  • Securing OpenAPI and Swagger UI with OAuth in .NET 10

    Khalid Abuhakmeh

    If you’re a professional ASP.NET Core developer in today’s world, you’re likely working on some form of JSON-over-HTTP project. In fact, building web APIs is arguably the strongest use case for ASP.NET Core today. We build APIs so that other developers can discover, learn, and consume our work, all with a strong emphasis on secure access. With those goals in mind, teams often turn to OpenAPI specifications and Swagger to help others better understand said APIs.

    As you may know, Duende provides best-in-class products to help secure .NET solutions using the latest standards of OAuth and OpenID Connect. In this post, we’ll see how to secure an ASP.NET Core API with JWT Bearer tokens, set up the solution to generate an OpenAPI specification, and then secure calls from a Swagger UI to authenticate against Duende’s IdentityServer demo instance. All you’ll need is a single ASP.NET Core project, but what you learn will apply to all Duende IdentityServer deployments.

  • Building a Federation Gateway with Duende IdentityServer: Strategies and Considerations for Identity Orchestration

    Dominick Baier, Maarten Balliauw

    In today's security landscape, organizations rarely rely on a single identity provider. Users can authenticate through corporate directories such as Active Directory, cloud identity providers like Entra ID, or social providers such as Google. They might come through partner federations or specialized systems. This is true for enterprises, Software-as-a-Service providers, and ISVs.

    Managing these diverse identities can be a challenging task. You need to strike a balance between maintaining security and providing a good user experience. This is where a federation gateway becomes essential: an identity broker that orchestrates authentication across all these different sources.

    This post explores how to architect and implement a federation gateway using Duende IdentityServer, examine the business requirements that drive these decisions, and provide technical guidance for implementation.

  • Inspect and Validate JSON Web Tokens with the Duende JWT Decoder

    Wesley Cabus

    Whether you’re just beginning to learn about OAuth 2.0 or OpenID Connect, or you’re an experienced developer troubleshooting why an API is not accepting a particular JSON Web Token (JWT), you often want to quickly inspect the contents of tokens to see if they contain the correct claims, are signed correctly, and if they have the expected lifetime.

    Since we already have a live demo IdentityServer environment, which you can use to try out different authentication flows, it made sense to add a utility to inspect JWT token contents as well. Visit https://jwt.me to try it out!

    Let's have a look at why we built this tool, and what it can help you with.

  • A Great Time To Upgrade From IdentityServer4 To Duende IdentityServer

    Khalid Abuhakmeh, Dan VanHoozer

    .NET 10 is out. 🎁🎉🥳

    This likely means you and your team have been, or are starting to consider, the path of stability, predictability, and reduced maintenance overhead that an LTS offers for your applications. If that’s the case, we assume you may also be asking yourself and your team, “How secure is our IdentityServer4 implementation?” Or maybe it’s, “Hey, .NET 10 is out. Wait. Is IdentityServer4 supported?” Or that custom security solution that you hurriedly implemented years ago is now causing you more pain and heartache than you want. “What does it take to move to modern standards like OpenID Connect (OIDC), OAuth 2.0, and PKCE?”

    If you’re thinking about any of these scenarios, now might be a good time to upgrade. From our perspective, it’s an excellent time to choose Duende IdentityServer as your OAuth and OpenID Connect provider. You’ll future-proof your solutions for planned initiatives, make your development team happy with how much control they’ll have, and impress your CTO with how extensible Duende IdentityServer is to the changing needs of your business.

  • Missing Security Features in .NET 10

    Khalid Abuhakmeh

    The .NET ecosystem is famous for its batteries-included philosophy, with many of the tools necessary to build solutions available in the SDK. It’s genuinely great. As a developer, many options are one namespace, assembly, or NuGet package away. It lets you focus on developing applications rather than spending precious time and energy finding the perfect dependencies. It’s something we can take for granted, but the benefits become clear when dabbling in other ecosystems. We love it.

    While .NET offers many options, there are occasions when a solution gap exists. In fact, that’s why a company like Duende Software can exist. We are a security solutions provider in a space that’s difficult, challenging, and necessary for many customers. Necessity breeds innovation, and at Duende, we aim to innovate.

    As many of our customers look to migrate their solutions to .NET 10, here are a few security features missing in .NET 10, why they’re essential, and how Duende can provide an industry-leading solution. Let’s get started.

  • .NET 10 Breaking Changes To Keep An Eye On When Upgrading

    Khalid Abuhakmeh

    The winds of change are blowing in the direction of .NET 10, and many teams are adjusting their sails to navigate towards new and bold adventures. Exciting times are ahead. As .NET 10 marks the long-term support (LTS) version of the SDK and runtime, now is a great time to plan and strategize. After all, we all have limited resources, developer cycles, and energy when upgrading. You don’t want your ship to hit any unexpected choppy waters.

    In this post, Duende has scoured the currently documented .NET 10 breaking changes and found some items you want to be mindful of when upgrading. Hopefully, many of these items will be uneventful in your upgrade, but some may leave you stranded on a deserted island called frustration. In no particular order, let’s see what they are and why you may want to mark them on your upgrade map.

  • Consent in OpenID Connect: Balancing User Choice and Client Needs with Duende IdentityServer

    Stuart Frankish

    If you've already dipped into OpenID Connect with Duende IdentityServer, you'll know that claims and scopes are the building blocks for describing user information. Previously, Khalid introduced us to claims and how Duende IdentityServer and other OpenID Connect Providers handle providing claims to clients.

    Client applications can request any number of scopes, and the authorization server can decide which claims flow back to the client. It's also possible to enable consent, where the user is in control and can decide what information to share.

    For example, the user can consent to share their email address or decide to omit it from the claim set. You've probably seen this in action with popular social media platforms or mobile applications.

    In this article, we'll explore how Duende IdentityServer handles consent, the differences between interactive and machine-to-machine clients, how "required" vs. "optional" scopes affect the consent screen, and what happens when a client doesn't get everything it asked for.

  • Adding .NET 10 Passkey Support to Duende IdentityServer and ASP.NET Core

    Maarten Balliauw

    In recent posts, we have looked at passkey authentication. We saw that passkeys are more secure and phishing-resistant than traditional username and password authentication, thanks to the use of public key cryptography. We also saw how the .NET 10 Blazor project templates add passkey authentication in projects with ASP.NET Identity.

    You can also add passkey support to existing ASP.NET Core and Razor Pages projects. In this post, we'll take a practical approach and see how to add .NET passkey support to Duende IdentityServer through ASP.NET Identity.

  • Relying Party ID and Origin With Passkeys

    Maarten Balliauw

    Passkey authentication offers clear advantages over traditional usernames and passwords. It relies on public key cryptography, where the private key never leaves the client device, ensuring it can’t be stolen in transit or from a server. Only the public key is stored on the server, which is useful only for validating login attempts but not making them, reducing the risk of account takeover even if the server is breached.

    In a previous post, we discussed how to create passkey credentials and how the server's URL is used to generate these credentials, making them more resistant to phishing. Using this technique, a credential signed for duendesoftware.com cannot be used on example.org.

    But what about subdomains? Or applications that operate globally and require users to be able to log in on several top-level domains? In this post, we'll cover origins in more detail, examine how to use passkeys across (sub)domains, and why you may want to consider tying passkey authentication to a specific URL.

  • Spectre.Console - Open Source Sponsorship

    Khalid Abuhakmeh

    Open source remains an exceptional platform where talented individuals can come together and share their knowledge, passion, and code with others. We know firsthand the power that open-source packages can have on the .NET ecosystem, and we want to do our part in continuing the success of endeavors that help bring those opportunities to the community.

    In our third sponsorship, the team at Duende has chosen Spectre.Console as the next open source recipient, as part of our ongoing commitment to supporting projects that empower individuals, teams, and organizations.

    We also have a word from the project maintainer, Patrik Svensson:

    “I love working on open source because it’s more than just writing code. It’s about learning, sharing, and building something with the community. The support and collaboration make the effort worthwhile, and it’s inspiring to see companies like Duende Software sponsoring OSS and helping it thrive.”

    Patrik Svensson

    Thank you, Patrik; you inspire us as well 🙂

    Now let's see what Spectre.Console is all about.