Duende AccessTokenManagement v3.x to v4.0
Changes
Section titled “Changes”Moving Towards HybridCache Implementation And Away from Distributed Cache
Section titled “Moving Towards HybridCache Implementation And Away from Distributed Cache”Microsoft has recently released HybridCache. While this is only released as a .NET 9 assembly, these assemblies work fine in .NET 8. So, while we still support .NET 8 with ATM 4.0, we are moving towards using HybridCache.
HybridCache brings significant improvements for us. Because of the two-layered cache, we’ve found it significantly improves performance.
If you currently use a distributed cache, this should still work seamlessly.
If you wish to encrypt access tokens, you can do so by implementing a custom serializer. Documentation on this will follow later.
We have added support for using a custom HybridCache instance via keyed services.
Complete Internal Refactoring
Section titled “Complete Internal Refactoring”The library has undergone extensive internal changes—so much so that it can be considered a new implementation under the same conceptual umbrella. Despite this, the public API surface remains mostly compatible with earlier versions.
- New extensibility model (see below).
- All async methods now support cancellation tokens.
- Renaming of certain classes and interfaces (see below).
- Implementation logic is now internal.
Reduced Public API Surface
Section titled “Reduced Public API Surface”All internal implementation details are now marked as internal, reducing accidental coupling and clarifying the intended extension points. In V3, all classes were public and most public methods were marked as virtual. This meant you could override any class by inheriting from it and overriding a single method.
While this was very convenient for our consumers, it made it challenging to introduce changes to the library without making breaking changes.
We still want to ensure our users’ extensibility needs are met, but via more controlled mechanisms. If you find that you have an extensibility need not covered by the new model, please raise a discussion in our discussion board. If this is a scenario we want to support, we’ll do our best to accommodate it.
Explicit Extension Model
Section titled “Explicit Extension Model”Instead of relying on implicit behaviors or inheritance, V4 introduces clearly defined extension points, making it easier to customize behavior without relying on internal details.
Composition Over Inheritance
Section titled “Composition Over Inheritance”The AccessTokenHandler has been restructured to use composition rather than inheritance, simplifying the customization of token handling and increasing testability.
If you wish to implement a custom access token handling process, for example to implement token exchange, you can now implement your own AccessTokenRequestHandler.ITokenRetriever.
Strongly Typed Configuration
Section titled “Strongly Typed Configuration”Configuration is now represented by strongly typed objects, improving validation, discoverability, and IDE support.
This means that where before you could assign strings to the configuration system, you’ll now have to explicitly parse the string values.
For example:
var scheme = Scheme.Parse("oidc");Renamed classes
Section titled “Renamed classes”Several classes have been renamed, either to clarify their usage or to drop the service suffix, which only adds noise:
AccessTokenHandleris nowAccessTokenRequestHandlerClientCredentialsTokenManagementServiceis nowIClientIClientCredentialsTokenManagerIClientCredentialsTokenEndpointServiceis nowIClientCredentialsTokenEndpointIUserTokenManagementServiceis nowIUserTokenManagerITokenRequestSynchronizationis nowIUserTokenRequestConcurrencyControlIUserTokenEndpointServiceis nowIUserTokenEndpoint