Duende Blog

The security space can be a strange and confusing place for newcomers. In this series of posts, we aim to shed light on the security lingo you may encounter when reading the latest security specifications and scanning your favorite Duende documentation. By the end of this post, you’ll have added one more security phrase to your growing lexicon of security jargon with which to impress your fellow security professionals.

Today’s security lingo is OP, so let’s discuss what the acronym stands for and where you can see and hear it used.

As we close 2025, we look back on an exceptional year marked by dedication, innovation, and an unwavering commitment to our community. What follows details the remarkable technical achievements of our engineering teams, who delivered over 1,042 merged pull requests in our core products repository and 173 in our FOSS projects. These numbers represent thousands of hours spent coding, reviewing, testing, and ultimately, shipping best-in-class security software.

Our engineers not only pushed the boundaries of our products—achieving major milestones like the FAPI 2.0 Profile Certification for IdentityServer 7.3.0, the architectural leap of Backend for Frontend (BFF) 4.0.0 GA with its multi-frontend support, and the complete internal reimagination of Duende.AccessTokenManagement 4.0.0—but also ensured we remained future-proof with immediate .NET 10 Support across our major releases.

However, a year of success is built on more than just code. This review celebrates the collective hard work of every Duende employee. Our Sales Teams worked tirelessly to bring our enterprise-grade security solutions to new markets and clients. Our Marketing Team ensured that the value of our commitment to standards and developer experience resonated clearly, amplifying our message of security and compliance to a global audience. And, critically, our Customer Success Team was on the front lines, translating complex technical challenges into real-world solutions, fostering the strong trust our clients place in us.

Together, these efforts have resulted in a powerful, positive impact on both the Duende customer base and the broader .NET community.

The security space can be a strange and confusing place for newcomers. In this series of posts, we aim to shed light on the security lingo you may encounter when reading the latest security specifications and scanning your favorite Duende documentation. By the end of this post, you’ll have added one more security phrase to your growing lexicon of security jargon with which to impress your fellow security professionals.

Today’s security lingo is BCP, so let’s discuss what the acronym stands for and where you can see and hear it used.

The security space can be a strange and confusing place for newcomers. In this series of posts, we aim to shed light on the security lingo you may encounter when reading the latest security specifications and scanning your favorite Duende documentation. By the end of this post, you’ll have added one more security phrase to your growing lexicon of security jargon with which to impress your fellow security professionals.

Today’s security lingo is DPoP, so let’s discuss what the acronym stands for and where you can see and hear it used.

The security space can be a strange and confusing place for newcomers. In this series of posts, we aim to shed light on the security lingo you may encounter when reading the latest security specifications and scanning your favorite Duende documentation. By the end of this post, you’ll have added one more security phrase to your growing lexicon of security jargon with which to impress your fellow security professionals.

Today’s security lingo is Auth, so let’s discuss what the word stands for and where you can see and hear it used.

Development teams look very different from teams 20 years ago, heck, even 5 years ago. Here at Duende, we have developed with .NET since its inception, and we know many of you have as well. The technology has been foundational for building solutions for decades now. Still, in our time, we’ve seen organizations also begin to evolve, adopting new technology, deploying to new devices, and delivering new user experiences. To say we, as a professional industry, have come a long way would be an understatement.

The umbrella term “development” now sees teams adopting practices in frontend, backend, operations, database management, and many other areas. Professionals’ skills and discipline coalesce to deliver outcomes that bring joy to stakeholders and, most importantly, users. While your users may experience positive emotions using software you’ve developed, quietly in the background, the unsung hero of security ensures they do so in a safe and secure environment.

Let’s examine why now is an excellent time to consider Backend for Frontend (BFF) when building new solutions or modernizing existing ones.

Love it or hate it, AI is here and it’s finding its way into software all over the world. Regardless of your opinion on the current state of AI, here at Duende Software, we just want you to do all things software-related securely.

In relation to AI, developers are starting to explore scaling operational efficiency with AI agents. These AI Agents could be a powerful addition to an organization, but an LLM-only approach can be fraught with costly errors, misinformation, and hallucinations. Anything worth doing is worth doing right, but what does “right” currently look like? After all, developers want to deliver secure AI experiences, right?

In this post, we’ll discuss the Model Context Protocol, how developers can utilize the emerging protocol to deliver existing operational investments to a new audience, and, most importantly, how to securely deliver software-based value with industry best practices and spec-compliant implementations using Duende IdentityServer.

Today, we are proud to announce Duende IdentityServer v7.4. This is an important release that’s been built for .NET 10 Long-Term Support (LTS) and adds support for standards that are important for Agentic AI systems and the Model Context Protocol (MCP).

Duende IdentityServer remains the flexible, standards-compliant SDK for OpenID Connect and OAuth 2.0. With v7.4, we’re focused on .NET 10 upgrades that prioritize stability, safety, and long-term commitment. We’re also helping our users navigate the uncertainty of the AI boom with predictable, protocol-driven security. Plus, we’ve started a new community with an avenue for direct, technical collaboration - Duende Product Insiders.

Today, we are excited to announce the release of Duende BFF Security Framework v4 (BFFv4), an essential update that fundamentally simplifies how .NET developers secure multi-frontend applications while dramatically increasing system observability.

For .NET developers, Duende provides an identity infrastructure solution offering an SDK for flexible, standards-compliant identity and access control. Duende’s solutions enable customization of implementations built on OpenID Connect and OAuth 2.0. As highlighted in the BFFv4 live stream, in alignment with the Internet Engineering Task Force’s (IETF) best current practice document, storing OAuth tokens in the browser is a significant security risk, exposing your application to various injection and supply-chain attacks. The backend for frontend (BFF) pattern moves the OAuth flow and token management to the secure server side, using HTTP-only cookies to manage the user session, drastically reducing the attack surface.

With BFFv4, we continue our mission: secure, standards-based identity—all simplified for developers.

If you’re a professional ASP.NET Core developer in today’s world, you’re likely working on some form of JSON-over-HTTP project. In fact, building web APIs is arguably the strongest use case for ASP.NET Core today. We build APIs so that other developers can discover, learn, and consume our work, all with a strong emphasis on secure access. With those goals in mind, teams often turn to OpenAPI specifications and Swagger to help others better understand said APIs.

As you may know, Duende provides best-in-class products to help secure .NET solutions using the latest standards of OAuth and OpenID Connect. In this post, we’ll see how to secure an ASP.NET Core API with JWT Bearer tokens, set up the solution to generate an OpenAPI specification, and then secure calls from a Swagger UI to authenticate against Duende’s IdentityServer demo instance. All you’ll need is a single ASP.NET Core project, but what you learn will apply to all Duende IdentityServer deployments.