Duende Blog

Development teams look very different from teams 20 years ago, heck, even 5 years ago. Here at Duende, we have developed with .NET since its inception, and we know many of you have as well. The technology has been foundational for building solutions for decades now. Still, in our time, we’ve seen organizations also begin to evolve, adopting new technology, deploying to new devices, and delivering new user experiences. To say we, as a professional industry, have come a long way would be an understatement.

The umbrella term “development” now sees teams adopting practices in frontend, backend, operations, database management, and many other areas. Professionals’ skills and discipline coalesce to deliver outcomes that bring joy to stakeholders and, most importantly, users. While your users may experience positive emotions using software you’ve developed, quietly in the background, the unsung hero of security ensures they do so in a safe and secure environment.

Let’s examine why now is an excellent time to consider Backend for Frontend (BFF) when building new solutions or modernizing existing ones.

Love it or hate it, AI is here and it’s finding its way into software all over the world. Regardless of your opinion on the current state of AI, here at Duende Software, we just want you to do all things software-related securely.

In relation to AI, developers are starting to explore scaling operational efficiency with AI agents. These AI Agents could be a powerful addition to an organization, but an LLM-only approach can be fraught with costly errors, misinformation, and hallucinations. Anything worth doing is worth doing right, but what does “right” currently look like? After all, developers want to deliver secure AI experiences, right?

In this post, we’ll discuss the Model Context Protocol, how developers can utilize the emerging protocol to deliver existing operational investments to a new audience, and, most importantly, how to securely deliver software-based value with industry best practices and spec-compliant implementations using Duende IdentityServer.

Today, we are proud to announce Duende IdentityServer v7.4. This is an important release that’s been built for .NET 10 Long-Term Support (LTS) and adds support for standards that are important for Agentic AI systems and the Model Context Protocol (MCP).

Duende IdentityServer remains the flexible, standards-compliant SDK for OpenID Connect and OAuth 2.0. With v7.4, we’re focused on .NET 10 upgrades that prioritize stability, safety, and long-term commitment. We’re also helping our users navigate the uncertainty of the AI boom with predictable, protocol-driven security. Plus, we’ve started a new community with an avenue for direct, technical collaboration - Duende Product Insiders.

Today, we are excited to announce the release of Duende BFF Security Framework v4 (BFFv4), an essential update that fundamentally simplifies how .NET developers secure multi-frontend applications while dramatically increasing system observability.

For .NET developers, Duende provides an identity infrastructure solution offering an SDK for flexible, standards-compliant identity and access control. Duende’s solutions enable customization of implementations built on OpenID Connect and OAuth 2.0. As highlighted in the BFFv4 live stream, in alignment with the Internet Engineering Task Force’s (IETF) best current practice document, storing OAuth tokens in the browser is a significant security risk, exposing your application to various injection and supply-chain attacks. The backend for frontend (BFF) pattern moves the OAuth flow and token management to the secure server side, using HTTP-only cookies to manage the user session, drastically reducing the attack surface.

With BFFv4, we continue our mission: secure, standards-based identity—all simplified for developers.

If you’re a professional ASP.NET Core developer in today’s world, you’re likely working on some form of JSON-over-HTTP project. In fact, building web APIs is arguably the strongest use case for ASP.NET Core today. We build APIs so that other developers can discover, learn, and consume our work, all with a strong emphasis on secure access. With those goals in mind, teams often turn to OpenAPI specifications and Swagger to help others better understand said APIs.

As you may know, Duende provides best-in-class products to help secure .NET solutions using the latest standards of OAuth and OpenID Connect. In this post, we’ll see how to secure an ASP.NET Core API with JWT Bearer tokens, set up the solution to generate an OpenAPI specification, and then secure calls from a Swagger UI to authenticate against Duende’s IdentityServer demo instance. All you’ll need is a single ASP.NET Core project, but what you learn will apply to all Duende IdentityServer deployments.

In today's security landscape, organizations rarely rely on a single identity provider. Users can authenticate through corporate directories such as Active Directory, cloud identity providers like Entra ID, or social providers such as Google. They might come through partner federations or specialized systems. This is true for enterprises, Software-as-a-Service providers, and ISVs.

Managing these diverse identities can be a challenging task. You need to strike a balance between maintaining security and providing a good user experience. This is where a federation gateway becomes essential: an identity broker that orchestrates authentication across all these different sources.

This post explores how to architect and implement a federation gateway using Duende IdentityServer, examine the business requirements that drive these decisions, and provide technical guidance for implementation.

Whether you’re just beginning to learn about OAuth 2.0 or OpenID Connect, or you’re an experienced developer troubleshooting why an API is not accepting a particular JSON Web Token (JWT), you often want to quickly inspect the contents of tokens to see if they contain the correct claims, are signed correctly, and if they have the expected lifetime.

Since we already have a live demo IdentityServer environment, which you can use to try out different authentication flows, it made sense to add a utility to inspect JWT token contents as well. Visit https://jwt.me to try it out!

Let's have a look at why we built this tool, and what it can help you with.

.NET 10 is out. 🎁🎉🥳

This likely means you and your team have been, or are starting to consider, the path of stability, predictability, and reduced maintenance overhead that an LTS offers for your applications. If that’s the case, we assume you may also be asking yourself and your team, “How secure is our IdentityServer4 implementation?” Or maybe it’s, “Hey, .NET 10 is out. Wait. Is IdentityServer4 supported?” Or that custom security solution that you hurriedly implemented years ago is now causing you more pain and heartache than you want. “What does it take to move to modern standards like OpenID Connect (OIDC), OAuth 2.0, and PKCE?”

If you’re thinking about any of these scenarios, now might be a good time to upgrade. From our perspective, it’s an excellent time to choose Duende IdentityServer as your OAuth and OpenID Connect provider. You’ll future-proof your solutions for planned initiatives, make your development team happy with how much control they’ll have, and impress your CTO with how extensible Duende IdentityServer is to the changing needs of your business.

The .NET ecosystem is famous for its batteries-included philosophy, with many of the tools necessary to build solutions available in the SDK. It’s genuinely great. As a developer, many options are one namespace, assembly, or NuGet package away. It lets you focus on developing applications rather than spending precious time and energy finding the perfect dependencies. It’s something we can take for granted, but the benefits become clear when dabbling in other ecosystems. We love it.

While .NET offers many options, there are occasions when a solution gap exists. In fact, that’s why a company like Duende Software can exist. We are a security solutions provider in a space that’s difficult, challenging, and necessary for many customers. Necessity breeds innovation, and at Duende, we aim to innovate.

As many of our customers look to migrate their solutions to .NET 10, here are a few security features missing in .NET 10, why they’re essential, and how Duende can provide an industry-leading solution. Let’s get started.

The winds of change are blowing in the direction of .NET 10, and many teams are adjusting their sails to navigate towards new and bold adventures. Exciting times are ahead. As .NET 10 marks the long-term support (LTS) version of the SDK and runtime, now is a great time to plan and strategize. After all, we all have limited resources, developer cycles, and energy when upgrading. You don’t want your ship to hit any unexpected choppy waters.

In this post, Duende has scoured the currently documented .NET 10 breaking changes and found some items you want to be mindful of when upgrading. Hopefully, many of these items will be uneventful in your upgrade, but some may leave you stranded on a deserted island called frustration. In no particular order, let’s see what they are and why you may want to mark them on your upgrade map.