From 247fa81648a2aa9bc7ffc50c61b17c8bee7ef977 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Fri, 20 Oct 2017 13:05:18 +0200
Subject: [PATCH 01/64] Update version.props to build 1.0.0-rc1-final packages

---
 build/version.props | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/build/version.props b/build/version.props
index b0387258..7ba26f8b 100644
--- a/build/version.props
+++ b/build/version.props
@@ -1,9 +1,7 @@
 <Project>
 
   <PropertyGroup>
-    <VersionPrefix>1.0.0</VersionPrefix>
-    <VersionSuffix>rc1</VersionSuffix>
-    <VersionSuffix Condition=" '$(VersionSuffix)' != '' AND '$(BuildNumber)' != '' ">$(VersionSuffix)-$(BuildNumber)</VersionSuffix>
+    <Version>1.0.0-rc1-final</Version>
   </PropertyGroup>
 
 </Project>

From 3d507b4f1fff0d2cbd205c86295fe23d96097601 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Fri, 20 Oct 2017 19:26:37 +0200
Subject: [PATCH 02/64] Change OpenIddict.EntityFramework's target framework
 from net461 to net451

---
 .../OpenIddict.EntityFramework.csproj                           | 2 +-
 .../OpenIddict.EntityFramework.Tests.csproj                     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/OpenIddict.EntityFramework/OpenIddict.EntityFramework.csproj b/src/OpenIddict.EntityFramework/OpenIddict.EntityFramework.csproj
index 2d72dcc4..65d32066 100644
--- a/src/OpenIddict.EntityFramework/OpenIddict.EntityFramework.csproj
+++ b/src/OpenIddict.EntityFramework/OpenIddict.EntityFramework.csproj
@@ -3,7 +3,7 @@
   <Import Project="..\..\build\packages.props" />
 
   <PropertyGroup>
-    <TargetFramework>net461</TargetFramework>
+    <TargetFramework>net451</TargetFramework>
   </PropertyGroup>
 
   <PropertyGroup>
diff --git a/test/OpenIddict.EntityFramework.Tests/OpenIddict.EntityFramework.Tests.csproj b/test/OpenIddict.EntityFramework.Tests/OpenIddict.EntityFramework.Tests.csproj
index 34576c2c..432a8bf1 100644
--- a/test/OpenIddict.EntityFramework.Tests/OpenIddict.EntityFramework.Tests.csproj
+++ b/test/OpenIddict.EntityFramework.Tests/OpenIddict.EntityFramework.Tests.csproj
@@ -3,7 +3,7 @@
   <Import Project="..\..\build\tests.props" />
 
   <PropertyGroup>
-    <TargetFramework>net461</TargetFramework>
+    <TargetFramework>net452</TargetFramework>
   </PropertyGroup>
 
   <ItemGroup>

From a2d6258ccb6967de85ab22f7590c871a3b87a439 Mon Sep 17 00:00:00 2001
From: Henk Mollema <henkmollema@gmail.com>
Date: Wed, 7 Feb 2018 20:21:16 +0100
Subject: [PATCH 03/64] Replace CryptoHelper by CryptoHelper.StrongName in
 OpenIddict 1.x

---
 build/dependencies.props                   | 2 +-
 src/OpenIddict.Core/OpenIddict.Core.csproj | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/build/dependencies.props b/build/dependencies.props
index 4c9da5ec..b3d89d51 100644
--- a/build/dependencies.props
+++ b/build/dependencies.props
@@ -4,7 +4,7 @@
     <AspNetCoreVersion>1.0.0</AspNetCoreVersion>
     <AspNetContribOpenIdExtensionsVersion>1.0.0</AspNetContribOpenIdExtensionsVersion>
     <AspNetContribOpenIdServerVersion>1.0.2</AspNetContribOpenIdServerVersion>
-    <CryptoHelperVersion>2.0.0</CryptoHelperVersion>
+    <CryptoHelperVersion>2.0.3</CryptoHelperVersion>
     <EntityFrameworkVersion>6.1.3</EntityFrameworkVersion>
     <ImmutableCollectionsVersion>1.2.0</ImmutableCollectionsVersion>
     <JetBrainsVersion>10.3.0</JetBrainsVersion>
diff --git a/src/OpenIddict.Core/OpenIddict.Core.csproj b/src/OpenIddict.Core/OpenIddict.Core.csproj
index 99b71120..55459134 100644
--- a/src/OpenIddict.Core/OpenIddict.Core.csproj
+++ b/src/OpenIddict.Core/OpenIddict.Core.csproj
@@ -17,7 +17,7 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="CryptoHelper" Version="$(CryptoHelperVersion)" />
+    <PackageReference Include="CryptoHelper.StrongName" Version="$(CryptoHelperVersion)" />
     <PackageReference Include="JetBrains.Annotations" Version="$(JetBrainsVersion)" PrivateAssets="All" />
     <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="$(AspNetCoreVersion)" />
     <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="$(AspNetCoreVersion)" />

From 8318f2d4a175614d19633b9842ee3ff008beffed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Sat, 17 Feb 2018 04:31:19 +0100
Subject: [PATCH 04/64] Update version.props to build 1.0.0-rc2-final packages

---
 build/version.props | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/build/version.props b/build/version.props
index bf0d2289..a76c9ccd 100644
--- a/build/version.props
+++ b/build/version.props
@@ -1,9 +1,7 @@
 <Project>
 
   <PropertyGroup>
-    <VersionPrefix>1.0.0</VersionPrefix>
-    <VersionSuffix>rc2</VersionSuffix>
-    <VersionSuffix Condition=" '$(VersionSuffix)' != '' AND '$(BuildNumber)' != '' ">$(VersionSuffix)-$(BuildNumber)</VersionSuffix>
+    <Version>1.0.0-rc2-final</Version>
   </PropertyGroup>
 
 </Project>

From 1ef8f6eac8510f10759de516a14e63d63548e944 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Mon, 19 Feb 2018 22:04:29 +0100
Subject: [PATCH 05/64] Update version.props to build 1.0.0-rc3 packages

---
 build/version.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build/version.props b/build/version.props
index bf0d2289..f960dcea 100644
--- a/build/version.props
+++ b/build/version.props
@@ -2,7 +2,7 @@
 
   <PropertyGroup>
     <VersionPrefix>1.0.0</VersionPrefix>
-    <VersionSuffix>rc2</VersionSuffix>
+    <VersionSuffix>rc3</VersionSuffix>
     <VersionSuffix Condition=" '$(VersionSuffix)' != '' AND '$(BuildNumber)' != '' ">$(VersionSuffix)-$(BuildNumber)</VersionSuffix>
   </PropertyGroup>
 

From 32f3bab7fc4003135b850626a2a40a44b31fa936 Mon Sep 17 00:00:00 2001
From: Henk Mollema <henkmollema@gmail.com>
Date: Tue, 13 Mar 2018 16:00:40 +0100
Subject: [PATCH 06/64] Use the new strong-named CryptoHelper package

---
 build/dependencies.props                   | 2 +-
 src/OpenIddict.Core/OpenIddict.Core.csproj | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/build/dependencies.props b/build/dependencies.props
index d4bf9a11..d37b8f56 100644
--- a/build/dependencies.props
+++ b/build/dependencies.props
@@ -5,7 +5,7 @@
     <AspNetContribOpenIdExtensionsVersion>1.0.0</AspNetContribOpenIdExtensionsVersion>
     <AspNetContribOpenIdServerVersion>1.0.2</AspNetContribOpenIdServerVersion>
     <ClaimsVersion>4.0.1</ClaimsVersion>
-    <CryptoHelperVersion>2.0.3</CryptoHelperVersion>
+    <CryptoHelperVersion>2.0.4</CryptoHelperVersion>
     <DataAnnotationsVersion>4.1.0</DataAnnotationsVersion>
     <EntityFrameworkVersion>6.1.3</EntityFrameworkVersion>
     <ImmutableCollectionsVersion>1.2.0</ImmutableCollectionsVersion>
diff --git a/src/OpenIddict.Core/OpenIddict.Core.csproj b/src/OpenIddict.Core/OpenIddict.Core.csproj
index 5dee59d4..f8081a3d 100644
--- a/src/OpenIddict.Core/OpenIddict.Core.csproj
+++ b/src/OpenIddict.Core/OpenIddict.Core.csproj
@@ -17,7 +17,7 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="CryptoHelper.StrongName" Version="$(CryptoHelperVersion)" />
+    <PackageReference Include="CryptoHelper" Version="$(CryptoHelperVersion)" />
     <PackageReference Include="JetBrains.Annotations" Version="$(JetBrainsVersion)" PrivateAssets="All" />
     <PackageReference Include="Microsoft.Extensions.Caching.Memory" Version="$(AspNetCoreVersion)" />
     <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="$(AspNetCoreVersion)" />

From 8b77b96a73342dfe89c1ed0de9c6bce738c6c1b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Wed, 28 Mar 2018 16:15:45 +0200
Subject: [PATCH 07/64] Move the OpenIddict meta extensions to
 Microsoft.Extensions.DependencyInjection

---
 src/OpenIddict/OpenIddictExtensions.cs | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/OpenIddict/OpenIddictExtensions.cs b/src/OpenIddict/OpenIddictExtensions.cs
index 64db7ac3..1338e89e 100644
--- a/src/OpenIddict/OpenIddictExtensions.cs
+++ b/src/OpenIddict/OpenIddictExtensions.cs
@@ -6,10 +6,9 @@
 
 using System;
 using JetBrains.Annotations;
-using Microsoft.Extensions.DependencyInjection;
 using OpenIddict.Models;
 
-namespace Microsoft.AspNetCore.Builder
+namespace Microsoft.Extensions.DependencyInjection
 {
     public static class OpenIddictExtensions
     {

From 0dc749e5bce8de0502556ad87f6a17d4c346f53c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Fri, 27 Apr 2018 04:04:46 +0200
Subject: [PATCH 08/64] Update OpenIddict.Validatiion.Tests.csproj to run tests
 on netcoreapp1.0 instead of netcoreapp2.0

---
 .../OpenIddict.Validation.Tests.csproj                        | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/test/OpenIddict.Validation.Tests/OpenIddict.Validation.Tests.csproj b/test/OpenIddict.Validation.Tests/OpenIddict.Validation.Tests.csproj
index 0ccaf453..2290da3e 100644
--- a/test/OpenIddict.Validation.Tests/OpenIddict.Validation.Tests.csproj
+++ b/test/OpenIddict.Validation.Tests/OpenIddict.Validation.Tests.csproj
@@ -3,8 +3,8 @@
   <Import Project="..\..\build\tests.props" />
 
   <PropertyGroup>
-    <TargetFrameworks>netcoreapp2.0;net461</TargetFrameworks>
-    <TargetFrameworks Condition=" '$(OS)' != 'Windows_NT' ">netcoreapp2.0</TargetFrameworks>
+    <TargetFrameworks>netcoreapp1.0;net452</TargetFrameworks>
+    <TargetFrameworks Condition=" '$(OS)' != 'Windows_NT' ">netcoreapp1.0</TargetFrameworks>
   </PropertyGroup>
 
   <ItemGroup>

From 07a5dad470e702921d630861f665b39ef9fcd0c9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Fri, 27 Apr 2018 11:37:18 +0200
Subject: [PATCH 09/64] Replace IOptionsMonitor by IOptions in the
 OpenIddict.Tests unit tests

---
 test/OpenIddict.Tests/OpenIddictExtensionsTests.cs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/test/OpenIddict.Tests/OpenIddictExtensionsTests.cs b/test/OpenIddict.Tests/OpenIddictExtensionsTests.cs
index e3864640..08976b28 100644
--- a/test/OpenIddict.Tests/OpenIddictExtensionsTests.cs
+++ b/test/OpenIddict.Tests/OpenIddictExtensionsTests.cs
@@ -28,7 +28,7 @@ namespace OpenIddict.Tests
 
             // Assert
             var provider = services.BuildServiceProvider();
-            var options = provider.GetRequiredService<IOptionsMonitor<OpenIddictCoreOptions>>().CurrentValue;
+            var options = provider.GetRequiredService<IOptions<OpenIddictCoreOptions>>().Value;
 
             Assert.Equal(typeof(OpenIddictApplication), options.DefaultApplicationType);
             Assert.Equal(typeof(OpenIddictAuthorization), options.DefaultAuthorizationType);
@@ -48,7 +48,7 @@ namespace OpenIddict.Tests
 
             // Assert
             var provider = services.BuildServiceProvider();
-            var options = provider.GetRequiredService<IOptionsMonitor<OpenIddictCoreOptions>>().CurrentValue;
+            var options = provider.GetRequiredService<IOptions<OpenIddictCoreOptions>>().Value;
 
             Assert.Equal(typeof(OpenIddictApplication<Guid>), options.DefaultApplicationType);
             Assert.Equal(typeof(OpenIddictAuthorization<Guid>), options.DefaultAuthorizationType);

From b61018db7aa7442008cf8023f8e771abd3cbf380 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Sun, 17 Jun 2018 23:12:40 +0200
Subject: [PATCH 10/64] Update version.props to build 1.0.0-rc3-final packages

---
 build/version.props | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/build/version.props b/build/version.props
index f960dcea..22cf398a 100644
--- a/build/version.props
+++ b/build/version.props
@@ -1,9 +1,7 @@
 <Project>
 
   <PropertyGroup>
-    <VersionPrefix>1.0.0</VersionPrefix>
-    <VersionSuffix>rc3</VersionSuffix>
-    <VersionSuffix Condition=" '$(VersionSuffix)' != '' AND '$(BuildNumber)' != '' ">$(VersionSuffix)-$(BuildNumber)</VersionSuffix>
+    <Version>1.0.0-rc3-final</Version>
   </PropertyGroup>
 
 </Project>

From 0a0aafe853882b11ed29d5617aa7dd08dd966173 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Thu, 21 Jun 2018 13:36:41 +0200
Subject: [PATCH 11/64] Update version.props to build 1.0.0-rtm packages

---
 build/version.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build/version.props b/build/version.props
index f960dcea..368c8971 100644
--- a/build/version.props
+++ b/build/version.props
@@ -2,7 +2,7 @@
 
   <PropertyGroup>
     <VersionPrefix>1.0.0</VersionPrefix>
-    <VersionSuffix>rc3</VersionSuffix>
+    <VersionSuffix>rtm</VersionSuffix>
     <VersionSuffix Condition=" '$(VersionSuffix)' != '' AND '$(BuildNumber)' != '' ">$(VersionSuffix)-$(BuildNumber)</VersionSuffix>
   </PropertyGroup>
 

From ab9b77a8bb1907c2013c802d0cd44c418d79979e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Thu, 1 Nov 2018 03:21:53 +0100
Subject: [PATCH 12/64] Update version.props to build 2.0.0 packages

---
 build/version.props | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/build/version.props b/build/version.props
index 5e3b5468..f2150e31 100644
--- a/build/version.props
+++ b/build/version.props
@@ -1,9 +1,7 @@
 <Project>
 
   <PropertyGroup>
-    <VersionPrefix>2.0.0</VersionPrefix>
-    <VersionSuffix>rtm</VersionSuffix>
-    <VersionSuffix Condition=" '$(VersionSuffix)' != '' AND '$(BuildNumber)' != '' ">$(VersionSuffix)-$(BuildNumber)</VersionSuffix>
+    <Version>2.0.0</Version>
   </PropertyGroup>
 
 </Project>

From b12d33e4f9074b097d4a6eb5e200d1e1be9d5c49 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Thu, 1 Nov 2018 03:22:25 +0100
Subject: [PATCH 13/64] Update version.props to build 1.0.0 packages

---
 build/version.props | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/build/version.props b/build/version.props
index 368c8971..debf4e96 100644
--- a/build/version.props
+++ b/build/version.props
@@ -1,9 +1,7 @@
 <Project>
 
   <PropertyGroup>
-    <VersionPrefix>1.0.0</VersionPrefix>
-    <VersionSuffix>rtm</VersionSuffix>
-    <VersionSuffix Condition=" '$(VersionSuffix)' != '' AND '$(BuildNumber)' != '' ">$(VersionSuffix)-$(BuildNumber)</VersionSuffix>
+    <Version>1.0.0</Version>
   </PropertyGroup>
 
 </Project>

From 53086acdf2c242dab7f2ceb89fa52ae3cad51556 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Sat, 5 Oct 2019 17:45:33 +0200
Subject: [PATCH 14/64] Update version.props to build 2.0.1-preview1 packages

---
 build/version.props | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/build/version.props b/build/version.props
index f2150e31..e6b85449 100644
--- a/build/version.props
+++ b/build/version.props
@@ -1,7 +1,9 @@
 <Project>
 
   <PropertyGroup>
-    <Version>2.0.0</Version>
+    <VersionPrefix>2.0.1</VersionPrefix>
+    <VersionSuffix>preview1</VersionSuffix>
+    <VersionSuffix Condition=" '$(VersionSuffix)' != '' AND '$(BuildNumber)' != '' ">$(VersionSuffix)-$(BuildNumber)</VersionSuffix>
   </PropertyGroup>
 
 </Project>

From 2175c96120184602fa233d6fb218a6b517292210 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Wed, 9 Jan 2019 15:03:41 +0100
Subject: [PATCH 15/64] Update the MongoDB stores to use BsonDocument.Parse()
 to ensure properties are correctly serialized

---
 src/OpenIddict.MongoDb/Stores/OpenIddictApplicationStore.cs   | 3 ++-
 src/OpenIddict.MongoDb/Stores/OpenIddictAuthorizationStore.cs | 3 ++-
 src/OpenIddict.MongoDb/Stores/OpenIddictScopeStore.cs         | 3 ++-
 src/OpenIddict.MongoDb/Stores/OpenIddictTokenStore.cs         | 3 ++-
 4 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/OpenIddict.MongoDb/Stores/OpenIddictApplicationStore.cs b/src/OpenIddict.MongoDb/Stores/OpenIddictApplicationStore.cs
index 289c97dc..4accb1fe 100644
--- a/src/OpenIddict.MongoDb/Stores/OpenIddictApplicationStore.cs
+++ b/src/OpenIddict.MongoDb/Stores/OpenIddictApplicationStore.cs
@@ -16,6 +16,7 @@ using Microsoft.Extensions.Options;
 using MongoDB.Bson;
 using MongoDB.Driver;
 using MongoDB.Driver.Linq;
+using Newtonsoft.Json;
 using Newtonsoft.Json.Linq;
 using OpenIddict.Abstractions;
 using OpenIddict.MongoDb.Models;
@@ -757,7 +758,7 @@ namespace OpenIddict.MongoDb
                 return Task.CompletedTask;
             }
 
-            application.Properties = new BsonDocument(properties.ToObject<IDictionary<string, object>>());
+            application.Properties = BsonDocument.Parse(properties.ToString(Formatting.None));
 
             return Task.CompletedTask;
         }
diff --git a/src/OpenIddict.MongoDb/Stores/OpenIddictAuthorizationStore.cs b/src/OpenIddict.MongoDb/Stores/OpenIddictAuthorizationStore.cs
index e805119e..c76438d4 100644
--- a/src/OpenIddict.MongoDb/Stores/OpenIddictAuthorizationStore.cs
+++ b/src/OpenIddict.MongoDb/Stores/OpenIddictAuthorizationStore.cs
@@ -16,6 +16,7 @@ using Microsoft.Extensions.Options;
 using MongoDB.Bson;
 using MongoDB.Driver;
 using MongoDB.Driver.Linq;
+using Newtonsoft.Json;
 using Newtonsoft.Json.Linq;
 using OpenIddict.Abstractions;
 using OpenIddict.MongoDb.Models;
@@ -754,7 +755,7 @@ namespace OpenIddict.MongoDb
                 return Task.CompletedTask;
             }
 
-            authorization.Properties = new BsonDocument(properties.ToObject<IDictionary<string, object>>());
+            authorization.Properties = BsonDocument.Parse(properties.ToString(Formatting.None));
 
             return Task.CompletedTask;
         }
diff --git a/src/OpenIddict.MongoDb/Stores/OpenIddictScopeStore.cs b/src/OpenIddict.MongoDb/Stores/OpenIddictScopeStore.cs
index d1bcc5b0..c5286161 100644
--- a/src/OpenIddict.MongoDb/Stores/OpenIddictScopeStore.cs
+++ b/src/OpenIddict.MongoDb/Stores/OpenIddictScopeStore.cs
@@ -16,6 +16,7 @@ using Microsoft.Extensions.Options;
 using MongoDB.Bson;
 using MongoDB.Driver;
 using MongoDB.Driver.Linq;
+using Newtonsoft.Json;
 using Newtonsoft.Json.Linq;
 using OpenIddict.Abstractions;
 using OpenIddict.MongoDb.Models;
@@ -550,7 +551,7 @@ namespace OpenIddict.MongoDb
                 return Task.CompletedTask;
             }
 
-            scope.Properties = new BsonDocument(properties.ToObject<IDictionary<string, object>>());
+            scope.Properties = BsonDocument.Parse(properties.ToString(Formatting.None));
 
             return Task.CompletedTask;
         }
diff --git a/src/OpenIddict.MongoDb/Stores/OpenIddictTokenStore.cs b/src/OpenIddict.MongoDb/Stores/OpenIddictTokenStore.cs
index 224d312a..7b12511a 100644
--- a/src/OpenIddict.MongoDb/Stores/OpenIddictTokenStore.cs
+++ b/src/OpenIddict.MongoDb/Stores/OpenIddictTokenStore.cs
@@ -16,6 +16,7 @@ using Microsoft.Extensions.Options;
 using MongoDB.Bson;
 using MongoDB.Driver;
 using MongoDB.Driver.Linq;
+using Newtonsoft.Json;
 using Newtonsoft.Json.Linq;
 using OpenIddict.Abstractions;
 using OpenIddict.MongoDb.Models;
@@ -860,7 +861,7 @@ namespace OpenIddict.MongoDb
                 return Task.CompletedTask;
             }
 
-            token.Properties = new BsonDocument(properties.ToObject<IDictionary<string, object>>());
+            token.Properties = BsonDocument.Parse(properties.ToString(Formatting.None));
 
             return Task.CompletedTask;
         }

From f5c1437bd31b4c1c1acaea1d2ad79551287a1cbf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Sun, 13 Jan 2019 14:18:48 +0100
Subject: [PATCH 16/64] Remove invalid null checks from OpenIddictTokenStore

---
 .../Stores/OpenIddictTokenStore.cs                | 15 ---------------
 .../Stores/OpenIddictTokenStore.cs                | 15 ---------------
 .../Stores/OpenIddictTokenStore.cs                | 15 ---------------
 3 files changed, 45 deletions(-)

diff --git a/src/OpenIddict.EntityFramework/Stores/OpenIddictTokenStore.cs b/src/OpenIddict.EntityFramework/Stores/OpenIddictTokenStore.cs
index 8c6ac70f..ed6ef8e5 100644
--- a/src/OpenIddict.EntityFramework/Stores/OpenIddictTokenStore.cs
+++ b/src/OpenIddict.EntityFramework/Stores/OpenIddictTokenStore.cs
@@ -1095,11 +1095,6 @@ namespace OpenIddict.EntityFramework
                 throw new ArgumentNullException(nameof(token));
             }
 
-            if (string.IsNullOrEmpty(status))
-            {
-                throw new ArgumentException("The status cannot be null or empty.", nameof(status));
-            }
-
             token.Status = status;
 
             return Task.CompletedTask;
@@ -1121,11 +1116,6 @@ namespace OpenIddict.EntityFramework
                 throw new ArgumentNullException(nameof(token));
             }
 
-            if (string.IsNullOrEmpty(subject))
-            {
-                throw new ArgumentException("The subject cannot be null or empty.", nameof(subject));
-            }
-
             token.Subject = subject;
 
             return Task.CompletedTask;
@@ -1147,11 +1137,6 @@ namespace OpenIddict.EntityFramework
                 throw new ArgumentNullException(nameof(token));
             }
 
-            if (string.IsNullOrEmpty(type))
-            {
-                throw new ArgumentException("The token type cannot be null or empty.", nameof(type));
-            }
-
             token.Type = type;
 
             return Task.CompletedTask;
diff --git a/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictTokenStore.cs b/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictTokenStore.cs
index 86b6e032..27d6767b 100644
--- a/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictTokenStore.cs
+++ b/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictTokenStore.cs
@@ -1220,11 +1220,6 @@ namespace OpenIddict.EntityFrameworkCore
                 throw new ArgumentNullException(nameof(token));
             }
 
-            if (string.IsNullOrEmpty(status))
-            {
-                throw new ArgumentException("The status cannot be null or empty.", nameof(status));
-            }
-
             token.Status = status;
 
             return Task.CompletedTask;
@@ -1246,11 +1241,6 @@ namespace OpenIddict.EntityFrameworkCore
                 throw new ArgumentNullException(nameof(token));
             }
 
-            if (string.IsNullOrEmpty(subject))
-            {
-                throw new ArgumentException("The subject cannot be null or empty.", nameof(subject));
-            }
-
             token.Subject = subject;
 
             return Task.CompletedTask;
@@ -1272,11 +1262,6 @@ namespace OpenIddict.EntityFrameworkCore
                 throw new ArgumentNullException(nameof(token));
             }
 
-            if (string.IsNullOrEmpty(type))
-            {
-                throw new ArgumentException("The token type cannot be null or empty.", nameof(type));
-            }
-
             token.Type = type;
 
             return Task.CompletedTask;
diff --git a/src/OpenIddict.MongoDb/Stores/OpenIddictTokenStore.cs b/src/OpenIddict.MongoDb/Stores/OpenIddictTokenStore.cs
index 7b12511a..cacd8d1b 100644
--- a/src/OpenIddict.MongoDb/Stores/OpenIddictTokenStore.cs
+++ b/src/OpenIddict.MongoDb/Stores/OpenIddictTokenStore.cs
@@ -905,11 +905,6 @@ namespace OpenIddict.MongoDb
                 throw new ArgumentNullException(nameof(token));
             }
 
-            if (string.IsNullOrEmpty(status))
-            {
-                throw new ArgumentException("The status cannot be null or empty.", nameof(status));
-            }
-
             token.Status = status;
 
             return Task.CompletedTask;
@@ -931,11 +926,6 @@ namespace OpenIddict.MongoDb
                 throw new ArgumentNullException(nameof(token));
             }
 
-            if (string.IsNullOrEmpty(subject))
-            {
-                throw new ArgumentException("The subject cannot be null or empty.", nameof(subject));
-            }
-
             token.Subject = subject;
 
             return Task.CompletedTask;
@@ -957,11 +947,6 @@ namespace OpenIddict.MongoDb
                 throw new ArgumentNullException(nameof(token));
             }
 
-            if (string.IsNullOrEmpty(type))
-            {
-                throw new ArgumentException("The token type cannot be null or empty.", nameof(type));
-            }
-
             token.Type = type;
 
             return Task.CompletedTask;

From b834c048a847409dc3e99b7b190040b1a95c01ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Wed, 6 Feb 2019 17:02:11 +0100
Subject: [PATCH 17/64] Replace TryGetValue/TryRemove by a single TryRemove
 call to avoid potential issues with concurrent cache removal/addition

---
 .../Caches/OpenIddictApplicationCache.cs      | 22 ++++++-------------
 .../Caches/OpenIddictAuthorizationCache.cs    | 22 ++++++-------------
 .../Caches/OpenIddictScopeCache.cs            | 22 ++++++-------------
 .../Caches/OpenIddictTokenCache.cs            | 22 ++++++-------------
 4 files changed, 28 insertions(+), 60 deletions(-)

diff --git a/src/OpenIddict.Core/Caches/OpenIddictApplicationCache.cs b/src/OpenIddict.Core/Caches/OpenIddictApplicationCache.cs
index f9a75d8c..07dd3020 100644
--- a/src/OpenIddict.Core/Caches/OpenIddictApplicationCache.cs
+++ b/src/OpenIddict.Core/Caches/OpenIddictApplicationCache.cs
@@ -24,7 +24,7 @@ namespace OpenIddict.Core
     public class OpenIddictApplicationCache<TApplication> : IOpenIddictApplicationCache<TApplication>, IDisposable where TApplication : class
     {
         private readonly MemoryCache _cache;
-        private readonly ConcurrentDictionary<string, Lazy<CancellationTokenSource>> _signals;
+        private readonly ConcurrentDictionary<string, CancellationTokenSource> _signals;
         private readonly IOpenIddictApplicationStore<TApplication> _store;
 
         public OpenIddictApplicationCache(
@@ -36,7 +36,7 @@ namespace OpenIddict.Core
                 SizeLimit = options.CurrentValue.EntityCacheLimit
             });
 
-            _signals = new ConcurrentDictionary<string, Lazy<CancellationTokenSource>>(StringComparer.Ordinal);
+            _signals = new ConcurrentDictionary<string, CancellationTokenSource>(StringComparer.Ordinal);
             _store = resolver.Get<TApplication>();
         }
 
@@ -121,7 +121,7 @@ namespace OpenIddict.Core
         {
             foreach (var signal in _signals)
             {
-                signal.Value.Value.Dispose();
+                signal.Value.Dispose();
             }
 
             _cache.Dispose();
@@ -378,11 +378,9 @@ namespace OpenIddict.Core
                 throw new InvalidOperationException("The application identifier cannot be extracted.");
             }
 
-            if (_signals.TryGetValue(identifier, out Lazy<CancellationTokenSource> signal))
+            if (_signals.TryRemove(identifier, out CancellationTokenSource signal))
             {
-                signal.Value.Cancel();
-
-                _signals.TryRemove(identifier, out signal);
+                signal.Cancel();
             }
         }
 
@@ -410,15 +408,9 @@ namespace OpenIddict.Core
                 throw new InvalidOperationException("The application identifier cannot be extracted.");
             }
 
-            var signal = _signals.GetOrAdd(identifier, delegate
-            {
-                // Note: a Lazy<CancellationTokenSource> is used here to ensure only one CancellationTokenSource
-                // can be created. Not doing so would result in expiration signals being potentially linked to
-                // multiple sources, with a single one of them being eventually tracked and thus, cancelable.
-                return new Lazy<CancellationTokenSource>(() => new CancellationTokenSource());
-            });
+            var signal = _signals.GetOrAdd(identifier, _ => new CancellationTokenSource());
 
-            return new CancellationChangeToken(signal.Value.Token);
+            return new CancellationChangeToken(signal.Token);
         }
     }
 }
diff --git a/src/OpenIddict.Core/Caches/OpenIddictAuthorizationCache.cs b/src/OpenIddict.Core/Caches/OpenIddictAuthorizationCache.cs
index 53b673cd..0191d009 100644
--- a/src/OpenIddict.Core/Caches/OpenIddictAuthorizationCache.cs
+++ b/src/OpenIddict.Core/Caches/OpenIddictAuthorizationCache.cs
@@ -24,7 +24,7 @@ namespace OpenIddict.Core
     public class OpenIddictAuthorizationCache<TAuthorization> : IOpenIddictAuthorizationCache<TAuthorization>, IDisposable where TAuthorization : class
     {
         private readonly MemoryCache _cache;
-        private readonly ConcurrentDictionary<string, Lazy<CancellationTokenSource>> _signals;
+        private readonly ConcurrentDictionary<string, CancellationTokenSource> _signals;
         private readonly IOpenIddictAuthorizationStore<TAuthorization> _store;
 
         public OpenIddictAuthorizationCache(
@@ -36,7 +36,7 @@ namespace OpenIddict.Core
                 SizeLimit = options.CurrentValue.EntityCacheLimit
             });
 
-            _signals = new ConcurrentDictionary<string, Lazy<CancellationTokenSource>>(StringComparer.Ordinal);
+            _signals = new ConcurrentDictionary<string, CancellationTokenSource>(StringComparer.Ordinal);
             _store = resolver.Get<TAuthorization>();
         }
 
@@ -122,7 +122,7 @@ namespace OpenIddict.Core
         {
             foreach (var signal in _signals)
             {
-                signal.Value.Value.Dispose();
+                signal.Value.Dispose();
             }
 
             _cache.Dispose();
@@ -596,11 +596,9 @@ namespace OpenIddict.Core
                 throw new InvalidOperationException("The application identifier cannot be extracted.");
             }
 
-            if (_signals.TryGetValue(identifier, out Lazy<CancellationTokenSource> signal))
+            if (_signals.TryRemove(identifier, out CancellationTokenSource signal))
             {
-                signal.Value.Cancel();
-
-                _signals.TryRemove(identifier, out signal);
+                signal.Cancel();
             }
         }
 
@@ -628,15 +626,9 @@ namespace OpenIddict.Core
                 throw new InvalidOperationException("The authorization identifier cannot be extracted.");
             }
 
-            var signal = _signals.GetOrAdd(identifier, delegate
-            {
-                // Note: a Lazy<CancellationTokenSource> is used here to ensure only one CancellationTokenSource
-                // can be created. Not doing so would result in expiration signals being potentially linked to
-                // multiple sources, with a single one of them being eventually tracked and thus, cancelable.
-                return new Lazy<CancellationTokenSource>(() => new CancellationTokenSource());
-            });
+            var signal = _signals.GetOrAdd(identifier, _ => new CancellationTokenSource());
 
-            return new CancellationChangeToken(signal.Value.Token);
+            return new CancellationChangeToken(signal.Token);
         }
     }
 }
diff --git a/src/OpenIddict.Core/Caches/OpenIddictScopeCache.cs b/src/OpenIddict.Core/Caches/OpenIddictScopeCache.cs
index f30dfdfb..710ce8e6 100644
--- a/src/OpenIddict.Core/Caches/OpenIddictScopeCache.cs
+++ b/src/OpenIddict.Core/Caches/OpenIddictScopeCache.cs
@@ -25,7 +25,7 @@ namespace OpenIddict.Core
     public class OpenIddictScopeCache<TScope> : IOpenIddictScopeCache<TScope>, IDisposable where TScope : class
     {
         private readonly MemoryCache _cache;
-        private readonly ConcurrentDictionary<string, Lazy<CancellationTokenSource>> _signals;
+        private readonly ConcurrentDictionary<string, CancellationTokenSource> _signals;
         private readonly IOpenIddictScopeStore<TScope> _store;
 
         public OpenIddictScopeCache(
@@ -37,7 +37,7 @@ namespace OpenIddict.Core
                 SizeLimit = options.CurrentValue.EntityCacheLimit
             });
 
-            _signals = new ConcurrentDictionary<string, Lazy<CancellationTokenSource>>(StringComparer.Ordinal);
+            _signals = new ConcurrentDictionary<string, CancellationTokenSource>(StringComparer.Ordinal);
             _store = resolver.Get<TScope>();
         }
 
@@ -113,7 +113,7 @@ namespace OpenIddict.Core
         {
             foreach (var signal in _signals)
             {
-                signal.Value.Value.Dispose();
+                signal.Value.Dispose();
             }
 
             _cache.Dispose();
@@ -349,11 +349,9 @@ namespace OpenIddict.Core
                 throw new InvalidOperationException("The application identifier cannot be extracted.");
             }
 
-            if (_signals.TryGetValue(identifier, out Lazy<CancellationTokenSource> signal))
+            if (_signals.TryRemove(identifier, out CancellationTokenSource signal))
             {
-                signal.Value.Cancel();
-
-                _signals.TryRemove(identifier, out signal);
+                signal.Cancel();
             }
         }
 
@@ -380,15 +378,9 @@ namespace OpenIddict.Core
                 throw new InvalidOperationException("The scope identifier cannot be extracted.");
             }
 
-            var signal = _signals.GetOrAdd(identifier, delegate
-            {
-                // Note: a Lazy<CancellationTokenSource> is used here to ensure only one CancellationTokenSource
-                // can be created. Not doing so would result in expiration signals being potentially linked to
-                // multiple sources, with a single one of them being eventually tracked and thus, cancelable.
-                return new Lazy<CancellationTokenSource>(() => new CancellationTokenSource());
-            });
+            var signal = _signals.GetOrAdd(identifier, _ => new CancellationTokenSource());
 
-            return new CancellationChangeToken(signal.Value.Token);
+            return new CancellationChangeToken(signal.Token);
         }
     }
 }
diff --git a/src/OpenIddict.Core/Caches/OpenIddictTokenCache.cs b/src/OpenIddict.Core/Caches/OpenIddictTokenCache.cs
index d2e8d451..1caef84e 100644
--- a/src/OpenIddict.Core/Caches/OpenIddictTokenCache.cs
+++ b/src/OpenIddict.Core/Caches/OpenIddictTokenCache.cs
@@ -24,7 +24,7 @@ namespace OpenIddict.Core
     public class OpenIddictTokenCache<TToken> : IOpenIddictTokenCache<TToken>, IDisposable where TToken : class
     {
         private readonly MemoryCache _cache;
-        private readonly ConcurrentDictionary<string, Lazy<CancellationTokenSource>> _signals;
+        private readonly ConcurrentDictionary<string, CancellationTokenSource> _signals;
         private readonly IOpenIddictTokenStore<TToken> _store;
 
         public OpenIddictTokenCache(
@@ -36,7 +36,7 @@ namespace OpenIddict.Core
                 SizeLimit = options.CurrentValue.EntityCacheLimit
             });
 
-            _signals = new ConcurrentDictionary<string, Lazy<CancellationTokenSource>>(StringComparer.Ordinal);
+            _signals = new ConcurrentDictionary<string, CancellationTokenSource>(StringComparer.Ordinal);
             _store = resolver.Get<TToken>();
         }
 
@@ -145,7 +145,7 @@ namespace OpenIddict.Core
         {
             foreach (var signal in _signals)
             {
-                signal.Value.Value.Dispose();
+                signal.Value.Dispose();
             }
 
             _cache.Dispose();
@@ -679,11 +679,9 @@ namespace OpenIddict.Core
                 throw new InvalidOperationException("The application identifier cannot be extracted.");
             }
 
-            if (_signals.TryGetValue(identifier, out Lazy<CancellationTokenSource> signal))
+            if (_signals.TryRemove(identifier, out CancellationTokenSource signal))
             {
-                signal.Value.Cancel();
-
-                _signals.TryRemove(identifier, out signal);
+                signal.Cancel();
             }
         }
 
@@ -710,15 +708,9 @@ namespace OpenIddict.Core
                 throw new InvalidOperationException("The token identifier cannot be extracted.");
             }
 
-            var signal = _signals.GetOrAdd(identifier, delegate
-            {
-                // Note: a Lazy<CancellationTokenSource> is used here to ensure only one CancellationTokenSource
-                // can be created. Not doing so would result in expiration signals being potentially linked to
-                // multiple sources, with a single one of them being eventually tracked and thus, cancelable.
-                return new Lazy<CancellationTokenSource>(() => new CancellationTokenSource());
-            });
+            var signal = _signals.GetOrAdd(identifier, _ => new CancellationTokenSource());
 
-            return new CancellationChangeToken(signal.Value.Token);
+            return new CancellationChangeToken(signal.Token);
         }
     }
 }

From 1b03a546c2488cf6c4b02e4769c8669017a5f4c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Sat, 17 Aug 2019 16:44:29 +0200
Subject: [PATCH 18/64] Replace the static caches used in the EF 6/EF Core
 caches by private singleton caches injected via DI

---
 .../OpenIddictEntityFrameworkExtensions.cs    |  5 +++++
 .../OpenIddictApplicationStoreResolver.cs     | 10 +++++++++-
 .../OpenIddictAuthorizationStoreResolver.cs   | 10 +++++++++-
 .../Resolvers/OpenIddictScopeStoreResolver.cs | 10 +++++++++-
 .../Resolvers/OpenIddictTokenStoreResolver.cs | 10 +++++++++-
 ...OpenIddictEntityFrameworkCoreExtensions.cs |  5 +++++
 .../OpenIddictApplicationStoreResolver.cs     | 10 +++++++++-
 .../OpenIddictAuthorizationStoreResolver.cs   | 10 +++++++++-
 .../Resolvers/OpenIddictScopeStoreResolver.cs | 10 +++++++++-
 .../Resolvers/OpenIddictTokenStoreResolver.cs | 10 +++++++++-
 ...penIddictEntityFrameworkExtensionsTests.cs | 19 +++++++++++++++++++
 ...OpenIddictApplicationStoreResolverTests.cs |  9 +++++----
 ...enIddictAuthorizationStoreResolverTests.cs |  9 +++++----
 .../OpenIddictScopeStoreResolverTests.cs      |  9 +++++----
 .../OpenIddictTokenStoreResolverTests.cs      |  9 +++++----
 ...ddictEntityFrameworkCoreExtensionsTests.cs | 19 +++++++++++++++++++
 ...OpenIddictApplicationStoreResolverTests.cs |  9 +++++----
 ...enIddictAuthorizationStoreResolverTests.cs |  9 +++++----
 .../OpenIddictScopeStoreResolverTests.cs      |  9 +++++----
 .../OpenIddictTokenStoreResolverTests.cs      |  9 +++++----
 20 files changed, 160 insertions(+), 40 deletions(-)

diff --git a/src/OpenIddict.EntityFramework/OpenIddictEntityFrameworkExtensions.cs b/src/OpenIddict.EntityFramework/OpenIddictEntityFrameworkExtensions.cs
index 474b4a9c..f2ed4313 100644
--- a/src/OpenIddict.EntityFramework/OpenIddictEntityFrameworkExtensions.cs
+++ b/src/OpenIddict.EntityFramework/OpenIddictEntityFrameworkExtensions.cs
@@ -46,6 +46,11 @@ namespace Microsoft.Extensions.DependencyInjection
                    .ReplaceScopeStoreResolver<OpenIddictScopeStoreResolver>()
                    .ReplaceTokenStoreResolver<OpenIddictTokenStoreResolver>();
 
+            builder.Services.TryAddSingleton<OpenIddictApplicationStoreResolver.TypeResolutionCache>();
+            builder.Services.TryAddSingleton<OpenIddictAuthorizationStoreResolver.TypeResolutionCache>();
+            builder.Services.TryAddSingleton<OpenIddictScopeStoreResolver.TypeResolutionCache>();
+            builder.Services.TryAddSingleton<OpenIddictTokenStoreResolver.TypeResolutionCache>();
+
             builder.Services.TryAddScoped(typeof(OpenIddictApplicationStore<,,,,>));
             builder.Services.TryAddScoped(typeof(OpenIddictAuthorizationStore<,,,,>));
             builder.Services.TryAddScoped(typeof(OpenIddictScopeStore<,,>));
diff --git a/src/OpenIddict.EntityFramework/Resolvers/OpenIddictApplicationStoreResolver.cs b/src/OpenIddict.EntityFramework/Resolvers/OpenIddictApplicationStoreResolver.cs
index 044cfa11..05f5491d 100644
--- a/src/OpenIddict.EntityFramework/Resolvers/OpenIddictApplicationStoreResolver.cs
+++ b/src/OpenIddict.EntityFramework/Resolvers/OpenIddictApplicationStoreResolver.cs
@@ -21,14 +21,16 @@ namespace OpenIddict.EntityFramework
     /// </summary>
     public class OpenIddictApplicationStoreResolver : IOpenIddictApplicationStoreResolver
     {
-        private static readonly ConcurrentDictionary<Type, Type> _cache = new ConcurrentDictionary<Type, Type>();
+        private readonly TypeResolutionCache _cache;
         private readonly IOptionsMonitor<OpenIddictEntityFrameworkOptions> _options;
         private readonly IServiceProvider _provider;
 
         public OpenIddictApplicationStoreResolver(
+            [NotNull] TypeResolutionCache cache,
             [NotNull] IOptionsMonitor<OpenIddictEntityFrameworkOptions> options,
             [NotNull] IServiceProvider provider)
         {
+            _cache = cache;
             _options = options;
             _provider = provider;
         }
@@ -80,5 +82,11 @@ namespace OpenIddict.EntityFramework
 
             return (IOpenIddictApplicationStore<TApplication>) _provider.GetRequiredService(type);
         }
+
+        // Note: Entity Framework resolvers are registered as scoped dependencies as their inner
+        // service provider must be able to resolve scoped services (typically, the store they return).
+        // To avoid having to declare a static type resolution cache, a special cache service is used
+        // here and registered as a singleton dependency so that its content persists beyond the scope.
+        public class TypeResolutionCache : ConcurrentDictionary<Type, Type> { }
     }
 }
diff --git a/src/OpenIddict.EntityFramework/Resolvers/OpenIddictAuthorizationStoreResolver.cs b/src/OpenIddict.EntityFramework/Resolvers/OpenIddictAuthorizationStoreResolver.cs
index 9683733d..a037d42b 100644
--- a/src/OpenIddict.EntityFramework/Resolvers/OpenIddictAuthorizationStoreResolver.cs
+++ b/src/OpenIddict.EntityFramework/Resolvers/OpenIddictAuthorizationStoreResolver.cs
@@ -21,14 +21,16 @@ namespace OpenIddict.EntityFramework
     /// </summary>
     public class OpenIddictAuthorizationStoreResolver : IOpenIddictAuthorizationStoreResolver
     {
-        private static readonly ConcurrentDictionary<Type, Type> _cache = new ConcurrentDictionary<Type, Type>();
+        private readonly TypeResolutionCache _cache;
         private readonly IOptionsMonitor<OpenIddictEntityFrameworkOptions> _options;
         private readonly IServiceProvider _provider;
 
         public OpenIddictAuthorizationStoreResolver(
+            [NotNull] TypeResolutionCache cache,
             [NotNull] IOptionsMonitor<OpenIddictEntityFrameworkOptions> options,
             [NotNull] IServiceProvider provider)
         {
+            _cache = cache;
             _options = options;
             _provider = provider;
         }
@@ -80,5 +82,11 @@ namespace OpenIddict.EntityFramework
 
             return (IOpenIddictAuthorizationStore<TAuthorization>) _provider.GetRequiredService(type);
         }
+
+        // Note: Entity Framework resolvers are registered as scoped dependencies as their inner
+        // service provider must be able to resolve scoped services (typically, the store they return).
+        // To avoid having to declare a static type resolution cache, a special cache service is used
+        // here and registered as a singleton dependency so that its content persists beyond the scope.
+        public class TypeResolutionCache : ConcurrentDictionary<Type, Type> { }
     }
 }
diff --git a/src/OpenIddict.EntityFramework/Resolvers/OpenIddictScopeStoreResolver.cs b/src/OpenIddict.EntityFramework/Resolvers/OpenIddictScopeStoreResolver.cs
index cfe05634..74ffc732 100644
--- a/src/OpenIddict.EntityFramework/Resolvers/OpenIddictScopeStoreResolver.cs
+++ b/src/OpenIddict.EntityFramework/Resolvers/OpenIddictScopeStoreResolver.cs
@@ -21,14 +21,16 @@ namespace OpenIddict.EntityFramework
     /// </summary>
     public class OpenIddictScopeStoreResolver : IOpenIddictScopeStoreResolver
     {
-        private static readonly ConcurrentDictionary<Type, Type> _cache = new ConcurrentDictionary<Type, Type>();
+        private readonly TypeResolutionCache _cache;
         private readonly IOptionsMonitor<OpenIddictEntityFrameworkOptions> _options;
         private readonly IServiceProvider _provider;
 
         public OpenIddictScopeStoreResolver(
+            [NotNull] TypeResolutionCache cache,
             [NotNull] IOptionsMonitor<OpenIddictEntityFrameworkOptions> options,
             [NotNull] IServiceProvider provider)
         {
+            _cache = cache;
             _options = options;
             _provider = provider;
         }
@@ -78,5 +80,11 @@ namespace OpenIddict.EntityFramework
 
             return (IOpenIddictScopeStore<TScope>) _provider.GetRequiredService(type);
         }
+
+        // Note: Entity Framework resolvers are registered as scoped dependencies as their inner
+        // service provider must be able to resolve scoped services (typically, the store they return).
+        // To avoid having to declare a static type resolution cache, a special cache service is used
+        // here and registered as a singleton dependency so that its content persists beyond the scope.
+        public class TypeResolutionCache : ConcurrentDictionary<Type, Type> { }
     }
 }
diff --git a/src/OpenIddict.EntityFramework/Resolvers/OpenIddictTokenStoreResolver.cs b/src/OpenIddict.EntityFramework/Resolvers/OpenIddictTokenStoreResolver.cs
index eebd7503..7bd07398 100644
--- a/src/OpenIddict.EntityFramework/Resolvers/OpenIddictTokenStoreResolver.cs
+++ b/src/OpenIddict.EntityFramework/Resolvers/OpenIddictTokenStoreResolver.cs
@@ -21,14 +21,16 @@ namespace OpenIddict.EntityFramework
     /// </summary>
     public class OpenIddictTokenStoreResolver : IOpenIddictTokenStoreResolver
     {
-        private static readonly ConcurrentDictionary<Type, Type> _cache = new ConcurrentDictionary<Type, Type>();
+        private readonly TypeResolutionCache _cache;
         private readonly IOptionsMonitor<OpenIddictEntityFrameworkOptions> _options;
         private readonly IServiceProvider _provider;
 
         public OpenIddictTokenStoreResolver(
+            [NotNull] TypeResolutionCache cache,
             [NotNull] IOptionsMonitor<OpenIddictEntityFrameworkOptions> options,
             [NotNull] IServiceProvider provider)
         {
+            _cache = cache;
             _options = options;
             _provider = provider;
         }
@@ -80,5 +82,11 @@ namespace OpenIddict.EntityFramework
 
             return (IOpenIddictTokenStore<TToken>) _provider.GetRequiredService(type);
         }
+
+        // Note: Entity Framework resolvers are registered as scoped dependencies as their inner
+        // service provider must be able to resolve scoped services (typically, the store they return).
+        // To avoid having to declare a static type resolution cache, a special cache service is used
+        // here and registered as a singleton dependency so that its content persists beyond the scope.
+        public class TypeResolutionCache : ConcurrentDictionary<Type, Type> { }
     }
 }
diff --git a/src/OpenIddict.EntityFrameworkCore/OpenIddictEntityFrameworkCoreExtensions.cs b/src/OpenIddict.EntityFrameworkCore/OpenIddictEntityFrameworkCoreExtensions.cs
index 93d9b75d..f93af4f1 100644
--- a/src/OpenIddict.EntityFrameworkCore/OpenIddictEntityFrameworkCoreExtensions.cs
+++ b/src/OpenIddict.EntityFrameworkCore/OpenIddictEntityFrameworkCoreExtensions.cs
@@ -48,6 +48,11 @@ namespace Microsoft.Extensions.DependencyInjection
                    .ReplaceScopeStoreResolver<OpenIddictScopeStoreResolver>()
                    .ReplaceTokenStoreResolver<OpenIddictTokenStoreResolver>();
 
+            builder.Services.TryAddSingleton<OpenIddictApplicationStoreResolver.TypeResolutionCache>();
+            builder.Services.TryAddSingleton<OpenIddictAuthorizationStoreResolver.TypeResolutionCache>();
+            builder.Services.TryAddSingleton<OpenIddictScopeStoreResolver.TypeResolutionCache>();
+            builder.Services.TryAddSingleton<OpenIddictTokenStoreResolver.TypeResolutionCache>();
+
             builder.Services.TryAddScoped(typeof(OpenIddictApplicationStore<,,,,>));
             builder.Services.TryAddScoped(typeof(OpenIddictAuthorizationStore<,,,,>));
             builder.Services.TryAddScoped(typeof(OpenIddictScopeStore<,,>));
diff --git a/src/OpenIddict.EntityFrameworkCore/Resolvers/OpenIddictApplicationStoreResolver.cs b/src/OpenIddict.EntityFrameworkCore/Resolvers/OpenIddictApplicationStoreResolver.cs
index 030a0f2c..4441aafb 100644
--- a/src/OpenIddict.EntityFrameworkCore/Resolvers/OpenIddictApplicationStoreResolver.cs
+++ b/src/OpenIddict.EntityFrameworkCore/Resolvers/OpenIddictApplicationStoreResolver.cs
@@ -21,14 +21,16 @@ namespace OpenIddict.EntityFrameworkCore
     /// </summary>
     public class OpenIddictApplicationStoreResolver : IOpenIddictApplicationStoreResolver
     {
-        private static readonly ConcurrentDictionary<Type, Type> _cache = new ConcurrentDictionary<Type, Type>();
+        private readonly TypeResolutionCache _cache;
         private readonly IOptionsMonitor<OpenIddictEntityFrameworkCoreOptions> _options;
         private readonly IServiceProvider _provider;
 
         public OpenIddictApplicationStoreResolver(
+            [NotNull] TypeResolutionCache cache,
             [NotNull] IOptionsMonitor<OpenIddictEntityFrameworkCoreOptions> options,
             [NotNull] IServiceProvider provider)
         {
+            _cache = cache;
             _options = options;
             _provider = provider;
         }
@@ -80,5 +82,11 @@ namespace OpenIddict.EntityFrameworkCore
 
             return (IOpenIddictApplicationStore<TApplication>) _provider.GetRequiredService(type);
         }
+
+        // Note: Entity Framework Core resolvers are registered as scoped dependencies as their inner
+        // service provider must be able to resolve scoped services (typically, the store they return).
+        // To avoid having to declare a static type resolution cache, a special cache service is used
+        // here and registered as a singleton dependency so that its content persists beyond the scope.
+        public class TypeResolutionCache : ConcurrentDictionary<Type, Type> { }
     }
 }
diff --git a/src/OpenIddict.EntityFrameworkCore/Resolvers/OpenIddictAuthorizationStoreResolver.cs b/src/OpenIddict.EntityFrameworkCore/Resolvers/OpenIddictAuthorizationStoreResolver.cs
index 8964735e..eda0e4d8 100644
--- a/src/OpenIddict.EntityFrameworkCore/Resolvers/OpenIddictAuthorizationStoreResolver.cs
+++ b/src/OpenIddict.EntityFrameworkCore/Resolvers/OpenIddictAuthorizationStoreResolver.cs
@@ -21,14 +21,16 @@ namespace OpenIddict.EntityFrameworkCore
     /// </summary>
     public class OpenIddictAuthorizationStoreResolver : IOpenIddictAuthorizationStoreResolver
     {
-        private static readonly ConcurrentDictionary<Type, Type> _cache = new ConcurrentDictionary<Type, Type>();
+        private readonly TypeResolutionCache _cache;
         private readonly IOptionsMonitor<OpenIddictEntityFrameworkCoreOptions> _options;
         private readonly IServiceProvider _provider;
 
         public OpenIddictAuthorizationStoreResolver(
+            [NotNull] TypeResolutionCache cache,
             [NotNull] IOptionsMonitor<OpenIddictEntityFrameworkCoreOptions> options,
             [NotNull] IServiceProvider provider)
         {
+            _cache = cache;
             _options = options;
             _provider = provider;
         }
@@ -80,5 +82,11 @@ namespace OpenIddict.EntityFrameworkCore
 
             return (IOpenIddictAuthorizationStore<TAuthorization>) _provider.GetRequiredService(type);
         }
+
+        // Note: Entity Framework Core resolvers are registered as scoped dependencies as their inner
+        // service provider must be able to resolve scoped services (typically, the store they return).
+        // To avoid having to declare a static type resolution cache, a special cache service is used
+        // here and registered as a singleton dependency so that its content persists beyond the scope.
+        public class TypeResolutionCache : ConcurrentDictionary<Type, Type> { }
     }
 }
diff --git a/src/OpenIddict.EntityFrameworkCore/Resolvers/OpenIddictScopeStoreResolver.cs b/src/OpenIddict.EntityFrameworkCore/Resolvers/OpenIddictScopeStoreResolver.cs
index 9c249b78..ed65f16a 100644
--- a/src/OpenIddict.EntityFrameworkCore/Resolvers/OpenIddictScopeStoreResolver.cs
+++ b/src/OpenIddict.EntityFrameworkCore/Resolvers/OpenIddictScopeStoreResolver.cs
@@ -21,14 +21,16 @@ namespace OpenIddict.EntityFrameworkCore
     /// </summary>
     public class OpenIddictScopeStoreResolver : IOpenIddictScopeStoreResolver
     {
-        private static readonly ConcurrentDictionary<Type, Type> _cache = new ConcurrentDictionary<Type, Type>();
+        private readonly TypeResolutionCache _cache;
         private readonly IOptionsMonitor<OpenIddictEntityFrameworkCoreOptions> _options;
         private readonly IServiceProvider _provider;
 
         public OpenIddictScopeStoreResolver(
+            [NotNull] TypeResolutionCache cache,
             [NotNull] IOptionsMonitor<OpenIddictEntityFrameworkCoreOptions> options,
             [NotNull] IServiceProvider provider)
         {
+            _cache = cache;
             _options = options;
             _provider = provider;
         }
@@ -78,5 +80,11 @@ namespace OpenIddict.EntityFrameworkCore
 
             return (IOpenIddictScopeStore<TScope>) _provider.GetRequiredService(type);
         }
+
+        // Note: Entity Framework Core resolvers are registered as scoped dependencies as their inner
+        // service provider must be able to resolve scoped services (typically, the store they return).
+        // To avoid having to declare a static type resolution cache, a special cache service is used
+        // here and registered as a singleton dependency so that its content persists beyond the scope.
+        public class TypeResolutionCache : ConcurrentDictionary<Type, Type> { }
     }
 }
diff --git a/src/OpenIddict.EntityFrameworkCore/Resolvers/OpenIddictTokenStoreResolver.cs b/src/OpenIddict.EntityFrameworkCore/Resolvers/OpenIddictTokenStoreResolver.cs
index 860ca846..07c3304a 100644
--- a/src/OpenIddict.EntityFrameworkCore/Resolvers/OpenIddictTokenStoreResolver.cs
+++ b/src/OpenIddict.EntityFrameworkCore/Resolvers/OpenIddictTokenStoreResolver.cs
@@ -21,14 +21,16 @@ namespace OpenIddict.EntityFrameworkCore
     /// </summary>
     public class OpenIddictTokenStoreResolver : IOpenIddictTokenStoreResolver
     {
-        private static readonly ConcurrentDictionary<Type, Type> _cache = new ConcurrentDictionary<Type, Type>();
+        private readonly TypeResolutionCache _cache;
         private readonly IOptionsMonitor<OpenIddictEntityFrameworkCoreOptions> _options;
         private readonly IServiceProvider _provider;
 
         public OpenIddictTokenStoreResolver(
+            [NotNull] TypeResolutionCache cache,
             [NotNull] IOptionsMonitor<OpenIddictEntityFrameworkCoreOptions> options,
             [NotNull] IServiceProvider provider)
         {
+            _cache = cache;
             _options = options;
             _provider = provider;
         }
@@ -80,5 +82,11 @@ namespace OpenIddict.EntityFrameworkCore
 
             return (IOpenIddictTokenStore<TToken>) _provider.GetRequiredService(type);
         }
+
+        // Note: Entity Framework Core resolvers are registered as scoped dependencies as their inner
+        // service provider must be able to resolve scoped services (typically, the store they return).
+        // To avoid having to declare a static type resolution cache, a special cache service is used
+        // here and registered as a singleton dependency so that its content persists beyond the scope.
+        public class TypeResolutionCache : ConcurrentDictionary<Type, Type> { }
     }
 }
diff --git a/test/OpenIddict.EntityFramework.Tests/OpenIddictEntityFrameworkExtensionsTests.cs b/test/OpenIddict.EntityFramework.Tests/OpenIddictEntityFrameworkExtensionsTests.cs
index a28b1777..36cb33be 100644
--- a/test/OpenIddict.EntityFramework.Tests/OpenIddictEntityFrameworkExtensionsTests.cs
+++ b/test/OpenIddict.EntityFramework.Tests/OpenIddictEntityFrameworkExtensionsTests.cs
@@ -81,6 +81,25 @@ namespace OpenIddict.EntityFramework.Tests
                                                  service.ImplementationType == implementationType);
         }
 
+        [Theory]
+        [InlineData(typeof(OpenIddictApplicationStoreResolver.TypeResolutionCache))]
+        [InlineData(typeof(OpenIddictAuthorizationStoreResolver.TypeResolutionCache))]
+        [InlineData(typeof(OpenIddictScopeStoreResolver.TypeResolutionCache))]
+        [InlineData(typeof(OpenIddictTokenStoreResolver.TypeResolutionCache))]
+        public void UseEntityFramework_RegistersEntityFrameworkStoreResolverCaches(Type type)
+        {
+            // Arrange
+            var services = new ServiceCollection();
+            var builder = new OpenIddictCoreBuilder(services);
+
+            // Act
+            builder.UseEntityFramework();
+
+            // Assert
+            Assert.Contains(services, service => service.ServiceType == type &&
+                                                 service.ImplementationType == type);
+        }
+
         [Theory]
         [InlineData(typeof(OpenIddictApplicationStore<,,,,>))]
         [InlineData(typeof(OpenIddictAuthorizationStore<,,,,>))]
diff --git a/test/OpenIddict.EntityFramework.Tests/Resolvers/OpenIddictApplicationStoreResolverTests.cs b/test/OpenIddict.EntityFramework.Tests/Resolvers/OpenIddictApplicationStoreResolverTests.cs
index f21ad750..f623d3c1 100644
--- a/test/OpenIddict.EntityFramework.Tests/Resolvers/OpenIddictApplicationStoreResolverTests.cs
+++ b/test/OpenIddict.EntityFramework.Tests/Resolvers/OpenIddictApplicationStoreResolverTests.cs
@@ -14,6 +14,7 @@ using Moq;
 using OpenIddict.Abstractions;
 using OpenIddict.EntityFramework.Models;
 using Xunit;
+using static OpenIddict.EntityFramework.OpenIddictApplicationStoreResolver;
 
 namespace OpenIddict.EntityFramework.Tests
 {
@@ -28,7 +29,7 @@ namespace OpenIddict.EntityFramework.Tests
 
             var options = Mock.Of<IOptionsMonitor<OpenIddictEntityFrameworkOptions>>();
             var provider = services.BuildServiceProvider();
-            var resolver = new OpenIddictApplicationStoreResolver(options, provider);
+            var resolver = new OpenIddictApplicationStoreResolver(new TypeResolutionCache(), options, provider);
 
             // Act and assert
             Assert.NotNull(resolver.Get<CustomApplication>());
@@ -42,7 +43,7 @@ namespace OpenIddict.EntityFramework.Tests
 
             var options = Mock.Of<IOptionsMonitor<OpenIddictEntityFrameworkOptions>>();
             var provider = services.BuildServiceProvider();
-            var resolver = new OpenIddictApplicationStoreResolver(options, provider);
+            var resolver = new OpenIddictApplicationStoreResolver(new TypeResolutionCache(), options, provider);
 
             // Act and assert
             var exception = Assert.Throws<InvalidOperationException>(() => resolver.Get<CustomApplication>());
@@ -68,7 +69,7 @@ namespace OpenIddict.EntityFramework.Tests
                 });
 
             var provider = services.BuildServiceProvider();
-            var resolver = new OpenIddictApplicationStoreResolver(options, provider);
+            var resolver = new OpenIddictApplicationStoreResolver(new TypeResolutionCache(), options, provider);
 
             // Act and assert
             var exception = Assert.Throws<InvalidOperationException>(() => resolver.Get<OpenIddictApplication>());
@@ -95,7 +96,7 @@ namespace OpenIddict.EntityFramework.Tests
                 });
 
             var provider = services.BuildServiceProvider();
-            var resolver = new OpenIddictApplicationStoreResolver(options, provider);
+            var resolver = new OpenIddictApplicationStoreResolver(new TypeResolutionCache(), options, provider);
 
             // Act and assert
             Assert.NotNull(resolver.Get<MyApplication>());
diff --git a/test/OpenIddict.EntityFramework.Tests/Resolvers/OpenIddictAuthorizationStoreResolverTests.cs b/test/OpenIddict.EntityFramework.Tests/Resolvers/OpenIddictAuthorizationStoreResolverTests.cs
index 2ac870fd..329dd09e 100644
--- a/test/OpenIddict.EntityFramework.Tests/Resolvers/OpenIddictAuthorizationStoreResolverTests.cs
+++ b/test/OpenIddict.EntityFramework.Tests/Resolvers/OpenIddictAuthorizationStoreResolverTests.cs
@@ -14,6 +14,7 @@ using Moq;
 using OpenIddict.Abstractions;
 using OpenIddict.EntityFramework.Models;
 using Xunit;
+using static OpenIddict.EntityFramework.OpenIddictAuthorizationStoreResolver;
 
 namespace OpenIddict.EntityFramework.Tests
 {
@@ -28,7 +29,7 @@ namespace OpenIddict.EntityFramework.Tests
 
             var options = Mock.Of<IOptionsMonitor<OpenIddictEntityFrameworkOptions>>();
             var provider = services.BuildServiceProvider();
-            var resolver = new OpenIddictAuthorizationStoreResolver(options, provider);
+            var resolver = new OpenIddictAuthorizationStoreResolver(new TypeResolutionCache(), options, provider);
 
             // Act and assert
             Assert.NotNull(resolver.Get<CustomAuthorization>());
@@ -42,7 +43,7 @@ namespace OpenIddict.EntityFramework.Tests
 
             var options = Mock.Of<IOptionsMonitor<OpenIddictEntityFrameworkOptions>>();
             var provider = services.BuildServiceProvider();
-            var resolver = new OpenIddictAuthorizationStoreResolver(options, provider);
+            var resolver = new OpenIddictAuthorizationStoreResolver(new TypeResolutionCache(), options, provider);
 
             // Act and assert
             var exception = Assert.Throws<InvalidOperationException>(() => resolver.Get<CustomAuthorization>());
@@ -68,7 +69,7 @@ namespace OpenIddict.EntityFramework.Tests
                 });
 
             var provider = services.BuildServiceProvider();
-            var resolver = new OpenIddictAuthorizationStoreResolver(options, provider);
+            var resolver = new OpenIddictAuthorizationStoreResolver(new TypeResolutionCache(), options, provider);
 
             // Act and assert
             var exception = Assert.Throws<InvalidOperationException>(() => resolver.Get<OpenIddictAuthorization>());
@@ -95,7 +96,7 @@ namespace OpenIddict.EntityFramework.Tests
                 });
 
             var provider = services.BuildServiceProvider();
-            var resolver = new OpenIddictAuthorizationStoreResolver(options, provider);
+            var resolver = new OpenIddictAuthorizationStoreResolver(new TypeResolutionCache(), options, provider);
 
             // Act and assert
             Assert.NotNull(resolver.Get<MyAuthorization>());
diff --git a/test/OpenIddict.EntityFramework.Tests/Resolvers/OpenIddictScopeStoreResolverTests.cs b/test/OpenIddict.EntityFramework.Tests/Resolvers/OpenIddictScopeStoreResolverTests.cs
index 1e66222a..8d3db847 100644
--- a/test/OpenIddict.EntityFramework.Tests/Resolvers/OpenIddictScopeStoreResolverTests.cs
+++ b/test/OpenIddict.EntityFramework.Tests/Resolvers/OpenIddictScopeStoreResolverTests.cs
@@ -14,6 +14,7 @@ using Moq;
 using OpenIddict.Abstractions;
 using OpenIddict.EntityFramework.Models;
 using Xunit;
+using static OpenIddict.EntityFramework.OpenIddictScopeStoreResolver;
 
 namespace OpenIddict.EntityFramework.Tests
 {
@@ -28,7 +29,7 @@ namespace OpenIddict.EntityFramework.Tests
 
             var options = Mock.Of<IOptionsMonitor<OpenIddictEntityFrameworkOptions>>();
             var provider = services.BuildServiceProvider();
-            var resolver = new OpenIddictScopeStoreResolver(options, provider);
+            var resolver = new OpenIddictScopeStoreResolver(new TypeResolutionCache(), options, provider);
 
             // Act and assert
             Assert.NotNull(resolver.Get<CustomScope>());
@@ -42,7 +43,7 @@ namespace OpenIddict.EntityFramework.Tests
 
             var options = Mock.Of<IOptionsMonitor<OpenIddictEntityFrameworkOptions>>();
             var provider = services.BuildServiceProvider();
-            var resolver = new OpenIddictScopeStoreResolver(options, provider);
+            var resolver = new OpenIddictScopeStoreResolver(new TypeResolutionCache(), options, provider);
 
             // Act and assert
             var exception = Assert.Throws<InvalidOperationException>(() => resolver.Get<CustomScope>());
@@ -68,7 +69,7 @@ namespace OpenIddict.EntityFramework.Tests
                 });
 
             var provider = services.BuildServiceProvider();
-            var resolver = new OpenIddictScopeStoreResolver(options, provider);
+            var resolver = new OpenIddictScopeStoreResolver(new TypeResolutionCache(), options, provider);
 
             // Act and assert
             var exception = Assert.Throws<InvalidOperationException>(() => resolver.Get<OpenIddictScope>());
@@ -95,7 +96,7 @@ namespace OpenIddict.EntityFramework.Tests
                 });
 
             var provider = services.BuildServiceProvider();
-            var resolver = new OpenIddictScopeStoreResolver(options, provider);
+            var resolver = new OpenIddictScopeStoreResolver(new TypeResolutionCache(), options, provider);
 
             // Act and assert
             Assert.NotNull(resolver.Get<MyScope>());
diff --git a/test/OpenIddict.EntityFramework.Tests/Resolvers/OpenIddictTokenStoreResolverTests.cs b/test/OpenIddict.EntityFramework.Tests/Resolvers/OpenIddictTokenStoreResolverTests.cs
index cfe13b5d..6903d605 100644
--- a/test/OpenIddict.EntityFramework.Tests/Resolvers/OpenIddictTokenStoreResolverTests.cs
+++ b/test/OpenIddict.EntityFramework.Tests/Resolvers/OpenIddictTokenStoreResolverTests.cs
@@ -14,6 +14,7 @@ using Moq;
 using OpenIddict.Abstractions;
 using OpenIddict.EntityFramework.Models;
 using Xunit;
+using static OpenIddict.EntityFramework.OpenIddictTokenStoreResolver;
 
 namespace OpenIddict.EntityFramework.Tests
 {
@@ -28,7 +29,7 @@ namespace OpenIddict.EntityFramework.Tests
 
             var options = Mock.Of<IOptionsMonitor<OpenIddictEntityFrameworkOptions>>();
             var provider = services.BuildServiceProvider();
-            var resolver = new OpenIddictTokenStoreResolver(options, provider);
+            var resolver = new OpenIddictTokenStoreResolver(new TypeResolutionCache(), options, provider);
 
             // Act and assert
             Assert.NotNull(resolver.Get<CustomToken>());
@@ -42,7 +43,7 @@ namespace OpenIddict.EntityFramework.Tests
 
             var options = Mock.Of<IOptionsMonitor<OpenIddictEntityFrameworkOptions>>();
             var provider = services.BuildServiceProvider();
-            var resolver = new OpenIddictTokenStoreResolver(options, provider);
+            var resolver = new OpenIddictTokenStoreResolver(new TypeResolutionCache(), options, provider);
 
             // Act and assert
             var exception = Assert.Throws<InvalidOperationException>(() => resolver.Get<CustomToken>());
@@ -68,7 +69,7 @@ namespace OpenIddict.EntityFramework.Tests
                 });
 
             var provider = services.BuildServiceProvider();
-            var resolver = new OpenIddictTokenStoreResolver(options, provider);
+            var resolver = new OpenIddictTokenStoreResolver(new TypeResolutionCache(), options, provider);
 
             // Act and assert
             var exception = Assert.Throws<InvalidOperationException>(() => resolver.Get<OpenIddictToken>());
@@ -95,7 +96,7 @@ namespace OpenIddict.EntityFramework.Tests
                 });
 
             var provider = services.BuildServiceProvider();
-            var resolver = new OpenIddictTokenStoreResolver(options, provider);
+            var resolver = new OpenIddictTokenStoreResolver(new TypeResolutionCache(), options, provider);
 
             // Act and assert
             Assert.NotNull(resolver.Get<MyToken>());
diff --git a/test/OpenIddict.EntityFrameworkCore.Tests/OpenIddictEntityFrameworkCoreExtensionsTests.cs b/test/OpenIddict.EntityFrameworkCore.Tests/OpenIddictEntityFrameworkCoreExtensionsTests.cs
index a23197ec..3c519a9e 100644
--- a/test/OpenIddict.EntityFrameworkCore.Tests/OpenIddictEntityFrameworkCoreExtensionsTests.cs
+++ b/test/OpenIddict.EntityFrameworkCore.Tests/OpenIddictEntityFrameworkCoreExtensionsTests.cs
@@ -81,6 +81,25 @@ namespace OpenIddict.EntityFrameworkCore.Tests
                                                  service.ImplementationType == implementationType);
         }
 
+        [Theory]
+        [InlineData(typeof(OpenIddictApplicationStoreResolver.TypeResolutionCache))]
+        [InlineData(typeof(OpenIddictAuthorizationStoreResolver.TypeResolutionCache))]
+        [InlineData(typeof(OpenIddictScopeStoreResolver.TypeResolutionCache))]
+        [InlineData(typeof(OpenIddictTokenStoreResolver.TypeResolutionCache))]
+        public void UseEntityFrameworkCore_RegistersEntityFrameworkCoreStoreResolverCaches(Type type)
+        {
+            // Arrange
+            var services = new ServiceCollection();
+            var builder = new OpenIddictCoreBuilder(services);
+
+            // Act
+            builder.UseEntityFrameworkCore();
+
+            // Assert
+            Assert.Contains(services, service => service.ServiceType == type &&
+                                                 service.ImplementationType == type);
+        }
+
         [Theory]
         [InlineData(typeof(OpenIddictApplicationStore<,,,,>))]
         [InlineData(typeof(OpenIddictAuthorizationStore<,,,,>))]
diff --git a/test/OpenIddict.EntityFrameworkCore.Tests/Resolvers/OpenIddictApplicationStoreResolverTests.cs b/test/OpenIddict.EntityFrameworkCore.Tests/Resolvers/OpenIddictApplicationStoreResolverTests.cs
index 9e6bfe4c..2fefb1b1 100644
--- a/test/OpenIddict.EntityFrameworkCore.Tests/Resolvers/OpenIddictApplicationStoreResolverTests.cs
+++ b/test/OpenIddict.EntityFrameworkCore.Tests/Resolvers/OpenIddictApplicationStoreResolverTests.cs
@@ -14,6 +14,7 @@ using Moq;
 using OpenIddict.Abstractions;
 using OpenIddict.EntityFrameworkCore.Models;
 using Xunit;
+using static OpenIddict.EntityFrameworkCore.OpenIddictApplicationStoreResolver;
 
 namespace OpenIddict.EntityFrameworkCore.Tests
 {
@@ -28,7 +29,7 @@ namespace OpenIddict.EntityFrameworkCore.Tests
 
             var options = Mock.Of<IOptionsMonitor<OpenIddictEntityFrameworkCoreOptions>>();
             var provider = services.BuildServiceProvider();
-            var resolver = new OpenIddictApplicationStoreResolver(options, provider);
+            var resolver = new OpenIddictApplicationStoreResolver(new TypeResolutionCache(), options, provider);
 
             // Act and assert
             Assert.NotNull(resolver.Get<CustomApplication>());
@@ -42,7 +43,7 @@ namespace OpenIddict.EntityFrameworkCore.Tests
 
             var options = Mock.Of<IOptionsMonitor<OpenIddictEntityFrameworkCoreOptions>>();
             var provider = services.BuildServiceProvider();
-            var resolver = new OpenIddictApplicationStoreResolver(options, provider);
+            var resolver = new OpenIddictApplicationStoreResolver(new TypeResolutionCache(), options, provider);
 
             // Act and assert
             var exception = Assert.Throws<InvalidOperationException>(() => resolver.Get<CustomApplication>());
@@ -68,7 +69,7 @@ namespace OpenIddict.EntityFrameworkCore.Tests
                 });
 
             var provider = services.BuildServiceProvider();
-            var resolver = new OpenIddictApplicationStoreResolver(options, provider);
+            var resolver = new OpenIddictApplicationStoreResolver(new TypeResolutionCache(), options, provider);
 
             // Act and assert
             var exception = Assert.Throws<InvalidOperationException>(() => resolver.Get<OpenIddictApplication>());
@@ -95,7 +96,7 @@ namespace OpenIddict.EntityFrameworkCore.Tests
                 });
 
             var provider = services.BuildServiceProvider();
-            var resolver = new OpenIddictApplicationStoreResolver(options, provider);
+            var resolver = new OpenIddictApplicationStoreResolver(new TypeResolutionCache(), options, provider);
 
             // Act and assert
             Assert.NotNull(resolver.Get<MyApplication>());
diff --git a/test/OpenIddict.EntityFrameworkCore.Tests/Resolvers/OpenIddictAuthorizationStoreResolverTests.cs b/test/OpenIddict.EntityFrameworkCore.Tests/Resolvers/OpenIddictAuthorizationStoreResolverTests.cs
index ef04c8d7..e58821fc 100644
--- a/test/OpenIddict.EntityFrameworkCore.Tests/Resolvers/OpenIddictAuthorizationStoreResolverTests.cs
+++ b/test/OpenIddict.EntityFrameworkCore.Tests/Resolvers/OpenIddictAuthorizationStoreResolverTests.cs
@@ -14,6 +14,7 @@ using Moq;
 using OpenIddict.Abstractions;
 using OpenIddict.EntityFrameworkCore.Models;
 using Xunit;
+using static OpenIddict.EntityFrameworkCore.OpenIddictAuthorizationStoreResolver;
 
 namespace OpenIddict.EntityFrameworkCore.Tests
 {
@@ -28,7 +29,7 @@ namespace OpenIddict.EntityFrameworkCore.Tests
 
             var options = Mock.Of<IOptionsMonitor<OpenIddictEntityFrameworkCoreOptions>>();
             var provider = services.BuildServiceProvider();
-            var resolver = new OpenIddictAuthorizationStoreResolver(options, provider);
+            var resolver = new OpenIddictAuthorizationStoreResolver(new TypeResolutionCache(), options, provider);
 
             // Act and assert
             Assert.NotNull(resolver.Get<CustomAuthorization>());
@@ -42,7 +43,7 @@ namespace OpenIddict.EntityFrameworkCore.Tests
 
             var options = Mock.Of<IOptionsMonitor<OpenIddictEntityFrameworkCoreOptions>>();
             var provider = services.BuildServiceProvider();
-            var resolver = new OpenIddictAuthorizationStoreResolver(options, provider);
+            var resolver = new OpenIddictAuthorizationStoreResolver(new TypeResolutionCache(), options, provider);
 
             // Act and assert
             var exception = Assert.Throws<InvalidOperationException>(() => resolver.Get<CustomAuthorization>());
@@ -68,7 +69,7 @@ namespace OpenIddict.EntityFrameworkCore.Tests
                 });
 
             var provider = services.BuildServiceProvider();
-            var resolver = new OpenIddictAuthorizationStoreResolver(options, provider);
+            var resolver = new OpenIddictAuthorizationStoreResolver(new TypeResolutionCache(), options, provider);
 
             // Act and assert
             var exception = Assert.Throws<InvalidOperationException>(() => resolver.Get<OpenIddictAuthorization>());
@@ -95,7 +96,7 @@ namespace OpenIddict.EntityFrameworkCore.Tests
                 });
 
             var provider = services.BuildServiceProvider();
-            var resolver = new OpenIddictAuthorizationStoreResolver(options, provider);
+            var resolver = new OpenIddictAuthorizationStoreResolver(new TypeResolutionCache(), options, provider);
 
             // Act and assert
             Assert.NotNull(resolver.Get<MyAuthorization>());
diff --git a/test/OpenIddict.EntityFrameworkCore.Tests/Resolvers/OpenIddictScopeStoreResolverTests.cs b/test/OpenIddict.EntityFrameworkCore.Tests/Resolvers/OpenIddictScopeStoreResolverTests.cs
index b46003e9..89fea545 100644
--- a/test/OpenIddict.EntityFrameworkCore.Tests/Resolvers/OpenIddictScopeStoreResolverTests.cs
+++ b/test/OpenIddict.EntityFrameworkCore.Tests/Resolvers/OpenIddictScopeStoreResolverTests.cs
@@ -14,6 +14,7 @@ using Moq;
 using OpenIddict.Abstractions;
 using OpenIddict.EntityFrameworkCore.Models;
 using Xunit;
+using static OpenIddict.EntityFrameworkCore.OpenIddictScopeStoreResolver;
 
 namespace OpenIddict.EntityFrameworkCore.Tests
 {
@@ -28,7 +29,7 @@ namespace OpenIddict.EntityFrameworkCore.Tests
 
             var options = Mock.Of<IOptionsMonitor<OpenIddictEntityFrameworkCoreOptions>>();
             var provider = services.BuildServiceProvider();
-            var resolver = new OpenIddictScopeStoreResolver(options, provider);
+            var resolver = new OpenIddictScopeStoreResolver(new TypeResolutionCache(), options, provider);
 
             // Act and assert
             Assert.NotNull(resolver.Get<CustomScope>());
@@ -42,7 +43,7 @@ namespace OpenIddict.EntityFrameworkCore.Tests
 
             var options = Mock.Of<IOptionsMonitor<OpenIddictEntityFrameworkCoreOptions>>();
             var provider = services.BuildServiceProvider();
-            var resolver = new OpenIddictScopeStoreResolver(options, provider);
+            var resolver = new OpenIddictScopeStoreResolver(new TypeResolutionCache(), options, provider);
 
             // Act and assert
             var exception = Assert.Throws<InvalidOperationException>(() => resolver.Get<CustomScope>());
@@ -68,7 +69,7 @@ namespace OpenIddict.EntityFrameworkCore.Tests
                 });
 
             var provider = services.BuildServiceProvider();
-            var resolver = new OpenIddictScopeStoreResolver(options, provider);
+            var resolver = new OpenIddictScopeStoreResolver(new TypeResolutionCache(), options, provider);
 
             // Act and assert
             var exception = Assert.Throws<InvalidOperationException>(() => resolver.Get<OpenIddictScope>());
@@ -95,7 +96,7 @@ namespace OpenIddict.EntityFrameworkCore.Tests
                 });
 
             var provider = services.BuildServiceProvider();
-            var resolver = new OpenIddictScopeStoreResolver(options, provider);
+            var resolver = new OpenIddictScopeStoreResolver(new TypeResolutionCache(), options, provider);
 
             // Act and assert
             Assert.NotNull(resolver.Get<MyScope>());
diff --git a/test/OpenIddict.EntityFrameworkCore.Tests/Resolvers/OpenIddictTokenStoreResolverTests.cs b/test/OpenIddict.EntityFrameworkCore.Tests/Resolvers/OpenIddictTokenStoreResolverTests.cs
index 973eca85..db5a2db1 100644
--- a/test/OpenIddict.EntityFrameworkCore.Tests/Resolvers/OpenIddictTokenStoreResolverTests.cs
+++ b/test/OpenIddict.EntityFrameworkCore.Tests/Resolvers/OpenIddictTokenStoreResolverTests.cs
@@ -14,6 +14,7 @@ using Moq;
 using OpenIddict.Abstractions;
 using OpenIddict.EntityFrameworkCore.Models;
 using Xunit;
+using static OpenIddict.EntityFrameworkCore.OpenIddictTokenStoreResolver;
 
 namespace OpenIddict.EntityFrameworkCore.Tests
 {
@@ -28,7 +29,7 @@ namespace OpenIddict.EntityFrameworkCore.Tests
 
             var options = Mock.Of<IOptionsMonitor<OpenIddictEntityFrameworkCoreOptions>>();
             var provider = services.BuildServiceProvider();
-            var resolver = new OpenIddictTokenStoreResolver(options, provider);
+            var resolver = new OpenIddictTokenStoreResolver(new TypeResolutionCache(), options, provider);
 
             // Act and assert
             Assert.NotNull(resolver.Get<CustomToken>());
@@ -42,7 +43,7 @@ namespace OpenIddict.EntityFrameworkCore.Tests
 
             var options = Mock.Of<IOptionsMonitor<OpenIddictEntityFrameworkCoreOptions>>();
             var provider = services.BuildServiceProvider();
-            var resolver = new OpenIddictTokenStoreResolver(options, provider);
+            var resolver = new OpenIddictTokenStoreResolver(new TypeResolutionCache(), options, provider);
 
             // Act and assert
             var exception = Assert.Throws<InvalidOperationException>(() => resolver.Get<CustomToken>());
@@ -68,7 +69,7 @@ namespace OpenIddict.EntityFrameworkCore.Tests
                 });
 
             var provider = services.BuildServiceProvider();
-            var resolver = new OpenIddictTokenStoreResolver(options, provider);
+            var resolver = new OpenIddictTokenStoreResolver(new TypeResolutionCache(), options, provider);
 
             // Act and assert
             var exception = Assert.Throws<InvalidOperationException>(() => resolver.Get<OpenIddictToken>());
@@ -95,7 +96,7 @@ namespace OpenIddict.EntityFrameworkCore.Tests
                 });
 
             var provider = services.BuildServiceProvider();
-            var resolver = new OpenIddictTokenStoreResolver(options, provider);
+            var resolver = new OpenIddictTokenStoreResolver(new TypeResolutionCache(), options, provider);
 
             // Act and assert
             Assert.NotNull(resolver.Get<MyToken>());

From 1917cf08d0665d4a313c682e688197f464d9e16c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Sat, 5 Oct 2019 18:30:25 +0200
Subject: [PATCH 19/64] Add appveyor.yml

---
 appveyor.yml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 appveyor.yml

diff --git a/appveyor.yml b/appveyor.yml
new file mode 100644
index 00000000..a6bf7f44
--- /dev/null
+++ b/appveyor.yml
@@ -0,0 +1,30 @@
+version: '{build}'
+image: Visual Studio 2017
+
+build_script:
+- cmd: >-
+    set CONFIGURATION=Release
+
+    set BUILDNUMBER=000%APPVEYOR_BUILD_NUMBER%
+
+    set BUILDNUMBER=%BUILDNUMBER:~-4%
+
+    set DOTNET_SKIP_FIRST_TIME_EXPERIENCE=true
+
+    set DOTNET_CLI_TELEMETRY_OPTOUT=1
+
+    build.cmd
+
+test: off
+
+artifacts:
+- path: artifacts\build\*.nupkg
+  name: NuGet
+
+deploy:
+- provider: NuGet
+  server: https://www.myget.org/F/openiddict/api/v2/package
+  api_key:
+    secure: 0ZVg9vnH4PzTu0CXjTZyDmvvzPMt1R8Yl1ObxleO8dAMk6M1AqmU3YmoaQkc2VNi
+  skip_symbols: false
+  symbol_server: https://www.myget.org/F/openiddict/api/v2/package
\ No newline at end of file

From 880b0e1eb7b188bb5f07b5bf5b95906cc70414a4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Sat, 5 Oct 2019 18:54:43 +0200
Subject: [PATCH 20/64] Remove compiled queries from the EF Core 2.x stores

---
 .../Stores/OpenIddictApplicationStore.cs      |  79 +++----
 .../Stores/OpenIddictAuthorizationStore.cs    | 159 +++++---------
 .../Stores/OpenIddictScopeStore.cs            |  70 ++----
 .../Stores/OpenIddictTokenStore.cs            | 205 ++++++------------
 4 files changed, 176 insertions(+), 337 deletions(-)

diff --git a/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictApplicationStore.cs b/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictApplicationStore.cs
index 8798d150..bddb7701 100644
--- a/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictApplicationStore.cs
+++ b/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictApplicationStore.cs
@@ -16,7 +16,6 @@ using System.Threading.Tasks;
 using JetBrains.Annotations;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.EntityFrameworkCore.Infrastructure;
-using Microsoft.EntityFrameworkCore.Query;
 using Microsoft.EntityFrameworkCore.Storage;
 using Microsoft.Extensions.Caching.Memory;
 using Microsoft.Extensions.Options;
@@ -273,15 +272,6 @@ namespace OpenIddict.EntityFrameworkCore
             }
         }
 
-        /// <summary>
-        /// Exposes a compiled query allowing to retrieve an application using its client identifier.
-        /// </summary>
-        private static readonly Func<TContext, string, Task<TApplication>> FindByClientId =
-            EF.CompileAsyncQuery((TContext context, string identifier) =>
-                (from application in context.Set<TApplication>().AsTracking()
-                 where application.ClientId == identifier
-                 select application).FirstOrDefault());
-
         /// <summary>
         /// Retrieves an application using its client identifier.
         /// </summary>
@@ -298,18 +288,11 @@ namespace OpenIddict.EntityFrameworkCore
                 throw new ArgumentException("The identifier cannot be null or empty.", nameof(identifier));
             }
 
-            return FindByClientId(Context, identifier);
+            return (from application in Applications.AsTracking()
+                    where application.ClientId == identifier
+                    select application).FirstOrDefaultAsync(cancellationToken);
         }
 
-        /// <summary>
-        /// Exposes a compiled query allowing to retrieve an application using its unique identifier.
-        /// </summary>
-        private static readonly Func<TContext, TKey, Task<TApplication>> FindById =
-            EF.CompileAsyncQuery((TContext context, TKey identifier) =>
-                (from application in context.Set<TApplication>().AsTracking()
-                 where application.Id.Equals(identifier)
-                 select application).FirstOrDefault());
-
         /// <summary>
         /// Retrieves an application using its unique identifier.
         /// </summary>
@@ -326,23 +309,12 @@ namespace OpenIddict.EntityFrameworkCore
                 throw new ArgumentException("The identifier cannot be null or empty.", nameof(identifier));
             }
 
-            return FindById(Context, ConvertIdentifierFromString(identifier));
-        }
+            var key = ConvertIdentifierFromString(identifier);
 
-        /// <summary>
-        /// Exposes a compiled query allowing to retrieve all the applications
-        /// associated with the specified post_logout_redirect_uri.
-        /// </summary>
-        private static readonly Func<TContext, string, AsyncEnumerable<TApplication>> FindByPostLogoutRedirectUri =
-            // To optimize the efficiency of the query a bit, only applications whose stringified
-            // PostLogoutRedirectUris contains the specified URL are returned. Once the applications
-            // are retrieved, a second pass is made to ensure only valid elements are returned.
-            // Implementers that use this query in a hot path may want to override this method
-            // to use SQL Server 2016 functions like JSON_VALUE to make the query more efficient.
-            EF.CompileAsyncQuery((TContext context, string address) =>
-                from application in context.Set<TApplication>().AsTracking()
-                where application.PostLogoutRedirectUris.Contains(address)
-                select application);
+            return (from application in Applications.AsTracking()
+                    where application.Id.Equals(key)
+                    select application).FirstOrDefaultAsync(cancellationToken);
+        }
 
         /// <summary>
         /// Retrieves all the applications associated with the specified post_logout_redirect_uri.
@@ -361,7 +333,15 @@ namespace OpenIddict.EntityFrameworkCore
                 throw new ArgumentException("The address cannot be null or empty.", nameof(address));
             }
 
-            var applications = await FindByPostLogoutRedirectUri(Context, address).ToListAsync(cancellationToken);
+            // To optimize the efficiency of the query a bit, only applications whose stringified
+            // PostLogoutRedirectUris contains the specified URL are returned. Once the applications
+            // are retrieved, a second pass is made to ensure only valid elements are returned.
+            // Implementers that use this method in a hot path may want to override this method
+            // to use SQL Server 2016 functions like JSON_VALUE to make the query more efficient.
+            var applications = await (from application in Applications.AsTracking()
+                                      where application.PostLogoutRedirectUris.Contains(address)
+                                      select application).ToListAsync(cancellationToken);
+
             var builder = ImmutableArray.CreateBuilder<TApplication>(applications.Count);
 
             foreach (var application in applications)
@@ -384,21 +364,6 @@ namespace OpenIddict.EntityFrameworkCore
                 builder.ToImmutable();
         }
 
-        /// <summary>
-        /// Exposes a compiled query allowing to retrieve all the
-        /// applications associated with the specified redirect_uri.
-        /// </summary>
-        private static readonly Func<TContext, string, AsyncEnumerable<TApplication>> FindByRedirectUri =
-            // To optimize the efficiency of the query a bit, only applications whose stringified
-            // RedirectUris property contains the specified URL are returned. Once the applications
-            // are retrieved, a second pass is made to ensure only valid elements are returned.
-            // Implementers that use this query in a hot path may want to override this method
-            // to use SQL Server 2016 functions like JSON_VALUE to make the query more efficient.
-            EF.CompileAsyncQuery((TContext context, string address) =>
-                from application in context.Set<TApplication>().AsTracking()
-                where application.RedirectUris.Contains(address)
-                select application);
-
         /// <summary>
         /// Retrieves all the applications associated with the specified redirect_uri.
         /// </summary>
@@ -416,7 +381,15 @@ namespace OpenIddict.EntityFrameworkCore
                 throw new ArgumentException("The address cannot be null or empty.", nameof(address));
             }
 
-            var applications = await FindByRedirectUri(Context, address).ToListAsync(cancellationToken);
+            // To optimize the efficiency of the query a bit, only applications whose stringified
+            // RedirectUris property contains the specified URL are returned. Once the applications
+            // are retrieved, a second pass is made to ensure only valid elements are returned.
+            // Implementers that use this method in a hot path may want to override this method
+            // to use SQL Server 2016 functions like JSON_VALUE to make the query more efficient.
+            var applications = await (from application in Applications.AsTracking()
+                                      where application.RedirectUris.Contains(address)
+                                      select application).ToListAsync(cancellationToken);
+
             var builder = ImmutableArray.CreateBuilder<TApplication>(applications.Count);
 
             foreach (var application in applications)
diff --git a/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictAuthorizationStore.cs b/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictAuthorizationStore.cs
index dcd3627a..cea6805c 100644
--- a/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictAuthorizationStore.cs
+++ b/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictAuthorizationStore.cs
@@ -16,7 +16,6 @@ using System.Threading.Tasks;
 using JetBrains.Annotations;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.EntityFrameworkCore.Infrastructure;
-using Microsoft.EntityFrameworkCore.Query;
 using Microsoft.EntityFrameworkCore.Storage;
 using Microsoft.Extensions.Caching.Memory;
 using Microsoft.Extensions.Options;
@@ -249,24 +248,6 @@ namespace OpenIddict.EntityFrameworkCore
             }
         }
 
-        /// <summary>
-        /// Exposes a compiled query allowing to retrieve the authorizations corresponding
-        /// to the specified subject and associated with the application identifier.
-        /// </summary>
-        private static readonly Func<TContext, TKey, string, AsyncEnumerable<TAuthorization>> FindBySubjectAndClient =
-            // Note: due to a bug in Entity Framework Core's query visitor, the authorizations can't be
-            // filtered using authorization.Application.Id.Equals(key). To work around this issue,
-            // this compiled query uses an explicit join before applying the equality check.
-            // See https://github.com/openiddict/openiddict-core/issues/499 for more information.
-            EF.CompileAsyncQuery((TContext context, TKey identifier, string subject) =>
-                from authorization in context.Set<TAuthorization>()
-                    .Include(authorization => authorization.Application)
-                    .AsTracking()
-                where authorization.Subject == subject
-                join application in context.Set<TApplication>().AsTracking() on authorization.Application.Id equals application.Id
-                where application.Id.Equals(identifier)
-                select authorization);
-
         /// <summary>
         /// Retrieves the authorizations corresponding to the specified
         /// subject and associated with the application identifier.
@@ -291,26 +272,20 @@ namespace OpenIddict.EntityFrameworkCore
                 throw new ArgumentException("The client cannot be null or empty.", nameof(client));
             }
 
-            return ImmutableArray.CreateRange(await FindBySubjectAndClient(Context,
-                ConvertIdentifierFromString(client), subject).ToListAsync(cancellationToken));
-        }
-
-        /// <summary>
-        /// Exposes a compiled query allowing to retrieve the authorizations matching the specified parameters.
-        /// </summary>
-        private static readonly Func<TContext, TKey, string, string, AsyncEnumerable<TAuthorization>> FindBySubjectClientAndStatus =
             // Note: due to a bug in Entity Framework Core's query visitor, the authorizations can't be
             // filtered using authorization.Application.Id.Equals(key). To work around this issue,
-            // this compiled query uses an explicit join before applying the equality check.
+            // this method is overriden to use an explicit join before applying the equality check.
             // See https://github.com/openiddict/openiddict-core/issues/499 for more information.
-            EF.CompileAsyncQuery((TContext context, TKey identifier, string subject, string status) =>
-                from authorization in context.Set<TAuthorization>()
-                    .Include(authorization => authorization.Application)
-                    .AsTracking()
-                where authorization.Subject == subject && authorization.Status == status
-                join application in context.Set<TApplication>().AsTracking() on authorization.Application.Id equals application.Id
-                where application.Id.Equals(identifier)
-                select authorization);
+
+            var key = ConvertIdentifierFromString(client);
+
+            return ImmutableArray.CreateRange(
+                await (from authorization in Authorizations.Include(authorization => authorization.Application).AsTracking()
+                       where authorization.Subject == subject
+                       join application in Applications.AsTracking() on authorization.Application.Id equals application.Id
+                       where application.Id.Equals(key)
+                       select authorization).ToListAsync(cancellationToken));
+        }
 
         /// <summary>
         /// Retrieves the authorizations matching the specified parameters.
@@ -342,28 +317,20 @@ namespace OpenIddict.EntityFrameworkCore
                 throw new ArgumentException("The status cannot be null or empty.", nameof(status));
             }
 
-            return ImmutableArray.CreateRange(await FindBySubjectClientAndStatus(Context,
-                ConvertIdentifierFromString(client), subject, status).ToListAsync(cancellationToken));
-        }
-
-        /// <summary>
-        /// Exposes a compiled query allowing to retrieve the authorizations matching the specified parameters.
-        /// </summary>
-        private static readonly Func<TContext, TKey, string, string, string, AsyncEnumerable<TAuthorization>> FindBySubjectClientStatusAndType =
             // Note: due to a bug in Entity Framework Core's query visitor, the authorizations can't be
             // filtered using authorization.Application.Id.Equals(key). To work around this issue,
-            // this compiled query uses an explicit join before applying the equality check.
+            // this method is overriden to use an explicit join before applying the equality check.
             // See https://github.com/openiddict/openiddict-core/issues/499 for more information.
-            EF.CompileAsyncQuery((TContext context, TKey identifier, string subject, string status, string type) =>
-                from authorization in context.Set<TAuthorization>()
-                    .Include(authorization => authorization.Application)
-                    .AsTracking()
-                where authorization.Subject == subject &&
-                      authorization.Status == status &&
-                      authorization.Type == type
-                join application in context.Set<TApplication>().AsTracking() on authorization.Application.Id equals application.Id
-                where application.Id.Equals(identifier)
-                select authorization);
+
+            var key = ConvertIdentifierFromString(client);
+
+            return ImmutableArray.CreateRange(
+                await (from authorization in Authorizations.Include(authorization => authorization.Application).AsTracking()
+                       where authorization.Subject == subject && authorization.Status == status
+                       join application in Applications.AsTracking() on authorization.Application.Id equals application.Id
+                       where application.Id.Equals(key)
+                       select authorization).ToListAsync(cancellationToken));
+        }
 
         /// <summary>
         /// Retrieves the authorizations matching the specified parameters.
@@ -401,8 +368,21 @@ namespace OpenIddict.EntityFrameworkCore
                 throw new ArgumentException("The type cannot be null or empty.", nameof(type));
             }
 
-            return ImmutableArray.CreateRange(await FindBySubjectClientStatusAndType(Context,
-                ConvertIdentifierFromString(client), subject, status, type).ToListAsync(cancellationToken));
+            // Note: due to a bug in Entity Framework Core's query visitor, the authorizations can't be
+            // filtered using authorization.Application.Id.Equals(key). To work around this issue,
+            // this method is overriden to use an explicit join before applying the equality check.
+            // See https://github.com/openiddict/openiddict-core/issues/499 for more information.
+
+            var key = ConvertIdentifierFromString(client);
+
+            return ImmutableArray.CreateRange(
+                await (from authorization in Authorizations.Include(authorization => authorization.Application).AsTracking()
+                       where authorization.Subject == subject &&
+                             authorization.Status == status &&
+                             authorization.Type == type
+                       join application in Applications.AsTracking() on authorization.Application.Id equals application.Id
+                       where application.Id.Equals(key)
+                       select authorization).ToListAsync(cancellationToken));
         }
 
         /// <summary>
@@ -449,23 +429,6 @@ namespace OpenIddict.EntityFrameworkCore
                 builder.ToImmutable();
         }
 
-        /// <summary>
-        /// Exposes a compiled query allowing to retrieve the list of
-        /// authorizations corresponding to the specified application identifier.
-        /// </summary>
-        private static readonly Func<TContext, TKey, AsyncEnumerable<TAuthorization>> FindByApplicationId =
-            // Note: due to a bug in Entity Framework Core's query visitor, the authorizations can't be
-            // filtered using authorization.Application.Id.Equals(key). To work around this issue,
-            // this compiled query uses an explicit join before applying the equality check.
-            // See https://github.com/openiddict/openiddict-core/issues/499 for more information.
-            EF.CompileAsyncQuery((TContext context, TKey identifier) =>
-                from authorization in context.Set<TAuthorization>()
-                    .Include(authorization => authorization.Application)
-                    .AsTracking()
-                join application in context.Set<TApplication>().AsTracking() on authorization.Application.Id equals application.Id
-                where application.Id.Equals(identifier)
-                select authorization);
-
         /// <summary>
         /// Retrieves the list of authorizations corresponding to the specified application identifier.
         /// </summary>
@@ -483,20 +446,19 @@ namespace OpenIddict.EntityFrameworkCore
                 throw new ArgumentException("The identifier cannot be null or empty.", nameof(identifier));
             }
 
-            return ImmutableArray.CreateRange(await FindByApplicationId(Context,
-                ConvertIdentifierFromString(identifier)).ToListAsync(cancellationToken));
-        }
+            // Note: due to a bug in Entity Framework Core's query visitor, the authorizations can't be
+            // filtered using authorization.Application.Id.Equals(key). To work around this issue,
+            // this method is overriden to use an explicit join before applying the equality check.
+            // See https://github.com/openiddict/openiddict-core/issues/499 for more information.
 
-        /// <summary>
-        /// Exposes a compiled query allowing to retrieve an authorization using its unique identifier.
-        /// </summary>
-        private static readonly Func<TContext, TKey, Task<TAuthorization>> FindById =
-            EF.CompileAsyncQuery((TContext context, TKey identifier) =>
-                (from authorization in context.Set<TAuthorization>()
-                    .Include(authorization => authorization.Application)
-                    .AsTracking()
-                 where authorization.Id.Equals(identifier)
-                 select authorization).FirstOrDefault());
+            var key = ConvertIdentifierFromString(identifier);
+
+            return ImmutableArray.CreateRange(
+                await (from authorization in Authorizations.Include(authorization => authorization.Application).AsTracking()
+                       join application in Applications.AsTracking() on authorization.Application.Id equals application.Id
+                       where application.Id.Equals(identifier)
+                       select authorization).ToListAsync(cancellationToken));
+        }
 
         /// <summary>
         /// Retrieves an authorization using its unique identifier.
@@ -514,20 +476,12 @@ namespace OpenIddict.EntityFrameworkCore
                 throw new ArgumentException("The identifier cannot be null or empty.", nameof(identifier));
             }
 
-            return FindById(Context, ConvertIdentifierFromString(identifier));
-        }
+            var key = ConvertIdentifierFromString(identifier);
 
-        /// <summary>
-        /// Exposes a compiled query allowing to retrieve all the
-        /// authorizations corresponding to the specified subject.
-        /// </summary>
-        private static readonly Func<TContext, string, AsyncEnumerable<TAuthorization>> FindBySubject =
-            EF.CompileAsyncQuery((TContext context, string subject) =>
-                from authorization in context.Set<TAuthorization>()
-                    .Include(authorization => authorization.Application)
-                    .AsTracking()
-                where authorization.Subject == subject
-                select authorization);
+            return (from authorization in Authorizations.Include(authorization => authorization.Application).AsTracking()
+                    where authorization.Id.Equals(key)
+                    select authorization).FirstOrDefaultAsync(cancellationToken);
+        }
 
         /// <summary>
         /// Retrieves .
@@ -546,7 +500,10 @@ namespace OpenIddict.EntityFrameworkCore
                 throw new ArgumentException("The subject cannot be null or empty.", nameof(subject));
             }
 
-            return ImmutableArray.CreateRange(await FindBySubject(Context, subject).ToListAsync(cancellationToken));
+            return ImmutableArray.CreateRange(
+                await (from authorization in Authorizations.Include(authorization => authorization.Application).AsTracking()
+                       where authorization.Subject == subject
+                       select authorization).ToListAsync(cancellationToken));
         }
 
         /// <summary>
diff --git a/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictScopeStore.cs b/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictScopeStore.cs
index f945e4f8..9f4aee41 100644
--- a/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictScopeStore.cs
+++ b/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictScopeStore.cs
@@ -13,7 +13,6 @@ using System.Threading;
 using System.Threading.Tasks;
 using JetBrains.Annotations;
 using Microsoft.EntityFrameworkCore;
-using Microsoft.EntityFrameworkCore.Query;
 using Microsoft.Extensions.Caching.Memory;
 using Microsoft.Extensions.Options;
 using Newtonsoft.Json;
@@ -180,15 +179,6 @@ namespace OpenIddict.EntityFrameworkCore
             }
         }
 
-        /// <summary>
-        /// Exposes a compiled query allowing to retrieve a scope using its unique identifier.
-        /// </summary>
-        private static readonly Func<TContext, TKey, Task<TScope>> FindById =
-            EF.CompileAsyncQuery((TContext context, TKey identifier) =>
-                (from scope in context.Set<TScope>().AsTracking()
-                 where scope.Id.Equals(identifier)
-                 select scope).FirstOrDefault());
-
         /// <summary>
         /// Retrieves a scope using its unique identifier.
         /// </summary>
@@ -205,17 +195,12 @@ namespace OpenIddict.EntityFrameworkCore
                 throw new ArgumentException("The identifier cannot be null or empty.", nameof(identifier));
             }
 
-            return FindById(Context, ConvertIdentifierFromString(identifier));
-        }
+            var key = ConvertIdentifierFromString(identifier);
 
-        /// <summary>
-        /// Exposes a compiled query allowing to retrieve a scope using its name.
-        /// </summary>
-        private static readonly Func<TContext, string, Task<TScope>> FindByName =
-            EF.CompileAsyncQuery((TContext context, string name) =>
-                (from scope in context.Set<TScope>().AsTracking()
-                 where scope.Name == name
-                 select scope).FirstOrDefault());
+            return (from scope in Scopes.AsTracking()
+                    where scope.Id.Equals(key)
+                    select scope).FirstOrDefaultAsync(cancellationToken);
+        }
 
         /// <summary>
         /// Retrieves a scope using its name.
@@ -233,18 +218,11 @@ namespace OpenIddict.EntityFrameworkCore
                 throw new ArgumentException("The scope name cannot be null or empty.", nameof(name));
             }
 
-            return FindByName(Context, name);
+            return (from scope in Scopes.AsTracking()
+                    where scope.Name == name
+                    select scope).FirstOrDefaultAsync(cancellationToken);
         }
 
-        /// <summary>
-        /// Exposes a compiled query allowing to retrieve a list of scopes using their name.
-        /// </summary>
-        private static readonly Func<TContext, ImmutableArray<string>, AsyncEnumerable<TScope>> FindByNames =
-            EF.CompileAsyncQuery((TContext context, ImmutableArray<string> names) =>
-                from scope in context.Set<TScope>().AsTracking()
-                where names.Contains(scope.Name)
-                select scope);
-
         /// <summary>
         /// Retrieves a list of scopes using their name.
         /// </summary>
@@ -262,23 +240,12 @@ namespace OpenIddict.EntityFrameworkCore
                 throw new ArgumentException("Scope names cannot be null or empty.", nameof(names));
             }
 
-            return ImmutableArray.CreateRange(await FindByNames(Context, names).ToListAsync(cancellationToken));
+            return ImmutableArray.CreateRange(
+                await (from scope in Scopes.AsTracking()
+                       where names.Contains(scope.Name)
+                       select scope).ToListAsync(cancellationToken));
         }
 
-        /// <summary>
-        /// Exposes a compiled query allowing to retrieve all the scopes that contain the specified resource.
-        /// </summary>
-        private static readonly Func<TContext, string, AsyncEnumerable<TScope>> FindByResource =
-            // To optimize the efficiency of the query a bit, only scopes whose stringified
-            // Resources column contains the specified resource are returned. Once the scopes
-            // are retrieved, a second pass is made to ensure only valid elements are returned.
-            // Implementers that use this query in a hot path may want to override this method
-            // to use SQL Server 2016 functions like JSON_VALUE to make the query more efficient.
-            EF.CompileAsyncQuery((TContext context, string resource) =>
-                from scope in context.Set<TScope>().AsTracking()
-                where scope.Resources.Contains(resource)
-                select scope);
-
         /// <summary>
         /// Retrieves all the scopes that contain the specified resource.
         /// </summary>
@@ -296,12 +263,21 @@ namespace OpenIddict.EntityFrameworkCore
                 throw new ArgumentException("The resource cannot be null or empty.", nameof(resource));
             }
 
+            // To optimize the efficiency of the query a bit, only scopes whose stringified
+            // Resources column contains the specified resource are returned. Once the scopes
+            // are retrieved, a second pass is made to ensure only valid elements are returned.
+            // Implementers that use this method in a hot path may want to override this method
+            // to use SQL Server 2016 functions like JSON_VALUE to make the query more efficient.
+            var scopes = await (from scope in Scopes.AsTracking()
+                                where scope.Resources.Contains(resource)
+                                select scope).ToListAsync(cancellationToken);
+
             var builder = ImmutableArray.CreateBuilder<TScope>();
 
-            foreach (var scope in await FindByResource(Context, resource).ToListAsync(cancellationToken))
+            foreach (var scope in scopes)
             {
                 var resources = await GetResourcesAsync(scope, cancellationToken);
-                if (resources.Contains(resource, StringComparer.Ordinal))
+                if (resources.Contains(resource, StringComparer.OrdinalIgnoreCase))
                 {
                     builder.Add(scope);
                 }
diff --git a/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictTokenStore.cs b/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictTokenStore.cs
index 27d6767b..6b242e8b 100644
--- a/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictTokenStore.cs
+++ b/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictTokenStore.cs
@@ -16,7 +16,6 @@ using System.Threading.Tasks;
 using JetBrains.Annotations;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.EntityFrameworkCore.Infrastructure;
-using Microsoft.EntityFrameworkCore.Query;
 using Microsoft.EntityFrameworkCore.Storage;
 using Microsoft.Extensions.Caching.Memory;
 using Microsoft.Extensions.Options;
@@ -202,25 +201,6 @@ namespace OpenIddict.EntityFrameworkCore
             }
         }
 
-        /// <summary>
-        /// Exposes a compiled query allowing to retrieve the tokens corresponding
-        /// to the specified subject and associated with the application identifier.
-        /// </summary>
-        private static readonly Func<TContext, TKey, string, AsyncEnumerable<TToken>> FindBySubjectAndClient =
-            // Note: due to a bug in Entity Framework Core's query visitor, the authorizations can't be
-            // filtered using token.Application.Id.Equals(key). To work around this issue,
-            // this compiled query uses an explicit join before applying the equality check.
-            // See https://github.com/openiddict/openiddict-core/issues/499 for more information.
-            EF.CompileAsyncQuery((TContext context, TKey identifier, string subject) =>
-                from token in context.Set<TToken>()
-                    .Include(token => token.Application)
-                    .Include(token => token.Authorization)
-                    .AsTracking()
-                where token.Subject == subject
-                join application in context.Set<TApplication>().AsTracking() on token.Application.Id equals application.Id
-                where application.Id.Equals(identifier)
-                select token);
-
         /// <summary>
         /// Retrieves the tokens corresponding to the specified
         /// subject and associated with the application identifier.
@@ -245,27 +225,20 @@ namespace OpenIddict.EntityFrameworkCore
                 throw new ArgumentException("The client cannot be null or empty.", nameof(client));
             }
 
-            return ImmutableArray.CreateRange(await FindBySubjectAndClient(Context,
-                ConvertIdentifierFromString(client), subject).ToListAsync(cancellationToken));
-        }
-
-        /// <summary>
-        /// Exposes a compiled query allowing to retrieve the tokens matching the specified parameters.
-        /// </summary>
-        private static readonly Func<TContext, TKey, string, string, AsyncEnumerable<TToken>> FindBySubjectClientAndStatus =
             // Note: due to a bug in Entity Framework Core's query visitor, the authorizations can't be
             // filtered using token.Application.Id.Equals(key). To work around this issue,
             // this compiled query uses an explicit join before applying the equality check.
             // See https://github.com/openiddict/openiddict-core/issues/499 for more information.
-            EF.CompileAsyncQuery((TContext context, TKey identifier, string subject, string status) =>
-                from token in context.Set<TToken>()
-                    .Include(token => token.Application)
-                    .Include(token => token.Authorization)
-                    .AsTracking()
-                where token.Subject == subject && token.Status == status
-                join application in context.Set<TApplication>().AsTracking() on token.Application.Id equals application.Id
-                where application.Id.Equals(identifier)
-                select token);
+
+            var key = ConvertIdentifierFromString(client);
+
+            return ImmutableArray.CreateRange(
+                await (from token in Tokens.Include(token => token.Application).Include(token => token.Authorization).AsTracking()
+                       where token.Subject == subject
+                       join application in Applications.AsTracking() on token.Application.Id equals application.Id
+                       where application.Id.Equals(key)
+                       select token).ToListAsync(cancellationToken));
+        }
 
         /// <summary>
         /// Retrieves the tokens matching the specified parameters.
@@ -297,29 +270,21 @@ namespace OpenIddict.EntityFrameworkCore
                 throw new ArgumentException("The status cannot be null or empty.", nameof(status));
             }
 
-            return ImmutableArray.CreateRange(await FindBySubjectClientAndStatus(Context,
-                ConvertIdentifierFromString(client), subject, status).ToListAsync(cancellationToken));
-        }
-
-        /// <summary>
-        /// Exposes a compiled query allowing to retrieve the tokens matching the specified parameters.
-        /// </summary>
-        private static readonly Func<TContext, TKey, string, string, string, AsyncEnumerable<TToken>> FindBySubjectClientStatusAndType =
             // Note: due to a bug in Entity Framework Core's query visitor, the authorizations can't be
             // filtered using token.Application.Id.Equals(key). To work around this issue,
             // this compiled query uses an explicit join before applying the equality check.
             // See https://github.com/openiddict/openiddict-core/issues/499 for more information.
-            EF.CompileAsyncQuery((TContext context, TKey identifier, string subject, string status, string type) =>
-                from token in context.Set<TToken>()
-                    .Include(token => token.Application)
-                    .Include(token => token.Authorization)
-                    .AsTracking()
-                where token.Subject == subject &&
-                      token.Status == status &&
-                      token.Type == type
-                join application in context.Set<TApplication>().AsTracking() on token.Application.Id equals application.Id
-                where application.Id.Equals(identifier)
-                select token);
+
+            var key = ConvertIdentifierFromString(client);
+
+            return ImmutableArray.CreateRange(
+                await (from token in Tokens.Include(token => token.Application).Include(token => token.Authorization).AsTracking()
+                       where token.Subject == subject &&
+                             token.Status == status
+                       join application in Applications.AsTracking() on token.Application.Id equals application.Id
+                       where application.Id.Equals(key)
+                       select token).ToListAsync(cancellationToken));
+        }
 
         /// <summary>
         /// Retrieves the tokens matching the specified parameters.
@@ -357,27 +322,22 @@ namespace OpenIddict.EntityFrameworkCore
                 throw new ArgumentException("The type cannot be null or empty.", nameof(type));
             }
 
-            return ImmutableArray.CreateRange(await FindBySubjectClientStatusAndType(Context,
-                ConvertIdentifierFromString(client), subject, status, type).ToListAsync(cancellationToken));
-        }
-
-        /// <summary>
-        /// Exposes a compiled query allowing to retrieve the list of
-        /// tokens corresponding to the specified application identifier.
-        /// </summary>
-        private static readonly Func<TContext, TKey, AsyncEnumerable<TToken>> FindByApplicationId =
-            // Note: due to a bug in Entity Framework Core's query visitor, the tokens can't be
+            // Note: due to a bug in Entity Framework Core's query visitor, the authorizations can't be
             // filtered using token.Application.Id.Equals(key). To work around this issue,
             // this compiled query uses an explicit join before applying the equality check.
             // See https://github.com/openiddict/openiddict-core/issues/499 for more information.
-            EF.CompileAsyncQuery((TContext context, TKey identifier) =>
-                from token in context.Set<TToken>()
-                    .Include(token => token.Application)
-                    .Include(token => token.Authorization)
-                    .AsTracking()
-                join application in context.Set<TApplication>().AsTracking() on token.Application.Id equals application.Id
-                where application.Id.Equals(identifier)
-                select token);
+
+            var key = ConvertIdentifierFromString(client);
+
+            return ImmutableArray.CreateRange(
+                await (from token in Tokens.Include(token => token.Application).Include(token => token.Authorization).AsTracking()
+                       where token.Subject == subject &&
+                             token.Status == status &&
+                             token.Type == type
+                       join application in Applications.AsTracking() on token.Application.Id equals application.Id
+                       where application.Id.Equals(key)
+                       select token).ToListAsync(cancellationToken));
+        }
 
         /// <summary>
         /// Retrieves the list of tokens corresponding to the specified application identifier.
@@ -395,27 +355,19 @@ namespace OpenIddict.EntityFrameworkCore
                 throw new ArgumentException("The identifier cannot be null or empty.", nameof(identifier));
             }
 
-            return ImmutableArray.CreateRange(await FindByApplicationId(Context,
-                ConvertIdentifierFromString(identifier)).ToListAsync(cancellationToken));
-        }
-
-        /// <summary>
-        /// Exposes a compiled query allowing to retrieve the list of
-        /// tokens corresponding to the specified authorization identifier.
-        /// </summary>
-        private static readonly Func<TContext, TKey, AsyncEnumerable<TToken>> FindByAuthorizationId =
             // Note: due to a bug in Entity Framework Core's query visitor, the tokens can't be
-            // filtered using token.Authorization.Id.Equals(key). To work around this issue,
-            // this compiled query uses an explicit join before applying the equality check.
+            // filtered using token.Application.Id.Equals(key). To work around this issue,
+            // this method is overriden to use an explicit join before applying the equality check.
             // See https://github.com/openiddict/openiddict-core/issues/499 for more information.
-            EF.CompileAsyncQuery((TContext context, TKey identifier) =>
-                from token in context.Set<TToken>()
-                    .Include(token => token.Application)
-                    .Include(token => token.Authorization)
-                    .AsTracking()
-                join authorization in context.Set<TAuthorization>().AsTracking() on token.Authorization.Id equals authorization.Id
-                where authorization.Id.Equals(identifier)
-                select token);
+
+            var key = ConvertIdentifierFromString(identifier);
+
+            return ImmutableArray.CreateRange(
+                await (from token in Tokens.Include(token => token.Application).Include(token => token.Authorization).AsTracking()
+                       join application in Applications.AsTracking() on token.Application.Id equals application.Id
+                       where application.Id.Equals(key)
+                       select token).ToListAsync(cancellationToken));
+        }
 
         /// <summary>
         /// Retrieves the list of tokens corresponding to the specified authorization identifier.
@@ -433,21 +385,19 @@ namespace OpenIddict.EntityFrameworkCore
                 throw new ArgumentException("The identifier cannot be null or empty.", nameof(identifier));
             }
 
-            return ImmutableArray.CreateRange(await FindByAuthorizationId(Context,
-                ConvertIdentifierFromString(identifier)).ToListAsync(cancellationToken));
-        }
+            // Note: due to a bug in Entity Framework Core's query visitor, the tokens can't be
+            // filtered using token.Authorization.Id.Equals(key). To work around this issue,
+            // this method is overriden to use an explicit join before applying the equality check.
+            // See https://github.com/openiddict/openiddict-core/issues/499 for more information.
 
-        /// <summary>
-        /// Exposes a compiled query allowing to retrieve a token using its unique identifier.
-        /// </summary>
-        private static readonly Func<TContext, TKey, Task<TToken>> FindById =
-            EF.CompileAsyncQuery((TContext context, TKey identifier) =>
-                (from token in context.Set<TToken>()
-                    .Include(token => token.Application)
-                    .Include(token => token.Authorization)
-                    .AsTracking()
-                 where token.Id.Equals(identifier)
-                 select token).FirstOrDefault());
+            var key = ConvertIdentifierFromString(identifier);
+
+            return ImmutableArray.CreateRange(
+                await (from token in Tokens.Include(token => token.Application).Include(token => token.Authorization).AsTracking()
+                       join authorization in Authorizations.AsTracking() on token.Authorization.Id equals authorization.Id
+                       where authorization.Id.Equals(key)
+                       select token).ToListAsync(cancellationToken));
+        }
 
         /// <summary>
         /// Retrieves a token using its unique identifier.
@@ -465,21 +415,12 @@ namespace OpenIddict.EntityFrameworkCore
                 throw new ArgumentException("The identifier cannot be null or empty.", nameof(identifier));
             }
 
-            return FindById(Context, ConvertIdentifierFromString(identifier));
-        }
+            var key = ConvertIdentifierFromString(identifier);
 
-        /// <summary>
-        /// Exposes a compiled query allowing to retrieve the list of
-        /// tokens corresponding to the specified reference identifier.
-        /// </summary>
-        private static readonly Func<TContext, string, Task<TToken>> FindByReferenceId =
-            EF.CompileAsyncQuery((TContext context, string identifier) =>
-                (from token in context.Set<TToken>()
-                    .Include(token => token.Application)
-                    .Include(token => token.Authorization)
-                    .AsTracking()
-                 where token.ReferenceId == identifier
-                 select token).FirstOrDefault());
+            return (from token in Tokens.Include(token => token.Application).Include(token => token.Authorization).AsTracking()
+                    where token.Id.Equals(key)
+                    select token).FirstOrDefaultAsync(cancellationToken);
+        }
 
         /// <summary>
         /// Retrieves the list of tokens corresponding to the specified reference identifier.
@@ -498,22 +439,11 @@ namespace OpenIddict.EntityFrameworkCore
                 throw new ArgumentException("The identifier cannot be null or empty.", nameof(identifier));
             }
 
-            return FindByReferenceId(Context, identifier);
+            return (from token in Tokens.Include(token => token.Application).Include(token => token.Authorization).AsTracking()
+                    where token.ReferenceId == identifier
+                    select token).FirstOrDefaultAsync(cancellationToken);
         }
 
-        /// <summary>
-        /// Exposes a compiled query allowing to retrieve the
-        /// list of tokens corresponding to the specified subject.
-        /// </summary>
-        private static readonly Func<TContext, string, AsyncEnumerable<TToken>> FindBySubject =
-            EF.CompileAsyncQuery((TContext context, string subject) =>
-                from token in context.Set<TToken>()
-                    .Include(token => token.Application)
-                    .Include(token => token.Authorization)
-                    .AsTracking()
-                where token.Subject == subject
-                select token);
-
         /// <summary>
         /// Retrieves the list of tokens corresponding to the specified subject.
         /// </summary>
@@ -530,7 +460,10 @@ namespace OpenIddict.EntityFrameworkCore
                 throw new ArgumentException("The subject cannot be null or empty.", nameof(subject));
             }
 
-            return ImmutableArray.CreateRange(await FindBySubject(Context, subject).ToListAsync(cancellationToken));
+            return ImmutableArray.CreateRange(
+                await (from token in Tokens.Include(token => token.Application).Include(token => token.Authorization).AsTracking()
+                       where token.Subject == subject
+                       select token).ToListAsync(cancellationToken));
         }
 
         /// <summary>

From 51ea4c4c8b46ec9cd483dbc615c1bed8dbe29c5f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Sat, 5 Oct 2019 20:19:33 +0200
Subject: [PATCH 21/64] Add workarounds for API breaking changes introduced in
 Entity Framework Core 3.x

---
 .../OpenIddictApplicationConfiguration.cs            |  5 ++++-
 .../Configurations/OpenIddictScopeConfiguration.cs   |  5 ++++-
 .../Configurations/OpenIddictTokenConfiguration.cs   |  5 ++++-
 .../Stores/OpenIddictAuthorizationStore.cs           |  6 +++++-
 .../Stores/OpenIddictTokenStore.cs                   | 12 ++++++++++--
 5 files changed, 27 insertions(+), 6 deletions(-)

diff --git a/src/OpenIddict.EntityFrameworkCore/Configurations/OpenIddictApplicationConfiguration.cs b/src/OpenIddict.EntityFrameworkCore/Configurations/OpenIddictApplicationConfiguration.cs
index 57c4c05c..c3db132a 100644
--- a/src/OpenIddict.EntityFrameworkCore/Configurations/OpenIddictApplicationConfiguration.cs
+++ b/src/OpenIddict.EntityFrameworkCore/Configurations/OpenIddictApplicationConfiguration.cs
@@ -40,7 +40,10 @@ namespace OpenIddict.EntityFrameworkCore
 
             builder.HasKey(application => application.Id);
 
-            builder.HasIndex(application => application.ClientId)
+            // Warning: the non-generic overlord is deliberately used to work around
+            // a breaking change introduced in Entity Framework Core 3.x (where a
+            // generic entity type builder is now returned by the HasIndex() method).
+            builder.HasIndex(nameof(OpenIddictApplication.ClientId))
                    .IsUnique();
 
             builder.Property(application => application.ClientId)
diff --git a/src/OpenIddict.EntityFrameworkCore/Configurations/OpenIddictScopeConfiguration.cs b/src/OpenIddict.EntityFrameworkCore/Configurations/OpenIddictScopeConfiguration.cs
index b9389668..4a241b43 100644
--- a/src/OpenIddict.EntityFrameworkCore/Configurations/OpenIddictScopeConfiguration.cs
+++ b/src/OpenIddict.EntityFrameworkCore/Configurations/OpenIddictScopeConfiguration.cs
@@ -36,7 +36,10 @@ namespace OpenIddict.EntityFrameworkCore
 
             builder.HasKey(scope => scope.Id);
 
-            builder.HasIndex(scope => scope.Name)
+            // Warning: the non-generic overlord is deliberately used to work around
+            // a breaking change introduced in Entity Framework Core 3.x (where a
+            // generic entity type builder is now returned by the HasIndex() method).
+            builder.HasIndex(nameof(OpenIddictScope.Name))
                    .IsUnique();
 
             builder.Property(scope => scope.ConcurrencyToken)
diff --git a/src/OpenIddict.EntityFrameworkCore/Configurations/OpenIddictTokenConfiguration.cs b/src/OpenIddict.EntityFrameworkCore/Configurations/OpenIddictTokenConfiguration.cs
index 7e3ff800..6cba70aa 100644
--- a/src/OpenIddict.EntityFrameworkCore/Configurations/OpenIddictTokenConfiguration.cs
+++ b/src/OpenIddict.EntityFrameworkCore/Configurations/OpenIddictTokenConfiguration.cs
@@ -40,7 +40,10 @@ namespace OpenIddict.EntityFrameworkCore
 
             builder.HasKey(token => token.Id);
 
-            builder.HasIndex(token => token.ReferenceId)
+            // Warning: the non-generic overlord is deliberately used to work around
+            // a breaking change introduced in Entity Framework Core 3.x (where a
+            // generic entity type builder is now returned by the HasIndex() method).
+            builder.HasIndex(nameof(OpenIddictToken.ReferenceId))
                    .IsUnique();
 
             builder.HasIndex(
diff --git a/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictAuthorizationStore.cs b/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictAuthorizationStore.cs
index cea6805c..d056ecb2 100644
--- a/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictAuthorizationStore.cs
+++ b/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictAuthorizationStore.cs
@@ -913,7 +913,11 @@ namespace OpenIddict.EntityFrameworkCore
 
             if (!string.IsNullOrEmpty(identifier))
             {
-                var application = await Applications.FindAsync(new object[] { ConvertIdentifierFromString(identifier) }, cancellationToken);
+                var key = ConvertIdentifierFromString(identifier);
+
+                // Warning: FindAsync() is deliberately not used to work around a breaking change introduced
+                // in Entity Framework Core 3.x (where a ValueTask instead of a Task is now returned).
+                var application = await Applications.FirstOrDefaultAsync(element => element.Id.Equals(key), cancellationToken);
                 if (application == null)
                 {
                     throw new InvalidOperationException("The application associated with the authorization cannot be found.");
diff --git a/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictTokenStore.cs b/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictTokenStore.cs
index 6b242e8b..7b95b288 100644
--- a/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictTokenStore.cs
+++ b/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictTokenStore.cs
@@ -948,7 +948,11 @@ namespace OpenIddict.EntityFrameworkCore
 
             if (!string.IsNullOrEmpty(identifier))
             {
-                var application = await Applications.FindAsync(new object[] { ConvertIdentifierFromString(identifier) }, cancellationToken);
+                var key = ConvertIdentifierFromString(identifier);
+
+                // Warning: FindAsync() is deliberately not used to work around a breaking change introduced
+                // in Entity Framework Core 3.x (where a ValueTask instead of a Task is now returned).
+                var application = await Applications.FirstOrDefaultAsync(element => element.Id.Equals(key), cancellationToken);
                 if (application == null)
                 {
                     throw new InvalidOperationException("The application associated with the token cannot be found.");
@@ -994,7 +998,11 @@ namespace OpenIddict.EntityFrameworkCore
 
             if (!string.IsNullOrEmpty(identifier))
             {
-                var authorization = await Authorizations.FindAsync(new object[] { ConvertIdentifierFromString(identifier) }, cancellationToken);
+                var key = ConvertIdentifierFromString(identifier);
+
+                // Warning: FindAsync() is deliberately not used to work around a breaking change introduced
+                // in Entity Framework Core 3.x (where a ValueTask instead of a Task is now returned).
+                var authorization = await Authorizations.FirstOrDefaultAsync(element => element.Id.Equals(key), cancellationToken);
                 if (authorization == null)
                 {
                     throw new InvalidOperationException("The authorization associated with the token cannot be found.");

From 8fdabc71a159a569575726f4da73a0ba27653d30 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Sun, 6 Oct 2019 17:47:25 +0200
Subject: [PATCH 22/64] Use Enumerable.Contains() instead of
 ImmutableArray.Contains() and add missing cancellation tokens

---
 .../Stores/OpenIddictApplicationStore.cs           | 14 +++++++-------
 .../Stores/OpenIddictAuthorizationStore.cs         |  6 +++---
 .../Stores/OpenIddictScopeStore.cs                 | 10 ++++++----
 .../Stores/OpenIddictTokenStore.cs                 |  4 ++--
 .../Stores/OpenIddictApplicationStore.cs           | 10 +++++-----
 .../Stores/OpenIddictAuthorizationStore.cs         |  6 +++---
 .../Stores/OpenIddictScopeStore.cs                 |  9 ++++++---
 .../Stores/OpenIddictTokenStore.cs                 |  4 ++--
 .../Stores/OpenIddictApplicationStore.cs           |  4 ++--
 .../Stores/OpenIddictAuthorizationStore.cs         |  4 ++--
 .../Stores/OpenIddictScopeStore.cs                 |  8 +++++---
 .../Stores/OpenIddictTokenStore.cs                 |  4 ++--
 12 files changed, 45 insertions(+), 38 deletions(-)

diff --git a/src/OpenIddict.EntityFramework/Stores/OpenIddictApplicationStore.cs b/src/OpenIddict.EntityFramework/Stores/OpenIddictApplicationStore.cs
index 3a1de64d..4f7f561e 100644
--- a/src/OpenIddict.EntityFramework/Stores/OpenIddictApplicationStore.cs
+++ b/src/OpenIddict.EntityFramework/Stores/OpenIddictApplicationStore.cs
@@ -107,7 +107,7 @@ namespace OpenIddict.EntityFramework
         /// whose result returns the number of applications in the database.
         /// </returns>
         public virtual Task<long> CountAsync(CancellationToken cancellationToken)
-            => Applications.LongCountAsync();
+            => Applications.LongCountAsync(cancellationToken);
 
         /// <summary>
         /// Determines the number of applications that match the specified query.
@@ -126,7 +126,7 @@ namespace OpenIddict.EntityFramework
                 throw new ArgumentNullException(nameof(query));
             }
 
-            return query(Applications).LongCountAsync();
+            return query(Applications).LongCountAsync(cancellationToken);
         }
 
         /// <summary>
@@ -249,7 +249,7 @@ namespace OpenIddict.EntityFramework
 
             return (from application in Applications
                     where application.Id.Equals(key)
-                    select application).FirstOrDefaultAsync();
+                    select application).FirstOrDefaultAsync(cancellationToken);
         }
 
         /// <summary>
@@ -270,7 +270,7 @@ namespace OpenIddict.EntityFramework
 
             return (from application in Applications
                     where application.ClientId == identifier
-                    select application).FirstOrDefaultAsync();
+                    select application).FirstOrDefaultAsync(cancellationToken);
         }
 
         /// <summary>
@@ -539,7 +539,7 @@ namespace OpenIddict.EntityFramework
                      .SetSlidingExpiration(TimeSpan.FromMinutes(1));
 
                 return JArray.Parse(application.Permissions)
-                    .Select(element => (string) element)
+                    .Select(permission => (string) permission)
                     .ToImmutableArray();
             });
 
@@ -576,7 +576,7 @@ namespace OpenIddict.EntityFramework
                      .SetSlidingExpiration(TimeSpan.FromMinutes(1));
 
                 return JArray.Parse(application.PostLogoutRedirectUris)
-                    .Select(element => (string) element)
+                    .Select(address => (string) address)
                     .ToImmutableArray();
             });
 
@@ -648,7 +648,7 @@ namespace OpenIddict.EntityFramework
                      .SetSlidingExpiration(TimeSpan.FromMinutes(1));
 
                 return JArray.Parse(application.RedirectUris)
-                    .Select(element => (string) element)
+                    .Select(address => (string) address)
                     .ToImmutableArray();
             });
 
diff --git a/src/OpenIddict.EntityFramework/Stores/OpenIddictAuthorizationStore.cs b/src/OpenIddict.EntityFramework/Stores/OpenIddictAuthorizationStore.cs
index 15549405..2145d478 100644
--- a/src/OpenIddict.EntityFramework/Stores/OpenIddictAuthorizationStore.cs
+++ b/src/OpenIddict.EntityFramework/Stores/OpenIddictAuthorizationStore.cs
@@ -107,7 +107,7 @@ namespace OpenIddict.EntityFramework
         /// whose result returns the number of authorizations in the database.
         /// </returns>
         public virtual Task<long> CountAsync(CancellationToken cancellationToken)
-            => Authorizations.LongCountAsync();
+            => Authorizations.LongCountAsync(cancellationToken);
 
         /// <summary>
         /// Determines the number of authorizations that match the specified query.
@@ -126,7 +126,7 @@ namespace OpenIddict.EntityFramework
                 throw new ArgumentNullException(nameof(query));
             }
 
-            return query(Authorizations).LongCountAsync();
+            return query(Authorizations).LongCountAsync(cancellationToken);
         }
 
         /// <summary>
@@ -594,7 +594,7 @@ namespace OpenIddict.EntityFramework
                      .SetSlidingExpiration(TimeSpan.FromMinutes(1));
 
                 return JArray.Parse(authorization.Scopes)
-                    .Select(element => (string) element)
+                    .Select(scope => (string) scope)
                     .ToImmutableArray();
             });
 
diff --git a/src/OpenIddict.EntityFramework/Stores/OpenIddictScopeStore.cs b/src/OpenIddict.EntityFramework/Stores/OpenIddictScopeStore.cs
index 0f657bae..1c86d014 100644
--- a/src/OpenIddict.EntityFramework/Stores/OpenIddictScopeStore.cs
+++ b/src/OpenIddict.EntityFramework/Stores/OpenIddictScopeStore.cs
@@ -89,7 +89,7 @@ namespace OpenIddict.EntityFramework
         /// whose result returns the number of scopes in the database.
         /// </returns>
         public virtual Task<long> CountAsync(CancellationToken cancellationToken)
-            => Scopes.LongCountAsync();
+            => Scopes.LongCountAsync(cancellationToken);
 
         /// <summary>
         /// Determines the number of scopes that match the specified query.
@@ -108,7 +108,7 @@ namespace OpenIddict.EntityFramework
                 throw new ArgumentNullException(nameof(query));
             }
 
-            return query(Scopes).LongCountAsync();
+            return query(Scopes).LongCountAsync(cancellationToken);
         }
 
         /// <summary>
@@ -223,9 +223,11 @@ namespace OpenIddict.EntityFramework
                 throw new ArgumentException("Scope names cannot be null or empty.", nameof(names));
             }
 
+            // Note: Enumerable.Contains() is deliberately used without the extension method syntax to ensure
+            // ImmutableArray.Contains() (which is not fully supported by Entity Framework 6.x) is not used instead.
             return ImmutableArray.CreateRange(
                 await (from scope in Scopes
-                       where names.Contains(scope.Name)
+                       where Enumerable.Contains(names, scope.Name)
                        select scope).ToListAsync(cancellationToken));
         }
 
@@ -434,7 +436,7 @@ namespace OpenIddict.EntityFramework
                      .SetSlidingExpiration(TimeSpan.FromMinutes(1));
 
                 return JArray.Parse(scope.Resources)
-                    .Select(element => (string) element)
+                    .Select(resource => (string) resource)
                     .ToImmutableArray();
             });
 
diff --git a/src/OpenIddict.EntityFramework/Stores/OpenIddictTokenStore.cs b/src/OpenIddict.EntityFramework/Stores/OpenIddictTokenStore.cs
index ed6ef8e5..5392cf1e 100644
--- a/src/OpenIddict.EntityFramework/Stores/OpenIddictTokenStore.cs
+++ b/src/OpenIddict.EntityFramework/Stores/OpenIddictTokenStore.cs
@@ -107,7 +107,7 @@ namespace OpenIddict.EntityFramework
         /// whose result returns the number of applications in the database.
         /// </returns>
         public virtual Task<long> CountAsync(CancellationToken cancellationToken)
-            => Tokens.LongCountAsync();
+            => Tokens.LongCountAsync(cancellationToken);
 
         /// <summary>
         /// Determines the number of tokens that match the specified query.
@@ -126,7 +126,7 @@ namespace OpenIddict.EntityFramework
                 throw new ArgumentNullException(nameof(query));
             }
 
-            return query(Tokens).LongCountAsync();
+            return query(Tokens).LongCountAsync(cancellationToken);
         }
 
         /// <summary>
diff --git a/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictApplicationStore.cs b/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictApplicationStore.cs
index bddb7701..a1a362cc 100644
--- a/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictApplicationStore.cs
+++ b/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictApplicationStore.cs
@@ -128,7 +128,7 @@ namespace OpenIddict.EntityFrameworkCore
         /// whose result returns the number of applications in the database.
         /// </returns>
         public virtual Task<long> CountAsync(CancellationToken cancellationToken)
-            => Applications.LongCountAsync();
+            => Applications.LongCountAsync(cancellationToken);
 
         /// <summary>
         /// Determines the number of applications that match the specified query.
@@ -147,7 +147,7 @@ namespace OpenIddict.EntityFrameworkCore
                 throw new ArgumentNullException(nameof(query));
             }
 
-            return query(Applications).LongCountAsync();
+            return query(Applications).LongCountAsync(cancellationToken);
         }
 
         /// <summary>
@@ -582,7 +582,7 @@ namespace OpenIddict.EntityFrameworkCore
                      .SetSlidingExpiration(TimeSpan.FromMinutes(1));
 
                 return JArray.Parse(application.Permissions)
-                    .Select(element => (string) element)
+                    .Select(permission => (string) permission)
                     .ToImmutableArray();
             });
 
@@ -619,7 +619,7 @@ namespace OpenIddict.EntityFrameworkCore
                      .SetSlidingExpiration(TimeSpan.FromMinutes(1));
 
                 return JArray.Parse(application.PostLogoutRedirectUris)
-                    .Select(element => (string) element)
+                    .Select(address => (string) address)
                     .ToImmutableArray();
             });
 
@@ -691,7 +691,7 @@ namespace OpenIddict.EntityFrameworkCore
                      .SetSlidingExpiration(TimeSpan.FromMinutes(1));
 
                 return JArray.Parse(application.RedirectUris)
-                    .Select(element => (string) element)
+                    .Select(address => (string) address)
                     .ToImmutableArray();
             });
 
diff --git a/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictAuthorizationStore.cs b/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictAuthorizationStore.cs
index d056ecb2..f9aa7271 100644
--- a/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictAuthorizationStore.cs
+++ b/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictAuthorizationStore.cs
@@ -128,7 +128,7 @@ namespace OpenIddict.EntityFrameworkCore
         /// whose result returns the number of authorizations in the database.
         /// </returns>
         public virtual Task<long> CountAsync(CancellationToken cancellationToken)
-            => Authorizations.LongCountAsync();
+            => Authorizations.LongCountAsync(cancellationToken);
 
         /// <summary>
         /// Determines the number of authorizations that match the specified query.
@@ -147,7 +147,7 @@ namespace OpenIddict.EntityFrameworkCore
                 throw new ArgumentNullException(nameof(query));
             }
 
-            return query(Authorizations).LongCountAsync();
+            return query(Authorizations).LongCountAsync(cancellationToken);
         }
 
         /// <summary>
@@ -652,7 +652,7 @@ namespace OpenIddict.EntityFrameworkCore
                      .SetSlidingExpiration(TimeSpan.FromMinutes(1));
 
                 return JArray.Parse(authorization.Scopes)
-                    .Select(element => (string) element)
+                    .Select(scope => (string) scope)
                     .ToImmutableArray();
             });
 
diff --git a/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictScopeStore.cs b/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictScopeStore.cs
index 9f4aee41..d127182b 100644
--- a/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictScopeStore.cs
+++ b/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictScopeStore.cs
@@ -106,7 +106,7 @@ namespace OpenIddict.EntityFrameworkCore
         /// whose result returns the number of scopes in the database.
         /// </returns>
         public virtual Task<long> CountAsync(CancellationToken cancellationToken)
-            => Scopes.LongCountAsync();
+            => Scopes.LongCountAsync(cancellationToken);
 
         /// <summary>
         /// Determines the number of scopes that match the specified query.
@@ -125,7 +125,7 @@ namespace OpenIddict.EntityFrameworkCore
                 throw new ArgumentNullException(nameof(query));
             }
 
-            return query(Scopes).LongCountAsync();
+            return query(Scopes).LongCountAsync(cancellationToken);
         }
 
         /// <summary>
@@ -240,9 +240,12 @@ namespace OpenIddict.EntityFrameworkCore
                 throw new ArgumentException("Scope names cannot be null or empty.", nameof(names));
             }
 
+            // Note: Enumerable.Contains() is deliberately used without the extension method syntax to ensure
+            // ImmutableArray.Contains() (which is not fully supported by Entity Framework Core) is not used instead.
             return ImmutableArray.CreateRange(
                 await (from scope in Scopes.AsTracking()
                        where names.Contains(scope.Name)
+                       where Enumerable.Contains(names, scope.Name)
                        select scope).ToListAsync(cancellationToken));
         }
 
@@ -451,7 +454,7 @@ namespace OpenIddict.EntityFrameworkCore
                      .SetSlidingExpiration(TimeSpan.FromMinutes(1));
 
                 return JArray.Parse(scope.Resources)
-                    .Select(element => (string) element)
+                    .Select(resource => (string) resource)
                     .ToImmutableArray();
             });
 
diff --git a/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictTokenStore.cs b/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictTokenStore.cs
index 7b95b288..d3de1216 100644
--- a/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictTokenStore.cs
+++ b/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictTokenStore.cs
@@ -128,7 +128,7 @@ namespace OpenIddict.EntityFrameworkCore
         /// whose result returns the number of applications in the database.
         /// </returns>
         public virtual Task<long> CountAsync(CancellationToken cancellationToken)
-            => Tokens.LongCountAsync();
+            => Tokens.LongCountAsync(cancellationToken);
 
         /// <summary>
         /// Determines the number of tokens that match the specified query.
@@ -147,7 +147,7 @@ namespace OpenIddict.EntityFrameworkCore
                 throw new ArgumentNullException(nameof(query));
             }
 
-            return query(Tokens).LongCountAsync();
+            return query(Tokens).LongCountAsync(cancellationToken);
         }
 
         /// <summary>
diff --git a/src/OpenIddict.MongoDb/Stores/OpenIddictApplicationStore.cs b/src/OpenIddict.MongoDb/Stores/OpenIddictApplicationStore.cs
index 4accb1fe..f2bdc763 100644
--- a/src/OpenIddict.MongoDb/Stores/OpenIddictApplicationStore.cs
+++ b/src/OpenIddict.MongoDb/Stores/OpenIddictApplicationStore.cs
@@ -61,7 +61,7 @@ namespace OpenIddict.MongoDb
             var database = await Context.GetDatabaseAsync(cancellationToken);
             var collection = database.GetCollection<TApplication>(Options.CurrentValue.ApplicationsCollectionName);
 
-            return await collection.CountDocumentsAsync(FilterDefinition<TApplication>.Empty);
+            return await collection.CountDocumentsAsync(FilterDefinition<TApplication>.Empty, null, cancellationToken);
         }
 
         /// <summary>
@@ -85,7 +85,7 @@ namespace OpenIddict.MongoDb
             var database = await Context.GetDatabaseAsync(cancellationToken);
             var collection = database.GetCollection<TApplication>(Options.CurrentValue.ApplicationsCollectionName);
 
-            return await ((IMongoQueryable<TApplication>) query(collection.AsQueryable())).LongCountAsync();
+            return await ((IMongoQueryable<TApplication>) query(collection.AsQueryable())).LongCountAsync(cancellationToken);
         }
 
         /// <summary>
diff --git a/src/OpenIddict.MongoDb/Stores/OpenIddictAuthorizationStore.cs b/src/OpenIddict.MongoDb/Stores/OpenIddictAuthorizationStore.cs
index c76438d4..c32a9c83 100644
--- a/src/OpenIddict.MongoDb/Stores/OpenIddictAuthorizationStore.cs
+++ b/src/OpenIddict.MongoDb/Stores/OpenIddictAuthorizationStore.cs
@@ -61,7 +61,7 @@ namespace OpenIddict.MongoDb
             var database = await Context.GetDatabaseAsync(cancellationToken);
             var collection = database.GetCollection<TAuthorization>(Options.CurrentValue.AuthorizationsCollectionName);
 
-            return await collection.CountDocumentsAsync(FilterDefinition<TAuthorization>.Empty);
+            return await collection.CountDocumentsAsync(FilterDefinition<TAuthorization>.Empty, null, cancellationToken);
         }
 
         /// <summary>
@@ -85,7 +85,7 @@ namespace OpenIddict.MongoDb
             var database = await Context.GetDatabaseAsync(cancellationToken);
             var collection = database.GetCollection<TAuthorization>(Options.CurrentValue.AuthorizationsCollectionName);
 
-            return await ((IMongoQueryable<TAuthorization>) query(collection.AsQueryable())).LongCountAsync();
+            return await ((IMongoQueryable<TAuthorization>) query(collection.AsQueryable())).LongCountAsync(cancellationToken);
         }
 
         /// <summary>
diff --git a/src/OpenIddict.MongoDb/Stores/OpenIddictScopeStore.cs b/src/OpenIddict.MongoDb/Stores/OpenIddictScopeStore.cs
index c5286161..7d8fc65c 100644
--- a/src/OpenIddict.MongoDb/Stores/OpenIddictScopeStore.cs
+++ b/src/OpenIddict.MongoDb/Stores/OpenIddictScopeStore.cs
@@ -61,7 +61,7 @@ namespace OpenIddict.MongoDb
             var database = await Context.GetDatabaseAsync(cancellationToken);
             var collection = database.GetCollection<TScope>(Options.CurrentValue.ScopesCollectionName);
 
-            return await collection.CountDocumentsAsync(FilterDefinition<TScope>.Empty);
+            return await collection.CountDocumentsAsync(FilterDefinition<TScope>.Empty, null, cancellationToken);
         }
 
         /// <summary>
@@ -85,7 +85,7 @@ namespace OpenIddict.MongoDb
             var database = await Context.GetDatabaseAsync(cancellationToken);
             var collection = database.GetCollection<TScope>(Options.CurrentValue.ScopesCollectionName);
 
-            return await ((IMongoQueryable<TScope>) query(collection.AsQueryable())).LongCountAsync();
+            return await ((IMongoQueryable<TScope>) query(collection.AsQueryable())).LongCountAsync(cancellationToken);
         }
 
         /// <summary>
@@ -202,7 +202,9 @@ namespace OpenIddict.MongoDb
             var database = await Context.GetDatabaseAsync(cancellationToken);
             var collection = database.GetCollection<TScope>(Options.CurrentValue.ScopesCollectionName);
 
-            return ImmutableArray.CreateRange(await collection.Find(scope => names.Contains(scope.Name)).ToListAsync(cancellationToken));
+            // Note: Enumerable.Contains() is deliberately used without the extension method syntax to ensure
+            // ImmutableArray.Contains() (which is not fully supported by MongoDB) is not used instead.
+            return ImmutableArray.CreateRange(await collection.Find(scope => Enumerable.Contains(names, scope.Name)).ToListAsync(cancellationToken));
         }
 
         /// <summary>
diff --git a/src/OpenIddict.MongoDb/Stores/OpenIddictTokenStore.cs b/src/OpenIddict.MongoDb/Stores/OpenIddictTokenStore.cs
index cacd8d1b..9abfed98 100644
--- a/src/OpenIddict.MongoDb/Stores/OpenIddictTokenStore.cs
+++ b/src/OpenIddict.MongoDb/Stores/OpenIddictTokenStore.cs
@@ -61,7 +61,7 @@ namespace OpenIddict.MongoDb
             var database = await Context.GetDatabaseAsync(cancellationToken);
             var collection = database.GetCollection<TToken>(Options.CurrentValue.TokensCollectionName);
 
-            return await collection.CountDocumentsAsync(FilterDefinition<TToken>.Empty);
+            return await collection.CountDocumentsAsync(FilterDefinition<TToken>.Empty, null, cancellationToken);
         }
 
         /// <summary>
@@ -85,7 +85,7 @@ namespace OpenIddict.MongoDb
             var database = await Context.GetDatabaseAsync(cancellationToken);
             var collection = database.GetCollection<TToken>(Options.CurrentValue.TokensCollectionName);
 
-            return await ((IMongoQueryable<TToken>) query(collection.AsQueryable())).LongCountAsync();
+            return await ((IMongoQueryable<TToken>) query(collection.AsQueryable())).LongCountAsync(cancellationToken);
         }
 
         /// <summary>

From 2abdd3c3f906f9015291f4dbab6b64c6ed38f006 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Thu, 17 Oct 2019 16:48:21 +0200
Subject: [PATCH 23/64] Update version.props to build 2.0.1 packages

---
 build/version.props | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/build/version.props b/build/version.props
index e6b85449..c3518815 100644
--- a/build/version.props
+++ b/build/version.props
@@ -1,9 +1,7 @@
 <Project>
 
   <PropertyGroup>
-    <VersionPrefix>2.0.1</VersionPrefix>
-    <VersionSuffix>preview1</VersionSuffix>
-    <VersionSuffix Condition=" '$(VersionSuffix)' != '' AND '$(BuildNumber)' != '' ">$(VersionSuffix)-$(BuildNumber)</VersionSuffix>
+    <Version>2.0.1</Version>
   </PropertyGroup>
 
 </Project>

From e34a1f0e0d9788e6d902dfba794898707ad09786 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Sat, 19 Jun 2021 01:59:30 +0200
Subject: [PATCH 24/64] Remove TunnelVisionLabs.ReferenceAssemblyAnnotator

---
 Directory.Build.props   |  6 ------
 Directory.Build.targets | 13 +++++++++++++
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/Directory.Build.props b/Directory.Build.props
index 5a53c72a..f3ac8a8d 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -62,12 +62,6 @@
 
   <ItemGroup>
     <PackageReference Include="Microsoft.CodeAnalysis.NetAnalyzers" PrivateAssets="All" />
-    <PackageReference Include="Microsoft.NETFramework.ReferenceAssemblies" PrivateAssets="All" />
-    <PackageReference Include="TunnelVisionLabs.ReferenceAssemblyAnnotator" PrivateAssets="All" />
-  </ItemGroup>
-
-  <ItemGroup>
-    <PackageDownload Include="Microsoft.NETCore.App.Ref" Version="[3.1.0]" />
   </ItemGroup>
 
   <ItemGroup>
diff --git a/Directory.Build.targets b/Directory.Build.targets
index 5ff47e01..fd42380e 100644
--- a/Directory.Build.targets
+++ b/Directory.Build.targets
@@ -16,6 +16,19 @@
     <PublicSign>false</PublicSign>
   </PropertyGroup>
 
+  <!--
+    Note: .NET Framework and .NET Core <3.0/.NET Standard assemblies are not annotated
+    with nullable references annotations. To avoid errors on these target frameworks,
+    related warnings are disabled by using Nullable = "annotations" instead of "enable".
+  -->
+
+  <PropertyGroup
+    Condition=" ('$(TargetFrameworkIdentifier)' == '.NETCoreApp' And $([MSBuild]::VersionLessThan($(TargetFrameworkVersion), '3.0'))) Or
+                ('$(TargetFrameworkIdentifier)' == '.NETFramework') Or
+                ('$(TargetFrameworkIdentifier)' == '.NETStandard') ">
+    <Nullable>annotations</Nullable>
+  </PropertyGroup>
+
   <PropertyGroup
     Condition=" ('$(TargetFrameworkIdentifier)' == '.NETCoreApp') Or
                 ('$(TargetFrameworkIdentifier)' == '.NETFramework' And $([MSBuild]::VersionGreaterThanOrEquals($(TargetFrameworkVersion), '4.7'))) Or

From 3dca62549f486f32ac61421dc5bfa5602096aad3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Sat, 19 Jun 2021 02:26:17 +0200
Subject: [PATCH 25/64] Remove the TunnelVisionLabs.ReferenceAssemblyAnnotator
 reference from Packages.props

---
 Packages.props | 1 -
 1 file changed, 1 deletion(-)

diff --git a/Packages.props b/Packages.props
index 846474fe..ec65777b 100644
--- a/Packages.props
+++ b/Packages.props
@@ -17,7 +17,6 @@
     <PackageReference Update="Portable.BouncyCastle" Version="1.8.10" />
     <PackageReference Update="Quartz.Extensions.DependencyInjection" Version="3.2.4" />
     <PackageReference Update="Quartz.Extensions.Hosting" Version="3.2.4" />
-    <PackageReference Update="TunnelVisionLabs.ReferenceAssemblyAnnotator" Version="1.0.0-alpha.160" />
   </ItemGroup>
 
   <ItemGroup

From d5a5b679c06ec1fa227e3cd8bcd1eb853b9c6c89 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Sat, 19 Jun 2021 13:56:58 +0200
Subject: [PATCH 26/64] Bump the .NET SDK/packages and the Katana dependencies

---
 Packages.props                                | 48 +++++++++----------
 global.json                                   |  6 +--
 .../OpenIddict.Server.AspNetCore.csproj       |  4 +-
 .../OpenIddict.Server.DataProtection.csproj   |  4 +-
 .../OpenIddict.Validation.AspNetCore.csproj   |  4 +-
 ...penIddict.Validation.DataProtection.csproj |  4 +-
 6 files changed, 39 insertions(+), 31 deletions(-)

diff --git a/Packages.props b/Packages.props
index ec65777b..d42526c5 100644
--- a/Packages.props
+++ b/Packages.props
@@ -9,8 +9,8 @@
     <PackageReference Update="Microsoft.IdentityModel.JsonWebTokens" Version="6.8.0" />
     <PackageReference Update="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="6.8.0" />
     <PackageReference Update="Microsoft.NETFramework.ReferenceAssemblies" Version="1.0.0" />
-    <PackageReference Update="Microsoft.Owin.Security" Version="4.1.1" />
-    <PackageReference Update="Microsoft.Owin.Testing" Version="4.1.1" />
+    <PackageReference Update="Microsoft.Owin.Security" Version="4.2.0" />
+    <PackageReference Update="Microsoft.Owin.Testing" Version="4.2.0" />
     <PackageReference Update="MongoDB.Bson" Version="2.10.4" />
     <PackageReference Update="MongoDB.Driver" Version="2.10.4" />
     <PackageReference Update="Moq" Version="4.16.1" />
@@ -51,21 +51,21 @@
   <ItemGroup
     Condition=" ('$(TargetFrameworkIdentifier)' == '.NETCoreApp'  And $([MSBuild]::VersionEquals($(TargetFrameworkVersion), '3.1'))) Or
                 ('$(TargetFrameworkIdentifier)' == '.NETStandard' And $([MSBuild]::VersionEquals($(TargetFrameworkVersion), '2.1'))) ">
-    <PackageReference Update="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="3.1.13" />
-    <PackageReference Update="Microsoft.AspNetCore.DataProtection" Version="3.1.13" />
-    <PackageReference Update="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="3.1.13" />
-    <PackageReference Update="Microsoft.AspNetCore.TestHost" Version="3.1.13" />
-    <PackageReference Update="Microsoft.EntityFrameworkCore.Relational" Version="3.1.13" />
-    <PackageReference Update="Microsoft.EntityFrameworkCore.SqlServer" Version="3.1.13" />
-    <PackageReference Update="Microsoft.Extensions.Caching.Abstractions" Version="3.1.13" />
-    <PackageReference Update="Microsoft.Extensions.Caching.Memory" Version="3.1.13" />
-    <PackageReference Update="Microsoft.Extensions.DependencyInjection" Version="3.1.13" />
-    <PackageReference Update="Microsoft.Extensions.DependencyInjection.Abstractions" Version="3.1.13" />
-    <PackageReference Update="Microsoft.Extensions.Http.Polly" Version="3.1.13" />
-    <PackageReference Update="Microsoft.Extensions.Logging" Version="3.1.13" />
-    <PackageReference Update="Microsoft.Extensions.Options" Version="3.1.13" />
-    <PackageReference Update="Microsoft.Extensions.Primitives" Version="3.1.13" />
-    <PackageReference Update="Microsoft.Extensions.WebEncoders" Version="3.1.13" />
+    <PackageReference Update="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="3.1.16" />
+    <PackageReference Update="Microsoft.AspNetCore.DataProtection" Version="3.1.16" />
+    <PackageReference Update="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="3.1.16" />
+    <PackageReference Update="Microsoft.AspNetCore.TestHost" Version="3.1.16" />
+    <PackageReference Update="Microsoft.EntityFrameworkCore.Relational" Version="3.1.16" />
+    <PackageReference Update="Microsoft.EntityFrameworkCore.SqlServer" Version="3.1.16" />
+    <PackageReference Update="Microsoft.Extensions.Caching.Abstractions" Version="3.1.16" />
+    <PackageReference Update="Microsoft.Extensions.Caching.Memory" Version="3.1.16" />
+    <PackageReference Update="Microsoft.Extensions.DependencyInjection" Version="3.1.16" />
+    <PackageReference Update="Microsoft.Extensions.DependencyInjection.Abstractions" Version="3.1.16" />
+    <PackageReference Update="Microsoft.Extensions.Http.Polly" Version="3.1.16" />
+    <PackageReference Update="Microsoft.Extensions.Logging" Version="3.1.16" />
+    <PackageReference Update="Microsoft.Extensions.Options" Version="3.1.16" />
+    <PackageReference Update="Microsoft.Extensions.Primitives" Version="3.1.16" />
+    <PackageReference Update="Microsoft.Extensions.WebEncoders" Version="3.1.16" />
     <PackageReference Update="System.Collections.Immutable" Version="1.7.1" />
     <PackageReference Update="System.ComponentModel.Annotations" Version="4.7.0" />
     <PackageReference Update="System.Linq.Async" Version="4.1.1" />
@@ -76,12 +76,12 @@
 
   <ItemGroup
     Condition=" ('$(TargetFrameworkIdentifier)' == '.NETCoreApp' And $([MSBuild]::VersionEquals($(TargetFrameworkVersion), '5.0'))) ">
-    <PackageReference Update="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="5.0.4" />
-    <PackageReference Update="Microsoft.AspNetCore.DataProtection" Version="5.0.4" />
-    <PackageReference Update="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="5.0.4" />
-    <PackageReference Update="Microsoft.AspNetCore.TestHost" Version="5.0.4" />
-    <PackageReference Update="Microsoft.EntityFrameworkCore.Relational" Version="5.0.4" />
-    <PackageReference Update="Microsoft.EntityFrameworkCore.SqlServer" Version="5.0.4" />
+    <PackageReference Update="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="5.0.7" />
+    <PackageReference Update="Microsoft.AspNetCore.DataProtection" Version="5.0.7" />
+    <PackageReference Update="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="5.0.7" />
+    <PackageReference Update="Microsoft.AspNetCore.TestHost" Version="5.0.7" />
+    <PackageReference Update="Microsoft.EntityFrameworkCore.Relational" Version="5.0.7" />
+    <PackageReference Update="Microsoft.EntityFrameworkCore.SqlServer" Version="5.0.7" />
     <PackageReference Update="Microsoft.Extensions.Caching.Abstractions" Version="5.0.0" />
     <PackageReference Update="Microsoft.Extensions.Caching.Memory" Version="5.0.0" />
     <PackageReference Update="Microsoft.Extensions.DependencyInjection" Version="5.0.1" />
@@ -90,7 +90,7 @@
     <PackageReference Update="Microsoft.Extensions.Logging" Version="5.0.0" />
     <PackageReference Update="Microsoft.Extensions.Options" Version="5.0.0" />
     <PackageReference Update="Microsoft.Extensions.Primitives" Version="5.0.0" />
-    <PackageReference Update="Microsoft.Extensions.WebEncoders" Version="5.0.4" />
+    <PackageReference Update="Microsoft.Extensions.WebEncoders" Version="5.0.7" />
     <PackageReference Update="System.Collections.Immutable" Version="5.0.0" />
     <PackageReference Update="System.ComponentModel.Annotations" Version="5.0.0" />
     <PackageReference Update="System.Linq.Async" Version="5.0.0" />
diff --git a/global.json b/global.json
index 2eb4cb3f..0db3faa4 100644
--- a/global.json
+++ b/global.json
@@ -1,11 +1,11 @@
 {
   "tools": {
-    "dotnet": "5.0.201",
+    "dotnet": "5.0.301",
 
     "runtimes": {
       "aspnetcore": [
-        "2.1.26",
-        "3.1.13"
+        "2.1.28",
+        "3.1.16"
       ]
     }
   },
diff --git a/src/OpenIddict.Server.AspNetCore/OpenIddict.Server.AspNetCore.csproj b/src/OpenIddict.Server.AspNetCore/OpenIddict.Server.AspNetCore.csproj
index d05b3a44..5e59c34b 100644
--- a/src/OpenIddict.Server.AspNetCore/OpenIddict.Server.AspNetCore.csproj
+++ b/src/OpenIddict.Server.AspNetCore/OpenIddict.Server.AspNetCore.csproj
@@ -19,7 +19,9 @@
   </ItemGroup>
 
   <ItemGroup
-    Condition=" '$(TargetFrameworkIdentifier)' != '.NETCoreApp' Or $([MSBuild]::VersionLessThan($(TargetFrameworkVersion), '3.0')) ">
+    Condition=" ('$(TargetFrameworkIdentifier)' == '.NETCoreApp' And $([MSBuild]::VersionLessThan($(TargetFrameworkVersion), '3.0'))) Or
+                ('$(TargetFrameworkIdentifier)' == '.NETFramework') Or
+                ('$(TargetFrameworkIdentifier)' == '.NETStandard') ">
     <PackageReference Include="Microsoft.AspNetCore.Authentication" />
     <PackageReference Include="Microsoft.AspNetCore.Diagnostics.Abstractions" />
     <PackageReference Include="Microsoft.Extensions.Caching.Abstractions" />
diff --git a/src/OpenIddict.Server.DataProtection/OpenIddict.Server.DataProtection.csproj b/src/OpenIddict.Server.DataProtection/OpenIddict.Server.DataProtection.csproj
index 13cca40e..ecac5301 100644
--- a/src/OpenIddict.Server.DataProtection/OpenIddict.Server.DataProtection.csproj
+++ b/src/OpenIddict.Server.DataProtection/OpenIddict.Server.DataProtection.csproj
@@ -19,7 +19,9 @@
   </ItemGroup>
 
   <ItemGroup
-    Condition=" '$(TargetFrameworkIdentifier)' != '.NETCoreApp' Or $([MSBuild]::VersionLessThan($(TargetFrameworkVersion), '3.0')) ">
+    Condition=" ('$(TargetFrameworkIdentifier)' == '.NETCoreApp' And $([MSBuild]::VersionLessThan($(TargetFrameworkVersion), '3.0'))) Or
+                ('$(TargetFrameworkIdentifier)' == '.NETFramework') Or
+                ('$(TargetFrameworkIdentifier)' == '.NETStandard') ">
     <PackageReference Include="Microsoft.AspNetCore.DataProtection" />
   </ItemGroup>
 
diff --git a/src/OpenIddict.Validation.AspNetCore/OpenIddict.Validation.AspNetCore.csproj b/src/OpenIddict.Validation.AspNetCore/OpenIddict.Validation.AspNetCore.csproj
index a6dbd88e..e63dd866 100644
--- a/src/OpenIddict.Validation.AspNetCore/OpenIddict.Validation.AspNetCore.csproj
+++ b/src/OpenIddict.Validation.AspNetCore/OpenIddict.Validation.AspNetCore.csproj
@@ -19,7 +19,9 @@
   </ItemGroup>
 
   <ItemGroup
-    Condition=" '$(TargetFrameworkIdentifier)' != '.NETCoreApp' Or $([MSBuild]::VersionLessThan($(TargetFrameworkVersion), '3.0')) ">
+    Condition=" ('$(TargetFrameworkIdentifier)' == '.NETCoreApp' And $([MSBuild]::VersionLessThan($(TargetFrameworkVersion), '3.0'))) Or
+                ('$(TargetFrameworkIdentifier)' == '.NETFramework') Or
+                ('$(TargetFrameworkIdentifier)' == '.NETStandard') ">
     <PackageReference Include="Microsoft.AspNetCore.Authentication" />
   </ItemGroup>
 
diff --git a/src/OpenIddict.Validation.DataProtection/OpenIddict.Validation.DataProtection.csproj b/src/OpenIddict.Validation.DataProtection/OpenIddict.Validation.DataProtection.csproj
index 7b1788d8..429b5a53 100644
--- a/src/OpenIddict.Validation.DataProtection/OpenIddict.Validation.DataProtection.csproj
+++ b/src/OpenIddict.Validation.DataProtection/OpenIddict.Validation.DataProtection.csproj
@@ -19,7 +19,9 @@
   </ItemGroup>
 
   <ItemGroup
-    Condition=" '$(TargetFrameworkIdentifier)' != '.NETCoreApp' Or $([MSBuild]::VersionLessThan($(TargetFrameworkVersion), '3.0')) ">
+    Condition=" ('$(TargetFrameworkIdentifier)' == '.NETCoreApp' And $([MSBuild]::VersionLessThan($(TargetFrameworkVersion), '3.0'))) Or
+                ('$(TargetFrameworkIdentifier)' == '.NETFramework') Or
+                ('$(TargetFrameworkIdentifier)' == '.NETStandard') ">
     <PackageReference Include="Microsoft.AspNetCore.DataProtection" />
   </ItemGroup>
 

From 9671751e5cb6f356aee0746195342290a54409b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Sat, 19 Jun 2021 13:59:00 +0200
Subject: [PATCH 27/64] Remove the Microsoft.CodeAnalysis.NetAnalyzers package
 reference

---
 Directory.Build.props | 5 +----
 Packages.props        | 1 -
 2 files changed, 1 insertion(+), 5 deletions(-)

diff --git a/Directory.Build.props b/Directory.Build.props
index f3ac8a8d..d50476d0 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -4,6 +4,7 @@
 
   <PropertyGroup>
     <LangVersion>preview</LangVersion>
+    <EnableNETAnalyzers>true</EnableNETAnalyzers>
     <AnalysisLevel>preview</AnalysisLevel>
     <NoWarn>$(NoWarn);CS1591;NU5118;NU5128</NoWarn>
     <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
@@ -60,10 +61,6 @@
     <Serviceable>false</Serviceable>
   </PropertyGroup>
 
-  <ItemGroup>
-    <PackageReference Include="Microsoft.CodeAnalysis.NetAnalyzers" PrivateAssets="All" />
-  </ItemGroup>
-
   <ItemGroup>
     <ProjectCapability Include="DynamicDependentFile" />
     <ProjectCapability Include="DynamicFileNesting" />
diff --git a/Packages.props b/Packages.props
index d42526c5..d813e062 100644
--- a/Packages.props
+++ b/Packages.props
@@ -5,7 +5,6 @@
     <PackageReference Update="EntityFramework" Version="6.4.4" />
     <PackageReference Update="MartinCostello.Logging.XUnit" Version="0.1.0" />
     <PackageReference Update="Microsoft.Bcl.HashCode" Version="1.1.1" />
-    <PackageReference Update="Microsoft.CodeAnalysis.NetAnalyzers" Version="5.0.3" />
     <PackageReference Update="Microsoft.IdentityModel.JsonWebTokens" Version="6.8.0" />
     <PackageReference Update="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="6.8.0" />
     <PackageReference Update="Microsoft.NETFramework.ReferenceAssemblies" Version="1.0.0" />

From 8e478acd8ad9408e8566bbfb2763f552c5c4a4c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Sat, 19 Jun 2021 14:38:49 +0200
Subject: [PATCH 28/64] Bump Wilson to 6.11.1

---
 Packages.props | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Packages.props b/Packages.props
index d813e062..94cedfa6 100644
--- a/Packages.props
+++ b/Packages.props
@@ -5,8 +5,8 @@
     <PackageReference Update="EntityFramework" Version="6.4.4" />
     <PackageReference Update="MartinCostello.Logging.XUnit" Version="0.1.0" />
     <PackageReference Update="Microsoft.Bcl.HashCode" Version="1.1.1" />
-    <PackageReference Update="Microsoft.IdentityModel.JsonWebTokens" Version="6.8.0" />
-    <PackageReference Update="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="6.8.0" />
+    <PackageReference Update="Microsoft.IdentityModel.JsonWebTokens" Version="6.11.1" />
+    <PackageReference Update="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="6.11.1" />
     <PackageReference Update="Microsoft.NETFramework.ReferenceAssemblies" Version="1.0.0" />
     <PackageReference Update="Microsoft.Owin.Security" Version="4.2.0" />
     <PackageReference Update="Microsoft.Owin.Testing" Version="4.2.0" />

From aef4d5931b920790407e9ccf459edaf59af6e67e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Thu, 1 Jul 2021 21:04:24 +0200
Subject: [PATCH 29/64] Update the ID0112 and ID0166 messages to help debug
 invalid ASP.NET Core configurations

---
 src/OpenIddict.Abstractions/OpenIddictResources.resx | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/OpenIddict.Abstractions/OpenIddictResources.resx b/src/OpenIddict.Abstractions/OpenIddictResources.resx
index ed48e9c7..d618a837 100644
--- a/src/OpenIddict.Abstractions/OpenIddictResources.resx
+++ b/src/OpenIddict.Abstractions/OpenIddictResources.resx
@@ -500,7 +500,7 @@ Make sure that neither DefaultAuthenticateScheme, DefaultChallengeScheme, Defaul
 This may indicate that the event handler responsible of processing OpenID Connect responses was not registered or was explicitly removed from the handlers list.</value>
   </data>
   <data name="ID0112" xml:space="preserve">
-    <value>An unknown error occurred while retrieving the OpenIddict server context.</value>
+    <value>An error occurred while retrieving the OpenIddict server context. On ASP.NET Core, this may indicate that the authentication middleware was not registered early enough in the request pipeline. Make sure that 'app.UseAuthentication()' is registered before 'app.UseAuthorization()' and 'app.UseEndpoints()' (or 'app.UseMvc()') and try again.</value>
   </data>
   <data name="ID0113" xml:space="preserve">
     <value>An error occurred while authenticating the current request.</value>
@@ -716,7 +716,7 @@ This may indicate that an instance of another handler was registered with the sa
 Make sure that neither DefaultSignInScheme nor DefaultSignOutScheme point to an instance of the OpenIddict ASP.NET Core validation handler.</value>
   </data>
   <data name="ID0166" xml:space="preserve">
-    <value>An unknown error occurred while retrieving the OpenIddict validation context.</value>
+    <value>An error occurred while retrieving the OpenIddict validation context. On ASP.NET Core, this may indicate that the authentication middleware was not registered early enough in the request pipeline. Make sure that 'app.UseAuthentication()' is registered before 'app.UseAuthorization()' and 'app.UseEndpoints()' (or 'app.UseMvc()') and try again.</value>
   </data>
   <data name="ID0167" xml:space="preserve">
     <value>Generic token validation is not supported by the validation handler.</value>

From 1ea6eeb6e7e672842f02190cb40f350ab0688a5d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Sun, 25 Apr 2021 17:18:47 +0200
Subject: [PATCH 30/64] Tweak the log levels used by OpenIddict

---
 .../Managers/OpenIddictApplicationManager.cs  |  4 +-
 ...ServerAspNetCoreHandlers.Authentication.cs |  4 +-
 ...nIddictServerAspNetCoreHandlers.Session.cs |  4 +-
 .../OpenIddictServerAspNetCoreHandlers.cs     | 16 ++---
 ...IddictServerOwinHandlers.Authentication.cs |  4 +-
 .../OpenIddictServerOwinHandlers.Session.cs   |  4 +-
 .../OpenIddictServerOwinHandlers.cs           | 16 ++---
 ...OpenIddictServerHandlers.Authentication.cs | 70 +++++++++----------
 .../OpenIddictServerHandlers.Device.cs        | 20 +++---
 .../OpenIddictServerHandlers.Discovery.cs     |  2 +-
 .../OpenIddictServerHandlers.Exchange.cs      | 54 +++++++-------
 .../OpenIddictServerHandlers.Introspection.cs | 20 +++---
 .../OpenIddictServerHandlers.Revocation.cs    | 22 +++---
 .../OpenIddictServerHandlers.Session.cs       |  6 +-
 .../OpenIddictServerHandlers.Userinfo.cs      |  2 +-
 .../OpenIddictServerHandlers.cs               | 10 +--
 .../OpenIddictValidationHandlers.cs           | 10 +--
 17 files changed, 134 insertions(+), 134 deletions(-)

diff --git a/src/OpenIddict.Core/Managers/OpenIddictApplicationManager.cs b/src/OpenIddict.Core/Managers/OpenIddictApplicationManager.cs
index b0475f46..68d06639 100644
--- a/src/OpenIddict.Core/Managers/OpenIddictApplicationManager.cs
+++ b/src/OpenIddict.Core/Managers/OpenIddictApplicationManager.cs
@@ -1277,7 +1277,7 @@ namespace OpenIddict.Core
 
             if (!await ValidateClientSecretAsync(secret, value, cancellationToken))
             {
-                Logger.LogWarning(SR.GetResourceString(SR.ID6161), await GetClientIdAsync(application, cancellationToken));
+                Logger.LogInformation(SR.GetResourceString(SR.ID6161), await GetClientIdAsync(application, cancellationToken));
 
                 return false;
             }
@@ -1318,7 +1318,7 @@ namespace OpenIddict.Core
                 }
             }
 
-            Logger.LogWarning(SR.GetResourceString(SR.ID6162), address, await GetClientIdAsync(application, cancellationToken));
+            Logger.LogInformation(SR.GetResourceString(SR.ID6162), address, await GetClientIdAsync(application, cancellationToken));
 
             return false;
         }
diff --git a/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Authentication.cs b/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Authentication.cs
index 5648551c..d7203911 100644
--- a/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Authentication.cs
+++ b/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Authentication.cs
@@ -110,7 +110,7 @@ namespace OpenIddict.Server.AspNetCore
                     var token = await _cache.GetStringAsync(Cache.AuthorizationRequest + context.Request.RequestId);
                     if (token is null || !context.Options.JsonWebTokenHandler.CanReadToken(token))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6146), Parameters.RequestId);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6146), Parameters.RequestId);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -128,7 +128,7 @@ namespace OpenIddict.Server.AspNetCore
                     var result = context.Options.JsonWebTokenHandler.ValidateToken(token, parameters);
                     if (!result.IsValid)
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6146), Parameters.RequestId);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6146), Parameters.RequestId);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
diff --git a/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Session.cs b/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Session.cs
index fb444a82..e6553286 100644
--- a/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Session.cs
+++ b/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.Session.cs
@@ -108,7 +108,7 @@ namespace OpenIddict.Server.AspNetCore
                     var token = await _cache.GetStringAsync(Cache.LogoutRequest + context.Request.RequestId);
                     if (token is null || !context.Options.JsonWebTokenHandler.CanReadToken(token))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6150), Parameters.RequestId);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6150), Parameters.RequestId);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -126,7 +126,7 @@ namespace OpenIddict.Server.AspNetCore
                     var result = context.Options.JsonWebTokenHandler.ValidateToken(token, parameters);
                     if (!result.IsValid)
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6150), Parameters.RequestId);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6150), Parameters.RequestId);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
diff --git a/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.cs b/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.cs
index 4e6f9857..843450a4 100644
--- a/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.cs
+++ b/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandlers.cs
@@ -427,7 +427,7 @@ namespace OpenIddict.Server.AspNetCore
 
                 else
                 {
-                    context.Logger.LogError(SR.GetResourceString(SR.ID6137), request.Method);
+                    context.Logger.LogInformation(SR.GetResourceString(SR.ID6137), request.Method);
 
                     context.Reject(
                         error: Errors.InvalidRequest,
@@ -484,7 +484,7 @@ namespace OpenIddict.Server.AspNetCore
                     // See http://openid.net/specs/openid-connect-core-1_0.html#FormSerialization
                     if (string.IsNullOrEmpty(request.ContentType))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6138), HeaderNames.ContentType);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6138), HeaderNames.ContentType);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -497,7 +497,7 @@ namespace OpenIddict.Server.AspNetCore
                     // May have media/type; charset=utf-8, allow partial match.
                     if (!request.ContentType.StartsWith("application/x-www-form-urlencoded", StringComparison.OrdinalIgnoreCase))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6139), HeaderNames.ContentType, request.ContentType);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6139), HeaderNames.ContentType, request.ContentType);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -512,7 +512,7 @@ namespace OpenIddict.Server.AspNetCore
 
                 else
                 {
-                    context.Logger.LogError(SR.GetResourceString(SR.ID6137), request.Method);
+                    context.Logger.LogInformation(SR.GetResourceString(SR.ID6137), request.Method);
 
                     context.Reject(
                         error: Errors.InvalidRequest,
@@ -562,7 +562,7 @@ namespace OpenIddict.Server.AspNetCore
                     // See http://openid.net/specs/openid-connect-core-1_0.html#FormSerialization
                     if (string.IsNullOrEmpty(request.ContentType))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6138), HeaderNames.ContentType);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6138), HeaderNames.ContentType);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -575,7 +575,7 @@ namespace OpenIddict.Server.AspNetCore
                     // May have media/type; charset=utf-8, allow partial match.
                     if (!request.ContentType.StartsWith("application/x-www-form-urlencoded", StringComparison.OrdinalIgnoreCase))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6139), HeaderNames.ContentType, request.ContentType);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6139), HeaderNames.ContentType, request.ContentType);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -590,7 +590,7 @@ namespace OpenIddict.Server.AspNetCore
 
                 else
                 {
-                    context.Logger.LogError(SR.GetResourceString(SR.ID6137), request.Method);
+                    context.Logger.LogInformation(SR.GetResourceString(SR.ID6137), request.Method);
 
                     context.Reject(
                         error: Errors.InvalidRequest,
@@ -649,7 +649,7 @@ namespace OpenIddict.Server.AspNetCore
                 if (!string.IsNullOrEmpty(context.Transaction.Request.ClientAssertion) ||
                     !string.IsNullOrEmpty(context.Transaction.Request.ClientSecret))
                 {
-                    context.Logger.LogError(SR.GetResourceString(SR.ID6140));
+                    context.Logger.LogInformation(SR.GetResourceString(SR.ID6140));
 
                     context.Reject(
                         error: Errors.InvalidRequest,
diff --git a/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Authentication.cs b/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Authentication.cs
index 6c786cad..5e5cedfb 100644
--- a/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Authentication.cs
+++ b/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Authentication.cs
@@ -109,7 +109,7 @@ namespace OpenIddict.Server.Owin
                     var token = await _cache.GetStringAsync(Cache.AuthorizationRequest + context.Request.RequestId);
                     if (token is null || !context.Options.JsonWebTokenHandler.CanReadToken(token))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6146), Parameters.RequestId);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6146), Parameters.RequestId);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -127,7 +127,7 @@ namespace OpenIddict.Server.Owin
                     var result = context.Options.JsonWebTokenHandler.ValidateToken(token, parameters);
                     if (!result.IsValid)
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6146), Parameters.RequestId);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6146), Parameters.RequestId);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
diff --git a/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Session.cs b/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Session.cs
index b2255ed7..df63c363 100644
--- a/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Session.cs
+++ b/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.Session.cs
@@ -107,7 +107,7 @@ namespace OpenIddict.Server.Owin
                     var token = await _cache.GetStringAsync(Cache.LogoutRequest + context.Request.RequestId);
                     if (token is null || !context.Options.JsonWebTokenHandler.CanReadToken(token))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6150), Parameters.RequestId);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6150), Parameters.RequestId);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -125,7 +125,7 @@ namespace OpenIddict.Server.Owin
                     var result = context.Options.JsonWebTokenHandler.ValidateToken(token, parameters);
                     if (!result.IsValid)
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6150), Parameters.RequestId);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6150), Parameters.RequestId);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
diff --git a/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.cs b/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.cs
index 14aa5b88..aecc76af 100644
--- a/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.cs
+++ b/src/OpenIddict.Server.Owin/OpenIddictServerOwinHandlers.cs
@@ -365,7 +365,7 @@ namespace OpenIddict.Server.Owin
 
                 else
                 {
-                    context.Logger.LogError(SR.GetResourceString(SR.ID6137), request.Method);
+                    context.Logger.LogInformation(SR.GetResourceString(SR.ID6137), request.Method);
 
                     context.Reject(
                         error: Errors.InvalidRequest,
@@ -422,7 +422,7 @@ namespace OpenIddict.Server.Owin
                     // See http://openid.net/specs/openid-connect-core-1_0.html#FormSerialization
                     if (string.IsNullOrEmpty(request.ContentType))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6138), Headers.ContentType);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6138), Headers.ContentType);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -435,7 +435,7 @@ namespace OpenIddict.Server.Owin
                     // May have media/type; charset=utf-8, allow partial match.
                     if (!request.ContentType.StartsWith("application/x-www-form-urlencoded", StringComparison.OrdinalIgnoreCase))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6139), Headers.ContentType, request.ContentType);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6139), Headers.ContentType, request.ContentType);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -450,7 +450,7 @@ namespace OpenIddict.Server.Owin
 
                 else
                 {
-                    context.Logger.LogError(SR.GetResourceString(SR.ID6137), request.Method);
+                    context.Logger.LogInformation(SR.GetResourceString(SR.ID6137), request.Method);
 
                     context.Reject(
                         error: Errors.InvalidRequest,
@@ -500,7 +500,7 @@ namespace OpenIddict.Server.Owin
                     // See http://openid.net/specs/openid-connect-core-1_0.html#FormSerialization
                     if (string.IsNullOrEmpty(request.ContentType))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6138), Headers.ContentType);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6138), Headers.ContentType);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -513,7 +513,7 @@ namespace OpenIddict.Server.Owin
                     // May have media/type; charset=utf-8, allow partial match.
                     if (!request.ContentType.StartsWith("application/x-www-form-urlencoded", StringComparison.OrdinalIgnoreCase))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6139), Headers.ContentType, request.ContentType);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6139), Headers.ContentType, request.ContentType);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -528,7 +528,7 @@ namespace OpenIddict.Server.Owin
 
                 else
                 {
-                    context.Logger.LogError(SR.GetResourceString(SR.ID6137), request.Method);
+                    context.Logger.LogInformation(SR.GetResourceString(SR.ID6137), request.Method);
 
                     context.Reject(
                         error: Errors.InvalidRequest,
@@ -587,7 +587,7 @@ namespace OpenIddict.Server.Owin
                 if (!string.IsNullOrEmpty(context.Transaction.Request.ClientAssertion) ||
                     !string.IsNullOrEmpty(context.Transaction.Request.ClientSecret))
                 {
-                    context.Logger.LogError(SR.GetResourceString(SR.ID6140));
+                    context.Logger.LogInformation(SR.GetResourceString(SR.ID6140));
 
                     context.Reject(
                         error: Errors.InvalidRequest,
diff --git a/src/OpenIddict.Server/OpenIddictServerHandlers.Authentication.cs b/src/OpenIddict.Server/OpenIddictServerHandlers.Authentication.cs
index fda3e1d3..ff339473 100644
--- a/src/OpenIddict.Server/OpenIddictServerHandlers.Authentication.cs
+++ b/src/OpenIddict.Server/OpenIddictServerHandlers.Authentication.cs
@@ -358,7 +358,7 @@ namespace OpenIddict.Server
                     // Reject requests using the unsupported request parameter.
                     if (!string.IsNullOrEmpty(context.Request.Request))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6032), Parameters.Request);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6032), Parameters.Request);
 
                         context.Reject(
                             error: Errors.RequestNotSupported,
@@ -398,7 +398,7 @@ namespace OpenIddict.Server
                     // Reject requests using the unsupported request_uri parameter.
                     if (!string.IsNullOrEmpty(context.Request.RequestUri))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6032), Parameters.RequestUri);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6032), Parameters.RequestUri);
 
                         context.Reject(
                             error: Errors.RequestUriNotSupported,
@@ -439,7 +439,7 @@ namespace OpenIddict.Server
                     // See http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest.
                     if (string.IsNullOrEmpty(context.ClientId))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6033), Parameters.ClientId);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6033), Parameters.ClientId);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -485,7 +485,7 @@ namespace OpenIddict.Server
                     {
                         if (context.Request.HasScope(Scopes.OpenId))
                         {
-                            context.Logger.LogError(SR.GetResourceString(SR.ID6033), Parameters.RedirectUri);
+                            context.Logger.LogInformation(SR.GetResourceString(SR.ID6033), Parameters.RedirectUri);
 
                             context.Reject(
                                 error: Errors.InvalidRequest,
@@ -508,7 +508,7 @@ namespace OpenIddict.Server
                     // See https://github.com/dotnet/corefx/issues/22098 for more information.
                     if (!Uri.TryCreate(context.RedirectUri, UriKind.Absolute, out Uri? uri) || !uri.IsWellFormedOriginalString())
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6034), Parameters.RedirectUri, context.RedirectUri);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6034), Parameters.RedirectUri, context.RedirectUri);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -523,7 +523,7 @@ namespace OpenIddict.Server
                     // and http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
                     if (!string.IsNullOrEmpty(uri.Fragment))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6035), Parameters.RedirectUri, context.RedirectUri);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6035), Parameters.RedirectUri, context.RedirectUri);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -563,7 +563,7 @@ namespace OpenIddict.Server
                     // Reject requests missing the mandatory response_type parameter.
                     if (string.IsNullOrEmpty(context.Request.ResponseType))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6033), Parameters.ResponseType);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6033), Parameters.ResponseType);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -576,7 +576,7 @@ namespace OpenIddict.Server
                     // Reject code flow requests if the server is not configured to allow the authorization code grant type.
                     if (context.Request.IsAuthorizationCodeFlow() && !context.Options.GrantTypes.Contains(GrantTypes.AuthorizationCode))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6036), context.Request.ResponseType);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6036), context.Request.ResponseType);
 
                         context.Reject(
                             error: Errors.UnsupportedResponseType,
@@ -589,7 +589,7 @@ namespace OpenIddict.Server
                     // Reject implicit flow requests if the server is not configured to allow the implicit grant type.
                     if (context.Request.IsImplicitFlow() && !context.Options.GrantTypes.Contains(GrantTypes.Implicit))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6036), context.Request.ResponseType);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6036), context.Request.ResponseType);
 
                         context.Reject(
                             error: Errors.UnsupportedResponseType,
@@ -603,7 +603,7 @@ namespace OpenIddict.Server
                     if (context.Request.IsHybridFlow() && (!context.Options.GrantTypes.Contains(GrantTypes.AuthorizationCode) ||
                                                            !context.Options.GrantTypes.Contains(GrantTypes.Implicit)))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6036), context.Request.ResponseType);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6036), context.Request.ResponseType);
 
                         context.Reject(
                             error: Errors.UnsupportedResponseType,
@@ -618,7 +618,7 @@ namespace OpenIddict.Server
                     if (!context.Options.ResponseTypes.Any(type =>
                         types.SetEquals(type.Split(Separators.Space, StringSplitOptions.RemoveEmptyEntries))))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6036), context.Request.ResponseType);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6036), context.Request.ResponseType);
 
                         context.Reject(
                             error: Errors.UnsupportedResponseType,
@@ -661,7 +661,7 @@ namespace OpenIddict.Server
                     if (context.Request.IsQueryResponseMode() && (context.Request.HasResponseType(ResponseTypes.IdToken) ||
                                                                   context.Request.HasResponseType(ResponseTypes.Token)))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6037), context.Request.ResponseType, context.Request.ResponseMode);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6037), context.Request.ResponseType, context.Request.ResponseMode);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -675,7 +675,7 @@ namespace OpenIddict.Server
                     // if the default response_mode inferred from the response_type was explicitly disabled in the options.
                     if (!ValidateResponseMode(context.Request, context.Options))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6038), context.Request.ResponseMode);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6038), context.Request.ResponseMode);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -740,7 +740,7 @@ namespace OpenIddict.Server
                     // Reject authorization requests containing the id_token response_type if no openid scope has been received.
                     if (context.Request.HasResponseType(ResponseTypes.IdToken) && !context.Request.HasScope(Scopes.OpenId))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6039), Scopes.OpenId);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6039), Scopes.OpenId);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -800,7 +800,7 @@ namespace OpenIddict.Server
 
                     if (context.Request.IsImplicitFlow() || context.Request.IsHybridFlow())
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6033), Parameters.Nonce);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6033), Parameters.Nonce);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -842,7 +842,7 @@ namespace OpenIddict.Server
                                                                     context.Request.HasPrompt(Prompts.Login) ||
                                                                     context.Request.HasPrompt(Prompts.SelectAccount)))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6040));
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6040));
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -885,7 +885,7 @@ namespace OpenIddict.Server
                         context.Request.HasResponseType(ResponseTypes.Code) &&
                         string.IsNullOrEmpty(context.Request.CodeChallenge))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6033), Parameters.CodeChallenge);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6033), Parameters.CodeChallenge);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -906,7 +906,7 @@ namespace OpenIddict.Server
                     // Ensure a code_challenge was specified if a code_challenge_method was used.
                     if (string.IsNullOrEmpty(context.Request.CodeChallenge))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6033), Parameters.CodeChallenge);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6033), Parameters.CodeChallenge);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -921,7 +921,7 @@ namespace OpenIddict.Server
                     if (string.IsNullOrEmpty(context.Request.CodeChallengeMethod) &&
                         !context.Options.CodeChallengeMethods.Contains(CodeChallengeMethods.Plain))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6033), Parameters.CodeChallengeMethod);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6033), Parameters.CodeChallengeMethod);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -935,7 +935,7 @@ namespace OpenIddict.Server
                     if (!string.IsNullOrEmpty(context.Request.CodeChallengeMethod) &&
                         !context.Options.CodeChallengeMethods.Contains(context.Request.CodeChallengeMethod))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6041));
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6041));
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -948,7 +948,7 @@ namespace OpenIddict.Server
                     // When code_challenge or code_challenge_method is specified, ensure the response_type includes "code".
                     if (!context.Request.HasResponseType(ResponseTypes.Code))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6042));
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6042));
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -961,7 +961,7 @@ namespace OpenIddict.Server
                     // Reject authorization requests that contain response_type=token when a code_challenge is specified.
                     if (context.Request.HasResponseType(ResponseTypes.Token))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6043));
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6043));
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -1012,7 +1012,7 @@ namespace OpenIddict.Server
                     var application = await _applicationManager.FindByClientIdAsync(context.ClientId);
                     if (application is null)
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6044), context.ClientId);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6044), context.ClientId);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -1079,7 +1079,7 @@ namespace OpenIddict.Server
 
                     if (await _applicationManager.HasClientTypeAsync(application, ClientTypes.Confidential))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6045), context.ClientId);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6045), context.ClientId);
 
                         context.Reject(
                             error: Errors.UnauthorizedClient,
@@ -1138,7 +1138,7 @@ namespace OpenIddict.Server
                         var addresses = await _applicationManager.GetRedirectUrisAsync(application);
                         if (addresses.Length != 1)
                         {
-                            context.Logger.LogError(SR.GetResourceString(SR.ID6033), Parameters.RedirectUri);
+                            context.Logger.LogInformation(SR.GetResourceString(SR.ID6033), Parameters.RedirectUri);
 
                             context.Reject(
                                 error: Errors.InvalidRequest,
@@ -1156,7 +1156,7 @@ namespace OpenIddict.Server
                     // Otherwise, ensure that the specified redirect_uri is valid and is associated with the client application.
                     if (!await _applicationManager.ValidateRedirectUriAsync(application, context.RedirectUri))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6046), context.RedirectUri);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6046), context.RedirectUri);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -1235,7 +1235,7 @@ namespace OpenIddict.Server
                     // If at least one scope was not recognized, return an error.
                     if (scopes.Count != 0)
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6047), scopes);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6047), scopes);
 
                         context.Reject(
                             error: Errors.InvalidScope,
@@ -1291,7 +1291,7 @@ namespace OpenIddict.Server
                     // Reject the request if the application is not allowed to use the authorization endpoint.
                     if (!await _applicationManager.HasPermissionAsync(application, Permissions.Endpoints.Authorization))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6048), context.ClientId);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6048), context.ClientId);
 
                         context.Reject(
                             error: Errors.UnauthorizedClient,
@@ -1348,7 +1348,7 @@ namespace OpenIddict.Server
                     if (context.Request.IsAuthorizationCodeFlow() &&
                         !await _applicationManager.HasPermissionAsync(application, Permissions.GrantTypes.AuthorizationCode))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6049), context.ClientId);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6049), context.ClientId);
 
                         context.Reject(
                             error: Errors.UnauthorizedClient,
@@ -1362,7 +1362,7 @@ namespace OpenIddict.Server
                     if (context.Request.IsImplicitFlow() &&
                         !await _applicationManager.HasPermissionAsync(application, Permissions.GrantTypes.Implicit))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6050), context.ClientId);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6050), context.ClientId);
 
                         context.Reject(
                             error: Errors.UnauthorizedClient,
@@ -1377,7 +1377,7 @@ namespace OpenIddict.Server
                        (!await _applicationManager.HasPermissionAsync(application, Permissions.GrantTypes.AuthorizationCode) ||
                         !await _applicationManager.HasPermissionAsync(application, Permissions.GrantTypes.Implicit)))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6051), context.ClientId);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6051), context.ClientId);
 
                         context.Reject(
                             error: Errors.UnauthorizedClient,
@@ -1392,7 +1392,7 @@ namespace OpenIddict.Server
                     if (context.Request.HasScope(Scopes.OfflineAccess) &&
                        !await _applicationManager.HasPermissionAsync(application, Permissions.GrantTypes.RefreshToken))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6052), context.ClientId, Scopes.OfflineAccess);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6052), context.ClientId, Scopes.OfflineAccess);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -1448,7 +1448,7 @@ namespace OpenIddict.Server
                     // Reject requests that specify a response_type for which no permission was granted.
                     if (!await HasPermissionAsync(context.Request.GetResponseTypes()))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6177), context.ClientId, context.Request.ResponseType);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6177), context.ClientId, context.Request.ResponseType);
 
                         context.Reject(
                             error: Errors.UnauthorizedClient,
@@ -1540,7 +1540,7 @@ namespace OpenIddict.Server
                         // Reject the request if the application is not allowed to use the iterated scope.
                         if (!await _applicationManager.HasPermissionAsync(application, Permissions.Prefixes.Scope + scope))
                         {
-                            context.Logger.LogError(SR.GetResourceString(SR.ID6052), context.ClientId, scope);
+                            context.Logger.LogInformation(SR.GetResourceString(SR.ID6052), context.ClientId, scope);
 
                             context.Reject(
                                 error: Errors.InvalidRequest,
@@ -1603,7 +1603,7 @@ namespace OpenIddict.Server
 
                     if (await _applicationManager.HasRequirementAsync(application, Requirements.Features.ProofKeyForCodeExchange))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6033), Parameters.CodeChallenge);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6033), Parameters.CodeChallenge);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
diff --git a/src/OpenIddict.Server/OpenIddictServerHandlers.Device.cs b/src/OpenIddict.Server/OpenIddictServerHandlers.Device.cs
index e8c47ea4..a9b91fd4 100644
--- a/src/OpenIddict.Server/OpenIddictServerHandlers.Device.cs
+++ b/src/OpenIddict.Server/OpenIddictServerHandlers.Device.cs
@@ -353,7 +353,7 @@ namespace OpenIddict.Server
                     // See https://tools.ietf.org/html/rfc8628#section-3.1 for more information.
                     if (string.IsNullOrEmpty(context.ClientId))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6056));
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6056));
 
                         context.Reject(
                             error: Errors.InvalidClient,
@@ -472,7 +472,7 @@ namespace OpenIddict.Server
                     // If at least one scope was not recognized, return an error.
                     if (scopes.Count != 0)
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6057), scopes);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6057), scopes);
 
                         context.Reject(
                             error: Errors.InvalidScope,
@@ -524,7 +524,7 @@ namespace OpenIddict.Server
                     var application = await _applicationManager.FindByClientIdAsync(context.ClientId);
                     if (application is null)
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6058), context.ClientId);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6058), context.ClientId);
 
                         context.Reject(
                             error: Errors.InvalidClient,
@@ -583,7 +583,7 @@ namespace OpenIddict.Server
                         // Reject device requests containing a client_secret when the client is a public application.
                         if (!string.IsNullOrEmpty(context.ClientSecret))
                         {
-                            context.Logger.LogError(SR.GetResourceString(SR.ID6059), context.ClientId);
+                            context.Logger.LogInformation(SR.GetResourceString(SR.ID6059), context.ClientId);
 
                             context.Reject(
                                 error: Errors.InvalidClient,
@@ -599,7 +599,7 @@ namespace OpenIddict.Server
                     // Confidential and hybrid applications MUST authenticate to protect them from impersonation attacks.
                     if (string.IsNullOrEmpty(context.ClientSecret))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6060), context.ClientId);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6060), context.ClientId);
 
                         context.Reject(
                             error: Errors.InvalidClient,
@@ -662,7 +662,7 @@ namespace OpenIddict.Server
 
                     if (!await _applicationManager.ValidateClientSecretAsync(application, context.ClientSecret))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6061), context.ClientId);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6061), context.ClientId);
 
                         context.Reject(
                             error: Errors.InvalidClient,
@@ -720,7 +720,7 @@ namespace OpenIddict.Server
                     // Reject the request if the application is not allowed to use the device endpoint.
                     if (!await _applicationManager.HasPermissionAsync(application, Permissions.Endpoints.Device))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6062), context.ClientId);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6062), context.ClientId);
 
                         context.Reject(
                             error: Errors.UnauthorizedClient,
@@ -776,7 +776,7 @@ namespace OpenIddict.Server
                     // Reject the request if the application is not allowed to use the device code grant.
                     if (!await _applicationManager.HasPermissionAsync(application, Permissions.GrantTypes.DeviceCode))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6118), context.ClientId);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6118), context.ClientId);
 
                         context.Reject(
                             error: Errors.UnauthorizedClient,
@@ -791,7 +791,7 @@ namespace OpenIddict.Server
                     if (context.Request.HasScope(Scopes.OfflineAccess) &&
                        !await _applicationManager.HasPermissionAsync(application, Permissions.GrantTypes.RefreshToken))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6120), context.ClientId, Scopes.OfflineAccess);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6120), context.ClientId, Scopes.OfflineAccess);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -858,7 +858,7 @@ namespace OpenIddict.Server
                         // Reject the request if the application is not allowed to use the iterated scope.
                         if (!await _applicationManager.HasPermissionAsync(application, Permissions.Prefixes.Scope + scope))
                         {
-                            context.Logger.LogError(SR.GetResourceString(SR.ID6063), context.ClientId, scope);
+                            context.Logger.LogInformation(SR.GetResourceString(SR.ID6063), context.ClientId, scope);
 
                             context.Reject(
                                 error: Errors.InvalidRequest,
diff --git a/src/OpenIddict.Server/OpenIddictServerHandlers.Discovery.cs b/src/OpenIddict.Server/OpenIddictServerHandlers.Discovery.cs
index 11d84241..836e3ceb 100644
--- a/src/OpenIddict.Server/OpenIddictServerHandlers.Discovery.cs
+++ b/src/OpenIddict.Server/OpenIddictServerHandlers.Discovery.cs
@@ -942,7 +942,7 @@ namespace OpenIddict.Server
                         // See https://tools.ietf.org/html/rfc7517#section-4.1
                         if (string.IsNullOrEmpty(key.Kty))
                         {
-                            context.Logger.LogError(SR.GetResourceString(SR.ID6070), JsonWebKeyParameterNames.Kty);
+                            context.Logger.LogWarning(SR.GetResourceString(SR.ID6070), JsonWebKeyParameterNames.Kty);
 
                             continue;
                         }
diff --git a/src/OpenIddict.Server/OpenIddictServerHandlers.Exchange.cs b/src/OpenIddict.Server/OpenIddictServerHandlers.Exchange.cs
index 937c51ad..2ff73e61 100644
--- a/src/OpenIddict.Server/OpenIddictServerHandlers.Exchange.cs
+++ b/src/OpenIddict.Server/OpenIddictServerHandlers.Exchange.cs
@@ -360,7 +360,7 @@ namespace OpenIddict.Server
                     // Reject token requests missing the mandatory grant_type parameter.
                     if (string.IsNullOrEmpty(context.Request.GrantType))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6077), Parameters.GrantType);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6077), Parameters.GrantType);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -373,7 +373,7 @@ namespace OpenIddict.Server
                     // Reject token requests that don't specify a supported grant type.
                     if (!context.Options.GrantTypes.Contains(context.Request.GrantType))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6078), context.Request.GrantType);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6078), context.Request.GrantType);
 
                         context.Reject(
                             error: Errors.UnsupportedGrantType,
@@ -434,7 +434,7 @@ namespace OpenIddict.Server
                     // See https://tools.ietf.org/html/rfc6749#section-4.1.3 for more information.
                     if (!context.Options.AcceptAnonymousClients || context.Request.IsAuthorizationCodeGrantType())
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6077), Parameters.ClientId);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6077), Parameters.ClientId);
 
                         context.Reject(
                             error: Errors.InvalidClient,
@@ -476,7 +476,7 @@ namespace OpenIddict.Server
                     // See https://tools.ietf.org/html/rfc6749#section-4.1.3 for more information.
                     if (context.Request.IsAuthorizationCodeGrantType() && string.IsNullOrEmpty(context.Request.Code))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6077), Parameters.Code);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6077), Parameters.Code);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -599,7 +599,7 @@ namespace OpenIddict.Server
                     // See https://tools.ietf.org/html/rfc6749#section-6 for more information.
                     if (context.Request.IsRefreshTokenGrantType() && string.IsNullOrEmpty(context.Request.RefreshToken))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6077), Parameters.RefreshToken);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6077), Parameters.RefreshToken);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -642,7 +642,7 @@ namespace OpenIddict.Server
                     if (context.Request.IsPasswordGrantType() && (string.IsNullOrEmpty(context.Request.Username) ||
                                                                   string.IsNullOrEmpty(context.Request.Password)))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6079));
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6079));
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -690,7 +690,7 @@ namespace OpenIddict.Server
                     // If OpenIddict was configured to require PKCE, this can be potentially avoided by making an early check here.
                     if (context.Options.RequireProofKeyForCodeExchange && string.IsNullOrEmpty(context.Request.CodeVerifier))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6033), Parameters.CodeVerifier);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6033), Parameters.CodeVerifier);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -771,7 +771,7 @@ namespace OpenIddict.Server
                     // If at least one scope was not recognized, return an error.
                     if (scopes.Count != 0)
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6080), scopes);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6080), scopes);
 
                         context.Reject(
                             error: Errors.InvalidScope,
@@ -823,7 +823,7 @@ namespace OpenIddict.Server
                     var application = await _applicationManager.FindByClientIdAsync(context.ClientId);
                     if (application is null)
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6081), context.ClientId);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6081), context.ClientId);
 
                         context.Reject(
                             error: Errors.InvalidClient,
@@ -882,7 +882,7 @@ namespace OpenIddict.Server
                         // Public applications are not allowed to use the client credentials grant.
                         if (context.Request.IsClientCredentialsGrantType())
                         {
-                            context.Logger.LogError(SR.GetResourceString(SR.ID6082), context.Request.ClientId);
+                            context.Logger.LogInformation(SR.GetResourceString(SR.ID6082), context.Request.ClientId);
 
                             context.Reject(
                                 error: Errors.UnauthorizedClient,
@@ -895,7 +895,7 @@ namespace OpenIddict.Server
                         // Reject token requests containing a client_secret when the client is a public application.
                         if (!string.IsNullOrEmpty(context.ClientSecret))
                         {
-                            context.Logger.LogError(SR.GetResourceString(SR.ID6083), context.ClientId);
+                            context.Logger.LogInformation(SR.GetResourceString(SR.ID6083), context.ClientId);
 
                             context.Reject(
                                 error: Errors.InvalidClient,
@@ -911,7 +911,7 @@ namespace OpenIddict.Server
                     // Confidential and hybrid applications MUST authenticate to protect them from impersonation attacks.
                     if (string.IsNullOrEmpty(context.ClientSecret))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6084), context.ClientId);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6084), context.ClientId);
 
                         context.Reject(
                             error: Errors.InvalidClient,
@@ -974,7 +974,7 @@ namespace OpenIddict.Server
 
                     if (!await _applicationManager.ValidateClientSecretAsync(application, context.ClientSecret))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6085), context.ClientId);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6085), context.ClientId);
 
                         context.Reject(
                             error: Errors.InvalidClient,
@@ -1032,7 +1032,7 @@ namespace OpenIddict.Server
                     // Reject the request if the application is not allowed to use the token endpoint.
                     if (!await _applicationManager.HasPermissionAsync(application, Permissions.Endpoints.Token))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6086), context.ClientId);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6086), context.ClientId);
 
                         context.Reject(
                             error: Errors.UnauthorizedClient,
@@ -1090,7 +1090,7 @@ namespace OpenIddict.Server
                     // Reject the request if the application is not allowed to use the specified grant type.
                     if (!await _applicationManager.HasPermissionAsync(application, Permissions.Prefixes.GrantType + context.Request.GrantType))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6087), context.ClientId, context.Request.GrantType);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6087), context.ClientId, context.Request.GrantType);
 
                         context.Reject(
                             error: Errors.UnauthorizedClient,
@@ -1105,7 +1105,7 @@ namespace OpenIddict.Server
                     if (context.Request.HasScope(Scopes.OfflineAccess) &&
                         !await _applicationManager.HasPermissionAsync(application, Permissions.GrantTypes.RefreshToken))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6088), context.ClientId, Scopes.OfflineAccess);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6088), context.ClientId, Scopes.OfflineAccess);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -1172,7 +1172,7 @@ namespace OpenIddict.Server
                         // Reject the request if the application is not allowed to use the iterated scope.
                         if (!await _applicationManager.HasPermissionAsync(application, Permissions.Prefixes.Scope + scope))
                         {
-                            context.Logger.LogError(SR.GetResourceString(SR.ID6089), context.ClientId, scope);
+                            context.Logger.LogInformation(SR.GetResourceString(SR.ID6089), context.ClientId, scope);
 
                             context.Reject(
                                 error: Errors.InvalidRequest,
@@ -1241,7 +1241,7 @@ namespace OpenIddict.Server
 
                     if (await _applicationManager.HasRequirementAsync(application, Requirements.Features.ProofKeyForCodeExchange))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6077), Parameters.CodeVerifier);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6077), Parameters.CodeVerifier);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -1377,7 +1377,7 @@ namespace OpenIddict.Server
                     // reject the request if the client_id of the caller cannot be retrieved or inferred.
                     if (string.IsNullOrEmpty(context.ClientId))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6090));
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6090));
 
                         context.Reject(
                             error: Errors.InvalidGrant,
@@ -1397,7 +1397,7 @@ namespace OpenIddict.Server
                     // and http://openid.net/specs/openid-connect-core-1_0.html#RefreshingAccessToken.
                     if (!presenters.Contains(context.ClientId))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6091));
+                        context.Logger.LogWarning(SR.GetResourceString(SR.ID6091));
 
                         context.Reject(
                             error: Errors.InvalidGrant,
@@ -1460,7 +1460,7 @@ namespace OpenIddict.Server
 
                     if (string.IsNullOrEmpty(context.Request.RedirectUri))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6077), Parameters.RedirectUri);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6077), Parameters.RedirectUri);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -1472,7 +1472,7 @@ namespace OpenIddict.Server
 
                     if (!string.Equals(address, context.Request.RedirectUri, StringComparison.Ordinal))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6092), Parameters.RedirectUri);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6092), Parameters.RedirectUri);
 
                         context.Reject(
                             error: Errors.InvalidGrant,
@@ -1529,7 +1529,7 @@ namespace OpenIddict.Server
                         // when code_challenge private claim was attached to the authorization code.
                         if (!string.IsNullOrEmpty(context.Request.CodeVerifier))
                         {
-                            context.Logger.LogError(SR.GetResourceString(SR.ID6093), Parameters.CodeVerifier);
+                            context.Logger.LogInformation(SR.GetResourceString(SR.ID6093), Parameters.CodeVerifier);
 
                             context.Reject(
                                 error: Errors.InvalidRequest,
@@ -1545,7 +1545,7 @@ namespace OpenIddict.Server
                     // Get the code verifier from the token request. If it cannot be found, return an invalid_grant error.
                     if (string.IsNullOrEmpty(context.Request.CodeVerifier))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6077), Parameters.CodeVerifier);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6077), Parameters.CodeVerifier);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -1590,7 +1590,7 @@ namespace OpenIddict.Server
                     if (!Arrays.ConstantTimeAreEqual(data, Encoding.ASCII.GetBytes(challenge)))
 #endif
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6092), Parameters.CodeVerifier);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6092), Parameters.CodeVerifier);
 
                         context.Reject(
                             error: Errors.InvalidGrant,
@@ -1646,7 +1646,7 @@ namespace OpenIddict.Server
                     var scopes = new HashSet<string>(context.Principal.GetScopes(), StringComparer.Ordinal);
                     if (scopes.Count == 0)
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6094), Parameters.Scope);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6094), Parameters.Scope);
 
                         context.Reject(
                             error: Errors.InvalidGrant,
@@ -1662,7 +1662,7 @@ namespace OpenIddict.Server
                     // See https://tools.ietf.org/html/rfc6749#section-6 for more information.
                     else if (!scopes.IsSupersetOf(context.Request.GetScopes()))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6095), Parameters.Scope);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6095), Parameters.Scope);
 
                         context.Reject(
                             error: Errors.InvalidGrant,
diff --git a/src/OpenIddict.Server/OpenIddictServerHandlers.Introspection.cs b/src/OpenIddict.Server/OpenIddictServerHandlers.Introspection.cs
index c583543e..ffb4042d 100644
--- a/src/OpenIddict.Server/OpenIddictServerHandlers.Introspection.cs
+++ b/src/OpenIddict.Server/OpenIddictServerHandlers.Introspection.cs
@@ -367,7 +367,7 @@ namespace OpenIddict.Server
                     // Reject introspection requests missing the mandatory token parameter.
                     if (string.IsNullOrEmpty(context.Request.Token))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6098), Parameters.Token);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6098), Parameters.Token);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -407,7 +407,7 @@ namespace OpenIddict.Server
                     // At this stage, reject the introspection request unless the client identification requirement was disabled.
                     if (!context.Options.AcceptAnonymousClients && string.IsNullOrEmpty(context.ClientId))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6098), Parameters.ClientId);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6098), Parameters.ClientId);
 
                         context.Reject(
                             error: Errors.InvalidClient,
@@ -461,7 +461,7 @@ namespace OpenIddict.Server
                     var application = await _applicationManager.FindByClientIdAsync(context.ClientId);
                     if (application is null)
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6099), context.ClientId);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6099), context.ClientId);
 
                         context.Reject(
                             error: Errors.InvalidClient,
@@ -520,7 +520,7 @@ namespace OpenIddict.Server
                         // Reject introspection requests containing a client_secret when the client is a public application.
                         if (!string.IsNullOrEmpty(context.ClientSecret))
                         {
-                            context.Logger.LogError(SR.GetResourceString(SR.ID6100), context.ClientId);
+                            context.Logger.LogInformation(SR.GetResourceString(SR.ID6100), context.ClientId);
 
                             context.Reject(
                                 error: Errors.InvalidClient,
@@ -536,7 +536,7 @@ namespace OpenIddict.Server
                     // Confidential and hybrid applications MUST authenticate to protect them from impersonation attacks.
                     if (string.IsNullOrEmpty(context.ClientSecret))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6101), context.ClientId);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6101), context.ClientId);
 
                         context.Reject(
                             error: Errors.InvalidClient,
@@ -599,7 +599,7 @@ namespace OpenIddict.Server
 
                     if (!await _applicationManager.ValidateClientSecretAsync(application, context.ClientSecret))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6102), context.ClientId);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6102), context.ClientId);
 
                         context.Reject(
                             error: Errors.InvalidClient,
@@ -657,7 +657,7 @@ namespace OpenIddict.Server
                     // Reject the request if the application is not allowed to use the introspection endpoint.
                     if (!await _applicationManager.HasPermissionAsync(application, Permissions.Endpoints.Introspection))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6103), context.ClientId);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6103), context.ClientId);
 
                         context.Reject(
                             error: Errors.UnauthorizedClient,
@@ -754,7 +754,7 @@ namespace OpenIddict.Server
                     if (!context.Principal.HasTokenType(TokenTypeHints.AccessToken) &&
                         !context.Principal.HasTokenType(TokenTypeHints.RefreshToken))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6104));
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6104));
 
                         context.Reject(
                             error: Errors.UnsupportedTokenType,
@@ -807,7 +807,7 @@ namespace OpenIddict.Server
                         context.Principal.HasClaim(Claims.Private.Audience) && !context.Principal.HasAudience(context.ClientId) &&
                         context.Principal.HasClaim(Claims.Private.Presenter) && !context.Principal.HasPresenter(context.ClientId))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6106));
+                        context.Logger.LogWarning(SR.GetResourceString(SR.ID6106));
 
                         context.Reject(
                             error: Errors.InvalidToken,
@@ -824,7 +824,7 @@ namespace OpenIddict.Server
                     if (context.Principal.HasTokenType(TokenTypeHints.RefreshToken) &&
                         context.Principal.HasClaim(Claims.Private.Presenter) && !context.Principal.HasPresenter(context.ClientId))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6108));
+                        context.Logger.LogWarning(SR.GetResourceString(SR.ID6108));
 
                         context.Reject(
                             error: Errors.InvalidToken,
diff --git a/src/OpenIddict.Server/OpenIddictServerHandlers.Revocation.cs b/src/OpenIddict.Server/OpenIddictServerHandlers.Revocation.cs
index 895e3361..366b0ddb 100644
--- a/src/OpenIddict.Server/OpenIddictServerHandlers.Revocation.cs
+++ b/src/OpenIddict.Server/OpenIddictServerHandlers.Revocation.cs
@@ -310,7 +310,7 @@ namespace OpenIddict.Server
                     // Reject revocation requests missing the mandatory token parameter.
                     if (string.IsNullOrEmpty(context.Request.Token))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6111), Parameters.Token);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6111), Parameters.Token);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -350,7 +350,7 @@ namespace OpenIddict.Server
                     // At this stage, reject the revocation request unless the client identification requirement was disabled.
                     if (!context.Options.AcceptAnonymousClients && string.IsNullOrEmpty(context.ClientId))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6111), Parameters.ClientId);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6111), Parameters.ClientId);
 
                         context.Reject(
                             error: Errors.InvalidClient,
@@ -404,7 +404,7 @@ namespace OpenIddict.Server
                     var application = await _applicationManager.FindByClientIdAsync(context.ClientId);
                     if (application is null)
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6112), context.ClientId);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6112), context.ClientId);
 
                         context.Reject(
                             error: Errors.InvalidClient,
@@ -463,7 +463,7 @@ namespace OpenIddict.Server
                         // Reject revocation requests containing a client_secret when the client is a public application.
                         if (!string.IsNullOrEmpty(context.ClientSecret))
                         {
-                            context.Logger.LogError(SR.GetResourceString(SR.ID6113), context.ClientId);
+                            context.Logger.LogInformation(SR.GetResourceString(SR.ID6113), context.ClientId);
 
                             context.Reject(
                                 error: Errors.InvalidClient,
@@ -479,7 +479,7 @@ namespace OpenIddict.Server
                     // Confidential and hybrid applications MUST authenticate to protect them from impersonation attacks.
                     if (string.IsNullOrEmpty(context.ClientSecret))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6114), context.ClientId);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6114), context.ClientId);
 
                         context.Reject(
                             error: Errors.InvalidClient,
@@ -542,7 +542,7 @@ namespace OpenIddict.Server
 
                     if (!await _applicationManager.ValidateClientSecretAsync(application, context.ClientSecret))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6115), context.ClientId);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6115), context.ClientId);
 
                         context.Reject(
                             error: Errors.InvalidClient,
@@ -600,7 +600,7 @@ namespace OpenIddict.Server
                     // Reject the request if the application is not allowed to use the revocation endpoint.
                     if (!await _applicationManager.HasPermissionAsync(application, Permissions.Endpoints.Revocation))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6116), context.ClientId);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6116), context.ClientId);
 
                         context.Reject(
                             error: Errors.UnauthorizedClient,
@@ -697,7 +697,7 @@ namespace OpenIddict.Server
                     if (!context.Principal.HasTokenType(TokenTypeHints.AccessToken) &&
                         !context.Principal.HasTokenType(TokenTypeHints.RefreshToken))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6117));
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6117));
 
                         context.Reject(
                             error: Errors.UnsupportedTokenType,
@@ -750,7 +750,7 @@ namespace OpenIddict.Server
                         context.Principal.HasClaim(Claims.Private.Audience) && !context.Principal.HasAudience(context.ClientId) &&
                         context.Principal.HasClaim(Claims.Private.Presenter) && !context.Principal.HasPresenter(context.ClientId))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6119));
+                        context.Logger.LogWarning(SR.GetResourceString(SR.ID6119));
 
                         context.Reject(
                             error: Errors.InvalidToken,
@@ -767,7 +767,7 @@ namespace OpenIddict.Server
                     if (context.Principal.HasTokenType(TokenTypeHints.RefreshToken) &&
                         context.Principal.HasClaim(Claims.Private.Presenter) && !context.Principal.HasPresenter(context.ClientId))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6121));
+                        context.Logger.LogWarning(SR.GetResourceString(SR.ID6121));
 
                         context.Reject(
                             error: Errors.InvalidToken,
@@ -853,7 +853,7 @@ namespace OpenIddict.Server
                     var identifier = context.Principal.GetTokenId();
                     if (string.IsNullOrEmpty(identifier))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6122));
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6122));
 
                         context.Reject(
                             error: Errors.UnsupportedTokenType,
diff --git a/src/OpenIddict.Server/OpenIddictServerHandlers.Session.cs b/src/OpenIddict.Server/OpenIddictServerHandlers.Session.cs
index 4c90992d..307e4b08 100644
--- a/src/OpenIddict.Server/OpenIddictServerHandlers.Session.cs
+++ b/src/OpenIddict.Server/OpenIddictServerHandlers.Session.cs
@@ -334,7 +334,7 @@ namespace OpenIddict.Server
                     // If an optional post_logout_redirect_uri was provided, validate it.
                     if (!Uri.TryCreate(context.PostLogoutRedirectUri, UriKind.Absolute, out Uri? uri) || !uri.IsWellFormedOriginalString())
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6126), Parameters.PostLogoutRedirectUri, context.PostLogoutRedirectUri);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6126), Parameters.PostLogoutRedirectUri, context.PostLogoutRedirectUri);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -346,7 +346,7 @@ namespace OpenIddict.Server
 
                     if (!string.IsNullOrEmpty(uri.Fragment))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6127), Parameters.PostLogoutRedirectUri, context.PostLogoutRedirectUri);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6127), Parameters.PostLogoutRedirectUri, context.PostLogoutRedirectUri);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
@@ -397,7 +397,7 @@ namespace OpenIddict.Server
 
                     if (!await ValidatePostLogoutRedirectUriAsync(context.PostLogoutRedirectUri))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6128), context.PostLogoutRedirectUri);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6128), context.PostLogoutRedirectUri);
 
                         context.Reject(
                             error: Errors.InvalidRequest,
diff --git a/src/OpenIddict.Server/OpenIddictServerHandlers.Userinfo.cs b/src/OpenIddict.Server/OpenIddictServerHandlers.Userinfo.cs
index a882e764..e97b547f 100644
--- a/src/OpenIddict.Server/OpenIddictServerHandlers.Userinfo.cs
+++ b/src/OpenIddict.Server/OpenIddictServerHandlers.Userinfo.cs
@@ -335,7 +335,7 @@ namespace OpenIddict.Server
 
                     if (string.IsNullOrEmpty(context.Request.AccessToken))
                     {
-                        context.Logger.LogError(SR.GetResourceString(SR.ID6131), Parameters.AccessToken);
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6131), Parameters.AccessToken);
 
                         context.Reject(
                             error: Errors.MissingToken,
diff --git a/src/OpenIddict.Server/OpenIddictServerHandlers.cs b/src/OpenIddict.Server/OpenIddictServerHandlers.cs
index ec665724..1e2238ad 100644
--- a/src/OpenIddict.Server/OpenIddictServerHandlers.cs
+++ b/src/OpenIddict.Server/OpenIddictServerHandlers.cs
@@ -942,7 +942,7 @@ namespace OpenIddict.Server
                     {
                         if (!context.Request.IsRefreshTokenGrantType() || !await IsReusableAsync(token))
                         {
-                            context.Logger.LogError(SR.GetResourceString(SR.ID6002), identifier);
+                            context.Logger.LogInformation(SR.GetResourceString(SR.ID6002), identifier);
 
                             context.Reject(
                                 error: context.EndpointType switch
@@ -988,7 +988,7 @@ namespace OpenIddict.Server
                         // If the device code is not marked as valid yet, return an authorization_pending error.
                         if (await _tokenManager.HasStatusAsync(token, Statuses.Inactive))
                         {
-                            context.Logger.LogError(SR.GetResourceString(SR.ID6003), identifier);
+                            context.Logger.LogInformation(SR.GetResourceString(SR.ID6003), identifier);
 
                             context.Reject(
                                 error: Errors.AuthorizationPending,
@@ -1001,7 +1001,7 @@ namespace OpenIddict.Server
                         // If the device code is marked as rejected, return an access_denied error.
                         if (await _tokenManager.HasStatusAsync(token, Statuses.Rejected))
                         {
-                            context.Logger.LogError(SR.GetResourceString(SR.ID6004), identifier);
+                            context.Logger.LogInformation(SR.GetResourceString(SR.ID6004), identifier);
 
                             context.Reject(
                                 error: Errors.AccessDenied,
@@ -1015,7 +1015,7 @@ namespace OpenIddict.Server
 
                 if (!await _tokenManager.HasStatusAsync(token, Statuses.Valid))
                 {
-                    context.Logger.LogError(SR.GetResourceString(SR.ID6005), identifier);
+                    context.Logger.LogInformation(SR.GetResourceString(SR.ID6005), identifier);
 
                     context.Reject(
                         error: context.EndpointType switch
@@ -1135,7 +1135,7 @@ namespace OpenIddict.Server
                 var authorization = await _authorizationManager.FindByIdAsync(identifier);
                 if (authorization is null || !await _authorizationManager.HasStatusAsync(authorization, Statuses.Valid))
                 {
-                    context.Logger.LogError(SR.GetResourceString(SR.ID6006), identifier);
+                    context.Logger.LogInformation(SR.GetResourceString(SR.ID6006), identifier);
 
                     context.Reject(
                         error: context.EndpointType switch
diff --git a/src/OpenIddict.Validation/OpenIddictValidationHandlers.cs b/src/OpenIddict.Validation/OpenIddictValidationHandlers.cs
index 085a777a..94ec28ea 100644
--- a/src/OpenIddict.Validation/OpenIddictValidationHandlers.cs
+++ b/src/OpenIddict.Validation/OpenIddictValidationHandlers.cs
@@ -660,7 +660,7 @@ namespace OpenIddict.Validation
                 var date = context.Principal.GetExpirationDate();
                 if (date.HasValue && date.Value < DateTimeOffset.UtcNow)
                 {
-                    context.Logger.LogError(SR.GetResourceString(SR.ID6156));
+                    context.Logger.LogInformation(SR.GetResourceString(SR.ID6156));
 
                     context.Reject(
                         error: Errors.InvalidToken,
@@ -711,7 +711,7 @@ namespace OpenIddict.Validation
                 var audiences = context.Principal.GetAudiences();
                 if (audiences.IsDefaultOrEmpty)
                 {
-                    context.Logger.LogError(SR.GetResourceString(SR.ID6157));
+                    context.Logger.LogInformation(SR.GetResourceString(SR.ID6157));
 
                     context.Reject(
                         error: Errors.InvalidToken,
@@ -724,7 +724,7 @@ namespace OpenIddict.Validation
                 // If the access token doesn't include any registered audience, return an error.
                 if (!audiences.Intersect(context.Options.Audiences, StringComparer.Ordinal).Any())
                 {
-                    context.Logger.LogError(SR.GetResourceString(SR.ID6158));
+                    context.Logger.LogInformation(SR.GetResourceString(SR.ID6158));
 
                     context.Reject(
                         error: Errors.InvalidToken,
@@ -783,7 +783,7 @@ namespace OpenIddict.Validation
                 var token = await _tokenManager.FindByIdAsync(identifier);
                 if (token is null || !await _tokenManager.HasStatusAsync(token, Statuses.Valid))
                 {
-                    context.Logger.LogError(SR.GetResourceString(SR.ID6005), identifier);
+                    context.Logger.LogInformation(SR.GetResourceString(SR.ID6005), identifier);
 
                     context.Reject(
                         error: Errors.InvalidToken,
@@ -847,7 +847,7 @@ namespace OpenIddict.Validation
                 var authorization = await _authorizationManager.FindByIdAsync(identifier);
                 if (authorization is null || !await _authorizationManager.HasStatusAsync(authorization, Statuses.Valid))
                 {
-                    context.Logger.LogError(SR.GetResourceString(SR.ID6006), identifier);
+                    context.Logger.LogInformation(SR.GetResourceString(SR.ID6006), identifier);
 
                     context.Reject(
                         error: Errors.InvalidToken,

From a79f452e658ea8489c7d56de1d423466cbc920f4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Wed, 7 Jul 2021 18:51:14 +0200
Subject: [PATCH 31/64] Update Versions.props to build 3.1.0 packages

---
 eng/Versions.props | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/eng/Versions.props b/eng/Versions.props
index f1aa5e09..5b101981 100644
--- a/eng/Versions.props
+++ b/eng/Versions.props
@@ -2,8 +2,8 @@
 
   <PropertyGroup>
     <MajorVersion>3</MajorVersion>
-    <MinorVersion>0</MinorVersion>
-    <PatchVersion>5</PatchVersion>
+    <MinorVersion>1</MinorVersion>
+    <PatchVersion>0</PatchVersion>
     <VersionPrefix>$(MajorVersion).$(MinorVersion).$(PatchVersion)</VersionPrefix>
     <PreReleaseVersionLabel>rtm</PreReleaseVersionLabel>
     <PreReleaseVersionIteration></PreReleaseVersionIteration>

From 93dd3ba0f41402f7923a9d16aa403e98ca288862 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Wed, 25 Aug 2021 20:26:11 +0200
Subject: [PATCH 32/64] Cache the ProcessAuthenticationContext instance to
 avoid having to re-authenticate userinfo/revocation/introspection requests

---
 .../OpenIddictServerHandlers.Introspection.cs                 | 4 ++++
 src/OpenIddict.Server/OpenIddictServerHandlers.Revocation.cs  | 4 ++++
 src/OpenIddict.Server/OpenIddictServerHandlers.Userinfo.cs    | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/src/OpenIddict.Server/OpenIddictServerHandlers.Introspection.cs b/src/OpenIddict.Server/OpenIddictServerHandlers.Introspection.cs
index ffb4042d..0eb3694b 100644
--- a/src/OpenIddict.Server/OpenIddictServerHandlers.Introspection.cs
+++ b/src/OpenIddict.Server/OpenIddictServerHandlers.Introspection.cs
@@ -700,6 +700,10 @@ namespace OpenIddict.Server
                     var notification = new ProcessAuthenticationContext(context.Transaction);
                     await _dispatcher.DispatchAsync(notification);
 
+                    // Store the context object in the transaction so it can be later retrieved by handlers
+                    // that want to access the authentication result without triggering a new authentication flow.
+                    context.Transaction.SetProperty(typeof(ProcessAuthenticationContext).FullName!, notification);
+
                     if (notification.IsRequestHandled)
                     {
                         context.HandleRequest();
diff --git a/src/OpenIddict.Server/OpenIddictServerHandlers.Revocation.cs b/src/OpenIddict.Server/OpenIddictServerHandlers.Revocation.cs
index 366b0ddb..6b5ef32e 100644
--- a/src/OpenIddict.Server/OpenIddictServerHandlers.Revocation.cs
+++ b/src/OpenIddict.Server/OpenIddictServerHandlers.Revocation.cs
@@ -643,6 +643,10 @@ namespace OpenIddict.Server
                     var notification = new ProcessAuthenticationContext(context.Transaction);
                     await _dispatcher.DispatchAsync(notification);
 
+                    // Store the context object in the transaction so it can be later retrieved by handlers
+                    // that want to access the authentication result without triggering a new authentication flow.
+                    context.Transaction.SetProperty(typeof(ProcessAuthenticationContext).FullName!, notification);
+
                     if (notification.IsRequestHandled)
                     {
                         context.HandleRequest();
diff --git a/src/OpenIddict.Server/OpenIddictServerHandlers.Userinfo.cs b/src/OpenIddict.Server/OpenIddictServerHandlers.Userinfo.cs
index e97b547f..793e0aa0 100644
--- a/src/OpenIddict.Server/OpenIddictServerHandlers.Userinfo.cs
+++ b/src/OpenIddict.Server/OpenIddictServerHandlers.Userinfo.cs
@@ -380,6 +380,10 @@ namespace OpenIddict.Server
                     var notification = new ProcessAuthenticationContext(context.Transaction);
                     await _dispatcher.DispatchAsync(notification);
 
+                    // Store the context object in the transaction so it can be later retrieved by handlers
+                    // that want to access the authentication result without triggering a new authentication flow.
+                    context.Transaction.SetProperty(typeof(ProcessAuthenticationContext).FullName!, notification);
+
                     if (notification.IsRequestHandled)
                     {
                         context.HandleRequest();

From 02c64fdd90d5d5d54e918b508088f3dce74233fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Fri, 27 Aug 2021 11:36:33 +0200
Subject: [PATCH 33/64] Update Versions.props to build 3.1.1 packages

---
 eng/Versions.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eng/Versions.props b/eng/Versions.props
index 5b101981..5f91040b 100644
--- a/eng/Versions.props
+++ b/eng/Versions.props
@@ -3,7 +3,7 @@
   <PropertyGroup>
     <MajorVersion>3</MajorVersion>
     <MinorVersion>1</MinorVersion>
-    <PatchVersion>0</PatchVersion>
+    <PatchVersion>1</PatchVersion>
     <VersionPrefix>$(MajorVersion).$(MinorVersion).$(PatchVersion)</VersionPrefix>
     <PreReleaseVersionLabel>rtm</PreReleaseVersionLabel>
     <PreReleaseVersionIteration></PreReleaseVersionIteration>

From 9d9ff91914c068af1d13f94e32aa3260fca0c34d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Mon, 27 Feb 2023 15:55:46 +0100
Subject: [PATCH 34/64] Update Versions.props to build 4.1.0 packages

---
 eng/Versions.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eng/Versions.props b/eng/Versions.props
index 687dfa02..d49c7396 100644
--- a/eng/Versions.props
+++ b/eng/Versions.props
@@ -8,7 +8,7 @@
     <PreReleaseVersionLabel>preview1</PreReleaseVersionLabel>
     <PreReleaseVersionIteration></PreReleaseVersionIteration>
     <PreReleaseBrandingLabel>Preview 1</PreReleaseBrandingLabel>
-    <StabilizePackageVersion Condition=" '$(StabilizePackageVersion)' == '' ">false</StabilizePackageVersion>
+    <StabilizePackageVersion Condition=" '$(StabilizePackageVersion)' == '' ">true</StabilizePackageVersion>
     <DotNetFinalVersionKind Condition=" '$(StabilizePackageVersion)' == 'true' ">release</DotNetFinalVersionKind>
     <IncludePreReleaseLabelInPackageVersion>true</IncludePreReleaseLabelInPackageVersion>
     <IncludePreReleaseLabelInPackageVersion Condition=" '$(DotNetFinalVersionKind)' == 'release' ">false</IncludePreReleaseLabelInPackageVersion>

From 32fe1caa469eaefd141f6692cfc2f40e2715172c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Fri, 24 Mar 2023 18:36:56 +0100
Subject: [PATCH 35/64] Update Versions.props to build 4.2.0 packages

---
 eng/Versions.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eng/Versions.props b/eng/Versions.props
index 78d5d853..721d03f1 100644
--- a/eng/Versions.props
+++ b/eng/Versions.props
@@ -8,7 +8,7 @@
     <PreReleaseVersionLabel>preview1</PreReleaseVersionLabel>
     <PreReleaseVersionIteration></PreReleaseVersionIteration>
     <PreReleaseBrandingLabel>Preview 1</PreReleaseBrandingLabel>
-    <StabilizePackageVersion Condition=" '$(StabilizePackageVersion)' == '' ">false</StabilizePackageVersion>
+    <StabilizePackageVersion Condition=" '$(StabilizePackageVersion)' == '' ">true</StabilizePackageVersion>
     <DotNetFinalVersionKind Condition=" '$(StabilizePackageVersion)' == 'true' ">release</DotNetFinalVersionKind>
     <IncludePreReleaseLabelInPackageVersion>true</IncludePreReleaseLabelInPackageVersion>
     <IncludePreReleaseLabelInPackageVersion Condition=" '$(DotNetFinalVersionKind)' == 'release' ">false</IncludePreReleaseLabelInPackageVersion>

From 936e590d3c2598d9b3a293a4831715ee6f4d6263 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Sat, 29 Apr 2023 16:28:26 +0200
Subject: [PATCH 36/64] Update Versions.props to build 4.3.0 packages

---
 eng/Versions.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eng/Versions.props b/eng/Versions.props
index 8e3c9a18..8c3fcfe7 100644
--- a/eng/Versions.props
+++ b/eng/Versions.props
@@ -8,7 +8,7 @@
     <PreReleaseVersionLabel>preview1</PreReleaseVersionLabel>
     <PreReleaseVersionIteration></PreReleaseVersionIteration>
     <PreReleaseBrandingLabel>Preview 1</PreReleaseBrandingLabel>
-    <StabilizePackageVersion Condition=" '$(StabilizePackageVersion)' == '' ">false</StabilizePackageVersion>
+    <StabilizePackageVersion Condition=" '$(StabilizePackageVersion)' == '' ">true</StabilizePackageVersion>
     <DotNetFinalVersionKind Condition=" '$(StabilizePackageVersion)' == 'true' ">release</DotNetFinalVersionKind>
     <IncludePreReleaseLabelInPackageVersion>true</IncludePreReleaseLabelInPackageVersion>
     <IncludePreReleaseLabelInPackageVersion Condition=" '$(DotNetFinalVersionKind)' == 'release' ">false</IncludePreReleaseLabelInPackageVersion>

From 8b586ea3e1c62e12a713691a2f90d363b36244f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Thu, 25 May 2023 17:33:23 +0200
Subject: [PATCH 37/64] Update Versions.props to build 4.4.0 packages

---
 eng/Versions.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eng/Versions.props b/eng/Versions.props
index b3763579..915db94e 100644
--- a/eng/Versions.props
+++ b/eng/Versions.props
@@ -8,7 +8,7 @@
     <PreReleaseVersionLabel>preview1</PreReleaseVersionLabel>
     <PreReleaseVersionIteration></PreReleaseVersionIteration>
     <PreReleaseBrandingLabel>Preview 1</PreReleaseBrandingLabel>
-    <StabilizePackageVersion Condition=" '$(StabilizePackageVersion)' == '' ">false</StabilizePackageVersion>
+    <StabilizePackageVersion Condition=" '$(StabilizePackageVersion)' == '' ">true</StabilizePackageVersion>
     <DotNetFinalVersionKind Condition=" '$(StabilizePackageVersion)' == 'true' ">release</DotNetFinalVersionKind>
     <IncludePreReleaseLabelInPackageVersion>true</IncludePreReleaseLabelInPackageVersion>
     <IncludePreReleaseLabelInPackageVersion Condition=" '$(DotNetFinalVersionKind)' == 'release' ">false</IncludePreReleaseLabelInPackageVersion>

From 76c050149e8d9d24f34c61e64915f775520f0bca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Tue, 11 Jul 2023 18:16:09 +0200
Subject: [PATCH 38/64] Update Versions.props to build 4.6.0 packages

---
 eng/Versions.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eng/Versions.props b/eng/Versions.props
index ea1841a8..691fdad8 100644
--- a/eng/Versions.props
+++ b/eng/Versions.props
@@ -9,7 +9,7 @@
     <PreReleaseVersionLabel>preview1</PreReleaseVersionLabel>
     <PreReleaseVersionIteration></PreReleaseVersionIteration>
     <PreReleaseBrandingLabel>Preview 1</PreReleaseBrandingLabel>
-    <StabilizePackageVersion Condition=" '$(StabilizePackageVersion)' == '' ">false</StabilizePackageVersion>
+    <StabilizePackageVersion Condition=" '$(StabilizePackageVersion)' == '' ">true</StabilizePackageVersion>
     <DotNetFinalVersionKind Condition=" '$(StabilizePackageVersion)' == 'true' ">release</DotNetFinalVersionKind>
     <IncludePreReleaseLabelInPackageVersion>true</IncludePreReleaseLabelInPackageVersion>
     <IncludePreReleaseLabelInPackageVersion Condition=" '$(DotNetFinalVersionKind)' == 'release' ">false</IncludePreReleaseLabelInPackageVersion>

From dcde0464205c7f453218e0bef5c07a8c7b39a1b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Thu, 13 Jul 2023 17:19:58 +0200
Subject: [PATCH 39/64] Replace references to Azure Active Directory by
 Microsoft Entra ID

---
 .../OpenIddictClientWebIntegrationHandlers.Discovery.cs     | 2 +-
 .../OpenIddictClientWebIntegrationHandlers.Protection.cs    | 2 +-
 .../OpenIddictClientWebIntegrationHandlers.cs               | 6 +++---
 .../OpenIddictClientWebIntegrationProviders.xml             | 4 ++--
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.Discovery.cs b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.Discovery.cs
index e873c82d..26bc87d4 100644
--- a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.Discovery.cs
+++ b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.Discovery.cs
@@ -58,7 +58,7 @@ public static partial class OpenIddictClientWebIntegrationHandlers
                     // such responses as the issuer wouldn't match the expected value. To work around that, the
                     // issuer is replaced by this handler to always use a static value (e.g "common" or "consumers").
                     //
-                    // For more information about the special tenants supported by Microsoft Account/Azure AD, see
+                    // For more information about the special tenants supported by Microsoft Account/Entra ID, see
                     // https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc#find-your-apps-openid-configuration-document-uri.
                     ProviderTypes.Microsoft when context.Registration.GetMicrosoftSettings() is { Tenant: string tenant } =>
                         string.Equals(tenant, "common", StringComparison.OrdinalIgnoreCase)        ? "https://login.microsoftonline.com/common/v2.0" :
diff --git a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.Protection.cs b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.Protection.cs
index 833564a5..d7f2b6e0 100644
--- a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.Protection.cs
+++ b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.Protection.cs
@@ -57,7 +57,7 @@ public static partial class OpenIddictClientWebIntegrationHandlers
                     // that is associated with the client application. Since the tenant cannot be
                     // inferred when targeting these special tenants, issuer validation is disabled.
                     //
-                    // For more information about the special tenants supported by Microsoft Account/Azure AD, see
+                    // For more information about the special tenants supported by Microsoft Account/Entra ID, see
                     // https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc#find-your-apps-openid-configuration-document-uri.
                     ProviderTypes.Microsoft when
                         context.Registration.GetMicrosoftSettings() is { Tenant: string tenant } &&
diff --git a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs
index b40e8332..063c54cc 100644
--- a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs
+++ b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs
@@ -677,9 +677,9 @@ public static partial class OpenIddictClientWebIntegrationHandlers
 
             context.SendUserinfoRequest = context.Registration.ProviderType switch
             {
-                // Note: the frontchannel or backchannel access tokens returned by Azure AD when a
-                // Xbox scope is requested cannot be used with the userinfo endpoint as they use a
-                // legacy format that is not supported by the Azure AD userinfo implementation.
+                // Note: the frontchannel or backchannel access tokens returned by Microsoft Entra ID
+                // when a Xbox scope is requested cannot be used with the userinfo endpoint as they use
+                // a legacy format that is not supported by the Microsoft Entra userinfo implementation.
                 //
                 // To work around this limitation, userinfo retrieval is disabled when a Xbox scope is requested.
                 ProviderTypes.Microsoft => context.GrantType switch
diff --git a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml
index b8f8dccf..26a6c87e 100644
--- a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml
+++ b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml
@@ -601,7 +601,7 @@
               ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
   -->
 
-  <Provider Name="Microsoft" DisplayName="Microsoft Account/Azure Active Directory" Id="b533a06a-3fd6-4754-aeca-025d4e3666ad"
+  <Provider Name="Microsoft" DisplayName="Microsoft Account/Entra ID" Id="b533a06a-3fd6-4754-aeca-025d4e3666ad"
             Documentation="https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc">
     <!--
       Note: Microsoft is a multitenant provider that relies on virtual paths to identify instances.
@@ -613,7 +613,7 @@
     <Environment Issuer="https://login.microsoftonline.com/{settings.Tenant}/v2.0" />
 
     <Setting PropertyName="Tenant" ParameterName="tenant" Type="String" Required="false" DefaultValue="common"
-             Description="The tenant used to identify the Azure AD instance (by default, the common tenant is used)" />
+             Description="The tenant used to identify the Microsoft Entra instance (by default, the common tenant is used)" />
   </Provider>
 
   <!--

From 24d53ba87259f0d9219910f44d388c8280397f89 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Wed, 9 Aug 2023 17:55:32 +0200
Subject: [PATCH 40/64] Update Versions.props to build 4.7.0 packages

---
 eng/Versions.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eng/Versions.props b/eng/Versions.props
index f74a30c3..95f55f35 100644
--- a/eng/Versions.props
+++ b/eng/Versions.props
@@ -8,7 +8,7 @@
     <PreReleaseVersionLabel>preview1</PreReleaseVersionLabel>
     <PreReleaseVersionIteration></PreReleaseVersionIteration>
     <PreReleaseBrandingLabel>Preview 1</PreReleaseBrandingLabel>
-    <StabilizePackageVersion Condition=" '$(StabilizePackageVersion)' == '' ">false</StabilizePackageVersion>
+    <StabilizePackageVersion Condition=" '$(StabilizePackageVersion)' == '' ">true</StabilizePackageVersion>
     <DotNetFinalVersionKind Condition=" '$(StabilizePackageVersion)' == 'true' ">release</DotNetFinalVersionKind>
     <IncludePreReleaseLabelInPackageVersion>true</IncludePreReleaseLabelInPackageVersion>
     <IncludePreReleaseLabelInPackageVersion Condition=" '$(DotNetFinalVersionKind)' == 'release' ">false</IncludePreReleaseLabelInPackageVersion>

From 1a41fd6baa1a99ff1f4df6fb6d0cdcfd0cce5201 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Tue, 12 Sep 2023 17:48:56 +0200
Subject: [PATCH 41/64] Update Versions.props to build 4.8.0 packages

---
 eng/Versions.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eng/Versions.props b/eng/Versions.props
index a5709fe3..fc4d0e14 100644
--- a/eng/Versions.props
+++ b/eng/Versions.props
@@ -8,7 +8,7 @@
     <PreReleaseVersionLabel>preview1</PreReleaseVersionLabel>
     <PreReleaseVersionIteration></PreReleaseVersionIteration>
     <PreReleaseBrandingLabel>Preview 1</PreReleaseBrandingLabel>
-    <StabilizePackageVersion Condition=" '$(StabilizePackageVersion)' == '' ">false</StabilizePackageVersion>
+    <StabilizePackageVersion Condition=" '$(StabilizePackageVersion)' == '' ">true</StabilizePackageVersion>
     <DotNetFinalVersionKind Condition=" '$(StabilizePackageVersion)' == 'true' ">release</DotNetFinalVersionKind>
     <IncludePreReleaseLabelInPackageVersion>true</IncludePreReleaseLabelInPackageVersion>
     <IncludePreReleaseLabelInPackageVersion Condition=" '$(DotNetFinalVersionKind)' == 'release' ">false</IncludePreReleaseLabelInPackageVersion>

From e13e2b4bb4c51978a31db9498a0b502c0ae5c4f3 Mon Sep 17 00:00:00 2001
From: pableess <8421069+pableess@users.noreply.github.com>
Date: Tue, 26 Sep 2023 07:38:36 -0500
Subject: [PATCH 42/64] Add Auth0 to the list of supported providers

---
 ...tClientWebIntegrationHandlers.Discovery.cs | 20 ++++++++++++++-
 ...penIddictClientWebIntegrationProviders.xml | 25 +++++++++++++++++--
 2 files changed, 42 insertions(+), 3 deletions(-)

diff --git a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.Discovery.cs b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.Discovery.cs
index e873c82d..98086f16 100644
--- a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.Discovery.cs
+++ b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.Discovery.cs
@@ -5,6 +5,7 @@
  */
 
 using System.Collections.Immutable;
+using OpenIddict.Extensions;
 using static OpenIddict.Client.OpenIddictClientHandlers.Discovery;
 using static OpenIddict.Client.WebIntegration.OpenIddictClientWebIntegrationConstants;
 
@@ -113,6 +114,14 @@ public static partial class OpenIddictClientWebIntegrationHandlers
                     context.Configuration.GrantTypesSupported.Add(GrantTypes.RefreshToken);
                 }
 
+                else if (context.Registration.ProviderType is ProviderTypes.Auth0)
+                {
+                    context.Configuration.GrantTypesSupported.Add(GrantTypes.AuthorizationCode);
+                    context.Configuration.GrantTypesSupported.Add(GrantTypes.ClientCredentials);
+                    context.Configuration.GrantTypesSupported.Add(GrantTypes.DeviceCode);
+                    context.Configuration.GrantTypesSupported.Add(GrantTypes.RefreshToken);
+                }
+
                 else if (context.Registration.ProviderType is
                     ProviderTypes.Cognito   or ProviderTypes.EpicGames or
                     ProviderTypes.Microsoft or ProviderTypes.Salesforce)
@@ -330,11 +339,20 @@ public static partial class OpenIddictClientWebIntegrationHandlers
                     throw new ArgumentNullException(nameof(context));
                 }
 
+                // While Auth0 exposes an OpenID Connect-compliant logout endpoint, its address is not returned
+                // as part of the configuration document. To ensure RP-initiated logout is supported with Auth0,
+                // "end_session_endpoint" is manually computed using the issuer URI and added to the configuration.
+                if (context.Registration.ProviderType is ProviderTypes.Auth0)
+                {
+                    context.Configuration.EndSessionEndpoint ??= OpenIddictHelpers.CreateAbsoluteUri(
+                        context.Registration.Issuer, "oidc/logout");
+                }
+
                 // While PayPal supports OpenID Connect discovery, the configuration document returned
                 // by the sandbox environment always contains the production endpoints, which would
                 // prevent the OpenIddict integration from working properly when using the sandbox mode.
                 // To work around that, the endpoints are manually overriden when this environment is used.
-                if (context.Registration.ProviderType is ProviderTypes.PayPal &&
+                else if (context.Registration.ProviderType is ProviderTypes.PayPal &&
                     context.Registration.GetPayPalSettings() is { Environment: string environment } &&
                     string.Equals(environment, PayPal.Environments.Sandbox, StringComparison.OrdinalIgnoreCase))
                 {
diff --git a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml
index 977ee1f1..dd9366c3 100644
--- a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml
+++ b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml
@@ -102,6 +102,27 @@
     <Environment Issuer="https://app.asana.com/api/1.0" />
   </Provider>
 
+  <!--
+                                                  ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
+                                                  █ ▄▄▀██ ██ █▄▄ ▄▄██ ██ █ ▄▄ ██
+                                                  █ ▀▀ ██ ██ ███ ████ ▄▄ █ ▀▄ ██
+                                                  █ ██ ██▄▀▀▄███ ████ ██ █ ▀▀ ██
+                                                  ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
+  -->
+
+  <Provider Name="Auth0" Id="7409ff87-3c9d-4959-b187-2fc0077d544f" Documentation="https://auth0.com/docs">
+    <!--
+      Note: Auth0 is a multitenant identity provider that doesn't have a generic
+      issuer URI. As such, the complete URI must always be set in the options.
+    -->
+
+    <Environment Issuer="{settings.Issuer}" />
+
+    <Setting PropertyName="Issuer" ParameterName="issuer" Type="Uri" Required="true"
+             Description="The URI used to access the Auth0 tenant (e.g 'https://contoso.us.auth0.com')" />
+  </Provider>
+
+
   <!--
                                         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
                                         █ ▄▄▀██ ██ █▄▄ ▄▄██ ▄▄▄ ██ ▄▄▀██ ▄▄▄██ ▄▄▄ ██ █▀▄██
@@ -1319,7 +1340,7 @@
                                            ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
   -->
 
-  <Provider Name="Verimi" Id="de781ebe-164c-4948-96d8-5e5adbbf19f0" Documentation="https://docs.verimi.de/#/oidc/oidc_overview">    
+  <Provider Name="Verimi" Id="de781ebe-164c-4948-96d8-5e5adbbf19f0" Documentation="https://docs.verimi.de/#/oidc/oidc_overview">
     <Environment Name="Production" Issuer="https://web.verimi.de/" />
     <Environment Name="Staging"    Issuer="https://web.uat.verimi.cloud/" />
   </Provider>
@@ -1356,7 +1377,7 @@
       varies dynamically depending on the location of the client making the discovery request.
 
       Since the returned issuer is not stable, the hardcoded "https://www.webex.com/" is used instead.
-    -->    
+    -->
 
     <Environment Issuer="https://www.webex.com/" ConfigurationEndpoint="https://webexapis.com/v1/.well-known/openid-configuration" />
   </Provider>

From 680d51d8f98b9e3512db62e2d6de6bcc9271897c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Tue, 26 Sep 2023 16:27:57 +0200
Subject: [PATCH 43/64] Fix AuthenticateWithDeviceAsync() to flow the scopes
 attached to the request model

---
 src/OpenIddict.Client/OpenIddictClientHandlers.cs | 3 ++-
 src/OpenIddict.Client/OpenIddictClientService.cs  | 5 +++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/OpenIddict.Client/OpenIddictClientHandlers.cs b/src/OpenIddict.Client/OpenIddictClientHandlers.cs
index 169aba2d..b692b351 100644
--- a/src/OpenIddict.Client/OpenIddictClientHandlers.cs
+++ b/src/OpenIddict.Client/OpenIddictClientHandlers.cs
@@ -2252,7 +2252,8 @@ public static partial class OpenIddictClientHandlers
                 string type => type
             };
 
-            if (context.Scopes.Count > 0)
+            if (context.Scopes.Count > 0 &&
+                context.TokenRequest.GrantType is not (GrantTypes.AuthorizationCode or GrantTypes.DeviceCode))
             {
                 // Note: the final OAuth 2.0 specification requires using a space as the scope separator.
                 // Clients that need to deal with older or non-compliant implementations can register
diff --git a/src/OpenIddict.Client/OpenIddictClientService.cs b/src/OpenIddict.Client/OpenIddictClientService.cs
index 6cded38e..6deb99ed 100644
--- a/src/OpenIddict.Client/OpenIddictClientService.cs
+++ b/src/OpenIddict.Client/OpenIddictClientService.cs
@@ -734,6 +734,11 @@ public sealed class OpenIddictClientService
                             is Dictionary<string, OpenIddictParameter> parameters ? new(parameters) : new(),
                     };
 
+                    if (request.Scopes is { Count: > 0 })
+                    {
+                        context.Scopes.UnionWith(request.Scopes);
+                    }
+
                     if (request.Properties is { Count: > 0 })
                     {
                         foreach (var property in request.Properties)

From 7b214be3fce2b5573f38f064527abd9059a84a35 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Tue, 26 Sep 2023 16:32:26 +0200
Subject: [PATCH 44/64] Automatically disable userinfo validation when the
 openid scope is not requested

---
 .../OpenIddictClientHandlers.cs               | 23 +++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/src/OpenIddict.Client/OpenIddictClientHandlers.cs b/src/OpenIddict.Client/OpenIddictClientHandlers.cs
index b692b351..625842cf 100644
--- a/src/OpenIddict.Client/OpenIddictClientHandlers.cs
+++ b/src/OpenIddict.Client/OpenIddictClientHandlers.cs
@@ -3507,8 +3507,27 @@ public static partial class OpenIddictClientHandlers
             // The OpenIddict client is expected to be used with standard OpenID Connect userinfo endpoints
             // but must also support non-standard implementations, that are common with OAuth 2.0-only servers.
             //
-            // As such, protocol requirements are only enforced if the server supports OpenID Connect.
-            context.DisableUserinfoValidation = !context.Configuration.ScopesSupported.Contains(Scopes.OpenId);
+            // As such, protocol requirements are, by default, only enforced if the openid scope was requested.
+            context.DisableUserinfoValidation = context.GrantType switch
+            {
+                GrantTypes.AuthorizationCode or GrantTypes.Implicit
+                    when context.StateTokenPrincipal is ClaimsPrincipal principal
+                    => !principal.HasScope(Scopes.OpenId),
+
+                // Note: while the OAuth 2.0-only device authorization and password flows can be generally used
+                // flawlessly with OpenID Connect implementations, the userinfo response returned by the server
+                // for an OAuth 2.0-only flow might not be OpenID Connect-compliant. In this case, disable
+                // userinfo validation, unless the "openid" scope was explicitly requested by the application.
+                GrantTypes.DeviceCode or GrantTypes.Password or
+
+                // Note: when using grant_type=refresh_token, it is not possible to determine whether the refresh token
+                // was issued during an OAuth 2.0-only or OpenID Connect flow. In this case, only validate userinfo
+                // responses if the openid scope was explicitly added by the user to the list of requested scopes.
+                GrantTypes.RefreshToken or
+
+                // For unknown grant types, disable userinfo validation, unless the openid scope was explicitly added.
+                _ => !context.Scopes.Contains(Scopes.OpenId)
+            };
 
             return default;
         }

From e18132571ecc8a91be1d4c467ac093641ac0b92f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Mon, 9 Oct 2023 15:57:26 +0200
Subject: [PATCH 45/64] Update Versions.props to build 4.9.0 packages

---
 eng/Versions.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eng/Versions.props b/eng/Versions.props
index fc4d0e14..242daac7 100644
--- a/eng/Versions.props
+++ b/eng/Versions.props
@@ -2,7 +2,7 @@
 
   <PropertyGroup>
     <MajorVersion>4</MajorVersion>
-    <MinorVersion>8</MinorVersion>
+    <MinorVersion>9</MinorVersion>
     <PatchVersion>0</PatchVersion>
     <VersionPrefix>$(MajorVersion).$(MinorVersion).$(PatchVersion)</VersionPrefix>
     <PreReleaseVersionLabel>preview1</PreReleaseVersionLabel>

From 1b48d9691006c0dd450c1bab5b7f4a4f4db485ca Mon Sep 17 00:00:00 2001
From: Dennis Haney <davh@davh.dk>
Date: Mon, 23 Oct 2023 19:33:45 +0700
Subject: [PATCH 46/64] Update the client authentication results to expose the
 access token expiration date

---
 .../OpenIddictClientModels.cs                 | 30 +++++++++++++++++++
 .../OpenIddictClientService.cs                |  6 ++++
 2 files changed, 36 insertions(+)

diff --git a/src/OpenIddict.Client/OpenIddictClientModels.cs b/src/OpenIddict.Client/OpenIddictClientModels.cs
index 24740a1d..617a0edb 100644
--- a/src/OpenIddict.Client/OpenIddictClientModels.cs
+++ b/src/OpenIddict.Client/OpenIddictClientModels.cs
@@ -66,6 +66,11 @@ public static class OpenIddictClientModels
         /// </summary>
         public required string? BackchannelAccessToken { get; init; }
 
+        /// <summary>
+        /// Gets or sets the expiration date of the backchannel access token, if available.
+        /// </summary>
+        public required DateTimeOffset? BackchannelAccessTokenExpirationDate { get; init; }
+
         /// <summary>
         /// Gets or sets the backchannel identity token, if available.
         /// </summary>
@@ -82,6 +87,11 @@ public static class OpenIddictClientModels
         /// </summary>
         public required string? FrontchannelAccessToken { get; init; }
 
+        /// <summary>
+        /// Gets or sets the expiration date of the frontchannel access token, if available.
+        /// </summary>
+        public required DateTimeOffset? FrontchannelAccessTokenExpirationDate { get; init; }
+
         /// <summary>
         /// Gets or sets the frontchannel identity token, if available.
         /// </summary>
@@ -253,6 +263,11 @@ public static class OpenIddictClientModels
         /// </summary>
         public required string AccessToken { get; init; }
 
+        /// <summary>
+        /// Gets or sets the expiration date of the access token, if available.
+        /// </summary>
+        public required DateTimeOffset? AccessTokenExpirationDate { get; init; }
+
         /// <summary>
         /// Gets or sets the identity token, if available.
         /// </summary>
@@ -394,6 +409,11 @@ public static class OpenIddictClientModels
         /// </summary>
         public required string AccessToken { get; init; }
 
+        /// <summary>
+        /// Gets or sets the expiration date of the access token, if available.
+        /// </summary>
+        public required DateTimeOffset? AccessTokenExpirationDate { get; init; }
+
         /// <summary>
         /// Gets or sets the identity token, if available.
         /// </summary>
@@ -605,6 +625,11 @@ public static class OpenIddictClientModels
         /// </summary>
         public required string AccessToken { get; init; }
 
+        /// <summary>
+        /// Gets or sets the expiration date of the access token, if available.
+        /// </summary>
+        public required DateTimeOffset? AccessTokenExpirationDate { get; init; }
+
         /// <summary>
         /// Gets or sets the identity token, if available.
         /// </summary>
@@ -714,6 +739,11 @@ public static class OpenIddictClientModels
         /// </summary>
         public required string AccessToken { get; init; }
 
+        /// <summary>
+        /// Gets or sets the expiration date of the access token, if available.
+        /// </summary>
+        public required DateTimeOffset? AccessTokenExpirationDate { get; init; }
+
         /// <summary>
         /// Gets or sets the identity token, if available.
         /// </summary>
diff --git a/src/OpenIddict.Client/OpenIddictClientService.cs b/src/OpenIddict.Client/OpenIddictClientService.cs
index 6deb99ed..ffa117a5 100644
--- a/src/OpenIddict.Client/OpenIddictClientService.cs
+++ b/src/OpenIddict.Client/OpenIddictClientService.cs
@@ -343,9 +343,11 @@ public sealed class OpenIddictClientService
                     AuthorizationCode = context.AuthorizationCode,
                     AuthorizationResponse = context.Request is not null ? new(context.Request.GetParameters()) : new(),
                     BackchannelAccessToken = context.BackchannelAccessToken,
+                    BackchannelAccessTokenExpirationDate = context.BackchannelAccessTokenExpirationDate,
                     BackchannelIdentityToken = context.BackchannelIdentityToken,
                     BackchannelIdentityTokenPrincipal = context.BackchannelIdentityTokenPrincipal,
                     FrontchannelAccessToken = context.FrontchannelAccessToken,
+                    FrontchannelAccessTokenExpirationDate = context.FrontchannelAccessTokenExpirationDate,
                     FrontchannelIdentityToken = context.FrontchannelIdentityToken,
                     FrontchannelIdentityTokenPrincipal = context.FrontchannelIdentityTokenPrincipal,
                     Principal = context.MergedPrincipal,
@@ -590,6 +592,7 @@ public sealed class OpenIddictClientService
             return new()
             {
                 AccessToken = context.BackchannelAccessToken!,
+                AccessTokenExpirationDate = context.BackchannelAccessTokenExpirationDate,
                 IdentityToken = context.BackchannelIdentityToken,
                 IdentityTokenPrincipal = context.BackchannelIdentityTokenPrincipal,
                 Principal = context.MergedPrincipal,
@@ -763,6 +766,7 @@ public sealed class OpenIddictClientService
                         return new()
                         {
                             AccessToken = context.BackchannelAccessToken!,
+                            AccessTokenExpirationDate = context.BackchannelAccessTokenExpirationDate,
                             IdentityToken = context.BackchannelIdentityToken,
                             IdentityTokenPrincipal = context.BackchannelIdentityTokenPrincipal,
                             Principal = context.MergedPrincipal,
@@ -1107,6 +1111,7 @@ public sealed class OpenIddictClientService
             return new()
             {
                 AccessToken = context.BackchannelAccessToken!,
+                AccessTokenExpirationDate = context.BackchannelAccessTokenExpirationDate,
                 IdentityToken = context.BackchannelIdentityToken,
                 IdentityTokenPrincipal = context.BackchannelIdentityTokenPrincipal,
                 Principal = context.MergedPrincipal,
@@ -1268,6 +1273,7 @@ public sealed class OpenIddictClientService
             return new()
             {
                 AccessToken = context.BackchannelAccessToken!,
+                AccessTokenExpirationDate = context.BackchannelAccessTokenExpirationDate,
                 IdentityToken = context.BackchannelIdentityToken,
                 IdentityTokenPrincipal = context.BackchannelIdentityTokenPrincipal,
                 Principal = context.MergedPrincipal,

From 0bf4a433bd86a54ecb164c70273d610a3b56cd37 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Mon, 6 Nov 2023 05:37:43 +0100
Subject: [PATCH 47/64] Add Zoom to the list of supported providers

---
 Directory.Build.targets                       |  2 +-
 ...OpenIddictClientWebIntegrationGenerator.cs |  2 +-
 .../Helpers/OpenIddictHelpers.cs              |  2 +-
 ...ClientDataProtectionHandlers.Protection.cs |  2 +-
 ...tClientWebIntegrationHandlers.Discovery.cs |  7 +++---
 .../OpenIddictClientWebIntegrationHandlers.cs |  7 +++---
 ...penIddictClientWebIntegrationProviders.xml | 25 +++++++++++++++++++
 ...ctEntityFrameworkCoreAuthorizationStore.cs | 10 ++++----
 ...OpenIddictEntityFrameworkCoreTokenStore.cs |  4 +--
 ...ServerDataProtectionHandlers.Protection.cs |  2 +-
 .../OpenIddictServerIntegrationTests.cs       |  2 +-
 11 files changed, 45 insertions(+), 20 deletions(-)

diff --git a/Directory.Build.targets b/Directory.Build.targets
index 3fa30360..692ac5ab 100644
--- a/Directory.Build.targets
+++ b/Directory.Build.targets
@@ -123,7 +123,7 @@
   
   <!--
     Note: Arcade always generates .resx backing files with internal static methods/constants.
-    To ensure the OpenIddict resources are public, the default visibility is manually overriden.
+    To ensure the OpenIddict resources are public, the default visibility is manually overridden.
   -->
 
   <Target Name="OverrideResourcesVisibility" Condition=" @(EmbeddedResourceSGResx) != '' " AfterTargets="_GenerateResxSource">
diff --git a/gen/OpenIddict.Client.WebIntegration.Generators/OpenIddictClientWebIntegrationGenerator.cs b/gen/OpenIddict.Client.WebIntegration.Generators/OpenIddictClientWebIntegrationGenerator.cs
index 69abb53b..1b60c4f5 100644
--- a/gen/OpenIddict.Client.WebIntegration.Generators/OpenIddictClientWebIntegrationGenerator.cs
+++ b/gen/OpenIddict.Client.WebIntegration.Generators/OpenIddictClientWebIntegrationGenerator.cs
@@ -1165,7 +1165,7 @@ public sealed partial class OpenIddictClientWebIntegrationConfiguration
                                             _ => (IList<string>) Array.Empty<string>()
                                         },
 
-                                        DeviceAuthorizationEndpointAuthMethodsSupported = configuration.Elements("DeviceAuthorizationEndpointAuthMethodsSupported").ToList() switch
+                                        DeviceAuthorizationEndpointAuthMethodsSupported = configuration.Elements("DeviceAuthorizationEndpointAuthMethod").ToList() switch
                                         {
                                             { Count: > 0 } methods => methods.Select(type => (string?) type.Attribute("Value")).ToList(),
 
diff --git a/shared/OpenIddict.Extensions/Helpers/OpenIddictHelpers.cs b/shared/OpenIddict.Extensions/Helpers/OpenIddictHelpers.cs
index f340b18c..45ebb756 100644
--- a/shared/OpenIddict.Extensions/Helpers/OpenIddictHelpers.cs
+++ b/shared/OpenIddict.Extensions/Helpers/OpenIddictHelpers.cs
@@ -478,7 +478,7 @@ internal static class OpenIddictHelpers
 
         // Note: on .NET Framework, the RSA.Create() overload uses CryptoConfig.CreateFromName()
         // and always returns a RSACryptoServiceProvider instance unless the default name mapping was
-        // explicitly overriden in machine.config or via CryptoConfig.AddAlgorithm(). Unfortunately,
+        // explicitly overridden in machine.config or via CryptoConfig.AddAlgorithm(). Unfortunately,
         // RSACryptoServiceProvider still uses 1024-bit keys by default and doesn't support changing
         // the key size via RSACryptoServiceProvider.KeySize (setting it has no effect on the object).
         //
diff --git a/src/OpenIddict.Client.DataProtection/OpenIddictClientDataProtectionHandlers.Protection.cs b/src/OpenIddict.Client.DataProtection/OpenIddictClientDataProtectionHandlers.Protection.cs
index 6b2f346b..d7fe4995 100644
--- a/src/OpenIddict.Client.DataProtection/OpenIddictClientDataProtectionHandlers.Protection.cs
+++ b/src/OpenIddict.Client.DataProtection/OpenIddictClientDataProtectionHandlers.Protection.cs
@@ -178,7 +178,7 @@ public static partial class OpenIddictClientDataProtectionHandlers
                 // of the default token format (typically, JSON Web Token). By default, Data Protection
                 // is automatically used for all the supported token types once the integration is enabled
                 // but the default token format can be re-enabled in the options. Alternatively, the token
-                // format can be overriden manually using a custom event handler registered after this one.
+                // format can be overridden manually using a custom event handler registered after this one.
 
                 context.TokenFormat = context.TokenType switch
                 {
diff --git a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.Discovery.cs b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.Discovery.cs
index 98086f16..bf078a15 100644
--- a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.Discovery.cs
+++ b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.Discovery.cs
@@ -250,7 +250,7 @@ public static partial class OpenIddictClientWebIntegrationHandlers
                 }
 
                 // Google doesn't properly implement the device authorization grant, doesn't support
-                // client authentication method for the device authorization endpoint and returns a
+                // basic client authentication for the device authorization endpoint and returns a
                 // generic "invalid_request" request when using "client_secret_basic" instead of
                 // sending the client identifier in the request form. To work around this limitation,
                 // "client_secret_post" is listed as the only supported client authentication method.
@@ -351,10 +351,9 @@ public static partial class OpenIddictClientWebIntegrationHandlers
                 // While PayPal supports OpenID Connect discovery, the configuration document returned
                 // by the sandbox environment always contains the production endpoints, which would
                 // prevent the OpenIddict integration from working properly when using the sandbox mode.
-                // To work around that, the endpoints are manually overriden when this environment is used.
+                // To work around that, the endpoints are manually overridden when this environment is used.
                 else if (context.Registration.ProviderType is ProviderTypes.PayPal &&
-                    context.Registration.GetPayPalSettings() is { Environment: string environment } &&
-                    string.Equals(environment, PayPal.Environments.Sandbox, StringComparison.OrdinalIgnoreCase))
+                    context.Registration.GetPayPalSettings() is { Environment: PayPal.Environments.Sandbox })
                 {
                     context.Configuration.AuthorizationEndpoint =
                         new Uri("https://www.sandbox.paypal.com/signin/authorize", UriKind.Absolute);
diff --git a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs
index cdea30f4..fbd348e9 100644
--- a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs
+++ b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs
@@ -1065,8 +1065,8 @@ public static partial class OpenIddictClientWebIntegrationHandlers
                          context.UserinfoResponse?.HasParameter("lastName")  is true
                     => $"{(string?) context.UserinfoResponse?["firstName"]} {(string?) context.UserinfoResponse?["lastName"]}",
 
-                // Spotify and StackExchange return the username as a custom "display_name" node:
-                ProviderTypes.Spotify or ProviderTypes.StackExchange
+                // These providers return return the username as a custom "display_name" node:
+                ProviderTypes.Spotify or ProviderTypes.StackExchange or ProviderTypes.Zoom
                     => (string?) context.UserinfoResponse?["display_name"],
 
                 // Strava returns the username as a custom "athlete/username" node in token responses:
@@ -1095,7 +1095,8 @@ public static partial class OpenIddictClientWebIntegrationHandlers
                 ProviderTypes.Facebook or ProviderTypes.GitHub        or ProviderTypes.Harvest    or
                 ProviderTypes.Kroger   or ProviderTypes.Lichess       or ProviderTypes.Nextcloud  or
                 ProviderTypes.Patreon  or ProviderTypes.Reddit        or ProviderTypes.Smartsheet or
-                ProviderTypes.Spotify  or ProviderTypes.SubscribeStar or ProviderTypes.Twitter
+                ProviderTypes.Spotify  or ProviderTypes.SubscribeStar or ProviderTypes.Twitter    or
+                ProviderTypes.Zoom
                     => (string?) context.UserinfoResponse?["id"],
 
                 // Bitbucket returns the user identifier as a custom "uuid" node:
diff --git a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml
index dd9366c3..58d03690 100644
--- a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml
+++ b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml
@@ -1431,4 +1431,29 @@
     <Environment Issuer="https://api.login.yahoo.com/" />
   </Provider>
 
+  <!--
+                                              ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
+                                              ██ ▄▄▄ ██ ▄▄▄ ██ ▄▄▄ ██ ▄▀▄ ██
+                                              ██▀▀▀▄▄██ ███ ██ ███ ██ █ █ ██
+                                              ██ ▀▀▀ ██ ▀▀▀ ██ ▀▀▀ ██ ███ ██
+                                              ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
+  -->
+
+  <Provider Name="Zoom" Id="2aa63549-8bb3-426d-a95d-dbc2479167e6"
+            Documentation="https://developers.zoom.us/docs/integrations/oauth/">
+    <Environment Issuer="https://zoom.us/">
+      <Configuration AuthorizationEndpoint="https://zoom.us/oauth/authorize"
+                     TokenEndpoint="https://zoom.us/oauth/token"
+                     UserinfoEndpoint="https://api.zoom.us/v2/users/me">
+        <CodeChallengeMethod Value="plain" />
+        <CodeChallengeMethod Value="S256" />
+
+        <GrantType Value="authorization_code" />
+        <GrantType Value="refresh_token" />
+
+        <TokenEndpointAuthMethod Value="client_secret_basic" />
+      </Configuration>
+    </Environment>
+  </Provider>
+
 </Providers>
\ No newline at end of file
diff --git a/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictEntityFrameworkCoreAuthorizationStore.cs b/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictEntityFrameworkCoreAuthorizationStore.cs
index 47e21a06..db858815 100644
--- a/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictEntityFrameworkCoreAuthorizationStore.cs
+++ b/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictEntityFrameworkCoreAuthorizationStore.cs
@@ -234,7 +234,7 @@ public class OpenIddictEntityFrameworkCoreAuthorizationStore<TAuthorization, TAp
 
         // Note: due to a bug in Entity Framework Core's query visitor, the authorizations can't be
         // filtered using authorization.Application.Id.Equals(key). To work around this issue,
-        // this method is overriden to use an explicit join before applying the equality check.
+        // this method is overridden to use an explicit join before applying the equality check.
         // See https://github.com/openiddict/openiddict-core/issues/499 for more information.
 
         var key = ConvertIdentifierFromString(client);
@@ -268,7 +268,7 @@ public class OpenIddictEntityFrameworkCoreAuthorizationStore<TAuthorization, TAp
 
         // Note: due to a bug in Entity Framework Core's query visitor, the authorizations can't be
         // filtered using authorization.Application.Id.Equals(key). To work around this issue,
-        // this method is overriden to use an explicit join before applying the equality check.
+        // this method is overridden to use an explicit join before applying the equality check.
         // See https://github.com/openiddict/openiddict-core/issues/499 for more information.
 
         var key = ConvertIdentifierFromString(client);
@@ -307,7 +307,7 @@ public class OpenIddictEntityFrameworkCoreAuthorizationStore<TAuthorization, TAp
 
         // Note: due to a bug in Entity Framework Core's query visitor, the authorizations can't be
         // filtered using authorization.Application.Id.Equals(key). To work around this issue,
-        // this method is overriden to use an explicit join before applying the equality check.
+        // this method is overridden to use an explicit join before applying the equality check.
         // See https://github.com/openiddict/openiddict-core/issues/499 for more information.
 
         var key = ConvertIdentifierFromString(client);
@@ -353,7 +353,7 @@ public class OpenIddictEntityFrameworkCoreAuthorizationStore<TAuthorization, TAp
         {
             // Note: due to a bug in Entity Framework Core's query visitor, the authorizations can't be
             // filtered using authorization.Application.Id.Equals(key). To work around this issue,
-            // this method is overriden to use an explicit join before applying the equality check.
+            // this method is overridden to use an explicit join before applying the equality check.
             // See https://github.com/openiddict/openiddict-core/issues/499 for more information.
 
             var key = ConvertIdentifierFromString(client);
@@ -389,7 +389,7 @@ public class OpenIddictEntityFrameworkCoreAuthorizationStore<TAuthorization, TAp
 
         // Note: due to a bug in Entity Framework Core's query visitor, the authorizations can't be
         // filtered using authorization.Application.Id.Equals(key). To work around this issue,
-        // this method is overriden to use an explicit join before applying the equality check.
+        // this method is overridden to use an explicit join before applying the equality check.
         // See https://github.com/openiddict/openiddict-core/issues/499 for more information.
 
         var key = ConvertIdentifierFromString(identifier);
diff --git a/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictEntityFrameworkCoreTokenStore.cs b/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictEntityFrameworkCoreTokenStore.cs
index 31db2cc2..5a8eace1 100644
--- a/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictEntityFrameworkCoreTokenStore.cs
+++ b/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictEntityFrameworkCoreTokenStore.cs
@@ -278,7 +278,7 @@ public class OpenIddictEntityFrameworkCoreTokenStore<TToken, TApplication, TAuth
 
         // Note: due to a bug in Entity Framework Core's query visitor, the tokens can't be
         // filtered using token.Application.Id.Equals(key). To work around this issue,
-        // this method is overriden to use an explicit join before applying the equality check.
+        // this method is overridden to use an explicit join before applying the equality check.
         // See https://github.com/openiddict/openiddict-core/issues/499 for more information.
 
         var key = ConvertIdentifierFromString(identifier);
@@ -299,7 +299,7 @@ public class OpenIddictEntityFrameworkCoreTokenStore<TToken, TApplication, TAuth
 
         // Note: due to a bug in Entity Framework Core's query visitor, the tokens can't be
         // filtered using token.Authorization.Id.Equals(key). To work around this issue,
-        // this method is overriden to use an explicit join before applying the equality check.
+        // this method is overridden to use an explicit join before applying the equality check.
         // See https://github.com/openiddict/openiddict-core/issues/499 for more information.
 
         var key = ConvertIdentifierFromString(identifier);
diff --git a/src/OpenIddict.Server.DataProtection/OpenIddictServerDataProtectionHandlers.Protection.cs b/src/OpenIddict.Server.DataProtection/OpenIddictServerDataProtectionHandlers.Protection.cs
index e4e5df08..5cf61edb 100644
--- a/src/OpenIddict.Server.DataProtection/OpenIddictServerDataProtectionHandlers.Protection.cs
+++ b/src/OpenIddict.Server.DataProtection/OpenIddictServerDataProtectionHandlers.Protection.cs
@@ -283,7 +283,7 @@ public static partial class OpenIddictServerDataProtectionHandlers
                 // of the default token format (typically, JSON Web Token). By default, Data Protection
                 // is automatically used for all the supported token types once the integration is enabled
                 // but the default token format can be re-enabled in the options. Alternatively, the token
-                // format can be overriden manually using a custom event handler registered after this one.
+                // format can be overridden manually using a custom event handler registered after this one.
 
                 context.TokenFormat = context.TokenType switch
                 {
diff --git a/test/OpenIddict.Server.IntegrationTests/OpenIddictServerIntegrationTests.cs b/test/OpenIddict.Server.IntegrationTests/OpenIddictServerIntegrationTests.cs
index 01e2cb4a..6f2e547e 100644
--- a/test/OpenIddict.Server.IntegrationTests/OpenIddictServerIntegrationTests.cs
+++ b/test/OpenIddict.Server.IntegrationTests/OpenIddictServerIntegrationTests.cs
@@ -2132,7 +2132,7 @@ public abstract partial class OpenIddictServerIntegrationTests
     }
 
     [Fact]
-    public async Task ProcessSignIn_ScopesCanBeOverridenForRefreshTokenRequests()
+    public async Task ProcessSignIn_ScopesCanBeOverriddenForRefreshTokenRequests()
     {
         // Arrange
         await using var server = await CreateServerAsync(options =>

From f0650028fb7a752a4215ba3e66eb0e89ff36f7ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Tue, 14 Nov 2023 16:39:18 +0100
Subject: [PATCH 48/64] Bump the .NET SDK to 8.0.100 and add a .NET 8.0 TFM

---
 .github/workflows/build.yml                   |  3 +-
 Directory.Build.props                         |  7 ++-
 Directory.Build.targets                       |  5 ++
 Directory.Packages.props                      | 58 ++++++++++++++++---
 global.json                                   |  7 ++-
 ...penIddict.Sandbox.AspNetCore.Client.csproj |  2 +-
 ...penIddict.Sandbox.AspNetCore.Server.csproj |  2 +-
 .../OpenIddict.Sandbox.Console.Client.csproj  |  2 +-
 .../OpenIddict.Sandbox.WinForms.Client.csproj |  2 +-
 .../OpenIddict.Sandbox.Wpf.Client.csproj      |  2 +-
 .../OpenIddict.AspNetCore.csproj              |  1 +
 .../OpenIddictClientAspNetCoreHandler.cs      | 14 +++++
 .../OpenIddict.MongoDb.Models.csproj          |  2 +-
 .../OpenIddict.MongoDb.csproj                 |  2 +-
 .../OpenIddictServerAspNetCoreHandler.cs      | 14 +++++
 .../OpenIddictValidationAspNetCoreHandler.cs  | 14 +++++
 src/OpenIddict/OpenIddict.csproj              |  3 +
 17 files changed, 120 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e28d1de9..a56063a4 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -46,6 +46,7 @@ jobs:
           3.1.426
           6.0.408
           7.0.302
+          8.0.100
 
     # Arcade only allows the revision to contain up to two characters, and GitHub Actions does not roll-over
     # build numbers every day like Azure DevOps does. To balance these two requirements, set the official
@@ -105,7 +106,7 @@ jobs:
     - name: Setup .NET
       uses: actions/setup-dotnet@v3
       with:
-        dotnet-version: '7.0.302'
+        dotnet-version: '8.0.100'
 
     - name: Validate NuGet packages
       shell: pwsh
diff --git a/Directory.Build.props b/Directory.Build.props
index 6c0581ac..52c0f8fd 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -44,13 +44,16 @@
     <NetCoreTargetFrameworks Condition=" '$(NetCoreTargetFrameworks)' == '' ">
       netcoreapp3.1;
       net6.0;
-      net7.0
+      net7.0;
+      net8.0
     </NetCoreTargetFrameworks>
     <NetCoreWindowsTargetFrameworks Condition=" '$(NetCoreWindowsTargetFrameworks)' == '' ">
       net6.0-windows7.0;
       net6.0-windows10.0.17763;
       net7.0-windows7.0;
-      net7.0-windows10.0.17763
+      net7.0-windows10.0.17763;
+      net8.0-windows7.0;
+      net8.0-windows10.0.17763
     </NetCoreWindowsTargetFrameworks>
     <NetStandardTargetFrameworks Condition=" '$(NetStandardTargetFrameworks)' == '' ">
       netstandard2.0;
diff --git a/Directory.Build.targets b/Directory.Build.targets
index 692ac5ab..904bd736 100644
--- a/Directory.Build.targets
+++ b/Directory.Build.targets
@@ -109,6 +109,11 @@
     <DefineConstants>$(DefineConstants);SUPPORTS_AUTHENTICATION_HANDLER_SELECTION_FALLBACK</DefineConstants>
   </PropertyGroup>
 
+  <PropertyGroup
+    Condition=" ('$(TargetFrameworkIdentifier)' == '.NETCoreApp' And $([MSBuild]::VersionGreaterThanOrEquals($(TargetFrameworkVersion), '8.0'))) ">
+    <DefineConstants>$(DefineConstants);SUPPORTS_TIME_PROVIDER</DefineConstants>
+  </PropertyGroup>
+
   <PropertyGroup
     Condition=" ('$(TargetFrameworkIdentifier)' == '.NETCoreApp' And $([MSBuild]::VersionLessThan($(TargetFrameworkVersion), '5.0'))) Or
 
diff --git a/Directory.Packages.props b/Directory.Packages.props
index 797f78f2..af9bb56b 100644
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@@ -188,8 +188,8 @@
     <PackageVersion Include="Dapplo.Microsoft.Extensions.Hosting.AppServices"                 Version="1.0.14"          />
     <PackageVersion Include="Dapplo.Microsoft.Extensions.Hosting.WinForms"                    Version="1.0.14"          />
     <PackageVersion Include="Dapplo.Microsoft.Extensions.Hosting.Wpf"                         Version="1.0.14"          />
-    <PackageVersion Include="Microsoft.AspNet.Identity.EntityFramework"                       Version="2.2.3"           />
-    <PackageVersion Include="Microsoft.AspNet.Identity.Owin"                                  Version="2.2.3"           />
+    <PackageVersion Include="Microsoft.AspNet.Identity.EntityFramework"                       Version="2.2.4"           />
+    <PackageVersion Include="Microsoft.AspNet.Identity.Owin"                                  Version="2.2.4"           />
     <PackageVersion Include="Microsoft.AspNet.Mvc"                                            Version="5.2.9"           />
     <PackageVersion Include="Microsoft.AspNet.Web.Optimization"                               Version="1.1.3"           />
     <PackageVersion Include="Microsoft.AspNet.WebApi.Owin"                                    Version="5.2.9"           />
@@ -345,17 +345,61 @@
     <PackageVersion Include="Moq"                                                             Version="4.18.4"          />
     <PackageVersion Include="System.Linq.Async"                                               Version="6.0.1"           />
 
+    <!--
+      Note: OpenIddict uses PolySharp to dynamically generate polyfills for types that are not available on
+      some of the targeted TFMs (e.g Index, Range or nullable attributes on .NET Framework/.NET Standard).
+    -->
+    <GlobalPackageReference Include="PolySharp" Condition=" '$(DisablePolySharp)' != 'true' " Version="1.13.1"          />
+  </ItemGroup>
+
+  <!--
+                                          ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
+                                          █████ ▀██ ██ ▄▄▄█▄▄ ▄▄███▀▄▄▀████ ▄▄ ██
+                                          █▀▀██ █ █ ██ ▄▄▄███ █████▀▄▄▀█▀▀█ ▀▄ ██
+                                          █▄▄██ ██▄ ██ ▀▀▀███ █████▄▀▀▄█▄▄█ ▀▀ ██
+                                          ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
+  -->
+
+  <ItemGroup Label="Package versions for .NET 8.0"
+    Condition=" '$(TargetFrameworkIdentifier)' == '.NETCoreApp' And $([MSBuild]::VersionEquals($(TargetFrameworkVersion), '8.0')) ">
+    <PackageVersion Include="EntityFramework"                                                 Version="6.4.4"           />
+    <PackageVersion Include="Microsoft.EntityFrameworkCore.Relational"                        Version="8.0.0"           />
+    <PackageVersion Include="Microsoft.Extensions.Caching.Abstractions"                       Version="8.0.0"           />
+    <PackageVersion Include="Microsoft.Extensions.Caching.Memory"                             Version="8.0.0"           />
+    <PackageVersion Include="Microsoft.Extensions.DependencyInjection.Abstractions"           Version="8.0.0"           />
+    <PackageVersion Include="Microsoft.Extensions.Hosting.Abstractions"                       Version="8.0.0"           />
+    <PackageVersion Include="Microsoft.Extensions.Http.Polly"                                 Version="8.0.0"           />
+    <PackageVersion Include="Microsoft.Extensions.Logging"                                    Version="8.0.0"           />
+    <PackageVersion Include="Microsoft.Extensions.Options"                                    Version="8.0.0"           />
+    <PackageVersion Include="Microsoft.Extensions.Primitives"                                 Version="8.0.0"           />
+    <PackageVersion Include="Microsoft.Extensions.WebEncoders"                                Version="8.0.0"           />
+    <PackageVersion Include="Microsoft.IdentityModel.JsonWebTokens"                           Version="7.0.0"           />
+    <PackageVersion Include="Microsoft.IdentityModel.Protocols"                               Version="7.0.0"           />
+    <PackageVersion Include="Microsoft.IdentityModel.Tokens"                                  Version="7.0.0"           />
+    <PackageVersion Include="MongoDB.Bson"                                                    Version="2.20.0"          />
+    <PackageVersion Include="MongoDB.Driver"                                                  Version="2.20.0"          />
+    <PackageVersion Include="Quartz.Extensions.DependencyInjection"                           Version="3.5.0"           />
+
+    <!--
+      Note: the following references are exclusively used in the test projects:
+    -->
+    <PackageVersion Include="AngleSharp"                                                      Version="0.17.1"          />
+    <PackageVersion Include="MartinCostello.Logging.XUnit"                                    Version="0.3.0"           />
+    <PackageVersion Include="Microsoft.AspNetCore.TestHost"                                   Version="8.0.0"           />
+    <PackageVersion Include="Microsoft.Extensions.DependencyInjection"                        Version="8.0.0"           />
+    <PackageVersion Include="Moq"                                                             Version="4.18.4"          />
+    <PackageVersion Include="System.Linq.Async"                                               Version="6.0.1"           />
+
     <!--
       Note: the following references are exclusively used in the samples:
     -->
     <PackageVersion Include="Dapplo.Microsoft.Extensions.Hosting.AppServices"                 Version="1.0.14"          />
     <PackageVersion Include="Dapplo.Microsoft.Extensions.Hosting.WinForms"                    Version="1.0.14"          />
     <PackageVersion Include="Dapplo.Microsoft.Extensions.Hosting.Wpf"                         Version="1.0.14"          />
-    <PackageVersion Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore"               Version="7.0.5"           />
-    <PackageVersion Include="Microsoft.EntityFrameworkCore.Sqlite"                            Version="7.0.5"           />
-    <PackageVersion Include="Microsoft.EntityFrameworkCore.SqlServer"                         Version="7.0.5"           />
-    <PackageVersion Include="Microsoft.Extensions.Hosting"                                    Version="7.0.1"           />
-    <PackageVersion Include="Microsoft.Extensions.Logging.Debug"                              Version="7.0.0"           />
+    <PackageVersion Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore"               Version="8.0.0"           />
+    <PackageVersion Include="Microsoft.EntityFrameworkCore.Sqlite"                            Version="8.0.0"           />
+    <PackageVersion Include="Microsoft.Extensions.Hosting"                                    Version="8.0.0"           />
+    <PackageVersion Include="Microsoft.Extensions.Logging.Debug"                              Version="8.0.0"           />
     <PackageVersion Include="Quartz.Extensions.Hosting"                                       Version="3.5.0"           />
     <PackageVersion Include="Spectre.Console"                                                 Version="0.46.0"          />
 
diff --git a/global.json b/global.json
index 0dd10c6f..2103a5ff 100644
--- a/global.json
+++ b/global.json
@@ -1,18 +1,19 @@
 {
   "sdk": {
-    "version": "7.0.302",
+    "version": "8.0.100",
     "allowPrerelease": true,
     "rollForward": "major"
   },
 
   "tools": {
-    "dotnet": "7.0.302",
+    "dotnet": "8.0.100",
 
     "runtimes": {
       "aspnetcore": [
         "3.1.32",
         "6.0.16",
-        "7.0.5"
+        "7.0.5",
+        "8.0.0"
       ]
     }
   },
diff --git a/sandbox/OpenIddict.Sandbox.AspNetCore.Client/OpenIddict.Sandbox.AspNetCore.Client.csproj b/sandbox/OpenIddict.Sandbox.AspNetCore.Client/OpenIddict.Sandbox.AspNetCore.Client.csproj
index e0271a38..e8b91d39 100644
--- a/sandbox/OpenIddict.Sandbox.AspNetCore.Client/OpenIddict.Sandbox.AspNetCore.Client.csproj
+++ b/sandbox/OpenIddict.Sandbox.AspNetCore.Client/OpenIddict.Sandbox.AspNetCore.Client.csproj
@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 
   <PropertyGroup>
-    <TargetFramework>net7.0</TargetFramework>
+    <TargetFramework>net8.0</TargetFramework>
     <IsShipping>false</IsShipping>
     <Nullable>disable</Nullable>
   </PropertyGroup>
diff --git a/sandbox/OpenIddict.Sandbox.AspNetCore.Server/OpenIddict.Sandbox.AspNetCore.Server.csproj b/sandbox/OpenIddict.Sandbox.AspNetCore.Server/OpenIddict.Sandbox.AspNetCore.Server.csproj
index e52acc10..eefd3c7e 100644
--- a/sandbox/OpenIddict.Sandbox.AspNetCore.Server/OpenIddict.Sandbox.AspNetCore.Server.csproj
+++ b/sandbox/OpenIddict.Sandbox.AspNetCore.Server/OpenIddict.Sandbox.AspNetCore.Server.csproj
@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 
   <PropertyGroup>
-    <TargetFramework>net7.0</TargetFramework>
+    <TargetFramework>net8.0</TargetFramework>
     <IsShipping>false</IsShipping>
     <SignAssembly>false</SignAssembly>
     <TypeScriptEnabled>false</TypeScriptEnabled>
diff --git a/sandbox/OpenIddict.Sandbox.Console.Client/OpenIddict.Sandbox.Console.Client.csproj b/sandbox/OpenIddict.Sandbox.Console.Client/OpenIddict.Sandbox.Console.Client.csproj
index caf51e3b..d00328f7 100644
--- a/sandbox/OpenIddict.Sandbox.Console.Client/OpenIddict.Sandbox.Console.Client.csproj
+++ b/sandbox/OpenIddict.Sandbox.Console.Client/OpenIddict.Sandbox.Console.Client.csproj
@@ -2,7 +2,7 @@
 
   <PropertyGroup>
     <OutputType>Exe</OutputType>
-    <TargetFrameworks>net48;net7.0</TargetFrameworks>
+    <TargetFrameworks>net48;net8.0</TargetFrameworks>
     <EnablePreviewFeatures>true</EnablePreviewFeatures>
     <IsShipping>false</IsShipping>
     <SignAssembly>false</SignAssembly>
diff --git a/sandbox/OpenIddict.Sandbox.WinForms.Client/OpenIddict.Sandbox.WinForms.Client.csproj b/sandbox/OpenIddict.Sandbox.WinForms.Client/OpenIddict.Sandbox.WinForms.Client.csproj
index caac4ade..84890b02 100644
--- a/sandbox/OpenIddict.Sandbox.WinForms.Client/OpenIddict.Sandbox.WinForms.Client.csproj
+++ b/sandbox/OpenIddict.Sandbox.WinForms.Client/OpenIddict.Sandbox.WinForms.Client.csproj
@@ -2,7 +2,7 @@
 
   <PropertyGroup>
     <OutputType>WinExe</OutputType>
-    <TargetFrameworks>net48;net7.0-windows7.0</TargetFrameworks>
+    <TargetFrameworks>net48;net8.0-windows7.0</TargetFrameworks>
     <EnablePreviewFeatures>true</EnablePreviewFeatures>
     <EnableWindowsTargeting>true</EnableWindowsTargeting>
     <UseWindowsForms>true</UseWindowsForms>
diff --git a/sandbox/OpenIddict.Sandbox.Wpf.Client/OpenIddict.Sandbox.Wpf.Client.csproj b/sandbox/OpenIddict.Sandbox.Wpf.Client/OpenIddict.Sandbox.Wpf.Client.csproj
index 47aa9257..1b606c7a 100644
--- a/sandbox/OpenIddict.Sandbox.Wpf.Client/OpenIddict.Sandbox.Wpf.Client.csproj
+++ b/sandbox/OpenIddict.Sandbox.Wpf.Client/OpenIddict.Sandbox.Wpf.Client.csproj
@@ -2,7 +2,7 @@
 
   <PropertyGroup>
     <OutputType>WinExe</OutputType>
-    <TargetFrameworks>net48;net7.0-windows10.0.17763</TargetFrameworks>
+    <TargetFrameworks>net48;net8.0-windows10.0.17763</TargetFrameworks>
     <EnablePreviewFeatures>true</EnablePreviewFeatures>
     <EnableWindowsTargeting>true</EnableWindowsTargeting>
     <UseWPF>true</UseWPF>
diff --git a/src/OpenIddict.AspNetCore/OpenIddict.AspNetCore.csproj b/src/OpenIddict.AspNetCore/OpenIddict.AspNetCore.csproj
index 1f49ab39..8d3635c0 100644
--- a/src/OpenIddict.AspNetCore/OpenIddict.AspNetCore.csproj
+++ b/src/OpenIddict.AspNetCore/OpenIddict.AspNetCore.csproj
@@ -28,6 +28,7 @@
     <None Include="_._" Pack="true" PackagePath="lib\netcoreapp3.1\_._" />
     <None Include="_._" Pack="true" PackagePath="lib\net6.0\_._" />
     <None Include="_._" Pack="true" PackagePath="lib\net7.0\_._" />
+    <None Include="_._" Pack="true" PackagePath="lib\net8.0\_._" />
   </ItemGroup>
 
 </Project>
diff --git a/src/OpenIddict.Client.AspNetCore/OpenIddictClientAspNetCoreHandler.cs b/src/OpenIddict.Client.AspNetCore/OpenIddictClientAspNetCoreHandler.cs
index 2d546cde..0d213bc8 100644
--- a/src/OpenIddict.Client.AspNetCore/OpenIddictClientAspNetCoreHandler.cs
+++ b/src/OpenIddict.Client.AspNetCore/OpenIddictClientAspNetCoreHandler.cs
@@ -30,6 +30,19 @@ public sealed class OpenIddictClientAspNetCoreHandler : AuthenticationHandler<Op
     /// <summary>
     /// Creates a new instance of the <see cref="OpenIddictClientAspNetCoreHandler"/> class.
     /// </summary>
+#if SUPPORTS_TIME_PROVIDER
+    public OpenIddictClientAspNetCoreHandler(
+        IOpenIddictClientDispatcher dispatcher,
+        IOpenIddictClientFactory factory,
+        IOptionsMonitor<OpenIddictClientAspNetCoreOptions> options,
+        ILoggerFactory logger,
+        UrlEncoder encoder)
+        : base(options, logger, encoder)
+    {
+        _dispatcher = dispatcher ?? throw new ArgumentNullException(nameof(dispatcher));
+        _factory = factory ?? throw new ArgumentNullException(nameof(factory));
+    }
+#else
     public OpenIddictClientAspNetCoreHandler(
         IOpenIddictClientDispatcher dispatcher,
         IOpenIddictClientFactory factory,
@@ -42,6 +55,7 @@ public sealed class OpenIddictClientAspNetCoreHandler : AuthenticationHandler<Op
         _dispatcher = dispatcher ?? throw new ArgumentNullException(nameof(dispatcher));
         _factory = factory ?? throw new ArgumentNullException(nameof(factory));
     }
+#endif
 
     /// <inheritdoc/>
     public async Task<bool> HandleRequestAsync()
diff --git a/src/OpenIddict.MongoDb.Models/OpenIddict.MongoDb.Models.csproj b/src/OpenIddict.MongoDb.Models/OpenIddict.MongoDb.Models.csproj
index 32dc4506..05bec032 100644
--- a/src/OpenIddict.MongoDb.Models/OpenIddict.MongoDb.Models.csproj
+++ b/src/OpenIddict.MongoDb.Models/OpenIddict.MongoDb.Models.csproj
@@ -17,7 +17,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="MongoDB.Bson" NoWarn="NU1902" />
+    <PackageReference Include="MongoDB.Bson" />
   </ItemGroup>
 
   <ItemGroup
diff --git a/src/OpenIddict.MongoDb/OpenIddict.MongoDb.csproj b/src/OpenIddict.MongoDb/OpenIddict.MongoDb.csproj
index 729c8170..6d885128 100644
--- a/src/OpenIddict.MongoDb/OpenIddict.MongoDb.csproj
+++ b/src/OpenIddict.MongoDb/OpenIddict.MongoDb.csproj
@@ -21,7 +21,7 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="MongoDB.Driver" NoWarn="NU1902" />
+    <PackageReference Include="MongoDB.Driver" NoWarn="NU1901;NU1902;NU1903;NU1904" />
   </ItemGroup>
 
   <ItemGroup>
diff --git a/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandler.cs b/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandler.cs
index 6ef436c9..343f5382 100644
--- a/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandler.cs
+++ b/src/OpenIddict.Server.AspNetCore/OpenIddictServerAspNetCoreHandler.cs
@@ -30,6 +30,19 @@ public sealed class OpenIddictServerAspNetCoreHandler : AuthenticationHandler<Op
     /// <summary>
     /// Creates a new instance of the <see cref="OpenIddictServerAspNetCoreHandler"/> class.
     /// </summary>
+#if SUPPORTS_TIME_PROVIDER
+    public OpenIddictServerAspNetCoreHandler(
+        IOpenIddictServerDispatcher dispatcher,
+        IOpenIddictServerFactory factory,
+        IOptionsMonitor<OpenIddictServerAspNetCoreOptions> options,
+        ILoggerFactory logger,
+        UrlEncoder encoder)
+        : base(options, logger, encoder)
+    {
+        _dispatcher = dispatcher ?? throw new ArgumentNullException(nameof(dispatcher));
+        _factory = factory ?? throw new ArgumentNullException(nameof(factory));
+    }
+#else
     public OpenIddictServerAspNetCoreHandler(
         IOpenIddictServerDispatcher dispatcher,
         IOpenIddictServerFactory factory,
@@ -42,6 +55,7 @@ public sealed class OpenIddictServerAspNetCoreHandler : AuthenticationHandler<Op
         _dispatcher = dispatcher ?? throw new ArgumentNullException(nameof(dispatcher));
         _factory = factory ?? throw new ArgumentNullException(nameof(factory));
     }
+#endif
 
     /// <inheritdoc/>
     public async Task<bool> HandleRequestAsync()
diff --git a/src/OpenIddict.Validation.AspNetCore/OpenIddictValidationAspNetCoreHandler.cs b/src/OpenIddict.Validation.AspNetCore/OpenIddictValidationAspNetCoreHandler.cs
index ee977f81..cf31526d 100644
--- a/src/OpenIddict.Validation.AspNetCore/OpenIddictValidationAspNetCoreHandler.cs
+++ b/src/OpenIddict.Validation.AspNetCore/OpenIddictValidationAspNetCoreHandler.cs
@@ -26,6 +26,19 @@ public sealed class OpenIddictValidationAspNetCoreHandler : AuthenticationHandle
     /// <summary>
     /// Creates a new instance of the <see cref="OpenIddictValidationAspNetCoreHandler"/> class.
     /// </summary>
+#if SUPPORTS_TIME_PROVIDER
+    public OpenIddictValidationAspNetCoreHandler(
+        IOpenIddictValidationDispatcher dispatcher,
+        IOpenIddictValidationFactory factory,
+        IOptionsMonitor<OpenIddictValidationAspNetCoreOptions> options,
+        ILoggerFactory logger,
+        UrlEncoder encoder)
+        : base(options, logger, encoder)
+    {
+        _dispatcher = dispatcher ?? throw new ArgumentNullException(nameof(dispatcher));
+        _factory = factory ?? throw new ArgumentNullException(nameof(factory));
+    }
+#else
     public OpenIddictValidationAspNetCoreHandler(
         IOpenIddictValidationDispatcher dispatcher,
         IOpenIddictValidationFactory factory,
@@ -38,6 +51,7 @@ public sealed class OpenIddictValidationAspNetCoreHandler : AuthenticationHandle
         _dispatcher = dispatcher ?? throw new ArgumentNullException(nameof(dispatcher));
         _factory = factory ?? throw new ArgumentNullException(nameof(factory));
     }
+#endif
 
     /// <inheritdoc/>
     public async Task<bool> HandleRequestAsync()
diff --git a/src/OpenIddict/OpenIddict.csproj b/src/OpenIddict/OpenIddict.csproj
index cd24b735..113f1c5c 100644
--- a/src/OpenIddict/OpenIddict.csproj
+++ b/src/OpenIddict/OpenIddict.csproj
@@ -43,6 +43,9 @@ To use these features on ASP.NET Core or OWIN/Katana/ASP.NET 4.x, reference the
     <None Include="_._" Pack="true" PackagePath="lib\net7.0\_._" />
     <None Include="_._" Pack="true" PackagePath="lib\net7.0-windows7.0\_._" />
     <None Include="_._" Pack="true" PackagePath="lib\net7.0-windows10.0.17763\_._" />
+    <None Include="_._" Pack="true" PackagePath="lib\net8.0\_._" />
+    <None Include="_._" Pack="true" PackagePath="lib\net8.0-windows7.0\_._" />
+    <None Include="_._" Pack="true" PackagePath="lib\net8.0-windows10.0.17763\_._" />
     <None Include="_._" Pack="true" PackagePath="lib\netstandard2.0\_._" />
     <None Include="_._" Pack="true" PackagePath="lib\netstandard2.1\_._" />
   </ItemGroup>

From d069c0d7b853677996c39105be346ee8995fa08f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Tue, 14 Nov 2023 18:03:12 +0100
Subject: [PATCH 49/64] Update Versions.props to build 4.10.0 packages

---
 eng/Versions.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eng/Versions.props b/eng/Versions.props
index 242daac7..41a5e378 100644
--- a/eng/Versions.props
+++ b/eng/Versions.props
@@ -2,7 +2,7 @@
 
   <PropertyGroup>
     <MajorVersion>4</MajorVersion>
-    <MinorVersion>9</MinorVersion>
+    <MinorVersion>10</MinorVersion>
     <PatchVersion>0</PatchVersion>
     <VersionPrefix>$(MajorVersion).$(MinorVersion).$(PatchVersion)</VersionPrefix>
     <PreReleaseVersionLabel>preview1</PreReleaseVersionLabel>

From f541dcd1f7a1583cb84189cd0013d3d921a0fb19 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Sat, 2 Dec 2023 08:43:43 +0100
Subject: [PATCH 50/64] Update the client service to attach the additional
 parameters to the correct request instances

---
 src/OpenIddict.Client/OpenIddictClientModels.cs  |  2 ++
 src/OpenIddict.Client/OpenIddictClientService.cs | 16 ++++++++++++----
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/src/OpenIddict.Client/OpenIddictClientModels.cs b/src/OpenIddict.Client/OpenIddictClientModels.cs
index 617a0edb..4a200666 100644
--- a/src/OpenIddict.Client/OpenIddictClientModels.cs
+++ b/src/OpenIddict.Client/OpenIddictClientModels.cs
@@ -22,6 +22,7 @@ public static class OpenIddictClientModels
         /// <summary>
         /// Gets or sets the parameters that will be added to the token request.
         /// </summary>
+        [Obsolete("This property is no longer supported and will be removed in a future version.")]
         public Dictionary<string, OpenIddictParameter>? AdditionalTokenRequestParameters { get; init; }
 
         /// <summary>
@@ -43,6 +44,7 @@ public static class OpenIddictClientModels
         /// <summary>
         /// Gets the scopes that will be sent to the authorization server.
         /// </summary>
+        [Obsolete("This property is no longer supported and will be removed in a future version.")]
         public List<string>? Scopes { get; init; }
     }
 
diff --git a/src/OpenIddict.Client/OpenIddictClientService.cs b/src/OpenIddict.Client/OpenIddictClientService.cs
index ffa117a5..96f28aa7 100644
--- a/src/OpenIddict.Client/OpenIddictClientService.cs
+++ b/src/OpenIddict.Client/OpenIddictClientService.cs
@@ -325,6 +325,14 @@ public sealed class OpenIddictClientService
                 Nonce = request.Nonce
             };
 
+            if (request.Properties is { Count: > 0 })
+            {
+                foreach (var property in request.Properties)
+                {
+                    context.Properties[property.Key] = property.Value;
+                }
+            }
+
             await dispatcher.DispatchAsync(context);
 
             if (context.IsRejected)
@@ -733,7 +741,7 @@ public sealed class OpenIddictClientService
                         Issuer = request.Issuer,
                         ProviderName = request.ProviderName,
                         RegistrationId = request.RegistrationId,
-                        Request = request.AdditionalTokenRequestParameters
+                        TokenRequest = request.AdditionalTokenRequestParameters
                             is Dictionary<string, OpenIddictParameter> parameters ? new(parameters) : new(),
                     };
 
@@ -912,13 +920,13 @@ public sealed class OpenIddictClientService
             var context = new ProcessChallengeContext(transaction)
             {
                 CancellationToken = request.CancellationToken,
+                DeviceAuthorizationRequest = request.AdditionalDeviceAuthorizationRequestParameters
+                    is Dictionary<string, OpenIddictParameter> parameters ? new(parameters) : new(),
                 GrantType = GrantTypes.DeviceCode,
                 Issuer = request.Issuer,
                 Principal = new ClaimsPrincipal(new ClaimsIdentity()),
                 ProviderName = request.ProviderName,
-                RegistrationId = request.RegistrationId,
-                Request = request.AdditionalDeviceAuthorizationRequestParameters
-                    is Dictionary<string, OpenIddictParameter> parameters ? new(parameters) : new(),
+                RegistrationId = request.RegistrationId
             };
 
             if (request.Scopes is { Count: > 0 })

From 74e329eabba35f8fe11da618afc96d550bd241cf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Sat, 2 Dec 2023 09:10:57 +0100
Subject: [PATCH 51/64] Update Versions.props to build 4.10.1 packages

---
 eng/Versions.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eng/Versions.props b/eng/Versions.props
index 41a5e378..0c6412fe 100644
--- a/eng/Versions.props
+++ b/eng/Versions.props
@@ -3,7 +3,7 @@
   <PropertyGroup>
     <MajorVersion>4</MajorVersion>
     <MinorVersion>10</MinorVersion>
-    <PatchVersion>0</PatchVersion>
+    <PatchVersion>1</PatchVersion>
     <VersionPrefix>$(MajorVersion).$(MinorVersion).$(PatchVersion)</VersionPrefix>
     <PreReleaseVersionLabel>preview1</PreReleaseVersionLabel>
     <PreReleaseVersionIteration></PreReleaseVersionIteration>

From 5162809197ec409c24b94d9c994122adb4fd8c42 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Mon, 18 Dec 2023 16:54:55 +0100
Subject: [PATCH 52/64] Update Versions.props to build 5.0.0 packages

---
 eng/Versions.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eng/Versions.props b/eng/Versions.props
index cd1ce97d..90a1a1e0 100644
--- a/eng/Versions.props
+++ b/eng/Versions.props
@@ -8,7 +8,7 @@
     <PreReleaseVersionLabel>rtm</PreReleaseVersionLabel>
     <PreReleaseVersionIteration></PreReleaseVersionIteration>
     <PreReleaseBrandingLabel>Release to Manufacturing</PreReleaseBrandingLabel>
-    <StabilizePackageVersion Condition=" '$(StabilizePackageVersion)' == '' ">false</StabilizePackageVersion>
+    <StabilizePackageVersion Condition=" '$(StabilizePackageVersion)' == '' ">true</StabilizePackageVersion>
     <DotNetFinalVersionKind Condition=" '$(StabilizePackageVersion)' == 'true' ">release</DotNetFinalVersionKind>
     <IncludePreReleaseLabelInPackageVersion>true</IncludePreReleaseLabelInPackageVersion>
     <IncludePreReleaseLabelInPackageVersion Condition=" '$(DotNetFinalVersionKind)' == 'release' ">false</IncludePreReleaseLabelInPackageVersion>

From ce2abe278c9e13f0525960901beee78b9ac789a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Thu, 21 Dec 2023 15:30:49 +0100
Subject: [PATCH 53/64] Fix the ResolveTokenValidationParameters handler to run
 when using introspection

---
 .../OpenIddictValidationHandlers.Protection.cs                   | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/OpenIddict.Validation/OpenIddictValidationHandlers.Protection.cs b/src/OpenIddict.Validation/OpenIddictValidationHandlers.Protection.cs
index 8713596b..59548754 100644
--- a/src/OpenIddict.Validation/OpenIddictValidationHandlers.Protection.cs
+++ b/src/OpenIddict.Validation/OpenIddictValidationHandlers.Protection.cs
@@ -50,7 +50,6 @@ public static partial class OpenIddictValidationHandlers
             /// </summary>
             public static OpenIddictValidationHandlerDescriptor Descriptor { get; }
                 = OpenIddictValidationHandlerDescriptor.CreateBuilder<ValidateTokenContext>()
-                    .AddFilter<RequireLocalValidation>()
                     .UseSingletonHandler<ResolveTokenValidationParameters>()
                     .SetOrder(int.MinValue + 100_000)
                     .SetType(OpenIddictValidationHandlerType.BuiltIn)

From 40231e940ab25fb78237d01fae27ebe157e2e120 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Fri, 22 Dec 2023 13:08:13 +0100
Subject: [PATCH 54/64] Update Versions.props to build 5.0.1 packages

---
 eng/Versions.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eng/Versions.props b/eng/Versions.props
index 90a1a1e0..146edb72 100644
--- a/eng/Versions.props
+++ b/eng/Versions.props
@@ -3,7 +3,7 @@
   <PropertyGroup>
     <MajorVersion>5</MajorVersion>
     <MinorVersion>0</MinorVersion>
-    <PatchVersion>0</PatchVersion>
+    <PatchVersion>1</PatchVersion>
     <VersionPrefix>$(MajorVersion).$(MinorVersion).$(PatchVersion)</VersionPrefix>
     <PreReleaseVersionLabel>rtm</PreReleaseVersionLabel>
     <PreReleaseVersionIteration></PreReleaseVersionIteration>

From 2537a8d18913d3580da50fcb7cf276a924f17af4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Thu, 18 Jan 2024 18:24:27 +0100
Subject: [PATCH 55/64] Update Versions.props to build 5.1.0 packages

---
 eng/Versions.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eng/Versions.props b/eng/Versions.props
index 98c3e1aa..e41d5e56 100644
--- a/eng/Versions.props
+++ b/eng/Versions.props
@@ -8,7 +8,7 @@
     <PreReleaseVersionLabel>preview1</PreReleaseVersionLabel>
     <PreReleaseVersionIteration></PreReleaseVersionIteration>
     <PreReleaseBrandingLabel>Preview 1</PreReleaseBrandingLabel>
-    <StabilizePackageVersion Condition=" '$(StabilizePackageVersion)' == '' ">false</StabilizePackageVersion>
+    <StabilizePackageVersion Condition=" '$(StabilizePackageVersion)' == '' ">true</StabilizePackageVersion>
     <DotNetFinalVersionKind Condition=" '$(StabilizePackageVersion)' == 'true' ">release</DotNetFinalVersionKind>
     <IncludePreReleaseLabelInPackageVersion>true</IncludePreReleaseLabelInPackageVersion>
     <IncludePreReleaseLabelInPackageVersion Condition=" '$(DotNetFinalVersionKind)' == 'release' ">false</IncludePreReleaseLabelInPackageVersion>

From 36eb37d77584588cdfbece7c7570fd22cadeec6f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Mon, 12 Feb 2024 07:24:36 +0100
Subject: [PATCH 56/64] Update Versions.props to build 5.2.0 packages

---
 eng/Versions.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eng/Versions.props b/eng/Versions.props
index 0284e015..af9f28cc 100644
--- a/eng/Versions.props
+++ b/eng/Versions.props
@@ -8,7 +8,7 @@
     <PreReleaseVersionLabel>preview1</PreReleaseVersionLabel>
     <PreReleaseVersionIteration></PreReleaseVersionIteration>
     <PreReleaseBrandingLabel>Preview 1</PreReleaseBrandingLabel>
-    <StabilizePackageVersion Condition=" '$(StabilizePackageVersion)' == '' ">false</StabilizePackageVersion>
+    <StabilizePackageVersion Condition=" '$(StabilizePackageVersion)' == '' ">true</StabilizePackageVersion>
     <DotNetFinalVersionKind Condition=" '$(StabilizePackageVersion)' == 'true' ">release</DotNetFinalVersionKind>
     <IncludePreReleaseLabelInPackageVersion>true</IncludePreReleaseLabelInPackageVersion>
     <IncludePreReleaseLabelInPackageVersion Condition=" '$(DotNetFinalVersionKind)' == 'release' ">false</IncludePreReleaseLabelInPackageVersion>

From 8d46b2bda8ecd89c2e326007ddb76d98c9416f22 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Mon, 4 Mar 2024 16:55:07 +0100
Subject: [PATCH 57/64] Update Versions.props to build 5.3.0 packages

---
 eng/Versions.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eng/Versions.props b/eng/Versions.props
index 6c47923d..8e45fbc2 100644
--- a/eng/Versions.props
+++ b/eng/Versions.props
@@ -8,7 +8,7 @@
     <PreReleaseVersionLabel>preview1</PreReleaseVersionLabel>
     <PreReleaseVersionIteration></PreReleaseVersionIteration>
     <PreReleaseBrandingLabel>Preview 1</PreReleaseBrandingLabel>
-    <StabilizePackageVersion Condition=" '$(StabilizePackageVersion)' == '' ">false</StabilizePackageVersion>
+    <StabilizePackageVersion Condition=" '$(StabilizePackageVersion)' == '' ">true</StabilizePackageVersion>
     <DotNetFinalVersionKind Condition=" '$(StabilizePackageVersion)' == 'true' ">release</DotNetFinalVersionKind>
     <IncludePreReleaseLabelInPackageVersion>true</IncludePreReleaseLabelInPackageVersion>
     <IncludePreReleaseLabelInPackageVersion Condition=" '$(DotNetFinalVersionKind)' == 'release' ">false</IncludePreReleaseLabelInPackageVersion>

From d1ae4a2bb39c9f91892be457acae3139bcf21e8f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Tue, 26 Mar 2024 17:07:57 +0100
Subject: [PATCH 58/64] Update Versions.props to build 5.4.0 packages

---
 eng/Versions.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eng/Versions.props b/eng/Versions.props
index aef85dc7..b95373c8 100644
--- a/eng/Versions.props
+++ b/eng/Versions.props
@@ -8,7 +8,7 @@
     <PreReleaseVersionLabel>preview1</PreReleaseVersionLabel>
     <PreReleaseVersionIteration></PreReleaseVersionIteration>
     <PreReleaseBrandingLabel>Preview 1</PreReleaseBrandingLabel>
-    <StabilizePackageVersion Condition=" '$(StabilizePackageVersion)' == '' ">false</StabilizePackageVersion>
+    <StabilizePackageVersion Condition=" '$(StabilizePackageVersion)' == '' ">true</StabilizePackageVersion>
     <DotNetFinalVersionKind Condition=" '$(StabilizePackageVersion)' == 'true' ">release</DotNetFinalVersionKind>
     <IncludePreReleaseLabelInPackageVersion>true</IncludePreReleaseLabelInPackageVersion>
     <IncludePreReleaseLabelInPackageVersion Condition=" '$(DotNetFinalVersionKind)' == 'release' ">false</IncludePreReleaseLabelInPackageVersion>

From bbf23c44e41c4390fd7aaca728665762ff5c323f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Thu, 25 Apr 2024 17:59:30 +0200
Subject: [PATCH 59/64] Update Versions.props to build 5.5.0 packages

---
 eng/Versions.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eng/Versions.props b/eng/Versions.props
index 943d7701..87ec3514 100644
--- a/eng/Versions.props
+++ b/eng/Versions.props
@@ -8,7 +8,7 @@
     <PreReleaseVersionLabel>preview1</PreReleaseVersionLabel>
     <PreReleaseVersionIteration></PreReleaseVersionIteration>
     <PreReleaseBrandingLabel>Preview 1</PreReleaseBrandingLabel>
-    <StabilizePackageVersion Condition=" '$(StabilizePackageVersion)' == '' ">false</StabilizePackageVersion>
+    <StabilizePackageVersion Condition=" '$(StabilizePackageVersion)' == '' ">true</StabilizePackageVersion>
     <DotNetFinalVersionKind Condition=" '$(StabilizePackageVersion)' == 'true' ">release</DotNetFinalVersionKind>
     <IncludePreReleaseLabelInPackageVersion>true</IncludePreReleaseLabelInPackageVersion>
     <IncludePreReleaseLabelInPackageVersion Condition=" '$(DotNetFinalVersionKind)' == 'release' ">false</IncludePreReleaseLabelInPackageVersion>

From f2cf097b5a58aef85148df40c41e8630ceca04a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Tue, 14 May 2024 15:54:20 +0200
Subject: [PATCH 60/64] Update Versions.props to build 5.6.0 packages

---
 eng/Versions.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eng/Versions.props b/eng/Versions.props
index c33bc6a3..cb3b7660 100644
--- a/eng/Versions.props
+++ b/eng/Versions.props
@@ -8,7 +8,7 @@
     <PreReleaseVersionLabel>preview1</PreReleaseVersionLabel>
     <PreReleaseVersionIteration></PreReleaseVersionIteration>
     <PreReleaseBrandingLabel>Preview 1</PreReleaseBrandingLabel>
-    <StabilizePackageVersion Condition=" '$(StabilizePackageVersion)' == '' ">false</StabilizePackageVersion>
+    <StabilizePackageVersion Condition=" '$(StabilizePackageVersion)' == '' ">true</StabilizePackageVersion>
     <DotNetFinalVersionKind Condition=" '$(StabilizePackageVersion)' == 'true' ">release</DotNetFinalVersionKind>
     <IncludePreReleaseLabelInPackageVersion>true</IncludePreReleaseLabelInPackageVersion>
     <IncludePreReleaseLabelInPackageVersion Condition=" '$(DotNetFinalVersionKind)' == 'release' ">false</IncludePreReleaseLabelInPackageVersion>

From 99c5e902d38eb1d51143edef540bdb43a9d29aef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Wed, 19 Jun 2024 20:06:09 +0200
Subject: [PATCH 61/64] Update Versions.props to build 5.7.0 packages

---
 eng/Versions.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eng/Versions.props b/eng/Versions.props
index 8ec64b8c..ef8ac56f 100644
--- a/eng/Versions.props
+++ b/eng/Versions.props
@@ -8,7 +8,7 @@
     <PreReleaseVersionLabel>preview1</PreReleaseVersionLabel>
     <PreReleaseVersionIteration></PreReleaseVersionIteration>
     <PreReleaseBrandingLabel>Preview 1</PreReleaseBrandingLabel>
-    <StabilizePackageVersion Condition=" '$(StabilizePackageVersion)' == '' ">false</StabilizePackageVersion>
+    <StabilizePackageVersion Condition=" '$(StabilizePackageVersion)' == '' ">true</StabilizePackageVersion>
     <DotNetFinalVersionKind Condition=" '$(StabilizePackageVersion)' == 'true' ">release</DotNetFinalVersionKind>
     <IncludePreReleaseLabelInPackageVersion>true</IncludePreReleaseLabelInPackageVersion>
     <IncludePreReleaseLabelInPackageVersion Condition=" '$(DotNetFinalVersionKind)' == 'release' ">false</IncludePreReleaseLabelInPackageVersion>

From 62ce9849c91d0b470af8c38f6c20cb929fc38c29 Mon Sep 17 00:00:00 2001
From: Dovydas Navickas <dovydas@reactway.com>
Date: Thu, 15 Aug 2024 21:31:57 +0300
Subject: [PATCH 62/64] Fix the LinkedIn provider to use the new issuer
 returned by the configuration endpoint

---
 .../OpenIddictClientWebIntegrationProviders.xml              | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml
index 7beaf2d6..909245b1 100644
--- a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml
+++ b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml
@@ -967,8 +967,7 @@
 
   <Provider Name="LinkedIn" Id="eb3bc226-ed25-4258-8a37-2bfcc4d628a2"
             Documentation="https://learn.microsoft.com/en-us/linkedin/consumer/integrations/self-serve/sign-in-with-linkedin-v2">
-    <Environment Issuer="https://www.linkedin.com/"
-                 ConfigurationEndpoint="https://www.linkedin.com/oauth/.well-known/openid-configuration">
+    <Environment Issuer="https://www.linkedin.com/oauth">
       <!--
         Note: LinkedIn requires sending the "profile" scope to be able to use the userinfo endpoint.
       -->
@@ -2076,4 +2075,4 @@
     </Environment>
   </Provider>
 
-</Providers>
\ No newline at end of file
+</Providers>

From 460fc4f3ff0eabe8d7ff7bfe99b89643ea4635a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Thu, 15 Aug 2024 20:34:39 +0200
Subject: [PATCH 63/64] Update Versions.props to build 5.7.1 packages

---
 eng/Versions.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eng/Versions.props b/eng/Versions.props
index ef8ac56f..78bb2e95 100644
--- a/eng/Versions.props
+++ b/eng/Versions.props
@@ -3,7 +3,7 @@
   <PropertyGroup>
     <MajorVersion>5</MajorVersion>
     <MinorVersion>7</MinorVersion>
-    <PatchVersion>0</PatchVersion>
+    <PatchVersion>1</PatchVersion>
     <VersionPrefix>$(MajorVersion).$(MinorVersion).$(PatchVersion)</VersionPrefix>
     <PreReleaseVersionLabel>preview1</PreReleaseVersionLabel>
     <PreReleaseVersionIteration></PreReleaseVersionIteration>

From 69678b0b577660b8b6ea3aa5bd938b6a604955df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?= <kevinchalet@gmail.com>
Date: Thu, 22 Aug 2024 10:49:49 +0200
Subject: [PATCH 64/64] Update Versions.props to build 5.8.0 packages

---
 eng/Versions.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eng/Versions.props b/eng/Versions.props
index cb3ad299..ba33750b 100644
--- a/eng/Versions.props
+++ b/eng/Versions.props
@@ -8,7 +8,7 @@
     <PreReleaseVersionLabel>preview1</PreReleaseVersionLabel>
     <PreReleaseVersionIteration></PreReleaseVersionIteration>
     <PreReleaseBrandingLabel>Preview 1</PreReleaseBrandingLabel>
-    <StabilizePackageVersion Condition=" '$(StabilizePackageVersion)' == '' ">false</StabilizePackageVersion>
+    <StabilizePackageVersion Condition=" '$(StabilizePackageVersion)' == '' ">true</StabilizePackageVersion>
     <DotNetFinalVersionKind Condition=" '$(StabilizePackageVersion)' == 'true' ">release</DotNetFinalVersionKind>
     <IncludePreReleaseLabelInPackageVersion>true</IncludePreReleaseLabelInPackageVersion>
     <IncludePreReleaseLabelInPackageVersion Condition=" '$(DotNetFinalVersionKind)' == 'release' ">false</IncludePreReleaseLabelInPackageVersion>