7.0.0
IdentityServer 7 is a major release that includes:
- Support for .NET 8
- Support for Pushed Authorization Requests (PAR)
- OpenTelemetry metrics
- Cleanup job improvements
- New default behavior for refresh tokens
- New extensibility points for CIBA requests
- Many other fixes and enhancements.
Full Changelog
.NET 8
IdentityServer now targets .NET 8. In addition to keeping IdentityServer implementations covered by Microsoft support, new features in .NET 8 enabled several improvements to IdentityServer. See #1337 for more details on the core update, and the item below for a related update that makes use of a new .NET 8 API.
- A
TimeProvider
based clock abstraction improves the granularity of the clock and make code that depends on it easier to test. See #1341.
Pushed Authorization Requests
IdentityServer now supports Pushed Authorization Requests. Pushed Authorization Requests (PAR) is a relatively new OAuth standard that improves the security of OAuth and OIDC flows by moving authorization parameters from the front channel to the back channel (that is, from redirect URLs in the browser to direct machine to machine http calls on the back end). See #1424.
OpenTelemetry Metrics
IdentityServer's support for OpenTelemetry now includes support for metrics. OpenTelemetry measurements are now made where we have historically raised our custom events. While IdentityServer will continue to raise those custom events, we think that OpenTelemetry offers significant advantages (open standards and a large ecosystem of tooling), and we intend to emphasize OpenTelemetry in our future work related to observability. See #1456.
Reusable Refresh Tokens
Refresh tokens are now reusable by default. Rotated refresh tokens have historically been encouraged (and been our default), however more recent guidance from the IETF and our own experience have shown that rotation is not usually helpful from a security point of view but is actively harmful to the user experience and produces greater load on the data store.
Rotation of refresh tokens often does not improve their security because a sophisticated attacker can observe the rotation happening while the user is active, and only make use of the final token after the user is no longer active. See OAuth for Browser Based Apps for more details on this sort of attack.
Rotation harms the user experience, because if the token is rotated, but the network response with the new token fails, the user will have to log in again.
Rotation adds pressure on the data store because each time the token rotates, the old record must be updated and a new record written.
Given all these considerations, we have changed our default for RefreshTokenUsage
to ReUse
. Also see #1500.
Token Cleanup Job Improvements
The token cleanup job has historically been the cause of database contention, especially in load-balanced environments, as multiple instances of the job each try to update the table. This release includes a new implementation of the cleanup job which uses EntityFramework's execute delete api to improve performance as well as randomizing the initial startup time of the cleanup job, to help reduce the amount of concurrency across instances. See #1501.
Breaking Changes
Likely to impact most implementations
- IdentityServer now supports .NET 8 only. See #1337.
- Schema Updates
- The server-side session entity in
Duende.IdentityServer.EntityFramework
now uses a 64-bit long as its primary key (previously was a 32-bit int). See #1463. - Two new properties have been added to the client model for PAR support. See #1424.
Client.RequirePushedAuthorization
is a new boolean property that controls if this client requires PAR. PAR is required if either the global configuration is enabled or if the client's flag is enabled (this can't be used to opt out of the global configuration). It is safe to initialize this column to false for existing clients, which will mean that the global configuration will be used.Client.PushedAuthorizationLifetime
is a new nullable integer property that controls the lifetime of pushed authorization requests (in seconds) for a client. If this lifetime is set, it takes precedence over the global configuration. It is safe to initialize this column tonull
for existing clients, which means the global configuration is used.
- A new table has been added to store pushed authorization requests. This new table contains a hashed identifier, the pushed parameters (as a string, serialized and data protected), and the expiration time of the request. See #1424.
- The server-side session entity in
Only impacts particular customizations or edge cases
-
The
DefaultCorsPolicyService
now depends on theIConfigurationDbContext
directly, instead of taking a dependency on theIServiceProvider
and resolving that DbContext from it. If you have a customized CORS implementation that derives from theDefaultCorsPolicyService
, you need to update the constructor of your derived class to use theIConfigurationDbContext
. See #1239. -
The
DPoPProofValidatonContext
has been refactored. Instead of theClient
property, we now put the relevant details (expiration validation mode and clock skew) directly in the context. We also have added the HTTP method and URL to the context. If you have a custom implementation of theIDPoPProofValidator
or a class that derives from theDefaultDPoPProofValidator
, update your usage of the context appropriately. See #1338. -
The
DefaultTokenService
no longer includes anIHttpContextAccessor
. This member was unused by the default implementation and marked as obsolete. Customizations that derive from theDefaultTokenService
no longer need to pass the accessor to the base constructor. If such a customization needs the accessor, add it to the derived class. See #1457. -
The
ValidatedAuthorizeRequest.RequestedResourceIndiators
property was misspelled and has been renamedRequestedResourceIndicators
. See #1457. -
The reference token store now includes the session id when revoking reference tokens. Implementors of
IReferenceTokenStore
should update their implementation of token revocation to include the session id. See #1321. -
Invalid prompt modes now cause validation errors that result in an HTTP 400 (Bad Request). Previously, invalid prompt modes were ignored. This complies with updates to the OpenID Connect specification. See #1331.
Newly Deprecated
-
IAuthorizationParametersMessageStore
is deprecated. PAR is a more robust/standardized approach to get similar benefits. See #1462. -
The
IHttpContextAccessor
in theEndSessionRequestValidator
is unused and has been marked as obsolete. It will be removed in a future version. See #1457.
Previously Deprecated, Now Removed
- The obsolete
IdentityServerOrigin
constant has been removed. - Several obsolete extension methods on
HttpContext
have been removed. These methods are replaced by methods inIServerUrls
andIIssuerNameService
. See #1457HttpContext.GetSchemeSupportsSignOutAsync
is replaced byIAuthenticationHandlerProvider.GetHandlerAsync
(you will also need to check if the handler implementsIAuthenticationSignOutHandler
).HttpContext.GetIdentityServerOrigin
andHttpContext.SetIdentityServerOrigin
are replaced byIServerUrls.Origin
.HttpContext.GetIdentityServerBasePath
andHttpContext.SetIdentityServerBasePath
are replaced byIServerUrls.BasePath
.GetIdentityServerHost
is replaced byIServerUrls.Origin
GetIdentityServerBaseUrl
is replaced byIServerUrls.BaseUrl
GetIdentityServerRelativeUrl
is replaced byIServerUrls.GetIdentityServerRelativeUrl
GetIdentityServerIssuerUri
is replaced byIIssuerNameService.GetCurrentAsync
RedirectToAbsoluteUrl
is replaced by redirecting to a call toIServerUrls.GetAbsoluteUrl
.
- The obsolete and unused
IUserSessionExtensions
interface has been removed. See #1457. - The obsolete
IPrincipal.GetName
andIIdentity.GetName
extension methods have been removed. UseClaimsPrincipal.GetDisplayName
instead. See #1457. - The obsolete
ResourceValidationRequest.IncludeNonIsolatedApiResources
has been removed. This flag was no longer used. See #1457.
Unlikely to impact anyone
-
The
KeyManagementOptions.SigningAlgorithms
is now anICollection
rather than anIEnumerable
. If you are configuring signing algorithms using code, and setting theSigningAlgorithms
to some type that implementsIEnumerable
but notICollection
, then you must change the type that you are using. In practice, we expect everyone uses a list or array (which are bothICollections
). See #1375. -
The value of the constant
IdentityServerAuthenticationType
has changed from "IdentityServer4" to "Duende.IdentityServer". This constant is used as the value of the authentication type within the ClaimsIdentity that IdentityServer constructs. The authentication type's value is never used by IdentityServer or ASP.NET, so this is unlikely to impact anyone. It is also the name of the default cors policy created by IdentityServer. This could theoretically impact you if you have a CORS policy named "Duende.IdentityServer", as the new name now conflicts. See #1457.
New Configuration Options
PAR
IdentityServerOptions
now includes thePushedAuthorization
property to configure PAR.PushedAuthorizationOptions.Required
causes par to be required globally. This defaults tofalse
.PushedAuthorizationOptions.Lifetime
controls the lifetime of pushed authorization requests. The pushed authorization request's lifetime begins when the request to the PAR endpoint is received, and is validated until the authorize endpoint returns a response to the client application. Note that user interaction, such as entering credentials or granting consent, may need to occur before the authorize endpoint can do so. Setting the lifetime too low will likely cause login failures for interactive users, if pushed authorization requests expire before those users complete authentication. Some security profiles, such as the FAPI 2.0 Security Profile recommend an expiration within 10 minutes to prevent attackers from pre-generating requests. To balance these constraints, this lifetime defaults to 10 minutes.PushedAuthorizationOptions.AllowUnregisteredPushedRedirectUris
controls whether clients may use redirect uris that were not previously registered. This is a relaxation of security guidance that is specifically allowed by the PAR specification because the pushed authorization requests are authenticated. It defaults tofalse
.
- The
Client
configuration object now includes two new properties to configure PAR on a per-client basis.Client.RequirePushedAuthorization
controls if this client requires PAR. PAR is required if either the global configuration is enabled or if the client's flag is enabled (this can't be used to opt out of the global configuration). This defaults tofalse
, which means the global configuration will be used.Client.PushedAuthorizationLifetime
controls the lifetime of pushed authorization requests for a client. If this lifetime is set, it takes precedence over the global configuration. This defaults tonull
, which means the global configuration is used.
- The
EndpointOptions
now includes a new flag to enable or disable the PAR endpoint:EnablePushedAuthorizationEndpoint
, which defaults totrue
.
Token Cleanup
OperationalStoreOptions.FuzzTokenCleanupStart
controls if the cleanup job's initial startup time will be randomized to reduce the amount of database contention when multiple cleanup jobs run at the same time. Defaults totrue
.
Other Improvements
- Protocol endpoints use the new interface
IHttpResponseWriter
to write their http responses. This facilitates customization, when you need to control the way that http responses are written. This change was made in a way that was designed to be backwards compatible. Any customIEndpointResult
orIEndpointHandler
should still work the way they used to. See #1342 and #1450. - Integrate server side sessions with the user info endpoint. See #1327.
- Local APIs now support DPoP. See #1338.
- Reference token revocation now respects the session id. See #1321.
- Ease extension of DCR using protected properties. Customizations that derive from the default DCR validator, request processor, and response generator now have access to the dependencies used in the default implementation. See #1464
- The processed and original prompt modes are now exposed on the
ValidatedAuthorizeRequest
. The prompt modes have historically been mutated as we use them, and the processed and original prompt modes have been tracked internally. We now expose these additional properties to facilitate customization that relies on the prompt modes. See #1453. - Postal codes for our quickstart UI's test users now use strings instead of integers. See #1451.
- The license object is now public and available in the DI system. This allows for easier license status checks, UI that indicates that the license status, etc. See #1319.
- Add support for introspection of refresh tokens. See #1334.
- The sign out scheme is now inferred when external identity providers are used in combination with asp.net Identity. See #1265.
- The admin UI in the
IdentityServerEntityFramework
template now supports theInitiateLoginUri
client property. See #1314. - Improved use of nullable reference types. See #1315 and #1317.
- Make CORS debug log message more descriptive. See #1378.
- Use X-Frame-Options DENY to be consistent with csp frame-ancestors 'none'. See #1389.
- The
IdentityServerTools
class now implements the newIIdentityServerTools
interface, to facilitate testing. See #1454. ServerSideSideSessionRefreshTokenService.ValidateRefreshTokenAsync
is now a virtual method, to facilitate customization. See #1488.- Activity Ids are now included in the
ErrorMessage
class. See #1494. - The CIBA request, validation, storage, and response models now all include a dictionary of custom properties to facilitate custom request and response parameters. See #1497 and #1512.
- The
ICustomBackchannelAuthenticationValidator
interface has been added to facilitate custom CIBA validation. See #1497. - The CIBA request, validation, storage, and response models now all include a dictionary of custom
Properties
to facilitate custom request - The keys for consent records in the persisted grant store are now hex encoded, similar to the other keys in that store. This prevents database collation issues from causing collisions when retrieving consents. This is a backwards compatible change - keys with the old encoding continue to work. See #1489.
Bug Fixes
- Allow
KeyManagementOptions
to be bound from appsettings.json or other config sources. See #1375. - Prevent duplicated keys in Dynamic Client Registration responses. See #1369.
- Fixed typos in KeyManager logging. See #1440.
- Remove the raw exception from unhandled exception events. These exceptions don't serialize cleanly and we already capture the exception message as part of the event. See #1363.
- Fix error log message formatting from the CIBA validator. See #1346.
- The error returned when no response_type is provided has changed from
invalid_response_type
toinvalid_request
, to better conform to RFC 6749. See #1423.