This repository has been archived by the owner on Jul 31, 2024. It is now read-only.

Releases: IdentityServer/IdentityServer4

2.3.0

17 Nov 08:03

As part of this release we had 71 issues closed.
next feature release

note
The EntityFramework library contains schema changes compared to the previous version. You need to run migrations (see here).

bugs

  • #2778 Invalid code on device flow user code page throws
  • #2752 Endpoint returns wrong WwwAuthentication header
  • #2742 Fix a typo in TokenErrorResult.cs
  • #2729 Add null check on Consent page
  • #2658 Corrected internal value for ParsedSecretTypes.JwtBearer
  • #2604 Create jwk document when signing with JsonWebKey
  • #2561 Update path to SQL scripts
  • #2533 DistributedCacheStateDataFormatter should handle failed Unprotect workflows
  • #2523 CorsService doesn't handle null for origin
  • #2504 DistributedCacheStateDataFormatter tries to unprotect null string
  • #2499 fix ??-operator priority
  • #2492 Refresh token is not redacted
  • #2446 ReturnUrl in CustomRedirectResult?
  • #2441 CloneWithScopes in ApiResource does not clone DisplayName
  • #2358 Filter identity scopes and offline_access when no explicit scopes are specified in client credentials
  • #2336 Fix incorrect log message
  • #2251 IdentityServer might log tokens in case of error

new features

  • #2597 Add strong name
  • #2440 Add built-in support for Confirmation (cnf)

enhancements

  • #2783 Add AddPersistedGrantStore extension method for IIdentityServerBuilder
  • #2780 Document device flow
  • #2779 Document UserSsoLifetime
  • #2745 Enhance object logging
  • #2730 Unify empty string
  • #2695 Changed level from error to warn on refresh token
  • #2661 Be compatible with iOS 12 breaking changes
  • #2646 Emit more logging and errors around authentication scheme at startup
  • #2641 Support idp:local in host
  • #2617 Change: error code in TokenValidator class
  • #2611 Update secrets.rst
  • #2609 Add per-client SSO lifetime
  • #2607 Change: Made DefaultUserSession.AuthenticateAsync overrideable
  • #2593 Switch to new cake build version
  • #2582 redundant one line of code.
  • #2577 Make sure all nugets publish the repo URL
  • #2560 Consider making EndSessionRequestValidator public
  • #2554 Should SessionId Cookies be considered "Essential"
  • #2545 Make some internal types public to facilitate custom service implementations
  • #2540 resolve login/logout url, et al from named options
  • #2532 Consider resolving login url, et al from named options
  • #2525 enable default client validator by default
  • #2518 Add AsNoTracking for readonly queries
  • #2517 Add explicit FK properties in EF entities to allow EF Core DataSeeding
  • #2514 Add more strict cache control headers when softer headers are already added by HttpContext.SignInAsync
  • #2513 Make AddScriptCspHeaders and AddStyleCspHeaders public
  • #2512 Add parameters to IntrospectionRequestValidationResult - #2388
  • #2509 Update all projects
  • #2508 Move all repos to ASP.NET Core 2.1
  • #2506 add invalid uri scheme validation
  • #2489 IdentityServerAuthenticationService doesn't work well with the new dynamic/policy auth schemes in 2.1
  • #2469 EndSession class should be public?
  • #2460 Create abstractions package for Storage models and interfaces
  • #2434 Consider redirect uri scheme blocked list
  • #2402 IdentityServer4.AspNetIdentity's ProfileService readonly fields should be protected
  • #2393 Add details to logError in TokenRequestValidator
  • #2374 Make client secret optional while parsing basic authentication secret
  • #2359 During the cleanup token process, add support for an event when token is expired.
  • #2357 Don't log SecurityTokenExpiredException as error, since it is not
  • #2353 Sign nuget packages
  • #2300 update the generated EF sql files
  • #2299 Extract JWT payload creation to extension method
  • #2298 Extension Grant flows need all the data of the request at the final build of the claims.
  • #2285 Consider more metadata for clients and resources
  • #2284 Add support for OAuth 2.0 Device Flow [WIP]
  • #2280 Client missing description while EF Client has it.
  • #2271 AdminUI Custom Database Tables
  • #2264 ClientSecret exceeds the MaxLength value
  • #2249 Consider Properties on ApiResource and IdentityResource EF models
  • #2218 GetErrorContextAsync does not always return description.
  • #2055 Consider create datetime on ClientSecret

breaking change

  • #2524 Remove obsolete constructor on DefaultCustomTokenValidator

2.3 Preview 2

05 Nov 08:00
Pre-release

As part of this release we had 65 issues closed.
next feature release

bugs

  • #2752 Endpoint returns wrong WwwAuthentication header
  • #2742 Fix a typo in TokenErrorResult.cs
  • #2729 Add null check on Consent page
  • #2658 Corrected internal value for ParsedSecretTypes.JwtBearer
  • #2604 Create jwk document when signing with JsonWebKey
  • #2561 Update path to SQL scripts
  • #2533 DistributedCacheStateDataFormatter should handle failed Unprotect workflows
  • #2523 CorsService doesn't handle null for origin
  • #2504 DistributedCacheStateDataFormatter tries to unprotect null string
  • #2499 fix ??-operator priority
  • #2492 Refresh token is not redacted
  • #2446 ReturnUrl in CustomRedirectResult?
  • #2441 CloneWithScopes in ApiResource does not clone DisplayName
  • #2358 Filter identity scopes and offline_access when no explicit scopes are specified in client credentials
  • #2336 Fix incorrect log message
  • #2251 IdentityServer might log tokens in case of error

new features

  • #2597 Add strong name
  • #2440 Add built-in support for Confirmation (cnf)

enhancements

  • #2745 Enhance object logging
  • #2730 Unify empty string
  • #2695 Changed level from error to warn on refresh token
  • #2661 Be compatible with iOS 12 breaking changes
  • #2641 Support idp:local in host
  • #2617 Change: error code in TokenValidator class
  • #2611 Update secrets.rst
  • #2609 Add per-client SSO lifetime
  • #2607 Change: Made DefaultUserSession.AuthenticateAsync overrideable
  • #2593 Switch to new cake build version
  • #2582 redundant one line of code.
  • #2560 Consider making EndSessionRequestValidator public
  • #2554 Should SessionId Cookies be considered "Essential"
  • #2545 Make some internal types public to facilitate custom service implementations
  • #2540 resolve login/logout url, et al from named options
  • #2532 Consider resolving login url, et al from named options
  • #2525 enable default client validator by default
  • #2518 Add AsNoTracking for readonly queries
  • #2517 Add explicit FK properties in EF entities to allow EF Core DataSeeding
  • #2514 Add more strict cache control headers when softer headers are already added by HttpContext.SignInAsync
  • #2513 Make AddScriptCspHeaders and AddStyleCspHeaders public
  • #2512 Add parameters to IntrospectionRequestValidationResult - #2388
  • #2509 Update all projects
  • #2508 Move all repos to ASP.NET Core 2.1
  • #2506 add invalid uri scheme validation
  • #2489 IdentityServerAuthenticationService doesn't work well with the new dynamic/policy auth schemes in 2.1
  • #2469 EndSession class should be public?
  • #2460 Create abstractions package for Storage models and interfaces
  • #2434 Consider redirect uri scheme blocked list
  • #2402 IdentityServer4.AspNetIdentity's ProfileService readonly fields should be protected
  • #2393 Add details to logError in TokenRequestValidator
  • #2374 Make client secret optional while parsing basic authentication secret
  • #2359 During the cleanup token process, add support for an event when token is expired.
  • #2357 Don't log SecurityTokenExpiredException as error, since it is not
  • #2353 Sign nuget packages
  • #2300 update the generated EF sql files
  • #2299 Extract JWT payload creation to extension method
  • #2298 Extension Grant flows need all the data of the request at the final build of the claims.
  • #2285 Consider more metadata for clients and resources
  • #2284 Add support for OAuth 2.0 Device Flow [WIP]
  • #2280 Client missing description while EF Client has it.
  • #2271 AdminUI Custom Database Tables
  • #2264 ClientSecret exceeds the MaxLength value
  • #2249 Consider Properties on ApiResource and IdentityResource EF models
  • #2218 GetErrorContextAsync does not always return description.
  • #2055 Consider create datetime on ClientSecret

breaking change

  • #2524 Remove obsolete constructor on DefaultCustomTokenValidator

2.3 Preview 1

09 Aug 15:13
Pre-release

As part of this release we had 40 issues closed.
next feature release

bugs

  • #2533 DistributedCacheStateDataFormatter should handle failed Unprotect workflows
  • #2523 CorsService doesn't handle null for origin
  • #2504 DistributedCacheStateDataFormatter tries to unprotect null string
  • #2499 fix ??-operator priority
  • #2492 Refresh token is not redacted
  • #2446 ReturnUrl in CustomRedirectResult?
  • #2441 CloneWithScopes in ApiResource does not clone DisplayName
  • #2358 Filter identity scopes and offline_access when no explicit scopes are specified in client credentials
  • #2336 Fix incorrect log message
  • #2251 IdentityServer might log tokens in case of error

new feature

  • #2440 Add built-in support for Confirmation (cnf)

enhancements

  • #2525 enable default client validator by default
  • #2518 Add AsNoTracking for readonly queries
  • #2517 Add explicit FK properties in EF entities to allow EF Core DataSeeding
  • #2514 Add more strict cache control headers when softer headers are already added by HttpContext.SignInAsync
  • #2513 Make AddScriptCspHeaders and AddStyleCspHeaders public
  • #2512 Add parameters to IntrospectionRequestValidationResult - #2388
  • #2509 Update all projects
  • #2508 Move all repos to ASP.NET Core 2.1
  • #2506 add invalid uri scheme validation
  • #2489 IdentityServerAuthenticationService doesn't work well with the new dynamic/policy auth schemes in 2.1
  • #2469 EndSession class should be public?
  • #2460 Create abstractions package for Storage models and interfaces
  • #2434 Consider redirect uri scheme blocked list
  • #2402 IdentityServer4.AspNetIdentity's ProfileService readonly fields should be protected
  • #2393 Add details to logError in TokenRequestValidator
  • #2374 Make client secret optional while parsing basic authentication secret
  • #2359 During the cleanup token process, add support for an event when token is expired.
  • #2357 Don't log SecurityTokenExpiredException as error, since it is not
  • #2353 Sign nuget packages
  • #2300 update the generated EF sql files
  • #2299 Extract JWT payload creation to extension method
  • #2298 Extension Grant flows need all the data of the request at the final build of the claims.
  • #2285 Consider more metadata for clients and resources
  • #2280 Client missing description while EF Client has it.
  • #2264 ClientSecret exceeds the MaxLength value
  • #2249 Consider Properties on ApiResource and IdentityResource EF models
  • #2218 GetErrorContextAsync does not always return description.
  • #2055 Consider create datetime on ClientSecret

breaking change

  • #2524 Remove obsolete constructor on DefaultCustomTokenValidator

2.2

16 Apr 14:25

As part of this release we had 16 issues closed.

bugs

  • #2224 RequireCspFrameSrcForSignout = false does not sign out websites using front channel
  • #2214 GetAcrValues() should call ToArray() internally
  • #2176 Allow client ids with spaces in check session endpoint
  • #2173 PublicOrigin with the value empty string results in invalid Issuer
  • #2121 explicitly set the default value of base target in html response from AuthorizeResult
  • #2080 Potential URL host encoding

enhancements

  • #2220 Add ws-fed wsignoutcleanup support to front-channel signout notification
  • #2219 Move IsPkceClient to UI
  • #2211 Hide index view when not in development
  • #2210 Add Events for grant management
  • #2204 Split controllers in local login/logout and external challenge/callback
  • #2200 Add client configuration validation infrastructure
  • #2199 Added events for granted/denied consent
  • #2194 Enhance scope validation to detect duplicates
  • #2035 Add Content-Security-Policy options
  • #1609 Consider adding events for introspection events

2.1.3

22 Mar 01:01

As part of this release we had 5 issues closed.

bug

  • #2164 Encode redirect uri on authorization response
  • #2127 Fix invalid grant type validation result

enhancements

  • #2099 Use HttpMethods.IsGet() and HttpMethods.IsPost() instead of string comparison
  • #2091 Update unhandled exception logging
  • #2095 Better exception logging in TokenValidator

1.5.3

22 Mar 00:34

As part of this release we had 1 issue closed.

bug

  • #2164 Encode redirect uri on authorization response

2.1.2

06 Feb 14:00

As part of this release we had 3 issues closed.

bug

  • #2052 Fix Basic Authentication encoding to fully comply with RFC6749

enhancements

  • #2054 Updates fluent assertions to v5 and fixes compile errors
  • #2050 Make DistributedCacheStateDataFormatter public

2.1.1

10 Jan 14:11

As part of this release we had 3 issues closed.

bugs

  • #1955 Authorization response prevented in some iframe scenarios
  • #1948 Log full exceptions when available to aid in debugging

enhancement

  • #1965 Update to latest ASP.NET Core packages (security patch)

2.1

05 Jan 16:56

As part of this release we had 13 issues closed.

bug

  • #1936 Fix string concat problem in log messages

enhancements

  • #1909 Support external SAML2-P providers
  • #1903 only emit session id cookie if check session endpoint is enabled
  • #1879 Unlimited refresh lifetime
  • #1817 Pass requested resources to profile service (where available)
  • #1798 Allows overriding methods in default services
  • #1780 Remove EnableWindowsAuth flag on QS AccountOptions
  • #1766 add flag to relax frame-src csp header on signout response #1647
  • #1736 Add redirect_uri parameter to ErrorUrl #1564
  • #1733 detect non-unique scope names #1583
  • #1718 Move the IsActive call from the custom token validator to the core token validator
  • #1684 Allow IdentityServerTools to not depend on HttpContext
  • #1480 Include ui_locales to error page

2.0.6

19 Dec 18:52

As part of this release we had 7 issues closed.

bugs

  • #1882 IdentityServerBuilder unnecessarily created twice
  • #1880 Add button for noscript on authorize response form
  • #1870 Make ExternalLoginScheme in quickstart UI more defensive
  • #1861 Allow disabling resource owner password validation
  • #1854 Problems with form-action CSP behind load balancer
  • #1834 PublicOrigin should be used by UI code
  • #1831 Refresh token response does not contain custom fields from custom token request validator