Duende Blog

Have you ever asked the question, "What is a claim?", “how do apps ask for just the necessary claim information?” or “how does Duende IdentityServer complete an authentication request behind the scenes?” All important and necessary questions on your OpenID Connect implementation journey

Get ready for an exciting walkthrough of OpenID Connect's world. We will demystify claims and scopes and explain how Duende IdentityServer teaches these concepts to .NET developers through our SDK implementation.

We'll cover these topics together and, along the way, become OIDC and Duende IdentityServer pros together!

At the heart of every distributed .NET application lies the humble and unassuming HttpClient class. Arguably one of the most important implementations in the base class library, the HttpClient allows developers to communicate with external HTTP services and connect applications conveniently. A class that negotiates the intricacies of the HTTP protocol for you, what more could you want?

Well, .NET developers always want more, and in this post, we’ll discuss how at Duende, we use DelegatingHandler implementations in our free open-source libraries to give you more flexibility, convenience, and power.

At Duende, we’re best known for being the .NET identity company, and while security is our primary expertise, so is software development. We recently went through an optimization cycle, improving the performance of our website, duendesoftware.com, which runs on ASP.NET Core, to improve the user experience and help search engines rank our pages higher in the results.

If you also run your organization’s site, or even your Duende IdentityServer instance, in a public environment and want to get the best user experience, here are five things you should consider implementing in your solution to get the most optimal experience.

Note, it’s best to take each of these approaches one at a time and measure the impact of your work on the performance of the target application. Sometimes, applying these strategies may be counterproductive in your particular use case.

Today, we’re excited to announce Duende IdentityServer v7.3 (ISv7.3), a release focused on Financial-grade API 2.0 (FAPI 2.0) conformance, fast and intuitive quickstart templates, and enhanced extensibility, spec compliance, and diagnostics.

Duende IdentityServer continues to be a secure, flexible, and standards-compliant framework for OpenID Connect and OAuth 2.0. Now, with FAPI 2.0 conformance, ISv7.3 provides a more robust and secure foundation for organizations handling sensitive data and critical functionality. Plus, our improved quickstart templates mean even developers new to identity can have a working IdentityServer in under an hour, accelerating developer onboarding, proof-of-concept, and customization.

At Duende, we recognize that many of our customers may have decades of .NET experience, while also being new to OAuth 2.0 and OpenID Connect. Security is a challenging domain to get started with, but it rewards those who persevere with improved security, greater interoperability, and future extensibility.

One of our goals with the release of Duende IdentityServer v7.3 is to lower the barrier for developers starting with security by improving the onboarding experience and decreasing the time between ideation and production. In fact, using our new template should get you a proof of concept identity provider in 60 minutes or less.

In this post, we’ll cover improvements to our new .NET project template and show you some of the enhancements that better help you understand and implement your very own OAuth 2.0 and OpenID Connect identity provider.

Working with Duende IdentityServer customers, we’ve noticed many developers adopting Serilog as their preferred logging framework, in addition to the ILogger abstractions found in ASP.NET Core. There’s a lot to love about the simple yet powerful logging library built with powerful structured event data in mind: Easy installation, straightforward configuration, multiple target sinks, fantastic documentation, and a large community of .NET developers.

It’s so great that we ship it as part of our templates to help developers adopt what we view as a great approach to logging information, warnings, and, in rare cases, exceptions.

This post highlights an underrated feature of the Serilog family of extensions: Serilog Expressions.

We understand that making application security decisions is an important and daunting task. The security information can be overwhelming, especially when searching for information about OAuth 2.0 and OpenID Connect. We provide some general, recent information to help developers make decisions when architecting a solution.

In this post, we’ll provide an overview detailing the essential security and authentication flows, which flows to avoid in newer implementations, some security measures built into the specification, best practices for single-page application development, and some enhanced security features.

Many of these recommendations are based on the IETF Best Current Practices document, which you can refer to anytime. Regarding Duende IdentityServer, we’ve done our best to codify best practices when possible, but some decisions are still left to developers to implement.

Managing users and their identities is among the most challenging components of application building. That’s why some developers use external identity providers to reduce the maintenance burden and focus on solving new and interesting problems. The most popular external providers include Google, Microsoft, and other social media platforms.

In this post, we’ll show how to create a basic ASP.NET Core web application that defers its authentication to an external provider, in our case, Google. We’ll also discuss the relationship between external authentication and cookie authentication. And finally, why you may want to consider a different option for your production applications.

To follow along, you will need a Google Account to create a new Client with a corresponding Client ID and Client Secret. It only takes a few minutes and is easy to set up.

Getting all the moving parts to work together can be daunting when building and maintaining a .NET auth solution. Developers are adopting OAuth 2.0 and OpenID Connect for authorization and authentication, powered by Duende IdentityServer, to quickly provide a tested and mature security solution more easily. With the Duende-provided SDK, developers can customize their instance of IdentityServer, but still want to ensure it works as intended.

In this post, we’ll show you how to take your existing IdentityServer instance, or even an IdentityServer development instance, and use it with your favorite unit testing framework. We’ll also show you how to add a special test client for a unit test.

While Duende’s most notable offering is the IdentityServer SDK, the OpenID Connect and OAuth solution for .NET developers, we provide more value with other products, services, and libraries.

In this post, we will explain the commercial and free open-source options we offer .NET developers, the problems these solutions solve, and how you can use them to improve a .NET application’s security posture.