diff --git a/.gitignore b/.gitignore
index 8d2426af..b62075ac 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,4 @@
-## Ignore Visual Studio temporary files, build results, and 
+## Ignore Visual Studio temporary files, build results, and
 ## files generated by popular Visual Studio add-ons.
 
 # VS 14 temporary folder
@@ -16,6 +16,7 @@ project.lock.json
 
 # Build results
 
+.dotnet
 artifacts/
 coverage.*
 [Dd]ebug/
@@ -30,6 +31,7 @@ x64/
 # MSTest test Results
 [Tt]est[Rr]esult*/
 [Bb]uild[Ll]og.*
+*.coverage
 
 *_i.c
 *_p.c
diff --git a/Directory.Build.props b/Directory.Build.props
index bb87c839..f202f102 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -30,7 +30,7 @@
     <Product>aspnet-contrib</Product>
     <Company>$(Authors)</Company>
     <_ProjectCopyright>© AspNet.Security.OAuth.Providers contributors. All rights reserved.</_ProjectCopyright>
-    <PackageIconUrl>https://avatars3.githubusercontent.com/u/7998081?s=64</PackageIconUrl>
+    <PackageIcon>package-icon.png</PackageIcon>
     <PackageProjectUrl>https://github.com/aspnet-contrib/AspNet.Security.OpenId.Providers</PackageProjectUrl>
     <PackageLicenseExpression>Apache-2.0</PackageLicenseExpression>
     <RepositoryType>git</RepositoryType>
@@ -47,6 +47,9 @@
     <IsPackable>true</IsPackable>
     <IsShipping>true</IsShipping>
   </PropertyGroup>
+  <ItemGroup Condition=" '$(IsPackable)' == 'true' ">
+    <None Include="$(MSBuildThisFileDirectory)\package-icon.png" Pack="True" PackagePath="" />
+  </ItemGroup>
   <ItemGroup Condition=" '$(OS)' != 'Windows_NT' ">
     <PackageReference Include="Microsoft.NETFramework.ReferenceAssemblies" PrivateAssets="All" Version="1.0.0-preview.2" />
   </ItemGroup>
diff --git a/NuGet.config b/NuGet.config
index 7e0e7690..59dc88c6 100644
--- a/NuGet.config
+++ b/NuGet.config
@@ -6,4 +6,4 @@
     <add key="dotnet-core" value="https://dotnetfeed.blob.core.windows.net/dotnet-core/index.json" />
     <add key="azureadwebstacknightly" value="https://www.myget.org/F/azureadwebstacknightly/api/v3/index.json" />
   </packageSources>
-</configuration>
\ No newline at end of file
+</configuration>
diff --git a/appveyor.yml b/appveyor.yml
index d17c5be3..b047f627 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -17,7 +17,7 @@ test: off
 
 after_build:
   - ps: $wc = New-Object 'System.Net.WebClient'
-  - ps: $wc.UploadFile("https://ci.appveyor.com/api/testresults/xunit/$($env:APPVEYOR_JOB_ID)", (Resolve-Path .\artifacts\TestResults\Release\AspNet.Security.OpenId.Providers.Tests_netcoreapp2.2_x64.xml))
+  - ps: $wc.UploadFile("https://ci.appveyor.com/api/testresults/xunit/$($env:APPVEYOR_JOB_ID)", (Resolve-Path .\artifacts\TestResults\Release\AspNet.Security.OpenId.Providers.Tests_netcoreapp3.0_x64.xml))
 
 deploy:
 - provider: NuGet
diff --git a/eng/Versions.props b/eng/Versions.props
index 3be97643..c76060d0 100644
--- a/eng/Versions.props
+++ b/eng/Versions.props
@@ -1,13 +1,13 @@
 <Project>
   <PropertyGroup>
-    <VersionPrefix>2.1.1</VersionPrefix>
-    <PreReleaseVersionLabel>alpha1</PreReleaseVersionLabel>
+    <VersionPrefix>3.0.0</VersionPrefix>
+    <PreReleaseVersionLabel>release</PreReleaseVersionLabel>
   </PropertyGroup>
   <PropertyGroup>
     <AngleSharpVersion>0.9.9</AngleSharpVersion>
-    <AspNetCoreVersion>2.0.0</AspNetCoreVersion>
+    <AspNetCoreVersion>3.0.0</AspNetCoreVersion>
     <IdentityModelCoreVersion>2.1.4</IdentityModelCoreVersion>
-    <JetBrainsVersion>2019.1.1</JetBrainsVersion>
+    <JetBrainsVersion>2019.1.3</JetBrainsVersion>
     <JsonNetVersion>10.0.3</JsonNetVersion>
     <JustEatHttpClientInterceptionVersion>2.0.2</JustEatHttpClientInterceptionVersion>
     <MartinCostelloLoggingXUnitVersion>0.1.0</MartinCostelloLoggingXUnitVersion>
diff --git a/global.json b/global.json
index 76e2d2d5..4983c683 100644
--- a/global.json
+++ b/global.json
@@ -1,6 +1,6 @@
 {
   "tools": {
-    "dotnet": "2.2.401"
+    "dotnet": "3.0.100"
   },
   "msbuild-sdks": {
     "Microsoft.DotNet.Arcade.Sdk": "1.0.0-beta.19405.1",
diff --git a/package-icon.png b/package-icon.png
new file mode 100644
index 00000000..902340c7
Binary files /dev/null and b/package-icon.png differ
diff --git a/samples/Mvc.Client/Mvc.Client.csproj b/samples/Mvc.Client/Mvc.Client.csproj
index 7db09c4b..cfa1585e 100644
--- a/samples/Mvc.Client/Mvc.Client.csproj
+++ b/samples/Mvc.Client/Mvc.Client.csproj
@@ -1,15 +1,11 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 
   <PropertyGroup>
-    <TargetFramework>netcoreapp2.2</TargetFramework>
+    <TargetFrameworks>netcoreapp3.0</TargetFrameworks>
   </PropertyGroup>
 
   <ItemGroup>
     <ProjectReference Include="..\..\src\AspNet.Security.OpenId.Steam\AspNet.Security.OpenId.Steam.csproj" />
   </ItemGroup>
 
-  <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.App" />
-  </ItemGroup>
-
 </Project>
diff --git a/samples/Mvc.Client/Program.cs b/samples/Mvc.Client/Program.cs
index 2f7d08eb..4036f4eb 100644
--- a/samples/Mvc.Client/Program.cs
+++ b/samples/Mvc.Client/Program.cs
@@ -1,17 +1,16 @@
-using Microsoft.AspNetCore;
-using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.Extensions.Hosting;
 
 namespace Mvc.Client
 {
     public static class Program
     {
         public static void Main(string[] args)
-        {
-            CreateWebHostBuilder(args).Build().Run();
-        }
+          => CreateHostBuilder(args).Build().Run();
 
-        public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
-            WebHost.CreateDefaultBuilder(args)
-                   .UseStartup<Startup>();
+        public static IHostBuilder CreateHostBuilder(string[] args) =>
+            Host.CreateDefaultBuilder(args)
+                .ConfigureWebHostDefaults(
+                    (webBuilder) => webBuilder.UseStartup<Startup>());
     }
 }
diff --git a/samples/Mvc.Client/Startup.cs b/samples/Mvc.Client/Startup.cs
index 0dab92d5..16a65238 100644
--- a/samples/Mvc.Client/Startup.cs
+++ b/samples/Mvc.Client/Startup.cs
@@ -51,16 +51,22 @@ public void ConfigureServices(IServiceCollection services)
 
             .AddSteam();
 
-            services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
+            services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_3_0);
         }
 
         public void Configure(IApplicationBuilder app)
         {
             app.UseStaticFiles();
 
+            app.UseRouting();
+
             app.UseAuthentication();
+            app.UseAuthorization();
 
-            app.UseMvc();
+            app.UseEndpoints(endpoints =>
+            {
+                endpoints.MapDefaultControllerRoute();
+            });
         }
     }
 }
diff --git a/src/AspNet.Security.OpenId.Steam/AspNet.Security.OpenId.Steam.csproj b/src/AspNet.Security.OpenId.Steam/AspNet.Security.OpenId.Steam.csproj
index 9f5bca72..6f6704d3 100644
--- a/src/AspNet.Security.OpenId.Steam/AspNet.Security.OpenId.Steam.csproj
+++ b/src/AspNet.Security.OpenId.Steam/AspNet.Security.OpenId.Steam.csproj
@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFramework>netstandard2.0</TargetFramework>
+    <TargetFramework>netcoreapp3.0</TargetFramework>
   </PropertyGroup>
 
   <PropertyGroup>
@@ -15,6 +15,7 @@
   </ItemGroup>
 
   <ItemGroup>
+    <FrameworkReference Include="Microsoft.AspNetCore.App" />
     <PackageReference Include="JetBrains.Annotations" Version="$(JetBrainsVersion)" PrivateAssets="All" />
   </ItemGroup>
 
diff --git a/src/AspNet.Security.OpenId.Steam/SteamAuthenticationHandler.cs b/src/AspNet.Security.OpenId.Steam/SteamAuthenticationHandler.cs
index 653a69cc..ce707208 100644
--- a/src/AspNet.Security.OpenId.Steam/SteamAuthenticationHandler.cs
+++ b/src/AspNet.Security.OpenId.Steam/SteamAuthenticationHandler.cs
@@ -84,7 +84,7 @@ protected override async Task<AuthenticationTicket> CreateTicketAsync(
             request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue(OpenIdAuthenticationConstants.Media.Json));
 
             // Return the authentication ticket as-is if the userinfo request failed.
-            var response = await Options.HttpClient.SendAsync(request, HttpCompletionOption.ResponseHeadersRead, Context.RequestAborted);
+            var response = await Options.Backchannel.SendAsync(request, HttpCompletionOption.ResponseHeadersRead, Context.RequestAborted);
             if (!response.IsSuccessStatusCode)
             {
                 Logger.LogWarning("The userinfo request failed because an invalid response was received: the identity provider " +
diff --git a/src/AspNet.Security.OpenId/AspNet.Security.OpenId.csproj b/src/AspNet.Security.OpenId/AspNet.Security.OpenId.csproj
index 94e92314..53c9dc9b 100644
--- a/src/AspNet.Security.OpenId/AspNet.Security.OpenId.csproj
+++ b/src/AspNet.Security.OpenId/AspNet.Security.OpenId.csproj
@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFramework>netstandard2.0</TargetFramework>
+    <TargetFramework>netcoreapp3.0</TargetFramework>
   </PropertyGroup>
 
   <PropertyGroup>
@@ -11,9 +11,9 @@
   </PropertyGroup>
 
   <ItemGroup>
+    <FrameworkReference Include="Microsoft.AspNetCore.App" />
     <PackageReference Include="AngleSharp" Version="$(AngleSharpVersion)" />
     <PackageReference Include="JetBrains.Annotations" Version="$(JetBrainsVersion)" PrivateAssets="All" />
-    <PackageReference Include="Microsoft.AspNetCore.Authentication" Version="$(AspNetCoreVersion)" />
     <PackageReference Include="Microsoft.IdentityModel.Protocols" Version="$(IdentityModelCoreVersion)" />
     <PackageReference Include="Newtonsoft.Json" Version="$(JsonNetVersion)" />
   </ItemGroup>
diff --git a/src/AspNet.Security.OpenId/OpenIdAuthenticationHandler.cs b/src/AspNet.Security.OpenId/OpenIdAuthenticationHandler.cs
index 548a5f19..d71dfe58 100644
--- a/src/AspNet.Security.OpenId/OpenIdAuthenticationHandler.cs
+++ b/src/AspNet.Security.OpenId/OpenIdAuthenticationHandler.cs
@@ -380,7 +380,7 @@ private async Task<bool> VerifyAssertionAsync([NotNull] OpenIdAuthenticationMess
                 Content = new FormUrlEncodedContent(payload)
             };
 
-            var response = await Options.HttpClient.SendAsync(request, HttpCompletionOption.ResponseHeadersRead, Context.RequestAborted);
+            var response = await Options.Backchannel.SendAsync(request, HttpCompletionOption.ResponseHeadersRead, Context.RequestAborted);
             if (!response.IsSuccessStatusCode)
             {
                 Logger.LogWarning("The authentication failed because an invalid check_authentication response was received: " +
diff --git a/src/AspNet.Security.OpenId/OpenIdAuthenticationInitializer.cs b/src/AspNet.Security.OpenId/OpenIdAuthenticationInitializer.cs
index af2adbbb..f8e55752 100644
--- a/src/AspNet.Security.OpenId/OpenIdAuthenticationInitializer.cs
+++ b/src/AspNet.Security.OpenId/OpenIdAuthenticationInitializer.cs
@@ -77,15 +77,12 @@ public void PostConfigure([NotNull] string name, [NotNull] TOptions options)
                 options.HtmlParser = new HtmlParser();
             }
 
-            if (options.HttpClient == null)
+            if (options.Backchannel == null)
             {
-                options.HttpClient = new HttpClient
-                {
-                    Timeout = TimeSpan.FromSeconds(30),
-                    MaxResponseContentBufferSize = 1024 * 1024 * 10
-                };
-
-                options.HttpClient.DefaultRequestHeaders.UserAgent.ParseAdd("ASP.NET Core OpenID 2.0 middleware");
+                options.Backchannel = new HttpClient(options.BackchannelHttpHandler ?? new HttpClientHandler());
+                options.Backchannel.DefaultRequestHeaders.UserAgent.ParseAdd("ASP.NET Core OpenID 2.0 middleware");
+                options.Backchannel.Timeout = options.BackchannelTimeout;
+                options.Backchannel.MaxResponseContentBufferSize = 1024 * 1024 * 10; // 10 MB
             }
 
             if (options.ConfigurationManager == null)
@@ -140,13 +137,13 @@ public void PostConfigure([NotNull] string name, [NotNull] TOptions options)
 
                     options.ConfigurationManager = new ConfigurationManager<OpenIdAuthenticationConfiguration>(
                         options.MetadataAddress?.AbsoluteUri ?? options.Authority.AbsoluteUri,
-                        new OpenIdAuthenticationConfiguration.Retriever(options.HttpClient, options.HtmlParser)
+                        new OpenIdAuthenticationConfiguration.Retriever(options.Backchannel, options.HtmlParser)
                         {
                             MaximumRedirections = options.MaximumRedirections
                         },
-                        new HttpDocumentRetriever(options.HttpClient) { RequireHttps = options.RequireHttpsMetadata });
+                        new HttpDocumentRetriever(options.Backchannel) { RequireHttps = options.RequireHttpsMetadata });
                 }
             }
         }
     }
-}
\ No newline at end of file
+}
diff --git a/src/AspNet.Security.OpenId/OpenIdAuthenticationOptions.cs b/src/AspNet.Security.OpenId/OpenIdAuthenticationOptions.cs
index 5bee6ad2..1da0645e 100644
--- a/src/AspNet.Security.OpenId/OpenIdAuthenticationOptions.cs
+++ b/src/AspNet.Security.OpenId/OpenIdAuthenticationOptions.cs
@@ -95,7 +95,12 @@ public OpenIdAuthenticationOptions()
         /// <summary>
         /// Gets or sets the HTTP client used to communicate with the OpenID provider.
         /// </summary>
-        public HttpClient HttpClient { get; set; }
+        [Obsolete("Use the Backchannel property instead.")]
+        public HttpClient HttpClient
+        {
+            get => Backchannel;
+            set => Backchannel = value;
+        }
 
         /// <summary>
         /// Gets or sets the HTML parser used to parse discovery documents.
diff --git a/test/AspNet.Security.OpenId.Providers.Tests/AspNet.Security.OpenId.Providers.Tests.csproj b/test/AspNet.Security.OpenId.Providers.Tests/AspNet.Security.OpenId.Providers.Tests.csproj
index 4d8d97b4..8a1d23e0 100644
--- a/test/AspNet.Security.OpenId.Providers.Tests/AspNet.Security.OpenId.Providers.Tests.csproj
+++ b/test/AspNet.Security.OpenId.Providers.Tests/AspNet.Security.OpenId.Providers.Tests.csproj
@@ -1,8 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
-    <AspNetCoreVersion>2.2.0</AspNetCoreVersion>
     <RootNamespace>AspNet.Security.OpenId</RootNamespace>
-    <TargetFramework>netcoreapp2.2</TargetFramework>
+    <TargetFramework>netcoreapp3.0</TargetFramework>
     <IsPackable>false</IsPackable>
     <IsTestProject>true</IsTestProject>
   </PropertyGroup>
@@ -13,7 +12,7 @@
     <ProjectReference Include="..\..\src\**\*.csproj" />
   </ItemGroup>
   <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.App" />
+    <FrameworkReference Include="Microsoft.AspNetCore.App" />
     <PackageReference Include="JustEat.HttpClientInterception" Version="$(JustEatHttpClientInterceptionVersion)" />
     <PackageReference Include="MartinCostello.Logging.XUnit" Version="$(MartinCostelloLoggingXUnitVersion)" />
     <PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" Version="$(AspNetCoreVersion)" />
diff --git a/test/AspNet.Security.OpenId.Providers.Tests/Infrastructure/ApplicationFactory.cs b/test/AspNet.Security.OpenId.Providers.Tests/Infrastructure/ApplicationFactory.cs
index 33abe064..94244266 100644
--- a/test/AspNet.Security.OpenId.Providers.Tests/Infrastructure/ApplicationFactory.cs
+++ b/test/AspNet.Security.OpenId.Providers.Tests/Infrastructure/ApplicationFactory.cs
@@ -78,6 +78,8 @@ private static void Configure<TOptions>(IWebHostBuilder builder, OpenIdTests<TOp
                             .AddCookie("External", o => o.ForwardChallenge = tests.DefaultScheme);
 
                         tests.RegisterAuthentication(authentication);
+
+                        services.AddAuthorization();
                     });
         }
 
@@ -85,26 +87,32 @@ private static void ConfigureApplication(IApplicationBuilder app)
         {
             // Configure a single HTTP resource that challenges the client if unauthenticated
             // or returns the logged in user's claims as XML if the request is authenticated.
-            app.UseAuthentication();
-
-            app.Map("/me", childApp => childApp.Run(
-                async context =>
-                {
-                    if (context.User.Identity.IsAuthenticated)
-                    {
-                        string xml = IdentityToXmlString(context.User);
-                        byte[] buffer = Encoding.UTF8.GetBytes(xml.ToString());
-
-                        context.Response.StatusCode = 200;
-                        context.Response.ContentType = "text/xml";
-
-                        await context.Response.Body.WriteAsync(buffer, 0, buffer.Length);
-                    }
-                    else
-                    {
-                        await context.ChallengeAsync();
-                    }
-                }));
+            app.UseRouting();
+
+            app.UseAuthentication()
+               .UseAuthorization()
+               .UseEndpoints(endpoints =>
+               {
+                   endpoints.MapGet(
+                       "/me",
+                       async context =>
+                       {
+                           if (context.User.Identity.IsAuthenticated)
+                           {
+                               var xml = IdentityToXmlString(context.User);
+                               var buffer = Encoding.UTF8.GetBytes(xml.ToString());
+
+                               context.Response.StatusCode = 200;
+                               context.Response.ContentType = "text/xml";
+
+                               await context.Response.Body.WriteAsync(buffer, 0, buffer.Length);
+                           }
+                           else
+                           {
+                               await context.ChallengeAsync();
+                           }
+                        });
+               });
         }
 
         private static string IdentityToXmlString(ClaimsPrincipal user)
diff --git a/test/AspNet.Security.OpenId.Providers.Tests/OpenIdTests`1.cs b/test/AspNet.Security.OpenId.Providers.Tests/OpenIdTests`1.cs
index a847583c..7db9494b 100644
--- a/test/AspNet.Security.OpenId.Providers.Tests/OpenIdTests`1.cs
+++ b/test/AspNet.Security.OpenId.Providers.Tests/OpenIdTests`1.cs
@@ -85,7 +85,6 @@ protected OpenIdTests()
         protected virtual void ConfigureDefaults(AuthenticationBuilder builder, TOptions options)
         {
             options.Backchannel = CreateBackchannel(builder);
-            options.HttpClient = options.Backchannel;
         }
 
         /// <summary>