ABANDONED-RENOVATE chore(deps): update dependency duende.accesstokenmanagement.openidconnect to v3

[marvin-serp-bot]

This PR contains the following updates:

Package	Type	Update	Change
Duende.AccessTokenManagement.OpenIdConnect	nuget	major	2.0.3 -> 3.0.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

DuendeSoftware/Duende.AccessTokenManagement (Duende.AccessTokenManagement.OpenIdConnect)

v3.0.0

Compare Source

This is a major release of Duende.AccessTokenManagement and Duende.AccessTokenManagement.OpenIdConnect. Highlights include

• Improved support for Blazor Server
• Updates to dependencies
• Bug fixes and improvements

Breaking Changes

• Support for .NET 6 and 7 has been dropped, as Microsoft either no longer supports or soon will no longer support those versions in the coming months. Duende.AccessTokenManagement Version 2.1 (which supports .NET 6 and 7) will continue to be supported until .NET 6 reaches end of life in November.
• The OpenIdConnectUserAccessTokenHandler no longer depends on HttpContext, and instead depends on the new IUserAccessor interface. This change allows us to use the handler in Blazor Server projects. If you have customized the handler in a derived class, update your derived class's constructor to depend on the IUserAccessor and pass that to the handler's constructor. You probably don't need to implement IUserAccessor - the default implementation of the IUserAccessor is registered automatically and accesses the current user from the HttpContext, and a blazor server specific implementation is also available.
• The OpenIdConnectUserAccessTokenHandler also now takes a direct dependency on the IUserTokenManagementService, rather than resolving it from the HttpContext. Again, if you have customized the handler in a derived class, you'll need to update constructors.

Blazor Server Support

This release improves our support for Blazor Server. We've added a new method to use when registering services: AddBlazorServerAccessTokenManagement. This method sets up dependencies needed specifically in a Blazor Server environment, including retrieving the current user without using HttpContext when it is not available. This simplifies creating HttpClients that use the current user's access token.

Blazor Server implementations have always required a server side token store (an implementation of ITokenStore). You should pass your implementation of ITokenStore to AddBlazorServerAccessTokenManagement's type parameter.

We've also exposed the logic related to storage of tokens in an AuthenticationTicket as a new service.

Dependencies

• We now depend on:
  • version 7.0.0 or later of IdentityModel
  • version 8.0.1 or later of the ASP.NET OpenIdConnect Authentication Handler (Microsoft.AspNetCore.Authentication.OpenIdConnect)
  • version 7.1.2 or later of the Microsoft JWT Handler (System.IdentityModel.Tokens.Jwt)

Our approach for dependencies is to depend on the minimum patch version that accomplishes
the following:

• Avoid depending on a version of a package that has a known security vulnerability
• Avoid depending on a version that has a transitive dependency on a version of a package that has a known vulnerability
• Depend on the same version of the Microsoft JWT handler as the ASP.NET OpenIdConnect Authentication Handler

Full Changelog

Blazor Support

• Add accessor for current principal by @​josephdecock in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/99
• Add service for storage of tokens in auth properties by @​josephdecock in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/100

Bugs and Improvements

• Keep previous refresh token if not updated during refresh by @​hybrid2102 in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/46
• Add a specific exception when the clientId is empty by @​kallayj in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/73
• Remove space from closing a tag in Index.cshtml by @​RolandGuijt in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/72
• make constructor of ServicesAccessorCircuitHandler public by @​maxmantz in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/104
• Remove unknown client error message by @​josephdecock in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/106
• Fix typo in docs by @​willibrandon in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/107
• Final polish for release by @​josephdecock in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/126

Dependencies

• Updated System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.JsonWebTokens to latest to address CVEs by @​chgl in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/53
• Updateed System.IdentityModel.Tokens.Jwt and Microsoft.AspNetCore.Authentication.* by @​josephdecock in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/92
• Update IdentityModel to v7.0.0 by @​josephdecock in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/93
• Drop support for .NET 6/7 by @​josephdecock in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/98

Dependabot

• added dependabot.yml by @​goldsam in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/56
• Bump coverlet.collector from 3.1.2 to 6.0.1 by @​dependabot in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/57
• Bump coverlet.collector from 6.0.1 to 6.0.2 by @​dependabot in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/83
• Bump Microsoft.NET.Test.Sdk from 17.1.0 to 17.9.0 by @​dependabot in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/60
• Bump Microsoft.NET.Test.Sdk from 17.9.0 to 17.10.0 by @​dependabot in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/111
• Bump Microsoft.SourceLink.GitHub from 1.1.1 to 8.0.0 by @​dependabot in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/68
• Bump MinVer from 4.0.0 to 4.3.0 by @​dependabot in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/62
• Bump MinVer from 4.3.0 to 5.0.0 by @​dependabot in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/71
• Bump NuGetKeyVaultSignTool from 3.1.6 to 3.2.3 by @​dependabot in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/59
• Bump RichardSzalay.MockHttp from 6.0.0 to 7.0.0 by @​dependabot in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/63
• Bump Serilog.AspNetCore from 8.0.0 to 8.0.1 by @​dependabot in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/58
• Bump Shouldly from 4.0.3 to 4.2.1 by @​dependabot in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/70
• Bump xunit from 2.4.1 to 2.7.0 by @​dependabot in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/66
• Bump xunit from 2.7.0 to 2.7.1 by @​dependabot in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/88
• Bump xunit from 2.7.1 to 2.8.0 by @​dependabot in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/96
• Bump xunit from 2.8.0 to 2.8.1 by @​dependabot in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/110
• Bump xunit.runner.visualstudio from 2.4.3 to 2.5.7 by @​dependabot in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/65
• Bump xunit.runner.visualstudio from 2.5.7 to 2.8.0 by @​dependabot in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/97
• Bump xunit.runner.visualstudio from 2.8.0 to 2.8.1 by @​dependabot in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/112
• Bump IdentityServerVersion from 7.0.4 to 7.0.5 by @​dependabot in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/116

New Contributors

• @​goldsam made their first contribution in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/56
• @​chgl made their first contribution in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/53
• @​paulomorgado made their first contribution in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/52
• @​dependabot made their first contribution in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/58
• @​RolandGuijt made their first contribution in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/72
• @​kallayj made their first contribution in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/73
• @​maxmantz made their first contribution in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/104
• @​willibrandon made their first contribution in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/107

Full Changelog: DuendeSoftware/Duende.AccessTokenManagement@2.1.2...3.0.0

v2.1.2

Compare Source

This is a patch release that fixes a bug when using DPoP and Resource Indicators together.

What's Changed

• Fix DPoP proof token creation when resources are used by @​josephdecock in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/90

Full Changelog: DuendeSoftware/Duende.AccessTokenManagement@2.1.1...2.1.2

v2.1.1

Compare Source

This is a patch release that fixes a DPoP bug and updates our dependency on ASP.NET framework packages.

What's Changed

• update dependencies to latest patches by @​brockallen in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/78
  Updated dependency on ASP.NET framework packages from version 8.0.0 to version 8.0.3. This updates our transitive dependency on the System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.JsonWebTokens packages past versions that have a known Denial of Service vulnerability.
• Fix handling of dpop nonce sent during token exchange by @​josephdecock in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/79
  Fixes a bug where DPoP nonces provided by authorization servers were not processed correctly.

Full Changelog: DuendeSoftware/Duende.AccessTokenManagement@2.1.0...2.1.1

v2.1.0

Compare Source

What's Changed

• Respect explicitly passed scopes on refresh by @​hybrid2102 in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/43
• Support for .NET 8 by @​josephdecock in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/44

New Contributors

• @​hybrid2102 made their first contribution in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/43
• @​josephdecock made their first contribution in https://github.com/DuendeSoftware/Duende.AccessTokenManagement/pull/44

Full Changelog: DuendeSoftware/Duende.AccessTokenManagement@2.0.3...2.1.0

---

Configuration

📅 Schedule: Branch creation - "anytime" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[github-actions]

✒️ PR Title Commitlint - ✔️ Lint success!

[marvin-serp-bot]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 3.x releases. But if you manually upgrade to 3.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.