6.3.4

This is a minor release that fixes two bugs.

What's Changed

• Fixed nullability annotation on IReturnUrlParser.ParseAsync. See #1344
• Fixed a bug where refreshing tokens would fail. See #1403

Full Changelog: 6.3.3...6.3.4

6.3.3

This is a minor release that fixes a bug in some narrow edge cases related to disabling server side sessions. The same fix was applied to the 6.2.x release branch in 6.2.4.

What's Changed

• Check for IsAuthenticated in addition to Succeeded when calling AuthenticateAsync. See #1356.

Full Changelog: 6.3.2...6.3.3

6.2.4

This is a minor release that fixes a bug in some narrow edge cases related to disabling server side sessions. The same fix was applied to the 6.3.x release branch in 6.3.3.

What's Changed

• Check for IsAuthenticated in addition to Succeeded when calling AuthenticateAsync. See #1353.

Full Changelog: 6.2.3...6.2.4

6.3.2

This is a minor release that fixes bugs related to nullable reference type annotations.

What's Changed

• Allow null return values from IIdentityInteractionService.GetErrorContextAsync and IIdentityInteractionService.GetLogoutContextAsync. See #1304.
• Allow null parameter to IIdentityInteractionService.RevokeUserConsentAsync. See #1307.
• Allow null parameter to LogoutRequest. See #1304.
• Allow null session id in the PersistedGrant model. See #1304.

Full Changelog: 6.3.1...6.3.2

6.3.1

This is a minor release with small bug fixes.

What's Changed

• Added nullability annotation to ClientClaimsPrefix. See #1298.
• Fixed a bug where server side sessions had incorrect issuance times. See #1297.

Full Changelog: 6.3.0...6.3.1

6.3.0

This is a significant release that adds support for DPoP, Dynamic Client Registration, improves refresh token handling, and adds many other new features and bug fixes.

Breaking Changes

• A new ITokenCleanupService interface has been extracted from the TokenCleanupService, and IdentityServer now depends on that interface, rather than the service itself. Customizations of TokenCleanupService that previously were implemented by deriving from that class and registering the derived class in the DI system need to

  • Register the derived class as an implementation of ITokenCleanupService, and
  • Remove the IServerSideSessionsMarker from any calls to the base constructor.

  See issue #981.

• The TokenCleanupService.RemoveExpiredGrantsAsync method was renamed to CleanupGrantsAsync to reflect that it performs all grant cleanup work, including removing consumed grants and expired device codes in addition to expired grants. In the strictest sense, this is a breaking change, but it is very unlikely to cause issues during an upgrade because even though RemoveExpiredGrantsAsync was public, it was not virtual. If you were using RemoveExpiredGrantsAsync elsewhere, update your code to use the new name.

  See issue #981.

• The value of the typ claim in the header of Logout tokens has changed to logout+jwt, which complies with OpenID Connect Back-Channel Logout 1.0. Clients that were previously validating the typ need to be updated, or the old typ can continue to be used via the new LogoutTokenJwtType configuration option.

  See issue #1169.

• The TokenResponseGenerator.ProcessTokenRequestAsync virtual method, which generates access and refresh tokens and adds them to a response object, is now called by all token flows except the refresh token flow. This unifies the programming and extensibility model of the generator, which previously had duplicated code in some flows. If you have overridden this virtual method, be aware that it will now be called in all flows. Previously, the authorization code flow, device code flow, and CIBA flow did not invoke this method.

  See pull request: #1178.

• One time use (rotated) refresh tokens are now deleted immediately when they are used. If you rely on the existing behavior of marking refresh tokens as consumed (perhaps to allow for lenient rotations or replay detection), set the new PersistentGrantOptions.DeleteOneTimeOnlyRefreshTokensOnUse option to false.

  See issue #1102.

Schema Changes

• New InitiateLoginUri string property added to the Client model. This is a nullable string that can be left null for existing clients. This column is used for Third Party Initiated Login.

• New properties added to the Client Model for DPoP support:

  • RequireDPoP is a non-nullable boolean flag that requires a client to use DPoP. Existing clients can set this to false, unless you want the client to start using DPoP.
  • DPoPValidationMode is a non-nullable column that stores a "flags"-style enum that controls the DPoP validation mechanism. In most databases, this is represented as an integer. Existing clients that are not using DPoP can set its value to 0.
  • DPoPClockSkew is a non-nullable timespan that controls how much clock skew is allowed for a particular DPoP client. Existing clients that are not using DPoP can set its value to 0.

DPoP

IdentityServer 6.3 adds support for OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP) , a new OAuth specification for sender-constraining refresh tokens and access tokens. DPoP tokens can only be used by the client application that they are issued to, which provides a strong defense against replay attacks.

Our blog post announcing the feature is here, and detailed documentation is here.

See issues #1116 and #1266.

Configuration API/Dynamic Client Registration

IdentityServer 6.3 begins an effort to add programmatic configuration capabilities to IdentityServer. This configuration capability will take the form of a Configuration API that can be hosted either separately or within the IdentityServer implementation, and is distributed through the separate Duende.IdentityServer.Configuration nuget package.

This initial version of the Configuration API supports the OAuth and OIDC Dynamic Client Registration specifications, which allow a client or relying party to register their configuration details with IdentityServer dynamically by making standardized API requests. You could also use Dynamic Client Registration to provision environments automatically, perhaps in a deployment pipeline.

Our blog post announcing the feature is here, and detailed documentation is here.

See issue #111.

Client Application Portal

InitiateLoginUri is a new optional property added to the IdentityServer Client model that can be used to initiate login from the IdentityServer host. Typically this is used to create an application portal within the IdentityServer host, with links to the registered client applications. The UI templates now include an example of this portal.

See issue #1124.

Initiate User Registration via OIDC

OIDC Relying Parties can now indicate that user registration is needed using the standardized prompt=create parameter. To use this parameter, set the UserInteraction.CreateAccountUrl option to the location of your account creation page. The UI templates now include an example user registration page.

See issues #1029 and #432.

Step-up Error Handling

OIDC Relying Parties can request particular requirements during authentication using the step-up process. For example, they might require two factor authentication before allowing a highly sensitive transaction. IdentityServer now supports the unmet_authentication_requirements error response code during step-up, which can be returned if IdentityServer is unable to fullfil the step-up requirements. If you set the Error property of a ConsentResponse or AuthorizeResponse to "unmet_authentication_requirements" (you can use IdentityModel.OidcConstants.AuthorizeErrors.UnmetAuthenticationRequirements), IdentityServer will return the error to the client.

See issue #1133.

Refresh Token Cleanup

New configuration options (see below) have been added to control what happens to single use refresh tokens when they are used. If the new DeleteOneTimeOnlyRefreshTokensOnUse flag is set, they will be immediately deleted. If you wish to keep consumed tokens for a period time for replay detection or to allow for leniency in the rotation policy, you can now add a delay using the ConsumedTokenCleanupDelay, guaranteeing that consumed tokens will not be deleted for that amount of time.

See issues #1102, #1065, and #982.

New Configuration Options

• PersistentGrantOptions.DeleteOneTimeOnlyRefreshTokensOnUse controls what happens to RefreshTokenUsage.OneTime refresh tokens when they are used. They can now be either marked as consumed or deleted immediately. The intent is that if you aren't making use of the consumed tokens you can safely delete them immediately. The default is to immediately delete.

  See issue #1102.

• OperationalStoreOptions.ConsumedTokenCleanupDelay delays deletion of consumed tokens in the token cleanup job. The intent of the delay is to allow users to keep tokens for some period of time to be used in some custom process. Custom code in the RefreshTokenService could allow "lenient" one-time use refresh tokens that can be reused for a short interval or detect token replay attacks by checking if a token is reused inappropriately. The default value for this new option is 0.

  See issue #1102.

• LogoutTokenJwtType sets the typ claim in the header of logout tokens. Defaults to logout+jwt, which complies with OpenID Connect Back-Channel Logout 1.0.

  See issue #1029.

• UserInteraction.CreateAccountUrl controls where the user is sent when the prompt=create parameter is sent as part of an OIDC login flow. Setting this option enables support for that parameter and is reflected in the prompt_values_supported property o...

6.2.3

What's Changed

• Always emit the sid claim in id tokens by @josephdecock in #1157

Full Changelog: 6.2.2...6.2.3

6.2.2

What's Changed

• Fixes ToOptimizedRawValues to handle multiple resource values when combined with resource indicators by @josephdecock in #1140
• When cookie is re-issued ensure the issuer is captured in the ticket by @brockallen in #1141

New Contributors

• @runegri made their first contribution in #1118

Full Changelog: 6.2.1...6.2.2

6.2.1

Full Changelog: 6.2.0...6.2.1

Bug Fixes
Issue #1127 EmitIssuerIdentificationResponseParameter is reflected in discovery

6.2.0

What's Changed

Duende IdentityServer 6.2 adds:

• Support for .NET 7.0
• A new option that can help filter unhandled exceptions out of the logs
• Bug fixes and ongoing maintenance

.NET 7 Support

• Add NET7 RC1 support by @leastprivilege in #1027
• Additional changes to get net7 working by @brockallen in #1037
• Update to .NET 7 RC2 by @leastprivilege in #1051
  .NET 7
• add .NET 7 host by @leastprivilege in #1069
• updates for the samples after testing .net7 by @brockallen in #1073
• Update to .NET 7 RTM by @leastprivilege in #1091

Filter Unhandled Exceptions

• Introduce filter to allow suppression of unhandled exception logs in IdentityServer middleware by @brockallen in #1084

Bug Fixes

• add more defensive check for server side session store in DI by @brockallen in #900
• fix logger type for CIBA consent page by @brockallen in #939
• fix URI validation to allow query params with encoded values by @brockallen in #1006
• typo in CIBA BackchannelAuthenticationUserValidatonResult by @brockallen in #1066
• Fixed PersistedGrantFilter validation bug - filters with any criteria are now valid by @josephdecock in #1077
• filter consumed grants in the persisted grant service by @brockallen in #1064

Updates to Dependencies

• Update OTel libraries by @leastprivilege in #917
• Bump SimpleExec from 9.0.0 to 10.0.0 by @dependabot in #837
• Bump xunit.runner.visualstudio from 2.4.3 to 2.4.5 by @dependabot in #929
• Bump Microsoft.NET.Test.Sdk from 17.1.0 to 17.2.0 by @dependabot in #933
• Bump MinVer from 3.0.0 to 4.0.0 by @dependabot in #892
• Bump MinVer from 4.0.0 to 4.1.0 by @dependabot in #951
• Bump Serilog.AspNetCore from 5.0.0 to 6.0.0 by @dependabot in #971
• Bump Microsoft.NET.Test.Sdk from 17.2.0 to 17.3.0 by @dependabot in #1004
• Bump SimpleExec from 10.0.0 to 11.0.0 by @dependabot in #1014
• Bump MinVer from 4.1.0 to 4.2.0 by @dependabot in #1015
• Bump Bullseye from 4.0.0 to 4.1.0 by @dependabot in #1054
• Bump Bullseye from 4.0.0 to 4.1.1 by @dependabot in #1070
• Bump Microsoft.NET.Test.Sdk from 17.3.0 to 17.4.0 by @dependabot in #1088
• Bump Bullseye from 4.1.1 to 4.2.0 by @dependabot in #1093

Samples and Documentation

• Show info on how to enable server side sessions when disabled by @brockallen in #899
• Add comments to the LoggingOptions properties by @adammorr in #1013
• format JSON response in sample clients by @brockallen in #1081

Build, Test, Etc

• add copyright comment headers by @brockallen in #897
• Lock down GH actions by @leastprivilege in #908
• internal method name changes for clarity for key management by @brockallen in #978
• Enable TreatWarningsAsErrors by @brockallen in #1083
• 6.1.1 patches back to main by @leastprivilege in #941
• Merge patch 6.1.2 commits to main by @brockallen in #968
• Merge 6.1.3 patch into main by @brockallen in #1001
• Add some simple tests for ICache and caching resource store by @brockallen in #1002
• Merge 6.1.6 patch into main by @brockallen in #1019
• Merge patch branch 6.1.7 by @brockallen in #1045
• Update LICENSE url by @brockallen in #1046
• Switch to latest CodeQL due to bug by @leastprivilege in #1058
• Minor updates to build by @leastprivilege in #1060
• add an integration test showing a custom claims service adding an audience claim by @brockallen in #1075
• Verify refresh token creation and lifetime in test by @altenstedt in #1074
• Add unit tests for parsing client credentials when client ids include colons by @josephdecock in #1082
• Remove GRM yaml file by @leastprivilege in #1095

New Contributors

• @adammorr made their first contribution in #1013
• @josephdecock made their first contribution in #1077
• @altenstedt made their first contribution in #1074

Full Changelog: 6.1.7...6.2.0