Bump the duende group with 5 updates #1231

Merged
github-actions[bot] merged 1 commit into master from
dependabot/nuget/Identity/IdentityCenter/duende-98f7c06b5e
Dec 2, 2025

dependabot bot commented on behalf of github Dec 2, 2025

Updated Duende.BFF from 3.0.0 to 4.0.0.

Release notes

Sourced from Duende.BFF's releases.

4.0.0

This is the fourth release of Duende Backend for Frontend Security Framework 4.0.0. The changes since the last release are:

  • Update to .NET 10 from Release Candidate to GA by @​pgermishuys in #​2269
  • Check authentication state by @​StuFrankish in #​2275
  • Introduce BFF Trial Mode by @​pgermishuys in #​2279
  • Introduce Diagnostics in BFF by @​pgermishuys in #​2278
  • Updated to FOSS packages to GA versions for dotnet 10 release by @​bhazen in #​2281

Enhancements

  • Avoid relying on an active Http Context by @​pgermishuys in #​2259

Bug Fixes

  • Fix entity framework scoping issue in ServerSideSessionChecker @​Erwinvandervalk in #​2262

4.0.0-rc.4

This is the fourth release candidate of Duende Backend for Frontend Security Framework 4.0.0. The changes since the last preview release are:

  • Update to .NET 10 from Release Candidate to GA by @​pgermishuys in #​2269

Enhancements

  • Avoid relying on an active Http Context by @​pgermishuys in #​2259

Bug Fixes

  • Fix entity framework scoping issue in ServerSideSessionChecker @​Erwinvandervalk in #​2262

4.0.0-rc.3

Changes and improvements

  • Allows users to leverage the other extension methods such as AddBlazorServer after calling AddServerSideSessions [#​2230]
  • Update to BFF to .NET 10 RC 2 [#​2246]
  • Update Access Token Management to 4.1.0 Preview 2 [#​2249]

4.0.0-rc.2

This release is a major change from the previous release. The biggest improvement here is multi-frontend support.

The extensibility approach has been drastically changed. To reduce the public API surface, and improve our ability to evolve the library, we no longer make every class in the system public with virtual methods. Implementation logic now is internal.

Changes and improvements

Changes since RC1:

  • BFF now references Duende.AccessTokenManagement 4.0.0
  • Added support for management basepaths with templates: #​2185
  • Allow management endpoints to be overwritten manually: #​2186
  • Adjusted loglevel for several log messages : #​2192
  • Fix issue that openid connect handlers are not registered correctly if only relying on config: #​2194
  • remove LocalPath and rename Origin to HostHeaderValue #​2208
  • Adding development time static files proxying #​2207
  • Disable default frontend when using multiple frontends #​2202

Breaking changes since RC2:

Based on feedback from the community, we have made a couple of functional improvements and renamed certain properties to clarify the API.

Renamed properties

The following concepts have been renamed:

  • Path mapping used to use a strongly typed object called LocalPath. It was used to map properties from a path local to the BFF to a remote path or a URL. We received feedback that this was confusing. Since .NET already contains a property that could help, PathString, we decided to remove LocalPath and rely on PathString only.
  • Origin has been renamed to HostHeaderValue. Technically, we're binding frontends to an origin (which is a data structure that contains the scheme, host and port number). However, we're not binding the frontend to the Origin Header, but to the Host Header. This caused quite a bit of confusion as origins are also used in Cross Origin Resource Sharing.
  • Renamed BffFrontend.MappedToPath() to BffFrontend.MapToPath
  • Renamed BffFrontend.MappedToOrigin() to BffFrontend.MapToHost()
  • Renamed RemoteApi.LocalPath to RemoteApi.MatchingPath
  • Renamed BffFrontend.SelectionCriteria to BffFrontend.MatchingCriteria
  • Renamed BffFrontendConfiguration.MatchingOrigin to BffFrontendConfiguration.MatchingHostHeader

The methods BffFrontend.MapToHost and BffFrontend.MapToPath are now mutually exclusive. Setting both will throw. If you want to match a frontend based on both a Host and a Path, you should use BffFrontend.MapTo()

  • Renamed BffFrontend.WithIndexHtml to BffFrontend.WithCdnIndexUrl (to make its purpose clearer).
  • Renamed IIndexHtmlClient to IStaticFilesHttpClient
  • Renamed IndexHtmlClientName to StaticAssetsClientName

Development time Static files proxying

We introduced additional functionality for proxying static files. Initially, we only support proxying an index.html file from a CDN. This is still the recommended way to deploy a frontend. There was no support for local development however.

... (truncated)

4.0.0-rc.1

This release is a major change from the previous release. The biggest improvement here is multi-frontend support.

The extensibility approach has been drastically changed. To reduce the public API surface, and improve our ability to evolve the library, we no longer make every class in the system public with virtual methods. Implementation logic now is internal.

Changes and improvements

Changes since preview 2:

  • BffBuilder type (returned from services.AddBff()) is now an interface called IBffServicesBuilder. This is used as the basis for extension methods.

  • IBffServicesBuilder.WithDefaultCookieOptions is now called IBffServicesBuilder.ConfigureCookies()

  • IBffServicesBuilder.WithDefaultOpenIdConnectOptions is now called IBffServicesBuilder.ConfigureOpenIdConnect()

  • To support split host login scenarios, you can use a referer header in the Silent Login, coupled with BffOptions.AllowedSilentLoginReferers to create a list of allowed referers.

  • IFrontendCollection no longer exposes a GetAll method, but now implements IEnumerable<Frontend>.

  • ReturnUrlValidator.IsValidAsync now only accepts a uri

  • User sessions are now partitioned per frontend. IUserSessionStore has been updated to reflect this change. Note, you will have to run a migration to rename the column "ApplicationName" to "PartitionKey", including corresponding interfaces. Note, the migrations project has been updated to reflect this change.

  • When you add EntityFramework based sessions to your system, it no longer automatically enables session cleanup. The property BffOptions.EnableSessionCleanup is removed. You now have to call AddSessionCleanupBackgroundProcess() to enable session migration.

Changes since preview 1:

Upgrade guide

This release introduces many breaking changes. Some small, some large. We'll do our best to document how to upgrade here. Should you run into an upgrade issue that's not documented, please reach out to our discussion forum and we'll do our best to help.

Remote APIs

The syntax for configuring remote APIs has changed slightly:

// Use a client credentials token
app.MapRemoteBffApiEndpoint("/api/client-token", "https://localhost:5010")
-    .RequireAccessToken(TokenType.Client);
+    .WithAccessToken(RequiredTokenType.Client);      

// Use the client token only if the user is logged in
app.MapRemoteBffApiEndpoint("/api/optional-user-token", "https://localhost:5010")
 ... (truncated)

## 4.0.0-preview3

This release is a major change from the previous release. The biggest improvement here is multi-frontend support. 

The extensibility approach has been drastically changed. To reduce the public API surface, and improve our ability to evolve the library, we no longer make every class in the system public with virtual methods. Implementation logic now is internal. 

# Changes and improvements

* Support for login prompts, such as prompt = create =>  https://github.com/DuendeSoftware/products/issues/1701
* Deprecated silent login endpoint in favor of prompt=none
* Allow anti forgery check to be disabled via a delegate => https://github.com/DuendeSoftware/products/pull/1932
* Multi-frontend support => https://github.com/DuendeSoftware/products/pull/2032
* Duende.AccessTokenManagement V4 => https://github.com/DuendeSoftware/products/pull/2032
* Open Telemetry support => https://github.com/DuendeSoftware/products/pull/1945

## Changes since preview 2:
* **BffBuilder** type (returned from **services.AddBff**()) is now an interface called **IBffServicesBuilder**. This is used as the basis for extension methods. 
* **IBffServicesBuilder.WithDefaultCookieOptions** is now called **IBffServicesBuilder.ConfigureCookies()**
* **IBffServicesBuilder.WithDefaultOpenIdConnectOptions** is now called **IBffServicesBuilder.ConfigureOpenIdConnect()**
* To support split host login scenarios, you can use a referer header in the Silent Login, coupled with **BffOptions.AllowedSilentLoginReferers** to create a list of allowed referers.
* **IFrontendCollection** no longer exposes a **GetAll** method, but now implements IEnumerable<Frontend>. 
* **ReturnUrlValidator.IsValidAsync** now only accepts a uri

* User sessions are now partitioned per frontend. **IUserSessionStore** has been updated to reflect this change. Note, you will have to run a migration to rename the column "ApplicationName" to "PartitionKey", including corresponding interfaces. Note, the migrations project has been updated to reflect this change. 

* When you add EntityFramework based sessions to your system, it no longer automatically enables session cleanup. The property **BffOptions.EnableSessionCleanup** is removed. You now have to call **AddSessionCleanupBackgroundProcess**() to enable session migration. 

## Changes since preview 1:
* Removed custom signin url => https://github.com/DuendeSoftware/products/pull/2056
* Fixed server side sessions & sliding cookie configuration => https://github.com/DuendeSoftware/products/pull/2041
* Fixed logout => https://github.com/DuendeSoftware/products/pull/2060


# Upgrade guide

This release introduces many breaking changes. Some small, some large. We'll do our best to document how to upgrade here. Should you run into an upgrade issue that's not documented, please reach out to our discussion forum and we'll do our best to help. 

## Remote APIs

The syntax for configuring remote APIs has changed slightly:

```diff lang="csharp" title="*.cs"
// Use a client credentials token
app.MapRemoteBffApiEndpoint("/api/client-token", "https://localhost:5010")
-    .RequireAccessToken(TokenType.Client);
+    .WithAccessToken(RequiredTokenType.Client);      

// Use the client token only if the user is logged in
app.MapRemoteBffApiEndpoint("/api/optional-user-token", "https://localhost:5010")
-    .WithOptionalUserAccessToken();
+    .WithAccessToken(RequiredTokenType.UserOrNone);            

```

... (truncated)

4.0.0-preview2

This release is a major change from the previous release. The biggest improvement here is multi-frontend support.

The extensibility approach has been drastically changed. To reduce the public API surface, and improve our ability to evolve the library, we no longer make every class in the system public with virtual methods. Implementation logic now is internal.

Changes and improvements

Changes since preview 1:

Upgrade guide

This release introduces many breaking changes. Some small, some large. We'll do our best to document how to upgrade here. Should you run into an upgrade issue that's not documented, please reach out to our discussion forum and we'll do our best to help.

Remote APIs

The syntax for configuring remote APIs has changed slightly:

// Use a client credentials token
app.MapRemoteBffApiEndpoint("/api/client-token", "https://localhost:5010")
-    .RequireAccessToken(TokenType.Client);
+    .WithAccessToken(RequiredTokenType.Client);      

// Use the client token only if the user is logged in
app.MapRemoteBffApiEndpoint("/api/optional-user-token", "https://localhost:5010")
-    .WithOptionalUserAccessToken();
+    .WithAccessToken(RequiredTokenType.UserOrNone);            

  • The enum TokenType has been renamed to RequiredTokenType.
  • The method to require the token type is renamed to WithAccessToken()
  • Requesting an optional access token should not be done with the method WithOptionalUserAccessToken() but with RequiredTokenType.UserOrNone

Configuring Token Types In YARP

The required token type configuration in YARP has also changed slightly. It uses the enum values from RequiredTokenType.

Extending The BFF

Simplified Wireup Without Explicit Authentication Setup

... (truncated)

4.0.0-Preview1

This release is a major change from the previous release. The biggest improvement here is multi-frontend support.

The extensibility approach has been drastically changed. To reduce the public API surface, and improve our ability to evolve the library, we no longer make every class in the system public with virtual methods. Implementation logic now is internal.

Changes and improvements

Upgrade guide

This release introduces many breaking changes. Some small, some large. We'll do our best to document how to upgrade here. Should you run into an upgrade issue that's not documented, please reach out to our discussion forum and we'll do our best to help.

Remote APIs

The syntax for configuring remote APIs has changed slightly:

// Use a client credentials token
app.MapRemoteBffApiEndpoint("/api/client-token", "https://localhost:5010")
-    .RequireAccessToken(TokenType.Client);
+    .WithAccessToken(RequiredTokenType.Client);      

// Use the client token only if the user is logged in
app.MapRemoteBffApiEndpoint("/api/optional-user-token", "https://localhost:5010")
-    .WithOptionalUserAccessToken();
+    .WithAccessToken(RequiredTokenType.UserOrNone);            

  • The enum TokenType has been renamed to RequiredTokenType.
  • The method to require the token type is renamed to WithAccessToken()
  • Requesting an optional access token should not be done with the method WithOptionalUserAccessToken() but with RequiredTokenType.UserOrNone

Configuring Token Types In YARP

The required token type configuration in YARP has also changed slightly. It uses the enum values from RequiredTokenType.

Extending The BFF

Simplified Wireup Without Explicit Authentication Setup

The V3 style of wireup still works, but BFF V4 comes with a newer style of wireup:

services.AddBff()
    .WithDefaultOpenIdConnectOptions(options =>
 ... (truncated)

## 3.1.0

The changes since the release candidate are:

- Update to .NET 10 from Release Candidate to GA by @​pgermishuys in #​2267 
- Update to GA FOSS Packages for .NET 10 Release by @​bhazen in #​2282 

## Bug Fixes
* Fix entity framework scoping issue in ServerSideSessionChecker @​maartenba in #​2251

## 3.1.0-rc.1

The changes since the last preview release are:

- Update to .NET 10 from Release Candidate to GA by @​pgermishuys in #​2267 

## Bug Fixes
* Fix entity framework scoping issue in ServerSideSessionChecker @​maartenba in #​2251

## 3.1.0-preview.2

BFF Security Framework 3.1.0 - Preview 2 includes:

## Enhancements
- .NET 10 Support (Simplified) by @​josephdecock in #​2216
Added initial support for .NET 10.
- Updated Access Token Management to 3.3.0-preview.1 in #​2248

## 3.1.0-preview.1

NOTE: There were minor issues with this release. There is a Preview 2 package available which should be used instead.

## Enhancements
- .NET 10 Support (Simplified) by @​josephdecock in https://github.com/DuendeSoftware/products/pull/2216
Added initial support for .NET 10.

Commits viewable in [compare view](https://github.com/DuendeSoftware/products/compare/bff-3.0.0...bff-4.0.0).
</details>

Updated [Duende.BFF.Yarp](https://github.com/DuendeSoftware/products) from 3.0.0 to 4.0.0.

<details>
<summary>Release notes</summary>

_Sourced from [Duende.BFF.Yarp's releases](https://github.com/DuendeSoftware/products/releases)._

## 4.0.0

This is the fourth release of Duende Backend for Frontend Security Framework 4.0.0. The changes since the last release are:

- Update to .NET 10 from Release Candidate to GA by @​pgermishuys in #​2269
- Check authentication state by @​StuFrankish  in #​2275
- Introduce BFF Trial Mode by @​pgermishuys in #​2279
- Introduce Diagnostics in BFF by @​pgermishuys in #​2278
- Updated to FOSS packages to GA versions for dotnet 10 release by @​bhazen in #​2281 

## Enhancements
- Avoid relying on an active Http Context by @​pgermishuys in #​2259

## Bug Fixes
- Fix entity framework scoping issue in ServerSideSessionChecker @​Erwinvandervalk in #​2262

## 4.0.0-rc.4

This is the fourth release candidate of Duende Backend for Frontend Security Framework 4.0.0. The changes since the last preview release are:

- Update to .NET 10 from Release Candidate to GA by @​pgermishuys in #​2269

## Enhancements
* Avoid relying on an active Http Context by @​pgermishuys in #​2259

## Bug Fixes
* Fix entity framework scoping issue in ServerSideSessionChecker @​Erwinvandervalk in #​2262

## 4.0.0-rc.3

## Changes and improvements
* Allows users to leverage the other extension methods such as `AddBlazorServer` after calling `AddServerSideSessions` [#​2230]
* Update to BFF to .NET 10 RC 2 [#​2246]
* Update Access Token Management to  4.1.0 Preview 2 [#​2249]

## 4.0.0-rc.2

This release is a major change from the previous release. The biggest improvement here is multi-frontend support. 

The extensibility approach has been drastically changed. To reduce the public API surface, and improve our ability to evolve the library, we no longer make every class in the system public with virtual methods. Implementation logic now is internal. 

# Changes and improvements

* Support for login prompts, such as prompt = create =>  https://github.com/DuendeSoftware/products/issues/1701
* Deprecated silent login endpoint in favor of prompt=none
* Allow anti forgery check to be disabled via a delegate => https://github.com/DuendeSoftware/products/pull/1932
* Multi-frontend support => https://github.com/DuendeSoftware/products/pull/2032
* Duende.AccessTokenManagement V4 => https://github.com/DuendeSoftware/products/pull/2032
* Open Telemetry support => https://github.com/DuendeSoftware/products/pull/1945
* X-forward header support => https://github.com/DuendeSoftware/products/pull/2129
* Make sure compatible with non-standard compliant openid connect providers => https://github.com/DuendeSoftware/products/pull/2132
* Added License enforcement warnings => https://github.com/DuendeSoftware/products/pull/2130

## Changes since RC1:
* BFF now references `Duende.AccessTokenManagement 4.0.0`
* Added support for management basepaths with templates: #​2185 
* Allow management endpoints to be overwritten manually: #​2186
* Adjusted loglevel for several log messages : #​2192
* Fix issue that openid connect handlers are not registered correctly if only relying on config: #​2194 
* remove LocalPath and rename Origin to HostHeaderValue #​2208
* Adding development time static files proxying #​2207
* Disable default frontend when using multiple frontends #​2202

### Breaking changes since RC2:
Based on feedback from the community, we have made a couple of functional improvements and renamed certain properties to clarify the API. 

#### Renamed properties
The following concepts have been renamed:

* Path mapping used to use a strongly typed object called `LocalPath`. It was used to map properties from a path local to the BFF to a remote path or a URL. We received feedback that this was confusing. Since .NET already contains a property that could help, `PathString`, we decided to remove `LocalPath` and rely on `PathString` only.
* `Origin` has been renamed to `HostHeaderValue`. Technically, we're binding frontends to an origin (which is a data structure that contains the scheme, host and port number). However, we're not binding the frontend to the **Origin Header**, but to the **Host Header**. This caused quite a bit of confusion as origins are also used in Cross Origin Resource Sharing.
* Renamed `BffFrontend.MappedToPath()` to `BffFrontend.MapToPath`
* Renamed `BffFrontend.MappedToOrigin()` to `BffFrontend.MapToHost()`
* Renamed `RemoteApi.LocalPath` to `RemoteApi.MatchingPath`
* Renamed `BffFrontend.SelectionCriteria` to `BffFrontend.MatchingCriteria`
* Renamed `BffFrontendConfiguration.MatchingOrigin` to `BffFrontendConfiguration.MatchingHostHeader`

The methods `BffFrontend.MapToHost` and `BffFrontend.MapToPath` are now mutually exclusive. Setting both will throw. If you want to match a frontend based on both a Host and a Path, you should use `BffFrontend.MapTo()`

* Renamed `BffFrontend.WithIndexHtml` to `BffFrontend.WithCdnIndexUrl` (to make its purpose clearer).
* Renamed `IIndexHtmlClient` to `IStaticFilesHttpClient`
* Renamed `IndexHtmlClientName` to `StaticAssetsClientName`

#### Development time Static files proxying

We introduced additional functionality for proxying static files. Initially, we only support proxying an index.html file from a CDN. This is still the recommended way to deploy a frontend. There was no support for local development however. 

 ... (truncated)

## 4.0.0-rc.1

This release is a major change from the previous release. The biggest improvement here is multi-frontend support. 

The extensibility approach has been drastically changed. To reduce the public API surface, and improve our ability to evolve the library, we no longer make every class in the system public with virtual methods. Implementation logic now is internal. 

# Changes and improvements

* Support for login prompts, such as prompt = create =>  https://github.com/DuendeSoftware/products/issues/1701
* Deprecated silent login endpoint in favor of prompt=none
* Allow anti forgery check to be disabled via a delegate => https://github.com/DuendeSoftware/products/pull/1932
* Multi-frontend support => https://github.com/DuendeSoftware/products/pull/2032
* Duende.AccessTokenManagement V4 => https://github.com/DuendeSoftware/products/pull/2032
* Open Telemetry support => https://github.com/DuendeSoftware/products/pull/1945
* X-forward header support => https://github.com/DuendeSoftware/products/pull/2129
* Make sure compatible with non-standard compliant openid connect providers => https://github.com/DuendeSoftware/products/pull/2132
* Added License enforcement warnings => https://github.com/DuendeSoftware/products/pull/2130

## Changes since preview 2:
* **BffBuilder** type (returned from **services.AddBff**()) is now an interface called **IBffServicesBuilder**. This is used as the basis for extension methods. 
* **IBffServicesBuilder.WithDefaultCookieOptions** is now called **IBffServicesBuilder.ConfigureCookies()**
* **IBffServicesBuilder.WithDefaultOpenIdConnectOptions** is now called **IBffServicesBuilder.ConfigureOpenIdConnect()**
* To support split host login scenarios, you can use a referer header in the Silent Login, coupled with **BffOptions.AllowedSilentLoginReferers** to create a list of allowed referers.
* **IFrontendCollection** no longer exposes a **GetAll** method, but now implements IEnumerable<Frontend>. 
* **ReturnUrlValidator.IsValidAsync** now only accepts a uri

* User sessions are now partitioned per frontend. **IUserSessionStore** has been updated to reflect this change. Note, you will have to run a migration to rename the column "ApplicationName" to "PartitionKey", including corresponding interfaces. Note, the migrations project has been updated to reflect this change. 

* When you add EntityFramework based sessions to your system, it no longer automatically enables session cleanup. The property **BffOptions.EnableSessionCleanup** is removed. You now have to call **AddSessionCleanupBackgroundProcess**() to enable session migration. 

## Changes since preview 1:
* Removed custom signin url => https://github.com/DuendeSoftware/products/pull/2056
* Fixed server side sessions & sliding cookie configuration => https://github.com/DuendeSoftware/products/pull/2041
* Fixed logout => https://github.com/DuendeSoftware/products/pull/2060


# Upgrade guide

This release introduces many breaking changes. Some small, some large. We'll do our best to document how to upgrade here. Should you run into an upgrade issue that's not documented, please reach out to our discussion forum and we'll do our best to help. 

## Remote APIs

The syntax for configuring remote APIs has changed slightly:

```diff lang="csharp" title="*.cs"
// Use a client credentials token
app.MapRemoteBffApiEndpoint("/api/client-token", "https://localhost:5010")
-    .RequireAccessToken(TokenType.Client);
+    .WithAccessToken(RequiredTokenType.Client);      

// Use the client token only if the user is logged in
app.MapRemoteBffApiEndpoint("/api/optional-user-token", "https://localhost:5010")
```

... (truncated)

## 4.0.0-preview3

This release is a major change from the previous release. The biggest improvement here is multi-frontend support. 

The extensibility approach has been drastically changed. To reduce the public API surface, and improve our ability to evolve the library, we no longer make every class in the system public with virtual methods. Implementation logic now is internal. 

# Changes and improvements

* Support for login prompts, such as prompt = create =>  https://github.com/DuendeSoftware/products/issues/1701
* Deprecated silent login endpoint in favor of prompt=none
* Allow anti forgery check to be disabled via a delegate => https://github.com/DuendeSoftware/products/pull/1932
* Multi-frontend support => https://github.com/DuendeSoftware/products/pull/2032
* Duende.AccessTokenManagement V4 => https://github.com/DuendeSoftware/products/pull/2032
* Open Telemetry support => https://github.com/DuendeSoftware/products/pull/1945

## Changes since preview 2:
* **BffBuilder** type (returned from **services.AddBff**()) is now an interface called **IBffServicesBuilder**. This is used as the basis for extension methods. 
* **IBffServicesBuilder.WithDefaultCookieOptions** is now called **IBffServicesBuilder.ConfigureCookies()**
* **IBffServicesBuilder.WithDefaultOpenIdConnectOptions** is now called **IBffServicesBuilder.ConfigureOpenIdConnect()**
* To support split host login scenarios, you can use a referer header in the Silent Login, coupled with **BffOptions.AllowedSilentLoginReferers** to create a list of allowed referers.
* **IFrontendCollection** no longer exposes a **GetAll** method, but now implements IEnumerable<Frontend>. 
* **ReturnUrlValidator.IsValidAsync** now only accepts a uri

* User sessions are now partitioned per frontend. **IUserSessionStore** has been updated to reflect this change. Note, you will have to run a migration to rename the column "ApplicationName" to "PartitionKey", including corresponding interfaces. Note, the migrations project has been updated to reflect this change. 

* When you add EntityFramework based sessions to your system, it no longer automatically enables session cleanup. The property **BffOptions.EnableSessionCleanup** is removed. You now have to call **AddSessionCleanupBackgroundProcess**() to enable session migration. 

## Changes since preview 1:
* Removed custom signin url => https://github.com/DuendeSoftware/products/pull/2056
* Fixed server side sessions & sliding cookie configuration => https://github.com/DuendeSoftware/products/pull/2041
* Fixed logout => https://github.com/DuendeSoftware/products/pull/2060


# Upgrade guide

This release introduces many breaking changes. Some small, some large. We'll do our best to document how to upgrade here. Should you run into an upgrade issue that's not documented, please reach out to our discussion forum and we'll do our best to help. 

## Remote APIs

The syntax for configuring remote APIs has changed slightly:

```diff lang="csharp" title="*.cs"
// Use a client credentials token
app.MapRemoteBffApiEndpoint("/api/client-token", "https://localhost:5010")
-    .RequireAccessToken(TokenType.Client);
+    .WithAccessToken(RequiredTokenType.Client);      

// Use the client token only if the user is logged in
app.MapRemoteBffApiEndpoint("/api/optional-user-token", "https://localhost:5010")
-    .WithOptionalUserAccessToken();
+    .WithAccessToken(RequiredTokenType.UserOrNone);            

```

... (truncated)

4.0.0-preview2

This release is a major change from the previous release. The biggest improvement here is multi-frontend support.

The extensibility approach has been drastically changed. To reduce the public API surface, and improve our ability to evolve the library, we no longer make every class in the system public with virtual methods. Implementation logic now is internal.

Changes and improvements

Changes since preview 1:

Upgrade guide

This release introduces many breaking changes. Some small, some large. We'll do our best to document how to upgrade here. Should you run into an upgrade issue that's not documented, please reach out to our discussion forum and we'll do our best to help.

Remote APIs

The syntax for configuring remote APIs has changed slightly:

// Use a client credentials token
app.MapRemoteBffApiEndpoint("/api/client-token", "https://localhost:5010")
-    .RequireAccessToken(TokenType.Client);
+    .WithAccessToken(RequiredTokenType.Client);      

// Use the client token only if the user is logged in
app.MapRemoteBffApiEndpoint("/api/optional-user-token", "https://localhost:5010")
-    .WithOptionalUserAccessToken();
+    .WithAccessToken(RequiredTokenType.UserOrNone);            

  • The enum TokenType has been renamed to RequiredTokenType.
  • The method to require the token type is renamed to WithAccessToken()
  • Requesting an optional access token should not be done with the method WithOptionalUserAccessToken() but with RequiredTokenType.UserOrNone

Configuring Token Types In YARP

The required token type configuration in YARP has also changed slightly. It uses the enum values from RequiredTokenType.

Extending The BFF

Simplified Wireup Without Explicit Authentication Setup

... (truncated)

4.0.0-Preview1

This release is a major change from the previous release. The biggest improvement here is multi-frontend support.

The extensibility approach has been drastically changed. To reduce the public API surface, and improve our ability to evolve the library, we no longer make every class in the system public with virtual methods. Implementation logic now is internal.

Changes and improvements

Upgrade guide

This release introduces many breaking changes. Some small, some large. We'll do our best to document how to upgrade here. Should you run into an upgrade issue that's not documented, please reach out to our discussion forum and we'll do our best to help.

Remote APIs

The syntax for configuring remote APIs has changed slightly:

// Use a client credentials token
app.MapRemoteBffApiEndpoint("/api/client-token", "https://localhost:5010")
-    .RequireAccessToken(TokenType.Client);
+    .WithAccessToken(RequiredTokenType.Client);      

// Use the client token only if the user is logged in
app.MapRemoteBffApiEndpoint("/api/optional-user-token", "https://localhost:5010")
-    .WithOptionalUserAccessToken();
+    .WithAccessToken(RequiredTokenType.UserOrNone);            

  • The enum TokenType has been renamed to RequiredTokenType.
  • The method to require the token type is renamed to WithAccessToken()
  • Requesting an optional access token should not be done with the method WithOptionalUserAccessToken() but with RequiredTokenType.UserOrNone

Configuring Token Types In YARP

The required token type configuration in YARP has also changed slightly. It uses the enum values from RequiredTokenType.

Extending The BFF

Simplified Wireup Without Explicit Authentication Setup

The V3 style of wireup still works, but BFF V4 comes with a newer style of wireup:

services.AddBff()
    .WithDefaultOpenIdConnectOptions(options =>
 ... (truncated)

## 3.1.0

The changes since the release candidate are:

- Update to .NET 10 from Release Candidate to GA by @​pgermishuys in #​2267 
- Update to GA FOSS Packages for .NET 10 Release by @​bhazen in #​2282 

## Bug Fixes
* Fix entity framework scoping issue in ServerSideSessionChecker @​maartenba in #​2251

## 3.1.0-rc.1

The changes since the last preview release are:

- Update to .NET 10 from Release Candidate to GA by @​pgermishuys in #​2267 

## Bug Fixes
* Fix entity framework scoping issue in ServerSideSessionChecker @​maartenba in #​2251

## 3.1.0-preview.2

BFF Security Framework 3.1.0 - Preview 2 includes:

## Enhancements
- .NET 10 Support (Simplified) by @​josephdecock in #​2216
Added initial support for .NET 10.
- Updated Access Token Management to 3.3.0-preview.1 in #​2248

## 3.1.0-preview.1

NOTE: There were minor issues with this release. There is a Preview 2 package available which should be used instead.

## Enhancements
- .NET 10 Support (Simplified) by @​josephdecock in https://github.com/DuendeSoftware/products/pull/2216
Added initial support for .NET 10.

Commits viewable in [compare view](https://github.com/DuendeSoftware/products/compare/bff-3.0.0...bff-4.0.0).
</details>

Updated [Duende.IdentityServer](https://github.com/DuendeSoftware/products) from 7.3.2 to 7.4.0.

<details>
<summary>Release notes</summary>

_Sourced from [Duende.IdentityServer's releases](https://github.com/DuendeSoftware/products/releases)._

## 7.4.0

IdentityServer 7.4.0 is a significant release that includes:

- Support for .NET 10
- Support for OAuth 2.0 Authorization Server Metadata (RFC 8414)
- New Callback option for path detection in Dynamic Providers
- Improved UI locales support
- Support for custom parameters in the Authorize Redirect Uri 
- Identity package now persists session claims based on an interface
- Skipping front-channel logout iframe when unnecessary
- Set HTTP activity name on routing

Since the 7.4.0 release candidate, there have been a few minor changes, including:
- Add service for diagnostic data by @​josephdecock in #​2252 
- Trigger Back Channel Logout Earlier in Pipeline by @​bhazen in #​2258
- Enable Customizing ErrorMessage on Redirect to Error Page by @​bhazen  in #​2263 
- Better DCR Support for Public Clients by @​bhazen in #​2264
- Update .NET 10 from Release Candidate to GA by @​pgermishuys in #​2267 

## Breaking Changes
There are no schema changes needed for IdentityServer 7.4.0. Small code changes may be required for some users to upgrade.

- Removed the unused `Duende.IdentityServer.Models.DiscoveryDocument` class which was public
- Marked static properties referring to counters in `Telemetry.cs` as readonly

### Removed the unused `Duende.IdentityServer.Models.DiscoveryDocument` class which was public
* Address CA1707 violations by @​bhazen  in #​2128
_In the process of internal code cleanup, this unused and unreferenced file was removed. If code was referencing this file, see the linked PR to create a local copy in the code base needing it._
### Marked static properties referring to counters in `Telemetry.cs` as `readonly`
* Address CA2211 Violations by @​bhazen in #​2170 
_In the process of internal code cleanup, these properties were updated to be marked as `readonly`. Code should not have been updating these properties as it would likely change the behavior of the telemetry emitted by IdentityServer. Any code which was updating these properties should instead create its own counters for its specific scenario._

## Enhancements
* Set HTTP activity name on routing by @​josephdecock in #​2049
  * Set the DisplayName of the activity associated with the incoming HttpRequest when IdentityServer routes are matched. This makes the IdentityServer route names appear in OTel traces.
* Skip front-channel logout iframe when unnecessary by @​bhazen in #​2109 
  * Enables the UI to skip rendering the front channel logout iframe when it is not needed.
* Callback Option for Path Detection in Dynamic Providers by @​bhazen in #​2126 
  * Adds a new option for Dynamic Providers to increase flexibility when routing to dynamic providers. The new `PathMatchingCallback` setting can be used as an alternative to the previously existing `PathPrefix` option.
* Improved UI locales support by @​bhazen in #​2158 
  * Improves support for the ui_locales parameter in protocol requests which support it to allow for better localization.
  * The default implementation, `DefaultUiLocalsService.cs`, delegates to the `CookieRequestCultureProvider` if it is present and any of the values passed in the `ui_locales` parameter match a supported UI culture.
  * If the default implementation does not meet your needs, `IUiLocalesService` can be implemented and registered with DI.
* RFC 8414 support by @​bhazen in #​2189 
  * Adds out of box support for OAuth 2.0 Authorization Server Metadata as defined in RFC 8414
* Support for custom parameters in authorize response by @​bhazen in #​2206
  * Adds a new `CustomParameters` property to `AuthorizeResponse` to support adding custom query parameters to the redirect uri. This will typically be used in conjunction with a custom `IAuthorizeResponseGenerator`. 
* Use Customizable Filter to Persist Session Claims in ASP.NET Identity by @​bhazen in #​2213
  * The ASP.NET Identity integration package now persists session claims based on `ISessionClaimsFilter.FilterToSessionClaimsAsync` which comes with a default implementation.
  * The new interface can be implemented to customize which session claims are persisted in non-default scenarios. 
* .NET 10 Support (Simplified) by @​josephdecock in #​2216 
 ... (truncated)

## 7.4.0-rc.1

This is the first release candidate of IdentityServer 7.4.0. The changes since the last preview release are:
- Add service for diagnostic data by @​josephdecock in #​2252 
- Trigger Back Channel Logout Earlier in Pipeline by @​bhazen in #​2258
- Enable Customizing ErrorMessage on Redirect to Error Page by @​bhazen  in #​2263 
- Better DCR Support for Public Clients by @​bhazen in #​2264
- Update .NET 10 from Release Candidate to GA by @​pgermishuys in #​2267 

IdentityServer 7.4.0 is a significant release that includes:

- Support for .NET 10 (this preview targets .NET10 RC2)
- Support for OAuth 2.0 Authorization Server Metadata (RFC 8414)
- New Callback option for path detection in Dynamic Providers
- Improved UI locales support
- Support for custom parameters in the Authorize Redirect Uri 
- Identity package now persists session claims based on an interface
- Skipping front-channel logout iframe when unnecessary
- Set HTTP activity name on routing

## Breaking Changes
There are no schema changes needed for IdentityServer 7.4.0. Small code changes may be required for some users to upgrade.

- Removed the unused `Duende.IdentityServer.Models.DiscoveryDocument` class which was public
- Marked static properties referring to counters in `Telemetry.cs` as readonly

### Removed the unused `Duende.IdentityServer.Models.DiscoveryDocument` class which was public
* Address CA1707 violations by @​bhazen  in #​2128
_In the process of internal code cleanup, this unused and unreferenced file was removed. If code was referencing this file, see the linked PR to create a local copy in the code base needing it._
### Marked static properties referring to counters in `Telemetry.cs` as `readonly`
* Address CA2211 Violations by @​bhazen in #​2170 
_In the process of internal code cleanup, these properties were updated to be marked as `readonly`. Code should not have been updating these properties as it would likely change the behavior of the telemetry emitted by IdentityServer. Any code which was updating these properties should instead create its own counters for its specific scenario._

## Enhancements
* Set HTTP activity name on routing by @​josephdecock in #​2049
  * Set the DisplayName of the activity associated with the incoming HttpRequest when IdentityServer routes are matched. This makes the IdentityServer route names appear in OTel traces.
* Skip front-channel logout iframe when unnecessary by @​bhazen in #​2109 
  * Enables the UI to skip rendering the front channel logout iframe when it is not needed.
* Callback Option for Path Detection in Dynamic Providers by @​bhazen in #​2126 
  * Adds a new option for Dynamic Providers to increase flexibility when routing to dynamic providers. The new `PathMatchingCallback` setting can be used as an alternative to the previously existing `PathPrefix` option.
* Improved UI locales support by @​bhazen in #​2158 
  * Improves support for the ui_locales parameter in protocol requests which support it to allow for better localization.
  * The default implementation, `DefaultUiLocalsService.cs`, delegates to the `CookieRequestCultureProvider` if it is present and any of the values passed in the `ui_locales` parameter match a supported UI culture.
  * If the default implementation does not meet your needs, `IUiLocalesService` can be implemented and registered with DI.
* RFC 8414 support by @​bhazen in #​2189 
  * Adds out of box support for OAuth 2.0 Authorization Server Metadata as defined in RFC 8414
* Support for custom parameters in authorize response by @​bhazen in #​2206
  * Adds a new `CustomParameters` property to `AuthorizeResponse` to support adding custom query parameters to the redirect uri. This will typically be used in conjunction with a custom `IAuthorizeResponseGenerator`. 
* Use Customizable Filter to Persist Session Claims in ASP.NET Identity by @​bhazen in #​2213
  * The ASP.NET Identity integration package now persists session claims based on `ISessionClaimsFilter.FilterToSessionClaimsAsync` which comes with a default implementation.
  * The new interface can be implemented to customize which session claims are persisted in non-default scenarios. 
* .NET 10 Support (Simplified) by @​josephdecock in #​2216 
 ... (truncated)

## 7.4.0-preview.2

IdentityServer 7.4.0 is a significant release that includes:

- Support for .NET 10 (this preview targets .NET10 RC2)
- Support for OAuth 2.0 Authorization Server Metadata (RFC 8414)
- New Callback option for path detection in Dynamic Providers
- Improved UI locales support
- Support for custom parameters in the Authorize Redirect Uri 
- Identity package now persists session claims based on an interface
- Skipping front-channel logout iframe when unnecessary
- Set HTTP activity name on routing

## Breaking Changes
There are no schema changes needed for IdentityServer 7.4.0. Small code changes may be required for some users to upgrade.

- Removed the unused `Duende.IdentityServer.Models.DiscoveryDocument` class which was public
- Marked static properties referring to counters in `Telemetry.cs` as readonly

### Removed the unused `Duende.IdentityServer.Models.DiscoveryDocument` class which was public
* Address CA1707 violations by @​bhazen  in #​2128
_In the process of internal code cleanup, this unused and unreferenced file was removed. If code was referencing this file, see the linked PR to create a local copy in the code base needing it._
### Marked static properties referring to counters in `Telemetry.cs` as `readonly`
* Address CA2211 Violations by @​bhazen in #​2170 
_In the process of internal code cleanup, these properties were updated to be marked as `readonly`. Code should not have been updating these properties as it would likely change the behavior of the telemetry emitted by IdentityServer. Any code which was updating these properties should instead create its own counters for its specific scenario._

## Enhancements
* Set HTTP activity name on routing by @​josephdecock in #​2049
  * Set the DisplayName of the activity associated with the incoming HttpRequest when IdentityServer routes are matched. This makes the IdentityServer route names appear in OTel traces.
* Skip front-channel logout iframe when unnecessary by @​bhazen in #​2109 
  * Enables the UI to skip rendering the front channel logout iframe when it is not needed.
* Callback Option for Path Detection in Dynamic Providers by @​bhazen in #​2126 
  * Adds a new option for Dynamic Providers to increase flexibility when routing to dynamic providers. The new `PathMatchingCallback` setting can be used as an alternative to the previously existing `PathPrefix` option.
* Improved UI locales support by @​bhazen in #​2158 
  * Improves support for the ui_locales parameter in protocol requests which support it to allow for better localization.
  * The default implementation, `DefaultUiLocalsService.cs`, delegates to the `CookieRequestCultureProvider` if it is present and any of the values passed in the `ui_locales` parameter match a supported UI culture.
  * If the default implementation does not meet your needs, `IUiLocalesService` can be implemented and registered with DI.
* RFC 8414 support by @​bhazen in #​2189 
  * Adds out of box support for OAuth 2.0 Authorization Server Metadata as defined in RFC 8414
* Support for custom parameters in authorize response by @​bhazen in #​2206
  * Adds a new `CustomParameters` property to `AuthorizeResponse` to support adding custom query parameters to the redirect uri. This will typically be used in conjunction with a custom `IAuthorizeResponseGenerator`. 
* Use Customizable Filter to Persist Session Claims in ASP.NET Identity by @​bhazen in #​2213
  * The ASP.NET Identity integration package now persists session claims based on `ISessionClaimsFilter.FilterToSessionClaimsAsync` which comes with a default implementation.
  * The new interface can be implemented to customize which session claims are persisted in non-default scenarios. 
* .NET 10 Support (Simplified) by @​josephdecock in #​2216 
  * Added initial support for .NET 10.
* Updated IS and BFF to IM 8.0.0 Preview 1 and ATM Previews in #​2247

## Bug Fixes
* Reject Pushed Authorization Requests with parameters duplicated in a JAR by @​wcabus in #​2073 
  * Fixes a bug where, when posting a PAR containing the "request" request parameter, other request parameters were being allowed.
  * Such a request will now correctly return an invalid request.
 ... (truncated)

## 7.4.0-preview.1

**NOTE**: There were minor issues with this release. There is a Preview 2 package available which should be used instead.

IdentityServer 7.4.0 is a significant release that includes:

- Support for .NET 10 (this preview targets .NET10 RC2)
- Support for OAuth 2.0 Authorization Server Metadata (RFC 8414)
- New Callback option for path detection in Dynamic Providers
- Improved UI locales support
- Support for custom parameters in the Authorize Redirect Uri 
- Identity package now persists session claims based on an interface
- Skipping front-channel logout iframe when unnecessary
- Set HTTP activity name on routing

## Breaking Changes
There are no schema changes needed for IdentityServer 7.4.0. Small code changes may be required for some users to upgrade.

- Removed the unused `Duende.IdentityServer.Models.DiscoveryDocument` class which was public
- Marked static properties referring to counters in `Telemetry.cs` as readonly

### Removed the unused `Duende.IdentityServer.Models.DiscoveryDocument` class which was public
* Address CA1707 violations by @​bhazen  in #​2128
_In the process of internal code cleanup, this unused and unreferenced file was used. If code was referencing this file, see the linked PR to create a local copy in the code base needing it._
### Marked static properties referring to counters in `Telemetry.cs` as `readonly`
* Address CA2211 Violations by @​bhazen in #​2170 
_In the process of internal code cleanup, these properties were updated to be marked as `readonly`. Code should not have been updating these properties as it would likely change the behavior of the telemetry emitted by IdentityServer. Any code which was updating these properties should instead create its own counters for its specific scenario._

## Enhancements
* Set HTTP activity name on routing by @​josephdecock in #​2049
  * Set the DisplayName of the activity associated with the incoming HttpRequest when IdentityServer routes are matched. This makes the IdentityServer route names appear in OTel traces.
* Skip front-channel logout iframe when unnecessary by @​bhazen in #​2109 
  * Enables the UI to skip rendering the front channel logout iframe when it is not needed.
* Callback Option for Path Detection in Dynamic Providers by @​bhazen in #​2126 
  * Adds a new option for Dynamic Providers to increase flexibility when routing to dynamic providers. The new `PathMatchingCallback` setting can be used as an alternative to the previously existing `PathPrefix` option.
* Improved UI locales support by @​bhazen in #​2158 
  * Improves support for the ui_locales parameter in protocol requests which support it to allow for better localization.
  * The default implementation, `DefaultUiLocalsService.cs`, delegates to the `CookieRequestCultureProvider` if it is present and any of the values passed in the `ui_locales` parameter match a supported UI culture.
  * If the default implementation does not meet your needs, `IUiLocalesService` can be implemented and registered with DI.
* RFC 8414 support by @​bhazen in #​2189 
  * Adds out of box support for OAuth 2.0 Authorization Server Metadata as defined in RFC 8414
* Support for custom parameters in authorize response by @​bhazen in #​2206
  * Adds a new `CustomParameters` property to `AuthorizeResponse` to support adding custom query parameters to the redirect uri. This will typically be used in conjunction with a custom `IAuthorizeResponseGenerator`. 
* Use Customizable Filter to Persist Session Claims in ASP.NET Identity by @​bhazen in #​2213
  * The ASP.NET Identity integration package now persists session claims based on `ISessionClaimsFilter.FilterToSessionClaimsAsync` which comes with a default implementation.
  * The new interface can be implemented to customize which session claims are persisted in non-default scenarios. 
* .NET 10 Support (Simplified) by @​josephdecock in #​2216 
  * Added initial support for .NET 10.

## Bug Fixes
* Reject Pushed Authorization Requests with parameters duplicated in a JAR by @​wcabus in #​2073 
  * Fixes a bug where, when posting a PAR containing the "request" request parameter, other request parameters were being allowed.
 ... (truncated)

Commits viewable in [compare view](https://github.com/DuendeSoftware/products/compare/is-7.3.2...is-7.4.0).
</details>

Updated [Duende.IdentityServer.AspNetIdentity](https://github.com/DuendeSoftware/products) from 7.3.2 to 7.4.0.

<details>
<summary>Release notes</summary>

_Sourced from [Duende.IdentityServer.AspNetIdentity's releases](https://github.com/DuendeSoftware/products/releases)._

## 7.4.0

IdentityServer 7.4.0 is a significant release that includes:

- Support for .NET 10
- Support for OAuth 2.0 Authorization Server Metadata (RFC 8414)
- New Callback option for path detection in Dynamic Providers
- Improved UI locales support
- Support for custom parameters in the Authorize Redirect Uri 
- Identity package now persists session claims based on an interface
- Skipping front-channel logout iframe when unnecessary
- Set HTTP activity name on routing

Since the 7.4.0 release candidate, there have been a few minor changes, including:
- Add service for diagnostic data by @​josephdecock in #​2252 
- Trigger Back Channel Logout Earlier in Pipeline by @​bhazen in #​2258
- Enable Customizing ErrorMessage on Redirect to Error Page by @​bhazen  in #​2263 
- Better DCR Support for Public Clients by @​bhazen in #​2264
- Update .NET 10 from Release Candidate to GA by @​pgermishuys in #​2267 

## Breaking Changes
There are no schema changes needed for IdentityServer 7.4.0. Small code changes may be required for some users to upgrade.

- Removed the unused `Duende.IdentityServer.Models.DiscoveryDocument` class which was public
- Marked static properties referring to counters in `Telemetry.cs` as readonly

### Removed the unused `Duende.IdentityServer.Models.DiscoveryDocument` class which was public
* Address CA1707 violations by @​bhazen  in #​2128
_In the process of internal code cleanup, this unused and unreferenced file was removed. If code was referencing this file, see the linked PR to create a local copy in the code base needing it._
### Marked static properties referring to counters in `Telemetry.cs` as `readonly`
* Address CA2211 Violations by @​bhazen in #​2170 
_In the process of internal code cleanup, these properties were updated to be marked as `readonly`. Code should not have been updating these properties as it would likely change the behavior of the telemetry emitted by IdentityServer. Any code which was updating these properties should instead create its own counters for its specific scenario._

## Enhancements
* Set HTTP activity name on routing by @​josephdecock in #​2049
  * Set the DisplayName of the activity associated with the incoming HttpRequest when IdentityServer routes are matched. This makes the IdentityServer route names appear in OTel traces.
* Skip front-channel logout iframe when unnecessary by @​bhazen in #​2109 
  * Enables the UI to skip rendering the front channel logout iframe when it is not needed.
* Callback Option for Path Detection in Dynamic Providers by @​bhazen in #​2126 
  * Adds a new option for Dynamic Providers to increase flexibility when routing to dynamic providers. The new `PathMatchingCallback` setting can be used as an alternative to the previously existing `PathPrefix` option.
* Improved UI locales support by @​bhazen in #​2158 
  * Improves support for the ui_locales parameter in protocol requests which support it to allow for better localization.
  * The default implementation, `DefaultUiLocalsService.cs`, delegates to the `CookieRequestCultureProvider` if it is present and any of the values passed in the `ui_locales` parameter match a supported UI culture.
  * If the default implementation does not meet your needs, `IUiLocalesService` can be implemented and registered with DI.
* RFC 8414 support by @​bhazen in #​2189 
  * Adds out of box support for OAuth 2.0 Authorization Server Metadata as defined in RFC 8414
* Support for custom parameters in authorize response by @​bhazen in #​2206
  * Adds a new `CustomParameters` property to `AuthorizeResponse` to support adding custom query parameters to the redirect uri. This will typically be used in conjunction with a custom `IAuthorizeResponseGenerator`. 
* Use Customizable Filter to Persist Session Claims in ASP.NET Identity by @​bhazen in #​2213
  * The ASP.NET Identity integration package now persists session claims based on `ISessionClaimsFilter.FilterToSessionClaimsAsync` which comes with a default implementation.
  * The new interface can be implemented to customize which session claims are persisted in non-default scenarios. 
* .NET 10 Support (Simplified) by @​josephdecock in #​2216 
 ... (truncated)

## 7.4.0-rc.1

This is the first release candidate of IdentityServer 7.4.0. The changes since the last preview release are:
- Add service for diagnostic data by @​josephdecock in #​2252 
- Trigger Back Channel Logout Earlier in Pipeline by @​bhazen in #​2258
- Enable Customizing ErrorMessage on Redirect to Error Page by @​bhazen  in #​2263 
- Better DCR Support for Public Clients by @​bhazen in #​2264
- Update .NET 10 from Release Candidate to GA by @​pgermishuys in #​2267 

IdentityServer 7.4.0 is a significant release that includes:

- Support for .NET 10 (this preview targets .NET10 RC2)
- Support for OAuth 2.0 Authorization Server Metadata (RFC 8414)
- New Callback option for path detection in Dynamic Providers
- Improved UI locales support
- Support for custom parameters in the Authorize Redirect Uri 
- Identity package now persists session claims based on an interface
- Skipping front-channel logout iframe when unnecessary
- Set HTTP activity name on routing

## Breaking Changes
There are no schema changes needed for IdentityServer 7.4.0. Small code changes may be required for some users to upgrade.

- Removed the unused `Duende.IdentityServer.Models.DiscoveryDocument` class which was public
- Marked static properties referring to counters in `Telemetry.cs` as readonly

### Removed the unused `Duende.IdentityServer.Models.DiscoveryDocument` class which was public
* Address CA1707 violations by @​bhazen  in #​2128
_In the process of internal code cleanup, this unused and unreferenced file was removed. If code was referencing this file, see the linked PR to create a local copy in the code base needing it._
### Marked static properties referring to counters in `Telemetry.cs` as `readonly`
* Address CA2211 Violations by @​bhazen in #​2170 
_In the process of internal code cleanup, these properties were updated to be marked as `readonly`. Code should not have been updating these properties as it would likely change the behavior of the telemetry emitted by IdentityServer. Any code which was updating these properties should instead create its own counters for its specific scenario._

## Enhancements
* Set HTTP activity name on routing by @​josephdecock in #​2049
  * Set the DisplayName of the activity associated with the incoming HttpRequest when IdentityServer routes are matched. This makes the IdentityServer route names appear in OTel traces.
* Skip front-channel logout iframe when unnecessary by @​bhazen in #​2109 
  * Enables the UI to skip rendering the front channel logout iframe when it is not needed.
* Callback Option for Path Detection in Dynamic Providers by @​bhazen in #​2126 
  * Adds a new option for Dynamic Providers to increase flexibility when routing to dynamic providers. The new `PathMatchingCallback` setting can be used as an alternative to the previously existing `PathPrefix` option.
* Improved UI locales support by @​bhazen in #​2158 
  * Improves support for the ui_locales parameter in protocol requests which support it to allow for better localization.
  * The default implementation, `DefaultUiLocalsService.cs`, delegates to the `CookieRequestCultureProvider` if it is present and any of the values passed in the `ui_locales` parameter match a supported UI culture.
  * If the default implementation does not meet your needs, `IUiLocalesService` can be implemented and registered with DI.
* RFC 8414 support by @​bhazen in #​2189 
  * Adds out of box support for OAuth 2.0 Authorization Server Metadata as defined in RFC 8414
* Support for custom parameters in authorize response by @​bhazen in #​2206
  * Adds a new `CustomParameters` property to `AuthorizeResponse` to support adding custom query parameters to the redirect uri. This will typically be used in conjunction with a custom `IAuthorizeResponseGenerator`. 
* Use Customizable Filter to Persist Session Claims in ASP.NET Identity by @​bhazen in #​2213
  * The ASP.NET Identity integration package now persists session claims based on `ISessionClaimsFilter.FilterToSessionClaimsAsync` which comes with a default implementation.
  * The new interface can be implemented to customize which session claims are persisted in non-default scenarios. 
* .NET 10 Support (Simplified) by @​josephdecock in #​2216 
 ... (truncated)

## 7.4.0-preview.2

IdentityServer 7.4.0 is a significant release that includes:

- Support for .NET 10 (this preview targets .NET10 RC2)
- Support for OAuth 2.0 Authorization Server Metadata (RFC 8414)
- New Callback option for path detection in Dynamic Providers
- Improved UI locales support
- Support for custom parameters in the Authorize Redirect Uri 
- Identity package now persists session claims based on an interface
- Skipping front-channel logout iframe when unnecessary
- Set HTTP activity name on routing

## Breaking Changes
There are no schema changes needed for IdentityServer 7.4.0. Small code changes may be required for some users to upgrade.

- Removed the unused `Duende.IdentityServer.Models.DiscoveryDocument` class which was public
- Marked static properties referring to counters in `Telemetry.cs` as readonly

### Removed the unused `Duende.IdentityServer.Models.DiscoveryDocument` class which was public
* Address CA1707 violations by @​bhazen  in #​2128
_In the process of internal code cleanup, this unused and unreferenced file was removed. If code was referencing this file, see the linked PR to create a local copy in the code base needing it._
### Marked static properties referring to counters in `Telemetry.cs` as `readonly`
* Address CA2211 Violations by @​bhazen in #​2170 
_In the process of internal code cleanup, these properties were updated to be marked as `readonly`. Code should not have been updating these properties as it would likely change the behavior of the telemetry emitted by IdentityServer. Any code which was updating these properties should instead create its own counters for its specifi...

_Description has been truncated_

Bumps Duende.BFF from 3.0.0 to 4.0.0
Bumps Duende.BFF.Yarp from 3.0.0 to 4.0.0
Bumps Duende.IdentityServer from 7.3.2 to 7.4.0
Bumps Duende.IdentityServer.AspNetIdentity from 7.3.2 to 7.4.0
Bumps Duende.IdentityServer.EntityFramework from 7.3.2 to 7.4.0

---
updated-dependencies:
- dependency-name: Duende.BFF
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: duende
- dependency-name: Duende.BFF.Yarp
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: duende
- dependency-name: Duende.IdentityServer
  dependency-version: 7.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: duende
- dependency-name: Duende.IdentityServer.AspNetIdentity
  dependency-version: 7.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: duende
- dependency-name: Duende.IdentityServer.EntityFramework
  dependency-version: 7.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: duende
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added .NET Pull requests that update .net code dependencies Pull requests that update a dependency file labels Dec 2, 2025
@github-actions github-actions bot merged commit 042b182 into master Dec 2, 2025
1 of 2 checks passed
@github-actions github-actions bot deleted the dependabot/nuget/Identity/IdentityCenter/duende-98f7c06b5e branch December 2, 2025 17:43