IdentityServer 7.1.0 Release Candidate 2

This is release candidate 2 for IdentityServer 7.1.0. This adds a fix for #1689 to the previous release candidate. Please see 7.1.0-rc.1's release notes for further information about the 7.1.0 release.

IdentityServer 7.1.0 Release Candidate 1

This is release candidate 1 for IdentityServer 7.1.0, a significant release that includes:

• .NET 9 support
• Use of Duende.IdentityModel
• New license usage helpers
• Friendly READMEs in the NuGet packages
• Improved log filtering when HTTP requests are aborted
• Redaction of the subject token during token exchange
• Improved extensibility of the ClientConfigurationStore in the Configuration API
• Several bug fixes
• Numerous small code quality and performance enhancements from the community

Breaking Changes

There are no schema changes needed for IdentityServer 7.1.0. Small code changes will be required for must users to upgrade.

• IdentityModel renamed Duende.IdentityModel
• ClientConfigurationStore now uses IConfigurationDbContext

IdentityModel renamed Duende.IdentityModel

• Use Duende.IdentityModel 7.0.0 by @damianh in #1621
  Our open source IdentityModel library has been renamed Duende.IdentityModel, and we now depend on Duende.IdentityModel instead of IdentityModel. Duende.IdentityModel is a drop-in replacement for IdentityModel with updated namespaces that include the Duende prefix. If you are using IdentityModel's types in your IdentityServer implementation, you will need to update references from IdentityModel to Duende.IdentityModel (replace "using IdentityModel" with "using Duende.IdentityModel").

ClientConfigurationStore now uses IConfigurationDbContext

• Use IConfigurationDbContext in ClientConfigurationStore by @stefannikolei in #1624
  The ClientConfigurationStore in the Duende.Configuration.EntityFramework package now depends on IConfigurationDbContext instead of ConfigurationDbContext to allow for customization. If you have a customized store that derives from the default store, you may need to update your constructors. Note that this only affects the Entity Framework based implementation of the configuration store used by the dynamic client registration configuration API.

Enhancements

.NET 9

• Update to .NET 9 by @josephdecock in #1603
• Update .NET9 from rc2 to release by @stefannikolei in #1623
  IdentityServer 7.1 multi-targets .NET 8 and .NET 9. Both versions are supported.

License Usage Helpers

• Add new license management services by @josephdecock in #1637
  A LicenseUsageSummary is now available which includes the license edition and clients, issuers, and enterprise or business edition features used. The intent is to make it easier to understand which license is needed.

Other Enhancements

• Filter subject token from TokenRequest log by @krosn in #1521
  Subject tokens from token exchange are now redacted by default from logs.
• Update GitHub readme, add NuGet readmes by @josephdecock in #1610
  All IdentityServer NuGet packages now have README files.
• Filter all OperationCanceledExceptions from logs, instead of only TaskCanceledExceptions by @josephdecock in #1671
  Aborted HTTP requests result in expected exceptions, which we filter out of our logging when the request is aborted. Sometimes this is raised as OperationCanceledException instead of TaskCanceledException, so we now filter both.

Bug Fixes

• Fall back to other token types when given incorrect hint during introspection by @josephdecock in #1607
  When an incorrect token_type_hint parameter is passed during introspection we now fall back to find tokens of the other type, in compliance with RFC 7662 Section 2.1.
• Clean up retired keys even if they are not unprotectable by @josephdecock in #1608
  Retired signing keys will now be deleted by the key manager even if the data protected portion of the key cannot be unprotected.
• Filter protocol claims from reference tokens by @josephdecock in #1662
  Reference tokens from IdentityServer 4 sometimes contain "protocol" claims, such as iat, which caused a bug where claims were duplicated.
• Respect EnableBackchannelAuthenticationEndpoint during routing by @EternamFr in #1599
  If CIBA is disabled in config, we now disable the endpoint in addition to suppressing it in discovery.
• Persist claim issuers in server side sessions by @josephdecock in #1660
  Claims from third-party issuers now track their issuer in a server side session, which fixes issues related to logout when integrating with 3rd party SAML providers.

Code Quality

• Update misleading comment by @AndersAbel in #1525
• Fix indentation by @AndersAbel in #1541
• Bump OpenTelemetry dependencies by @AndersAbel in #1549
• Replace alice/bob/email.com domains with example domains by @wenz in #1606
• Typo fix in README.md by @Tornhoof in #1615
• fix typo in comment by @JuliusPC in #1626
• leverage argument throw helpers by @SimonCropp in #1630
• leverage generic GetService by @SimonCropp in #1631
• fix incorrect as usage in GetAuthenticationTimeEpoch by @SimonCropp in #1636
• use named headers by @SimonCropp in #1643
• fix broken xml docs by @SimonCropp in #1648
• remove redundant casts by @SimonCropp in #1658
• more accurate timing to SigningKeyStore.StoreKey activity in StoreKeyAsync by @SimonCropp in #1664
• fix null reference in PostConfigureApplicationCookieTicketStore PostConfigure by @SimonCropp in #1666
• missing dispose for GetCurrentProcess by @SimonCropp in #1667

Performance Enhancements

• remove unnecessary distinct method by @testfirstcoder in #1581
• use static equals method to avoid exception by @testfirstcoder in #1583
• improve youngest key search by @testfirstcoder in #1584
• Refactoring AuthenticationPropertiesExtensions by @testfirstcoder in #1585
• Avoid multiple check adding clientid by @testfirstcoder in #1586
• better perf in request validation by @SimonCropp in #1632
• use faster char based StartsWith, EndsWith, and Contains by @SimonCropp in #1633
• remove redundant Any checks before enumeration by @SimonCropp in #1634
• remove redundant list and expression alloc in SecretValidator.ValidateAsync by @SimonCropp in #1635
• Use SHA*.HashData() one-shot methods by @martincostello in #1640
• use char base overloads where possible by @SimonCropp in #1644
• simplify some linq by @SimonCropp in #1645
• avoid some array alloc by @SimonCropp in #1646
• remove duplicate dictionary lookups by @SimonCropp in #1651
• remove redundant array allocation by @SimonCropp in #1655
• use count property over count method by @SimonCropp in #1657
• remove redundant allocation in ProtectedResourceErrorResult by @SimonCropp in #1663
• remove some ToString allocs by @SimonCropp in #1668

New Contributors

• @krosn made their first contribution in #1521
• @wenz made their first contribution in #1606
• @testfirstcoder made their first contribution in #1586
• @damianh made their first contribution in #1621
• @Tornhoof made their first contribution in #1615
• @EternamFr made their first contribution in #1599
• @JuliusPC made their first contribution in #1626
• @SimonCropp made their first contribution in #1631

Full Changelog: 7.0.8...7.1.0-rc.1

IdentityServer 7.1.0-preview.1

IdentityServer 7.1.0-preview.1 is the first preview release of IdentityServer 7.1.0. It includes support for .NET 9, adds friendly READMEs to the NuGet packages, and includes a few smaller enhancements and bugfixes.

Breaking Changes

There are no breaking changes at the schema or API level in this release.

• No schema updates are required.
• While we are adding support for .NET 9, .NET 8 continues to be supported.

There is a log message change, which we highlight as a breaking change in case monitoring or other tooling that consumes the logs relies on the old behavior:

• Subject tokens (the tokens passed in during token exchange) are now redacted from logs by @krosn in #1521
  If you need the old behavior, remove OidcConstants.TokenRequest.SubjectToken from the TokenRequestSensitiveValuesFilter option.

.NET 9

IdentityServer 7.1.0 supports both .NET 8 and .NET 9.

• Update to .NET 9 by @josephdecock in #1603

READMEs

• Update GitHub readme, add NuGet readmes by @josephdecock in #1610

Fixes and Enhancements

• Avoid multiple check adding clientid by @testfirstcoder in #1586
• Fall back to other token types when given incorrect hint in introspection by @josephdecock in #1607
• Use example.com as the domain for emails for test users by @wenz in #1606

New Contributors

• @krosn made their first contribution in #1521
• @wenz made their first contribution in #1606
• @testfirstcoder made their first contribution in #1586

Full Changelog: 7.0.7...7.1.0-preview.1

IdentityServer 7.0.8

This is a security hotfix that addresses CVE-2024-49755, a low-severity vulnerability in our handling of DPoP access tokens at local APIs. See
our blog post and the security advisory for more details.

IdentityServer 7.0.7

This is a patch release that allows the UserInteractionOptions.PromptValuesSupported to be customized, in order to support custom prompt modes.

What's Changed

• Allow SupportedPromptModes customization by @josephdecock in #1582

Full Changelog: 7.0.6...7.0.7

IdentityServer 7.0.6

This is a security hotfix that addresses CVE-2024-39694. See the security advisory for more details.

IdentityServer 6.3.10

This is a security hotfix that addresses CVE-2024-39694. See the security advisory for more details.

IdentityServer 6.2.5

This is a security hotfix that addresses CVE-2024-39694. See the security advisory for more details.

IdentityServer 6.1.8

This is a security hotfix that addresses CVE-2024-39694. See the security advisory for more details.

IdentityServer 6.0.5

This is a security hotfix that addresses CVE-2024-39694. See the security advisory for more details.