Bump Duende.IdentityServer.AspNetIdentity from 5.2.4 to 6.3.3 #137

Open
wants to merge 1 commit into
base: main
@dependabot dependabot bot commented on behalf of github Jul 7, 2023

Bumps Duende.IdentityServer.AspNetIdentity from 5.2.4 to 6.3.3.

Release notes

Sourced from Duende.IdentityServer.AspNetIdentity's releases.

6.3.3

What's Changed

Full Changelog: DuendeSoftware/IdentityServer@6.3.2...6.3.3

6.3.2

What's Changed

Full Changelog: DuendeSoftware/IdentityServer@6.3.1...6.3.2

6.3.1

What's Changed

Full Changelog: DuendeSoftware/IdentityServer@6.3.0...6.3.1

6.3.0

Breaking Changes

  • A new ITokenCleanupService interface has been extracted from the TokenCleanupService, and IdentityServer now depends on that interface, rather than the service itself. Customizations of TokenCleanupService that previously were implemented by deriving from that class and registering the derived class in the DI system need to

    • Register the derived class as an implementation of ITokenCleanupService, and
    • Remove the IServerSideSessionsMarker from any calls to the base constructor.

    See issue #981.

  • The TokenCleanupService.RemoveExpiredGrantsAsync method was renamed to CleanupGrantsAsync to reflect that it performs all grant cleanup work, including removing consumed grants and expired device codes in addition to expired grants. In the strictest sense, this is a breaking change, but it is very unlikely to cause issues during an upgrade because even though RemoveExpiredGrantsAsync was public, it was not virtual. If you were using RemoveExpiredGrantsAsync elsewhere, update your code to use the new name.

    See issue #981.

  • The value of the typ claim in the header of Logout tokens has changed to logout+jwt, which complies with OpenID Connect Back-Channel Logout 1.0. Clients that were previously validating the typ need to be updated, or the old typ can continue to be used via the new LogoutTokenJwtType configuration option.

    See issue #1169.

  • The TokenResponseGenerator.ProcessTokenRequestAsync virtual method, which generates access and refresh tokens and adds them to a response object, is now called by all token flows except the refresh token flow. This unifies the programming and extensibility model of the generator, which previously had duplicated code in some flows. If you have overridden this virtual method, be aware that it will now be called in all flows. Previously, the authorization code flow, device code flow, and CIBA flow did not invoke this method.

    See pull request: #1178.

  • One time use (rotated) refresh tokens are now deleted immediately when they are used. If you rely on the existing behavior of marking refresh tokens as consumed (perhaps to allow for lenient rotations or replay detection), set the new PersistentGrantOptions.DeleteOneTimeOnlyRefreshTokensOnUse option to false.

    See issue #1102.

Schema Changes

  • New InitiateLoginUri string property added to the Client model. This is a nullable string that can be left null for existing clients. This column is used for Third Party Initiated Login.

... (truncated)

Commits
  • 4b41178 Merge pull request #1356 from DuendeSoftware/brock/6.3.x-check-IsAuth
  • 04584ea add test to confirm IsAuthenticated check
  • 5ddaf9c check for IsAuthenticated in addition to Succeeded when calling AuthenticateA...
  • d933a16 Merge pull request #1307 from DuendeSoftware/joe/one-more-interaction-service...
  • 8ab4c4f Allow nulls in RevokeUserConsentAsync param
  • 055fc18 Merge pull request #1304 from DuendeSoftware/joe/nullability-fixes
  • 4239349 Allow nulls for SessionId in PersistedGrant model
  • 37c52f4 Allow null parameter to LogoutRequest ctor
  • a82edb8 Allow null params in IIdentityInteractionService
  • 185fbe0 Merge pull request #1301 from DuendeSoftware/joe/codeql-nohost-includeconfig
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Bumps [Duende.IdentityServer.AspNetIdentity](https://github.com/DuendeSoftware/IdentityServer) from 5.2.4 to 6.3.3.
- [Release notes](https://github.com/DuendeSoftware/IdentityServer/releases)
- [Commits](DuendeSoftware/IdentityServer@5.2.4...6.3.3)

---
updated-dependencies:
- dependency-name: Duende.IdentityServer.AspNetIdentity
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
dependabot bot added the "dependencies" label (Pull requests that update a dependency file) on Jul 7, 2023
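
Added example, not part of the pull request or of Duende's code: a relying-party check on an incoming back-channel logout token that the 6.3.0 `typ` change (`logout+jwt`) affects, with an opt-in switch for the old value during migration. The function names and the legacy value `JWT` are assumptions, the sample token is constructed, and signature, `iss`, `aud` and `iat` validation are left to a JWT library.

```python
import base64
import json

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"
NEW_TYP = "logout+jwt"  # value stated in the 6.3.0 release notes
LEGACY_TYP = "jwt"      # assumption: header value sent before 6.3.0


def _b64url_json(segment: str):
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_logout_token(token: str, accept_legacy_typ: bool = False) -> dict:
    """Structural checks only; verify the signature, iss, aud and iat
    with a JWT library before acting on the returned claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("header and payload must be JSON objects")

    # typ is compared case-insensitively, with an optional "application/" prefix
    typ = str(header.get("typ", "")).lower()
    if typ.startswith("application/"):
        typ = typ[len("application/"):]
    allowed = {NEW_TYP, LEGACY_TYP} if accept_legacy_typ else {NEW_TYP}
    if typ not in allowed:
        raise ValueError(f"unexpected typ {header.get('typ')!r}")

    # Claims required by OpenID Connect Back-Channel Logout 1.0
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_EVENT not in events:
        raise ValueError("missing back-channel logout event")
    if not (claims.get("sub") or claims.get("sid")):
        raise ValueError("logout token needs sub or sid")
    if "nonce" in claims:
        raise ValueError("logout token must not contain nonce")
    return claims


def make_unsigned_sample(typ: str) -> str:
    """Constructed sample with a dummy signature, for the checks above only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": typ}
    claims = {"sub": "alice", "sid": "s1", "events": {BACKCHANNEL_EVENT: {}}}
    return f"{enc(header)}.{enc(claims)}.c2ln"
```

Leaving `accept_legacy_typ` off once the server is on 6.3.x keeps the client from accepting other JWT kinds as logout tokens.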