Recent releases for IdentityServer4

IdentityServer4 1.4.0

2017-03-27T15:16:01+00:00

As part of this release we had [9 issues](https://github.com/IdentityServer/IdentityServer4/issues?milestone=19&state=closed) closed. __bug__ - [__#932__](https://github.com/IdentityServer/IdentityServer4/pull/932) Fix typo in the X-Frame-Options directive. __new feature__ - [__#953__](https://github.com/IdentityServer/IdentityServer4/pull/953) New Events Design __enhancements__ - [__#985__](https://github.com/IdentityServer/IdentityServer4/issues/985) Add XML code comments - [__#957__](https://github.com/IdentityServer/IdentityServer4/pull/957) Add option to persists temp key - [__#934__](https://github.com/IdentityServer/IdentityServer4/issues/934) Improve PKCE logging messages - [__#907__](https://github.com/IdentityServer/IdentityServer4/issues/907) Add IdentityServerBuilder extensions for client and resources stores - [__#887__](https://github.com/IdentityServer/IdentityServer4/pull/887) Pass LoginUrl/LogoutUrl from IdentityServerOptions to auth cookie - [__#738__](https://github.com/IdentityServer/IdentityServer4/issues/738) Log the tokens generated for debugging purposes - [__#540__](https://github.com/IdentityServer/IdentityServer4/issues/540) Finish off eventing programming model

IdentityServer4 1.4.1

2017-03-30T16:04:44+00:00

As part of this release we had [1 issue](https://github.com/IdentityServer/IdentityServer4/issues?milestone=20&state=closed) closed.

IdentityServer4 1.4.2

2017-03-31T08:20:49+00:00

As part of this release we had [1 issue](https://github.com/IdentityServer/IdentityServer4/issues?milestone=21&state=closed) closed. __bug__ - [__#1006__](https://github.com/IdentityServer/IdentityServer4/issues/1006) Client JWT assertion should read client_id from sub claim only

IdentityServer4 1.5.0

2017-04-11T13:27:30+00:00

As part of this release we had [7 issues](https://github.com/IdentityServer/IdentityServer4/issues?milestone=22&state=closed) closed. __bugs__ - [__#1036__](https://github.com/IdentityServer/IdentityServer4/issues/1036) ids4 configured to use external Login page and hosted in an application within iis produces duplicated path in the returnUrl - [__#1030__](https://github.com/IdentityServer/IdentityServer4/pull/1030) Create new collection when implying all scopes if none requested __enhancements__ - [__#1048__](https://github.com/IdentityServer/IdentityServer4/issues/1048) Resolve ICorsPolicyProvider dynamically from DI from CorsPolicyProvider - [__#1025__](https://github.com/IdentityServer/IdentityServer4/issues/1025) DefaultGrantStore checking expiration, logging expired grants as not found - [__#965__](https://github.com/IdentityServer/IdentityServer4/issues/965) AuthorizeResult and ErrorMessage discard the ErrorDescription in AuthorizeResponse - [__#810__](https://github.com/IdentityServer/IdentityServer4/issues/810) Consider ability to define cache-control header for discovery endpoint - [__#579__](https://github.com/IdentityServer/IdentityServer4/issues/579) Consider cors caching

IdentityServer4 1.5.1

2017-05-04T17:15:05+00:00

As part of this release we had [4 issues](https://github.com/IdentityServer/IdentityServer4/issues?milestone=23&state=closed) closed. __bugs__ - [__#1132__](https://github.com/IdentityServer/IdentityServer4/issues/1132) Disable default caching for discovery - [__#1126__](https://github.com/IdentityServer/IdentityServer4/issues/1126) invalid join logic on GetAllGrantsAsync in DefaultPersistedGrantService - [__#1119__](https://github.com/IdentityServer/IdentityServer4/pull/1119) Fixed AddDeveloperSigningCredential on full framework - [__#1075__](https://github.com/IdentityServer/IdentityServer4/issues/1075) Test user profile service throws on invalid sub

IdentityServer4 2.0.0

2017-10-05T13:10:58+00:00

As part of this release we had [68 issues](https://github.com/IdentityServer/IdentityServer4/issues?milestone=14&state=closed) closed. __bugs__ - [__#1580__](https://github.com/IdentityServer/IdentityServer4/pull/1580) add options validation at startup time - [__#1574__](https://github.com/IdentityServer/IdentityServer4/issues/1574) Decorators in DI should wrap last service in DI (not first) - [__#1477__](https://github.com/IdentityServer/IdentityServer4/issues/1477) Don't use default signin scheme -- be explicit and use auth scheme - [__#1453__](https://github.com/IdentityServer/IdentityServer4/issues/1453) Error: Collection was modified; enumeration operation may not execute. - [__#1370__](https://github.com/IdentityServer/IdentityServer4/issues/1370) dotnet core 2.0 cookie authentication uses samesite = lax as default - [__#1283__](https://github.com/IdentityServer/IdentityServer4/issues/1283) ICustomAuthorizeRequestValidator ErrorDescription not bubbled up - [__#1276__](https://github.com/IdentityServer/IdentityServer4/issues/1276) Remove Enabled check from InMemoryClientStore - [__#1258__](https://github.com/IdentityServer/IdentityServer4/issues/1258) Client secret stilling being logged in 1.5.1/1.5.2 - [__#1250__](https://github.com/IdentityServer/IdentityServer4/issues/1250) idp:Negotiate on acr_values does not work! - [__#1217__](https://github.com/IdentityServer/IdentityServer4/pull/1217) Removed duplicate scopes - [__#1144__](https://github.com/IdentityServer/IdentityServer4/pull/1144) Add condition to logging in IntrospectionResponseGenerator.AreExpectedScopesPresent - [__#1101__](https://github.com/IdentityServer/IdentityServer4/issues/1101) CorsPolicyService implementation not being picked up... __enhancements__ - [__#1576__](https://github.com/IdentityServer/IdentityServer4/pull/1576) Separate callback route endpoints from base route endpoints - [__#1571__](https://github.com/IdentityServer/IdentityServer4/issues/1571) Add PairWiseSubjectSalt to Client - [__#1523__](https://github.com/IdentityServer/IdentityServer4/issues/1523) Consider adding IsActive to TestUser - [__#1518__](https://github.com/IdentityServer/IdentityServer4/issues/1518) Consider ISystemClock? - [__#1514__](https://github.com/IdentityServer/IdentityServer4/issues/1514) Make Endpoint class public to allow custom routing - [__#1482__](https://github.com/IdentityServer/IdentityServer4/issues/1482) Add authN scheme diagnostics logging at startup - [__#1475__](https://github.com/IdentityServer/IdentityServer4/pull/1475) user session rework to allow changing user from custom authorize logic - [__#1473__](https://github.com/IdentityServer/IdentityServer4/pull/1473) support using configuration binder - [__#1471__](https://github.com/IdentityServer/IdentityServer4/issues/1471) Add ICorsPolicyService caching layer - [__#1457__](https://github.com/IdentityServer/IdentityServer4/issues/1457) Consider properties collection on Client - [__#1443__](https://github.com/IdentityServer/IdentityServer4/issues/1443) Install .NET Core 2.0 in Travis Builds - [__#1438__](https://github.com/IdentityServer/IdentityServer4/issues/1438) [Feature] Allow to manually override host and base path with custom values - [__#1431__](https://github.com/IdentityServer/IdentityServer4/issues/1431) Make InputLengthRestrictions.TokenHandle configurable - [__#1401__](https://github.com/IdentityServer/IdentityServer4/issues/1401) Enable Tests for both netcoreapp2.0 and net461 - [__#1395__](https://github.com/IdentityServer/IdentityServer4/pull/1395) make it easier to reject an authorization request from the login page… - [__#1391__](https://github.com/IdentityServer/IdentityServer4/pull/1391) make endpoint router extensible #1364 - [__#1389__](https://github.com/IdentityServer/IdentityServer4/pull/1389) remove XFO from end session callback iframe #1224 - [__#1367__](https://github.com/IdentityServer/IdentityServer4/pull/1367) Propagate parsed secret throughout token validation pipeline - [__#1354__](https://github.com/IdentityServer/IdentityServer4/pull/1354) automatically add store implementations to DI when adding cached stores - [__#1326__](https://github.com/IdentityServer/IdentityServer4/pull/1326) added "alg" to JsonWebKey and DiscoveryResponseGenerator - [__#1272__](https://github.com/IdentityServer/IdentityServer4/issues/1272) Move PersistedGrantTypes to public constants - [__#1270__](https://github.com/IdentityServer/IdentityServer4/pull/1270) Feature: Allow PKCE on demand - [__#1252__](https://github.com/IdentityServer/IdentityServer4/issues/1252) Add copyright to check_session_iframe code - [__#1246__](https://github.com/IdentityServer/IdentityServer4/issues/1246) Consider better UTC now helper - [__#1235__](https://github.com/IdentityServer/IdentityServer4/issues/1235) Change DefaultGrantStore.GetHashedKey to virtual - [__#1228__](https://github.com/IdentityServer/IdentityServer4/issues/1228) Allow PKCE on demand (without explicit configuration) - [__#1165__](https://github.com/IdentityServer/IdentityServer4/issues/1165) Consider enforcing unique names in InMem stores - [__#1138__](https://github.com/IdentityServer/IdentityServer4/issues/1138) add same overloads for validation keys as signing keys - [__#1135__](https://github.com/IdentityServer/IdentityServer4/pull/1135) Consistent expiration handling - [__#1084__](https://github.com/IdentityServer/IdentityServer4/issues/1084) Consistent expiration handling - [__#1081__](https://github.com/IdentityServer/IdentityServer4/issues/1081) Add helper to register IRedirectUriValidator - [__#1066__](https://github.com/IdentityServer/IdentityServer4/issues/1066) Deal with Azure AD federation gateway problem - [__#1060__](https://github.com/IdentityServer/IdentityServer4/pull/1060) make resource base class for api and identity resources - [__#1002__](https://github.com/IdentityServer/IdentityServer4/issues/1002) Add support for getting IdentityServer error details in ErrorMessage - [__#951__](https://github.com/IdentityServer/IdentityServer4/issues/951) Consider a Client setting to set a consent expiration - [__#870__](https://github.com/IdentityServer/IdentityServer4/issues/870) New Feature: Allow the ability to validate a refresh_token - [__#846__](https://github.com/IdentityServer/IdentityServer4/issues/846) consider decoupling GetIdentityServerUser APIs from cookie middleware __breaking changes__ - [__#1534__](https://github.com/IdentityServer/IdentityServer4/issues/1534) Consider making client claims prefix value configurable - [__#1487__](https://github.com/IdentityServer/IdentityServer4/pull/1487) Add refresh token validator as part of ITokenValidator - [__#1446__](https://github.com/IdentityServer/IdentityServer4/pull/1446) Use default schemes plumbing - [__#1402__](https://github.com/IdentityServer/IdentityServer4/issues/1402) consider using default authN scheme - [__#1394__](https://github.com/IdentityServer/IdentityServer4/pull/1394) Update to ASP.NET Core v2 - [__#1375__](https://github.com/IdentityServer/IdentityServer4/pull/1375) Only revoke specific refresh token (not all for client) - [__#1344__](https://github.com/IdentityServer/IdentityServer4/issues/1344) Consider RequireConsent = false by default - [__#1277__](https://github.com/IdentityServer/IdentityServer4/issues/1277) GetAllResources on IResourceStore should be named "Async" - [__#1139__](https://github.com/IdentityServer/IdentityServer4/issues/1139) Remove AddTemporarySigningCredential in 2.0 - [__#1073__](https://github.com/IdentityServer/IdentityServer4/pull/1073) Token revocation cleanup - [__#1055__](https://github.com/IdentityServer/IdentityServer4/issues/1055) Support ASP.NET Core 2.0 - [__#1049__](https://github.com/IdentityServer/IdentityServer4/issues/1049) Check extensibility points for v2 rework - [__#1044__](https://github.com/IdentityServer/IdentityServer4/issues/1044) Change AddFilteredClaims to AddClaims on the ProfileContext - [__#1042__](https://github.com/IdentityServer/IdentityServer4/pull/1042) Refactor token response generator for cleaner extensibility - [__#1003__](https://github.com/IdentityServer/IdentityServer4/pull/1003) Removed redundant client parameter from IClaimsService - [__#1001__](https://github.com/IdentityServer/IdentityServer4/pull/1001) Introspection re-work - [__#874__](https://github.com/IdentityServer/IdentityServer4/pull/874) Change client allowed grant types to ICollection - [__#848__](https://github.com/IdentityServer/IdentityServer4/issues/848) Change ICustomAuthorizeRequestValidator.ValidateAsync to not return AuthorizeRequestValidationResult - [__#746__](https://github.com/IdentityServer/IdentityServer4/issues/746) Update logout implementations

IdentityServer4 2.0.1

2017-10-11T20:30:54+00:00

As part of this release we had [2 issues](https://github.com/IdentityServer/IdentityServer4/issues?milestone=25&state=closed) closed. __bugs__ - [__#1605__](https://github.com/IdentityServer/IdentityServer4/issues/1605) When client allows local login, yet client has idp restrictions, local login not actually allowed - [__#1604__](https://github.com/IdentityServer/IdentityServer4/pull/1604) Moving IdentityServerMiddleware IEventService parameter from constructor to Invoke

IdentityServer4 2.0.2

2017-10-26T05:31:31+00:00

As part of this release we had [3 issues](https://github.com/IdentityServer/IdentityServer4/issues?milestone=27&state=closed) closed. __bugs__ - [__#1673__](https://github.com/IdentityServer/IdentityServer4/issues/1673) Name claim no longer required when signing-in a user. - [__#1665__](https://github.com/IdentityServer/IdentityServer4/issues/1665) No refresh token returned with TokenUsage.ReUse - [__#1662__](https://github.com/IdentityServer/IdentityServer4/issues/1662) UserInfo should call IsActive

IdentityServer4 2.0.3

2017-11-11T09:40:15+00:00

As part of this release we had [1 issue](https://github.com/IdentityServer/IdentityServer4/issues?milestone=28&state=closed) closed. __bug__ - [__#1732__](https://github.com/IdentityServer/IdentityServer4/issues/1732) Upgrade to 2.0.2 causes amr claim to default to external

IdentityServer4 2.0.4

2017-11-20T17:26:51+00:00

As part of this release we had [7 issues](https://github.com/IdentityServer/IdentityServer4/issues?milestone=29&state=closed) closed. __bugs__ - [__#1778__](https://github.com/IdentityServer/IdentityServer4/issues/1778) Update ASP.NET Core dependnecy for recent Url.IsLocal vulnerability fix - [__#1748__](https://github.com/IdentityServer/IdentityServer4/issues/1748) Remove unsafe-inline for Edge from CSP - [__#1715__](https://github.com/IdentityServer/IdentityServer4/issues/1715) Consider if Referrer-Policy is useful in QS host - [__#1710__](https://github.com/IdentityServer/IdentityServer4/issues/1710) Fix default caching code comments - [__#1697__](https://github.com/IdentityServer/IdentityServer4/issues/1697) Parameters twisted for GetConsentKey - [__#1607__](https://github.com/IdentityServer/IdentityServer4/issues/1607) Http.Sys implementation with Windows Integrated Authentication - [__#1598__](https://github.com/IdentityServer/IdentityServer4/pull/1598) Set NoCache headers for discovery document if CacheInterval is set to 0

IdentityServer4 2.0.5

2017-12-04T18:09:18+00:00

As part of this release we had [3 issues](https://github.com/IdentityServer/IdentityServer4/issues?milestone=30&state=closed) closed. __bugs__ - [__#1829__](https://github.com/IdentityServer/IdentityServer4/pull/1829) BackchannelLogoutClient throws exception while generating the logout token - [__#1827__](https://github.com/IdentityServer/IdentityServer4/pull/1827) fix incorrect comment about default grant type - [__#1709__](https://github.com/IdentityServer/IdentityServer4/issues/1709) Do not show claims_supported items for 'hidden' resource / scope in Discovery Document

IdentityServer4 2.0.6

2017-12-19T18:52:04+00:00

As part of this release we had [7 issues](https://github.com/IdentityServer/IdentityServer4/issues?milestone=31&state=closed) closed. __bugs__ - [__#1882__](https://github.com/IdentityServer/IdentityServer4/issues/1882) IdentityServerBuilder unnecessarily created twice - [__#1880__](https://github.com/IdentityServer/IdentityServer4/issues/1880) Add button for noscript on authorize response form - [__#1870__](https://github.com/IdentityServer/IdentityServer4/issues/1870) Make ExternalLoginScheme in quickstart UI more defensive - [__#1861__](https://github.com/IdentityServer/IdentityServer4/issues/1861) Allow disabling resource owner password validation - [__#1854__](https://github.com/IdentityServer/IdentityServer4/issues/1854) Problems with form-action CSP behind load palancer - [__#1834__](https://github.com/IdentityServer/IdentityServer4/issues/1834) PublicOrigin should be used by UI code - [__#1831__](https://github.com/IdentityServer/IdentityServer4/issues/1831) Refresh token response does not contain custom fields from custom token request validator

IdentityServer4 2.1.0

2018-01-05T16:56:36+00:00

As part of this release we had [13 issues](https://github.com/IdentityServer/IdentityServer4/issues?milestone=24&state=closed) closed. __bug__ - [__#1936__](https://github.com/IdentityServer/IdentityServer4/pull/1936) Fix string concat problem in log messages __enhancements__ - [__#1909__](https://github.com/IdentityServer/IdentityServer4/issues/1909) Support external SAML2-P providers - [__#1903__](https://github.com/IdentityServer/IdentityServer4/pull/1903) only emit session id cookie if check session endpoint is enabled - [__#1879__](https://github.com/IdentityServer/IdentityServer4/pull/1879) Unlimited refresh lifetime - [__#1817__](https://github.com/IdentityServer/IdentityServer4/pull/1817) Pass requested resources to profile service (where available) - [__#1798__](https://github.com/IdentityServer/IdentityServer4/pull/1798) Allows overriding methods in default services - [__#1780__](https://github.com/IdentityServer/IdentityServer4/issues/1780) Remove EnableWindowsAuth flag on QS AccountOptions - [__#1766__](https://github.com/IdentityServer/IdentityServer4/pull/1766) add flag to relax frame-src csp header on signout response #1647 - [__#1736__](https://github.com/IdentityServer/IdentityServer4/pull/1736) Add redirect_uri parameter to ErrorUrl #1564 - [__#1733__](https://github.com/IdentityServer/IdentityServer4/pull/1733) detect non-unique scope names #1583 - [__#1718__](https://github.com/IdentityServer/IdentityServer4/pull/1718) Move the IsActive call from the custom token validator to the core token validatator - [__#1684__](https://github.com/IdentityServer/IdentityServer4/issues/1684) Allow IdentityServerTools to not depend on HttpContext - [__#1480__](https://github.com/IdentityServer/IdentityServer4/issues/1480) Include ui_locales to error page

IdentityServer4 2.1.1

2018-01-10T14:11:33+00:00

As part of this release we had [3 issues](https://github.com/IdentityServer/IdentityServer4/issues?milestone=34&state=closed) closed. __bugs__ - [__#1955__](https://github.com/IdentityServer/IdentityServer4/issues/1955) Authorization response prevented in some iframe scenarios - [__#1948__](https://github.com/IdentityServer/IdentityServer4/pull/1948) Log full exceptions when available to aid in debugging __enhancement__ - [__#1965__](https://github.com/IdentityServer/IdentityServer4/issues/1965) Update to latest ASP.NET Core packages (security patch)

IdentityServer4 2.1.2

2018-02-06T14:00:50+00:00

As part of this release we had [3 issues](https://github.com/IdentityServer/IdentityServer4/issues?milestone=35&state=closed) closed. __bug__ - [__#2052__](https://github.com/IdentityServer/IdentityServer4/pull/2052) Fix Basic Authentication encoding to fully comply with RFC6749 __enhancements__ - [__#2054__](https://github.com/IdentityServer/IdentityServer4/pull/2054) Updates fluent assertions to v5 and fixes complile errors - [__#2050__](https://github.com/IdentityServer/IdentityServer4/issues/2050) Make DistributedCacheStateDataFormatter public

IdentityServer4 1.5.3

2018-03-22T00:34:25+00:00

As part of this release we had [1 issue](https://github.com/IdentityServer/IdentityServer4/issues?milestone=37&state=closed) closed. __bug__ - [__#2164__](https://github.com/IdentityServer/IdentityServer4/issues/2164) Encode redirect uri on authorization response

IdentityServer4 2.1.3

2018-03-22T01:01:00+00:00

As part of this release we had [5 issues](https://github.com/IdentityServer/IdentityServer4/issues?milestone=36&state=closed) closed. __bug__ - [__#2164__](https://github.com/IdentityServer/IdentityServer4/issues/2164) Encode redirect uri on authorization response - [__#2127__](https://github.com/IdentityServer/IdentityServer4/pull/2127) Fix invalid grant type validation result __enhancements__ - [__#2099__](https://github.com/IdentityServer/IdentityServer4/pull/2099) Use HttpMethods.IsGet() and HttpMethods.IsPost() instead of string comparison - [__#2091__](https://github.com/IdentityServer/IdentityServer4/pull/2091) Update unhandled exception logging - [__#2095__](https://github.com/IdentityServer/IdentityServer4/pull/2095) Better exception logging in TokenValidator

IdentityServer4 2.2.0

2018-04-16T14:25:52+00:00

As part of this release we had [16 issues](https://github.com/IdentityServer/IdentityServer4/issues?milestone=32&state=closed) closed. __bugs__ - [__#2224__](https://github.com/IdentityServer/IdentityServer4/issues/2224) RequireCspFrameSrcForSignout = false does not sign out websites using front channel - [__#2214__](https://github.com/IdentityServer/IdentityServer4/issues/2214) GetAcrValues() should call ToArray() internally - [__#2176__](https://github.com/IdentityServer/IdentityServer4/issues/2176) Allow client ids with spaces in check session endpoint - [__#2173__](https://github.com/IdentityServer/IdentityServer4/issues/2173) PublicOrigin with the value empty string results in invalid Issuer - [__#2121__](https://github.com/IdentityServer/IdentityServer4/pull/2121) explicitly set the default value of base target in html response from AuthorizeResult - [__#2080__](https://github.com/IdentityServer/IdentityServer4/issues/2080) Potential URL host encoding __enhancements__ - [__#2220__](https://github.com/IdentityServer/IdentityServer4/issues/2220) Add ws-fed wsignoutcleanup support to front-channel signout notification - [__#2219__](https://github.com/IdentityServer/IdentityServer4/issues/2219) Move IsPkceClient to UI - [__#2211__](https://github.com/IdentityServer/IdentityServer4/issues/2211) Hide index view when not in development - [__#2210__](https://github.com/IdentityServer/IdentityServer4/issues/2210) Add Events for grant management - [__#2204__](https://github.com/IdentityServer/IdentityServer4/pull/2204) Split controllers in local login/logout and external challenge/callback - [__#2200__](https://github.com/IdentityServer/IdentityServer4/pull/2200) Add client configuration validation infrastructure - [__#2199__](https://github.com/IdentityServer/IdentityServer4/pull/2199) Added events for granted/denied consent - [__#2194__](https://github.com/IdentityServer/IdentityServer4/issues/2194) Enhance scope validation to detect duplicates - [__#2035__](https://github.com/IdentityServer/IdentityServer4/pull/2035) Add Content-Security-Policy options - [__#1609__](https://github.com/IdentityServer/IdentityServer4/issues/1609) Consider adding events for introspection events

IdentityServer4 2.3.0-preview1

2018-08-09T15:13:02+00:00

As part of this release we had [40 issues](https://github.com/IdentityServer/IdentityServer4/issues?milestone=39&state=closed) closed. next feature release __bugs__ - [__#2533__](https://github.com/IdentityServer/IdentityServer4/issues/2533) DistributedCacheStateDataFormatter should handle failed Unprotect workflows - [__#2523__](https://github.com/IdentityServer/IdentityServer4/issues/2523) CorsService doesn't handle null for origin - [__#2504__](https://github.com/IdentityServer/IdentityServer4/issues/2504) DistributedCacheStateDataFormatter tries to unprotect null string - [__#2499__](https://github.com/IdentityServer/IdentityServer4/pull/2499) fix ??-operator priority - [__#2492__](https://github.com/IdentityServer/IdentityServer4/issues/2492) Refresh token is not redacted - [__#2446__](https://github.com/IdentityServer/IdentityServer4/issues/2446) ReturnUrl in CustomRedirectResult? - [__#2441__](https://github.com/IdentityServer/IdentityServer4/issues/2441) CloneWithScopes in ApiResource does not clone DisplayName - [__#2358__](https://github.com/IdentityServer/IdentityServer4/pull/2358) Filter identity scopes and offline_access when no explicit scopes are specificed in client credentials - [__#2336__](https://github.com/IdentityServer/IdentityServer4/pull/2336) Fix incorrect log message - [__#2251__](https://github.com/IdentityServer/IdentityServer4/issues/2251) IdentityServer might log tokens in case of error __new feature__ - [__#2440__](https://github.com/IdentityServer/IdentityServer4/pull/2440) Add built-in support for Confirmation (cnf) __enhancements__ - [__#2525__](https://github.com/IdentityServer/IdentityServer4/pull/2525) enable default client validator by default - [__#2518__](https://github.com/IdentityServer/IdentityServer4/issues/2518) Add AsNoTracking for readonly queries - [__#2517__](https://github.com/IdentityServer/IdentityServer4/issues/2517) Add explicit FK properties in EF entities to allow EF Core DataSeeding - [__#2514__](https://github.com/IdentityServer/IdentityServer4/issues/2514) Add more strict cache control headers when softer headers are already added by HttpContext.SignInAsync - [__#2513__](https://github.com/IdentityServer/IdentityServer4/issues/2513) Make AddScriptCspHeaders and AddStyleCspHeaders public - [__#2512__](https://github.com/IdentityServer/IdentityServer4/pull/2512) Add parameters to IntrospectionRequestValidationResult - #2388 - [__#2509__](https://github.com/IdentityServer/IdentityServer4/issues/2509) Update all projects - [__#2508__](https://github.com/IdentityServer/IdentityServer4/issues/2508) Move all repos to ASP.NET Core 2.1 - [__#2506__](https://github.com/IdentityServer/IdentityServer4/pull/2506) add invalid uri scheme validation - [__#2489__](https://github.com/IdentityServer/IdentityServer4/issues/2489) IdentityServerAuthenticationService doesn't work well with the new dynamic/policy auth schemes in 2.1 - [__#2469__](https://github.com/IdentityServer/IdentityServer4/issues/2469) EndSession class should be public? - [__#2460__](https://github.com/IdentityServer/IdentityServer4/issues/2460) Create abstractions package for Storage models and interfaces - [__#2434__](https://github.com/IdentityServer/IdentityServer4/issues/2434) Consider redirect uri scheme blocked list - [__#2402__](https://github.com/IdentityServer/IdentityServer4/issues/2402) IdentityServer4.AspNetIdentity's ProfileService readonly filelds should be protected - [__#2393__](https://github.com/IdentityServer/IdentityServer4/pull/2393) Add details to logError in TokenRequestValidator - [__#2374__](https://github.com/IdentityServer/IdentityServer4/pull/2374) Make client secret optional while parsing basic authentication secret - [__#2359__](https://github.com/IdentityServer/IdentityServer4/issues/2359) During the cleanup token process, add support for an event when token is expired. - [__#2357__](https://github.com/IdentityServer/IdentityServer4/pull/2357) Dont log SecurityTokenExpiredException as error, since it is not - [__#2353__](https://github.com/IdentityServer/IdentityServer4/issues/2353) Sign nuget packages - [__#2300__](https://github.com/IdentityServer/IdentityServer4/issues/2300) update the generated EF sql files - [__#2299__](https://github.com/IdentityServer/IdentityServer4/issues/2299) Extract JWT payload creation to extension method - [__#2298__](https://github.com/IdentityServer/IdentityServer4/pull/2298) Extension Grant flows need all the data of the request at the final build of the claims. - [__#2285__](https://github.com/IdentityServer/IdentityServer4/issues/2285) Consider more metadata for clients and resources - [__#2280__](https://github.com/IdentityServer/IdentityServer4/issues/2280) Client missing description while EF Client has it. - [__#2264__](https://github.com/IdentityServer/IdentityServer4/issues/2264) ClientSecret exceeds the MaxLength value - [__#2249__](https://github.com/IdentityServer/IdentityServer4/issues/2249) Consider Properties on ApiResource and IdentityResource EF models - [__#2218__](https://github.com/IdentityServer/IdentityServer4/issues/2218) GetErrorContextAsync does not always return description. - [__#2055__](https://github.com/IdentityServer/IdentityServer4/issues/2055) Consider create datetime on ClientSecret __breaking change__ - [__#2524__](https://github.com/IdentityServer/IdentityServer4/pull/2524) Remove obsolete constructor on DefaultCustomTokenValidator

IdentityServer4 nuget_2.3.0-preview2

2018-11-05T08:00:32+00:00

As part of this release we had [65 issues](https://github.com/IdentityServer/IdentityServer4/issues?milestone=39&state=closed) closed. next feature release __bugs__ - [__#2752__](https://github.com/IdentityServer/IdentityServer4/pull/2752) Endpoint returns wrong WwwAuthentication header - [__#2742__](https://github.com/IdentityServer/IdentityServer4/pull/2742) Fix a typo in TokenErrorResult.cs - [__#2729__](https://github.com/IdentityServer/IdentityServer4/pull/2729) Add null check on Consent page - [__#2658__](https://github.com/IdentityServer/IdentityServer4/pull/2658) Corrected internal value for ParsedSecretTypes.JwtBearer - [__#2604__](https://github.com/IdentityServer/IdentityServer4/pull/2604) Create jwk document when signing with JsonWebKey - [__#2561__](https://github.com/IdentityServer/IdentityServer4/pull/2561) Update path to SQL scripts - [__#2533__](https://github.com/IdentityServer/IdentityServer4/issues/2533) DistributedCacheStateDataFormatter should handle failed Unprotect workflows - [__#2523__](https://github.com/IdentityServer/IdentityServer4/issues/2523) CorsService doesn't handle null for origin - [__#2504__](https://github.com/IdentityServer/IdentityServer4/issues/2504) DistributedCacheStateDataFormatter tries to unprotect null string - [__#2499__](https://github.com/IdentityServer/IdentityServer4/pull/2499) fix ??-operator priority - [__#2492__](https://github.com/IdentityServer/IdentityServer4/issues/2492) Refresh token is not redacted - [__#2446__](https://github.com/IdentityServer/IdentityServer4/issues/2446) ReturnUrl in CustomRedirectResult? - [__#2441__](https://github.com/IdentityServer/IdentityServer4/issues/2441) CloneWithScopes in ApiResource does not clone DisplayName - [__#2358__](https://github.com/IdentityServer/IdentityServer4/pull/2358) Filter identity scopes and offline_access when no explicit scopes are specificed in client credentials - [__#2336__](https://github.com/IdentityServer/IdentityServer4/pull/2336) Fix incorrect log message - [__#2251__](https://github.com/IdentityServer/IdentityServer4/issues/2251) IdentityServer might log tokens in case of error __new features__ - [__#2597__](https://github.com/IdentityServer/IdentityServer4/pull/2597) Add strong name - [__#2440__](https://github.com/IdentityServer/IdentityServer4/pull/2440) Add built-in support for Confirmation (cnf) __enhancements__ - [__#2745__](https://github.com/IdentityServer/IdentityServer4/pull/2745) Enhance object logging - [__#2730__](https://github.com/IdentityServer/IdentityServer4/pull/2730) Unify empty string - [__#2695__](https://github.com/IdentityServer/IdentityServer4/pull/2695) Changed level from error to warn on refresh token - [__#2661__](https://github.com/IdentityServer/IdentityServer4/issues/2661) Be compatible with iOS 12 breaking changes - [__#2641__](https://github.com/IdentityServer/IdentityServer4/issues/2641) Support idp:local in host - [__#2617__](https://github.com/IdentityServer/IdentityServer4/pull/2617) Change: error code in TokenValidator class - [__#2611__](https://github.com/IdentityServer/IdentityServer4/pull/2611) Update secrets.rst - [__#2609__](https://github.com/IdentityServer/IdentityServer4/issues/2609) Add per-client SSO lifetime - [__#2607__](https://github.com/IdentityServer/IdentityServer4/pull/2607) Change: Made DefaultUserSession.AuthenticateAsync overrideable - [__#2593__](https://github.com/IdentityServer/IdentityServer4/pull/2593) Switch to new cake build version - [__#2582__](https://github.com/IdentityServer/IdentityServer4/issues/2582) redundant one line of code. - [__#2560__](https://github.com/IdentityServer/IdentityServer4/issues/2560) Consider making EndSessionRequestValidator public - [__#2554__](https://github.com/IdentityServer/IdentityServer4/issues/2554) Should SessionId Cookies be considered "Essential" - [__#2545__](https://github.com/IdentityServer/IdentityServer4/pull/2545) Make some internal types public to facilitate custom service implementations - [__#2540__](https://github.com/IdentityServer/IdentityServer4/pull/2540) resolve login/logout url, et al from named options - [__#2532__](https://github.com/IdentityServer/IdentityServer4/issues/2532) Consider resolving login url, et al from named options - [__#2525__](https://github.com/IdentityServer/IdentityServer4/pull/2525) enable default client validator by default - [__#2518__](https://github.com/IdentityServer/IdentityServer4/issues/2518) Add AsNoTracking for readonly queries - [__#2517__](https://github.com/IdentityServer/IdentityServer4/issues/2517) Add explicit FK properties in EF entities to allow EF Core DataSeeding - [__#2514__](https://github.com/IdentityServer/IdentityServer4/issues/2514) Add more strict cache control headers when softer headers are already added by HttpContext.SignInAsync - [__#2513__](https://github.com/IdentityServer/IdentityServer4/issues/2513) Make AddScriptCspHeaders and AddStyleCspHeaders public - [__#2512__](https://github.com/IdentityServer/IdentityServer4/pull/2512) Add parameters to IntrospectionRequestValidationResult - #2388 - [__#2509__](https://github.com/IdentityServer/IdentityServer4/issues/2509) Update all projects - [__#2508__](https://github.com/IdentityServer/IdentityServer4/issues/2508) Move all repos to ASP.NET Core 2.1 - [__#2506__](https://github.com/IdentityServer/IdentityServer4/pull/2506) add invalid uri scheme validation - [__#2489__](https://github.com/IdentityServer/IdentityServer4/issues/2489) IdentityServerAuthenticationService doesn't work well with the new dynamic/policy auth schemes in 2.1 - [__#2469__](https://github.com/IdentityServer/IdentityServer4/issues/2469) EndSession class should be public? - [__#2460__](https://github.com/IdentityServer/IdentityServer4/issues/2460) Create abstractions package for Storage models and interfaces - [__#2434__](https://github.com/IdentityServer/IdentityServer4/issues/2434) Consider redirect uri scheme blocked list - [__#2402__](https://github.com/IdentityServer/IdentityServer4/issues/2402) IdentityServer4.AspNetIdentity's ProfileService readonly filelds should be protected - [__#2393__](https://github.com/IdentityServer/IdentityServer4/pull/2393) Add details to logError in TokenRequestValidator - [__#2374__](https://github.com/IdentityServer/IdentityServer4/pull/2374) Make client secret optional while parsing basic authentication secret - [__#2359__](https://github.com/IdentityServer/IdentityServer4/issues/2359) During the cleanup token process, add support for an event when token is expired. - [__#2357__](https://github.com/IdentityServer/IdentityServer4/pull/2357) Dont log SecurityTokenExpiredException as error, since it is not - [__#2353__](https://github.com/IdentityServer/IdentityServer4/issues/2353) Sign nuget packages - [__#2300__](https://github.com/IdentityServer/IdentityServer4/issues/2300) update the generated EF sql files - [__#2299__](https://github.com/IdentityServer/IdentityServer4/issues/2299) Extract JWT payload creation to extension method - [__#2298__](https://github.com/IdentityServer/IdentityServer4/pull/2298) Extension Grant flows need all the data of the request at the final build of the claims. - [__#2285__](https://github.com/IdentityServer/IdentityServer4/issues/2285) Consider more metadata for clients and resources - [__#2284__](https://github.com/IdentityServer/IdentityServer4/pull/2284) Add support for OAuth 2.0 Device Flow [WIP] - [__#2280__](https://github.com/IdentityServer/IdentityServer4/issues/2280) Client missing description while EF Client has it. - [__#2271__](https://github.com/IdentityServer/IdentityServer4/issues/2271) AdminUI Custom Database Tables - [__#2264__](https://github.com/IdentityServer/IdentityServer4/issues/2264) ClientSecret exceeds the MaxLength value - [__#2249__](https://github.com/IdentityServer/IdentityServer4/issues/2249) Consider Properties on ApiResource and IdentityResource EF models - [__#2218__](https://github.com/IdentityServer/IdentityServer4/issues/2218) GetErrorContextAsync does not always return description. - [__#2055__](https://github.com/IdentityServer/IdentityServer4/issues/2055) Consider create datetime on ClientSecret __breaking change__ - [__#2524__](https://github.com/IdentityServer/IdentityServer4/pull/2524) Remove obsolete constructor on DefaultCustomTokenValidator

IdentityServer4 2.3.0

2018-11-17T08:03:57+00:00

As part of this release we had [71 issues](https://github.com/IdentityServer/IdentityServer4/issues?milestone=39&state=closed) closed. next feature release __note__ The EntityFramework library contains schema changes to previous version. You need to run migrations (see [here](https://identityserver4.readthedocs.io/en/latest/reference/ef.html#database-creation-and-schema-changes-across-different-versions-of-identityserver)). __bugs__ - [__#2778__](https://github.com/IdentityServer/IdentityServer4/issues/2778) Invalid code on device flow user code page throws - [__#2752__](https://github.com/IdentityServer/IdentityServer4/pull/2752) Endpoint returns wrong WwwAuthentication header - [__#2742__](https://github.com/IdentityServer/IdentityServer4/pull/2742) Fix a typo in TokenErrorResult.cs - [__#2729__](https://github.com/IdentityServer/IdentityServer4/pull/2729) Add null check on Consent page - [__#2658__](https://github.com/IdentityServer/IdentityServer4/pull/2658) Corrected internal value for ParsedSecretTypes.JwtBearer - [__#2604__](https://github.com/IdentityServer/IdentityServer4/pull/2604) Create jwk document when signing with JsonWebKey - [__#2561__](https://github.com/IdentityServer/IdentityServer4/pull/2561) Update path to SQL scripts - [__#2533__](https://github.com/IdentityServer/IdentityServer4/issues/2533) DistributedCacheStateDataFormatter should handle failed Unprotect workflows - [__#2523__](https://github.com/IdentityServer/IdentityServer4/issues/2523) CorsService doesn't handle null for origin - [__#2504__](https://github.com/IdentityServer/IdentityServer4/issues/2504) DistributedCacheStateDataFormatter tries to unprotect null string - [__#2499__](https://github.com/IdentityServer/IdentityServer4/pull/2499) fix ??-operator priority - [__#2492__](https://github.com/IdentityServer/IdentityServer4/issues/2492) Refresh token is not redacted - [__#2446__](https://github.com/IdentityServer/IdentityServer4/issues/2446) ReturnUrl in CustomRedirectResult? - [__#2441__](https://github.com/IdentityServer/IdentityServer4/issues/2441) CloneWithScopes in ApiResource does not clone DisplayName - [__#2358__](https://github.com/IdentityServer/IdentityServer4/pull/2358) Filter identity scopes and offline_access when no explicit scopes are specificed in client credentials - [__#2336__](https://github.com/IdentityServer/IdentityServer4/pull/2336) Fix incorrect log message - [__#2251__](https://github.com/IdentityServer/IdentityServer4/issues/2251) IdentityServer might log tokens in case of error __new features__ - [__#2597__](https://github.com/IdentityServer/IdentityServer4/pull/2597) Add strong name - [__#2440__](https://github.com/IdentityServer/IdentityServer4/pull/2440) Add built-in support for Confirmation (cnf) __enhancements__ - [__#2783__](https://github.com/IdentityServer/IdentityServer4/pull/2783) Add AddPersistedGrantStore extension method for IIdentityServerBuilder - [__#2780__](https://github.com/IdentityServer/IdentityServer4/issues/2780) Document device flow - [__#2779__](https://github.com/IdentityServer/IdentityServer4/issues/2779) Document UserSsoLifetime - [__#2745__](https://github.com/IdentityServer/IdentityServer4/pull/2745) Enhance object logging - [__#2730__](https://github.com/IdentityServer/IdentityServer4/pull/2730) Unify empty string - [__#2695__](https://github.com/IdentityServer/IdentityServer4/pull/2695) Changed level from error to warn on refresh token - [__#2661__](https://github.com/IdentityServer/IdentityServer4/issues/2661) Be compatible with iOS 12 breaking changes - [__#2646__](https://github.com/IdentityServer/IdentityServer4/issues/2646) Emit more logging and errors around authentication scheme at startup - [__#2641__](https://github.com/IdentityServer/IdentityServer4/issues/2641) Support idp:local in host - [__#2617__](https://github.com/IdentityServer/IdentityServer4/pull/2617) Change: error code in TokenValidator class - [__#2611__](https://github.com/IdentityServer/IdentityServer4/pull/2611) Update secrets.rst - [__#2609__](https://github.com/IdentityServer/IdentityServer4/issues/2609) Add per-client SSO lifetime - [__#2607__](https://github.com/IdentityServer/IdentityServer4/pull/2607) Change: Made DefaultUserSession.AuthenticateAsync overrideable - [__#2593__](https://github.com/IdentityServer/IdentityServer4/pull/2593) Switch to new cake build version - [__#2582__](https://github.com/IdentityServer/IdentityServer4/issues/2582) redundant one line of code. - [__#2577__](https://github.com/IdentityServer/IdentityServer4/issues/2577) Make sure all nugets publish the repo URL - [__#2560__](https://github.com/IdentityServer/IdentityServer4/issues/2560) Consider making EndSessionRequestValidator public - [__#2554__](https://github.com/IdentityServer/IdentityServer4/issues/2554) Should SessionId Cookies be considered "Essential" - [__#2545__](https://github.com/IdentityServer/IdentityServer4/pull/2545) Make some internal types public to facilitate custom service implementations - [__#2540__](https://github.com/IdentityServer/IdentityServer4/pull/2540) resolve login/logout url, et al from named options - [__#2532__](https://github.com/IdentityServer/IdentityServer4/issues/2532) Consider resolving login url, et al from named options - [__#2525__](https://github.com/IdentityServer/IdentityServer4/pull/2525) enable default client validator by default - [__#2518__](https://github.com/IdentityServer/IdentityServer4/issues/2518) Add AsNoTracking for readonly queries - [__#2517__](https://github.com/IdentityServer/IdentityServer4/issues/2517) Add explicit FK properties in EF entities to allow EF Core DataSeeding - [__#2514__](https://github.com/IdentityServer/IdentityServer4/issues/2514) Add more strict cache control headers when softer headers are already added by HttpContext.SignInAsync - [__#2513__](https://github.com/IdentityServer/IdentityServer4/issues/2513) Make AddScriptCspHeaders and AddStyleCspHeaders public - [__#2512__](https://github.com/IdentityServer/IdentityServer4/pull/2512) Add parameters to IntrospectionRequestValidationResult - #2388 - [__#2509__](https://github.com/IdentityServer/IdentityServer4/issues/2509) Update all projects - [__#2508__](https://github.com/IdentityServer/IdentityServer4/issues/2508) Move all repos to ASP.NET Core 2.1 - [__#2506__](https://github.com/IdentityServer/IdentityServer4/pull/2506) add invalid uri scheme validation - [__#2489__](https://github.com/IdentityServer/IdentityServer4/issues/2489) IdentityServerAuthenticationService doesn't work well with the new dynamic/policy auth schemes in 2.1 - [__#2469__](https://github.com/IdentityServer/IdentityServer4/issues/2469) EndSession class should be public? - [__#2460__](https://github.com/IdentityServer/IdentityServer4/issues/2460) Create abstractions package for Storage models and interfaces - [__#2434__](https://github.com/IdentityServer/IdentityServer4/issues/2434) Consider redirect uri scheme blocked list - [__#2402__](https://github.com/IdentityServer/IdentityServer4/issues/2402) IdentityServer4.AspNetIdentity's ProfileService readonly filelds should be protected - [__#2393__](https://github.com/IdentityServer/IdentityServer4/pull/2393) Add details to logError in TokenRequestValidator - [__#2374__](https://github.com/IdentityServer/IdentityServer4/pull/2374) Make client secret optional while parsing basic authentication secret - [__#2359__](https://github.com/IdentityServer/IdentityServer4/issues/2359) During the cleanup token process, add support for an event when token is expired. - [__#2357__](https://github.com/IdentityServer/IdentityServer4/pull/2357) Dont log SecurityTokenExpiredException as error, since it is not - [__#2353__](https://github.com/IdentityServer/IdentityServer4/issues/2353) Sign nuget packages - [__#2300__](https://github.com/IdentityServer/IdentityServer4/issues/2300) update the generated EF sql files - [__#2299__](https://github.com/IdentityServer/IdentityServer4/issues/2299) Extract JWT payload creation to extension method - [__#2298__](https://github.com/IdentityServer/IdentityServer4/pull/2298) Extension Grant flows need all the data of the request at the final build of the claims. - [__#2285__](https://github.com/IdentityServer/IdentityServer4/issues/2285) Consider more metadata for clients and resources - [__#2284__](https://github.com/IdentityServer/IdentityServer4/pull/2284) Add support for OAuth 2.0 Device Flow [WIP] - [__#2280__](https://github.com/IdentityServer/IdentityServer4/issues/2280) Client missing description while EF Client has it. - [__#2271__](https://github.com/IdentityServer/IdentityServer4/issues/2271) AdminUI Custom Database Tables - [__#2264__](https://github.com/IdentityServer/IdentityServer4/issues/2264) ClientSecret exceeds the MaxLength value - [__#2249__](https://github.com/IdentityServer/IdentityServer4/issues/2249) Consider Properties on ApiResource and IdentityResource EF models - [__#2218__](https://github.com/IdentityServer/IdentityServer4/issues/2218) GetErrorContextAsync does not always return description. - [__#2055__](https://github.com/IdentityServer/IdentityServer4/issues/2055) Consider create datetime on ClientSecret __breaking change__ - [__#2524__](https://github.com/IdentityServer/IdentityServer4/pull/2524) Remove obsolete constructor on DefaultCustomTokenValidator

IdentityServer4 2.3.1

2018-11-30T15:37:01+00:00

As part of this release we had [5 issues](https://github.com/IdentityServer/IdentityServer4/issues?milestone=38&state=closed) closed. bug fixes __bugs__ - [__#2835__](https://github.com/IdentityServer/IdentityServer4/pull/2835) Updated ConsentPageResult to use GetIdentityServerBasePath - [__#2669__](https://github.com/IdentityServer/IdentityServer4/issues/2669) JWKS endpoint content type __enhancements__ - [__#2852__](https://github.com/IdentityServer/IdentityServer4/issues/2852) Update to latest automapper - [__#2826__](https://github.com/IdentityServer/IdentityServer4/issues/2826) Consider PersistentGrantSerializer to be singleton - [__#2822__](https://github.com/IdentityServer/IdentityServer4/issues/2822) Add version information

IdentityServer4 2.3.2

2018-12-05T10:10:56+00:00

Added explicit references to dependent assemblies.

IdentityServer4 2.4.0

2019-03-08T16:46:32+00:00

As part of this release we had [49 commits](https://github.com/IdentityServer/IdentityServer4/compare/2.3.2...2.4) which resulted in [7 issues](https://github.com/IdentityServer/IdentityServer4/milestone/42?closed=1) being closed. __bugs__ - [__#3066__](https://github.com/IdentityServer/IdentityServer4/pull/3066) Fix StringExtensions.GetOrigin throws for malformed URI #3065 - [__#3024__](https://github.com/IdentityServer/IdentityServer4/pull/3024) Added OIDC check to Default Client Config Validator - [__#2972__](https://github.com/IdentityServer/IdentityServer4/issues/2972) TokenRequestValidator.ValidateAuthorizationCodeRequestAsync: Bad logging for invalid redirect_uri __new features__ - [__#3028__](https://github.com/IdentityServer/IdentityServer4/pull/3028) Add LocalAccessTokenValidation authentication scheme - [__#3006__](https://github.com/IdentityServer/IdentityServer4/pull/3006) mutual TLS support __enhancement__ - [__#2880__](https://github.com/IdentityServer/IdentityServer4/pull/2880) AddDeviceFlowStore extension

IdentityServer4 2.5.0-preview.1

2019-05-01T09:12:11+00:00

As part of this release we had [20 issues](https://github.com/IdentityServer/IdentityServer4/milestone/40?closed=1) closed. __bugs__ - [__#3128__](https://github.com/IdentityServer/IdentityServer4/issues/3128) Latest Identity Server 4 OIDC Form Post doesn't work when run in a WinForms WebBrowser control - [__#3013__](https://github.com/IdentityServer/IdentityServer4/issues/3013) IdentityServer4.Models.ApiResourceExtensions.CloneWithScopes does not clone properties - [__#2875__](https://github.com/IdentityServer/IdentityServer4/issues/2875) code flow with fragment response mode is not allowed __enhancements__ - [__#3234__](https://github.com/IdentityServer/IdentityServer4/pull/3234) Add Client.Id and to UserLoginSuccessEvent and UserLoginFailureEvent - [__#3229__](https://github.com/IdentityServer/IdentityServer4/pull/3229) Make back channel signout a first class service - [__#3227__](https://github.com/IdentityServer/IdentityServer4/issues/3227) Recompilation required for EF.Storage with latest AutoMapper 8.1.0 due to signature change - [__#3215__](https://github.com/IdentityServer/IdentityServer4/pull/3215) LogInformation changed to LogDebug - [__#3201__](https://github.com/IdentityServer/IdentityServer4/pull/3201) Allowed usage of relative and absolute verification URIs for device authorization - [__#3193__](https://github.com/IdentityServer/IdentityServer4/issues/3193) Add validation for cors origins that aren't valid - [__#3183__](https://github.com/IdentityServer/IdentityServer4/pull/3183) Add support to carry an error description back to third party clients on authorize error results - [__#3160__](https://github.com/IdentityServer/IdentityServer4/issues/3160) PersistedGrants missing index on Expiration column - [__#3148__](https://github.com/IdentityServer/IdentityServer4/pull/3148) call flush async #3096 - [__#3143__](https://github.com/IdentityServer/IdentityServer4/pull/3143) Log request details on more log messages - [__#3139__](https://github.com/IdentityServer/IdentityServer4/issues/3139) Back-Channel Logout Token: Allow configuring additional claims - [__#3059__](https://github.com/IdentityServer/IdentityServer4/pull/3059) Fixed bug where the Subject was not being set on the ValidatedRequest and would not end up in the TokenIssuedSuccessEvent using Code flow - [__#2938__](https://github.com/IdentityServer/IdentityServer4/issues/2938) Provide more flexibility in the DefaultUserSession cookie management - [__#2884__](https://github.com/IdentityServer/IdentityServer4/issues/2884) Generate a token with claims from IdentityServerTools - [__#2859__](https://github.com/IdentityServer/IdentityServer4/issues/2859) Support HttpClientFactory for back channel signout - [__#2539__](https://github.com/IdentityServer/IdentityServer4/issues/2539) Consider Add or Replace Endpoint extension method - [__#1958__](https://github.com/IdentityServer/IdentityServer4/issues/1958) Add client_id to ErrorMessage when Authorization request failed

IdentityServer4 2.5.0-preview.2

2019-05-02T09:59:20+00:00

As part of this release we had [22 issues](https://github.com/IdentityServer/IdentityServer4/milestone/40?closed=1) closed. __bugs__ - [__#3128__](https://github.com/IdentityServer/IdentityServer4/issues/3128) Latest Identity Server 4 OIDC Form Post doesn't work when run in a WinForms WebBrowser control - [__#3013__](https://github.com/IdentityServer/IdentityServer4/issues/3013) IdentityServer4.Models.ApiResourceExtensions.CloneWithScopes does not clone properties - [__#2875__](https://github.com/IdentityServer/IdentityServer4/issues/2875) code flow with fragment response mode is not allowed __enhancements__ - [__#3241__](https://github.com/IdentityServer/IdentityServer4/pull/3241) Add support for signed authorize requests - [__#3234__](https://github.com/IdentityServer/IdentityServer4/pull/3234) Add Client.Id and to UserLoginSuccessEvent and UserLoginFailureEvent - [__#3229__](https://github.com/IdentityServer/IdentityServer4/pull/3229) Make back channel signout a first class service - [__#3227__](https://github.com/IdentityServer/IdentityServer4/issues/3227) Recompilation required for EF.Storage with latest AutoMapper 8.1.0 due to signature change - [__#3219__](https://github.com/IdentityServer/IdentityServer4/issues/3219) Add JWK support in JwtRequestValidator - [__#3215__](https://github.com/IdentityServer/IdentityServer4/pull/3215) LogInformation changed to LogDebug - [__#3201__](https://github.com/IdentityServer/IdentityServer4/pull/3201) Allowed usage of relative and absolute verification URIs for device authorization - [__#3193__](https://github.com/IdentityServer/IdentityServer4/issues/3193) Add validation for cors origins that aren't valid - [__#3183__](https://github.com/IdentityServer/IdentityServer4/pull/3183) Add support to carry an error description back to third party clients on authorize error results - [__#3160__](https://github.com/IdentityServer/IdentityServer4/issues/3160) PersistedGrants missing index on Expiration column - [__#3148__](https://github.com/IdentityServer/IdentityServer4/pull/3148) call flush async #3096 - [__#3143__](https://github.com/IdentityServer/IdentityServer4/pull/3143) Log request details on more log messages - [__#3139__](https://github.com/IdentityServer/IdentityServer4/issues/3139) Back-Channel Logout Token: Allow configuring additional claims - [__#3059__](https://github.com/IdentityServer/IdentityServer4/pull/3059) Fixed bug where the Subject was not being set on the ValidatedRequest and would not end up in the TokenIssuedSuccessEvent using Code flow - [__#2938__](https://github.com/IdentityServer/IdentityServer4/issues/2938) Provide more flexibility in the DefaultUserSession cookie management - [__#2884__](https://github.com/IdentityServer/IdentityServer4/issues/2884) Generate a token with claims from IdentityServerTools - [__#2859__](https://github.com/IdentityServer/IdentityServer4/issues/2859) Support HttpClientFactory for back channel signout - [__#2539__](https://github.com/IdentityServer/IdentityServer4/issues/2539) Consider Add or Replace Endpoint extension method - [__#1958__](https://github.com/IdentityServer/IdentityServer4/issues/1958) Add client_id to ErrorMessage when Authorization request failed

IdentityServer4 2.5.0

2019-07-12T13:42:11+00:00

As part of this release we had [44 issues](https://github.com/IdentityServer/IdentityServer4/milestone/40?closed=1) closed. __bugs__ - [__#3404__](https://github.com/IdentityServer/IdentityServer4/issues/3404) HashedSharedSecretValidator does not catch null value - [__#3391__](https://github.com/IdentityServer/IdentityServer4/pull/3391) Added check to scope validator for missing identity and api scopes - [__#3388__](https://github.com/IdentityServer/IdentityServer4/pull/3388) repro PR for Incorrect secret type for missing secret in BasicAuth #2975 - [__#3358__](https://github.com/IdentityServer/IdentityServer4/issues/3358) DefaultTokenService - access token claims without distinct - [__#3330__](https://github.com/IdentityServer/IdentityServer4/issues/3330) Object reference not set to an instance of an object - when calling RequestClientCredentialsTokenAsync - [__#3325__](https://github.com/IdentityServer/IdentityServer4/issues/3325) ids4 configured to use external ConsentUrl duplicates path in ReturnUrl - [__#3320__](https://github.com/IdentityServer/IdentityServer4/issues/3320) Include identity resource properties in GetAllResourcesAsync - [__#3282__](https://github.com/IdentityServer/IdentityServer4/issues/3282) Add vary by origin for Cache-Control on disco endpoints - [__#3128__](https://github.com/IdentityServer/IdentityServer4/issues/3128) Latest Identity Server 4 OIDC Form Post doesn't work when run in a WinForms WebBrowser control - [__#3013__](https://github.com/IdentityServer/IdentityServer4/issues/3013) IdentityServer4.Models.ApiResourceExtensions.CloneWithScopes does not clone properties - [__#2875__](https://github.com/IdentityServer/IdentityServer4/issues/2875) code flow with fragment response mode is not allowed __enhancements__ - [__#3422__](https://github.com/IdentityServer/IdentityServer4/pull/3422) Add claims transformation event to local API authN handler - [__#3409__](https://github.com/IdentityServer/IdentityServer4/pull/3409) add AddValidationKeys signature accepting X509Certificate2[] (#3383) - [__#3406__](https://github.com/IdentityServer/IdentityServer4/pull/3406) add scope to all token responses - [__#3392__](https://github.com/IdentityServer/IdentityServer4/pull/3392) Added scope param to token endpoint for device grant type - [__#3382__](https://github.com/IdentityServer/IdentityServer4/pull/3382) add message store abstraction on authorization request params - [__#3298__](https://github.com/IdentityServer/IdentityServer4/pull/3298) should never cache temporary data with no expiration - [__#3276__](https://github.com/IdentityServer/IdentityServer4/pull/3276) Handle unknown idp at login - [__#3257__](https://github.com/IdentityServer/IdentityServer4/issues/3257) Make EntityFramework.Stores\*Store.cs private fields accessible for derived Classes - [__#3254__](https://github.com/IdentityServer/IdentityServer4/pull/3254) Prototype for pluggable authN MW - [__#3243__](https://github.com/IdentityServer/IdentityServer4/pull/3243) Use Task.CompletedTask to reduce allocations - [__#3242__](https://github.com/IdentityServer/IdentityServer4/issues/3242) Consider global switch to disable request_uri feature - [__#3241__](https://github.com/IdentityServer/IdentityServer4/pull/3241) Add support for signed authorize requests - [__#3234__](https://github.com/IdentityServer/IdentityServer4/pull/3234) Add Client.Id and to UserLoginSuccessEvent and UserLoginFailureEvent - [__#3229__](https://github.com/IdentityServer/IdentityServer4/pull/3229) Make back channel signout a first class service - [__#3227__](https://github.com/IdentityServer/IdentityServer4/issues/3227) Recompilation required for EF.Storage with latest AutoMapper 8.1.0 due to signature change - [__#3219__](https://github.com/IdentityServer/IdentityServer4/issues/3219) Add JWK support in JwtRequestValidator - [__#3215__](https://github.com/IdentityServer/IdentityServer4/pull/3215) LogInformation changed to LogDebug - [__#3201__](https://github.com/IdentityServer/IdentityServer4/pull/3201) Allowed usage of relative and absolute verification URIs for device authorization - [__#3200__](https://github.com/IdentityServer/IdentityServer4/pull/3200) Device Code Cleanup - [__#3193__](https://github.com/IdentityServer/IdentityServer4/issues/3193) Add validation for cors origins that aren't valid - [__#3183__](https://github.com/IdentityServer/IdentityServer4/pull/3183) Add support to carry an error description back to third party clients on authorize error results - [__#3160__](https://github.com/IdentityServer/IdentityServer4/issues/3160) PersistedGrants missing index on Expiration column - [__#3148__](https://github.com/IdentityServer/IdentityServer4/pull/3148) call flush async #3096 - [__#3143__](https://github.com/IdentityServer/IdentityServer4/pull/3143) Log request details on more log messages - [__#3139__](https://github.com/IdentityServer/IdentityServer4/issues/3139) Back-Channel Logout Token: Allow configuring additional claims - [__#3059__](https://github.com/IdentityServer/IdentityServer4/pull/3059) Fixed bug where the Subject was not being set on the ValidatedRequest and would not end up in the TokenIssuedSuccessEvent using Code flow - [__#2938__](https://github.com/IdentityServer/IdentityServer4/issues/2938) Provide more flexibility in the DefaultUserSession cookie management - [__#2893__](https://github.com/IdentityServer/IdentityServer4/issues/2893) Make ProtectedDataMessageStore public - [__#2884__](https://github.com/IdentityServer/IdentityServer4/issues/2884) Generate a token with claims from IdentityServerTools - [__#2859__](https://github.com/IdentityServer/IdentityServer4/issues/2859) Support HttpClientFactory for back channel signout - [__#2846__](https://github.com/IdentityServer/IdentityServer4/issues/2846) Adjust "Authentication scheme Bearer is configured for IdentityServer, but it is not a scheme that supports signin (like cookies)" - [__#2539__](https://github.com/IdentityServer/IdentityServer4/issues/2539) Consider Add or Replace Endpoint extension method - [__#1958__](https://github.com/IdentityServer/IdentityServer4/issues/1958) Add client_id to ErrorMessage when Authorization request failed

IdentityServer4 2.5.1

2019-07-30T12:56:03+00:00

As part of this release we had [6 issues](https://github.com/IdentityServer/IdentityServer4/milestone/45?closed=1) closed. __bug__ - [__#3491__](https://github.com/IdentityServer/IdentityServer4/pull/3491) fix JS for automatic signout redirect __enhancements__ - [__#3478__](https://github.com/IdentityServer/IdentityServer4/pull/3478) CORS validation handling normalized URIs - [__#3464__](https://github.com/IdentityServer/IdentityServer4/pull/3464) Easier support for impersonating clients - [__#3463__](https://github.com/IdentityServer/IdentityServer4/pull/3463) Easier Authorization Code extensibility - [__#3462__](https://github.com/IdentityServer/IdentityServer4/pull/3462) Introduce separate property to hold the values of the request object - [__#3442__](https://github.com/IdentityServer/IdentityServer4/pull/3442) Set client id in user login events from resource owner password validator

IdentityServer4 2.5.2

2019-08-06T06:37:49+00:00

As part of this release we had [8 commits](https://github.com/IdentityServer/IdentityServer4/compare/2.5.1...2.5.2) which resulted in [3 issues](https://github.com/IdentityServer/IdentityServer4/milestone/46?closed=1) being closed. __bugs__ - [__#3517__](https://github.com/IdentityServer/IdentityServer4/pull/3517) Move HTTP context accessor access to a later point in JwtRequestValidator - [__#3494__](https://github.com/IdentityServer/IdentityServer4/pull/3494) Fix log exception while user authentication failed

IdentityServer4 2.5.3

2019-08-25T11:12:12+00:00

As part of this release we had [8 commits](https://github.com/IdentityServer/IdentityServer4/compare/2.5.2...2.5.3). * IdentityModel dependency was pinned to 3.x

IdentityServer4 3.0.0

2019-09-08T12:18:57+00:00

As part of this release we had [13 issues](https://github.com/IdentityServer/IdentityServer4/milestone/43?closed=1) closed. We didn't plan to make fundamental changes for this release - but since we had the opportunity, we added some important features and made some minor breaking changes to make IdentityServer more future proof. ## Updates for ASP.NET Core 3 - [__#3512__](https://github.com/IdentityServer/IdentityServer4/issues/3512) Drop netstandard2.0 and switch to netcoreapp3.0 ## Crypto update Before this release, we only supported RS256 as the signing algorithm for tokens. This release adds support for RS384, RS512, PS256, PS384, PS512, ES256, ES384 and ES512. We also added support for `s_hash`. - [__#3534__](https://github.com/IdentityServer/IdentityServer4/pull/3534) Ecdsa curve handling - [__#3527__](https://github.com/IdentityServer/IdentityServer4/issues/3527) Add support for ECDsa keys to discovery document - [__#3435__](https://github.com/IdentityServer/IdentityServer4/issues/3435) c_hash generated using wrong hashing algorithm acording to spec - [__#3511__](https://github.com/IdentityServer/IdentityServer4/pull/3511) Add support for additional signing algorithms - [__#3561__](https://github.com/IdentityServer/IdentityServer4/pull/3561) Support specific signing algorithms per validation key - [__#3584__](https://github.com/IdentityServer/IdentityServer4/pull/3584) Re-factor logic to turn Secrets into SecurityKeys ## Changes We removed the old legacy `~/resources` audience from access tokens and use a `typ` header instead. This might cause problems with some legacy JWT validation libraries and needs some testing. - [__#1961__](https://github.com/IdentityServer/IdentityServer4/issues/1961) Consider removing ~/resources audience from access tokens - [__#3513__](https://github.com/IdentityServer/IdentityServer4/pull/3513) Set typ header for access tokens ## Misc - [__#3563__](https://github.com/IdentityServer/IdentityServer4/pull/3563) Emit Integer64 for Epoch Time - [__#3415__](https://github.com/IdentityServer/IdentityServer4/issues/3415) Use same JSON.NET version as Microsoft's integration package - [__#3514__](https://github.com/IdentityServer/IdentityServer4/pull/3514) Update to IdentityModel v4 - [__#3499__](https://github.com/IdentityServer/IdentityServer4/issues/3499) Remove IdentityServerPrincipal

IdentityServer4 3.0.1

2019-09-25T14:41:05+00:00

Update to ASP.NET Core 3 RTM

IdentityServer4 3.0.2

2019-10-23T15:17:37+00:00

As part of this release we had [4 issues](https://github.com/IdentityServer/IdentityServer4/milestone/49?closed=1) closed. __bugs__ - [__#3704__](https://github.com/IdentityServer/IdentityServer4/pull/3704) Change HttpRequest/Response extension method namespace - [__#3645__](https://github.com/IdentityServer/IdentityServer4/pull/3645) Honour EnableDeviceAuthorizationEndpoint in IsEndpointEnabled __enhancements__ - [__#3760__](https://github.com/IdentityServer/IdentityServer4/pull/3760) Bring back /resources audience for legacy token validation scenarios - [__#3727__](https://github.com/IdentityServer/IdentityServer4/pull/3727) EF Core 3.0 Performance Fix

IdentityServer4 2.5.4

2019-12-11T16:16:28+00:00

__enhancements__ - [__#3602__](https://github.com/IdentityServer/IdentityServer4/pull/3602) Microsoft.AspNetCore.Authentication.Abstractions nuget package deleted - [__#3523__](https://github.com/IdentityServer/IdentityServer4/pull/3523) move logging before removal so the PromptMode is included in the logging

IdentityServer4 3.1.0

2019-12-20T16:01:31+00:00

As part of this release we had [74 commits](https://github.com/IdentityServer/IdentityServer4/compare/3.0.2...3.1) which resulted in [11 issues](https://github.com/IdentityServer/IdentityServer4/milestone/44?closed=1) being closed. __bugs__ - [__#3880__](https://github.com/IdentityServer/IdentityServer4/issues/3880) Custom URI schemes for Allowed CORS Origins failing in DefaultClientConfigurationValidator - [__#3879__](https://github.com/IdentityServer/IdentityServer4/issues/3879) Append to any existing "Vary" response header when setting response header - [__#3775__](https://github.com/IdentityServer/IdentityServer4/issues/3775) /resources claim still present in IdentityServerTools __enhancements__ - [__#3895__](https://github.com/IdentityServer/IdentityServer4/pull/3895) use asynchronous EF methods - [__#3893__](https://github.com/IdentityServer/IdentityServer4/issues/3893) Ignore invalid post_logout_redirect_uri - [__#3891__](https://github.com/IdentityServer/IdentityServer4/pull/3891) Add option to prevent automatic lower-casing of Issuer url #3600 - [__#3885__](https://github.com/IdentityServer/IdentityServer4/issues/3885) Username with empty password - TokenRequestValidator - [__#3881__](https://github.com/IdentityServer/IdentityServer4/issues/3881) Prevent current window from processing requests in check session JS - [__#3823__](https://github.com/IdentityServer/IdentityServer4/pull/3823) Cache the CheckSessionResult Script string - [__#3756__](https://github.com/IdentityServer/IdentityServer4/pull/3756) generate and return session_state for error authorization responses that are prompt=none __breaking change__ - [__#3699__](https://github.com/IdentityServer/IdentityServer4/issues/3699) Make these extension methods internal

IdentityServer4 3.1.1

2020-02-06T15:00:24+00:00

As part of this release we had [3 issues](https://github.com/IdentityServer/IdentityServer4/milestone/50?closed=1) closed. __bug__ - [__#3935__](https://github.com/IdentityServer/IdentityServer4/pull/3935) Fix user code param name in DeviceController __enhancements__ - [__#4056__](https://github.com/IdentityServer/IdentityServer4/pull/4056) Configurable JWK content type for 3.1.x - [__#4043__](https://github.com/IdentityServer/IdentityServer4/pull/4043) Add crv parameter when key is loaded from a JsonWebKey

IdentityServer4 3.1.2

2020-02-20T08:26:33+00:00

As part of this release we had [119 commits](https://github.com/IdentityServer/IdentityServer4/compare/3.1.1...3.1.2) which resulted in [1 issue](https://github.com/IdentityServer/IdentityServer4/milestone/53?closed=1) being closed. __bug__ - [__#4100__](https://github.com/IdentityServer/IdentityServer4/issues/4100) Fix TypeLoadException with 3.1.x and Microsoft Template

IdentityServer4 4.0.0-preview.3

2020-03-31T15:50:31+00:00

As part of this release we had [32 issues](https://github.com/IdentityServer/IdentityServer4/milestone/26?closed=1) closed. Next big release - after ASP.NET Core 3.1 __bugs__ - [__#4145__](https://github.com/IdentityServer/IdentityServer4/issues/4145) Error Response with invalid redirection URI on authorize endpoint - [__#4129__](https://github.com/IdentityServer/IdentityServer4/pull/4129) Fix logger category name for BackChannelLogoutHttpClient - [__#4095__](https://github.com/IdentityServer/IdentityServer4/pull/4095) Return invalid_grant when redirect_uri is invalid on token endpoint - [__#4075__](https://github.com/IdentityServer/IdentityServer4/issues/4075) Error Response with invalid redirection URI - [__#4037__](https://github.com/IdentityServer/IdentityServer4/pull/4037) Bug Fix #4036 - missing crv value when passing JsonWebKey to AddSigni… __enhancements__ - [__#4237__](https://github.com/IdentityServer/IdentityServer4/pull/4237) Make aspid profile service more extensible - [__#4235__](https://github.com/IdentityServer/IdentityServer4/pull/4235) end session changes: IsActive no longer called and no longer default to a single redirect uri - [__#4234__](https://github.com/IdentityServer/IdentityServer4/pull/4234) Use non-case sensitive string for any ids - [__#4227__](https://github.com/IdentityServer/IdentityServer4/pull/4227) switch to named HTTP clients from factory (instead of typed) - [__#4226__](https://github.com/IdentityServer/IdentityServer4/pull/4226) Reduce usage of Newtonsoft.Json - [__#4210__](https://github.com/IdentityServer/IdentityServer4/pull/4210) add sid and device description to grants table - [__#4208__](https://github.com/IdentityServer/IdentityServer4/pull/4208) add support for handling multiple prompt values - [__#4204__](https://github.com/IdentityServer/IdentityServer4/pull/4204) Add API to interaction service to return error to client - [__#4203__](https://github.com/IdentityServer/IdentityServer4/pull/4203) Improve query on cors origins. #3395 - [__#4202__](https://github.com/IdentityServer/IdentityServer4/pull/4202) include sid (if present) in access tokens #3955 - [__#4153__](https://github.com/IdentityServer/IdentityServer4/pull/4153) private_key_jwt updates - [__#4026__](https://github.com/IdentityServer/IdentityServer4/pull/4026) Added AddUserSession extension method - [__#4024__](https://github.com/IdentityServer/IdentityServer4/pull/4024) Add JAR support - [__#4019__](https://github.com/IdentityServer/IdentityServer4/pull/4019) Add client setting to require request object - [__#3979__](https://github.com/IdentityServer/IdentityServer4/pull/3979) Added notification for device code removal - [__#3969__](https://github.com/IdentityServer/IdentityServer4/pull/3969) Make cnf part of Token model - [__#3962__](https://github.com/IdentityServer/IdentityServer4/pull/3962) MTLS Update - [__#3892__](https://github.com/IdentityServer/IdentityServer4/pull/3892) V4: Multiple signing keys - [__#3761__](https://github.com/IdentityServer/IdentityServer4/issues/3761) Add a client setting to require request objects - [__#3732__](https://github.com/IdentityServer/IdentityServer4/issues/3732) Remove unused SaveChanges APIs in EF DbContext Interfaces - [__#3692__](https://github.com/IdentityServer/IdentityServer4/pull/3692) Removed obsolete code - [__#3413__](https://github.com/IdentityServer/IdentityServer4/issues/3413) IUserSession.CreateSessionIdAsync should return sid - [__#3395__](https://github.com/IdentityServer/IdentityServer4/issues/3395) Improve query on cors origins. __breaking changes__ - [__#4199__](https://github.com/IdentityServer/IdentityServer4/pull/4199) scope validation refactor - [__#3939__](https://github.com/IdentityServer/IdentityServer4/pull/3939) Update PKCE and Consent default settings on Client - [__#3888__](https://github.com/IdentityServer/IdentityServer4/pull/3888) Cleanup SignInAsync extension methods - [__#3887__](https://github.com/IdentityServer/IdentityServer4/pull/3887) V4: Make client claims serialization friendly

IdentityServer4 3.1.3

2020-04-27T07:36:39+00:00

__Bug__ - [__#3981__](https://github.com/IdentityServer/IdentityServer4/pull/3981) Updated cache expiration to use current time

IdentityServer4 4.0.0-preview.4

2020-05-07T15:42:09+00:00

As part of this release we had [42 issues](https://github.com/IdentityServer/IdentityServer4/milestone/26?closed=1) closed. Next big release - after ASP.NET Core 3.1 __bugs__ - [__#4290__](https://github.com/IdentityServer/IdentityServer4/pull/4290) Fix cnf format for MTLS - [__#4268__](https://github.com/IdentityServer/IdentityServer4/issues/4268) AddOidcStateDataFormatterCache broken with new JSON serializer - [__#4145__](https://github.com/IdentityServer/IdentityServer4/issues/4145) Error Response with invalid redirection URI on authorize endpoint - [__#4129__](https://github.com/IdentityServer/IdentityServer4/pull/4129) Fix logger category name for BackChannelLogoutHttpClient - [__#4095__](https://github.com/IdentityServer/IdentityServer4/pull/4095) Return invalid_grant when redirect_uri is invalid on token endpoint - [__#4075__](https://github.com/IdentityServer/IdentityServer4/issues/4075) Error Response with invalid redirection URI - [__#4037__](https://github.com/IdentityServer/IdentityServer4/pull/4037) Bug Fix #4036 - missing crv value when passing JsonWebKey to AddSigni… __enhancements__ - [__#4361__](https://github.com/IdentityServer/IdentityServer4/pull/4361) Extend JWT token validation to accept space separated scopes - [__#4360__](https://github.com/IdentityServer/IdentityServer4/pull/4360) Adapt JWT request validation to latest JAR spec - [__#4357__](https://github.com/IdentityServer/IdentityServer4/pull/4357) Add iat to access tokens - [__#4352__](https://github.com/IdentityServer/IdentityServer4/pull/4352) Emit jti by default - [__#4343__](https://github.com/IdentityServer/IdentityServer4/pull/4343) Add option to set SameSite mode for internal cookies - [__#4342__](https://github.com/IdentityServer/IdentityServer4/pull/4342) Add option to emit scopes as space separated string in JWT (as opposed to array) - [__#4245__](https://github.com/IdentityServer/IdentityServer4/pull/4245) Strict redirect uri validator app auth with path - [__#4237__](https://github.com/IdentityServer/IdentityServer4/pull/4237) Make aspid profile service more extensible - [__#4235__](https://github.com/IdentityServer/IdentityServer4/pull/4235) end session changes: IsActive no longer called and no longer default to a single redirect uri - [__#4234__](https://github.com/IdentityServer/IdentityServer4/pull/4234) Use non-case sensitive string for any ids - [__#4227__](https://github.com/IdentityServer/IdentityServer4/pull/4227) switch to named HTTP clients from factory (instead of typed) - [__#4226__](https://github.com/IdentityServer/IdentityServer4/pull/4226) Reduce usage of Newtonsoft.Json - [__#4210__](https://github.com/IdentityServer/IdentityServer4/pull/4210) add sid and device description to grants table - [__#4208__](https://github.com/IdentityServer/IdentityServer4/pull/4208) add support for handling multiple prompt values - [__#4204__](https://github.com/IdentityServer/IdentityServer4/pull/4204) Add API to interaction service to return error to client - [__#4203__](https://github.com/IdentityServer/IdentityServer4/pull/4203) Improve query on cors origins. #3395 - [__#4202__](https://github.com/IdentityServer/IdentityServer4/pull/4202) include sid (if present) in access tokens #3955 - [__#4153__](https://github.com/IdentityServer/IdentityServer4/pull/4153) private_key_jwt updates - [__#4026__](https://github.com/IdentityServer/IdentityServer4/pull/4026) Added AddUserSession extension method - [__#4024__](https://github.com/IdentityServer/IdentityServer4/pull/4024) Add JAR support - [__#4019__](https://github.com/IdentityServer/IdentityServer4/pull/4019) Add client setting to require request object - [__#3979__](https://github.com/IdentityServer/IdentityServer4/pull/3979) Added notification for device code removal - [__#3969__](https://github.com/IdentityServer/IdentityServer4/pull/3969) Make cnf part of Token model - [__#3962__](https://github.com/IdentityServer/IdentityServer4/pull/3962) MTLS Update - [__#3892__](https://github.com/IdentityServer/IdentityServer4/pull/3892) V4: Multiple signing keys - [__#3761__](https://github.com/IdentityServer/IdentityServer4/issues/3761) Add a client setting to require request objects - [__#3732__](https://github.com/IdentityServer/IdentityServer4/issues/3732) Remove unused SaveChanges APIs in EF DbContext Interfaces - [__#3692__](https://github.com/IdentityServer/IdentityServer4/pull/3692) Removed obsolete code - [__#3413__](https://github.com/IdentityServer/IdentityServer4/issues/3413) IUserSession.CreateSessionIdAsync should return sid - [__#3395__](https://github.com/IdentityServer/IdentityServer4/issues/3395) Improve query on cors origins. __breaking changes__ - [__#4335__](https://github.com/IdentityServer/IdentityServer4/pull/4335) Remove public origin setting - [__#4199__](https://github.com/IdentityServer/IdentityServer4/pull/4199) scope validation refactor - [__#3939__](https://github.com/IdentityServer/IdentityServer4/pull/3939) Update PKCE and Consent default settings on Client - [__#3888__](https://github.com/IdentityServer/IdentityServer4/pull/3888) Cleanup SignInAsync extension methods - [__#3887__](https://github.com/IdentityServer/IdentityServer4/pull/3887) V4: Make client claims serialization friendly

IdentityServer4 4.0.0-preview.5

2020-05-18T12:58:07+00:00

As part of this release we had [44 issues](https://github.com/IdentityServer/IdentityServer4/milestone/26?closed=1) closed. Next big release - after ASP.NET Core 3.1 __bugs__ - [__#4290__](https://github.com/IdentityServer/IdentityServer4/pull/4290) Fix cnf format for MTLS - [__#4268__](https://github.com/IdentityServer/IdentityServer4/issues/4268) AddOidcStateDataFormatterCache broken with new JSON serializer - [__#4145__](https://github.com/IdentityServer/IdentityServer4/issues/4145) Error Response with invalid redirection URI on authorize endpoint - [__#4129__](https://github.com/IdentityServer/IdentityServer4/pull/4129) Fix logger category name for BackChannelLogoutHttpClient - [__#4095__](https://github.com/IdentityServer/IdentityServer4/pull/4095) Return invalid_grant when redirect_uri is invalid on token endpoint - [__#4075__](https://github.com/IdentityServer/IdentityServer4/issues/4075) Error Response with invalid redirection URI - [__#4037__](https://github.com/IdentityServer/IdentityServer4/pull/4037) Bug Fix #4036 - missing crv value when passing JsonWebKey to AddSigni… __enhancements__ - [__#4390__](https://github.com/IdentityServer/IdentityServer4/pull/4390) enhancements to add logout notification service as first class service - [__#4376__](https://github.com/IdentityServer/IdentityServer4/pull/4376) Features/grants enhancements - [__#4361__](https://github.com/IdentityServer/IdentityServer4/pull/4361) Extend JWT token validation to accept space separated scopes - [__#4360__](https://github.com/IdentityServer/IdentityServer4/pull/4360) Adapt JWT request validation to latest JAR spec - [__#4357__](https://github.com/IdentityServer/IdentityServer4/pull/4357) Add iat to access tokens - [__#4352__](https://github.com/IdentityServer/IdentityServer4/pull/4352) Emit jti by default - [__#4343__](https://github.com/IdentityServer/IdentityServer4/pull/4343) Add option to set SameSite mode for internal cookies - [__#4342__](https://github.com/IdentityServer/IdentityServer4/pull/4342) Add option to emit scopes as space separated string in JWT (as opposed to array) - [__#4245__](https://github.com/IdentityServer/IdentityServer4/pull/4245) Strict redirect uri validator app auth with path - [__#4237__](https://github.com/IdentityServer/IdentityServer4/pull/4237) Make aspid profile service more extensible - [__#4235__](https://github.com/IdentityServer/IdentityServer4/pull/4235) end session changes: IsActive no longer called and no longer default to a single redirect uri - [__#4234__](https://github.com/IdentityServer/IdentityServer4/pull/4234) Use non-case sensitive string for any ids - [__#4227__](https://github.com/IdentityServer/IdentityServer4/pull/4227) switch to named HTTP clients from factory (instead of typed) - [__#4226__](https://github.com/IdentityServer/IdentityServer4/pull/4226) Reduce usage of Newtonsoft.Json - [__#4210__](https://github.com/IdentityServer/IdentityServer4/pull/4210) add sid and device description to grants table - [__#4208__](https://github.com/IdentityServer/IdentityServer4/pull/4208) add support for handling multiple prompt values - [__#4204__](https://github.com/IdentityServer/IdentityServer4/pull/4204) Add API to interaction service to return error to client - [__#4203__](https://github.com/IdentityServer/IdentityServer4/pull/4203) Improve query on cors origins. #3395 - [__#4202__](https://github.com/IdentityServer/IdentityServer4/pull/4202) include sid (if present) in access tokens #3955 - [__#4153__](https://github.com/IdentityServer/IdentityServer4/pull/4153) private_key_jwt updates - [__#4026__](https://github.com/IdentityServer/IdentityServer4/pull/4026) Added AddUserSession extension method - [__#4024__](https://github.com/IdentityServer/IdentityServer4/pull/4024) Add JAR support - [__#4019__](https://github.com/IdentityServer/IdentityServer4/pull/4019) Add client setting to require request object - [__#3979__](https://github.com/IdentityServer/IdentityServer4/pull/3979) Added notification for device code removal - [__#3969__](https://github.com/IdentityServer/IdentityServer4/pull/3969) Make cnf part of Token model - [__#3962__](https://github.com/IdentityServer/IdentityServer4/pull/3962) MTLS Update - [__#3892__](https://github.com/IdentityServer/IdentityServer4/pull/3892) V4: Multiple signing keys - [__#3761__](https://github.com/IdentityServer/IdentityServer4/issues/3761) Add a client setting to require request objects - [__#3732__](https://github.com/IdentityServer/IdentityServer4/issues/3732) Remove unused SaveChanges APIs in EF DbContext Interfaces - [__#3692__](https://github.com/IdentityServer/IdentityServer4/pull/3692) Removed obsolete code - [__#3413__](https://github.com/IdentityServer/IdentityServer4/issues/3413) IUserSession.CreateSessionIdAsync should return sid - [__#3395__](https://github.com/IdentityServer/IdentityServer4/issues/3395) Improve query on cors origins. __breaking changes__ - [__#4335__](https://github.com/IdentityServer/IdentityServer4/pull/4335) Remove public origin setting - [__#4199__](https://github.com/IdentityServer/IdentityServer4/pull/4199) scope validation refactor - [__#3939__](https://github.com/IdentityServer/IdentityServer4/pull/3939) Update PKCE and Consent default settings on Client - [__#3888__](https://github.com/IdentityServer/IdentityServer4/pull/3888) Cleanup SignInAsync extension methods - [__#3887__](https://github.com/IdentityServer/IdentityServer4/pull/3887) V4: Make client claims serialization friendly

IdentityServer4 4.0.0-preview.6

2020-06-12T13:19:37+00:00

As part of this release we had [58 issues](https://github.com/IdentityServer/IdentityServer4/milestone/26?closed=1) closed. Next big release - after ASP.NET Core 3.1 __bugs__ - [__#4498__](https://github.com/IdentityServer/IdentityServer4/pull/4498) fix infinite loop in Token Cleanup after concurrency exception - [__#4496__](https://github.com/IdentityServer/IdentityServer4/pull/4496) AuthorizeInteractionResponseGenerator : MaxAge does not respect prompt=none - [__#4368__](https://github.com/IdentityServer/IdentityServer4/issues/4368) How to add a custom implementation (e.g. WsFederation) of IReturnUrlParser if everything is internal set in AuthorizationRequest class in next v4.x ? - [__#4295__](https://github.com/IdentityServer/IdentityServer4/issues/4295) DefaultClientConfigurationValidator bug - [__#4290__](https://github.com/IdentityServer/IdentityServer4/pull/4290) Fix cnf format for MTLS - [__#4268__](https://github.com/IdentityServer/IdentityServer4/issues/4268) AddOidcStateDataFormatterCache broken with new JSON serializer - [__#4173__](https://github.com/IdentityServer/IdentityServer4/issues/4173) Duplicate UserLoginSuccess/Failure events when using resource owner grant and IdentityServer4.AspNetIdentity - [__#4145__](https://github.com/IdentityServer/IdentityServer4/issues/4145) Error Response with invalid redirection URI on authorize endpoint - [__#4129__](https://github.com/IdentityServer/IdentityServer4/pull/4129) Fix logger category name for BackChannelLogoutHttpClient - [__#4095__](https://github.com/IdentityServer/IdentityServer4/pull/4095) Return invalid_grant when redirect_uri is invalid on token endpoint - [__#4075__](https://github.com/IdentityServer/IdentityServer4/issues/4075) Error Response with invalid redirection URI - [__#4037__](https://github.com/IdentityServer/IdentityServer4/pull/4037) Bug Fix #4036 - missing crv value when passing JsonWebKey to AddSigni… __enhancements__ - [__#4504__](https://github.com/IdentityServer/IdentityServer4/pull/4504) Update error handling for invalid response modes - [__#4502__](https://github.com/IdentityServer/IdentityServer4/pull/4502) Update form content check to reject multipart forms - [__#4501__](https://github.com/IdentityServer/IdentityServer4/pull/4501) Update authorization code validation to do client binding check before deleting the code in the store - [__#4499__](https://github.com/IdentityServer/IdentityServer4/pull/4499) Allow setting domain on SessionIdCookie #4406 - [__#4444__](https://github.com/IdentityServer/IdentityServer4/pull/4444) Make sensitive data filters configurable - [__#4439__](https://github.com/IdentityServer/IdentityServer4/pull/4439) namespace cleanup/refactor in host (to support templates) - [__#4428__](https://github.com/IdentityServer/IdentityServer4/pull/4428) add consumedtime to persisted grant and refresh token - [__#4427__](https://github.com/IdentityServer/IdentityServer4/pull/4427) Features/bootstrap update - [__#4409__](https://github.com/IdentityServer/IdentityServer4/pull/4409) Add strict JAR mode - [__#4390__](https://github.com/IdentityServer/IdentityServer4/pull/4390) enhancements to add logout notification service as first class service - [__#4376__](https://github.com/IdentityServer/IdentityServer4/pull/4376) Features/grants enhancements - [__#4361__](https://github.com/IdentityServer/IdentityServer4/pull/4361) Extend JWT token validation to accept space separated scopes - [__#4360__](https://github.com/IdentityServer/IdentityServer4/pull/4360) Adapt JWT request validation to latest JAR spec - [__#4357__](https://github.com/IdentityServer/IdentityServer4/pull/4357) Add iat to access tokens - [__#4352__](https://github.com/IdentityServer/IdentityServer4/pull/4352) Emit jti by default - [__#4343__](https://github.com/IdentityServer/IdentityServer4/pull/4343) Add option to set SameSite mode for internal cookies - [__#4342__](https://github.com/IdentityServer/IdentityServer4/pull/4342) Add option to emit scopes as space separated string in JWT (as opposed to array) - [__#4245__](https://github.com/IdentityServer/IdentityServer4/pull/4245) Strict redirect uri validator app auth with path - [__#4237__](https://github.com/IdentityServer/IdentityServer4/pull/4237) Make aspid profile service more extensible - [__#4235__](https://github.com/IdentityServer/IdentityServer4/pull/4235) end session changes: IsActive no longer called and no longer default to a single redirect uri - [__#4234__](https://github.com/IdentityServer/IdentityServer4/pull/4234) Use non-case sensitive string for any ids - [__#4227__](https://github.com/IdentityServer/IdentityServer4/pull/4227) switch to named HTTP clients from factory (instead of typed) - [__#4226__](https://github.com/IdentityServer/IdentityServer4/pull/4226) Reduce usage of Newtonsoft.Json - [__#4210__](https://github.com/IdentityServer/IdentityServer4/pull/4210) add sid and device description to grants table - [__#4208__](https://github.com/IdentityServer/IdentityServer4/pull/4208) add support for handling multiple prompt values - [__#4204__](https://github.com/IdentityServer/IdentityServer4/pull/4204) Add API to interaction service to return error to client - [__#4203__](https://github.com/IdentityServer/IdentityServer4/pull/4203) Improve query on cors origins. #3395 - [__#4202__](https://github.com/IdentityServer/IdentityServer4/pull/4202) include sid (if present) in access tokens #3955 - [__#4153__](https://github.com/IdentityServer/IdentityServer4/pull/4153) private_key_jwt updates - [__#4026__](https://github.com/IdentityServer/IdentityServer4/pull/4026) Added AddUserSession extension method - [__#4024__](https://github.com/IdentityServer/IdentityServer4/pull/4024) Add JAR support - [__#4019__](https://github.com/IdentityServer/IdentityServer4/pull/4019) Add client setting to require request object - [__#3979__](https://github.com/IdentityServer/IdentityServer4/pull/3979) Added notification for device code removal - [__#3969__](https://github.com/IdentityServer/IdentityServer4/pull/3969) Make cnf part of Token model - [__#3962__](https://github.com/IdentityServer/IdentityServer4/pull/3962) MTLS Update - [__#3892__](https://github.com/IdentityServer/IdentityServer4/pull/3892) V4: Multiple signing keys - [__#3761__](https://github.com/IdentityServer/IdentityServer4/issues/3761) Add a client setting to require request objects - [__#3732__](https://github.com/IdentityServer/IdentityServer4/issues/3732) Remove unused SaveChanges APIs in EF DbContext Interfaces - [__#3692__](https://github.com/IdentityServer/IdentityServer4/pull/3692) Removed obsolete code - [__#3413__](https://github.com/IdentityServer/IdentityServer4/issues/3413) IUserSession.CreateSessionIdAsync should return sid - [__#3395__](https://github.com/IdentityServer/IdentityServer4/issues/3395) Improve query on cors origins. __breaking changes__ - [__#4335__](https://github.com/IdentityServer/IdentityServer4/pull/4335) Remove public origin setting - [__#4199__](https://github.com/IdentityServer/IdentityServer4/pull/4199) scope validation refactor - [__#3939__](https://github.com/IdentityServer/IdentityServer4/pull/3939) Update PKCE and Consent default settings on Client - [__#3888__](https://github.com/IdentityServer/IdentityServer4/pull/3888) Cleanup SignInAsync extension methods - [__#3887__](https://github.com/IdentityServer/IdentityServer4/pull/3887) V4: Make client claims serialization friendly

IdentityServer4 4.0.0

2020-06-19T07:21:25+00:00

IdentityServer4 4.0.1

2020-06-29T13:46:29+00:00

As part of this release we had [1 issue](https://github.com/IdentityServer/IdentityServer4/milestone/56?closed=1) closed. __bug__ - [__#4577__](https://github.com/IdentityServer/IdentityServer4/pull/4577) fix exception with prompt=login

IdentityServer4 4.0.2

2020-07-03T16:14:45+00:00

As part of this release we had [2 issues](https://github.com/IdentityServer/IdentityServer4/milestone/57?closed=1) closed. __bug__ - [__#4615__](https://github.com/IdentityServer/IdentityServer4/pull/4615) Fix custom redirect after ProcessLogin for custom authorize response generators __enhancement__ - [__#4616__](https://github.com/IdentityServer/IdentityServer4/pull/4616) validate filter values on db results

IdentityServer4 3.1.4

2020-07-05T14:24:04+00:00

As part of this release we had [2 issues](https://github.com/IdentityServer/IdentityServer4/milestone/55?closed=1) closed. __bug__ - [__#4240__](https://github.com/IdentityServer/IdentityServer4/pull/4240) Fix UserLoginFailureEvent raised with interactive=true in resource owner grant flow __enhancement__ - [__#4618__](https://github.com/IdentityServer/IdentityServer4/pull/4618) validate filter values on db results

IdentityServer4 4.0.3

2020-07-21T15:29:56+00:00

As part of this release we had [4 issues](https://github.com/IdentityServer/IdentityServer4/milestone/58?closed=1) closed. __bugs__ - [__#4670__](https://github.com/IdentityServer/IdentityServer4/pull/4670) defer calls to perform signout work to avoid re-entry recursion issue with AspId - [__#4641__](https://github.com/IdentityServer/IdentityServer4/issues/4641) Fix exception message when no matching signing algorithm can be found __enhancements__ - [__#4611__](https://github.com/IdentityServer/IdentityServer4/pull/4611) Allow AutoMapper 10 - [__#4575__](https://github.com/IdentityServer/IdentityServer4/pull/4575) Reduce log level for expired secrets

IdentityServer4 4.0.4

2020-07-24T07:21:14+00:00

As part of this release we had [2 issues](https://github.com/IdentityServer/IdentityServer4/milestone/60?closed=1) closed. __bug__ - [__#4677__](https://github.com/IdentityServer/IdentityServer4/pull/4677) make AutoMapper v10 the min version __enhancement__ - [__#4649__](https://github.com/IdentityServer/IdentityServer4/pull/4649) Fix 401 malformed WWW-Authenticate

IdentityServer4 4.1.0

2020-09-14T17:54:01+00:00

As part of this release we had [13 issues](https://github.com/IdentityServer/IdentityServer4/milestone/61?closed=1) closed. __bugs__ - [__#4854__](https://github.com/IdentityServer/IdentityServer4/pull/4854) only re-issue session cookie when client added #4812 - [__#4852__](https://github.com/IdentityServer/IdentityServer4/pull/4852) add defensive check to fix bug for when session is expired #4844 - [__#4851__](https://github.com/IdentityServer/IdentityServer4/pull/4851) fix serialization bug on LogoutRequest.Parameters #4655 - [__#4850__](https://github.com/IdentityServer/IdentityServer4/pull/4850) ensure consumed time is utc - [__#4849__](https://github.com/IdentityServer/IdentityServer4/pull/4849) fix bug for consent is saved regardless of RememberConsent - [__#4833__](https://github.com/IdentityServer/IdentityServer4/issues/4833) Consent is saved regardless of RememberConsent checkbox value - [__#4812__](https://github.com/IdentityServer/IdentityServer4/issues/4812) Sliding Cookies not working for implicit flow in IdentityServer4 v4.x - [__#4712__](https://github.com/IdentityServer/IdentityServer4/pull/4712) fix multiple WWW-Authenticate header to one __enhancements__ - [__#4870__](https://github.com/IdentityServer/IdentityServer4/issues/4870) Update JAR mime type - [__#4868__](https://github.com/IdentityServer/IdentityServer4/pull/4868) Make identity server work with publish single file in .NET 5.0 - [__#4853__](https://github.com/IdentityServer/IdentityServer4/pull/4853) add more defensive check on check session endpoint #4051 - [__#4794__](https://github.com/IdentityServer/IdentityServer4/pull/4794) Add missing awaits on CachingClientStore and CachingResourceStore - [__#4744__](https://github.com/IdentityServer/IdentityServer4/pull/4744) Introduce LoggingOptions.AuthorizeRequestSensitiveValuesFilter

IdentityServer4 4.1.1

2020-10-07T14:04:02+00:00

As part of this release we had [6 issues](https://github.com/IdentityServer/IdentityServer4/milestone/62?closed=1) closed. __bugs__ - [__#4951__](https://github.com/IdentityServer/IdentityServer4/pull/4951) Add null check before setting consumedTime - [__#4948__](https://github.com/IdentityServer/IdentityServer4/pull/4948) DefaultClaimsService.GetIdentityTokenClaimsAsync uses wrong Resource parameter for ProfileData - [__#4929__](https://github.com/IdentityServer/IdentityServer4/issues/4929) Typo in DefaultClaimsService.cs __enhancements__ - [__#4942__](https://github.com/IdentityServer/IdentityServer4/pull/4942) Obfuscate refresh token and authorization code in logs - [__#4935__](https://github.com/IdentityServer/IdentityServer4/pull/4935) Update to Message to enable deserialization in .NET 5.0-rc1 - [__#4711__](https://github.com/IdentityServer/IdentityServer4/pull/4711) Allow setting SameSite mode of the SessionId cookie

IdentityServer4 4.1.2

2021-07-07T12:42:11+00:00

minor bug fixes