The new ASOS and OpenIddict packages are now on NuGet.org

Development

Today's the day: new ASOS and OpenIddict packages (compatible with ASP.NET Core 1.0 and 2.0) have just been pushed to NuGet.org:

What's new?

In AspNet.Security.OpenIdConnect.Server and Owin.Security.OpenIdConnect.Server 1.0.2

  • Calling context.HandleResponse() from the SerializeAuthorizationCode, SerializeAccessToken, SerializeIdentityToken and SerializeRefreshToken events no longer throws an exception if the authentication ticket is not explicitly set (c734c6f).
  • An invalid exception message mentioning OpenIddict was reworded (cd83912).
  • The authorization code/access token/identity token/refresh token deserialization methods are no longer called twice for introspection and revocation requests that specify a token_type_hint that doesn't match the actual token type (c561a34).
  • A standard-compliant Expires HTTP header is now returned by the non-interactive ASOS endpoints (5af1d44).
  • New constants have been added to OpenIdConnectConstants (0980fb8) (461ecd4).
  • New events allowing to control the sign-in, sign-out and challenge operations have been introduced (d95810b) (3801427).

In AspNet.Security.OpenIdConnect.Server 2.0.0-rc1-final

OpenIdConnectServerProvider can now be resolved from the DI container

Good news: OpenIdConnectServerProvider can now be used with dependency injection thanks to a huge refactoring of the ASP.NET Core 2.0 authentication stack, that now implements the options-based pattern I recommended.

To use constructor-injected dependencies in your provider, you can ask ASOS to resolve the provider instance at request-time by setting the new OpenIdConnectServerOptions.ProviderType option (which is a wrapper around AuthenticationSchemeOptions.EventsType):

1
2
3
4
5
6
7
8
9
10
11
public class AuthorizationProvider : OpenIdConnectServerProvider
{
    private readonly ApplicationContext _database;

    public AuthorizationProvider(ApplicationContext database)
    {
        _database = database;
    }

    // ...
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Register your custom provider in the DI container.
        services.AddScoped<AuthorizationProvider>();

        services.AddAuthentication()
            .AddOpenIdConnectServer(options =>
            {
                // ...

                // Ask ASOS to resolve the provider instance corresponding
                // to the specified type when an OIDC request is received.
                options.ProviderType = typeof(AuthorizationProvider);
            });
    }
}

Such feature requires built-in support in the authentication stack and thus, is unfortunately not available in the OWIN/Katana version of ASOS 2.x.

In Owin.Security.OpenIdConnect.Server 2.0.0-rc1-final

The OWIN/Katana version of ASOS 2.x now requires targeting the Microsoft.Owin 4.0.0-alpha1 packages, which are natively compatible with IdentityModel 5.2.0-preview1 (unlike the previous iteration).

In OpenIddict 1.0.0-rc1-final and 2.0.0-rc1-final

OpenIddict 1.0.0-rc1-final/2.0.0-rc1-final is the first public version of OpenIddict. To learn more about the changes added since the first betas, don't hesitate to take a look at the GitHub repository.

What package(s) should I reference?

Depending on whether your application targets OWIN/Katana 1.x/2.x or ASP.NET Core 1.x/2.x, you'll need to reference different versions of the ASOS/OpenIddict packages as the authentication stack has been completely revamped in ASP.NET Core 2.0. For more information about these changes, read the Auth 2.0 Changes / Migration announcement on GitHub.

Your application uses the low-level OpenID Connect server handler (aka ASOS)

Your application is an ASP.NET Core 1.x/2.x project

ASP.NET Core versionPackage namePackage versionPackage description
1.xAspNet.Security.OpenIdConnect.Server1.0.2Contains the OpenID Connect server middleware.
2.xAspNet.Security.OpenIdConnect.Server2.0.0-rc1-finalContains the OpenID Connect server middleware.

Your application is an OWIN/Katana (legacy ASP.NET) project

OWIN/Katana versionPackage namePackage versionPackage description
3.xOwin.Security.OpenIdConnect.Server1.0.2Contains the OpenID Connect server middleware.
4.xOwin.Security.OpenIdConnect.Server2.0.0-rc1-finalContains the OpenID Connect server middleware.

Your application uses OpenIddict

ASP.NET Core versionPackage namePackage versionPackage description
1.xOpenIddict1.0.0-rc1-finalContains the OpenID Connect server component that is needed to handle OAuth 2.0 and OIDC requests.
1.xOpenIddict.EntityFramework1.0.0-rc1-finalContains the Entity Framework 6.x stores (only compatible with .NET Framework 4.5.1).
1.xOpenIddict.EntityFrameworkCore1.0.0-rc1-finalContains the Entity Framework Core stores.
2.xOpenIddict2.0.0-rc1-finalContains the OpenID Connect server component that is needed to handle OAuth 2.0 and OIDC requests.
2.xOpenIddict.EntityFramework2.0.0-rc1-finalContains the Entity Framework 6.x stores (only compatible with .NET Framework 4.6.1).
2.xOpenIddict.EntityFrameworkCore2.0.0-rc1-finalContains the Entity Framework Core stores.

When using OpenIddict, the appropriate ASOS version will be automatically chosen by NuGet: you don't need to explicitly reference the AspNet.Security.OpenIdConnect.Server package.