Releases: IdentityServer/IdentityServer4
3.0
As part of this release we had 13 issues closed.
We didn't plan to make fundamental changes for this release, but since we had the opportunity, we added some important features and made some minor breaking changes to make IdentityServer more future-proof.
Updates for ASP.NET Core 3
- #3512 Drop netstandard2.0 and switch to netcoreapp3.0
Crypto update
Before this release, we only supported RS256 as the signing algorithm for tokens. This release adds support for RS384, RS512, PS256, PS384, PS512, ES256, ES384 and ES512. We also added support for s_hash.
- #3534 Ecdsa curve handling
- #3527 Add support for ECDsa keys to discovery document
- #3435 c_hash generated using wrong hashing algorithm according to spec
- #3511 Add support for additional signing algorithms
- #3561 Support specific signing algorithms per validation key
- #3584 Re-factor logic to turn Secrets into SecurityKeys
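With more than one signing algorithm in play, c_hash and s_hash can no longer be assumed to be SHA-256 based: OpenID Connect defines them as the base64url-encoded left half of a hash whose family follows the ID token's alg header. The sketch below is an added example, not IdentityServer code; the function names and sample values are constructed for illustration, and it assumes the token signature has already been validated.

```python
import base64
import hashlib
import hmac
import json

# Hash family implied by the numeric suffix of the JWS alg (RS/PS/ES 256, 384, 512).
HASH_BY_SUFFIX = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}
SUPPORTED_PREFIXES = ("RS", "PS", "ES")


def b64url(data: bytes) -> str:
    """base64url without padding, as used in JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def hash_for_alg(alg: str):
    """Map a signing algorithm name to its hash constructor; reject anything else."""
    if len(alg) != 5 or alg[:2] not in SUPPORTED_PREFIXES or alg[2:] not in HASH_BY_SUFFIX:
        raise ValueError(f"unsupported signing algorithm: {alg!r}")
    return HASH_BY_SUFFIX[alg[2:]]


def left_half_hash(value: str, alg: str) -> str:
    """base64url(left-most half of hash(ASCII(value))), hash chosen by alg."""
    digest = hash_for_alg(alg)(value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def check_id_token_hashes(header_b64: str, claims: dict, code=None, state=None) -> list:
    """Return the names of hash claims that do not match (empty list: all match)."""
    padded = header_b64 + "=" * (-len(header_b64) % 4)
    alg = json.loads(base64.urlsafe_b64decode(padded))["alg"]
    failures = []
    for claim, value in (("c_hash", code), ("s_hash", state)):
        if value is None:
            continue  # nothing to bind for this flow
        expected = left_half_hash(value, alg).encode("ascii")
        actual = str(claims.get(claim, "")).encode("utf-8")
        # Constant-time comparison; a missing claim counts as a mismatch.
        if not hmac.compare_digest(expected, actual):
            failures.append(claim)
    return failures


if __name__ == "__main__":
    # Constructed sample: an ES384 token whose c_hash was wrongly built with SHA-256.
    header = b64url(json.dumps({"alg": "ES384", "typ": "JWT"}).encode())
    code, state = "constructed-code-123", "constructed-state-456"
    claims = {"c_hash": left_half_hash(code, "RS256"),
              "s_hash": left_half_hash(state, "ES384")}
    print(check_id_token_hashes(header, claims, code, state))
```

A client that hard-codes SHA-256 here accepts tokens from a pre-fix server and rejects correct ones once the server signs with a 384- or 512-bit algorithm, which is the kind of interoperability break worth testing during the upgrade.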
Changes
We removed the old legacy ~/resources audience from access tokens and use a typ header instead. This might cause problems with some legacy JWT validation libraries and needs some testing.
- #1961 Consider removing ~/resources audience from access tokens
- #3513 Set typ header for access tokens
Misc
2.5.3
2.5.2
2.5.1
2.5.0
As part of this release we had 44 issues closed.
bugs
- #3404 HashedSharedSecretValidator does not catch null value
- #3391 Added check to scope validator for missing identity and api scopes
- #3388 repro PR for Incorrect secret type for missing secret in BasicAuth #2975
- #3358 DefaultTokenService - access token claims without distinct
- #3330 Object reference not set to an instance of an object - when calling RequestClientCredentialsTokenAsync
- #3325 ids4 configured to use external ConsentUrl duplicates path in ReturnUrl
- #3320 Include identity resource properties in GetAllResourcesAsync
- #3282 Add vary by origin for Cache-Control on disco endpoints
- #3128 Latest Identity Server 4 OIDC Form Post doesn't work when run in a WinForms WebBrowser control
- #3013 IdentityServer4.Models.ApiResourceExtensions.CloneWithScopes does not clone properties
- #2875 code flow with fragment response mode is not allowed
enhancements
- #3422 Add claims transformation event to local API authN handler
- #3409 add AddValidationKeys signature accepting X509Certificate2[] (#3383)
- #3406 add scope to all token responses
- #3392 Added scope param to token endpoint for device grant type
- #3382 add message store abstraction on authorization request params
- #3298 should never cache temporary data with no expiration
- #3276 Handle unknown idp at login
- #3257 Make EntityFramework.Stores*Store.cs private fields accessible for derived Classes
- #3254 Prototype for pluggable authN MW
- #3243 Use Task.CompletedTask to reduce allocations
- #3242 Consider global switch to disable request_uri feature
- #3241 Add support for signed authorize requests
- #3234 Add Client.Id and to UserLoginSuccessEvent and UserLoginFailureEvent
- #3229 Make back channel signout a first class service
- #3227 Recompilation required for EF.Storage with latest AutoMapper 8.1.0 due to signature change
- #3219 Add JWK support in JwtRequestValidator
- #3215 LogInformation changed to LogDebug
- #3201 Allowed usage of relative and absolute verification URIs for device authorization
- #3200 Device Code Cleanup
- #3193 Add validation for cors origins that aren't valid
- #3183 Add support to carry an error description back to third party clients on authorize error results
- #3160 PersistedGrants missing index on Expiration column
- #3148 call flush async #3096
- #3143 Log request details on more log messages
- #3139 Back-Channel Logout Token: Allow configuring additional claims
- #3059 Fixed bug where the Subject was not being set on the ValidatedRequest and would not end up in the TokenIssuedSuccessEvent using Code flow
- #2938 Provide more flexibility in the DefaultUserSession cookie management
- #2893 Make ProtectedDataMessageStore public
- #2884 Generate a token with claims from IdentityServerTools
- #2859 Support HttpClientFactory for back channel signout
- #2846 Adjust "Authentication scheme Bearer is configured for IdentityServer, but it is not a scheme that supports signin (like cookies)"
- #2539 Consider Add or Replace Endpoint extension method
- #1958 Add client_id to ErrorMessage when Authorization request failed
2.5 Preview 2
As part of this release we had 22 issues closed.
bugs
- #3128 Latest Identity Server 4 OIDC Form Post doesn't work when run in a WinForms WebBrowser control
- #3013 IdentityServer4.Models.ApiResourceExtensions.CloneWithScopes does not clone properties
- #2875 code flow with fragment response mode is not allowed
enhancements
- #3241 Add support for signed authorize requests
- #3234 Add Client.Id and to UserLoginSuccessEvent and UserLoginFailureEvent
- #3229 Make back channel signout a first class service
- #3227 Recompilation required for EF.Storage with latest AutoMapper 8.1.0 due to signature change
- #3219 Add JWK support in JwtRequestValidator
- #3215 LogInformation changed to LogDebug
- #3201 Allowed usage of relative and absolute verification URIs for device authorization
- #3193 Add validation for cors origins that aren't valid
- #3183 Add support to carry an error description back to third party clients on authorize error results
- #3160 PersistedGrants missing index on Expiration column
- #3148 call flush async #3096
- #3143 Log request details on more log messages
- #3139 Back-Channel Logout Token: Allow configuring additional claims
- #3059 Fixed bug where the Subject was not being set on the ValidatedRequest and would not end up in the TokenIssuedSuccessEvent using Code flow
- #2938 Provide more flexibility in the DefaultUserSession cookie management
- #2884 Generate a token with claims from IdentityServerTools
- #2859 Support HttpClientFactory for back channel signout
- #2539 Consider Add or Replace Endpoint extension method
- #1958 Add client_id to ErrorMessage when Authorization request failed
2.5 Preview 1
As part of this release we had 20 issues closed.
bugs
- #3128 Latest Identity Server 4 OIDC Form Post doesn't work when run in a WinForms WebBrowser control
- #3013 IdentityServer4.Models.ApiResourceExtensions.CloneWithScopes does not clone properties
- #2875 code flow with fragment response mode is not allowed
enhancements
- #3234 Add Client.Id and to UserLoginSuccessEvent and UserLoginFailureEvent
- #3229 Make back channel signout a first class service
- #3227 Recompilation required for EF.Storage with latest AutoMapper 8.1.0 due to signature change
- #3215 LogInformation changed to LogDebug
- #3201 Allowed usage of relative and absolute verification URIs for device authorization
- #3193 Add validation for cors origins that aren't valid
- #3183 Add support to carry an error description back to third party clients on authorize error results
- #3160 PersistedGrants missing index on Expiration column
- #3148 call flush async #3096
- #3143 Log request details on more log messages
- #3139 Back-Channel Logout Token: Allow configuring additional claims
- #3059 Fixed bug where the Subject was not being set on the ValidatedRequest and would not end up in the TokenIssuedSuccessEvent using Code flow
- #2938 Provide more flexibility in the DefaultUserSession cookie management
- #2884 Generate a token with claims from IdentityServerTools
- #2859 Support HttpClientFactory for back channel signout
- #2539 Consider Add or Replace Endpoint extension method
- #1958 Add client_id to ErrorMessage when Authorization request failed
2.4
As part of this release we had 49 commits which resulted in 7 issues being closed.
bugs
- #3066 Fix StringExtensions.GetOrigin throws for malformed URI #3065
- #3024 Added OIDC check to Default Client Config Validator
- #2972 TokenRequestValidator.ValidateAuthorizationCodeRequestAsync: Bad logging for invalid redirect_uri
new features
enhancement
- #2880 AddDeviceFlowStore extension
2.3.2
Added explicit references to dependent assemblies.