Duende Blog

The winds of change are blowing in the direction of .NET 10, and many teams are adjusting their sails to navigate towards new and bold adventures. Exciting times are ahead. As .NET 10 marks the long-term support (LTS) version of the SDK and runtime, now is a great time to plan and strategize. After all, we all have limited resources, developer cycles, and energy when upgrading. You don’t want your ship to hit any unexpected choppy waters.

In this post, Duende has scoured the currently documented .NET 10 breaking changes and found some items you want to be mindful of when upgrading. Hopefully, many of these items will be uneventful in your upgrade, but some may leave you stranded on a deserted island called frustration. In no particular order, let’s see what they are and why you may want to mark them on your upgrade map.

If you've already dipped into OpenID Connect with Duende IdentityServer, you'll know that claims and scopes are the building blocks for describing user information. Previously, Khalid introduced us to claims and how Duende IdentityServer and other OpenID Connect Providers handle providing claims to clients.

Client applications can request any number of scopes, and the authorization server can decide which claims flow back to the client. It's also possible to enable consent, where the user is in control and can decide what information to share.

For example, the user can consent to share their email address or decide to omit it from the claim set. You've probably seen this in action with popular social media platforms or mobile applications.

In this article, we'll explore how Duende IdentityServer handles consent, the differences between interactive and machine-to-machine clients, how "required" vs. "optional" scopes affect the consent screen, and what happens when a client doesn't get everything it asked for.

In recent posts, we have looked at passkey authentication. We saw that passkeys are more secure and phishing-resistant than traditional username and password authentication, thanks to the use of public key cryptography. We also saw how the .NET 10 Blazor project templates add passkey authentication in projects with ASP.NET Identity.

You can also add passkey support to existing ASP.NET Core and Razor Pages projects. In this post, we'll take a practical approach and see how to add .NET passkey support to Duende IdentityServer through ASP.NET Identity.

Passkey authentication offers clear advantages over traditional usernames and passwords. It relies on public key cryptography, where the private key never leaves the client device, ensuring it can’t be stolen in transit or from a server. Only the public key is stored on the server, which is useful only for validating login attempts but not making them, reducing the risk of account takeover even if the server is breached.

In a previous post, we discussed how to create passkey credentials and how the server's URL is used to generate these credentials, making them more resistant to phishing. Using this technique, a credential signed for duendesoftware.com can not be used on example.org.

But what about subdomains? Or applications that operate globally and require users to be able to log in on several top-level domains? In this post, we'll cover origins in more detail, examine how to use passkeys across (sub)domains, and why you may want to consider tying passkey authentication to a specific URL.

Open source remains an exceptional platform where talented individuals can come together and share their knowledge, passion, and code with others. We know firsthand the power that open-source packages can have on the .NET ecosystem, and we want to do our part in continuing the success of endeavors that help bring those opportunities to the community.

In our third sponsorship, the team at Duende has chosen Spectre.Console as the following open source recipient as part of our ongoing commitment to supporting projects that empower individuals, teams, and organizations.

We also have a word from the project maintainer, Patrik Svensson:

"I love working on open source because it’s more than just writing code. It’s about learning, sharing, and building something with the community. The support and collaboration make the effort worthwhile, and it’s inspiring to see companies like Duende Software sponsoring OSS and helping it thrive.” – Patrik Svensson

Thank you, Patrik, you inspire us as well 🙂

Now let's see at what Spectre.Console is all about.

Passwordless authentication is gaining momentum, with Microsoft, Google, Apple, and many others providing Passkey support in their services. But how do you add the latest authentication to your identity solutions?

In a previous post, we saw how passkeys solve fundamental password problems by using public key cryptography to provide a more secure, phishing-resistant authentication method that improves user experience while eliminating the vulnerabilities of traditional passwords.

With the upcoming release of .NET 10, the ASP.NET Core team has taken a step forward by introducing built-in passkey support in ASP.NET Identity. In this post, we'll look at the new Blazor project template in .NET 10, and how it makes secure authentication using passkeys more accessible to .NET developers.

We all use passwords, yet we all struggle to remember them. Some people reuse the same password across multiple websites. Others turn to password managers to create unique passwords for every site. It’s been a challenging problem with no clear solution.

Even with excellent personal security hygiene, data breaches and password-related attacks dominate cybersecurity headlines. Sites like HaveIBeenPwned show just how frequently our credentials are compromised. The industry has tried various solutions, such as multi-factor authentication and hardware security keys, to dampen the impact of data breaches. Layers of additional authentication are complex and come with user experience challenges. There has to be a better way, right?

In this blog series, we will explore passkeys, the next evolution in secure authentication. Passkeys promise to replace passwords with something stronger, simpler, and inherently resistant to phishing attacks. Future posts will cover how to implement passkeys in ASP.NET Core web applications.

For now, let's start at the beginning: we'll take a look at passwords, the evolution of authentication standards, and the cryptographic principles that are behind passkeys.

When developing solutions locally, our goal is to predict and adapt our code to work in a production environment. Depending on our application, predicting production can be straightforward or have several hidden quirks that can lead to hours of head-scratching debugging.

In today’s post, I want to show you a behavior happening in your local development environment that you might not be fully aware of, and how it could be impacting the understanding of your application. We’ll also explore a hidden .NET 10 feature that helps you more accurately mimic a production environment locally, thereby improving your deployment confidence when you’re ready to ship.

With .NET 10 just a few months away, November 2025 can’t come soon enough for developers looking to get their hands on the latest Long Term Support (LTS) release. What's new in .NET 10?

In this post, we’ll show and explain some of the latest auth-related features coming to .NET 10 and how they may positively impact your current Duende IdentityServer deployments. As we scoured the release notes, four enhancements caught our attention, and we thought you’d appreciate a detailed look at each new option.

Have you ever asked the question, "What is a claim?", “how do apps ask for just the necessary claim information?” or “how does Duende IdentityServer complete an authentication request behind the scenes?” All important and necessary questions on your OpenID Connect implementation journey

Get ready for an exciting walkthrough of OpenID Connect's world. We will demystify claims and scopes and explain how Duende IdentityServer teaches these concepts to .NET developers through our SDK implementation.

We'll cover these topics together and, along the way, become OIDC and Duende IdentityServer pros together!