Skip to content

Releases: DuendeSoftware/products

Duende BFF Security Framework V3 - Release Candidate 1

27 Feb 14:40
@Erwinvandervalk Erwinvandervalk
bff-3.0.0-rc1
cb26b8d
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
Duende BFF Security Framework V3 - Release Candidate 1 Pre-release
Pre-release

This is the first Release Candidate for the next version of the Duende BFF Security Framework V3.

What's new?

Duende BFF Security Framework v3.0 is a significant release that includes:

  • .NET 9 support
  • Blazor support
  • Several fixes and improvements

Blazor support

Microsoft's Blazor framework enables developers to build interactive web applications using C# and .NET, offering both server-side and client-side hosting models. However, implementing authentication in Blazor presents certain challenges. For example, in split-mode scenarios, where rendering is divided between server and client, managing authentication states consistently can be complex.

To address these issues, the new Backend for Frontend (BFF) framework provides comprehensive support for authentication in Blazor applications. The BFF pattern centralizes authentication logic on the server side, creating a secure environment for managing user identities and sessions. As with other browser based applications, the actual authentication logic is handled on the server by the Duende BFF Security Framework. On the client, the BFF makes sure that the authentication state is in sync with the session on the server.

Breaking changes

  • Bff yarp proxy improvements #1734 (With many thanks to @ArturDorochowicz for bringing this issue to our attention and providing a solution direction)
  • AddAddEntityFrameworkServerSideSessionsServices in Duende.Bff.EntityFramework/Configuration/BffBuilderExtensions.cs #1695
  • Async GetUserClaims, GetManagementClaims #1702
  • Consolidating ClaimRecord and ClaimLite #1697

Other fixes and improvements

  • Prevent log warning when expected duplicate key constraint is violated. #1763
  • Signout on refresh token expire #1803
  • Bumped version of Duende.AccessTokenManagement to 3.2.0 #1804

Upgrading

If you rely on the default extension methods for wiring up the BFF, then V3 should be a drop-in replacement.

Upgrade guide

From v2.x => v3.x

If you rely on the default extension methods for wiring up the BFF, then V3 should be a drop-in replacement.

Migrating from custom implementations of IHttpMessageInvokerFactory

In Duende.BFF V2, there was an interface called IHttpMessageInvokerFactory. This class was responsible for creating
and wiring up yarp's HttpMessageInvoker. This interface has been removed in favor yarp's IForwarderHttpClientFactory.

One common scenario for creating a custom implementation of this class was for mocking the http client
during unit testing.

If you wish to inject a http handler for unit testing, you should now inject a custom IForwarderHttpClientFactory. For example:

   // A Forwarder factory that forwards the messages to a message handler (which can be easily retrieved from a testhost)
    public class BackChannelHttpMessageInvokerFactory(HttpMessageHandler backChannel) 
        : IForwarderHttpClientFactory
    {
        public HttpMessageInvoker CreateClient(ForwarderHttpClientContext context) => 
            new HttpMessageInvoker(backChannel);
    }

   // Wire up the forwarder in your application's test host:
    services.AddSingleton<IForwarderHttpClientFactory>(
         new BackChannelHttpMessageInvokerFactory(_apiHost.Server.CreateHandler()));

Migrating from custom implementations IHttpTransformerFactory

The IHttpTransformerFactory was a way to globally configure the YARP tranform pipeline. In V3, the way that
the default endpoints.MapRemoteBffApiEndpoint() method builds up the YARP transform has been simplified
significantly. Most of the logic has been pushed down to the AccessTokenRequestTransform.

Here are common scenario's for implementing your own IHttpTransformerFactory and how to upgrade:

Replacing defaults

If you used a custom implementation of IHttpTransformerFactory to change the default behavior of MapRemoteBffApiEndpoint(),
for example to add additional transforms, then you can now inject a custom delegate into the di container:

services.AddSingleton<BffYarpTransformBuilder>(CustomDefaultYarpTransforms);

//...

// This is an example of how to add a response header to ALL invocations of MapRemoteBffApiEndpoint()
private void CustomDefaultBffTransformBuilder(string localpath, TransformBuilderContext context)
{
    context.AddResponseHeader("added-by-custom-default-transform", "some-value");
    DefaultBffYarpTransformerBuilders.DirectProxyWithAccessToken(localpath, context);
}

Another way of doing this is to create a custom extensionmethod MyCustomMapRemoteBffApiEndpoint() that wraps
the MapRemoteBffApiEndpoint() and use that everywhere in your application. This is a great way to add other defaults
that should apply to all endpoints, such as requiring a specific type of access token.

Configuring transforms for a single route
Another common usecase for overriding the IHttpTransformerFactory was to have a custom transform for a single route, by
applying a switch statement and testing for specific routes.

Now, there is an overload on the endpoints.MapRemoteBffApiEndpoint() that allows you to configure the pipeline directly:

            endpoints.MapRemoteBffApiEndpoint(
                "/local-path",
                _apiHost.Url(),
                context =>
                {
                    // do something custom: IE: copy request headers
                    context.CopyRequestHeaders = true;

                    // wire up the default transformer logic
                    DefaultTransformers.DirectProxyWithAccessToken("/local-path", context);
                })
                // Continue with normal BFF configuration, for example, allowing optional user access tokens
                .WithOptionalUserAccessToken();

Removed method RemoteApiEndpoint.Map(localpath, apiAddress).

The Map method was no longer needed as most of the logic had been moved to either the MapRemoteBffApiEndpoint and the DefaultTransformers. The map method also wasn't very explicit about what it did and a number of test scenario's tried to verify if it wasn't called wrongly. You are now expected to call the method MapRemoteBffApiEndpoint. This method now has a nullable parameter that allows you to inject your own transformers.

AccessTokenRetrievalContext properties are now typed

The LocalPath and ApiAddress properties are now typed. They used to be strings. If you rely on these, for example for implementing
a custom IAccessTokenRetriever, then you should adjust their usage accordingly.

/// <summary>
/// The locally requested path.
/// </summary>
public required PathString LocalPath { get; set; }

/// <summary>
/// The remote address of the API.
/// </summary>
public required Uri ApiAddress { get; set; }

AddAddEntityFrameworkServerSideSessionsServices has been renamed to AddEntityFrameworkServerSideSessionsServices

If you used the method AddAddEntityFrameworkServerSideSessionsServices() in your code, please replace it with the corrected AddEntityFrameworkServerSideSessionsServices()

StateProviderPollingDelay and StateProviderPollingInterval have been split into separate options for WebAssembly and Server.

If you used BffBlazorOptions.StateProviderPollingInterval or BffBlazorOptions.StateProviderPollingDelay to configure different polling settings, you should now consider if this same setting applies to either Server, WASM or both. Set the appropriate properties accordingly.

Contributors

ArturDorochowicz
Loading

IdentityServer 7.2.0 Preview 1

29 Jan 18:54
@josephdecock josephdecock
is-7.2.0-preview.1
b4daf0a
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
IdentityServer 7.2.0 Preview 1 Pre-release
Pre-release

This is the first preview of IdentityServer 7.2. Highlights include:

  • Optional strict validation of private_key_jwt audiences
  • Error events are no longer raised for the use_dpop_nonce response from the token endpoint
  • Bug fixes and optimizations

Upgrading

There are no breaking changes or schema updates required to upgrade from IdentityServer 7.1 to 7.2.

What's Changed

New Contributors

Full Changelog: is-7.1.0...is-7.2.0-preview.1

Contributors

aomader, SimonCropp, and 4 other contributors
Loading

IdentityServer 7.1.0

13 Jan 17:09
@josephdecock josephdecock
is-7.1.0
bb9798e
Compare
Choose a tag to compare
IdentityServer 7.1.0 Latest
Latest

IdentityServer 7.1.0 is a significant release that includes:

  • .NET 9 support
  • Use of Duende.IdentityModel
  • New license usage helpers
  • Friendly READMEs in the NuGet packages
  • Improved log filtering when HTTP requests are aborted
  • Redaction of the subject token during token exchange
  • Improved extensibility of the ClientConfigurationStore in the Configuration API
  • Several bug fixes
  • Numerous small code quality and performance enhancements from the community

Breaking Changes

There are no schema changes needed for IdentityServer 7.1.0. Small code changes will be required for must users to upgrade.

  • IdentityModel renamed Duende.IdentityModel
  • ClientConfigurationStore now uses IConfigurationDbContext

IdentityModel renamed Duende.IdentityModel

  • Use Duende.IdentityModel 7.0.0 by @damianh in #1621
    Our open source IdentityModel library has been renamed Duende.IdentityModel, and we now depend on Duende.IdentityModel instead of IdentityModel. Duende.IdentityModel is a drop-in replacement for IdentityModel with updated namespaces that include the Duende prefix. If you are using IdentityModel's types in your IdentityServer implementation, you will need to update references from IdentityModel to Duende.IdentityModel (replace "using IdentityModel" with "using Duende.IdentityModel").

ClientConfigurationStore now uses IConfigurationDbContext

  • Use IConfigurationDbContext in ClientConfigurationStore by @stefannikolei in #1624
    The ClientConfigurationStore in the Duende.Configuration.EntityFramework package now depends on IConfigurationDbContext instead of ConfigurationDbContext to allow for customization. If you have a customized store that derives from the default store, you may need to update your constructors. Note that this only affects the Entity Framework based implementation of the configuration store used by the dynamic client registration configuration API.

Enhancements

.NET 9

  • Update to .NET 9 by @josephdecock in #1603
  • Update .NET9 from rc2 to release by @stefannikolei in #1623
    IdentityServer 7.1 multi-targets .NET 8 and .NET 9. Both versions are supported.

License Usage Helpers

  • Add new license management services by @josephdecock in #1637
    A LicenseUsageSummary is now available which includes the license edition and clients, issuers, and enterprise or business edition features used. The intent is to make it easier to understand which license is needed.

Other Enhancements

  • Filter subject token from TokenRequest log by @krosn in #1521
    Subject tokens from token exchange are now redacted by default from logs.
  • Update GitHub readme, add NuGet readmes by @josephdecock in #1610
    All IdentityServer NuGet packages now have README files.
  • Filter all OperationCanceledExceptions from logs, instead of only TaskCanceledExceptions by @josephdecock in #1671
    Aborted HTTP requests result in expected exceptions, which we filter out of our logging when the request is aborted. Sometimes this is raised as OperationCanceledException instead of TaskCanceledException, so we now filter both.

Bug Fixes

  • Fall back to other token types when given incorrect hint during introspection by @josephdecock in #1607
    When an incorrect token_type_hint parameter is passed during introspection we now fall back to find tokens of the other type, in compliance with RFC 7662 Section 2.1.
  • Clean up retired keys even if they are not unprotectable by @josephdecock in #1608
    Retired signing keys will now be deleted by the key manager even if the data protected portion of the key cannot be unprotected.
  • Filter protocol claims from reference tokens by @josephdecock in #1662
    Reference tokens from IdentityServer 4 sometimes contain "protocol" claims, such as iat, which caused a bug where claims were duplicated.
  • Respect EnableBackchannelAuthenticationEndpoint during routing by @EternamFr in #1599
    If CIBA is disabled in config, we now disable the endpoint in addition to suppressing it in discovery.
  • Persist claim issuers in server side sessions by @josephdecock in #1660
    Claims from third-party issuers now track their issuer in a server side session, which fixes issues related to logout when integrating with 3rd party SAML providers.

Code Quality

Performance Enhancements

New Contributors

Full Changelog: 7.0.8...7.1.0-rc.1

Contributors

damianh, SimonCropp, and 10 other contributors
Assets 2
Loading

IdentityServer 7.1.0 Release Candidate 2

06 Jan 17:55
@josephdecock josephdecock
is/7.1.0-rc.2
1756170
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
IdentityServer 7.1.0 Release Candidate 2 Pre-release
Pre-release

This is release candidate 2 for IdentityServer 7.1.0. This adds a fix for #1689 to the previous release candidate. Please see 7.1.0-rc.1's release notes for further information about the 7.1.0 release.

Loading

IdentityServer 7.1.0 Release Candidate 1

06 Jan 17:54
@josephdecock josephdecock
is/7.1.0-rc.1
5c68cf3
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
IdentityServer 7.1.0 Release Candidate 1 Pre-release
Pre-release

This is release candidate 1 for IdentityServer 7.1.0, a significant release that includes:

  • .NET 9 support
  • Use of Duende.IdentityModel
  • New license usage helpers
  • Friendly READMEs in the NuGet packages
  • Improved log filtering when HTTP requests are aborted
  • Redaction of the subject token during token exchange
  • Improved extensibility of the ClientConfigurationStore in the Configuration API
  • Several bug fixes
  • Numerous small code quality and performance enhancements from the community

Breaking Changes

There are no schema changes needed for IdentityServer 7.1.0. Small code changes will be required for must users to upgrade.

  • IdentityModel renamed Duende.IdentityModel
  • ClientConfigurationStore now uses IConfigurationDbContext

IdentityModel renamed Duende.IdentityModel

  • Use Duende.IdentityModel 7.0.0 by @damianh in #1621
    Our open source IdentityModel library has been renamed Duende.IdentityModel, and we now depend on Duende.IdentityModel instead of IdentityModel. Duende.IdentityModel is a drop-in replacement for IdentityModel with updated namespaces that include the Duende prefix. If you are using IdentityModel's types in your IdentityServer implementation, you will need to update references from IdentityModel to Duende.IdentityModel (replace "using IdentityModel" with "using Duende.IdentityModel").

ClientConfigurationStore now uses IConfigurationDbContext

  • Use IConfigurationDbContext in ClientConfigurationStore by @stefannikolei in #1624
    The ClientConfigurationStore in the Duende.Configuration.EntityFramework package now depends on IConfigurationDbContext instead of ConfigurationDbContext to allow for customization. If you have a customized store that derives from the default store, you may need to update your constructors. Note that this only affects the Entity Framework based implementation of the configuration store used by the dynamic client registration configuration API.

Enhancements

.NET 9

  • Update to .NET 9 by @josephdecock in #1603
  • Update .NET9 from rc2 to release by @stefannikolei in #1623
    IdentityServer 7.1 multi-targets .NET 8 and .NET 9. Both versions are supported.

License Usage Helpers

  • Add new license management services by @josephdecock in #1637
    A LicenseUsageSummary is now available which includes the license edition and clients, issuers, and enterprise or business edition features used. The intent is to make it easier to understand which license is needed.

Other Enhancements

  • Filter subject token from TokenRequest log by @krosn in #1521
    Subject tokens from token exchange are now redacted by default from logs.
  • Update GitHub readme, add NuGet readmes by @josephdecock in #1610
    All IdentityServer NuGet packages now have README files.
  • Filter all OperationCanceledExceptions from logs, instead of only TaskCanceledExceptions by @josephdecock in #1671
    Aborted HTTP requests result in expected exceptions, which we filter out of our logging when the request is aborted. Sometimes this is raised as OperationCanceledException instead of TaskCanceledException, so we now filter both.

Bug Fixes

  • Fall back to other token types when given incorrect hint during introspection by @josephdecock in #1607
    When an incorrect token_type_hint parameter is passed during introspection we now fall back to find tokens of the other type, in compliance with RFC 7662 Section 2.1.
  • Clean up retired keys even if they are not unprotectable by @josephdecock in #1608
    Retired signing keys will now be deleted by the key manager even if the data protected portion of the key cannot be unprotected.
  • Filter protocol claims from reference tokens by @josephdecock in #1662
    Reference tokens from IdentityServer 4 sometimes contain "protocol" claims, such as iat, which caused a bug where claims were duplicated.
  • Respect EnableBackchannelAuthenticationEndpoint during routing by @EternamFr in #1599
    If CIBA is disabled in config, we now disable the endpoint in addition to suppressing it in discovery.
  • Persist claim issuers in server side sessions by @josephdecock in #1660
    Claims from third-party issuers now track their issuer in a server side session, which fixes issues related to logout when integrating with 3rd party SAML providers.

Code Quality

Performance Enhancements

New Contributors

Full Changelog: 7.0.8...7.1.0-rc.1

Contributors

damianh, SimonCropp, and 10 other contributors
Loading

IdentityServer 7.1.0-preview.1

07 Jan 03:11
@josephdecock josephdecock
is/7.1.0-preview.1
0850cda
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
IdentityServer 7.1.0-preview.1 Pre-release
Pre-release

IdentityServer 7.1.0-preview.1 is the first preview release of IdentityServer 7.1.0. It includes support for .NET 9, adds friendly READMEs to the NuGet packages, and includes a few smaller enhancements and bugfixes.

Breaking Changes

There are no breaking changes at the schema or API level in this release.

  • No schema updates are required.
  • While we are adding support for .NET 9, .NET 8 continues to be supported.

There is a log message change, which we highlight as a breaking change in case monitoring or other tooling that consumes the logs relies on the old behavior:

  • Subject tokens (the tokens passed in during token exchange) are now redacted from logs by @krosn in #1521
    If you need the old behavior, remove OidcConstants.TokenRequest.SubjectToken from the TokenRequestSensitiveValuesFilter option.

.NET 9

IdentityServer 7.1.0 supports both .NET 8 and .NET 9.

READMEs

Fixes and Enhancements

  • Avoid multiple check adding clientid by @testfirstcoder in #1586
  • Fall back to other token types when given incorrect hint in introspection by @josephdecock in #1607
  • Use example.com as the domain for emails for test users by @wenz in #1606

New Contributors

Full Changelog: 7.0.7...7.1.0-preview.1

Contributors

wenz, josephdecock, and 2 other contributors
Loading

IdentityServer 7.0.8

07 Jan 03:12
@josephdecock josephdecock
is/7.0.8
f28cac9
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
IdentityServer 7.0.8

This is a security hotfix that addresses CVE-2024-49755, a low-severity vulnerability in our handling of DPoP access tokens at local APIs. See
our blog post and the security advisory for more details.

Loading

IdentityServer 7.0.7

07 Jan 03:12
@josephdecock josephdecock
is/7.0.7
d9afcc3
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
IdentityServer 7.0.7

This is a patch release that allows the UserInteractionOptions.PromptValuesSupported to be customized, in order to support custom prompt modes.

What's Changed

Full Changelog: 7.0.6...7.0.7

Contributors

josephdecock
Loading

IdentityServer 7.0.6

07 Jan 03:16
@josephdecock josephdecock
is/7.0.6
765116a
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
IdentityServer 7.0.6

This is a security hotfix that addresses CVE-2024-39694. See the security advisory for more details.

Loading

IdentityServer 6.3.10

07 Jan 03:17
@josephdecock josephdecock
is/6.3.10
269ca21
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
IdentityServer 6.3.10

This is a security hotfix that addresses CVE-2024-39694. See the security advisory for more details.

Loading