Releases: DuendeSoftware/products
IdentityServer 6.3.7
This is a minor release that fixes two bugs.
What's Changed
- Fix incorrect LogWarning call by @AndersAbel in #1484
- Fix logout token iss when issuer is missing by @josephdecock in #1486
Full Changelog: 6.3.6...6.3.7
IdentityServer 7.0.0 Preview 2
Identity Server 7.0.0 Preview 2 previews support for .NET 8, pushed authorization requests, OpenTelemetry Metrics, and many other fixes and improvements.
.NET 8
IdentityServer now targets .NET 8. In addition to keeping IdentityServer implementations covered by Microsoft support, new features in .NET 8 enabled several improvements to IdentityServer. See #1337 for more details on the core update, and the item below for a related update that makes use of a new .NET 8 API.
- A TimeProvider-based clock abstraction improves the granularity of the clock and makes code that depends on it easier to test. See #1341.
Pushed Authorization Requests
IdentityServer now supports Pushed Authorization Requests. Pushed Authorization Requests (PAR) is a relatively new OAuth standard that improves the security of OAuth and OIDC flows by moving authorization parameters from the front channel to the back channel (that is, from redirect URLs in the browser to direct machine-to-machine HTTP calls on the back end). See #1424.
OpenTelemetry Metrics
IdentityServer's support for OpenTelemetry now includes support for metrics. OpenTelemetry measurements are now made where we have historically raised our custom events. While IdentityServer will continue to raise those custom events, we think that OpenTelemetry offers significant advantages (open standards and a large ecosystem of tooling), and we intend to emphasize OpenTelemetry in our future work related to observability. See #1456.
Breaking Changes
Likely to impact most implementations
- IdentityServer now supports .NET 8 only. See #1337.
- Schema Updates
  - The server-side session entity in Duende.IdentityServer.EntityFramework now uses a 64-bit long as its primary key (previously a 32-bit int). See #1463.
  - Two new properties have been added to the client model for PAR support. See #1424.
    - Client.RequirePushedAuthorization is a new boolean property that controls if this client requires PAR. PAR is required if either the global configuration is enabled or if the client's flag is enabled (this can't be used to opt out of the global configuration). It is safe to initialize this column to false for existing clients, which will mean that the global configuration will be used.
    - Client.PushedAuthorizationLifetime is a new nullable integer property that controls the lifetime of pushed authorization requests (in seconds) for a client. If this lifetime is set, it takes precedence over the global configuration. It is safe to initialize this column to null for existing clients, which means the global configuration is used.
  - A new table has been added to store pushed authorization requests. This new table contains a hashed identifier, the pushed parameters (as a string, serialized and data protected), and the expiration time of the request. See #1424.
Only impacts particular customizations or edge cases
- The DefaultCorsPolicyService now depends on the IConfigurationDbContext directly, instead of taking a dependency on the IServiceProvider and resolving that DbContext from it. If you have a customized CORS implementation that derives from the DefaultCorsPolicyService, you need to update the constructor of your derived class to use the IConfigurationDbContext. See #1239.
- The DPoPProofValidatonContext has been refactored. Instead of the Client property, we now put the relevant details (expiration validation mode and clock skew) directly in the context. We also have added the HTTP method and URL to the context. If you have a custom implementation of the IDPoPProofValidator or a class that derives from the DefaultDPoPProofValidator, update your usage of the context appropriately. See #1338.
- The DefaultTokenService no longer includes an IHttpContextAccessor. This member was unused by the default implementation and marked as obsolete. Customizations that derive from the DefaultTokenService no longer need to pass the accessor to the base constructor. If such a customization needs the accessor, add it to the derived class. See #1457.
- The reference token store now includes the session id when revoking reference tokens. Implementors of IReferenceTokenStore should update their implementation of token revocation to include the session id. See #1321.
- Invalid prompt modes now cause validation errors that result in an HTTP 400 (Bad Request). Previously, invalid prompt modes were ignored. This complies with updates to the OpenID Connect specification. See #1331.
Newly Deprecated
- IAuthorizationParametersMessageStore is deprecated. PAR is a more robust/standardized approach to get similar benefits. See #1462.
- The IHttpContextAccessor in the EndSessionRequestValidator is unused and has been marked as obsolete. It will be removed in a future version. See #1457.
Previously Deprecated, Now Removed
- The obsolete IdentityServerOrigin constant has been removed.
- Several obsolete extension methods on HttpContext have been removed. These methods are replaced by methods in IServerUrls and IIssuerNameService. See #1457.
  - HttpContext.GetSchemeSupportsSignOutAsync is replaced by IAuthenticationHandlerProvider.GetHandlerAsync (you will also need to check if the handler implements IAuthenticationSignOutHandler).
  - HttpContext.GetIdentityServerOrigin and HttpContext.SetIdentityServerOrigin are replaced by IServerUrls.Origin.
  - HttpContext.GetIdentityServerBasePath and HttpContext.SetIdentityServerBasePath are replaced by IServerUrls.BasePath.
  - GetIdentityServerHost is replaced by IServerUrls.Origin.
  - GetIdentityServerBaseUrl is replaced by IServerUrls.BaseUrl.
  - GetIdentityServerRelativeUrl is replaced by IServerUrls.GetIdentityServerRelativeUrl.
  - GetIdentityServerIssuerUri is replaced by IIssuerNameService.GetCurrentAsync.
  - RedirectToAbsoluteUrl is replaced by redirecting to a call to IServerUrls.GetAbsoluteUrl.
- The obsolete and unused IUserSessionExtensions interface has been removed. See #1457.
- The obsolete IPrincipal.GetName and IIdentity.GetName extension methods have been removed. Use ClaimsPrincipal.GetDisplayName instead. See #1457.
- The obsolete ResourceValidationRequest.IncludeNonIsolatedApiResources has been removed. This flag was no longer used. See #1457.
Unlikely to impact anyone
- The KeyManagementOptions.SigningAlgorithms is now an ICollection rather than an IEnumerable. If you are configuring signing algorithms using code, and setting the SigningAlgorithms to some type that implements IEnumerable but not ICollection, then you must change the type that you are using. In practice, we expect everyone uses a list or array (which are both ICollections). See #1375.
- The value of the constant IdentityServerAuthenticationType has changed from "IdentityServer4" to "Duende.IdentityServer". This constant is used as the value of the authentication type within the ClaimsIdentity that IdentityServer constructs. The authentication type's value is never used by IdentityServer or ASP.NET, so this is unlikely to impact anyone. It is also the name of the default CORS policy created by IdentityServer. This could theoretically impact you if you have a CORS policy named "Duende.IdentityServer", as the new name now conflicts. See #1457.
New Configuration Options
PAR
- IdentityServerOptions now includes the PushedAuthorization property to configure PAR.
  - PushedAuthorizationOptions.Required causes PAR to be required globally. This defaults to false.
  - PushedAuthorizationOptions.Lifetime controls the lifetime of pushed authorization requests. The pushed authorization request's lifetime begins when the request to the PAR endpoint is received, and is validated until the authorize endpoint returns a response to the client application. Note that user interaction, such as entering credentials or granting consent, may need to occur before the authorize endpoint can do so. Setting the lifetime too low will likely cause login failures for interactive users, if pushed authorization requests expire before those users complete authentication. Some security profiles, such as the FAPI 2.0 Security Profile, recommend an expiration within 10 minutes to prevent attackers from pre-generating requests. To balance these constraints, this lifetime defaults to 10 minutes.
  - PushedAuthorizationOptions.AllowUnregisteredPushedRedirectUris controls whether clients may use redirect URIs that were not previously registered. This is a relaxation of security guidance that is specifically allowed by the PAR specification because the pushed authorization requests are authenticated. It defaults to false.
- The Client configuration object now includes two new properties to configure PAR on a per-client basis.
  - Client.RequirePushedAuthorization controls if this client requires PAR. PAR is required if either the global configuration is enabled or if the client's flag is enabled (this can't be used to opt out of the global configuration). This defaults to false, which means the global configuration will be used.
  - Client.PushedAuthorizationLifetime controls the lifetime of pushed authorization requests for a client. If this lifetime is set, it takes precedence over the global configuration. This defaults to null ...
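As an added illustration (not code from these release notes or from Duende's own samples), the following wires the options above together in a minimal host: PAR required globally with the 10-minute default kept, unregistered pushed redirect URIs left disabled, and one client that both pins its own PAR requirement and shortens its own lifetime. The client id, secret and redirect URI are constructed sample values, and PushedAuthorizationOptions.Lifetime is assumed to be a TimeSpan; the notes do not state its type.

```csharp
using Duende.IdentityServer;
using Duende.IdentityServer.Models;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddIdentityServer(options =>
    {
        // Require PAR for every client. Per-client flags can only add the
        // requirement on top of this; they cannot opt a client out of it.
        options.PushedAuthorization.Required = true;

        // Keep the default. Long enough for an interactive login, and within
        // the FAPI 2.0 recommendation. Assumed to be a TimeSpan.
        options.PushedAuthorization.Lifetime = TimeSpan.FromMinutes(10);

        // Explicitly keep the stricter default: the PAR spec permits relaxing
        // this because pushed requests are client-authenticated, but only do
        // so for clients that genuinely need dynamic redirect URIs.
        options.PushedAuthorization.AllowUnregisteredPushedRedirectUris = false;
    })
    .AddInMemoryClients(new[]
    {
        new Client
        {
            ClientId = "example-client",                      // constructed
            ClientSecrets = { new Secret("example-secret".Sha256()) },
            AllowedGrantTypes = GrantTypes.Code,
            RedirectUris = { "https://client.example/signin-oidc" },
            AllowedScopes = { IdentityServerConstants.StandardScopes.OpenId },

            // Redundant while the global flag is true, but keeps this client
            // on PAR even if the global requirement is later switched off.
            RequirePushedAuthorization = true,

            // In seconds; overrides the global lifetime for this client only.
            // Shorten it only where users are expected to finish login quickly,
            // since an expired pushed request fails the authorize call.
            PushedAuthorizationLifetime = 300,
        },
    });

var app = builder.Build();
app.UseIdentityServer();
app.Run();
```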
IdentityServer 6.3.6
This is a minor release that allows a method in the server side session store to be overridden.
What's Changed
- Make ServerSideSessionStore.GetAndRemoveExpiredSessionsAsync virtual. See #1435.
Full Changelog: 6.3.5...6.3.6
IdentityServer 6.3.5
This is a minor release that fixes a bug related to serialization of exceptions in the UnhandledExceptionEvent.
What's Changed
- Fixed a bug where the UnhandledExceptionEvent fails to serialize (Yo dawg, I heard you like errors, so I threw an error in your error event...). See #1422.
IdentityServer 7.0.0 Preview 1
Identity Server 7.0.0 Preview 1 previews support for .NET 8, as well as many other fixes and improvements.
.NET 8
IdentityServer now targets .NET 8. In addition to keeping IdentityServer implementations covered by Microsoft support, new features in .NET 8 enabled several improvements to IdentityServer. See #1337 for more details on the core update, and the item below for a related update that makes use of a new .NET 8 API.
- A TimeProvider-based clock abstraction improves the granularity of the clock and makes code that depends on it easier to test. See #1341.
Breaking Changes
Breaking changes are organized below based on the likelihood that they will impact your implementation. In summary, IdentityServer 7 preview 1 will require that you update to .NET 8, and may require minor changes if you are using particular extensibility points.
Likely to impact most implementations
- IdentityServer now supports .NET 8 only. See #1337.
Only impacts particular customizations or edge cases
- The DefaultCorsPolicyService now depends on the IConfigurationDbContext directly, instead of taking a dependency on the IServiceProvider and resolving that DbContext from it. If you have a customized CORS implementation that derives from the DefaultCorsPolicyService, you need to update the constructor of your derived class to use the IConfigurationDbContext. See #1239.
- The DPoPProofValidatonContext has been refactored. Instead of the Client property, we now put the relevant details (expiration validation mode and clock skew) directly in the context. We also have added the HTTP method and URL to the context. If you have a custom implementation of the IDPoPProofValidator or a class that derives from the DefaultDPoPProofValidator, update your usage of the context appropriately. See #1338.
- The reference token store now includes the session id when revoking reference tokens. Implementors of IReferenceTokenStore should update their implementation of token revocation to include the session id. See #1321.
- Invalid prompt modes now cause validation errors that result in an HTTP 400 (Bad Request). Previously, invalid prompt modes were ignored. This complies with updates to the OpenID Connect specification. See #1331.
Unlikely to impact anyone
- The KeyManagementOptions.SigningAlgorithms is now an ICollection rather than an IEnumerable. If you are configuring signing algorithms using code, and setting the SigningAlgorithms to some type that implements IEnumerable but not ICollection, then you must change the type that you are using. In practice, we expect everyone uses a list or array (which are both ICollections). See #1375.
- The value of the constant IdentityServerAuthenticationType has changed from "IdentityServer4" to "Duende.IdentityServer". This constant is used as the value of the authentication type within the ClaimsIdentity that IdentityServer constructs. The authentication type's value is never used by IdentityServer or ASP.NET, so this is unlikely to impact anyone. It is also the name of the default CORS policy created by IdentityServer. This could theoretically impact you if you have a CORS policy named "Duende.IdentityServer", as the new name now conflicts. See #1457.
Improvements
- Protocol endpoints use the new interface IHttpResponseWriter to write their HTTP responses. This facilitates customization, when you need to control the way that HTTP responses are written. This change was made in a way that was designed to be backwards compatible. Any custom IEndpointResult or IEndpointHandler should still work the way they used to. See #1342.
- Integrate server side sessions with the user info endpoint. See #1327.
- Local APIs now support DPoP. See #1338.
- Reference token revocation now respects the session id. See #1321.
- The license object is now public and available in the DI system. This allows for easier license status checks, UI that indicates that the license status, etc. See #1319.
- Refresh tokens can now be introspected at the introspection endpoint. See #1334.
- The sign out scheme is now inferred when external identity providers are used in combination with ASP.NET Identity. See #1265.
- The admin UI in the IdentityServerEntityFramework template now supports the InitiateLoginUri client property. See #1314.
- Improved use of nullable reference types. See #1315 and #1317.
- Make CORS debug log message more descriptive. See #1378.
- Use X-Frame-Options DENY to be consistent with CSP frame-ancestors 'none'. See #1389.
Bug Fixes
- Allow KeyManagementOptions to be bound from appsettings.json or other config sources. See #1375.
- Prevent duplicated keys in Dynamic Client Registration responses. See #1369.
- Remove the raw exception from unhandled exception events. These exceptions don't serialize cleanly and we already capture the exception message as part of the event. See #1363.
- Fix error log message formatting from the CIBA validator. See #1346.
Full Changelog: 6.3.5...7.0.0-preview.1
IdentityServer 6.3.4
This is a minor release that fixes two bugs.
What's Changed
- Fixed nullability annotation on IReturnUrlParser.ParseAsync. See #1344.
- Fixed a bug where refreshing tokens would fail. See #1403.
Full Changelog: 6.3.3...6.3.4
IdentityServer 6.3.3
This is a minor release that fixes a bug in some narrow edge cases related to disabling server side sessions. The same fix was applied to the 6.2.x release branch in 6.2.4.
What's Changed
- Check for IsAuthenticated in addition to Succeeded when calling AuthenticateAsync. See #1356.
Full Changelog: 6.3.2...6.3.3
IdentityServer 6.2.4
This is a minor release that fixes a bug in some narrow edge cases related to disabling server side sessions. The same fix was applied to the 6.3.x release branch in 6.3.3.
What's Changed
- Check for IsAuthenticated in addition to Succeeded when calling AuthenticateAsync. See #1353.
Full Changelog: 6.2.3...6.2.4
IdentityServer 6.3.2
This is a minor release that fixes bugs related to nullable reference type annotations.
What's Changed
- Allow null return values from IIdentityInteractionService.GetErrorContextAsync and IIdentityInteractionService.GetLogoutContextAsync. See #1304.
- Allow null parameter to IIdentityInteractionService.RevokeUserConsentAsync. See #1307.
- Allow null parameter to LogoutRequest. See #1304.
- Allow null session id in the PersistedGrant model. See #1304.
Full Changelog: 6.3.1...6.3.2
IdentityServer 6.3.1
This is a minor release with small bug fixes.
What's Changed
- Added nullability annotation to ClientClaimsPrefix. See #1298.
- Fixed a bug where server side sessions had incorrect issuance times. See #1297.
Full Changelog: 6.3.0...6.3.1