Duende Blog

We all use passwords, yet we all struggle to remember them. Some people reuse the same password across multiple websites. Others turn to password managers to create unique passwords for every site. It’s been a challenging problem with no clear solution.

Even with excellent personal security hygiene, data breaches and password-related attacks dominate cybersecurity headlines. Sites like HaveIBeenPwned show just how frequently our credentials are compromised. The industry has tried various solutions, such as multi-factor authentication and hardware security keys, to dampen the impact of data breaches. Layers of additional authentication are complex and come with user experience challenges. There has to be a better way, right?

In this blog series, we will explore passkeys, the next evolution in secure authentication. Passkeys promise to replace passwords with something stronger, simpler, and inherently resistant to phishing attacks. Future posts will cover how to implement passkeys in ASP.NET Core web applications.

For now, let's start at the beginning: we'll take a look at passwords, the evolution of authentication standards, and the cryptographic principles that are behind passkeys.

When developing solutions locally, our goal is to predict and adapt our code to work in a production environment. Depending on our application, predicting production can be straightforward or have several hidden quirks that can lead to hours of head-scratching debugging.

In today’s post, I want to show you a behavior happening in your local development environment that you might not be fully aware of, and how it could be impacting the understanding of your application. We’ll also explore a hidden .NET 10 feature that helps you more accurately mimic a production environment locally, thereby improving your deployment confidence when you’re ready to ship.

With .NET 10 just a few months away, November 2025 can’t come soon enough for developers looking to get their hands on the latest Long Term Support (LTS) release.

In this post, we’ll show and explain some of the latest auth-related features coming to .NET and how they may positively impact your current Duende IdentityServer deployments. As we scoured the release notes, four enhancements caught our attention, and we thought you’d appreciate a detailed look at each new option.

Have you ever asked the question, "What is a claim?", “how do apps ask for just the necessary claim information?” or “how does Duende IdentityServer complete an authentication request behind the scenes?” All important and necessary questions on your OpenID Connect implementation journey

Get ready for an exciting walkthrough of OpenID Connect's world. We will demystify claims and scopes and explain how Duende IdentityServer teaches these concepts to .NET developers through our SDK implementation.

We'll cover these topics together and, along the way, become OIDC and Duende IdentityServer pros together!

At the heart of every distributed .NET application lies the humble and unassuming HttpClient class. Arguably one of the most important implementations in the base class library, the HttpClient allows developers to communicate with external HTTP services and connect applications conveniently. A class that negotiates the intricacies of the HTTP protocol for you, what more could you want?

Well, .NET developers always want more, and in this post, we’ll discuss how at Duende, we use DelegatingHandler implementations in our free open-source libraries to give you more flexibility, convenience, and power.

At Duende, we’re best known for being the .NET identity company, and while security is our primary expertise, so is software development. We recently went through an optimization cycle, improving the performance of our website, duendesoftware.com, which runs on ASP.NET Core, to improve the user experience and help search engines rank our pages higher in the results.

If you also run your organization’s site, or even your Duende IdentityServer instance, in a public environment and want to get the best user experience, here are five things you should consider implementing in your solution to get the most optimal experience.

Note, it’s best to take each of these approaches one at a time and measure the impact of your work on the performance of the target application. Sometimes, applying these strategies may be counterproductive in your particular use case.

At Duende, we recognize that many of our customers may have decades of .NET experience, while also being new to OAuth 2.0 and OpenID Connect. Security is a challenging domain to get started with, but it rewards those who persevere with improved security, greater interoperability, and future extensibility.

One of our goals with the release of Duende IdentityServer v7.3 is to lower the barrier for developers starting with security by improving the onboarding experience and decreasing the time between ideation and production. In fact, using our new template should get you a proof of concept identity provider in 60 minutes or less.

In this post, we’ll cover improvements to our new .NET project template and show you some of the enhancements that better help you understand and implement your very own OAuth 2.0 and OpenID Connect identity provider.

Today, we’re excited to announce Duende IdentityServer v7.3 (ISv7.3), a release focused on Financial-grade API 2.0 (FAPI 2.0) conformance, fast and intuitive quickstart templates, and enhanced extensibility, spec compliance, and diagnostics.

Duende IdentityServer continues to be a secure, flexible, and standards-compliant framework for OpenID Connect and OAuth 2.0. Now, with FAPI 2.0 conformance, ISv7.3 provides a more robust and secure foundation for organizations handling sensitive data and critical functionality. Plus, our improved quickstart templates mean even developers new to identity can have a working IdentityServer in under an hour, accelerating developer onboarding, proof-of-concept, and customization.

Working with Duende IdentityServer customers, we’ve noticed many developers adopting Serilog as their preferred logging framework, in addition to the ILogger abstractions found in ASP.NET Core. There’s a lot to love about the simple yet powerful logging library built with powerful structured event data in mind: Easy installation, straightforward configuration, multiple target sinks, fantastic documentation, and a large community of .NET developers.

It’s so great that we ship it as part of our templates to help developers adopt what we view as a great approach to logging information, warnings, and, in rare cases, exceptions.

This post highlights an underrated feature of the Serilog family of extensions: Serilog Expressions.

We understand that making application security decisions is an important and daunting task. The security information can be overwhelming, especially when searching for information about OAuth 2.0 and OpenID Connect. We provide some general, recent information to help developers make decisions when architecting a solution.

In this post, we’ll provide an overview detailing the essential security and authentication flows, which flows to avoid in newer implementations, some security measures built into the specification, best practices for single-page application development, and some enhanced security features.

Many of these recommendations are based on the IETF Best Current Practices document, which you can refer to anytime. Regarding Duende IdentityServer, we’ve done our best to codify best practices when possible, but some decisions are still left to developers to implement.