Releases: DuendeSoftware/products
IdentityServer 7.3.2
This is a patch release that optimizes key creation when not using X509 Certificates.
Details
- Do not unnecessarily request current issuer when creating new key
IdentityServer 7.3.1
This is a patch release that fixes a bug and enables a System.Text.Json serialization option.
Details
- Fixed an issue where uncommon license features caused an exception.
- Allow RespectNullableAnnotationsDefault to be globally enabled. This is a relatively new feature in System.Text.Json that can be globally opted in to.
Templates 1.1.0
This is a significant update to the Duende.Templates package. Highlights include:
- New duende-is template. This new template improves the experience for new users with an improved admin UI with wizards to create client and scope configuration, a new admin dashboard, explanatory text throughout, and updated visuals.
- Use of IdentityServer 7.3.0 throughout all IdentityServer templates
IdentityServer 7.3.0
IdentityServer 7.3.0 is a significant release that includes:
- FAPI 2.0 profile certification
- JWT Response from the introspection endpoint (RFC 9701)
- Diagnostic data
- Removal of the experimental label from OpenTelemetry metrics
- Additional license compliance warnings
- Several bug fixes
- Numerous small code quality and performance enhancements from the community
Breaking Changes
There are no schema changes needed for IdentityServer 7.3.0. Small code changes may be required for some users to upgrade.
- The SendLogoutNotificationAsync method has been removed from the DefaultBackChannelLogoutService class
- Client Secret is now required for Clients with ClientCredentials Grant
The SendLogoutNotificationAsync method has been removed from the DefaultBackChannelLogoutService class
- Fix Concurrent DbContext Access on Back Channel Logout by @bhazen in https://github.com/DuendeSoftware/products/pull/2019
This fixes a bug where, when using EntityFramework, code that previously executed in parallel had to be modified to execute sequentially. This necessitated the removal of the SendLogoutNotificationAsync method from the DefaultBackChannelLogoutService class. Anyone who had previously overridden SendLogoutNotificationAsync as an extensibility point will likely need to move their customization to the PostLogoutJwt method.
Client Secret is now required for Clients with ClientCredentials Grant
- Ensure Client Secret is Required for Clients with ClientCredentials Grant by @bhazen in https://github.com/DuendeSoftware/products/pull/1796
Previously, it was possible to configure a Client to allow the ClientCredentials grant without requiring a client secret, which is undesirable. The default validation of Clients has been updated to ensure that any Client which allows the ClientCredentials grant also sets the RequireClientSecret flag to true, so that a confidential client cannot be configured to behave like a public client.
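As an added illustration (not code from the release notes or from Duende's own code base), here is a small pre-upgrade audit that applies the rule the new default client validation enforces: it flags any Client that allows the ClientCredentials grant without RequireClientSecret set to true. It assumes a reference to the Duende.IdentityServer package; the client ids, scopes and secret are constructed sample values.

```csharp
// Added example, not part of the release notes or the Duende code base.
// Audits an in-memory client configuration for the condition that
// IdentityServer 7.3.0's default client validation now rejects.
using System;
using System.Collections.Generic;
using System.Linq;
using Duende.IdentityServer;
using Duende.IdentityServer.Models;

public static class ClientCredentialsSecretAudit
{
    // Returns the ids of clients that allow client_credentials but do not
    // require a secret. Such a client behaves like a public client for a
    // grant that involves no user, so possession of the client_id alone
    // would be enough to obtain tokens.
    public static IReadOnlyList<string> FindClientsWithoutRequiredSecret(IEnumerable<Client> clients) =>
        clients
            .Where(c => c.AllowedGrantTypes.Contains(GrantType.ClientCredentials))
            .Where(c => !c.RequireClientSecret)
            .Select(c => c.ClientId)
            .ToList();

    public static void Main()
    {
        // Constructed sample configuration: one offending and one compliant client.
        var clients = new[]
        {
            // Rejected by the 7.3.0 default validation: client_credentials with no secret required.
            new Client
            {
                ClientId = "reporting-job",
                AllowedGrantTypes = GrantTypes.ClientCredentials,
                RequireClientSecret = false,
                AllowedScopes = { "reports.read" }
            },
            // Compliant: secret required and a hashed shared secret configured.
            new Client
            {
                ClientId = "billing-job",
                AllowedGrantTypes = GrantTypes.ClientCredentials,
                RequireClientSecret = true,
                ClientSecrets = { new Secret("replace-with-a-strong-random-secret".Sha256()) },
                AllowedScopes = { "billing.read" }
            }
        };

        foreach (var id in FindClientsWithoutRequiredSecret(clients))
        {
            Console.WriteLine(
                $"Client '{id}' allows client_credentials without requiring a secret; " +
                "set RequireClientSecret = true and add a ClientSecret before upgrading to 7.3.0.");
        }
    }
}
```

Running the audit against the clients you load into IdentityServer (from configuration or a store) before upgrading shows which entries the new validation will reject.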
Enhancements
FAPI 2.0 Profile Certification
IdentityServer 7.3.0 is officially certified as conformant with the FAPI 2.0 Security Profile.
- JWT Validation Clock Skew Option by @bhazen in https://github.com/DuendeSoftware/products/pull/1813
- Include PAR in mtls aliases by @josephdecock in https://github.com/DuendeSoftware/products/pull/1955
- Support binding of authorization codes to dpop proof key via dpop header by @josephdecock in https://github.com/DuendeSoftware/products/pull/1974
- Respect port number in mTLS configuration by @josephdecock in https://github.com/DuendeSoftware/products/pull/1990
- Adjust Multiple DPoP Token Error by @bhazen in https://github.com/DuendeSoftware/products/pull/2004
- Options of Allowed Signing Algorithms JWTs and DPoP Proof Tokens by @bhazen in https://github.com/DuendeSoftware/products/pull/2006
- Adjust Default Values for Clock Skew Config Options by @bhazen in https://github.com/DuendeSoftware/products/pull/2010
- Change error when required DPoP proof is missing by @bhazen in https://github.com/DuendeSoftware/products/pull/2011
- Reworked supported algorithm options by @josephdecock in https://github.com/DuendeSoftware/products/pull/2026
- Use standard error response for failed mTLS auth by @josephdecock in https://github.com/DuendeSoftware/products/pull/2079
- mTLS with DPoP by @josephdecock in https://github.com/DuendeSoftware/products/pull/2080
- Handle mTLS and DPoP Used Together by @bhazen in https://github.com/DuendeSoftware/products/pull/2084
JWT Response from Introspection Endpoint
IdentityServer now supports RFC 9701 to return a JWT Response from the Introspection endpoint.
- Implement RFC 9701 to Return JWT Response from Introspection Endpoint by @bhazen in https://github.com/DuendeSoftware/products/pull/1937
Diagnostic Data
Diagnostic data has been added to IdentityServer to help support with troubleshooting. Read more about this new feature in our docs. TODO: link to docs
- Diagnostic Summary Setup by @bhazen in https://github.com/DuendeSoftware/products/pull/2021
- Auth Scheme Diagnostic Entry by @bhazen in https://github.com/DuendeSoftware/products/pull/2022
- Registered Implementations Diagnostic Entry by @bhazen in https://github.com/DuendeSoftware/products/pull/2023
- IdentityServerOptions Diagnostic Entry by @bhazen in https://github.com/DuendeSoftware/products/pull/2024
- Data Protection Diagnostic Entry by @bhazen in https://github.com/DuendeSoftware/products/pull/2025
- Token Issue Count Diagnostic Entry by @bhazen in https://github.com/DuendeSoftware/products/pull/2029
- License Usage Summary Diagnostic Entry by @bhazen in https://github.com/DuendeSoftware/products/pull/2033
- Basic Server Info Diagnostic Entry by @bhazen in https://github.com/DuendeSoftware/products/pull/2034
- Endpoint Usage Diagnostic Entry by @bhazen in https://github.com/DuendeSoftware/products/pull/2036
- Chunk diagnostics and update diagnostic options by @josephdecock in https://github.com/DuendeSoftware/products/pull/2042
- Client Info Diagnostic Entry by @bhazen in https://github.com/DuendeSoftware/products/pull/2043
- Resource Info Diagnostic Entry by @bhazen in https://github.com/DuendeSoftware/products/pull/2047
- Registered Implementation Diagnostic Entry Tweaks by @bhazen in https://github.com/DuendeSoftware/products/pull/2048
- Assembly Info Diagnostic Entry Tweaks by @bhazen in https://github.com/DuendeSoftware/products/pull/2051
- Remove assemblyCount from diagnostics by @bhazen in https://github.com/DuendeSoftware/products/pull/2054
- Remove pop from the names of token counts in diagnostics by @josephdecock in https://github.com/DuendeSoftware/products/pull/2055
- Diagnostic Summary Log Tweaks by @bhazen in https://github.com/DuendeSoftware/products/pull/2057
- Update Diagnostic Summary Log Source Name by @bhazen in https://github.com/DuendeSoftware/products/pull/2059
- Log diagnostic summary on shutdown by @bhazen in https://github.com/DuendeSoftware/products/pull/2061
- Add informational version to assembly info diagnostic entry by @bhazen in https://github.com/DuendeSoftware/products/pull/2075
Move OpenTelemetry Metrics from Experimental to Stable
- Remove "Duende.IdentityServer.Experimental" service name from telemetry by @maartenba in https://github.com/DuendeSoftware/products/pull/2002
Update License Usage Warnings
New warnings have been added around license compliance to help identify misuse of IdentityServer licenses prior to more strict license enforcement in the future.
- License Expiration Warning by @bhazen in https://github.com/DuendeSoftware/products/pull/1921
- V2 License Functionality Updates by @bhazen in https://github.com/DuendeSoftware/products/pull/1947
- Source Generator Based Logging for V2 License Code by @bhazen in https://github.com/DuendeSoftware/products/pull/1951
- V2 License Client Warnings by @bhazen in https://github.com/DuendeSoftware/products/pull/1954
- V2 License Issuer Warnings by @bhazen in https://github.com/DuendeSoftware/products/pull/1957
- Update licensing messages by @josephdecock in https://github.com/DuendeSoftware/products/pull/2141
Bug Fixes
- Persistent Cookies, Server Side Sessions, and Session Lifetime Coordination Fix by @bhazen in https://github.com/DuendeSoftware/products/pull/1757
- Handle case-insensitive JSON claim value types. by @josephdecock in https://github.com/DuendeSoftware/products/pull/1769
- Ensure session lifetime coordination is invoked when a session expires by @bhazen in https://github.com/DuendeSoftware/products/pull/1784
- Ensure Client Secret is Required for Clients with ClientCredentials Grant by @bhazen in https://github.com/DuendeSoftware/products/pull/1796
- fix null ref in UserInfoRequestValidator by @SimonCropp in https://github.com/DuendeSoftware/products/pull/1896
- Don't unnecessarily return scope parameter from authorize endpoint by @bhazen in https://github.com/DuendeSoftware/products/pull/1926
- Addresses an unhandled exception path & nullability concerns by @StuFrankish in https://github.com/DuendeSoftware/products/pull/1930
- Don't return redirect URI or response mode on unsafe errors by @bhazen in https://github.com/DuendeSoftware/products/pull/1933
- Fix DCR customizations for EF client configuration by @josephdecock in https://github.com/DuendeSoftware/products/pull/1962
- Add and test unhandled exception logging filter logic by @khalidabuhakmeh in https://github.com/DuendeSoftware/products/pull/2007
- Fix Concurrent DbContext Access on Back Channel Logout by @bhazen in https://github.com/DuendeSoftware/products/pull/2019
Code Quality
- Refactor exception handling and minor code improvements. by @khalidabuhakmeh in https://github.com/DuendeSoftware/products/pull/1744
- Remove redundant comment delimiters in license header by @khalidabuhakmeh in https://github.com/DuendeSoftware/products/pull/1747
- Switch to TargetFrameworks for multi-framework support by @khalidabuhakmeh in https://github.com/DuendeSoftware/products/pull/1767
- Adding Missing Test Attributes by @bhazen in https://github.com/DuendeSoftware/products/pull/1773
- Filter client credentials in ToOptimizedFullDictionary method by @josephdecock in https://github.com/DuendeSoftware/products/pull/1781
- Update in code links to v7 by @AndersAbel in https://github.com/DuendeSoftware/products/pull/1783
- Sanitize Log Input by @bhazen in https://github.com/DuendeSoftware/products/pull/1806
- Fix up an accidentally reverted Shouldly change by @josephdecock in https://github.com/DuendeSoftware/products/pull/1852
- Remove extra global.json from identityserver by @josephdecock in https://github.com/DuendeSoftware/products/pull/1853
- Use DefaultConcurrencyLock as a Singleton instead of Transient. by @maartenba in https://github.com/DuendeSoft...
Duende.AspNetCore.Authentication.JwtBearer 0.2.0
This is a minor release focused primarily on improving support around DPoP to enable conformance with the FAPI 2.0 Security Profile. This release also includes a rework of the extensibility model offered by this package.
Breaking Changes
- The extensibility model of this package has been reworked in #1994 to make many types internal, with the intention of making the intended extensibility points more explicit.
Detailed Changes
- Make DPoP authorization scheme case-insensitive in #1969 by @josephdecock
- Add more logging to dpop jwt events and validator in #1971 by @josephdecock
- DPoP Jwt Bearer extensibility reworked in #1994 by @josephdecock
- DPoP Error Handling in JwtBearerExtensions in #2005 by @bhazen
IdentityServer 7.3.0 Release Candidate 2
This is the second release candidate for IdentityServer 7.3.0, containing several bug fixes from 7.2 releases that were missed in the first release candidate, as well as editorial changes to some new log messages.
Detailed change log
Previously fixed bugs
- Add null-check for client before coordinating session lifecycle - https://github.com/DuendeSoftware/products/pull/2038
- Ensure WWW-Authenticate uses a single HTTP header - https://github.com/DuendeSoftware/products/pull/1998
- Harden default logging filters for PAR and Authorize endpoints - https://github.com/DuendeSoftware/products/pull/1978
- Respect port number in mTLS configuration - https://github.com/DuendeSoftware/products/pull/1990
Log messages
- Update licensing messages - https://github.com/DuendeSoftware/products/pull/2141
Duende.Bff V4 - RC.1
This release is a major change from the previous release. The biggest improvement here is multi-frontend support.
The extensibility approach has been drastically changed. To reduce the public API surface and improve our ability to evolve the library, we no longer make every class in the system public with virtual methods. Implementation logic is now internal.
Changes and improvements
- Support for login prompts, such as prompt = create => https://github.com/DuendeSoftware/products/issues/1701
- Deprecated silent login endpoint in favor of prompt=none
- Allow anti forgery check to be disabled via a delegate => https://github.com/DuendeSoftware/products/pull/1932
- Multi-frontend support => https://github.com/DuendeSoftware/products/pull/2032
- Duende.AccessTokenManagement V4 => https://github.com/DuendeSoftware/products/pull/2032
- Open Telemetry support => https://github.com/DuendeSoftware/products/pull/1945
- X-forward header support => https://github.com/DuendeSoftware/products/pull/2129
- Ensure compatibility with OpenID Connect providers that are not standards-compliant => https://github.com/DuendeSoftware/products/pull/2132
- Added License enforcement warnings => https://github.com/DuendeSoftware/products/pull/2130
Changes since preview 2:
- The BffBuilder type (returned from services.AddBff()) is now an interface called IBffServicesBuilder. This is used as the basis for extension methods.
- IBffServicesBuilder.WithDefaultCookieOptions is now called IBffServicesBuilder.ConfigureCookies().
- IBffServicesBuilder.WithDefaultOpenIdConnectOptions is now called IBffServicesBuilder.ConfigureOpenIdConnect().
- To support split-host login scenarios, you can use a Referer header in the silent login, coupled with BffOptions.AllowedSilentLoginReferers to create a list of allowed referers.
- IFrontendCollection no longer exposes a GetAll method, but now implements IEnumerable.
- ReturnUrlValidator.IsValidAsync now only accepts a Uri.
- User sessions are now partitioned per frontend, and IUserSessionStore has been updated to reflect this change. Note that you will have to run a migration to rename the column "ApplicationName" to "PartitionKey" and update the corresponding interfaces. The migrations project has been updated to reflect this change.
- When you add Entity Framework based sessions to your system, session cleanup is no longer enabled automatically. The property BffOptions.EnableSessionCleanup has been removed; you now have to call AddSessionCleanupBackgroundProcess() to enable session cleanup.
Changes since preview 1:
- Removed custom signin url => https://github.com/DuendeSoftware/products/pull/2056
- Fixed server side sessions & sliding cookie configuration => https://github.com/DuendeSoftware/products/pull/2041
- Fixed logout => https://github.com/DuendeSoftware/products/pull/2060
Upgrade guide
This release introduces many breaking changes. Some small, some large. We'll do our best to document how to upgrade here. Should you run into an upgrade issue that's not documented, please reach out to our discussion forum and we'll do our best to help.
Remote APIs
The syntax for configuring remote APIs has changed slightly:
```diff
// Use a client credentials token
app.MapRemoteBffApiEndpoint("/api/client-token", "https://localhost:5010")
-    .RequireAccessToken(TokenType.Client);
+    .WithAccessToken(RequiredTokenType.Client);

// Use the client token only if the user is logged in
app.MapRemoteBffApiEndpoint("/api/optional-user-token", "https://localhost:5010")
-    .WithOptionalUserAccessToken();
+    .WithAccessToken(RequiredTokenType.UserOrNone);
```
- The enum TokenType has been renamed to RequiredTokenType.
- The method to require the token type is renamed to WithAccessToken().
- Requesting an optional access token should no longer be done with the method WithOptionalUserAccessToken() but with RequiredTokenType.UserOrNone.
Configuring Token Types In YARP
The required token type configuration in YARP has also changed slightly. It uses the enum values from RequiredTokenType.
Extending The BFF
Simplified Wireup Without Explicit Authentication Setup
The V3 style of wireup still works, but BFF V4 comes with a newer style of wireup:
```csharp
services.AddBff()
    .WithDefaultOpenIdConnectOptions(options =>
    {
        options.Authority = "your authority";
        options.ClientId = "your client id";
        options.ClientSecret = "secret";
        // ... other OpenID Connect options.
    })
    .WithDefaultCookieOptions(options =>
    {
        // The cookie options are automatically configured with recommended practices.
        // However, you can change the config here.
    });
```
Adding this will automatically configure a Cookie and OpenID Connect flow.
Adding Multiple Frontends
You can statically add a list of frontends by calling the AddFrontends method.
```csharp
.AddFrontends(
    new BffFrontend(BffFrontendName.Parse("default-frontend"))
        .WithIndexHtmlUrl(new Uri("https://localhost:5005/static/index.html")),
    new BffFrontend(BffFrontendName.Parse("with-path"))
        .WithOpenIdConnectOptions(opt =>
        {
            opt.ClientId = "bff.multi-frontend.with-path";
            opt.ClientSecret = "secret";
        })
        .WithIndexHtmlUrl(new Uri("https://localhost:5005/static/index.html"))
        .MappedToPath(LocalPath.Parse("/with-path")),
    new BffFrontend(BffFrontendName.Parse("with-domain"))
        .WithOpenIdConnectOptions(opt =>
        {
            opt.ClientId = "bff.multi-frontend.with-domain";
            opt.ClientSecret = "secret";
        })
        .WithIndexHtmlUrl(new Uri("https://localhost:5005/static/index.html"))
        .MappedToOrigin(Origin.Parse("https://app1.localhost:5005"))
        .WithRemoteApis(
            new RemoteApi(LocalPath.Parse("/api/user-token"), new Uri("https://localhost:5010")),
            new RemoteApi(LocalPath.Parse("/api/client-token"), new Uri("https://localhost:5010"))
        )
)
```
Loading Configuration From IConfiguration
Loading configuration, including OpenID Connect configuration, from an IConfiguration is now supported:
```csharp
services.AddBff().LoadConfiguration(bffConfig);
```
Using this, you can configure your OpenID Connect options, including secrets, and configure the list of frontends. This also adds a file watcher to automatically add and remove frontends as the config file changes.
See the BffConfiguration type for the settings that can be configured.
Index HTML Retrieval
It's fairly common to deploy your application in such a way that the BFF is the first entry point for your application. It should serve an index.html that bootstraps your frontend, while your static content is loaded from a CDN.
If you publish your frontend code to a CDN with absolute paths (for example by specifying a base path in your Vite config), then all static content is loaded directly from the CDN.
You can configure the location of your Index HTML by specifying:
```csharp
.WithIndexHtmlUrl(new Uri("https://localhost:5005/static/index.html"))
```
Running Migrations to the UserSession DB
A partition key has been added to the UserSession DB to support the multi-frontend feature. If you're using the Entity Framework UserSessionDb provider, you'll need to run the migrations.
```shell
cd .\bff\migrations\UserSessionDb
dotnet tool install --global dotnet-ef
dotnet ef database update
```
Alternatively, here's the migration script for SqlLocalDB. It may have to be slightly adjusted to match your database of choice.
```sql
BEGIN TRANSACTION;
ALTER TABLE "UserSessions" RENAME COLUMN "ApplicationName" TO "PartitionKey";
DROP INDEX "IX_UserSessions_ApplicationName_SubjectId_SessionId";
CREATE UNIQUE INDEX "IX_UserSessions_PartitionKey_SubjectId_SessionId" ON "UserSessions" ("PartitionKey", "SubjectId", "SessionId");
DROP INDEX "IX_UserSessions_ApplicationName_SessionId";
CREATE UNIQUE INDEX "IX_UserSessions_PartitionKey_SessionId" ON "UserSessions" ("PartitionKey", "SessionId");
DROP INDEX "IX_UserSessions_ApplicationName_Key";
CREATE UNIQUE INDEX "IX_UserSessions_PartitionKey_Key" ON "UserSessions" ("PartitionKey", "Key");
INSERT INTO "__EFMigrationsHistory" ("MigrationId", "ProductVersion")
VALUES ('20250701130814_PartitionKey', '8.0.11');
COMMIT;
```
Duende.Bff V4 - Preview 3
This release is a major change from the previous release. The biggest improvement here is multi-frontend support.
The extensibility approach has been drastically changed. To reduce the public API surface and improve our ability to evolve the library, we no longer make every class in the system public with virtual methods. Implementation logic is now internal. The changes, upgrade guide and migration script are the same as those listed for RC.1 above.
IdentityServer 7.3.0 Release Candidate 1
This is release candidate 1 of IdentityServer 7.3.0, a significant release. The changes are the ones listed in the IdentityServer 7.3.0 release notes above.
- FAPI 2.0 profile certification
- JWT Response from the introspection endpoint (RFC 9701)
- Diagnostic data
- Removal of the experimental label from OpenTelemetry metrics
- Additional license compliance warnings
- Several bug fixes
- Numerous small code quality and performance enhancements from the community
Breaking Changes
There are no schema changes needed for IdentityServer 7.3.0. Small code changes maybe be required for some users to upgrade.
- The SendLogoutNotificationAsync method has been removed from the DefaultBackChannelLogoutService class
- Client Secret is now required for Clients with ClientCredentials Grant
The SendLogoutNotificationAsync method has been removed from the DefaultBackChannelLogoutService class
- Fix Concurrent DbContext Access on Back Channel Logout by @bhazen in https://github.com/DuendeSoftware/products/pull/2019
To fix a bug where when using EntityFramework, code which previously executed in parallel needed to be modified to execute sequentially. This necessitated the removal of theSendLogoutNotificationAsyncmethod in theDefaultBackChannelLogoutServiceclass. Anyone who had previously overridden theSendLogoutNotificationAsyncas an extensibility point will likely need to move their customization to thePostLogoutJwtmethod.
Client Secret is now required for Clients with ClientCredentials Grant
- Ensure Client Secret is Required for Clients with ClientCredentials Grant by @bhazen in https://github.com/DuendeSoftware/products/pull/1796
Previously, it was possible to configure a Client to allow the ClientCredentials Grant without requiring a client secret which is undesirable. The default validation of Clients has been updated to ensure any Client which allows the ClientCredentials grant also sets theRequireClientSecretflag to true to disallow the configuration of a private client to behave like a public client.
Enhancements
FAPI 2.0 Profile Certification
IdentityServer is 7.3.0 is officially certified as conformant with the FAPI 2.0 Security Profile.
- JWT Validation Clock Skew Option by @bhazen in https://github.com/DuendeSoftware/products/pull/1813
- Include PAR in mtls aliases by @josephdecock in https://github.com/DuendeSoftware/products/pull/1955
- Support binding of authorization codes to dpop proof key via dpop header by @josephdecock in https://github.com/DuendeSoftware/products/pull/1974
- Respect port number in mTLS configuration by @josephdecock in https://github.com/DuendeSoftware/products/pull/1990
- Adjust Multiple DPoP Token Error by @bhazen in https://github.com/DuendeSoftware/products/pull/2004
- Options of Allowed Signing Algorithms JWTs and DPoP Proof Tokens by @bhazen in https://github.com/DuendeSoftware/products/pull/2006
- Adjust Default Values for Clock Skew Config Options by @bhazen in https://github.com/DuendeSoftware/products/pull/2010
- Change error when required DPoP proof is missing by @bhazen in https://github.com/DuendeSoftware/products/pull/2011
- Reworked supported algorithm options by @josephdecock in https://github.com/DuendeSoftware/products/pull/2026
- Use standard error response for failed mTLS auth by @josephdecock in https://github.com/DuendeSoftware/products/pull/2079
- mTLS with DPoP by @josephdecock in https://github.com/DuendeSoftware/products/pull/2080
- Handle mTLS and DPoP Used Together by @bhazen in https://github.com/DuendeSoftware/products/pull/2084
JWT Response from Introspection Endpoint
IdentityServer now supports RFC 9701 to return a JWT Response from the Introspection endpoint.
- Implement RFC 9701 to Return JWT Response from Introspection Endpoint by @bhazen in https://github.com/DuendeSoftware/products/pull/1937
Diagnostic Data
Diagnostic data has been added to IdentityServer to help support with troubleshooting. Read more about this new feature in our docs. TODO: link to docs
- Diagnostic Summary Setup by @bhazen in https://github.com/DuendeSoftware/products/pull/2021
- Auth Scheme Diagnostic Entry by @bhazen in https://github.com/DuendeSoftware/products/pull/2022
- Registered Implementations Diagnostic Entry by @bhazen in https://github.com/DuendeSoftware/products/pull/2023
- IdentityServerOptions Diagnostic Entry by @bhazen in https://github.com/DuendeSoftware/products/pull/2024
- Data Protection Diagnostic Entry by @bhazen in https://github.com/DuendeSoftware/products/pull/2025
- Token Issue Count Diagnostic Entry by @bhazen in https://github.com/DuendeSoftware/products/pull/2029
- License Usage Summary Diagnostic Entry by @bhazen in https://github.com/DuendeSoftware/products/pull/2033
- Basic Server Info Diagnostic Entry by @bhazen in https://github.com/DuendeSoftware/products/pull/2034
- Endpoint Usage Diagnostic Entry by @bhazen in https://github.com/DuendeSoftware/products/pull/2036
- Chunk diagnostics and update diagnostic options by @josephdecock in https://github.com/DuendeSoftware/products/pull/2042
- Client Info Diagnostic Entry by @bhazen in https://github.com/DuendeSoftware/products/pull/2043
- Resource Info Diagnostic Entry by @bhazen in https://github.com/DuendeSoftware/products/pull/2047
- Registered Implementation Diagnostic Entry Tweaks by @bhazen in https://github.com/DuendeSoftware/products/pull/2048
- Assembly Info Diagnostic Entry Tweaks by @bhazen in https://github.com/DuendeSoftware/products/pull/2051
- Remove assemblyCount from diagnostics by @bhazen in https://github.com/DuendeSoftware/products/pull/2054
- Remove pop from the names of token counts in diagnostics by @josephdecock in https://github.com/DuendeSoftware/products/pull/2055
- Diagnostic Summary Log Tweaks by @bhazen in https://github.com/DuendeSoftware/products/pull/2057
- Update Diagnostic Summary Log Source Name by @bhazen in https://github.com/DuendeSoftware/products/pull/2059
- Log diagnostic summary on shutdown by @bhazen in https://github.com/DuendeSoftware/products/pull/2061
- Add informational version to assembly info diagnostic entry by @bhazen in https://github.com/DuendeSoftware/products/pull/2075
Move OpenTelemetry Metrics from Experimental to Stable
- Remove "Duende.IdentityServer.Experimental" service name from telemetry by @maartenba in https://github.com/DuendeSoftware/products/pull/2002
Update License Usage Warnings
New warnings have been added around license compliance to help identify misuse of IdentityServer licenses prior to more strict license enforcement in the future.
- License Expiration Warning by @bhazen in https://github.com/DuendeSoftware/products/pull/1921
- V2 License Functionality Updates by @bhazen in https://github.com/DuendeSoftware/products/pull/1947
- Source Generator Based Logging for V2 License Code by @bhazen in https://github.com/DuendeSoftware/products/pull/1951
- V2 License Client Warnings by @bhazen in https://github.com/DuendeSoftware/products/pull/1954
- V2 License Issuer Warnings by @bhazen in https://github.com/DuendeSoftware/products/pull/1957
Bug Fixes
- Persistent Cookies, Server Side Sessions, and Session Lifetime Coordination Fix by @bhazen in https://github.com/DuendeSoftware/products/pull/1757
- Handle case-insensitive JSON claim value types. by @josephdecock in https://github.com/DuendeSoftware/products/pull/1769
- Ensure session lifetime coordination is invoked when a session expires by @bhazen in https://github.com/DuendeSoftware/products/pull/1784
- Ensure Client Secret is Required for Clients with ClientCredentials Grant by @bhazen in https://github.com/DuendeSoftware/products/pull/1796
- fix null ref in UserInfoRequestValidator by @SimonCropp in https://github.com/DuendeSoftware/products/pull/1896
- Don't unnecessarily return scope parameter from authorize endpoint by @bhazen in https://github.com/DuendeSoftware/products/pull/1926
- Addresses an unhandled exception path & nullability concerns by @StuFrankish in https://github.com/DuendeSoftware/products/pull/1930
- Don't return redirect URI or response mode on unsafe errors by @bhazen in https://github.com/DuendeSoftware/products/pull/1933
- Fix DCR customizations for EF client configuration by @josephdecock in https://github.com/DuendeSoftware/products/pull/1962
- Add and test unhandled exception logging filter logic by @khalidabuhakmeh in https://github.com/DuendeSoftware/products/pull/2007
- Fix Concurrent DbContext Access on Back Channel Logout by @bhazen in https://github.com/DuendeSoftware/products/pull/2019
Code Quality
- Refactor exception handling and minor code improvements. by @khalidabuhakmeh in https://github.com/DuendeSoftware/products/pull/1744
- Remove redundant comment delimiters in license header by @khalidabuhakmeh in https://github.com/DuendeSoftware/products/pull/1747
- Switch to TargetFrameworks for multi-framework support by @khalidabuhakmeh in https://github.com/DuendeSoftware/products/pull/1767
- Adding Missing Test Attributes by @bhazen in https://github.com/DuendeSoftware/products/pull/1773
- Filter client credentials in ToOptimizedFullDictionary method by @josephdecock in https://github.com/DuendeSoftware/products/pull/1781
- Update in code links to v7 by @AndersAbel in https://github.com/DuendeSoftware/products/pull/1783
- Sanitize Log Input by @bhazen in https://github.com/DuendeSoftware/products/pull/1806
- Fix up an accidentally reverted Shouldly change by @josephdecock in https://github.com/DuendeSoftware/products/pull/1852
- Remove extra global.json from identityserver by @josephdecock in https://github.com/DuendeSoftware/products/pull/1853
- Use DefaultConcurrencyLock as a Singleton instead of Transient. by @maartenba in https://github.com/DuendeSoftware/products/pull/1859
- remove duplicate file headers in identityserve...
BFF 4.0.0 preview 2
This release is a major change from the previous release. The biggest improvement here is multi-frontend support.
The extensibility approach has changed drastically. To reduce the public API surface and improve our ability to evolve the library, we no longer make every class in the system public with virtual methods. Implementation logic is now internal.
Changes and improvements
- Support for login prompts, such as prompt = create => https://github.com/DuendeSoftware/products/issues/1701
- Deprecated silent login endpoint in favor of prompt=none
- Allow anti forgery check to be disabled via a delegate => https://github.com/DuendeSoftware/products/pull/1932
- Multi-frontend support => https://github.com/DuendeSoftware/products/pull/2032
- Duende.AccessTokenManagement V4 => https://github.com/DuendeSoftware/products/pull/2032
- Open Telemetry support => https://github.com/DuendeSoftware/products/pull/1945
Changes since preview 1:
- Removed custom signin url => https://github.com/DuendeSoftware/products/pull/2056
- Fixed server side sessions & sliding cookie configuration => https://github.com/DuendeSoftware/products/pull/2041
- Fixed logout => https://github.com/DuendeSoftware/products/pull/2060
Upgrade guide
This release introduces many breaking changes. Some small, some large. We'll do our best to document how to upgrade here. Should you run into an upgrade issue that's not documented, please reach out to our discussion forum and we'll do our best to help.
Remote APIs
The syntax for configuring remote APIs has changed slightly:
// Use a client credentials token
app.MapRemoteBffApiEndpoint("/api/client-token", "https://localhost:5010")
- .RequireAccessToken(TokenType.Client);
+ .WithAccessToken(RequiredTokenType.Client);
// Use the client token only if the user is logged in
app.MapRemoteBffApiEndpoint("/api/optional-user-token", "https://localhost:5010")
- .WithOptionalUserAccessToken();
+ .WithAccessToken(RequiredTokenType.UserOrNone);

- The enum TokenType has been renamed to RequiredTokenType.
- The method to require the token type has been renamed to WithAccessToken().
- Requesting an optional access token should no longer be done with the method WithOptionalUserAccessToken() but with RequiredTokenType.UserOrNone.
Configuring Token Types In YARP
The required token type configuration in YARP has also changed slightly. It uses the enum values from RequiredTokenType.
Extending The BFF
Simplified Wireup Without Explicit Authentication Setup
The V3 style of wireup still works, but BFF V4 comes with a newer style of wireup:
services.AddBff()
    .WithDefaultOpenIdConnectOptions(options =>
    {
        options.Authority = "your authority";
        options.ClientId = "your client id";
        options.ClientSecret = "secret";
        // ... other OpenID Connect options.
    })
    .WithDefaultCookieOptions(options =>
    {
        // The cookie options are automatically configured with recommended practices.
        // However, you can change the config here.
    });

Adding this will automatically configure a Cookie and OpenID Connect flow.
Adding Multiple Frontends
You can statically add a list of frontends by calling the AddFrontends method.
    .AddFrontends(
        new BffFrontend(BffFrontendName.Parse("default-frontend"))
            .WithIndexHtmlUrl(new Uri("https://localhost:5005/static/index.html")),
        new BffFrontend(BffFrontendName.Parse("with-path"))
            .WithOpenIdConnectOptions(opt =>
            {
                opt.ClientId = "bff.multi-frontend.with-path";
                opt.ClientSecret = "secret";
            })
            .WithIndexHtmlUrl(new Uri("https://localhost:5005/static/index.html"))
            .MappedToPath(LocalPath.Parse("/with-path")),
        new BffFrontend(BffFrontendName.Parse("with-domain"))
            .WithOpenIdConnectOptions(opt =>
            {
                opt.ClientId = "bff.multi-frontend.with-domain";
                opt.ClientSecret = "secret";
            })
            .WithIndexHtmlUrl(new Uri("https://localhost:5005/static/index.html"))
            .MappedToOrigin(Origin.Parse("https://app1.localhost:5005"))
            .WithRemoteApis(
                new RemoteApi(LocalPath.Parse("/api/user-token"), new Uri("https://localhost:5010")),
                new RemoteApi(LocalPath.Parse("/api/client-token"), new Uri("https://localhost:5010"))
            )
    )
Loading Configuration From IConfiguration
Loading configuration, including OpenID Connect configuration, from an IConfiguration is now supported:
services.AddBff().LoadConfiguration(bffConfig);

Using this, you can configure your OpenID Connect options, including secrets, and configure the list of frontends. This also adds a file watcher that automatically adds or removes frontends when the config file changes.
See the BffConfiguration type for the settings that can be configured.
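The V4 wireup, multi-frontend and remote-API snippets from the sections above, combined into one BFF host so the pieces can be seen together. This is an added example, not code from the release notes or from the Duende.BFF project. Assumptions: the authority, client ids and port numbers are placeholders; the using directives, UseBff(), MapBffManagementEndpoints() and RequiredTokenType.User are carried over from earlier BFF versions and assumed unchanged in V4 preview 2; a web SDK project with top-level statements and implicit usings is assumed.

```csharp
// Program.cs for a BFF host (added example; assumptions are marked inline).
using Duende.Bff;                        // assumed V4 namespace for AddBff()/UseBff()
using Duende.Bff.AccessTokenManagement;  // assumed V4 namespace for RequiredTokenType
using Duende.Bff.DynamicFrontends;       // assumed V4 namespace for BffFrontend, LocalPath, Origin

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthorization();

builder.Services.AddBff()
    // V4-style wireup: no explicit AddAuthentication().AddCookie().AddOpenIdConnect() chain.
    .WithDefaultOpenIdConnectOptions(options =>
    {
        options.Authority = "https://localhost:5001";                       // placeholder
        options.ClientId = "bff.multi-frontend.default";                    // placeholder
        options.ClientSecret = builder.Configuration["Bff:ClientSecret"];   // read from config, not source
        options.ResponseType = "code";
        options.Scope.Add("api");
    })
    .WithDefaultCookieOptions(options =>
    {
        // Defaults already follow recommended practice; only tighten here, never loosen.
        options.ExpireTimeSpan = TimeSpan.FromHours(8);
    })
    // A second frontend, selected by request origin, with its own client registration
    // and its own frontend-scoped remote API.
    .AddFrontends(
        new BffFrontend(BffFrontendName.Parse("default-frontend"))
            .WithIndexHtmlUrl(new Uri("https://localhost:5005/static/index.html")),
        new BffFrontend(BffFrontendName.Parse("app1"))
            .WithOpenIdConnectOptions(opt =>
            {
                opt.ClientId = "bff.multi-frontend.app1";                          // placeholder
                opt.ClientSecret = builder.Configuration["Bff:App1ClientSecret"];  // placeholder key
            })
            .WithIndexHtmlUrl(new Uri("https://app1.localhost:5005/static/index.html"))
            .MappedToOrigin(Origin.Parse("https://app1.localhost:5005"))
            .WithRemoteApis(
                new RemoteApi(LocalPath.Parse("/api/user-token"), new Uri("https://localhost:5010"))));

var app = builder.Build();

app.UseAuthentication();
app.UseBff();            // assumed unchanged in V4: adds the BFF middleware (anti-forgery checks etc.)
app.UseAuthorization();

app.MapBffManagementEndpoints();  // assumed unchanged in V4: /bff/login, /bff/logout, /bff/user, ...

// Remote APIs in the V4 shape: the required token type now lives in RequiredTokenType.
// Client: always send a client-credentials token; no user identity is forwarded.
app.MapRemoteBffApiEndpoint("/api/client-token", "https://localhost:5010")
   .WithAccessToken(RequiredTokenType.Client);

// User (assumed enum value): a logged-in user is required, so anonymous calls are
// rejected at the BFF before anything reaches the downstream API.
app.MapRemoteBffApiEndpoint("/api/user-token", "https://localhost:5010")
   .WithAccessToken(RequiredTokenType.User);

// UserOrNone: forward the user's token if there is a session, otherwise proxy the
// call with no token at all. The downstream API must treat tokenless calls as anonymous.
app.MapRemoteBffApiEndpoint("/api/optional-user-token", "https://localhost:5010")
   .WithAccessToken(RequiredTokenType.UserOrNone);

app.Run();
```

The two things worth checking after an upgrade are the token-type choice per remote endpoint (UserOrNone silently degrades to an unauthenticated call when no session exists, which is only safe if the downstream API enforces its own authorization) and that client secrets moved out of source into configuration or a secret store, since each additional frontend brings its own secret.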
Index HTML Retrieval
It's fairly common to deploy your application so that the BFF is the first entry point for your application. It should serve an index.html that bootstraps your frontend, while your static content is loaded from a CDN.
If you publish your frontend code to a CDN with absolute paths (for example by specifying a base path in your Vite config), then all static content is loaded directly from the CDN.
You can configure the location of your Index HTML by specifying:
.WithIndexHtmlUrl(new Uri("https://localhost:5005/static/index.html"))