AspNet.Security.OpenIdConnect.Server 1.0.0 general availability

Today is a great day for me, as I just uploaded the ASOS 1.0.0 packages to, concluding a 3-year work on this library. A huge thanks to everyone – clients, sponsors, contributors, users – who helped me make this possible: ASOS wouldn't exist without your support!

Migrating to 1.0.0

Migrating from ASOS RC1 to RTM should be rather smooth as no major change was adopted in this release, but there's an important requirement you must comply with to ensure your application still works correctly after the migration: you must also update the validation/introspection middleware to the 1.0.0 RTM version (the previous beta versions won't deliberately work):

<Project Sdk="Microsoft.NET.Sdk.Web">

<PackageReference Include="AspNet.Security.OAuth.Introspection" Version="1.0.0" />
<PackageReference Include="AspNet.Security.OAuth.Validation" Version="1.0.0" />
<PackageReference Include="AspNet.Security.OpenIdConnect.Server" Version="1.0.0" />


If you use recent OpenIddict packages (that use ASOS 1.0.0) or if you explicitly downloaded AspNet.Security.OpenIdConnect.Server or AspNet.Security.OAuth.Introspection 1.0.0 from the aspnet-contrib MyGet feed, consider clearing your NuGet packages folder, as the bits published on slightly differ from the packages initially published on (e.g the ASOS package uploaded to offers ECDSA support when running on .NET Framework 4.7).

For that, close your VS instances, go to C:\Users\[username]\.nuget\packages (on Windows) or ~/.nuget/packages (on macOS) and remove the following folders:

Then, re-open VS and restore your projects or run dotnet restore to download the latest binaries from

Support lifecycle

No software can reasonably ship without a solid support lifecycle and ASOS is no exception. To keep things simple, I've decided to adopt the same support policy as the one used by Microsoft for the .NET Core platform, which means the aspnet-contrib 1.0.0 RTM packages will get critical fixes and security patches until at least July of 2018.

What's next?

The next big step is to port ASOS to the new ASP.NET Core 2.0 authentication stack I helped redesign, as the 1.0 ASOS bits won't work at all due to the massive breaking changes adopted in 2.0 (e.g authentication handlers are now registered in the DI container and a unique authentication middleware handles everything at the pipeline level, in Startup.Configure(IApplicationBuilder app).