IdentityModel.OidcClient v2 & the OpenID RP Certification

A couple of weeks ago I started re-writing (an re-designing) my OpenID Connect & OAuth 2 client library for native applications. The library follows the guidance from the OpenID Connect and OAuth 2.0 for native Applications specification.

Main features are:

  • Support for OpenID Connect authorization code and hybrid flow
  • Support for PKCE
  • NetStandard 1.4 library, which makes it compatible with x-plat .NET Core, desktop .NET, Xamarin iOS & Android (and UWP soon)
  • Configurable policy to lock down security requirements (e.g. requiring at_hash or c_hash, policies around discovery etc.)
  • either stand-alone mode (request generation and response processing) or support for pluggable (system) browser implementations
  • support for pluggable logging via .NET ILogger

In addition, starting with v2 – OidcClient is also now certified by the OpenID Foundation for the basic and config profile.


It also passes all conformance tests for the code id_token grant type (hybrid flow) – but since I don’t support the other hybrid flow combinations (e.g. code token or code id_token token), I couldn’t certify for the full hybrid profile.

For maximum transparency, I checked in my conformance test runner along with the source code. Feel free to try/verify yourself.

The latest version of OidcClient is the dalwhinnie release (courtesy of my whisky semver scheme). Source code is here.

I am waiting a couple more days for feedback – and then I will release the final 2.0.0 version. If you have some spare time, please give it a try (there’s a console client included and some more sample here <use the v2 branch for the time being>). Thanks!

This entry was posted in .NET Security, IdentityModel, OAuth, OpenID Connect, WebAPI. Bookmark the permalink.

5 Responses to IdentityModel.OidcClient v2 & the OpenID RP Certification

  1. arghya says:

    MissingMethodException + Method not found: ‘IdentityServer4.Configuration Method not found: ‘IdentityServer4.Configuration.AuthenticationOptions IdentityServer4.Configuration.IdentityServerOptions.get_AuthenticationOptions() When I just run the Authentication Server without the API or client projects. Am I missing anything?

  2. tomj says:

    well, I am looking for client code to use in a relying party web site and hoped that was what you were building, but I can’t really tell.
    I installed and built the code and looked at the samples.
    Perhaps a little guidance as to what I am looking at?

  3. Pingback: Native OIDC client sample for Windows that uses custom URI scheme handler | brockallen

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s