Releases: DuendeSoftware/products

Duende BFF Security Framework 4.1.1

18 Feb 15:25
7d896e6

This is a minor release for BFF that fixes two issues:

What's Changed

  • Fixes: BFF will crash when OpenID Connect options are retrieved outside of an HTTP request context, by @Erwinvandervalk in #2348
  • Fixes: Stack overflow when BFF is explicitly configured with authentication schemes, but without ForbidScheme (#2363) by @Erwinvandervalk in #2364

IdentityServer 7.4.6

12 Feb 16:08
ddebbc3

This is a patch release that fixes two issues in IdentityServer.

What's Changed

  • Make ServerSideSessionCleanupHost.StopAsync idempotent (prevent exceptions if it is called multiple times) by @damianh in #2345
  • Do not escape '+' character in x5c of jwks by @josephdecock in #2350

Duende.AspNetCore.Authentication.JwtBearer 1.0.1

02 Feb 16:55
fbfcc48

This is a patch release to update the README file of Duende.AspNetCore.Authentication.JwtBearer.

What's Changed

Duende.AspNetCore.Authentication.JwtBearer 1.0.0

02 Feb 16:10
0b08aaf

This is the first stable release of Duende.AspNetCore.Authentication.JwtBearer, a package that provides DPoP (Demonstrating Proof of Possession) support for ASP.NET Core APIs.

Features & Improvements

  • Validates DPoP proof tokens and verifies their binding to DPoP access tokens.
  • Extends Microsoft.AspNetCore.Authentication.JwtBearer for compatibility with its configurations and extensions.
  • Validation of client-supplied iat (issued at) timestamps to limit the possible time window of replay attacks.
  • Optional cache-based replay detection to further defend against replay attacks.
  • Support for issuing and validating nonce values to defend against pre-generation attacks.
  • Configurable DPoP enforcement modes (required or optional with bearer fallback).
  • Configurable allowed signing algorithms for DPoP proof tokens.
  • HybridCache for replay detection - Replaced IDistributedCache with HybridCache for improved replay attack detection (#2299)

API Improvements and changes from preview releases

  • Renamed DPoP expiration mode for clarity - DPoPProofExpirationMode naming improved based on community feedback (#2337)
  • Simplified DPoP optional mode - Easier configuration when DPoP should be optional (#2300)

Quality & Maintainability

  • Internal API clarifications for IsExpired method usage (#2335)
  • Removed NSubstitute test dependency (#2298)

Duende BFF Security Framework 4.1.0

29 Jan 10:01
e65c971

This release introduces a new extensibility point.

What's Changed

  • Introduce new extensibility point to enrich the claims from the user endpoint by @Erwinvandervalk in #2329

Duende BFF Security Framework 4.0.3

29 Jan 10:00
b8fd3cb

This is a minor release that fixes a problem in BFF 4.0.x.

What's Changed

Full Changelog: bff-4.0.2...bff-4.0.3

IdentityServer 7.4.5

22 Jan 10:19
a9890cb

This is a bugfix release that fixes an issue where + characters are not treated correctly in URL queries.

What's Changed

Full Changelog: is-7.4.4...is-7.4.5

Duende BFF Security Framework 4.0.2

13 Jan 08:31
34a222d

This is a minor release that fixes a problem with BFF 4.0.1.

What's Changed

  • Fix nullability issues with ClaimRecord and ClaimsPrincipalRecord by @wcabus in #2323

IdentityServer 7.4.4

29 Dec 16:33
8057e0f

This is a bugfix release that fixes an issue where specific service registration scenarios would fail due to constructor ambiguity.

What's Changed

Full Changelog: is-7.4.3...is-7.4.4

IdentityServer 7.3.4

29 Dec 16:35
9181730

This is a bugfix release that fixes an issue where specific service registration scenarios would fail due to constructor ambiguity.

What's Changed

Full Changelog: is-7.3.3...is-7.3.4