DuendeSoftware/products is-7.3.0

IdentityServer 7.3.0

on GitHub

IdentityServer 7.3.0 is a significant release that includes:

• FAPI 2.0 profile certification
• JWT Response from the introspection endpoint (RFC 9701)
• Diagnostic data
• Removal of the experimental label from OpenTelemetry metrics
• Additional license compliance warnings
• Several bug fixes
• Numerous small code quality and performance enhancements from the community

Breaking Changes

There are no schema changes needed for IdentityServer 7.3.0. Small code changes maybe be required for some users to upgrade.

• The SendLogoutNotificationAsync method has been removed from the DefaultBackChannelLogoutService class
• Client Secret is now required for Clients with ClientCredentials Grant

The SendLogoutNotificationAsync method has been removed from the DefaultBackChannelLogoutService class

• Fix Concurrent DbContext Access on Back Channel Logout by @bhazen in #2019
  To fix a bug where when using EntityFramework, code which previously executed in parallel needed to be modified to execute sequentially. This necessitated the removal of the SendLogoutNotificationAsync method in the DefaultBackChannelLogoutService class. Anyone who had previously overridden the SendLogoutNotificationAsync as an extensibility point will likely need to move their customization to the PostLogoutJwt method.

Client Secret is now required for Clients with ClientCredentials Grant

• Ensure Client Secret is Required for Clients with ClientCredentials Grant by @bhazen in #1796
  Previously, it was possible to configure a Client to allow the ClientCredentials Grant without requiring a client secret which is undesirable. The default validation of Clients has been updated to ensure any Client which allows the ClientCredentials grant also sets the RequireClientSecret flag to true to disallow the configuration of a private client to behave like a public client.

Enhancements

FAPI 2.0 Profile Certification

IdentityServer is 7.3.0 is officially certified as conformant with the FAPI 2.0 Security Profile.

• JWT Validation Clock Skew Option by @bhazen in #1813
• Include PAR in mtls aliases by @josephdecock in #1955
• Support binding of authorization codes to dpop proof key via dpop header by @josephdecock in #1974
• Respect port number in mTLS configuration by @josephdecock in #1990
• Adjust Multiple DPoP Token Error by @bhazen in #2004
• Options of Allowed Signing Algorithms JWTs and DPoP Proof Tokens by @bhazen in #2006
• Adjust Default Values for Clock Skew Config Options by @bhazen in #2010
• Change error when required DPoP proof is missing by @bhazen in #2011
• Reworked supported algorithm options by @josephdecock in #2026
• Use standard error response for failed mTLS auth by @josephdecock in #2079
• mTLS with DPoP by @josephdecock in #2080
• Handle mTLS and DPoP Used Together by @bhazen in #2084

JWT Response from Introspection Endpoint

IdentityServer now supports RFC 9701 to return a JWT Response from the Introspection endpoint.

• Implement RFC 9701 to Return JWT Response from Introspection Endpoint by @bhazen in #1937

Diagnostic Data

Diagnostic data has been added to IdentityServer to help support with troubleshooting. Read more about this new feature in our docs. TODO: link to docs

• Diagnostic Summary Setup by @bhazen in #2021
• Auth Scheme Diagnostic Entry by @bhazen in #2022
• Registered Implementations Diagnostic Entry by @bhazen in #2023
• IdentityServerOptions Diagnostic Entry by @bhazen #2024
• Data Protection Diagnostic Entry by @bhazen in #2025
• Token Issue Count Diagnostic Entry by @bhazen in #2029
• License Usage Summary Diagnostic Entry by @bhazen in #2033
• Basic Server Info Diagnostic Entry by @bhazen in #2034
• Endpoint Usage Diagnostic Entry by @bhazen in #2036
• Chunk diagnostics and update diagnostic options by @josephdecock in #2042
• Client Info Diagnostic Entry by @bhazen in #2043
• Resource Info Diagnostic Entry by @bhazen in #2047
• Registered Implementation Diagnostic Entry Tweaks by @bhazen in #2048
• Assembly Info Diagnostic Entry Tweaks in @bhazen in #2051
• Remove assemblyCount from diagnostics by @bhazen in #2054
• Remove pop from the names of token counts in diagnostics by @josephdecock in #2055
• Diagnostic Summary Log Tweaks by @bhazen in #2057
• Update Diagnostic Summary Log Source Name by @bhazen in #2059
• Log diagnostic summary on shutdown by @bhazen in #2061
• Add informational version to assembly info diagnostic entry by @bhazen in #2075

Move OpenTelemetry Metrics from Experimental to Stable

• Remove "Duende.IdentityServer.Experimental" service name from telemetry by @maartenba in #2002

Update License Usage Warnings

New warnings have been added around license compliance to help identify misuse of IdentityServer licenses prior to more strict license enforcement in the future.

• License Expiration Warning by @bhazen in #1921
• V2 License Functionality Updates by @bhazen in #1947
• Source Generator Based Logging for V2 License Code by @bhazen in #1951
• V2 License Client Warnings by @bhazen in #1954
• V2 License Issuer Warnings by @bhazen in #1957
• Update licensing messages by @josephdecock in #2141

Bug Fixes

• Persistent Cookies, Server Side Sessions, and Session Lifetime Coordination Fix by @bhazen in #1757
• Handle case-insensitive JSON claim value types. by @josephdecock in #1769
• Ensure session lifetime coordination is invoked when a session expires by @bhazen in #1784
• Ensure Client Secret is Required for Clients with ClientCredentials Grant by @bhazen in #1796
• fix null ref in UserInfoRequestValidator by @SimonCropp in #1896
• Don't unnecessarily return scope parameter from authorize endpoint by @bhazen in #1926
• Addresses an unhandled exception path & nullability concerns by @StuFrankish in #1930
• Don't return redirect URI or response mode on unsafe errors by @bhazen in #1933
• Fix DCR customizations for EF client configuration by @josephdecock in #1962
• Add and test unhandled exception logging filter logic by @khalidabuhakmeh in #2007
• Fix Concurrent DbContext Access on Back Channel Logout by @bhazen #2019

Code Quality

• Refactor exception handling and minor code improvements. by @khalidabuhakmeh in #1744
• Remove redundant comment delimiters in license header by @khalidabuhakmeh in #1747
• Switch to TargetFrameworks for multi-framework support by @khalidabuhakmeh in #1767
• Adding Missing Test Attributes by @bhazen in #1773
• Filter client credentials in ToOptimizedFullDictionary method by @josephdecock in #1781
• Update in code links to v7 by @AndersAbel in #1783
• Sanitize Log Input by @bhazen in #1806
• Fix up an accidentally reverted Shouldly change by @josephdecock in #1852
• Remove extra global.json from identityserver by @josephdecock in #1853
• Use DefaultConcurrencyLock as a Singleton instead of Transient. by @maartenba in #1859
• remove duplicate file headers in identityserver by @SimonCropp in #1891
• Use available async overloads in tests by @SimonCropp in #1918
• Use PAR IdentityModel constants by @josephdecock in #1956
• Filter Request Object by @bhazen in #2003
• Trivial Typos by @josephdecock in #2008
• Pass a cancellation token where it was accidentally forgotten by @josephdecock #2009
• Fix tabs -> spaces in several csproj's by @damianh in #2013
• Microsoft.AspnetCore.Authentication.Google -> Use demo.duendesoftware.com by @maartenba in #2015
• Use duende.link for trial mode docs by @maartenba in #2016
• Nit: Fix some typos by @josephdecock in #2027

Performance Enhancements

• Remove redundant ToArray calls by @SimonCropp in #1901
• Replace single character strings with chars by @SimonCropp in #1913
• Remove redundant initializations by @SimonCropp in #1917

Developer Productivity

• Replaces FluentAssertions with Shouldly by @damianh in #1768
• identity-server - simplify build process by building from solution by @Erwinvandervalk in #1774
• Fix builds of identityserver clients by @josephdecock in #1777
• Manual CodeQL Build Commands by @bhazen in #1802
• Unify EF Integration Tests by @bhazen in #1807
• Use aspire to run IdentityServer development hosts and clients by @StuFrankish in #1845
• Include and automate remaining console clients by @StuFrankish in #1865
• Convert a bunch of test assertions from xunit assert to Shoudly by @damianh in #1867
• Remove http launchSettings from aspire by @josephdecock in #1882
• Allow all dev API projects to run simultaneously in aspire by @StuFrankish in #1887
• Add net9.0 EF Test Host by @StuFrankish in #1923
• Allow all clients to run against both EF hosts (net8.0 and net9.0) by @StuFrankish in #1927
• Add OpenTelemetry tracing and integrate IdentityServer by @khalidabuhakmeh in #1928
• Use ServiceDefaults for IdSrv host to get Otel in Aspire by @AndersAbel and @josephdecock in #1988
• Rename aspire projects and update package/sdk references by @damianh in #2012
• Collapsed EF integration tests into main integration test project by @bhazen in #2018
• Aspire Quality of Life improvements by @josephdecock in #2028
• Make mTLS clients run in aspire by @josephdecock in #2031
• Fix Parameterized Scope Client by @bhazen in #2035
• Update vscode launch and task config by @josephdecock in #2044
• Remove ReadKey at shutdown by @josephdecock in #2045
• Slow down cleanup job frequency in development by @josephdecock in #2046
• Update aspire to 9.3 by @josephdecock in #2053
• Write Diagnostic Summary to File for Local Development by @bhazen in #2058
• IS Non-Aspire Default Config by @bhazen in #2068