As we close 2025, we look back on an exceptional year marked by dedication, innovation, and an unwavering commitment to our community. What follows details the remarkable technical achievements of our engineering teams, who delivered over 1,042 merged pull requests in our core products repository and 173 in our FOSS projects. These numbers represent thousands of hours spent coding, reviewing, testing, and ultimately, shipping best-in-class security software.
Our engineers not only pushed the boundaries of our products—achieving major milestones like the FAPI 2.0 Profile Certification for IdentityServer 7.3.0, the architectural leap of Backend for Frontend (BFF) 4.0.0 GA with its multi-frontend support, and the complete internal reimagination of Duende.AccessTokenManagement 4.0.0—but also ensured we remained future-proof with immediate .NET 10 Support across our major releases.
However, a year of success is built on more than just code. This review celebrates the collective hard work of every Duende employee. Our Sales Teams worked tirelessly to bring our enterprise-grade security solutions to new markets and clients. Our Marketing Team ensured that the value of our commitment to standards and developer experience resonated clearly, amplifying our message of security and compliance to a global audience. And, critically, our Customer Success Team was on the front lines, translating complex technical challenges into real-world solutions, fostering the strong trust our clients place in us.
Together, these efforts have resulted in a powerful, positive impact on both the Duende customer base and the broader .NET community.
🙏 Thank You, Community Contributions!
First, a huge thank you to our community contributors, including @SimonCropp, @wcabus, @0xced, @stefannikolei, @AndersAbel, @gao-artur, @buehler, @Tornhoof, and many others who submitted pull requests, reported issues, and participated in discussions!
📊 DuendeSoftware/products Repository
Note: There have been over 1,042 pull requests for the 2024-2025 period. View all results in GitHub.
🏆 Major Achievements
BFF 3.0.0 & 3.1.0 (Released March 2025)
- .NET 9 & 10 Support added
- Blazor Support - Comprehensive authentication support for Blazor applications with auto-render mode
- Server-Side Session Improvements
IdentityServer 7.3.0 (Released August 2025)
This was a significant release featuring:
- FAPI 2.0 Profile Certification - IdentityServer is now officially certified as conformant with the FAPI 2.0 Security Profile
- RFC 9701 Support - JWT Response from the introspection endpoint
- Diagnostic Data - New comprehensive diagnostic system to help with troubleshooting
- OpenTelemetry Metrics - Moved from experimental to stable, removing the "Experimental" service name
Backend for Frontend (BFF) 4.0.0 GA (Released December 2025)
A significant architectural evolution:
- Multi-Frontend Support - Revolutionary new capability to support multiple frontends from a single BFF instance
- OpenTelemetry Integration - Full observability support
- Duende.AccessTokenManagement V4 - Updated to use the latest token management library
- Configuration-Based Setup - Load frontends from IConfiguration for dynamic scenarios
IdentityServer 7.4.0 (Released December 2025)
Building on the success of 7.3.0:
- .NET 10 Support - Full support for the latest .NET runtime
- RFC 8414 Support - OAuth 2.0 Authorization Server Metadata
- Enhanced UI Localization - Improved support for the ui_locales parameter
- Dynamic Provider Improvements - New callback option for path detection
🔩 Key Improvements
- Session Lifetime Coordination - Fixed issues with persistent cookies, server-side sessions, and session expiration
- Back-Channel Logout - Resolved concurrent DbContext access issues and improved pipeline timing
- Dynamic Client Registration - Better support for public clients and customization
- Cookie Re-Issue Bug - Fixed unnecessary cookie re-issue that could cause premature session expiration
- Entity Framework Scoping - Fixed scoping issues in ServerSideSessionChecker
- mTLS Port Support - Respect port numbers in mTLS configuration
- DPoP & mTLS Integration - Proper handling when both are used together
🚀 Innovation Summary
Templates 1.1.0 - New unified template package:
- New duende-is template with improved admin UI and wizards
- Consolidated BFF templates (duende-bff-remoteapi, duende-bff-localapi, duende-bff-blazor)
- Better developer experience with updated visuals and guidance
Developer Productivity:
- Aspire Integration - All development hosts and clients now run through .NET Aspire for better local development
- Playwright Testing - End-to-end test infrastructure
- OpenTelemetry Tracing - Deep observability in development
- XUnit V3 Migration - Using the latest testing platform
📊 DuendeSoftware/foss Repository
Note: 173 total merged pull requests for 2024-2025. View all results in GitHub.
🏆 Major Achievements
Duende.AccessTokenManagement 4.0.0 (Released September 2025)
A complete internal reimagination:
- HybridCache Support - Significant performance improvements with two-layer caching (L1 memory + L2 distributed)
- OpenTelemetry Integration - Full metrics, logs, and traces support
- Composition Over Inheritance - New extensibility model with explicit extension points
- Strongly Typed Configuration - Better validation and IDE support
- Token Request Customization - New ITokenRequestCustomizer interface for context-based scoping
Duende.IdentityModel 8.0.0 RC1 (Released November 2025)
- .NET 10 Support - Full compatibility with the latest runtime
- RFC 9701 Support - JWT Introspection Response
- RFC 7523 bis Support - New token authentication type for private_key_jwt
- Improved Discovery Cache - Can now use HttpClient BaseAddress for authority
- JSON Claim Support - Native support for JSON claim value types
Duende.IdentityModel.OidcClient 7.0.0 RC1 (Released November 2025)
- DPoP Extensibility - New IDPoPProofTokenFactory interface for complete customization
- .NET 10 Support added
- Platform crypto provider support for signing keys
OAuth2Introspection 7.0.0 RC1 (Released November 2025)
- HybridCache Migration - Replaced IDistributedCache with modern HybridCache
- Nullable Reference Types - Enabled throughout for better type safety
- .NET 10 Support added
- Rebranded - Moved from IdentityModel namespace to Duende branding
🔩 Key Improvements
- Token Cache Expiration - Fixed calculation for cache invalidation (ATM 4.0.1)
- Scope Parsing - Loosened regex to be more RFC-compliant
- Concurrent Request Handling - Fixed race conditions in client credential token retrieval
- Entity Framework Scoping - Resolved service resolution issues in Blazor Server
🚀 Innovation Summary → Exciting Features
Token Management Evolution:
- Token Cache Duration Store - New interface for dynamic cache duration control
- Force Token Renewal - Ability to force renewal of OIDC user access tokens
- Assertion Support - Ensures assertions are used during token refreshes
- Error Description - Now includes error descriptions in token responses
Performance & Quality:
- API Verification Tests - Ensuring API stability across releases
- Obsolete API Cleanup - Removed deprecated DateTimeExtensions and Base64Url in favor of runtime-provided types.
- Removed SimpleJson - Modernized JSON handling
🎯 What All of This Means for You
Security & Compliance
With FAPI 2.0 certification and support for the latest security standards (RFC 9701, RFC 8414, RFC 7523), Duende IdentityServer remains at the forefront of OAuth 2.0 and OpenID Connect security. Your applications benefit from enterprise-grade security that meets the most stringent regulatory requirements.
Since we’re heading into the new year, now is also a great time to learn more about security through the library of content produced by Duende (docs, blog and YouTube) and by joining our technical discussions on GitHub.
Developer Experience
The new templates, Aspire integration, and diagnostic tooling make it easier than ever to get started and troubleshoot issues. The multi-frontend BFF support opens up exciting new architectural possibilities for complex applications that leverage SPA frameworks, such as Angular, React, and Vue.js.
Performance & Observability
HybridCache, OpenTelemetry integration, and improved caching strategies enable your applications to run faster and provide better visibility into what's happening under the hood.
Future-Proof
With .NET 10 support already in release candidates, Duende is staying ahead of the curve, ensuring you can adopt the latest .NET features as soon as they're available. We’ve detailed some of the most anticipated and impactful .NET 10 enhancements for our community, including: passkeys, metrics, cookie handler changes, and certificate improvements. Additionally, see our Passkey posts in our .NET 10 series to ensure you’re considering the best possible security for your organization:
- An Introduction to Passkeys - The Future of Authentication
- Passkeys in .NET 10 Blazor Apps with ASP.NET Identity
- Deep-Dive Into Relying Party ID and Origin With Passkeys
- Adding .NET 10 Passkey Support to Duende IdentityServer and ASP.NET Core
Friendly reminder, upgrading to .NET 10 and IdentityServer 7.4 provides three years of guaranteed support and security patching from Duende and Microsoft.
Conclusion
I’m immensely proud of what we’ve done this year. Not only has Duende delivered significant value to customers, but I think we’re also well prepared for your year ahead in 2026. Being a part of the .NET community for my entire career, I’m keenly aware that with the .NET 10 LTS release many development teams are planning significant modernization efforts in the months ahead. You may be in one of those teams, and we know how arduous and daunting it may be.
We’re thinking of you and how best you might deliver value to your user base. We’ve written about why now is a great time to add “improving our security posture” to the backlog. But the tl;dr is that by upgrading to the latest version of Duende products, you position your development team to capitalize on new opportunities and remain competitive in the software solutions space.
All in all, it’s a bright future for Duende customers. We wish you the best in the new year.
Ready to upgrade? Check out our documentation for migration guides and get started with the most flexible and standards-compliant OpenID Connect and OAuth 2.x framework for ASP.NET Core! 🚀