# chore(deps): Bump OpenIddict.EntityFrameworkCore from 5.8.0 to 7.5.0 #116

Closed

dependabot[bot] wants to merge 1 commit into main from dependabot/nuget/OpenIddict.EntityFrameworkCore-7.5.0

Conversation

dependabot[bot] (Contributor) commented on behalf of github on May 25, 2026

Updated OpenIddict.EntityFrameworkCore from 5.8.0 to 7.5.0.

Release notes

Sourced from OpenIddict.EntityFrameworkCore's releases.

## 7.5.0

> [!CAUTION]
> Earlier today, the ASP.NET team released an out-of-band 10.0.7 update to fix a critical vulnerability in the ASP.NET Core Data Protection library used by OpenIddict and multiple components in ASP.NET Core itself (including the cookie authentication handler). For more information about the CVE-2026-40372 vulnerability and to determine whether your application is affected, read dotnet/announcements#395 and https://devblogs.microsoft.com/dotnet/dotnet-10-0-7-oob-security-update/. Additional information can also be found in dotnet/aspnetcore#66335.
>
> If your application is affected by the CVE-2026-40372 vulnerability, immediate action is strongly advised: not updating impacted applications will leave them vulnerable to chosen-ciphertext and padding oracle attacks, resulting in elevation of privilege attacks being possible.
>
> Recommended actions:
>
>   - If possible, review your application/web server/reverse proxy logs to determine whether the security flaw was actively used by malicious actors to leak sensitive cryptographic material or to manipulate legitimate authentication cookies/tokens by changing specific bits in the ciphertext.
>
>   - Apply the recommendations listed in Microsoft Security Advisory CVE-2026-40372 – ASP.NET Core Elevation of Privilege (dotnet/announcements#395) by revoking all the existing ASP.NET Core Data Protection master keys (e.g using the `IKeyManager.RevokeAllKeys()` API): doing so will ensure secrets protected before migrating to the fixed Microsoft.AspNetCore.DataProtection version - including authentication cookies produced by the ASP.NET Core cookie authentication handler (and ASP.NET Core Data Protection tokens generated by OpenIddict if the JWT format was opted out) - will be immediately rejected when trying to unprotect them.
>
>   - Even if you're not using ASP.NET Core Data Protection as the token format for any type of token in OpenIddict, revoke all the existing OpenIddict tokens using the `IOpenIddictTokenManager.RevokeAsync()` API to force client applications to acquire new sets of tokens for all their users: doing so will ensure refresh tokens generated by the OpenIddict server will be rejected when trying to redeem them. While this will force users to re-execute an authorization flow and re-authenticate, this step is essential to ensure chains of tokens generated from `ClaimsPrincipal` instances whose claims were directly copied or indirectly inferred from ambient user identities (typically persisted in authentication cookies protected by ASP.NET Core Data Protection) will not live forever and will be rejected when trying to redeem them.
>
> ```csharp
> await using (var scope = app.Services.CreateAsyncScope())
> {
>     // Revoke all the existing tokens, independently of their current status or type.
>     //
>     // Note: on EF Core 8.0+ and MongoDB, the process should be very efficient as batch
>     // updates are used by default to change the status of the tokens in the database.
>     var manager = scope.ServiceProvider.GetRequiredService<IOpenIddictTokenManager>();
>     await manager.RevokeAsync(subject: null, client: null, status: null, type: null);
> }
> ```
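As an added example (not code from the OpenIddict release notes), the two revocation steps recommended above combined into one hypothetical helper that is run once after the fixed Microsoft.AspNetCore.DataProtection package has been deployed; the `IHost app` parameter, the 90-day lifetime of the replacement key and the use of the count returned by `RevokeAsync()` are assumptions:

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;
using OpenIddict.Abstractions;

// Hypothetical one-shot remediation helper (not part of OpenIddict). Call it once from
// Program.cs after the host is built and the patched Data Protection package is in place.
// Both steps are idempotent, so re-running it is safe, but note that revoking keys affects
// every application that shares the same Data Protection key ring.
public static class DataProtectionIncidentRemediation
{
    public static async Task<long> RunAsync(IHost app, CancellationToken cancellationToken = default)
    {
        await using var scope = app.Services.CreateAsyncScope();
        var provider = scope.ServiceProvider;
        var logger = provider.GetRequiredService<ILoggerFactory>()
            .CreateLogger(nameof(DataProtectionIncidentRemediation));

        // Step 1: revoke every Data Protection key that existed before the fix. Anything protected
        // with those keys (authentication cookies, OpenIddict Data Protection-formatted tokens,
        // antiforgery tokens, ...) is rejected from now on when an attempt is made to unprotect it.
        var keyManager = provider.GetRequiredService<IKeyManager>();
        keyManager.RevokeAllKeys(
            revocationDate: DateTimeOffset.UtcNow,
            reason: "CVE-2026-40372 remediation: keys in use before the fixed Data Protection release");

        // Create a fresh default key right away so there is no window without a usable key
        // (the key ring would otherwise auto-generate one on first use when AutoGenerateKeys is on).
        // The 90-day lifetime mirrors the Data Protection default and is an assumption here.
        keyManager.CreateNewKey(
            activationDate: DateTimeOffset.UtcNow,
            expirationDate: DateTimeOffset.UtcNow.AddDays(90));

        // Step 2: revoke every OpenIddict token regardless of subject, client, status or type so
        // that refresh tokens (and reference tokens) derived from possibly forged cookies can no
        // longer be redeemed. Users will have to run the authorization flow again.
        var tokenManager = provider.GetRequiredService<IOpenIddictTokenManager>();
        var revoked = await tokenManager.RevokeAsync(
            subject: null, client: null, status: null, type: null, cancellationToken);

        logger.LogWarning("Revoked all Data Protection keys and {Count} OpenIddict tokens.", revoked);
        return revoked; // assumption: RevokeAsync reports the number of tokens it revoked
    }
}
```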

This release introduces the following changes:

  - The `ClaimTypes.NameIdentifier`, `ClaimTypes.Name` and `ClaimTypes.Email` WS-Federation claims manually added to `ProcessAuthenticationContext.MergedPrincipal` are now preserved instead of being overwritten by OpenIddict when mapping OpenID Connect/non-standard claims to their WS-Federation equivalent (thanks @ax0l0tl! ❤️)

  - The net8.0, net9.0 and net10.0 versions of the OpenIddict.Client.DataProtection, OpenIddict.Server.DataProtection and OpenIddict.Validation.DataProtection packages now reference the Microsoft.AspNetCore.DataProtection package instead of the Microsoft.AspNetCore.App framework.

  - Configuration delegates registered by the web provider integrations now run earlier to ensure invalid options are caught without waiting for `IOptionsMonitor<OpenIddictClientOptions>.CurrentValue` to be called.

  - All the .NET and third-party dependencies have been updated to their latest version.

> [!NOTE]
> The ASP.NET team recently announced that ASP.NET Core 2.3 will no longer be supported after April 2027, which will result in important TFM and dependencies changes in the next version of OpenIddict. Developers using the OpenIddict packages in .NET Framework applications or in .NET Standard libraries are invited to read these threads and evaluate whether their applications may be affected by these changes:

## 7.4.0

This release introduces the following changes:

  - The new mTLS-based OAuth 2.0 client authentication feature introduced in the previous version can now be used with the standard client credentials grant.

  - The mTLS token binding implementation was updated to support anonymous clients (in this case, the base `SelfSignedTlsClientAuthenticationPolicy` instance attached to the server options is directly used and the `IOpenIddictApplicationManager.GetSelfSignedTlsClientAuthenticationPolicyAsync()`/`IOpenIddictApplicationManager.ValidateSelfSignedTlsClientCertificateAsync()` APIs are not used).

  - The `OpenIddict.Client.SystemIntegration` package now restores the ambient request for marshalled authentication demands so that the `OpenIddictRequest` instance can be accessed from a custom event handler during a call to the `AuthenticateInteractivelyAsync()` method.

  - A new `DisableIssuerParameterValidation` flag was introduced to allow disabling the built-in logic used to validate the `iss` authorization response parameter. Due to openiddict/openiddict-core#2428 (Google OIDC IdP returns `iss` parameter without declaring `authorization_response_iss_parameter_supported` in metadata), this flag is set to `true` for the Google provider for now.

## 7.3.0

This release introduces the following changes:

  - Mutual TLS authentication is now fully supported by the server and validation stacks for both OAuth 2.0 client authentication and token binding (mTLS support in the client stack was introduced in OpenIddict 6.0). For more information on how to set up mTLS, read Mutual TLS authentication.

  - Client secrets are still fully supported but the XML documentation was updated to discourage using them when possible. Instead, developers are encouraged to use either assertion-based client authentication or mTLS-based client authentication, as both offer a higher security level than shared secrets.

  - Client-side mTLS support was moved from `OpenIddict.Client.SystemNetHttp` to `OpenIddict.Client` and is now a first-class citizen. As part of this task, the existing `TlsClientAuthenticationCertificateSelector` and `SelfSignedTlsClientAuthenticationCertificateSelector` options present in `OpenIddictClientSystemNetHttpOptions` and `OpenIddictValidationSystemNetHttpOptions` have been marked as deprecated and are no longer used as they didn't allow flowing certificates dynamically (which is required for mTLS token binding using certificates generated on-the-fly). Instead, developers who need to dynamically override the default TLS client certificates selection logic are now invited to create custom event handlers for the `ProcessAuthenticationContext` event and use the new `*EndpointClientCertificate` properties.

  - `OpenIddictClientService` now allows attaching custom token request parameters via `InteractiveAuthenticationRequest.AdditionalTokenRequestParameters`. As part of this change, handling of redirection and post-logout redirection requests by the `OpenIddict.Client.SystemIntegration` has been improved: token and userinfo requests are no longer sent as part of the callback request itself but when `OpenIddictClientService.AuthenticateInteractivelyAsync()` is called by the application to finalize the authentication process.

  - OpenIddict now uses 4096-bit RSA keys for development certificates and ephemeral keys (see openiddict/openiddict-core#2415, Bump the key size of RSA keys used to generate ephemeral keys and development certificates, for more information).

  - A new token validation check has been introduced in the client, server and validation stacks to detect when the payload associated with a reference token entry - stolen by a malicious actor from the server database - is directly used instead of the expected reference identifier.

  - The osu! service is now supported by the `OpenIddict.Client.WebIntegration` package (thanks @gehongyan! ❤️).

  - A dedicated prompt setting was added to the Google web provider (thanks @StellaAlexis! ❤️).

  - An incorrect exception message reference was fixed (thanks @JarieTimmer! ❤️).

  - The entire code base was updated to use polyfills when targeting older .NET/.NET Framework/.NET Standard targets.

  - All the .NET and third-party dependencies have been updated to the latest versions.

> [!WARNING]
> Multiple reports indicate that Google is progressively applying a breaking change affecting the Google web provider offered by the `OpenIddict.Client.WebIntegration` package. For more information on the root cause and the recommended workaround, see openiddict/openiddict-core#2428 and https://issuetracker.google.com/issues/479882107.

## 7.2.0

This release introduces the following changes:

  - Following today's .NET 10.0 release, all the OpenIddict packages now offer a .NET 10.0 target framework moniker referencing .NET Extensions packages version 10.0.

  - `OpenIddict.Client.WebIntegration` now supports Figma.

  - The net8.0-android34.0, net8.0-ios18.0, net8.0-maccatalyst18.0 and net8.0-macos15.0 target framework monikers are no longer supported by Microsoft and have been removed from the `OpenIddict.Client.SystemIntegration` package and the OpenIddict metapackage. Users of the `OpenIddict.Client.SystemIntegration` package are invited to migrate to .NET 9.0 or 10.0.

> [!TIP]
> As part of this change, the net9.0-android35.0, net9.0-ios18.0, net9.0-maccatalyst18.0 and net9.0-macos15.0 TFMs have been replaced by net9.0-android, net9.0-ios, net9.0-maccatalyst and net9.0-macos.
>
> New net10.0-android, net10.0-ios, net10.0-maccatalyst and net10.0-macos TFMs have also been added.

  - The `OpenIddict*Manager.UpdateAsync()` methods have been updated to remove cached entries before calling `Store.UpdateAsync()` to ensure entities are always removed even when the inner store throws an exception.

## 7.1.0

This release introduces the following changes:

  - The GitHub web provider was updated to enforce OAuth 2.0 Proof Key for Code Exchange for all client registrations.

> [!TIP]
> No change is required to enable PKCE for a specific client application (whether it is treated as a public or confidential application): updating OpenIddict to 7.1.0 is enough to automatically enforce this security feature.
>
> For more information, read PKCE support for OAuth and GitHub App authentication on the official GitHub blog.

  - The HeyBoxChat service is now supported by the `OpenIddict.Client.WebIntegration` package (thanks @gehongyan! ❤️)

  - New `AddGrantTypePermissions()`/`RemoveGrantTypePermissions()` APIs have been added to `OpenIddictApplicationDescriptor` to simplify adding and removing grant type permissions for custom grants:

```csharp
var descriptor = new OpenIddictApplicationDescriptor
{
    ClientId = "console",

    // ...
};

descriptor.AddGrantTypePermissions("custom_grant_type");
descriptor.AddScopePermissions("demo_api");
```

  - All the .NET and third-party dependencies have been updated to the latest versions.

## 7.0.0

For more information about this release, read OpenIddict 7.0 is out.

## 7.0.0-preview.4

This release introduces the following changes:

```csharp
var result = await _service.AuthenticateWithTokenExchangeAsync(new()
{
    ActorToken = actorToken,
    ActorTokenType = actorTokenType,
    CancellationToken = stoppingToken,
    ProviderName = "Local",
    RequestedTokenType = TokenTypeIdentifiers.AccessToken,
    SubjectToken = subjectToken,
    SubjectTokenType = subjectTokenType
});

var token = result.IssuedToken;
var type = result.IssuedTokenType;
```

```csharp
[HttpPost("~/connect/token"), IgnoreAntiforgeryToken, Produces("application/json")]
public async Task<IActionResult> Exchange()
{
    var request = HttpContext.GetOpenIddictServerRequest() ??
        throw new InvalidOperationException("The OpenID Connect request cannot be retrieved.");

    if (request.IsAuthorizationCodeGrantType() || request.IsRefreshTokenGrantType())
    {
        // ...
    }

    else if (request.IsTokenExchangeGrantType())
    {
        // Retrieve the claims principal stored in the subject token.
        //
        // Note: the principal may not represent a user (e.g if the token was issued during a client credentials token
        // request and represents a client application): developers are strongly encouraged to ensure that the user
        // and client identifiers are randomly generated so that a malicious client cannot impersonate a legit user.
        //
        // See https://datatracker.ietf.org/doc/html/rfc9068#SecurityConsiderations for more information.
        var result = await HttpContext.AuthenticateAsync(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);

        // If available, retrieve the claims principal stored in the actor token.
        var actor = result.Properties?.GetParameter<ClaimsPrincipal>(OpenIddictServerAspNetCoreConstants.Properties.ActorTokenPrincipal);

        // Retrieve the user profile corresponding to the subject token.
        var user = await _userManager.FindByIdAsync(result.Principal!.GetClaim(Claims.Subject)!);
        if (user is null)
        {
```
 ... (truncated)

## 7.0.0-preview.3

This release introduces the following changes:

  - As a preliminary step to the introduction of OAuth 2.0 Token Exchange support in a future 7.0 preview, the entire OpenIddict code base was updated to use new URI-style token type identifiers to represent token types (e.g `urn:ietf:params:oauth:token-type:access_token`). These new identifiers will replace the `token_type_hint`-inspired constants that previous versions of OpenIddict were using in the core, client, server and validation stacks. For more information, read https://github.com/openiddict/openiddict-core/issues/2296.

> [!NOTE]
> While internally massive, this change should be completely transparent for most OpenIddict users. Only advanced users who implement custom handlers for the `GenerateToken`/`ValidateToken` events or use the `ClaimsPrincipal.GetTokenType()`/`ClaimsPrincipal.SetTokenType()` extensions will need to update their code to use the new values.

  - The Discord provider was updated to use the `/users/@​me` endpoint instead of `/oauth2/@​me`, which improves how userinfo claims are represented and returned to the application code (thanks @​egans146 for suggesting this improvement! ❤️).

> [!IMPORTANT]
> This behavior change is breaking: developers are encouraged to review their Discord integration to determine whether their code should be updated to support the new claims representation.

  - New `ClaimsPrincipal.AddClaim()`/`ClaimsPrincipal.AddClaims()`/`ClaimsPrincipal.SetClaim()`/`ClaimsPrincipal.SetClaims()` overloads accepting `System.Text.Json.Nodes.JsonNode` instances have been added to make working with types derived from `JsonNode` easier.

  - An event identifier is now attached to all the logs generated by the OpenIddict core, client, server and validation stacks.

  - A few properties in `OpenIddictClientModels` didn't have an `init` constraint and have been fixed in 7.0.0-preview.3.

> [!TIP]
> Note: this preview also includes all the changes introduced in the OpenIddict 6.3.0 release.

## 7.0.0-preview.2

This release introduces the following changes:

  - All the OpenIddict assemblies have been marked as trimming and Native AOT-compatible (only on .NET 9.0 and higher). For that, several changes had to be made to the OpenIddict core stack:

    - The store resolver interfaces (`IOpenIddict*StoreResolver`) and all their implementations have been removed and the managers have been updated to now directly take an `IOpenIddict*Store<T>` argument instead of an `IOpenIddict*StoreResolver`.

    - All the `OpenIddictCoreOptions.Default*Type` options (e.g `DefaultApplicationType`) have been removed and the untyped managers (`IOpenIddict*Manager`) no longer use options to determine the actual entity type at runtime. Instead, each store integration is now responsible for replacing the `IOpenIddict*Manager` services with a service descriptor pointing to the generic `OpenIddict*Manager<T>` implementation with the correct `T` argument: by default, the default entity types provided by the store are used, but the managers can be re-registered with a different type when the user decides to use different models (e.g via `options.UseEntityFrameworkCore().ReplaceDefaultModels<...>()`).

    - All the managers/store/store resolvers registration APIs offered by `OpenIddictCoreBuilder` have been removed: while they were very powerful and easy-to-use (e.g the `Replace*Manager` methods supported both open and closed generic types and were able to determine the entity type from the base type definition), they weren't AOT-compatible.

    - New AOT-friendly `Replace*Store()` and `Replace*Manager()` APIs have been introduced in `OpenIddictCoreBuilder`. The new `Replace*Manager()` APIs have two overloads that can be used depending on whether you need to register a closed or open generic type:

        ```csharp
        options.ReplaceApplicationManager<
            /* TApplication: */ OpenIddictEntityFrameworkCoreApplication,
            /* TManager: */ CustomApplicationManager<OpenIddictEntityFrameworkCoreApplication>>();
        ```

        ```csharp
        options.ReplaceApplicationManager(typeof(CustomApplicationManager<>));
        ```

    - While they are currently not functional on Native AOT due to EF Core not supporting interpreted LINQ expressions yet, the EF Core stores package has been updated to be ready for AOT: as part of this change, the signature of all the stores has been updated to remove the `TContext` generic argument from the definition. Similarly, the MongoDB C# driver isn't AOT (or even trimming) compatible yet, but the stores have been updated to ensure they only use statically-analyzable patterns.

    - A new `IOpenIddictEntityFrameworkCoreContext` interface containing a single `ValueTask<DbContext> GetDbContextAsync(CancellationToken cancellationToken)` method (similar to what's currently used in the MongoDB integration) has been introduced to allow each to resolve the `DbContext` to use. A default implementation named `OpenIddictEntityFrameworkCoreContext<TContext>` is used by the `OpenIddictEntityFrameworkCoreBuilder.UseDbContext<TContext>()` API to resolve the `TContext` type specified by the user.

    - The `OpenIddictEntityFrameworkCoreBuilder.ReplaceDefaultEntities<...>` API has been preserved (including the overload accepting a single `TKey` parameter) but no longer uses options internally. Instead, it re-registers the untyped `IOpenIddict*Manager` services to point to the correct `OpenIddict*Manager<T>` instances depending on the generic types set by the user.

  - For consistency with the Entity Framework Core stores, the `OpenIddictEntityFrameworkBuilder.UseDbContext<TContext>()` API will no longer automatically register the `DbContext` type in the DI container.

  - The authorization endpoint now uses `Cache-Control: no-store` instead of `Cache-Control: no-cache` when generating HTML auto-post form responses (thanks @​matthid! ❤️)

  - OpenIddict 7.0 preview 2 no longer allows dynamically overriding the `prompt` value when using OAuth 2.0 Pushed Authorization Requests.

  > [!IMPORTANT]
  > To prevent login endpoint -> authorization endpoint loops, developers are invited to update their authorization endpoint MVC action to use `TempData` to store a flag indicating whether the user has already been offered to re-authenticate and avoid triggering a new authentication challenge in that case. For instance:
  >
  > ```csharp
  > // Try to retrieve the user principal stored in the authentication cookie and redirect
  > // the user agent to the login page (or to an external provider) in the following cases:
  > //
  > //  - If the user principal can't be extracted or the cookie is too old.
  > //  - If prompt=login was specified by the client application.
  > //  - If max_age=0 was specified by the client application (max_age=0 is equivalent to prompt=login).
  > //  - If a max_age parameter was provided and the authentication cookie is not considered "fresh" enough.
  > //
  > // For scenarios where the default authentication handler configured in the ASP.NET Core
  > // authentication options shouldn't be used, a specific scheme can be specified here.
  > var result = await HttpContext.AuthenticateAsync();
  > if (result is not { Succeeded: true } ||
 ... (truncated)

## 7.0.0-preview.1

This release introduces the following changes:

  - All the ASP.NET Core and Entity Framework Core 2.1 references used for the .NET Framework and .NET Standard TFMs have been replaced by the new 2.3 packages released mid-January (including the .NET Standard 2.1 TFM, that previously referenced unsupported ASP.NET Core 3.1 packages).

> [!IMPORTANT]
> ASP.NET Core 2.3 replaces ASP.NET Core 2.1: as such, it is essential that all ASP.NET Core 2.1 applications running on .NET Framework 4.6.2+ quickly migrate to 2.3 to ensure they keep receiving security patches and critical bug fixes.

> [!CAUTION]
> While it was released as a minor version update, **ASP.NET Core 2.3 is not 100% compatible with ASP.NET Core 2.2**, as none of the changes or APIs introduced in 2.2 - no longer supported since December 2019 - is present in 2.3.
>
> When migrating to OpenIddict 7.0, you'll need to carefully review your dependencies to ensure your application doesn't accidentally depend on any ASP.NET Core 2.2-specific API or package and still runs fine on 2.3.
>
> For more information, read https://devblogs.microsoft.com/dotnet/servicing-release-advisory-aspnetcore-23/ and https://github.com/dotnet/aspnetcore/issues/58598.

  - All the OpenIddict packages now use 8.0 as the minimum .NET Extensions version for the .NET Framework and .NET Standard TFMs, which matches the approach used by the new ASP.NET Core/Entity Framework Core 2.3 packages (that all reference `Microsoft.Extensions.*` 8.0 packages instead of 2.1).

> [!IMPORTANT]
> Initial testing shows that OWIN/Katana or "legacy" ASP.NET 4.6.2+ applications are not negatively impacted by this change: in almost all cases, regenerating (or manually updating the binding redirects if necessary) after migrating to OpenIddict 7.0 should be enough. If you see regressions that may be caused by this change, please post in this thread: https://github.com/openiddict/openiddict-core/issues/2262.

  - As part of the .NET Extensions 2.1 -> 8.0 change, the following improvements have been made:

    - The .NET Framework and .NET Standard TFMs now support `TimeProvider` and the associated properties in `OpenIddictClientOptions`, `OpenIddictCoreOptions`, `OpenIddictQuartzOptions`, `OpenIddictServerOptions` and `OpenIddictValidationOptions` are no longer nullable.
 
    - The .NET Framework and .NET Standard TFMs now support `System.Text.Json.Nodes`, which allows using `JsonNode` with `OpenIddictParameter` on older platforms.

  - Several improvements have been made to the `OpenIddictParameter` primitive:
    - The `OpenIddictParameter` constructors and static operators offering `string?[]?` conversions have been replaced by equivalents taking `ImmutableArray<string?>` or `ImmutableArray<string?>?` parameters, which guarantees that the underlying value wrapped by `OpenIddictParameter` cannot be accidentally mutated after being created.

    - The `OpenIddictRequest.Audiences` and `OpenIddictRequest.Resources` properties have been updated to use `ImmutableArray<string?>?` instead of `string?[]?`, which should prevent unsupported mutations like `context.Request.Audiences[2] = "overridden audience"` (which may or may not work in 6.x depending on the actual CLR type of the parameter value initially wrapped).

    - For similar reasons, `JsonNode` instances are now cloned by `OpenIddictParameter`'s constructor and cloned by the `JsonNode?` conversion operator to prevent accidental mutations. As part of this change, the `OpenIddictRequest.Claims` and `OpenIddictRequest.Registration` properties are now of type `JsonObject` instead of `JsonElement`, which should make these properties easier to use.
 
    - The low-level/untyped `OpenIddictParameter.Value` property has been removed and replaced by a new (hidden) `OpenIddictParameter.GetRawValue()` to encourage users to leverage the built-in conversion operators instead. New `Microsoft.Extensions.Primitives.StringValues` conversion operators have been added to the `OpenIddictParameter` primitive as part of this change.

    - The `ClaimsPrincipal.GetDestinations()`/`ClaimsPrincipal.SetDestinations()` extensions now use `ImmutableDictionary<string, ImmutableArray<string>>` instead of `ImmutableDictionary<string, string[]>` for consistency with the previous changes.

    - The `OpenIddictParameter` structure was updated to use the `JsonNode.DeepEquals()`, `JsonElement.DeepEquals()` or `JsonElement.GetPropertyCount()` APIs when available.

  - The APIs obsoleted in OpenIddict 6.x have been removed.

  - The `net6.0` target framework monikers have been removed.

## 6.4.0

This release introduces the following changes:

  - Support for client authentication - `client_secret_basic`, `client_secret_post` and `private_key_jwt` - was added to the PAR endpoint, which allows rejecting unauthenticated requests without waiting until the token request is processed.
  
  - The `OpenIddict.Client.WebIntegration` package now supports Bungie.net.

  - Parsing of the standard `WWW-Authenticate` HTTP response header by the client and validation stacks was improved.

  - The OpenIddict client OWIN integration was updated to resolve the `IAppBuilder` instance from the DI container: when it is available, the `ICookieManager` attached to the application properties (by the host, typically) is automatically used instead of the default `CookieManager` implementation.

  > [!NOTE]
  > See https://github.com/aspnet/AspNetKatana/pull/486 for more information.

  - The portable, non-OS specific version of the `OpenIddict.Client.SystemIntegration` package can now be used on macOS (in this case, `ASWebAuthenticationSession` is not supported and only the system browser authentication mode can be used).

  - All the .NET and third-party dependencies have been updated to the latest versions.

## 6.3.0

This release introduces the following changes:

  - Two new providers have been added to the list of providers already supported by the `OpenIddict.Client.WebIntegration` package:
    - Contentful (thanks @​jerriep! ❤️)
    - Genesys Cloud (thanks @​MikeAlhayek! ❤️)

  - The web providers source code generator now generates constant strings for the static settings defined by some providers (e.g regions):

```csharp
options.UseWebProviders()
       .AddShopify(options =>
       {
           options.SetClientId("[client identifier]")
                  .SetClientSecret("[client secret]")
                  .SetAccessMode(OpenIddictClientWebIntegrationConstants.Shopify.AccessModes.Online);
       })
       .AddStripeConnect(options =>
       {
           options.SetClientId("[client identifier]")
                  .SetClientSecret("[client secret]")
                  .SetAccountType(OpenIddictClientWebIntegrationConstants.StripeConnect.AccountTypes.Express);
       })
       .AddZoho(options =>
       {
           options.SetClientId("[client identifier]")
                  .SetClientSecret("[client secret]")
                  .SetRegion(OpenIddictClientWebIntegrationConstants.Zoho.Regions.EuropeanUnion);
       });
```

  - The X/Twitter provider was updated to use the new x.com endpoints, which avoids forcing users to authenticate on twitter.com before being redirected to x.com to continue the authorization process on the new domain.

> [!NOTE]
> As part of this change, the default display name of the X/Twitter provider was changed to X (Twitter).
> Developers who prefer a different display name can override the default one using the dedicated `options.SetProviderDisplayName(...)` API:
>
> ```csharp
> options.UseWebProviders()
>        .AddTwitter(options =>
>        {
>            options.SetClientId("[client identifier]")
>                   .SetRedirectUri("callback/login/twitter")
>                   .SetProviderDisplayName("Twitter");
>        });
> ```

  - The Alibaba/Battle.net/Cognito/Lark/Zoho providers now throw an exception when an invalid region is configured instead of using the default value when an unrecognized region is explicitly set.

  - The Zoho provider was updated to support the new United Kingdom region (https://accounts.zoho.uk/).

## 6.2.1

This release introduces the following changes:

  - An issue preventing server configuration responses from being correctly extracted when a partial `mtls_endpoint_aliases` node is returned but doesn't include all the supported endpoints was fixed (thanks @pctimhk for reporting it! ❤️).

## 6.2.0

This release introduces the following changes:

  - The client/server/validation ASP.NET Core/OWIN hosts now use `Uri.TryCreate()` instead of `new Uri()` to compute the base and request URIs, which avoids throwing an exception when they can't be computed; for instance, when the length of the internal buffer exceeds the limit allowed by the BCL `System.Uri` type (thanks to @tarunmathew12 from the Microsoft Healthcare team for reporting this issue! ❤️)

  - 4 new providers have been added to `OpenIddict.Client.WebIntegration`:

    - Alibaba Cloud/Aliyun (thanks @gehongyan! ❤️)
    - Linear (thanks @jerriep! ❤️)
    - Miro (thanks @jerriep! ❤️)
    - Webflow (thanks @jerriep! ❤️)

6.1.1

This release introduces the following changes:

  • An issue causing end session requests missing the optional client_id parameter to be rejected when enabling end session request caching was fixed (thanks @​miegir for reporting it! ❤️)

6.1.0

This release introduces the following changes:

  • Native support for OAuth 2.0 Pushed Authorization Requests (aka PAR) has been implemented in both the OpenIddict client and server stacks. PAR increases the security level of user-interactive grants - like the code flow - by sending the actual authorization request parameters via backchannel communication before redirecting the user agent to the regular authorization endpoint with a unique and random request_uri attached. PAR has recently gained traction and is now supported by some OAuth 2.0 services and libraries (including Keycloak and Microsoft's ASP.NET Core OpenID Connect handler starting in .NET 9.0).

[!TIP]
For more information on how to use OAuth 2.0 Pushed Authorization Requests in OpenIddict, read Pushed Authorization Requests.

  • As part of the PAR introduction, the authorization and end session request caching feature has been completely revamped to use the same code path as pushed authorization requests and the OpenIddict-specific request_id parameter has been replaced by request_uri. While cached requests were persisted using IDistributedCache in previous versions, they are now stored in request tokens and persisted in OpenIddict's tokens table with the other tokens.

[!NOTE]
The EnableAuthorizationRequestCaching and EnableEndSessionRequestCaching options have been moved from OpenIddictServerAspNetCoreOptions and OpenIddictServerOwinOptions to OpenIddictServerOptions (the original options are no longer honored). The corresponding methods in OpenIddictServerAspNetCoreBuilder and OpenIddictServerOwinBuilder are still functional - they internally use the new properties - but are now obsolete.

  • GitCode, VK ID and Yandex are now supported by the OpenIddict.Client.WebIntegration package (thanks @gehongyan and @t1moH1ch! ❤️).

[!NOTE]
With these new providers, the OpenIddict client now supports 100 web services! 🎉

  • The InteractiveChallengeRequest and InteractiveSignOutRequest models have been updated to allow easily attaching an identity token or login hint to authorization and end session requests.

  • The OpenIddict*AuthorizationStore.PruneAsync() implementations were updated to always exclude permanent authorizations that still have tokens attached, which should reduce risks of seeing SQL exceptions when one of the pruned authorizations still has children entities attached.

  • An issue affecting the OpenIddictEntityFrameworkCoreAuthorizationStore.FindByApplicationIdAsync() API was identified and fixed (thanks @simon-wacker! ❤️)

6.0.0

For more information about this release, read OpenIddict 6.0 general availability.

6.0.0-rc1

This release introduces the following changes:

  • The OpenIddict server now automatically normalizes unique "amr" claims in identity tokens to ensure a JSON array is always returned (as required by the OpenID Connect specification), even if the developer didn't explicitly use JsonClaimValueTypes.JsonArray as the claim value type.

  • New methods allowing multiple certificates and keys to be registered at once have been added to the client/server/validation builders (thanks @ionite34! ❤️)

  • Zendesk and EVE Online are now supported by the OpenIddict web providers package (thanks @mozts2005 and @kalaveijo! ❤️)

[!TIP]
An OpenIddict 5.0 to 6.0 migration guide can be found here: https://documentation.openiddict.com/guides/migration/50-to-60.

6.0.0-preview4

This release introduces the following changes:

  • OpenIddict 6.0 preview 4 was updated to reference the .NET 9.0 RTM packages on .NET 9.0.

  • The ASP.NET Core and OWIN integrations now include the authentication properties attached to ProcessAuthenticationContext.Properties in errored authentication results, which can be used with the client stack to retrieve custom and non-custom properties attached to the state token when using the "error pass-through mode".

[!IMPORTANT]
As part of this change, the OWIN hosts now return an AuthenticateResult instance containing an empty ClaimsIdentity with its IsAuthenticated property set to false (instead of a null identity) to represent errored authentication demands.

If you're using the error pass-through mode and are calling await AuthenticateAsync(OpenIddict*OwinDefaults.AuthenticationType), consider updating your if checks to ensure unauthenticated identities are correctly identified.

For instance, with the client stack:

var result = await context.Authentication.AuthenticateAsync(OpenIddictClientOwinDefaults.AuthenticationType);
if (result is { Identity.IsAuthenticated: true })
{
    // The authentication result represents an authenticated user.
}

  • Introspection and revocation requests started via OpenIddictClientService.IntrospectTokenAsync() and OpenIddictClientService.RevokeTokenAsync() are now eagerly aborted if the token to introspect or revoke is missing.

6.0.0-preview3

This release introduces the following changes:

  • The existing IOpenIddictAuthorizationManager.FindAsync(...) and IOpenIddictTokenManager.FindAsync(...) overloads have been merged and replaced by a single method where all the parameters are now optional (for instance, if a null subject value is specified when calling IOpenIddictAuthorizationManager.FindAsync(...), the returned collection will contain authorizations for all users).

  • New IOpenIddictAuthorizationManager.RevokeAsync(...) and IOpenIddictTokenManager.RevokeAsync(...) APIs have been introduced to allow easily revoking authorizations or tokens based on specific parameters. E.g:

// Revoke all the active access tokens attached to the user alice@wonderland.com.
await _tokenManager.RevokeAsync(subject: "alice@wonderland.com", client: null, status: Statuses.Active, type: TokenTypeHints.AccessToken);

6.0.0-preview2

This release introduces the following changes:

  • OpenIddict 6.0 preview 2 was updated to reference the .NET 9.0 RC2 packages on .NET 9.0.

  • The OpenIddict.MongoDb and OpenIddict.MongoDb.Models packages now reference MongoDB.Driver and MongoDB.Bson 3.0.0 and are now strong-named.

[!IMPORTANT]
The third iteration of the C# MongoDB driver no longer supports .NET Standard 2.0 and requires .NET Framework 4.7.2 as the minimum version: OpenIddict users relying on the MongoDB integration and using the OpenIddict.MongoDb or OpenIddict.MongoDb.Models packages in projects targeting .NET Standard 2.0 or .NET Framework < 4.7.2 will need to update their projects when bumping OpenIddict to 6.0 preview 2.

  • A new "claims issuer" option has been added to the client and validation stacks to allow controlling the value OpenIddict uses to populate the Claim.Issuer and Claim.OriginalIssuer properties. This option is specially useful when using the OpenIddict client in legacy ASP.NET 4.6.2+ applications using ASP.NET Identity, since the Claim.Issuer property is directly reflected in the user interface:

options.AddRegistration(new OpenIddictClientRegistration
{
    // ...

    Issuer = new Uri("https://localhost:44395/", UriKind.Absolute),
    ClaimsIssuer = "Local authorization server"
});
options.UseWebProviders()
       .AddActiveDirectoryFederationServices(options =>
       {
           // ...

           options.SetClaimsIssuer("Contoso");
       });

[!IMPORTANT]
To simplify migrating from the aspnet-contrib providers, the OpenIddict client now uses OpenIddictClientRegistration.ProviderName as the first fallback value when OpenIddictClientRegistration.ClaimsIssuer is not explicitly set (which is consistent with the pattern used in the OAuth 2.0-based social providers developed by Microsoft and the community).

If no provider name was set, the issuer URI is used as the claims issuer, as in previous versions.

  • To be consistent with the new prompt values name used in OpenIddict 6.0 preview 1, the GetPrompts() and HasPrompt() extensions have been renamed to GetPromptValues() and HasPromptValue().

6.0.0-preview1

This release introduces the following changes:

  • OpenIddict 6.0 preview 1 now targets .NET 9.0 and references the .NET 9.0 RC1 packages on .NET 9.0 and higher.

  • The .NET 7.0 and .NET Framework 4.6.1 TFMs have been removed as these versions are no longer supported by Microsoft.

[!IMPORTANT]
While most OpenIddict 6.0 packages can still be used on these versions thanks to their .NET Standard 2.0 or 2.1 TFMs, doing that is strongly discouraged and users are instead encouraged to migrate to .NET 8.0 and .NET Framework 4.6.2 (or higher).

  • Some of the server endpoints have been renamed in OpenIddict 6.0 to be more specific or more closely match the official names, which should reduce ambiguities and make migrating from other OAuth 2.0/OIDC stacks to OpenIddict easier:
    • Cryptography endpoint -> JSON Web Key Set endpoint.
    • Device endpoint -> Device authorization endpoint.
    • Logout endpoint -> End-session endpoint.
    • Userinfo endpoint -> UserInfo endpoint.
    • Verification endpoint -> End-user verification endpoint.

[!NOTE]
All the constants, builder methods, events and event handlers used by the OpenIddict client, core, server and validation stacks have been entirely updated to use the new names.

In most cases, reacting to this breaking change should be limited to just changing a few lines in your Startup file:

OpenIddict 5.x                                      OpenIddict 6.x
options.SetCryptographyEndpointUris()               options.SetJsonWebKeySetEndpointUris()
options.SetDeviceEndpointUris()                     options.SetDeviceAuthorizationEndpointUris()
options.SetLogoutEndpointUris()                     options.SetEndSessionEndpointUris()
options.SetUserinfoEndpointUris()                   options.SetUserInfoEndpointUris()
options.SetVerificationEndpointUris()               options.SetEndUserVerificationEndpointUris()

OpenIddict 5.x                                      OpenIddict 6.x
options.AllowDeviceCodeFlow()                       options.AllowDeviceAuthorizationFlow()

OpenIddict 5.x                                      OpenIddict 6.x
options.EnableLogoutEndpointPassthrough()           options.EnableEndSessionEndpointPassthrough()
options.EnableUserinfoEndpointPassthrough()         options.EnableUserInfoEndpointPassthrough()
options.EnableVerificationEndpointPassthrough()     options.EnableEndUserVerificationEndpointPassthrough()

OpenIddict 5.x                                      OpenIddict 6.x
OpenIddictConstants.Permissions.Endpoints.Device    OpenIddictConstants.Permissions.Endpoints.DeviceAuthorization
OpenIddictConstants.Permissions.Endpoints.Logout    OpenIddictConstants.Permissions.Endpoints.EndSession

[!TIP]
While not mandatory (as the permissions containing the old endpoint names are still fully functional in 6.x for backward compatibility), you can also update your applications table/database to use the new constant values (i.e. ept:device_authorization and ept:end_session instead of ept:device and ept:logout).

  • A whole new client authentication method negotiation logic was introduced in the OpenIddict client. As part of this change, complete support for mTLS in the client stack was also added to allow integrating with identity providers that require using tls_client_auth or self_signed_tls_client_auth.

... (truncated)

Commits viewable in compare view.

Summary by CodeRabbit

  • Chores
    • Upgraded OpenIddict.EntityFrameworkCore package to version 7.5.0

@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label May 25, 2026
@coderabbitai

coderabbitai Bot commented May 25, 2026

Caution

Review failed

Failed to post review comments

📝 Walkthrough

OpenIddict.EntityFrameworkCore package pin in Directory.Packages.props is updated from 5.8.0 to 7.5.0; the change is a single-line version bump in the Auth group.

Changes

Package Upgrade

Layer / File(s): OpenIddict.EntityFrameworkCore version bump (Directory.Packages.props)
Summary: OpenIddict.EntityFrameworkCore package pin changed from 5.8.0 to 7.5.0 in the Auth group of the centrally managed package versions.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

  • phuong-labs/axis#112: Also updates Directory.Packages.props to bump a centrally managed NuGet package version.

Poem

🐰
A hop, a tweak, a versions' flight,
Five point eight steps into seven's light.
The props file nods, the build may sing,
A tiny bump—big future spring.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name                   Status     Explanation
Description Check            ✅ Passed  Check skipped - CodeRabbit's high-level summary is enabled.
Title check                  ✅ Passed  The title clearly and accurately describes the main change: upgrading OpenIddict.EntityFrameworkCore from version 5.8.0 to 7.5.0 in a dependency management context.
Docstring Coverage           ✅ Passed  No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check          ✅ Passed  Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check   ✅ Passed  Check skipped because no linked issues were found for this pull request.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Directory.Packages.props`:
- Around line 92-93: The OpenIddict package family versions are mismatched in
Directory.Packages.props: PackageVersion entries for OpenIddict.AspNetCore
(currently 5.8.0) and OpenIddict.EntityFrameworkCore (7.5.0) must be aligned;
update the OpenIddict.AspNetCore PackageVersion to 7.5.0 (or alternatively
downgrade EntityFrameworkCore to 5.8.0) and then verify all other PackageVersion
entries whose Include starts with "OpenIddict." use the same version so
Axis.Identity.Infrastructure.csproj and Axis.Api.csproj inherit a consistent
OpenIddict version series.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 8b0377db-1d4c-4a90-b26a-62785dd9c975

📥 Commits

Reviewing files that changed from the base of the PR and between c8fdda3 and ec25534.

📒 Files selected for processing (1)
  • Directory.Packages.props

Comment thread Directory.Packages.props
Comment on lines 92 to +93
<PackageVersion Include="OpenIddict.AspNetCore" Version="5.8.0" />
<PackageVersion Include="OpenIddict.EntityFrameworkCore" Version="5.8.0" />
<PackageVersion Include="OpenIddict.EntityFrameworkCore" Version="7.5.0" />
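Review bot: the bumped line pins OpenIddict.EntityFrameworkCore to 7.5.0 while the unchanged line directly above it keeps OpenIddict.AspNetCore at 5.8.0, so one build would carry two halves of the OpenIddict stack two major versions apart (the commit metadata itself marks this as `version-update:semver-major`). The 6.0 notes quoted in this PR list renames that the 5.8.0 host package has no knowledge of, for example the request caching options moving to `OpenIddictServerOptions` and `Permissions.Endpoints.Logout` becoming `EndSession`, and request caching now persisting into the tokens table the Entity Framework Core store manages. Bump `<PackageVersion Include="OpenIddict.AspNetCore" Version="7.5.0" />` in the same commit, work through the 5.0-to-6.0 and 6.x-to-7.x migration guides before merging, and consider pinning the whole OpenIddict.* family through one MSBuild property so a single-package Dependabot update cannot split it again.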

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify all OpenIddict package versions are aligned across central and project files.
set -euo pipefail

echo "== OpenIddict versions in central package management =="
rg -nP '<PackageVersion\s+Include="OpenIddict\.[^"]+"\s+Version="[^"]+"' Directory.Packages.props || true

echo
echo "== OpenIddict direct references in project files (if any overrides exist) =="
fd -e csproj -e props -e targets | xargs rg -nP '<PackageReference\s+Include="OpenIddict\.[^"]+"(\s+Version="[^"]+")?' || true

echo
echo "Expected: one consistent major/minor for all OpenIddict.* packages."

Repository: phuong-labs/axis

Length of output: 908


🌐 Web query:

Are OpenIddict.AspNetCore 5.8.0 and OpenIddict.EntityFrameworkCore 7.5.0 officially supported together, or must OpenIddict packages be kept on the same major/minor version?

💡 Result:

OpenIddict.AspNetCore 5.8.0 and OpenIddict.EntityFrameworkCore 7.5.0 are not officially supported together; OpenIddict requires the OpenIddict package stack to stay on the same OpenIddict version series (i.e., matching major/minor versions), and you should keep all OpenIddict packages aligned rather than mixing 5.x and 7.x. Evidence: OpenIddict’s own migration docs show both packages updated to the same version number when migrating (e.g., OpenIddict.AspNetCore and OpenIddict.EntityFrameworkCore both set to 5.8.0 in the 4.x→5.x guide, and both set to 7.5.0 in the 6.x→7.x guide) [1][2]. Additionally, OpenIddict’s GitHub repository states that support is only offered for the latest stable version of OpenIddict (implying no support for unsupported mixed-version combinations) [3]. Practical guidance: If you want to use OpenIddict.EntityFrameworkCore 7.5.0, use the corresponding OpenIddict.AspNetCore 7.5.0 (and similarly align Core/client/server/validation packages to 7.5.0) rather than mixing 5.8.0 with 7.5.0 [2][4].


Align OpenIddict package family versions before merge.

File: Directory.Packages.props
Lines: 92-93

Snippet showing the final state of code at these lines

    <PackageVersion Include="OpenIddict.AspNetCore" Version="5.8.0" />
    <PackageVersion Include="OpenIddict.EntityFrameworkCore" Version="7.5.0" />

Line 93 upgrades OpenIddict.EntityFrameworkCore to 7.5.0 while Line 92 keeps OpenIddict.AspNetCore at 5.8.0. Since Axis.Identity.Infrastructure.csproj and Axis.Api.csproj reference these packages without explicit versions, they will inherit this mixed setup from Directory.Packages.props, which is a compatibility risk because OpenIddict expects its package stack to stay aligned on the same OpenIddict version series. Align the whole OpenIddict.* family together (recommended: set OpenIddict.AspNetCore to 7.5.0 and ensure any other OpenIddict.* packages match; alternatively keep all OpenIddict packages at 5.8.0).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Directory.Packages.props` around lines 92 - 93, The OpenIddict package family
versions are mismatched in Directory.Packages.props: PackageVersion entries for
OpenIddict.AspNetCore (currently 5.8.0) and OpenIddict.EntityFrameworkCore
(7.5.0) must be aligned; update the OpenIddict.AspNetCore PackageVersion to
7.5.0 (or alternatively downgrade EntityFrameworkCore to 5.8.0) and then verify
all other PackageVersion entries whose Include starts with "OpenIddict." use the
same version so Axis.Identity.Infrastructure.csproj and Axis.Api.csproj inherit
a consistent OpenIddict version series.
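A check for the alignment problem CodeRabbit raises above, written here as an added example rather than the project's or CodeRabbit's own tooling: it parses a Directory.Packages.props, groups every OpenIddict.* pin by version and fails when the family is split across versions. The embedded props fragment is constructed to mirror the two lines under review; the Microsoft.EntityFrameworkCore entry is filler to show a pin outside the family, and the family prefix list is an assumption you would extend for other stacks that must move together.

```python
"""Fail when the OpenIddict.* pins in a Directory.Packages.props do not share one version."""
from __future__ import annotations

import sys
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed props fragment mirroring the two lines under review in this PR: OpenIddict.AspNetCore
# left at 5.8.0 while OpenIddict.EntityFrameworkCore is bumped to 7.5.0. The last pin is filler.
SAMPLE_PROPS = """<Project>
  <ItemGroup Label="Auth">
    <PackageVersion Include="OpenIddict.AspNetCore" Version="5.8.0" />
    <PackageVersion Include="OpenIddict.EntityFrameworkCore" Version="7.5.0" />
    <PackageVersion Include="Microsoft.EntityFrameworkCore" Version="9.0.0" />
  </ItemGroup>
</Project>
"""

# Package-id prefixes whose members must move as one version series (assumed list).
FAMILIES = ("OpenIddict",)


def package_versions(props_xml: str) -> dict[str, str]:
    """Map Include -> Version for every PackageVersion item, whatever ItemGroup it sits in."""
    root = ET.fromstring(props_xml)
    pins: dict[str, str] = {}
    for item in root.iter("PackageVersion"):
        include, version = item.get("Include"), item.get("Version")
        if include and version:
            pins[include] = version
    return pins


def family_of(package_id: str) -> str | None:
    """Return the family prefix a package belongs to, or None if it is unconstrained."""
    for family in FAMILIES:
        if package_id == family or package_id.startswith(family + "."):
            return family
    return None


def find_misaligned(props_xml: str) -> dict[str, dict[str, list[str]]]:
    """Return {family: {version: [packages]}} for every family pinned to more than one version."""
    by_family: dict[str, dict[str, list[str]]] = defaultdict(lambda: defaultdict(list))
    for package_id, version in package_versions(props_xml).items():
        family = family_of(package_id)
        if family is not None:
            by_family[family][version].append(package_id)
    return {f: {v: sorted(p) for v, p in vs.items()} for f, vs in by_family.items() if len(vs) > 1}


def report(props_xml: str) -> int:
    """Print the split families and return a CI-style exit code (1 = misaligned, 0 = clean)."""
    misaligned = find_misaligned(props_xml)
    for family, versions in misaligned.items():
        print(f"{family}.* is pinned to {len(versions)} different versions:")
        for version, packages in sorted(versions.items()):
            print(f"  {version}: {', '.join(packages)}")
    return 1 if misaligned else 0


if __name__ == "__main__":
    # Usage: python check_openiddict_pins.py [Directory.Packages.props]; no argument runs the sample.
    props = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PROPS
    sys.exit(report(props))
```

Run against the sample it exits 1 and names both versions; once OpenIddict.AspNetCore is moved to 7.5.0 as well it exits 0, which is the gate a CI job would wire in front of merging Dependabot PRs like this one.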

@dependabot dependabot Bot force-pushed the dependabot/nuget/OpenIddict.EntityFrameworkCore-7.5.0 branch from ec25534 to 3942503 Compare May 25, 2026 06:29
---
updated-dependencies:
- dependency-name: OpenIddict.EntityFrameworkCore
  dependency-version: 7.5.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/nuget/OpenIddict.EntityFrameworkCore-7.5.0 branch from 3942503 to 7a2f70f Compare May 25, 2026 06:39
@phuongnse phuongnse closed this May 25, 2026
@dependabot @github

dependabot Bot commented on behalf of github May 25, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/nuget/OpenIddict.EntityFrameworkCore-7.5.0 branch May 25, 2026 07:04
Labels

dependencies Pull requests that update a dependency file

1 participant