-
Adding .NET 10 Passkey Support to Duende IdentityServer
In recent posts, we have looked at passkey authentication. We saw that passkeys are more secure and phishing-resistant than traditional username and password authentication, thanks to the use of public key cryptography. We also saw how the .NET 10 Blazor project templates add passkey authentication in projects with ASP.NET Identity.
You can also add passkey support to existing ASP.NET Core and Razor Pages projects. In this post, we'll take a practical approach and see how to add .NET passkey support to Duende IdentityServer through ASP.NET Identity.
-
Relying Party ID and Origin With Passkeys
Passkey authentication offers clear advantages over traditional usernames and passwords. It relies on public key cryptography, where the private key never leaves the client device, ensuring it can’t be stolen in transit or from a server. Only the public key is stored on the server, which is useful only for validating login attempts but not making them, reducing the risk of account takeover even if the server is breached.
In a previous post, we discussed how to create passkey credentials and how the server's URL is used to generate these credentials, making them more resistant to phishing. Using this technique, a credential signed for duendesoftware.com can not be used on example.org.
But what about subdomains? Or applications that operate globally and require users to be able to log in on several top-level domains? In this post, we'll cover origins in more detail, examine how to use passkeys across (sub)domains, and why you may want to consider tying passkey authentication to a specific URL.
-
Spectre.Console - Open Source Sponsorship
Open source remains an exceptional platform where talented individuals can come together and share their knowledge, passion, and code with others. We know firsthand the power that open-source packages can have on the .NET ecosystem, and we want to do our part in continuing the success of endeavors that help bring those opportunities to the community.
In our third sponsorship, the team at Duende has chosen Spectre.Console as the following open source recipient as part of our ongoing commitment to supporting projects that empower individuals, teams, and organizations.
We also have a word from the project maintainer, Patrik Svensson:
"I love working on open source because it’s more than just writing code. It’s about learning, sharing, and building something with the community. The support and collaboration make the effort worthwhile, and it’s inspiring to see companies like Duende Software sponsoring OSS and helping it thrive.” – Patrik Svensson
Thank you, Patrik, you inspire us as well 🙂
Now let's see at what Spectre.Console is all about.
-
Passkeys in .NET 10 Blazor Apps with ASP.NET Identity
Passwordless authentication is gaining momentum, with Microsoft, Google, Apple, and many others providing Passkey support in their services. But how do you add the latest authentication to your identity solutions?
In a previous post, we saw how passkeys solve fundamental password problems by using public key cryptography to provide a more secure, phishing-resistant authentication method that improves user experience while eliminating the vulnerabilities of traditional passwords.
With the upcoming release of .NET 10, the ASP.NET Core team has taken a step forward by introducing built-in passkey support in ASP.NET Identity. In this post, we'll look at the new Blazor project template in .NET 10, and how it makes secure authentication using passkeys more accessible to .NET developers.
-
An Introduction to Passkeys - The Future of Authentication
We all use passwords, yet we all struggle to remember them. Some people reuse the same password across multiple websites. Others turn to password managers to create unique passwords for every site. It’s been a challenging problem with no clear solution.
Even with excellent personal security hygiene, data breaches and password-related attacks dominate cybersecurity headlines. Sites like HaveIBeenPwned show just how frequently our credentials are compromised. The industry has tried various solutions, such as multi-factor authentication and hardware security keys, to dampen the impact of data breaches. Layers of additional authentication are complex and come with user experience challenges. There has to be a better way, right?
In this blog series, we will explore passkeys, the next evolution in secure authentication. Passkeys promise to replace passwords with something stronger, simpler, and inherently resistant to phishing attacks. Future posts will cover how to implement passkeys in ASP.NET Core web applications.
For now, let's start at the beginning: we'll take a look at passwords, the evolution of authentication standards, and the cryptographic principles that are behind passkeys.
-
Why You Should Be Using .NET 10's New TLS Certificate
When developing solutions locally, our goal is to predict and adapt our code to work in a production environment. Depending on our application, predicting production can be straightforward or have several hidden quirks that can lead to hours of head-scratching debugging.
In today’s post, I want to show you a behavior happening in your local development environment that you might not be fully aware of, and how it could be impacting the understanding of your application. We’ll also explore a hidden .NET 10 feature that helps you more accurately mimic a production environment locally, thereby improving your deployment confidence when you’re ready to ship.
-
Duende Most Anticipated .NET 10 Auth Features
With .NET 10 just a few months away, November 2025 can’t come soon enough for developers looking to get their hands on the latest Long Term Support (LTS) release. What's new in .NET 10?
In this post, we’ll show and explain some of the latest auth-related features coming to .NET 10 and how they may positively impact your current Duende IdentityServer deployments. As we scoured the release notes, four enhancements caught our attention, and we thought you’d appreciate a detailed look at each new option.
-
OpenID Connect Providers, Claims, and Duende IdentityServer
Have you ever asked the question, "What is a claim?", “how do apps ask for just the necessary claim information?” or “how does Duende IdentityServer complete an authentication request behind the scenes?” All important and necessary questions on your OpenID Connect implementation journey
Get ready for an exciting walkthrough of OpenID Connect's world. We will demystify claims and scopes and explain how Duende IdentityServer teaches these concepts to .NET developers through our SDK implementation.
We'll cover these topics together and, along the way, become OIDC and Duende IdentityServer pros together!
-
.NET HttpClient and Delegating Handlers
At the heart of every distributed .NET application lies the humble and unassuming
HttpClient
class. Arguably one of the most important implementations in the base class library, theHttpClient
allows developers to communicate with external HTTP services and connect applications conveniently. A class that negotiates the intricacies of the HTTP protocol for you, what more could you want?Well, .NET developers always want more, and in this post, we’ll discuss how at Duende, we use
DelegatingHandler
implementations in our free open-source libraries to give you more flexibility, convenience, and power. -
Optimizing ASP.NET Core Web Site Performance - Duende's Need for Speed
At Duende, we’re best known for being the .NET identity company, and while security is our primary expertise, so is software development. We recently went through an optimization cycle, improving the performance of our website, duendesoftware.com, which runs on ASP.NET Core, to improve the user experience and help search engines rank our pages higher in the results.
If you also run your organization’s site, or even your Duende IdentityServer instance, in a public environment and want to get the best user experience, here are five things you should consider implementing in your solution to get the most optimal experience.
Note, it’s best to take each of these approaches one at a time and measure the impact of your work on the performance of the target application. Sometimes, applying these strategies may be counterproductive in your particular use case.