Releases: DuendeSoftware/products

Duende BFF Security Framework V4.0.1

12 Dec 14:54
fcf7456

This is a minor release that fixes a problem with BFF 4.0.0 when using DPoP.

IdentityServer 7.4.3

09 Dec 18:02
5aa266c

This is a bugfix release that fixes an issue where claims in a session would be duplicated.

What's Changed

Full Changelog: is-7.4.2...is-7.4.3

IdentityServer 7.3.3

09 Dec 23:33
5b09aab

This is a minor release which changes how a CSP hash is calculated to prevent future issues and updates the version of Duende.IdentityModel used to 8.0.0.

What's Changed

  • Resolve CSP by moving it to a not dotnet formattable file by @pgermishuys in #2295
  • Updated to IdentityModel 8.0.0 by @bhazen in #2302

Breaking Changes

The update to Duende.IdentityModel can cause breaking changes as it is a major version. Refer to the Duende.IdentityModel 8.0.0 release notes for upgrade instructions.

IdentityServer 7.4.2

04 Dec 08:20
1c50a00

This is a patch release that fixes a bug in license verification.

IdentityServer 7.4.1

03 Dec 14:42

This is a patch release that fixes a bug related to CSP hashes.

Duende BFF Security Framework V3.1.0

02 Dec 13:16
0ca420d

The changes since the release candidate are:

  • Update to .NET 10 from Release Candidate to GA by @pgermishuys in #2267
  • Update to GA FOSS Packages for .NET 10 Release by @bhazen in #2282

Note that Duende.BFF.EntityFramework now depends on Entity Framework Core 9.x in the net8.0 target framework, which should be fully supported on both .NET 8 and .NET 9. .NET 10 projects will use Entity Framework Core 10.x.

Bug Fixes

  • Fix entity framework scoping issue in ServerSideSessionChecker by @maartenba in #2251

Duende.AspNetCore.Authentication.JwtBearer 0.3.0

02 Dec 13:22
fcfbc96

This is a minor release to add support for .NET 10.

Detailed Changes

  • .NET 10 Support (Simplified) by @josephdecock in #2216
  • .NET 10 RC2 by @bhazen in #2245
  • Use latest IdentityModel and AccessTokenManagement packages in JwtBearer, BFF by @josephdecock in #2248
  • Update .NET 10 from Release Candidate to GA by @pgermishuys in #2267
  • Updated to FOSS packages to GA versions for dotnet 10 release by @bhazen in #2281

IdentityServer 7.4.0

02 Dec 13:20
fcfbc96

IdentityServer 7.4.0 is a significant release that includes:

  • Support for .NET 10
  • Support for OAuth 2.0 Authorization Server Metadata (RFC 8414)
  • New Callback option for path detection in Dynamic Providers
  • Improved UI locales support
  • Support for custom parameters in the Authorize Redirect Uri
  • Identity package now persists session claims based on an interface
  • Skipping front-channel logout iframe when unnecessary
  • Set HTTP activity name on routing

Since the 7.4.0 release candidate, there have been a few minor changes, including:

  • Add service for diagnostic data by @josephdecock in #2252
  • Trigger Back Channel Logout Earlier in Pipeline by @bhazen in #2258
  • Enable Customizing ErrorMessage on Redirect to Error Page by @bhazen in #2263
  • Better DCR Support for Public Clients by @bhazen in #2264
  • Update .NET 10 from Release Candidate to GA by @pgermishuys in #2267

Note that Duende.IdentityServer.EntityFramework.Storage now depends on Entity Framework Core 9.x in the net8.0 target framework, which should be fully supported on both .NET 8 and .NET 9. .NET 10 projects will use Entity Framework Core 10.x.

Breaking Changes

There are no schema changes needed for IdentityServer 7.4.0. Small code changes may be required for some users to upgrade.

  • Removed the unused Duende.IdentityServer.Models.DiscoveryDocument class which was public
  • Marked static properties referring to counters in Telemetry.cs as readonly

Removed the unused Duende.IdentityServer.Models.DiscoveryDocument class which was public

  • Address CA1707 violations by @bhazen in #2128
    In the process of internal code cleanup, this unused and unreferenced file was removed. If code was referencing this file, see the linked PR to create a local copy in the code base needing it.

Marked static properties referring to counters in Telemetry.cs as readonly

  • Address CA2211 Violations by @bhazen in #2170
    In the process of internal code cleanup, these properties were updated to be marked as readonly. Code should not have been updating these properties as it would likely change the behavior of the telemetry emitted by IdentityServer. Any code which was updating these properties should instead create its own counters for its specific scenario.

Enhancements

  • Set HTTP activity name on routing by @josephdecock in #2049
    • Set the DisplayName of the activity associated with the incoming HttpRequest when IdentityServer routes are matched. This makes the IdentityServer route names appear in OTel traces.
  • Skip front-channel logout iframe when unnecessary by @bhazen in #2109
    • Enables the UI to skip rendering the front channel logout iframe when it is not needed.
  • Callback Option for Path Detection in Dynamic Providers by @bhazen in #2126
    • Adds a new option for Dynamic Providers to increase flexibility when routing to dynamic providers. The new PathMatchingCallback setting can be used as an alternative to the previously existing PathPrefix option.
  • Improved UI locales support by @bhazen in #2158
    • Improves support for the ui_locales parameter in protocol requests that support it, to allow for better localization.
    • The default implementation, DefaultUiLocalsService.cs, delegates to the CookieRequestCultureProvider if it is present and any of the values passed in the ui_locales parameter match a supported UI culture.
    • If the default implementation does not meet your needs, IUiLocalesService can be implemented and registered with DI.
  • RFC 8414 support by @bhazen in #2189
    • Adds out-of-the-box support for OAuth 2.0 Authorization Server Metadata as defined in RFC 8414.
  • Support for custom parameters in authorize response by @bhazen in #2206
    • Adds a new CustomParameters property to AuthorizeResponse to support adding custom query parameters to the redirect uri. This will typically be used in conjunction with a custom IAuthorizeResponseGenerator.
  • Use Customizable Filter to Persist Session Claims in ASP.NET Identity by @bhazen in #2213
    • The ASP.NET Identity integration package now persists session claims based on ISessionClaimsFilter.FilterToSessionClaimsAsync which comes with a default implementation.
    • The new interface can be implemented to customize which session claims are persisted in non-default scenarios.
  • .NET 10 Support (Simplified) by @josephdecock in #2216
    • Added initial support for .NET 10.
  • Updated IS and BFF to IM 8.0.0 Preview 1 and ATM Previews in #2247
  • Add service for diagnostic data in #2252 by @josephdecock
  • Enable Customizing ErrorMessage on Redirect to Error Page in #2263 by @bhazen
    • Adds an extension point for customizing the ErrorMessage sent to the error page when an error which is not safe to return to the client occurs during an authorize request.
  • Update .NET 10 from Release Candidate to GA by @pgermishuys in #2267
  • Updated to FOSS packages to GA versions for dotnet 10 release by @bhazen in #2281

Bug Fixes

  • Reject Pushed Authorization Requests with parameters duplicated in a JAR by @wcabus in #2073
    • Fixes a bug where, when posting a PAR containing the "request" request parameter, other request parameters were being allowed.
    • Such a request will now correctly return an invalid request.
  • Emit telemetry event on successful token introspection by @bhazen in #2231
    • Fixes a bug where the telemetry event for token introspection was not being emitted.
  • Consolidated EF Core versions to prevent missing method exceptions by @bhazen in #2238
    • Fixes an issue where a mismatch of .NET versions and EF versions caused a method not found exception.
  • Catch potential OperationCanceledException in DiagnosticHostedService by @wcabus in #2229
    • Fixes an issue where, when the DiagnosticHostedService stops, the PeriodicTimer can throw an OperationCanceledException, which was causing issues with some testing frameworks.
  • Trigger Back Channel Logout Earlier in Pipeline in #2258 by @bhazen
    • When an upstream IdP triggered front-channel logout to IdentityServer, IdentityServer was not sending back-channel logout requests.
  • Better DCR Support for Public Clients in #2264 by @bhazen
    • Dynamic client registration requests with a token_endpoint_auth_method value of none were not being properly processed.

Code Quality

  • Fixed typo in XML doc for Client.CoordinateLifetimeWithUserSession by @wcabus in #2078

Duende BFF Security Framework V4.0.0

02 Dec 13:17
fcfbc96

This is the fourth release of the Duende Backend for Frontend Security Framework, 4.0.0. The changes since the last release are:

  • Update to .NET 10 from Release Candidate to GA by @pgermishuys in #2269
  • Check authentication state by @StuFrankish in #2275
  • Introduce BFF Trial Mode by @pgermishuys in #2279
  • Introduce Diagnostics in BFF by @pgermishuys in #2278
  • Updated to FOSS packages to GA versions for dotnet 10 release by @bhazen in #2281

Enhancements

  • Avoid relying on an active Http Context by @pgermishuys in #2259

Bug Fixes

  • Fix entity framework scoping issue in ServerSideSessionChecker by @Erwinvandervalk in #2262

IdentityServer 7.4.0 - RC 1

12 Nov 16:20
ad86e49

Pre-release

This is the first release candidate of IdentityServer 7.4.0. The changes since the last preview release are:

  • Add service for diagnostic data by @josephdecock in #2252
  • Trigger Back Channel Logout Earlier in Pipeline by @bhazen in #2258
  • Enable Customizing ErrorMessage on Redirect to Error Page by @bhazen in #2263
  • Better DCR Support for Public Clients by @bhazen in #2264
  • Update .NET 10 from Release Candidate to GA by @pgermishuys in #2267

IdentityServer 7.4.0 is a significant release that includes:

  • Support for .NET 10 (this preview targets .NET 10 RC2)
  • Support for OAuth 2.0 Authorization Server Metadata (RFC 8414)
  • New Callback option for path detection in Dynamic Providers
  • Improved UI locales support
  • Support for custom parameters in the Authorize Redirect Uri
  • Identity package now persists session claims based on an interface
  • Skipping front-channel logout iframe when unnecessary
  • Set HTTP activity name on routing

Breaking Changes

There are no schema changes needed for IdentityServer 7.4.0. Small code changes may be required for some users to upgrade.

  • Removed the unused Duende.IdentityServer.Models.DiscoveryDocument class which was public
  • Marked static properties referring to counters in Telemetry.cs as readonly

Removed the unused Duende.IdentityServer.Models.DiscoveryDocument class which was public

  • Address CA1707 violations by @bhazen in #2128
    In the process of internal code cleanup, this unused and unreferenced file was removed. If code was referencing this file, see the linked PR to create a local copy in the code base needing it.

Marked static properties referring to counters in Telemetry.cs as readonly

  • Address CA2211 Violations by @bhazen in #2170
    In the process of internal code cleanup, these properties were updated to be marked as readonly. Code should not have been updating these properties as it would likely change the behavior of the telemetry emitted by IdentityServer. Any code which was updating these properties should instead create its own counters for its specific scenario.

Enhancements

  • Set HTTP activity name on routing by @josephdecock in #2049
    • Set the DisplayName of the activity associated with the incoming HttpRequest when IdentityServer routes are matched. This makes the IdentityServer route names appear in OTel traces.
  • Skip front-channel logout iframe when unnecessary by @bhazen in #2109
    • Enables the UI to skip rendering the front channel logout iframe when it is not needed.
  • Callback Option for Path Detection in Dynamic Providers by @bhazen in #2126
    • Adds a new option for Dynamic Providers to increase flexibility when routing to dynamic providers. The new PathMatchingCallback setting can be used as an alternative to the previously existing PathPrefix option.
  • Improved UI locales support by @bhazen in #2158
    • Improves support for the ui_locales parameter in protocol requests that support it, to allow for better localization.
    • The default implementation, DefaultUiLocalsService.cs, delegates to the CookieRequestCultureProvider if it is present and any of the values passed in the ui_locales parameter match a supported UI culture.
    • If the default implementation does not meet your needs, IUiLocalesService can be implemented and registered with DI.
  • RFC 8414 support by @bhazen in #2189
    • Adds out-of-the-box support for OAuth 2.0 Authorization Server Metadata as defined in RFC 8414.
  • Support for custom parameters in authorize response by @bhazen in #2206
    • Adds a new CustomParameters property to AuthorizeResponse to support adding custom query parameters to the redirect uri. This will typically be used in conjunction with a custom IAuthorizeResponseGenerator.
  • Use Customizable Filter to Persist Session Claims in ASP.NET Identity by @bhazen in #2213
    • The ASP.NET Identity integration package now persists session claims based on ISessionClaimsFilter.FilterToSessionClaimsAsync which comes with a default implementation.
    • The new interface can be implemented to customize which session claims are persisted in non-default scenarios.
  • .NET 10 Support (Simplified) by @josephdecock in #2216
    • Added initial support for .NET 10.
  • Updated IS and BFF to IM 8.0.0 Preview 1 and ATM Previews in #2247
  • Add service for diagnostic data in #2252 by @josephdecock
  • Enable Customizing ErrorMessage on Redirect to Error Page in #2263 by @bhazen
    • Adds an extension point for customizing the ErrorMessage sent to the error page when an error which is not safe to return to the client occurs during an authorize request.
  • Update .NET 10 from Release Candidate to GA by @pgermishuys in #2267

Bug Fixes

  • Reject Pushed Authorization Requests with parameters duplicated in a JAR by @wcabus in #2073
    • Fixes a bug where, when posting a PAR containing the "request" request parameter, other request parameters were being allowed.
    • Such a request will now correctly return an invalid request.
  • Emit telemetry event on successful token introspection by @bhazen in #2231
    • Fixes a bug where the telemetry event for token introspection was not being emitted.
  • Consolidated EF Core versions to prevent missing method exceptions by @bhazen in #2238
    • Fixes an issue where a mismatch of .NET versions and EF versions caused a method not found exception.
  • Catch potential OperationCanceledException in DiagnosticHostedService by @wcabus in #2229
    • Fixes an issue where, when the DiagnosticHostedService stops, the PeriodicTimer can throw an OperationCanceledException, which was causing issues with some testing frameworks.
  • Trigger Back Channel Logout Earlier in Pipeline in #2258 by @bhazen
    • When an upstream IdP triggered front-channel logout to IdentityServer, IdentityServer was not sending back-channel logout requests.
  • Better DCR Support for Public Clients in #2264 by @bhazen
    • Dynamic client registration requests with a token_endpoint_auth_method value of none were not being properly processed.

Code Quality

  • Fixed typo in XML doc for Client.CoordinateLifetimeWithUserSession by @wcabus in #2078