1.0.5

Update patch build to latest dependencies

2.0.1

Bugs Fixed

• Port SignInScheme fix to 2.0.x (#1435)

2.0.0

Features

• Provide a way to prevent AuthenticationSchemeProvider from picking a specific scheme handler (#1287)
• Remove top level methods on IServiceCollection that configure authentication (#1269)
• Revisit SchemeBuilder/AddScheme (#1186)
• Auth 2.0 Cleanup: Revisit cleanup events/context (#1181)
• Changing name of correlation and nonce cookie in OpenID Connect middleware (#1033)

Bugs Fixed

• AuthZ Regression: PolicyEvaluator always passes HttpContext for resource (#1329)
• DisplayName in new AuthN Plumbing? (#1319)
• Should auth options be using IOptionsMonitor? (#1282)
• Passing in an AuthoritizationPolicy allocates an array everytime (#1274)
• Authentication failures are not properly logged (#1265)
• Make it easier to specify a default scheme (#1264)
• OnRedirectToIdentityProvider - improve /// comments (#1200)
• Consider limiting the cookies we use for nonce and correlationId to the paths that we use them on (#1133)
• Consider revisiting OpenIdConnectOptions.PostLogoutRedirectUri in 2.0.0 (#1089)

2.0.0-preview2

Features

• Bind shared Default schemes to config (#1245)
• Auth 2.0 Part II: Revenge of AuthZ (#1190)
• Add IAuthorizationHandlerProvider interface (#1176)
• Support for Cookie "SameSite" Flag (#908)
• AuthZ 2.0 Improve failure scenarios + [401 vs 403?] (#901)

Bugs Fixed

• OAuth authentication broken due to SameSite cookie policy (#1231)
• How can you 'configure' OpenIdConnectOptions CallbackPath? (#1230)
• Consider dropping Active in AuthorizeAttribute.ActiveAuthenticationSchemes (#1199)

2.0.0-preview1

Features

• The Grand Auth Redesign of 2017 (#1179)
• Google handler should include claim for profile image url (#969)

Bugs Fixed

• Two consecutive calls to SystemClock can result in smaller values. (#1110)
• Provide an easy way to disable telemetry in the OpenID Connect middleware (#1035)
• Reduce claims in ClaimsIdentity after completing OIDC protocol legs (#1024)

1.1.1

Features

• Update IdentityModel dependencies to 5.1.2 (#1082)

Bugs Fixed

• Consider reverting #982 (#1044)

1.1.0

Bugs Fixed

• [Breaking change] Parameter was renamed on OpenIdConnectHandler.HandleSignOutAsync (#1030)
• Improper JWT used in token validation for hybrid "code id_token token" OpenId Connect flow (#1007)
• Ensuring the generated redirect URL is valid (#903)
• Can't perform custom error handling using OpenIdConnect OnAuthenticationFailed event (#884)

1.1.0-preview1

Features

• AuthZ: Add option for Fail fast (#945)
• AuthenticationTokenExtensions should have an UpdateToken (#916)
• AuthorizationHandlerContext responsibility split up & thread safety (#879)

Bugs Fixed

• How to use AuthorizationEndpoint which contains query string parameters with OAuth. (#988)
• OIDC handler bug in user info response handling for multiple claims of same type (#976)
• CookieAuthenticationHandler, in case using SessionStore, cookieOptions.Expire is not set on renewal (#973)
• Google middleware authorization should use prompt instead of approval_prompt (#971)
• Microsoft.AspNetCore.Authentication.Twitter's package description is incorrect (#962)
• CookieAuthenticationEvents.OnValidatePrincipal can result in a NullReferenceException (#949)
• Returning true from HandleUnauthorizedAsync doesn't prevent the other automatic handlers from being invoked (#930)
• Minor comment cleanup. (#891)
• OpenIdConnect with AAD does not return error_description (#883)
• Authorize(Github) may return a Facebook user (#859)
• Cookie ExpireTimeSpan not honoured using Auzure AD OpenIDConnect authentication (#855)
• Update CookieAuthenticationHandler.ApplyHeaders to honor AuthenticationProperties.RedirectUri (#800)
• Google: Need better way to discover when google+ api not enabled (#53)

1.0.0

Features

• JwtBearer does not return any useful info when failing to validate/accept a token (#776)
• Get the user's e-mail address from Twitter (#765)
• Support distributed sign-out (#423)

Bugs Fixed

• AuthorizationHandler design questions (#849)
• Authorize policy attribute not compatible with dynamic policy provider (#841)
• CookiePolicy middleware can't affect CookieAuthentication middleware (#814)
• Removed space from file name (#807)
• Clash of AuthorizationContext naming with aspnetcirelease bits rc2-* (#806)
• Authorize GitHub causes infinite redirects or Correlation failed (#801)
• OIDC argument validation (#795)
• CookieAuthenticationHandler IsPersistent with UTC dates (#780)
• Flow for authenticated but unauthorized users with OIDC is broken (infinite redirect) (#667)
• Need to do a doc pass for new AuthZ/AuthN changes (#190)

1.0.0-rc2

Features

• How can you inject a service into an implementation of IClaimsTransformer? (#718)
• Authorization infrastructure does not handle "per action permissions" use case well (#670)
• Consider adding Async version for AddAssertion sugar (#657)
• SaveTokenAsClaim for JwtBearer (#639)
• [Authorization] Consider base class to make building custom policies/requirements easier (#575)
• Implement the hybrid flow, unify code and authorization flows (#456)
• Populate returnURL on Forbidden mapping for cookie auth (#335)
• [AuthZ] Investigate if we can turn policyName overloads into extension methods (#266)

Bugs Fixed

• Update OIDC package version to be 1.0.0-rc2 (#808)
• Exception thrown when 'Microsoft.AspNetCore.Authentication.JwtBearer' tries to log a message (#794)
• AuthenticationHandler.InitializeAsync chokes when HandleAuthenticateAsync returns null (#760)
• DefaultAuthorizationService call to _logger.UserAuthorizationSucceeded always has a null user (#755)
• What should be the defaults for ResponseType for OIDC (#744)
• Auth handlers should unregister themselves after Next (#704)
• Clean up OIDC events (#690)
• Return givename and surname claims from Facebook provider by default. (#688)
• Can't find working example of getting first_name claim using Facebook rc2 (#654)
• Consider moving GenerateCorrelationId and ValidateCorrelationId to RemoteAuthenticationHandler (#647)
• TwitterHandler doesnt save all tokens as claims when SaveTokensAsClaims is true (#632)
• AuthorizationHandler: where TResource : class requirement (#630)
• Authentication cookie is badly renewed when the security stamp has been validated (#628)
• The values of Roles property in AuthorizeAttribute aren't trimmed (#627)
• Discussion for Scope being a list and not a string? (#614)
• Split Microsoft.Owin.Security.Cookies.Interop into 2 packages (#611)
• Update Twitter AuthenticationEndpoint (#600)
• JwtBearer projects targets dnx451 and dnxcore50 (#590)
• The dependency Microsoft.AspNet.Authentication.OpenIdConnect 1.0.0-rc2-16009 does not support framework .NETPlatform,Version=v5.4 (#576)
• Consider making AutomaticAuthenticate true by default for Cookies (#569)
• Update Google API endpoints (#566)
• Update facebook provider to v2.5 APIs (#565)
• Stop using AuthenticateResult.Success(ticket: null) (#555)
• AuthenticationProperties is not available from OpenIdConnectAuthenticationNotifications.RedirectToIdentityProvider (#546)
• SaveTokensAsClaims defaults (#526)
• Update the OAuth2 handler to log error_description and error_uri when receiving an error (#512)
• Can't get email claim from Facebook (#435)
• Revisit the OIDC/OAuth2 bearer middleware to stop re-throwing exceptions for invalid tokens (#411)