Breaking Changes upgrading OIDCClient from 5.3.0 to 6.0.1?

[chris-walker-32341]

Have a MAUI app that is working fine with IdentityModel.OidcClient v5.3.0 but when attempting to upgrade to IdentityModel.OidcClient 6.0.1 or Duende.IdentityModel.OidcClient 6.0.1 the generated start URL is missing certain parameters like response_type=code and code_challenge.

Nothing else has changed in the code besides the version of the library, and the namespace when upgrading to the Duende one.

Tried sifting through change notes but nothing jumped out as to why this would break?

OLD Good URL:
https://login.company.net/login?ReturnUrl=%2fconnect%2fauthorize%2fcallback%3Fresponse_type%3Dcode%26state%321xxf5667788_k_K1w%26code_challenge%3DJrLVVFF1wayyyyikTTTKPS_GyjYL12345678zZzz%26code_challenge_method%3DS256%26client_id%3DCompany.Mobile.Dev%26scope%3Dopenid%2520profile%26redirect_uri%company-dev-app%253A%252F%252Flogin%26prompt%3Dlogin%26acr_values%3Dtenant%255555559ccc9-ffff-4444-bbbb-abcdefghijkl%26suppressed_prompt%3Dlogin%26audienceId%3D123456&forceLocal=True

NEW Bad URL:
https://login.company.net/login?ReturnUrl=%2fconnect%2fauthorize%2fcallback%3Frequest_uri%3Durn%253Aietf%253Aparams%253Aoauth%253Arequest_uri%255555E22A1FAAAA4444CCCC2BBBB11B188827AAAAAAA8AAAAAAAAA111111DDBB1%26client_id%3DCompany.Mobile.Dev%26suppressed_prompt%3Dlogin

[wcabus]

The new URL seems to be using Pushed Authorization Request (PAR). PAR helps to improve security by allowing clients to push the authorization flow parameters before making the request to the /authorize endpoint, while the client also authenticates itself when it performs the PAR request.

You can try to disable this feature by setting the DisablePushedAuthorization property to false, but we do recommend to use PAR whenever possible.