github DuendeSoftware/products is-8.0.0
IdentityServer 8.0.0


Duende IdentityServer 8.0

Duende IdentityServer 8.0 targets .NET 10 and marks a significant milestone for the product.

SAML 2.0 is now a first-class protocol alongside OpenID Connect and OAuth 2.0, enabling enterprise and legacy applications to authenticate against your server without requiring separate infrastructure.

This release also introduces a FAPI 2.0/OAuth 2.1 conformance report to help you verify high-security deployments, and delivers substantial internal modernization - including adoption of the platform's HybridCache and TimeProvider abstractions, nullable reference types, and pervasive cancellation token support - resulting in a cleaner, more maintainable foundation going forward.


New Features

SAML 2.0 Identity Provider
IdentityServer can now act as a full SAML 2.0 Identity Provider, allowing enterprise and legacy applications that require SAML to authenticate against your server alongside OpenID Connect clients.

It supports:

  • SP-initiated SSO via HTTP-Redirect and HTTP-POST bindings
  • Single Logout (SLO) with front-channel notifications
  • Per-SP assertion signing
  • NameID format support
  • AuthnContext class mapping, per-SP claim mappings
  • Metadata endpoint

Your existing login UI requires only a small update to the cancellation path. See the SAML 2.0 documentation.

SAML 2.0 External Authentication
IdentityServer can now federate with external SAML 2.0 Identity Providers, letting you use a third-party SAML IdP as an upstream identity source - the same way you'd add Google or Microsoft Entra ID as an external provider. Configure SAML external providers statically or dynamically using the existing dynamic providers mechanism. See Configuring a SAML external provider.

Financial-Grade Security & Conformance Report
A new Duende.IdentityServer.ConformanceReport package assesses your IdentityServer deployment against OAuth 2.1 and FAPI 2.0 Security Profile specifications and generates an HTML report at a protected endpoint (/_duende/conformance-report). Use it to verify your server is correctly configured for high-security API scenarios. See the Conformance Report documentation.

User Management
IdentityServer 8 integrates with Duende User Management which adds user registration, password management, MFA (TOTP, passkeys), account recovery, and more. See the User Management documentation.


Improvements

  • Token Cleanup Performance - The token cleanup service now uses a more efficient bulk delete strategy when IOperationalStoreNotification is not registered, reducing database load in high-throughput deployments. MySQL EF Core provider compatibility for PAR entry cleanup is also restored.

  • Orphaned Grants Revoked on Session Overwrite - When a server-side session is overwritten (for example, when a user signs in again without signing out first), refresh tokens belonging to the prior session are now automatically revoked. This prevents stale grants from accumulating and remaining valid after re-authentication.

  • Quieter Secret Validation Logging - Expected-failure log entries in client and API secret validation have been downgraded from Error to Debug. This reduces noise in production logs: when a client or API resource has several secrets, the comparison against each non-matching stored hash fails before the matching one is found, so these failures are a normal part of hashed secret validation rather than a sign of attack.

  • Relaxed Audience Validation - Audience validation for private key JWT authentication in strict mode now accepts single-element JSON arrays in addition to scalar string values, improving compatibility with tokens from issuers that always serialize audiences as arrays.

  • HTTP 303 Redirects - All redirects from IdentityServer's authorization endpoint now unconditionally use HTTP 303 See Other. OAuth 2.0 and OpenID Connect show 302 only as an example and permit any user-agent redirect; 303 has the advantage that the user agent always follows it with a GET, even when the authorization request itself arrived as a POST, which avoids issues with intermediaries that treat 302 redirects differently.

  • Unified Authorization Context - SAML and OpenID Connect flows now share the same IAuthenticationContext abstraction. Your login page can access protocol-specific context - including SAML-specific details such as RequestedAuthnContext - through a single consistent interface.

  • Backchannel Logout Fix - Resolved an issue where backchannel logout notifications could be sent twice for the same session.

  • License Key from IConfiguration - The IdentityServer license key can now be provided through standard .NET configuration sources such as appsettings.json, environment variables, or a secrets manager, making deployment configuration simpler and more consistent with other .NET settings.

  • AuthorizeInteractionPageHttpWriter Now Public - The AuthorizeInteractionPageHttpWriter class is now part of the public API, giving you full control over how IdentityServer writes authorization interaction responses without relying on internal implementation details.
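The relaxed audience check described above, as an added example. This is not IdentityServer's own validator (which also checks iss, sub, exp and jti and is not reproduced here); the AudienceCheck class, the sample payloads and the accepted audience list are constructed for this page. Which audience values your server accepts for private key JWT client assertions is determined by your configuration.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;

// Added example, not IdentityServer's validator. Given the decoded JSON claim set
// of a private_key_jwt client assertion, it checks "aud" the way the release
// notes describe strict mode after this change: a scalar string, or a
// single-element array, whose value matches an accepted audience passes;
// a multi-valued array, a non-string value or a missing claim fails.
public static class AudienceCheck
{
    public static bool IsAudienceValid(string payloadJson, IReadOnlySet<string> acceptedAudiences, out string reason)
    {
        using var doc = JsonDocument.Parse(payloadJson);
        if (!doc.RootElement.TryGetProperty("aud", out var aud))
        {
            reason = "aud claim missing";
            return false;
        }

        string? value;
        switch (aud.ValueKind)
        {
            case JsonValueKind.String:
                value = aud.GetString();
                break;
            case JsonValueKind.Array when aud.GetArrayLength() == 1 && aud[0].ValueKind == JsonValueKind.String:
                // Some issuers always serialize aud as an array; a one-element
                // array carries the same meaning as the scalar form.
                value = aud[0].GetString();
                break;
            case JsonValueKind.Array:
                // Strict mode keeps rejecting multi-valued audiences: an assertion
                // that is also valid for other recipients could be replayed there.
                reason = $"aud must contain exactly one value, got {aud.GetArrayLength()}";
                return false;
            default:
                reason = $"aud has unsupported type {aud.ValueKind}";
                return false;
        }

        if (value is not null && acceptedAudiences.Contains(value))
        {
            reason = "ok";
            return true;
        }
        reason = $"aud '{value}' is not an accepted audience";
        return false;
    }

    public static void Main()
    {
        // Accepted values are an assumption for this demo; use the audiences
        // your server actually accepts for client assertions. Ordinal comparison:
        // audience URLs must match exactly, not case-insensitively.
        var accepted = new HashSet<string>(StringComparer.Ordinal)
        {
            "https://idp.example.com",
            "https://idp.example.com/connect/token",
        };

        // Constructed sample payloads (JWT claim sets after base64url decoding).
        var samples = new Dictionary<string, string>
        {
            ["scalar"]       = """{"iss":"spa-client","sub":"spa-client","aud":"https://idp.example.com/connect/token","exp":1767225600}""",
            ["single-array"] = """{"iss":"spa-client","sub":"spa-client","aud":["https://idp.example.com"],"exp":1767225600}""",
            ["multi-array"]  = """{"iss":"spa-client","sub":"spa-client","aud":["https://idp.example.com","https://other.example"],"exp":1767225600}""",
            ["wrong-value"]  = """{"iss":"spa-client","sub":"spa-client","aud":["https://attacker.example"],"exp":1767225600}""",
            ["missing"]      = """{"iss":"spa-client","sub":"spa-client","exp":1767225600}""",
        };

        foreach (var (name, payload) in samples)
        {
            var ok = IsAudienceValid(payload, accepted, out var reason);
            Console.WriteLine($"{name,-13} {(ok ? "ACCEPT" : "REJECT")}  {reason}");
        }
    }
}
```

The guard on the first Array case is what implements the relaxation: only a one-element array of a string is folded into the scalar path, so an issuer that emits `["https://idp.example.com"]` now validates while a two-element array is still refused, which is the behaviour you want when the assertion must name this server and nothing else.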


Breaking Changes

See the upgrade guide for full migration instructions.

Change - Action required:

  • .NET 10 required - Retarget your project to net10.0.
  • ICache<T> / DefaultCache<T> replaced by HybridCache - Replace custom cache implementations with HybridCache (Microsoft.Extensions.Caching.Hybrid).
  • IClock replaced by TimeProvider - Use TimeProvider directly instead of the IClock abstraction.
  • CancellationToken required on all interface methods - Add a CancellationToken parameter to custom implementations of IdentityServer interfaces.
  • IEnumerable<T> return types changed to IReadOnlyCollection<T> - Update return types in custom store and service implementations.
  • IAuthorizationParametersMessageStore removed - Remove usage; see the upgrade guide for the migration path.
  • Nullable reference types enabled - Fix nullable warnings in code that implements or extends IdentityServer types.
  • response_mode validated earlier - response_mode is now checked earlier in authorization request processing, so values that were previously tolerated may now surface as errors; test your clients' authorization requests.
  • IClientStore.GetAllClientsAsync now required - Implement this method on custom IClientStore implementations.
  • IRefreshTokenService method signatures changed - Update custom implementations to match the new signatures.
  • IUserSession - new SAML session methods added - Implement the new SAML-related methods on custom IUserSession implementations.
  • IsNullOrEmpty extension made internal - Replace calls with string.IsNullOrEmpty().
  • DPoP type names corrected - Update any references to renamed DPoP types.
  • PersistedGrantFilter collection properties non-nullable - Remove any null assignments to collection properties on PersistedGrantFilter.
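The three modernization items in the list above (TimeProvider for IClock, HybridCache for ICache<T>/DefaultCache<T>, and a CancellationToken on every async method) together in one added example. SecretLookup, ISecretSource and CountingSource are hypothetical types written for this page, not IdentityServer interfaces; the code relies only on the .NET abstractions and the NuGet packages named in its comments.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.Caching.Hybrid;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Time.Testing;

// Added example, not IdentityServer code. SecretLookup is a hypothetical custom
// service written the way IdentityServer 8 now expects extension code to look:
//   * TimeProvider replaces the removed IClock abstraction
//   * HybridCache replaces the removed ICache<T> / DefaultCache<T>
//   * every async method takes a CancellationToken and passes it down
// Packages assumed: Microsoft.Extensions.Caching.Hybrid and
// Microsoft.Extensions.TimeProvider.Testing (for FakeTimeProvider).
public sealed record ClientSecretRecord(string ClientId, string Hash, DateTimeOffset ExpiresAt);

// Hypothetical backing store; in a real deployment this would be EF Core or similar.
public interface ISecretSource
{
    ValueTask<ClientSecretRecord?> LoadAsync(string clientId, CancellationToken ct);
}

public sealed class SecretLookup
{
    private readonly HybridCache _cache;
    private readonly TimeProvider _time;
    private readonly ISecretSource _source;

    public SecretLookup(HybridCache cache, TimeProvider time, ISecretSource source)
    {
        _cache = cache;
        _time = time;
        _source = source;
    }

    public async ValueTask<ClientSecretRecord?> FindAsync(string clientId, CancellationToken ct)
    {
        // HybridCache coalesces concurrent misses for the same key and hands the
        // factory its own token; the caller's token is passed as cancellationToken.
        var record = await _cache.GetOrCreateAsync(
            $"client-secret:{clientId}",
            token => _source.LoadAsync(clientId, token),
            new HybridCacheEntryOptions { Expiration = TimeSpan.FromMinutes(5) },
            cancellationToken: ct);

        // The expiry decision reads the injected clock, never DateTime.UtcNow,
        // so tests can move time forward deterministically.
        if (record is null || record.ExpiresAt <= _time.GetUtcNow())
        {
            return null;
        }
        return record;
    }
}

// In-memory source that counts loads so the demo can show the cache working.
public sealed class CountingSource : ISecretSource
{
    public int Loads;
    private readonly DateTimeOffset _expires;
    public CountingSource(DateTimeOffset expires) => _expires = expires;

    public ValueTask<ClientSecretRecord?> LoadAsync(string clientId, CancellationToken ct)
    {
        ct.ThrowIfCancellationRequested();
        Loads++;
        // Constructed sample data; the hash value is a placeholder, not a real secret.
        return ValueTask.FromResult<ClientSecretRecord?>(
            new ClientSecretRecord(clientId, "sha256:placeholder", _expires));
    }
}

public static class Program
{
    public static async Task Main()
    {
        var start = new DateTimeOffset(2026, 1, 1, 12, 0, 0, TimeSpan.Zero);
        var clock = new FakeTimeProvider(start);
        var source = new CountingSource(expires: start.AddMinutes(1));

        var services = new ServiceCollection();
        services.AddHybridCache();                 // in-memory L1 only; register IDistributedCache for an L2
        services.AddSingleton<TimeProvider>(clock);
        services.AddSingleton<ISecretSource>(source);
        services.AddSingleton<SecretLookup>();
        using var provider = services.BuildServiceProvider();
        var lookup = provider.GetRequiredService<SecretLookup>();

        var first = await lookup.FindAsync("spa-client", CancellationToken.None);
        var second = await lookup.FindAsync("spa-client", CancellationToken.None);
        Console.WriteLine($"found={first is not null && second is not null}, loads after two lookups={source.Loads}");

        // Move the injected clock past ExpiresAt while the cache entry is still live.
        clock.Advance(TimeSpan.FromMinutes(2));
        var expired = await lookup.FindAsync("spa-client", CancellationToken.None);
        Console.WriteLine($"after clock advance: found={expired is not null}");
    }
}
```

Two design points worth noting. HybridCache serializes entries for the optional distributed tier, so whatever you cache must round-trip through System.Text.Json or a serializer you register; a positional record like ClientSecretRecord does. And the cache's own expiry is not driven by TimeProvider, which is why the business expiry check sits in SecretLookup where it reads the injected clock: advancing FakeTimeProvider makes the third lookup return null even though the cache still holds the entry, exactly the kind of time-dependent behaviour that was hard to test when code read IClock or the system clock directly.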

Removals & Behavioral Changes

  • ICancellationTokenProvider removed - Cancellation tokens are now passed directly via method parameters throughout the framework.
  • PreviewFeatureOptions removed - All preview features have graduated to stable; their configuration options have been moved to the appropriate standard options classes.
  • IdentityServerLicense class removed - License handling has been updated. LicenseUsageSummary.LicenseEdition is replaced by EntitledSkus.
  • Device flow no longer remembers consent - Users will be prompted to consent on each device flow authorization. This change removes a pattern that could allow unintended persistent access.
  • AuthorizationError renamed to InteractionError - Update any references to this type in your codebase.

Database Migration Required

SAML 2.0 support adds 10 new database tables. If you use the EF Core stores, run the provided migrations as part of your upgrade:

  • Configuration store (7 new tables): SamlServiceProviders, SamlAllowedScopes, SamlAssertionConsumerServices, SamlAuthnContextMappings, SamlCertificates, SamlClaimMappings, SamlRequestedClaimTypes
  • Operational store (3 new tables): SamlLogoutSessions, SamlSigninStates, SamlLogoutSessionRequestIndices

See the upgrade guide for the exact dotnet ef migration commands.

