I just pushed Preview 3 of the 4.0 version of IdentityModel.OidcClient – this includes some major updates (that you might or might not have asked for):
- Removal of OpenID Connect Hybrid Flow.
The codebase does Authorization Code Flow + PKCE only now. This is in line with RFC 8252 and the AppAuth reference implementations. Also, this reduced the complexity of the codebase dramatically.
- Support for pure OAuth-based request.
Before this change, the openid scope was mandatory, which always meant OpenID Connect compliance on the server. You can now omit openid and do pure OAuth 2.0 as well.
- Removing JWT signature validation from the core codebase.
The signature validation is now a pluggable component. I provide a default implementation using Microsoft’s JWT handler in a separate NuGet package. This allowed me to remove that dependency from OidcClient.
- Removed dependency on Newtonsoft.Json.
IdentityModel still uses it; this will change as well at some point.
All in all, this makes OidcClient slimmer and thus hopefully easier to integrate into existing applications.
Please give it a try.