
Releases: DuendeSoftware/products

Duende BFF Security Framework V4.0.0 - Release Candidate 4

12 Nov 16:16
ad9a0e9


This is the fourth release candidate of Duende Backend for Frontend Security Framework 4.0.0. The changes since the last preview release are:

  • Update to .NET 10 from Release Candidate to GA by @pgermishuys in #2269

Enhancements

  • Avoid relying on an active Http Context by @pgermishuys in #2259

Bug Fixes

  • Fix Entity Framework scoping issue in ServerSideSessionChecker by @Erwinvandervalk in #2262

Duende BFF Security Framework V3.1.0 - Release Candidate 1

12 Nov 16:11
ad86e49


The changes since the last preview release are:

  • Update to .NET 10 from Release Candidate to GA by @pgermishuys in #2267

Bug Fixes

  • Fix Entity Framework scoping issue in ServerSideSessionChecker by @maartenba in #2251

Duende.AspNetCore.Authentication.JwtBearer 0.3.0 - Release Candidate 1

12 Nov 16:06
ad86e49


This is a release candidate of a minor release to add support for .NET 10.

The only change from the most recent preview release is that this release candidate targets the released version of .NET 10 rather than .NET 10 RC2.

Detailed Changes

  • .NET 10 Support (Simplified) by @josephdecock in #2216
  • .NET 10 RC2 by @bhazen in #2245
  • Use latest IdentityModel and AccessTokenManagement packages in JwtBearer, BFF by @josephdecock in #2248
  • Update .NET 10 from Release Candidate to GA by @pgermishuys in #2267

Duende BFF Security Framework V4.0.0 - Release Candidate 3

17 Oct 13:22
918da5b


Changes and improvements

  • Allows users to leverage the other extension methods such as AddBlazorServer after calling AddServerSideSessions [#2230]
  • Update BFF to .NET 10 RC 2 [#2246]
  • Update Access Token Management to 4.1.0 Preview 2 [#2249]

Duende BFF Security Framework V3.1.0 - Preview 2

17 Oct 13:22
84f16cf


BFF Security Framework 3.1.0 - Preview 2 includes:

Enhancements

  • .NET 10 Support (Simplified) by @josephdecock in #2216
    Added initial support for .NET 10.
  • Updated Access Token Management to 3.3.0-preview.1 in #2248

Duende.AspNetCore.Authentication.JwtBearer 0.3.0 - Preview 1

17 Oct 14:39
84f16cf


This is a preview of a minor release to add support for .NET 10 RC2.

Detailed Changes

  • .NET 10 Support (Simplified) by @josephdecock in #2216
  • .NET 10 RC2 by @bhazen in #2245
  • Use latest IdentityModel and AccessTokenManagement packages in JwtBearer, BFF by @josephdecock in #2248

IdentityServer 7.4.0 - Preview 2

17 Oct 14:30
dd3932f


Pre-release

IdentityServer 7.4.0 is a significant release that includes:

  • Support for .NET 10 (this preview targets .NET 10 RC2)
  • Support for OAuth 2.0 Authorization Server Metadata (RFC 8414)
  • New Callback option for path detection in Dynamic Providers
  • Improved UI locales support
  • Support for custom parameters in the Authorize Redirect Uri
  • Identity package now persists session claims based on an interface
  • Skipping front-channel logout iframe when unnecessary
  • Set HTTP activity name on routing

Breaking Changes

There are no schema changes needed for IdentityServer 7.4.0. Small code changes may be required for some users to upgrade.

  • Removed the unused Duende.IdentityServer.Models.DiscoveryDocument class which was public
  • Marked static properties referring to counters in Telemetry.cs as readonly

Removed the unused Duende.IdentityServer.Models.DiscoveryDocument class which was public

  • Address CA1707 violations by @bhazen in #2128
    In the process of internal code cleanup, this unused and unreferenced file was removed. If code was referencing this file, see the linked PR to create a local copy in the code base needing it.

Marked static properties referring to counters in Telemetry.cs as readonly

  • Address CA2211 Violations by @bhazen in #2170
    In the process of internal code cleanup, these properties were updated to be marked as readonly. Code should not have been updating these properties as it would likely change the behavior of the telemetry emitted by IdentityServer. Any code which was updating these properties should instead create its own counters for its specific scenario.

Enhancements

  • Set HTTP activity name on routing by @josephdecock in #2049
    • Set the DisplayName of the activity associated with the incoming HttpRequest when IdentityServer routes are matched. This makes the IdentityServer route names appear in OTel traces.
  • Skip front-channel logout iframe when unnecessary by @bhazen in #2109
    • Enables the UI to skip rendering the front channel logout iframe when it is not needed.
  • Callback Option for Path Detection in Dynamic Providers by @bhazen in #2126
    • Adds a new option for Dynamic Providers to increase flexibility when routing to dynamic providers. The new PathMatchingCallback setting can be used as an alternative to the previously existing PathPrefix option.
  • Improved UI locales support by @bhazen in #2158
    • Improves support for the ui_locales parameter in protocol requests that support it, to allow for better localization.
    • The default implementation, DefaultUiLocalsService.cs, delegates to the CookieRequestCultureProvider if it is present and any of the values passed in the ui_locales parameter match a supported UI culture.
    • If the default implementation does not meet your needs, IUiLocalesService can be implemented and registered with DI.
  • RFC 8414 support by @bhazen in #2189
    • Adds out-of-the-box support for OAuth 2.0 Authorization Server Metadata as defined in RFC 8414.
  • Support for custom parameters in authorize response by @bhazen in #2206
    • Adds a new CustomParameters property to AuthorizeResponse to support adding custom query parameters to the redirect uri. This will typically be used in conjunction with a custom IAuthorizeResponseGenerator.
  • Use Customizable Filter to Persist Session Claims in ASP.NET Identity by @bhazen in #2213
    • The ASP.NET Identity integration package now persists session claims based on ISessionClaimsFilter.FilterToSessionClaimsAsync which comes with a default implementation.
    • The new interface can be implemented to customize which session claims are persisted in non-default scenarios.
  • .NET 10 Support (Simplified) by @josephdecock in #2216
    • Added initial support for .NET 10.
  • Updated IS and BFF to IM 8.0.0 Preview 1 and ATM Previews in #2247

Bug Fixes

  • Reject Pushed Authorization Requests with parameters duplicated in a JAR by @wcabus in #2073
    • Fixes a bug where, when posting a PAR containing the "request" request parameter, other request parameters were being allowed.
    • Such a request is now correctly rejected as an invalid request.
  • Emit telemetry event on successful token introspection by @bhazen in #2231
    • Fixes a bug where the telemetry event for token introspection was not being emitted.
  • Consolidated EF Core versions to prevent missing method exceptions by @bhazen in #2238
    • Fixes an issue where a mismatch of .NET versions and EF versions caused a method not found exception.
  • Catch potential OperationCanceledException in DiagnosticHostedService by @wcabus in #2229
    • Fixes an issue where, when the DiagnosticHostedService stops, the PeriodicTimer can throw an OperationCanceledException, which was causing issues with some testing frameworks.

Code Quality

  • Fixed typo in XML doc for Client.CoordinateLifetimeWithUserSession by @wcabus in #2078

IdentityServer 7.4.0 - Preview 1

17 Oct 14:29
1ca65a5


Pre-release

NOTE: There were minor issues with this release. There is a Preview 2 package available which should be used instead.

IdentityServer 7.4.0 is a significant release that includes:

  • Support for .NET 10 (this preview targets .NET 10 RC2)
  • Support for OAuth 2.0 Authorization Server Metadata (RFC 8414)
  • New Callback option for path detection in Dynamic Providers
  • Improved UI locales support
  • Support for custom parameters in the Authorize Redirect Uri
  • Identity package now persists session claims based on an interface
  • Skipping front-channel logout iframe when unnecessary
  • Set HTTP activity name on routing

Breaking Changes

There are no schema changes needed for IdentityServer 7.4.0. Small code changes may be required for some users to upgrade.

  • Removed the unused Duende.IdentityServer.Models.DiscoveryDocument class which was public
  • Marked static properties referring to counters in Telemetry.cs as readonly

Removed the unused Duende.IdentityServer.Models.DiscoveryDocument class which was public

  • Address CA1707 violations by @bhazen in #2128
    In the process of internal code cleanup, this unused and unreferenced file was removed. If code was referencing this file, see the linked PR to create a local copy in the code base needing it.

Marked static properties referring to counters in Telemetry.cs as readonly

  • Address CA2211 Violations by @bhazen in #2170
    In the process of internal code cleanup, these properties were updated to be marked as readonly. Code should not have been updating these properties as it would likely change the behavior of the telemetry emitted by IdentityServer. Any code which was updating these properties should instead create its own counters for its specific scenario.

Enhancements

  • Set HTTP activity name on routing by @josephdecock in #2049
    • Set the DisplayName of the activity associated with the incoming HttpRequest when IdentityServer routes are matched. This makes the IdentityServer route names appear in OTel traces.
  • Skip front-channel logout iframe when unnecessary by @bhazen in #2109
    • Enables the UI to skip rendering the front channel logout iframe when it is not needed.
  • Callback Option for Path Detection in Dynamic Providers by @bhazen in #2126
    • Adds a new option for Dynamic Providers to increase flexibility when routing to dynamic providers. The new PathMatchingCallback setting can be used as an alternative to the previously existing PathPrefix option.
  • Improved UI locales support by @bhazen in #2158
    • Improves support for the ui_locales parameter in protocol requests that support it, to allow for better localization.
    • The default implementation, DefaultUiLocalsService.cs, delegates to the CookieRequestCultureProvider if it is present and any of the values passed in the ui_locales parameter match a supported UI culture.
    • If the default implementation does not meet your needs, IUiLocalesService can be implemented and registered with DI.
  • RFC 8414 support by @bhazen in #2189
    • Adds out-of-the-box support for OAuth 2.0 Authorization Server Metadata as defined in RFC 8414.
  • Support for custom parameters in authorize response by @bhazen in #2206
    • Adds a new CustomParameters property to AuthorizeResponse to support adding custom query parameters to the redirect uri. This will typically be used in conjunction with a custom IAuthorizeResponseGenerator.
  • Use Customizable Filter to Persist Session Claims in ASP.NET Identity by @bhazen in #2213
    • The ASP.NET Identity integration package now persists session claims based on ISessionClaimsFilter.FilterToSessionClaimsAsync which comes with a default implementation.
    • The new interface can be implemented to customize which session claims are persisted in non-default scenarios.
  • .NET 10 Support (Simplified) by @josephdecock in #2216
    • Added initial support for .NET 10.

Bug Fixes

  • Reject Pushed Authorization Requests with parameters duplicated in a JAR by @wcabus in #2073
    • Fixes a bug where, when posting a PAR containing the "request" request parameter, other request parameters were being allowed.
    • Such a request is now correctly rejected as an invalid request.
  • Emit telemetry event on successful token introspection by @bhazen in #2231
    • Fixes a bug where the telemetry event for token introspection was not being emitted.
  • Consolidated EF Core versions to prevent missing method exceptions by @bhazen in #2238
    • Fixes an issue where a mismatch of .NET versions and EF versions caused a method not found exception.
  • Catch potential OperationCanceledException in DiagnosticHostedService by @wcabus in #2229
    • Fixes an issue where, when the DiagnosticHostedService stops, the PeriodicTimer can throw an OperationCanceledException, which was causing issues with some testing frameworks.
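
The check behind the Pushed Authorization Request fix listed above, sketched as an added example (not IdentityServer's own code): once a PAR carries a request object in the "request" parameter, any authorization parameter sent beside it in the form body sits outside the signed JWT, so the request is refused. The class name, the allow-list of client-authentication parameters and the sample values are assumptions for illustration.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Linq;

// Added illustration; names are hypothetical and not part of Duende's API.
public static class ParRequestObjectCheck
{
    // Form parameters that authenticate the client rather than describe the
    // authorization request, so they may accompany "request" (assumed list).
    private static readonly HashSet<string> ClientAuthParameters =
        new(StringComparer.Ordinal)
        {
            "client_id", "client_secret", "client_assertion", "client_assertion_type"
        };

    // Returns the form parameters that were sent next to a request object
    // and are therefore not covered by its signature. Empty means acceptable.
    public static IReadOnlyList<string> ParametersOutsideRequestObject(
        IReadOnlyDictionary<string, string> form)
    {
        // Without a request object, parameters legitimately live in the form body.
        if (!form.ContainsKey("request"))
            return Array.Empty<string>();

        return form.Keys
            .Where(name => name != "request" && !ClientAuthParameters.Contains(name))
            .OrderBy(name => name, StringComparer.Ordinal)
            .ToList();
    }

    // Null when the PAR form is acceptable, otherwise the OAuth error code.
    public static string? Validate(IReadOnlyDictionary<string, string> form) =>
        ParametersOutsideRequestObject(form).Count == 0 ? null : "invalid_request";

    public static void Main()
    {
        // Constructed sample input; the values are placeholders, not real credentials.
        var jarOnly = new Dictionary<string, string>
        {
            ["client_id"] = "example-client",
            ["client_secret"] = "<client-secret>",
            ["request"] = "<signed-request-object-jwt>"
        };
        // Same request with authorization parameters duplicated outside the JWT.
        var mixed = new Dictionary<string, string>(jarOnly)
        {
            ["scope"] = "openid profile",
            ["redirect_uri"] = "https://app.example/callback"
        };

        foreach (var (label, form) in new[]
                 {
                     ("request object only", jarOnly),
                     ("request object plus form parameters", mixed)
                 })
        {
            var extras = ParametersOutsideRequestObject(form);
            Console.WriteLine(
                $"{label}: {Validate(form) ?? "accepted"} [{string.Join(", ", extras)}]");
        }
    }
}
```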

Code Quality

  • Fixed typo in XML doc for Client.CoordinateLifetimeWithUserSession by @wcabus in #2078

Duende BFF Security Framework V3.1.0 - Preview 1

17 Oct 08:07
1ca65a5


NOTE: There were minor issues with this release. There is a Preview 2 package available which should be used instead.

Enhancements

Duende.Bff V4 - RC.2

30 Sep 12:23
e821701


Pre-release

This release is a major change from the previous release. The biggest improvement here is multi-frontend support.

The extensibility approach has been drastically changed. To reduce the public API surface, and improve our ability to evolve the library, we no longer make every class in the system public with virtual methods. Implementation logic now is internal.

Changes and improvements

Changes since RC1:

  • BFF now references Duende.AccessTokenManagement 4.0.0
  • Added support for management basepaths with templates: #2185
  • Allow management endpoints to be overwritten manually: #2186
  • Adjusted log level for several log messages: #2192
  • Fix issue that OpenID Connect handlers are not registered correctly if only relying on config: #2194
  • Remove LocalPath and rename Origin to HostHeaderValue: #2208
  • Adding development time static files proxying: #2207
  • Disable default frontend when using multiple frontends: #2202

Breaking changes since RC2:

Based on feedback from the community, we have made a couple of functional improvements and renamed certain properties to clarify the API.

Renamed properties

The following concepts have been renamed:

  • Path mapping used to use a strongly typed object called LocalPath. It was used to map properties from a path local to the BFF to a remote path or a URL. We received feedback that this was confusing. Since .NET already contains a property that could help, PathString, we decided to remove LocalPath and rely on PathString only.
  • Origin has been renamed to HostHeaderValue. Technically, we're binding frontends to an origin (a data structure that contains the scheme, host and port number). However, we're not binding the frontend to the Origin header, but to the Host header. This caused quite a bit of confusion, as origins are also used in Cross-Origin Resource Sharing.
  • Renamed BffFrontend.MappedToPath() to BffFrontend.MapToPath
  • Renamed BffFrontend.MappedToOrigin() to BffFrontend.MapToHost()
  • Renamed RemoteApi.LocalPath to RemoteApi.MatchingPath
  • Renamed BffFrontend.SelectionCriteria to BffFrontend.MatchingCriteria
  • Renamed BffFrontendConfiguration.MatchingOrigin to BffFrontendConfiguration.MatchingHostHeader

The methods BffFrontend.MapToHost and BffFrontend.MapToPath are now mutually exclusive. Setting both will throw. If you want to match a frontend based on both a Host and a Path, you should use BffFrontend.MapTo().

  • Renamed BffFrontend.WithIndexHtml to BffFrontend.WithCdnIndexUrl (to make its purpose clearer).
  • Renamed IIndexHtmlClient to IStaticFilesHttpClient
  • Renamed IndexHtmlClientName to StaticAssetsClientName

Development time Static files proxying

We introduced additional functionality for proxying static files. Initially, we only supported proxying an index.html file from a CDN. This is still the recommended way to deploy a frontend. However, there was no support for local development.

We now also allow you to use a frontend development server, such as Vite.

The method BffFrontend.WithProxiedStaticAssets() allows you to proxy all static assets from a development web server. This provides a very nice development workflow (which also works with hot reloading).

If you want to use WithProxiedStaticAssets during development, but WithCdnIndexUrl in production (recommended), then there is also another method: BffFrontend.WithBffStaticAssets(). This provides a delegate (useCdnWhen) that allows you to control under which conditions you'd like to use the proxying. For example:

new BffFrontend(BffFrontendName.Parse("default-frontend"))
            .WithBffStaticAssets(new Uri("https://localhost:5010/static"), 
                 useCdnWhen: () => builder.Environment.EnvironmentName == Environments.Production);

Disable implicit frontend when using multiple frontends

If you don't use the multi-frontend feature, then the BFF uses an implicit frontend. So by default, it automatically adds the management endpoints and allows you to log in.

In RC1, this 'implicit' frontend was also available if you did add multiple frontends. This caused confusion because it wasn't always 100% clear which frontend was selected.

So, in RC2, the implicit frontend is disabled as soon as there is a single frontend added to the IFrontendCollection.

Changes since preview 2:

  • BffBuilder type (returned from services.AddBff()) is now an interface called IBffServicesBuilder. This is used as the basis for extension methods.

  • IBffServicesBuilder.WithDefaultCookieOptions is now called IBffServicesBuilder.ConfigureCookies()

  • IBffServicesBuilder.WithDefaultOpenIdConnectOptions is now called IBffServicesBuilder.ConfigureOpenIdConnect()

  • To support split host login scenarios, you can use a referer header in the Silent Login, coupled with BffOptions.AllowedSilentLoginReferers to create a list of allowed referers.

  • IFrontendCollection no longer exposes a GetAll method, but now implements IEnumerable.

  • ReturnUrlValidator.IsValidAsync now only accepts a uri

  • User sessions are now partitioned per frontend. IUserSessionStore has been updated to reflect this change. Note, you will have to run a migration to rename the column "ApplicationName" to "PartitionKey", including corresponding interfaces. Note, the migrations project has been updated to reflect this change.

  • When you add EntityFramework based sessions to your system, it no longer automatically enables session cleanup. The property BffOptions.EnableSessionCleanup is removed. You now have to call AddSessionCleanupBackgroundProcess() to enable session migration.

Changes since preview 1:

Upgrade guide

This release introduces many breaking changes. Some small, some large. We'll do our best to document how to upgrade here. Should you run into an upgrade issue that's not documented, please reach out to our discussion forum and we'll do our best to help.

Remote APIs

The syntax for configuring remote APIs has changed slightly:

// Use a client credentials token
app.MapRemoteBffApiEndpoint("/api/client-token", "https://localhost:5010")
-    .RequireAccessToken(TokenType.Client);
+    .WithAccessToken(RequiredTokenType.Client);      

// Use the client token only if the user is logged in
app.MapRemoteBffApiEndpoint("/api/optional-user-token", "https://localhost:5010")
-    .WithOptionalUserAccessToken();
+    .WithAccessToken(RequiredTokenType.UserOrNone);            
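
Review bot: The comment on the second example says "Use the client token only if the user is logged in", but the call it documents is WithOptionalUserAccessToken() on the removed line and RequiredTokenType.UserOrNone on the added line, both of which name the user token. Suggest rewording the comment to refer to the user token so that readers migrating this endpoint do not reach for RequiredTokenType.Client. The trailing whitespace after both added lines can be trimmed as well.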

  • The enum TokenType has been renamed to RequiredTokenType.
  • The method to require the token type is renamed to WithAccessToken().
  • Requesting an optional access token should not be done with the method WithOptionalUserAccessToken() but with RequiredTokenType.UserOrNone.

Configuring Token Types In YARP

The required token type configuration in YARP has also changed slightly. It uses the enum values from RequiredTokenType.

Extending The BFF

Simplified Wireup Without Explicit Authentication Setup

The V3 style of wireup still works, but BFF V4 comes with a newer style of wireup:

services.AddBff()
    // Called WithDefaultOpenIdConnectOptions before the rename listed under "Changes since preview 2".
    .ConfigureOpenIdConnect(options =>
    {
        options.Authority = "your authority";
        options.ClientId = "your client id";
        options.ClientSecret = "secret";
        // ... other OpenID Connect options.
    })
    // Called WithDefaultCookieOptions before the same rename.
    .ConfigureCookies(options =>
    {
        // The cookie options are automatically configured with recommended practices.
        // However, you can change the config here.
    });

Adding this will automatically configure a Cookie and OpenID Connect flow.

Adding Multiple Frontends

You can statically add a list of frontends by calling the AddFrontends method.

.AddFrontends(
    new BffFrontend(BffFrontendName.Parse("default-frontend"))
        .WithCdnIndexUrl(new Uri("https://localhost:5005/static/index.html")),

    new BffFrontend(BffFrontendName.Parse("with-path"))
        .WithOpenIdConnectOptions(opt =>
        {
            opt.ClientId = "bff.multi-frontend.with-path";
            opt.ClientSecret = "secret";
        })
        .WithCdnIndexUrl(new Uri("https://localhost:5005/static/index.html"))
        .MapToPath("/with-path"),

    new BffFrontend(BffFrontendName.Parse("with-domain"))
        .WithOpenIdConnectOptions(opt =>
        {
            opt.ClientId = "bff.multi-frontend.with-domain";
            opt.ClientSecret = "secret";
        })
        .WithCdnIndexUrl(new Uri("https://localhost:5005/static/index.html"))
        .MapToHost(HostHeaderValue.Parse("https://app1.localh...