Release IdentityServer 7.1.0 · DuendeSoftware/products

IdentityServer 7.1.0 is a significant release that includes:

.NET 9 support
Use of Duende.IdentityModel
New license usage helpers
Friendly READMEs in the NuGet packages
Improved log filtering when HTTP requests are aborted
Redaction of the subject token during token exchange
Improved extensibility of the ClientConfigurationStore in the Configuration API
Several bug fixes
Numerous small code quality and performance enhancements from the community

Breaking Changes

There are no schema changes needed for IdentityServer 7.1.0. Small code changes will be required for must users to upgrade.

Use Duende.IdentityModel 7.0.0 by @damianh in #1621
Our open source IdentityModel library has been renamed Duende.IdentityModel, and we now depend on Duende.IdentityModel instead of IdentityModel. Duende.IdentityModel is a drop-in replacement for IdentityModel with updated namespaces that include the Duende prefix. If you are using IdentityModel's types in your IdentityServer implementation, you will need to update references from IdentityModel to Duende.IdentityModel (replace "using IdentityModel" with "using Duende.IdentityModel").

Use IConfigurationDbContext in ClientConfigurationStore by @stefannikolei in #1624
The ClientConfigurationStore in the Duende.Configuration.EntityFramework package now depends on IConfigurationDbContext instead of ConfigurationDbContext to allow for customization. If you have a customized store that derives from the default store, you may need to update your constructors. Note that this only affects the Entity Framework based implementation of the configuration store used by the dynamic client registration configuration API.

Update to .NET 9 by @josephdecock in #1603
Update .NET9 from rc2 to release by @stefannikolei in #1623
IdentityServer 7.1 multi-targets .NET 8 and .NET 9. Both versions are supported.

Add new license management services by @josephdecock in #1637
A LicenseUsageSummary is now available which includes the license edition and clients, issuers, and enterprise or business edition features used. The intent is to make it easier to understand which license is needed.

Filter subject token from TokenRequest log by @krosn in #1521
Subject tokens from token exchange are now redacted by default from logs.
Update GitHub readme, add NuGet readmes by @josephdecock in #1610
All IdentityServer NuGet packages now have README files.
Filter all OperationCanceledExceptions from logs, instead of only TaskCanceledExceptions by @josephdecock in #1671
Aborted HTTP requests result in expected exceptions, which we filter out of our logging when the request is aborted. Sometimes this is raised as OperationCanceledException instead of TaskCanceledException, so we now filter both.

Fall back to other token types when given incorrect hint during introspection by @josephdecock in #1607
When an incorrect token_type_hint parameter is passed during introspection we now fall back to find tokens of the other type, in compliance with RFC 7662 Section 2.1.
Clean up retired keys even if they are not unprotectable by @josephdecock in #1608
Retired signing keys will now be deleted by the key manager even if the data protected portion of the key cannot be unprotected.
Filter protocol claims from reference tokens by @josephdecock in #1662
Reference tokens from IdentityServer 4 sometimes contain "protocol" claims, such as iat, which caused a bug where claims were duplicated.
Respect EnableBackchannelAuthenticationEndpoint during routing by @EternamFr in #1599
If CIBA is disabled in config, we now disable the endpoint in addition to suppressing it in discovery.
Persist claim issuers in server side sessions by @josephdecock in #1660
Claims from third-party issuers now track their issuer in a server side session, which fixes issues related to logout when integrating with 3rd party SAML providers.

Update misleading comment by @AndersAbel in #1525
Fix indentation by @AndersAbel in #1541
Bump OpenTelemetry dependencies by @AndersAbel in #1549
Replace alice/bob/email.com domains with example domains by @wenz in #1606
Typo fix in README.md by @Tornhoof in #1615
fix typo in comment by @JuliusPC in #1626
leverage argument throw helpers by @SimonCropp in #1630
leverage generic GetService by @SimonCropp in #1631
fix incorrect as usage in GetAuthenticationTimeEpoch by @SimonCropp in #1636
use named headers by @SimonCropp in #1643
fix broken xml docs by @SimonCropp in #1648
remove redundant casts by @SimonCropp in #1658
more accurate timing to SigningKeyStore.StoreKey activity in StoreKeyAsync by @SimonCropp in #1664
fix null reference in PostConfigureApplicationCookieTicketStore PostConfigure by @SimonCropp in #1666
missing dispose for GetCurrentProcess by @SimonCropp in #1667

remove unnecessary distinct method by @testfirstcoder in #1581
use static equals method to avoid exception by @testfirstcoder in #1583
improve youngest key search by @testfirstcoder in #1584
Refactoring AuthenticationPropertiesExtensions by @testfirstcoder in #1585
Avoid multiple check adding clientid by @testfirstcoder in #1586
better perf in request validation by @SimonCropp in #1632
use faster char based StartsWith, EndsWith, and Contains by @SimonCropp in #1633
remove redundant Any checks before enumeration by @SimonCropp in #1634
remove redundant list and expression alloc in SecretValidator.ValidateAsync by @SimonCropp in #1635
Use SHA*.HashData() one-shot methods by @martincostello in #1640
use char base overloads where possible by @SimonCropp in #1644
simplify some linq by @SimonCropp in #1645
avoid some array alloc by @SimonCropp in #1646
remove duplicate dictionary lookups by @SimonCropp in #1651
remove redundant array allocation by @SimonCropp in #1655
use count property over count method by @SimonCropp in #1657
remove redundant allocation in ProtectedResourceErrorResult by @SimonCropp in #1663
remove some ToString allocs by @SimonCropp in #1668

Full Changelog: 7.0.8...7.1.0-rc.1