Kentor.AuthServices 0.21.2 has just been released to NuGet. It is a security release fixing three issues.
XML External Entity Injection (affecting .NET 4.5 only)
Malicious IdP can cause write to arbitrary file
Flawed ReturnUrl validation leads to Open Redirect
The first two issues were reported by John Heasman, Morgan Roman and Joshua Estalilla from DocuSign. While I have dreaded the day when I would get a security issue, I am extremely happy with the professionalism of the disclosure. I got the report privately, including detailed descriptions, reproduction steps and solid recommendations on how to fix it. I am very grateful you took the time to review AuthServices and find the issues and for the detailed reports.
More details on the vulnerabilities will be published later.