Changes between versions

Curious what's changed from version to version? Wonder if it's worth upgrading or what breaking changes may exist? This is the page for you. Not all fixed issues are listed here, but the more noteworthy ones are. Unless explicitly said otherwise, each version has all the enhancements of the previously listed ones.

Version 3.0.0 RC 1

• RP: NEW InfoCard Selector ASP.NET control
• RP: More efficient reuse of allocated objects by ASP.NET controls.
• RP: Certificate Revocation List check is now on by default in samples.
• OP: New ASP.NET MVC OpenID Provider sample.
• RP+OP: Fixed interop with some remote servers that omit certain common HTTP headers.
• All around: final refactoring to give v3.0 a clean and consistent feel, including some breaking changes to the public API.

Version 3.0.0 Beta 2

• RP+OP: fixed hangs, login failures against some HTTP servers ( Issue 205 ).
• RP+OP: discovery results cached for faster repeat logins ( Issue 198 ).
• RP+OP: Fixed missing feature for non-ASP.NET web site support ( Issue 209 ).
• RP: classic ASP support fixed ( Issue 213 ).
• RP: classic ASP now has support for the Simple Registration extension ( Issue 212 ).
• RP: All callback arguments on return_to URL are now signed to protect against tampering ( Issue 147 ).
• RP: More reliable logins due to nonce checking that is per-provider endpoint instead of global ( Issue 175 ).
• RP: Added support for using ASP.NET State Server and other serialization-based session stores ( Issue 185 ).
• OP: Even OpenID 1.x RPs are now protected from replay attacks on positive assertions ( Issue 176 ).

Version 3.0.0 Beta 1

• OAuth support! Both for Service Provider and Consumer roles.
• RP+OP: Exceptions are now much more predictable: the host need only catch ProtocolException to handle all unexpected error cases.
• RP+OP: OpenID extensions without simultaneous authentication.
• RP: Signed callback arguments so relying parties can be confident their data was not tampered with during authentication.
• RP: Smaller authentication request messages (shorter URLs).
• RP: OpenIdAjaxTextBox now batches authentication attempts to several OPs specified in the user's XRDS document at once in search of one that will authenticate without further user interaction.
• OP: Ability to customize the lifetimes of each shared association type for added security.
• Over 400 unit tests (150+ more than previous version).
• The public API, while extremely similar, has changed its namespace. Hosting sites will need to accommodate to the changes!
• Beta 1 is only available from our Ohloh project site.

Version 2.5.4

• RP: Fixed  Issue 204 , a regression in interop with older Providers introduced in v2.5.3.

Version 2.5.3

• RP: HTML discovery now notices both OpenID 1.x and 2.0 endpoints at once (instead of just one, whichever is best). This helps users log in with Identifiers that incorrectly advertise their Provider as supporting 1.x and 2.0 even when they only support 1.x ( Issue 180 ).

Version 2.5.2

• RP: Fix to put up with AOL's incorrect decoding of our return_to URL, which causes a corruption in the base64 encoded token.
• RP: Better trimming of user supplied identifiers
• RP: XRDS documents are now discovered using Accept-Type HTTP header in more scenarios, fixing discovery on some OpenIDs. ( Issue 182 )
• RP: Added User-Agent HTTP header to discovery requests so that Technorati OpenIDs are discoverable. ( Issue 181 )
• RP: Fixed a corner case where some redirects that were just barely over the 2KB limit would still use 301 Redirect instead of FORM submit, causing some authentications to fail. ( Issue 170 )
• RP: Updated MVC sample to work with ASP.NET MVC beta 1.
• OP: Locked down Provider's IAuthenticationRequest.ClaimedIdentifier to prevent the host changing it in delegated URL scenarios.

Version 2.5.1

• Fixes RP to tolerate an OP that unexpectedly changes the Claimed Identifier during authentication ( Issue 162 ). This gets DotNetOpenId working better with Windows Live OpenID and Yahoo! providers.
• Modified samples' web.config file to support international domain names in OpenID Identifiers.
• Fixes persistence of "Remember Me" checkbox in OpenIdLogin control ( Issue 156 ).
• OpenIdTextBox paints solid white background instead of being transparent ( Issue 155 ).
• Updated PAPE extension to DRAFT 7 spec.
• Added PAPE to sample RP and OP sites.

Version 2.5.0

• Added OpenIdAjaxTextBox: an AJAX-style login control that immediately attempts authentication once the identifier has been entered, and provides explicit "setup" style login via an unobtrusive login button where required. Supports OpenID extensions both in JavaScript and on the server so forms can be prefilled. Great for blog commenting and user account pages where additional identifiers can be added to an account. See the live demo.

Version 2.4.3

• Fixed bug introduced in 2.4.1 (or 2.4.0?) where RP would reject association responses from 1.0 OPs that omitted the session_type parameter ( Issue 148 ).
• IdentityEndpointNormalizationEventArgs.UserSuppliedIdentifier is now settable by the host web site for highly customized url rewriting scenarios.
• Lots more Identifier discovery logging.
• Better logging of nonce failures.

Version 2.4.2

• Fixed RelyingPartyMvc sample so its assembly references to MVC are correct ( Issue 145 ).
• Fixed unhandled NullReferenceException on failed, immediate, directed identity authentication requests.
• Fixed redirect handling when Location header is a relative URL.
• IAuthenticationResponse.FriendlyIdentifierForDisplay now returns just the i-name when the user provided an i-name, instead of "i-number (i-name)".
• Added sample provider .ashx handler.

Version 2.4.1

• Fixed association handling with OPs that don't support SHA-256 ( Issue 134 ). This did not break login, but just forced RPs to use dumb mode when working with OPs that didn't support SHA-256. The bug only repros in 2.4.0. All versions before that were correct.
• New support for configuring many aspects of DotNetOpenId using your Web.config file instead of imperative code. Makes customizing settings much easier, whether you're using the ASP.NET controls or doing things programmatically ( Issue 131 ).
• CanonicalID verification now done at the XRI resolver proxy, resulting in XRI discovery happening twice as fast ( Issue 137 ).
• XRDS default prioritization fixed to sort by service type first, then priority value ( Issue 136 ).
• RP interops better with OPs that want to use Diffie-Hellman sessions even over HTTPS ( Issue 141 ).
• Fixed forced HTTPS use in XRI resolution when in high security profile mode ( Issue 138 ).
• A few other small interop improvements.
• As part of web.config configuration, the RP and OP custom store samples have been removed. The more complete RP and OP samples have been augmented with custom store options that can be activated by uncommenting a line in their web.config files.

Version 2.4.0

• Added OpenIdRelyingParty.RequireSsl property to require a completely SSL secured end-to-end authentication ( Issue 123 ).
• Added support to require some minimum SHA bit length to exclude SHA1 or higher for enhanced security ( Issue 124 ).
• Added support for SHA384 and SHA512 for enhanced security over SHA256 ( Issue 125 ).
• Added support for requiring the remote end of an OpenID authentication to implement OpenID 2.0 ( Issue 127 ).
• Added support for ASP.NET validation controls to validate OpenIdTextBox, OpenIdLogin controls ( Issue 121 ).
• Added bool AutoNormalizeRequest property and NormalizeUri event to IdentityEndpoint control ( Issue 120 ).
• Fixed directed identity immediate mode where setup_required is returned by ClaimedIdentifier has the special identifier select string instead of null, and the original user-supplied identifier is unrecoverable ( Issue 116 ).
• Added OpenIdTextBox.CustomApplicationStore and Stateless properties ( Issue 128 ).
• Added ProviderEndpoint.CustomApplicationStore property ( Issue 129 ).

Version 2.1.7, 2.2.4, 2.3.2

• Fixes realm/return_to capitalization compatibility issue ( Issue 122 ).

Version 2.3.1

• Fixed RP stateless mode that broke directed identity in stateless ( Issue 119 ).

Version 2.2.3, 2.1.6

• Fixed log4net.dll non-dependency bug, so that log4net.dll really isn't necessary unless great logging is needed.

Version 2.3.0b/2.2.2b/2.1.5b

• No changes whatever, except that the binaries are strong-name signed. Previous releases were strong-name signed, but the last release somehow managed to avoid it by accident.

Version 2.3.0a/2.2.2a/2.1.5a

• Fixes ProviderPortal sample's directed identity support
• Fixes all samples' csproj files to correctly reference the DotNetOpenId.dll assembly (fixes  Issue 117 ).

Version 2.3.0

• Provider direct response message content-type now set to application/x-openid-kvf to allow hosting of providers on free GoDaddy hosting without ads corrupting the message.
• RP support for discovering multiple endpoints at a single identifier, custom filtering and sorting by host site. Includes some intelligent fail-over if first choice OPs are down during authentication.
• RP no longer strips Claimed Identifier's #fragment portion. Very Important Breaking Change. See  Issue 112  for details that upgraders must read.
• Provider can now add a #fragment portion to a URI claimed identifier.
• Added IAuthenticationResponse.FriendlyIdentifierForDisplay property.

Version 2.2.2

• Added the RelyingParty.IProviderEndpoint.Uri property to allow host RP to filter on trusted providers.

Version 2.1.5

• Added XRI Canonical ID verification for more secure logins.
• XRIs now resolved entirely using HTTPS.
• Added IDSelector support to OpenIdLogin ( Issue 99 ).
• Switched to log4net for logging (log4net.dll is optional in deployment)
• Fixed bug in Provider where check_authentication would fail with empty values ( Issue 110 ).
• Fixed the way Provider returns error conditions to relying parties.

Version 2.2.1 / 2.1.4

• Security issue: Fixed community i-name ClaimedIdentifiers ( Issue 96 ).
• Fixed some unhandled exceptions when dealing with some (incomplete) XRDS documents.

Version 2.2.0

• Add built-in support for the PAPE extension ( Issue 57 ).
• Large OpenID messages are now sent/received using form POST. This required breaking changes, see issue for details ( Issue 79 ).
• Security enhancement to protect RPs from malicious OpenID URLs ( Issue 64 ).
• Allow for discovery of an Identifier's supported extensions before authentication ( Issue 83 ).
• Support extensions that have multiple versions and want to support all of them ( Issue 85 ).
• IAuthenticationRequest/OpenIdEventArgs ClaimedIdentifier now returns null in directed identity scenarios instead of the identifier_select URL, and a new IsDirectedIdentity property has been added. Breaking change ( Issue 88 ). IAuthenticationResponse.ClaimedIdentifier, which most sites probably are using, is left unchanged and always provides the correct ClaimedIdentifier.

Version 2.1.3

• Better support for ASP.NET URL rewriting ( Issue 86 ).
• ASP.NET MVC sample updated to MVC Preview 3 ( Issue 93 ).
• Shared hosting strong-name issue fixed ( Issue 14 ). We've supported partial trust environments for quite a while, but it mysteriously required a recompile at times. I finally figured it out and this fixes it.

Version 2.1.2

• Fixed handling of URLs that start with ?& ( Issue 81 ).
• Added RP discovery for return URL verification for Providers ( Issue 56 ).
• Fixed cookieless session ASP.NET relying parties ( Issue 78 ).
• New HTML and CHM documentation generated from xml doc comments ( Issue 70 ).

Version 2.1.1, 2.0.2

• Fixed encoding bug in return_to argument and a couple of other places that cause random FormatExceptions ( Issue 73 ).
• Realm and return_to arguments are consistent with explicit/implicit port inclusion for better interop with other libraries ( Issue 71 ).
• Better handling of HTTP/1.0 servers that do not support "Expect: 100 Continue" header. ( Issue 72 )
• Fixed Realm implicit conversion handling of null values.
• Fixed realm bug where 'star'.domain.com would throw ArgumentOutOfRangeException when matching against domain.com.
• Trace warning when return_to URL includes openid parameters from a previous attempt.

Version 2.1.0

• Add built-in support for the Attribute Exchange extension ( Issue 58 ).
• Breaking changes for simple registration extension and any custom built extensions by users of this library to simplify use of and writing new extensions.
• INonceStore now easier to implement for custom stores while protecting against replay attacks. Breaking change for anyone implementing custom store. ( Issue 66 ).
• Added sample ASP.NET MVC relying party application ( Issue 61 ).
• Timeouts and other paranoid HTTP settings adjustable through public members ( Issue 62 ).

Version 2.0.1

• Fixed unhandled exception when HTTP responses lack a Content-Type header.
• Clarified DateTimeKind of Nonce.ExpirationDate.
• Official builds now strong-name signed.

Version 2.0.0

• Support for OpenID 2.0 Relying Parties and Providers, including but not limited to these features:
• Xri and i-name support
• Directed identity support
• More secure hashing algorithms (SHA-256)
• Interop with Yahoo and other OpenID 2.0-only providers
• Better security against replay attacks.
• Send unsolicited positive assertions from providers to automatically log your users in to relying party web sites.
• Much more comprehensive testing of common scenarios and possible security exploits.
• More comprehensive HTML-based identity discovery.
• Completely stateless mode support for Relying Parties (not even HttpApplication state).
• New OpenIdMobileTextBox ASP.NET control.
• All relying party ASP.NET controls now support immediate mode.
• Improved support for custom stores that have to serialize associations (for databases, etc.)
• Debugger attributes to make stepping through the code easier.

Version 1.0.2

• Fixed localization bug that makes some DotNetOpenId relying party sites fail to authenticate users whose browsers are set to a neutral culture (i.e. 'en' instead of 'en-US').

Version 1.0.1

• Fixed Provider bug where all issued associations lasted only one minute. This has no impact on sites only using Relying Party functionality in the library.

Version 1.0.0

• Added replay attack detection and prevention. ( issue 40 )
• Fixed MemoryStore caching where ASP.NET could freely clear out keys in the middle of an authentication causing random failures. ( issue 16 )
• Heavy refactoring to follow more .NET conventions, be easier to 'discover' with
• Most classes now belong to the new DotNetOpenId namespace.
• Two new ASP.NET controls to make hosting OpenID providers or identity forwarders easier.
• OpenIdTextBox.ShowLogo property now defaults to true.
• ProviderPortal sample web site's urlrewrite section moved outside of system.web. ( issue 38 )
• Many more unit tests for more comprehensive coverage of code and scenarios. Lots of little bugs fixed.

Version 0.1.2

• Session state is no longer required for consumers. ( issue 37 )
• Partial trust scenarios now supported. Unsafe C# code rewritten in safe code so shared-hosting ASP.NET web sites can now be OpenID providers/consumers. ( issue 14 )
• Fixed intermittent authentication failure due to indeterministic signature verification. ( issue 47 )

Version 0.1.1

• Added OpenIdTextBox.ShowLogo property to easily show OpenID logo from embedded resource. ( issue 25 )
• Added a Remember Me checkbox to the OpenIdLogin control. ( issue 32 )
• Added OpenIdLogin.RegisterVisible property.
• Fixed UTC/Local DateTime inconsistent usage. ( issue 18 )
• Fixed bug where one of CheckIdRequest's constructors would always fail due to passing Uri.AbsolutePath to TrustRoot's constructor. ( issue 35 )
• Improved security by adding TrustRoot validation that was missing from earlier versions.
• Added OpenIdTextBox.TrustRootUrl property. ( issue 39 )

Version 0.1.0

• Fixed bug where only the first LINK tag in an HTML document would be parsed for openid.server information. ( issue 15 )
• Fixed OpenIdTextBox bug where old failure cases would cause all future cases to fail as well. ( issue 17 )
• OpenIdTextBox now catches some failure exceptions and fires the Error event as appropriate. ( issue 19 )
• Removed requirement for http:// to precede the host in the OpenIdLogin control. ( issue 25 )

Version M1

• First release of a working library.
• Full support for OpenID 1.1 consumers and providers.
• Easy to use ASP.NET controls for OpenID consumers.