IdentityServer3 Versions

OpenID Connect Provider and OAuth 2.0 Authorization Server Framework for ASP.NET 4.x/Katana

2.2.3

8 years ago

Fixed a bug in TokenValidator that got introduced in 2.2.2

2.2.2

8 years ago

bug fixes

  • scrubbed more sensitive data from token request logs
  • fixed a bug in DefaultTokenSigningService where an internalized type was exposed
  • JS error on permissions page (#2259)
  • Parallel calls to client store causes problems for EF (#2253)

2.2.1

8 years ago

As part of this release we had 3 issues closed.

bug fixes

  • #2229 Invalid markup for signout iframes?
  • #2227 Switch to new token signing service
  • #2226 Unexpected character encountered while parsing value: C. Path '', line 0, position 0.

2.2.0

8 years ago

As part of this release we had 19 issues closed.

bug fixes

  • #2110 IE Support for CSP
  • #2084 Permissions web page: If no logoUri is specified, the frame for the logoUri is still displayed
  • #2063 RememberMeDuration Ignored During Partial Signin
  • #1904 Secure mode on all IdSvr cookies
  • #1619 IIS Multibinding causes automatic IssuerUri to take random name
  • #1238 Fix max-age param in HSTS header
  • #1000 PostLogoutRedirectUri "lost" when signing out using an external IdP

new features

  • #2181 Provide support for federation signout cleanup callback
  • #2100 Update validation middleware to support Introspection endpoint
  • #1986 Add a cookie to track clients the user logged in
  • #1639 Introspection endpoint
  • #922 Implement HTTP-based Logout spec

enhancements

  • #2175 Add reference token handle to event
  • #2174 Add events for client authentication success/failure
  • #2105 Enhanced token signing service
  • #2085 Allow POST on EndSession endpoint
  • #1837 Don't issue XFO on response_mode post on authorization endpoint
  • #1641 Add tests for introspection endpoint
  • #1640 Add introspection specific events

2.1.1

8 years ago

As part of this release we had 2 issues closed.

bug fix

  • #2068 code id_token response type returns all claims in identity token - but shouldn't

enhancement

  • #2064 Added XmlDoc comments to Constants.ClaimTypes

2.1.0

8 years ago

As part of this release we had 29 commits which resulted in 12 issues being closed.

new feature

  • #1839 Add support for cookie session store

enhancements

  • #2042 Scrub user passwords from logs
  • #2041 Add more length restrictions
  • #2038 Scrub passwords from logs
  • #2006 Add OWIN extensions to set PublicOrigin and get PublicOrigin from request
  • #1981 Make length restrictions configurable
  • #1975 Consider adding viewport meta tag to default layout asset
  • #1899 Scope length should be configurable or allow further extensible request validation.
  • #1842 Configurable MaxInputParamLength
  • #1811 Make public OWIN extension for Resolve<T>()
  • #1683 Server sessions in Identity Server 3
  • #815 Add validation to incoming handles

2.0.2

8 years ago

As part of this release we had 1 commit which resulted in 4 issues being closed.

bug fix

  • #1576 Switch to Katana APIs for all body reading code

enhancements

  • #2032 add client id to signout context
  • #1979 Call to Revocation endpoint from Javascript client fails with 405
  • #1543 Remove disabled endpoints from routing table (like welcome endpoint)
  • #1991 Allow img-src to be set in CSP options

2.0.1

8 years ago

As part of this release we had 7 issues closed.

bugs

  • #1817 Quick fix to turn amr claim into an array
  • #1723 LibLog no longer public?
  • #1721 Incompatibility with OpenID Connect implementation of Google OAuth Client Library
  • #1672 AntiForgery validation failed -- returning error page

enhancements

  • #1778 use Autofac's extension Assembly.GetLoadableTypes() instead of .GetTy…
  • #1443 Fix for mono.. Use Assembly.GetLoadableTypes() instead of .GetTypes()
  • #1373 X509Certificate2Extensions.IsPrivateAccessAllowed() destroys PrivateKey on Mono

2.0.0

8 years ago

Breaking changes:

  • NuGet location changed to: https://www.nuget.org/packages/IdentityServer3
  • Top level namespace changed to "IdentityServer3".
  • Parameters to user service interface changed to context objects
  • All return values on the user service APIs moved to the context parameters
  • Script tag in the default view service layout template changed to "script.2.0.0.js"
  • OWIN extensions:
    • GetIdentityServerFullLogin renamed w/ Async
    • GetIdentityServerPartialLogin renamed w/ Async
  • New PostAuthenticateAsync added to user service. This is called prior to issuing a full login cookie for IdentityServer and allows a consolidated location to check if a partial login is needed for users logging in.
  • Removed InMemoryFactory - use new extension methods instead
  • Removed TraceLog and TraceSource providers - use Serilog (or any other LibLog supported library) instead
  • CorsPolicy removed on main options
  • Client configuration: ScopeRestrictions changed to AllowedScopes. We now require opt-in to allowing scopes to clients.
  • Event service APIs changed to return Task
  • Default view service's HTML files folder changed to "templates"

Changes

  • When choosing an external IdP from the login screen, we no longer redirect back to IdSvr before we redirect to the external IdP
  • Revoking a refresh token also revokes associated access tokens
  • AuthenticateResult now allows anonymous partial logins
  • Client configuration now has collection for origins to allow CORS
  • Client certificates supported on token endpoint
  • Support POST on token validation endpoints
  • When the Welcome page is disabled, the route will not be registered
  • Added several new OWIN environment extension methods related to partial logins
  • Added new URL in partial logins to restart the login process
  • When IdP passed to login page then we immediately redirect to IdP, rather than redirecting to our own external login page (which then redirects to the IdP)
  • Password field gets focus if username provided
  • Partial logins no longer remove the primary login cookie.
  • Logging:
    • added support for capturing Katana logs
    • removed "IncludeSensitiveData" feature
  • Reworked custom grant validators
    • one custom grant validator per type
    • can register multiple
  • Reworked client validation - split into:
    • secret parsers (parse the environment and turn something into an authenticable secret)
    • secret validators (validate the secret to confirm the associated id is correct)

Bug fixes:

1.6.2

8 years ago

  • fixed autofac bug/limitation when multiple copies of IdentityServer registered in same OWIN pipeline (#1464)
  • fixed erroneous CORS warning in logs when POSTing to login/logout/consent pages from Chrome (#1293)
  • cleaned up some cookie related formatting messages in logs