Today, we’re excited to announce Duende IdentityServer v7.3 (ISv7.3), a release focused on Financial-grade API 2.0 (FAPI 2.0) conformance, fast and intuitive quickstart templates, and enhanced extensibility, spec compliance, and diagnostics.
Duende IdentityServer continues to be a secure, flexible, and standards-compliant framework for OpenID Connect and OAuth 2.0. Now, with FAPI 2.0 conformance, ISv7.3 provides a more robust and secure foundation for organizations handling sensitive data and critical functionality. Plus, our improved quickstart templates mean even developers new to identity can have a working IdentityServer in under an hour, accelerating developer onboarding, proof-of-concept, and customization.
Why FAPI 2.0?
Your digital services are expanding, and we know that brings two key challenges: protecting sensitive data and maintaining critical functionality. Our philosophy at Duende is to provide you with a standards-based foundation that not only hardens your security posture but also enables confident, large-scale growth.
But why FAPI 2.0? As organizations handle increasingly sensitive transactions—financial data, patient records, critical infrastructure—they need a security posture they can trust at scale. Many teams begin with custom-built security models, only to discover that these implementations struggle to meet regulatory demands, introduce vulnerabilities, and become bottlenecks when scaling to millions of users.
FAPI 2.0 provides a hardened, standards-based framework designed for high-value, high-assurance scenarios such as finance, healthcare, and e-government. Built on top of OAuth 2.0 and OpenID Connect, FAPI 2.0 enforces best current practices that all OAuth and OpenID Connect implementations should adopt, for example:
- Avoiding vulnerable OAuth flows, such as the Implicit Flow and Resource Owner Password Flow;
- Requiring PKCE to defend against authorization code injection attacks; and
- Using short-lived access tokens paired with long-lived refresh tokens bound to the client application.
Beyond fundamentals like these, FAPI 2.0 mandates additional layers of protection that are appropriate for high-security environments, including:
- Mandating Pushed Authorization Requests (PAR) to provide confidentiality and integrity to the authorization endpoint’s parameters;
- Requiring either Demonstrating Proof-of-Possession (DPoP) or Mutual TLS (mTLS) to sender-constrain access tokens, preventing abuse of exfiltrated tokens;
- Enforcing strong client authentication mechanisms (private_key_jwt or mTLS) that do not rely on shared secrets; and
- Enforcing algorithmic and lifetime requirements for all JWTs.
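As an added illustration (not code from this post or from the Duende project), the requirements above map onto a Duende IdentityServer `Client` definition: a legacy client that still relies on the patterns FAPI 2.0 rules out, beside the same client aligned with the profile. The property names are those of the IdentityServer `Client` model as I know them and are assumed rather than checked against v7.3; the client ids, redirect URIs and the JWK value are placeholders.

```csharp
using Duende.IdentityServer;
using Duende.IdentityServer.Models;

public static class FapiClients
{
    // "Before": implicit flow, shared-secret authentication and a long-lived bearer token
    // with no sender constraint. Kept only to show what FAPI 2.0 removes.
    public static Client Legacy() => new Client
    {
        ClientId = "legacy-web",                                    // placeholder
        AllowedGrantTypes = GrantTypes.Implicit,                    // flow FAPI 2.0 does not allow
        ClientSecrets = { new Secret("shared-secret".Sha256()) },   // shared secret
        RedirectUris = { "https://legacy.example/callback" },       // placeholder
        AllowedScopes = { "openid", "accounts" },
        AccessTokenLifetime = 24 * 60 * 60,                         // 24 h bearer token
    };

    // "After": the same client configured the way the FAPI 2.0 security profile expects.
    public static Client Fapi2() => new Client
    {
        ClientId = "fapi2-web",                                     // placeholder
        AllowedGrantTypes = GrantTypes.Code,                        // authorization code flow only
        RequirePkce = true,                                         // defends against code injection
        RequirePushedAuthorization = true,                          // PAR: parameters stay on the back channel
        RequireDPoP = true,                                         // sender-constrained tokens (mTLS is the alternative)
        // private_key_jwt: the client authenticates with a key pair, so no shared secret is stored.
        ClientSecrets =
        {
            new Secret
            {
                Type  = IdentityServerConstants.SecretTypes.JsonWebKey,
                Value = "{\"kty\":\"RSA\",\"n\":\"<placeholder>\",\"e\":\"AQAB\"}" // placeholder public JWK
            }
        },
        RedirectUris = { "https://fapi2.example/callback" },        // placeholder, https only
        AllowedScopes = { "openid", "accounts" },
        AllowOfflineAccess = true,                                  // refresh tokens are issued...
        AccessTokenLifetime = 5 * 60,                               // ...paired with short-lived access tokens
        RefreshTokenUsage = TokenUsage.OneTimeOnly,                 // rotated on every use
        RefreshTokenExpiration = TokenExpiration.Sliding,
        AllowedIdentityTokenSigningAlgorithms = { "PS256" },        // asymmetric, PSS-padded signatures
    };
}
```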
These are just some of the many requirements that must be followed to pass the FAPI conformance tests. In ISv7.3, we completed the conformance process ourselves, which made us aware of edge cases where we could simplify the process for our users. This involved:
- Adding new configuration options to control the algorithms IdentityServer uses when creating JWTs of various types;
- Refining how we describe those algorithms in the discovery document;
- Adding a new option to control the allowed clock skew when validating JWTs; and
- Fixing certain error messages to match the conformance suite's expectations.
By adopting this specification-based approach, organizations can then scale confidently. Norway’s HelseID platform offers a compelling real-world example of a national-scale, standards-based identity infrastructure capable of evolving with regulatory and security best practices. It’s also an excellent example of how a large-scale system can securely modernize with Duende IdentityServer and FAPI 2.0.
Accelerated Developer Experience
We know that even seasoned .NET developers can find the learning curve of OAuth 2.0 and OpenID Connect daunting. Our improved quickstart templates are designed to get you from zero to a functional Duende IdentityServer in under 60 minutes by reducing setup complexity, and enabling you to experiment, customize, and integrate with real confidence and speed.
Key improvements include:
- Modern, guided setup with contextual hints and a live claims debugger;
- Admin Dashboard for managing clients and scopes—no database digging required;
- Generated C# code snippets for faster client integrations; and
- Fully customizable templates that serve as a solid foundation for enterprise-grade solutions.
See our walkthrough blog for more information.
RFC 9701, Diagnostics and Troubleshooting
Additional improvements in this release focus on enhancing Duende IdentityServer’s extensibility, its compliance with security specifications, and the troubleshooting of technical setups and licensing issues.
RFC 9701: JSON Web Token (JWT) Response for OAuth Token Introspection
ISv7.3 now supports JWT responses from the introspection endpoint, allowing Duende IdentityServer to return cryptographically signed JWTs rather than unsigned JSON when tokens are introspected. These signed introspection responses offer non-repudiation for the claims returned during introspection.
This feature is beneficial in situations where the Authorization Server holds legal responsibility for the introspection response. For instance, a Resource Server might depend on personal data provided by the Authorization Server via introspection to generate electronic signatures. With a JWT response, this introspection response can be stored and independently validated in the event of an audit or dispute.
For organizations managing digital credentials or electronically signing documents, this provides a standards-based, verifiable mechanism for auditing and compliance.
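An added example (not from this post or the Duende code base) of the resource-server side of RFC 9701: validating the signed introspection JWT before trusting or archiving it, using Microsoft.IdentityModel.JsonWebTokens. The `typ` value and the nested `token_introspection` claim come from RFC 9701; the issuer, audience and signing key passed in are assumed to be resolved by the caller, for example from the Authorization Server's discovery document.

```csharp
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

public static class IntrospectionResponseValidator
{
    // Returns the "token_introspection" object when the response is validly signed by the
    // expected Authorization Server, addressed to this resource server, and reports an active token.
    public static async Task<JsonElement?> ValidateAsync(
        string introspectionJwt, string expectedIssuer, string resourceServerId, SecurityKey issuerKey)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = expectedIssuer,                      // the AS that signed the response
            ValidAudience = resourceServerId,                  // the response is addressed to us
            IssuerSigningKey = issuerKey,                      // the AS signing key (e.g. from discovery)
            ValidTypes = new[] { "token-introspection+jwt" },  // RFC 9701 typ header; rejects ordinary access tokens
            RequireExpirationTime = false,                     // the outer JWT carries iat; exp is checked when present
        };

        var result = await new JsonWebTokenHandler().ValidateTokenAsync(introspectionJwt, parameters);
        if (!result.IsValid) return null;

        // The introspection claims are nested, not top-level, so read them from the raw payload.
        var payload = Base64UrlEncoder.Decode(((JsonWebToken)result.SecurityToken).EncodedPayload);
        using var doc = JsonDocument.Parse(payload);
        if (!doc.RootElement.TryGetProperty("token_introspection", out var introspection)) return null;
        if (!introspection.TryGetProperty("active", out var active) || !active.GetBoolean()) return null;

        // Only a validated response is worth keeping: persist introspectionJwt verbatim so the
        // claims can be re-verified against the AS key in an audit or dispute.
        return introspection.Clone();
    }
}
```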
Pinpointing Configuration Headaches in Complex IdentityServer Deployments
At times, troubleshooting an IdentityServer implementation can feel like searching for a needle in a haystack. With its many extensibility points and the inherent complexity of .NET configuration, identifying the root cause of an issue can be a daunting task. ISv7.3 introduces new diagnostic logging capabilities that help teams understand configuration and licensing behavior, while also giving operations teams data to analyze and pinpoint issues faster. This transparency not only improves troubleshooting but also provides valuable insights for planning, compliance, and cost optimization.
Diagnostic data is never automatically shared with Duende - instead it is logged periodically. In a support scenario, you can choose to share the diagnostics from your logs to help us understand the problem and provide you with a faster resolution. We document all the data that we log here and write it in easily readable JSON.
Get Started Today!
Duende IdentityServer v7.3 is available now. This release is more secure than ever before while also allowing new users to get up and running faster. Our upgrade guide for existing users is here, while new users can get started with our quickstart tutorials here. Detailed release notes and our source code are also available on GitHub.
We look forward to your feedback on this release. Feel free to comment on this post or join the discussion in our community forum. Thank you for your continued support.