Skip to content

Releases: DuendeSoftware/products

IdentityServer 6.3.0

07 Jan 03:30
@brockallen brockallen
is/6.3.0
274b79f
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
IdentityServer 6.3.0

This is a significant release that adds support for DPoP, Dynamic Client Registration, improves refresh token handling, and adds many other new features and bug fixes.

Breaking Changes

  • A new ITokenCleanupService interface has been extracted from the TokenCleanupService, and IdentityServer now depends on that interface, rather than the service itself. Customizations of TokenCleanupService that previously were implemented by deriving from that class and registering the derived class in the DI system need to

    • Register the derived class as an implementation of ITokenCleanupService, and
    • Remove the IServerSideSessionsMarker from any calls to the base constructor.

    See issue #981.

  • The TokenCleanupService.RemoveExpiredGrantsAsync method was renamed to CleanupGrantsAsync to reflect that it performs all grant cleanup work, including removing consumed grants and expired device codes in addition to expired grants. In the strictest sense, this is a breaking change, but it is very unlikely to cause issues during an upgrade because even though RemoveExpiredGrantsAsync was public, it was not virtual. If you were using RemoveExpiredGrantsAsync elsewhere, update your code to use the new name.

    See issue #981.

  • The value of the typ claim in the header of Logout tokens has changed to logout+jwt, which complies with OpenID Connect Back-Channel Logout 1.0. Clients that were previously validating the typ need to be updated, or the old typ can continue to be used via the new LogoutTokenJwtType configuration option.

    See issue #1169.

  • The TokenResponseGenerator.ProcessTokenRequestAsync virtual method, which generates access and refresh tokens and adds them to a response object, is now called by all token flows except the refresh token flow. This unifies the programming and extensibility model of the generator, which previously had duplicated code in some flows. If you have overridden this virtual method, be aware that it will now be called in all flows. Previously, the authorization code flow, device code flow, and CIBA flow did not invoke this method.

    See pull request: #1178.

  • One time use (rotated) refresh tokens are now deleted immediately when they are used. If you rely on the existing behavior of marking refresh tokens as consumed (perhaps to allow for lenient rotations or replay detection), set the new PersistentGrantOptions.DeleteOneTimeOnlyRefreshTokensOnUse option to false.

    See issue #1102.

Schema Changes

  • New InitiateLoginUri string property added to the Client model. This is a nullable string that can be left null for existing clients. This column is used for Third Party Initiated Login.

  • New properties added to the Client Model for DPoP support:

    • RequireDPoP is a non-nullable boolean flag that requires a client to use DPoP. Existing clients can set this to false, unless you want the client to start using DPoP.
    • DPoPValidationMode is a non-nullable column that stores a "flags"-style enum that controls the DPoP validation mechanism. In most databases, this is represented as an integer. Existing clients that are not using DPoP can set its value to 0.
    • DPoPClockSkew is a non-nullable timespan that controls how much clock skew is allowed for a particular DPoP client. Existing clients that are not using DPoP can set its value to 0.

DPoP

IdentityServer 6.3 adds support for OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP) , a new OAuth specification for sender-constraining refresh tokens and access tokens. DPoP tokens can only be used by the client application that they are issued to, which provides a strong defense against replay attacks.

Our blog post announcing the feature is here, and detailed documentation is here.

See issues #1116 and #1266.

Configuration API/Dynamic Client Registration

IdentityServer 6.3 begins an effort to add programmatic configuration capabilities to IdentityServer. This configuration capability will take the form of a Configuration API that can be hosted either separately or within the IdentityServer implementation, and is distributed through the separate Duende.IdentityServer.Configuration nuget package.

This initial version of the Configuration API supports the OAuth and OIDC Dynamic Client Registration specifications, which allow a client or relying party to register their configuration details with IdentityServer dynamically by making standardized API requests. You could also use Dynamic Client Registration to provision environments automatically, perhaps in a deployment pipeline.

Our blog post announcing the feature is here, and detailed documentation is here.

See issue #111.

Client Application Portal

InitiateLoginUri is a new optional property added to the IdentityServer Client model that can be used to initiate login from the IdentityServer host. Typically this is used to create an application portal within the IdentityServer host, with links to the registered client applications. The UI templates now include an example of this portal.

See issue #1124.

Initiate User Registration via OIDC

OIDC Relying Parties can now indicate that user registration is needed using the standardized prompt=create parameter. To use this parameter, set the UserInteraction.CreateAccountUrl option to the location of your account creation page. The UI templates now include an example user registration page.

See issues #1029 and #432.

Step-up Error Handling

OIDC Relying Parties can request particular requirements during authentication using the step-up process. For example, they might require two factor authentication before allowing a highly sensitive transaction. IdentityServer now supports the unmet_authentication_requirements error response code during step-up, which can be returned if IdentityServer is unable to fullfil the step-up requirements. If you set the Error property of a ConsentResponse or AuthorizeResponse to "unmet_authentication_requirements" (you can use IdentityModel.OidcConstants.AuthorizeErrors.UnmetAuthenticationRequirements), IdentityServer will return the error to the client.

See issue #1133.

Refresh Token Cleanup

New configuration options (see below) have been added to control what happens to single use refresh tokens when they are used. If the new DeleteOneTimeOnlyRefreshTokensOnUse flag is set, they will be immediately deleted. If you wish to keep consumed tokens for a period time for replay detection or to allow for leniency in the rotation policy, you can now add a delay using the ConsumedTokenCleanupDelay, guaranteeing that consumed tokens will not be deleted for that amount of time.

See issues #1102, #1065, and #982.

New Configuration Options

  • PersistentGrantOptions.DeleteOneTimeOnlyRefreshTokensOnUse controls what happens to RefreshTokenUsage.OneTime refresh tokens when they are used. They can now be either marked as consumed or deleted immediately. The intent is that if you aren't making use of the consumed tokens you can safely delete them immediately. The default is to immediately delete.

    See issue #1102.

  • OperationalStoreOptions.ConsumedTokenCleanupDelay delays deletion of consumed tokens in the token cleanup job. The intent of the delay is to allow users to keep tokens for some period of time to be used in some custom process. Custom code in the RefreshTokenService could allow "lenient" one-time use refresh tokens that can be reused for a short interval or detect token replay attacks by checking if a token is reused inappropriately. The default value for this new option is 0.

    See issue #1102.

  • LogoutTokenJwtType sets the typ claim in the header of logout tokens. Defaults to logout+jwt, which complies with OpenID Connect Back-Channel Logout 1.0.

    See issue #1029.

  • UserInteraction.CreateAccountUrl controls where the user is sent when the prompt=create parameter is sent as part of an OIDC login flow. Setting this option enables support for that parameter and is reflected in the prompt_values_supported property o...

Read more
Assets 2
Loading

IdentityServer 6.2.3

07 Jan 03:30
@brockallen brockallen
is/6.2.3
84bc142
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
IdentityServer 6.2.3

What's Changed

Full Changelog: 6.2.2...6.2.3

Contributors

josephdecock
Assets 2
Loading

IdentityServer 6.2.2

07 Jan 03:30
@brockallen brockallen
is/6.2.2
2f5eee2
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
IdentityServer 6.2.2

What's Changed

  • Fixes ToOptimizedRawValues to handle multiple resource values when combined with resource indicators by @josephdecock in #1140
  • When cookie is re-issued ensure the issuer is captured in the ticket by @brockallen in #1141

New Contributors

Full Changelog: 6.2.1...6.2.2

Contributors

runegri, brockallen, and josephdecock
Assets 2
Loading

IdentityServer 6.2.1

07 Jan 03:31
@brockallen brockallen
is/6.2.1
bda14c3
Compare
Choose a tag to compare
IdentityServer 6.2.1

Full Changelog: 6.2.0...6.2.1

Bug Fixes
Issue #1127 EmitIssuerIdentificationResponseParameter is reflected in discovery

Assets 2
Loading

IdentityServer 6.2.0

07 Jan 03:31
@brockallen brockallen
is/6.2.0
d923c6c
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
IdentityServer 6.2.0

What's Changed

Duende IdentityServer 6.2 adds:

  • Support for .NET 7.0
  • A new option that can help filter unhandled exceptions out of the logs
  • Bug fixes and ongoing maintenance

.NET 7 Support

Filter Unhandled Exceptions

  • Introduce filter to allow suppression of unhandled exception logs in IdentityServer middleware by @brockallen in #1084

Bug Fixes

  • add more defensive check for server side session store in DI by @brockallen in #900
  • fix logger type for CIBA consent page by @brockallen in #939
  • fix URI validation to allow query params with encoded values by @brockallen in #1006
  • typo in CIBA BackchannelAuthenticationUserValidatonResult by @brockallen in #1066
  • Fixed PersistedGrantFilter validation bug - filters with any criteria are now valid by @josephdecock in #1077
  • filter consumed grants in the persisted grant service by @brockallen in #1064

Updates to Dependencies

Samples and Documentation

Build, Test, Etc

New Contributors

Full Changelog: 6.1.7...6.2.0

Contributors

altenstedt, brockallen, and 4 other contributors
Assets 2
Loading

IdentityServer 6.2.0 Preview 1

07 Jan 03:31
@leastprivilege leastprivilege
is/6.2.0-preview.1
836c1a5
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
IdentityServer 6.2.0 Preview 1 Pre-release
Pre-release

What's Changed

New Contributors

Full Changelog: 6.1.7...6.2.0-preview.1

Contributors

brockallen, leastprivilege, and 2 other contributors
Assets 2
Loading

IdentityServer 6.1.7

07 Jan 03:31
@brockallen brockallen
is/6.1.7
96a6d0b
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
IdentityServer 6.1.7

What's Changed

Full Changelog: 6.1.6...6.1.7

Contributors

brockallen
Assets 2
Loading

IdentityServer 6.1.6

07 Jan 03:31
@brockallen brockallen
is/6.1.6
3b7c05d
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
IdentityServer 6.1.6

What's Changed

  • Add support for "extras" in license key by @brockallen in #1030
  • Fix refresh token data fixup upgrade when using DefaultPersistedGrantService by @brockallen in #1028

Full Changelog: 6.1.5...6.1.6

Contributors

brockallen
Assets 2
Loading

IdentityServer 6.1.5

07 Jan 03:31
@brockallen brockallen
is/6.1.5
f0a2997
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
IdentityServer 6.1.5

What's Changed

  • when renewing server-side session, create new entry if current session not found by @brockallen in #1008

Full Changelog: 6.1.4...6.1.5

Contributors

brockallen
Assets 2
Loading

IdentityServer 6.1.4

07 Jan 03:31
@brockallen brockallen
is/6.1.4
41a8f0a
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
IdentityServer 6.1.4

What's Changed

  • fix URI validation to allow query params with encoded values by @brockallen in #1007

Full Changelog: 6.1.3...6.1.4

Contributors

brockallen
Assets 2
Loading