Releases: DuendeSoftware/Duende.AccessTokenManagement
3.0.1
This is a security hotfix that addresses CVE-2024-51987, a medium-severity vulnerability that causes refreshed user-centric tokens to be captured in pooled HttpClient instances, which may then be used by a different user. See the security advisory for more details.
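The advisory above describes a refreshed user token ending up on a pooled HttpClient and being sent on behalf of a different user. The following C# is an added illustration of that general hazard, written for this page; it is not Duende's code and not the actual CVE-2024-51987 fix. It contrasts a credential written to a shared HttpClient's DefaultRequestHeaders with a DelegatingHandler that resolves the current user's token per request. The RecordingHandler test double, the token strings and the `_currentUserToken` accessor are constructed for the example.

```csharp
// Added illustration, not Duende's code and not the actual CVE-2024-51987 fix:
// the general hazard of attaching a per-user credential to an HttpClient that
// IHttpClientFactory (or any other pool) may hand to a different caller later.
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;

// Test double (constructed for this example): records which bearer token each
// outgoing request actually carried instead of calling a real API.
public sealed class RecordingHandler : HttpMessageHandler
{
    public List<string?> SeenTokens { get; } = new();

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken ct)
    {
        SeenTokens.Add(request.Headers.Authorization?.Parameter);
        return Task.FromResult(new HttpResponseMessage(HttpStatusCode.OK));
    }
}

// UNSAFE: DefaultRequestHeaders lives on the HttpClient instance. If that
// instance is shared or pooled, the last user's token rides along on every
// later request, including ones made on behalf of someone else.
public static class UnsafeTokenAttacher
{
    public static void Attach(HttpClient sharedClient, string userAccessToken) =>
        sharedClient.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", userAccessToken);
}

// SAFE: resolve the current user's token at send time and put it on the
// HttpRequestMessage only. Nothing user-specific is written to shared state,
// so a refreshed token cannot leak to the next user of the same client.
public sealed class PerRequestBearerHandler : DelegatingHandler
{
    // Hypothetical accessor standing in for "get the current user's token";
    // in the library that role belongs to its token management service.
    private readonly Func<CancellationToken, Task<string?>> _currentUserToken;

    public PerRequestBearerHandler(Func<CancellationToken, Task<string?>> currentUserToken,
                                   HttpMessageHandler inner) : base(inner)
        => _currentUserToken = currentUserToken;

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken ct)
    {
        var token = await _currentUserToken(ct);
        if (string.IsNullOrEmpty(token))
        {
            // Fail closed: never let the call go out anonymously or with stale state.
            return new HttpResponseMessage(HttpStatusCode.Unauthorized);
        }
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        return await base.SendAsync(request, ct);
    }
}

public static class Demo
{
    public static async Task Main()
    {
        // Unsafe path: Alice's token is attached to the shared client; Bob's
        // request, made through the same pooled instance, carries Alice's token.
        var unsafeRecorder = new RecordingHandler();
        var sharedClient = new HttpClient(unsafeRecorder);
        UnsafeTokenAttacher.Attach(sharedClient, "alice-refreshed-token");
        await sharedClient.GetAsync("https://api.example.invalid/me"); // Alice's request
        await sharedClient.GetAsync("https://api.example.invalid/me"); // Bob's request
        Console.WriteLine("unsafe: " + string.Join(",", unsafeRecorder.SeenTokens));

        // Safe path: the handler asks "who is the current user?" on every send.
        var safeRecorder = new RecordingHandler();
        string current = "alice-refreshed-token";
        var client = new HttpClient(
            new PerRequestBearerHandler(_ => Task.FromResult<string?>(current), safeRecorder));
        await client.GetAsync("https://api.example.invalid/me"); // Alice's request
        current = "bob-token";                                   // user context changes
        await client.GetAsync("https://api.example.invalid/me"); // Bob's request
        Console.WriteLine("safe: " + string.Join(",", safeRecorder.SeenTokens));
    }
}
```

The practical check when auditing your own delegating handlers or typed clients: grep for writes to `DefaultRequestHeaders.Authorization` on clients obtained from a factory or a singleton, and confirm that any user-bound credential is set on the `HttpRequestMessage` instead.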
3.0.0
This is a major release of Duende.AccessTokenManagement and Duende.AccessTokenManagement.OpenIdConnect. Highlights include
- Improved support for Blazor Server
- Updates to dependencies
- Bug fixes and improvements
Breaking Changes
- Support for .NET 6 and 7 has been dropped, as Microsoft has ended or will soon end support for those versions. Duende.AccessTokenManagement Version 2.1 (which supports .NET 6 and 7) will continue to be supported until .NET 6 reaches end of life in November.
- The OpenIdConnectUserAccessTokenHandler no longer depends on HttpContext, and instead depends on the new IUserAccessor interface. This change allows us to use the handler in Blazor Server projects. If you have customized the handler in a derived class, update your derived class's constructor to depend on the IUserAccessor and pass that to the handler's constructor. You probably don't need to implement IUserAccessor yourself: the default implementation of IUserAccessor is registered automatically and accesses the current user from the HttpContext, and a Blazor Server specific implementation is also available.
- The OpenIdConnectUserAccessTokenHandler also now takes a direct dependency on the IUserTokenManagementService, rather than resolving it from the HttpContext. Again, if you have customized the handler in a derived class, you'll need to update its constructor.
Blazor Server Support
This release improves our support for Blazor Server. We've added a new method to use when registering services: AddBlazorServerAccessTokenManagement. This method sets up dependencies needed specifically in a Blazor Server environment, including retrieving the current user without using HttpContext when it is not available (a Blazor Server circuit outlives the HTTP request that created it). This simplifies creating HttpClients that use the current user's access token.
Blazor Server implementations have always required a server-side token store (an implementation of ITokenStore). Pass your implementation of ITokenStore as the type parameter of AddBlazorServerAccessTokenManagement.
We've also exposed the logic related to storage of tokens in an AuthenticationTicket as a new service.
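As an added example of the registration described above (written for this page; it is not code from the release notes or the Duende repository), here is a Blazor Server startup that supplies a server-side store via the type parameter. The notes name the interface ITokenStore but do not list its members; the three methods below, their parameter types, and the AddOpenIdConnectAccessTokenManagement and AddUserAccessTokenHttpClient calls are taken from the library's 2.x API and are assumed unchanged in 3.0.0. Check them against the 3.0.0 source before relying on this.

```csharp
// Added example, not from the release notes or the Duende repository:
// registering Blazor Server token management in 3.0.0 with a custom store.
// Assumptions: the ITokenStore members below (StoreTokenAsync, GetTokenAsync,
// ClearTokenAsync) and the two registration helpers follow the 2.x API.
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Threading.Tasks;
using Duende.AccessTokenManagement;
using Duende.AccessTokenManagement.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

// Server-side store keyed by the user's "sub" claim. Blazor Server circuits
// outlive the HTTP request, so tokens cannot be read back from the request's
// auth cookie; they are held server-side and looked up per user, never per
// connection, so one user's token is never handed to another.
public sealed class InMemoryUserTokenStore : ITokenStore
{
    private readonly ConcurrentDictionary<string, UserToken> _tokens = new();

    private static string KeyFor(ClaimsPrincipal user) =>
        user.FindFirst("sub")?.Value
        ?? throw new InvalidOperationException(
            "principal has no sub claim; refusing to store a token without a stable user key");

    public Task StoreTokenAsync(ClaimsPrincipal user, UserToken token,
                                UserTokenRequestParameters? parameters = null)
    {
        _tokens[KeyFor(user)] = token;
        return Task.CompletedTask;
    }

    public Task<UserToken> GetTokenAsync(ClaimsPrincipal user,
                                         UserTokenRequestParameters? parameters = null)
    {
        // An error-bearing UserToken (rather than an exception) signals a miss.
        return Task.FromResult(_tokens.TryGetValue(KeyFor(user), out var token)
            ? token
            : new UserToken { Error = "no token stored for user" });
    }

    public Task ClearTokenAsync(ClaimsPrincipal user,
                                UserTokenRequestParameters? parameters = null)
    {
        _tokens.TryRemove(KeyFor(user), out _);
        return Task.CompletedTask;
    }
}

public static class Program
{
    public static void Main(string[] args)
    {
        var builder = WebApplication.CreateBuilder(args);

        // Cookie + OpenID Connect authentication is configured elsewhere (omitted);
        // the calls below are the token-management registrations.
        builder.Services.AddOpenIdConnectAccessTokenManagement();

        // 3.0.0: the store is passed as the type parameter. This also wires up the
        // Blazor Server specific IUserAccessor so the handler works without HttpContext.
        builder.Services.AddBlazorServerAccessTokenManagement<InMemoryUserTokenStore>();

        // Named client whose handler attaches the current user's access token
        // to each request (hypothetical API base address).
        builder.Services.AddUserAccessTokenHttpClient("api",
            configureClient: client => client.BaseAddress = new Uri("https://api.example.invalid/"));

        var app = builder.Build();
        app.Run();
    }
}
```

The in-memory dictionary is for illustration only: tokens in it vanish on restart and are invisible to other instances behind a load balancer, so a deployment should back the store with persistent, shared storage and clear entries on sign-out.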
Dependencies
- We now depend on:
- version 7.0.0 or later of IdentityModel
- version 8.0.1 or later of the ASP.NET OpenIdConnect Authentication Handler (Microsoft.AspNetCore.Authentication.OpenIdConnect)
- version 7.1.2 or later of the Microsoft JWT Handler (System.IdentityModel.Tokens.Jwt)
Our approach for dependencies is to depend on the minimum patch version that accomplishes the following:
- Avoid depending on a version of a package that has a known security vulnerability
- Avoid depending on a version that has a transitive dependency on a version of a package that has a known vulnerability
- Depend on the same version of the Microsoft JWT handler as the ASP.NET OpenIdConnect Authentication Handler
Full Changelog
Blazor Support
- Add accessor for current principal by @josephdecock in #99
- Add service for storage of tokens in auth properties by @josephdecock in #100
Bugs and Improvements
- Keep previous refresh token if not updated during refresh by @hybrid2102 in #46
- Add a specific exception when the clientId is empty by @kallayj in #73
- Remove space from closing a tag in Index.cshtml by @RolandGuijt in #72
- make constructor of ServicesAccessorCircuitHandler public by @maxmantz in #104
- Remove unknown client error message by @josephdecock in #106
- Fix typo in docs by @willibrandon in #107
- Final polish for release by @josephdecock in #126
Dependencies
- Updated System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.JsonWebTokens to latest to address CVEs by @chgl in #53
- Updated System.IdentityModel.Tokens.Jwt and Microsoft.AspNetCore.Authentication.* by @josephdecock in #92
- Update IdentityModel to v7.0.0 by @josephdecock in #93
- Drop support for .NET 6/7 by @josephdecock in #98
Dependabot
- added dependabot.yml by @goldsam in #56
- Bump coverlet.collector from 3.1.2 to 6.0.1 by @dependabot in #57
- Bump coverlet.collector from 6.0.1 to 6.0.2 by @dependabot in #83
- Bump Microsoft.NET.Test.Sdk from 17.1.0 to 17.9.0 by @dependabot in #60
- Bump Microsoft.NET.Test.Sdk from 17.9.0 to 17.10.0 by @dependabot in #111
- Bump Microsoft.SourceLink.GitHub from 1.1.1 to 8.0.0 by @dependabot in #68
- Bump MinVer from 4.0.0 to 4.3.0 by @dependabot in #62
- Bump MinVer from 4.3.0 to 5.0.0 by @dependabot in #71
- Bump NuGetKeyVaultSignTool from 3.1.6 to 3.2.3 by @dependabot in #59
- Bump RichardSzalay.MockHttp from 6.0.0 to 7.0.0 by @dependabot in #63
- Bump Serilog.AspNetCore from 8.0.0 to 8.0.1 by @dependabot in #58
- Bump Shouldly from 4.0.3 to 4.2.1 by @dependabot in #70
- Bump xunit from 2.4.1 to 2.7.0 by @dependabot in #66
- Bump xunit from 2.7.0 to 2.7.1 by @dependabot in #88
- Bump xunit from 2.7.1 to 2.8.0 by @dependabot in #96
- Bump xunit from 2.8.0 to 2.8.1 by @dependabot in #110
- Bump xunit.runner.visualstudio from 2.4.3 to 2.5.7 by @dependabot in #65
- Bump xunit.runner.visualstudio from 2.5.7 to 2.8.0 by @dependabot in #97
- Bump xunit.runner.visualstudio from 2.8.0 to 2.8.1 by @dependabot in #112
- Bump IdentityServerVersion from 7.0.4 to 7.0.5 by @dependabot in #116
New Contributors
- @goldsam made their first contribution in #56
- @chgl made their first contribution in #53
- @paulomorgado made their first contribution in #52
- @dependabot made their first contribution in #58
- @RolandGuijt made their first contribution in #72
- @kallayj made their first contribution in #73
- @maxmantz made their first contribution in #104
- @willibrandon made their first contribution in #107
Full Changelog: 2.1.2...3.0.0
3.0.0-preview.3
This updated preview includes a bug fix for the Blazor Server token management extensions.
Full Changelog: 3.0.0-preview.2...3.0.0-preview.3
3.0.0-preview.2
This release was accidentally built from the same commit as 3.0.0-preview.1 and should be ignored.
3.0.0-preview.1
This is a preview release of Duende.AccessTokenManagement and Duende.AccessTokenManagement.OpenIdConnect v3.0.0. The highlights of this major release include
- Improved support for Blazor Server
- Updates to dependencies
- Bug fixes and improvements
Breaking Changes
- Support for .NET 6 and 7 has been dropped, as Microsoft will no longer be supporting those versions in the coming weeks or months. Duende.AccessTokenManagement Version 2.1 (which supports .NET 6 and 7) will continue to be supported until .NET 6 reaches end of life in November.
- The OpenIdConnectUserAccessTokenHandler no longer depends on HttpContext, and instead depends on the new IUserAccessor interface. This change allows us to use the handler in Blazor Server projects. If you have customized the handler in a derived class, update your derived class's constructor to depend on the IUserAccessor and pass that to the handler's constructor. You probably don't need to implement IUserAccessor yourself: the default implementation of IUserAccessor is registered automatically and accesses the current user from the HttpContext, and a Blazor Server specific implementation is also available.
- The OpenIdConnectUserAccessTokenHandler also now takes a direct dependency on the IUserTokenManagementService, rather than resolving it from the HttpContext. Again, if you have customized the handler in a derived class, you'll need to update its constructor.
Blazor Server Support
This release improves our support for Blazor Server. We've added a new method to use when registering services: AddBlazorServerAccessTokenManagement. This method sets up dependencies needed specifically in a Blazor Server environment, including retrieving the current user without using HttpContext when it is not available. This simplifies creating HttpClients that use the current user's access token.
Blazor Server implementations have always required a server-side token store (an implementation of ITokenStore). Pass your implementation of ITokenStore as the type parameter of AddBlazorServerAccessTokenManagement.
We've also exposed the logic related to storage of tokens in an AuthenticationTicket as a new service.
Dependencies
- We now depend on:
- version 7.0.0 or later of IdentityModel
- version 8.0.1 or later of the ASP.NET OpenIdConnect Authentication Handler (Microsoft.AspNetCore.Authentication.OpenIdConnect)
- version 7.1.2 or later of the Microsoft JWT Handler (System.IdentityModel.Tokens.Jwt)
Our approach for dependencies is to depend on the minimum patch version that accomplishes the following:
- Avoid depending on a version of a package that has a known security vulnerability
- Avoid depending on a version that has a transitive dependency on a version of a package that has a known vulnerability
- Depend on the same version of the Microsoft JWT handler as the ASP.NET OpenIdConnect Authentication Handler
Full Changelog
Blazor Support
- Add accessor for current principal by @josephdecock in #99
- Add service for storage of tokens in auth properties by @josephdecock in #100
Bugs and Improvements
- Keep previous refresh token if not updated during refresh by @hybrid2102 in #46
- Add a specific exception when the clientId is empty by @kallayj in #73
- Remove space from closing a tag in Index.cshtml by @RolandGuijt in #72
Dependencies
- Updated System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.JsonWebTokens to latest to address CVEs by @chgl in #53
- Updated System.IdentityModel.Tokens.Jwt and Microsoft.AspNetCore.Authentication.* by @josephdecock in #92
- Update IdentityModel to v7.0.0 by @josephdecock in #93
- Drop support for .NET 6/7 by @josephdecock in #98
Dependabot
- added dependabot.yml by @goldsam in #56
- Bump coverlet.collector from 3.1.2 to 6.0.1 by @dependabot in #57
- Bump coverlet.collector from 6.0.1 to 6.0.2 by @dependabot in #83
- Bump Microsoft.NET.Test.Sdk from 17.1.0 to 17.9.0 by @dependabot in #60
- Bump Microsoft.SourceLink.GitHub from 1.1.1 to 8.0.0 by @dependabot in #68
- Bump MinVer from 4.0.0 to 4.3.0 by @dependabot in #62
- Bump MinVer from 4.3.0 to 5.0.0 by @dependabot in #71
- Bump NuGetKeyVaultSignTool from 3.1.6 to 3.2.3 by @dependabot in #59
- Bump RichardSzalay.MockHttp from 6.0.0 to 7.0.0 by @dependabot in #63
- Bump Serilog.AspNetCore from 8.0.0 to 8.0.1 by @dependabot in #58
- Bump Shouldly from 4.0.3 to 4.2.1 by @dependabot in #70
- Bump xunit from 2.4.1 to 2.7.0 by @dependabot in #66
- Bump xunit from 2.7.0 to 2.7.1 by @dependabot in #88
- Bump xunit from 2.7.1 to 2.8.0 by @dependabot in #96
- Bump xunit.runner.visualstudio from 2.4.3 to 2.5.7 by @dependabot in #65
- Bump xunit.runner.visualstudio from 2.5.7 to 2.8.0 by @dependabot in #97
2.1.2
This is a patch release that fixes a bug when using DPoP and Resource Indicators together.
What's Changed
- Fix DPoP proof token creation when resources are used by @josephdecock in #90
Full Changelog: 2.1.1...2.1.2
2.1.1
This is a patch release that fixes a DPoP bug and updates our dependency on ASP.NET framework packages.
What's Changed
- update dependencies to latest patches by @brockallen in #78
Updated dependency on ASP.NET framework packages from version 8.0.0 to version 8.0.3. This updates our transitive dependency on the System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.JsonWebTokens packages past versions that have a known Denial of Service vulnerability.
- Fix handling of dpop nonce sent during token exchange by @josephdecock in #79
Fixes a bug where DPoP nonces provided by authorization servers were not processed correctly.
Full Changelog: 2.1.0...2.1.1
2.1.0
What's Changed
- Respect explicitly passed scopes on refresh by @hybrid2102 in #43
- Support for .NET 8 by @josephdecock in #44
New Contributors
- @hybrid2102 made their first contribution in #43
- @josephdecock made their first contribution in #44
Full Changelog: 2.0.3...2.1.0
2.1.0-preview.1
This is a preview release that adds support for .NET 8 while keeping support for .NET 6. Also included in this preview is support for explicitly passing scopes on refresh.
What's Changed
- Support for .NET 8 by @josephdecock in #44
- Respect explicitly passed scopes on refresh by @hybrid2102 in #43
New Contributors
- @hybrid2102 made their first contribution in #43
- @josephdecock made their first contribution in #44
Full Changelog: 2.0.3...2.1.0-preview.1
2.0.3
What's Changed
- Log exception from distributed cache by @espenekvang in #33
- Fixed typo by @tvoracek in #37
- use case sensitive values for authorization scheme by @brockallen in #39
New Contributors
- @espenekvang made their first contribution in #33
- @tvoracek made their first contribution in #37
Full Changelog: 2.0.2...2.0.3