Update dependency IdentityServer4 to v4 #91

Open. Wants to merge 1 commit into base: master

@renovate renovate bot commented Dec 9, 2020

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| IdentityServer4 | nuget | major | 2.4.0 -> 4.1.2 |

Release Notes

IdentityServer/IdentityServer4

v4.1.2

Compare Source

minor bug fixes

v4.1.1

Compare Source

As part of this release we had 6 issues closed.

bugs

  • #​4951 Add null check before setting consumedTime
  • #​4948 DefaultClaimsService.GetIdentityTokenClaimsAsync uses wrong Resource parameter for ProfileData
  • #​4929 Typo in DefaultClaimsService.cs

enhancements

  • #​4942 Obfuscate refresh token and authorization code in logs
  • #​4935 Update to Message to enable deserialization in .NET 5.0-rc1
  • #​4711 Allow setting SameSite mode of the SessionId cookie

v4.1.0

Compare Source

As part of this release we had 13 issues closed.

bugs

  • #​4854 only re-issue session cookie when client added #​4812
  • #​4852 add defensive check to fix bug for when session is expired #​4844
  • #​4851 fix serialization bug on LogoutRequest.Parameters #​4655
  • #​4850 ensure consumed time is utc
  • #​4849 fix bug for consent is saved regardless of RememberConsent
  • #​4833 Consent is saved regardless of RememberConsent checkbox value
  • #​4812 Sliding Cookies not working for implicit flow in IdentityServer4 v4.x
  • #​4712 fix multiple WWW-Authenticate header to one

enhancements

  • #​4870 Update JAR mime type
  • #​4868 Make identity server work with publish single file in .NET 5.0
  • #​4853 add more defensive check on check session endpoint #​4051
  • #​4794 Add missing awaits on CachingClientStore and CachingResourceStore
  • #​4744 Introduce LoggingOptions.AuthorizeRequestSensitiveValuesFilter

v4.0.4

Compare Source

As part of this release we had 2 issues closed.

bug

  • #​4677 make AutoMapper v10 the min version

enhancement

  • #​4649 Fix 401 malformed WWW-Authenticate

v4.0.3

Compare Source

As part of this release we had 4 issues closed.

bugs

  • #​4670 defer calls to perform signout work to avoid re-entry recursion issue with AspId
  • #​4641 Fix exception message when no matching signing algorithm can be found

enhancements

v4.0.2

Compare Source

As part of this release we had 2 issues closed.

bug

  • #​4615 Fix custom redirect after ProcessLogin for custom authorize response generators

enhancement

  • #​4616 validate filter values on db results

v4.0.1

Compare Source

As part of this release we had 1 issue closed.

bug

  • #​4577 fix exception with prompt=login

v4.0.0

Compare Source

As part of this release we had 58 issues closed.
Next big release - after ASP.NET Core 3.1

bugs

  • #​4498 fix infinite loop in Token Cleanup after concurrency exception
  • #​4496 AuthorizeInteractionResponseGenerator : MaxAge does not respect prompt=none
  • #​4368 How to add a custom implementation (e.g. WsFederation) of IReturnUrlParser if everything is internal set in AuthorizationRequest class in next v4.x ?
  • #​4295 DefaultClientConfigurationValidator bug
  • #​4290 Fix cnf format for MTLS
  • #​4268 AddOidcStateDataFormatterCache broken with new JSON serializer
  • #​4173 Duplicate UserLoginSuccess/Failure events when using resource owner grant and IdentityServer4.AspNetIdentity
  • #​4145 Error Response with invalid redirection URI on authorize endpoint
  • #​4129 Fix logger category name for BackChannelLogoutHttpClient
  • #​4095 Return invalid_grant when redirect_uri is invalid on token endpoint
  • #​4075 Error Response with invalid redirection URI
  • #​4037 Bug Fix #​4036 - missing crv value when passing JsonWebKey to AddSigni…

enhancements

  • #​4504 Update error handling for invalid response modes
  • #​4502 Update form content check to reject multipart forms
  • #​4501 Update authorization code validation to do client binding check before deleting the code in the store
  • #​4499 Allow setting domain on SessionIdCookie #​4406
  • #​4444 Make sensitive data filters configurable
  • #​4439 namespace cleanup/refactor in host (to support templates)
  • #​4428 add consumedtime to persisted grant and refresh token
  • #​4427 Features/bootstrap update
  • #​4409 Add strict JAR mode
  • #​4390 enhancements to add logout notification service as first class service
  • #​4376 Features/grants enhancements
  • #​4361 Extend JWT token validation to accept space separated scopes
  • #​4360 Adapt JWT request validation to latest JAR spec
  • #​4357 Add iat to access tokens
  • #​4352 Emit jti by default
  • #​4343 Add option to set SameSite mode for internal cookies
  • #​4342 Add option to emit scopes as space separated string in JWT (as opposed to array)
  • #​4245 Strict redirect uri validator app auth with path
  • #​4237 Make aspid profile service more extensible
  • #​4235 end session changes: IsActive no longer called and no longer default to a single redirect uri
  • #​4234 Use non-case sensitive string for any ids
  • #​4227 switch to named HTTP clients from factory (instead of typed)
  • #​4226 Reduce usage of Newtonsoft.Json
  • #​4210 add sid and device description to grants table
  • #​4208 add support for handling multiple prompt values
  • #​4204 Add API to interaction service to return error to client
  • #​4203 Improve query on cors origins. #​3395
  • #​4202 include sid (if present) in access tokens #​3955
  • #​4153 private_key_jwt updates
  • #​4026 Added AddUserSession extension method
  • #​4024 Add JAR support
  • #​4019 Add client setting to require request object
  • #​3979 Added notification for device code removal
  • #​3969 Make cnf part of Token model
  • #​3962 MTLS Update
  • #​3892 V4: Multiple signing keys
  • #​3761 Add a client setting to require request objects
  • #​3732 Remove unused SaveChanges APIs in EF DbContext Interfaces
  • #​3692 Removed obsolete code
  • #​3413 IUserSession.CreateSessionIdAsync should return sid
  • #​3395 Improve query on cors origins.

breaking changes

  • #​4335 Remove public origin setting
  • #​4199 scope validation refactor
  • #​3939 Update PKCE and Consent default settings on Client
  • #​3888 Cleanup SignInAsync extension methods
  • #​3887 V4: Make client claims serialization friendly

v3.1.4

Compare Source

As part of this release we had 2 issues closed.

bug

  • #​4240 Fix UserLoginFailureEvent raised with interactive=true in resource owner grant flow

enhancement

  • #​4618 validate filter values on db results

v3.1.3

Compare Source

Bug

  • #​3981 Updated cache expiration to use current time

v3.1.2

Compare Source

As part of this release we had 119 commits which resulted in 1 issue being closed.

bug

  • #​4100 Fix TypeLoadException with 3.1.x and Microsoft Template

v3.1.1

Compare Source

As part of this release we had 3 issues closed.

bug

  • #​3935 Fix user code param name in DeviceController

enhancements

  • #​4056 Configurable JWK content type for 3.1.x
  • #​4043 Add crv parameter when key is loaded from a JsonWebKey

v3.1.0

Compare Source

As part of this release we had 74 commits which resulted in 11 issues being closed.

bugs

  • #​3880 Custom URI schemes for Allowed CORS Origins failing in DefaultClientConfigurationValidator
  • #​3879 Append to any existing "Vary" response header when setting response header
  • #​3775 /resources claim still present in IdentityServerTools

enhancements

  • #​3895 use asynchronous EF methods
  • #​3893 Ignore invalid post_logout_redirect_uri
  • #​3891 Add option to prevent automatic lower-casing of Issuer url #​3600
  • #​3885 Username with empty password - TokenRequestValidator
  • #​3881 Prevent current window from processing requests in check session JS
  • #​3823 Cache the CheckSessionResult Script string
  • #​3756 generate and return session_state for error authorization responses that are prompt=none

breaking change

  • #​3699 Make these extension methods internal

v3.0.2

Compare Source

As part of this release we had 4 issues closed.

bugs

  • #​3704 Change HttpRequest/Response extension method namespace
  • #​3645 Honour EnableDeviceAuthorizationEndpoint in IsEndpointEnabled

enhancements

  • #​3760 Bring back /resources audience for legacy token validation scenarios
  • #​3727 EF Core 3.0 Performance Fix

v3.0.1

Compare Source

Update to ASP.NET Core 3 RTM

v3.0.0

Compare Source

As part of this release we had 13 issues closed.

We didn't plan to make fundamental changes for this release - but since we had the opportunity, we added some important features and made some minor breaking changes to make IdentityServer more future proof.

Updates for ASP.NET Core 3

  • #3512 Drop netstandard2.0 and switch to netcoreapp3.0

Crypto update

Before this release, we only supported RS256 as the signing algorithm for tokens. This release adds support for RS384, RS512, PS256, PS384, PS512, ES256, ES384 and ES512. We also added support for s_hash.

  • #​3534 Ecdsa curve handling
  • #​3527 Add support for ECDsa keys to discovery document
  • #3435 c_hash generated using wrong hashing algorithm according to spec
  • #​3511 Add support for additional signing algorithms
  • #​3561 Support specific signing algorithms per validation key
  • #3584 Re-factor logic to turn Secrets into SecurityKeys

Changes

We removed the old legacy ~/resources audience from access tokens and use a typ header instead. This might cause problems with some legacy JWT validation libraries and needs some testing.

  • #​1961 Consider removing ~/resources audience from access tokens
  • #3513 Set typ header for access tokens

Misc

  • #3563 Emit Integer64 for Epoch Time
  • #​3415 Use same JSON.NET version as Microsoft's integration package
  • #​3514 Update to IdentityModel v4
  • #​3499 Remove IdentityServerPrincipal

v2.5.4

Compare Source

enhancements

  • #​3602 Microsoft.AspNetCore.Authentication.Abstractions nuget package deleted
  • #​3523 move logging before removal so the PromptMode is included in the logging

v2.5.3

Compare Source

As part of this release we had 8 commits.

  • IdentityModel dependency was pinned to 3.x

v2.5.2

Compare Source

As part of this release we had 8 commits which resulted in 3 issues being closed.

bugs

  • #​3517 Move HTTP context accessor access to a later point in JwtRequestValidator
  • #​3494 Fix log exception while user authentication failed

v2.5.1

Compare Source

As part of this release we had 6 issues closed.

bug

  • #​3491 fix JS for automatic signout redirect

enhancements

  • #​3478 CORS validation handling normalized URIs
  • #​3464 Easier support for impersonating clients
  • #​3463 Easier Authorization Code extensibility
  • #​3462 Introduce separate property to hold the values of the request object
  • #​3442 Set client id in user login events from resource owner password validator

v2.5.0

Compare Source

As part of this release we had 44 issues closed.

bugs

  • #​3404 HashedSharedSecretValidator does not catch null value
  • #​3391 Added check to scope validator for missing identity and api scopes
  • #​3388 repro PR for Incorrect secret type for missing secret in BasicAuth #​2975
  • #​3358 DefaultTokenService - access token claims without distinct
  • #​3330 Object reference not set to an instance of an object - when calling RequestClientCredentialsTokenAsync
  • #​3325 ids4 configured to use external ConsentUrl duplicates path in ReturnUrl
  • #​3320 Include identity resource properties in GetAllResourcesAsync
  • #​3282 Add vary by origin for Cache-Control on disco endpoints
  • #​3128 Latest Identity Server 4 OIDC Form Post doesn't work when run in a WinForms WebBrowser control
  • #​3013 IdentityServer4.Models.ApiResourceExtensions.CloneWithScopes does not clone properties
  • #​2875 code flow with fragment response mode is not allowed

enhancements

  • #​3422 Add claims transformation event to local API authN handler
  • #​3409 add AddValidationKeys signature accepting X509Certificate2[] (#​3383)
  • #​3406 add scope to all token responses
  • #​3392 Added scope param to token endpoint for device grant type
  • #​3382 add message store abstraction on authorization request params
  • #​3298 should never cache temporary data with no expiration
  • #​3276 Handle unknown idp at login
  • #​3257 Make EntityFramework.Stores*Store.cs private fields accessible for derived Classes
  • #​3254 Prototype for pluggable authN MW
  • #​3243 Use Task.CompletedTask to reduce allocations
  • #​3242 Consider global switch to disable request_uri feature
  • #​3241 Add support for signed authorize requests
  • #​3234 Add Client.Id and to UserLoginSuccessEvent and UserLoginFailureEvent
  • #​3229 Make back channel signout a first class service
  • #​3227 Recompilation required for EF.Storage with latest AutoMapper 8.1.0 due to signature change
  • #​3219 Add JWK support in JwtRequestValidator
  • #​3215 LogInformation changed to LogDebug
  • #​3201 Allowed usage of relative and absolute verification URIs for device authorization
  • #​3200 Device Code Cleanup
  • #​3193 Add validation for cors origins that aren't valid
  • #​3183 Add support to carry an error description back to third party clients on authorize error results
  • #​3160 PersistedGrants missing index on Expiration column
  • #​3148 call flush async #​3096
  • #​3143 Log request details on more log messages
  • #​3139 Back-Channel Logout Token: Allow configuring additional claims
  • #​3059 Fixed bug where the Subject was not being set on the ValidatedRequest and would not end up in the TokenIssuedSuccessEvent using Code flow
  • #​2938 Provide more flexibility in the DefaultUserSession cookie management
  • #​2893 Make ProtectedDataMessageStore public
  • #​2884 Generate a token with claims from IdentityServerTools
  • #​2859 Support HttpClientFactory for back channel signout
  • #​2846 Adjust "Authentication scheme Bearer is configured for IdentityServer, but it is not a scheme that supports signin (like cookies)"
  • #​2539 Consider Add or Replace Endpoint extension method
  • #​1958 Add client_id to ErrorMessage when Authorization request failed

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot requested a review from a team as a code owner December 9, 2020 13:00
@renovate renovate bot force-pushed the renovate/identityserver4-4.x branch from 1fe9f8a to 6d8ed09 Compare April 26, 2021 15:58
@renovate renovate bot force-pushed the renovate/identityserver4-4.x branch 2 times, most recently from 3fd5a39 to 46f4d97 Compare June 26, 2022 13:09
@renovate renovate bot force-pushed the renovate/identityserver4-4.x branch from 46f4d97 to 8c5501e Compare July 3, 2022 15:23