A couple of weeks ago I started re-writing (an re-designing) my OpenID Connect & OAuth 2 client library for native applications. The library follows the guidance from the OpenID Connect and OAuth 2.0 for native Applications specification.
Main features are:
- Support for OpenID Connect authorization code and hybrid flow
- Support for PKCE
- NetStandard 1.4 library, which makes it compatible with x-plat .NET Core, desktop .NET, Xamarin iOS & Android (and UWP soon)
- Configurable policy to lock down security requirements (e.g. requiring at_hash or c_hash, policies around discovery etc.)
- either stand-alone mode (request generation and response processing) or support for pluggable (system) browser implementations
- support for pluggable logging via .NET ILogger
In addition, starting with v2 – OidcClient is also now certified by the OpenID Foundation for the basic and config profile.
It also passes all conformance tests for the code id_token grant type (hybrid flow) – but since I don’t support the other hybrid flow combinations (e.g. code token or code id_token token), I couldn’t certify for the full hybrid profile.
For maximum transparency, I checked in my conformance test runner along with the source code. Feel free to try/verify yourself.
The latest version of OidcClient is the dalwhinnie release (courtesy of my whisky semver scheme). Source code is here.
I am waiting a couple more days for feedback – and then I will release the final 2.0.0 version. If you have some spare time, please give it a try (there’s a console client included and some more sample here <use the v2 branch for the time being>). Thanks!
Filed under: .NET Security, IdentityModel, OAuth, OpenID Connect, WebAPI
