Earlier today, I pushed new packages for all the aspnet-contrib projects. This is the first release since July (and probably one of the most exciting so far).
What's new?
New OAuth 2.0 social providers
Thanks to our amazing contributors, 10 new providers have been added in this release:
- Automatic (by Jesse Mandel)
- Cisco Spark (by Robert Shade)
- EVE Online (by Mariusz Zieliński)
- MailChimp (by Igor Simovic)
- MYOB (by Jordan Knight)
- StackExchange (by Andrew Lock)
- Strava (by James Holcomb)
- Untapped (by Albert Zakiev)
- Visual Studio Online (by Albert Zakiev)
- Yammer (by Albert Zakiev)
New primitives for the OpenID Connect server middleware
Starting with beta7, the OpenID Connect server middleware (ASOS) no longer relies on IdentityModel's OpenIdConnectMessage, which proved to be far too limited to represent complex JSON payloads and was unable to preserve the types of non-string parameters.
Instead, ASOS now comes with its own primitives: OpenIdConnectMessage, OpenIdConnectRequest and OpenIdConnectResponse. Unlike their IdentityModel equivalents, these types are backed by JSON.NET's primitives, which means that code like this will now work flawlessly:

```csharp
var response = new OpenIdConnectResponse();
```
The other good news is that these primitives are part of a whole new .NET Standard 1.0 package (AspNet.Security.OpenIdConnect.Primitives) that is shared between the OWIN/Katana and the ASP.NET Core flavors of ASOS, which helps reduce code duplication between the two projects.
Proof Key for Code Exchange (PKCE) is now supported
In August, ASOS was updated to support the Proof Key for Code Exchange specification:
> OAuth 2.0 [RFC6749] public clients are susceptible to the authorization code interception attack.
>
> In this attack, the attacker intercepts the authorization code returned from the authorization endpoint within a communication path not protected by Transport Layer Security (TLS), such as inter-application communication within the client's operating system.
>
> Once the attacker has gained access to the authorization code, it can use it to obtain the access token.
This change makes ASOS fully compatible with client libraries supporting PKCE, like AppAuth for iOS.
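To make the mitigation concrete, here is the PKCE exchange from the specification (RFC 7636) in plain C#, as an added example rather than code from this post or from ASOS: the client derives an S256 code_challenge from a random code_verifier, and the authorization server recomputes the challenge at the token endpoint before it will exchange the code. The class and method names are my own, and the sample verifier is the test vector from appendix B of the RFC.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example for this post: the PKCE (RFC 7636) S256 flow in plain C#.
// It does not use ASOS types; the names below are mine.
public static class PkceExample
{
    // Client side (RFC 7636 section 4.1): the code_verifier is 43..128 characters
    // drawn from [A-Z a-z 0-9 - . _ ~]. Base64url-encoding 32 random bytes gives
    // a 43-character string within that alphabet.
    public static string CreateCodeVerifier()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return Base64UrlEncode(bytes);
    }

    // Client side (RFC 7636 section 4.2):
    // code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), sent with the
    // authorization request together with code_challenge_method=S256.
    public static string ComputeS256Challenge(string codeVerifier)
    {
        using (var sha256 = SHA256.Create())
        {
            return Base64UrlEncode(sha256.ComputeHash(Encoding.ASCII.GetBytes(codeVerifier)));
        }
    }

    // Server side (RFC 7636 section 4.6): the authorization server stored the
    // challenge and method next to the authorization code; at the token endpoint
    // it recomputes the challenge from the presented code_verifier and rejects
    // the exchange on mismatch, so an intercepted code alone cannot be redeemed.
    public static bool VerifyCodeVerifier(string storedChallenge, string storedMethod, string codeVerifier)
    {
        if (storedChallenge == null || codeVerifier == null)
        {
            return false;
        }
        if (codeVerifier.Length < 43 || codeVerifier.Length > 128)
        {
            return false;
        }

        string expected;
        switch (storedMethod)
        {
            case "S256":
                expected = ComputeS256Challenge(codeVerifier);
                break;
            // "plain" is permitted by the RFC but offers no protection if the
            // authorization request itself can be observed; prefer S256.
            case "plain":
                expected = codeVerifier;
                break;
            default:
                return false;
        }

        return FixedTimeEquals(Encoding.ASCII.GetBytes(expected), Encoding.ASCII.GetBytes(storedChallenge));
    }

    // Constant-time comparison so the check does not leak how many leading
    // characters of the challenge matched.
    private static bool FixedTimeEquals(byte[] left, byte[] right)
    {
        if (left.Length != right.Length)
        {
            return false;
        }
        var diff = 0;
        for (var i = 0; i < left.Length; i++)
        {
            diff |= left[i] ^ right[i];
        }
        return diff == 0;
    }

    private static string Base64UrlEncode(byte[] input)
    {
        return Convert.ToBase64String(input).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    public static void Main()
    {
        // code_verifier and code_challenge from RFC 7636 appendix B.
        const string verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
        const string rfcChallenge = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM";

        var challenge = ComputeS256Challenge(verifier);
        Console.WriteLine("Matches RFC vector: " + (challenge == rfcChallenge));
        Console.WriteLine("Legitimate client:  " + VerifyCodeVerifier(challenge, "S256", verifier));
        // Whoever only intercepted the code has no verifier to present.
        Console.WriteLine("Code-only attacker: " + VerifyCodeVerifier(challenge, "S256", CreateCodeVerifier()));
    }
}
```

The server-side part is what matters for the interception attack quoted above: the challenge is bound to the authorization code when it is issued, and the verifier never leaves the client until the token request, which travels over TLS directly to the token endpoint. A server that accepts a `plain` method, or that skips the check when `code_verifier` is absent for a code issued with a challenge, gives up that protection.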