.0...2.0.0

Contributors

brockallen
Assets 2
Loading