• Security Lingo Explained: Encode vs Encrypt vs Hash

    AL Rodriguez

    The security space can be a strange and confusing place for newcomers. In this series of posts, we aim to shed light on the security lingo you may encounter when reading the latest security specifications and scanning your favorite Duende documentation. By the end of this post, you’ll have added one more security phrase to your growing lexicon of security jargon with which to impress your fellow security professionals.

    Today’s security lingo terms are Encode, Encrypt, and Hash. Each term is used in software and security to describe converting a string into a different representation. Each function is used for different scenarios. At a glance, these functions may seem interchangeable, and it’s easy to mistake one for the other. Not knowing the differences among options can lead to confusion or even security incidents. Let’s discuss what each term stands for and where you can see and hear it used.

  • Implementing Zero Trust with Resource Isolation

    Maarten Balliauw

    There's a good chance your application consumes one or more APIs. For example, you may have a back-office application that works with a shipping API and an invoice API. Or perhaps you have a microservice architecture, and there are 50 different APIs involved.

    In this landscape, one of the most persistent security anti-patterns we see is access tokens with too much access. An overprivileged token occurs when a client requests a wide array of scopes (for example, invoice.read and shipping.write) and receives a single access token that contains all the issued claims.

    While asking for multiple scopes at once can be convenient, the issued token raises a concerning trust issue. If the shipping API is compromised and the token is leaked, an attacker can use it to access the invoice API. The attacker has a token that’s issued once, but usable against almost every service within a solution. We’ve sacrificed security for convenience, which can weaken our security posture.

    This is where Resource Isolation comes in. Based on RFC 8707 (Resource Indicators for OAuth 2.0), this feature allows you to enforce strict trust boundaries between your APIs, ensuring that a token is only valid for the specific target it was intended for.

  • Security Lingo Explained: JWT

    Khalid Abuhakmeh

    The security space can be a strange and confusing place for newcomers. In this series of posts, we aim to shed light on the security lingo you may encounter when reading the latest security specifications and scanning your favorite Duende documentation. By the end of this post, you’ll have added one more security phrase to your growing lexicon of security jargon with which to impress your fellow security professionals.

    Today’s security lingo is JWT, so let’s discuss what the acronym stands for and where you can see and hear it used.

  • DPoP Security for .NET APIs with JwtBearer Extensions v1.0.0

    Joe DeCock

    Today we are excited to announce version 1.0 of our Duende.AspNetCore.Authentication.JwtBearer (JwtBearer Extensions) package, which helps you implement Demonstrating Proof-of-Possession (DPoP) in .NET-powered APIs. This JwtBearer Extensions package is an easy-to-use extension for the JwtBearer authentication handler that you're already using with ASP.NET Core. To get started, you only need a single NuGet package and minimal configuration, with support for advanced protocol features like replay detection and server-issued nonces, signing algorithm configuration, clock skew support, and extensibility.

    But what's the big deal with this package? What is DPoP, and why do you need it? In this article, we'll see why you want to use DPoP to make your applications more secure, and how you can use JwtBearer Extensions to protect against a number of threats, such as replay attacks.

  • Announcing the Duende IdentityServer4 Migration Analysis Tool

    Khalid Abuhakmeh, Maarten Balliauw

    As we enter 2026, many developers are considering the opportunities ahead, from implementing new business features to fixing long-standing bugs and paying down years of technical debt. With some of our customer calls this year, we’ve found that a “popular” item on everyone’s New Year’s resolutions list is upgrading to the latest .NET 10 LTS release, alongside finally moving to the most secure and supported version of Duende IdentityServer to date.

    At Duende, we want to fuel your ambitions and help you meet your goals. We’ve spent thousands of hours talking to IdentityServer4 users and have built a tool that should help teams understand the upgrade process ahead of them. If you're concerned about running an unsupported identity solution at the heart of your organization and want to upgrade, we have a solution we think you should consider. In this post, we’d like to introduce you to our IdentityServer4 Migration Analysis Tool, developed by our Customer Success team lead, Maarten Balliauw.

  • BenchmarkDotNet - Open Source Sponsorship

    Khalid Abuhakmeh

    The software development space has creatively coined some memorable statements over the years, such as “speed is a feature”, “memory is cheap”, and “always blame the new guy”. All these statements have one thing in common: as developers, we should do our best to baseline our assumptions and verify the truth. In the spirit of building the best software we possibly can by focusing on the fine details, we are happy to announce that this quarter's Duende Open Source Sponsorship goes to BenchmarkDotNet.

    In our fourth sponsorship, the team at Duende has chosen BenchmarkDotNet as the next open-source recipient of our ongoing commitment to supporting projects that empower individuals, teams, communities, and organizations.

    Now let’s see what BenchmarkDotNet is all about.

  • Security Lingo Explained: PAR

    Khalid Abuhakmeh

    The security space can be a strange and confusing place for newcomers. In this series of posts, we aim to shed light on the security lingo you may encounter when reading the latest security specifications and scanning your favorite Duende documentation. By the end of this post, you’ll have added one more security phrase to your growing lexicon of security jargon with which to impress your fellow security professionals.

    Today’s security lingo is PAR, so let’s discuss what the acronym stands for and where you can see and hear it used.

  • Why Signing Key Rotation Matters in OpenID Connect and Duende IdentityServer

    Maarten Balliauw

    In the world of OpenID Connect and OAuth 2.0, signing keys are the foundation of trust. They ensure that tokens issued by your identity provider (IdP) are authentic and haven't been tampered with. Managing these keys properly, whether manually or automatically, is an important aspect of running a secure IdentityServer implementation.

    This post explores the technical rationale behind key rotation, how Duende IdentityServer handles it, and best practices for implementing production-grade identity solutions.

  • Security Lingo Explained: OP

    Khalid Abuhakmeh

    The security space can be a strange and confusing place for newcomers. In this series of posts, we aim to shed light on the security lingo you may encounter when reading the latest security specifications and scanning your favorite Duende documentation. By the end of this post, you’ll have added one more security phrase to your growing lexicon of security jargon with which to impress your fellow security professionals.

    Today’s security lingo is OP, so let’s discuss what the acronym stands for and where you can see and hear it used.

  • Duende Year-End Review 2025: A Year of Standards, Success, and Community

    Damian Hickey

    As we close 2025, we look back on an exceptional year marked by dedication, innovation, and an unwavering commitment to our community. What follows details the remarkable technical achievements of our engineering teams, who delivered over 1,042 merged pull requests in our core products repository and 173 in our FOSS projects. These numbers represent thousands of hours spent coding, reviewing, testing, and ultimately, shipping best-in-class security software.

    Our engineers not only pushed the boundaries of our products—achieving major milestones like the FAPI 2.0 Profile Certification for IdentityServer 7.3.0, the architectural leap of Backend for Frontend (BFF) 4.0.0 GA with its multi-frontend support, and the complete internal reimagination of Duende.AccessTokenManagement 4.0.0—but also ensured we remained future-proof with immediate .NET 10 Support across our major releases.

    However, a year of success is built on more than just code. This review celebrates the collective hard work of every Duende employee. Our Sales Teams worked tirelessly to bring our enterprise-grade security solutions to new markets and clients. Our Marketing Team ensured that the value of our commitment to standards and developer experience resonated clearly, amplifying our message of security and compliance to a global audience. And, critically, our Customer Success Team was on the front lines, translating complex technical challenges into real-world solutions, fostering the strong trust our clients place in us.

    Together, these efforts have resulted in a powerful, positive impact on both the Duende customer base and the broader .NET community.