Releases: auth0/auth0.net
7.0.0 beta 1
Many breaking changes
A migration guide will be produced while the beta runs and made available before GA. The summary is:
- Authentication SDK includes all-new ID Token Validation which will now validate HS256.
  - If your app is configured for HS256 and is confidential, such as a web server, then you will need to set SigningAlgorithm to SigningAlgorithm.HS256 on your AuthenticationApiClient requests.
  - If your app is configured for HS256 and is NOT confidential, such as a native client, you should reconfigure your app for RS256 as soon as possible.
  - If your app is configured for RS256 no changes are required. JWKS caches are now only valid for 10 minutes and will not cache the JWKS keys indefinitely.
- Improved testing and mocking support. You can now mock IAuthenticationConnection/IManagementConnection classes to provide local unit-testing functionality for AuthenticationApiClient and ManagementApiClient respectively. Each has just two methods that can be mocked: one for GET and one for other HTTP verbs.
- Many classes moved namespace, especially ones that were in Core, as part of the long-term plan to only have AuthenticationApi and ManagementApi packages. Visual Studio should be able to suggest where classes you were using now reside.
- Disposal is now more consistent. If AuthenticationApiClient or ManagementApiClient create a connection for you they will manage its lifecycle. If you pass in a connection then it will be your responsibility to manage it. This also applies to how HttpClientAuthenticationConnection and HttpClientManagementConnection will only dispose of a HttpClient they create and not ones they are given.
- Rate Limiting information is now only available on the RateLimitApiException which is raised when the rate limit is exceeded.
- ApiException is now ErrorApiException. If you use the status code or error message on exception you will need to switch to catching the latter. The former is now a base class that does not have this information but ensures any old catch ApiException will continue to catch rate limit exceptions which also now inherit from this class.
- Microsoft recommends HttpClient is reused as much as possible. Therefore you should use dependency injection or inversion of control to ensure that either a single instance of AuthenticationApiClient/ManagementApiClient or its connections HttpClientXConnection are created to ensure sharing. These classes are now thread-safe. You can additionally share HttpClient objects between them if you wish by injecting it into the HttpClientXConnection constructor.
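An added illustration, not Auth0.NET's own code, of what setting the expected signing algorithm on the request buys for ID token validation: the verifier takes the algorithm from application configuration and rejects any token whose header disagrees. PinnedAlgorithmCheck, VerifyHs256 and the sample secret are hypothetical; only the HS256 signature step is shown, and claim checks (issuer, audience, expiry) are assumed to happen elsewhere.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// Hypothetical helper, not part of Auth0.NET: verifies an HS256 ID token
// signature only when the application itself is configured for HS256.
public static class PinnedAlgorithmCheck
{
    static byte[] FromBase64Url(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }

    static string ToBase64Url(byte[] b) => Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static bool VerifyHs256(string token, string configuredAlg, byte[] clientSecret)
    {
        var parts = token.Split('.');
        if (parts.Length != 3 || configuredAlg != "HS256") return false;
        try
        {
            // The header's alg must equal the configured value; a mismatch is
            // a rejection, never a reason to switch verification method.
            using var header = JsonDocument.Parse(FromBase64Url(parts[0]));
            if (!header.RootElement.TryGetProperty("alg", out var alg) ||
                alg.ValueKind != JsonValueKind.String || alg.GetString() != configuredAlg)
                return false;
            using var hmac = new HMACSHA256(clientSecret);
            var expected = hmac.ComputeHash(Encoding.ASCII.GetBytes(parts[0] + "." + parts[1]));
            return CryptographicOperations.FixedTimeEquals(expected, FromBase64Url(parts[2]));
        }
        catch (Exception e) when (e is FormatException || e is JsonException || e is InvalidOperationException) { return false; }
    }

    public static void Main()
    {
        var secret = Encoding.UTF8.GetBytes("constructed-demo-secret"); // constructed sample value
        string Seg(string json) => ToBase64Url(Encoding.UTF8.GetBytes(json));
        var input = Seg("{\"alg\":\"HS256\",\"typ\":\"JWT\"}") + "." + Seg("{\"sub\":\"demo\"}");
        using var hmac = new HMACSHA256(secret);
        var token = input + "." + ToBase64Url(hmac.ComputeHash(Encoding.ASCII.GetBytes(input)));
        Console.WriteLine(VerifyHs256(token, "HS256", secret)); // configuration and header agree
        Console.WriteLine(VerifyHs256(token, "RS256", secret)); // configured RS256, header says HS256
    }
}
```

The same secret that verifies an HS256 token can also sign one, which is why the notes above restrict HS256 to confidential apps that can keep the client secret private.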
6.5.5
6.5.4
- SECURITY FIX for CVE-2019-16929
6.5.3
WARNING: If you generate tokens in your project via System.IdentityModel.Tokens.Jwt please read this important notice.
6.5.2
- UserClient.GetEnrollments now correctly passes user id.
6.5.1
- User and role permissions endpoints in UsersClient and RolesClient paging fix.
6.5.0
- Assembly is now strong-name-signed so it can be used by other strong-name-signed packages #207
- User & role permissions endpoints in UsersClient and RolesClient now correctly page #284 #282
- User model optional fields (CreatedAt, UpdatedAt, LastLogin) are now nullable #276
Note: This is code signing only using a non-secret key. It is not authenticode or tamper protection.
v6.4.0
- TenantSettings lifetimes are now double not integer.
- Added various Guardian-related endpoints on UserClient.
v6.3.0
- Missing Tenant settings now available (device flow, Guardian MFA, Change Password, flags etc.).