lsm/openiddict-documentation
1
0
Fork 0
mirror of https://gitee.com/dcren/openiddict-documentation.git synced 2025-07-16 16:50:46 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Update the link to the JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens specification

Browse Source
This commit is contained in:
Kévin Chalet 2022-01-07 17:00:27 +01:00
parent 97d86fe382
commit b3a75b3a63
2 changed files with 10 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
configuration/token-formats.md
View File

@ -18,7 +18,7 @@ developed and maintained by Microsoft to generate signed and encrypted tokens us
To protect against token substitution and confused deputy attacks, **OpenIddict 3.0 uses the standard `typ` JWT header to convey the actual token type**. To protect against token substitution and confused deputy attacks, **OpenIddict 3.0 uses the standard `typ` JWT header to convey the actual token type**.
This mechanism replaces the private `token_usage` claim used for the same purpose in previous versions of OpenIddict. This mechanism replaces the private `token_usage` claim used for the same purpose in previous versions of OpenIddict.
As required by the [JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens draft](https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-04#section-2.1), As required by the [JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens specification](https://datatracker.ietf.org/doc/html/rfc9068),
**access tokens produced by OpenIddict 3.0 are always issued with a `"typ": "at+jwt"` header** while identity tokens still use `"typ": "JWT"` for backward compatibility. **access tokens produced by OpenIddict 3.0 are always issued with a `"typ": "at+jwt"` header** while identity tokens still use `"typ": "JWT"` for backward compatibility.
Other types of tokens only accepted by OpenIddict's own endpoints use private token types prefixed by `oi_`. Other types of tokens only accepted by OpenIddict's own endpoints use private token types prefixed by `oi_`.

8
guide/migration/20-to-30.md
View File

@ -117,7 +117,7 @@ services.AddOpenIddict()
If you use JSON.NET to serialize or deserialize `OpenIdConnectMessage`, `OpenIdConnectRequest` or `OpenIdConnectResponse` instances, If you use JSON.NET to serialize or deserialize `OpenIdConnectMessage`, `OpenIdConnectRequest` or `OpenIdConnectResponse` instances,
consider moving to `System.Text.Json` when migrating to OpenIddict 3.0, as 3.0 no longer includes a built-in JSON.NET `JsonConverter` for their consider moving to `System.Text.Json` when migrating to OpenIddict 3.0, as 3.0 no longer includes a built-in JSON.NET `JsonConverter` for their
equivalent in 3.0: `OpenIddictMessage`, `OpenIddictRequest` or `OpenIddictResponse`. equivalent in 3.0 (i.e `OpenIddictMessage`, `OpenIddictRequest` and `OpenIddictResponse`).
In most cases, this should be as simple as replacing `JsonConvert.SerializeObject()`/`JsonConvert.DeserializeObject()` In most cases, this should be as simple as replacing `JsonConvert.SerializeObject()`/`JsonConvert.DeserializeObject()`
by their `System.Text.Json` equivalent: `JsonSerializer.Serialize()`/`JsonSerializer.Deserialize()`. by their `System.Text.Json` equivalent: `JsonSerializer.Serialize()`/`JsonSerializer.Deserialize()`.
@ -140,12 +140,12 @@ In 3.0, the constants used as the ASP.NET Core authentication schemes have chang
> [!NOTE] > [!NOTE]
> In 3.0, the OpenIddict server ASP.NET Core handler supports authenticating userinfo requests. As such, if you use the pass-through mode > In 3.0, the OpenIddict server ASP.NET Core handler supports authenticating userinfo requests. As such, if you use the pass-through mode
> to handle userinfo requests in your own userinfo MVC action, consider using `OpenIddictServerAspNetCoreDefaults.AuthenticationScheme` > to handle userinfo requests in your own userinfo MVC action, consider using `OpenIddictServerAspNetCoreDefaults.AuthenticationScheme`
> instead of `OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme` for your userinfo endpoint to avoid duplicate access token validation. > instead of `OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme` for your userinfo endpoint to avoid validating access tokens twice.
## Update your application to work with the new `scope` format ## Update your application to work with the new `scope` format
In OpenIddict 3.0, the format of the `scope` claim used in JWT tokens has changed from a JSON array to a single space-separated claim to match In OpenIddict 3.0, the format of the `scope` claim used in JWT tokens has changed from a JSON array to a single space-separated claim
[the JWT access token specification](https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-12). To ensure your authorization policies to match [the JWT access token specification](https://datatracker.ietf.org/doc/html/rfc9068). To ensure your authorization policies
still work after migrating, consider using the `principal.HasScope()` extension to determine whether a scope has been granted: still work after migrating, consider using the `principal.HasScope()` extension to determine whether a scope has been granted:
```csharp ```csharp