Duende IdentityServer v7.4 Release Now Available: Securing the Age of AI and .NET 10 LTS

Joe DeCock

Today, we are proud to announce Duende IdentityServer v7.4. This is an important release that’s been built for .NET 10 Long-Term Support (LTS) and adds support for standards that are important for Agentic AI systems and the Model Context Protocol (MCP).

Duende IdentityServer remains the flexible, standards-compliant SDK for OpenID Connect and OAuth 2.0. With v7.4, we’re focused on .NET 10 upgrades that prioritize stability, safety, and long-term commitment. We’re also helping our users navigate the uncertainty of the AI boom with predictable, protocol-driven security. Plus, we’ve started a new community with an avenue for direct, technical collaboration - Duende Product Insiders.

⚡ Powering ISv7.4 with .NET 10 LTS

Duende IdentityServer v7.4 is now fully compatible with the latest features and architectural improvements in .NET 10, ensuring stability with three years of support and security patches from Duende and Microsoft. We’ve written before about the most anticipated and impactful .NET 10 enhancements for our community, including: passkeys, metrics, cookie handler changes, and certificate improvements. The following are the major benefits for you and your organization:

Long-Term Stability: Upgrading to .NET 10 and IdentityServer 7.4 provides three years of guaranteed support and security patching from Duende and Microsoft. Additionally, adopting the .NET 10 LTS release ensures your security infrastructure benefits from a modern, high-performance runtime platform with foundational security improvements baked in. There are a few .NET 10 breaking changes to keep an eye on, but now is a great time to upgrade.

Native Passkey Support: Leveraging .NET 10's native Passkey support in ASP.NET Core Identity allows enterprises to implement phishing-resistant, passwordless authentication using FIDO standards. This directly addresses the vulnerability of traditional passwords and multi-factor authentication to phishing and credential stuffing attacks. How can this help your organization? See our Passkey posts in our .NET series:

Better development experience on localhost: For ASP.NET Core developers, cookies are a vital part of development. .NET 10 supports working with separate localhost domain names, which helps mimic a typical production environment. Read more about Why You Should Be Using .NET 10's New TLS Certificate.

Migrate to .NET 10 now to access platform optimizations and secure long-term stability for your enterprise applications.

🤖 Secure Agentic AI and building MCP servers with RFC 8414 and DCR

They say history doesn’t repeat itself, but it rhymes. In the case of the AI boom currently sweeping the world, the historical precedent I see is the early days of IoT development, when many new products were rushed to market without much regard for safety or security. The consequences were predictably bad, with many devices handling sensitive data - even the video and audio feeds from baby monitors! - without any security controls. Similarly, AI agents are being given access to valuable resources without much thought to security. Many of our users have asked us to consider how best to provide a predictable, enterprise-grade security foundation to expose high-value data for AI agents performing RAG and other complex tasks.

These kinds of highly regulated industry use cases often require the introduction of AI-driven clients and protocols, such as the Model Context Protocol (MCP). These clients and protocols also bring a massive operational and security challenge: how do you securely and reliably authorize sophisticated, often vendor-supplied, agents accessing your most sensitive data: RAG, customer data, and patient records?

The answer is standardization and automation. Relying on fragile, custom authorization methods creates security nightmares. This is where Dynamic Client Registration (DCR) becomes indispensable. DCR (RFC 7591) enables AI agents to automatically and securely provision themselves with an Authorization Server, thereby eliminating the burden of manual configuration.

Duende IdentityServer v7.4 now implements RFC 8414 (OAuth 2.0 Authorization Server Metadata), the final critical piece that completes the DCR automation chain. RFC 8414 standardizes how an OAuth client discovers all capabilities, supported flows, and endpoint locations - including the crucial DCR endpoint - via a single, machine-readable JSON document at a well-known endpoint. This capability is essential because RFC 8414 provides the 'missing link' that allows an AI client to locate and use the DCR endpoint to register itself programmatically.
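
The client side of the discovery-then-registration chain described above, as an added Python example that is not Duende's code or API: it builds the RFC 8414 well-known URL, validates the returned document before trusting its registration endpoint, and prepares an RFC 7591 request body. The issuer, endpoint paths, client name and the same-host policy are assumptions made for the example.

```python
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/oauth-authorization-server"

# Constructed sample of a metadata document (all values are placeholders).
SAMPLE_ISSUER = "https://idp.example.com/tenant1"
SAMPLE_METADATA = {
    "issuer": "https://idp.example.com/tenant1",
    "authorization_endpoint": "https://idp.example.com/tenant1/authorize",
    "token_endpoint": "https://idp.example.com/tenant1/token",
    "registration_endpoint": "https://idp.example.com/tenant1/register",
    "response_types_supported": ["code"],
    "grant_types_supported": ["authorization_code", "client_credentials"],
}

def metadata_url(issuer):
    """RFC 8414 section 3: insert the well-known suffix between host and path."""
    u = urlsplit(issuer)
    if u.scheme != "https" or u.query or u.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    return urlunsplit(("https", u.netloc, WELL_KNOWN + u.path.rstrip("/"), "", ""))

def registration_endpoint(issuer, metadata):
    """Validate a fetched metadata document and return its DCR endpoint."""
    # RFC 8414 section 3.3: the document's issuer must equal the issuer the
    # URL was built from, or another party could substitute its own endpoints.
    if metadata.get("issuer") != issuer:
        raise ValueError("issuer in metadata does not match requested issuer")
    endpoint = metadata.get("registration_endpoint")  # optional in RFC 8414
    if endpoint is None:
        raise LookupError("server does not advertise dynamic client registration")
    e = urlsplit(endpoint)
    # Assumed local policy, stricter than the RFC: https and same host as issuer.
    if e.scheme != "https" or e.netloc != urlsplit(issuer).netloc:
        raise ValueError("registration endpoint rejected by local policy")
    return endpoint

def registration_request(metadata, redirect_uri):
    """Build an RFC 7591 client metadata body from advertised capabilities."""
    # RFC 8414 default when grant_types_supported is omitted.
    grants = metadata.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants or "code" not in metadata.get("response_types_supported", []):
        raise ValueError("authorization code flow is not advertised")
    return {
        "client_name": "example-agent",  # hypothetical client name
        "redirect_uris": [redirect_uri],
        "grant_types": ["authorization_code"],
        "response_types": ["code"],
        "token_endpoint_auth_method": "none",  # public client, no secret
    }
```

The dictionary returned by `registration_request` is what a client would send as the JSON body of a POST to the validated registration endpoint.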

This combined support for DCR and RFC 8414 is critical for establishing a stable, secure, and future-proof MCP server architecture.

  • Dynamic, Policy-Driven Security: The full implementation of DCR means MCP tooling and AI agents can now dynamically discover the registration endpoint (via RFC 8414) and then configure themselves based on the server's machine-readable metadata. This shifts the security burden away from manual, static client configuration and into your corporate security policy layer.
  • Confidence in Complex Flows: By adopting these IETF standards, Duende IdentityServer builds on pre-vetted threat models, ensuring correctness, especially in complex, high-volume, highly federated environments (like machine-to-machine clients or bank federations) that are now expanding into AI use cases requiring thousands of uniquely registered agents.
  • Secure HRI (Highly Regulated Industry) Use Cases: The predictability offered by DCR and RFC 8414 provides the enterprise-grade foundation necessary to integrate MCP with existing authorization rails, making it safe to expose high-value data for AI agents performing RAG and other complex tasks.

In a world where AI security is evolving, Duende's approach - building on established IETF consensus protocols like RFC 8414 and DCR - ensures a stable, secure API surface that avoids "the wild west" volatility and provides correctness from the start.

🤝 Shape Duende's Future: Early Access. Deep Collaboration. Better Security and Identity.

We are excited to launch the Duende Discord Community and the Product Insiders Program. This new community creates a dynamic, interactive channel for direct collaboration between Duende engineers and the community's most technical experts.

  • Real-time Deep Technical Conversations: Engage directly with the builders of IdentityServer for spec-level clarity and rigorous discussion about architectural feedback and adoption patterns.
  • Duende Product Insiders: As a verified Product Insider, you will get early access to experiments and prototypes, test unreleased features, and directly influence the product’s Minimum Viable Product (MVP) scope, ensuring implementation quality and market readiness before broader release to the .NET ecosystem.
  • Collaboration Loop: Don’t wait for webinars, conferences, or user meetings; tell us what you think.

Connect with us on the Duende Discord Community to get started and join a deeply technical, standards-driven community. This is your chance to actively partner with us in defining the future of Duende’s roadmap innovations and the best of security and identity for .NET. Join us today!

Get Started Today!

Duende IdentityServer v7.4 is available now. This release provides the stable, standards-based identity infrastructure solution you need to leverage .NET 10's advancements, secure your MCP server, and future-proof your architecture. Our upgrade guide for existing users is here, while new users can get started with our quickstart tutorials here. Detailed release notes and our source code are also available on GitHub.

We look forward to your feedback on this release. Feel free to comment on this post or join the discussion in our community forum. Thank you for your continued support.