Update openiddict monorepo to 7.5.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
OpenIddict.AspNetCore (source)	7.2.0 → 7.5.0
OpenIddict.Core (source)	7.2.0 → 7.5.0
OpenIddict.EntityFrameworkCore (source)	7.2.0 → 7.5.0
OpenIddict.EntityFrameworkCore.Models (source)	7.2.0 → 7.5.0
OpenIddict.Quartz (source)	7.2.0 → 7.5.0

---

Release Notes

openiddict/openiddict-core (OpenIddict.AspNetCore)

v7.5.0

Compare Source

[!CAUTION]
Earlier today, the ASP.NET team released an out-of-band 10.0.7 update to fix a critical vulnerability in the ASP.NET Core Data Protection library used by OpenIddict and multiple components in ASP.NET Core itself (including the cookie authentication handler). For more information about the CVE-2026-40372 vulnerability and to determine whether your application is affected, read dotnet/announcements#395 and https://devblogs.microsoft.com/dotnet/dotnet-10-0-7-oob-security-update/. Additional information can also be found in dotnet/aspnetcore#66335.

If your application is affected by the CVE-2026-40372 vulnerability, immediate action is strongly advised: not updating impacted applications will leave them vulnerable to chosen-ciphertext and padding oracle attacks, resulting in elevation of privilege attacks being possible.

Recommended actions:

• If possible, review your application/web server/reverse proxy logs to determine whether the security flaw was actively used by malicious actors to leak sensitive cryptographic material or to manipulate legitimate authentication cookies/tokens by changing specific bits in the ciphertext.

• Apply the recommendations listed in dotnet/announcements#395 by revoking all the existing ASP.NET Core Data Protection master keys (e.g using the IKeyManager.RevokeAllKeys() API): doing so will ensure secrets protected before migrating to the fixed Microsoft.AspNetCore.DataProtection version - including authentication cookies produced by the ASP.NET Core cookie authentication handler (and ASP.NET Core Data Protection tokens generated by OpenIddict if the JWT format was opted out) - will be immediately rejected when trying to unprotect them.

• Even if you're not using ASP.NET Core Data Protection as the token format for any type of token in OpenIddict, revoke all the existing OpenIddict tokens using the IOpenIddictTokenManager.RevokeAsync() API to force client applications to acquire new sets of tokens for all their users: doing so will ensure refresh tokens generated by the OpenIddict server will be rejected when trying to redeem them. While this will force users to re-execute an authorization flow and re-authenticate, this step is essential to ensure tokens generated from ClaimsPrincipal instances whose claims were directly copied or indirectly inferred from ambient user identities (typically persisted in authentication cookies protected by ASP.NET Core Data Protection) will be rejected when trying to redeem them.

await using (var scope = app.Services.CreateAsyncScope())
{
    // Revoke all the existing tokens, independently of their current status or type.
    //
    // Note: on EF Core 8.0+ and MongoDB, the process should be very efficient as batch
    // updates are used by default to change the status of the tokens in the database.
    var manager = scope.ServiceProvider.GetRequiredService<IOpenIddictTokenManager>();
    await manager.RevokeAsync(subject: null, client: null, status: null, type: null);
}

This release introduces the following changes:

• The ClaimTypes.NameIdentifier, ClaimTypes.Name and ClaimTypes.Email WS-Federation claims manually added to ProcessAuthenticationContext.MergedPrincipal are now preserved instead of being overwritten by OpenIddict when mapping OpenID Connect/non-standard claims to their WS-Federation equivalent (thanks @​ax0l0tl! ❤️)

• The net8.0, net9.0 and net10.0 versions of the OpenIddict.Client.DataProtection, OpenIddict.Server.DataProtection and OpenIddict.Validation.DataProtection packages now reference the Microsoft.AspNetCore.DataProtection package instead of the Microsoft.AspNetCore.App framework.

• Configuration delegates registered by the web provider integrations now run earlier to ensure invalid options are caught without waiting for IOptionsMonitor<OpenIddictClientOptions>.CurrentValue to be called.

• All the .NET and third-party dependencies have been updated to their latest version.

[!NOTE]
The ASP.NET team recently announced that ASP.NET Core 2.3 will no longer be supported after April 2027, which will result in important TFM and dependencies changes in the next version of OpenIddict. Developers using the OpenIddict packages in .NET Framework applications or in .NET Standard libraries are invited to read these threads and evaluate whether their applications may be affected by these changes:

• Evaluate whether OpenIddict should still reference ASP.NET Core 2.3 and Entity Framework Core 2.3 after April 2027.
• Require .NET Framework 4.8 as the new minimum version.
• Consider removing the UWP and .NET Standard target framework monikers.

v7.4.0

Compare Source

This release introduces the following changes:

• The new mTLS-based OAuth 2.0 client authentication feature introduced in the previous version can now be used with the standard client credentials grant.

• The mTLS token binding implementation was updated to support anonymous clients (in this case, the base SelfSignedTlsClientAuthenticationPolicy instance attached to the server options is directly used and the IOpenIddictApplicationManager.GetSelfSignedTlsClientAuthenticationPolicyAsync()/IOpenIddictApplicationManager.ValidateSelfSignedTlsClientCertificateAsync() APIs are not used).

• The OpenIddict.Client.SystemIntegration package now restores the ambient request for marshalled authentication demands so that the OpenIddictRequest instance can be accessed from a custom event handler during a call to the AuthenticateInteractivelyAsync() method.

• A new DisableIssuerParameterValidation flag was introduced to allow disabling the built-in logic used to validate the iss authorization response parameter. Due to #​2428, this flag is set to true for the Google provider for now.

v7.3.0

Compare Source

This release introduces the following changes:

• Mutual TLS authentication is now fully supported by the server and validation stacks for both OAuth 2.0 client authentication and token binding (mTLS support in the client stack was introduced in OpenIddict 6.0). For more information on how to set up mTLS, read Mutual TLS authentication.

• Client secrets are still fully supported but the XML documentation was updated to discourage using them when possible. Instead, developers are encouraged to use either assertion-based client authentication or mTLS-based client authentication, as both offer a higher security level than shared secrets.

• Client-side mTLS support was moved from OpenIddict.Client.SystemNetHttp to OpenIddict.Client and is now a first-class citizen. As part of this task, the existing TlsClientAuthenticationCertificateSelector and SelfSignedTlsClientAuthenticationCertificateSelector options present in OpenIddictClientSystemNetHttpOptions and OpenIddictValidationSystemNetHttpOptions have been marked as deprecated and are no longer used as they didn't allow flowing certificates dynamically (which is required for mTLS token binding using certificates generated on-the-fly). Instead, developers who need to dynamically override the default TLS client certificates selection logic are now invited to create custom event handlers for the ProcessAuthenticationContext event and use the new *EndpointClientCertificate properties.

• OpenIddictClientService now allows attaching custom token request parameters via InteractiveAuthenticationRequest.AdditionalTokenRequestParameters. As part of this change, handling of redirection and post-logout redirection requests by the OpenIddict.Client.SystemIntegration has been improved: token and userinfo requests are no longer sent as part of the callback request itself but when OpenIddictClientService.AuthenticateInteractivelyAsync() is called by the application to finalize the authentication process.

• OpenIddict now uses 4096-bit RSA keys for development certificates and ephemeral keys (see #​2415 for more information).

• A new token validation check has been introduced in the client, server and validation stacks to detect when the payload associated with a reference token entry - stolen by a malicious actor from the server database - is directly used instead of the expected reference identifier.

• The osu! service is now supported by the OpenIddict.Client.WebIntegration package (thanks @​gehongyan! ❤️).

• A dedicated prompt setting was added to the Google web provider (thanks @​StellaAlexis! ❤️).

• An incorrect exception message reference was fixed (thanks @​JarieTimmer! ❤️)

• The entire code base was updated to use polyfills when targeting older .NET/.NET Framework/.NET Standard targets.

• All the .NET and third-party dependencies have been updated to the latest versions.

[!WARNING]
Multiple reports indicate that Google is progressively applying a breaking change affecting the Google web provider offered by the OpenIddict.Client.WebIntegration package. For more information on the root cause and the recommended workaround, see #​2428 and https://issuetracker.google.com/issues/479882107.

---

Configuration

📅 Schedule: (in timezone Asia/Shanghai)

• Branch creation
  • "before 5:00am,before 10am,before 3pm,before 8pm"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.