Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update dependency Duende.IdentityServer.AspNetIdentity to 6.3.10 - autoclosed #55

Closed

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Aug 3, 2022

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
Duende.IdentityServer.AspNetIdentity 6.1.1 -> 6.3.10 age adoption passing confidence

Release Notes

DuendeSoftware/IdentityServer (Duende.IdentityServer.AspNetIdentity)

v6.3.10

Compare Source

This is a security hotfix that addresses CVE-2024-39694. See the security advisory for more details.

v6.3.9

Compare Source

This is a patch release that updates our dependency on ASP.NET framework packages from version 6.0.0 (or 7.00) to version 6.0.26 (or 7.0.15). This updates our transitive dependency on the System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.JsonWebTokens packages past versions that have a known Denial of Service vulnerability.

What's Changed

Full Changelog: DuendeSoftware/products@6.3.8...6.3.9

v6.3.8

Compare Source

This is a minor release that improves error handling of grant deserialization.

What's Changed

Full Changelog: DuendeSoftware/products@6.3.7...6.3.8

v6.3.7

Compare Source

This is a minor release that fixes two bugs.

What's Changed

Full Changelog: DuendeSoftware/products@6.3.6...6.3.7

v6.3.6

Compare Source

This is a minor release that allows a method in the server side session store to be overridden.

What's Changed
  • Make ServerSideSessionStore.GetAndRemoveExpiredSessionsAsync virtual. See #​1435.

Full Changelog: DuendeSoftware/products@6.3.5...6.3.6

v6.3.5

Compare Source

This is a minor release that fixes a bug related to serialization of exceptions in the UnhandledExceptionEvent.

What's Changed
  • Fixed a bug where the UnhandledExceptionEvent fails to serialize (Yo dawg, I heard you like errors, so I threw an error in your error event...) See #​1422.

v6.3.4

Compare Source

This is a minor release that fixes two bugs.

What's Changed
  • Fixed nullability annotation on IReturnUrlParser.ParseAsync. See #​1344
  • Fixed a bug where refreshing tokens would fail. See #​1403

Full Changelog: DuendeSoftware/products@6.3.3...6.3.4

v6.3.3

Compare Source

This is a minor release that fixes a bug in some narrow edge cases related to disabling server side sessions. The same fix was applied to the 6.2.x release branch in 6.2.4.

What's Changed
  • Check for IsAuthenticated in addition to Succeeded when calling AuthenticateAsync. See #​1356.

Full Changelog: DuendeSoftware/products@6.3.2...6.3.3

v6.3.2

Compare Source

This is a minor release that fixes bugs related to nullable reference type annotations.

What's Changed
  • Allow null return values from IIdentityInteractionService.GetErrorContextAsync and IIdentityInteractionService.GetLogoutContextAsync. See #​1304.
  • Allow null parameter to IIdentityInteractionService.RevokeUserConsentAsync. See #​1307.
  • Allow null parameter to LogoutRequest. See #​1304.
  • Allow null session id in the PersistedGrant model. See #​1304.

Full Changelog: DuendeSoftware/products@6.3.1...6.3.2

v6.3.1

Compare Source

This is a minor release with small bug fixes.

What's Changed
  • Added nullability annotation to ClientClaimsPrefix. See #​1298.
  • Fixed a bug where server side sessions had incorrect issuance times. See #​1297.

Full Changelog: DuendeSoftware/products@6.3.0...6.3.1

v6.3.0

Compare Source

This is a significant release that adds support for DPoP, Dynamic Client Registration, improves refresh token handling, and adds many other new features and bug fixes.

Breaking Changes
  • A new ITokenCleanupService interface has been extracted from the TokenCleanupService, and IdentityServer now depends on that interface, rather than the service itself. Customizations of TokenCleanupService that previously were implemented by deriving from that class and registering the derived class in the DI system need to

    • Register the derived class as an implementation of ITokenCleanupService, and
    • Remove the IServerSideSessionsMarker from any calls to the base constructor.
      See issue #​981.
  • The TokenCleanupService.RemoveExpiredGrantsAsync method was renamed to CleanupGrantsAsync to reflect that it performs all grant cleanup work, including removing consumed grants and expired device codes in addition to expired grants. In the strictest sense, this is a breaking change, but it is very unlikely to cause issues during an upgrade because even though RemoveExpiredGrantsAsync was public, it was not virtual. If you were using RemoveExpiredGrantsAsync elsewhere, update your code to use the new name.

    See issue #​981.

  • The value of the typ claim in the header of Logout tokens has changed to logout+jwt, which complies with OpenID Connect Back-Channel Logout 1.0. Clients that were previously validating the typ need to be updated, or the old typ can continue to be used via the new LogoutTokenJwtType configuration option.

    See issue #​1169.

  • The TokenResponseGenerator.ProcessTokenRequestAsync virtual method, which generates access and refresh tokens and adds them to a response object, is now called by all token flows except the refresh token flow. This unifies the programming and extensibility model of the generator, which previously had duplicated code in some flows. If you have overridden this virtual method, be aware that it will now be called in all flows. Previously, the authorization code flow, device code flow, and CIBA flow did not invoke this method.

    See pull request: #​1178.

  • One time use (rotated) refresh tokens are now deleted immediately when they are used. If you rely on the existing behavior of marking refresh tokens as consumed (perhaps to allow for lenient rotations or replay detection), set the new PersistentGrantOptions.DeleteOneTimeOnlyRefreshTokensOnUse option to false.

    See issue #​1102.

Schema Changes
  • New InitiateLoginUri string property added to the Client model. This is a nullable string that can be left null for existing clients. This column is used for Third Party Initiated Login.

  • New properties added to the Client Model for DPoP support:

    • RequireDPoP is a non-nullable boolean flag that requires a client to use DPoP. Existing clients can set this to false, unless you want the client to start using DPoP.
    • DPoPValidationMode is a non-nullable column that stores a "flags"-style enum that controls the DPoP validation mechanism. In most databases, this is represented as an integer. Existing clients that are not using DPoP can set its value to 0.
    • DPoPClockSkew is a non-nullable timespan that controls how much clock skew is allowed for a particular DPoP client. Existing clients that are not using DPoP can set its value to 0.
DPoP

IdentityServer 6.3 adds support for OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP) , a new OAuth specification for sender-constraining refresh tokens and access tokens. DPoP tokens can only be used by the client application that they are issued to, which provides a strong defense against replay attacks.

Our blog post announcing the feature is here, and detailed documentation is here.

See issues #​1116 and #​1266.

Configuration API/Dynamic Client Registration

IdentityServer 6.3 begins an effort to add programmatic configuration capabilities to IdentityServer. This configuration capability will take the form of a Configuration API that can be hosted either separately or within the IdentityServer implementation, and is distributed through the separate Duende.IdentityServer.Configuration nuget package.

This initial version of the Configuration API supports the OAuth and OIDC Dynamic Client Registration specifications, which allow a client or relying party to register their configuration details with IdentityServer dynamically by making standardized API requests. You could also use Dynamic Client Registration to provision environments automatically, perhaps in a deployment pipeline.

Our blog post announcing the feature is here, and detailed documentation is here.

See issue #​111.

Client Application Portal

InitiateLoginUri is a new optional property added to the IdentityServer Client model that can be used to initiate login from the IdentityServer host. Typically this is used to create an application portal within the IdentityServer host, with links to the registered client applications. The UI templates now include an example of this portal.

See issue #​1124.

Initiate User Registration via OIDC

OIDC Relying Parties can now indicate that user registration is needed using the standardized prompt=create parameter. To use this parameter, set the UserInteraction.CreateAccountUrl option to the location of your account creation page. The UI templates now include an example user registration page.

See issues #​1029 and #​432.

Step-up Error Handling

OIDC Relying Parties can request particular requirements during authentication using the step-up process. For example, they might require two factor authentication before allowing a highly sensitive transaction. IdentityServer now supports the unmet_authentication_requirements error response code during step-up, which can be returned if IdentityServer is unable to fullfil the step-up requirements. If you set the Error property of a ConsentResponse or AuthorizeResponse to "unmet_authentication_requirements" (you can use IdentityModel.OidcConstants.AuthorizeErrors.UnmetAuthenticationRequirements), IdentityServer will return the error to the client.

See issue #​1133.

Refresh Token Cleanup

New configuration options (see below) have been added to control what happens to single use refresh tokens when they are used. If the new DeleteOneTimeOnlyRefreshTokensOnUse flag is set, they will be immediately deleted. If you wish to keep consumed tokens for a period time for replay detection or to allow for leniency in the rotation policy, you can now add a delay using the ConsumedTokenCleanupDelay, guaranteeing that consumed tokens will not be deleted for that amount of time.

See issues #​1102, #​1065, and #​982.

New Configuration Options
  • PersistentGrantOptions.DeleteOneTimeOnlyRefreshTokensOnUse controls what happens to RefreshTokenUsage.OneTime refresh tokens when they are used. They can now be either marked as consumed or deleted immediately. The intent is that if you aren't making use of the consumed tokens you can safely delete them immediately. The default is to immediately delete.

    See issue #​1102.

  • OperationalStoreOptions.ConsumedTokenCleanupDelay delays deletion of consumed tokens in the token cleanup job. The intent of the delay is to allow users to keep tokens for some period of time to be used in some custom process. Custom code in the RefreshTokenService could allow "lenient" one-time use refresh tokens that can be reused for a short interval or detect token replay attacks by checking if a token is reused inappropriately. The default value for this new option is 0.

    See issue #​1102.

  • LogoutTokenJwtType sets the typ claim in the header of logout tokens. Defaults to logout+jwt, which complies with OpenID Connect Back-Channel Logout 1.0.

    See issue #​1029.

  • UserInteraction.CreateAccountUrl controls where the user is sent when the prompt=create parameter is sent as part of an OIDC login flow. Setting this option enables support for that parameter and is reflected in the prompt_values_supported property of the discovery document. If it is not set, prompt=create will be ignored.

    See issue: #​432.

  • DPoP.ProofTokenValidityDuration sets the duration that DPoP proof tokens are considered valid. Defaults to 1 minute.

    See issue #​1116

  • DPoP.ServerClockSkew sets the clock skew used when validating DPoP proof token expiration using a server-generated nonce value. Defaults to 0.

    See issue #​1116

Extensibility and Other Miscellaneous Improvements
  • IdentityServerConstants.ProtocolRoutePaths constants are now publicly accessible

    See issue #​1201.

  • Added IdentityServerConstants.ContentSecurityPolicyHashes constants to facilitate creation of content security policies.

    See issue #​1183.

  • Added ITokenCleanupService interface extracted from TokenCleanupService, which can be used to customize token cleanup.

    See issue #​981.

  • Added virtual method ServerSideSessionStore.ApplyFilter, which can be used to customize how server side sessions are queried.

  • Added logout_reason claim to back-channel logout tokens, which describes why the logout token is being sent using the following values:

    • user_logout - the user interactively logged out
    • session_expiration - the user's session expired due to inactivity
    • terminated - the user's session was explicitly terminated by some other means (e.g. an admin)

    See issue #​1198.

  • Added new overload of IsRedirectUriValidAsync to IRedirectUriValidator that is passed an object containing additional contextual information. The context contains the requested uri, the client making the request, the complete request parameters, and, if the request parameters were sent as a signed request object, the claims from the validated request object.

    See issue #​44.

  • Endpoint names are now public constants in IdentityServerConstants.EndpointNames, and the JWKS endpoint now has the unique name IdentityServerConstants.EndpointNames.Jwks. Referencing endpoints by name is useful when invoking endpoints programmatically, for example, from a health check. It also facilitates the creation of a custom IEndpointRouter.

    See issues #​584 and #​731.

  • Added nullable reference type annotations to many public APIs.

    See issue #​749.

Logging Improvements
  • Data protection failures now log a more detailed message.

    See issues #​973 and #​851

  • Back-channel logout error responses now include more details in their log messages.

    See issue #​1026.

  • Licensing log messages related to multiple issuers (commonly caused by misconfigured gateways) and automatic key management are now more descriptive.

    See issues #​918 and #​1017.

  • Logs generated in the CIBA flow now have sensitive values scrubbed by the BackchannelAuthenticationRequestSensitiveValuesFilter option, which scrubs client_secret, client_assertion, and id_token_hint parameters from the logs. Previously these logs were filtered by TokenRequestSensitiveValuesFilter, which did not include id_token_hint.

    See issue #​1168.

  • Logs generated by the token endpoint now redact authorization codes from the raw request values that are logged. This is for consistency with the parsed value, which is logged as an obfuscated value. Previous logs that included codes should not be a concern, since codes are one time use only - by the time they are logged, they are not likely to be useful anymore.

    See issue #​1240.

Bug Fixes
  • Filtering sessions in the server side session quickstart UI uses the different filter fields properly

    See issue #​1111.

  • Requests to ~/federation with no additional segments returns not found instead of throwing an exception

    See issue #​1171.

  • Basic authorization header input length restrictions now account for base64-url encoding of client id and secret. The restrictions now apply to the length of those values before encoding.

    See issue #​1173.

  • Removed dependency on IHttpContextAccessor in several services, making it possible to use them when no there is no HTTP request, such as in a customized background job. The updated services are DefaultEventService, PostConfigureApplicationCookieTicketStore, ConfigureAuthenticationOptions, OidcConfigureOptions, CachingIdentityProviderStore and NonCachingIdentityProviderStore.

    See issue #​874.

v6.2.5

Compare Source

This is a security hotfix that addresses CVE-2024-39694. See the security advisory for more details.

v6.2.4

Compare Source

This is a minor release that fixes a bug in some narrow edge cases related to disabling server side sessions. The same fix was applied to the 6.3.x release branch in 6.3.3.

What's Changed
  • Check for IsAuthenticated in addition to Succeeded when calling AuthenticateAsync. See #​1353.

Full Changelog: DuendeSoftware/products@6.2.3...6.2.4

v6.2.3

Compare Source

What's Changed

Full Changelog: DuendeSoftware/products@6.2.2...6.2.3

v6.2.2

Compare Source

What's Changed
New Contributors

Full Changelog: DuendeSoftware/products@6.2.1...6.2.2

v6.2.1

Compare Source

Full Changelog: DuendeSoftware/products@6.2.0...6.2.1

Bug Fixes
Issue #​1127 EmitIssuerIdentificationResponseParameter is reflected in discovery

v6.2.0

Compare Source

What's Changed

Duende IdentityServer 6.2 adds:

  • Support for .NET 7.0
  • A new option that can help filter unhandled exceptions out of the logs
  • Bug fixes and ongoing maintenance
.NET 7 Support
Filter Unhandled Exceptions
Bug Fixes
Updates to Dependencies
Samples and Documentation
Build, Test, Etc

New Contributors

Full Changelog: DuendeSoftware/products@6.1.7...6.2.0

v6.1.8

Compare Source

This is a security hotfix that addresses CVE-2024-39694. See the security advisory for more details.

v6.1.7

Compare Source

What's Changed

Full Changelog: DuendeSoftware/products@6.1.6...6.1.7

v6.1.6

Compare Source

What's Changed

Full Changelog: DuendeSoftware/products@6.1.5...6.1.6

v6.1.5

Compare Source

What's Changed

Full Changelog: DuendeSoftware/products@6.1.4...6.1.5

v6.1.4

Compare Source

What's Changed

Full Changelog: DuendeSoftware/products@6.1.3...6.1.4

v6.1.3

Compare Source

What's Changed

Full Changelog: DuendeSoftware/products@6.1.2...6.1.3

v6.1.2

Compare Source

What's Changed

New Contributors

Full Changelog: DuendeSoftware/products@6.1.1...6.1.2


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/duende.identityserver.aspnetidentity-6.x branch from 2a97e1a to 11f103e Compare August 8, 2022 14:58
@renovate renovate bot changed the title Update dependency Duende.IdentityServer.AspNetIdentity to v6.1.2 Update dependency Duende.IdentityServer.AspNetIdentity to v6.1.3 Aug 8, 2022
@renovate renovate bot force-pushed the renovate/duende.identityserver.aspnetidentity-6.x branch from 11f103e to ed8d3a0 Compare August 15, 2022 17:50
@renovate renovate bot changed the title Update dependency Duende.IdentityServer.AspNetIdentity to v6.1.3 Update dependency Duende.IdentityServer.AspNetIdentity to v6.1.4 Aug 15, 2022
@renovate renovate bot force-pushed the renovate/duende.identityserver.aspnetidentity-6.x branch from ed8d3a0 to 025e063 Compare August 31, 2022 22:19
@renovate renovate bot changed the title Update dependency Duende.IdentityServer.AspNetIdentity to v6.1.4 Update dependency Duende.IdentityServer.AspNetIdentity to v6.1.5 Aug 31, 2022
@renovate renovate bot force-pushed the renovate/duende.identityserver.aspnetidentity-6.x branch from 025e063 to 075f8cf Compare November 20, 2022 12:39
@renovate renovate bot changed the title Update dependency Duende.IdentityServer.AspNetIdentity to v6.1.5 Update dependency Duende.IdentityServer.AspNetIdentity to v6.1.7 Nov 20, 2022
@renovate renovate bot changed the title Update dependency Duende.IdentityServer.AspNetIdentity to v6.1.7 Update dependency Duende.IdentityServer.AspNetIdentity to v6.2.3 Mar 17, 2023
@renovate renovate bot force-pushed the renovate/duende.identityserver.aspnetidentity-6.x branch from 075f8cf to 719c184 Compare March 17, 2023 00:01
@renovate renovate bot changed the title Update dependency Duende.IdentityServer.AspNetIdentity to v6.2.3 Update dependency Duende.IdentityServer.AspNetIdentity to v6.3.1 May 30, 2023
@renovate renovate bot force-pushed the renovate/duende.identityserver.aspnetidentity-6.x branch from 719c184 to 67a6822 Compare May 30, 2023 15:11
@renovate renovate bot changed the title Update dependency Duende.IdentityServer.AspNetIdentity to v6.3.1 Update dependency Duende.IdentityServer.AspNetIdentity to v6.3.2 Jun 1, 2023
@renovate renovate bot force-pushed the renovate/duende.identityserver.aspnetidentity-6.x branch from 67a6822 to 983d665 Compare June 1, 2023 00:11
@renovate renovate bot changed the title Update dependency Duende.IdentityServer.AspNetIdentity to v6.3.2 Update dependency Duende.IdentityServer.AspNetIdentity to v6.3.3 Jul 6, 2023
@renovate renovate bot force-pushed the renovate/duende.identityserver.aspnetidentity-6.x branch from 983d665 to e2de15c Compare July 6, 2023 18:56
@renovate renovate bot force-pushed the renovate/duende.identityserver.aspnetidentity-6.x branch from e2de15c to d87874b Compare September 8, 2023 22:59
@renovate renovate bot changed the title Update dependency Duende.IdentityServer.AspNetIdentity to v6.3.3 Update dependency Duende.IdentityServer.AspNetIdentity to v6.3.4 Sep 8, 2023
@renovate renovate bot changed the title Update dependency Duende.IdentityServer.AspNetIdentity to v6.3.4 Update dependency Duende.IdentityServer.AspNetIdentity to v6.3.5 Sep 20, 2023
@renovate renovate bot force-pushed the renovate/duende.identityserver.aspnetidentity-6.x branch from d87874b to bae3fd7 Compare September 20, 2023 15:58
@renovate renovate bot changed the title Update dependency Duende.IdentityServer.AspNetIdentity to v6.3.5 Update dependency Duende.IdentityServer.AspNetIdentity to v6.3.6 Nov 1, 2023
@renovate renovate bot force-pushed the renovate/duende.identityserver.aspnetidentity-6.x branch from bae3fd7 to c7dd161 Compare November 1, 2023 15:47
@renovate renovate bot changed the title Update dependency Duende.IdentityServer.AspNetIdentity to v6.3.6 Update dependency Duende.IdentityServer.AspNetIdentity to v6.3.7 Dec 15, 2023
@renovate renovate bot force-pushed the renovate/duende.identityserver.aspnetidentity-6.x branch from c7dd161 to 431d3ec Compare December 15, 2023 17:03
@renovate renovate bot force-pushed the renovate/duende.identityserver.aspnetidentity-6.x branch from 431d3ec to 65fc355 Compare January 5, 2024 16:32
@renovate renovate bot changed the title Update dependency Duende.IdentityServer.AspNetIdentity to v6.3.7 Update dependency Duende.IdentityServer.AspNetIdentity to v6.3.8 Jan 5, 2024
@renovate renovate bot force-pushed the renovate/duende.identityserver.aspnetidentity-6.x branch from 65fc355 to fa9be96 Compare June 4, 2024 20:02
@renovate renovate bot changed the title Update dependency Duende.IdentityServer.AspNetIdentity to v6.3.8 Update dependency Duende.IdentityServer.AspNetIdentity to v6.3.9 Jun 4, 2024
@renovate renovate bot force-pushed the renovate/duende.identityserver.aspnetidentity-6.x branch from fa9be96 to 72d36a1 Compare July 31, 2024 19:04
@renovate renovate bot changed the title Update dependency Duende.IdentityServer.AspNetIdentity to v6.3.9 Update dependency Duende.IdentityServer.AspNetIdentity to v6.3.10 Jul 31, 2024
@renovate renovate bot changed the title Update dependency Duende.IdentityServer.AspNetIdentity to v6.3.10 Update dependency Duende.IdentityServer.AspNetIdentity to 6.3.10 Aug 28, 2024
@renovate renovate bot changed the title Update dependency Duende.IdentityServer.AspNetIdentity to 6.3.10 Update dependency Duende.IdentityServer.AspNetIdentity to 6.3.10 - autoclosed Sep 25, 2024
@renovate renovate bot closed this Sep 25, 2024
@renovate renovate bot deleted the renovate/duende.identityserver.aspnetidentity-6.x branch September 25, 2024 15:01
@renovate renovate bot changed the title Update dependency Duende.IdentityServer.AspNetIdentity to 6.3.10 - autoclosed Update dependency Duende.IdentityServer.AspNetIdentity to 6.3.10 Sep 25, 2024
@renovate renovate bot reopened this Sep 25, 2024
@renovate renovate bot restored the renovate/duende.identityserver.aspnetidentity-6.x branch September 25, 2024 18:21
@renovate renovate bot changed the title Update dependency Duende.IdentityServer.AspNetIdentity to 6.3.10 Update dependency Duende.IdentityServer.AspNetIdentity to 6.3.10 - autoclosed Sep 26, 2024
@renovate renovate bot closed this Sep 26, 2024
@renovate renovate bot deleted the renovate/duende.identityserver.aspnetidentity-6.x branch September 26, 2024 19:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants