VirtoCommerce · artem-dudarev · May 23, 2025 · May 26, 2025
diff --git a/src/VirtoCommerce.Platform.Security/VirtoCommerce.Platform.Security.csproj b/src/VirtoCommerce.Platform.Security/VirtoCommerce.Platform.Security.csproj
@@ -24,7 +24,7 @@
     <PackageReference Include="Microsoft.Extensions.Identity.Core" Version="[8.0.11,9)" />
     <PackageReference Include="Microsoft.IdentityModel.Validators" Version="8.2.1" />
     <PackageReference Include="Microsoft.SourceLink.GitHub" Version="8.0.0" PrivateAssets="All" />
-    <PackageReference Include="OpenIddict.EntityFrameworkCore" Version="5.8.0" />
+    <PackageReference Include="OpenIddict.EntityFrameworkCore" Version="6.3.0" />
   </ItemGroup>
 
   <ItemGroup>

diff --git a/src/VirtoCommerce.Platform.Web/Controllers/Api/AuthorizationController.cs b/src/VirtoCommerce.Platform.Web/Controllers/Api/AuthorizationController.cs
@@ -417,7 +417,7 @@ public async Task<IActionResult> Authorize()
             {
                 // If the client application requested promptless authentication,
                 // return an error indicating that the user is not logged in.
-                if (request.HasPrompt(Prompts.None))
+                if (request.HasPromptValue(PromptValues.None))
                 {
                     return Forbid(
                         authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
@@ -450,13 +450,13 @@ public async Task<IActionResult> Authorize()
                 // return an authorization response without displaying the consent form.
                 case ConsentTypes.Implicit:
                 case ConsentTypes.External when authorizations.Count != 0:
-                case ConsentTypes.Explicit when authorizations.Count != 0 && !request.HasPrompt(Prompts.Consent):
+                case ConsentTypes.Explicit when authorizations.Count != 0 && !request.HasPromptValue(PromptValues.Consent):
                     return await SignInAsync(request, user, application, authorizations);
 
                 // At this point, no authorization was found in the database and an error must be returned
                 // if the client application specified prompt=none in the authorization request.
-                case ConsentTypes.Explicit when request.HasPrompt(Prompts.None):
-                case ConsentTypes.Systematic when request.HasPrompt(Prompts.None):
+                case ConsentTypes.Explicit when request.HasPromptValue(PromptValues.None):
+                case ConsentTypes.Systematic when request.HasPromptValue(PromptValues.None):
                     return Forbid(
                         authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
                         properties: new AuthenticationProperties(new Dictionary<string, string>

diff --git a/src/VirtoCommerce.Platform.Web/Controllers/Api/OAuthAppsController.cs b/src/VirtoCommerce.Platform.Web/Controllers/Api/OAuthAppsController.cs
@@ -23,7 +23,7 @@ public class OAuthAppsController : Controller
         private readonly ISet<string> _defaultPermissions = new HashSet<string>
         {
             OpenIddictConstants.Permissions.Endpoints.Authorization,
-            OpenIddictConstants.Permissions.Endpoints.Logout,
+            OpenIddictConstants.Permissions.Endpoints.EndSession,
             OpenIddictConstants.Permissions.Endpoints.Token,
             OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode,
             OpenIddictConstants.Permissions.GrantTypes.ClientCredentials,

diff --git a/src/VirtoCommerce.Platform.Web/Startup.cs b/src/VirtoCommerce.Platform.Web/Startup.cs
@@ -371,18 +371,10 @@ public void ConfigureServices(IServiceCollection services)
                     {
                         aspNetBuilder.EnableTokenEndpointPassthrough();
                         aspNetBuilder.EnableAuthorizationEndpointPassthrough();
-                        aspNetBuilder.EnableLogoutEndpointPassthrough();
-                        aspNetBuilder.EnableUserinfoEndpointPassthrough();
+                        aspNetBuilder.EnableEndSessionEndpointPassthrough();
+                        aspNetBuilder.EnableUserInfoEndpointPassthrough();
                         aspNetBuilder.EnableStatusCodePagesIntegration();
 
-                        // When request caching is enabled, authorization and logout requests
-                        // are stored in the distributed cache by OpenIddict and the user agent
-                        // is redirected to the same page with a single parameter (request_id).
-                        // This allows flowing large OpenID Connect requests even when using
-                        // an external authentication provider like Google, Facebook or Twitter.
-                        aspNetBuilder.EnableAuthorizationRequestCaching();
-                        aspNetBuilder.EnableLogoutRequestCaching();
-
                         // During development or when you explicitly run the platform in production mode without https,
                         // need to disable the HTTPS requirement.
                         if (WebHostEnvironment.IsDevelopment() || platformOptions.AllowInsecureHttp || !Configuration.IsHttpsServerUrlSet())
@@ -391,11 +383,19 @@ public void ConfigureServices(IServiceCollection services)
                         }
                     });
 
+                    // When request caching is enabled, authorization and logout requests
+                    // are stored in the distributed cache by OpenIddict and the user agent
+                    // is redirected to the same page with a single parameter (request_id).
+                    // This allows flowing large OpenID Connect requests even when using
+                    // an external authentication provider like Google, Facebook or Twitter.
+                    serverBuilder.EnableAuthorizationRequestCaching();
+                    serverBuilder.EnableEndSessionRequestCaching();
+
                     // Enable the authorization, logout, token and userinfo endpoints.
                     serverBuilder.SetTokenEndpointUris("/connect/token");
-                    serverBuilder.SetUserinfoEndpointUris("/connect/userinfo");
+                    serverBuilder.SetUserInfoEndpointUris("/connect/userinfo");
                     serverBuilder.SetAuthorizationEndpointUris("/connect/authorize");
-                    serverBuilder.SetLogoutEndpointUris("/connect/logout");
+                    serverBuilder.SetEndSessionEndpointUris("/connect/logout");
 
                     // Note: the Mvc.Client sample only uses the code flow and the password flow, but you
                     // can enable the other flows if you need to support implicit or client credentials.

diff --git a/src/VirtoCommerce.Platform.Web/VirtoCommerce.Platform.Web.csproj b/src/VirtoCommerce.Platform.Web/VirtoCommerce.Platform.Web.csproj
@@ -32,7 +32,7 @@
     <PackageReference Include="Microsoft.Identity.Client" Version="4.66.2" />
     <PackageReference Include="Microsoft.VisualStudio.Azure.Containers.Tools.Targets" Version="1.21.0" />
     <PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders" Version="1.0.0-preview.2" />
-    <PackageReference Include="OpenIddict.AspNetCore" Version="5.8.0" />
+    <PackageReference Include="OpenIddict.AspNetCore" Version="6.3.0" />
     <PackageReference Include="Serilog.AspNetCore" Version="8.0.3" />
     <PackageReference Include="Serilog.Extensions.Hosting" Version="8.0.0" />
     <PackageReference Include="Serilog.Sinks.Console" Version="6.0.0" />