Earlier today, the OpenIddict 7.0 packages were pushed to NuGet.org 🎉
For those familiar with OpenIddict's release cadence, this may sound surprising (as major versions typically ship in December), but there are two reasons for that:
- OpenIddict 7.0 replaces ASP.NET Core 2.1 with ASP.NET Core 2.3 as the new minimum version, which has important implications.
- OpenIddict 7.0 introduces OAuth 2.0 Token Exchange support in both the client and server stacks: since it was by far the most requested feature, I didn't want to wait until December for users to be able to play with it 😊
This blog post will highlight the most important changes, but the complete list can be found in the release notes of the four 7.0 preview releases:
What's new?
ASP.NET Core 2.3 replaces 2.1 as the minimal version on .NET Framework
If you're using ASP.NET Core 2.1 (or 2.2) on .NET Framework, you're probably already aware that the ASP.NET team re-released ASP.NET Core 2.1 as ASP.NET Core 2.3 in January.
That move may sound surprising, but the ASP.NET team realized that a lot of users were still using ASP.NET Core 2.2 (the latest ASP.NET Core version compatible with .NET Framework). Unlike ASP.NET Core 2.1, 2.2 is no longer supported, but since it's listed as the latest 2.x version available on NuGet.org, many people use it thinking it is the supported version. By rebranding 2.1 to 2.3, the unsupported 2.2 packages no longer appear as the latest 2.x packages.
The thing is: while it was released as a minor version update, ASP.NET Core 2.3 is not 100% compatible with ASP.NET Core 2.2, as none of the changes or APIs introduced in 2.2 – no longer supported since December 2019 – is present in 2.3. Unfortunately, since security fixes for the ASP.NET Core 2.x branch now exclusively ship as 2.3.x packages, updating the version referenced by OpenIddict was essential to ensure OpenIddict users are always running a supported and secure version.
When migrating to OpenIddict 7.0, you'll need to carefully review your dependencies to ensure your application doesn't accidentally depend on any ASP.NET Core 2.2-specific API or package and still runs fine on 2.3.
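One way to start that dependency review, as an added example that is not part of OpenIddict or of the original post: a Python script that flags direct references to `Microsoft.AspNetCore.*` or `Microsoft.Extensions.*` packages pinned to a 2.2.x version in `.csproj` and `packages.config` files. The sample project, the helper names and the choice of those two package families are assumptions made for this illustration.

```python
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumption: these two package families are the ones worth checking for 2.2.x pins.
WATCHED = re.compile(r"^Microsoft\.(AspNetCore|Extensions)(\.|$)", re.IGNORECASE)
IS_22 = re.compile(r"2\.2(\D|$)")  # 2.2, 2.2.0, 2.2.*, 2.2.0-rtm ... but not 2.20.x

# Constructed sample project file, used when no directory is given.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Mvc" Version="2.2.0" />
    <PackageReference Include="Microsoft.AspNetCore.Diagnostics.HealthChecks">
      <Version>2.2.0</Version>
    </PackageReference>
    <PackageReference Include="Microsoft.Extensions.Logging" Version="8.0.0" />
    <PackageReference Include="OpenIddict.AspNetCore" Version="7.0.0" />
  </ItemGroup>
</Project>"""

def local(tag):
    """Drop the MSBuild XML namespace that old-style project files carry."""
    return tag.rsplit("}", 1)[-1]

def find_22_references(xml):
    """Return sorted (package, version) pairs pinned to a 2.2.x release."""
    hits = set()
    for el in ET.fromstring(xml).iter():
        if local(el.tag) == "PackageReference":
            name = el.get("Include") or el.get("Update") or ""
            version = el.get("Version") or next(
                (c.text for c in el if local(c.tag) == "Version"), "")
        elif local(el.tag) == "package":  # packages.config entry
            name, version = el.get("id", ""), el.get("version", "")
        else:
            continue
        version = (version or "").strip()
        if WATCHED.match(name) and IS_22.match(version.lstrip("[( ")):
            hits.add((name, version))
    return sorted(hits)

def scan_tree(root):
    """Map each project file under root to the 2.2.x references it contains."""
    files = (p for p in Path(root).rglob("*")
             if p.suffix == ".csproj" or p.name == "packages.config")
    report = {str(p): find_22_references(p.read_bytes()) for p in files}
    return {path: hits for path, hits in report.items() if hits}

if __name__ == "__main__":
    print(scan_tree(sys.argv[1]) if len(sys.argv) > 1 else find_22_references(SAMPLE_CSPROJ))
```

This only sees direct references: transitive ones need the restored package graph (for example `dotnet list package --include-transitive`), and use of 2.2-only APIs only shows up when the application is compiled against 2.3.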
OpenIddict 7.0 now references .NET Extensions 8.0 on .NET Framework 4.6.2+ and .NET Standard 2.0/2.1
While ASP.NET Core 2.1 referenced the 2.1 version of the Microsoft.Extensions.* packages, ASP.NET Core 2.3 now references the 8.0 version: as such, all the OpenIddict packages – even those that don't reference ASP.NET Core – have been updated to use the 8.0 version, which allowed introducing some significant improvements.
Canary testing has confirmed that OWIN/Katana or "legacy" ASP.NET 4.6.2+ applications are not negatively impacted by this change: in almost all cases, regenerating the binding redirects (or manually updating them if necessary) after migrating to OpenIddict 7.0 is enough to ensure the application will still work fine after the migration.
For more information, see Update the .NET Framework/.NET Standard TFMs to reference ASP.NET Core/Entity Framework Core 2.3 and the .NET Extensions version 8.0.