Earlier today, I pushed new packages for all the aspnet-contrib projects. This is the first release since July (and probably one of the most exciting so far).
What's new?
New OAuth 2.0 social providers
Thanks to our amazing contributors, 10 new providers have been added in this release:
- Automatic (by Jesse Mandel)
- Cisco Spark (by Robert Shade)
- EVE Online (by Mariusz Zieliński)
- MailChimp (by Igor Simovic)
- MYOB (by Jordan Knight)
- StackExchange (by Andrew Lock)
- Strava (by James Holcomb)
- Untapped (by Albert Zakiev)
- Visual Studio Online (by Albert Zakiev)
- Yammer (by Albert Zakiev)
New primitives for the OpenID Connect server middleware
Starting with beta7, the OpenID Connect server middleware (ASOS) no longer relies on IdentityModel's OpenIdConnectMessage, that proved to be way too limited to represent complex JSON payloads and wasn't able to preserve non-string parameters types.
Instead, ASOS now comes with its own primitives: OpenIdConnectMessage, OpenIdConnectRequest and OpenIdConnectResponse. Unlike their IdentityModel equivalent, these types are backed by JSON.NET's primitives, which means that code like this will now work flawlessly:
1 | var response = new OpenIdConnectResponse(); |
The other good news is that these primitives are part of a whole new .NET Standard 1.0 package (AspNet.Security.OpenIdConnect.Primitives) that is shared between the OWIN/Katana and the ASP.NET Core flavors of ASOS, which helps reduce code duplication between the two projects.
Proof Key for Code Exchange (PKCE) is now supported
In August, ASOS was updated to support the Proof Key for Code Exchange specification:
OAuth 2.0 [RFC6749] public clients are susceptible to the authorization code interception attack.
In this attack, the attacker intercepts the authorization code returned from the authorization endpoint within a communication path not protected by Transport Layer Security (TLS), such as inter-application communication within the client's operating system.
Once the attacker has gained access to the authorization code, it can use it to obtain the access token.
This change makes ASOS fully compatible with client libraries supporting PKCE, like AppAuth for iOS.
All ASOS' endpoints are now disabled by default
To reduce ASOS' attack surface, all its endpoints – except the discovery endpoints – are now disabled by default. This means that you now have to explicitly assign a path to enable an endpoint:
1 | app.UseOpenIdConnectServer(options => |
This change makes ASOS consistent with how OAuthAuthorizationServerMiddleware used to work.
The automatic RSA key generation feature was removed
Starting with beta7, ASOS will no longer generate and register a signing key for you if you don't explicitly add one and will throw an exception if no signing credentials have been registered:
At least one signing key must be registered. Consider registering a X.509 certificate or call
options.SigningCredentials.AddEphemeralKey()to generate and register an ephemeral signing key.
Though very convenient, this feature proved to be unreliable so I've decided to remove it and replace it by an opt-in ephemeral key generation extension:
1 | app.UseOpenIdConnectServer(options => |
ECDSA signing keys support
When running ASOS on .NET Core, you can now use ECDSA keys/certificates to sign your identity tokens:
1 | app.UseOpenIdConnectServer(options => |
Though ASOS exposes ECDSA keys via the discovery endpoint, this feature is not yet supported by the JWT bearer middleware. You can track the progress here.
ASOS is now fully unit-tested
A huge effort has been made to add unit tests for all the ASOS primitives and endpoints (1955 tests at the time of writing).
What's next?
This release will be the last ASOS beta, as we're now done with the important design changes.
A first release candidate version should be released in March and ASOS should RTM in April.