Changes between versions

Curious what's changed from version to version? Wonder if it's worth upgrading or what breaking changes may exist? This is the page for you. Not all fixed issues are listed here, but the more noteworthy ones are. Unless explicitly said otherwise, each version has all the enhancements of the previously listed ones.

Version 2.3.0

• Provider direct response message content-type now set to application/x-openid-kvf to allow hosting of providers on free GoDaddy hosting without ads corrupting the message.
• RP support for discovering multiple endpoints at a single identifier, custom filtering and sorting by host site. Includes some intelligent fail-over if first choice OPs are down during authentication.
• RP no longer strips Claimed Identifier's #fragment portion. Very Important Breaking Change. See  Issue 112  for details that upgraders must read.
• Provider can now add a #fragment portion to a URI claimed identifier.
• Added IAuthenticationResponse.FriendlyIdentifierForDisplay property.

Version 2.2.2

• Added the RelyingParty.IProviderEndpoint.Uri property to allow host RP to filter on trusted providers.

Version 2.1.5

• Added XRI Canonical ID verification for more secure logins.
• XRIs now resolved entirely using HTTPS.
• Added IDSelector support to OpenIdLogin ( Issue 99 ).
• Switched to log4net for logging (log4net.dll is optional in deployment)
• Fixed bug in Provider where check_authentication would fail with empty values ( Issue 110 ).
• Fixed the way Provider returns error conditions to relying parties.

Version 2.2.1 / 2.1.4

• Security issue: Fixed community i-name ClaimedIdentifiers ( Issue 96 ).
• Fixed some unhandled exceptions when dealing with some (incomplete) XRDS documents.

Version 2.2.0

• Add built-in support for the PAPE extension ( Issue 57 ).
• Large OpenID messages are now sent/received using form POST. This required breaking changes, see issue for details ( Issue 79 ).
• Security enhancement to protect RPs from malicious OpenID URLs ( Issue 64 ).
• Allow for discovery of an Identifier's supported extensions before authentication ( Issue 83 ).
• Support extensions that have multiple versions and want to support all of them ( Issue 85 ).
• IAuthenticationRequest/OpenIdEventArgs ClaimedIdentifier now returns null in directed identity scenarios instead of the identifier_select URL, and a new IsDirectedIdentity property has been added. Breaking change ( Issue 88 ). IAuthenticationResponse.ClaimedIdentifier, which most sites probably are using, is left unchanged and always provides the correct ClaimedIdentifier.

Version 2.1.3

• Better support for ASP.NET URL rewriting ( Issue 86 ).
• ASP.NET MVC sample updated to MVC Preview 3 ( Issue 93 ).
• Shared hosting strong-name issue fixed ( Issue 14 ). We've supported partial trust environments for quite a while, but it mysteriously required a recompile at times. I finally figured it out and this fixes it.

Version 2.1.2

• Fixed handling of URLs that start with ?& ( Issue 81 ).
• Added RP discovery for return URL verification for Providers ( Issue 56 ).
• Fixed cookieless session ASP.NET relying parties ( Issue 78 ).
• New HTML and CHM documentation generated from xml doc comments ( Issue 70 ).

Version 2.1.1, 2.0.2

• Fixed encoding bug in return_to argument and a couple of other places that cause random FormatExceptions ( Issue 73 ).
• Realm and return_to arguments are consistent with explicit/implicit port inclusion for better interop with other libraries ( Issue 71 ).
• Better handling of HTTP/1.0 servers that do not support "Expect: 100 Continue" header. ( Issue 72 )
• Fixed Realm implicit conversion handling of null values.
• Fixed realm bug where 'star'.domain.com would throw ArgumentOutOfRangeException when matching against domain.com.
• Trace warning when return_to URL includes openid parameters from a previous attempt.

Version 2.1.0

• Add built-in support for the Attribute Exchange extension ( Issue 58 ).
• Breaking changes for simple registration extension and any custom built extensions by users of this library to simplify use of and writing new extensions.
• INonceStore now easier to implement for custom stores while protecting against replay attacks. Breaking change for anyone implementing custom store. ( Issue 66 ).
• Added sample ASP.NET MVC relying party application ( Issue 61 ).
• Timeouts and other paranoid HTTP settings adjustable through public members ( Issue 62 ).

Version 2.0.1

• Fixed unhandled exception when HTTP responses lack a Content-Type header.
• Clarified DateTimeKind of Nonce.ExpirationDate.
• Official builds now strong-name signed.

Version 2.0.0

• Support for OpenID 2.0 Relying Parties and Providers, including but not limited to these features:
• Xri and i-name support
• Directed identity support
• More secure hashing algorithms (SHA-256)
• Interop with Yahoo and other OpenID 2.0-only providers
• Better security against replay attacks.
• Send unsolicited positive assertions from providers to automatically log your users in to relying party web sites.
• Much more comprehensive testing of common scenarios and possible security exploits.
• More comprehensive HTML-based identity discovery.
• Completely stateless mode support for Relying Parties (not even HttpApplication state).
• New OpenIdMobileTextBox ASP.NET control.
• All relying party ASP.NET controls now support immediate mode.
• Improved support for custom stores that have to serialize associations (for databases, etc.)
• Debugger attributes to make stepping through the code easier.

Version 1.0.2

• Fixed localization bug that makes some DotNetOpenId relying party sites fail to authenticate users whose browsers are set to a neutral culture (i.e. 'en' instead of 'en-US').

Version 1.0.1

• Fixed Provider bug where all issued associations lasted only one minute. This has no impact on sites only using Relying Party functionality in the library.

Version 1.0.0

• Added replay attack detection and prevention. ( issue 40 )
• Fixed MemoryStore caching where ASP.NET could freely clear out keys in the middle of an authentication causing random failures. ( issue 16 )
• Heavy refactoring to follow more .NET conventions, be easier to 'discover' with
• Most classes now belong to the new DotNetOpenId namespace.
• Two new ASP.NET controls to make hosting OpenID providers or identity forwarders easier.
• OpenIdTextBox.ShowLogo property now defaults to true.
• ProviderPortal sample web site's urlrewrite section moved outside of system.web. ( issue 38 )
• Many more unit tests for more comprehensive coverage of code and scenarios. Lots of little bugs fixed.

Version 0.1.2

• Session state is no longer required for consumers. ( issue 37 )
• Partial trust scenarios now supported. Unsafe C# code rewritten in safe code so shared-hosting ASP.NET web sites can now be OpenID providers/consumers. ( issue 14 )
• Fixed intermittent authentication failure due to indeterministic signature verification. ( issue 47 )

Version 0.1.1

• Added OpenIdTextBox.ShowLogo property to easily show OpenID logo from embedded resource. ( issue 25 )
• Added a Remember Me checkbox to the OpenIdLogin control. ( issue 32 )
• Added OpenIdLogin.RegisterVisible property.
• Fixed UTC/Local DateTime inconsistent usage. ( issue 18 )
• Fixed bug where one of CheckIdRequest's constructors would always fail due to passing Uri.AbsolutePath to TrustRoot's constructor. ( issue 35 )
• Improved security by adding TrustRoot validation that was missing from earlier versions.
• Added OpenIdTextBox.TrustRootUrl property. ( issue 39 )

Version 0.1.0

• Fixed bug where only the first LINK tag in an HTML document would be parsed for openid.server information. ( issue 15 )
• Fixed OpenIdTextBox bug where old failure cases would cause all future cases to fail as well. ( issue 17 )
• OpenIdTextBox now catches some failure exceptions and fires the Error event as appropriate. ( issue 19 )
• Removed requirement for http:// to precede the host in the OpenIdLogin control. ( issue 25 )

Version M1

• First release of a working library.
• Full support for OpenID 1.1 consumers and providers.
• Easy to use ASP.NET controls for OpenID consumers.