4.1.2

minor bug fixes

4.1.1

As part of this release we had 6 issues closed.

bugs

• #4951 Add null check before setting consumedTime
• #4948 DefaultClaimsService.GetIdentityTokenClaimsAsync uses wrong Resource parameter for ProfileData
• #4929 Typo in DefaultClaimsService.cs

enhancements

• #4942 Obfuscate refresh token and authorization code in logs
• #4935 Update to Message to enable deserialization in .NET 5.0-rc1
• #4711 Allow setting SameSite mode of the SessionId cookie

4.1.0

As part of this release we had 13 issues closed.

bugs

• #4854 only re-issue session cookie when client added #4812
• #4852 add defensive check to fix bug for when session is expired #4844
• #4851 fix serialization bug on LogoutRequest.Parameters #4655
• #4850 ensure consumed time is utc
• #4849 fix bug for consent is saved regardless of RememberConsent
• #4833 Consent is saved regardless of RememberConsent checkbox value
• #4812 Sliding Cookies not working for implicit flow in IdentityServer4 v4.x
• #4712 fix multiple WWW-Authenticate header to one

enhancements

• #4870 Update JAR mime type
• #4868 Make identity server work with publish single file in .NET 5.0
• #4853 add more defensive check on check session endpoint #4051
• #4794 Add missing awaits on CachingClientStore and CachingResourceStore
• #4744 Introduce LoggingOptions.AuthorizeRequestSensitiveValuesFilter

4.0.4

As part of this release we had 2 issues closed.

bug

• #4677 make AutoMapper v10 the min version

enhancement

• #4649 Fix 401 malformed WWW-Authenticate

4.0.3

As part of this release we had 4 issues closed.

bugs

• #4670 defer calls to perform signout work to avoid re-entry recursion issue with AspId
• #4641 Fix exception message when no matching signing algorithm can be found

enhancements

• #4611 Allow AutoMapper 10
• #4575 Reduce log level for expired secrets

3.1.4

As part of this release we had 2 issues closed.

bug

• #4240 Fix UserLoginFailureEvent raised with interactive=true in resource owner grant flow

enhancement

• #4618 validate filter values on db results

4.0.2

As part of this release we had 2 issues closed.

bug

• #4615 Fix custom redirect after ProcessLogin for custom authorize response generators

enhancement

• #4616 validate filter values on db results

4.0.1

As part of this release we had 1 issue closed.

bug

• #4577 fix exception with prompt=login

4.0

As part of this release we had 58 issues closed.
Next big release - after ASP.NET Core 3.1

bugs

• #4498 fix infinite loop in Token Cleanup after concurrency exception
• #4496 AuthorizeInteractionResponseGenerator : MaxAge does not respect prompt=none
• #4368 How to add a custom implementation (e.g. WsFederation) of IReturnUrlParser if everything is internal set in AuthorizationRequest class in next v4.x ?
• #4295 DefaultClientConfigurationValidator bug
• #4290 Fix cnf format for MTLS
• #4268 AddOidcStateDataFormatterCache broken with new JSON serializer
• #4173 Duplicate UserLoginSuccess/Failure events when using resource owner grant and IdentityServer4.AspNetIdentity
• #4145 Error Response with invalid redirection URI on authorize endpoint
• #4129 Fix logger category name for BackChannelLogoutHttpClient
• #4095 Return invalid_grant when redirect_uri is invalid on token endpoint
• #4075 Error Response with invalid redirection URI
• #4037 Bug Fix #4036 - missing crv value when passing JsonWebKey to AddSigni…

enhancements

• #4504 Update error handling for invalid response modes
• #4502 Update form content check to reject multipart forms
• #4501 Update authorization code validation to do client binding check before deleting the code in the store
• #4499 Allow setting domain on SessionIdCookie #4406
• #4444 Make sensitive data filters configurable
• #4439 namespace cleanup/refactor in host (to support templates)
• #4428 add consumedtime to persisted grant and refresh token
• #4427 Features/bootstrap update
• #4409 Add strict JAR mode
• #4390 enhancements to add logout notification service as first class service
• #4376 Features/grants enhancements
• #4361 Extend JWT token validation to accept space separated scopes
• #4360 Adapt JWT request validation to latest JAR spec
• #4357 Add iat to access tokens
• #4352 Emit jti by default
• #4343 Add option to set SameSite mode for internal cookies
• #4342 Add option to emit scopes as space separated string in JWT (as opposed to array)
• #4245 Strict redirect uri validator app auth with path
• #4237 Make aspid profile service more extensible
• #4235 end session changes: IsActive no longer called and no longer default to a single redirect uri
• #4234 Use non-case sensitive string for any ids
• #4227 switch to named HTTP clients from factory (instead of typed)
• #4226 Reduce usage of Newtonsoft.Json
• #4210 add sid and device description to grants table
• #4208 add support for handling multiple prompt values
• #4204 Add API to interaction service to return error to client
• #4203 Improve query on cors origins. #3395
• #4202 include sid (if present) in access tokens #3955
• #4153 private_key_jwt updates
• #4026 Added AddUserSession extension method
• #4024 Add JAR support
• #4019 Add client setting to require request object
• #3979 Added notification for device code removal
• #3969 Make cnf part of Token model
• #3962 MTLS Update
• #3892 V4: Multiple signing keys
• #3761 Add a client setting to require request objects
• #3732 Remove unused SaveChanges APIs in EF DbContext Interfaces
• #3692 Removed obsolete code
• #3413 IUserSession.CreateSessionIdAsync should return sid
• #3395 Improve query on cors origins.

breaking changes

• #4335 Remove public origin setting
• #4199 scope validation refactor
• #3939 Update PKCE and Consent default settings on Client
• #3888 Cleanup SignInAsync extension methods
• #3887 V4: Make client claims serialization friendly

4.0 Preview 6

As part of this release we had 58 issues closed.
Next big release - after ASP.NET Core 3.1

bugs

• #4498 fix infinite loop in Token Cleanup after concurrency exception
• #4496 AuthorizeInteractionResponseGenerator : MaxAge does not respect prompt=none
• #4368 How to add a custom implementation (e.g. WsFederation) of IReturnUrlParser if everything is internal set in AuthorizationRequest class in next v4.x ?
• #4295 DefaultClientConfigurationValidator bug
• #4290 Fix cnf format for MTLS
• #4268 AddOidcStateDataFormatterCache broken with new JSON serializer
• #4173 Duplicate UserLoginSuccess/Failure events when using resource owner grant and IdentityServer4.AspNetIdentity
• #4145 Error Response with invalid redirection URI on authorize endpoint
• #4129 Fix logger category name for BackChannelLogoutHttpClient
• #4095 Return invalid_grant when redirect_uri is invalid on token endpoint
• #4075 Error Response with invalid redirection URI
• #4037 Bug Fix #4036 - missing crv value when passing JsonWebKey to AddSigni…

enhancements

• #4504 Update error handling for invalid response modes
• #4502 Update form content check to reject multipart forms
• #4501 Update authorization code validation to do client binding check before deleting the code in the store
• #4499 Allow setting domain on SessionIdCookie #4406
• #4444 Make sensitive data filters configurable
• #4439 namespace cleanup/refactor in host (to support templates)
• #4428 add consumedtime to persisted grant and refresh token
• #4427 Features/bootstrap update
• #4409 Add strict JAR mode
• #4390 enhancements to add logout notification service as first class service
• #4376 Features/grants enhancements
• #4361 Extend JWT token validation to accept space separated scopes
• #4360 Adapt JWT request validation to latest JAR spec
• #4357 Add iat to access tokens
• #4352 Emit jti by default
• #4343 Add option to set SameSite mode for internal cookies
• #4342 Add option to emit scopes as space separated string in JWT (as opposed to array)
• #4245 Strict redirect uri validator app auth with path
• #4237 Make aspid profile service more extensible
• #4235 end session changes: IsActive no longer called and no longer default to a single redirect uri
• #4234 Use non-case sensitive string for any ids
• #4227 switch to named HTTP clients from factory (instead of typed)
• #4226 Reduce usage of Newtonsoft.Json
• #4210 add sid and device description to grants table
• #4208 add support for handling multiple prompt values
• #4204 Add API to interaction service to return error to client
• #4203 Improve query on cors origins. #3395
• #4202 include sid (if present) in access tokens #3955
• #4153 private_key_jwt updates
• #4026 Added AddUserSession extension method
• #4024 Add JAR support
• #4019 Add client setting to require request object
• #3979 Added notification for device code removal
• #3969 Make cnf part of Token model
• #3962 MTLS Update
• #3892 V4: Multiple signing keys
• #3761 Add a client setting to require request objects
• #3732 Remove unused SaveChanges APIs in EF DbContext Interfaces
• #3692 Removed obsolete code
• #3413 IUserSession.CreateSessionIdAsync should return sid
• #3395 Improve query on cors origins.

breaking changes

• #4335 Remove public origin setting
• #4199 scope validation refactor
• #3939 Update PKCE and Consent default settings on Client
• #3888 Cleanup SignInAsync extension methods
• #3887 V4: Make client claims serialization friendly