Releases: DuendeSoftware/products

IdentityServer 7.1.0

13 Jan 17:09

IdentityServer 7.1.0 is a significant release that includes:

  • .NET 9 support
  • Use of Duende.IdentityModel
  • New license usage helpers
  • Friendly READMEs in the NuGet packages
  • Improved log filtering when HTTP requests are aborted
  • Redaction of the subject token during token exchange
  • Improved extensibility of the ClientConfigurationStore in the Configuration API
  • Several bug fixes
  • Numerous small code quality and performance enhancements from the community

Breaking Changes

There are no schema changes needed for IdentityServer 7.1.0. Small code changes will be required for most users to upgrade.

  • IdentityModel renamed Duende.IdentityModel
  • ClientConfigurationStore now uses IConfigurationDbContext

IdentityModel renamed Duende.IdentityModel

  • Use Duende.IdentityModel 7.0.0 by @damianh in #1621
    Our open source IdentityModel library has been renamed Duende.IdentityModel, and we now depend on Duende.IdentityModel instead of IdentityModel. Duende.IdentityModel is a drop-in replacement for IdentityModel with updated namespaces that include the Duende prefix. If you are using IdentityModel's types in your IdentityServer implementation, you will need to update references from IdentityModel to Duende.IdentityModel (replace "using IdentityModel" with "using Duende.IdentityModel").

ClientConfigurationStore now uses IConfigurationDbContext

  • Use IConfigurationDbContext in ClientConfigurationStore by @stefannikolei in #1624
    The ClientConfigurationStore in the Duende.Configuration.EntityFramework package now depends on IConfigurationDbContext instead of ConfigurationDbContext to allow for customization. If you have a customized store that derives from the default store, you may need to update your constructors. Note that this only affects the Entity Framework based implementation of the configuration store used by the dynamic client registration configuration API.

Enhancements

.NET 9

  • Update to .NET 9 by @josephdecock in #1603
  • Update .NET9 from rc2 to release by @stefannikolei in #1623
    IdentityServer 7.1 multi-targets .NET 8 and .NET 9. Both versions are supported.

License Usage Helpers

  • Add new license management services by @josephdecock in #1637
    A LicenseUsageSummary is now available which includes the license edition and clients, issuers, and enterprise or business edition features used. The intent is to make it easier to understand which license is needed.

Other Enhancements

  • Filter subject token from TokenRequest log by @krosn in #1521
    Subject tokens from token exchange are now redacted by default from logs.
  • Update GitHub readme, add NuGet readmes by @josephdecock in #1610
    All IdentityServer NuGet packages now have README files.
  • Filter all OperationCanceledExceptions from logs, instead of only TaskCanceledExceptions by @josephdecock in #1671
    Aborted HTTP requests result in expected exceptions, which we filter out of our logging when the request is aborted. Sometimes this is raised as OperationCanceledException instead of TaskCanceledException, so we now filter both.

Bug Fixes

  • Fall back to other token types when given incorrect hint during introspection by @josephdecock in #1607
    When an incorrect token_type_hint parameter is passed during introspection we now fall back to find tokens of the other type, in compliance with RFC 7662 Section 2.1.
  • Clean up retired keys even if they are not unprotectable by @josephdecock in #1608
    Retired signing keys will now be deleted by the key manager even if the data protected portion of the key cannot be unprotected.
  • Filter protocol claims from reference tokens by @josephdecock in #1662
    Reference tokens from IdentityServer 4 sometimes contain "protocol" claims, such as iat, which caused a bug where claims were duplicated.
  • Respect EnableBackchannelAuthenticationEndpoint during routing by @EternamFr in #1599
    If CIBA is disabled in config, we now disable the endpoint in addition to suppressing it in discovery.
  • Persist claim issuers in server side sessions by @josephdecock in #1660
    Claims from third-party issuers now track their issuer in a server side session, which fixes issues related to logout when integrating with 3rd party SAML providers.
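
The token_type_hint fallback from #1607, sketched as an added example (not IdentityServer's own code): a lookup that trusts the hint alone reports a valid token as inactive when the hint is wrong, while the RFC 7662 Section 2.1 behaviour searches the remaining token types. The in-memory stores, the HintLookup class, its method names and the sample token values are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed sample data: in-memory stand-ins for the two token stores.
var stores = new Dictionary<string, HashSet<string>>
{
    ["access_token"]  = new() { "at-constructed-1" },
    ["refresh_token"] = new() { "rt-constructed-2" },
};

// A refresh token sent with the wrong hint, an access token sent with an
// unsupported hint, and a token that no store holds.
var requests = new (string Token, string? Hint)[]
{
    ("rt-constructed-2", "access_token"),
    ("at-constructed-1", "id_token"),
    ("unknown-token", "refresh_token"),
};

foreach (var (token, hint) in requests)
{
    var hintOnly = HintLookup.HintOnly(stores, token, hint);
    var fallback = HintLookup.WithFallback(stores, token, hint);
    Console.WriteLine($"hint={hint,-13} hint-only: active={hintOnly is not null}, " +
                      $"with fallback: active={fallback is not null} ({fallback ?? "not found"})");
}

static class HintLookup
{
    // Trusts the hint alone: a wrong or unsupported hint makes a valid token look inactive.
    public static string? HintOnly(Dictionary<string, HashSet<string>> stores, string token, string? hint) =>
        hint is not null && stores.TryGetValue(hint, out var set) && set.Contains(token) ? hint : null;

    // RFC 7662 Section 2.1: try the hinted type first, then extend the search
    // across every other supported token type. Returns the type that matched, or null.
    public static string? WithFallback(Dictionary<string, HashSet<string>> stores, string token, string? hint)
    {
        var hintedFirst = stores.Keys.OrderByDescending(type => type == hint);
        return hintedFirst.FirstOrDefault(type => stores[type].Contains(token));
    }
}
```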

Code Quality

Performance Enhancements

New Contributors

Full Changelog: 7.0.8...7.1.0-rc.1

IdentityServer 7.1.0 Release Candidate 2

06 Jan 17:55
1756170

This is release candidate 2 for IdentityServer 7.1.0. This adds a fix for #1689 to the previous release candidate. Please see 7.1.0-rc.1's release notes for further information about the 7.1.0 release.

IdentityServer 7.1.0 Release Candidate 1

06 Jan 17:54
5c68cf3

This is release candidate 1 for IdentityServer 7.1.0, a significant release that includes:

  • .NET 9 support
  • Use of Duende.IdentityModel
  • New license usage helpers
  • Friendly READMEs in the NuGet packages
  • Improved log filtering when HTTP requests are aborted
  • Redaction of the subject token during token exchange
  • Improved extensibility of the ClientConfigurationStore in the Configuration API
  • Several bug fixes
  • Numerous small code quality and performance enhancements from the community

Breaking Changes

There are no schema changes needed for IdentityServer 7.1.0. Small code changes will be required for most users to upgrade.

  • IdentityModel renamed Duende.IdentityModel
  • ClientConfigurationStore now uses IConfigurationDbContext

IdentityModel renamed Duende.IdentityModel

  • Use Duende.IdentityModel 7.0.0 by @damianh in #1621
    Our open source IdentityModel library has been renamed Duende.IdentityModel, and we now depend on Duende.IdentityModel instead of IdentityModel. Duende.IdentityModel is a drop-in replacement for IdentityModel with updated namespaces that include the Duende prefix. If you are using IdentityModel's types in your IdentityServer implementation, you will need to update references from IdentityModel to Duende.IdentityModel (replace "using IdentityModel" with "using Duende.IdentityModel").

ClientConfigurationStore now uses IConfigurationDbContext

  • Use IConfigurationDbContext in ClientConfigurationStore by @stefannikolei in #1624
    The ClientConfigurationStore in the Duende.Configuration.EntityFramework package now depends on IConfigurationDbContext instead of ConfigurationDbContext to allow for customization. If you have a customized store that derives from the default store, you may need to update your constructors. Note that this only affects the Entity Framework based implementation of the configuration store used by the dynamic client registration configuration API.

Enhancements

.NET 9

  • Update to .NET 9 by @josephdecock in #1603
  • Update .NET9 from rc2 to release by @stefannikolei in #1623
    IdentityServer 7.1 multi-targets .NET 8 and .NET 9. Both versions are supported.

License Usage Helpers

  • Add new license management services by @josephdecock in #1637
    A LicenseUsageSummary is now available which includes the license edition and clients, issuers, and enterprise or business edition features used. The intent is to make it easier to understand which license is needed.

Other Enhancements

  • Filter subject token from TokenRequest log by @krosn in #1521
    Subject tokens from token exchange are now redacted by default from logs.
  • Update GitHub readme, add NuGet readmes by @josephdecock in #1610
    All IdentityServer NuGet packages now have README files.
  • Filter all OperationCanceledExceptions from logs, instead of only TaskCanceledExceptions by @josephdecock in #1671
    Aborted HTTP requests result in expected exceptions, which we filter out of our logging when the request is aborted. Sometimes this is raised as OperationCanceledException instead of TaskCanceledException, so we now filter both.

Bug Fixes

  • Fall back to other token types when given incorrect hint during introspection by @josephdecock in #1607
    When an incorrect token_type_hint parameter is passed during introspection we now fall back to find tokens of the other type, in compliance with RFC 7662 Section 2.1.
  • Clean up retired keys even if they are not unprotectable by @josephdecock in #1608
    Retired signing keys will now be deleted by the key manager even if the data protected portion of the key cannot be unprotected.
  • Filter protocol claims from reference tokens by @josephdecock in #1662
    Reference tokens from IdentityServer 4 sometimes contain "protocol" claims, such as iat, which caused a bug where claims were duplicated.
  • Respect EnableBackchannelAuthenticationEndpoint during routing by @EternamFr in #1599
    If CIBA is disabled in config, we now disable the endpoint in addition to suppressing it in discovery.
  • Persist claim issuers in server side sessions by @josephdecock in #1660
    Claims from third-party issuers now track their issuer in a server side session, which fixes issues related to logout when integrating with 3rd party SAML providers.

Code Quality

Performance Enhancements

New Contributors

Full Changelog: 7.0.8...7.1.0-rc.1

IdentityServer 7.1.0-preview.1

07 Jan 03:11
0850cda
Pre-release

IdentityServer 7.1.0-preview.1 is the first preview release of IdentityServer 7.1.0. It includes support for .NET 9, adds friendly READMEs to the NuGet packages, and includes a few smaller enhancements and bugfixes.

Breaking Changes

There are no breaking changes at the schema or API level in this release.

  • No schema updates are required.
  • While we are adding support for .NET 9, .NET 8 continues to be supported.

There is a log message change, which we highlight as a breaking change in case monitoring or other tooling that consumes the logs relies on the old behavior:

  • Subject tokens (the tokens passed in during token exchange) are now redacted from logs by @krosn in #1521
    If you need the old behavior, remove OidcConstants.TokenRequest.SubjectToken from the TokenRequestSensitiveValuesFilter option.

.NET 9

IdentityServer 7.1.0 supports both .NET 8 and .NET 9.

READMEs

Fixes and Enhancements

  • Avoid multiple check adding clientid by @testfirstcoder in #1586
  • Fall back to other token types when given incorrect hint in introspection by @josephdecock in #1607
  • Use example.com as the domain for emails for test users by @wenz in #1606

New Contributors

Full Changelog: 7.0.7...7.1.0-preview.1

IdentityServer 7.0.8

07 Jan 03:12
f28cac9

This is a security hotfix that addresses CVE-2024-49755, a low-severity vulnerability in our handling of DPoP access tokens at local APIs. See our blog post and the security advisory for more details.

IdentityServer 7.0.7

07 Jan 03:12
d9afcc3

This is a patch release that allows the UserInteractionOptions.PromptValuesSupported to be customized, in order to support custom prompt modes.

What's Changed

Full Changelog: 7.0.6...7.0.7

IdentityServer 7.0.6

07 Jan 03:16
765116a

This is a security hotfix that addresses CVE-2024-39694. See the security advisory for more details.

IdentityServer 6.3.10

07 Jan 03:17
269ca21

This is a security hotfix that addresses CVE-2024-39694. See the security advisory for more details.

IdentityServer 6.2.5

07 Jan 03:17

This is a security hotfix that addresses CVE-2024-39694. See the security advisory for more details.

IdentityServer 6.1.8

07 Jan 03:19
f04cf0b

This is a security hotfix that addresses CVE-2024-39694. See the security advisory for more details.