Patch Releases: Addressing CVE-2026-26127 in Microsoft.BCL.Memory
On March 10, 2026, Microsoft disclosed CVE-2026-26127, a high-severity denial-of-service vulnerability in the Microsoft.BCL.Memory NuGet package. It can be triggered when decoding malformed Base64Url input. Because several Duende packages depend on this package transitively, your builds may now show NuGet vulnerability warnings; running dotnet list package --vulnerable --include-transitive will show which of your projects pull it in. We've shipped patch releases across our library stack to resolve this. Here's what you need to know.
-
Client-Initiated Backchannel Authentication (CIBA) in ASP.NET Core 10 with Duende Identity Server
When you sign in to a website, you enter your username and password, and maybe a two-factor code. You are using your phone to authenticate yourself to the site, and the site is open on that same device. What if you could use the same technology to authenticate yourself to some other device, such as a public kiosk, or even to a person you are speaking with over the phone? That future is here, and it comes from Client-Initiated Backchannel Authentication (CIBA).
CIBA is an OpenID Foundation standard that extends OpenID Connect, enabling a user to authenticate on a different device from the one running the application. It builds on the OpenID Connect standard we all know and love, but separates the Consumption Device (where the user needs to be signed in) from the Authentication Device (where the user performs the authentication).
And before you ask, YES! It is fully supported by Duende IdentityServer at the Enterprise license tier.
-
Rate Limiting IdentityServer Endpoints
Your identity provider is the front door to every application in your organization. Every request to your identity infrastructure shares the same resources: CPU, memory, database connections, and cryptographic operations such as token signing.
A recent community discussion showed what happens when one consumer takes more than its fair share of that shared capacity. A single client application was making an excessive number of requests to the /connect/token endpoint, resulting in an unintentional denial of service. Not an attacker or a malicious actor, just a misbehaving client that overwhelmed the shared infrastructure. Misconfigurations are a common source of the issues we see with customers, and this was no exception. For teams running critical identity infrastructure, this raises an important question: should you add rate limiting to your Duende IdentityServer deployment?
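One shape such a limit can take, as an added example that is not Duende IdentityServer code: a per-client token bucket in front of a simulated /connect/token endpoint, with constructed traffic showing the misbehaving client being throttled while a well-behaved one is untouched. The bucket size, refill rate, client ids and traffic pattern are assumptions made for the demo. In a real deployment you would express the same policy with ASP.NET Core's built-in rate limiting middleware (AddRateLimiter and UseRateLimiter) rather than hand-rolling it.

```javascript
// Added example, not Duende IdentityServer code: a per-client token bucket in
// front of a simulated /connect/token endpoint. Bucket size, refill rate,
// client ids and the traffic are assumptions constructed for the demo.
class TokenBucket {
  constructor(capacity, refillPerSecond) {
    this.capacity = capacity; this.refillPerSecond = refillPerSecond;
    this.tokens = capacity; this.lastMs = null;
  }
  // One request costs one token; tokens refill continuously up to capacity.
  tryTake(nowMs) {
    if (this.lastMs !== null) {
      this.tokens = Math.min(this.capacity,
        this.tokens + ((nowMs - this.lastMs) / 1000) * this.refillPerSecond);
    }
    this.lastMs = nowMs;
    if (this.tokens >= 1) { this.tokens -= 1; return true; }
    return false;
  }
}

class TokenEndpointLimiter {
  constructor({ capacity, refillPerSecond }) {
    this.capacity = capacity; this.refillPerSecond = refillPerSecond;
    this.buckets = new Map(); // partition key -> bucket
  }
  // Partition by client_id so one client's burst cannot starve the others.
  // client_id is read before client authentication, so it is attacker
  // controlled; pairing it with the source IP bounds what a spoofed id can do.
  partitionKey(req) {
    return req.body.client_id ? `client:${req.body.client_id}@${req.ip}` : `ip:${req.ip}`;
  }
  handle(req, nowMs) {
    const key = this.partitionKey(req);
    let bucket = this.buckets.get(key);
    if (!bucket) {
      bucket = new TokenBucket(this.capacity, this.refillPerSecond);
      this.buckets.set(key, bucket);
    }
    if (!bucket.tryTake(nowMs)) return { status: 429, headers: { 'Retry-After': '1' } };
    return { status: 200, body: { access_token: 'constructed', token_type: 'Bearer', expires_in: 3600 } };
  }
}

// Constructed traffic: a batch job hammers the endpoint 20 times in one second
// while a web app requests one token per second, both through the same limiter.
function simulate() {
  const limiter = new TokenEndpointLimiter({ capacity: 5, refillPerSecond: 1 });
  const tally = { 'batch-job': { ok: 0, limited: 0 }, 'web-app': { ok: 0, limited: 0 } };
  const send = (client_id, ip, atMs) => {
    const res = limiter.handle({ ip, body: { grant_type: 'client_credentials', client_id } }, atMs);
    tally[client_id][res.status === 200 ? 'ok' : 'limited'] += 1;
  };
  for (let i = 0; i < 20; i++) send('batch-job', '10.0.0.5', i * 50);
  for (let i = 0; i < 5; i++) send('web-app', '10.0.0.9', i * 1000);
  return tally;
}
```

The batch job gets its first five tokens and then 429s until its bucket refills, while the web app, in its own bucket, is never limited. Size the bucket from the legitimate peak of your busiest client, not from the average, and log the 429s: a client that hits the limit constantly is the misconfiguration you want to find.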
-
It's Probably DNS - Can You Dig It?
Every web developer has uttered the phrase "It's probably DNS!" It is a common refrain because issues with the Domain Name System are among the most frequent, and most frustrating, roadblocks to hosting web applications, especially enterprise mission-critical ones.
DNS is the Internet's phone book. It translates human-readable domain names (such as www.example.com) into machine-readable IP addresses (such as 192.0.2.1). When this translation fails, your users can't reach your application. For Duende IdentityServer customers, DNS failures can leave users unable to log in and complete their work, or clients unable to retrieve the OAuth 2.0 tokens they need to communicate securely with other services. When DNS goes wrong, everything breaks.
-
Security Lingo Explained: Encode vs Encrypt vs Hash
The security space can be a strange and confusing place for newcomers. In this series of posts, we aim to shed light on the security lingo you may encounter when reading the latest security specifications and scanning your favorite Duende documentation. By the end of this post, you’ll have added one more security phrase to your growing lexicon of security jargon with which to impress your fellow security professionals.
Today’s security lingo terms are Encode, Encrypt, and Hash. Each term describes converting data into a different representation, and each serves a different purpose: encoding can be reversed by anyone and protects nothing, encryption can be reversed only by someone holding the key, and hashing cannot be reversed at all. At a glance, these functions may seem interchangeable, and it’s easy to mistake one for the other. Not knowing the differences can lead to confusion or even security incidents. Let’s discuss what each term stands for and where you can see and hear it used.
-
Implementing Zero Trust with Resource Isolation
There's a good chance your application consumes one or more APIs. For example, you may have a back-office application that works with a shipping API and an invoice API. Or perhaps you have a microservice architecture, and there are 50 different APIs involved.
In this landscape, one of the most persistent security anti-patterns we see is access tokens with too much access. An overprivileged token arises when a client requests a wide array of scopes, such as invoice.read and shipping.write, and receives a single access token that carries all of the issued claims and is therefore accepted by every API behind those scopes. While asking for multiple scopes at once is convenient, the issued token raises a concerning trust issue. If the shipping API is compromised and the token leaks, an attacker can replay it against the invoice API, which sees a valid signature, a valid issuer and an audience that names it. The attacker holds a token that was issued once but is usable against almost every service in the solution. We've sacrificed security for convenience, and that weakens our security posture. This is where Resource Isolation comes in. Based on RFC 8707 (Resource Indicators for OAuth 2.0), this feature lets the client name its target API with the resource parameter when requesting a token, so that you can enforce strict trust boundaries between your APIs and ensure that a token is valid only for the specific target it was intended for.
-
Security Lingo Explained: JWT
The security space can be a strange and confusing place for newcomers. In this series of posts, we aim to shed light on the security lingo you may encounter when reading the latest security specifications and scanning your favorite Duende documentation. By the end of this post, you’ll have added one more security phrase to your growing lexicon of security jargon with which to impress your fellow security professionals.
Today’s security lingo is JWT, so let’s discuss what the acronym stands for and where you can see and hear it used.
-
DPoP Security for .NET APIs with JwtBearer Extensions v1.0.0
Today we are excited to announce version 1.0 of our Duende.AspNetCore.Authentication.JwtBearer (JwtBearer Extensions) package, which helps you implement Demonstrating Proof-of-Possession (DPoP) in .NET-powered APIs. JwtBearer Extensions is an easy-to-use extension for the JwtBearer authentication handler you are already using with ASP.NET Core. To get started, you only need a single NuGet package and minimal configuration, and the package supports advanced protocol features such as replay detection, server-issued nonces, signing algorithm configuration and clock skew tolerance, and is built for extensibility.
But what's the big deal with this package? What is DPoP, and why do you need it? DPoP binds an access token to a key pair the client holds, so that presenting the token also requires proving possession of that key, and a stolen token alone is no longer enough. In this article, we'll see why you want DPoP to make your applications more secure, and how JwtBearer Extensions helps you protect against a number of threats, such as replay attacks.
-
Announcing the Duende IdentityServer4 Migration Analysis Tool
As we enter 2026, many developers are considering the opportunities ahead, from implementing new business features to fixing long-standing bugs and paying down years of technical debt. In customer calls this year, we’ve found that a “popular” item on everyone’s New Year’s resolutions list is upgrading to the latest .NET 10 LTS release, alongside finally moving to the most secure and supported version of Duende IdentityServer to date.
At Duende, we want to fuel your ambitions and help you meet your goals. We’ve spent thousands of hours talking to IdentityServer4 users and have built a tool that should help teams understand the upgrade process ahead of them. If you're concerned about running an unsupported identity solution at the heart of your organization and want to upgrade, we have a solution we think you should consider. In this post, we’d like to introduce you to our IdentityServer4 Migration Analysis Tool, developed by our Customer Success team lead, Maarten Balliauw.
-
BenchmarkDotNet - Open Source Sponsorship
The software development space has creatively coined some memorable statements over the years, such as “speed is a feature”, “memory is cheap”, and “always blame the new guy”. All these statements have one thing in common: as developers, we should do our best to baseline our assumptions and verify them with measurements. In the spirit of building the best software we possibly can by focusing on the fine details, we are happy to announce that this quarter's Duende Open Source Sponsorship goes to BenchmarkDotNet.
In our fourth sponsorship, the team at Duende has chosen BenchmarkDotNet as the next open-source recipient of our ongoing commitment to supporting projects that empower individuals, teams, communities, and organizations.
Now let’s see what BenchmarkDotNet is all about.