Your IdentityServer v8 Upgrade Checklist: A Quick Pre-Flight Guide

Summary: Upgrading to IdentityServer v8 doesn't have to be stressful. The release follows an additive infrastructure model, meaning your existing configuration, clients, and deployments continue to work without breaking changes. This guide walks you through a practical pre-flight checklist covering everything from auditing your current setup and backing up your stores, to updating your .NET SDK, running database migrations, and safely rolling out to production. Once you're on v8, you'll also unlock a suite of powerful opt-in features, including Multi-Issuer support, User Management, SAML 2.0, and Financial-Grade Security conformance.
Nobody wakes up on a Monday morning and thinks, “You know what would be fun? Breaking authentication for every user in production.” But we know that’s exactly what flashes before your eyes when you see “Major Version Upgrade” in the release notes. If you’re feeling that IdentityServer v7-to-v8 upgrade anxiety: we get it.
Here's the good news: migrating from IdentityServer v7 to v8 was designed with one simple rule: don't break what's working. IdentityServer 8 follows an additive infrastructure model. New capabilities are additions, not replacements. Your existing configuration, your clients, and your deployment all keep working.
But even smooth upgrades deserve a little prep. Think of this as your pre-flight checklist. Pilots don't skip it just because they've flown a thousand times, and neither should you.
The Checklist
Before You Touch Anything
Know what you're running. Write down your exact IdentityServer v7 NuGet package version, your .NET version, your database provider, and every custom extension you've wired up (IProfileService, custom grants, middleware, etc.). Future-you will thank present-you.
Scan the release notes and upgrade docs for what affects you. Look for deprecated APIs you're currently using, changes to default behavior (token lifetimes, security defaults), and anything deprecated in IdentityServer v7 and removed in IdentityServer v8.
Back up everything. Configuration store, operational store, deployment artifacts, config files. If it matters, back it up. Not sure if it matters? Back it up.
Clone your environment. Spin up a staging or test environment that mirrors production. Representative data, realistic clients, the works. If you have automated tests for your identity flows, now's their time to shine. If you don't, maybe make that your next project.
Map and know your rollback path. Before you touch production, document how you get back to IdentityServer v7 if something goes wrong. Database restore steps, NuGet package downgrades, DNS or deployment slot swaps. Whatever applies to your setup. You probably won't need it, but the pre-flight checklist isn't complete without it.
The Actual Upgrade
Update your .NET SDK and target framework. IdentityServer v8 targets net10.0. Update global.json and your .csproj TargetFramework before touching NuGet packages.
Update ALL Duende IdentityServer NuGet packages to v8. All of them. At the same time. Don't mix versions. That path leads to sadness.
Run database migrations (if applicable). If you're using EF-backed stores, generate idempotent migration scripts and review the resulting SQL before applying them. For large databases, test on a copy of production data first and estimate migration time.
Build and fix. Run dotnet build. If it compiles, you're already most of the way there. Address any breaking changes; the release notes include before/after examples for each. Note that the biggest change is the move towards proper use of CancellationToken.
Run your tests. Unit tests first, then integration tests. Pay attention to token format, discovery document structure, refresh token behavior, and session management. Compare IdentityServer v7 and IdentityServer v8 outputs side by side if you want extra peace of mind.
Deploy to staging, then production. Staging first. Smoke test with real clients. Then production, ideally during a low-traffic window. Watch p50/p95/p99 latency, token issuance success rate, and error rates on the token endpoint. Compare to your IdentityServer v7 baseline for the first 48 hours.
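One way to do the side-by-side comparison of discovery documents from the test step, as an added example that is not Duende's code. The host idp.example.test, both sample documents, and the function names diff_discovery and client_impact are constructed for illustration; in practice you would load the JSON saved from each version's discovery endpoint.

```python
import json

# Constructed samples: the differences are invented to exercise the diff and
# say nothing about what IdentityServer v8 actually changes.
BEFORE = json.loads("""{
  "issuer": "https://idp.example.test",
  "token_endpoint": "https://idp.example.test/connect/token",
  "grant_types_supported": ["authorization_code", "client_credentials", "refresh_token"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "frontchannel_logout_supported": true
}""")
AFTER = json.loads("""{
  "issuer": "https://idp.example.test",
  "token_endpoint": "https://idp.example.test/connect/token",
  "grant_types_supported": ["refresh_token", "authorization_code"],
  "id_token_signing_alg_values_supported": ["RS256", "ES256"],
  "pushed_authorization_request_endpoint": "https://idp.example.test/connect/par"
}""")

def diff_discovery(before, after):
    """Compare key by key; lists are compared as sets because order is not significant."""
    report = {"removed": [], "added": [], "changed": {}}
    for key in sorted(set(before) | set(after)):
        if key not in after:
            report["removed"].append(key)
        elif key not in before:
            report["added"].append(key)
        elif isinstance(before[key], list) and isinstance(after[key], list):
            old, new = set(before[key]), set(after[key])
            if old != new:
                report["changed"][key] = {"dropped": sorted(old - new),
                                          "gained": sorted(new - old)}
        elif before[key] != after[key]:
            report["changed"][key] = {"old": before[key], "new": after[key]}
    return report

def client_impact(report):
    """Changes that can break an existing client: lost keys, changed scalars, lost list values."""
    findings = [f"removed {key}" for key in report["removed"]]
    for key, change in report["changed"].items():
        if "old" in change:
            findings.append(f"{key}: {change['old']!r} -> {change['new']!r}")
        elif change["dropped"]:
            findings.append(f"{key} no longer lists {', '.join(change['dropped'])}")
    return findings

if __name__ == "__main__":
    for line in client_impact(diff_discovery(BEFORE, AFTER)):
        print("REVIEW:", line)
```

Purely additive changes (a new key, a new algorithm) stay in the full report but are left out of client_impact, so the findings list only contains what an existing client could trip over.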
Ready?
The migration was designed to be straightforward. The core behavior is unchanged, and new features are opt-in. The upgrade isn't a tax, it's an investment in where your identity infrastructure is headed.
Check out the IdentityServer v8 upgrade guide →
Start with the checklist above, set up a test environment, and try the upgrade. If you hit anything unexpected, let us know!
Done with the upgrade? Here's what you unlocked.
IdentityServer v8 is a platform that grows with you. Start with what you need today, add new capabilities tomorrow. Each of these is an independent, opt-in add-on:
- Multi-Issuer — Have multiple issuers served from the same deployment. Each gets its own OIDC discovery endpoint and signing key rotation.
- User Management — Modern authentication methods like One-Time Passwords (OTP), passkeys, ... Registration flows, self-service password reset, ... The things AddAspNetIdentity<T>() doesn't give you.
- SAML — Full SAML 2.0 support as an IdP, and federation to other SPs. That "20-year-old protocol" still runs half the enterprise world, and your customers know it.
- Financial-Grade Security and Compliance — DPoP, PAR, and sender-constrained tokens validated in an OAuth 2.1 and FAPI 2.0 profile conformance report. Useful for any high-value API.
Happy upgrading!