Build(deps): Bump OpenIddict.Core from 4.3.0 to 4.9.0

[dependabot]

Bumps OpenIddict.Core from 4.3.0 to 4.9.0.

Release notes

Sourced from OpenIddict.Core's releases.

4.9.0

This release introduces the following changes:

• An Auth0 provider integration was added to OpenIddict.Client.WebIntegration (thanks @​pableess! ❤️)

• OpenIddictClientService.AuthenticateWithDeviceAsync() was fixed to honor DeviceAuthenticationRequest.Scopes.

• The userinfo validation logic was improved to be compatible with more OAuth 2.0-only scenarios.

4.8.0

This release introduces the following changes:

• The OpenIddict server stack was updated to be compatible with the new Microsoft.IdentityModel.* 7.0 packages (that now use System.Text.Json instead of an internal copy of JSON.NET). Users migrating to Microsoft.IdentityModel.* 7.0 are strongly encouraged to bump OpenIddict to 4.8.0 at the same time to avoid compatibility issues (e.g missing claims).

• 2 new providers have been added to OpenIddict.Client.WebIntegration:

  • JumpCloud
  • Kakao (thanks @​steveberdy! ❤️)

• The OpenIddict.*.DataProtection packages have been updated to support custom IDataProtectionProvider instances that don't use the default magic header (thanks @​sbolofsson! ❤️)

Special thanks to the IdentityModel team for the effort they put into Microsoft.IdentityModel.* 7.0 and for being extremely attentive to the community feedback 👏🏻

4.7.0

This release introduces the following changes:

Note These changes are expected to drastically simplify using the OpenIddict client and its web integration companion package as drop-in replacements for the Microsoft OIDC/OAuth 2.0 handlers and the aspnet-contrib social providers. The aspnet-contrib providers are still supported, but the OpenIddict providers are now the recommended option for most scenarios.

• A built-in authentication scheme forwarding feature was added to the OpenIddict client: starting in OpenIddict 4.7, an authentication scheme will now be dynamically created for each client registration that has a non-null OpenIddictClientRegistration.ProviderName attached, which allows calling the ASP.NET Core IAuthenticationService APIs (or the equivalents in IAuthenticationManager for OWIN) directly using the provider name instead of having to specify it as an authentication property:

app.MapGet("redirect-to-github", () => Results.Challenge(properties: null, authenticationSchemes: new[] { Providers.GitHub }));

• Client registrations with a non-null OpenIddictClientRegistration.ProviderDisplayName attached - which is the case for all the built-in web providers by default - will now be returned by ASP.NET Core Identity's SignInManager.GetExternalAuthenticationSchemesAsync() API and will automatically appear in the "external providers" list that is part of the default Identity UI:

• If necessary, this new authentication scheme forwarding feature can be disabled in the ASP.NET Core or OWIN options using the dedicated methods:

services.AddOpenIddict()
    .AddClient(options =>
    {
        options.UseAspNetCore()
               .DisableAutomaticAuthenticationSchemeForwarding();
    });

services.AddOpenIddict()
    .AddClient(options =>
</tr></table> 

... (truncated)

Commits

• e181325 Update Versions.props to build 4.9.0 packages
• 7b214be Automatically disable userinfo validation when the openid scope is not requested
• 680d51d Fix AuthenticateWithDeviceAsync() to flow the scopes attached to the request ...
• e13e2b4 Add Auth0 to the list of supported providers
• 1a41fd6 Update Versions.props to build 4.8.0 packages
• 4cd4c09 Automatically abort interactive challenge demands when no client identifier c...
• 8f9c641 Update the samples to store the provider name in the authentication cookie
• ca1784f Update ValidateIdentityModelToken to use TryGetPayloadValue() with Dictionary...
• 23d8d9b Update ValidateDataProtectionToken to support IDataProtectionProvider impleme...
• bd3205b Update the sponsors section
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.