Bump OpenIddict to 6.1.1 (#17582)

* Bump OpenIddict to 6.1.1

* Update Identity packages

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

Author: kevinchalet

Directory.Packages.props

@@ -38,8 +38,8 @@
     <PackageVersion Include="MailKit" Version="4.9.0" />
     <PackageVersion Include="Markdig" Version="0.39.1" />
     <PackageVersion Include="Microsoft.Extensions.Azure" Version="1.9.0" />
-    <PackageVersion Include="Microsoft.Identity.Web" Version="3.5.0" />
-    <PackageVersion Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="8.3.0" />
+    <PackageVersion Include="Microsoft.Identity.Web" Version="3.8.0" />
+    <PackageVersion Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="8.6.1" />
     <PackageVersion Include="Microsoft.IO.RecyclableMemoryStream" Version="3.0.1" />
     <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.12.0" />
     <PackageVersion Include="MimeKit" Version="4.9.0" />
@@ -49,12 +49,12 @@
     <PackageVersion Include="NJsonSchema" Version="11.1.0" />
     <PackageVersion Include="NLog.Web.AspNetCore" Version="5.3.15" />
     <PackageVersion Include="NodaTime" Version="3.2.1" />
-    <PackageVersion Include="OpenIddict.Core" Version="6.0.0" />
-    <PackageVersion Include="OpenIddict.Server.AspNetCore" Version="6.0.0" />
-    <PackageVersion Include="OpenIddict.Server.DataProtection" Version="6.0.0" />
-    <PackageVersion Include="OpenIddict.Validation.AspNetCore" Version="6.0.0" />
-    <PackageVersion Include="OpenIddict.Validation.DataProtection" Version="6.0.0" />
-    <PackageVersion Include="OpenIddict.Validation.SystemNetHttp" Version="6.0.0" />
+    <PackageVersion Include="OpenIddict.Core" Version="6.1.1" />
+    <PackageVersion Include="OpenIddict.Server.AspNetCore" Version="6.1.1" />
+    <PackageVersion Include="OpenIddict.Server.DataProtection" Version="6.1.1" />
+    <PackageVersion Include="OpenIddict.Validation.AspNetCore" Version="6.1.1" />
+    <PackageVersion Include="OpenIddict.Validation.DataProtection" Version="6.1.1" />
+    <PackageVersion Include="OpenIddict.Validation.SystemNetHttp" Version="6.1.1" />
     <PackageVersion Include="OrchardCore.Translations.All" Version="2.1.0" />
     <PackageVersion Include="PdfPig" Version="0.1.9" />
     <PackageVersion Include="Shortcodes" Version="1.3.5" />
@@ -143,7 +143,7 @@
     <PackageVersion Include="Microsoft.AspNetCore.Authorization" Version="9.0.2" />
 
     <!-- dotnet/extensions repository -->
-    <PackageVersion Include="Microsoft.Extensions.Http.Resilience" Version="9.1.0" />
+    <PackageVersion Include="Microsoft.Extensions.Http.Resilience" Version="9.2.0" />
 
     <!-- Serilog.AspNetCore -->
     <PackageVersion Include="Serilog.AspNetCore" Version="9.0.0" />

src/OrchardCore.Modules/OrchardCore.OpenId/Configuration/OpenIdServerConfiguration.cs

@@ -178,6 +178,12 @@ public void Configure(OpenIddictServerOptions options)
         options.Scopes.Add(Scopes.Phone);
         options.Scopes.Add(Scopes.Profile);
         options.Scopes.Add(Scopes.Roles);
+
+        // Note: caching is enabled for both authorization and end session requests to allow sending
+        // large POST authorization and end session requests, but can be programmatically disabled, as the
+        // authorization and end session views support flowing the entire payload and not just the request_uri.
+        options.EnableAuthorizationRequestCaching = true;
+        options.EnableEndSessionRequestCaching = true;
     }
 
     public void Configure(OpenIddictServerDataProtectionOptions options)
@@ -202,12 +208,6 @@ public void Configure(string name, OpenIddictServerAspNetCoreOptions options)
         options.EnableTokenEndpointPassthrough = true;
         options.EnableUserInfoEndpointPassthrough = true;
 
-        // Note: caching is enabled for both authorization and end session requests to allow sending
-        // large POST authorization and end session requests, but can be programmatically disabled, as the
-        // authorization and end session views support flowing the entire payload and not just the request_id.
-        options.EnableAuthorizationRequestCaching = true;
-        options.EnableEndSessionRequestCaching = true;
-
         // Note: error pass-through is enabled to allow the actions of the MVC authorization controller
         // to handle the errors returned by the interactive endpoints without relying on the generic
         // status code pages middleware to rewrite the response later in the request processing.

src/OrchardCore.Modules/OrchardCore.OpenId/Controllers/AccessController.cs

@@ -136,7 +136,6 @@ public async Task<IActionResult> Authorize()
                 return View(new AuthorizeViewModel
                 {
                     ApplicationName = await _applicationManager.GetLocalizedDisplayNameAsync(application),
-                    RequestId = request.RequestId,
                     Scope = request.Scope
                 });
         }
@@ -327,10 +326,7 @@ public async Task<IActionResult> Logout()
             }
         }
 
-        return View(new LogoutViewModel
-        {
-            RequestId = request.RequestId
-        });
+        return View();
     }
 
     [ActionName(nameof(Logout)), AllowAnonymous, DisableCors]

src/OrchardCore.Modules/OrchardCore.OpenId/ViewModels/AuthorizeViewModel.cs

@@ -4,7 +4,5 @@ public class AuthorizeViewModel
 {
     public string ApplicationName { get; set; }
 
-    public string RequestId { get; set; }
-
     public string Scope { get; set; }
 }

src/OrchardCore.Modules/OrchardCore.OpenId/ViewModels/LogoutViewModel.cs

@@ -1,6 +1,4 @@
 @using Microsoft.Extensions.Primitives
-@using OrchardCore.OpenId.ViewModels
-@model LogoutViewModel
 
 @{
     ViewLayout = "Layout__Login";

src/OrchardCore.Modules/OrchardCore.OpenId/Views/Access/Logout.cshtml

@@ -295,11 +295,10 @@ public virtual async ValueTask<long> PruneAsync(DateTimeOffset threshold, Cancel
 
             var authorizations = (await _session.Query<TAuthorization, OpenIdAuthorizationIndex>(
                 authorization => authorization.CreationDate < threshold.UtcDateTime &&
-                                (authorization.Status != OpenIddictConstants.Statuses.Valid ||
-                                (authorization.Type == OpenIddictConstants.AuthorizationTypes.AdHoc &&
+                                (authorization.Status != Statuses.Valid || authorization.Type == AuthorizationTypes.AdHoc) &&
                                  authorization.AuthorizationId.IsNotIn<OpenIdTokenIndex>(
                                      token => token.AuthorizationId,
-                                     token => token.Id != 0))),
+                                     token => token.Id != 0),
                 collection: OpenIdCollection).Take(100).ListAsync()).ToList();
 
             if (authorizations.Count is 0)