Release Candidate for Katana 3 and the ASP.NET Security Components

One step closer to GA! The release candidate NuGet packages for Katana 3 are now available on the gallery, published with version 3.0.0-rc2.

Most of this release consists of bug fixes and stabilization updates, with the exception of the ASP.NET security components.

What’s New with the ASP.NET Security Components in the Release Candidate

You can install or update the release candidate bits through the Package Manager Console. If you were using WS-Federation, get the corresponding package with the following command:

Install-Package Microsoft.Owin.Security.WsFederation -Pre

If you were using OpenId Connect, use the following:

Install-Package Microsoft.Owin.Security.OpenIdConnect -Pre

Finally, you’ll want the new cookie middleware and, if you develop against IIS, you’ll want SystemWeb too:

Install-Package Microsoft.Owin.Security.Cookies -Pre

Install-Package Microsoft.Owin.Host.SystemWeb -Pre

Once again, this release features both feedback-driven updates and brand new features.

We’ll dig deeper in every new feature in the coming weeks, but to give you a sense of the scope of the changes:

  • In earlier previews we exposed protocol artifacts strictly following the protocol specification and their wire values, which resulted in a lot of property names containing ‘_‘.
    You were very vocal in requesting that we give priority to the .NET naming conventions, hence all underscores are now gone. That means that if you wrote code against preview bits you’ll almost certainly have to update it, but the good news is that it’s a very easy change.
  • We added some features that are not directly visible in the OM, such as the ability for apps to update their validation keys in adaptive fashion – so that apps can self-heal in case of key rollover without requiring a restart. That affected the programming model in indirect ways: for example, this feature called for a refactoring of how protocol options are stored and handled.
  • We added some advanced capabilities: the already described reference mode session, which allows you to write web apps that can be consumed by mobile devices with hard cookies size limits; we added a mechanism for automatically detecting token replay attacks; we made it easier for you to control the duration of sessions; and so on.
  • Of course, we fixed lots of bugs. A big thank you for reporting those!!! Please keep ‘em coming!

The main OM changes are demonstrated in the samples in filter the repos by ‘OpenId’ or ‘WsFed’.


At this point we don’t plan to introduce further changes to the development surface of the components: we’ll be doing stabilization work, and as soon as we’ll hit the right quality bar we’ll make the bits generally available. Please help us to weed out the last bugs as we work through the final stretch! As usual, there are many ways for you to engage:

Thanks and enjoy!