-
Duende IdentityServer v7.3 Release Now Available: FAPI 2.0 and Accelerated Developer Onboarding
Today, we’re excited to announce Duende IdentityServer v7.3 (ISv7.3), a release focused on Financial-grade API 2.0 (FAPI 2.0) conformance, fast and intuitive quickstart templates, and enhanced extensibility, spec compliance, and diagnostics.
Duende IdentityServer continues to be a secure, flexible, and standards-compliant framework for OpenID Connect and OAuth 2.0. Now, with FAPI 2.0 conformance, ISv7.3 provides a more robust and secure foundation for organizations handling sensitive data and critical functionality. Plus, our improved quickstart templates mean even developers new to identity can have a working IdentityServer in under an hour, accelerating developer onboarding, proof-of-concept, and customization.
-
From Zero To Duende IdentityServer in Under an Hour with Improved Templates
At Duende, we recognize that many of our customers may have decades of .NET experience, while also being new to OAuth 2.0 and OpenID Connect. Security is a challenging domain to get started with, but it rewards those who persevere with improved security, greater interoperability, and future extensibility.
One of our goals with the release of Duende IdentityServer v7.3 is to lower the barrier for developers starting with security by improving the onboarding experience and decreasing the time between ideation and production. In fact, using our new template should get you a proof of concept identity provider in 60 minutes or less.
In this post, we’ll cover improvements to our new .NET project template and show you some of the enhancements that better help you understand and implement your very own OAuth 2.0 and OpenID Connect identity provider.
-
Filtering Exception Messages with Serilog Expressions
Working with Duende IdentityServer customers, we’ve noticed many developers adopting Serilog as their preferred logging framework, in addition to the ILogger abstractions found in ASP.NET Core. There’s a lot to love about this simple yet powerful logging library built with structured event data in mind: easy installation, straightforward configuration, multiple target sinks, fantastic documentation, and a large community of .NET developers. It’s so great that we ship it as part of our templates to help developers adopt what we view as a great approach to logging information, warnings, and, in rare cases, exceptions.
This post highlights an underrated feature of the Serilog family of extensions: Serilog Expressions.
-
Best Practices of Web Application Security in 2025
We understand that making application security decisions is an important and daunting task. The security information can be overwhelming, especially when searching for information about OAuth 2.0 and OpenID Connect. We provide some general, recent information to help developers make decisions when architecting a solution.
In this post, we’ll provide an overview detailing the essential security and authentication flows, which flows to avoid in newer implementations, some security measures built into the specification, best practices for single-page application development, and some enhanced security features.
Many of these recommendations are based on the IETF Best Current Practices document, which you can refer to anytime. Regarding Duende IdentityServer, we’ve done our best to codify best practices when possible, but some decisions are still left to developers to implement.
-
ASP.NET Core Authentication and External Providers
Managing users and their identities is among the most challenging components of application building. That’s why some developers use external identity providers to reduce the maintenance burden and focus on solving new and interesting problems. The most popular external providers include Google, Microsoft, and other social media platforms.
In this post, we’ll show how to create a basic ASP.NET Core web application that defers its authentication to an external provider, in our case, Google. We’ll also discuss the relationship between external authentication and cookie authentication. Finally, we’ll explain why you may want to consider a different option for your production applications.
To follow along, you will need a Google Account to create a new Client with a corresponding Client ID and Client Secret. It only takes a few minutes and is easy to set up.
-
Integration Testing .NET Auth with Duende IdentityServer
Getting all the moving parts to work together can be daunting when building and maintaining a .NET auth solution. Developers are adopting OAuth 2.0 and OpenID Connect for authorization and authentication, powered by Duende IdentityServer, to quickly provide a tested and mature security solution. With the Duende-provided SDK, developers can customize their instance of IdentityServer, but they still want to ensure it works as intended.
In this post, we’ll show you how to take your existing IdentityServer instance, or even an IdentityServer development instance, and use it with your favorite unit testing framework. We’ll also show you how to add a special test client for a unit test.
-
What's In the Duende Software Toolkit?
While Duende’s most notable offering is the IdentityServer SDK, the OpenID Connect and OAuth solution for .NET developers, we provide more value with other products, services, and libraries.
In this post, we will explain the commercial and free open-source options we offer .NET developers, the problems these solutions solve, and how you can use them to improve a .NET application’s security posture.
-
Step Up Challenges with Duende IdentityServer and ASP.NET Core APIs
In a previous post, we discussed implementing a Step Up challenge in a typical ASP.NET Core client application powered by Duende IdentityServer. A Step Up challenge helps you build applications that ensure critical actions are performed by the user in question by applying additional levels of scrutiny.
While client logic can handle most Step Up Challenge scenarios, modern ASP.NET Core solutions may depend on a distributed architecture of APIs, each with unique security requirements.
In this post, we’ll cover the OAuth RFC 9470 specification. This specification allows API developers to request that a client perform a Step Up challenge and issue access tokens that meet the security requirements of an API endpoint. We’ll also see how to implement challenges in your ASP.NET Core APIs and dependent clients.
-
Astro - Open Source Sponsorship
We’re passionate about open source and grateful for the many maintainers and contributors who make the software world better for everyone. Our team has been fortunate to play a part in the .NET open source ecosystem, with contributions to numerous projects and NuGet packages over the years. We know firsthand that maintaining open source projects is both rewarding and challenging, and we want to do our part in supporting the community.
This time around, we selected Astro as our next open source sponsorship recipient as part of our ongoing commitment to supporting the open source projects that empower our products and community.
-
Step Up Challenges for ASP.NET Core Client Apps with Duende IdentityServer
Modern software solutions involve hundreds of user actions. When building solutions, user interactions can have impacts ranging from mundane to critical, making it the application’s responsibility to ensure that the user acts intentionally. While a system can follow the best security practices, it may be beneficial to reaffirm a user’s identity before they perform a potentially irreversible action, for example by requiring multi-factor authentication (MFA) as a Step Up challenge to confirm the user's actions.
In this post, we’ll define Step Up challenges, and highlight their role in a modern .NET solution. We'll also examine how to implement the feature in your ASP.NET Core apps powered by Duende IdentityServer to add a layer of security to mission-critical user decisions.