6.3.9

This is a patch release that updates our dependency on ASP.NET framework packages from version 6.0.0 (or 7.00) to version 6.0.26 (or 7.0.15). This updates our transitive dependency on the System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.JsonWebTokens packages past versions that have a known Denial of Service vulnerability.

What's Changed

• Update dependencies for 6.3.x by @AndersAbel in #1559
• Update ASP.NET core dependencies by @josephdecock in #1570

Full Changelog: 6.3.8...6.3.9

7.0.5

This is a patch release that fixes bugs related to the prompt and max_age parameters and a null reference exception when the http context is not available during cleanup jobs. It also adds a warning log when we detect certain misconfigurations of the state data formatter cache.

What's Changed

• Fix null reference exception in event service when httpcontext missing by @josephdecock in #1556
• Update OTel dependencies for 7.0 by @AndersAbel in #1560
  • This is an internal-only dependency used for testing and does not affect the dependencies in any released packages.
• Warn when non-distributed cache detected by @AndersAbel in #1550
• Prevent infinite loop when max_age=0 by @josephdecock in #1565
• PAR - support processed params in authorize endpoint by @josephdecock in #1566

Full Changelog: 7.0.4...7.0.5

7.0.4

This is a patch release that updates our dependency on ASP.NET framework packages from version 8.0.0 to version 8.0.3. This updates our transitive dependency on the System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.JsonWebTokens packages past versions that have a known Denial of Service vulnerability.

What's Changed

• update dependencies to latest patches by @brockallen in #1538

Full Changelog: 7.0.3...7.0.4

7.0.3

This is a patch release that fixes a bug where CryptographicExceptions would be thrown when hosting in IIS with the Load user profile option disabled.

What's Changed

• Exception type is updated from .NET 7 and up by @AndersAbel in #1535

Full Changelog: 7.0.2...7.0.3

7.0.2

This is a patch release that fixes a performance bug in the license validation.

What's Changed

• Rework license validator to not use ConcurrentDictionary by @AndersAbel in #1527

Full Changelog: 7.0.1...7.0.2

7.0.1

IdentityServer 7.0.1 reorganizes the OpenTelemetry metrics added in 7.0.0 in order to significantly improve their usability. The meter and counter names used in version 7.0.0 were not properly scoped, which caused issues in monitoring tools to the extent that many of the metrics would not be usable at all. We have therefore decided to rename our metrics. While this is a breaking change, we believe that a patch release close to the original 7.0.0 release is the least impactful way to resolve the situation.

Breaking Changes

• The OpenTelemetry metrics have been reorganized into two meters.
  • The overall health counters have been redefined and are now locked from further breaking changes for all 7.x releases.
  • The detailed counters have been moved to a new Experimental meter to indicate that they are not to be considered stable. Any changes to them will be announced as breaking changes in future release notes.
• Counter names are now prefixed to avoid ambiguity.
• Separate success and failure counters have been merged into a single counter, with success and failure indicated with tags.

For more details on the OTel Metrics, please see the documentation.

Full Changelog: 7.0.0...7.0.1

7.0.0

IdentityServer 7 is a major release that includes:

• Support for .NET 8
• Support for Pushed Authorization Requests (PAR)
• OpenTelemetry metrics
• Cleanup job improvements
• New default behavior for refresh tokens
• New extensibility points for CIBA requests
• Many other fixes and enhancements.

Full Changelog

.NET 8

IdentityServer now targets .NET 8. In addition to keeping IdentityServer implementations covered by Microsoft support, new features in .NET 8 enabled several improvements to IdentityServer. See #1337 for more details on the core update, and the item below for a related update that makes use of a new .NET 8 API.

• A TimeProvider based clock abstraction improves the granularity of the clock and make code that depends on it easier to test. See #1341.

Pushed Authorization Requests

IdentityServer now supports Pushed Authorization Requests. Pushed Authorization Requests (PAR) is a relatively new OAuth standard that improves the security of OAuth and OIDC flows by moving authorization parameters from the front channel to the back channel (that is, from redirect URLs in the browser to direct machine to machine http calls on the back end). See #1424.

OpenTelemetry Metrics

IdentityServer's support for OpenTelemetry now includes support for metrics. OpenTelemetry measurements are now made where we have historically raised our custom events. While IdentityServer will continue to raise those custom events, we think that OpenTelemetry offers significant advantages (open standards and a large ecosystem of tooling), and we intend to emphasize OpenTelemetry in our future work related to observability. See #1456.

Reusable Refresh Tokens

Refresh tokens are now reusable by default. Rotated refresh tokens have historically been encouraged (and been our default), however more recent guidance from the IETF and our own experience have shown that rotation is not usually helpful from a security point of view but is actively harmful to the user experience and produces greater load on the data store.

Rotation of refresh tokens often does not improve their security because a sophisticated attacker can observe the rotation happening while the user is active, and only make use of the final token after the user is no longer active. See OAuth for Browser Based Apps for more details on this sort of attack.

Rotation harms the user experience, because if the token is rotated, but the network response with the new token fails, the user will have to log in again.

Rotation adds pressure on the data store because each time the token rotates, the old record must be updated and a new record written.

Given all these considerations, we have changed our default for RefreshTokenUsage to ReUse. Also see #1500.

Token Cleanup Job Improvements

The token cleanup job has historically been the cause of database contention, especially in load-balanced environments, as multiple instances of the job each try to update the table. This release includes a new implementation of the cleanup job which uses EntityFramework's execute delete api to improve performance as well as randomizing the initial startup time of the cleanup job, to help reduce the amount of concurrency across instances. See #1501.

Breaking Changes

Likely to impact most implementations

• IdentityServer now supports .NET 8 only. See #1337.
• Schema Updates
  • The server-side session entity in Duende.IdentityServer.EntityFramework now uses a 64-bit long as its primary key (previously was a 32-bit int). See #1463.
  • Two new properties have been added to the client model for PAR support. See #1424.
    • Client.RequirePushedAuthorization is a new boolean property that controls if this client requires PAR. PAR is required if either the global configuration is enabled or if the client's flag is enabled (this can't be used to opt out of the global configuration). It is safe to initialize this column to false for existing clients, which will mean that the global configuration will be used.
    • Client.PushedAuthorizationLifetime is a new nullable integer property that controls the lifetime of pushed authorization requests (in seconds) for a client. If this lifetime is set, it takes precedence over the global configuration. It is safe to initialize this column to null for existing clients, which means the global configuration is used.
  • A new table has been added to store pushed authorization requests. This new table contains a hashed identifier, the pushed parameters (as a string, serialized and data protected), and the expiration time of the request. See #1424.

Only impacts particular customizations or edge cases

• The DefaultCorsPolicyService now depends on the IConfigurationDbContext directly, instead of taking a dependency on the IServiceProvider and resolving that DbContext from it. If you have a customized CORS implementation that derives from the DefaultCorsPolicyService, you need to update the constructor of your derived class to use the IConfigurationDbContext. See #1239.

• The DPoPProofValidatonContext has been refactored. Instead of the Client property, we now put the relevant details (expiration validation mode and clock skew) directly in the context. We also have added the HTTP method and URL to the context. If you have a custom implementation of the IDPoPProofValidator or a class that derives from the DefaultDPoPProofValidator, update your usage of the context appropriately. See #1338.

• The DefaultTokenService no longer includes an IHttpContextAccessor. This member was unused by the default implementation and marked as obsolete. Customizations that derive from the DefaultTokenService no longer need to pass the accessor to the base constructor. If such a customization needs the accessor, add it to the derived class. See #1457.

• The ValidatedAuthorizeRequest.RequestedResourceIndiators property was misspelled and has been renamed RequestedResourceIndicators. See #1457.

• The reference token store now includes the session id when revoking reference tokens. Implementors of IReferenceTokenStore should update their implementation of token revocation to include the session id. See #1321.

• Invalid prompt modes now cause validation errors that result in an HTTP 400 (Bad Request). Previously, invalid prompt modes were ignored. This complies with updates to the OpenID Connect specification. See #1331.

Newly Deprecated

• IAuthorizationParametersMessageStore is deprecated. PAR is a more robust/standardized approach to get similar benefits. See #1462.

• The IHttpContextAccessor in the EndSessionRequestValidator is unused and has been marked as obsolete. It will be removed in a future version. See #1457.

Previously Deprecated, Now Removed

• The obsolete IdentityServerOrigin constant has been removed.
• Several obsolete extension methods on HttpContext have been removed. These methods are replaced by methods in IServerUrls and IIssuerNameService. See #1457
  • HttpContext.GetSchemeSupportsSignOutAsync is replaced by IAuthenticationHandlerProvider.GetHandlerAsync (you will also need to check if the handler implements IAuthenticationSignOutHandler).
  • HttpContext.GetIdentityServerOrigin and HttpContext.SetIdentityServerOrigin are replaced by IServerUrls.Origin.
  • HttpContext.GetIdentityServerBasePath and HttpContext.SetIdentityServerBasePath are replaced by IServerUrls.BasePath.
  • GetIdentityServerHost is replaced by IServerUrls.Origin
  • GetIdentityServerBaseUrl is replaced by IServerUrls.BaseUrl
  • GetIdentityServerRelativeUrl is replaced by IServerUrls.GetIdentityServerRelativeUrl
  • GetIdentityServerIssuerUri is replaced by IIssuerNameService.GetCurrentAsync
  • RedirectToAbsoluteUrl is replaced by redirecting to a call to IServerUrls.GetAbsoluteUrl.
• The obsolete and unused IUserSessionExtensions interface has been removed. See #1457.
• The obsolete IPrincipal.GetName and IIdentity.GetName extension methods have been removed. Use ClaimsPrincipal.GetDisplayName instead. See #1457.
• The obsolete ResourceValidationRequest.IncludeNonIsolatedApiResources has been removed. This flag was no longer used. See #1457.

Unlikely to impact anyone

• The KeyManagementOptions.SigningAlgorithms is now an ICollection rather than an IEnumerable. If you are configuring signing algorithms using code, and setting the SigningAlgorithms to some type that implements IEnumerable but not ICollection, then you must change the type that you are using. In practice, we expect everyone uses a list or array (which are both ICollections). See #1375.

• The value of the constant IdentityServerAuthenticationType has changed from "IdentityServer4" to "Duende.IdentityServer". This constant is used as the value of the authentication type within the ClaimsIdentity that IdentityServer constructs. The authentication type's value is never used by IdentityServer or ASP.NET, so this is unlikely to impact anyone. It is also the name of the default cors policy created by IdentityServer. This could theoretically impact you if you have a CORS policy named "Duende.IdentityServer", as the new name now conflicts. See #1457.

New Configurati...

7.0.0 RC 1

Identity Server 7.0.0 RC 1 is the release candidate for IdentityServer 7. IdentityServer 7 includes support for .NET 8, pushed authorization requests, OpenTelemetry metrics, cleanup job improvements, and many other fixes and enhancements.

What's New since Preview 2

See below for more details and links to related PRs.

• Refresh tokens are now reusable by default.
• The token cleanup job has been improved to reduce database contention and locking.
• Several new extensibility points have been added:
  • The IdentityServerTools class now implements the new IIdentityServerTools interface, to facilitate testing.
  • ServerSideSideSessionRefreshTokenService.ValidateRefreshTokenAsync is now a virtual method, to facilitate customization.
  • The ICustomBackchannelAuthenticationValidator interface has been added to facilitate custom CIBA validation.
  • The CIBA request, validation, storage, and response models now all include a dictionary of custom Properties to facilitate custom request and response parameters.
• A regression introduced in preview 2 that prevented relaxed redirect url validation in mobile apps using the StrictRedirectUriValidatorAppAuth has been fixed.
• Activity Ids are now included in the ErrorMessage class.
• The ValidatedBackchannelAuthenticationRequest.RequestedResourceIndiators property was renamed to RequestedResourceIndicators (corrects spelling of indicators).
• The keys for Consent records in the persisted grant store are now hex encoded, similar to the other keys in that store. This prevents database collation issues from causing collisions when retrieving consents.

Full v7.0.0 Changelog

.NET 8

IdentityServer now targets .NET 8. In addition to keeping IdentityServer implementations covered by Microsoft support, new features in .NET 8 enabled several improvements to IdentityServer. See #1337 for more details on the core update, and the item below for a related update that makes use of a new .NET 8 API.

• A TimeProvider based clock abstraction improves the granularity of the clock and make code that depends on it easier to test. See #1341.

Pushed Authorization Requests

IdentityServer now supports Pushed Authorization Requests. Pushed Authorization Requests (PAR) is a relatively new OAuth standard that improves the security of OAuth and OIDC flows by moving authorization parameters from the front channel to the back channel (that is, from redirect URLs in the browser to direct machine to machine http calls on the back end). See #1424.

OpenTelemetry Metrics

IdentityServer's support for OpenTelemetry now includes support for metrics. OpenTelemetry measurements are now made where we have historically raised our custom events. While IdentityServer will continue to raise those custom events, we think that OpenTelemetry offers significant advantages (open standards and a large ecosystem of tooling), and we intend to emphasize OpenTelemetry in our future work related to observability. See #1456.

Reusable Refresh Tokens

Refresh tokens are now reusable by default. Rotated refresh tokens have historically been encouraged (and been our default), however more recent guidance from the IETF and our own experience have shown that rotation is not usually helpful from a security point of view but is actively harmful to the user experience and produces greater load on the data store.

Rotation of refresh tokens often does not improve their security because a sophisticated attacker can observe the rotation happening while the user is active, and only make use of the final token after the user is no longer active. See OAuth for Browser Based Apps for more details on this sort of attack.

Rotation harms the user experience, because if the token is rotated, but the network response with the new token fails, the user will have to log in again.

Rotation adds pressure on the data store because each time the token rotates, the old record must be updated and a new record written.

Given all these considerations, we have changed our default for RefreshTokenUsage to ReUse. Also see #1500.

Token Cleanup Job Improvements

The token cleanup job has historically been the cause of database contention, especially in load-balanced environments, as multiple instances of the job each try to update the table. This release includes a new implementation of the cleanup job which uses EntityFramework's execute delete api to improve performance as well as randomizing the initial startup time of the cleanup job, to help reduce the amount of concurrency across instances. See #1501.

Breaking Changes

Likely to impact most implementations

• IdentityServer now supports .NET 8 only. See #1337.
• Schema Updates
  • The server-side session entity in Duende.IdentityServer.EntityFramework now uses a 64-bit long as its primary key (previously was a 32-bit int). See #1463.
  • Two new properties have been added to the client model for PAR support. See #1424.
    • Client.RequirePushedAuthorization is a new boolean property that controls if this client requires PAR. PAR is required if either the global configuration is enabled or if the client's flag is enabled (this can't be used to opt out of the global configuration). It is safe to initialize this column to false for existing clients, which will mean that the global configuration will be used.
    • Client.PushedAuthorizationLifetime is a new nullable integer property that controls the lifetime of pushed authorization requests (in seconds) for a client. If this lifetime is set, it takes precedence over the global configuration. It is safe to initialize this column to null for existing clients, which means the global configuration is used.
  • A new table has been added to store pushed authorization requests. This new table contains a hashed identifier, the pushed parameters (as a string, serialized and data protected), and the expiration time of the request. See #1424.

Only impacts particular customizations or edge cases

• The DefaultCorsPolicyService now depends on the IConfigurationDbContext directly, instead of taking a dependency on the IServiceProvider and resolving that DbContext from it. If you have a customized CORS implementation that derives from the DefaultCorsPolicyService, you need to update the constructor of your derived class to use the IConfigurationDbContext. See #1239.

• The DPoPProofValidatonContext has been refactored. Instead of the Client property, we now put the relevant details (expiration validation mode and clock skew) directly in the context. We also have added the HTTP method and URL to the context. If you have a custom implementation of the IDPoPProofValidator or a class that derives from the DefaultDPoPProofValidator, update your usage of the context appropriately. See #1338.

• The DefaultTokenService no longer includes an IHttpContextAccessor. This member was unused by the default implementation and marked as obsolete. Customizations that derive from the DefaultTokenService no longer need to pass the accessor to the base constructor. If such a customization needs the accessor, add it to the derived class. See #1457.

• The ValidatedAuthorizeRequest.RequestedResourceIndiators property was misspelled and has been renamed RequestedResourceIndicators. See #1457.

• The reference token store now includes the session id when revoking reference tokens. Implementors of IReferenceTokenStore should update their implementation of token revocation to include the session id. See #1321.

• Invalid prompt modes now cause validation errors that result in an HTTP 400 (Bad Request). Previously, invalid prompt modes were ignored. This complies with updates to the OpenID Connect specification. See #1331.

Newly Deprecated

• IAuthorizationParametersMessageStore is deprecated. PAR is a more robust/standardized approach to get similar benefits. See #1462.

• The IHttpContextAccessor in the EndSessionRequestValidator is unused and has been marked as obsolete. It will be removed in a future version. See #1457.

Previously Deprecated, Now Removed

• The obsolete IdentityServerOrigin constant has been removed.
• Several obsolete extension methods on HttpContext have been removed. These methods are replaced by methods in IServerUrls and IIssuerNameService. See #1457
  • HttpContext.GetSchemeSupportsSignOutAsync is replaced by IAuthenticationHandlerProvider.GetHandlerAsync (you will also need to check if the handler implements IAuthenticationSignOutHandler).
  • HttpContext.GetIdentityServerOrigin and HttpContext.SetIdentityServerOrigin are replaced by IServerUrls.Origin.
  • HttpContext.GetIdentityServerBasePath and HttpContext.SetIdentityServerBasePath are replaced by IServerUrls.BasePath.
  • GetIdentityServerHost is replaced by IServerUrls.Origin
  • GetIdentityServerBaseUrl is replaced by IServerUrls.BaseUrl
  • GetIdentityServerRelativeUrl is replaced by IServerUrls.GetIdentityServerRelativeUrl
  • GetIdentityServerIssuerUri is replaced by IIssuerNameService.GetCurrentAsync
  • RedirectToAbsoluteUrl is replaced by redirecting to a call to IServerUrls.GetAbsoluteUrl.
• The obsolete and unused IUserSessionExtensions interface has been removed. See #1457.
• The obsolete IPrincipal.GetName and IIdentity.GetName extension methods have been removed. Use ClaimsPrincipal.GetDisplayName instead. See #1457.
• The obsolete ResourceValidationRequest.IncludeNonIsolatedApiResources has been removed. This flag was no ...

6.3.8

This is a minor release that improves error handling of grant deserialization.

What's Changed

• Return successfully deserialized grants even if some fail by @AndersAbel in #1506

Full Changelog: 6.3.7...6.3.8

6.3.7

This is a minor release that fixes two bugs.

What's Changed

• Fix incorrect LogWarning call by @AndersAbel in #1484
• Fix logout token iss when issuer is missing by @josephdecock in #1486

Full Changelog: 6.3.6...6.3.7