Updates for reference, tokens, ui, outtakes

IdentityServer/v7/docs/content/reference/di.md

@@ -7,10 +7,7 @@ weight: 20
 *AddIdentityServer* return a builder object that provides many extension methods to add IdentityServer specific services to DI. Here's a list grouped by feature areas.
 
 ```cs
-public void ConfigureServices(IServiceCollection services)
-{
- var builder = services.AddIdentityServer();
-}
+var idsvrBuilder = builder.Services.AddIdentityServer();
 ```
 
 {{% notice note %}}

IdentityServer/v7/docs/content/reference/efoptions/operational.md

@@ -10,7 +10,7 @@ These options are configurable when using the Entity Framework Core for the [ope
 You set the options at startup time in your *AddOperationalStore* method:
 
 ```cs
-var builder = services.AddIdentityServer()
+builder.Services.AddIdentityServer()
  .AddOperationalStore(options =>
  {
  // configure options here..

IdentityServer/v7/docs/content/reference/models/api_resource.md

@@ -80,5 +80,5 @@ The *AddInMemoryApiResource* extensions method also supports adding API resource
 Then pass the configuration section to the *AddInMemoryApiResource* method:
 
 ```cs
-builder.AddInMemoryApiResources(configuration.GetSection("IdentityServer:ApiResources"))
+idsvrBuilder.AddInMemoryApiResources(configuration.GetSection("IdentityServer:ApiResources"))
 ```

IdentityServer/v7/docs/content/reference/models/api_scope.md

@@ -64,5 +64,5 @@ The *AddInMemoryApiResource* extension method also supports adding clients from
 Then pass the configuration section to the *AddInMemoryApiScopes* method:
 
 ```cs
-builder.AddInMemoryApiScopes(configuration.GetSection("IdentityServer:ApiScopes"))
+idsvrBuilder.AddInMemoryApiScopes(configuration.GetSection("IdentityServer:ApiScopes"))
 ```

IdentityServer/v7/docs/content/reference/options.md

@@ -10,7 +10,7 @@ The *IdentityServerOptions* is the central place to configure fundamental settin
 You set the options when registering IdentityServer at startup time, using a lambda expression in the AddIdentityServer method:
 
 ```cs
-var builder = services.AddIdentityServer(options =>
+var idsvrBuilder = builder.Services.AddIdentityServer(options =>
 {
  // configure options here..
 })
@@ -230,7 +230,7 @@ If you want to take full control over the rendering of the discovery and jwks do
 Adds custom elements to the discovery document. For example:
 
 ```cs
-var builder = services.AddIdentityServer(options =>
+var idsvrBuilder = builder.Services.AddIdentityServer(options =>
 {
  options.Discovery.CustomEntries.Add("my_setting", "foo");
  options.Discovery.CustomEntries.Add("my_complex_setting",

IdentityServer/v7/docs/content/tokens/authentication/jwt.md

@@ -11,31 +11,33 @@ The technique is described [here](https://openid.net/specs/openid-connect-core-1
 ## Setting up a private key JWT secret
 The default private key JWT secret validator expects either a base64 encoded X.509 certificate or a [JSON Web Key](https://tools.ietf.org/html/rfc7517) formatted RSA, EC or symmetric key on the secret definition:
 
- var client = new Client
+```cs
+var client = new Client
+{
+ ClientId = "client.jwt",
+
+ ClientSecrets =
  {
- ClientId = "client.jwt",
+ new Secret
+ {
+ // base64 encoded X.509 certificate
+ Type = IdentityServerConstants.SecretTypes.X509CertificateBase64,
 
- ClientSecrets =
+ Value = "MIID...xBXQ="
+ }
+ new Secret
  {
- new Secret
- {
- // base64 encoded X.509 certificate
- Type = IdentityServerConstants.SecretTypes.X509CertificateBase64,
-
- Value = "MIID...xBXQ="
- }
- new Secret
- {
- // JWK formatted RSA key
- Type = IdentityServerConstants.SecretTypes.JsonWebKey,
-
- Value = "{'e':'AQAB','kid':'Zz...GEA','kty':'RSA','n':'wWw...etgKw'}"
- }
- },
+ // JWK formatted RSA key
+ Type = IdentityServerConstants.SecretTypes.JsonWebKey,
 
- AllowedGrantTypes = GrantTypes.ClientCredentials,
- AllowedScopes = { "api1", "api2" }
- };
+ Value = "{'e':'AQAB','kid':'Zz...GEA','kty':'RSA','n':'wWw...etgKw'}"
+ }
+ },
+
+ AllowedGrantTypes = GrantTypes.ClientCredentials,
+ AllowedScopes = { "api1", "api2" }
+};
+```
 
 {{% notice note %}}
 You can share the same key for client authentication and [signed authorize requests]({{< ref "/tokens/jar" >}}).
@@ -123,23 +125,20 @@ The OpenID Connect authentication handler in ASP.NET Core allows for replacing a
 This is accomplished by handling the various events on the handler. We recommend to encapsulate the event handler in a separate type. This makes it easier to consume services from DI:
 
 ```cs
-public void ConfigureServices(IServiceCollection services)
-{
- // some details omitted
- services.AddTransient<OidcEvents>();
+// some details omitted
+builder.Services.AddTransient<OidcEvents>();
 
- services.AddAuthentication(options =>
-  .AddOpenIdConnect("oidc", options =>
-  {
-  options.Authority = Constants.Authority;
+builder.Services.AddAuthentication(options =>
+ .AddOpenIdConnect("oidc", options =>
+ {
+ options.Authority = Constants.Authority;
 
-  // no static client secret 
-  options.ClientId = "mvc.jar.jwt";
+ // no static client secret 
+ options.ClientId = "mvc.jar.jwt";
 
- // specifies type that handles events
- options.EventsType = typeof(OidcEvents); 
- }));
- }
+ // specifies type that handles events
+ options.EventsType = typeof(OidcEvents); 
+ }));
 ```
 
 In your event handler you can inject code before the handler redeems the code:

IdentityServer/v7/docs/content/tokens/authentication/mtls.md

@@ -9,7 +9,7 @@ Clients can use an X.509 client certificate as an authentication mechanism to en
 For this you need to associate a client certificate with a client in your IdentityServer and enable MTLS support on the options.
 
 ```cs
-var builder = service.AddIdentityServer(options =>
+var idsvrBuilder = builder.Services.AddIdentityServer(options =>
 {
  options.MutualTls.Enabled = true;
 })
@@ -18,7 +18,7 @@ var builder = service.AddIdentityServer(options =>
 Use the [DI extensions methods]({{< ref "/reference/di" >}}) to add the services to DI which contain a default implementation to do that either thumbprint or common-name based:
 
 ```cs
-builder.AddMutualTlsSecretValidators();
+idsvrBuilder.AddMutualTlsSecretValidators();
 ```
 
 Then add client secret of type *SecretTypes.X509CertificateName* (for PKI-based scenarios) 

IdentityServer/v7/docs/content/tokens/cors.md

@@ -37,7 +37,7 @@ This would be configured as a singleton in DI, and hard-coded with its *AllowedO
 For example, in *ConfigureServices*:
 
 ```cs
-services.AddSingleton<ICorsPolicyService>((container) =>
+builder.Services.AddSingleton<ICorsPolicyService>((container) =>
 {
  var logger = container.GetRequiredService<ILogger<DefaultCorsPolicyService>>();
 

IdentityServer/v7/docs/content/tokens/dynamic_validation.md

@@ -49,5 +49,5 @@ public class TransactionScopeTokenRequestValidator : ICustomTokenRequestValidato
 You can register your implementation like this:
 
 ```cs
-builder.AddCustomTokenRequestValidator<TransactionScopeTokenRequestValidator>();
+idsvrBuilder.AddCustomTokenRequestValidator<TransactionScopeTokenRequestValidator>();
 ```

IdentityServer/v7/docs/content/tokens/extension_grants/token_exchange.md

@@ -82,7 +82,7 @@ public class TokenExchangeGrantValidator : IExtensionGrantValidator
 You then register your grant validator with DI:
 
 ```cs
-builder.AddExtensionGrantValidator<TokenExchangeGrantValidator>();
+idsvrBuilder.AddExtensionGrantValidator<TokenExchangeGrantValidator>();
 ```
 
 And configure your client to be able to use it:

IdentityServer/v7/docs/content/tokens/jar.md

@@ -46,7 +46,7 @@ If the *request_uri* parameter is used, IdentityServer will make an outgoing HTT
 You can customize the HTTP client used for this outgoing connection, e.g. to add caching or retry logic (e.g. via the Polly library):
 
 ```cs
-builder.AddJwtRequestUriHttpClient(client =>
+idsvrBuilder.AddJwtRequestUriHttpClient(client =>
 {
  client.Timeout = TimeSpan.FromSeconds(30);
 })

IdentityServer/v7/docs/content/tokens/par.md

@@ -19,7 +19,7 @@ The use of PAR is encouraged by the [FAPI working group](https://openid.net/wg/f
 Duende.IdentityServer includes support for PAR in the Business Edition or higher license. In the starter edition, PAR requests will not be processed and instead log errors. If you have a starter edition license, you should disable the *EnablePushedAuthorizationEndpoint* flag so that discovery indicates that your IdentityServer does not support PAR:
 
 ```cs
-services.AddIdentityServer(options =>
+builder.Services.AddIdentityServer(options =>
 {
  options.Endpoints.EnablePushedAuthorizationEndpoint = false;
 })

IdentityServer/v7/docs/content/tokens/pop/dpop.md

@@ -54,7 +54,7 @@ DPoP is enabled by simply assigning the *DPoPJsonWebKey* on the client configura
 For example, here's how to configure a client credentials client:
 
 ```csharp
-services.AddClientCredentialsTokenManagement()
+builder.Services.AddClientCredentialsTokenManagement()
  .AddClient("demo_dpop_client", client =>
  {
  client.TokenEndpoint = "https://demo.duendesoftware.com/connect/token";
@@ -66,11 +66,11 @@ services.AddClientCredentialsTokenManagement()
 And here's how to configure a code flow client:
 
 ```csharp
-services.AddAuthentication(...)
+builder.Services.AddAuthentication(...)
  .AddCookie("cookie", ...)
  .AddOpenIdConnect("oidc", ...);
 
-services.AddOpenIdConnectAccessTokenManagement(options => 
+builder.Services.AddOpenIdConnectAccessTokenManagement(options => 
 {
  options.DPoPJsonWebKey = "...";
 });

IdentityServer/v7/docs/content/tokens/pop/mtls.md

@@ -92,7 +92,7 @@ static SocketsHttpHandler GetHandler(X509Certificate2 certificate)
 The last step is to enable that feature in the options:
 
 ```cs
-var builder = services.AddIdentityServer(options =>
+var idsvrBuilder = builder.Services.AddIdentityServer(options =>
 {
  // other settings
 

IdentityServer/v7/docs/content/tokens/requesting.md

@@ -69,25 +69,22 @@ The [Duende.AccessTokenManagement](https://github.com/DuendeSoftware/Duende.Acce
 Using this library, you only need to register the token client in DI:
 
 ```cs
-public void ConfigureServices(IServiceCollection services)
+builder.Services.AddAccessTokenManagement(options =>
 {
- services.AddAccessTokenManagement(options =>
+ options.Client.Clients.Add("client", new ClientCredentialsTokenRequest
  {
- options.Client.Clients.Add("client", new ClientCredentialsTokenRequest
- {
- Address = "https://demo.duendesoftware.com/connect/token",
- ClientId = "m2m",
- ClientSecret = "secret",
- Scope = "api"
- });
+ Address = "https://demo.duendesoftware.com/connect/token",
+ ClientId = "m2m",
+ ClientSecret = "secret",
+ Scope = "api"
  });
-}
+});
 ```
 
 You can then add token management to an HTTP-factory provided client:
 
 ```cs
-services.AddClientAccessTokenClient("client", configureClient: client =>
+builder.Services.AddClientAccessTokenClient("client", configureClient: client =>
 {
  client.BaseAddress = new Uri("https://demo.duendesoftware.com/api/");
 });
@@ -188,38 +185,35 @@ The most common client library for .NET is the OpenID Connect [authentication](h
 You only need to configure it in your startup code:
 
 ```cs
-public void ConfigureServices(IServiceCollection services)
+builder.Services.AddAuthentication(options =>
 {
- services.AddAuthentication(options =>
+ options.DefaultScheme = "cookie";
+ options.DefaultChallengeScheme = "duende";
+})
+ .AddCookie("cookie")
+ .AddOpenIdConnect("duende", "IdentityServer", options =>
  {
- options.DefaultScheme = "cookie";
- options.DefaultChallengeScheme = "duende";
- })
- .AddCookie("cookie")
- .AddOpenIdConnect("duende", "IdentityServer", options =>
+ options.Authority = "https://demo.duendesoftware.com";
+ options.ClientId = "interactive.confidential";
+
+ options.ResponseType = "code";
+ options.ResponseMode = "query";
+ options.SaveTokens = true;
+
+ options.Scope.Clear();
+ options.Scope.Add("openid");
+ options.Scope.Add("api");
+ options.Scope.Add("offline_access");
+
+ options.TokenValidationParameters = new TokenValidationParameters
  {
- options.Authority = "https://demo.duendesoftware.com";
- options.ClientId = "interactive.confidential";
-
- options.ResponseType = "code";
- options.ResponseMode = "query";
- options.SaveTokens = true;
-
- options.Scope.Clear();
- options.Scope.Add("openid");
- options.Scope.Add("api");
- options.Scope.Add("offline_access");
-
- options.TokenValidationParameters = new TokenValidationParameters
- {
- NameClaimType = "name",
- RoleClaimType = "role"
- };
-
- // Disable x-client-SKU and x-client-ver headers 
- options.DisableTelemetry = true;
- });
-}
+ NameClaimType = "name",
+ RoleClaimType = "role"
+ };
+
+ // Disable x-client-SKU and x-client-ver headers 
+ options.DisableTelemetry = true;
+ });
 ```
 
 ### Automating token management in ASP.NET Core

IdentityServer/v7/docs/content/ui/login/dynamicproviders.md

@@ -99,10 +99,7 @@ If it is needed to further customize the *OpenIdConnectOptions*, you can registe
 And to register this in the DI system:
 
 ```cs
- public void ConfigureServices(IServiceCollection services)
- {
- services.ConfigureOptions<CustomConfig>();
- }
+builder.Services.ConfigureOptions<CustomConfig>();
 ```
 
 #### Accessing OidcProvider data in IConfigureNamedOptions
@@ -132,10 +129,7 @@ class CustomOidcConfigureOptions : ConfigureAuthenticationOptions<OpenIdConnectO
 The above class would need to be configured in DI (as before):
 
 ```cs
-public void ConfigureServices(IServiceCollection services)
-{
- services.ConfigureOptions<CustomOidcConfigureOptions>();
-}
+builder.Services.ConfigureOptions<CustomOidcConfigureOptions>();
 ```
 
 ### Callback Paths